blockcheck.sh

@@ -441,62 +441,58 @@ check_prerequisites()
 	}
 
 	local prog progs='curl'
-	[ "$SKIP_PKTWS" = 1 ] || {
-		case "$UNAME" in
-			Linux)
-				case "$FWTYPE" in
-					iptables)
-						ipt_has_nfq || {
-							echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
-							exitp 6
-						}
-						progs="$progs iptables ip6tables"
-						;;
-					nftables)
-						nft_has_nfq || {
-							echo nftables queue support is not available. pls install modules.
-							exitp 6
-						}
-						progs="$progs nft"
-						;;
-				esac
-				;;
-			FreeBSD)
-				freebsd_modules_loaded ipfw ipdivert || {
-					echo ipfw or ipdivert kernel module not loaded
-						exitp 6
-				}
-				[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
-					echo ipfw is disabled. use : ipfw enable firewall
-					exitp 6
-				}
-				pf_is_avail && {
-					pf_save
-					[ "$SUBSYS" = "pfSense" ] && {
-						# pfsense's ipfw may not work without these workarounds
-						sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
-						sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
-						sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
-						sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
-						pfctl -qd
-						pfctl -qe
-						pf_restore
-					}
-				}
-				progs="$progs ipfw"
-				;;
-			OpenBSD|Darwin)
-				pf_is_avail || {
-					echo pf is not available
-					exitp 6
-				}
-				pf_save
-				progs="$progs pfctl"
-				;;
-		esac
-	}
-
 	case "$UNAME" in
+		Linux)
+			case "$FWTYPE" in
+				iptables)
+					progs="$progs iptables ip6tables"
+					ipt_has_nfq || {
+						echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
+						exitp 6
+					}
+					;;
+				nftables)
+					nft_has_nfq || {
+						echo nftables queue support is not available. pls install modules.
+						exitp 6
+					}
+					;;
+			esac
+			;;
+		FreeBSD)
+			progs="$progs ipfw"
+			freebsd_modules_loaded ipfw ipdivert || {
+				echo ipfw or ipdivert kernel module not loaded
+				exitp 6
+			}
+			[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
+				echo ipfw is disabled. use : ipfw enable firewall
+				exitp 6
+			}
+			pf_is_avail && {
+				pf_save
+				[ "$SUBSYS" = "pfSense" ] && {
+					# pfsense's ipfw may not work without these workarounds
+					sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
+					sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
+					sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
+					sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
+					pfctl -qd
+					pfctl -qe
+					pf_restore
+				}
+			}
+			;;
+		OpenBSD|Darwin)
+			progs="$progs pfctl"
+			pf_is_avail || {
+				echo pf is not available
+				exitp 6
+			}
+			# no divert sockets in MacOS
+			[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
+			pf_save
+			;;
 		CYGWIN)
 			SKIP_TPWS=1
 			;;
@@ -919,9 +915,7 @@ pktws_start()
 }
 tpws_start()
 {
-	local uid
+	"$TPWS" --uid $TPWS_UID:$TPWS_GID --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
-	[ -n "$HAVE_ROOT" ] && uid="--uid $TPWS_UID:$TPWS_GID"
-	"$TPWS" $uid --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
 	PID=$!
 	# give some time to initialize
 	minsleep
@@ -1010,17 +1004,17 @@ tpws_curl_test()
 	# $1 - test function
 	# $2 - domain
 	# $3,$4,$5, ... - tpws params
-	echo - checking tpws $3 $4 $5 $6 $7 $8 $9${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
+	echo - checking tpws $3 $4 $5 $6 $7 $8 $9 $TPWS_EXTRA "$TPWS_EXTRA_1" "$TPWS_EXTRA_2" "$TPWS_EXTRA_3" "$TPWS_EXTRA_4" "$TPWS_EXTRA_5" "$TPWS_EXTRA_6" "$TPWS_EXTRA_7" "$TPWS_EXTRA_8" "$TPWS_EXTRA_9"
 	local ALL_PROXY="socks5://127.0.0.1:$SOCKS_PORT"
-	ws_curl_test tpws_start "$@"${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
+	ws_curl_test tpws_start "$@" $TPWS_EXTRA "$TPWS_EXTRA_1" "$TPWS_EXTRA_2" "$TPWS_EXTRA_3" "$TPWS_EXTRA_4" "$TPWS_EXTRA_5" "$TPWS_EXTRA_6" "$TPWS_EXTRA_7" "$TPWS_EXTRA_8" "$TPWS_EXTRA_9"
 }
 pktws_curl_test()
 {
 	# $1 - test function
 	# $2 - domain
 	# $3,$4,$5, ... - nfqws/dvtws params
-	echo - checking $PKTWSD ${WF:+$WF }$3 $4 $5 $6 $7 $8 $9${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
+	echo - checking $PKTWSD ${WF:+$WF }$3 $4 $5 $6 $7 $8 $9 $PKTWS_EXTRA "$PKTWS_EXTRA_1" "$PKTWS_EXTRA_2" "$PKTWS_EXTRA_3" "$PKTWS_EXTRA_4" "$PKTWS_EXTRA_5" "$PKTWS_EXTRA_6" "$PKTWS_EXTRA_7" "$PKTWS_EXTRA_8" "$PKTWS_EXTRA_9"
-	ws_curl_test pktws_start "$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
+	ws_curl_test pktws_start "$@" $PKTWS_EXTRA "$PKTWS_EXTRA_1" "$PKTWS_EXTRA_2" "$PKTWS_EXTRA_3" "$PKTWS_EXTRA_4" "$PKTWS_EXTRA_5" "$PKTWS_EXTRA_6" "$PKTWS_EXTRA_7" "$PKTWS_EXTRA_8" "$PKTWS_EXTRA_9"
 }
 xxxws_curl_test_update()
 {
@@ -1278,7 +1272,7 @@ pktws_check_domain_http_bypass()
 
 	local strategy
 	pktws_check_domain_http_bypass_ "$@"
-	strategy="${strategy:+$strategy${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}}"
+	strategy="${strategy:+$strategy $PKTWS_EXTRA $PKTWS_EXTRA_1 $PKTWS_EXTRA_2 $PKTWS_EXTRA_3 $PKTWS_EXTRA_4 $PKTWS_EXTRA_5 $PKTWS_EXTRA_6 $PKTWS_EXTRA_7 $PKTWS_EXTRA_8 $PKTWS_EXTRA_9}"
 	report_strategy $1 $3 $PKTWSD
 }
 
