mirror of
https://github.com/bol-van/zapret.git
synced 2025-05-24 22:32:58 +03:00
Compare commits
265 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
6fc4e75d89 | ||
|
fb894a8e2c | ||
|
86352430d4 | ||
|
e5f20d05f6 | ||
|
b610f08a9c | ||
|
8bbd2d97d5 | ||
|
972f665d88 | ||
|
a9a497fa77 | ||
|
14a170c9a3 | ||
|
d4080b6c6f | ||
|
20f1fb2cfd | ||
|
35c3216287 | ||
|
628f629c49 | ||
|
33d3059dc8 | ||
|
f5cf7917fb | ||
|
b39508de7f | ||
|
c69a92f901 | ||
|
aba1fdeb04 | ||
|
02c76a4fb6 | ||
|
2ff6ec03aa | ||
|
80a0b38295 | ||
|
e0e935c2ae | ||
|
31cf106728 | ||
|
502e34a96d | ||
|
29ab747e5b | ||
|
b897ec5d9a | ||
|
440878cb9f | ||
|
1935473bd1 | ||
|
de6cadf8e4 | ||
|
d509497bb8 | ||
|
d7949f70b1 | ||
|
0912b7d104 | ||
|
29ff997a3f | ||
|
f21bd0c63c | ||
|
41693b1008 | ||
|
d000345043 | ||
|
f986da9ae2 | ||
|
c6e729b237 | ||
|
12a800db97 | ||
|
5e84656707 | ||
|
e87965cd2f | ||
|
4585cc4656 | ||
|
c0a08d3353 | ||
|
77474c9f76 | ||
|
15b2ee2d82 | ||
|
709279d6cf | ||
|
35d676406c | ||
|
9aff90b466 | ||
|
bc463930aa | ||
|
6fe9471077 | ||
|
884213f7ac | ||
|
80bf409615 | ||
|
3fe46ffb82 | ||
|
42c52014ee | ||
|
8aabc8b743 | ||
|
5df9b5d109 | ||
|
50616896c8 | ||
|
eb1cf7c15a | ||
|
b878c313f8 | ||
|
869e2cd8f9 | ||
|
8a996b415e | ||
|
62d2de904b | ||
|
a02be13dd1 | ||
|
c6058a4ea9 | ||
|
27ffe77243 | ||
|
3eb969cdaf | ||
|
73040bb156 | ||
|
c2bda9388f | ||
|
6cd0de7a0b | ||
|
85d319568c | ||
|
b3fd5c5dc1 | ||
|
202b7224fb | ||
|
647ee11917 | ||
|
63fbf2857c | ||
|
9c8636081c | ||
|
578d6d6db8 | ||
|
9ab9aef32b | ||
|
d4a72df111 | ||
|
ead91ae4f7 | ||
|
49385b6e57 | ||
|
499f9824ab | ||
|
2be5f1221a | ||
|
fef64e8849 | ||
|
675a8e52b6 | ||
|
d9a24b4105 | ||
|
594e613fcb | ||
|
7b7a6dd154 | ||
|
dcf78a76e5 | ||
|
fc42f6e20e | ||
|
45b93f3a45 | ||
|
1476cd2149 | ||
|
4ec6e5fa9f | ||
|
9d8398628c | ||
|
fe98c9d972 | ||
|
720c2fad86 | ||
|
7b057491af | ||
|
8e7b694076 | ||
|
e8395eea56 | ||
|
6e619eba1a | ||
|
f8bd218e67 | ||
|
207a6faf33 | ||
|
991e3534a6 | ||
|
ebb22dfa3f | ||
|
9bd65e0c1d | ||
|
5b337b6015 | ||
|
4189803693 | ||
|
1175b171ba | ||
|
bea643c967 | ||
|
addc813956 | ||
|
0f1721d2c4 | ||
|
abdc8d9449 | ||
|
9e9136cffd | ||
|
c802069a11 | ||
|
4e5caf4087 | ||
|
de63ee7321 | ||
|
d6688b935d | ||
|
21e08ca55e | ||
|
c4f53549b1 | ||
|
08645997f8 | ||
|
e42a545ebc | ||
|
8324c04a41 | ||
|
166847ba92 | ||
|
1904f01cf4 | ||
|
4ae1ad053d | ||
|
7d9946b007 | ||
|
86462f4cee | ||
|
669182c133 | ||
|
f81bb51f4a | ||
|
d4ff423add | ||
|
b14ff9b647 | ||
|
277c5f9e00 | ||
|
f016e5a4dc | ||
|
fc3912b4fe | ||
|
c01a764e1f | ||
|
4ecb40e03b | ||
|
be9c300cb3 | ||
|
839c720f60 | ||
|
127bec2f14 | ||
|
15879c82f6 | ||
|
9d188840c1 | ||
|
35a28f4efe | ||
|
78ea379e0f | ||
|
007cbe600b | ||
|
d1a8e276b5 | ||
|
eb2f5b5f45 | ||
|
a623cef95d | ||
|
f00b45a28e | ||
|
422faaa29c | ||
|
16a9e3f9c9 | ||
|
7c5869bc29 | ||
|
feb3dd4d73 | ||
|
b4204ca2ba | ||
|
89a67e6952 | ||
|
34199b151c | ||
|
c6962f575e | ||
|
9c8662b25e | ||
|
fedb62df66 | ||
|
44c19c1743 | ||
|
56aa481226 | ||
|
9184317549 | ||
|
a3048ae120 | ||
|
fc44d74f2b | ||
|
1779cfad30 | ||
|
4856be4ef1 | ||
|
033043bdc0 | ||
|
46284938ce | ||
|
09378553b9 | ||
|
6b85884cdf | ||
|
1b14a8210c | ||
|
182fe850db | ||
|
62b081e9fb | ||
|
e3e7449d74 | ||
|
669f1978a3 | ||
|
57c4b1a2b2 | ||
|
ac7385391e | ||
|
50a52d79ec | ||
|
d77a1c8cd6 | ||
|
395b9480c5 | ||
|
4470c73e48 | ||
|
9812630ef2 | ||
|
818520452e | ||
|
f0cc49c7e3 | ||
|
cc30a90556 | ||
|
e12dd237c2 | ||
|
19e7fca627 | ||
|
a0e1742861 | ||
|
a93b142dcd | ||
|
fc2d511d78 | ||
|
5207104c06 | ||
|
06147836d0 | ||
|
46eb30a897 | ||
|
840617a0c3 | ||
|
f7ae5eaae5 | ||
|
827a838715 | ||
|
db5c60e19f | ||
|
256c2d7e50 | ||
|
07c8cd3d5d | ||
|
8979384847 | ||
|
2a134b864a | ||
|
765770d2c7 | ||
|
ba58892011 | ||
|
63f40dd8a4 | ||
|
30443ed31d | ||
|
a8432a3caa | ||
|
53546a8d92 | ||
|
97f20a1cb5 | ||
|
2816f93831 | ||
|
8624ae1c4a | ||
|
ebcec6e79d | ||
|
faa9a3e714 | ||
|
69007b5098 | ||
|
ee44aebcc4 | ||
|
667d32a3e7 | ||
|
9a087fc6c9 | ||
|
3ad029efe0 | ||
|
92c27ea7d8 | ||
|
7b850e2e0e | ||
|
c48398871c | ||
|
8629a29eaa | ||
|
df69ce1991 | ||
|
c56e672600 | ||
|
677feecada | ||
|
5d6c91f7e9 | ||
|
cde3ca15c2 | ||
|
fa6f6822a1 | ||
|
ce33a27c57 | ||
|
4d47749e7c | ||
|
42090daf24 | ||
|
36cd8ca3b2 | ||
|
9ec2d685e3 | ||
|
46d31003e2 | ||
|
ef9f9ae428 | ||
|
e5bcc5f682 | ||
|
4961e0d1a5 | ||
|
6a20fa27b3 | ||
|
01af779f2a | ||
|
feb332140a | ||
|
a85a0f19da | ||
|
611292281c | ||
|
14e9fc4d43 | ||
|
8bc74333b8 | ||
|
28797184e4 | ||
|
08238664cd | ||
|
187affb844 | ||
|
5a82874624 | ||
|
200cd9caf2 | ||
|
f8b3dca6f5 | ||
|
f973a6f3a6 | ||
|
9b3bbb7285 | ||
|
284f911785 | ||
|
a17e490851 | ||
|
c1e670be23 | ||
|
918d52c2e6 | ||
|
1c7080ca68 | ||
|
656c549113 | ||
|
41b4c6650b | ||
|
925fdd633a | ||
|
c16b125a55 | ||
|
591b246ed6 | ||
|
07b8567beb | ||
|
f0e68527ba | ||
|
6514b6f4c3 | ||
|
d551f2f4ae | ||
|
acb07c9792 | ||
|
da3eedb443 |
2
.gitattributes
vendored
2
.gitattributes
vendored
@@ -1,5 +1,3 @@
|
||||
* text=auto eol=lf
|
||||
binaries/win64/readme.txt eol=crlf
|
||||
binaries/win32/readme.txt eol=crlf
|
||||
*.cmd eol=crlf
|
||||
*.bat eol=crlf
|
||||
|
1
.github/ISSUE_TEMPLATE/config.yml
vendored
Normal file
1
.github/ISSUE_TEMPLATE/config.yml
vendored
Normal file
@@ -0,0 +1 @@
|
||||
blank_issues_enabled: false
|
19
.github/ISSUE_TEMPLATE/issue-warning.md
vendored
Normal file
19
.github/ISSUE_TEMPLATE/issue-warning.md
vendored
Normal file
@@ -0,0 +1,19 @@
|
||||
---
|
||||
name: bugs
|
||||
about: do not write lame questions
|
||||
title: ''
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
1. Здесь не место для вопросов, касающихся компьютерной грамотности и навыков использования ОС
|
||||
2. Здесь не место для вопросов "у меня не работает" без технических подробностей
|
||||
3. Здесь не место для вопросов "как мне открыть ютуб", "что писать в ...", "перестало открываться".
|
||||
4. Здесь не место для обсуждения сборок
|
||||
5. Вирусов здесь нет. У вас либо чья-то сборка, либо ваш антивирус давно пора отправить на покой. Антивирусы в основном жалуются на upx и windivert, которые убраны НЕ будут. upx - это паковщик для сокращения требуемого места на openwrt, windivert - замена iptables для windows, потенциальный инструмент хакера или компонент зловредной программы, но сам по себе вирусом не является. Не согласны - удаляйте софт. За агрессивные наезды "почему автор распространяет вирусы" молча схватите бан.
|
||||
|
||||
Все означенное обсуждать в дискуссиях или на форумах.
|
||||
При нарушении будет закрываться или конвертироваться в дискуссии.
|
||||
Issue только для обсуждения проблем самого софта. Неработа стратегии или ваше неумение настроить - это ваша проблема, а не проблема софта.
|
||||
Однокнопочные решения дают только сборщики, поэтому "открытие сайта" не является функцией программы, и нет смысла жаловаться, что он не открывается. Но можно это обсудить в дискуссиях. Не захламляйте issues !
|
150
.github/workflows/build.yml
vendored
150
.github/workflows/build.yml
vendored
@@ -52,6 +52,13 @@ jobs:
|
||||
tool: i586-unknown-linux-musl
|
||||
- arch: x86_64
|
||||
tool: x86_64-unknown-linux-musl
|
||||
- arch: lexra
|
||||
tool: mips-linux
|
||||
dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001
|
||||
env:
|
||||
CFLAGS: '-march=5281'
|
||||
LDFLAGS: '-lgcc_eh'
|
||||
repo: 'bol-van/build'
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -60,18 +67,31 @@ jobs:
|
||||
|
||||
- name: Set up build tools
|
||||
env:
|
||||
REPO: 'spvkgn/musl-cross'
|
||||
ARCH: ${{ matrix.arch }}
|
||||
TOOL: ${{ matrix.tool }}
|
||||
REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }}
|
||||
DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }}
|
||||
run: |
|
||||
sudo apt update -qq && sudo apt install -y libcap-dev
|
||||
if [[ "$ARCH" == lexra ]]; then
|
||||
sudo dpkg --add-architecture i386
|
||||
sudo apt update -qq
|
||||
sudo apt install -y libcap-dev libc6:i386 zlib1g:i386
|
||||
URL=https://github.com/$REPO/raw/refs/heads/master/$DIR.txz
|
||||
else
|
||||
sudo apt update -qq
|
||||
sudo apt install -y libcap-dev
|
||||
URL=https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz
|
||||
fi
|
||||
mkdir -p $HOME/tools
|
||||
wget -qO- https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz | tar -C $HOME/tools -xJ || exit 1
|
||||
[ -d "$HOME/tools/$TOOL/bin" ] && echo "$HOME/tools/$TOOL/bin" >> $GITHUB_PATH
|
||||
wget -qO- $URL | tar -C $HOME/tools -xJ || exit 1
|
||||
[[ -d "$HOME/tools/$DIR/bin" ]] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH
|
||||
|
||||
- name: Build
|
||||
env:
|
||||
ARCH: ${{ matrix.arch }}
|
||||
TARGET: ${{ matrix.tool }}
|
||||
CFLAGS: ${{ matrix.env.CFLAGS != '' && matrix.env.CFLAGS || null }}
|
||||
LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }}
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
DEPS_DIR=$GITHUB_WORKSPACE/deps
|
||||
@@ -81,21 +101,18 @@ jobs:
|
||||
export NM=$TARGET-nm
|
||||
export STRIP=$TARGET-strip
|
||||
export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
|
||||
|
||||
# optimize for size
|
||||
export CFLAGS="-Os -flto=auto"
|
||||
export LDFLAGS="-Os"
|
||||
export STAGING_DIR=$RUNNER_TEMP
|
||||
|
||||
# netfilter libs
|
||||
git clone --depth 1 -b libmnl-1.0.5 git://git.netfilter.org/libmnl
|
||||
git clone --depth 1 -b libnfnetlink-1.0.2 git://git.netfilter.org/libnfnetlink
|
||||
git clone --depth 1 -b libnetfilter_queue-1.0.5 git://git.netfilter.org/libnetfilter_queue
|
||||
wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
|
||||
wget -qO- https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj
|
||||
wget -qO- https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj
|
||||
|
||||
for i in libmnl libnfnetlink libnetfilter_queue ; do
|
||||
(
|
||||
cd $i
|
||||
./autogen.sh && \
|
||||
./configure --prefix= --host=$TARGET --enable-static --disable-shared && \
|
||||
cd $i-*
|
||||
CFLAGS="-Os -flto=auto $CFLAGS" \
|
||||
./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
|
||||
make install -j$(nproc) DESTDIR=$DEPS_DIR
|
||||
)
|
||||
sed -i "s|^prefix=.*|prefix=$DEPS_DIR|g" $DEPS_DIR/lib/pkgconfig/$i.pc
|
||||
@@ -106,7 +123,8 @@ jobs:
|
||||
xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz
|
||||
(
|
||||
cd zlib-*
|
||||
./configure --prefix= --static && \
|
||||
CFLAGS="-Os -flto=auto $CFLAGS" \
|
||||
./configure --prefix= --static
|
||||
make install -j$(nproc) DESTDIR=$DEPS_DIR
|
||||
)
|
||||
|
||||
@@ -116,8 +134,8 @@ jobs:
|
||||
install -Dm644 -t $DEPS_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h
|
||||
|
||||
# zapret
|
||||
CFLAGS="$CFLAGS -static-libgcc -static -I$DEPS_DIR/include" \
|
||||
LDFLAGS="$LDFLAGS -L$DEPS_DIR/lib" \
|
||||
CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
|
||||
LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
|
||||
make -C zapret -j$(nproc)
|
||||
tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz .
|
||||
|
||||
@@ -137,6 +155,7 @@ jobs:
|
||||
|
||||
- name: Build zapret
|
||||
run: |
|
||||
export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}"
|
||||
make mac -j$(sysctl -n hw.logicalcpu)
|
||||
tar -C binaries/my -cJf zapret-mac-x64.tar.xz .
|
||||
|
||||
@@ -171,7 +190,8 @@ jobs:
|
||||
TARGET: ${{ matrix.target }}
|
||||
ARCH: ${{ matrix.arch }}
|
||||
run: |
|
||||
settarget $TARGET-freebsd11 make bsd -j$(nproc) || exit 1
|
||||
export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}"
|
||||
settarget $TARGET-freebsd11 make bsd -j$(nproc)
|
||||
tar -C binaries/my -cJf zapret-freebsd-$ARCH.tar.xz .
|
||||
|
||||
- name: Upload artifacts
|
||||
@@ -204,6 +224,7 @@ jobs:
|
||||
- name: Build ip2net, mdig
|
||||
shell: msys2 {0}
|
||||
run: |
|
||||
export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}"
|
||||
mkdir -p output
|
||||
cd zapret
|
||||
mingw32-make -C ip2net win
|
||||
@@ -260,6 +281,7 @@ jobs:
|
||||
shell: C:\cygwin\bin\bash.exe -eo pipefail '{0}'
|
||||
run: >-
|
||||
export MAKEFLAGS=-j$(nproc) &&
|
||||
export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}" &&
|
||||
cd zapret &&
|
||||
make -C nfq ${TARGET} &&
|
||||
cp -a nfq/winws.exe ../output
|
||||
@@ -282,9 +304,81 @@ jobs:
|
||||
path: zapret-*.zip
|
||||
if-no-files-found: error
|
||||
|
||||
build-android:
|
||||
name: Android ${{ matrix.abi }}
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
include:
|
||||
- abi: armeabi-v7a
|
||||
target: armv7a-linux-androideabi
|
||||
- abi: arm64-v8a
|
||||
target: aarch64-linux-android
|
||||
- abi: x86
|
||||
target: i686-linux-android
|
||||
- abi: x86_64
|
||||
target: x86_64-linux-android
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
path: zapret
|
||||
|
||||
- name: Build
|
||||
env:
|
||||
ABI: ${{ matrix.abi }}
|
||||
API: 21
|
||||
TARGET: ${{ matrix.target }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
DEPS_DIR=$GITHUB_WORKSPACE/deps
|
||||
export TOOLCHAIN=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64
|
||||
export CC="$TOOLCHAIN/bin/clang --target=$TARGET$API"
|
||||
export AR=$TOOLCHAIN/bin/llvm-ar
|
||||
export AS=$CC
|
||||
export LD=$TOOLCHAIN/bin/ld
|
||||
export RANLIB=$TOOLCHAIN/bin/llvm-ranlib
|
||||
export STRIP=$TOOLCHAIN/bin/llvm-strip
|
||||
export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
|
||||
|
||||
# netfilter libs
|
||||
wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
|
||||
wget -qO- https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj
|
||||
wget -qO- https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj
|
||||
patch -p1 -d libnetfilter_queue-* -i ../zapret/.github/workflows/libnetfilter_queue-android.patch
|
||||
|
||||
for i in libmnl libnfnetlink libnetfilter_queue ; do
|
||||
(
|
||||
cd $i-*
|
||||
CFLAGS="-Os -flto=auto -Wno-implicit-function-declaration" \
|
||||
./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
|
||||
make install -j$(nproc) DESTDIR=$DEPS_DIR
|
||||
)
|
||||
sed -i "s|^prefix=.*|prefix=$DEPS_DIR|g" $DEPS_DIR/lib/pkgconfig/$i.pc
|
||||
done
|
||||
|
||||
# zapret
|
||||
CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -I$DEPS_DIR/include" \
|
||||
LDFLAGS="-L$DEPS_DIR/lib" \
|
||||
make -C zapret android -j$(nproc)
|
||||
|
||||
# strip unwanted ELF sections to prevent warnings on old Android versions
|
||||
gh api repos/termux/termux-elf-cleaner/releases/latest --jq '.tag_name' |\
|
||||
xargs -I{} wget -O elf-cleaner https://github.com/termux/termux-elf-cleaner/releases/download/{}/termux-elf-cleaner
|
||||
chmod +x elf-cleaner
|
||||
./elf-cleaner --api-level $API zapret/binaries/my/*
|
||||
zip zapret-android-$ABI.zip -j zapret/binaries/my/*
|
||||
|
||||
- name: Upload artifacts
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: zapret-android-${{ matrix.abi }}
|
||||
path: zapret-*.zip
|
||||
if-no-files-found: error
|
||||
|
||||
release:
|
||||
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
|
||||
needs: [ build-linux, build-windows, build-macos, build-freebsd ]
|
||||
needs: [ build-linux, build-windows, build-macos, build-freebsd, build-android ]
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
@@ -324,7 +418,7 @@ jobs:
|
||||
if [[ $dir == *-linux-x86_64 ]]; then
|
||||
tar -C $dir -czvf $dir/tpws_wsl.tgz tpws
|
||||
run_upx $dir/*
|
||||
elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]]; then
|
||||
elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
|
||||
run_upx $dir/*
|
||||
fi
|
||||
;;
|
||||
@@ -343,6 +437,10 @@ jobs:
|
||||
if [ -d $dir ]; then
|
||||
echo "Processing $dir"
|
||||
case $dir in
|
||||
*-android-arm64-v8a ) run_dir android-aarch64 ;;
|
||||
*-android-armeabi-v7a ) run_dir android-arm ;;
|
||||
*-android-x86 ) run_dir android-x86 ;;
|
||||
*-android-x86_64 ) run_dir android-x86_64 ;;
|
||||
*-freebsd-x86_64 ) run_dir freebsd-x64 ;;
|
||||
*-linux-arm ) run_dir arm ;;
|
||||
*-linux-arm64 ) run_dir aarch64 ;;
|
||||
@@ -352,6 +450,7 @@ jobs:
|
||||
*-linux-ppc ) run_dir ppc ;;
|
||||
*-linux-x86 ) run_dir x86 ;;
|
||||
*-linux-x86_64 ) run_dir x86_64 ;;
|
||||
*-linux-lexra ) run_dir lexra ;;
|
||||
*-mac-x64 ) run_dir mac64 ;;
|
||||
*-win-x86 ) run_dir win32 ;;
|
||||
*-win-x86_64 ) run_dir win64 ;;
|
||||
@@ -363,8 +462,16 @@ jobs:
|
||||
- name: Create release bundles
|
||||
run: |
|
||||
rm -rf ${{ env.repo_dir }}/.git*
|
||||
tar -czf ${{ env.repo_dir }}.tar.gz ${{ env.repo_dir }}
|
||||
find ${{ env.repo_dir }}/binaries -type f -exec sha256sum {} \; >sha256sum.txt
|
||||
tar --owner=0 --group=0 -czf ${{ env.repo_dir }}.tar.gz ${{ env.repo_dir }}
|
||||
zip -qr ${{ env.repo_dir }}.zip ${{ env.repo_dir }}
|
||||
(
|
||||
cd ${{ env.repo_dir }}
|
||||
rm -rf binaries/{android*,freebsd*,mac*,win*,x86_64/tpws_wsl.tgz} \
|
||||
init.d/{openrc,macos,pfsense,runit,s6,systemd} \
|
||||
tpws nfq ip2net mdig docs files/huawei Makefile
|
||||
)
|
||||
tar --owner=0 --group=0 -czf ${{ env.repo_dir }}-openwrt-embedded.tar.gz ${{ env.repo_dir }}
|
||||
|
||||
- name: Upload release assets
|
||||
uses: softprops/action-gh-release@v2
|
||||
@@ -377,3 +484,4 @@ jobs:
|
||||
files: |
|
||||
zapret*.tar.gz
|
||||
zapret*.zip
|
||||
sha256sum.txt
|
||||
|
41
.github/workflows/libnetfilter_queue-android.patch
vendored
Normal file
41
.github/workflows/libnetfilter_queue-android.patch
vendored
Normal file
@@ -0,0 +1,41 @@
|
||||
--- a/src/extra/pktbuff.c
|
||||
+++ b/src/extra/pktbuff.c
|
||||
@@ -14,7 +14,7 @@
|
||||
#include <string.h> /* for memcpy */
|
||||
#include <stdbool.h>
|
||||
|
||||
-#include <netinet/if_ether.h>
|
||||
+#include <linux/if_ether.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
|
||||
--- a/src/nlmsg.c
|
||||
+++ b/src/nlmsg.c
|
||||
@@ -21,7 +21,7 @@
|
||||
|
||||
#include <linux/netfilter/nfnetlink_queue.h>
|
||||
|
||||
-#include <libnetfilter_queue/libnetfilter_queue.h>
|
||||
+// #include <libnetfilter_queue/libnetfilter_queue.h>
|
||||
|
||||
#include "internal.h"
|
||||
|
||||
--- a/src/extra/tcp.c
|
||||
+++ b/src/extra/tcp.c
|
||||
@@ -139,12 +139,16 @@ void nfq_tcp_compute_checksum_ipv6(struc
|
||||
* (union is compatible to any of its members)
|
||||
* This means this part of the code is -fstrict-aliasing safe now.
|
||||
*/
|
||||
+#ifndef __ANDROID__
|
||||
union tcp_word_hdr {
|
||||
struct tcphdr hdr;
|
||||
uint32_t words[5];
|
||||
};
|
||||
+#endif
|
||||
|
||||
+#ifndef tcp_flag_word
|
||||
#define tcp_flag_word(tp) ( ((union tcp_word_hdr *)(tp))->words[3])
|
||||
+#endif
|
||||
|
||||
/**
|
||||
* nfq_pkt_snprintf_tcp_hdr - print tcp header into one buffer in a humnan
|
3
.gitignore
vendored
3
.gitignore
vendored
@@ -1,10 +1,11 @@
|
||||
/config
|
||||
ip2net/ip2net
|
||||
mdig/mdig
|
||||
nfq/dvtws
|
||||
nfq/nfqws
|
||||
nfq/winws.exe
|
||||
tpws/tpws
|
||||
binaries/my/
|
||||
init.d/**/custom
|
||||
ipset/zapret-ip*.txt
|
||||
ipset/zapret-ip*.gz
|
||||
ipset/zapret-hosts*.txt
|
||||
|
13
Makefile
13
Makefile
@@ -15,6 +15,19 @@ all: clean
|
||||
done \
|
||||
done
|
||||
|
||||
android: clean
|
||||
@mkdir -p "$(TGT)"; \
|
||||
for dir in $(DIRS); do \
|
||||
find "$$dir" -type f \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
|
||||
$(MAKE) -C "$$dir" android || exit; \
|
||||
for exe in "$$dir/"*; do \
|
||||
if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
|
||||
mv -f "$$exe" "${TGT}" ; \
|
||||
ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
|
||||
fi \
|
||||
done \
|
||||
done
|
||||
|
||||
bsd: clean
|
||||
@mkdir -p "$(TGT)"; \
|
||||
for dir in $(DIRS); do \
|
||||
|
481
blockcheck.sh
481
blockcheck.sh
@@ -23,6 +23,7 @@ CURL=${CURL:-curl}
|
||||
. "$ZAPRET_BASE/common/fwtype.sh"
|
||||
. "$ZAPRET_BASE/common/virt.sh"
|
||||
|
||||
DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
|
||||
QNUM=${QNUM:-59780}
|
||||
SOCKS_PORT=${SOCKS_PORT:-1993}
|
||||
TPWS_UID=${TPWS_UID:-1}
|
||||
@@ -35,9 +36,9 @@ MDIG=${MDIG:-${ZAPRET_BASE}/mdig/mdig}
|
||||
DESYNC_MARK=0x10000000
|
||||
IPFW_RULE_NUM=${IPFW_RULE_NUM:-1}
|
||||
IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
|
||||
DOMAINS=${DOMAINS:-rutracker.org}
|
||||
CURL_MAX_TIME=${CURL_MAX_TIME:-2}
|
||||
CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
|
||||
CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
|
||||
MIN_TTL=${MIN_TTL:-1}
|
||||
MAX_TTL=${MAX_TTL:-12}
|
||||
USER_AGENT=${USER_AGENT:-Mozilla}
|
||||
@@ -45,9 +46,9 @@ HTTP_PORT=${HTTP_PORT:-80}
|
||||
HTTPS_PORT=${HTTPS_PORT:-443}
|
||||
QUIC_PORT=${QUIC_PORT:-443}
|
||||
UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
|
||||
[ "$CURL_VERBOSE" = 1 ] && CURL_CMD=1
|
||||
PARALLEL_OUT=/tmp/zapret_parallel
|
||||
|
||||
HDRTEMP=/tmp/zapret-hdr.txt
|
||||
HDRTEMP=/tmp/zapret-hdr
|
||||
|
||||
NFT_TABLE=blockcheck
|
||||
|
||||
@@ -78,9 +79,11 @@ exitp()
|
||||
{
|
||||
local A
|
||||
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
echo press enter to continue
|
||||
read A
|
||||
}
|
||||
exit $1
|
||||
}
|
||||
|
||||
@@ -213,7 +216,7 @@ doh_resolve()
|
||||
# $1 - ip version 4/6
|
||||
# $2 - hostname
|
||||
# $3 - doh server URL. use $DOH_SERVER if empty
|
||||
$MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
|
||||
$MDIG --family=$1 --dns-make-query=$2 | $CURL --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
|
||||
}
|
||||
doh_find_working()
|
||||
{
|
||||
@@ -561,7 +564,7 @@ curl_supports_tls13()
|
||||
[ $? = 2 ] && return 1
|
||||
# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
|
||||
# this is online test because there's no other way to trigger library incompatibility case
|
||||
$CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://iana.org 2>/dev/null
|
||||
$CURL --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
|
||||
r=$?
|
||||
[ $r != 4 -a $r != 35 ]
|
||||
}
|
||||
@@ -652,28 +655,28 @@ curl_test_http()
|
||||
# $3 - subst ip
|
||||
# $4 - "detail" - detail info
|
||||
|
||||
local code loc
|
||||
curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$HDRTEMP" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
|
||||
local code loc hdrt="${HDRTEMP}_${!:-$$}.txt"
|
||||
curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$hdrt" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
|
||||
code=$?
|
||||
rm -f "$HDRTEMP"
|
||||
rm -f "$hdrt"
|
||||
return $code
|
||||
}
|
||||
if [ "$4" = "detail" ] ; then
|
||||
head -n 1 "$HDRTEMP"
|
||||
grep "^[lL]ocation:" "$HDRTEMP"
|
||||
head -n 1 "$hdrt"
|
||||
grep "^[lL]ocation:" "$hdrt"
|
||||
else
|
||||
code=$(hdrfile_http_code "$HDRTEMP")
|
||||
code=$(hdrfile_http_code "$hdrt")
|
||||
[ "$code" = 301 -o "$code" = 302 -o "$code" = 307 -o "$code" = 308 ] && {
|
||||
loc=$(hdrfile_location "$HDRTEMP")
|
||||
loc=$(hdrfile_location "$hdrt")
|
||||
echo "$loc" | grep -qE "^https?://.*$2(/|$)" ||
|
||||
echo "$loc" | grep -vqE '^https?://' || {
|
||||
echo suspicious redirection $code to : $loc
|
||||
rm -f "$HDRTEMP"
|
||||
rm -f "$hdrt"
|
||||
return 254
|
||||
}
|
||||
}
|
||||
fi
|
||||
rm -f "$HDRTEMP"
|
||||
rm -f "$hdrt"
|
||||
[ "$code" = 400 ] && {
|
||||
# this can often happen if the server receives fake packets it should not receive
|
||||
echo http code $code. likely the server receives fakes.
|
||||
@@ -792,7 +795,7 @@ pktws_ipt_prepare()
|
||||
# disable PF to avoid interferences
|
||||
pf_is_avail && pfctl -qd
|
||||
for ip in $3; do
|
||||
IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to $ip $2 proto ip${IPV} out not diverted not sockarg
|
||||
IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to $ip $2 proto ip${IPV} out not diverted
|
||||
done
|
||||
;;
|
||||
opf)
|
||||
@@ -867,7 +870,7 @@ pktws_ipt_prepare_tcp()
|
||||
;;
|
||||
ipfw)
|
||||
for ip in $2; do
|
||||
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from $ip $1 to me proto ip${IPV} tcpflags syn,ack in not diverted not sockarg
|
||||
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from $ip $1 to me proto ip${IPV} tcpflags syn,ack in not diverted
|
||||
done
|
||||
;;
|
||||
esac
|
||||
@@ -965,8 +968,27 @@ curl_test()
|
||||
# $2 - domain
|
||||
# $3 - subst ip
|
||||
# $4 - param of test function
|
||||
local code=0 n=0
|
||||
local code=0 n=0 p pids
|
||||
|
||||
if [ "$PARALLEL" = 1 ]; then
|
||||
rm -f "${PARALLEL_OUT}"*
|
||||
for n in $(seq -s ' ' 1 $REPEATS); do
|
||||
$1 "$IPV" $2 $3 "$4" >"${PARALLEL_OUT}_$n" &
|
||||
pids="${pids:+$pids }$!"
|
||||
done
|
||||
n=1
|
||||
for p in $pids; do
|
||||
[ $REPEATS -gt 1 ] && printf "[attempt $n] "
|
||||
if wait $p; then
|
||||
[ $REPEATS -gt 1 ] && echo 'AVAILABLE'
|
||||
else
|
||||
code=$?
|
||||
cat "${PARALLEL_OUT}_$n"
|
||||
fi
|
||||
n=$(($n+1))
|
||||
done
|
||||
rm -f "${PARALLEL_OUT}"*
|
||||
else
|
||||
while [ $n -lt $REPEATS ]; do
|
||||
n=$(($n+1))
|
||||
[ $REPEATS -gt 1 ] && printf "[attempt $n] "
|
||||
@@ -977,6 +999,7 @@ curl_test()
|
||||
[ "$SCANLEVEL" = quick ] && break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
[ "$4" = detail ] || {
|
||||
if [ $code = 254 ]; then
|
||||
echo "UNAVAILABLE"
|
||||
@@ -994,7 +1017,6 @@ ws_curl_test()
|
||||
# $2 - test function
|
||||
# $3 - domain
|
||||
# $4,$5,$6, ... - ws params
|
||||
|
||||
local code ws_start=$1 testf=$2 dom=$3
|
||||
shift
|
||||
shift
|
||||
@@ -1013,6 +1035,14 @@ tpws_curl_test()
|
||||
echo - checking tpws $3 $4 $5 $6 $7 $8 $9${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
|
||||
local ALL_PROXY="socks5://127.0.0.1:$SOCKS_PORT"
|
||||
ws_curl_test tpws_start "$@"${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
|
||||
local testf=$1 dom=$2 strategy code=$?
|
||||
[ "$code" = 0 ] && {
|
||||
shift; shift;
|
||||
strategy="$@"
|
||||
strategy_append_extra_tpws
|
||||
report_append "ipv${IPV} $dom $testf : tpws ${WF:+$WF }$strategy"
|
||||
}
|
||||
return $code
|
||||
}
|
||||
pktws_curl_test()
|
||||
{
|
||||
@@ -1021,7 +1051,25 @@ pktws_curl_test()
|
||||
# $3,$4,$5, ... - nfqws/dvtws params
|
||||
echo - checking $PKTWSD ${WF:+$WF }$3 $4 $5 $6 $7 $8 $9${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
|
||||
ws_curl_test pktws_start "$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
|
||||
local testf=$1 dom=$2 strategy code=$?
|
||||
[ "$code" = 0 ] && {
|
||||
shift; shift;
|
||||
strategy="$@"
|
||||
strategy_append_extra_pktws
|
||||
report_append "ipv${IPV} $dom $testf : $PKTWSD ${WF:+$WF }$strategy"
|
||||
}
|
||||
return $code
|
||||
}
|
||||
|
||||
strategy_append_extra_pktws()
|
||||
{
|
||||
strategy="${strategy:+$strategy${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}}"
|
||||
}
|
||||
strategy_append_extra_tpws()
|
||||
{
|
||||
strategy="${strategy:+$strategy${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}}"
|
||||
}
|
||||
|
||||
xxxws_curl_test_update()
|
||||
{
|
||||
# $1 - xxx_curl_test function
|
||||
@@ -1073,7 +1121,7 @@ report_strategy()
|
||||
strategy="$(echo "$strategy" | xargs)"
|
||||
echo "!!!!! $1: working strategy found for ipv${IPV} $2 : $3 $strategy !!!!!"
|
||||
echo
|
||||
report_append "ipv${IPV} $2 $1 : $3 ${WF:+$WF }$strategy"
|
||||
# report_append "ipv${IPV} $2 $1 : $3 ${WF:+$WF }$strategy"
|
||||
return 0
|
||||
else
|
||||
echo "$1: $3 strategy for ipv${IPV} $2 not found"
|
||||
@@ -1086,9 +1134,13 @@ test_has_split()
|
||||
{
|
||||
contains "$1" split || contains "$1" disorder
|
||||
}
|
||||
test_has_fakedsplit()
|
||||
{
|
||||
contains "$1" fakedsplit || contains "$1" fakeddisorder
|
||||
}
|
||||
test_has_fake()
|
||||
{
|
||||
contains "$1" fake
|
||||
[ "$1" = fake ] || starts_with "$1" fake,
|
||||
}
|
||||
warn_fool()
|
||||
{
|
||||
@@ -1105,25 +1157,40 @@ pktws_curl_test_update_vary()
|
||||
# $4 - desync mode
|
||||
# $5,$6,... - strategy
|
||||
|
||||
local testf=$1 sec=$2 domain=$3 desync=$4 zerofake split fake
|
||||
local testf=$1 sec=$2 domain=$3 desync=$4 proto zerofake= tlsmod= splits= pos fake ret=1
|
||||
|
||||
shift; shift; shift; shift
|
||||
|
||||
zerofake=http
|
||||
[ "$sec" = 0 ] || zerofake=tls
|
||||
zerofake="--dpi-desync-fake-$zerofake=0x00000000"
|
||||
|
||||
for fake in '' $zerofake ; do
|
||||
for split in '' '--dpi-desync-split-pos=1' ; do
|
||||
pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake $split && return 0
|
||||
# split-pos=1 is meaningful for DPIs searching for 16 03 in TLS. no reason to apply to http
|
||||
[ "$sec" = 1 ] || break
|
||||
test_has_split $desync || break
|
||||
proto=http
|
||||
[ "$sec" = 0 ] || proto=tls
|
||||
test_has_fake $desync && {
|
||||
zerofake="--dpi-desync-fake-$proto=0x00000000"
|
||||
[ "$sec" = 0 ] || tlsmod="--dpi-desync-fake-tls-mod=rnd,rndsni,padencap"
|
||||
}
|
||||
if test_has_fakedsplit $desync ; then
|
||||
splits="method+2 midsld"
|
||||
[ "$sec" = 0 ] || splits="1 midsld"
|
||||
elif test_has_split $desync ; then
|
||||
splits="method+2 midsld"
|
||||
[ "$sec" = 0 ] || splits="1 midsld 1,midsld"
|
||||
fi
|
||||
for fake in '' $zerofake $tlsmod ; do
|
||||
if [ -n "$splits" ]; then
|
||||
for pos in $splits ; do
|
||||
pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" --dpi-desync-split-pos=$pos $fake && {
|
||||
[ "$SCANLEVEL" = force ] || return 0
|
||||
ret=0
|
||||
}
|
||||
done
|
||||
test_has_fake $desync || break
|
||||
else
|
||||
pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake && {
|
||||
[ "$SCANLEVEL" = force ] || return 0
|
||||
ret=0
|
||||
}
|
||||
fi
|
||||
done
|
||||
|
||||
return 1
|
||||
return $ret
|
||||
}
|
||||
|
||||
pktws_check_domain_http_bypass_()
|
||||
@@ -1132,82 +1199,73 @@ pktws_check_domain_http_bypass_()
|
||||
# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
|
||||
# $3 - domain
|
||||
|
||||
local tests='fake' ret ok ttls s f e desync pos fooling frag sec="$2" delta hostcase
|
||||
local ok ttls s f f2 e desync pos fooling frag sec="$2" delta splits
|
||||
local need_split need_disorder need_fakedsplit need_fakeddisorder need_fake need_wssize
|
||||
local splits_http='method+2 midsld method+2,midsld'
|
||||
local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
|
||||
|
||||
[ "$sec" = 0 ] && {
|
||||
for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do
|
||||
for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase' '--methodeol'; do
|
||||
pktws_curl_test_update $1 $3 $s
|
||||
done
|
||||
}
|
||||
|
||||
s="--dpi-desync=split2"
|
||||
ok=0
|
||||
pktws_curl_test_update $1 $3 $s
|
||||
ret=$?
|
||||
[ "$ret" = 0 ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
}
|
||||
[ "$ret" != 0 -o "$SCANLEVEL" = force ] && {
|
||||
if [ "$sec" = 0 ]; then
|
||||
pktws_curl_test_update $1 $3 $s --hostcase && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
}
|
||||
for pos in method host; do
|
||||
for hostcase in '' '--hostcase'; do
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-split-http-req=$pos $hostcase && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
}
|
||||
done
|
||||
done
|
||||
else
|
||||
for pos in sni sniext; do
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-split-tls=$pos && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
}
|
||||
done
|
||||
fi
|
||||
for pos in 1 3 4 5 10 50; do
|
||||
s="--dpi-desync=split2 --dpi-desync-split-pos=$pos"
|
||||
if pktws_curl_test_update $1 $3 $s; then
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
[ "$SCANLEVEL" = force ] || break
|
||||
elif [ "$sec" = 0 ]; then
|
||||
pktws_curl_test_update $1 $3 $s --hostcase && [ "$SCANLEVEL" = quick ] && return
|
||||
fi
|
||||
done
|
||||
}
|
||||
[ "$ok" = 1 -a "$SCANLEVEL" != force ] || tests="$tests split fake,split2 fake,split"
|
||||
|
||||
pktws_curl_test_update $1 $3 --dpi-desync=disorder2
|
||||
ret=$?
|
||||
[ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return
|
||||
[ "$ret" != 0 -o "$SCANLEVEL" = force ] && {
|
||||
pktws_curl_test_update $1 $3 --dpi-desync=disorder2 --dpi-desync-split-pos=1
|
||||
ret=$?
