Merge 92ba6b439e6aed8557a315ebfcd350016159be52 into 594e613fcb3669e377d1f564873e15459dc5f229

update docs
winws: --wf-tcp filter out empty ack
2025-05-24 22:32:58 +03:00 · 2024-12-13 19:25:01 +03:00 · 2024-12-13 18:59:43 +03:00 · 2024-12-13 18:49:45 +03:00 · 2024-12-13 15:59:58 +03:00
4 changed files with 38 additions and 3 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -423,3 +423,9 @@ v69.6
 nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
 init.d: unify custom scripts for linux
 init.d: new custom scripts : 20-fw-extra, 50-wg4all
+
+v69.7
+
+nfqws,tpws: --comment
+nfqws: trash flood warning
+winws: exclude empty outgoing ack packets in windivert filter
--- a/docs/readme.en.md
+++ b/docs/readme.en.md
@ -1,4 +1,4 @@
-# zapret v69.6
+# zapret v69.7

 # SCAMMER WARNING

@ -132,6 +132,7 @@ nfqws takes the following parameters:

 --debug=0|1
 --dry-run                                      ; verify parameters and exit with code 0 if successful
+ --comment                                      ; any text (ignored)
 --qnum=<nfqueue_number>
 --daemon                                       ; daemonize
 --pidfile=<filename>                           ; write pid to file
--- a/docs/readme.md
+++ b/docs/readme.md
@ -1,4 +1,4 @@
-# zapret v69.6
+# zapret v69.7

 # ВНИМАНИЕ, остерегайтесь мошенников

@ -163,6 +163,7 @@ dvtws, собираемый из тех же исходников (см. [док

 --debug=0|1                                        ; 1=выводить отладочные сообщения
 --dry-run                                          ; проверить опции командной строки и выйти. код 0 - успешная проверка.
+--comment                                          ; любой текст (игнорируется)
 --daemon                                           ; демонизировать прогу
 --pidfile=<file>                                   ; сохранить PID в файл
 --user=<username>                                  ; менять uid процесса
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -981,6 +981,7 @@ static bool wf_make_pf(char *opt, const char *l4, const char *portname, char *bu
 #define DIVERT_NO_LOCALNETS_SRC "(" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC ")"
 #define DIVERT_NO_LOCALNETS_DST "(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST ")"

+#define DIVERT_TCP_NOT_EMPTY "(!tcp or tcp.Syn or tcp.PayloadLength>0)"
 #define DIVERT_TCP_INBOUNDS "(tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin)"

 // HTTP/1.? 30(2|7)
@ -998,6 +999,7 @@ static bool wf_make_filter(
 	char pf_dst_buf[512],iface[64];
 	const char *pf_dst;
 	const char *f_tcpin = *pf_tcp_src ? dp_list_have_autohostlist(&params.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : "";
+	const char *f_tcp_not_empty = *pf_tcp_src ? DIVERT_TCP_NOT_EMPTY " and " : "";

 	snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx);

@ -1010,9 +1012,10 @@ static bool wf_make_filter(
 	else
 		pf_dst = *pf_tcp_dst ? pf_tcp_dst : pf_udp_dst;
 	snprintf(wf,len,
- 	       DIVERT_PROLOG " and%s%s\n ((outbound and %s%s)\n  or\n  (inbound and tcp%s%s%s%s%s%s%s))",
+	       DIVERT_PROLOG " and%s%s\n ((outbound and %s%s%s)\n  or\n  (inbound and tcp%s%s%s%s%s%s%s))",
 		IfIdx ? iface : "",
 		ipv4 ? ipv6 ? "" : " ip and" : " ipv6 and",
+		f_tcp_not_empty,
 		pf_dst,
 		ipv4 ? ipv6 ? " and " DIVERT_NO_LOCALNETS_DST : " and " DIVERT_NO_LOCALNETSv4_DST : " and " DIVERT_NO_LOCALNETSv6_DST,
 		*pf_tcp_src ? "" : " and false",
@ -1190,6 +1193,27 @@ void config_from_file(const char *filename)
 }
 #endif

+void check_dp(const struct desync_profile *dp)
+{
+	// only linux has connbytes limiter
+	if (dp->desync_any_proto && !dp->desync_cutoff &&
+		(dp->desync_mode==DESYNC_FAKE || dp->desync_mode==DESYNC_RST || dp->desync_mode==DESYNC_RSTACK ||
+		 dp->desync_mode==DESYNC_FAKEDSPLIT || dp->desync_mode==DESYNC_FAKEDDISORDER || dp->desync_mode2==DESYNC_FAKEDSPLIT || dp->desync_mode2==DESYNC_FAKEDDISORDER))
+	{
+#ifdef __linux__
+		DLOG_CONDUP("WARNING !!! in profile %d you are using --dpi-desync-any-protocol without --dpi-desync-cutoff\n", dp->n);
+		DLOG_CONDUP("WARNING !!! it's completely ok if connbytes or payload based ip/nf tables limiter is applied. Make sure it exists.\n");
+#else
+		DLOG_CONDUP("WARNING !!! possible TRASH FLOOD configuration detected in profile %d\n", dp->n);
+		DLOG_CONDUP("WARNING !!! it's highly recommended to use --dpi-desync-cutoff limiter or fakes will be sent on every processed packet\n");
+		DLOG_CONDUP("WARNING !!! make sure it's really what you want\n");
+#ifdef __CYGWIN__
+		DLOG_CONDUP("WARNING !!! in most cases this is acceptable only with custom payload based windivert filter (--wf-raw)\n");
+#endif
+#endif
+	}
+}
+
 #define STRINGIFY(x) #x
 #define TOSTRING(x) STRINGIFY(x)
 #if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
@ -1950,6 +1974,7 @@ int main(int argc, char **argv)
 			}
 			else
 			{
+				check_dp(dp);
 				if (!(dpl = dp_list_add(&params.desync_profiles)))
 				{
 					DLOG_ERR("desync_profile_add: out of memory\n");
@ -2154,6 +2179,8 @@ int main(int argc, char **argv)
 		dp_entry_destroy(dpl);
 		desync_profile_count--;
 	}
+	else
+		check_dp(dp);

 	// do not need args from file anymore
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
Author	SHA1	Message	Date
Lorekin	15ac91cfab	Merge 92ba6b439e6aed8557a315ebfcd350016159be52 into 594e613fcb3669e377d1f564873e15459dc5f229	2024-12-13 19:25:01 +03:00
bol-van	594e613fcb	update docs	2024-12-13 18:59:43 +03:00
bol-van	7b7a6dd154	winws: --wf-tcp filter out empty ack	2024-12-13 18:49:45 +03:00
bol-van	dcf78a76e5	nfqws: trash flood check	2024-12-13 15:59:58 +03:00