Merge 92ba6b439e6aed8557a315ebfcd350016159be52 into 594e613fcb3669e377d1f564873e15459dc5f229

docs/changes.txt

@@ -423,3 +423,9 @@ v69.6
 nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
 init.d: unify custom scripts for linux
 init.d: new custom scripts : 20-fw-extra, 50-wg4all
+
+v69.7
+
+nfqws,tpws: --comment
+nfqws: trash flood warning
+winws: exclude empty outgoing ack packets in windivert filter

docs/readme.en.md

@@ -1,4 +1,4 @@
-# zapret v69.6
+# zapret v69.7
 
 # SCAMMER WARNING
 
@@ -132,6 +132,7 @@ nfqws takes the following parameters:
 
  --debug=0|1
  --dry-run                                      ; verify parameters and exit with code 0 if successful
+ --comment                                      ; any text (ignored)
  --qnum=<nfqueue_number>
  --daemon                                       ; daemonize
  --pidfile=<filename>                           ; write pid to file

docs/readme.md

@@ -1,4 +1,4 @@
-# zapret v69.6
+# zapret v69.7
 
 # ВНИМАНИЕ, остерегайтесь мошенников
 
@@ -163,6 +163,7 @@ dvtws, собираемый из тех же исходников (см. [док
 
 --debug=0|1                                        ; 1=выводить отладочные сообщения
 --dry-run                                          ; проверить опции командной строки и выйти. код 0 - успешная проверка.
+--comment                                          ; любой текст (игнорируется)
 --daemon                                           ; демонизировать прогу
 --pidfile=<file>                                   ; сохранить PID в файл
 --user=<username>                                  ; менять uid процесса

ipset/get_antifilter_domains.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+IPSET_DIR="$(dirname "$0")"
+IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+
+. "$IPSET_DIR/def.sh"
+
+TMPLIST="$TMPDIR/list.txt"
+
+URL="https://antifilter.download/list/domains.lst"
+
+dl()
+{
+  # $1 - url
+  # $2 - file
+  # $3 - minsize
+  # $4 - maxsize
+  curl -L -H "Accept-Encoding: gzip" -k --fail --max-time 60 --connect-timeout 10 --retry 4 --max-filesize 251658240 -o "$TMPLIST" "$1" ||
+  {
+   echo list download failed : $1
+   exit 2
+  }
+  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  if test $dlsize -lt $3; then
+   echo list is too small : $dlsize bytes. can be bad.
+   exit 2
+  fi
+  zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
+  rm -f "$TMPLIST"
+}
+
+# useful in case ipban set is used in custom scripts
+FAIL=
+getipban || FAIL=1
+"$IPSET_DIR/create_ipset.sh"
+[ -n "$FAIL" ] && exit
+
+dl "$URL" "$ZHOSTLIST" 32768 4194304
+
+exit 0

nfq/nfqws.c

@@ -981,6 +981,7 @@ static bool wf_make_pf(char *opt, const char *l4, const char *portname, char *bu
 #define DIVERT_NO_LOCALNETS_SRC "(" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC ")"
 #define DIVERT_NO_LOCALNETS_DST "(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST ")"
 
+#define DIVERT_TCP_NOT_EMPTY "(!tcp or tcp.Syn or tcp.PayloadLength>0)"
 #define DIVERT_TCP_INBOUNDS "(tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin)"
 
 // HTTP/1.? 30(2|7)
@@ -998,6 +999,7 @@ static bool wf_make_filter(
 	char pf_dst_buf[512],iface[64];
 	const char *pf_dst;
 	const char *f_tcpin = *pf_tcp_src ? dp_list_have_autohostlist(&params.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : "";
+	const char *f_tcp_not_empty = *pf_tcp_src ? DIVERT_TCP_NOT_EMPTY " and " : "";
 
 	snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx);
 
@@ -1010,9 +1012,10 @@ static bool wf_make_filter(
 	else
 		pf_dst = *pf_tcp_dst ? pf_tcp_dst : pf_udp_dst;
 	snprintf(wf,len,
- 	       DIVERT_PROLOG " and%s%s\n ((outbound and %s%s)\n  or\n  (inbound and tcp%s%s%s%s%s%s%s))",
+	       DIVERT_PROLOG " and%s%s\n ((outbound and %s%s%s)\n  or\n  (inbound and tcp%s%s%s%s%s%s%s))",
 		IfIdx ? iface : "",
 		ipv4 ? ipv6 ? "" : " ip and" : " ipv6 and",
+		f_tcp_not_empty,
 		pf_dst,
 		ipv4 ? ipv6 ? " and " DIVERT_NO_LOCALNETS_DST : " and " DIVERT_NO_LOCALNETSv4_DST : " and " DIVERT_NO_LOCALNETSv6_DST,
 		*pf_tcp_src ? "" : " and false",
@@ -1190,6 +1193,27 @@ void config_from_file(const char *filename)
 }
 #endif
 
+void check_dp(const struct desync_profile *dp)
+{
+	// only linux has connbytes limiter
+	if (dp->desync_any_proto && !dp->desync_cutoff &&
+		(dp->desync_mode==DESYNC_FAKE || dp->desync_mode==DESYNC_RST || dp->desync_mode==DESYNC_RSTACK ||
+		 dp->desync_mode==DESYNC_FAKEDSPLIT || dp->desync_mode==DESYNC_FAKEDDISORDER || dp->desync_mode2==DESYNC_FAKEDSPLIT || dp->desync_mode2==DESYNC_FAKEDDISORDER))
+	{
+#ifdef __linux__
+		DLOG_CONDUP("WARNING !!! in profile %d you are using --dpi-desync-any-protocol without --dpi-desync-cutoff\n", dp->n);
+		DLOG_CONDUP("WARNING !!! it's completely ok if connbytes or payload based ip/nf tables limiter is applied. Make sure it exists.\n");
+#else
+		DLOG_CONDUP("WARNING !!! possible TRASH FLOOD configuration detected in profile %d\n", dp->n);
+		DLOG_CONDUP("WARNING !!! it's highly recommended to use --dpi-desync-cutoff limiter or fakes will be sent on every processed packet\n");
+		DLOG_CONDUP("WARNING !!! make sure it's really what you want\n");
+#ifdef __CYGWIN__
+		DLOG_CONDUP("WARNING !!! in most cases this is acceptable only with custom payload based windivert filter (--wf-raw)\n");
+#endif
+#endif
+	}
+}
+
 #define STRINGIFY(x) #x
 #define TOSTRING(x) STRINGIFY(x)
 #if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
@@ -1950,6 +1974,7 @@ int main(int argc, char **argv)
 			}
 			else
 			{
+				check_dp(dp);
 				if (!(dpl = dp_list_add(&params.desync_profiles)))
 				{
 					DLOG_ERR("desync_profile_add: out of memory\n");
@@ -2154,6 +2179,8 @@ int main(int argc, char **argv)
 		dp_entry_destroy(dpl);
 		desync_profile_count--;
 	}
+	else
+		check_dp(dp);
 
 	// do not need args from file anymore
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)