|
||||
[ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return
|
||||
}
|
||||
[ "$ret" != 0 -o "$SCANLEVEL" = force ] && tests="$tests disorder fake,disorder2 fake,disorder"
|
||||
|
||||
ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
|
||||
need_wssize=1
|
||||
for e in '' '--wssize 1:6'; do
|
||||
need_split=
|
||||
need_disorder=
|
||||
|
||||
[ -n "$e" ] && {
|
||||
pktws_curl_test_update $1 $3 $e && [ "$SCANLEVEL" = quick ] && return
|
||||
for desync in split2 disorder2; do
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return
|
||||
done
|
||||
}
|
||||
for desync in $tests; do
|
||||
|
||||
for desync in multisplit multidisorder; do
|
||||
ok=0
|
||||
splits="$splits_http"
|
||||
[ "$sec" = 0 ] || splits="$splits_tls"
|
||||
for pos in $splits; do
|
||||
pktws_curl_test_update $1 $3 --dpi-desync=$desync --dpi-desync-split-pos=$pos $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
need_wssize=0
|
||||
[ "$SCANLEVEL" = force ] || break
|
||||
}
|
||||
done
|
||||
[ "$ok" = 1 -a "$SCANLEVEL" != force ] || {
|
||||
case $desync in
|
||||
multisplit)
|
||||
need_split=1
|
||||
;;
|
||||
multidisorder)
|
||||
need_disorder=1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
done
|
||||
|
||||
need_fakedsplit=1
|
||||
need_fakeddisorder=1
|
||||
need_fake=1
|
||||
for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
|
||||
[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
|
||||
[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
|
||||
[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
|
||||
ok=0
|
||||
for ttl in $ttls; do
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
ok=1
|
||||
need_wssize=0
|
||||
break
|
||||
}
|
||||
done
|
||||
# only skip tests if TTL succeeded. do not skip if TTL failed but fooling succeeded
|
||||
[ $ok = 1 -a "$SCANLEVEL" != force ] && {
|
||||
[ "$desync" = fake ] && need_fake=0
|
||||
[ "$desync" = fakedsplit ] && need_fakedsplit=0
|
||||
[ "$desync" = fakeddisorder ] && need_fakeddisorder=0
|
||||
}
|
||||
f=
|
||||
[ "$UNAME" = "OpenBSD" ] || f="badsum"
|
||||
f="$f badseq datanoack md5sig"
|
||||
@@ -1216,37 +1274,68 @@ pktws_check_domain_http_bypass_()
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling $e && {
|
||||
warn_fool $fooling
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
}
|
||||
done
|
||||
done
|
||||
|
||||
[ "$IPV" = 6 ] && {
|
||||
f="hopbyhop hopbyhop,split2 hopbyhop,disorder2 destopt destopt,split2 destopt,disorder2"
|
||||
[ -n "$IP6_DEFRAG_DISABLE" ] && f="$f ipfrag1 ipfrag1,split2 ipfrag1,disorder2"
|
||||
f="hopbyhop ${need_split:+hopbyhop,multisplit} ${need_disorder:+hopbyhop,multidisorder} destopt ${need_split:+destopt,multisplit} ${need_disorder:+destopt,multidisorder}"
|
||||
[ -n "$IP6_DEFRAG_DISABLE" ] && f="$f ipfrag1 ${need_split:+ ipfrag1,multisplit} ${need_disorder:+ ipfrag1,multidisorder}"
|
||||
for desync in $f; do
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
for desync in split2 disorder2; do
|
||||
s="--dpi-desync=$desync"
|
||||
[ "$need_split" = 1 ] && {
|
||||
# relative markers can be anywhere, even in subsequent packets. first packet can be MTU-full.
|
||||
# make additional split pos "10" to guarantee enough space for seqovl and likely to be before midsld,sniext,...
|
||||
# method is always expected in the beginning of the first packet
|
||||
f="method+2 method+2,midsld"
|
||||
[ "$sec" = 0 ] || f="10 10,sniext+1 10,sniext+4 10,midsld"
|
||||
for pos in $f; do
|
||||
pktws_curl_test_update $1 $3 --dpi-desync=multisplit --dpi-desync-split-pos=$pos --dpi-desync-split-seqovl=1 $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
}
|
||||
done
|
||||
[ "$sec" != 0 ] && pktws_curl_test_update $1 $3 --dpi-desync=multisplit --dpi-desync-split-pos=2 --dpi-desync-split-seqovl=336 --dpi-desync-split-seqovl-pattern="$ZAPRET_BASE/files/fake/tls_clienthello_iana_org.bin" $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
}
|
||||
}
|
||||
[ "$need_disorder" = 1 ] && {
|
||||
if [ "$sec" = 0 ]; then
|
||||
for pos in method host; do
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=1 --dpi-desync-split-http-req=$pos $e && [ "$SCANLEVEL" = quick ] && return
|
||||
for pos in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
|
||||
f="$(extract_arg 1 $pos)"
|
||||
f2="$(extract_arg 2 $pos)"
|
||||
pktws_curl_test_update $1 $3 --dpi-desync=multidisorder --dpi-desync-split-pos=$f2 --dpi-desync-split-seqovl=$f $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
}
|
||||
done
|
||||
else
|
||||
for pos in sni sniext; do
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=1 --dpi-desync-split-tls=$pos $e && [ "$SCANLEVEL" = quick ] && return
|
||||
done
|
||||
fi
|
||||
for pos in 2 3 4 5 10 50; do
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=$(($pos - 1)) --dpi-desync-split-pos=$pos $e && [ "$SCANLEVEL" = quick ] && return
|
||||
done
|
||||
[ "$sec" != 0 -a $desync = split2 ] && {
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=336 --dpi-desync-split-seqovl-pattern="$ZAPRET_BASE/files/fake/tls_clienthello_iana_org.bin" $e && [ "$SCANLEVEL" = quick ] && return
|
||||
for pos in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
|
||||
f=$(extract_arg 1 $pos)
|
||||
f2=$(extract_arg 2 $pos)
|
||||
pktws_curl_test_update $1 $3 --dpi-desync=multidisorder --dpi-desync-split-pos=$f2 --dpi-desync-split-seqovl=$f $e && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
}
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
for desync in $tests; do
|
||||
need_fakedsplit=1
|
||||
need_fakeddisorder=1
|
||||
need_fake=1
|
||||
for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
|
||||
[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
|
||||
[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
|
||||
[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
|
||||
ok=0
|
||||
for delta in 1 2 3 4 5; do
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=1 --dpi-desync-autottl=$delta $e && ok=1
|
||||
@@ -1256,18 +1345,25 @@ pktws_check_domain_http_bypass_()
|
||||
echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta"
|
||||
echo "WARNING ! if a reliable delta cannot be found it's a good idea not to use autottl"
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_wssize=0
|
||||
[ "$SCANLEVEL" = force ] || {
|
||||
[ "$desync" = fake ] && need_fake=0
|
||||
[ "$desync" = fakedsplit ] && need_fakedsplit=0
|
||||
[ "$desync" = fakeddisorder ] && need_fakeddisorder=0
|
||||
}
|
||||
}
|
||||
done
|
||||
|
||||
s="http_iana_org.bin"
|
||||
[ "$sec" = 0 ] || s="tls_clienthello_iana_org.bin"
|
||||
for desync in syndata syndata,split2 syndata,disorder2 ; do
|
||||
for desync in syndata ${need_split:+syndata,multisplit} ${need_disorder:+syndata,multidisorder} ; do
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return
|
||||
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fake-syndata="$ZAPRET_BASE/files/fake/$s" $e && [ "$SCANLEVEL" = quick ] && return
|
||||
done
|
||||
|
||||
# do not do wssize test for http and TLS 1.3. it's useless
|
||||
[ "$sec" = 1 ] || break
|
||||
[ "$SCANLEVEL" = force -o "$need_wssize" = 1 ] || break
|
||||
done
|
||||
}
|
||||
pktws_check_domain_http_bypass()
|
||||
@@ -1278,7 +1374,7 @@ pktws_check_domain_http_bypass()
|
||||
|
||||
local strategy
|
||||
pktws_check_domain_http_bypass_ "$@"
|
||||
strategy="${strategy:+$strategy${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}}"
|
||||
strategy_append_extra_pktws
|
||||
report_strategy $1 $3 $PKTWSD
|
||||
}
|
||||
|
||||
@@ -1323,7 +1419,7 @@ pktws_check_domain_http3_bypass()
|
||||
|
||||
local strategy
|
||||
pktws_check_domain_http3_bypass_ "$@"
|
||||
strategy="${strategy:+$strategy $PKTWS_EXTRA $PKTWS_EXTRA_1 $PKTWS_EXTRA_2 $PKTWS_EXTRA_3 $PKTWS_EXTRA_4 $PKTWS_EXTRA_5 $PKTWS_EXTRA_6 $PKTWS_EXTRA_7 $PKTWS_EXTRA_8 $PKTWS_EXTRA_9}"
|
||||
strategy_append_extra_pktws
|
||||
report_strategy $1 $2 $PKTWSD
|
||||
}
|
||||
warn_mss()
|
||||
@@ -1338,50 +1434,58 @@ tpws_check_domain_http_bypass_()
|
||||
# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
|
||||
# $3 - domain
|
||||
|
||||
local s mss s2 s3 pos sec="$2"
|
||||
local s mss s2 s3 oobdis pos sec="$2"
|
||||
local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld,endhost-1'
|
||||
local splits_http='method+2 midsld method+2,midsld'
|
||||
|
||||
# simulteneous oob and disorder works properly only in linux. other systems retransmit oob byte without URG tcp flag and poison tcp stream.
|
||||
[ "$UNAME" = Linux ] && oobdis='--oob --disorder'
|
||||
if [ "$sec" = 0 ]; then
|
||||
for s in '--hostcase' '--hostspell=hoSt' '--hostdot' '--hosttab' '--hostnospace' '--domcase' \
|
||||
'--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384' ; do
|
||||
for s in '--hostcase' '--hostspell=hoSt' '--hostdot' '--hosttab' '--hostnospace' '--domcase' ; do
|
||||
tpws_curl_test_update $1 $3 $s && [ "$SCANLEVEL" = quick ] && return
|
||||
done
|
||||
for s2 in '' '--oob' '--disorder' '--oob --disorder'; do
|
||||
for s in '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' ; do
|
||||
tpws_curl_test_update $1 $3 $s $s2 && [ "$SCANLEVEL" = quick ] && return
|
||||
for s in 1024 2048 4096 8192 16384 ; do
|
||||
tpws_curl_test_update $1 $3 --hostpad=$s && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
break
|
||||
}
|
||||
done
|
||||
for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
|
||||
for s in $splits_http ; do
|
||||
tpws_curl_test_update $1 $3 --split-pos=$s $s2 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
break
|
||||
}
|
||||
done
|
||||
done
|
||||
for s in '--methodspace' '--unixeol' '--methodeol'; do
|
||||
tpws_curl_test_update $1 $3 $s && [ "$SCANLEVEL" = quick ] && return
|
||||
done
|
||||
else
|
||||
local need_mss=1
|
||||
for mss in '' 88; do
|
||||
s3=${mss:+--mss=$mss}
|
||||
for s2 in '' '--oob' '--disorder' '--oob --disorder'; do
|
||||
for pos in sni sniext; do
|
||||
s="--split-tls=$pos"
|
||||
tpws_curl_test_update $1 $3 $s $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
break
|
||||
}
|
||||
done
|
||||
for pos in 1 2 3 4 5 10 50; do
|
||||
s="--split-pos=$pos"
|
||||
tpws_curl_test_update $1 $3 $s $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
|
||||
for pos in $splits_tls; do
|
||||
tpws_curl_test_update $1 $3 --split-pos=$pos $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_mss=0
|
||||
break
|
||||
}
|
||||
done
|
||||
done
|
||||
for s2 in '--tlsrec=sni' '--tlsrec=sni --split-tls=sni' '--tlsrec=sni --split-tls=sni --oob' \
|
||||
'--tlsrec=sni --split-tls=sni --disorder' '--tlsrec=sni --split-tls=sni --oob --disorder' \
|
||||
'--tlsrec=sni --split-pos=1' '--tlsrec=sni --split-pos=1 --oob' '--tlsrec=sni --split-pos=1 --disorder' \
|
||||
'--tlsrec=sni --split-pos=1 --oob --disorder'; do
|
||||
tpws_curl_test_update $1 $3 $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
|
||||
for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' '--tlsrec=sniext+1 --split-pos=1,midsld' '--tlsrec=sniext+4 --split-pos=1,midsld' ; do
|
||||
tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_mss=0
|
||||
break
|
||||
}
|
||||
done
|
||||
done
|
||||
# only linux supports mss
|
||||
[ "$UNAME" = Linux -a "$sec" = 1 ] || break
|
||||
[ "$SCANLEVEL" = force -o "$need_mss" = 1 ] || break
|
||||
done
|
||||
fi
|
||||
}
|
||||
@@ -1393,7 +1497,7 @@ tpws_check_domain_http_bypass()
|
||||
|
||||
local strategy
|
||||
tpws_check_domain_http_bypass_ "$@"
|
||||
strategy="${strategy:+$strategy${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}}"
|
||||
strategy_append_extra_tpws
|
||||
report_strategy $1 $3 tpws
|
||||
}
|
||||
|
||||
@@ -1474,7 +1578,7 @@ check_domain_http_tcp()
|
||||
|
||||
check_domain_prolog $1 $2 $4 || return
|
||||
|
||||
check_dpi_ip_block $1 $4
|
||||
[ "$SKIP_IPBLOCK" = 1 ] || check_dpi_ip_block $1 $4
|
||||
|
||||
[ "$SKIP_TPWS" = 1 ] || {
|
||||
echo
|
||||
@@ -1520,22 +1624,22 @@ check_domain_http_udp()
|
||||
check_domain_http()
|
||||
{
|
||||
# $1 - domain
|
||||
check_domain_http_tcp curl_test_http 80 0 $1
|
||||
check_domain_http_tcp curl_test_http $HTTP_PORT 0 $1
|
||||
}
|
||||
check_domain_https_tls12()
|
||||
{
|
||||
# $1 - domain
|
||||
check_domain_http_tcp curl_test_https_tls12 443 1 $1
|
||||
check_domain_http_tcp curl_test_https_tls12 $HTTPS_PORT 1 $1
|
||||
}
|
||||
check_domain_https_tls13()
|
||||
{
|
||||
# $1 - domain
|
||||
check_domain_http_tcp curl_test_https_tls13 443 2 $1
|
||||
check_domain_http_tcp curl_test_https_tls13 $HTTPS_PORT 2 $1
|
||||
}
|
||||
check_domain_http3()
|
||||
{
|
||||
# $1 - domain
|
||||
check_domain_http_udp curl_test_http3 443 $1
|
||||
check_domain_http_udp curl_test_http3 $QUIC_PORT $1
|
||||
}
|
||||
|
||||
configure_ip_version()
|
||||
@@ -1630,87 +1734,119 @@ ask_params()
|
||||
exitp 1
|
||||
}
|
||||
|
||||
|
||||
local dom
|
||||
[ -n "$DOMAINS" ] || {
|
||||
DOMAINS="$DOMAINS_DEFAULT"
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo "specify domain(s) to test. multiple domains are space separated."
|
||||
printf "domain(s) (default: $DOMAINS) : "
|
||||
local dom
|
||||
read dom
|
||||
[ -n "$dom" ] && DOMAINS="$dom"
|
||||
}
|
||||
}
|
||||
|
||||
local IPVS_def=4
|
||||
[ -n "$IPVS" ] || {
|
||||
# yandex public dns
|
||||
pingtest 6 2a02:6b8::feed:0ff && IPVS_def=46
|
||||
[ "$BATCH" = 1 ] || {
|
||||
printf "ip protocol version(s) - 4, 6 or 46 for both (default: $IPVS_def) : "
|
||||
read IPVS
|
||||
}
|
||||
[ -n "$IPVS" ] || IPVS=$IPVS_def
|
||||
[ "$IPVS" = 4 -o "$IPVS" = 6 -o "$IPVS" = 46 ] || {
|
||||
echo 'invalid ip version(s). should be 4, 6 or 46.'
|
||||
exitp 1
|
||||
}
|
||||
}
|
||||
[ "$IPVS" = 46 ] && IPVS="4 6"
|
||||
|
||||
configure_curl_opt
|
||||
|
||||
[ -n "$ENABLE_HTTP" ] || {
|
||||
ENABLE_HTTP=1
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
ask_yes_no_var ENABLE_HTTP "check http"
|
||||
}
|
||||
}
|
||||
|
||||
[ -n "$ENABLE_HTTPS_TLS12" ] || {
|
||||
ENABLE_HTTPS_TLS12=1
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
ask_yes_no_var ENABLE_HTTPS_TLS12 "check https tls 1.2"
|
||||
}
|
||||
}
|
||||
|
||||
[ -n "$ENABLE_HTTPS_TLS13" ] || {
|
||||
ENABLE_HTTPS_TLS13=0
|
||||
echo
|
||||
if [ -n "$TLS13" ]; then
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
echo "TLS 1.3 uses encrypted ServerHello. DPI cannot check domain name in server response."
|
||||
echo "This can allow more bypass strategies to work."
|
||||
echo "What works for TLS 1.2 will also work for TLS 1.3 but not vice versa."
|
||||
echo "Most sites nowadays support TLS 1.3 but not all. If you can't find a strategy for TLS 1.2 use this test."
|
||||
echo "TLS 1.3 only strategy is better than nothing."
|
||||
ask_yes_no_var ENABLE_HTTPS_TLS13 "check https tls 1.3"
|
||||
}
|
||||
else
|
||||
echo
|
||||
echo "installed curl version does not support TLS 1.3 . tests disabled."
|
||||
fi
|
||||
|
||||
ENABLE_HTTP3=0
|
||||
echo
|
||||
if [ -n "$HTTP3" ]; then
|
||||
echo "make sure target domain(s) support QUIC or result will be negative in any case"
|
||||
ENABLE_HTTP3=1
|
||||
ask_yes_no_var ENABLE_HTTP3 "check http3 QUIC"
|
||||
else
|
||||
echo "installed curl version does not support http3 QUIC. tests disabled."
|
||||
fi
|
||||
|
||||
IGNORE_CA=0
|
||||
CURL_OPT=
|
||||
[ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ] && {
|
||||
echo
|
||||
echo "on limited systems like openwrt CA certificates might not be installed to preserve space"
|
||||
echo "in such a case curl cannot verify server certificate and you should either install ca-bundle or disable verification"
|
||||
echo "however disabling verification will break https check if ISP does MitM attack and substitutes server certificate"
|
||||
ask_yes_no_var IGNORE_CA "do not verify server certificate"
|
||||
[ "$IGNORE_CA" = 1 ] && CURL_OPT=-k
|
||||
}
|
||||
|
||||
[ -n "$ENABLE_HTTP3" ] || {
|
||||
ENABLE_HTTP3=0
|
||||
if [ -n "$HTTP3" ]; then
|
||||
ENABLE_HTTP3=1
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
echo "make sure target domain(s) support QUIC or result will be negative in any case"
|
||||
ask_yes_no_var ENABLE_HTTP3 "check http3 QUIC"
|
||||
}
|
||||
else
|
||||
echo
|
||||
echo "installed curl version does not support http3 QUIC. tests disabled."
|
||||
fi
|
||||
}
|
||||
|
||||
[ -n "$REPEATS" ] || {
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
echo "sometimes ISPs use multiple DPIs or load balancing. bypass strategies may work unstable."
|
||||
printf "how many times to repeat each test (default: 1) : "
|
||||
read REPEATS
|
||||
}
|
||||
REPEATS=$((0+${REPEATS:-1}))
|
||||
[ "$REPEATS" = 0 ] && {
|
||||
echo invalid repeat count
|
||||
exitp 1
|
||||
}
|
||||
}
|
||||
[ -z "$PARALLEL" -a $REPEATS -gt 1 ] && {
|
||||
PARALLEL=0
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
echo "parallel scan can greatly increase speed but may also trigger DDoS protection and cause false result"
|
||||
ask_yes_no_var PARALLEL "enable parallel scan"
|
||||
}
|
||||
}
|
||||
PARALLEL=${PARALLEL:-0}
|
||||
|
||||
[ -n "$SCANLEVEL" ] || {
|
||||
SCANLEVEL=standard
|
||||
[ "$BATCH" = 1 ] || {
|
||||
echo
|
||||
echo quick - scan as fast as possible to reveal any working strategy
|
||||
echo standard - do investigation what works on your DPI
|
||||
echo force - scan maximum despite of result
|
||||
SCANLEVEL=${SCANLEVEL:-standard}
|
||||
ask_list SCANLEVEL "quick standard force" "$SCANLEVEL"
|
||||
# disable tpws checks by default in quick mode
|
||||
[ "$SCANLEVEL" = quick -a -z "$SKIP_TPWS" -a "$UNAME" != Darwin ] && SKIP_TPWS=1
|
||||
}
|
||||
}
|
||||
|
||||
echo
|
||||
|
||||
@@ -1915,14 +2051,15 @@ check_dns()
|
||||
unprepare_all()
|
||||
{
|
||||
# make sure we are not in a middle state that impacts connectivity
|
||||
rm -f "$HDRTEMP"
|
||||
[ -n "$IPV" ] && {
|
||||
pktws_ipt_unprepare_tcp 80
|
||||
pktws_ipt_unprepare_tcp 443
|
||||
pktws_ipt_unprepare_udp 443
|
||||
}
|
||||
ws_kill
|
||||
wait
|
||||
[ -n "$IPV" ] && {
|
||||
pktws_ipt_unprepare_tcp $HTTP_PORT
|
||||
pktws_ipt_unprepare_tcp $HTTPS_PORT
|
||||
pktws_ipt_unprepare_udp $QUIC_PORT
|
||||
}
|
||||
cleanup
|
||||
rm -f "${HDRTEMP}"* "${PARALLEL_OUT}"*
|
||||
}
|
||||
sigint()
|
||||
{
|
||||
@@ -1968,10 +2105,10 @@ for dom in $DOMAINS; do
|
||||
for IPV in $IPVS; do
|
||||
configure_ip_version
|
||||
[ "$ENABLE_HTTP" = 1 ] && {
|
||||
check_domain_port_block $dom $HTTP_PORT
|
||||
[ "$SKIP_IPBLOCK" = 1 ] || check_domain_port_block $dom $HTTP_PORT
|
||||
check_domain_http $dom
|
||||
}
|
||||
[ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_port_block $dom $HTTPS_PORT
|
||||
[ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && [ "$SKIP_IPBLOCK" != 1 ] && check_domain_port_block $dom $HTTPS_PORT
|
||||
[ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $dom
|
||||
[ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $dom
|
||||
[ "$ENABLE_HTTP3" = 1 ] && check_domain_http3 $dom
|
||||
|
@@ -60,11 +60,22 @@ starts_with()
|
||||
esac
|
||||
return 1
|
||||
}
|
||||
extract_arg()
|
||||
{
|
||||
# $1 - arg number
|
||||
# $2,$3,... - args
|
||||
local n=$1
|
||||
while [ -n "$1" ]; do
|
||||
shift
|
||||
[ $n -eq 1 ] && { echo "$1"; return 0; }
|
||||
n=$(($n-1))
|
||||
done
|
||||
return 1
|
||||
}
|
||||
find_str_in_list()
|
||||
{
|
||||
# $1 - string
|
||||
# $2 - space separated values
|
||||
|
||||
local v
|
||||
[ -n "$1" ] && {
|
||||
for v in $2; do
|
||||
@@ -230,7 +241,7 @@ fix_sbin_path()
|
||||
# it can calculate floating point expr
|
||||
calc()
|
||||
{
|
||||
awk "BEGIN { print $*}";
|
||||
LC_ALL=C awk "BEGIN { print $*}";
|
||||
}
|
||||
|
||||
fsleep_setup()
|
||||
@@ -307,18 +318,27 @@ setup_md5()
|
||||
exists $MD5 || MD5=md5
|
||||
}
|
||||
|
||||
setup_random()
|
||||
{
|
||||
[ -n "$RCUT" ] && return
|
||||
RCUT="cut -c 1-17"
|
||||
# some shells can operate with 32 bit signed int
|
||||
[ $((0x100000000)) = 0 ] && RCUT="cut -c 1-9"
|
||||
}
|
||||
|
||||
random()
|
||||
{
|
||||
# $1 - min, $2 - max
|
||||
local r rs
|
||||
setup_md5
|
||||
setup_random
|
||||
if [ -c /dev/urandom ]; then
|
||||
read rs </dev/urandom
|
||||
else
|
||||
rs="$RANDOM$RANDOM$(date)"
|
||||
fi
|
||||
# shells use signed int64
|
||||
r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
|
||||
r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | $RCUT)
|
||||
echo $(( ($r % ($2-$1+1)) + $1 ))
|
||||
}
|
||||
|
||||
|
@@ -3,6 +3,8 @@ custom_runner()
|
||||
# $1 - function name
|
||||
# $2+ - params
|
||||
|
||||
[ "$DISABLE_CUSTOM" = 1 ] && return 0
|
||||
|
||||
local n script FUNC=$1
|
||||
|
||||
shift
|
||||
|
@@ -1,4 +1,4 @@
|
||||
readonly GET_LIST_PREFIX=/ipset/get_
|
||||
GET_LIST_PREFIX=/ipset/get_
|
||||
|
||||
SYSTEMD_DIR=/lib/systemd
|
||||
[ -d "$SYSTEMD_DIR" ] || SYSTEMD_DIR=/usr/lib/systemd
|
||||
@@ -140,7 +140,7 @@ echo_var()
|
||||
eval v="\$$1"
|
||||
if find_str_in_list $1 "$EDITVAR_NEWLINE_VARS"; then
|
||||
echo "$1=\""
|
||||
echo "$v\"" | sed "s/$EDITVAR_NEWLINE_DELIMETER /$EDITVAR_NEWLINE_DELIMETER\n/g"
|
||||
echo "$v\"" | tr '\n' ' ' | tr -d '\r' | sed -e 's/^ *//' -e 's/ *$//' -e "s/$EDITVAR_NEWLINE_DELIMETER /$EDITVAR_NEWLINE_DELIMETER\n/g"
|
||||
else
|
||||
if contains "$v" " "; then
|
||||
echo $1=\"$v\"
|
||||
@@ -170,6 +170,7 @@ list_vars()
|
||||
echo_var $1
|
||||
shift
|
||||
done
|
||||
echo
|
||||
}
|
||||
|
||||
openrc_test()
|
||||
@@ -190,6 +191,7 @@ check_system()
|
||||
|
||||
get_fwtype
|
||||
OPENWRT_FW3=
|
||||
OPENWRT_FW4=
|
||||
|
||||
local info
|
||||
UNAME=$(uname)
|
||||
@@ -201,27 +203,35 @@ check_system()
|
||||
# some distros include systemctl without systemd
|
||||
if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then
|
||||
SYSTEM=systemd
|
||||
elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then
|
||||
{
|
||||
elif [ -f "/etc/openwrt_release" ] && exists opkg || exists apk && exists uci && [ "$INIT" = "procd" ] ; then
|
||||
SYSTEM=openwrt
|
||||
OPENWRT_PACKAGER=opkg
|
||||
OPENWRT_PACKAGER_INSTALL="opkg install"
|
||||
OPENWRT_PACKAGER_UPDATE="opkg update"
|
||||
exists apk && {
|
||||
OPENWRT_PACKAGER=apk
|
||||
OPENWRT_PACKAGER_INSTALL="apk add"
|
||||
OPENWRT_PACKAGER_UPDATE=
|
||||
}
|
||||
info="package manager $OPENWRT_PACKAGER\n"
|
||||
if openwrt_fw3 ; then
|
||||
OPENWRT_FW3=1
|
||||
info="openwrt firewall uses fw3"
|
||||
info="${info}firewall fw3"
|
||||
if is_ipt_flow_offload_avail; then
|
||||
info="$info. hardware flow offloading requires iptables."
|
||||
else
|
||||
info="$info. flow offloading unavailable."
|
||||
fi
|
||||
elif openwrt_fw4; then
|
||||
info="openwrt firewall uses fw4. flow offloading requires nftables."
|
||||
OPENWRT_FW4=1
|
||||
info="${info}firewall fw4. flow offloading requires nftables."
|
||||
fi
|
||||
}
|
||||
elif openrc_test; then
|
||||
SYSTEM=openrc
|
||||
else
|
||||
echo system is not either systemd, openrc or openwrt based
|
||||
echo easy installer can set up config settings but can\'t configure auto start
|
||||
echo you have to do it manually. check readme.txt for manual setup info.
|
||||
echo you have to do it manually. check readme.md for manual setup info.
|
||||
if [ -n "$1" ] || ask_yes_no N "do you want to continue"; then
|
||||
SYSTEM=linux
|
||||
else
|
||||
@@ -232,11 +242,11 @@ check_system()
|
||||
elif [ "$UNAME" = "Darwin" ]; then
|
||||
SYSTEM=macos
|
||||
else
|
||||
echo easy installer only supports Linux and MacOS. check readme.txt for supported systems and manual setup info.
|
||||
echo easy installer only supports Linux and MacOS. check readme.md for supported systems and manual setup info.
|
||||
exitp 5
|
||||
fi
|
||||
echo system is based on $SYSTEM
|
||||
[ -n "$info" ] && echo $info
|
||||
[ -n "$info" ] && printf "${info}\n"
|
||||
}
|
||||
|
||||
get_free_space_mb()
|
||||
@@ -420,14 +430,21 @@ check_kmod()
|
||||
}
|
||||
check_package_exists_openwrt()
|
||||
{
|
||||
[ -n "$(opkg list $1)" ]
|
||||
[ -n "$($OPENWRT_PACKAGER list $1)" ]
|
||||
}
|
||||
check_package_openwrt()
|
||||
{
|
||||
case $OPENWRT_PACKAGER in
|
||||
opkg)
|
||||
[ -n "$(opkg list-installed $1)" ] && return 0
|
||||
local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)"
|
||||
[ -n "$what" ] || return 1
|
||||
[ -n "$(opkg list-installed $what)" ]
|
||||
;;
|
||||
apk)
|
||||
apk info -e $1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
check_packages_openwrt()
|
||||
{
|
||||
@@ -516,9 +533,8 @@ restart_openwrt_firewall()
|
||||
|
||||
local FW=fw4
|
||||
[ -n "$OPENWRT_FW3" ] && FW=fw3
|
||||
$FW -q restart || {
|
||||
exists $FW && $FW -q restart || {
|
||||
echo could not restart firewall $FW
|
||||
exitp 30
|
||||
}
|
||||
}
|
||||
remove_openwrt_firewall()
|
||||
@@ -601,11 +617,17 @@ write_config_var()
|
||||
replace_var_def $1 "$M" "$ZAPRET_CONFIG"
|
||||
}
|
||||
|
||||
no_prereq_exit()
|
||||
{
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
check_prerequisites_linux()
|
||||
{
|
||||
echo \* checking prerequisites
|
||||
|
||||
local s cmd PKGS UTILS req="curl curl"
|
||||
local APTGET DNF YUM PACMAN ZYPPER EOPKG APK
|
||||
case "$FWTYPE" in
|
||||
iptables)
|
||||
req="$req iptables iptables ip6tables iptables ipset ipset"
|
||||
@@ -634,6 +656,7 @@ check_prerequisites_linux()
|
||||
echo packages required : $PKGS
|
||||
|
||||
APTGET=$(whichq apt-get)
|
||||
DNF=$(whichq dnf)
|
||||
YUM=$(whichq yum)
|
||||
PACMAN=$(whichq pacman)
|
||||
ZYPPER=$(whichq zypper)
|
||||
@@ -641,39 +664,23 @@ check_prerequisites_linux()
|
||||
APK=$(whichq apk)
|
||||
if [ -x "$APTGET" ] ; then
|
||||
"$APTGET" update
|
||||
"$APTGET" install -y --no-install-recommends $PKGS dnsutils || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
"$APTGET" install -y --no-install-recommends $PKGS dnsutils || no_prereq_exit
|
||||
elif [ -x "$DNF" ] ; then
|
||||
"$DNF" -y install $PKGS || no_prereq_exit
|
||||
elif [ -x "$YUM" ] ; then
|
||||
"$YUM" -y install $PKGS || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
"$YUM" -y install $PKGS || no_prereq_exit
|
||||
elif [ -x "$PACMAN" ] ; then
|
||||
"$PACMAN" -Syy
|
||||
"$PACMAN" --noconfirm -S $PKGS || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
"$PACMAN" --noconfirm -S $PKGS || no_prereq_exit
|
||||
elif [ -x "$ZYPPER" ] ; then
|
||||
"$ZYPPER" --non-interactive install $PKGS || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
"$ZYPPER" --non-interactive install $PKGS || no_prereq_exit
|
||||
elif [ -x "$EOPKG" ] ; then
|
||||
"$EOPKG" -y install $PKGS || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
"$EOPKG" -y install $PKGS || no_prereq_exit
|
||||
elif [ -x "$APK" ] ; then
|
||||
"$APK" update
|
||||
# for alpine
|
||||
[ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables"
|
||||
"$APK" add $PKGS || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
"$APK" add $PKGS || no_prereq_exit
|
||||
else
|
||||
echo supported package manager not found
|
||||
echo you must manually install : $UTILS
|
||||
@@ -684,7 +691,23 @@ check_prerequisites_linux()
|
||||
|
||||
removable_pkgs_openwrt()
|
||||
{
|
||||
PKGS="iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl"
|
||||
local pkg PKGS2
|
||||
[ -n "$OPENWRT_FW4" ] && PKGS2="$PKGS2 iptables-zz-legacy iptables ip6tables-zz-legacy ip6tables"
|
||||
[ -n "$OPENWRT_FW3" ] && PKGS2="$PKGS2 nftables-json nftables-nojson nftables"
|
||||
PKGS=
|
||||
for pkg in $PKGS2; do
|
||||
check_package_exists_openwrt $pkg && PKGS="${PKGS:+$PKGS }$pkg"
|
||||
done
|
||||
PKGS="ipset iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl $PKGS"
|
||||
}
|
||||
|
||||
openwrt_fix_broken_apk_uninstall_scripts()
|
||||
{
|
||||
# at least in early snapshots with apk removing gnu gzip, sort, ... does not restore links to busybox
|
||||
# system may become unusable
|
||||
exists sort || { echo fixing missing sort; ln -fs /bin/busybox /usr/bin/sort; }
|
||||
exists gzip || { echo fixing missing gzip; ln -fs /bin/busybox /bin/gzip; }
|
||||
exists sleep || { echo fixing missing sleep; ln -fs /bin/busybox /bin/sleep; }
|
||||
}
|
||||
|
||||
remove_extra_pkgs_openwrt()
|
||||
@@ -693,19 +716,32 @@ remove_extra_pkgs_openwrt()
|
||||
echo \* remove dependencies
|
||||
removable_pkgs_openwrt
|
||||
echo these packages may have been installed by install_easy.sh : $PKGS
|
||||
ask_yes_no N "do you want to remove them" && opkg remove --autoremove $PKGS
|
||||
ask_yes_no N "do you want to remove them" && {
|
||||
case $OPENWRT_PACKAGER in
|
||||
opkg)
|
||||
opkg remove --autoremove $PKGS
|
||||
;;
|
||||
apk)
|
||||
apk del $PKGS
|
||||
openwrt_fix_broken_apk_uninstall_scripts
|
||||
;;
|
||||
esac
|
||||
}
|
||||
}
|
||||
|
||||
check_prerequisites_openwrt()
|
||||
{
|
||||
echo \* checking prerequisites
|
||||
|
||||
local PKGS="curl" UPD=0
|
||||
local PKGS="curl" UPD=0 local pkg_iptables
|
||||
|
||||
case "$FWTYPE" in
|
||||
iptables)
|
||||
PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
|
||||
[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra"
|
||||
pkg_iptables=iptables
|
||||
check_package_exists_openwrt iptables-zz-legacy && pkg_iptables=iptables-zz-legacy
|
||||
PKGS="$PKGS ipset $pkg_iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
|
||||
check_package_exists_openwrt ip6tables-zz-legacy && pkg_iptables=ip6tables-zz-legacy
|
||||
[ "$DISABLE_IPV6" = 1 ] || PKGS="$PKGS $pkg_iptables ip6tables-mod-nat ip6tables-extra"
|
||||
;;
|
||||
nftables)
|
||||
PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
|
||||
@@ -717,9 +753,9 @@ check_prerequisites_openwrt()
|
||||
else
|
||||
echo \* installing prerequisites
|
||||
|
||||
opkg update
|
||||
$OPENWRT_PACKAGER_UPDATE
|
||||
UPD=1
|
||||
opkg install $PKGS || {
|
||||
$OPENWRT_PACKAGER_INSTALL $PKGS || {
|
||||
echo could not install prerequisites
|
||||
exitp 6
|
||||
}
|
||||
@@ -732,10 +768,10 @@ check_prerequisites_openwrt()
|
||||
echo installer can install GNU gzip but it requires about 100 Kb space
|
||||
if ask_yes_no N "do you want to install GNU gzip"; then
|
||||
[ "$UPD" = "0" ] && {
|
||||
opkg update
|
||||
$OPENWRT_PACKAGER_UPDATE
|
||||
UPD=1
|
||||
}
|
||||
opkg install --force-overwrite gzip
|
||||
$OPENWRT_PACKAGER_INSTALL --force-overwrite gzip
|
||||
fi
|
||||
}
|
||||
is_linked_to_busybox sort && {
|
||||
@@ -745,10 +781,10 @@ check_prerequisites_openwrt()
|
||||
echo installer can install GNU sort but it requires about 100 Kb space
|
||||
if ask_yes_no N "do you want to install GNU sort"; then
|
||||
[ "$UPD" = "0" ] && {
|
||||
opkg update
|
||||
$OPENWRT_PACKAGER_UPDATE
|
||||
UPD=1
|
||||
}
|
||||
opkg install --force-overwrite coreutils-sort
|
||||
$OPENWRT_PACKAGER_INSTALL --force-overwrite coreutils-sort
|
||||
fi
|
||||
}
|
||||
[ "$FSLEEP" = 0 ] && is_linked_to_busybox sleep && {
|
||||
@@ -757,10 +793,10 @@ check_prerequisites_openwrt()
|
||||
echo if you want to speed up blockcheck install coreutils-sleep. it requires about 40 Kb space
|
||||
if ask_yes_no N "do you want to install COREUTILS sleep"; then
|
||||
[ "$UPD" = "0" ] && {
|
||||
opkg update
|
||||
$OPENWRT_PACKAGER_UPDATE
|
||||
UPD=1
|
||||
}
|
||||
opkg install --force-overwrite coreutils-sleep
|
||||
$OPENWRT_PACKAGER_INSTALL --force-overwrite coreutils-sleep
|
||||
fsleep_setup
|
||||
fi
|
||||
}
|
||||
@@ -793,3 +829,37 @@ select_fwtype()
|
||||
echo select firewall type :
|
||||
ask_list FWTYPE "iptables nftables" "$FWTYPE" && write_config_var FWTYPE
|
||||
}
|
||||
|
||||
dry_run_tpws_()
|
||||
{
|
||||
local TPWS="$ZAPRET_BASE/tpws/tpws"
|
||||
echo verifying tpws options
|
||||
"$TPWS" --dry-run "$@"
|
||||
}
|
||||
dry_run_nfqws_()
|
||||
{
|
||||
local NFQWS="$ZAPRET_BASE/nfq/nfqws"
|
||||
echo verifying nfqws options
|
||||
"$NFQWS" --dry-run "$@"
|
||||
}
|
||||
dry_run_tpws()
|
||||
{
|
||||
[ "$TPWS_ENABLE" = 1 ] || return 0
|
||||
local opt="$TPWS_OPT" port=${TPPORT_SOCKS:-988}
|
||||
filter_apply_hostlist_target opt
|
||||
dry_run_tpws_ --port=$port $opt
|
||||
}
|
||||
dry_run_tpws_socks()
|
||||
{
|
||||
[ "$TPWS_SOCKS_ENABLE" = 1 ] || return 0
|
||||
local opt="$TPWS_SOCKS_OPT" port=${TPPORT:-987}
|
||||
filter_apply_hostlist_target opt
|
||||
dry_run_tpws_ --port=$port --socks $opt
|
||||
}
|
||||
dry_run_nfqws()
|
||||
{
|
||||
[ "$NFQWS_ENABLE" = 1 ] || return 0
|
||||
local opt="$NFQWS_OPT" qn=${QNUM:-200}
|
||||
filter_apply_hostlist_target opt
|
||||
dry_run_nfqws_ --qnum=$qn $opt
|
||||
}
|
||||
|
@@ -1,5 +1,9 @@
|
||||
std_ports
|
||||
readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
|
||||
ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
|
||||
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
||||
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
||||
IPBAN_EXCLUDE="-m set ! --match-set ipban"
|
||||
IPBAN_EXCLUDE6="-m set ! --match-set ipban6"
|
||||
|
||||
ipt()
|
||||
{
|
||||
@@ -132,7 +136,7 @@ _fw_tpws4()
|
||||
|
||||
ipt_print_op $1 "$2" "tpws (port $3)"
|
||||
|
||||
rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
|
||||
rule="$2 $IPSET_EXCLUDE dst $IPBAN_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
|
||||
for i in $4 ; do
|
||||
ipt_add_del $1 PREROUTING -t nat -i $i $rule
|
||||
done
|
||||
@@ -160,7 +164,7 @@ _fw_tpws6()
|
||||
|
||||
ipt_print_op $1 "$2" "tpws (port $3)" 6
|
||||
|
||||
rule="$2 $IPSET_EXCLUDE6 dst"
|
||||
rule="$2 $IPSET_EXCLUDE6 dst $IPBAN_EXCLUDE6 dst"
|
||||
for i in $4 ; do
|
||||
_dnat6_target $i DNAT6
|
||||
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
|
||||
@@ -349,27 +353,37 @@ ipt_do_nfqws_in_out()
|
||||
}
|
||||
}
|
||||
|
||||
zapret_do_firewall_standard_rules_ipt()
|
||||
zapret_do_firewall_standard_tpws_rules_ipt()
|
||||
{
|
||||
# $1 - 1 - add, 0 - del
|
||||
|
||||
local f4 f6
|
||||
|
||||
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
|
||||
{
|
||||
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
|
||||
f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_tpws $1 "$f4" "$f6" $TPPORT
|
||||
}
|
||||
[ "$NFQWS_ENABLE" = 1 ] &&
|
||||
{
|
||||
}
|
||||
zapret_do_firewall_standard_nfqws_rules_ipt()
|
||||
{
|
||||
# $1 - 1 - add, 0 - del
|
||||
|
||||
[ "$NFQWS_ENABLE" = 1 ] && {
|
||||
ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
|
||||
ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN"
|
||||
ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
|
||||
ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN"
|
||||
}
|
||||
}
|
||||
zapret_do_firewall_standard_rules_ipt()
|
||||
{
|
||||
# $1 - 1 - add, 0 - del
|
||||
|
||||
zapret_do_firewall_standard_tpws_rules_ipt $1
|
||||
zapret_do_firewall_standard_nfqws_rules_ipt $1
|
||||
}
|
||||
|
||||
zapret_do_firewall_rules_ipt()
|
||||
{
|
||||
|
55
common/linux_daemons.sh
Normal file
55
common/linux_daemons.sh
Normal file
@@ -0,0 +1,55 @@
|
||||
standard_mode_tpws_socks()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
local opt
|
||||
[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
|
||||
opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
do_tpws_socks $1 2 "$opt"
|
||||
}
|
||||
}
|
||||
standard_mode_tpws()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
local opt
|
||||
[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
|
||||
opt="--port=$TPPORT $TPWS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
do_tpws $1 1 "$opt"
|
||||
}
|
||||
}
|
||||
standard_mode_nfqws()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
local opt
|
||||
[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
|
||||
opt="--qnum=$QNUM $NFQWS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
do_nfqws $1 3 "$opt"
|
||||
}
|
||||
}
|
||||
standard_mode_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
standard_mode_tpws_socks $1
|
||||
standard_mode_tpws $1
|
||||
standard_mode_nfqws $1
|
||||
}
|
||||
zapret_do_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
standard_mode_daemons $1
|
||||
custom_runner zapret_custom_daemons $1
|
||||
|
||||
return 0
|
||||
}
|
||||
zapret_run_daemons()
|
||||
{
|
||||
zapret_do_daemons 1 "$@"
|
||||
}
|
||||
zapret_stop_daemons()
|
||||
{
|
||||
zapret_do_daemons 0 "$@"
|
||||
}
|
@@ -4,6 +4,8 @@
|
||||
# PREROUTING - can't DNAT to ::1. can DNAT to link local of -i interface or to any global addr
|
||||
# not a good idea to expose tpws to the world (bind to ::)
|
||||
|
||||
# max wait time for the link local ipv6 on the LAN interface
|
||||
LINKLOCAL_WAIT_SEC=${LINKLOCAL_WAIT_SEC:-5}
|
||||
|
||||
get_ipv6_linklocal()
|
||||
{
|
||||
@@ -125,3 +127,13 @@ resolve_lower_devices()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
default_route_interfaces6()
|
||||
{
|
||||
sed -nre 's/^00000000000000000000000000000000 00 [0-9a-f]{32} [0-9a-f]{2} [0-9a-f]{32} [0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8} +(.*)$/\1/p' /proc/net/ipv6_route | grep -v '^lo$' | sort -u | xargs
|
||||
}
|
||||
|
||||
default_route_interfaces4()
|
||||
{
|
||||
sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs
|
||||
}
|
||||
|
@@ -1,5 +1,5 @@
|
||||
readonly HOSTLIST_MARKER="<HOSTLIST>"
|
||||
readonly HOSTLIST_NOAUTO_MARKER="<HOSTLIST_NOAUTO>"
|
||||
HOSTLIST_MARKER="<HOSTLIST>"
|
||||
HOSTLIST_NOAUTO_MARKER="<HOSTLIST_NOAUTO>"
|
||||
|
||||
find_hostlists()
|
||||
{
|
||||
|
@@ -1,5 +1,5 @@
|
||||
[ -n "$ZAPRET_NFT_TABLE" ] || ZAPRET_NFT_TABLE=zapret
|
||||
readonly nft_connbytes="ct original packets"
|
||||
nft_connbytes="ct original packets"
|
||||
|
||||
# required for : nft -f -
|
||||
create_dev_stdin
|
||||
@@ -263,28 +263,6 @@ nft_add_flow_offload_exemption()
|
||||
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
|
||||
}
|
||||
|
||||
nft_hw_offload_supported()
|
||||
{
|
||||
# $1,$2,... - interface names
|
||||
local devices res=1
|
||||
make_quoted_comma_list devices "$@"
|
||||
[ -n "$devices" ] && devices="devices={$devices};"
|
||||
nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
|
||||
nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
|
||||
return $res
|
||||
}
|
||||
|
||||
nft_hw_offload_find_supported()
|
||||
{
|
||||
# $1,$2,... - interface names
|
||||
local supported_list
|
||||
while [ -n "$1" ]; do
|
||||
nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
|
||||
shift
|
||||
done
|
||||
echo $supported_list
|
||||
}
|
||||
|
||||
nft_apply_flow_offloading()
|
||||
{
|
||||
# ft can be absent
|
||||
@@ -370,9 +348,8 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
|
||||
nft_create_or_update_flowtable 'offload' 2>/dev/null
|
||||
# then add elements. some of them can cause error because unsupported
|
||||
for i in $ALLDEVS; do
|
||||
if nft_hw_offload_supported $i; then
|
||||
nft_create_or_update_flowtable 'offload' $i
|
||||
else
|
||||
# first try to add interface itself
|
||||
nft_create_or_update_flowtable 'offload' $i 2>/dev/null
|
||||
# bridge members must be added instead of the bridge itself
|
||||
# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
|
||||
devs=$(resolve_lower_devices $i)
|
||||
@@ -380,7 +357,6 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
|
||||
# do not display error if addition failed
|
||||
nft_create_or_update_flowtable 'offload' $j 2>/dev/null
|
||||
done
|
||||
fi
|
||||
done
|
||||
;;
|
||||
esac
|
||||
@@ -411,8 +387,8 @@ _nft_fw_tpws4()
|
||||
[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
|
||||
local filter="$1" port="$2"
|
||||
nft_print_op "$filter" "tpws (port $2)" 4
|
||||
nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
|
||||
prepare_route_localnet
|
||||
}
|
||||
}
|
||||
@@ -426,9 +402,9 @@ _nft_fw_tpws6()
|
||||
[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
|
||||
local filter="$1" port="$2" DNAT6 i
|
||||
nft_print_op "$filter" "tpws (port $port)" 6
|
||||
nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
|
||||
nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
|
||||
[ -n "$3" ] && {
|
||||
nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
|
||||
nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
|
||||
for i in $3; do
|
||||
_dnat6_target $i DNAT6
|
||||
# can be multiple tpws processes on different ports
|
||||
@@ -640,25 +616,31 @@ nft_apply_nfqws_in_out()
|
||||
}
|
||||
}
|
||||
|
||||
zapret_apply_firewall_standard_rules_nft()
|
||||
zapret_apply_firewall_standard_tpws_rules_nft()
|
||||
{
|
||||
local f4 f6
|
||||
|
||||
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
|
||||
{
|
||||
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
|
||||
f4="tcp dport {$TPWS_PORTS}"
|
||||
f6=$f4
|
||||
nft_filter_apply_ipset_target f4 f6
|
||||
nft_fw_tpws "$f4" "$f6" $TPPORT
|
||||
}
|
||||
[ "$NFQWS_ENABLE" = 1 ] &&
|
||||
{
|
||||
}
|
||||
zapret_apply_firewall_standard_nfqws_rules_nft()
|
||||
{
|
||||
[ "$NFQWS_ENABLE" = 1 ] && {
|
||||
nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
|
||||
nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN"
|
||||
nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
|
||||
nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN"
|
||||
}
|
||||
}
|
||||
zapret_apply_firewall_standard_rules_nft()
|
||||
{
|
||||
zapret_apply_firewall_standard_tpws_rules_nft
|
||||
zapret_apply_firewall_standard_nfqws_rules_nft
|
||||
}
|
||||
|
||||
zapret_apply_firewall_rules_nft()
|
||||
{
|
||||
|
@@ -55,7 +55,7 @@ TPPORT_SOCKS=987
|
||||
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
|
||||
TPWS_SOCKS_OPT="
|
||||
--filter-tcp=80 --methodeol <HOSTLIST> --new
|
||||
--filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
|
||||
--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
|
||||
"
|
||||
|
||||
TPWS_ENABLE=0
|
||||
@@ -65,7 +65,7 @@ TPWS_PORTS=80,443
|
||||
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
|
||||
TPWS_OPT="
|
||||
--filter-tcp=80 --methodeol <HOSTLIST> --new
|
||||
--filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
|
||||
--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
|
||||
"
|
||||
|
||||
NFQWS_ENABLE=0
|
||||
@@ -89,8 +89,8 @@ NFQWS_UDP_PKT_IN=0
|
||||
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
|
||||
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
|
||||
NFQWS_OPT="
|
||||
--filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
|
||||
--filter-tcp=443 --dpi-desync=fake,disorder2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
|
||||
--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
|
||||
--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig <HOSTLIST> --new
|
||||
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO>
|
||||
"
|
||||
|
||||
|
@@ -1,6 +1,6 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2016-2021 bol-van
|
||||
Copyright (c) 2016-2024 bol-van
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
@@ -100,7 +100,7 @@ Later you will add ipfw commands to `/etc/rc.firewall.my` to be reapplied after
|
||||
You can also run zapret daemons from there. Start them with `--daemon` options, for example
|
||||
```
|
||||
pkill ^dvtws$
|
||||
/opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=split2
|
||||
/opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
To restart firewall and daemons run : `/etc/rc.d/ipfw restart`
|
||||
@@ -157,7 +157,7 @@ ipfw delete 100
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||
# required for autottl mode only
|
||||
ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
|
||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
Process only table zapret with the exception of table nozapret:
|
||||
@@ -167,7 +167,7 @@ ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
||||
ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
|
||||
# required for autottl mode only
|
||||
ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
|
||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||
/opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
Reinjection loop avoidance. FreeBSD artificially ignores sockarg for ipv6 in
|
||||
@@ -245,7 +245,7 @@ sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
|
||||
ipfw delete 100
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
|
||||
pkill ^dvtws$
|
||||
dvtws --daemon --port 989 --dpi-desync=split2
|
||||
dvtws --daemon --port 989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
|
||||
# required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
|
||||
pfctl -d ; pfctl -e
|
||||
@@ -280,7 +280,7 @@ Autostart `/usr/local/etc/rc.d/zapret.sh`:
|
||||
```
|
||||
pfctl -a zapret -f /etc/zapret.anchor
|
||||
pkill ^tpws$
|
||||
tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-http-req=method --split-pos=2
|
||||
tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-pos=2
|
||||
```
|
||||
|
||||
After reboot check that anchor is created and referred from the main ruleset:
|
||||
@@ -342,7 +342,7 @@ pass out quick on em0 proto tcp to port {80,443} divert-packet port 989
|
||||
Then:
|
||||
```
|
||||
pfctl -f /etc/pf.conf
|
||||
./dvtws --port=989 --dpi-desync=split2
|
||||
./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
`dwtws` only for table zapret with the exception of table nozapret :
|
||||
@@ -375,7 +375,7 @@ pass out quick on em0 inet6 proto tcp to <zapret6-user> port {80,443} divert-p
|
||||
Then:
|
||||
```
|
||||
pfctl -f /etc/pf.conf
|
||||
./dvtws --port=989 --dpi-desync=split2
|
||||
./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
divert-packet automatically adds the reverse rule. By default also incoming
|
||||
|
14
docs/bsd.md
14
docs/bsd.md
@@ -143,7 +143,7 @@ $ ipfw -q -f flush
|
||||
zapret, добавив в параметры `--daemon`. Например так:
|
||||
```sh
|
||||
$ pkill ^dvtws$
|
||||
$ /opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=split2
|
||||
$ /opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
Для перезапуска фаервола и демонов достаточно будет сделать:
|
||||
@@ -209,7 +209,7 @@ $ ipfw delete 100
|
||||
$ ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted xmit em0
|
||||
# required for autottl mode only
|
||||
$ ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted recv em0
|
||||
$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||
$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
#### Трафик только на таблицу zapret, за исключением таблицы nozapret
|
||||
@@ -220,7 +220,7 @@ $ ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
|
||||
$ ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
|
||||
# required for autottl mode only
|
||||
$ ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
|
||||
$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
|
||||
$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
|
||||
@@ -317,7 +317,7 @@ sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
|
||||
ipfw delete 100
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted xmit em0
|
||||
pkill ^dvtws$
|
||||
dvtws --daemon --port 989 --dpi-desync=split2
|
||||
dvtws --daemon --port 989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
|
||||
# required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
|
||||
pfctl -d ; pfctl -e
|
||||
@@ -357,7 +357,7 @@ rdr pass on em1 inet6 proto tcp to port {80,443} -> fe80::20c:29ff:5ae3:4821 por
|
||||
```sh
|
||||
$ pfctl -a zapret -f /etc/zapret.anchor
|
||||
$ pkill ^tpws$
|
||||
$ tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-http-req=method --split-pos=2
|
||||
$ tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-pos=2
|
||||
```
|
||||
|
||||
4. После перезагрузки проверьте, что правила создались:
|
||||
@@ -424,7 +424,7 @@ pass out quick on em0 proto tcp to port {80,443} divert-packet port 989 no sta
|
||||
|
||||
```sh
|
||||
$ pfctl -f /etc/pf.conf
|
||||
$ ./dvtws --port=989 --dpi-desync=split2
|
||||
$ ./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
#### Трафик только на таблицу zapret, за исключением таблицы nozapret
|
||||
@@ -456,7 +456,7 @@ pass out quick on em0 inet6 proto tcp to <zapret6-user> port {80,443} divert-p
|
||||
|
||||
```sh
|
||||
$ pfctl -f /etc/pf.conf
|
||||
$ ./dvtws --port=989 --dpi-desync=split2
|
||||
$ ./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
```
|
||||
|
||||
|
||||
|
@@ -70,7 +70,7 @@ pass in quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet por
|
||||
pass in quick on em0 proto tcp from port {80,443} no state
|
||||
pass out quick on em0 proto tcp to port {80,443} divert-packet port 989 no state
|
||||
pfctl -f /etc/pf.conf
|
||||
./dvtws --port=989 --dpi-desync=split2
|
||||
./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
|
||||
|
||||
; dvtws with table limitations : to zapret,zapret6 but not to nozapret,nozapret6
|
||||
; reload tables : pfctl -f /etc/pf.conf
|
||||
|
@@ -363,3 +363,92 @@ nfqws,tpws: use alternate $ sign for $<config_file>
|
||||
repo: binaries removed from repo. git actions binaries build in releases.
