common/custom.sh

@@ -1,25 +0,0 @@
-custom_runner()
-{
-	# $1 - function name
-	# $2+ - params
-
-	local n script FUNC=$1
-
-	shift
-
-	[ -f "$CUSTOM_DIR/custom" ] && {
-		unset -f $FUNC
-		. "$CUSTOM_DIR/custom"
-		existf $FUNC && $FUNC "$@"
-	}
-	[ -d "$CUSTOM_DIR/custom.d" ] && {
-		n=$(ls "$CUSTOM_DIR/custom.d" | wc -c | xargs)
-		[ "$n" = 0 ] || {
-			for script in "$CUSTOM_DIR/custom.d/"*; do
-				unset -f $FUNC
-				. "$script"
-				existf $FUNC && $FUNC "$@"
-			done
-		}
-	}
-}

common/ipt.sh

@@ -437,7 +437,7 @@ zapret_do_firewall_rules_ipt()
 			fi
 			;;
 		custom)
-			custom_runner zapret_custom_firewall $1
+	    		existf zapret_custom_firewall && zapret_custom_firewall $1
 			;;
 	esac
 }

common/nft.sh

@@ -705,7 +705,7 @@ zapret_apply_firewall_rules_nft()
 			POSTNAT=$POSTNAT_SAVE
 			;;
 		custom)
-			custom_runner zapret_custom_firewall_nft
+	    		existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
 			;;
 	esac
 }

common/pf.sh

@@ -106,11 +106,6 @@ pf_anchor_zapret_tables()
 
 	eval $tblv="\"\$_tbl\""
 }
-pf_nat_reorder_rules()
-{
-	# this is dirty hack to move rdr above route-to and remove route-to dups
-	sort -rfu
-}
 pf_anchor_port_target()
 {
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@@ -124,17 +119,9 @@ pf_anchor_port_target()
 
 pf_anchor_zapret_v4_tpws()
 {
-	# $1 - tpws listen port
+	# $1 - port
-	# $2 - rdr ports. defaults are used if empty
-
-	local rule port
-
-	if [ -n "$2" ]; then
-		port="{$2}"
-	else
-		port=$(pf_anchor_port_target)
-	fi
 
+	local rule port=$(pf_anchor_port_target)
 	for lan in $IFACE_LAN; do
 		for t in $tbl; do
 			 echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
@@ -157,7 +144,7 @@ pf_anchor_zapret_v4()
 {
 	local tbl port
 	[ "$DISABLE_IPV4" = "1" ] || {
-		case "${MODE_OVERRIDE:-$MODE}" in
+		case $MODE in
 			tpws)
 				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
@@ -165,24 +152,16 @@ pf_anchor_zapret_v4()
 				;;
 			custom)
 				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				custom_runner zapret_custom_firewall_v4 | pf_nat_reorder_rules
+				existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
 				;;
 		esac
 	}
 }
 pf_anchor_zapret_v6_tpws()
 {
-	# $1 - tpws listen port
+	# $1 - port
-	# $2 - rdr ports. defaults are used if empty
-
-	local rule LL_LAN port
-
-	if [ -n "$2" ]; then
-		port="{$2}"
-	else
-		port=$(pf_anchor_port_target)
-	fi
 
+	local LL_LAN rule port=$(pf_anchor_port_target)
 	# LAN link local is only for router
 	for lan in $IFACE_LAN; do
 		LL_LAN=$(get_ipv6_linklocal $lan)
@@ -209,7 +188,7 @@ pf_anchor_zapret_v6()
 	local tbl port
 
 	[ "$DISABLE_IPV6" = "1" ] || {
-		case "${MODE_OVERRIDE:-$MODE}" in
+		case $MODE in
 			tpws)
 				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
@@ -217,7 +196,7 @@ pf_anchor_zapret_v6()
 				;;
 			custom)
 				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				custom_runner zapret_custom_firewall_v6 | pf_nat_reorder_rules
+				existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
 				;;
 		esac
 	}

docs/changes.txt

@@ -317,9 +317,3 @@ nfqws: multi-strategy
 v63:
 
 tpws: multi-strategy
-
-v64:
-
-blockcheck: warn if dpi bypass software is already running
-blockcheck: TPWS_EXTRA, NFQWS_EXTRA
-init.d: multiple custom scripts

docs/readme.txt

@@ -1,4 +1,4 @@
-zapret v.64
+zapret v.63
 
 English
 -------
@@ -1572,42 +1572,18 @@ nfset-ы принадлежат только одной таблице, след
 Вариант custom
 --------------
 
