update compile docs

docs/changes.txt

@@ -477,3 +477,4 @@ v70.6
 nfqws: detect Discord Voice IP discovery packets
 nfqws: detect STUN message packets
 nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
+init.d: remove 50-discord

docs/compile/build_howto_openwrt.txt

@@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.
 
 examples :
 
-curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
+curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
 cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
 
-curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
+curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
 cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
 
 3) Install required libs
@@ -48,7 +48,7 @@ static build :  make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
 executables only : build_dir/target/<progname>
 ipk or apk packages : bin/packages/*/base
 
-8) Installating to openwrt to use with zapret
+8) Installing to openwrt to use with zapret
 
 zapret with or without binaries should be already installed in /opt/zapret.
 Install ipk's or apk's with all compiled progs using opkg or apk.

init.d/custom.d.examples.linux/50-nfqws-ipset

@@ -0,0 +1,74 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
+
+# can override in config :
+NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
+NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
+NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_SET_NAME=my1nfqws4
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
+	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f
+	local first_packets_only="$ipt_connbytes 1:3"
+	local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
+	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
+	local subnet
+
+	local DISABLE_IPV6=1
+
+	[ "$1" = 1 ] && {
+		ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
+		ipset flush $NFQWS_MY1_SET_NAME
+		for subnet in $NFQWS_MY1_SUBNETS; do
+			echo add $NFQWS_MY1_SET_NAME $subnet
+		done | ipset -! restore
+	}
+
+	f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
+	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f
+	local first_packets_only="$nft_connbytes 1-3"
+	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
+	local subnets
+
+	local DISABLE_IPV6=1
+
+	make_comma_list subnets $NFQWS_MY1_SUBNETS
+	nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
+	nft_flush_set $NFQWS_MY1_SET_NAME
+	nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
+
+	f="udp dport {$NFQWS_MY1_PORTS}"
+	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
+}

nfq/nfqws.c

@@ -1067,11 +1067,20 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 			{
 				size_t slen_new = strlen(fake_tls_sni);
 				ssize_t slen_delta = slen_new-slen;
+				char *s1=NULL;
+				if (params.debug)
+				{
+					if ((s1 = malloc(slen+1)))
+					{
+						memcpy(s1,sni,slen); s1[slen]=0;
+					}
+				}
 				if (slen_delta)
 				{
 					if ((*fake_tls_size+slen_delta)>fake_tls_buf_size)
 					{
 						DLOG_ERR("profile %d fake[%d] not enough space for new SNI\n", profile_n, fake_n);
+						free(s1);
 						return false;
 					}
 					memmove(sni+slen_new,sni+slen,fake_tls+*fake_tls_size-(sni+slen));
@@ -1084,7 +1093,9 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 					*fake_tls_size+=slen_delta;
 					slen = slen_new;
 				}
-				DLOG("profile %d fake[%d] change sni to %s size_delta=%zd\n", profile_n, fake_n, fake_tls_sni,slen_delta);
+				DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, fake_tls_sni, slen_delta);
+				free(s1);
+
 				memcpy(sni,fake_tls_sni,slen_new);
 			}
 			if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI)
@@ -1125,7 +1136,6 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 				}
 			}
 		}
-	}
 		if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
 		{
 			if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
@@ -1156,6 +1166,7 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
 				DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
 			}
 		}
+	}
 	return true;
 }
 static bool onetime_tls_mod(struct desync_profile *dp)