|
||||
uninstall_easy.sh: offer to remove dependencies in openwrt
|
||||
install_easy.sh: allow to download lists in autohostlist filter mode
|
||||
|
||||
v69:
|
||||
|
||||
nfqws, tpws: multisplit/multidisorder support.
|
||||
nfqws: name change split->fakedsplit, disorder->fakeddisorder. compat : old names are synonyms
|
||||
nfqws: --dpi-desync-split-http-req, --dpi-desync-split-tls deprecated. compat : these parameters add split point to multisplit.
|
||||
nfqws: --dpi-desync=split2|disorder2 deprecated. compat: they are now synonyms for multisplit/multidisorder
|
||||
nfqws: cancel seqovl if MTU is exceeded (linux only). cancel seqovl for disorder if seqovl>=first_part_size.
|
||||
nfqws: fixed splits in multiple TLS segments.
|
||||
tpws: --split-http-req,--split-tls deprecated. compat : these parameters add split point to multisplit.
|
||||
tpws: --tlsrec now takes pos markers. compat : old names are converted to pos markers
|
||||
tpws: --tlsrec-pos deprecated. compat : sets absolute pos marker
|
||||
nfqws,tpws: chown autohostlist, autohostlist debug log and debug log files after options parse
|
||||
nfqws,tpws: set EXEDIR env var to use in @config (won't work for stadalone winws without /bin/sh)
|
||||
dvtws: set random/increasing ip_id value in generated packets
|
||||
mdig: fixed parsing of DNS reply in windows (stdin is opened as text, not binary)
|
||||
tpws: support compile for android NDK api level >= 21 (Android 5.0)
|
||||
tpws: --fix-seg segmentation fixer
|
||||
repo: build for android NDK api level 21 (Android 5.0)
|
||||
install_easy: support for APK package manager in openwrt
|
||||
blockcheck: removed ignore CA question
|
||||
blockcheck: removed IGNORE_CA, CURL_VERBOSE
|
||||
blockcheck: added CURL_OPT
|
||||
blockcheck: new strategies support
|
||||
blockcheck: test sequence rework
|
||||
blockcheck: view all working strategies in summary
|
||||
|
||||
v69.1:
|
||||
|
||||
init.d: keenetic udp fix custom
|
||||
tpws: fixed incorrect hostlist checks
|
||||
|
||||
v69.2:
|
||||
|
||||
nfqws,tpws: --skip
|
||||
nfqws: --methodeol
|
||||
init.d: do not use pgrep in sysv for busybox compat
|
||||
|
||||
v69.3
|
||||
|
||||
nfqws,tpws: fixed ipsets and hostlists
|
||||
all progs: version numbers for github, build date/time for self built
|
||||
repo: light release for openwrt and embedded systems
|
||||
repo: sha256sum
|
||||
|
||||
v69.4
|
||||
|
||||
nfqws: fakedsplit/fakeddisorder fakes for both split segments
|
||||
nfqws: --dpi-desync-fakedsplit-pattern
|
||||
|
||||
v69.5
|
||||
|
||||
nfqws,tpws: --dry-run
|
||||
install_easy: check tpws and nfqws options validity
|
||||
|
||||
v69.6
|
||||
|
||||
nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
|
||||
init.d: unify custom scripts for linux
|
||||
init.d: new custom scripts : 20-fw-extra, 50-wg4all
|
||||
|
||||
v69.7
|
||||
|
||||
nfqws,tpws: --comment
|
||||
nfqws: trash flood warning
|
||||
winws: exclude empty outgoing ack packets in windivert filter
|
||||
|
||||
v69.8
|
||||
|
||||
winws: accept empty outgoing RST and FIN packets for conntrack needs
|
||||
repo: lexra build
|
||||
|
||||
v69.9
|
||||
|
||||
init.d: exclude ipban from tpws redirection
|
||||
macos: fix install_easy
|
||||
macos: fix national decimal separator in sleep
|
||||
ipset: scripts maintenance
|
||||
|
||||
v70
|
||||
|
||||
blockcheck: override all dialog questions and enable batch mode
|
||||
blockcheck: parallel attempts
|
||||
nfqws: weaken wireguard initiation recognition. use len=148 and data[0]=1 signature
|
||||
nfqws: apply split+seqovl only to the first reasm fragment
|
||||
install_easy: dnf packager support
|
||||
nfqws,tpws: hostlist/ipset track not only file mod time but also file size
|
||||
nfqws,tpws,ipset: return lists reload on HUP
|
||||
nfqws,blockcheck: --dpi-desync-fake-tls-mod
|
||||
|
@@ -1,21 +1,57 @@
|
||||
How to compile native programs for use in openwrt
|
||||
-------------------------------------------------
|
||||
|
||||
1) Download latest SDK for your platform from https://downloads.openwrt.org
|
||||
1) Install required packages to the host system :
|
||||
|
||||
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
|
||||
cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
|
||||
debian,ubuntu : apt install build-essential patch libncurses-dev python3-distutils unzip gawk wget git
|
||||
fedora: dnf install make patch gcc g++ ncurses-devel git perl
|
||||
|
||||
2) ./scripts/feeds update -a
|
||||
./scripts/feeds install -a
|
||||
Other packages may be required on your distribution. Look for the errors.
|
||||
|
||||
3) cp -R /opt/zapret/docs/compile/openwrt/. .
|
||||
cp -R /opt/zapret/tpws package/zapret/tpws
|
||||
cp -R /opt/zapret/nfq package/zapret/nfqws
|
||||
cp -R /opt/zapret/mdig package/zapret/mdig
|
||||
cp -R /opt/zapret/ip2net package/zapret/ip2net
|
||||
2) Download latest SDK for your target platform from https://downloads.openwrt.org
|
||||
|
||||
4) make package/{tpws,nfqws,mdig,ip2net}/compile
|
||||
examples :
|
||||
|
||||
5) find bin -name tpws*.ipk
|
||||
#take your tpws*.ipk , nfqws*.ipk , ip2net*.ipk, mdig*.ipk from there
|
||||
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
|
||||
cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
|
||||
|
||||
curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
|
||||
cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
|
||||
|
||||
3) Install required libs
|
||||
|
||||
./scripts/feeds update base packages
|
||||
./scripts/feeds install libnetfilter-queue zlib libcap
|
||||
|
||||
4) Prepare openwrt package definitions
|
||||
|
||||
cp -R /opt/zapret/docs/compile/openwrt/. .
|
||||
cp -R /opt/zapret/tpws package/zapret/tpws
|
||||
cp -R /opt/zapret/nfq package/zapret/nfqws
|
||||
cp -R /opt/zapret/mdig package/zapret/mdig
|
||||
cp -R /opt/zapret/ip2net package/zapret/ip2net
|
||||
rm -f package/zapret/tpws/tpws/tpws package/zapret/nfqws/nfq/nfqws package/zapret/mdig/mdig/mdig package/zapret/ip2net/ip2net/ip2net
|
||||
|
||||
5) Prepare .config
|
||||
|
||||
make defconfig
|
||||
|
||||
If you only need bins without packages comment 'CONFIG_AUTOREMOVE=y' line in .config
|
||||
|
||||
6) Compile
|
||||
|
||||
dynamic build : make package/{tpws,nfqws,mdig,ip2net}/compile
|
||||
static build : make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
|
||||
|
||||
7) Get result
|
||||
|
||||
executables only : build_dir/target/<progname>
|
||||
ipk or apk packages : bin/packages/*/base
|
||||
|
||||
8) Installating to openwrt to use with zapret
|
||||
|
||||
zapret with or without binaries should be already installed in /opt/zapret.
|
||||
Install ipk's or apk's with all compiled progs using opkg or apk.
|
||||
Bins are placed to /opt/zapret/binaries/my.
|
||||
Or copy binaries there manually and set chmod 755 to them.
|
||||
Run install_bin.sh or install_easy.sh. They will use bins in 'my' folder.
|
||||
|
16
docs/compile/build_howto_unix.txt
Normal file
16
docs/compile/build_howto_unix.txt
Normal file
@@ -0,0 +1,16 @@
|
||||
debian,ubuntu :
|
||||
|
||||
apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev
|
||||
make -C /opt/zapret
|
||||
|
||||
FreeBSD :
|
||||
|
||||
make -C /opt/zapret
|
||||
|
||||
OpenBSD :
|
||||
|
||||
make -C /opt/zapret bsd
|
||||
|
||||
MacOS :
|
||||
|
||||
make -C /opt/zapret mac
|
29
docs/compile/build_howto_windows.txt
Normal file
29
docs/compile/build_howto_windows.txt
Normal file
@@ -0,0 +1,29 @@
|
||||
Windows x64
|
||||
|
||||
1) Download latest cygwin for windows 7
|
||||
|
||||
curl -O https://www.cygwin.com/setup-x86_64.exe
|
||||
setup-x86_64.exe --allow-unsupported-windows --no-verify --site http://ctm.crouchingtigerhiddenfruitbat.org/pub/cygwin/circa/64bit/2024/01/30/231215
|
||||
|
||||
2) During setup install packages : make gcc-core zlib-devel
|
||||
|
||||
3) Run Cygwin.bat
|
||||
|
||||
4) cd to %ZAPRET_BASE%/nfq
|
||||
|
||||
cd C:/Users/user/Downloads/zapret/nfq
|
||||
|
||||
5) Compile
|
||||
|
||||
make cygwin64
|
||||
|
||||
use winws.exe
|
||||
|
||||
6) Take windivert.dll and windivert64.sys here : https://reqrypt.org/download
|
||||
Choose version 2.2.2 for Windows 10 and 2.2.0 for Windows 7.
|
||||
|
||||
7) Copy cygwin1.dll, winws.exe, windivert.dll and windivert64.sys to one folder.
|
||||
|
||||
8) Run winws.exe from cmd.exe running as administrator.
|
||||
winws will not run from cygwin shell with cygwin1.dll copy in it's folder.
|
||||
winws will not run without cygwin1.dll outside of cygwin shell.
|
@@ -24,8 +24,8 @@ define Build/Compile
|
||||
endef
|
||||
|
||||
define Package/ip2net/install
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/ip2net
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/ip2net $(1)/opt/zapret/ip2net
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/ip2net $(1)/opt/zapret/binaries/my
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,ip2net))
|
||||
|
@@ -24,8 +24,8 @@ define Build/Compile
|
||||
endef
|
||||
|
||||
define Package/mdig/install
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/mdig
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdig $(1)/opt/zapret/mdig
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdig $(1)/opt/zapret/binaries/my
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,mdig))
|
||||
|
@@ -25,8 +25,8 @@ define Build/Compile
|
||||
endef
|
||||
|
||||
define Package/nfqws/install
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/nfq
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/nfqws $(1)/opt/zapret/nfq
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/nfqws $(1)/opt/zapret/binaries/my
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,nfqws))
|
||||
|
@@ -25,8 +25,8 @@ define Build/Compile
|
||||
endef
|
||||
|
||||
define Package/tpws/install
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/tpws
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/tpws $(1)/opt/zapret/tpws
|
||||
$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/tpws $(1)/opt/zapret/binaries/my
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,tpws))
|
||||
|
@@ -12,7 +12,7 @@ iptables -t mangle -I POSTROUTING -p udp --dport 443 -m mark ! --mark 0x40000000
|
||||
# auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
|
||||
sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1
|
||||
iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:12 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
iptables -t mangle -I PREROUTING -p tcp -m multiport --sports 80,443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
iptables -t mangle -I PREROUTING -p tcp -m multiport --sports 80,443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:3 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
|
||||
|
||||
For TPROXY :
|
||||
|
@@ -19,8 +19,8 @@ For dpi desync attack :
|
||||
nft delete table inet ztest
|
||||
nft create table inet ztest
|
||||
nft add chain inet ztest post "{type filter hook postrouting priority mangle;}"
|
||||
nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-12 queue num 200 bypass
|
||||
nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-12 queue num 200 bypass
|
||||
nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-6 queue num 200 bypass
|
||||
nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-6 queue num 200 bypass
|
||||
|
||||
# auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
|
||||
sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1
|
||||
|
@@ -50,6 +50,8 @@
|
||||
> образ `squashfs` с помощью `image builder` и перешить этим вариантом роутер.
|
||||
|
||||
1. Скачайте последний [tar.gz релиз](https://github.com/bol-van/zapret/releases) в /tmp, распакуйте его, затем удалите архив.
|
||||
Для openwrt и прошивок используйте вариант `openwrt-embedded`.
|
||||
Для экономия места в /tmp можно качать через curl в stdout и сразу распаковывать.
|
||||
|
||||
2. Убедитесь, что у вас отключены все средства обхода блокировок, в том числе и
|
||||
сам zapret. Гарантированно уберет zapret скрипт `uninstall_easy.sh`.
|
||||
@@ -156,7 +158,7 @@
|
||||
>
|
||||
> Далее, имея понимание что работает на http, https, quic нужно
|
||||
> сконструировать параметры запуска `tpws` и/или `nfqws` с использованием
|
||||
> мультистратегии. Как работают мультистратегии описано в readme.txt.
|
||||
> мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
|
||||
>
|
||||
> Если кратко, то обычно параметры конструируются так:
|
||||
> ```sh
|
||||
@@ -213,7 +215,7 @@
|
||||
> Если используются методы нулевой фазы десинхронизации (`--mss`,
|
||||
> `--wssize`, `--dpi-desync=syndata`) и режим фильтрации `hostlist`, то все
|
||||
> параметры, относящиеся к этим методам, следует помещать в отдельные
|
||||
> профили мульистратегии, которые получат управление до определения имени
|
||||
> профили мультистратегии, которые получат управление до определения имени
|
||||
> хоста. Необходимо понимать алгоритм работы мультистратегий. Самым надежным
|
||||
> вариантом будет дублирование этих параметров на 2 профиля. Какой-нибудь
|
||||
> сработает в зависимости от параметра `MODE_FILTER`.
|
||||
@@ -235,6 +237,13 @@
|
||||
8. На все остальные вопросы `install_easy.sh` отвечайте согласно выводимой
|
||||
аннотации.
|
||||
|
||||
9. Удалите директорию из /tmp, откуда производилась установка.
|
||||
|
||||
## Полное удаление
|
||||
|
||||
1. Прогоните `/opt/zapret/uninstall_easy.sh`.
|
||||
2. Cогласитесь на удаление зависимостей в openwrt.
|
||||
3. Удалите каталог `/opt/zapret`.
|
||||
|
||||
## Итог
|
||||
Это минимальная инструкция, чтобы быстро сориентироваться с чего начать.
|
||||
|
@@ -47,11 +47,19 @@ _"Совсем ничего не могу, все очень сложно, да
|
||||
|
||||
Не помогла _"таблетка"_ ? Это вовсе не значит, что ничего не получится. Но придется делать по нормальному.
|
||||
|
||||
## НЕ ПОМОГЛО, КАК ТЕПЕРЬ ЭТО УДАЛИТЬ
|
||||
|
||||
Если вы не устанавливали zapret как службу или запланированную задачу (а это требует редактирования cmd файлов),
|
||||
достаточно закрыть окно с winws и запустить windivert_delete.cmd.
|
||||
Альтернатива - перезагрузить компьютер.
|
||||
После чего можно удалить папку с zapret. На этом деинсталляция закончена.
|
||||
Если же вы устанавливали zapret как службу, то вы наверняка знаете как ее удалить.
|
||||
|
||||
## РЕШЕНИЕ "КАК ПОЛОЖЕНО"
|
||||
|
||||
1) Скачайте и распакуйте архив https://github.com/bol-van/zapret-win-bundle/archive/refs/heads/master.zip.
|
||||
|
||||
2) Если у вас Windows 7 x64, читайте [docs/windows.md](./windows.md). Без описанной там подготовки может не работать.
|
||||
2) Если у вас Windows 7 x64, однократно запустите `win7/install_win7.cmd`. Батник заменит файлы windivert на совместимую с Windows 7 версию.
|
||||
|
||||
> [!WARNING]
|
||||
> Для 32-битных систем Windows нет готового полного варианта.
|
||||
@@ -115,7 +123,7 @@ blockcheck перейдет в этом случае на **DoH** _(DNS over HTT
|
||||
> она стабильна, на третьих полный хаос, и проще отказаться.
|
||||
>
|
||||
> Далее, имея понимание что работает на http, https, quic, нужно сконструировать параметры запуска winws
|
||||
> с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md).
|
||||
> с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
|
||||
>
|
||||
> Прежде всего вам нужно собрать фильтр перехватываемого трафика. Это делается через параметры
|
||||
> `--wf-l3`, `--wf-tcp`, `--wf-udp`.
|
||||
|
@@ -1,4 +1,9 @@
|
||||
# zapret v.67
|
||||
# zapret v70
|
||||
|
||||
# SCAMMER WARNING
|
||||
|
||||
This software is free and open source under [MIT license](./LICENSE.txt).
|
||||
If anyone demands you to download this software only from their webpage, telegram channel, forces you to delete links, videos, makes copyright claims, you are dealing with scammers.
|
||||
|
||||
# Multilanguage/Мультиязычный README
|
||||
___
|
||||
@@ -10,22 +15,34 @@ ___
|
||||
- [What is it for](#what-is-it-for)
|
||||
- [How it works](#how-it-works)
|
||||
- [How to put this into practice in the linux system](#how-to-put-this-into-practice-in-the-linux-system)
|
||||
- [ip6tables](#ip6tables)
|
||||
- [nftables](#nftables)
|
||||
- [When it will not work](#when-it-will-not-work)
|
||||
- [nfqws](#nfqws)
|
||||
- [DPI desync attack](#dpi-desync-attack)
|
||||
- [DPI desync combos](#dpi-desync-combos)
|
||||
- [SYNACK mode](#synack-mode)
|
||||
- [Fakes](#fakes)
|
||||
- [Fake mods](#fake-mods)
|
||||
- [TCP segmentation](#tcp-segmentation)
|
||||
- [Sequence numbers overlap](#sequence-numbers-overlap)
|
||||
- [ipv6 specific modes](#ipv6-specific-modes)
|
||||
- [Server reply reaction](#server-reply-reaction)
|
||||
- [SYNDATA mode](#syndata-mode)
|
||||
- [Virtual Machines](#virtual-machines)
|
||||
- [DPI desync combos](#dpi-desync-combos)
|
||||
- [CONNTRACK](#conntrack)
|
||||
- [Reassemble](#reassemble)
|
||||
- [UDP support](#udp-support)
|
||||
- [IP fragmentation](#ip-fragmentation)
|
||||
- [multiple strategies](#multiple-strategies)
|
||||
- [Multiple strategies](#multiple-strategies)
|
||||
- [Virtual machines](#virtual-machines)
|
||||
- [IPTABLES for nfqws](#iptables-for-nfqws)
|
||||
- [NFTABLES for nfqws](#nftables-for-nfqws)
|
||||
- [tpws](#tpws)
|
||||
- [multiple strategies](#multiple-strategies-1)
|
||||
- [TCP segmentation in tpws](#tcp-segmentation-in-tpws)
|
||||
- [TLSREC](#tlsrec)
|
||||
- [MSS](#mss)
|
||||
- [Other tamper options](#other-tamper-options)
|
||||
- [Supplementary options](#supplementary-options)
|
||||
- [Multiple strategies](#multiple-strategies-1)
|
||||
- [IPTABLES for tpws](#iptables-for-tpws)
|
||||
- [NFTABLES for tpws](#nftables-for-tpws)
|
||||
- [Ways to get a list of blocked IP](#ways-to-get-a-list-of-blocked-ip)
|
||||
- [Domain name filtering](#domain-name-filtering)
|
||||
- [**autohostlist** mode](#autohostlist-mode)
|
||||
@@ -94,101 +111,16 @@ deal with its consequences.
|
||||
2. Modification of the TCP connection at the stream level. Implemented through a proxy or transparent proxy.
|
||||
3. Modification of TCP connection at the packet level. Implemented through the NFQUEUE handler and raw sockets.
|
||||
|
||||
For options 2 and 3, tpws and nfqws programs are implemented, respectively.
|
||||
For options 2 and 3, **tpws** and **nfqws** programs are implemented, respectively.
|
||||
You need to run them with the necessary parameters and redirect certain traffic with iptables or nftables.
|
||||
|
||||
To redirect a TCP connection to a transparent proxy, the following commands are used:
|
||||
|
||||
forwarded traffic :
|
||||
`iptables -t nat -I PREROUTING -i <internal_interface> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988`
|
||||
|
||||
outgoing traffic :
|
||||
`iptables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988`
|
||||
|
||||
DNAT on localhost works in the OUTPUT chain, but does not work in the PREROUTING chain without enabling the route_localnet parameter:
|
||||
|
||||
`sysctl -w net.ipv4.conf.<internal_interface>.route_localnet=1`
|
||||
|
||||
You can use `-j REDIRECT --to-port 988` instead of DNAT, but in this case the transparent proxy process
|
||||
should listen on the ip address of the incoming interface or on all addresses. Listen all - not good
|
||||
in terms of security. Listening one (local) is possible, but automated scripts will have to recognize it,
|
||||
then dynamically enter it into the command. In any case, additional efforts are required.
|
||||
Using route_localnet can also introduce some security risks. You make available from internal_interface everything
|
||||
bound to `127.0.0.0/8`. Services are usually bound to `127.0.0.1`. Its possible to deny input to `127.0.0.1` from all interfaces except lo
|
||||
or bind tpws to any other IP from `127.0.0.0/8` range, for example to `127.0.0.127`, and allow incomings only to that IP :
|
||||
|
||||
```
|
||||
iptables -A INPUT ! -i lo -d 127.0.0.127 -j ACCEPT
|
||||
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
||||
```
|
||||
|
||||
Owner filter is necessary to prevent recursive redirection of connections from tpws itself.
|
||||
tpws must be started under OS user `tpws`.
|
||||
|
||||
NFQUEUE redirection of the outgoing traffic and forwarded traffic going towards the external interface,
|
||||
can be done with the following commands:
|
||||
|
||||
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||
|
||||
In order not to touch the traffic to unblocked addresses, you can take a list of blocked hosts, resolve it
|
||||
into IP addresses and put them to ipset 'zapret', then add a filter to the command:
|
||||
|
||||
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||
|
||||
Some DPIs catch only the first http request, ignoring subsequent requests in a keep-alive session.
|
||||
Then we can reduce CPU load, refusing to process unnecessary packets.
|
||||
|
||||
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||
|
||||
Mark filter does not allow nfqws-generated packets to enter the queue again.
|
||||
Its necessary to use this filter when also using `connbytes`. Without it packet ordering can be changed breaking the whole idea.
|
||||
Also if there's huge packet send from nfqws it may deadlock without mark filter.
|
||||
|
||||
Some attacks require redirection of incoming packets :
|
||||
|
||||
`iptables -t mangle -I PREROUTING -i <external_interface> -p tcp --sport 80 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:6 -m set --match-set zapret src -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||
|
||||
Incoming packets are filtered by incoming interface, source port and IP. This is opposite to the direct rule.
|
||||
|
||||
Some techniques that break NAT are possible only with nftables.
|
||||
|
||||
|
||||
## ip6tables
|
||||
|
||||
ip6tables work almost exactly the same way as ipv4, but there are a number of important nuances.
|
||||
In DNAT, you should take the address --to in square brackets. For example :
|
||||
|
||||
`ip6tables -t nat -I OUTPUT -o <external_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to [::1]:988`
|
||||
|
||||
The route_localnet parameter does not exist for ipv6.
|
||||
DNAT to localhost (:: 1) is possible only in the OUTPUT chain.
|
||||
In the PREROUTING DNAT chain, it is possible to any global address or to the link local address of the same interface
|
||||
the packet came from.
|
||||
NFQUEUE works without changes.
|
||||
|
||||
|
||||
## nftables
|
||||
|
||||
nftables are fine except one very big problem.
|
||||
nft requires tons of RAM to load large nf sets (ip lists) with subnets/intervals. Most of the home routers can't afford that.
|
||||
For example, even a 256 Mb system can't load a 100K ip list. nft process will OOM.
|
||||
nf sets do not support overlapping intervals and that's why nft process applies very RAM consuming algorithm to merge intervals so they don't overlap.
|
||||
There're equivalents to iptables for all other functions. Interface and protocol anonymous sets allow not to write multiple similar rules.
|
||||
Flow offloading is built-in into new linux kernels and nft versions.
|
||||
|
||||
nft version `1.0.2` or higher is recommended. But the higher is version the better.
|
||||
|
||||
Some techniques can be fully used only with nftables. It's not possible to queue packets after NAT in iptables.
|
||||
This limits techniques that break NAT.
|
||||
|
||||
|
||||
## When it will not work
|
||||
|
||||
* If DNS server returns false responses. ISP can return false IP addresses or not return anything
|
||||
when blocked domains are queried. If this is the case change DNS to public ones, such as 8.8.8.8 or 1.1.1.1.Sometimes ISP hijacks queries to any DNS server. Dnscrypt or dns-over-tls help.
|
||||
* If blocking is done by IP.
|
||||
* If a connection passes through a filter capable of reconstructing a TCP connection, and which
|
||||
follows all standards. For example, we are routed to squid. Connection goes through the full OS tcpip stack, fragmentation disappears immediately as a means of circumvention. Squid is correct, it will find everything as it should, it is useless to deceive him. BUT. Only small providers can afford using squid, since it is very resource intensive. Large companies usually use DPI, which is designed for much greater bandwidth.
|
||||
follows all standards. For example, we are routed to squid. Connection goes through the full OS tcpip stack. This project targets DPI only, not full OS stack and not server applications.
|
||||
|
||||
## nfqws
|
||||
|
||||
@@ -200,6 +132,8 @@ nfqws takes the following parameters:
|
||||
@<config_file> ; read file for options. must be the only argument. other options are ignored.
|
||||
|
||||
--debug=0|1
|
||||
--dry-run ; verify parameters and exit with code 0 if successful
|
||||
--comment ; any text (ignored)
|
||||
--qnum=<nfqueue_number>
|
||||
--daemon ; daemonize
|
||||
--pidfile=<filename> ; write pid to file
|
||||
@@ -215,7 +149,8 @@ nfqws takes the following parameters:
|
||||
--hostspell ; exact spelling of "Host" header. must be 4 chars. default is "host"
|
||||
--hostnospace ; remove space after Host: and add it to User-Agent: to preserve packet size
|
||||
--domcase ; mix domain case : Host: TeSt.cOm
|
||||
--dpi-desync=[<mode0>,]<mode>[,<mode2>] ; try to desync dpi state. modes : synack fake fakeknown rst rstack hopbyhop destopt ipfrag1 disorder disorder2 split split2 ipfrag2 udplen tamper
|
||||
--methodeol ; add '\n' before method and remove space after Host:
|
||||
--dpi-desync=[<mode0>,]<mode>[,<mode2>] ; try to desync dpi state. modes : synack fake fakeknown rst rstack hopbyhop destopt ipfrag1 multisplit multidisorder fakedsplit fakeddisorder ipfrag2 udplen tamper
|
||||
--dpi-desync-fwmark=<int|0xHEX> ; override fwmark for desync packet. default = 0x40000000 (1073741824)
|
||||
--dpi-desync-ttl=<int> ; set ttl for desync packet
|
||||
--dpi-desync-ttl6=<int> ; set ipv6 hop limit for desync packet. by default ttl value is used.
|
||||
@@ -224,11 +159,13 @@ nfqws takes the following parameters:
|
||||
--dpi-desync-fooling=<mode>[,<mode>] ; can use multiple comma separated values. modes : none md5sig ts badseq badsum datanoack hopbyhop hopbyhop2
|
||||
--dpi-desync-repeats=<N> ; send every desync packet N times
|
||||
--dpi-desync-skip-nosni=0|1 ; 1(default)=do not act on ClientHello without SNI (ESNI ?)
|
||||
--dpi-desync-split-pos=<1..9216> ; data payload split position
|
||||
--dpi-desync-split-http-req=method|host ; split at specified logical part of plain http request
|
||||
--dpi-desync-split-tls=sni|sniext ; split at specified logical part of TLS ClientHello
|
||||
--dpi-desync-split-seqovl=<int> ; use sequence overlap before first sent original split segment
|
||||
--dpi-desync-split-pos=N|-N|marker+N|marker-N ; comma separated list of split positions
|
||||
; markers: method,host,endhost,sld,endsld,midsld,sniext
|
||||
; full list is only used by multisplit and multidisorder
|
||||
; fakedsplit/fakeddisorder use first l7-protocol-compatible parameter if present, first abs value otherwise
|
||||
--dpi-desync-split-seqovl=N|-N|marker+N|marker-N ; use sequence overlap before first sent original split segment
|
||||
--dpi-desync-split-seqovl-pattern=<filename>|0xHEX ; pattern for the fake part of overlap
|
||||
--dpi-desync-fakedsplit-pattern=<filename>|0xHEX ; fake pattern for fakedsplit/fakeddisorder
|
||||
--dpi-desync-ipfrag-pos-tcp=<8..9216> ; ip frag position starting from the transport header. multiple of 8, default 8.
|
||||
--dpi-desync-ipfrag-pos-udp=<8..9216> ; ip frag position starting from the transport header. multiple of 8, default 32.
|
||||
--dpi-desync-badseq-increment=<int|0xHEX> ; badseq fooling seq signed increment. default -10000
|
||||
@@ -236,6 +173,7 @@ nfqws takes the following parameters:
|
||||
--dpi-desync-any-protocol=0|1 ; 0(default)=desync only http and tls 1=desync any nonempty data packet
|
||||
--dpi-desync-fake-http=<filename>|0xHEX ; file containing fake http request
|
||||
--dpi-desync-fake-tls=<filename>|0xHEX ; file containing fake TLS ClientHello (for https)
|
||||
--dpi-desync-fake-tls-mod=mod[,mod] ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,padencap
|
||||
--dpi-desync-fake-unknown=<filename>|0xHEX ; file containing unknown protocol fake payload
|
||||
--dpi-desync-fake-syndata=<filename>|0xHEX ; file containing SYN data payload
|
||||
--dpi-desync-fake-quic=<filename>|0xHEX ; file containing fake QUIC Initial
|
||||
@@ -247,39 +185,41 @@ nfqws takes the following parameters:
|
||||
--dpi-desync-start=[n|d|s]N ; apply dpi desync only to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N
|
||||
--dpi-desync-cutoff=[n|d|s]N ; apply dpi desync only to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N
|
||||
--hostlist=<filename> ; apply dpi desync only to the listed hosts (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
|
||||
--hostlist-domains=<domain_list> ; comma separated fixed domain list
|
||||
--hostlist-exclude=<filename> ; do not apply dpi desync to the listed hosts (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
|
||||
--hostlist-exclude-domains=<domain_list> ; comma separated fixed domain list
|
||||
--hostlist-auto=<filename> ; detect DPI blocks and build hostlist automatically
|
||||
--hostlist-auto-fail-threshold=<int> ; how many failed attempts cause hostname to be added to auto hostlist (default : 3)
|
||||
--hostlist-auto-fail-time=<int> ; all failed attemps must be within these seconds (default : 60)
|
||||
--hostlist-auto-retrans-threshold=<int> ; how many request retransmissions cause attempt to fail (default : 3)
|
||||
--hostlist-auto-debug=<logfile> ; debug auto hostlist positives
|
||||
--new ; begin new strategy
|
||||
--new ; begin new strategy (new profile)
|
||||
--skip ; do not use this profile
|
||||
--filter-l3=ipv4|ipv6 ; L3 protocol filter. multiple comma separated values allowed.