-custom код вынесен в отдельные shell includes.
+custom код вынесен в отдельный shell include
-Поддерживается старый вариант в
 /opt/zapret/init.d/sysv/custom
+или
 /opt/zapret/init.d/openwrt/custom
-/opt/zapret/init.d/macos/custom
-Он считается устаревшим. Актуальный вариант - помещать отдельные скрипты там же, но в директорию "custom.d".
-Она будет просканирована стандартным образом, т.е. в алфавитном порядке, и каждый скрипт будет применен.
-Рядом имеется "custom.d.examples". Это готовые скрипты, который можно копировать в "custom.d".
-Особо стоит отметить "10-inherit-*". Они наследуют стандартные режимы nfqws/tpws/tpws-socks.
-Полезно, чтобы не писать код заново. Достаточно лишь скопировать соответствующий файл.
 
-Для linux пишется код в функции
+Нужно свой код вписать в функции :
 zapret_custom_daemons
 zapret_custom_firewall
 zapret_custom_firewall_nft
 
-Для macos
+В файле custom пишите ваш код, пользуясь хелперами из "functions" или "zapret".
-zapret_custom_daemons
+Смотрите как там сделано добавление iptables или запуск демонов.
-zapret_custom_firewall_v4
-zapret_custom_firewall_v6
-
-zapret_custom_daemons поднимает демоны nfqws/tpws в нужном вам количестве и с нужными вам параметрами.
-Особо обратите внимание на номер демона в функциях "run_daemon" и "do_daemon".
-Они должны быть уникальными во всех скриптах. При накладке будет ошибка.
-Так же следует избегать пересечения номеров портов tpws и очередей nfqws.
-При пересечении какой-то из демонов не запустится.
-Чтобы как-то нивелировать эту проблему, в examples используется переменная DNUM.
-На ее базе считается диапазон номеров очередей (5 шт), которые использует этот скрипт.
-При таком подходе достаточно, чтобы DNUM был везде уникален.
-Поскольку номера очереди и портов имеют нумерацию до 65536, можно использовать DNUM до 13106.
-Однако, следует оставить номера очереди 200-299 для стандартных режимов и не использовать их.
-
-custom скрипты могут использовать переменные из config. Можно помещать в config свои переменные
-и использовать их в скриптах.
-Можно использовать функции-хелперы. Они являются частью общего пространства функций shell.
-Полезные функции можно взять из примеров скриптов. Так же смотрите "common/*.sh".
 Используя хелпер функции, вы избавитесь от необходимости учитывать все возможные случаи
 типа наличия/отсутствия ipv6, является ли система роутером, имена интерфейсов, ...
 Хелперы это учитывают, вам нужно сосредоточиться лишь на фильтрах {ip,nf}tables и
@@ -1617,12 +1593,13 @@ custom скрипты могут использовать переменные
 Запуск это или остановка передается в параметре $1 (0 или 1).
 В openwrt за остановку отвечает procd.
 
-Для фаервола в linux кастом пишется отдельно для iptables и nftables. Все очень похоже, но отличается
+Для фаервола кастом пишется отдельно для iptables и nftables. Все очень похоже, но отличается
 написание фильтров и названия процедур хелперов. Если вам не нужны iptables или nftables -
 можете не писать соответствующую функцию.
 
-В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout,
+Готовый custom скрипт custom-tpws4http-nfqws4https позволяет применить дурение
-содержащий правила для pf-якоря. Остальное сделает обертка.
+tpws к http и nfqws к https. При этом поддерживаются установки из config.
+Его можно использовать как стартовую точку для написания своих скриптов.
 
