docs/changes.txt

@@ -477,4 +477,3 @@ v70.6
 nfqws: detect Discord Voice IP discovery packets
 nfqws: detect STUN message packets
 nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
-init.d: remove 50-discord

docs/compile/build_howto_openwrt.txt

@@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.
 
 examples :
 
-curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
+curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
 cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
 
-curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
+curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
 cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
 
 3) Install required libs
@@ -48,7 +48,7 @@ static build :  make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
 executables only : build_dir/target/<progname>
 ipk or apk packages : bin/packages/*/base
 
-8) Installing to openwrt to use with zapret
+8) Installating to openwrt to use with zapret
 
 zapret with or without binaries should be already installed in /opt/zapret.
 Install ipk's or apk's with all compiled progs using opkg or apk.

init.d/custom.d.examples.linux/50-nfqws-ipset

@@ -1,74 +0,0 @@
-# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
-
-# can override in config :
-NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
-NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
-NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
-
-alloc_dnum DNUM_NFQWS_MY1
-alloc_qnum QNUM_NFQWS_MY1
-NFQWS_MY1_SET_NAME=my1nfqws4
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
-	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
-}
-
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local f
-	local first_packets_only="$ipt_connbytes 1:3"
-	local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
-	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
-	local subnet
-
-	local DISABLE_IPV6=1
-
-	[ "$1" = 1 ] && {
-		ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
-		ipset flush $NFQWS_MY1_SET_NAME
-		for subnet in $NFQWS_MY1_SUBNETS; do
-			echo add $NFQWS_MY1_SET_NAME $subnet
-		done | ipset -! restore
-	}
-
-	f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
-	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
-
-	[ "$1" = 1 ] || {
-		ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
-	}
-}
-
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	local f
-	local first_packets_only="$nft_connbytes 1-3"
-	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
-	local subnets
-
-	local DISABLE_IPV6=1
-
-	make_comma_list subnets $NFQWS_MY1_SUBNETS
-	nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
-	nft_flush_set $NFQWS_MY1_SET_NAME
-	nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
-
-	f="udp dport {$NFQWS_MY1_PORTS}"
-	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
-}
-
-zapret_custom_firewall_nft_flush()
-{
-	# this function is called after all nft fw rules are deleted
-	# however sets are not deleted. it's desired to clear sets here.
-
-	nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
-}

nfq/nfqws.c

@@ -1067,20 +1067,11 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 			{
 				size_t slen_new = strlen(fake_tls_sni);
 				ssize_t slen_delta = slen_new-slen;
-				char *s1=NULL;
-				if (params.debug)
-				{
-					if ((s1 = malloc(slen+1)))
-					{
-						memcpy(s1,sni,slen); s1[slen]=0;
-					}
-				}
 				if (slen_delta)
 				{
 					if ((*fake_tls_size+slen_delta)>fake_tls_buf_size)
 					{
 						DLOG_ERR("profile %d fake[%d] not enough space for new SNI\n", profile_n, fake_n);
-						free(s1);
 						return false;
 					}
 					memmove(sni+slen_new,sni+slen,fake_tls+*fake_tls_size-(sni+slen));
@@ -1093,9 +1084,7 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 					*fake_tls_size+=slen_delta;
 					slen = slen_new;
 				}
-				DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, fake_tls_sni, slen_delta);
-				free(s1);
-
+				DLOG("profile %d fake[%d] change sni to %s size_delta=%zd\n", profile_n, fake_n, fake_tls_sni,slen_delta);
 				memcpy(sni,fake_tls_sni,slen_new);
 			}
 			if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI)
@@ -1136,35 +1125,35 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 				}
 			}
 		}
-		if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+	}
+	if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+	{
+		if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
 		{
-			if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
+			if ((ext-fake_tls+extlen)!=*fake_tls_size)
 			{
-				if ((ext-fake_tls+extlen)!=*fake_tls_size)
-				{
-					DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
-					return false;
-				}
-				modcache->padlen_offset = ext-fake_tls-2;
-				DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
+				DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
+				return false;
 			}
-			else
+			modcache->padlen_offset = ext-fake_tls-2;
+			DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
+		}
+		else
+		{
+			if ((*fake_tls_size+4)>fake_tls_buf_size)
 			{
-				if ((*fake_tls_size+4)>fake_tls_buf_size)
-				{
-					DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
-					return false;
-				}
-				phton16(fake_tls+*fake_tls_size,21);
-				*fake_tls_size+=2;
-				modcache->padlen_offset=*fake_tls_size;
-				phton16(fake_tls+*fake_tls_size,0);
-				*fake_tls_size+=2;
-				phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
-				phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
-				phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
-				DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
+				DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
+				return false;
 			}
+			phton16(fake_tls+*fake_tls_size,21);
+			*fake_tls_size+=2;
+			modcache->padlen_offset=*fake_tls_size;
+			phton16(fake_tls+*fake_tls_size,0);
+			*fake_tls_size+=2;
+			phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
+			phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
+			phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
+			DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
 		}
 	}
 	return true;