|
||||
--filter-tcp=[~]port1[-port2]|* ; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list supported.
|
||||
--filter-udp=[~]port1[-port2]|* ; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list supported.
|
||||
--filter-l7=[http|tls|quic|wireguard|dht|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.
|
||||
--ipset=<filename> ; ipset include filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
|
||||
--ipset-ip=<ip_list> ; comma separated fixed subnet list
|
||||
--ipset-exclude=<filename> ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
|
||||
--ipset-exclude-ip=<ip_list> ; comma separated fixed subnet list
|
||||
```
|
||||
|
||||
The manipulation parameters can be combined in any way.
|
||||
|
||||
WARNING. `--wsize` parameter is now not used anymore in scripts. TCP split can be achieved using DPI desync attack.
|
||||
|
||||
### DPI desync attack
|
||||
|
||||
After completion of the tcp 3-way handshake, the first data packet from the client goes.
|
||||
It usually has `GET / ...` or TLS ClientHello. We drop this packet, replacing with something else.
|
||||
It can be a fake version with another harmless but valid http or https request (`fake`), tcp reset packet (`rst`,`rstack`),
|
||||
split into 2 segments original packet with fake segment in the middle (`split`).
|
||||
`fakeknown` sends fake only in response to known application protocol.
|
||||
In articles these attack have names **TCB desynchronization** and **TCB teardown**.
|
||||
Fake packet must reach DPI, but do not reach the destination server.
|
||||
The following means are available: set a low TTL, send a packet with bad checksum,
|
||||
add tcp option **MD5 signature**. All of them have their own disadvantages :
|
||||
The idea is to take original message, modify it, add additional fake information in such a way that the server OS accepts original data only
|
||||
but DPI cannot recostruct original message or sees what it cannot identify as a prohibited request.
|
||||
|
||||
* md5sig does not work on all servers
|
||||
* badsum doesn't work if your device is behind NAT which does not pass invalid packets.
|
||||
There's a set of instruments to achieve that goal.
|
||||
It can be fake packets that reach DPI but do not reach server or get rejected by server, TCP segmentation or IP fragmentation.
|
||||
There're attacks based on TCP sequence numbers. Methods can be combined in many ways.
|
||||
|
||||
### Fakes
|
||||
|
||||
Fakes are separate generated by nfqws packets carrying false information for DPI. They must either not reach the server or be rejected by it. Otherwise TCP connection or data stream would be broken. There're multiple ways to solve this task.
|
||||
|
||||
* **md5sig** does not work on all servers
|
||||
* **badsum** doesn't work if your device is behind NAT which does not pass invalid packets.
|
||||
The most common Linux NAT router configuration does not pass them. Most home routers are Linux based.
|
||||
The default sysctl configuration `net.netfilter.nf_conntrack_checksum=1` causes contrack to verify tcp and udp checksums
|
||||
and set INVALID state for packets with invalid checksum.
|
||||
@@ -294,25 +234,25 @@ add tcp option **MD5 signature**. All of them have their own disadvantages :
|
||||
This behavior was observed on a Mediatek MT7621 based device.
|
||||
Tried to modify mediatek ethernet driver with no luck, likely hardware enforced limitation.
|
||||
However the device allowed to send badsum packets, problem only existed for passthrough traffic from clients.
|
||||
* badseq packets will be dropped by server, but DPI also can ignore them.
|
||||
* **badseq** packets will be dropped by server, but DPI also can ignore them.
|
||||
default badseq increment is set to -10000 because some DPIs drop packets outside of the small tcp window.
|
||||
But this also can cause troubles when `--dpi-desync-any-protocol` is enabled.
|
||||
To be 100% sure fake packet cannot fit to server tcp window consider setting badseq increment to 0x80000000
|
||||
* TTL looks like the best option, but it requires special tuning for each ISP. If DPI is further than local ISP websites
|
||||
* **TTL** looks like the best option, but it requires special tuning for each ISP. If DPI is further than local ISP websites
|
||||
you can cut access to them. Manual IP exclude list is required. Its possible to use md5sig with ttl.
|
||||
This way you cant hurt anything, but good chances it will help to open local ISP websites.
|
||||
If automatic solution cannot be found then use `zapret-hosts-user-exclude.txt`.
|
||||
Some router stock firmwares fix outgoing TTL. Without switching this option off TTL fooling will not work.
|
||||
* `hopbyhop` is ipv6 only. This fooling adds empty extension header `hop-by-hop options` or two headers in case of `hopbyhop2`.
|
||||
* **hopbyhop** is ipv6 only. This fooling adds empty extension header `hop-by-hop options` or two headers in case of `hopbyhop2`.
|
||||
Packets with two hop-by-hop headers violate RFC and discarded by all operating systems.
|
||||
All OS accept packets with one hop-by-hop header.
|
||||
Some ISPs/operators drop ipv6 packets with hop-by-hop options. Fakes will not be processed by the server either because
|
||||
ISP drops them or because there are two same headers.
|
||||
DPIs may still anaylize packets with one or two hop-by-hop headers.
|
||||
* `datanoack` sends tcp fakes without ACK flag. Servers do not accept this but DPI may accept.
|
||||
* **datanoack** sends tcp fakes without ACK flag. Servers do not accept this but DPI may accept.
|
||||
This mode may break NAT and may not work with iptables if masquerade is used, even from the router itself.
|
||||
Works with nftables properly. Likely requires external IP address (some ISPs pass these packets through their NAT).
|
||||
* `autottl` tries to automatically guess TTL value that allows DPI to receive fakes and does not allow them to reach the server.
|
||||
* **autottl** tries to automatically guess TTL value that allows DPI to receive fakes and does not allow them to reach the server.
|
||||
This tech relies on well known TTL values used by OS : 64,128,255. nfqws takes first incoming packet (YES, you need to redirect it too),
|
||||
guesses path length and decreases by `delta` value (default 1). If resulting value is outside the range (min,max - default 3,20)
|
||||
then its normalized to min or max. If the path shorter than the value then autottl fails and falls back to the fixed value.
|
||||
@@ -322,42 +262,68 @@ add tcp option **MD5 signature**. All of them have their own disadvantages :
|
||||
|
||||
`--dpi-desync-fooling` takes multiple comma separated values.
|
||||
|
||||
For fake,rst,rstack modes original packet is sent after the fake.
|
||||
### FAKE mods
|
||||
|
||||
Disorder mode splits original packet and sends packets in the following order :
|
||||
1. 2nd segment
|
||||
2. fake 1st segment, data filled with zeroes
|
||||
3. 1st segment
|
||||
4. fake 1st segment, data filled with zeroes (2nd copy)
|
||||
**nfqws** has built-in TLS fake. It can be customized with `--dpi-desync-fake-tls` option.
|
||||
Customized fake data can be anything - valid TLS Client Hello or arbitrary data.
|
||||
It's possible to use TLS Client Hello with any fingerprint and any SNI.
|
||||
|
||||
Original packet is always dropped. `--dpi-desync-split-pos` sets split position (default 2).
|
||||
If position is higher than packet length, pos=1 is used.
|
||||
This sequence is designed to make reconstruction of critical message as difficult as possible.
|
||||
Fake segments may not be required to bypass some DPIs, but can potentially help if more sophisticated reconstruction
|
||||
algorithms are used.
|
||||
Mode `disorder2` disables sending of fake segments.
|
||||
**nfqws** can do some modifications of valid TLS Client Hello fakes in runtime with `--dpi-desync-fake-tls-mod` option.
|
||||
|
||||
Split mode is very similar to disorder but without segment reordering :
|
||||
* `none`. Do not do any mods.
|
||||
* `rnd`. Randomize `random` and `session id` fields. Applied on every request.
|
||||
* `rndsni`. Randomize SNI. If SNI >=7 symbols random SLD is applied with known TLD. Otherwise filled with random symbols. Applied only once at startup.
|
||||
* `padencap`. Padding extension is extended by original TLS Client Hello size (including multi packet variation with kyber). Padding extension is added to the end if not present, otherwise it must be the last extension. All lengths are increased. Fake size is not changed. Can be useful if DPI does not analyze sequence numbers properly. Applied on every request.
|
||||
|
||||
1. fake 1st segment, data filled with zeroes
|
||||
2. 1st segment
|
||||
3. fake 1st segment, data filled with zeroes (2nd copy)
|
||||
4. 2nd segment
|
||||
By default if custom fake is not defined `rnd,rndsni` mods are applied. If defined - `none`.
|
||||
This behaviour is compatible with previous versions.
|
||||
|
||||
Mode `split2` disables sending of fake segments. It can be used as a faster alternative to --wsize.
|
||||
### TCP segmentation
|
||||
|
||||
In `disorder2` and `split2` modes no fake packets are sent, so ttl and fooling options are not required.
|
||||
* `multisplit`. split request at specified in `--dpi-desync-split-pos` positions
|
||||
* `multidisorder`. same as `multisplit` but send in reverse order
|
||||
* `fakedsplit`. split request into 2 segments adding fakes in the middle of them : fake 1st segment, 1st segment, fake 1st segment, fake 2nd segment, 2nd segment, fake 2nd segment
|
||||
* `fakeddisorder`. same as `fakedsplit` but with another order : fake 2nd segment, 2nd segment, fake 2nd segment, fake 1st segment, 1st segment, fake 1st segment
|
||||
|
||||
`seqovl` adds to the first sent original segment (1st for split, 2nd for disorder) seqovl bytes to the beginning and decreases
|
||||
sequence number.
|
||||
In `split2` mode this creates partially in-window packet. OS receives only in-window part.
|
||||
In `disorder2` mode OS receives fake and real part of the second segment but does not pass received data to the socket until first
|
||||
segment is received. First segment overwrites fake part of the second segment. Then OS passes original data to the socket.
|
||||
Positions are defined by markers.
|
||||
|
||||
* **Absolute positive marker** - numeric offset inside one packet or group of packets starting from the start
|
||||
* **Absolute negative marker** - numeric offset inside one packet or group of packets starting from the next byte after the end
|
||||
* **Relative marker** - positive or negative offset relative to a logical position within a packet or group of packets
|
||||
|
||||
Relative positions :
|
||||
|
||||
* **method** - HTTP method start ('GET', 'POST', 'HEAD', ...). Method is usually always at position 0 but can shift because of `--methodeol` fooling. If fooled position can become 1 or 2.
|
||||
* **host** - hostname start in a known protocol (http, TLS)
|
||||
* **endhost** - the byte next to the last hostname's byte
|
||||
* **sld** - second level domain start in the hostname
|
||||
* **endsld** - the byte next to the last SLD byte
|
||||
* **midsld** - middle of SLD
|
||||
* **sniext** - start of the data field in the SNI TLS extension. Any extension has 2-byte type and length fields followed by data field.
|
||||
|
||||
Marker list example : `100,midsld,sniext+1,endhost-2,-10`.
|
||||
|
||||
When splitting all markers are resolved to absolute offsets. If a relative position is absent in the current protocol its dropped. Then all resolved offsets are normalized to the current packet offset in multi packet group (multi-packet TLS with kyber, for example). Positions outside of the current packet are dropped. Remaining positions are sorted and deduplicated.
|
||||
|
||||
In `multisplit`or `multidisorder` case split is cancelled if no position remained.
|
||||
|
||||
`fakedsplit` и `fakeddisorder` use only one split position. It's searched from the `--dpi-desync-split-pos` list by a special alorightm.
|
||||
First relative markers are searched. If no suitable found absolute markers are searched. If nothing found position 1 is used.
|
||||
|
||||
For example, `--dpi-desync-split-pos=method+2,midsld,5` means `method+2` for http, `midsld` for TLS and 5 for others.
|
||||
|
||||
### Sequence numbers overlap
|
||||
|
||||
`seqovl` adds to one of the original segment `seqovl` bytes to the beginning and decreases sequence number. For `split` - to the first segment, for `disorder` - to the beginning of the penultimate segment sent (second in the original sequence).
|
||||
|
||||
In `split` mode this creates partially in-window packet. OS receives only in-window part.
|
||||
In `disorder` mode OS receives fake and real part of the second segment but does not pass received data to the socket until first segment is received. First segment overwrites fake part of the second segment. Then OS passes original data to the socket.
|
||||
All unix OS except Solaris preserve last received data. This is not the case for Windows servers and `disorder` with `seqovl` will not work.
|
||||
Disorder requires `seqovl` to be less than `split_pos`. Either statically defined or automatically calculated.
|
||||
Otherwise desync is not possible and will not happen.
|
||||
Disorder requires `seqovl` to be less than split position. Otherwise `seqovl` is not possible and will be cancelled.
|
||||
Method allows to avoid separate fakes. Fakes and real data are mixed.
|
||||
|
||||
### ipv6 specific modes
|
||||
|
||||
`hopbyhop`, `destopt` and `ipfrag1` desync modes (they're not the same as `hopbyhop` fooling !) are ipv6 only. One `hop-by-hop`,
|
||||
`destination options` or `fragment` header is added to all desynced packets.
|
||||
Extra header increases packet size and can't be applied to the maximum size packets.
|
||||
@@ -365,91 +331,36 @@ If it's not possible to send modified packet original one will be sent.
|
||||
The idea here is that DPI sees 0 in the next header field of the main ipv6 header and does not
|
||||
walk through the extension header chain until transport header is found.
|
||||
`hopbyhop`, `destopt`, `ipfrag1` modes can be used with any second phase mode except `ipfrag1+ipfrag2`.
|
||||
For example, `hopbyhop,split2` means split original tcp packet into 2 pieces and add hop-by-hop header to both.
|
||||
For example, `hopbyhop,multisplit` means split original tcp packet into several pieces and add hop-by-hop header to each.
|
||||
With `hopbyhop,ipfrag2` header sequence will be : `ipv6,hop-by-hop,fragment,tcp/udp`.
|
||||
`ipfrag1` mode may not always work without special preparations. See "IP Fragmentation" notices.
|
||||
|
||||
There are DPIs that analyze responses from the server, particularly the certificate from the ServerHello
|
||||
that contain domain name(s). The ClientHello delivery confirmation is an ACK packet from the server
|
||||
with ACK sequence number corresponding to the length of the ClientHello+1.
|
||||
### Server reply reaction
|
||||
|
||||
There are DPIs that analyze responses from the server, particularly the certificate from the ServerHello that contain domain name(s). The ClientHello delivery confirmation is an ACK packet from the server with ACK sequence number corresponding to the length of the ClientHello+1.
|
||||
In the disorder variant, a selective acknowledgement (SACK) usually arrives first, then a full ACK.
|
||||
If, instead of ACK or SACK, there is an RST packet with minimal delay, DPI cuts you off at the request stage.
|
||||
If the RST is after a full ACK after a delay of about ping to the server, then probably DPI acts
|
||||
on the server response. The DPI may be satisfied with good ClientHello and stop monitoring the TCP session
|
||||
without checking ServerHello. Then you were lucky. 'fake' option could work.
|
||||
If it does not stop monitoring and persistently checks the ServerHello, --wssize parameter may help (see CONNTRACK).
|
||||
If the RST is after a full ACK after a delay of about ping to the server, then probably DPI acts on the server response. The DPI may be satisfied with good ClientHello and stop monitoring the TCP session without checking ServerHello. Then you were lucky. 'fake' option could work.
|
||||
If it does not stop monitoring and persistently checks the ServerHello, --wssize parameter may help (see [CONNTRACK](#conntrack)).
|
||||
Otherwise it is hardly possible to overcome this without the help of the server.
|
||||
The best solution is to enable TLS 1.3 support on the server. TLS 1.3 sends the server certificate in encrypted form.
|
||||
This is recommendation to all admins of blocked sites. Enable TLS 1.3. You will give more opportunities to overcome DPI.
|
||||
|
||||
Hosts are extracted from plain http request Host: header and SNI of ClientHello TLS message.
|
||||
Subdomains are applied automatically. gzip lists are supported.
|
||||
|
||||
iptables for performing the attack on the first packet :
|
||||
|
||||
`iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass`
|
||||
|
||||
This is good if DPI does not track all requests in http keep-alive session.
|
||||
If it does, then pass all outgoing packets for http and only first data packet for https :
|
||||
|
||||
```
|
||||
iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
iptables -t mangle -I POSTROUTING -o <external_interface> -p tcp --dport 80 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
```
|
||||
|
||||
mark is needed to keep away generated packets from NFQUEUE. nfqws sets fwmark when it sends generated packets.
|
||||
nfqws can internally filter marked packets. but when connbytes filter is used without mark filter
|
||||
packet ordering can be changed breaking the whole idea of desync attack.
|
||||
|
||||
### DPI desync combos
|
||||
|
||||
dpi-desync parameter takes up to 3 comma separated arguments.
|
||||
zero phase means tcp connection establishement (before sending data payload). Mode can be `synack`.
|
||||
Hostlist filter is not applicable to the zero phase.
|
||||
Next phases work on packets with data payload.
|
||||
1st phase mode can be `fake`,`rst`,`rstack`, 2nd phase mode - `disorder`,`disorder2`,`split`,`split2`,`ipfrag2`.
|
||||
Can be useful for ISPs with more than one DPI.
|
||||
|
||||
### SYNACK mode
|
||||
|
||||
In geneva docs it's called **TCP turnaround**. Attempt to make the DPI believe the roles of client and server are reversed.
|
||||
|
||||
!!! This mode breaks NAT operation and can be used only if there's no NAT between the attacker's device and the DPI !
|
||||
|
||||
In linux it's required to remove standard firewall rule dropping INVALID packets in the OUTPUT chain,
|
||||
for example : `-A OUTPUT -m state --state INVALID -j DROP`
|
||||
|
||||
In openwrt it's possible to disable the rule for both FORWARD and OUTPUT chains in /etc/config/firewall :
|
||||
```
|
||||
config zone
|
||||
option name 'wan'
|
||||
.........
|
||||
option masq_allow_invalid '1'
|
||||
```
|
||||
Unfortunately there's no OUTPUT only switch. It's not desired to remove the rule from the FORWARD chain.
|
||||
Add the following lines to `/etc/firewall.user` :
|
||||
|
||||
```
|
||||
iptables -D zone_wan_output -m comment --comment '!fw3' -j zone_wan_dest_ACCEPT
|
||||
ip6tables -D zone_wan_output -m comment --comment '!fw3' -j zone_wan_dest_ACCEPT
|
||||
```
|
||||
|
||||
then `/etc/init.d/firewall restart`
|
||||
|
||||
Otherwise raw sending SYN,ACK frame will cause error stopping the further processing.
|
||||
If you realize you don't need the synack mode it's highly suggested to restore drop INVALID rule.
|
||||
|
||||
### SYNDATA mode
|
||||
|
||||
Normally SYNs come without data payload. If it's present it's ignored by all major OS if TCP fast open (TFO) is not involved, but may not be ignored by DPI.
|
||||
Original connections with TFO are not touched because otherwise they would be definitely broken.
|
||||
Without extra parameter payload is 16 zero bytes.
|
||||
|
||||
### Virtual Machines
|
||||
### DPI desync combos
|
||||
|
||||
Most of nfqws packet magic does not work from VMs powered by virtualbox and vmware when network is NATed.
|
||||
Hypervisor forcibly changes ttl and does not forward fake packets.
|
||||
Set up bridge networking.
|
||||
`--dpi-desync` takes up to 3 comma separated modes.
|
||||
|
||||
* 0 phase modes work during the connection establishement : `synack`, `syndata` `--wsize`, `--wssize`. [hostlist](((#multiple-strategies))) filters are not applicable.
|
||||
* In the 1st phase fakes are sent before original data : `fake`, `rst`, `rstack`.
|
||||
* In the 2nd phase original data is sent in a modified way (for example `fakedsplit` or `ipfrag2`).
|
||||
|
||||
Modes must be specified in phase ascending order.
|
||||
|
||||
### CONNTRACK
|
||||
|
||||
@@ -535,11 +446,7 @@ If nfqws receives a partial ClientHello it begins reassemble session. Packets ar
|
||||
Then they go through desync using fully reassembled message.
|
||||
On any error reassemble is cancelled and all delayed packets are sent immediately without desync.
|
||||
|
||||
There is special support for all tcp split options for multi segment TLS. Split position is treated
|
||||
as message-oriented, not packet oriented. For example, if your client sends TLS ClientHello with size 2000
|
||||
and SNI is at 1700, desync mode is fake,split2, then fake is sent first, then original first segment
|
||||
and the last splitted segment. 3 segments total.
|
||||
|
||||
There is special support for all tcp split options for multi segment TLS. Split position is treated as message-oriented, not packet oriented. For example, if your client sends TLS ClientHello with size 2000 and SNI is at 1700, desync mode is `fake,multisplit`, then fake is sent first, then original first segment and the last splitted segment. 3 segments total.
|
||||
|
||||
### UDP support
|
||||
|
||||
@@ -619,9 +526,9 @@ nfqws sees packets with internal network source address. If fragmented NAT does
|
||||
This results in attempt to send packets to internet with internal IP address.
|
||||
You need to use nftables instead with hook priority 101 or higher.
|
||||
|
||||
### multiple strategies
|
||||
### Multiple strategies
|
||||
|
||||
`nfqws` can apply different strategies to different requests. It's done with multiple desync profiles.
|
||||
**nfqws** can apply different strategies to different requests. It's done with multiple desync profiles.
|
||||
Profiles are delimited by the `--new` parameter. First profile is created automatically and does not require `--new`.
|
||||
Each profile has a filter. By default it's empty and profile matches any packet.
|
||||
Filter can have hard parameters : ip version, ipset and tcp/udp port range.
|
||||
@@ -637,7 +544,7 @@ Otherwise verification goes to the next profile.
|
||||
It's possible that before knowing L7 and hostname connection is served by one profile and after
|
||||
this information is revealed it's switched to another profile.
|
||||
If you use 0-phase desync methods think carefully what can happen during strategy switch.
|
||||
Use `--debug` logging to understand better what `nfqws` does.
|
||||
Use `--debug` logging to understand better what **nfqws** does.
|
||||
|
||||
Profiles are numbered from 1 to N. There's last empty profile in the chain numbered 0.
|
||||
It's used when no filter matched.
|
||||
@@ -649,6 +556,99 @@ This way you may never unblock all resources and only confuse yourself.
|
||||
IMPORTANT : user-mode ipset implementation was not designed as a kernel version replacement. Kernel version is much more effective.
|
||||
It's for the systems that lack ipset support : Windows and Linux without nftables and ipset kernel modules (Android, for example).
|
||||
|
||||
### Virtual machines
|
||||
|
||||
Most of nfqws packet magic does not work from VMs powered by virtualbox and vmware when network is NATed.
|
||||
Hypervisor forcibly changes TTL and does not forward fake packets.
|
||||
Set up bridge networking.
|
||||
|
||||
### IPTABLES for nfqws
|
||||
|
||||
This is the common way to redirect some traffic to nfqws :
|
||||
|
||||
```
|
||||
iptables -t mangle -I POSTROUTING -o <wan_interface> -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
```
|
||||
|
||||
This variant works if DPI is stateful and does not track all packets separately in search for "bad requests". If it's stateless you have to redirect all outgoing plain http packets.
|
||||
|
||||
```
|
||||
iptables -t mangle -I POSTROUTING -o <wan_interface> -p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
iptables -t mangle -I POSTROUTING -o <wan_interface> -p tcp --dport 80 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
```
|
||||
|
||||
mark bit is used to prevent loops. **nfqws** sets this mark in each injected packet.
|
||||
It's also necessary for correct injected packet ordering and for deadlock prevention.
|
||||
|
||||
`autottl` requires incoming `SYN,ACK` packet or first reply packet (it's usually the same).
|
||||
|
||||
`autohostlist` needs incoming `RST` and `http redirect`.
|
||||
|
||||
It's possible to build tcp flags and u32 based filter but connbytes is easier.
|
||||
|
||||
`
|
||||
iptables -t mangle -I PREROUTING -i <wan_interface> -p tcp -m multiport --sports 80,443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:3 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
`
|
||||
|
||||
For QUIC :
|
||||
|
||||
```
|
||||
iptables -t mangle -I POSTROUTING -o <wan_interface> -p udp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
|
||||
```
|
||||
|
||||
6 packets cover possible retransmissions of quic initials and feed `autohostlist` mode.
|
||||
|
||||
### NFTABLES for nfqws
|
||||
|
||||
This is the start configuration :
|
||||
|
||||
```
|
||||
IFACE_WAN=wan
|
||||
|
||||
nft create table inet ztest
|
||||
|
||||
nft add chain inet ztest post "{type filter hook postrouting priority mangle;}"
|
||||
nft add rule inet ztest post oifname $IFACE_WAN meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-6 queue num 200 bypass
|
||||
nft add rule inet ztest post oifname $IFACE_WAN meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-6 queue num 200 bypass
|
||||
|
||||
# auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
|
||||
sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1
|
||||
nft add chain inet ztest pre "{type filter hook prerouting priority filter;}"
|
||||
nft add rule inet ztest pre iifname $IFACE_WAN tcp sport "{80,443}" ct reply packets 1-3 queue num 200 bypass
|
||||
```
|
||||
|
||||
To engage `datanoack` or `ipfrag` for passthrough traffic special POSTNAT configuration is required. Generated packets must be marked as **notrack** in the early stage to avoid being invalidated by linux conntrack.
|
||||
|
||||
```
|
||||
IFACE_WAN=wan
|
||||
|
||||
nft create table inet ztest
|
||||
|
||||
nft add chain inet ztest postnat "{type filter hook postrouting priority srcnat+1;}"
|
||||
nft add rule inet ztest postnat oifname $IFACE_WAN meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-6 queue num 200 bypass
|
||||
nft add rule inet ztest postnat oifname $IFACE_WAN meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-6 queue num 200 bypass
|
||||
|
||||
nft add chain inet ztest predefrag "{type filter hook output priority -401;}"
|
||||
nft add rule inet ztest predefrag "mark & 0x40000000 != 0x00000000 notrack"
|
||||
```
|
||||
|
||||
Delete nftable :
|
||||
|
||||
```
|
||||
nft delete table inet ztest
|
||||
```
|
||||
|
||||
### Flow offloading
|
||||
|
||||
If your device supports flow offloading (hardware acceleration) iptables and nftables may not work. With offloading enabled packets bypass standard netfilter flow. It must be either disabled or selectively controlled.
|
||||
|
||||
Newer linux kernels have software flow offloading (SFO). The story is the same with SFO.
|
||||
|
||||
In `iptables` flow offloading is controlled by openwrt proprietary extension `FLOWOFFLOAD`. Newer `nftables` implement built-in offloading support.
|
||||
|
||||
Flow offloading does not interfere with **tpws** and `OUTPUT` traffic. It only breaks nfqws that fools `FORWARD` traffic.
|
||||
|
||||
|
||||
## tpws
|
||||
|
||||
tpws is transparent proxy.
|
||||
@@ -658,7 +658,8 @@ tpws is transparent proxy.
|
||||
|
||||
--debug=0|1|2|syslog|@<filename> ; 1 and 2 means log to console and set debug level. for other targets use --debug-level.
|
||||
--debug-level=0|1|2 ; specify debug level for syslog and @<filename>
|
||||
--bind-addr=<v4_addr>|<v6_addr>; for v6 link locals append %interface_name : fe80::1%br-lan
|
||||
--dry-run ; verify parameters and exit with code 0 if successful
|
||||
--bind-addr=<v4_addr>|<v6_addr> ; for v6 link locals append %interface_name : fe80::1%br-lan
|
||||
--bind-iface4=<interface_name> ; bind to the first ipv4 addr of interface
|
||||
--bind-iface6=<interface_name> ; bind to the first ipv6 addr of interface
|
||||
--bind-linklocal=no|unwanted|prefer|force
|
||||
@@ -681,6 +682,7 @@ tpws is transparent proxy.
|
||||
--skip-nodelay ; do not set TCP_NODELAY for outgoing connections. incompatible with split.
|
||||
--local-tcp-user-timeout=<seconds> ; set tcp user timeout for local leg (default : 10, 0 = system default)
|
||||
--remote-tcp-user-timeout=<seconds> ; set tcp user timeout for remote leg (default : 20, 0 = system default)
|
||||
--fix-seg=<int> ; recover failed TCP segmentation at the cost of slowdown. wait up to N msec.
|
||||
--no-resolve ; disable socks5 remote dns
|
||||
--resolver-threads=<int> ; number of resolver worker threads
|
||||
--maxconn=<max_connections> ; max number of local legs
|
||||
@@ -688,24 +690,28 @@ tpws is transparent proxy.
|
||||
; its worth to make a reserve with 1.5 multiplier. by default maxfiles is (X*connections)*1.5+16
|
||||
--max-orphan-time=<sec> ; if local leg sends something and closes and remote leg is still connecting then cancel connection attempt after N seconds
|
||||
|
||||
--new ; begin new strategy
|
||||
--new ; begin new strategy (new profile)
|
||||
--skip ; do not use this profile
|
||||
--filter-l3=ipv4|ipv6 ; L3 protocol filter. multiple comma separated values allowed.
|
||||
--filter-tcp=[~]port1[-port2]|* ; TCP port filter. ~ means negation. comma separated list supported.
|
||||
--filter-l7=[http|tls|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.
|
||||
--ipset=<filename> ; ipset include filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
|
||||
--ipset-ip=<ip_list> ; comma separated fixed subnet list
|
||||
--ipset-exclude=<filename> ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
|
||||
--ipset-exclude-ip=<ip_list> ; comma separated fixed subnet list
|
||||
|
||||
--hostlist=<filename> ; only act on hosts in the list (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
|
||||
--hostlist-domains=<domain_list> ; comma separated fixed domain list
|
||||
--hostlist-exclude=<filename> ; do not act on hosts in the list (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
|
||||
--hostlist-exclude-domains=<domain_list> ; comma separated fixed domain list
|
||||
--hostlist-auto=<filename> ; detect DPI blocks and build hostlist automatically
|
||||
--hostlist-auto-fail-threshold=<int> ; how many failed attempts cause hostname to be added to auto hostlist (default : 3)
|
||||
--hostlist-auto-fail-time=<int> ; all failed attemps must be within these seconds (default : 60)
|
||||
--hostlist-auto-debug=<logfile> ; debug auto hostlist positives
|
||||
|
||||
--split-http-req=method|host ; split http request at specified logical position.
|
||||
--split-tls=sni|sniext ; split at specified logical part of TLS ClientHello
|
||||
--split-pos=<numeric_offset> ; split at specified pos. split-http-req takes precedence over split-pos for http reqs.
|
||||
--split-any-protocol ; split not only http and https
|
||||
--split-pos=N|-N|marker+N|marker-N ; comma separated list of split positions
|
||||
; markers: method,host,endhost,sld,endsld,midsld,sniext
|
||||
--split-any-protocol ; split not only http and TLS
|
||||
--disorder[=http|tls] ; when splitting simulate sending second fragment first
|
||||
--oob[=http|tls] ; when splitting send out of band byte. default is HEX 0x00.
|
||||
--oob-data=<char>|0xHEX ; override default 0x00 OOB byte.
|
||||
@@ -719,10 +725,9 @@ tpws is transparent proxy.
|
||||
--methodspace ; add extra space after method
|
||||
--methodeol ; add end-of-line before method
|
||||
--unixeol ; replace 0D0A to 0A
|
||||
--tlsrec=sni|sniext ; make 2 TLS records. split at specified logical part. don't split if SNI is not present.
|
||||
--tlsrec=N|-N|marker+N|marker-N ; make 2 TLS records. split at specified logical part. don't split if SNI is not present.
|
||||
--tlsrec-pos=<pos> ; make 2 TLS records. split at specified pos
|
||||
--mss=<int> ; set client MSS. forces server to split messages but significantly decreases speed !
|
||||
--mss-pf=[~]port1[-port2] ; MSS port filter. ~ means negation
|
||||
--tamper-start=[n]<pos> ; start tampering only from specified outbound stream position. byte pos or block number ('n'). default is 0.
|
||||
--tamper-cutoff=[n]<pos> ; do not tamper anymore after specified outbound stream position. byte pos or block number ('n'). default is unlimited.
|
||||
--daemon ; daemonize
|
||||
@@ -731,13 +736,49 @@ tpws is transparent proxy.
|
||||
--uid=uid[:gid] ; drop root privs
|
||||
```
|
||||
|
||||
The manipulation parameters can be combined in any way.
|
||||
### TCP segmentation in tpws
|
||||
|
||||
`split-http-req` takes precedence over split-pos for http reqs.
|
||||
**tpws** like **nfqws** supports multiple splits. Split [markers](#tcp-segmentation) are specified in `--split-pos` parameter.
|
||||
|
||||
split-pos works by default only on http and TLS ClientHello. use `--split-any-protocol` to act on any packet
|
||||
On the socket level there's no guaranteed way to force OS to send pieces of data in separate packets. OS has a send buffer for each socket. If `TCP_NODELAY` socket option is enabled and send buffer is empty OS will likely send data immediately. If send buffer is not empty OS will coalesce it with new data and send in one packet if possible.
|
||||
|
||||
tpws can bind to multiple interfaces and IP addresses (up to 32).
|
||||
In practice outside of massive transmissions it's usually enough to enable `TCP_NODELAY` and use separate `send()` calls to force custom TCP segmentation. But if there're too many split segments Linux can combined some pieces and break desired behaviour. BSD and Windows are more predictable in this case. That's why it's not recommended to use too many splits. Tests revealed that 8+ can become problematic.
|
||||
|
||||
Since linux kernel 4.6 **tpws** can recognize TCP segmentation failures and warn about them. `--fix-seg` can fix segmentation failures at the cost of some slowdown. It waits for several msec until all previous data is sent. This breaks async processing model and slows down every other connection going through **tpws**. Thus it's not recommended on highly loaded systems. But can be compromise for home systems.
|
||||
|
||||
If you're attempting to split massive transmission with `--split-any-protocol` option it will definitely cause massive segmentation failures. Do not do that without `--tamper-start` and `--tamper-cutoff` limiters.
|
||||
|
||||
**tpws** works on socket level and receives in one shot long requests (TLS with kyber) that should normally require several TCP packets. It tampers entire received block without knowing how much packets it will take. OS will do additional segmenation to meet MTU.
|
||||
|
||||
`--disorder` sends every odd packet with TTL=1. Server receives even packets fastly. Then client OS retransmits odd packets with normal TTL and server receives them. In case of 6 segments server and DPI will see them in this order : `2 4 6 1 3 5`. This way of disorder causes some delays. Default retransmission timeout in Linux is 200 ms.
|
||||
|
||||
`--oob` sends one out-of-band byte in the end of the first split segment.
|
||||
|
||||
`--oob` and `--disorder` can be combined only in Linux. Others OS do not handle this correctly.
|
||||
|
||||
### TLSREC
|
||||
|
||||
`--tlsrec` allow to split TLS ClientHello into 2 TLS records in one TCP segment. It accepts single pos marker.
|
||||
|
||||
`--tlsrec` breaks significant number of sites. Crypto libraries on servers usually accept fine modified ClientHello but middleboxes such as CDNs and ddos guards - not always. Use of `--tlsrec` without filters is discouraged.
|
||||
|
||||
### MSS
|
||||
|
||||
`--mss` sets TCP_MAXSEG socket option. Client sets this value in MSS TCP option in the SYN packet.
|
||||
Server replies with it's own MSS in SYN,ACK packet. Usually servers lower their packet sizes but they still don't fit to supplied MSS. The greater MSS client sets the bigger server's packets will be.
|
||||
If it's enough to split TLS 1.2 ServerHello, it may fool DPI that checks certificate domain name.
|
||||
This scheme may significantly lower speed. Hostlist filter is possible only in socks mode if client uses remote resolving (firefox `network.proxy.socks_remote_dns`).
|
||||
`--mss` is not required for TLS1.3. If TLS1.3 is negotiable then MSS make things only worse. Use only if nothing better is available. Works only in Linux, not BSD or MacOS.
|
||||
|
||||
### Other tamper options
|
||||
|
||||
`--hostpad=<bytes>` adds padding headers before `Host:` with specified number of bytes. If `<bytes>` is too large headers are split by 2K. Padding more that 64K is not supported and not accepted by http servers.
|
||||
|
||||
It's useful against stateful DPI's that reassemble only limited amount of data. Increase padding `<bytes>` until website works. If minimum working `<bytes>` is close to MTU then it's likely DPI is not reassembling packets. Then it's better to use regular split instead of `--hostpad`.
|
||||
|
||||
### Supplementary options
|
||||
|
||||
**tpws** can bind to multiple interfaces and IP addresses (up to 32).
|
||||
|
||||
Port number is always the same.
|
||||
|
||||
@@ -773,44 +814,83 @@ To bind to a specific ip when its interface may not be configured yet do : `--bi
|
||||
|
||||
It's possible to bind to any nonexistent address in transparent mode but in socks mode address must exist.
|
||||
|
||||
In socks proxy mode no additional system privileges are required. Connections to local IPs of the system where tpws runs are prohibited.
|
||||
In socks proxy mode no additional system privileges are required. Connections to local IPs of the system where **tpws** runs are prohibited.
|
||||
tpws supports remote dns resolving (curl : `--socks5-hostname` firefox : `socks_remote_dns=true`) , but does it in blocking mode.
|
||||
|
||||
tpws uses async sockets for all activities. Domain names are resolved in multi threaded pool.
|
||||
**tpws** uses async sockets for all activities. Domain names are resolved in multi threaded pool.
|
||||
Resolving does not freeze other connections. But if there're too many requests resolving delays may increase.
|
||||
Number of resolver threads is choosen automatically proportinally to `--maxconn` and can be overriden using `--resolver-threads`.
|
||||
To disable hostname resolve use `--no-resolve` option.
|
||||
|
||||
`--disorder` is an additional flag to any split option.
|
||||
It tries to simulate `--disorder2` option of `nfqws` using standard socket API without the need of additional privileges.
|
||||
This works fine in Linux and MacOS but unexpectedly in FreeBSD and OpenBSD
|
||||
(system sends second fragment then the whole packet instead of the first fragment).
|
||||
### Multiple strategies
|
||||
|
||||
`--tlsrec` and `--tlsrec-pos` allow to split TLS ClientHello into 2 TLS records in one TCP segment.
|
||||
`--tlsrec=sni` splits between 1st and 2nd chars of the hostname. No split occurs if SNI is not present.
|
||||
`--tlsrec-pos` splits at specified position. If TLS data block size is too small pos=1 is applied.
|
||||
`--tlsrec` can be combined with `--split-pos` and `--disorder`.
|
||||
`--tlsrec` breaks significant number of sites. Crypto libraries on end servers usually accept fine modified ClientHello
|
||||
but middleboxes such as CDNs and ddos guards - not always.
|
||||
Use of `--tlsrec` without filters is discouraged.
|
||||
|
||||
`--mss` sets TCP_MAXSEG socket option. Client sets this value in MSS TCP option in the SYN packet.
|
||||
Server replies with it's own MSS in SYN,ACK packet. Usually servers lower their packet sizes but they still don't
|
||||
fit to supplied MSS. The greater MSS client sets the bigger server's packets will be.
|
||||
If it's enough to split TLS 1.2 ServerHello, it may fool DPI that checks certificate domain name.
|
||||
This scheme may significantly lower speed. Hostlist filter is possible only in socks mode if client uses remote resolving (firefox `network.proxy.socks_remote_dns`).
|
||||
`--mss` is not required for TLS1.3. If TLS1.3 is negotiable then MSS make things only worse.
|
||||
Use only if nothing better is available. Works only in Linux, not BSD or MacOS.
|
||||
|
||||
### multiple strategies
|
||||
|
||||
`tpws` supports multiple strategies as well. They work mostly like with `nfqws` with minimal differences.
|
||||
`filter-udp` is absent because `tpws` does not support udp. 0-phase desync methods (`--mss`) can work with hostlist in socks modes with remote hostname resolve.
|
||||
**tpws** like **nfqws** supports multiple strategies. They work mostly like with **nfqws** with minimal differences.
|
||||
`filter-udp` is absent because **tpws** does not support udp. 0-phase desync methods (`--mss`) can work with hostlist in socks modes with remote hostname resolve.
|
||||
This is the point where you have to plan profiles carefully. If you use `--mss` and hostlist filters, behaviour can be different depending on remote resolve feature enabled or not.
|
||||
Use `--mss` both in hostlist profile and profile without hostlist.
|
||||
Use `curl --socks5` and `curl --socks5-hostname` to issue two kinds of proxy queries.
|
||||
See `--debug` output to test your setup.
|
||||
|
||||
### IPTABLES for tpws
|
||||
|
||||
Use the following rules to redirect TCP connections to 'tpws' :
|
||||
```
|
||||
iptables -t nat -I OUTPUT -o <wan_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988
|
||||
iptables -t nat -I PREROUTING -i <lan_interface> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988
|
||||
```
|
||||
|
||||
First rule redirects outgoing from the same system traffic, second redirects passthrough traffic.
|
||||
|
||||
DNAT to localhost works only in the **OUTPUT** chain and does not work in the **PREROUTING** chain without setting this sysctl :
|
||||
|
||||
`sysctl -w net.ipv4.conf.<lan_interface>.route_localnet=1`
|
||||
|
||||
It's also possible to use `-j REDIRECT --to-port 988` instead of DNAT but in the latter case transparent proxy must listen on all IP addresses or on a LAN interface address. It's not too good to listen on all IP and it's not trivial to get specific IP in a shell script. `route_localnet` has it's own security impact if not protected by additional rules. You open `127.0.0.0/8` subnet to the net.
|
||||
|
||||
This is how to open only single `127.0.0.127` address :
|
||||
```
|
||||
iptables -A INPUT ! -i lo -d 127.0.0.127 -j ACCEPT
|
||||
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
||||
```
|
||||
|
||||
Owner filter is required to avoid redirection loops. **tpws** must be run with `--user tpws` parameter.
|
||||
|
||||
ip6tables work almost the same with minor differences. ipv6 addresses should be enclosed in square brackets :
|
||||
```
|
||||
ip6tables -t nat -I OUTPUT -o <wan_interface> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to [::1]:988
|
||||
```
|
||||
|
||||
There's no `route_localnet` for ipv6. DNAT to localhost (`::1`) is possible only in **OUTPUT** chain. In **PREROUTING** chain DNAT is possible to any global address or link local address of the interface where packet came from.