 
 Простая установка

init.d/macos/custom-tpws

@@ -1,20 +1,16 @@
 # this script is an example describing how to run tpws on a custom port
 
-DNUM=100
+TPPORT_MY=987
-TPPORT_MY=${TPPORT_MY:-987}
-TPWS_OPT_MY=${TPWS_OPT_MY:-987}
-TPWS_OPT_SUFFIX_MY="${TPWS_OPT_SUFFIX_MY:-}"
-DPORTS_MY=${DPORTS_MY:-20443,20444,30000-30009}
 
 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt="--user=root --port=$TPPORT_MY"
 	tpws_apply_binds opt
-	opt="$opt $TPWS_OPT_MY"
+	opt="$opt $TPWS_OPT"
 	filter_apply_hostlist_target opt
-	filter_apply_suffix opt "$TPWS_OPT_SUFFIX_MY"
+	filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
-	do_daemon $1 $DNUM "$TPWS" "$opt"
+	do_daemon $1 1 "$TPWS" "$opt"
 }
 
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
@@ -22,9 +18,9 @@ zapret_custom_daemons()
 
 zapret_custom_firewall_v4()
 {
-	pf_anchor_zapret_v4_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
+	pf_anchor_zapret_v4_tpws $TPPORT_MY
 }
 zapret_custom_firewall_v6()
 {
-	pf_anchor_zapret_v6_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
+	pf_anchor_zapret_v6_tpws $TPPORT_MY
 }

init.d/macos/custom.d.examples/10-inherit-tpws

@@ -1,18 +0,0 @@
-# this custom script applies tpws mode as it would be with MODE=tpws
-
-OVERRIDE=tpws
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
-}
-zapret_custom_firewall_v4()
-{
-	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
-}
-zapret_custom_firewall_v6()
-{
-	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
-}

init.d/macos/custom.d.examples/10-inherit-tpws-socks

@@ -1,18 +0,0 @@
-# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
-
-OVERRIDE=tpws-socks
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
-}
-zapret_custom_firewall_v4()
-{
-	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
-}
-zapret_custom_firewall_v6()
-{
-	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
-}

init.d/macos/custom.default

@@ -0,0 +1,21 @@
+# this script contain your special code to launch daemons and configure firewall
+# use helpers from "functions" file
+# in case of upgrade keep this file only, do not modify others
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+	:
+}
+
+# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
+# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
+
+zapret_custom_firewall_v4()
+{
+	:
+}
+zapret_custom_firewall_v6()
+{
+	:
+}

init.d/macos/functions

@@ -7,8 +7,6 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/base.sh"
 . "$ZAPRET_BASE/common/pf.sh"
 . "$ZAPRET_BASE/common/list.sh"
-. "$ZAPRET_BASE/common/custom.sh"
-CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
 
 IPSET_DIR=$ZAPRET_BASE/ipset
 . "$IPSET_DIR/def.sh"
@@ -186,7 +184,7 @@ zapret_do_daemons()
 		filter)
 			;;
 		custom)
-			custom_runner zapret_custom_daemons $1
+			existf zapret_custom_daemons && zapret_custom_daemons $1
 			;;
 		*)
 			echo "unsupported MODE=$MODE"

init.d/openwrt/custom-nfqws-dht4all

@@ -1,39 +1,47 @@
-# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
 
-DNUM=101
+QNUM2=$(($QNUM+20))
-QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
         # stop logic is managed by procd
 
-        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+        local MODE_OVERRIDE=nfqws
-	do_nfqws $1 $DNUM "$opt"
+        local opt
+
+        start_daemons_procd
+
+        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+        run_daemon 100 $NFQWS "$opt"
 }
 zapret_custom_firewall()
 {
         # $1 - 1 - run, 0 - stop
 
+        local MODE_OVERRIDE=nfqws
         local f uf4 uf6
         local first_packet_only="$ipt_connbytes 1:1"
         local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
+        zapret_do_firewall_rules_ipt $1
+
         f='-p udp -m length --length 109:407 -m u32 --u32'
 	uf4='0>>22&0x3C@8>>16=0x6431'
 	uf6='48>>16=0x6431'
         fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
-
 }
 zapret_custom_firewall_nft()
 {
         # stop logic is not required
 