@@ -1393,7 +1387,7 @@ tpws_check_domain_http_bypass()
 
 	local strategy
 	tpws_check_domain_http_bypass_ "$@"
-	strategy="${strategy:+$strategy${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}}"
+	strategy="${strategy:+$strategy $TPWS_EXTRA $TPWS_EXTRA_1 $TPWS_EXTRA_2 $TPWS_EXTRA_3 $TPWS_EXTRA_4 $TPWS_EXTRA_5 $TPWS_EXTRA_6 $TPWS_EXTRA_7 $TPWS_EXTRA_8 $TPWS_EXTRA_9}"
 	report_strategy $1 $3 tpws
 }
 
@@ -1710,7 +1704,7 @@ ask_params()
 	SCANLEVEL=${SCANLEVEL:-standard}
 	ask_list SCANLEVEL "quick standard force" "$SCANLEVEL"
 	# disable tpws checks by default in quick mode
-	[ "$SCANLEVEL" = quick -a -z "$SKIP_TPWS" -a "$UNAME" != Darwin ] && SKIP_TPWS=1
+	[ "$SCANLEVEL" = quick -a -z "$SKIP_TPWS" ] && SKIP_TPWS=1
 
 	echo
 
@@ -1948,9 +1942,7 @@ fsleep_setup
 fix_sbin_path
 check_system
 check_already
-# no divert sockets in MacOS
+[ "$UNAME" = CYGWIN ] || require_root
-[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
-[ "$UNAME" != CYGWIN  -a "$SKIP_PKTWS" != 1 ] && require_root
 check_prerequisites
 trap sigint_cleanup INT
 check_dns

common/elevate.sh

@@ -1,28 +1,13 @@
 require_root()
 {
-	local exe preserve_env
+	local exe
 	echo \* checking privileges
 	[ $(id -u) -ne "0" ] && {
 		echo root is required
 		exe="$EXEDIR/$(basename "$0")"
-		exists sudo && {
+		exists sudo && exec sudo sh "$exe"
-			echo elevating with sudo
+		exists su && exec su root -c "sh \"$exe\""
-			exec sudo -E sh "$exe"
-		}
-		exists su && {
-			echo elevating with su
-			case "$UNAME" in
-				Linux)
-					preserve_env="--preserve-environment"
-					;;
-				FreeBSD|OpenBSD|Darwin)
-					preserve_env="-m"
-					;;
-			esac
-			exec su $preserve_env root -c "sh \"$exe\""
-		}
 		echo su or sudo not found
 		exitp 2
 	}
-	HAVE_ROOT=1
 }

docs/changes.txt

@@ -352,5 +352,3 @@ nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP.
 nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
 config: <HOSTLIST_NOAUTO> marker
 binaries: remove zapret-winws. add win32.
-blockcheck, install_easy.sh: preserve user environment variables during elevation
-blockcheck: do not require root if SKIP_PKTWS=1

docs/readme.txt

@@ -1282,7 +1282,7 @@ standard дает возможность провести исследовани
 force дает максимум проверок даже в случаях, когда ресурс работает без обхода или с более простыми стратегиями.
 
 Есть ряд других параметров, которые не будут спрашиваться в диалоге, но которые можно переопределить через
-переменные.
+переменные. Переопределение работает только из рутового шелла. При повышении привилегий через su/sudo переменные теряются.
 
 DOMAINS - список тестируемых доменов через пробел
 CURL_MAX_TIME - время таймаута curl в секундах

init.d/openwrt/zapret

@@ -128,7 +128,7 @@ standard_mode_daemons()
 		run_tpws_socks 2 "$opt"
 	}
 	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
+		opt="--qnum=$QNUM $NFQWS_OPT"
 		filter_apply_hostlist_target opt
 		run_daemon 3 "$NFQWS" "$opt"
 	}

init.d/sysv/functions

@@ -296,7 +296,7 @@ standard_mode_daemons()
 		do_tpws_socks $1 2 "$opt"
 	}
 	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT"
+		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
 		filter_apply_hostlist_target opt
 		do_nfqws $1 3 "$opt"
 	}

nfq/desync.c

@@ -849,7 +849,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		size_t fake_size;
 		char host[256];
 		bool bHaveHost=false;
-		uint8_t *p, *phost=NULL;
+		uint8_t *p, *phost;
 		const uint8_t *rdata_payload = data_payload;
 		size_t rlen_payload = len_payload;
 		size_t split_pos;
@@ -1097,6 +1097,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		}
 
 		ttl_fake = (ctrack_replay && ctrack_replay->autottl) ? ctrack_replay->autottl : (ip6hdr ? (dp->desync_ttl6 ? dp->desync_ttl6 : ttl_orig) : (dp->desync_ttl ? dp->desync_ttl : ttl_orig));
+
 		if ((l7proto == HTTP) && (dp->hostcase || dp->hostnospace || dp->domcase) && HttpFindHost(&phost,data_payload,len_payload))
 		{
 			if (dp->hostcase)