|
||||
|
||||
### NFTABLES for tpws
|
||||
|
||||
Base nftables scheme :
|
||||
```
|
||||
IFACE_WAN=wan
|
||||
IFACE_LAN=br-lan
|
||||
|
||||
sysctl -w net.ipv4.conf.$IFACE_LAN.route_localnet=1
|
||||
|
||||
nft create table inet ztest
|
||||
|
||||
nft create chain inet ztest localnet_protect
|
||||
nft add rule inet ztest localnet_protect ip daddr 127.0.0.127 return
|
||||
nft add rule inet ztest localnet_protect ip daddr 127.0.0.0/8 drop
|
||||
nft create chain inet ztest input "{type filter hook input priority filter - 1;}"
|
||||
nft add rule inet ztest input iif != "lo" jump localnet_protect
|
||||
|
||||
nft create chain inet ztest dnat_output "{type nat hook output priority dstnat;}"
|
||||
nft add rule inet ztest dnat_output meta skuid != tpws oifname $IFACE_WAN tcp dport { 80, 443 } dnat ip to 127.0.0.127:988
|
||||
nft create chain inet ztest dnat_pre "{type nat hook prerouting priority dstnat;}"
|
||||
nft add rule inet ztest dnat_pre meta iifname $IFACE_LAN tcp dport { 80, 443 } dnat ip to 127.0.0.127:988
|
||||
```
|
||||
|
||||
Delete nftable :
|
||||
```
|
||||
nft delete table inet ztest
|
||||
```
|
||||
|
||||
|
||||
## Ways to get a list of blocked IP
|
||||
|
||||
nftables can't work with ipsets. Native nf sets require lots of RAM to load large ip lists with subnets and intervals.
|
||||
@@ -878,8 +958,8 @@ LISTS_RELOAD=- disables reloading ip list backend.
|
||||
|
||||
## Domain name filtering
|
||||
|
||||
An alternative to ipset is to use tpws or nfqws with a list(s) of domains.
|
||||
Both `tpws` and `nfqws` take any number of include (`--hostlist`) and exclude (`--hostlist-exclude`) domain lists.
|
||||
An alternative to ipset is to use **tpws** or **nfqws** with a list(s) of domains.
|
||||
Both **tpws** and **nfqws** take any number of include (`--hostlist`) and exclude (`--hostlist-exclude`) domain lists.
|
||||
All lists of the same type are combined internally leaving only 2 lists : include and exclude.
|
||||
|
||||
Exclude list is checked first. Fooling is cancelled if domain belongs to exclude list.
|
||||
@@ -896,13 +976,14 @@ and 1 exclude list
|
||||
|
||||
`ipset/zapret-hosts-users-exclude.txt.gz` or `ipset/zapret-hosts-users-exclude.txt`
|
||||
|
||||
If `MODE_FILTER=hostlist` all present lists are passed to `nfqws` or `tpws`.
|
||||
If `MODE_FILTER=hostlist` all present lists are passed to **nfqws** or **tpws**.
|
||||
If all include lists are empty it works like no include lists exist at all.
|
||||
If you need "all except" mode you dont have to delete zapret-hosts-users.txt. Just make it empty.
|
||||
|
||||
Subdomains auto apply. For example, "ru" in the list affects "*.ru" .
|
||||
|
||||
tpws and nfqws automatically reload lists if their modification date is changed.
|
||||
**tpws** and **nfqws** automatically reload lists if their modification time or file size is changed.
|
||||
HUP signal forcibly reloads all lists.
|
||||
|
||||
When filtering by domain name, daemons should run without filtering by ipset.
|
||||
When using large regulator lists estimate the amount of RAM on the router !
|
||||
@@ -918,7 +999,7 @@ In case of nfqws it's required to redirect both incoming and outgoing traffic to
|
||||
It's strongly recommended to use connbytes filter or nfqws will process gigabytes of incoming traffic.
|
||||
For the same reason it's not recommended to use autohostlist mode in BSDs. BSDs do not support connbytes or similar mechanism.
|
||||
|
||||
nfqws и tpws detect the folowing situations :
|
||||
**nfqws** и **tpws** detect the folowing situations :
|
||||
1) [nfqws] Multiple retransmissions of the first request inside a TCP session having host.
|
||||
2) [nfqws,tpws] RST in response to the first request.
|
||||
3) [nfqws,tpws] HTTP redirect in response to the first http request with 2nd level domain diferent from the original.
|
||||
@@ -964,11 +1045,11 @@ On openwrt by default `nftables` is selected on `firewall4` based systems.
|
||||
`FWTYPE=iptables`
|
||||
|
||||
With `nftables` post-NAT scheme is used by default. It allows more DPI attacks on forwarded traffic.
|
||||
It's possible to use `iptables`-like pre-NAT scheme. `nfqws` will see client source IPs and display them in logs.
|
||||
It's possible to use `iptables`-like pre-NAT scheme. **nfqws** will see client source IPs and display them in logs.
|
||||
|
||||
`#POSTNAT=0`
|
||||
|
||||
There'are 3 standard options configured separately and independently : `tpws-socks`, `tpws`, `nfqws`.
|
||||
There'are 3 standard options configured separately and independently : `tpws-socks`, **tpws**, **nfqws**.
|
||||
They can be used alone or combined. Custom scripts in `init.d/{sysv,openwrt,macos}/custom.d` are always applied.
|
||||
|
||||
`tpws-socks` requires daemon parameter configuration but does not require traffic interception.
|
||||
@@ -987,45 +1068,45 @@ Don't use `<HOSTLIST>` in highly specialized profiles. Use your own filter or ho
|
||||
If any other profile adds something this profile accepts the change automatically.
|
||||
|
||||
|
||||
`tpws` socks proxy mode switch
|
||||
**tpws** socks proxy mode switch
|
||||
|
||||
`TPWS_SOCKS_ENABLE=0`
|
||||
|
||||
Listening tcp port for `tpws` proxy mode.
|
||||
Listening tcp port for **tpws** proxy mode.
|
||||
|
||||
`TPPORT_SOCKS=987`
|
||||
|
||||
`tpws` socks mode parameters
|
||||
**tpws** socks mode parameters
|
||||
|
||||
```
|
||||
TPWS_SOCKS_OPT="
|
||||
--filter-tcp=80 --methodeol <HOSTLIST> --new
|
||||
--filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
|
||||
--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>"
|
||||
"
|
||||
```
|
||||
|
||||
`tpws` transparent mode switch
|
||||
**tpws** transparent mode switch
|
||||
|
||||
`TPWS_ENABLE=0`
|
||||
|
||||
`tpws` transparent mode target ports
|
||||
**tpws** transparent mode target ports
|
||||
|
||||
`TPWS_PORTS=80,443`
|
||||
|
||||
`tpws` transparent mode parameters
|
||||
**tpws** transparent mode parameters
|
||||
|
||||
```
|
||||
TPWS_OPT="
|
||||
--filter-tcp=80 --methodeol <HOSTLIST> --new
|
||||
--filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
|
||||
--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>"
|
||||
"
|
||||
```
|
||||
|
||||
`nfqws` enable switch
|
||||
**nfqws** enable switch
|
||||
|
||||
`NFQWS_ENABLE=0`
|
||||
|
||||
`nfqws` port targets for `connbytes`-limited interception. `connbytes` allows to intercept only starting packets from connections.
|
||||
**nfqws** port targets for `connbytes`-limited interception. `connbytes` allows to intercept only starting packets from connections.
|
||||
This is more effective kernel-mode alternative to `nfqws --dpi-desync-cutoff=nX`.
|
||||
|
||||
```
|
||||
@@ -1053,12 +1134,12 @@ It's advised also to remove these ports from `connbytes`-limited interception li
|
||||
#NFQWS_PORTS_UDP_KEEPALIVE=
|
||||
```
|
||||
|
||||
`nfqws` parameters
|
||||
**nfqws** parameters
|
||||
|
||||
```
|
||||
NFQWS_OPT="
|
||||
--filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
|
||||
--filter-tcp=443 --dpi-desync=fake,disorder2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
|
||||
--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
|
||||
--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig <HOSTLIST> --new
|
||||
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO>
|
||||
"
|
||||
```
|
||||
@@ -1276,33 +1357,29 @@ For low storage openwrt see `init.d/openwrt-minimal`.
|
||||
|
||||
### Android
|
||||
|
||||
Its not possible to use nfqws and tpws in transparent proxy mode without root privileges.
|
||||
Without root tpws can run in --socks mode.
|
||||
Its not possible to use **nfqws** and **tpws** in transparent proxy mode without root privileges. Without root **tpws** can run in `--socks` mode.
|
||||
|
||||
Android has NFQUEUE and nfqws should work.
|
||||
Android has NFQUEUE and **nfqws** should work.
|
||||
|
||||
There's no ipset support unless you run custom kernel. In common case task of bringing up ipset
|
||||
on android is ranging from "not easy" to "almost impossible", unless you find working kernel
|
||||
image for your device.
|
||||
There's no `ipset` support unless you run custom kernel. In common case task of bringing up `ipset` on android is ranging from "not easy" to "almost impossible", unless you find working kernel image for your device.
|
||||
|
||||
Android does not use /etc/passwd, `tpws --user` won't work. There's replacement.
|
||||
Use numeric uids in `--uid` option.
|
||||
Its recommended to use gid 3003 (AID_INET), otherwise tpws will not have inet access.
|
||||
Although linux binaries work it's recommended to use Android specific ones. They have no problems with user names, local time, DNS, ...
|
||||
Its recommended to use gid 3003 (AID_INET), otherwise **tpws** will not have inet access.
|
||||
|
||||
Example : `--uid 1:3003`
|
||||
|
||||
In iptables use : `! --uid-owner 1` instead of `! --uid-owner tpws`.
|
||||
|
||||
Nfqws should be executed with `--uid 1`. Otherwise on some devices or firmwares kernel may partially hang. Looks like processes with certain uids can be suspended. With buggy chineese cellular interface driver this can lead to device hang.
|
||||
**nfqws** should be executed with `--uid 1`. Otherwise on some devices or firmwares kernel may partially hang. Looks like processes with certain uids can be suspended. With buggy chineese cellular interface driver this can lead to device hang.
|
||||
|
||||
Write your own shell script with iptables and tpws, run it using your root manager.
|
||||
Write your own shell script with iptables and **tpws**, run it using your root manager.
|
||||
Autorun scripts are here :
|
||||
|
||||
magisk : `/data/adb/service.d`
|
||||
|
||||
supersu : `/system/su.d`
|
||||
|
||||
How to run tpws on root-less android.
|
||||
How to run **tpws** on root-less android.
|
||||
You can't write to `/system`, `/data`, can't run from sd card.
|
||||
Selinux prevents running executables in `/data/local/tmp` from apps.
|
||||
Use adb and adb shell.
|
||||
@@ -1336,7 +1413,7 @@ You will need :
|
||||
* root shell access. true sh shell, not microtik-like console
|
||||
* startup hook
|
||||
* r/w partition to store binaries and startup script with executable permission (+x)
|
||||
* tpws can be run almost anywhere but nfqws require kernel support for NFQUEUE. Its missing in most firmwares.
|
||||
* **tpws** can be run almost anywhere but **nfqws** require kernel support for NFQUEUE. Its missing in most firmwares.
|
||||
* too old 2.6 kernels are unsupported and can cause errors. newer 2.6 kernels are OK.
|
||||
If binaries crash with segfault (rare but happens on some kernels) try to unpack upx like this : upx -d tpws.
|
||||
|
||||
|
1043
docs/readme.md
1043
docs/readme.md
File diff suppressed because it is too large
Load Diff
@@ -101,10 +101,11 @@ There are several options :
|
||||
Replace these 2 files in every location they are present.
|
||||
In `zapret-win-bundle` they are in `zapret-winws` и `blockcheck/zapret/nfq` folders.
|
||||
However this option still requires 10+ year old patch that enables SHA256 signatures.
|
||||
If you're using win bundle you can simply run `win7\install_win7.cmd`
|
||||
|
||||
2. [Hack ESU](https://hackandpwn.com/windows-7-esu-patching)
|
||||
3. [Hack ESU](https://hackandpwn.com/windows-7-esu-patching)
|
||||
|
||||
3. Use `UpdatePack7R2` from simplix : https://blog.simplix.info
|
||||
4. Use `UpdatePack7R2` from simplix : https://blog.simplix.info
|
||||
If you are in Russia or Belarus temporary change region in Control Panel.
|
||||
|
||||
### blockcheck
|
||||
|
@@ -159,6 +159,7 @@ _windivert 2.2.2-A_, который идет в поставке zapret.
|
||||
и заменить эти 2 файла.
|
||||
В [zapret-win-bundle](https://github.com/bol-van/zapret-win-bundle) есть отдельных 2 места, где находится **winws** : [_zapret-winws_](https://github.com/bol-van/zapret-win-bundle/tree/master/zapret-winws) и [_blockcheck/zapret/nfq_](https://github.com/bol-van/zapret-win-bundle/tree/master/blockcheck).
|
||||
Надо менять в обоих местах.
|
||||
Альтернативный вариант при использовании win bundle - запустить `win7\install_win7.cmd`
|
||||
|
||||
> [!NOTE]
|
||||
> Этот вариант проверен и должен работать. Тем не менее патч 10 летней давности, который включает SHA256 сигнатуры, все еще необходим.
|
||||
|
@@ -1,133 +0,0 @@
|
||||
Index: WireGuard-0.0.20190123/src/cookie.c
|
||||
===================================================================
|
||||
--- WireGuard-0.0.20190123.orig/src/cookie.c
|
||||
+++ WireGuard-0.0.20190123/src/cookie.c
|
||||
@@ -193,6 +193,8 @@ void wg_cookie_message_create(struct mes
|
||||
xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN,
|
||||
macs->mac1, COOKIE_LEN, dst->nonce,
|
||||
checker->cookie_encryption_key);
|
||||
+ // MOD : randomize trash
|
||||
+ dst->header.trash = gen_trash();
|
||||
}
|
||||
|
||||
void wg_cookie_message_consume(struct message_handshake_cookie *src,
|
||||
Index: WireGuard-0.0.20190123/src/messages.h
|
||||
===================================================================
|
||||
--- WireGuard-0.0.20190123.orig/src/messages.h
|
||||
+++ WireGuard-0.0.20190123/src/messages.h
|
||||
@@ -53,23 +53,41 @@ enum limits {
|
||||
MAX_QUEUED_PACKETS = 1024 /* TODO: replace this with DQL */
|
||||
};
|
||||
|
||||
+/*
|
||||
enum message_type {
|
||||
- MESSAGE_INVALID = 0,
|
||||
- MESSAGE_HANDSHAKE_INITIATION = 1,
|
||||
- MESSAGE_HANDSHAKE_RESPONSE = 2,
|
||||
- MESSAGE_HANDSHAKE_COOKIE = 3,
|
||||
- MESSAGE_DATA = 4
|
||||
+ MESSAGE_INVALID = 0,
|
||||
+ MESSAGE_HANDSHAKE_INITIATION = 1,
|
||||
+ MESSAGE_HANDSHAKE_RESPONSE = 2,
|
||||
+ MESSAGE_HANDSHAKE_COOKIE = 3,
|
||||
+ MESSAGE_DATA = 4
|
||||
};
|
||||
+*/
|
||||
+
|
||||
+// MOD : message type
|
||||
+enum message_type {
|
||||
+ MESSAGE_INVALID = 0xE319CCD0,
|
||||
+ MESSAGE_HANDSHAKE_INITIATION = 0x48ADE198,
|
||||
+ MESSAGE_HANDSHAKE_RESPONSE = 0xFCA6A8F3,
|
||||
+ MESSAGE_HANDSHAKE_COOKIE = 0x64A3BB18,
|
||||
+ MESSAGE_DATA = 0x391820AA
|
||||
+};
|
||||
+
|
||||
+// MOD : generate fast trash without true RNG
|
||||
+__le32 gen_trash(void);
|
||||
|
||||
struct message_header {
|
||||
- /* The actual layout of this that we want is:
|
||||
- * u8 type
|
||||
- * u8 reserved_zero[3]
|
||||
- *
|
||||
- * But it turns out that by encoding this as little endian,
|
||||
- * we achieve the same thing, and it makes checking faster.
|
||||
- */
|
||||
- __le32 type;
|
||||
+ /* The actual layout of this that we want is:
|
||||
+ * u8 type
|
||||
+ * u8 reserved_zero[3]
|
||||
+ *
|
||||
+ * But it turns out that by encoding this as little endian,
|
||||
+ * we achieve the same thing, and it makes checking faster.
|
||||
+ */
|
||||
+
|
||||
+ // MOD : trash field to change message size and add 4 byte offset to all fields
|
||||
+ __le32 trash;
|
||||
+
|
||||
+ __le32 type;
|
||||
};
|
||||
|
||||
struct message_macs {
|
||||
Index: WireGuard-0.0.20190123/src/noise.c
|
||||
===================================================================
|
||||
--- WireGuard-0.0.20190123.orig/src/noise.c
|
||||
+++ WireGuard-0.0.20190123/src/noise.c
|
||||
@@ -17,6 +17,24 @@
|
||||
#include <linux/highmem.h>
|
||||
#include <crypto/algapi.h>
|
||||
|
||||
+
|
||||
+// MOD : trash generator
|
||||
+__le32 gtrash = 0;
|
||||
+__le32 gen_trash(void)
|
||||
+{
|
||||
+ if (gtrash)
|
||||
+ gtrash = gtrash*1103515243 + 12345;
|
||||
+ else
|
||||
+ // first value is true random
|
||||
+ get_random_bytes_wait(>rash, sizeof(gtrash));
|
||||
+ return gtrash;
|
||||
+}
|
||||
+
|
||||
/* This implements Noise_IKpsk2:
|
||||
*
|
||||
* <- s
|
||||
@@ -515,6 +533,10 @@ wg_noise_handshake_create_initiation(str
|
||||
&handshake->entry);
|
||||
|
||||
handshake->state = HANDSHAKE_CREATED_INITIATION;
|
||||
+
|
||||
+ // MOD : randomize trash
|
||||
+ dst->header.trash = gen_trash();
|
||||
+
|
||||
ret = true;
|
||||
|
||||
out:
|
||||
@@ -655,6 +677,10 @@ bool wg_noise_handshake_create_response(
|
||||
&handshake->entry);
|
||||
|
||||
handshake->state = HANDSHAKE_CREATED_RESPONSE;
|
||||
+
|
||||
+ // MOD : randomize trash
|
||||
+ dst->header.trash = gen_trash();
|
||||
+
|
||||
ret = true;
|
||||
|
||||
out:
|
||||
Index: WireGuard-0.0.20190123/src/send.c
|
||||
===================================================================
|
||||
--- WireGuard-0.0.20190123.orig/src/send.c
|
||||
+++ WireGuard-0.0.20190123/src/send.c
|
||||
@@ -200,6 +200,10 @@ static bool encrypt_packet(struct sk_buf
|
||||
header->header.type = cpu_to_le32(MESSAGE_DATA);
|
||||
header->key_idx = keypair->remote_index;
|
||||
header->counter = cpu_to_le64(PACKET_CB(skb)->nonce);
|
||||
+
|
||||
+ // MOD : randomize trash
|
||||
+ header->header.trash = gen_trash();
|
||||
+
|
||||
pskb_put(skb, trailer, trailer_len);
|
||||
|
||||
/* Now we can encrypt the scattergather segments */
|
@@ -1,250 +0,0 @@
|
||||
!!! Эта инструкция написана еще до включения wireguard в ядро linux.
|
||||
!!! Процесс сборки для in-tree модулей отличается.
|
||||
!!! Цель данного чтива - дать идею для программистов как можно исправить исходники wireguard
|
||||
!!! для преодоления DPI. Автор не преследует цели поддерживать готовые патчи для актуальных версий.
|
||||
!!! Вместо патчинга гораздо проще использовать навесное решение ipobfs.
|
||||
|
||||
Посвящено возможной блокировке в РФ VPN протоколов через DPI.
|
||||
Предпосылками являются последние законодательные акты и во всю сочащиеся "секретные" записки.
|
||||
В РФ разрабатываются и готовятся к применению более продвинутые решения по блокировке трафика.
|
||||
Вполне вероятно будут резать стандартные VPN протоколы. Нам надо быть к этому готовыми.
|
||||
|
||||
Один из возможных и перспективных путей решения данного вопроса - кустомная модификация
|
||||
исходников VPN с целью незначительного изменения протокола, ломающего стандартные модули обнаружения в DPI.
|
||||
Это относительно сложно, доступно только для гиков.
|
||||
Никто не будет разрабатывать специальные модули обнаружения в DPI, если только кто-то не сделает простое и
|
||||
удобное решение для всех, и его станут широко применять. Но это маловероятно, и даже если и так,
|
||||
то всегда можно модифицировать протокол чуток по другому. Делать моды для DPI несравненно дольше
|
||||
и дороже, чем клепать на коленке изменения протокола для wireguard.
|
||||
|
||||
|
||||
ЗАМЕЧЕНИЕ : альтернативой модификации конечного софта для VPN является использование "навесных"
|
||||
обфускаторов. см : https://github.com/bol-van/ipobfs
|
||||
|
||||
|
||||
Рассмотрю что нам надо пропатчить в wireguard. Модифицированный wireguard проверен на виртуалках
|
||||
с десктопным linux, он работает, сообщения в wireshark действительно не вписываются в стандартный
|
||||
протокол и не опознаются.
|
||||
|
||||
Wireguard протокол очень простой. Все сообщения описаны в messages.h
|
||||
Поставим себе целью сделать 2 простые модификации :
|
||||
1) Добавим в начало всех сообщений немного мусора, чтобы изменить размер сообщений и смещения полей
|
||||
2) Изменим коды типов сообщений
|
||||
Этого может быть вполне достаточно для обмана DPI
|
||||
|
||||
--messages.h--------------------------
|
||||
/*
|
||||
enum message_type {
|
||||
MESSAGE_INVALID = 0,
|
||||
MESSAGE_HANDSHAKE_INITIATION = 1,
|
||||
MESSAGE_HANDSHAKE_RESPONSE = 2,
|
||||
MESSAGE_HANDSHAKE_COOKIE = 3,
|
||||
MESSAGE_DATA = 4
|
||||
};
|
||||
*/
|
||||
|
||||
// MOD : message type
|
||||
enum message_type {
|
||||
MESSAGE_INVALID = 0xE319CCD0,
|
||||
MESSAGE_HANDSHAKE_INITIATION = 0x48ADE198,
|
||||
MESSAGE_HANDSHAKE_RESPONSE = 0xFCA6A8F3,
|
||||
MESSAGE_HANDSHAKE_COOKIE = 0x64A3BB18,
|
||||
MESSAGE_DATA = 0x391820AA
|
||||
};
|
||||
|
||||
// MOD : generate fast trash without true RNG
|
||||
__le32 gen_trash(void);
|
||||
|
||||
struct message_header {
|
||||
/* The actual layout of this that we want is:
|
||||
* u8 type
|
||||
* u8 reserved_zero[3]
|
||||
*
|
||||
* But it turns out that by encoding this as little endian,
|
||||
* we achieve the same thing, and it makes checking faster.
|
||||
*/
|
||||
|
||||
// MOD : trash field to change message size and add 4 byte offset to all fields
|
||||
__le32 trash;
|
||||
|
||||
__le32 type;
|
||||
};
|
||||
--------------------------------------
|
||||
|
||||
Напишем функцию для генерации trash. Функция должна быть быстрая, важно не замедлить скорость.
|
||||
Мы не расчитываем, что нас будут специально ловить, иначе бы пришлось делать полноценный обфускатор.
|
||||
Задача лишь сломать стандартный модуль обнаружения протокола wireguard. Потому истинная рандомность
|
||||
trash не важна.
|
||||
Но все же немного "трэша" не повредит. Гонки между тредами так же пофигистичны. Это же трэш.
|
||||
|
||||
--noise.c-----------------------------
|
||||
// MOD : trash generator
|
||||
__le32 gtrash = 0;
|
||||
__le32 gen_trash(void)
|
||||
{
|
||||
if (gtrash)
|
||||
gtrash = gtrash*1103515243 + 12345;
|
||||
else
|
||||
// first value is true random
|
||||
get_random_bytes_wait(>rash, sizeof(gtrash));
|
||||
return gtrash;
|
||||
}
|
||||
--------------------------------------
|
||||
|
||||
Теперь осталось найти все места, где создаются сообщения и внести туда заполнение поля trash.
|
||||
Сообщений всего 4. Их можно найти по присваиванию полю type одного из значений enum message_type.
|
||||
|
||||
2 места в noise.c в функциях wg_noise_handshake_create_initiation и wg_noise_handshake_create_response,
|
||||
1 место в cookie.c в функции wg_cookie_message_create
|
||||
Дописываем в конец инициализации структуры сообщения :
|
||||
|
||||
--------------------------------------
|
||||
// MOD : randomize trash
|
||||
dst->header.trash = gen_trash();
|
||||
--------------------------------------
|
||||
|
||||
и 1 место в send.c в функции encrypt_packet
|
||||
|
||||
--------------------------------------
|
||||
// MOD : randomize trash
|
||||
header->header.trash = gen_trash();
|
||||
--------------------------------------
|
||||
|
||||
|
||||
Вот и весь патчинг. Полный patch (версия wireguard 0.0.20190123) лежит в 010-wg-mod.patch.
|
||||
Патчинг кода - самое простое. Для десктопного linux дальше все просто.
|
||||
Пересобираем через make, устанавливаем через make install, перегружаем
|
||||
модуль wireguard, перезапускаем интерфейсы, и все готово.
|
||||
|
||||
Настоящий геморой начнется когда вы это попытаетесь засунуть на роутер под openwrt.
|
||||
Одна из больших проблем linux - отсутствие совместимости драйверов на уровне бинариков.
|
||||
Поэтому собирать необходимо в точности под вашу версию ядра и в точности под его .config.
|
||||
Вам придется либо полностью самостоятельно собирать всю прошивку, либо найти SDK в точности
|
||||
от вашей версии прошивки для вашей архитектуры и собрать модуль с помощью этого SDK.
|
||||
Последний вариант более легкий.
|
||||
Для сборки вам понадобится система на linux x86_64. Ее можно установить в виртуалке.
|
||||
Теоретически можно пользоваться WSL из win10, но на практике там очень медленное I/O,
|
||||
по крайней мере на старых версиях win10. Безумно медленное. Будете собирать вечность.
|
||||
Может в новых win10 что-то и улучшили, но я бы сразу расчитывал на полноценный linux.
|
||||
|
||||
Находим здесь вашу версию : https://downloads.openwrt.org/
|
||||
Скачиваем файл openwrt-sdk-*.tar.xz или lede-sdk-*.tar.xz
|
||||
Например : https://downloads.openwrt.org/releases/18.06.2/targets/ar71xx/generic/openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64.tar.xz
|
||||
Если ваша версия непонятна или стара, то проще будет найти последнюю прошивку и перешить роутер.
|
||||
Распаковываем SDK. Следующими командами можно собрать оригинальный вариант wireguard :
|
||||
|
||||
# scripts/feeds update -a
|
||||
# scripts/feeds install -a
|
||||
# make defconfig
|
||||
# make -j 4 package/wireguard/compile
|
||||
|
||||
Сборка будет довольно долгой. Ведь придется подтащить ядро, собрать его, собрать зависимости.
|
||||
"-j 4" означает использовать 4 потока. Впишите вместо 4 количество доступных cpu cores.
|
||||
|
||||
Получим следующие файлы :
|
||||
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/bin/targets/ar71xx/generic/packages/kmod-wireguard_4.9.152+0.0.20190123-1_mips_24kc.ipk
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/bin/packages/mips_24kc/base/wireguard-tools_0.0.20190123-1_mips_24kc.ipk
|
||||
|
||||
Но это будет оригинальный wireguard. Нам нужен патченый.
|
||||
Установим quilt и mc для нормального редактора вместо vim :
|
||||
|
||||
# sudo apt-get update
|
||||
# sudo apt-get install quilt mc
|
||||
|
||||
# make package/wireguard/clean
|
||||
# make package/wireguard/prepare V=s QUILT=1
|
||||
|
||||
|
||||
Сорцы приготовлены для сборки в :
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/src
|
||||
|
||||
# cd build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/src
|
||||
# quilt push -a
|
||||
# quilt new 010-wg-mod.patch
|
||||
# export EDITOR=mcedit
|
||||
|
||||
Далее будет открываться редактор mcedit, в который нужно вносить изменения в каждый файл :
|
||||
|
||||
# quilt edit messages.h
|
||||
# quilt edit cookie.c
|
||||
# quilt edit noise.c
|
||||
# quilt edit send.c
|
||||
# quilt diff
|
||||
# quilt refresh
|
||||
|
||||
Получили файл патча в :
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/patches/010-wg-mod.patch
|
||||
|
||||
Выходим в корень SDK.
|
||||
|
||||
# make package/wireguard/compile V=99
|
||||
|
||||
Если не было ошибок, то получили измененные ipk.
|
||||
Патч можно зафиксировать в описании пакета :
|
||||
|
||||
# make package/wireguard/update
|
||||
|
||||
Получим :
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/feeds/base/package/network/services/wireguard/patches/010-wg-mod.patch
|
||||
При последующей очистке и пересборке он будет автоматом применяться.
|
||||
|
||||
|
||||
АЛЬТЕРНАТИВА : можно не возиться с quilt.
|
||||
сделайте
|
||||
# make package/wireguard/clean
|
||||
# make package/wireguard/prepare
|
||||
и напрямую модифицируйте или копируйте файлы в
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/src
|
||||
затем
|
||||
# make package/wireguard/compile
|
||||
|
||||
Если нужно поменять версию wireguard, то идите в
|
||||
openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/feeds/base/package/network/services/wireguard/Makefile
|
||||
поменяйте там версию в PKG_VERSION на последнюю из : https://git.zx2c4.com/WireGuard
|
||||
скачайте tar.xz с этой версией , вычислите его sha256sum, впишите в PKG_HASH
|
||||
|
||||
1 раз где-нибудь пропатчите файлы последней версии wireguard в текстовом редакторе, скопируйте в build_dir,
|
||||
сделайте версию для openwrt. эти же файлы скопируйте на ваш сервер с десктопным linux, сделайте там make / make install
|
||||
|
||||
Но имейте в виду, что build_dir - локация для временных файлов.
|
||||
make clean оттуда все снесет, включая ваши модификации. Модифицированные файлы лучше сохранить отдельно,
|
||||
чтобы потом было легко скопировать обратно.
|
||||
|
||||
Полученные ipk копируем на роутер в /tmp, устанавливаем через
|
||||
# cd /tmp
|
||||
# rm -r /tmp/opkg-lists
|
||||
# opkg install *.ipk
|
||||
Если требует зависимостей, то
|
||||
# opkg update
|
||||
# opkg install .... <зависимости>
|
||||
# rm -r /tmp/opkg-lists
|
||||
# opkg install *.ipk
|
||||
|
||||
В /tmp/opkg-lists opkg хранит кэш списка пакетов. Если попытаться установить файл ipk, и такой же пакет
|
||||
найдется в репозитории, opkg будет устанавливать из репозитория. А нам это не надо.
|
||||
|
||||
# rmmod wireguard
|
||||
# kmodloader
|
||||
# dmesg | tail
|
||||
должны увидеть что-то вроде :
|
||||
[8985.415490] wireguard: WireGuard 0.0.20190123 loaded. See www.wireguard.com for information.
|
||||
[8985.424178] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
|
||||
значит модуль загрузился
|
||||
|
||||
Могут понадобиться ключи opkg --force-reinstall, --force-depends.
|
||||
--force-depends поможет при несоответствии hash версии ядра. То есть версия x.x.x та же самая, но hash конфигурации разный.
|
||||
При несоответствии x.x.x вы что-то делаете не так, работать это не будет.
|
||||
Например : 4.14.56-1-b1186491495127cc6ff81d29c00a91fc, 4.14.56-1-3f8a21a63974cfb7ee67e41f2d4b805d
|
||||
Это свидетельствует о несоответствии .config ядра при сборке прошивки и в SDK.
|
||||
Если несоответствие легкое, то может все прокатить, но при более серьезной разнице в .config модуль может не загрузиться
|
||||
или вызвать стабильные или хаотические падения ядра и перезагрузки (включая вариант беcконечной перезагрузки - bootloop).
|
||||
Так что перед --force-depends убедитесь, что знаете как лечится такая ситуация, и не стоит это делать при отсутствии физического
|
||||
доступа к девайсу.
|
||||
|
||||
Когда поднимите линк, и вдруг ничего не будет работать, то посмотрите в wireshark udp пакеты
|
||||
на порт endpoint. Они не должны начинаться с 0,1,2,3,4. В первых 4 байтах должен быть рандом,
|
||||
в следующих 4 байтах - значения из измененного enum message_type. Если пакет все еще начинается с 0..4,
|
||||
значит модуль wireguard оригинальный, что-то не собралось, не скопировалось, не перезапустилось.
|
||||
В противном случае должен подняться линк, пинги ходить. Значит вы победили, поздравляю.
|
||||
Регулятору будет намного сложнее поймать ваш VPN.
|
@@ -236,7 +236,7 @@ config rule
|
||||
|
||||
--- Подготовка zapret ---
|
||||
|
||||
Выполните install_easy.sh. Он настроит режим обхода DPI. Если обход DPI не нужен - выберите MODE=filter.
|
||||
Выполните install_easy.sh. Он настроит режим обхода DPI. Если обход DPI не нужен - не включайте tpws и nfqws.
|
||||
Так же инсталятор заресолвит домены из ipset/zapret-hosts-user-ipban.txt и внесет крон-джоб для периодического обновления ip.
|
||||
|
||||
Если вы используете в своих правилах ipset zapret, то он ресолвится и обновляется только, если выбран режим фильтрации обхода DPI по ipset.
|
22
init.d/custom.d.examples.linux/10-keenetic-udp-fix
Normal file
22
init.d/custom.d.examples.linux/10-keenetic-udp-fix
Normal file
@@ -0,0 +1,22 @@
|
||||
# This script fixes keenetic issue with nfqws generated udp packets
|
||||
# Keenetic uses proprietary ndmmark and does not masquerade without this mark
|
||||
# If not masqueraded packets go to WAN with LAN IP and get dropped by ISP
|
||||
|
||||
# It's advised to set IFACE_WAN in config
|
||||
|
||||
zapret_custom_firewall()
|
||||
{
|
||||
# $1 - 1 - add, 0 - stop
|
||||
|
||||
local wan wanif rule
|
||||
|
||||
[ "$DISABLE_IPV4" = "1" ] || {
|
||||
# use IFACE_WAN if defined. if not - search for interfaces with default route.
|
||||
wanif=${IFACE_WAN:-$(sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs)}
|
||||
for wan in $wanif; do
|
||||
rule="-o $wan -p udp -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||
ipt_print_op $1 "$rule" "keenetic udp fix"
|
||||
ipt_add_del $1 POSTROUTING -t nat $rule -j MASQUERADE
|
||||
done
|
||||
}
|
||||
}
|
66
init.d/custom.d.examples.linux/20-fw-extra
Normal file
66
init.d/custom.d.examples.linux/20-fw-extra
Normal file
@@ -0,0 +1,66 @@
|
||||
# this custom script runs standard mode with extra firewall rules
|
||||
|
||||
# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
|
||||
# standard and override switches cannot be enabled simultaneously !
|
||||
|
||||
TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
|
||||
NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
|
||||
|
||||
# config: some if these values must be set in config. not setting any of these makes this script meaningless.
|
||||
# pre vars put ipt/nft code to the rule beginning
|
||||
#FW_EXTRA_PRE_TPWS_IPT=
|
||||
#FW_EXTRA_PRE_TPWS_NFT=
|
||||
#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
|
||||
#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
|
||||
# post vars put ipt/nft code to the rule end
|
||||
#FW_EXTRA_POST_TPWS_IPT=
|
||||
#FW_EXTRA_POST_TPWS_NFT=
|
||||
#FW_EXTRA_POST_NFQWS_IPT=
|
||||
#FW_EXTRA_POST_NFQWS_NFT=
|
||||
|
||||
check_std_intersect()
|
||||
{
|
||||
[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
|
||||
echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
|
||||
return 1
|
||||
}
|
||||
[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
|
||||
echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
|
||||
return 1
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
zapret_custom_daemons()
|
||||
{
|
||||
# $1 - 1 - add, 0 - stop
|
||||
|
||||
check_std_intersect || return
|
||||
|
||||
local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
|
||||
standard_mode_daemons "$1"
|
||||
}
|
||||
zapret_custom_firewall()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
check_std_intersect || return
|
||||
|
||||
local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
|
||||
FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
|
||||
zapret_do_firewall_standard_tpws_rules_ipt $1
|
||||
FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
|
||||
zapret_do_firewall_standard_nfqws_rules_ipt $1
|
||||
}
|
||||
zapret_custom_firewall_nft()
|
||||
{
|
||||
# stop logic is not required
|
||||
|
||||
check_std_intersect || return
|
||||
|
||||
local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
|
||||
FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
|
||||
zapret_apply_firewall_standard_tpws_rules_nft
|
||||
FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
|
||||
zapret_apply_firewall_standard_nfqws_rules_nft
|
||||
}
|
@@ -8,9 +8,9 @@ alloc_qnum QNUM_DHT4ALL
|
||||
|
||||
zapret_custom_daemons()
|
||||
{
|
||||
# stop logic is managed by procd
|
||||
# $1 - 1 - add, 0 - stop
|
||||
|
||||
local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
|
||||
local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
|
||||
do_nfqws $1 $DNUM_DHT4ALL "$opt"
|
||||
}
|
||||
zapret_custom_firewall()
|
@@ -14,7 +14,7 @@ zapret_custom_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD"
|
||||
local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_DESYNC_DISCORD"
|
||||
do_nfqws $1 $DNUM_DISCORD "$opt"
|
||||
}
|
||||
|
89
init.d/custom.d.examples.linux/50-tpws-ipset
Normal file
89
init.d/custom.d.examples.linux/50-tpws-ipset
Normal file
@@ -0,0 +1,89 @@
|
||||
# this custom script demonstrates how to launch extra tpws instance limited by ipset
|
||||
|
||||
# can override in config :
|
||||
TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}"
|
||||
TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS}
|
||||
TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}"
|
||||
TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}"
|
||||
|
||||
TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096}
|
||||
TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}"
|
||||
|
||||
alloc_dnum DNUM_TPWS_MY1
|
||||
alloc_tpws_port PORT_TPWS_MY1
|
||||
TPWS_MY1_NAME4=my1tpws4
|
||||
TPWS_MY1_NAME6=my1tpws6
|
||||
|
||||
zapret_custom_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT"
|
||||
do_tpws $1 $DNUM_TPWS_MY1 "$opt"
|
||||
}
|
||||
|
||||
zapret_custom_firewall()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local f4 f6 subnet
|
||||
local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS)
|
||||
local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"
|
||||
|
||||
[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
|
||||
ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null
|
||||
ipset flush $TPWS_MY1_NAME4
|
||||
for subnet in $TPWS_MY1_SUBNETS4; do
|
||||
echo add $TPWS_MY1_NAME4 $subnet
|
||||
done | ipset -! restore
|
||||
}
|
||||
[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
|
||||
ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null
|
||||
ipset flush $TPWS_MY1_NAME6
|
||||
for subnet in $TPWS_MY1_SUBNETS6; do
|
||||
echo add $TPWS_MY1_NAME6 $subnet
|
||||
done | ipset -! restore
|
||||
}
|
||||
|
||||
f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set"
|
||||
f6="$f4 $TPWS_MY1_NAME6 dst"
|
||||
f4="$f4 $TPWS_MY1_NAME4 dst"
|
||||
fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1
|
||||
|
||||
[ "$1" = 1 ] || {
|
||||
ipset destroy $TPWS_MY1_NAME4 2>/dev/null
|
||||
ipset destroy $TPWS_MY1_NAME6 2>/dev/null
|
||||
}
|
||||
}
|
||||
|
||||
zapret_custom_firewall_nft()
|
||||
{
|
||||
local f4 f6 subnet
|
||||
|
||||
[ "$DISABLE_IPV4" != 1 ] && {
|
||||
make_comma_list subnets $TPWS_MY1_SUBNETS4
|
||||
nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
|
||||
nft_flush_set $TPWS_MY1_NAME4
|
||||
nft_add_set_element $TPWS_MY1_NAME4 "$subnets"
|
||||
}
|
||||
[ "$DISABLE_IPV6" != 1 ] && {
|
||||
make_comma_list subnets $TPWS_MY1_SUBNETS6
|
||||
nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
|
||||
nft_flush_set $TPWS_MY1_NAME6
|
||||
nft_add_set_element $TPWS_MY1_NAME6 "$subnets"
|
||||
}
|
||||
|
||||
f4="tcp dport {$TPWS_MY1_PORTS}"
|
||||
f6="$f4 ip6 daddr @$TPWS_MY1_NAME6"
|
||||
f4="$f4 ip daddr @$TPWS_MY1_NAME4"
|
||||
nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1
|
||||
}
|
||||
|
||||
zapret_custom_firewall_nft_flush()
|
||||
{
|
||||
# this function is called after all nft fw rules are deleted
|
||||
# however sets are not deleted. it's desired to clear sets here.
|
||||
|
||||
nft_del_set $TPWS_MY1_NAME4 2>/dev/null
|
||||
nft_del_set $TPWS_MY1_NAME6 2>/dev/null
|
||||
}
|
30
init.d/custom.d.examples.linux/50-wg4all
Normal file
30
init.d/custom.d.examples.linux/50-wg4all
Normal file
@@ -0,0 +1,30 @@
|
||||
# this custom script runs desync to all wireguard handshake initiation packets
|
||||
|
||||
# can override in config :
|
||||
NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}"
|
||||
|
||||
alloc_dnum DNUM_WG4ALL
|
||||
alloc_qnum QNUM_WG4ALL
|
||||
|
||||
zapret_custom_daemons()
|
||||
{
|
||||
# $1 - 1 - add, 0 - stop
|
||||
|
||||
local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
|
||||
do_nfqws $1 $DNUM_WG4ALL "$opt"
|
||||
}
|
||||
# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
|
||||
zapret_custom_firewall()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local f='-p udp -m u32 --u32'
|
||||
fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
|
||||
}
|
||||
zapret_custom_firewall_nft()
|
||||
{
|
||||
# stop logic is not required
|
||||
|
||||
local f="udp length 156 @th,64,32 0x01000000"
|
||||
nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
|
||||
}
|
@@ -1,38 +0,0 @@
|
||||
# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
|
||||
|
||||
# can override in config :
|
||||
NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}"
|
||||
|
||||
alloc_dnum DNUM_DHT4ALL
|
||||
alloc_qnum QNUM_DHT4ALL
|
||||
|
||||
zapret_custom_daemons()
|
||||
{
|
||||
# stop logic is managed by procd
|
||||
|
||||
local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
|
||||
run_daemon $DNUM_DHT4ALL $NFQWS "$opt"
|
||||
}
|
||||
zapret_custom_firewall()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local f uf4 uf6
|
||||
local first_packet_only="$ipt_connbytes 1:1"
|
||||
|
||||
f='-p udp -m length --length 109:407 -m u32 --u32'
|
||||
uf4='0>>22&0x3C@8>>16=0x6431'
|
||||
uf6='48>>16=0x6431'
|
||||
fw_nfqws_post $1 "$f $uf4 $first_packet_only" "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
|
||||
|
||||
}
|
||||
zapret_custom_firewall_nft()
|
||||
{
|
||||
# stop logic is not required
|
||||
|
||||
local f
|
||||
local first_packet_only="$nft_connbytes 1"
|
||||
|
||||
f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
|
||||
nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
|
||||
}
|
File diff suppressed because one or more lines are too long
@@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
|
||||
. "$ZAPRET_BASE/common/ipt.sh"
|
||||
. "$ZAPRET_BASE/common/nft.sh"
|
||||
. "$ZAPRET_BASE/common/linux_fw.sh"
|
||||
. "$ZAPRET_BASE/common/linux_daemons.sh"
|
||||
. "$ZAPRET_BASE/common/list.sh"
|
||||
. "$ZAPRET_BASE/common/custom.sh"
|
||||
CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
|
||||
@@ -24,15 +25,8 @@ CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
|
||||
|
||||
TPWS_LOCALHOST4=127.0.0.127
|
||||
|
||||
# max wait time for the link local ipv6 on the LAN interface
|
||||
LINKLOCAL_WAIT_SEC=5
|
||||
|
||||
IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
|
||||
|
||||
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
||||
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
||||
|
||||
|
||||
# can be multiple ipv6 outgoing interfaces
|
||||
# uplink from isp, tunnelbroker, vpn, ...
|
||||
# want them all. who knows what's the real one that blocks sites
|
||||
|
@@ -81,6 +81,10 @@ run_tpws()
|
||||
}
|
||||
run_daemon $1 "$TPWS" "$OPT $2"
|
||||
}
|
||||
do_tpws()
|
||||
{
|
||||
[ "$1" = 0 ] || { shift; run_tpws "$@"; }
|
||||
}
|
||||
run_tpws_socks()
|
||||
{
|
||||
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
|
||||
@@ -90,13 +94,10 @@ run_tpws_socks()
|
||||
tpws_apply_socks_binds opt
|
||||
run_daemon $1 "$TPWS" "$opt $2"
|
||||
}
|
||||
|
||||
stop_tpws()
|
||||
do_tpws_socks()
|
||||
{
|
||||
stop_daemon $1 "$TPWS"
|
||||
[ "$1" = 0 ] || { shift; run_tpws_socks "$@"; }
|
||||
}
|
||||
|
||||
|
||||
tpws_apply_socks_binds()
|
||||
{
|
||||
local o
|
||||
@@ -113,31 +114,19 @@ tpws_apply_socks_binds()
|
||||
eval $1="\"\$$1 $o\""
|
||||
}
|
||||
|
||||
|
||||
standard_mode_daemons()
|
||||
run_nfqws()
|
||||
{
|
||||
local opt
|
||||
[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && {
|
||||
opt="--port=$TPPORT $TPWS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
run_tpws 1 "$opt"
|
||||
}
|
||||
[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
|
||||
opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
run_tpws_socks 2 "$opt"
|
||||
}
|
||||
[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && {
|
||||
opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
run_daemon 3 "$NFQWS" "$opt"
|
||||
}
|
||||
run_daemon $1 "$NFQWS" "$NFQWS_OPT_BASE $2"
|
||||
}
|
||||
do_nfqws()
|
||||
{
|
||||
[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
|
||||
}
|
||||
|
||||
start_daemons_procd()
|
||||
{
|
||||
standard_mode_daemons
|
||||
custom_runner zapret_custom_daemons
|
||||
standard_mode_daemons 1
|
||||
custom_runner zapret_custom_daemons 1
|
||||
|
||||
return 0
|
||||
}
|
||||
|
@@ -21,4 +21,4 @@ pfctl -d ; pfctl -e
|
||||
ipfw delete 100
|
||||
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
|
||||
pkill ^dvtws$
|
||||
dvtws --daemon --port 989 --dpi-desync=split2
|
||||
dvtws --daemon --port 989 --dpi-desync=multisplit
|
||||
|
@@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
|
||||
. "$ZAPRET_BASE/common/ipt.sh"
|
||||
. "$ZAPRET_BASE/common/nft.sh"
|
||||
. "$ZAPRET_BASE/common/linux_fw.sh"
|
||||
. "$ZAPRET_BASE/common/linux_daemons.sh"
|
||||
. "$ZAPRET_BASE/common/list.sh"
|
||||
. "$ZAPRET_BASE/common/custom.sh"
|
||||
CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
|
||||
@@ -89,20 +90,13 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
|
||||
# first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
|
||||
TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
|
||||
|
||||
# max wait time for the link local ipv6 on the LAN interface
|
||||
LINKLOCAL_WAIT_SEC=5
|
||||
|
||||
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
||||
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
||||
|
||||
|
||||
dnat6_target()
|
||||
{
|
||||
_dnat6_target "$@"
|
||||
}
|
||||
set_route_localnet()
|
||||
{
|
||||
_set_route_localnet $1 "$IFACE_LAN"
|
||||
_set_route_localnet $1 $IFACE_LAN
|
||||
}
|
||||
|
||||
fw_nfqws_post4()
|
||||
@@ -167,15 +161,18 @@ run_daemon()
|
||||
# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
|
||||
|
||||
local DAEMONBASE="$(basename "$2")"
|
||||
local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
|
||||
local PID= PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
|
||||
echo "Starting daemon $1: $2 $3"
|
||||
if exists start-stop-daemon ; then
|
||||
start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3
|
||||
else
|
||||
if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then
|
||||
|
||||
[ -f "$PIDFILE" ] && {
|
||||
read PID <"$PIDFILE"
|
||||
[ -d "/proc/$PID" ] || PID=
|
||||
}
|
||||
|
||||
if [ -n "$PID" ]; then
|
||||
echo already running
|
||||
else
|
||||
"$2" $3 >/dev/null 2>/dev/null &
|
||||
"$2" $3 >/dev/null &
|
||||
PID=$!