+        local MODE_OVERRIDE=nfqws
         local f
         local first_packet_only="$nft_connbytes 1"
         local desync="mark and $DESYNC_MARK == 0"
 
+        zapret_apply_firewall_rules_nft
+
         f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
         nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }
-

init.d/openwrt/custom-nfqws-quic4all

@@ -1,25 +1,32 @@
-# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
 
-DNUM=102
+QNUM2=$(($QNUM+10))
-QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
-	# $1 - 1 - run, 0 - stop
+	# stop logic is managed by procd
 
-	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	local MODE_OVERRIDE=nfqws
-	run_daemon $DNUM $NFQWS "$opt"
+	local opt
+
+	start_daemons_procd
+
+	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	run_daemon 100 $NFQWS "$opt"
 }
 zapret_custom_firewall()
 {
 	# $1 - 1 - run, 0 - stop
 
+	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
+	zapret_do_firewall_rules_ipt $1
+
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 
@@ -28,10 +35,13 @@ zapret_custom_firewall_nft()
 {
 	# stop logic is not required
 
+	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$nft_connbytes 1-3"
 	local desync="mark and $DESYNC_MARK == 0"
 
+	zapret_apply_firewall_rules_nft
+
 	f="udp dport {$QUIC_PORTS}"
 	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }

init.d/openwrt/custom-reuse-builtin-mode

@@ -0,0 +1,47 @@
+# this custom script demonstrates how to reuse built-in modes and add something from yourself
+
+MY_TPPORT=$(($TPPORT + 1))
+MY_TPWS_OPT="--methodeol --hostcase"
+MY_DPORT=81
+
+zapret_custom_daemons()
+{
+	# stop logic is managed by procd
+
+	local MODE_OVERRIDE=tpws
+	local opt
+
+	start_daemons_procd
+
+	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
+	filter_apply_hostlist_target opt
+	run_tpws 100 "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=tpws
+	local f4 f6
+
+	zapret_do_firewall_rules_ipt $1
+
+	f4="-p tcp --dport $MY_DPORT"
+	f6=$f4
+	filter_apply_ipset_target f4 f6
+	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local MODE_OVERRIDE=tpws
+	local f4 f6
+
+	zapret_apply_firewall_rules_nft
+
+	f4="tcp dport $MY_DPORT"
+	f6=$f4
+	nft_filter_apply_ipset_target f4 f6
+	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
+}

init.d/openwrt/custom-tpws4http-nfqws4https

@@ -3,7 +3,7 @@
 
 zapret_custom_daemons()
 {
-	# $1 - 1 - run, 0 - stop
+	# stop logic is managed by procd
 
 	local opt
 
@@ -15,7 +15,7 @@ zapret_custom_daemons()
 	}
 
 	[ "$MODE_HTTPS" = "1" ] && {
-		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
+		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
 		filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
 		run_daemon 2 $NFQWS "$opt"
@@ -41,8 +41,6 @@ zapret_custom_firewall()
 		f6=$f4
 		filter_apply_ipset_target f4 f6
 		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
-		# for modes that require incoming traffic
-		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
 	}
 }
 zapret_custom_firewall_nft()

init.d/openwrt/custom.d.examples/10-inherit-nfqws

@@ -1,22 +0,0 @@
-# this custom script applies nfqws mode as it would be with MODE=nfqws
-
-OVERRIDE=nfqws
-
-zapret_custom_daemons()
-{
-        # stop logic is managed by procd
-
-	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
-}

init.d/openwrt/custom.d.examples/10-inherit-tpws

@@ -1,22 +0,0 @@
-# this custom script applies tpws mode as it would be with MODE=tpws
-
-OVERRIDE=tpws
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
-}

init.d/openwrt/custom.d.examples/10-inherit-tpws-socks

@@ -1,22 +0,0 @@
-# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
-
-OVERRIDE=tpws-socks
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
-}

init.d/openwrt/custom.default

@@ -0,0 +1,33 @@
+# this script contain your special code to launch daemons and configure firewall
+# use helpers from "functions" file and "zapret" init script
+# in case of upgrade keep this file only, do not modify others
+
+zapret_custom_daemons()
+{
+	# stop logic is managed by procd
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Start daemon\(s\)
+	echo Study how other sections work
+
+	run_daemon 1 /bin/sleep 20
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Configure iptables for required actions
+	echo Study how other sections work
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Configure nftables for required actions
+	echo Study how other sections work
+}

init.d/openwrt/functions

@@ -12,8 +12,6 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
-. "$ZAPRET_BASE/common/custom.sh"
-CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
 
 [ -n "$QNUM" ] || QNUM=200
 [ -n "$TPPORT" ] || TPPORT=988
@@ -29,6 +27,9 @@ LINKLOCAL_WAIT_SEC=5
 
 IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
 
+CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/openwrt/custom"
+[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
+
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 

init.d/openwrt/zapret

@@ -173,7 +173,7 @@ start_daemons_procd()
 			}
 			;;
 		custom)
-	    		custom_runner zapret_custom_daemons $1
+	    		existf zapret_custom_daemons && zapret_custom_daemons $1
 			;;
 	esac
 

init.d/sysv/custom-nfqws-dht4all

@@ -1,24 +1,31 @@
-# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
 
-DNUM=101
+QNUM2=$(($QNUM+20))
-QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
         # stop logic is managed by procd
 
-        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+        local MODE_OVERRIDE=nfqws
-	run_daemon $DNUM $NFQWS "$opt"
+        local opt
+
+        zapret_do_daemons $1
+
+        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+	do_nfqws $1 100 "$opt"
 }
 zapret_custom_firewall()
 {
         # $1 - 1 - run, 0 - stop
 
+        local MODE_OVERRIDE=nfqws
         local f uf4 uf6
         local first_packet_only="$ipt_connbytes 1:1"
         local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
+        zapret_do_firewall_rules_ipt $1
+
         f='-p udp -m length --length 109:407 -m u32 --u32'
 	uf4='0>>22&0x3C@8>>16=0x6431'
 	uf6='48>>16=0x6431'
@@ -29,10 +36,13 @@ zapret_custom_firewall_nft()
 {
         # stop logic is not required
 
+        local MODE_OVERRIDE=nfqws
         local f
         local first_packet_only="$nft_connbytes 1"
         local desync="mark and $DESYNC_MARK == 0"
 
+        zapret_apply_firewall_rules_nft
+
         f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
         nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }

init.d/sysv/custom-nfqws-quic4all

@@ -1,25 +1,32 @@
-# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
 
-DNUM=102
+QNUM2=$(($QNUM+10))
-QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	local MODE_OVERRIDE=nfqws
-	do_nfqws $1 $DNUM "$opt"
+	local opt
+
+	zapret_do_daemons $1
+
+	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 100 "$opt"
 }
 zapret_custom_firewall()
 {
 	# $1 - 1 - run, 0 - stop
 
+	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
+	zapret_do_firewall_rules_ipt $1
+
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 
@@ -28,10 +35,13 @@ zapret_custom_firewall_nft()
 {
 	# stop logic is not required
 
+	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$nft_connbytes 1-3"
 	local desync="mark and $DESYNC_MARK == 0"
 
+	zapret_apply_firewall_rules_nft
+
 	f="udp dport {$QUIC_PORTS}"
 	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }

init.d/sysv/custom-reuse-builtin-mode

@@ -0,0 +1,47 @@
+# this custom script demonstrates how to reuse built-in modes and add something from yourself
+
+MY_TPPORT=$(($TPPORT + 1))
+MY_TPWS_OPT="--methodeol --hostcase"
+MY_DPORT=81
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=tpws
+	local opt
+
+	zapret_do_daemons $1
+
+	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
+	filter_apply_hostlist_target opt
+	do_tpws $1 100 "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=tpws
+	local f4 f6
+
+	zapret_do_firewall_rules_ipt $1
+
+	f4="-p tcp --dport $MY_DPORT"
+	f6=$f4
+	filter_apply_ipset_target f4 f6
+	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local MODE_OVERRIDE=tpws
+	local f4 f6
+
+	zapret_apply_firewall_rules_nft
+
+	f4="tcp dport $MY_DPORT"
+	f6=$f4
+	nft_filter_apply_ipset_target f4 f6
+	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
+}