|
||||
if [ -n "$PID" ]; then
|
||||
echo $PID >$PIDFILE
|
||||
@@ -184,7 +181,6 @@ run_daemon()
|
||||
false
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
stop_daemon()
|
||||
{
|
||||
@@ -192,11 +188,8 @@ stop_daemon()
|
||||
# $2 - daemon
|
||||
# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
|
||||
local DAEMONBASE="$(basename "$2")"
|
||||
local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
|
||||
local PID PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
|
||||
echo "Stopping daemon $1: $2"
|
||||
if exists start-stop-daemon ; then
|
||||
start-stop-daemon -K -p "$PIDFILE" -x "$2"
|
||||
else
|
||||
if [ -f "$PIDFILE" ]; then
|
||||
read PID <"$PIDFILE"
|
||||
kill $PID
|
||||
@@ -204,7 +197,6 @@ stop_daemon()
|
||||
else
|
||||
echo no pidfile : $PIDFILE
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_daemon()
|
||||
{
|
||||
@@ -277,45 +269,3 @@ create_ipset()
|
||||
echo "Creating ip list table (firewall type $FWTYPE)"
|
||||
"$IPSET_CR" "$@"
|
||||
}
|
||||
|
||||
|
||||
standard_mode_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local opt
|
||||
|
||||
[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
|
||||
opt="--port=$TPPORT $TPWS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
do_tpws $1 1 "$opt"
|
||||
}
|
||||
[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
|
||||
opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
do_tpws_socks $1 2 "$opt"
|
||||
}
|
||||
[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
|
||||
opt="--qnum=$QNUM $NFQWS_OPT"
|
||||
filter_apply_hostlist_target opt
|
||||
do_nfqws $1 3 "$opt"
|
||||
}
|
||||
}
|
||||
|
||||
zapret_do_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
standard_mode_daemons $1
|
||||
custom_runner zapret_custom_daemons $1
|
||||
|
||||
return 0
|
||||
}
|
||||
zapret_run_daemons()
|
||||
{
|
||||
zapret_do_daemons 1 "$@"
|
||||
}
|
||||
zapret_stop_daemons()
|
||||
{
|
||||
zapret_do_daemons 0 "$@"
|
||||
}
|
||||
|
@@ -74,8 +74,7 @@ case "$1" in
|
||||
;;
|
||||
|
||||
*)
|
||||
N=/etc/init.d/$NAME
|
||||
echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
|
||||
echo "Usage: $SCRIPT {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
@@ -25,7 +25,11 @@ check_dir()
|
||||
# find does not use its own shell exec
|
||||
# it uses execvp(). in musl libc it does not call shell, in glibc it DOES call /bin/sh
|
||||
# that's why prefer bash or zsh if present. otherwise it's our last chance
|
||||
out=$(echo 0.0.0.0 | find "$dir" -maxdepth 1 -name ip2net -exec {} \; 2>/dev/null)
|
||||
local FIND=find
|
||||
if ! exists find && exists busybox; then
|
||||
FIND="busybox find"
|
||||
fi
|
||||
out=$(echo 0.0.0.0 | $FIND "$dir" -maxdepth 1 -name ip2net -exec {} \; 2>/dev/null)
|
||||
fi
|
||||
[ -n "$out" ]
|
||||
else
|
||||
@@ -52,7 +56,7 @@ UNAME=$(uname)
|
||||
unset PKTWS
|
||||
case $UNAME in
|
||||
Linux)
|
||||
ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
|
||||
ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb lexra ppc"
|
||||
PKTWS=nfqws
|
||||
;;
|
||||
Darwin)
|
||||
@@ -64,7 +68,7 @@ case $UNAME in
|
||||
;;
|
||||
CYGWIN*)
|
||||
UNAME=CYGWIN
|
||||
ARCHLIST="win64"
|
||||
ARCHLIST="win64 win32"
|
||||
PKTWS=winws
|
||||
;;
|
||||
*)
|
||||
|
@@ -26,6 +26,7 @@ IPSET_DIR="$ZAPRET_BASE/ipset"
|
||||
. "$ZAPRET_BASE/common/ipt.sh"
|
||||
. "$ZAPRET_BASE/common/installer.sh"
|
||||
. "$ZAPRET_BASE/common/virt.sh"
|
||||
. "$ZAPRET_BASE/common/list.sh"
|
||||
|
||||
GET_LIST="$IPSET_DIR/get_config.sh"
|
||||
|
||||
@@ -69,7 +70,7 @@ check_bins()
|
||||
elif [ -f "$EXEDIR/Makefile" ] && exists make; then
|
||||
echo trying to compile
|
||||
[ "$SYSTEM" = "macos" ] && make_target=mac
|
||||
make -C "$EXEDIR" $make_target || {
|
||||
CFLAGS="-march=native ${CFLAGS}" make -C "$EXEDIR" $make_target || {
|
||||
echo could not compile
|
||||
make -C "$EXEDIR" clean
|
||||
exitp 8
|
||||
@@ -115,6 +116,30 @@ ws_opt_validate()
|
||||
}
|
||||
return 0
|
||||
}
|
||||
tpws_opt_validate()
|
||||
{
|
||||
ws_opt_validate "$1" || return 1
|
||||
dry_run_tpws || {
|
||||
echo invalid tpws options
|
||||
return 1
|
||||
}
|
||||
}
|
||||
tpws_socks_opt_validate()
|
||||
{
|
||||
# --ipset allowed here
|
||||
dry_run_tpws_socks || {
|
||||
echo invalid tpws options
|
||||
return 1
|
||||
}
|
||||
}
|
||||
nfqws_opt_validate()
|
||||
{
|
||||
ws_opt_validate "$1" || return 1
|
||||
dry_run_nfqws || {
|
||||
echo invalid nfqws options
|
||||
return 1
|
||||
}
|
||||
}
|
||||
|
||||
select_mode_group()
|
||||
{
|
||||
@@ -162,18 +187,17 @@ select_mode_group()
|
||||
select_mode_tpws_socks()
|
||||
{
|
||||
local EDITVAR_NEWLINE_DELIMETER="--new" EDITVAR_NEWLINE_VARS="TPWS_SOCKS_OPT"
|
||||
# --ipset allowed here
|
||||
select_mode_group TPWS_SOCKS_ENABLE "enable tpws socks mode on port $TPPORT_SOCKS ?" "TPPORT_SOCKS TPWS_SOCKS_OPT"
|
||||
select_mode_group TPWS_SOCKS_ENABLE "enable tpws socks mode on port $TPPORT_SOCKS ?" "TPPORT_SOCKS TPWS_SOCKS_OPT" tpws_socks_opt_validate TPWS_SOCKS_OPT
|
||||
}
|
||||
select_mode_tpws()
|
||||
{
|
||||
local EDITVAR_NEWLINE_DELIMETER="--new" EDITVAR_NEWLINE_VARS="TPWS_OPT"
|
||||
select_mode_group TPWS_ENABLE "enable tpws transparent mode ?" "TPWS_PORTS TPWS_OPT" ws_opt_validate TPWS_OPT
|
||||
select_mode_group TPWS_ENABLE "enable tpws transparent mode ?" "TPWS_PORTS TPWS_OPT" tpws_opt_validate TPWS_OPT
|
||||
}
|
||||
select_mode_nfqws()
|
||||
{
|
||||
local EDITVAR_NEWLINE_DELIMETER="--new" EDITVAR_NEWLINE_VARS="NFQWS_OPT"
|
||||
select_mode_group NFQWS_ENABLE "enable nfqws ?" "NFQWS_PORTS_TCP NFQWS_PORTS_UDP NFQWS_TCP_PKT_OUT NFQWS_TCP_PKT_IN NFQWS_UDP_PKT_OUT NFQWS_UDP_PKT_IN NFQWS_PORTS_TCP_KEEPALIVE NFQWS_PORTS_UDP_KEEPALIVE NFQWS_OPT" ws_opt_validate NFQWS_OPT
|
||||
select_mode_group NFQWS_ENABLE "enable nfqws ?" "NFQWS_PORTS_TCP NFQWS_PORTS_UDP NFQWS_TCP_PKT_OUT NFQWS_TCP_PKT_IN NFQWS_UDP_PKT_OUT NFQWS_UDP_PKT_IN NFQWS_PORTS_TCP_KEEPALIVE NFQWS_PORTS_UDP_KEEPALIVE NFQWS_OPT" nfqws_opt_validate NFQWS_OPT
|
||||
}
|
||||
|
||||
select_mode_mode()
|
||||
@@ -370,7 +394,7 @@ copy_openwrt()
|
||||
mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files"
|
||||
cp -R "$1/files/fake" "$2/files"
|
||||
cp -R "$1/common" "$1/ipset" "$2"
|
||||
cp -R "$1/init.d/openwrt" "$2/init.d"
|
||||
cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d"
|
||||
cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck.sh" "$2"
|
||||
cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
|
||||
}
|
||||
@@ -549,7 +573,7 @@ service_install_systemd()
|
||||
|
||||
if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
|
||||
rm -f "$INIT_SCRIPT"
|
||||
ln -fs "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
|
||||
cp -f "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
|
||||
"$SYSTEMCTL" daemon-reload
|
||||
"$SYSTEMCTL" enable zapret || {
|
||||
echo could not enable systemd service
|
||||
@@ -567,8 +591,8 @@ timer_install_systemd()
|
||||
if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
|
||||
"$SYSTEMCTL" disable zapret-list-update.timer
|
||||
"$SYSTEMCTL" stop zapret-list-update.timer
|
||||
ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
|
||||
ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.timer" "$SYSTEMD_SYSTEM_DIR"
|
||||
cp -f "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
|
||||
cp -f "$EXEDIR/init.d/systemd/zapret-list-update.timer" "$SYSTEMD_SYSTEM_DIR"
|
||||
"$SYSTEMCTL" daemon-reload
|
||||
"$SYSTEMCTL" enable zapret-list-update.timer || {
|
||||
echo could not enable zapret-list-update.timer
|
||||
@@ -748,7 +772,6 @@ deoffload_openwrt_firewall()
|
||||
else
|
||||
echo system wide software flow offloading disabled. ok
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
@@ -1,5 +1,5 @@
|
||||
CC ?= gcc
|
||||
CFLAGS += -std=gnu99 -O3
|
||||
CFLAGS += -std=gnu99 -Os -flto=auto
|
||||
CFLAGS_BSD = -Wno-address-of-packed-member
|
||||
CFLAGS_WIN = -static
|
||||
LIBS =
|
||||
@@ -9,20 +9,22 @@ SRC_FILES = ip2net.c qsort.c
|
||||
all: ip2net
|
||||
|
||||
ip2net: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
|
||||
$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
|
||||
|
||||
android: ip2net
|
||||
|
||||
bsd: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
|
||||
|
||||
mac: $(SRC_FILES)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS) $(LDFLAGS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS) $(LDFLAGS)
|
||||
strip ip2neta ip2netx
|
||||
lipo -create -output ip2net ip2netx ip2neta
|
||||
rm -f ip2netx ip2neta
|
||||
|
||||
win: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)
|
||||
|
||||
clean:
|
||||
rm -f ip2net *.o
|
||||
|
@@ -192,7 +192,7 @@ static void ip6_and(const struct in6_addr * restrict a, const struct in6_addr *
|
||||
static void rtrim(char *s)
|
||||
{
|
||||
if (s)
|
||||
for (char *p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r'); p--) *p = '\0';
|
||||
for (char *p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t'); p--) *p = '\0';
|
||||
}
|
||||
|
||||
|
||||
@@ -217,6 +217,14 @@ static void exithelp(void)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#define STRINGIFY(x) #x
|
||||
#define TOSTRING(x) STRINGIFY(x)
|
||||
#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
|
||||
#define PRINT_VER printf("github version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
|
||||
#else
|
||||
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
|
||||
#endif
|
||||
|
||||
static void parse_params(int argc, char *argv[])
|
||||
{
|
||||
int option_index = 0;
|
||||
@@ -245,6 +253,7 @@ static void parse_params(int argc, char *argv[])
|
||||
{
|
||||
case 0:
|
||||
case 1:
|
||||
PRINT_VER;
|
||||
exithelp();
|
||||
break;
|
||||
case 2:
|
||||
|
@@ -7,7 +7,7 @@ get_antifilter()
|
||||
[ "$DISABLE_IPV4" != "1" ] && {
|
||||
curl --fail --max-time 150 --connect-timeout 20 --max-filesize 41943040 -k -L "$1" | cut_local >"$ZIPLISTTMP" &&
|
||||
{
|
||||
dlsize=$(LANG=C wc -c "$ZIPLISTTMP" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$ZIPLISTTMP" | xargs | cut -f 1 -d ' ')
|
||||
if [ $dlsize -lt 102400 ]; then
|
||||
echo list file is too small. can be bad.
|
||||
exit 2
|
||||
|
26
ipset/def.sh
26
ipset/def.sh
@@ -5,7 +5,7 @@ ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
|
||||
ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
|
||||
IPSET_RW_DIR="$ZAPRET_RW/ipset"
|
||||
|
||||
. "$ZAPRET_CONFIG"
|
||||
[ -f "$ZAPRET_CONFIG" ] && . "$ZAPRET_CONFIG"
|
||||
. "$ZAPRET_BASE/common/base.sh"
|
||||
|
||||
[ -z "$TMPDIR" ] && TMPDIR=/tmp
|
||||
@@ -141,6 +141,18 @@ zzsize()
|
||||
printf 0
|
||||
fi
|
||||
}
|
||||
zzcopy()
|
||||
{
|
||||
local is_gz=0
|
||||
zztest "$1" && is_gz=1
|
||||
if [ "$GZIP_LISTS" = 1 -a $is_gz = 1 ]; then
|
||||
cp "$1" "${2}.gz"
|
||||
elif [ "$GZIP_LISTS" != 1 -a $is_gz != 1 ]; then
|
||||
cp "$1" "$2"
|
||||
else
|
||||
zzcat "$1" | zz "$2"
|
||||
fi
|
||||
}
|
||||
|
||||
digger()
|
||||
{
|
||||
@@ -255,3 +267,15 @@ getipban()
|
||||
_get_ipban
|
||||
return 0
|
||||
}
|
||||
|
||||
hup_zapret_daemons()
|
||||
{
|
||||
echo forcing zapret daemons to reload their hostlist
|
||||
if exists killall; then
|
||||
killall -HUP tpws nfqws dvtws 2>/dev/null
|
||||
elif exists pkill; then
|
||||
pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
|
||||
else
|
||||
echo no mass killer available ! cant HUP zapret daemons
|
||||
fi
|
||||
}
|
||||
|
@@ -21,7 +21,7 @@ curl -H "Accept-Encoding: gzip" -k --fail --max-time 600 --connect-timeout 5 --r
|
||||
exit 2
|
||||
}
|
||||
|
||||
dlsize=$(LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt 102400; then
|
||||
echo list file is too small. can be bad.
|
||||
exit 2
|
||||
@@ -31,4 +31,6 @@ sort -u "$ZDOM" | zz "$ZHOSTLIST"
|
||||
|
||||
rm -f "$ZDOM"
|
||||
|
||||
hup_zapret_daemons
|
||||
|
||||
exit 0
|
||||
|
@@ -4,7 +4,7 @@
|
||||
IPSET_DIR="$(dirname "$0")"
|
||||
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
|
||||
|
||||
. "$IPSET_DIR/../config"
|
||||
[ -f "$IPSET_DIR/../config" ] && . "$IPSET_DIR/../config"
|
||||
|
||||
[ -z "$GETLIST" ] && GETLIST=get_ipban.sh
|
||||
[ -x "$IPSET_DIR/$GETLIST" ] && exec "$IPSET_DIR/$GETLIST"
|
||||
|
@@ -5,9 +5,9 @@ IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
|
||||
|
||||
. "$IPSET_DIR/def.sh"
|
||||
|
||||
ZREESTR="$TMPDIR/zapret.txt"
|
||||
ZREESTR="$TMPDIR/zapret.txt.gz"
|
||||
IPB="$TMPDIR/ipb.txt"
|
||||
ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
|
||||
ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
|
||||
|
||||
dl_checked()
|
||||
{
|
||||
@@ -21,7 +21,7 @@ dl_checked()
|
||||
echo list download failed : $1
|
||||
return 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
return 2
|
||||
@@ -31,11 +31,11 @@ dl_checked()
|
||||
|
||||
reestr_list()
|
||||
{
|
||||
LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
|
||||
LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
|
||||
}
|
||||
reestr_extract_ip()
|
||||
{
|
||||
LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
|
||||
LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
|
||||
}
|
||||
|
||||
ipban_fin()
|
||||
@@ -58,6 +58,8 @@ rm -f "$ZREESTR"
|
||||
[ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
|
||||
rm -f "$IPB"
|
||||
|
||||
hup_zapret_daemons
|
||||
|
||||
ipban_fin
|
||||
|
||||
exit 0
|
||||
|
@@ -24,12 +24,12 @@ dl()
|
||||
echo list download failed : $1
|
||||
exit 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
exit 2
|
||||
fi
|
||||
zzcat "$TMPLIST" | zz "$2"
|
||||
zzcopy "$TMPLIST" "$2"
|
||||
rm -f "$TMPLIST"
|
||||
}
|
||||
|
||||
|
@@ -24,12 +24,12 @@ dl()
|
||||
echo list download failed : $1
|
||||
exit 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
exit 2
|
||||
fi
|
||||
zzcat "$TMPLIST" | zz "$2"
|
||||
zzcopy "$TMPLIST" "$2"
|
||||
rm -f "$TMPLIST"
|
||||
}
|
||||
|
||||
|
@@ -23,17 +23,19 @@ dl()
|
||||
echo list download failed : $1
|
||||
exit 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
exit 2
|
||||
fi
|
||||
zzcat "$TMPLIST" | zz "$2"
|
||||
zzcopy "$TMPLIST" "$2"
|
||||
rm -f "$TMPLIST"
|
||||
}
|
||||
|
||||
dl "$URL" "$ZHOSTLIST" 65536 67108864
|
||||
|
||||
hup_zapret_daemons
|
||||
|
||||
[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
|
||||
[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
|
||||
|
||||
|
@@ -5,12 +5,12 @@ IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
|
||||
|
||||
. "$IPSET_DIR/def.sh"
|
||||
|
||||
ZREESTR="$TMPDIR/zapret.txt"
|
||||
ZREESTR="$TMPDIR/zapret.txt.gz"
|
||||
ZDIG="$TMPDIR/zapret-dig.txt"
|
||||
IPB="$TMPDIR/ipb.txt"
|
||||
ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
|
||||
#ZURL=https://reestr.rublacklist.net/api/current
|
||||
ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
|
||||
ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
|
||||
|
||||
dl_checked()
|
||||
{
|
||||
@@ -24,7 +24,7 @@ dl_checked()
|
||||
echo list download failed : $1
|
||||
return 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
return 2
|
||||
@@ -34,11 +34,11 @@ dl_checked()
|
||||
|
||||
reestr_list()
|
||||
{
|
||||
LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
|
||||
LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
|
||||
}
|
||||
reestr_extract_ip()
|
||||
{
|
||||
LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
|
||||
LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
|
||||
}
|
||||
|
||||
getuser && {
|
||||
|
@@ -20,12 +20,12 @@ dl()
|
||||
echo list download failed : $1
|
||||
exit 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
exit 2
|
||||
fi
|
||||
zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
|
||||
zzcopy "$TMPLIST" "$2"
|
||||
rm -f "$TMPLIST"
|
||||
}
|
||||
|
||||
@@ -37,4 +37,6 @@ getipban || FAIL=1
|
||||
|
||||
dl "$URL" "$ZHOSTLIST" 32768 4194304
|
||||
|
||||
hup_zapret_daemons
|
||||
|
||||
exit 0
|
||||
|
@@ -20,13 +20,12 @@ dl()
|
||||
echo list download failed : $1
|
||||
exit 2
|
||||
}
|
||||
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
|
||||
if test $dlsize -lt $3; then
|
||||
echo list is too small : $dlsize bytes. can be bad.
|
||||
exit 2
|
||||
fi
|
||||
# remove DOS EOL \r
|
||||
zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
|
||||
zzcopy "$TMPLIST" "$2"
|
||||
rm -f "$TMPLIST"
|
||||
}
|
||||
|
||||
|
@@ -1,28 +1,32 @@
|
||||
CC ?= gcc
|
||||
CFLAGS += -std=gnu99 -O3
|
||||
CFLAGS += -std=gnu99 -Os
|
||||
CFLAGS_BSD = -Wno-address-of-packed-member
|
||||
CFLAGS_WIN = -static
|
||||
LIBS = -lpthread
|
||||
LIBS_ANDROID =
|
||||
LIBS_WIN = -lws2_32
|
||||
SRC_FILES = *.c
|
||||
|
||||
all: mdig
|
||||
|
||||
mdig: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
|
||||
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
|
||||
|
||||
android: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)
|
||||
|
||||
bsd: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
|
||||
|
||||
mac: $(SRC_FILES)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
|
||||
strip mdiga mdigx
|
||||
lipo -create -output mdig mdigx mdiga
|
||||
rm -f mdigx mdiga
|
||||
|
||||
win: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)
|
||||
|
||||
clean:
|
||||
rm -f mdig *.o
|
||||
|
23
mdig/mdig.c
23
mdig/mdig.c
@@ -12,7 +12,6 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdbool.h>
|
||||
#include <unistd.h>
|
||||
#include <pthread.h>
|
||||
#include <getopt.h>
|
||||
#ifdef _WIN32
|
||||
@@ -21,7 +20,9 @@
|
||||
#include <winsock2.h>
|
||||
#include <ws2ipdef.h>
|
||||
#include <ws2tcpip.h>
|
||||
#include <fcntl.h>
|
||||
#else
|
||||
#include <unistd.h>
|
||||
#include <sys/socket.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in.h>
|
||||
@@ -34,7 +35,7 @@
|
||||
static void trimstr(char *s)
|
||||
{
|
||||
char *p;
|
||||
for (p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r'); p--) *p = '\0';
|
||||
for (p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t'); p--) *p = '\0';
|
||||
}
|
||||
|
||||
static const char* eai_str(int r)
|
||||
@@ -364,6 +365,9 @@ int dns_make_query(const char *dom, char family)
|
||||
fprintf(stderr, "could not make DNS query\n");
|
||||
return 1;
|
||||
}
|
||||
#ifdef _WIN32
|
||||
_setmode(_fileno(stdout), _O_BINARY);
|
||||
#endif
|
||||
if (fwrite(q,l,1,stdout)!=1)
|
||||
{
|
||||
fprintf(stderr, "could not write DNS query blob to stdout\n");
|
||||
@@ -420,8 +424,11 @@ bool dns_parse_print(const uint8_t *a, size_t len)
|
||||
}
|
||||
int dns_parse_query()
|
||||
{
|
||||
uint8_t a[1500];
|
||||
uint8_t a[8192];
|
||||
size_t l;
|
||||
#ifdef _WIN32
|
||||
_setmode(_fileno(stdin), _O_BINARY);
|
||||
#endif
|
||||
l = fread(a,1,sizeof(a),stdin);
|
||||
if (!l || !feof(stdin))
|
||||
{
|
||||
@@ -451,6 +458,15 @@ static void exithelp(void)
|
||||
);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#define STRINGIFY(x) #x
|
||||
#define TOSTRING(x) STRINGIFY(x)
|
||||
#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
|
||||
#define PRINT_VER printf("github version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
|
||||
#else
|
||||
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
|
||||
#endif
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int r, v, option_index = 0;
|
||||
@@ -480,6 +496,7 @@ int main(int argc, char **argv)
|
||||
switch (option_index)
|
||||
{
|
||||
case 0: /* help */
|
||||
PRINT_VER;
|
||||
exithelp();
|
||||
break;
|
||||
case 1: /* threads */
|
||||
|
@@ -1,12 +1,12 @@
|
||||
CC ?= cc
|
||||
CFLAGS += -std=gnu99 -s -O3 -Wno-address-of-packed-member
|
||||
CFLAGS += -std=gnu99 -s -Os -Wno-address-of-packed-member -flto=auto
|
||||
LIBS = -lz
|
||||
SRC_FILES = *.c crypto/*.c
|
||||
|
||||
all: dvtws
|
||||
|
||||
dvtws: $(SRC_FILES)
|
||||
$(CC) $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
|
||||
$(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LIBS) $(LDFLAGS)
|
||||
|
||||
clean:
|
||||
rm -f dvtws
|
||||
|
19
nfq/Makefile
19
nfq/Makefile
@@ -1,11 +1,10 @@
|
||||
CC ?= gcc
|
||||
CFLAGS += -std=gnu99 -O3
|
||||
CFLAGS += -std=gnu99 -Os -flto=auto
|
||||
CFLAGS_BSD = -Wno-address-of-packed-member
|
||||
CFLAGS_MAC = -mmacosx-version-min=10.8
|
||||
CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
|
||||
LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
|
||||
LIBS_BSD = -lz
|
||||
LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32 -luuid
|
||||
LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
|
||||
LIBS_CYGWIN32 = -lwindivert32
|
||||
LIBS_CYGWIN64 = -lwindivert64
|
||||
RES_CYGWIN32 = windows/res/32/winmanifest.o windows/res/32/winicon.o
|
||||
@@ -15,22 +14,24 @@ SRC_FILES = *.c crypto/*.c
|
||||
all: nfqws
|
||||
|
||||
nfqws: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS_LINUX)
|
||||
$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
|
||||
|
||||
android: nfqws
|
||||
|
||||
bsd: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS_BSD)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LIBS_BSD) $(LDFLAGS)
|
||||
|
||||
mac: $(SRC_FILES)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
|
||||
strip dvtwsa dvtwsx
|
||||
lipo -create -output dvtws dvtwsx dvtwsa
|
||||
rm -f dvtwsx dvtwsa
|
||||
|
||||
cygwin64:
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) $(LDFLAGS)
|
||||
cygwin32:
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) $(LDFLAGS)
|
||||
cygwin: cygwin64
|
||||
|
||||
clean:
|
||||
|
@@ -12,29 +12,6 @@ static void ut_oom_recover(void *elem)
|
||||
oom = true;
|
||||
}
|
||||
|
||||
const char *l7proto_str(t_l7proto l7)
|
||||
{
|
||||
switch(l7)
|
||||
{
|
||||
case HTTP: return "http";
|
||||
case TLS: return "tls";
|
||||
case QUIC: return "quic";
|
||||
case WIREGUARD: return "wireguard";
|
||||
case DHT: return "dht";
|
||||
default: return "unknown";
|
||||
}
|
||||
}
|
||||
bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
|
||||
{
|
||||
return (l7proto==UNKNOWN && (filter_l7 & L7_PROTO_UNKNOWN)) ||
|
||||
(l7proto==HTTP && (filter_l7 & L7_PROTO_HTTP)) ||
|
||||
(l7proto==TLS && (filter_l7 & L7_PROTO_TLS)) ||
|
||||
(l7proto==QUIC && (filter_l7 & L7_PROTO_QUIC)) ||
|
||||
(l7proto==WIREGUARD && (filter_l7 & L7_PROTO_WIREGUARD)) ||
|
||||
(l7proto==DHT && (filter_l7 & L7_PROTO_DHT));
|
||||
}
|
||||
|
||||
|
||||
static const char *connstate_s[]={"SYN","ESTABLISHED","FIN"};
|
||||
|
||||
static void connswap(const t_conn *c, t_conn *c2)
|
||||
@@ -50,11 +27,8 @@ static void connswap(const t_conn *c, t_conn *c2)
|
||||
|
||||
void ConntrackClearHostname(t_ctrack *track)
|
||||
{
|
||||
if (track->hostname)
|
||||
{
|
||||
free(track->hostname);
|
||||
track->hostname = NULL;
|
||||
}
|
||||
}
|
||||
static void ConntrackClearTrack(t_ctrack *track)
|
||||
{
|
||||
@@ -372,11 +346,8 @@ void ConntrackPoolDump(const t_conntrack *p)
|
||||
|
||||
void ReasmClear(t_reassemble *reasm)
|
||||
{
|
||||
if (reasm->packet)
|
||||
{
|
||||
free(reasm->packet);
|
||||
reasm->packet = NULL;
|
||||
}
|
||||
reasm->size = reasm->size_present = 0;
|
||||
}
|
||||
bool ReasmInit(t_reassemble *reasm, size_t size_requested, uint32_t seq_start)
|
||||
|
@@ -4,8 +4,6 @@
|
||||
// this conntrack is not bullet-proof
|
||||
// its designed to satisfy dpi desync needs only
|
||||
|
||||
#include "packet_queue.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
#include <ctype.h>
|
||||
@@ -19,6 +17,8 @@
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
|
||||
#include "packet_queue.h"
|
||||
#include "protocol.h"
|
||||
|
||||
//#define HASH_BLOOM 20
|
||||
#define HASH_NONFATAL_OOM 1
|
||||
@@ -53,16 +53,6 @@ typedef struct {
|
||||
// FIN - FIN or RST received
|
||||
typedef enum {SYN=0, ESTABLISHED, FIN} t_connstate;
|
||||
|
||||
typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT} t_l7proto;
|
||||
#define L7_PROTO_HTTP 0x00000001
|
||||
#define L7_PROTO_TLS 0x00000002
|
||||
#define L7_PROTO_QUIC 0x00000004
|
||||
#define L7_PROTO_WIREGUARD 0x00000008
|
||||
#define L7_PROTO_DHT 0x00000010
|
||||
#define L7_PROTO_UNKNOWN 0x80000000
|
||||
const char *l7proto_str(t_l7proto l7);
|
||||
bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7);
|
||||
|
||||
typedef struct
|
||||
{
|
||||
bool bCheckDone, bCheckResult, bCheckExcluded; // hostlist check result cache
|
||||
|
102
nfq/darkmagic.c
102
nfq/darkmagic.c
@@ -163,7 +163,7 @@ static void fill_udphdr(struct udphdr *udp, uint16_t nsport, uint16_t ndport, ui
|
||||
udp->uh_sum = 0;
|
||||
}
|
||||
|
||||
static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in_addr *dst, uint16_t pktlen, uint8_t proto, uint8_t ttl, uint8_t tos)
|
||||
static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in_addr *dst, uint16_t pktlen, uint8_t proto, uint8_t ttl, uint8_t tos, uint16_t ip_id)
|
||||
{
|
||||
ip->ip_tos = tos;
|
||||
ip->ip_sum = 0;
|
||||
@@ -171,7 +171,7 @@ static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in
|
||||
ip->ip_v = 4;
|
||||
ip->ip_hl = 5;
|
||||
ip->ip_len = htons(pktlen);
|
||||
ip->ip_id = 0;
|
||||
ip->ip_id = ip_id;
|
||||
ip->ip_ttl = ttl;
|
||||
ip->ip_p = proto;
|
||||
ip->ip_src = *src;
|
||||
@@ -196,6 +196,7 @@ bool prepare_tcp_segment4(
|
||||
uint32_t *timestamps,
|
||||
uint8_t ttl,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t fooling,
|
||||
uint32_t badseq_increment,
|
||||
uint32_t badseq_ack_increment,
|
||||
@@ -211,7 +212,7 @@ bool prepare_tcp_segment4(
|
||||
struct tcphdr *tcp = (struct tcphdr*)(ip+1);
|
||||
uint8_t *payload = (uint8_t*)(tcp+1)+tcpoptlen;
|
||||
|
||||
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, ttl, tos);
|
||||
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, ttl, tos, ip_id);
|
||||
fill_tcphdr(tcp,fooling,tcp_flags,nseq,nack_seq,src->sin_port,dst->sin_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
|
||||
|
||||
memcpy(payload,data,len);
|
||||
@@ -314,7 +315,9 @@ bool prepare_tcp_segment(
|
||||
uint8_t scale_factor,
|
||||
uint32_t *timestamps,
|
||||
uint8_t ttl,
|
||||
uint8_t tos, uint32_t flow_label,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t flow_label,
|
||||
uint32_t fooling,
|
||||
uint32_t badseq_increment,
|
||||
uint32_t badseq_ack_increment,
|
||||
@@ -322,7 +325,7 @@ bool prepare_tcp_segment(
|
||||
uint8_t *buf, size_t *buflen)
|
||||
{
|
||||
return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
|
||||
prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
|
||||
prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,ip_id,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
|
||||
(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
|
||||
prepare_tcp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,flow_label,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
|
||||
false;
|
||||
@@ -334,6 +337,7 @@ bool prepare_udp_segment4(
|
||||
const struct sockaddr_in *src, const struct sockaddr_in *dst,
|
||||
uint8_t ttl,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t fooling,
|
||||
const uint8_t *padding, size_t padding_size,
|
||||
int padlen,
|
||||
@@ -357,7 +361,7 @@ bool prepare_udp_segment4(
|
||||
uint8_t *payload = (uint8_t*)(udp+1);
|
||||
|
||||
|
||||
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_UDP, ttl, tos);
|
||||
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_UDP, ttl, tos, ip_id);
|
||||
fill_udphdr(udp, src->sin_port, dst->sin_port, datalen);
|
||||
|
||||
memcpy(payload,data,len);
|
||||
@@ -463,7 +467,9 @@ bool prepare_udp_segment6(
|
||||
bool prepare_udp_segment(
|
||||
const struct sockaddr *src, const struct sockaddr *dst,
|
||||
uint8_t ttl,
|
||||
uint8_t tos, uint32_t flow_label,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t flow_label,
|
||||
uint32_t fooling,
|
||||
const uint8_t *padding, size_t padding_size,
|
||||
int padlen,
|
||||
@@ -471,7 +477,7 @@ bool prepare_udp_segment(
|
||||
uint8_t *buf, size_t *buflen)
|
||||
{
|
||||
return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
|
||||
prepare_udp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,ttl,tos,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
|
||||
prepare_udp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,ttl,tos,ip_id,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
|
||||
(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
|
||||
prepare_udp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,ttl,flow_label,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
|
||||
false;
|
||||
@@ -869,60 +875,49 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
|
||||
// we have garbage
|
||||
}
|
||||
|
||||
void proto_dissect_l3l4(
|
||||
uint8_t *data, size_t len,
|
||||
struct ip **ip, struct ip6_hdr **ip6,
|
||||
uint8_t *proto,
|
||||
struct tcphdr **tcp,
|
||||
struct udphdr **udp,
|
||||
size_t *transport_len,
|
||||
uint8_t **data_payload, size_t *len_payload)
|
||||
void proto_dissect_l3l4(uint8_t *data, size_t len,struct dissect *dis)
|
||||
{
|
||||
*ip = NULL;
|
||||
*ip6 = NULL;
|
||||
*proto = 0;
|
||||
*tcp = NULL;
|
||||
*transport_len = 0;
|
||||
*udp = NULL;
|
||||
*data_payload = NULL;
|
||||
*len_payload = 0;
|
||||
memset(dis,0,sizeof(*dis));
|
||||
|
||||
dis->data_pkt = data;
|
||||
dis->len_pkt = len;
|
||||
|
||||
if (proto_check_ipv4(data, len))
|
||||
{
|
||||
*ip = (struct ip *) data;
|
||||
*proto = (*ip)->ip_p;
|
||||
dis->ip = (struct ip *) data;
|
||||
dis->proto = dis->ip->ip_p;
|
||||
proto_skip_ipv4(&data, &len);
|
||||
}
|
||||
else if (proto_check_ipv6(data, len))
|
||||
{
|
||||
*ip6 = (struct ip6_hdr *) data;
|
||||
proto_skip_ipv6(&data, &len, proto, NULL);
|
||||
dis->ip6 = (struct ip6_hdr *) data;
|
||||
proto_skip_ipv6(&data, &len, &dis->proto, NULL);
|
||||
}
|
||||
else
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (*proto==IPPROTO_TCP && proto_check_tcp(data, len))
|
||||
if (dis->proto==IPPROTO_TCP && proto_check_tcp(data, len))
|
||||
{
|
||||
*tcp = (struct tcphdr *) data;
|
||||
*transport_len = len;
|
||||
dis->tcp = (struct tcphdr *) data;
|
||||
dis->transport_len = len;
|
||||
|
||||
proto_skip_tcp(&data, &len);
|
||||
|
||||
*data_payload = data;
|
||||
*len_payload = len;
|
||||
dis->data_payload = data;
|
||||
dis->len_payload = len;
|
||||
|
||||
}
|
||||
else if (*proto==IPPROTO_UDP && proto_check_udp(data, len))
|
||||
else if (dis->proto==IPPROTO_UDP && proto_check_udp(data, len))
|
||||
{
|
||||
*udp = (struct udphdr *) data;
|
||||
*transport_len = len;
|
||||
dis->udp = (struct udphdr *) data;
|
||||
dis->transport_len = len;
|
||||
|
||||
proto_skip_udp(&data, &len);
|
||||
|
||||
*data_payload = data;
|
||||
*len_payload = len;
|
||||
dis->data_payload = data;
|
||||
dis->len_payload = len;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1882,3 +1877,34 @@ void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transpo
|
||||
udp_fix_checksum(udphdr,transport_len,ip,ip6hdr);
|
||||
}
|
||||
}
|
||||
|
||||
void dbgprint_socket_buffers(int fd)
|
||||
{
|
||||
if (params.debug)
|
||||
{
|
||||
int v;
|
||||
socklen_t sz;
|
||||
sz = sizeof(int);
|
||||
if (!getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &v, &sz))
|
||||
DLOG("fd=%d SO_RCVBUF=%d\n", fd, v);
|
||||
sz = sizeof(int);
|
||||
if (!getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &v, &sz))
|
||||
DLOG("fd=%d SO_SNDBUF=%d\n", fd, v);
|
||||
}
|
||||
}
|
||||
bool set_socket_buffers(int fd, int rcvbuf, int sndbuf)
|
||||
{
|
||||
DLOG("set_socket_buffers fd=%d rcvbuf=%d sndbuf=%d\n", fd, rcvbuf, sndbuf);
|
||||
if (rcvbuf && setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(int)) < 0)
|
||||
{
|
||||
DLOG_PERROR("setsockopt (SO_RCVBUF)");
|
||||
return false;
|
||||
}
|
||||
if (sndbuf && setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(int)) < 0)
|
||||
{
|
||||
DLOG_PERROR("setsockopt (SO_SNDBUF)");
|
||||
return false;
|
||||
}
|
||||
dbgprint_socket_buffers(fd);
|
||||
return true;
|
||||
}
|
||||
|
@@ -22,6 +22,7 @@
|
||||
#endif
|
||||
|
||||
#ifdef __CYGWIN__
|
||||
#define INITGUID
|
||||
#include "windivert/windivert.h"
|
||||
#endif
|
||||
|
||||
@@ -60,6 +61,7 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
|
||||
#define VERDICT_NOCSUM 4
|
||||
|
||||
#define IP4_TOS(ip_header) (ip_header ? ip_header->ip_tos : 0)
|
||||
#define IP4_IP_ID(ip_header) (ip_header ? ip_header->ip_id : 0)
|
||||
#define IP6_FLOW(ip6_header) (ip6_header ? ip6_header->ip6_ctlun.ip6_un1.ip6_un1_flow : 0)
|
||||
|
||||
// seq and wsize have network byte order
|
||||
@@ -72,6 +74,7 @@ bool prepare_tcp_segment4(
|
||||
uint32_t *timestamps,
|
||||
uint8_t ttl,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t fooling,
|
||||
uint32_t badseq_increment,
|
||||
uint32_t badseq_ack_increment,
|
||||
@@ -99,7 +102,9 @@ bool prepare_tcp_segment(
|
||||
uint8_t scale_factor,
|
||||
uint32_t *timestamps,
|
||||
uint8_t ttl,
|
||||
uint8_t tos, uint32_t flow_label,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t flow_label,
|
||||
uint32_t fooling,
|
||||
uint32_t badseq_increment,
|
||||
uint32_t badseq_ack_increment,
|
||||
@@ -111,6 +116,7 @@ bool prepare_udp_segment4(
|
||||
const struct sockaddr_in *src, const struct sockaddr_in *dst,
|
||||
uint8_t ttl,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t fooling,
|
||||
const uint8_t *padding, size_t padding_size,
|
||||
int padlen,
|
||||
@@ -128,7 +134,9 @@ bool prepare_udp_segment6(
|
||||