init.d/sysv/custom.d.examples/10-inherit-nfqws

@@ -1,22 +0,0 @@
-# this custom script applies nfqws mode as it would be with MODE=nfqws
-
-OVERRIDE=nfqws
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
-}

init.d/sysv/custom.d.examples/10-inherit-tpws

@@ -1,22 +0,0 @@
-# this custom script applies tpws mode as it would be with MODE=tpws
-
-OVERRIDE=tpws
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
-}

init.d/sysv/custom.d.examples/10-inherit-tpws-socks

@@ -1,22 +0,0 @@
-# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
-
-OVERRIDE=tpws-socks
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
-}

init.d/sysv/custom.default

@@ -0,0 +1,34 @@
+# this script contain your special code to launch daemons and configure firewall
+# use helpers from "functions" file
+# in case of upgrade keep this file only, do not modify others
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Start daemon\(s\)
+	echo Study how other sections work
+
+	do_daemon $1 1 /bin/sleep 20
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Configure iptables for required actions
+	echo Study how other sections work
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Configure nftables for required actions
+	echo Study how other sections work
+}

init.d/sysv/functions

@@ -12,8 +12,6 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
-. "$ZAPRET_BASE/common/custom.sh"
-CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 
 user_exists()
@@ -93,6 +91,9 @@ TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=
 # max wait time for the link local ipv6 on the LAN interface
 LINKLOCAL_WAIT_SEC=5
 
+CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom"
+[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
+
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 
@@ -340,7 +341,7 @@ zapret_do_daemons()
 			}
 			;;
 		custom)
-			custom_runner zapret_custom_daemons $1
+	    		existf zapret_custom_daemons && zapret_custom_daemons $1
 			;;
 	esac
 

install_bin.sh

@@ -29,11 +29,11 @@ check_dir()
 			fi
 			[ -n "$out" ]
 		else
-			echo >&2 "$exe is not executable. set proper chmod."
+			echo "$exe is not executable. set proper chmod."
 			return 1
 		fi
 	else
-		echo >&2 "$exe is absent"
+		echo "$exe is absent"
 		return 2
 	fi
 }

install_easy.sh

@@ -138,15 +138,6 @@ select_mode_mode()
 			echo ..edited..
 		done
 	}
-	[ "$MODE" = custom ] && {
-		echo
-		echo "current custom scripts :"
-		[ -f "$CUSTOM_DIR/custom" ] && echo "legacy custom script $CUSTOM_DIR/custom"
-		echo "$CUSTOM_DIR/custom.d :"
-		[ -d "$CUSTOM_DIR/custom.d" ] && ls "$CUSTOM_DIR/custom.d"
-		echo "Make sure this is ok"
-		echo
-	}
 }
 select_mode_http()
 {
@@ -402,7 +393,7 @@ default_files()
 	for dir in openwrt sysv macos; do
 		[ -d "$1/init.d/$dir" ] && {
 			[ -d "$2/init.d/$dir" ] || mkdir -p "$2/init.d/$dir"
-			[ -d "$2/init.d/$dir/custom.d" ] || mkdir -p "$2/init.d/$dir/custom.d"
+			[ -f "$2/init.d/$dir/custom" ] || cp "$1/init.d/$dir/custom.default" "$2/init.d/$dir/custom"
 		}
 	done
 }
@@ -493,11 +484,7 @@ _backup_settings()
 {
 	local i=0
 	for f in "$@"; do
-		# safety check
-		[ -z "$f" -o "$f" = "/" ] && continue
-
 		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
-		[ -d "$ZAPRET_TARGET/$f" ] && cp -rf "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
 		i=$(($i+1))
 	done
 }
@@ -505,14 +492,7 @@ _restore_settings()
 {
 	local i=0
 	for f in "$@"; do
-		# safety check
-		[ -z "$f" -o "$f" = "/" ] && continue
-
 		[ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i"
-		[ -d "/tmp/zapret-bkp-$i" ] && {
-			[ -d "$ZAPRET_TARGET/$f" ] && rm -r "$ZAPRET_TARGET/$f"
-			mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -r "/tmp/zapret-bkp-$i"
-		}
 		i=$(($i+1))
 	done
 }
@@ -520,7 +500,7 @@ backup_restore_settings()
 {
 	# $1 - 1 - backup, 0 - restore
 	local mode=$1
-	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/sysv/custom.d" "init.d/openwrt/custom" "init.d/openwrt/custom.d" "init.d/macos/custom" "init.d/macos/custom.d" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
+	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
 }
 
 check_location()
@@ -643,7 +623,6 @@ check_dns()
 install_systemd()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
-	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 	check_bins
 	require_root
@@ -671,8 +650,6 @@ _install_sysv()
 {
 	# $1 - install init script
 
-	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
-
 	check_bins
 	require_root
 	check_readonly_system
@@ -710,7 +687,6 @@ install_openrc()
 install_linux()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
-	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 	check_bins
 	require_root
@@ -781,7 +757,6 @@ deoffload_openwrt_firewall()
 install_openwrt()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret"
-	CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
 	FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret"
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
 	OPENWRT_IFACE_HOOK="$EXEDIR/init.d/openwrt/90-zapret"
@@ -854,7 +829,6 @@ macos_fw_reload_trigger_set()
 install_macos()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret"
-	CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
 
 	# compile before root
 	check_bins

ipset/create_ipset.sh

@@ -4,12 +4,12 @@
 # $1=no-update    - do not update ipset, only create if its absent
 # $1=clear        - clear ipset
 
-EXEDIR="$(dirname "$0")"
+IPSET_DIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
 
-. "$EXEDIR/def.sh"
+. "$IPSET_DIR/def.sh"
-. "$ZAPRET_BASE/common/fwtype.sh"
+. "$IPSET_DIR/../common/fwtype.sh"
-. "$ZAPRET_BASE/common/nft.sh"
+. "$IPSET_DIR/../common/nft.sh"
 
 IPSET_CMD="$TMPDIR/ipset_cmd.txt"
 IPSET_SAVERAM_CHUNK_SIZE=20000
@@ -119,12 +119,13 @@ nfset_get_script_multi()
 	local set=$1 nonempty N=1 f
 	
 	shift
+
 	# first we need to make sure at least one element exists or nft will fail
 	while :
 	do
 		eval f=\$$N
 		[ -n "$f" ] || break
-		nonempty=$(zzexist "$f" && zzcat "$f" 2>/dev/null | head -n 1)
+		nonempty=$(zzexist "$f" && zzcat "$f" | head -n 1)
 		[ -n "$nonempty" ] && break
 		N=$(($N+1))
 	done

ipset/def.sh

@@ -1,12 +1,10 @@
-EXEDIR="$(dirname "$0")"
+[ -n "$IPSET_DIR" ] || {
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+ IPSET_DIR="$(dirname "$0")"
-ZAPRET_BASE=${ZAPRET_BASE:-"$(cd "$EXEDIR/.."; pwd)"}
+ IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+}
-ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
-IPSET_RW_DIR="$ZAPRET_RW/ipset"
 
-. "$ZAPRET_CONFIG"
+. "$IPSET_DIR/../config"
-. "$ZAPRET_BASE/common/base.sh"
+. "$IPSET_DIR/../common/base.sh"
 