bool prepare_udp_segment(
|
||||
const struct sockaddr *src, const struct sockaddr *dst,
|
||||
uint8_t ttl,
|
||||
uint8_t tos, uint32_t flow_label,
|
||||
uint8_t tos,
|
||||
uint16_t ip_id,
|
||||
uint32_t flow_label,
|
||||
uint32_t fooling,
|
||||
const uint8_t *padding, size_t padding_size,
|
||||
int padlen,
|
||||
@@ -210,14 +218,20 @@ bool proto_check_tcp(const uint8_t *data, size_t len);
|
||||
void proto_skip_tcp(uint8_t **data, size_t *len);
|
||||
bool proto_check_udp(const uint8_t *data, size_t len);
|
||||
void proto_skip_udp(uint8_t **data, size_t *len);
|
||||
void proto_dissect_l3l4(
|
||||
uint8_t *data, size_t len,
|
||||
struct ip **ip, struct ip6_hdr **ip6,
|
||||
uint8_t *proto,
|
||||
struct tcphdr **tcp,
|
||||
struct udphdr **udp,
|
||||
size_t *transport_len,
|
||||
uint8_t **data_payload, size_t *len_payload);
|
||||
struct dissect
|
||||
{
|
||||
uint8_t *data_pkt;
|
||||
size_t len_pkt;
|
||||
struct ip *ip;
|
||||
struct ip6_hdr *ip6;
|
||||
uint8_t proto;
|
||||
struct tcphdr *tcp;
|
||||
struct udphdr *udp;
|
||||
size_t transport_len;
|
||||
uint8_t *data_payload;
|
||||
size_t len_payload;
|
||||
};
|
||||
void proto_dissect_l3l4(uint8_t *data, size_t len,struct dissect *dis);
|
||||
|
||||
bool tcp_synack_segment(const struct tcphdr *tcphdr);
|
||||
bool tcp_syn_segment(const struct tcphdr *tcphdr);
|
||||
@@ -241,3 +255,6 @@ void do_nat(bool bOutbound, struct ip *ip, struct ip6_hdr *ip6, struct tcphdr *t
|
||||
|
||||
void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transport_len, struct ip *ip, struct ip6_hdr *ip6hdr);
|
||||
void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transport_len, struct ip *ip, struct ip6_hdr *ip6hdr);
|
||||
|
||||
void dbgprint_socket_buffers(int fd);
|
||||
bool set_socket_buffers(int fd, int rcvbuf, int sndbuf);
|
||||
|
1043
nfq/desync.c
1043
nfq/desync.c
File diff suppressed because it is too large
Load Diff
@@ -28,10 +28,10 @@ enum dpi_desync_mode {
|
||||
DESYNC_RSTACK,
|
||||
DESYNC_SYNACK,
|
||||
DESYNC_SYNDATA,
|
||||
DESYNC_DISORDER,
|
||||
DESYNC_DISORDER2,
|
||||
DESYNC_SPLIT,
|
||||
DESYNC_SPLIT2,
|
||||
DESYNC_FAKEDSPLIT,
|
||||
DESYNC_FAKEDDISORDER,
|
||||
DESYNC_MULTISPLIT,
|
||||
DESYNC_MULTIDISORDER,
|
||||
DESYNC_IPFRAG2,
|
||||
DESYNC_HOPBYHOP,
|
||||
DESYNC_DESTOPT,
|
||||
@@ -52,5 +52,4 @@ bool desync_valid_second_stage(enum dpi_desync_mode mode);
|
||||
bool desync_valid_second_stage_tcp(enum dpi_desync_mode mode);
|
||||
bool desync_valid_second_stage_udp(enum dpi_desync_mode mode);
|
||||
|
||||
void desync_init(void);
|
||||
uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifout, uint8_t *data_pkt, size_t *len_pkt);
|
||||
|
@@ -65,11 +65,8 @@ int z_readfile(FILE *F, char **buf, size_t *size)
|
||||
|
||||
zerr:
|
||||
inflateEnd(&zs);
|
||||
if (*buf)
|
||||
{
|
||||
free(*buf);
|
||||
*buf = NULL;
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
|
@@ -5,11 +5,31 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <ctype.h>
|
||||
#include <sys/stat.h>
|
||||
#include <libgen.h>
|
||||
|
||||
#include "params.h"
|
||||
int unique_size_t(size_t *pu, int ct)
|
||||
{
|
||||
int i, j, u;
|
||||
for (i = j = 0; j < ct; i++)
|
||||
{
|
||||
u = pu[j++];
|
||||
for (; j < ct && pu[j] == u; j++);
|
||||
pu[i] = u;
|
||||
}
|
||||
return i;
|
||||
}
|
||||
static int cmp_size_t(const void * a, const void * b)
|
||||
{
|
||||
return *(size_t*)a < *(size_t*)b ? -1 : *(size_t*)a > *(size_t*)b;
|
||||
}
|
||||
void qsort_size_t(size_t *array,size_t ct)
|
||||
{
|
||||
qsort(array,ct,sizeof(*array),cmp_size_t);
|
||||
}
|
||||
|
||||
|
||||
void rtrim(char *s)
|
||||
{
|
||||
@@ -43,22 +63,6 @@ char *strncasestr(const char *s, const char *find, size_t slen)
|
||||
return (char *)s;
|
||||
}
|
||||
|
||||
void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
|
||||
{
|
||||
size_t k;
|
||||
bool bcut = false;
|
||||
if (size > limit)
|
||||
{
|
||||
size = limit;
|
||||
bcut = true;
|
||||
}
|
||||
if (!size) return;
|
||||
for (k = 0; k < size; k++) DLOG("%02X ", data[k]);
|
||||
DLOG(bcut ? "... : " : ": ");
|
||||
for (k = 0; k < size; k++) DLOG("%c", data[k] >= 0x20 && data[k] <= 0x7F ? (char)data[k] : '.');
|
||||
if (bcut) DLOG(" ...");
|
||||
}
|
||||
|
||||
|
||||
bool load_file(const char *filename, void *buffer, size_t *buffer_size)
|
||||
{
|
||||
@@ -199,38 +203,6 @@ uint16_t saport(const struct sockaddr *sa)
|
||||
sa->sa_family==AF_INET6 ? ((struct sockaddr_in6*)sa)->sin6_port : 0);
|
||||
}
|
||||
|
||||
void dbgprint_socket_buffers(int fd)
|
||||
{
|
||||
if (params.debug)
|
||||
{
|
||||
int v;
|
||||
socklen_t sz;
|
||||
sz = sizeof(int);
|
||||
if (!getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &v, &sz))
|
||||
DLOG("fd=%d SO_RCVBUF=%d\n", fd, v);
|
||||
sz = sizeof(int);
|
||||
if (!getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &v, &sz))
|
||||
DLOG("fd=%d SO_SNDBUF=%d\n", fd, v);
|
||||
}
|
||||
}
|
||||
bool set_socket_buffers(int fd, int rcvbuf, int sndbuf)
|
||||
{
|
||||
DLOG("set_socket_buffers fd=%d rcvbuf=%d sndbuf=%d\n", fd, rcvbuf, sndbuf);
|
||||
if (rcvbuf && setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(int)) < 0)
|
||||
{
|
||||
DLOG_PERROR("setsockopt (SO_RCVBUF)");
|
||||
close(fd);
|
||||
return false;
|
||||
}
|
||||
if (sndbuf && setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(int)) < 0)
|
||||
{
|
||||
DLOG_PERROR("setsockopt (SO_SNDBUF)");
|
||||
close(fd);
|
||||
return false;
|
||||
}
|
||||
dbgprint_socket_buffers(fd);
|
||||
return true;
|
||||
}
|
||||
|
||||
uint64_t pntoh64(const void *p)
|
||||
{
|
||||
@@ -328,6 +300,18 @@ time_t file_mod_time(const char *filename)
|
||||
struct stat st;
|
||||
return stat(filename,&st)==-1 ? 0 : st.st_mtime;
|
||||
}
|
||||
bool file_mod_signature(const char *filename, file_mod_sig *ms)
|
||||
{
|
||||
struct stat st;
|
||||
if (stat(filename,&st)==-1)
|
||||
{
|
||||
FILE_MOD_RESET(ms);
|
||||
return false;
|
||||
}
|
||||
ms->mod_time=st.st_mtime;
|
||||
ms->size=st.st_size;
|
||||
return true;
|
||||
}
|
||||
|
||||
bool pf_in_range(uint16_t port, const port_filter *pf)
|
||||
{
|
||||
@@ -395,14 +379,14 @@ void fill_random_az09(uint8_t *p,size_t sz)
|
||||
}
|
||||
}
|
||||
|
||||
bool cd_to_exe_dir(const char *argv0)
|
||||
bool set_env_exedir(const char *argv0)
|
||||
{
|
||||
char *s,*d;
|
||||
bool bOK=false;
|
||||
if ((s = strdup(argv0)))
|
||||
{
|
||||
if ((d = dirname(s)))
|
||||
bOK = !chdir(d);
|
||||
setenv("EXEDIR",s,1);
|
||||
free(s);
|
||||
}
|
||||
return bOK;
|
||||
|
@@ -17,11 +17,13 @@ typedef union
|
||||
char _align[32]; // force 16-byte alignment for ip6_and int128 ops
|
||||
} sockaddr_in46;
|
||||
|
||||
int unique_size_t(size_t *pu, int ct);
|
||||
void qsort_size_t(size_t *array,size_t ct);
|
||||
|
||||
void rtrim(char *s);
|
||||
void replace_char(char *s, char from, char to);
|
||||
char *strncasestr(const char *s,const char *find, size_t slen);
|
||||
|
||||
void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit);
|
||||
bool load_file(const char *filename,void *buffer,size_t *buffer_size);
|
||||
bool load_file_nonempty(const char *filename,void *buffer,size_t *buffer_size);
|
||||
bool save_file(const char *filename, const void *buffer, size_t buffer_size);
|
||||
@@ -37,9 +39,6 @@ uint16_t saport(const struct sockaddr *sa);
|
||||
|
||||
bool seq_within(uint32_t s, uint32_t s1, uint32_t s2);
|
||||
|
||||
void dbgprint_socket_buffers(int fd);
|
||||
bool set_socket_buffers(int fd, int rcvbuf, int sndbuf);
|
||||
|
||||
uint64_t pntoh64(const void *p);
|
||||
void phton64(uint8_t *p, uint64_t v);
|
||||
|
||||
@@ -52,6 +51,14 @@ static inline void phton16(uint8_t *p, uint16_t v) {
|
||||
p[0] = (uint8_t)(v >> 8);
|
||||
p[1] = v & 0xFF;
|
||||
}
|
||||
static inline uint32_t pntoh24(const uint8_t *p) {
|
||||
return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
|
||||
}
|
||||
static inline void phton24(uint8_t *p, uint32_t v) {
|
||||
p[0] = (uint8_t)(v>>16);
|
||||
p[1] = (uint8_t)(v>>8);
|
||||
p[2] = (uint8_t)v;
|
||||
}
|
||||
static inline uint32_t pntoh32(const uint8_t *p) {
|
||||
return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
|
||||
}
|
||||
@@ -61,6 +68,14 @@ void fill_pattern(uint8_t *buf,size_t bufsize,const void *pattern,size_t patsize
|
||||
|
||||
int fprint_localtime(FILE *F);
|
||||
|
||||
typedef struct
|
||||
{
|
||||
time_t mod_time;
|
||||
off_t size;
|
||||
} file_mod_sig;
|
||||
#define FILE_MOD_COMPARE(ms1,ms2) (((ms1)->mod_time==(ms2)->mod_time) && ((ms1)->size==(ms2)->size))
|
||||
#define FILE_MOD_RESET(ms) memset(ms,0,sizeof(file_mod_sig))
|
||||
bool file_mod_signature(const char *filename, file_mod_sig *ms);
|
||||
time_t file_mod_time(const char *filename);
|
||||
|
||||
typedef struct
|
||||
@@ -76,7 +91,7 @@ void fill_random_bytes(uint8_t *p,size_t sz);
|
||||
void fill_random_az(uint8_t *p,size_t sz);
|
||||
void fill_random_az09(uint8_t *p,size_t sz);
|
||||
|
||||
bool cd_to_exe_dir(const char *argv0);
|
||||
bool set_env_exedir(const char *argv0);
|
||||
|
||||
|
||||
struct cidr4
|
||||
|
@@ -24,7 +24,7 @@ static bool addpool(strpool **hostlist, char **s, const char *end, int *ct)
|
||||
*hostlist = NULL;
|
||||
return false;
|
||||
}
|
||||
(*ct)++;
|
||||
if (ct) (*ct)++;
|
||||
}
|
||||
// advance to the next line
|
||||
for (; p<end && (!*p || *p=='\r' || *p=='\n') ; p++);
|
||||
@@ -32,6 +32,11 @@ static bool addpool(strpool **hostlist, char **s, const char *end, int *ct)
|
||||
return true;
|
||||
}
|
||||
|
||||
bool AppendHostlistItem(strpool **hostlist, char *s)
|
||||
{
|
||||
return addpool(hostlist,&s,s+strlen(s),NULL);
|
||||
}
|
||||
|
||||
bool AppendHostList(strpool **hostlist, const char *filename)
|
||||
{
|
||||
char *p, *e, s[256], *zbuf;
|
||||
@@ -98,21 +103,24 @@ bool AppendHostList(strpool **hostlist, const char *filename)
|
||||
|
||||
static bool LoadHostList(struct hostlist_file *hfile)
|
||||
{
|
||||
time_t t = file_mod_time(hfile->filename);
|
||||
if (!t)
|
||||
if (hfile->filename)
|
||||
{
|
||||
file_mod_sig fsig;
|
||||
if (!file_mod_signature(hfile->filename, &fsig))
|
||||
{
|
||||
// stat() error
|
||||
DLOG_ERR("cannot access hostlist file '%s'. in-memory content remains unchanged.\n",hfile->filename);
|
||||
return true;
|
||||
}
|
||||
if (t==hfile->mod_time) return true; // up to date
|
||||
if (FILE_MOD_COMPARE(&hfile->mod_sig,&fsig)) return true; // up to date
|
||||
StrPoolDestroy(&hfile->hostlist);
|
||||
if (!AppendHostList(&hfile->hostlist, hfile->filename))
|
||||
{
|
||||
StrPoolDestroy(&hfile->hostlist);
|
||||
return false;
|
||||
}
|
||||
hfile->mod_time=t;
|
||||
hfile->mod_sig=fsig;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
static bool LoadHostLists(struct hostlist_files_head *list)
|
||||
@@ -202,7 +210,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con
|
||||
|
||||
LIST_FOREACH(item, hostlists_exclude, next)
|
||||
{
|
||||
DLOG("[%s] exclude ", item->hfile->filename);
|
||||
DLOG("[%s] exclude ", item->hfile->filename ? item->hfile->filename : "fixed");
|
||||
if (SearchHostList(item->hfile->hostlist, host))
|
||||
{
|
||||
if (excluded) *excluded = true;
|
||||
@@ -214,7 +222,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con
|
||||
{
|
||||
LIST_FOREACH(item, hostlists, next)
|
||||
{
|
||||
DLOG("[%s] include ", item->hfile->filename);
|
||||
DLOG("[%s] include ", item->hfile->filename ? item->hfile->filename : "fixed");
|
||||
if (SearchHostList(item->hfile->hostlist, host))
|
||||
return true;
|
||||
}
|
||||
@@ -235,17 +243,29 @@ bool HostlistCheck(const struct desync_profile *dp, const char *host, bool *excl
|
||||
static struct hostlist_file *RegisterHostlist_(struct hostlist_files_head *hostlists, struct hostlist_collection_head *hl_collection, const char *filename)
|
||||
{
|
||||
struct hostlist_file *hfile;
|
||||
|
||||
if (filename)
|
||||
{
|
||||
if (!(hfile=hostlist_files_search(hostlists, filename)))
|
||||
if (!(hfile=hostlist_files_add(hostlists, filename)))
|
||||
return NULL;
|
||||
if (!hostlist_collection_search(hl_collection, filename))
|
||||
if (!hostlist_collection_add(hl_collection, hfile))
|
||||
return NULL;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!(hfile=hostlist_files_add(hostlists, NULL)))
|
||||
return NULL;
|
||||
if (!hostlist_collection_add(hl_collection, hfile))
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return hfile;
|
||||
}
|
||||
struct hostlist_file *RegisterHostlist(struct desync_profile *dp, bool bExclude, const char *filename)
|
||||
{
|
||||
if (!file_mod_time(filename))
|
||||
if (filename && !file_mod_time(filename))
|
||||
{
|
||||
DLOG_ERR("cannot access hostlist file '%s'\n",filename);
|
||||
return NULL;
|
||||
@@ -265,15 +285,30 @@ void HostlistsDebug()
|
||||
struct hostlist_item *hl_item;
|
||||
|
||||
LIST_FOREACH(hfile, ¶ms.hostlists, next)
|
||||
{
|
||||
if (hfile->filename)
|
||||
DLOG("hostlist file %s%s\n",hfile->filename,hfile->hostlist ? "" : " (empty)");
|
||||
else
|
||||
DLOG("hostlist fixed%s\n",hfile->hostlist ? "" : " (empty)");
|
||||
}
|
||||
|
||||
LIST_FOREACH(dpl, ¶ms.desync_profiles, next)
|
||||
{
|
||||
LIST_FOREACH(hl_item, &dpl->dp.hl_collection, next)
|
||||
if (hl_item->hfile!=dpl->dp.hostlist_auto)
|
||||
{
|
||||
if (hl_item->hfile->filename)
|
||||
DLOG("profile %d include hostlist %s%s\n",dpl->dp.n, hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
|
||||
else
|
||||
DLOG("profile %d include fixed hostlist%s\n",dpl->dp.n, hl_item->hfile->hostlist ? "" : " (empty)");
|
||||
}
|
||||
LIST_FOREACH(hl_item, &dpl->dp.hl_collection_exclude, next)
|
||||
{
|
||||
if (hl_item->hfile->filename)
|
||||
DLOG("profile %d exclude hostlist %s%s\n",dpl->dp.n,hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
|
||||
else
|
||||
DLOG("profile %d exclude fixed hostlist%s\n",dpl->dp.n,hl_item->hfile->hostlist ? "" : " (empty)");
|
||||
}
|
||||
if (dpl->dp.hostlist_auto)
|
||||
DLOG("profile %d auto hostlist %s%s\n",dpl->dp.n,dpl->dp.hostlist_auto->filename,dpl->dp.hostlist_auto->hostlist ? "" : " (empty)");
|
||||
}
|
||||
|
@@ -4,6 +4,7 @@
|
||||
#include "pools.h"
|
||||
#include "params.h"
|
||||
|
||||
bool AppendHostlistItem(strpool **hostlist, char *s);
|
||||
bool AppendHostList(strpool **hostlist, const char *filename);
|
||||
bool LoadAllHostLists();
|
||||
bool NonEmptyHostlist(strpool **hostlist);
|
||||
@@ -12,3 +13,5 @@ bool HostlistCheck(const struct desync_profile *dp,const char *host, bool *exclu
|
||||
struct hostlist_file *RegisterHostlist(struct desync_profile *dp, bool bExclude, const char *filename);
|
||||
bool HostlistsReloadCheckForProfile(const struct desync_profile *dp);
|
||||
void HostlistsDebug();
|
||||
|
||||
#define ResetAllHostlistsModTime() hostlist_files_reset_modtime(¶ms.hostlists)
|
||||
|
47
nfq/ipset.c
47
nfq/ipset.c
@@ -31,7 +31,7 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)
|
||||
ipsetDestroy(ips);
|
||||
return false;
|
||||
}
|
||||
(*ct)++;
|
||||
if (ct) (*ct)++;
|
||||
}
|
||||
else if (parse_cidr6(cidr,&c6))
|
||||
{
|
||||
@@ -40,7 +40,7 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)
|
||||
ipsetDestroy(ips);
|
||||
return false;
|
||||
}
|
||||
(*ct)++;
|
||||
if (ct) (*ct)++;
|
||||
}
|
||||
else
|
||||
DLOG_ERR("bad ip or subnet : %s\n",cidr);
|
||||
@@ -53,6 +53,11 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)
|
||||
|
||||
}
|
||||
|
||||
bool AppendIpsetItem(ipset *ips, char *ip)
|
||||
{
|
||||
return addpool(ips,&ip,ip+strlen(ip),NULL);
|
||||
}
|
||||
|
||||
static bool AppendIpset(ipset *ips, const char *filename)
|
||||
{
|
||||
char *p, *e, s[256], *zbuf;
|
||||
@@ -119,21 +124,24 @@ static bool AppendIpset(ipset *ips, const char *filename)
|
||||
|
||||
static bool LoadIpset(struct ipset_file *hfile)
|
||||
{
|
||||
time_t t = file_mod_time(hfile->filename);
|
||||
if (!t)
|
||||
if (hfile->filename)
|
||||
{
|
||||
file_mod_sig fsig;
|
||||
if (!file_mod_signature(hfile->filename, &fsig))
|
||||
{
|
||||
// stat() error
|
||||
DLOG_ERR("cannot access ipset file '%s'. in-memory content remains unchanged.\n",hfile->filename);
|
||||
return true;
|
||||
}
|
||||
if (t==hfile->mod_time) return true; // up to date
|
||||
if (FILE_MOD_COMPARE(&hfile->mod_sig,&fsig)) return true; // up to date
|
||||
ipsetDestroy(&hfile->ipset);
|
||||
if (!AppendIpset(&hfile->ipset, hfile->filename))
|
||||
{
|
||||
ipsetDestroy(&hfile->ipset);
|
||||
return false;
|
||||
}
|
||||
hfile->mod_time=t;
|
||||
hfile->mod_sig=fsig;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
static bool LoadIpsets(struct ipset_files_head *list)
|
||||
@@ -205,7 +213,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip
|
||||
|
||||
LIST_FOREACH(item, ips_exclude, next)
|
||||
{
|
||||
DLOG("[%s] exclude ",item->hfile->filename);
|
||||
DLOG("[%s] exclude ",item->hfile->filename ? item->hfile->filename : "fixed");
|
||||
if (SearchIpset(&item->hfile->ipset, ipv4, ipv6))
|
||||
return false;
|
||||
}
|
||||
@@ -214,7 +222,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip
|
||||
{
|
||||
LIST_FOREACH(item, ips, next)
|
||||
{
|
||||
DLOG("[%s] include ",item->hfile->filename);
|
||||
DLOG("[%s] include ",item->hfile->filename ? item->hfile->filename : "fixed");
|
||||
if (SearchIpset(&item->hfile->ipset, ipv4, ipv6))
|
||||
return true;
|
||||
}
|
||||
@@ -234,17 +242,27 @@ bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, con
|
||||
static struct ipset_file *RegisterIpset_(struct ipset_files_head *ipsets, struct ipset_collection_head *ips_collection, const char *filename)
|
||||
{
|
||||
struct ipset_file *hfile;
|
||||
if (filename)
|
||||
{
|
||||
if (!(hfile=ipset_files_search(ipsets, filename)))
|
||||
if (!(hfile=ipset_files_add(ipsets, filename)))
|
||||
return NULL;
|
||||
if (!ipset_collection_search(ips_collection, filename))
|
||||
if (!ipset_collection_add(ips_collection, hfile))
|
||||
return NULL;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!(hfile=ipset_files_add(ipsets, NULL)))
|
||||
return NULL;
|
||||
if (!ipset_collection_add(ips_collection, hfile))
|
||||
return NULL;
|
||||
}
|
||||
return hfile;
|
||||
}
|
||||
struct ipset_file *RegisterIpset(struct desync_profile *dp, bool bExclude, const char *filename)
|
||||
{
|
||||
if (!file_mod_time(filename))
|
||||
if (filename && !file_mod_time(filename))
|
||||
{
|
||||
DLOG_ERR("cannot access ipset file '%s'\n",filename);
|
||||
return NULL;
|
||||
@@ -277,13 +295,24 @@ void IpsetsDebug()
|
||||
struct ipset_item *ips_item;
|
||||
|
||||
LIST_FOREACH(hfile, ¶ms.ipsets, next)
|
||||
{
|
||||
if (hfile->filename)
|
||||
DLOG("ipset file %s (%s)\n",hfile->filename,dbg_ipset_fill(&hfile->ipset));
|
||||
else
|
||||
DLOG("ipset fixed (%s)\n",dbg_ipset_fill(&hfile->ipset));
|
||||
}
|
||||
|
||||
LIST_FOREACH(dpl, ¶ms.desync_profiles, next)
|
||||
{
|
||||
LIST_FOREACH(ips_item, &dpl->dp.ips_collection, next)
|
||||
if (ips_item->hfile->filename)
|
||||
DLOG("profile %d include ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
|
||||
else
|
||||
DLOG("profile %d include fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
|
||||
LIST_FOREACH(ips_item, &dpl->dp.ips_collection_exclude, next)
|
||||
if (ips_item->hfile->filename)
|
||||
DLOG("profile %d exclude ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
|
||||
else
|
||||
DLOG("profile %d exclude fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
|
||||
}
|
||||
}
|
||||
|
@@ -9,3 +9,6 @@ bool LoadAllIpsets();
|
||||
bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, const struct in6_addr *ipv6);
|
||||
struct ipset_file *RegisterIpset(struct desync_profile *dp, bool bExclude, const char *filename);
|
||||
void IpsetsDebug();
|
||||
bool AppendIpsetItem(ipset *ips, char *ip);
|
||||
|
||||
#define ResetAllIpsetModTime() ipset_files_reset_modtime(¶ms.ipsets)
|
||||
|
1076
nfq/nfqws.c
1076
nfq/nfqws.c
File diff suppressed because it is too large
Load Diff
113
nfq/params.c
113
nfq/params.c
@@ -154,47 +154,65 @@ int HOSTLIST_DEBUGLOG_APPEND(const char *format, ...)
|
||||
return 0;
|
||||
}
|
||||
|
||||
void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
|
||||
{
|
||||
size_t k;
|
||||
bool bcut = false;
|
||||
if (size > limit)
|
||||
{
|
||||
size = limit;
|
||||
bcut = true;
|
||||
}
|
||||
if (!size) return;
|
||||
for (k = 0; k < size; k++) DLOG("%02X ", data[k]);
|
||||
DLOG(bcut ? "... : " : ": ");
|
||||
for (k = 0; k < size; k++) DLOG("%c", data[k] >= 0x20 && data[k] <= 0x7F ? (char)data[k] : '.');
|
||||
if (bcut) DLOG(" ...");
|
||||
}
|
||||
|
||||
void dp_init(struct desync_profile *dp)
|
||||
{
|
||||
LIST_INIT(&dp->hl_collection);
|
||||
LIST_INIT(&dp->hl_collection_exclude);
|
||||
LIST_INIT(&dp->ips_collection);
|
||||
LIST_INIT(&dp->ips_collection_exclude);
|
||||
LIST_INIT(&dp->pf_tcp);
|
||||
LIST_INIT(&dp->pf_udp);
|
||||
|
||||
memcpy(dp->hostspell, "host", 4); // default hostspell
|
||||
dp->desync_skip_nosni = true;
|
||||
dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
|
||||
dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
|
||||
dp->desync_repeats = 1;
|
||||
dp->fake_tls_size = sizeof(fake_tls_clienthello_default);
|
||||
memcpy(dp->fake_tls,fake_tls_clienthello_default,dp->fake_tls_size);
|
||||
dp->fake_tls_mod = 0;
|
||||
dp->fake_http_size = strlen(fake_http_request_default);
|
||||
memcpy(dp->fake_http,fake_http_request_default,dp->fake_http_size);
|
||||
dp->fake_quic_size = 620; // must be 601+ for TSPU hack
|
||||
dp->fake_quic[0] = 0x40; // russian TSPU QUIC short header fake
|
||||
dp->fake_wg_size = 64;
|
||||
dp->fake_dht_size = 64;
|
||||
dp->fake_unknown_size = 256;
|
||||
dp->fake_syndata_size = 16;
|
||||
dp->fake_unknown_udp_size = 64;
|
||||
dp->wscale=-1; // default - dont change scale factor (client)
|
||||
dp->desync_ttl6 = 0xFF; // unused
|
||||
dp->desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
|
||||
dp->desync_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
|
||||
dp->wssize_cutoff_mode = dp->desync_start_mode = dp->desync_cutoff_mode = 'n'; // packet number by default
|
||||
dp->udplen_increment = UDPLEN_INCREMENT_DEFAULT;
|
||||
dp->hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
|
||||
dp->hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
|
||||
dp->hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
|
||||
dp->filter_ipv4 = dp->filter_ipv6 = true;
|
||||
}
|
||||
struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
|
||||
{
|
||||
struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
|
||||
if (!entry) return NULL;
|
||||
|
||||
LIST_INIT(&entry->dp.hl_collection);
|
||||
LIST_INIT(&entry->dp.hl_collection_exclude);
|
||||
LIST_INIT(&entry->dp.ips_collection);
|
||||
LIST_INIT(&entry->dp.ips_collection_exclude);
|
||||
LIST_INIT(&entry->dp.pf_tcp);
|
||||
LIST_INIT(&entry->dp.pf_udp);
|
||||
|
||||
memcpy(entry->dp.hostspell, "host", 4); // default hostspell
|
||||
entry->dp.desync_skip_nosni = true;
|
||||
entry->dp.desync_split_pos = 2;
|
||||
entry->dp.desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
|
||||
entry->dp.desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
|
||||
entry->dp.desync_repeats = 1;
|
||||
entry->dp.fake_tls_size = sizeof(fake_tls_clienthello_default);
|
||||
memcpy(entry->dp.fake_tls,fake_tls_clienthello_default,entry->dp.fake_tls_size);
|
||||
randomize_default_tls_payload(entry->dp.fake_tls);
|
||||
entry->dp.fake_http_size = strlen(fake_http_request_default);
|
||||
memcpy(entry->dp.fake_http,fake_http_request_default,entry->dp.fake_http_size);
|
||||
entry->dp.fake_quic_size = 620; // must be 601+ for TSPU hack
|
||||
entry->dp.fake_quic[0] = 0x40; // russian TSPU QUIC short header fake
|
||||
entry->dp.fake_wg_size = 64;
|
||||
entry->dp.fake_dht_size = 64;
|
||||
entry->dp.fake_unknown_size = 256;
|
||||
entry->dp.fake_syndata_size = 16;
|
||||
entry->dp.fake_unknown_udp_size = 64;
|
||||
entry->dp.wscale=-1; // default - dont change scale factor (client)
|
||||
entry->dp.desync_ttl6 = 0xFF; // unused
|
||||
entry->dp.desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
|
||||
entry->dp.desync_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
|
||||
entry->dp.wssize_cutoff_mode = entry->dp.desync_start_mode = entry->dp.desync_cutoff_mode = 'n'; // packet number by default
|
||||
entry->dp.udplen_increment = UDPLEN_INCREMENT_DEFAULT;
|
||||
entry->dp.hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
|
||||
entry->dp.hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
|
||||
entry->dp.hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
|
||||
entry->dp.filter_ipv4 = entry->dp.filter_ipv6 = true;
|
||||
dp_init(&entry->dp);
|
||||
|
||||
// add to the tail
|
||||
struct desync_profile_list *dpn,*dpl=LIST_FIRST(¶ms.desync_profiles);
|
||||
@@ -208,15 +226,24 @@ struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
|
||||
|
||||
return entry;
|
||||
}
|
||||
static void dp_entry_destroy(struct desync_profile_list *entry)
|
||||
static void dp_clear_dynamic(struct desync_profile *dp)
|
||||
{
|
||||
hostlist_collection_destroy(&entry->dp.hl_collection);
|
||||
hostlist_collection_destroy(&entry->dp.hl_collection_exclude);
|
||||
ipset_collection_destroy(&entry->dp.ips_collection);
|
||||
ipset_collection_destroy(&entry->dp.ips_collection_exclude);
|
||||
port_filters_destroy(&entry->dp.pf_tcp);
|
||||
port_filters_destroy(&entry->dp.pf_udp);
|
||||
HostFailPoolDestroy(&entry->dp.hostlist_auto_fail_counters);
|
||||
hostlist_collection_destroy(&dp->hl_collection);
|
||||
hostlist_collection_destroy(&dp->hl_collection_exclude);
|
||||
ipset_collection_destroy(&dp->ips_collection);
|
||||
ipset_collection_destroy(&dp->ips_collection_exclude);
|
||||
port_filters_destroy(&dp->pf_tcp);
|
||||
port_filters_destroy(&dp->pf_udp);
|
||||
HostFailPoolDestroy(&dp->hostlist_auto_fail_counters);
|
||||
}
|
||||
void dp_clear(struct desync_profile *dp)
|
||||
{
|
||||
dp_clear_dynamic(dp);
|
||||
memset(dp,0,sizeof(*dp));
|
||||
}
|
||||
void dp_entry_destroy(struct desync_profile_list *entry)
|
||||
{
|
||||
dp_clear_dynamic(&entry->dp);
|
||||
free(entry);
|
||||
}
|
||||
void dp_list_destroy(struct desync_profile_list_head *head)
|
||||
|
39
nfq/params.h
39
nfq/params.h
@@ -14,14 +14,12 @@
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <sys/queue.h>
|
||||
#ifndef __OpenBSD__
|
||||
#if !defined( __OpenBSD__) && !defined(__ANDROID__)
|
||||
#include <wordexp.h>
|
||||
#endif
|
||||
|
||||
#define TLS_PARTIALS_ENABLE true
|
||||
|
||||
#define Q_RCVBUF (128*1024) // in bytes
|
||||
#define Q_SNDBUF (64*1024) // in bytes
|
||||
#define RAW_SNDBUF (64*1024) // in bytes
|
||||
|
||||
#define Q_MAXLEN 1024 // in packets
|
||||
@@ -38,6 +36,15 @@
|
||||
#define HOSTLIST_AUTO_FAIL_TIME_DEFAULT 60
|
||||
#define HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT 3
|
||||
|
||||
#define MAX_SPLITS 64
|
||||
|
||||
#define FAKE_TLS_MOD_SAVE_MASK 0x0F
|
||||
#define FAKE_TLS_MOD_SET 0x01
|
||||
#define FAKE_TLS_MOD_CUSTOM_FAKE 0x02
|
||||
#define FAKE_TLS_MOD_RND 0x10
|
||||
#define FAKE_TLS_MOD_RND_SNI 0x20
|
||||
#define FAKE_TLS_MOD_PADENCAP 0x40
|
||||
|
||||
enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG };
|
||||
|
||||
struct desync_profile
|
||||
@@ -49,22 +56,30 @@ struct desync_profile
|
||||
char wssize_cutoff_mode; // n - packets, d - data packets, s - relative sequence
|
||||
unsigned int wssize_cutoff;
|
||||
|
||||
bool hostcase, hostnospace, domcase;
|
||||
bool hostcase, hostnospace, domcase, methodeol;
|
||||
char hostspell[4];
|
||||
enum dpi_desync_mode desync_mode0,desync_mode,desync_mode2;
|
||||
bool desync_retrans,desync_skip_nosni,desync_any_proto;
|
||||
unsigned int desync_repeats,desync_split_pos,desync_seqovl,desync_ipfrag_pos_tcp,desync_ipfrag_pos_udp;
|
||||
enum httpreqpos desync_split_http_req;
|
||||
enum tlspos desync_split_tls;
|
||||
unsigned int desync_repeats,desync_ipfrag_pos_tcp,desync_ipfrag_pos_udp;
|
||||
|
||||
// multisplit
|
||||
struct proto_pos splits[MAX_SPLITS];
|
||||
int split_count;
|
||||
struct proto_pos seqovl;
|
||||
|
||||
char desync_start_mode, desync_cutoff_mode; // n - packets, d - data packets, s - relative sequence
|
||||
unsigned int desync_start, desync_cutoff;
|
||||
uint8_t desync_ttl, desync_ttl6;
|
||||
autottl desync_autottl, desync_autottl6;
|
||||
uint32_t desync_fooling_mode;
|
||||
uint32_t desync_badseq_increment, desync_badseq_ack_increment;
|
||||
uint8_t fake_http[1460],fake_tls[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460];
|
||||
uint8_t fake_http[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460],fsplit_pattern[1460];
|
||||
uint8_t fake_unknown_udp[1472],udplen_pattern[1472],fake_quic[1472],fake_wg[1472],fake_dht[1472];
|
||||
size_t fake_http_size,fake_tls_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size;
|
||||
size_t fake_http_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size;
|
||||
|
||||
uint8_t fake_tls[1460],fake_tls_mod;
|
||||
size_t fake_tls_size, fake_tls_extlen_offset, fake_tls_padlen_offset;
|
||||
|
||||
int udplen_increment;
|
||||
|
||||
bool filter_ipv4,filter_ipv6;
|
||||
@@ -93,12 +108,15 @@ struct desync_profile_list {
|
||||
};
|
||||
LIST_HEAD(desync_profile_list_head, desync_profile_list);
|
||||
struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head);
|
||||
void dp_entry_destroy(struct desync_profile_list *entry);
|
||||
void dp_list_destroy(struct desync_profile_list_head *head);
|
||||
bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
|
||||
void dp_init(struct desync_profile *dp);
|
||||
void dp_clear(struct desync_profile *dp);
|
||||
|
||||
struct params_s
|
||||
{
|
||||
#ifndef __OpenBSD__
|
||||
#if !defined( __OpenBSD__) && !defined(__ANDROID__)
|
||||
wordexp_t wexp; // for file based config
|
||||
#endif
|
||||
|
||||
@@ -143,3 +161,4 @@ int DLOG_ERR(const char *format, ...);
|
||||
int DLOG_PERROR(const char *s);
|
||||
int DLOG_CONDUP(const char *format, ...);
|
||||
int HOSTLIST_DEBUGLOG_APPEND(const char *format, ...);
|
||||
void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit);
|
||||
|
43
nfq/pools.c
43
nfq/pools.c
@@ -139,7 +139,7 @@ bool strlist_add(struct str_list_head *head, const char *filename)
|
||||
}
|
||||
static void strlist_entry_destroy(struct str_list *entry)
|
||||
{
|
||||
if (entry->str) free(entry->str);
|
||||
free(entry->str);
|
||||
free(entry);
|
||||
}
|
||||
void strlist_destroy(struct str_list_head *head)
|
||||
@@ -154,18 +154,22 @@ void strlist_destroy(struct str_list_head *head)
|
||||
|
||||
|
||||
|
||||
|
||||
struct hostlist_file *hostlist_files_add(struct hostlist_files_head *head, const char *filename)
|
||||
{
|
||||
struct hostlist_file *entry = malloc(sizeof(struct hostlist_file));
|
||||
if (entry)
|
||||
{
|
||||
if (filename)
|
||||
{
|
||||
if (!(entry->filename = strdup(filename)))
|
||||
{
|
||||
free(entry);
|
||||
return false;
|
||||
}
|
||||
entry->mod_time=0;
|
||||
}
|
||||
else
|
||||
entry->filename = NULL;
|
||||
FILE_MOD_RESET(&entry->mod_sig);
|
||||
entry->hostlist = NULL;
|
||||
LIST_INSERT_HEAD(head, entry, next);
|
||||
}
|
||||
@@ -173,7 +177,7 @@ struct hostlist_file *hostlist_files_add(struct hostlist_files_head *head, const
|
||||
}
|
||||
static void hostlist_files_entry_destroy(struct hostlist_file *entry)
|
||||
{
|
||||
if (entry->filename) free(entry->filename);
|
||||
free(entry->filename);
|
||||
StrPoolDestroy(&entry->hostlist);
|
||||
free(entry);
|
||||
}
|
||||
@@ -192,11 +196,18 @@ struct hostlist_file *hostlist_files_search(struct hostlist_files_head *head, co
|
||||
|
||||
LIST_FOREACH(hfile, head, next)
|
||||
{
|
||||
if (!strcmp(hfile->filename,filename))
|
||||
if (hfile->filename && !strcmp(hfile->filename,filename))
|
||||
return hfile;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
void hostlist_files_reset_modtime(struct hostlist_files_head *list)
|
||||
{
|
||||
struct hostlist_file *hfile;
|
||||
|
||||
LIST_FOREACH(hfile, list, next)
|
||||
FILE_MOD_RESET(&hfile->mod_sig);
|
||||
}
|
||||
|
||||
struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile)
|
||||
{
|
||||
@@ -223,7 +234,7 @@ struct hostlist_item *hostlist_collection_search(struct hostlist_collection_head
|
||||
|
||||
LIST_FOREACH(item, head, next)
|
||||
{
|
||||
if (!strcmp(item->hfile->filename,filename))
|
||||
if (item->hfile->filename && !strcmp(item->hfile->filename,filename))
|
||||
return item;
|
||||
}
|
||||
return NULL;
|
||||
@@ -368,13 +379,18 @@ struct ipset_file *ipset_files_add(struct ipset_files_head *head, const char *fi
|
||||
{
|
||||
struct ipset_file *entry = malloc(sizeof(struct ipset_file));
|
||||
if (entry)
|
||||
{
|
||||
if (filename)
|
||||
{
|
||||
if (!(entry->filename = strdup(filename)))
|
||||
{
|
||||
free(entry);
|
||||
return false;
|
||||
}
|
||||
entry->mod_time=0;
|
||||
}
|
||||
else
|
||||
entry->filename = NULL;
|
||||
FILE_MOD_RESET(&entry->mod_sig);
|
||||
memset(&entry->ipset,0,sizeof(entry->ipset));
|
||||
LIST_INSERT_HEAD(head, entry, next);
|
||||
}
|
||||
@@ -382,7 +398,7 @@ struct ipset_file *ipset_files_add(struct ipset_files_head *head, const char *fi
|
||||
}
|
||||
static void ipset_files_entry_destroy(struct ipset_file *entry)