 [ -z "$TMPDIR" ] && TMPDIR=/tmp
 [ -z "$GZIP_LISTS" ] && GZIP_LISTS=1
@@ -23,27 +21,27 @@ ZIPSET=zapret
 ZIPSET6=zapret6
 ZIPSET_EXCLUDE=nozapret
 ZIPSET_EXCLUDE6=nozapret6
-ZIPLIST="$IPSET_RW_DIR/zapret-ip.txt"
+ZIPLIST="$IPSET_DIR/zapret-ip.txt"
-ZIPLIST6="$IPSET_RW_DIR/zapret-ip6.txt"
+ZIPLIST6="$IPSET_DIR/zapret-ip6.txt"
-ZIPLIST_EXCLUDE="$IPSET_RW_DIR/zapret-ip-exclude.txt"
+ZIPLIST_EXCLUDE="$IPSET_DIR/zapret-ip-exclude.txt"
-ZIPLIST_EXCLUDE6="$IPSET_RW_DIR/zapret-ip-exclude6.txt"
+ZIPLIST_EXCLUDE6="$IPSET_DIR/zapret-ip-exclude6.txt"
-ZIPLIST_USER="$IPSET_RW_DIR/zapret-ip-user.txt"
+ZIPLIST_USER="$IPSET_DIR/zapret-ip-user.txt"
-ZIPLIST_USER6="$IPSET_RW_DIR/zapret-ip-user6.txt"
+ZIPLIST_USER6="$IPSET_DIR/zapret-ip-user6.txt"
-ZUSERLIST="$IPSET_RW_DIR/zapret-hosts-user.txt"
+ZUSERLIST="$IPSET_DIR/zapret-hosts-user.txt"
-ZHOSTLIST="$IPSET_RW_DIR/zapret-hosts.txt"
+ZHOSTLIST="$IPSET_DIR/zapret-hosts.txt"
 
 ZIPSET_IPBAN=ipban
 ZIPSET_IPBAN6=ipban6
-ZIPLIST_IPBAN="$IPSET_RW_DIR/zapret-ip-ipban.txt"
+ZIPLIST_IPBAN="$IPSET_DIR/zapret-ip-ipban.txt"
-ZIPLIST_IPBAN6="$IPSET_RW_DIR/zapret-ip-ipban6.txt"
+ZIPLIST_IPBAN6="$IPSET_DIR/zapret-ip-ipban6.txt"
-ZIPLIST_USER_IPBAN="$IPSET_RW_DIR/zapret-ip-user-ipban.txt"
+ZIPLIST_USER_IPBAN="$IPSET_DIR/zapret-ip-user-ipban.txt"
-ZIPLIST_USER_IPBAN6="$IPSET_RW_DIR/zapret-ip-user-ipban6.txt"
+ZIPLIST_USER_IPBAN6="$IPSET_DIR/zapret-ip-user-ipban6.txt"
-ZUSERLIST_IPBAN="$IPSET_RW_DIR/zapret-hosts-user-ipban.txt"
+ZUSERLIST_IPBAN="$IPSET_DIR/zapret-hosts-user-ipban.txt"
-ZUSERLIST_EXCLUDE="$IPSET_RW_DIR/zapret-hosts-user-exclude.txt"
+ZUSERLIST_EXCLUDE="$IPSET_DIR/zapret-hosts-user-exclude.txt"
 
 
-[ -n "$IP2NET" ] || IP2NET="$ZAPRET_BASE/ip2net/ip2net"
+[ -n "$IP2NET" ] || IP2NET="$IPSET_DIR/../ip2net/ip2net"
-[ -n "$MDIG" ] || MDIG="$ZAPRET_BASE/mdig/mdig"
+[ -n "$MDIG" ] || MDIG="$IPSET_DIR/../mdig/mdig"
 [ -z "$MDIG_THREADS" ] && MDIG_THREADS=30
 
 

nfq/desync.c

@@ -630,6 +630,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		{
 			dp = ctrack->dp;
 			ctrack_replay = ctrack;
+			maybe_cutoff(ctrack, IPPROTO_TCP);
 		}
 		if (dp)
 			DLOG("using cached desync profile %d\n",dp->n);
@@ -647,7 +648,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("matching desync profile not found\n");
 			return verdict;
 		}
-		maybe_cutoff(ctrack, IPPROTO_TCP);
 
 		HostFailPoolPurgeRateLimited(&dp->hostlist_auto_fail_counters);
 
@@ -1435,6 +1435,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 		{
 			dp = ctrack->dp;
 			ctrack_replay = ctrack;
+			maybe_cutoff(ctrack, IPPROTO_UDP);
 		}
 		if (dp)
 			DLOG("using cached desync profile %d\n",dp->n);
@@ -1452,7 +1453,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("matching desync profile not found\n");
 			return verdict;
 		}
-		maybe_cutoff(ctrack, IPPROTO_UDP);
 
 		HostFailPoolPurgeRateLimited(&dp->hostlist_auto_fail_counters);
 		//ConntrackPoolDump(&params.conntrack);