|
||||
{
|
||||
if (entry->filename) free(entry->filename);
|
||||
free(entry->filename);
|
||||
ipsetDestroy(&entry->ipset);
|
||||
free(entry);
|
||||
}
|
||||
@@ -401,11 +417,18 @@ struct ipset_file *ipset_files_search(struct ipset_files_head *head, const char
|
||||
|
||||
LIST_FOREACH(hfile, head, next)
|
||||
{
|
||||
if (!strcmp(hfile->filename,filename))
|
||||
if (hfile->filename && !strcmp(hfile->filename,filename))
|
||||
return hfile;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
void ipset_files_reset_modtime(struct ipset_files_head *list)
|
||||
{
|
||||
struct ipset_file *hfile;
|
||||
|
||||
LIST_FOREACH(hfile, list, next)
|
||||
FILE_MOD_RESET(&hfile->mod_sig);
|
||||
}
|
||||
|
||||
struct ipset_item *ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile)
|
||||
{
|
||||
@@ -432,7 +455,7 @@ struct ipset_item *ipset_collection_search(struct ipset_collection_head *head, c
|
||||
|
||||
LIST_FOREACH(item, head, next)
|
||||
{
|
||||
if (!strcmp(item->hfile->filename,filename))
|
||||
if (item->hfile->filename && !strcmp(item->hfile->filename,filename))
|
||||
return item;
|
||||
}
|
||||
return NULL;
|
||||
|
@@ -50,7 +50,7 @@ void strlist_destroy(struct str_list_head *head);
|
||||
|
||||
struct hostlist_file {
|
||||
char *filename;
|
||||
time_t mod_time;
|
||||
file_mod_sig mod_sig;
|
||||
strpool *hostlist;
|
||||
LIST_ENTRY(hostlist_file) next;
|
||||
};
|
||||
@@ -59,6 +59,7 @@ LIST_HEAD(hostlist_files_head, hostlist_file);
|
||||
struct hostlist_file *hostlist_files_add(struct hostlist_files_head *head, const char *filename);
|
||||
void hostlist_files_destroy(struct hostlist_files_head *head);
|
||||
struct hostlist_file *hostlist_files_search(struct hostlist_files_head *head, const char *filename);
|
||||
void hostlist_files_reset_modtime(struct hostlist_files_head *list);
|
||||
|
||||
struct hostlist_item {
|
||||
struct hostlist_file *hfile;
|
||||
@@ -111,7 +112,7 @@ void ipsetPrint(ipset *ipset);
|
||||
|
||||
struct ipset_file {
|
||||
char *filename;
|
||||
time_t mod_time;
|
||||
file_mod_sig mod_sig;
|
||||
ipset ipset;
|
||||
LIST_ENTRY(ipset_file) next;
|
||||
};
|
||||
@@ -120,6 +121,7 @@ LIST_HEAD(ipset_files_head, ipset_file);
|
||||
struct ipset_file *ipset_files_add(struct ipset_files_head *head, const char *filename);
|
||||
void ipset_files_destroy(struct ipset_files_head *head);
|
||||
struct ipset_file *ipset_files_search(struct ipset_files_head *head, const char *filename);
|
||||
void ipset_files_reset_modtime(struct ipset_files_head *list);
|
||||
|
||||
struct ipset_item {
|
||||
struct ipset_file *hfile;
|
||||
|
324
nfq/protocol.c
324
nfq/protocol.c
@@ -2,12 +2,158 @@
|
||||
|
||||
#include "protocol.h"
|
||||
#include "helpers.h"
|
||||
#include "params.h"
|
||||
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <string.h>
|
||||
|
||||
const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
|
||||
// find N level domain
|
||||
static bool FindNLD(const uint8_t *dom, size_t dlen, int level, const uint8_t **p, size_t *len)
|
||||
{
|
||||
int i;
|
||||
const uint8_t *p1,*p2;
|
||||
for (i=1,p2=dom+dlen;i<level;i++)
|
||||
{
|
||||
for (p2--; p2>dom && *p2!='.'; p2--);
|
||||
if (p2<=dom) return false;
|
||||
}
|
||||
for (p1=p2-1 ; p1>dom && *p1!='.'; p1--);
|
||||
if (*p1=='.') p1++;
|
||||
if (p) *p = p1;
|
||||
if (len) *len = p2-p1;
|
||||
return true;
|
||||
}
|
||||
|
||||
const char *l7proto_str(t_l7proto l7)
|
||||
{
|
||||
switch(l7)
|
||||
{
|
||||
case HTTP: return "http";
|
||||
case TLS: return "tls";
|
||||
case QUIC: return "quic";
|
||||
case WIREGUARD: return "wireguard";
|
||||
case DHT: return "dht";
|
||||
default: return "unknown";
|
||||
}
|
||||
}
|
||||
bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
|
||||
{
|
||||
return (l7proto==UNKNOWN && (filter_l7 & L7_PROTO_UNKNOWN)) ||
|
||||
(l7proto==HTTP && (filter_l7 & L7_PROTO_HTTP)) ||
|
||||
(l7proto==TLS && (filter_l7 & L7_PROTO_TLS)) ||
|
||||
(l7proto==QUIC && (filter_l7 & L7_PROTO_QUIC)) ||
|
||||
(l7proto==WIREGUARD && (filter_l7 & L7_PROTO_WIREGUARD)) ||
|
||||
(l7proto==DHT && (filter_l7 & L7_PROTO_DHT));
|
||||
}
|
||||
|
||||
#define PM_ABS 0
|
||||
#define PM_HOST 1
|
||||
#define PM_HOST_END 2
|
||||
#define PM_HOST_SLD 3
|
||||
#define PM_HOST_MIDSLD 4
|
||||
#define PM_HOST_ENDSLD 5
|
||||
#define PM_HTTP_METHOD 6
|
||||
#define PM_SNI_EXT 7
|
||||
bool IsHostMarker(uint8_t posmarker)
|
||||
{
|
||||
switch(posmarker)
|
||||
{
|
||||
case PM_HOST:
|
||||
case PM_HOST_END:
|
||||
case PM_HOST_SLD:
|
||||
case PM_HOST_MIDSLD:
|
||||
case PM_HOST_ENDSLD:
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
const char *posmarker_name(uint8_t posmarker)
|
||||
{
|
||||
switch(posmarker)
|
||||
{
|
||||
case PM_ABS: return "abs";
|
||||
case PM_HOST: return "host";
|
||||
case PM_HOST_END: return "endhost";
|
||||
case PM_HOST_SLD: return "sld";
|
||||
case PM_HOST_MIDSLD: return "midsld";
|
||||
case PM_HOST_ENDSLD: return "endsld";
|
||||
case PM_HTTP_METHOD: return "method";
|
||||
case PM_SNI_EXT: return "sniext";
|
||||
default: return "?";
|
||||
}
|
||||
}
|
||||
|
||||
static size_t CheckPos(size_t sz, ssize_t offset)
|
||||
{
|
||||
return (offset>=0 && offset<sz) ? offset : 0;
|
||||
}
|
||||
size_t AnyProtoPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
|
||||
{
|
||||
ssize_t offset;
|
||||
switch(posmarker)
|
||||
{
|
||||
case PM_ABS:
|
||||
offset = (pos<0) ? sz+pos : pos;
|
||||
return CheckPos(sz,offset);
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
static size_t HostPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz, size_t offset_host, size_t len_host)
|
||||
{
|
||||
ssize_t offset;
|
||||
const uint8_t *p;
|
||||
size_t slen;
|
||||
|
||||
switch(posmarker)
|
||||
{
|
||||
case PM_HOST:
|
||||
offset = offset_host+pos;
|
||||
break;
|
||||
case PM_HOST_END:
|
||||
offset = offset_host+len_host+pos;
|
||||
break;
|
||||
case PM_HOST_SLD:
|
||||
case PM_HOST_MIDSLD:
|
||||
case PM_HOST_ENDSLD:
|
||||
if (((offset_host+len_host)<=sz) && FindNLD(data+offset_host,len_host,2,&p,&slen))
|
||||
offset = (posmarker==PM_HOST_SLD ? p-data : posmarker==PM_HOST_ENDSLD ? p-data+slen : slen==1 ? p+1-data : p+slen/2-data) + pos;
|
||||
else
|
||||
offset = 0;
|
||||
break;
|
||||
}
|
||||
return CheckPos(sz,offset);
|
||||
}
|
||||
size_t ResolvePos(const uint8_t *data, size_t sz, t_l7proto l7proto, const struct proto_pos *sp)
|
||||
{
|
||||
switch(l7proto)
|
||||
{
|
||||
case HTTP:
|
||||
return HttpPos(sp->marker, sp->pos, data, sz);
|
||||
case TLS:
|
||||
return TLSPos(sp->marker, sp->pos, data, sz);
|
||||
default:
|
||||
return AnyProtoPos(sp->marker, sp->pos, data, sz);
|
||||
}
|
||||
}
|
||||
void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const struct proto_pos *splits, int split_count, size_t *pos, int *pos_count)
|
||||
{
|
||||
int i,j;
|
||||
for(i=j=0;i<split_count;i++)
|
||||
{
|
||||
pos[j] = ResolvePos(data,sz,l7proto,splits+i);
|
||||
if (pos[j]) j++;
|
||||
}
|
||||
qsort_size_t(pos, j);
|
||||
j=unique_size_t(pos, j);
|
||||
*pos_count=j;
|
||||
}
|
||||
|
||||
|
||||
const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
|
||||
const char *HttpMethod(const uint8_t *data, size_t len)
|
||||
{
|
||||
const char **method;
|
||||
@@ -116,17 +262,6 @@ bool HttpExtractHost(const uint8_t *data, size_t len, char *host, size_t len_hos
|
||||
{
|
||||
return HttpExtractHeader(data, len, "\nHost:", host, len_host);
|
||||
}
|
||||
const char *HttpFind2ndLevelDomain(const char *host)
|
||||
{
|
||||
const char *p=NULL;
|
||||
if (*host)
|
||||
{
|
||||
for (p = host + strlen(host)-1; p>host && *p!='.'; p--);
|
||||
if (*p=='.') for (p--; p>host && *p!='.'; p--);
|
||||
if (*p=='.') p++;
|
||||
}
|
||||
return p;
|
||||
}
|
||||
// DPI redirects are global redirects to another domain
|
||||
bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host)
|
||||
{
|
||||
@@ -157,45 +292,56 @@ bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *
|
||||
// somethinkg like : censor.net
|
||||
|
||||
// extract 2nd level domains
|
||||
const char *dhost, *drhost;
|
||||
if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL) || !FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
|
||||
return false;
|
||||
|
||||
const char *dhost = HttpFind2ndLevelDomain(host);
|
||||
const char *drhost = HttpFind2ndLevelDomain(redirect_host);
|
||||
|
||||
// compare 2nd level domains
|
||||
return strcasecmp(dhost, drhost)!=0;
|
||||
}
|
||||
size_t HttpPos(enum httpreqpos tpos_type, size_t hpos_pos, const uint8_t *http, size_t sz)
|
||||
size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
|
||||
{
|
||||
const uint8_t *method, *host=NULL;
|
||||
const uint8_t *method, *host=NULL, *p;
|
||||
size_t offset_host,len_host;
|
||||
ssize_t offset;
|
||||
int i;
|
||||
|
||||
switch(tpos_type)
|
||||
switch(posmarker)
|
||||
{
|
||||
case httpreqpos_method:
|
||||
case PM_HTTP_METHOD:
|
||||
// recognize some tpws pre-applied hacks
|
||||
method=http;
|
||||
method=data;
|
||||
if (sz<10) break;
|
||||
if (*method=='\n' || *method=='\r') method++;
|
||||
if (*method=='\n' || *method=='\r') method++;
|
||||
for (i=0;i<7;i++) if (*method>='A' && *method<='Z') method++;
|
||||
if (i<3 || *method!=' ') break;
|
||||
return method-http-1;
|
||||
case httpreqpos_host:
|
||||
if (HttpFindHostConst(&host,http,sz) && (host-http+7)<sz)
|
||||
for (p=method,i=0;i<7;i++) if (*p>='A' && *p<='Z') p++;
|
||||
if (i<3 || *p!=' ') break;
|
||||
return CheckPos(sz,method-data+pos);
|
||||
case PM_HOST:
|
||||
case PM_HOST_END:
|
||||
case PM_HOST_SLD:
|
||||
case PM_HOST_MIDSLD:
|
||||
case PM_HOST_ENDSLD:
|
||||
if (HttpFindHostConst(&host,data,sz) && (host-data+7)<sz)
|
||||
{
|
||||
host+=5;
|
||||
if (*host==' ') host++;
|
||||
return host-http;
|
||||
if (*host==' ' || *host=='\t') host++;
|
||||
offset_host = host-data;
|
||||
if (posmarker!=PM_HOST)
|
||||
for (len_host=0; (offset_host+len_host)<sz && data[offset_host+len_host]!='\r' && data[offset_host+len_host]!='\n'; len_host++);
|
||||
else
|
||||
len_host = 0;
|
||||
return HostPos(posmarker,pos,data,sz,offset_host,len_host);
|
||||
}
|
||||
break;
|
||||
case httpreqpos_pos:
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
return AnyProtoPos(posmarker,pos,data,sz);
|
||||
}
|
||||
return hpos_pos<sz ? hpos_pos : 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
uint16_t TLSRecordDataLen(const uint8_t *data)
|
||||
{
|
||||
return pntoh16(data + 3);
|
||||
@@ -227,6 +373,46 @@ bool IsTLSHandshakeFull(const uint8_t *data, size_t len)
|
||||
}
|
||||
|
||||
|
||||
bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off)
|
||||
{
|
||||
// +0
|
||||
// u8 HandshakeType: ClientHello
|
||||
// u24 Length
|
||||
// u16 Version
|
||||
// c[32] random
|
||||
// u8 SessionIDLength
|
||||
// <SessionID>
|
||||
// u16 CipherSuitesLength
|
||||
// <CipherSuites>
|
||||
// u8 CompressionMethodsLength
|
||||
// <CompressionMethods>
|
||||
// u16 ExtensionsLength
|
||||
|
||||
size_t l;
|
||||
|
||||
l = 1 + 3 + 2 + 32;
|
||||
// SessionIDLength
|
||||
if (len < (l + 1)) return false;
|
||||
l += data[l] + 1;
|
||||
// CipherSuitesLength
|
||||
if (len < (l + 2)) return false;
|
||||
l += pntoh16(data + l) + 2;
|
||||
// CompressionMethodsLength
|
||||
if (len < (l + 1)) return false;
|
||||
l += data[l] + 1;
|
||||
// ExtensionsLength
|
||||
if (len < (l + 2)) return false;
|
||||
*off = l;
|
||||
return true;
|
||||
}
|
||||
bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off)
|
||||
{
|
||||
if (!TLSFindExtLenOffsetInHandshake(data+5,len-5,off))
|
||||
return false;
|
||||
*off+=5;
|
||||
return true;
|
||||
}
|
||||
|
||||
// bPartialIsOK=true - accept partial packets not containing the whole TLS message
|
||||
bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK)
|
||||
{
|
||||
@@ -247,18 +433,7 @@ bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const
|
||||
|
||||
if (!bPartialIsOK && !IsTLSHandshakeFull(data,len)) return false;
|
||||
|
||||
l = 1 + 3 + 2 + 32;
|
||||
// SessionIDLength
|
||||
if (len < (l + 1)) return false;
|
||||
l += data[l] + 1;
|
||||
// CipherSuitesLength
|
||||
if (len < (l + 2)) return false;
|
||||
l += pntoh16(data + l) + 2;
|
||||
// CompressionMethodsLength
|
||||
if (len < (l + 1)) return false;
|
||||
l += data[l] + 1;
|
||||
// ExtensionsLength
|
||||
if (len < (l + 2)) return false;
|
||||
if (!TLSFindExtLenOffsetInHandshake(data,len,&l)) return false;
|
||||
|
||||
data += l; len -= l;
|
||||
l = pntoh16(data);
|
||||
@@ -305,15 +480,24 @@ bool TLSFindExt(const uint8_t *data, size_t len, uint16_t type, const uint8_t **
|
||||
if (reclen<len) len=reclen; // correct len if it has more data than the first tls record has
|
||||
return TLSFindExtInHandshake(data + 5, len - 5, type, ext, len_ext, bPartialIsOK);
|
||||
}
|
||||
bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen)
|
||||
{
|
||||
// u16 data+0 - name list length
|
||||
// u8 data+2 - server name type. 0=host_name
|
||||
// u16 data+3 - server name length
|
||||
if (*elen < 5 || (*ext)[2] != 0) return false;
|
||||
*slen = pntoh16(*ext + 3);
|
||||
*ext += 5; *elen -= 5;
|
||||
return *slen <= *elen;
|
||||
}
|
||||
static bool TLSExtractHostFromExt(const uint8_t *ext, size_t elen, char *host, size_t len_host)
|
||||
{
|
||||
// u16 data+0 - name list length
|
||||
// u8 data+2 - server name type. 0=host_name
|
||||
// u16 data+3 - server name length
|
||||
if (elen < 5 || ext[2] != 0) return false;
|
||||
size_t slen = pntoh16(ext + 3);
|
||||
ext += 5; elen -= 5;
|
||||
if (slen < elen) return false;
|
||||
size_t slen;
|
||||
if (!TLSAdvanceToHostInSNI(&ext,&elen,&slen))
|
||||
return false;
|
||||
if (host && len_host)
|
||||
{
|
||||
if (slen >= len_host) slen = len_host - 1;
|
||||
@@ -338,21 +522,39 @@ bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *hos
|
||||
if (!TLSFindExtInHandshake(data, len, 0, &ext, &elen, bPartialIsOK)) return false;
|
||||
return TLSExtractHostFromExt(ext, elen, host, len_host);
|
||||
}
|
||||
size_t TLSPos(enum tlspos tpos_type, size_t tpos_pos, const uint8_t *tls, size_t sz, uint8_t type)
|
||||
|
||||
size_t TLSPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
|
||||
{
|
||||
size_t elen;
|
||||
const uint8_t *ext;
|
||||
switch(tpos_type)
|
||||
const uint8_t *ext, *p;
|
||||
size_t offset_host,len_host;
|
||||
ssize_t offset;
|
||||
|
||||
switch(posmarker)
|
||||
{
|
||||
case tlspos_sni:
|
||||
case tlspos_sniext:
|
||||
if (TLSFindExt(tls,sz,0,&ext,&elen,false))
|
||||
return (tpos_type==tlspos_sni) ? ext-tls+6 : ext-tls+1;
|
||||
// fall through
|
||||
case tlspos_pos:
|
||||
return tpos_pos<sz ? tpos_pos : 0;
|
||||
default:
|
||||
case PM_HOST:
|
||||
case PM_HOST_END:
|
||||
case PM_HOST_SLD:
|
||||
case PM_HOST_MIDSLD:
|
||||
case PM_HOST_ENDSLD:
|
||||
case PM_SNI_EXT:
|
||||
if (TLSFindExt(data,sz,0,&ext,&elen,TLS_PARTIALS_ENABLE))
|
||||
{
|
||||
if (posmarker==PM_SNI_EXT)
|
||||
{
|
||||
return CheckPos(sz,ext-data+pos);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!TLSAdvanceToHostInSNI(&ext,&elen,&len_host))
|
||||
return 0;
|
||||
offset_host = ext-data;
|
||||
return HostPos(posmarker,pos,data,sz,offset_host,len_host);
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
default:
|
||||
return AnyProtoPos(posmarker,pos,data,sz);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -699,6 +901,7 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
|
||||
return found;
|
||||
}
|
||||
|
||||
/*
|
||||
bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host, size_t len_host, bool *bDecryptOK, bool *bIsCryptoHello)
|
||||
{
|
||||
if (bIsCryptoHello) *bIsCryptoHello=false;
|
||||
@@ -718,8 +921,9 @@ bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host
|
||||
if (!IsQUICCryptoHello(defrag, defrag_len, &hello_offset, &hello_len)) return false;
|
||||
if (bIsCryptoHello) *bIsCryptoHello=true;
|
||||
|
||||
return TLSHelloExtractHostFromHandshake(defrag + hello_offset, hello_len, host, len_host, true);
|
||||
return TLSHelloExtractHostFromHandshake(defrag + hello_offset, hello_len, host, len_host, NULL, true);
|
||||
}
|
||||
*/
|
||||
|
||||
bool IsQUICInitial(const uint8_t *data, size_t len)
|
||||
{
|
||||
@@ -763,7 +967,7 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
|
||||
|
||||
bool IsWireguardHandshakeInitiation(const uint8_t *data, size_t len)
|
||||
{
|
||||
return len==148 && data[0]==1 && data[1]==0 && data[2]==0 && data[3]==0;
|
||||
return len==148 && data[0]==1;
|
||||
}
|
||||
bool IsDhtD1(const uint8_t *data, size_t len)
|
||||
{
|
||||
|
@@ -7,6 +7,39 @@
|
||||
#include "crypto/aes-gcm.h"
|
||||
#include "helpers.h"
|
||||
|
||||
typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT} t_l7proto;
|
||||
#define L7_PROTO_HTTP 0x00000001
|
||||
#define L7_PROTO_TLS 0x00000002
|
||||
#define L7_PROTO_QUIC 0x00000004
|
||||
#define L7_PROTO_WIREGUARD 0x00000008
|
||||
#define L7_PROTO_DHT 0x00000010
|
||||
#define L7_PROTO_UNKNOWN 0x80000000
|
||||
const char *l7proto_str(t_l7proto l7);
|
||||
bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7);
|
||||
|
||||
// pos markers
|
||||
#define PM_ABS 0
|
||||
#define PM_HOST 1
|
||||
#define PM_HOST_END 2
|
||||
#define PM_HOST_SLD 3
|
||||
#define PM_HOST_MIDSLD 4
|
||||
#define PM_HOST_ENDSLD 5
|
||||
#define PM_HTTP_METHOD 6
|
||||
#define PM_SNI_EXT 7
|
||||
struct proto_pos
|
||||
{
|
||||
int16_t pos;
|
||||
uint8_t marker;
|
||||
};
|
||||
#define PROTO_POS_EMPTY(sp) ((sp)->marker==PM_ABS && (sp)->pos==0)
|
||||
bool IsHostMarker(uint8_t posmarker);
|
||||
const char *posmarker_name(uint8_t posmarker);
|
||||
size_t AnyProtoPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz);
|
||||
size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz);
|
||||
size_t TLSPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz);
|
||||
size_t ResolvePos(const uint8_t *data, size_t sz, t_l7proto l7proto, const struct proto_pos *sp);
|
||||
void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const struct proto_pos *splits, int split_count, size_t *pos, int *pos_count);
|
||||
|
||||
extern const char *http_methods[9];
|
||||
const char *HttpMethod(const uint8_t *data, size_t len);
|
||||
bool IsHttp(const uint8_t *data, size_t len);
|
||||
@@ -21,8 +54,6 @@ const char *HttpFind2ndLevelDomain(const char *host);
|
||||
int HttpReplyCode(const uint8_t *data, size_t len);
|
||||
// must be pre-checked by IsHttpReply
|
||||
bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
|
||||
enum httpreqpos { httpreqpos_none = 0, httpreqpos_method, httpreqpos_host, httpreqpos_pos };
|
||||
size_t HttpPos(enum httpreqpos tpos_type, size_t hpos_pos, const uint8_t *http, size_t sz);
|
||||
|
||||
uint16_t TLSRecordDataLen(const uint8_t *data);
|
||||
size_t TLSRecordLen(const uint8_t *data);
|
||||
@@ -31,12 +62,13 @@ bool IsTLSClientHello(const uint8_t *data, size_t len, bool bPartialIsOK);
|
||||
size_t TLSHandshakeLen(const uint8_t *data);
|
||||
bool IsTLSHandshakeClientHello(const uint8_t *data, size_t len);
|
||||
bool IsTLSHandshakeFull(const uint8_t *data, size_t len);
|
||||
bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen);
|
||||
bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off);
|
||||
bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off);
|
||||
bool TLSFindExt(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK);
|
||||
bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK);
|
||||
bool TLSHelloExtractHost(const uint8_t *data, size_t len, char *host, size_t len_host, bool bPartialIsOK);
|
||||
bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *host, size_t len_host, bool bPartialIsOK);
|
||||
enum tlspos { tlspos_none = 0, tlspos_sni, tlspos_sniext, tlspos_pos };
|
||||
size_t TLSPos(enum tlspos tpos_type, size_t tpos_pos, const uint8_t *tls, size_t sz, uint8_t type);
|
||||
|
||||
bool IsWireguardHandshakeInitiation(const uint8_t *data, size_t len);
|
||||
bool IsDhtD1(const uint8_t *data, size_t len);
|
||||
@@ -56,4 +88,4 @@ bool QUICExtractDCID(const uint8_t *data, size_t len, quic_cid_t *cid);
|
||||
|
||||
bool QUICDecryptInitial(const uint8_t *data, size_t data_len, uint8_t *clean, size_t *clean_len);
|
||||
bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len);
|
||||
bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host, size_t len_host, bool *bDecryptOK, bool *bIsCryptoHello);
|
||||
//bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host, size_t len_host, bool *bDecryptOK, bool *bIsCryptoHello);
|
||||
|
@@ -88,10 +88,6 @@ SYS_symlinkat,
|
||||
SYS_link,
|
||||
#endif
|
||||
SYS_linkat,
|
||||
#ifdef SYS_pkey_mprotect
|
||||
SYS_pkey_mprotect,
|
||||
#endif
|
||||
SYS_mprotect,
|
||||
SYS_truncate,
|
||||
#ifdef SYS_truncate64
|
||||
SYS_truncate64,
|
||||
|
@@ -1,12 +1,12 @@
|
||||
CC ?= cc
|
||||
CFLAGS += -std=gnu99 -s -O3
|
||||
CFLAGS += -std=gnu99 -s -Os -flto=auto
|
||||
LIBS = -lz -lpthread
|
||||
SRC_FILES = *.c
|
||||
|
||||
all: tpws
|
||||
|
||||
tpws: $(SRC_FILES)
|
||||
$(CC) $(CFLAGS) -Iepoll-shim/include -o $@ $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
|
||||
$(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
|
||||
|
||||
clean:
|
||||
rm -f tpws *.o
|
||||
|
@@ -1,20 +1,25 @@
|
||||
CC ?= gcc
|
||||
CFLAGS += -std=gnu99 -O3
|
||||
CFLAGS += -std=gnu99 -Os -flto=auto
|
||||
CFLAGS_BSD = -Wno-address-of-packed-member
|
||||
LIBS = -lz -lpthread
|
||||
LIBS_ANDROID = -lz
|
||||
SRC_FILES = *.c
|
||||
SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
|
||||
|
||||
all: tpws
|
||||
|
||||
tpws: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
|
||||
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
|
||||
|
||||
android: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
|
||||
|
||||
bsd: $(SRC_FILES)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
|
||||
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
|
||||
|
||||
mac: $(SRC_FILES)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
|
||||
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
|
||||
strip tpwsa tpwsx
|
||||
lipo -create -output tpws tpwsx tpwsa
|
||||
rm -f tpwsx tpwsa
|
||||
|
26
tpws/andr/_musl_license.txt
Normal file
26
tpws/andr/_musl_license.txt
Normal file
@@ -0,0 +1,26 @@
|
||||
Code in this dir is taken from musl libc to support old android versions <7.0
|
||||
|
||||
musl as a whole is licensed under the following standard MIT license:
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Copyright <20> 2005-2020 Rich Felker, et al.
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
||||
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
----------------------------------------------------------------------
|
216
tpws/andr/getifaddrs.c
Normal file
216
tpws/andr/getifaddrs.c
Normal file
@@ -0,0 +1,216 @@
|
||||
#define _GNU_SOURCE
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <ifaddrs.h>
|
||||
#include <syscall.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include "netlink.h"
|
||||
|
||||
#define IFADDRS_HASH_SIZE 64
|
||||
|
||||
/* getifaddrs() reports hardware addresses with PF_PACKET that implies
|
||||
* struct sockaddr_ll. But e.g. Infiniband socket address length is
|
||||
* longer than sockaddr_ll.ssl_addr[8] can hold. Use this hack struct
|
||||
* to extend ssl_addr - callers should be able to still use it. */
|
||||
struct sockaddr_ll_hack {
|
||||
unsigned short sll_family, sll_protocol;
|
||||
int sll_ifindex;
|
||||
unsigned short sll_hatype;
|
||||
unsigned char sll_pkttype, sll_halen;
|
||||
unsigned char sll_addr[24];
|
||||
};
|
||||
|
||||
union sockany {
|
||||
struct sockaddr sa;
|
||||
struct sockaddr_ll_hack ll;
|
||||
struct sockaddr_in v4;
|
||||
struct sockaddr_in6 v6;
|
||||
};
|
||||
|
||||
struct ifaddrs_storage {
|
||||
struct ifaddrs ifa;
|
||||
struct ifaddrs_storage *hash_next;
|
||||
union sockany addr, netmask, ifu;
|
||||
unsigned int index;
|
||||
char name[IFNAMSIZ+1];
|
||||
};
|
||||
|
||||
struct ifaddrs_ctx {
|
||||
struct ifaddrs *first;
|
||||
struct ifaddrs *last;
|
||||
struct ifaddrs_storage *hash[IFADDRS_HASH_SIZE];
|
||||
};
|
||||
|
||||
void freeifaddrs(struct ifaddrs *ifp)
|
||||
{
|
||||
struct ifaddrs *n;
|
||||
while (ifp) {
|
||||
n = ifp->ifa_next;
|
||||
free(ifp);
|
||||
ifp = n;
|
||||
}
|
||||
}
|
||||
|
||||
static void copy_addr(struct sockaddr **r, int af, union sockany *sa, void *addr, size_t addrlen, int ifindex)
|
||||
{
|
||||
uint8_t *dst;
|
||||
int len;
|
||||
|
||||
switch (af) {
|
||||
case AF_INET:
|
||||
dst = (uint8_t*) &sa->v4.sin_addr;
|
||||
len = 4;
|
||||
break;
|
||||
case AF_INET6:
|
||||
dst = (uint8_t*) &sa->v6.sin6_addr;
|
||||
len = 16;
|
||||
if (IN6_IS_ADDR_LINKLOCAL(addr) || IN6_IS_ADDR_MC_LINKLOCAL(addr))
|
||||
sa->v6.sin6_scope_id = ifindex;
|
||||
break;
|
||||
default:
|
||||
return;
|
||||
}
|
||||
if (addrlen < len) return;
|
||||
sa->sa.sa_family = af;
|
||||
memcpy(dst, addr, len);
|
||||
*r = &sa->sa;
|
||||
}
|
||||
|
||||
static void gen_netmask(struct sockaddr **r, int af, union sockany *sa, int prefixlen)
|
||||
{
|
||||
uint8_t addr[16] = {0};
|
||||
int i;
|
||||
|
||||
if (prefixlen > 8*sizeof(addr)) prefixlen = 8*sizeof(addr);
|
||||
i = prefixlen / 8;
|
||||
memset(addr, 0xff, i);
|
||||
if (i < sizeof(addr)) addr[i++] = 0xff << (8 - (prefixlen % 8));
|
||||
copy_addr(r, af, sa, addr, sizeof(addr), 0);
|
||||
}
|
||||
|
||||
static void copy_lladdr(struct sockaddr **r, union sockany *sa, void *addr, size_t addrlen, int ifindex, unsigned short hatype)
|
||||
{
|
||||
if (addrlen > sizeof(sa->ll.sll_addr)) return;
|
||||
sa->ll.sll_family = AF_PACKET;
|
||||
sa->ll.sll_ifindex = ifindex;
|
||||
sa->ll.sll_hatype = hatype;
|
||||
sa->ll.sll_halen = addrlen;
|
||||
memcpy(sa->ll.sll_addr, addr, addrlen);
|
||||
*r = &sa->sa;
|
||||
}
|
||||
|
||||
static int netlink_msg_to_ifaddr(void *pctx, struct nlmsghdr *h)
|
||||
{
|
||||
struct ifaddrs_ctx *ctx = pctx;
|
||||
struct ifaddrs_storage *ifs, *ifs0;
|
||||
struct ifinfomsg *ifi = NLMSG_DATA(h);
|
||||
struct ifaddrmsg *ifa = NLMSG_DATA(h);
|
||||
struct rtattr *rta;
|
||||
int stats_len = 0;
|
||||
|
||||
if (h->nlmsg_type == RTM_NEWLINK) {
|
||||
for (rta = NLMSG_RTA(h, sizeof(*ifi)); NLMSG_RTAOK(rta, h); rta = RTA_NEXT(rta)) {
|
||||
if (rta->rta_type != IFLA_STATS) continue;
|
||||
stats_len = RTA_DATALEN(rta);
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
for (ifs0 = ctx->hash[ifa->ifa_index % IFADDRS_HASH_SIZE]; ifs0; ifs0 = ifs0->hash_next)
|
||||
if (ifs0->index == ifa->ifa_index)
|
||||
break;
|
||||
if (!ifs0) return 0;
|
||||
}
|
||||
|
||||
ifs = calloc(1, sizeof(struct ifaddrs_storage) + stats_len);
|
||||
if (ifs == 0) return -1;
|
||||
|
||||
if (h->nlmsg_type == RTM_NEWLINK) {
|
||||
ifs->index = ifi->ifi_index;
|
||||
ifs->ifa.ifa_flags = ifi->ifi_flags;
|
||||
|
||||
for (rta = NLMSG_RTA(h, sizeof(*ifi)); NLMSG_RTAOK(rta, h); rta = RTA_NEXT(rta)) {
|
||||
switch (rta->rta_type) {
|
||||
case IFLA_IFNAME:
|
||||
if (RTA_DATALEN(rta) < sizeof(ifs->name)) {
|
||||
memcpy(ifs->name, RTA_DATA(rta), RTA_DATALEN(rta));
|
||||
ifs->ifa.ifa_name = ifs->name;
|
||||
}
|
||||
break;
|
||||
case IFLA_ADDRESS:
|
||||
copy_lladdr(&ifs->ifa.ifa_addr, &ifs->addr, RTA_DATA(rta), RTA_DATALEN(rta), ifi->ifi_index, ifi->ifi_type);
|
||||
break;
|
||||
case IFLA_BROADCAST:
|
||||
copy_lladdr(&ifs->ifa.ifa_broadaddr, &ifs->ifu, RTA_DATA(rta), RTA_DATALEN(rta), ifi->ifi_index, ifi->ifi_type);
|
||||
break;
|
||||
case IFLA_STATS:
|
||||
ifs->ifa.ifa_data = (void*)(ifs+1);
|
||||
memcpy(ifs->ifa.ifa_data, RTA_DATA(rta), RTA_DATALEN(rta));
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (ifs->ifa.ifa_name) {
|
||||
unsigned int bucket = ifs->index % IFADDRS_HASH_SIZE;
|
||||
ifs->hash_next = ctx->hash[bucket];
|
||||
ctx->hash[bucket] = ifs;
|
||||
}
|
||||
} else {
|
||||
ifs->ifa.ifa_name = ifs0->ifa.ifa_name;
|
||||
ifs->ifa.ifa_flags = ifs0->ifa.ifa_flags;
|
||||
for (rta = NLMSG_RTA(h, sizeof(*ifa)); NLMSG_RTAOK(rta, h); rta = RTA_NEXT(rta)) {
|
||||
switch (rta->rta_type) {
|
||||
case IFA_ADDRESS:
|
||||
/* If ifa_addr is already set we, received an IFA_LOCAL before
|
||||
* so treat this as destination address */
|
||||
if (ifs->ifa.ifa_addr)
|
||||
copy_addr(&ifs->ifa.ifa_dstaddr, ifa->ifa_family, &ifs->ifu, RTA_DATA(rta), RTA_DATALEN(rta), ifa->ifa_index);
|
||||
else
|
||||
copy_addr(&ifs->ifa.ifa_addr, ifa->ifa_family, &ifs->addr, RTA_DATA(rta), RTA_DATALEN(rta), ifa->ifa_index);
|
||||
break;
|
||||
case IFA_BROADCAST:
|
||||
copy_addr(&ifs->ifa.ifa_broadaddr, ifa->ifa_family, &ifs->ifu, RTA_DATA(rta), RTA_DATALEN(rta), ifa->ifa_index);
|
||||
break;
|
||||
case IFA_LOCAL:
|
||||
/* If ifa_addr is set and we get IFA_LOCAL, assume we have
|
||||
* a point-to-point network. Move address to correct field. */
|
||||
if (ifs->ifa.ifa_addr) {
|
||||
ifs->ifu = ifs->addr;
|
||||
ifs->ifa.ifa_dstaddr = &ifs->ifu.sa;
|
||||
memset(&ifs->addr, 0, sizeof(ifs->addr));
|
||||
}
|
||||
copy_addr(&ifs->ifa.ifa_addr, ifa->ifa_family, &ifs->addr, RTA_DATA(rta), RTA_DATALEN(rta), ifa->ifa_index);
|
||||
break;
|
||||
case IFA_LABEL:
|
||||
if (RTA_DATALEN(rta) < sizeof(ifs->name)) {
|
||||
memcpy(ifs->name, RTA_DATA(rta), RTA_DATALEN(rta));
|
||||
ifs->ifa.ifa_name = ifs->name;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (ifs->ifa.ifa_addr)
|
||||
gen_netmask(&ifs->ifa.ifa_netmask, ifa->ifa_family, &ifs->netmask, ifa->ifa_prefixlen);
|
||||
}
|
||||
|
||||
if (ifs->ifa.ifa_name) {
|
||||
if (!ctx->first) ctx->first = &ifs->ifa;
|
||||
if (ctx->last) ctx->last->ifa_next = &ifs->ifa;
|
||||
ctx->last = &ifs->ifa;
|
||||
} else {
|
||||
free(ifs);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int getifaddrs(struct ifaddrs **ifap)
|
||||
{
|
||||
struct ifaddrs_ctx _ctx, *ctx = &_ctx;
|
||||
int r;
|
||||
memset(ctx, 0, sizeof *ctx);
|
||||
r = __rtnetlink_enumerate(AF_UNSPEC, AF_UNSPEC, netlink_msg_to_ifaddr, ctx);
|
||||
if (r == 0) *ifap = ctx->first;
|
||||
else freeifaddrs(ctx->first);
|
||||
return r;
|
||||
}
|
8
tpws/andr/ifaddrs.h
Normal file
8
tpws/andr/ifaddrs.h
Normal file
@@ -0,0 +1,8 @@
|
||||
#pragma once
|
||||
|
||||
#include <ifaddrs.h>
|
||||
|
||||
#if __ANDROID_API__ < 24
|
||||
void freeifaddrs(struct ifaddrs *);
|
||||
int getifaddrs(struct ifaddrs **);
|
||||
#endif
|
54
tpws/andr/netlink.c
Normal file
54
tpws/andr/netlink.c
Normal file
@@ -0,0 +1,54 @@
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <syscall.h>
|
||||
#include <sys/socket.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "netlink.h"
|
||||
|
||||
static int __netlink_enumerate(int fd, unsigned int seq, int type, int af,
|
||||
int (*cb)(void *ctx, struct nlmsghdr *h), void *ctx)
|
||||
{
|
||||
struct nlmsghdr *h;
|
||||
union {
|
||||
uint8_t buf[8192];
|
||||
struct {
|
||||
struct nlmsghdr nlh;
|
||||
struct rtgenmsg g;
|
||||
} req;
|
||||
struct nlmsghdr reply;
|
||||
} u;
|
||||
int r, ret;
|
||||
|
||||
memset(&u.req, 0, sizeof(u.req));
|
||||
u.req.nlh.nlmsg_len = sizeof(u.req);
|
||||
u.req.nlh.nlmsg_type = type;
|
||||
u.req.nlh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
|
||||
u.req.nlh.nlmsg_seq = seq;
|
||||
u.req.g.rtgen_family = af;
|
||||
r = send(fd, &u.req, sizeof(u.req), 0);
|
||||
if (r < 0) return r;
|
||||
|
||||
while (1) {
|
||||
r = recv(fd, u.buf, sizeof(u.buf), MSG_DONTWAIT);
|
||||
if (r <= 0) return -1;
|
||||
for (h = &u.reply; NLMSG_OK(h, (void*)&u.buf[r]); h = NLMSG_NEXT(h)) {
|
||||
if (h->nlmsg_type == NLMSG_DONE) return 0;
|
||||
if (h->nlmsg_type == NLMSG_ERROR) return -1;
|
||||
ret = cb(ctx, h);
|
||||
if (ret) return ret;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int __rtnetlink_enumerate(int link_af, int addr_af, int (*cb)(void *ctx, struct nlmsghdr *h), void *ctx)
|
||||
{
|
||||
int fd, r;
|
||||
|
||||
fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE);
|
||||
if (fd < 0) return -1;
|
||||
r = __netlink_enumerate(fd, 1, RTM_GETLINK, link_af, cb, ctx);
|
||||
if (!r) r = __netlink_enumerate(fd, 2, RTM_GETADDR, addr_af, cb, ctx);
|
||||
close(fd);
|
||||
return r;
|
||||
}
|
94
tpws/andr/netlink.h
Normal file
94
tpws/andr/netlink.h
Normal file
@@ -0,0 +1,94 @@
|
||||
#include <stdint.h>
|
||||
|
||||
/* linux/netlink.h */
|
||||
|
||||
#define NETLINK_ROUTE 0
|
||||
|
||||
struct nlmsghdr {
|
||||
uint32_t nlmsg_len;
|
||||
uint16_t nlmsg_type;
|
||||
uint16_t nlmsg_flags;
|
||||
uint32_t nlmsg_seq;
|
||||
uint32_t nlmsg_pid;
|
||||
};
|
||||
|
||||
#define NLM_F_REQUEST 1
|
||||
#define NLM_F_MULTI 2
|
||||
#define NLM_F_ACK 4
|
||||
|
||||
#define NLM_F_ROOT 0x100
|
||||
#define NLM_F_MATCH 0x200
|
||||
#define NLM_F_ATOMIC 0x400
|
||||
#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH)
|
||||
|
||||
#define NLMSG_NOOP 0x1
|
||||
#define NLMSG_ERROR 0x2
|
||||
#define NLMSG_DONE 0x3
|
||||
#define NLMSG_OVERRUN 0x4
|
||||
|
||||
/* linux/rtnetlink.h */
|
||||
|
||||
#define RTM_NEWLINK 16
|
||||
#define RTM_GETLINK 18
|
||||
#define RTM_NEWADDR 20
|
||||
#define RTM_GETADDR 22
|
||||
|
||||
struct rtattr {
|
||||
unsigned short rta_len;
|
||||
unsigned short rta_type;
|
||||
};
|
||||
|
||||
struct rtgenmsg {
|
||||
unsigned char rtgen_family;
|
||||
};
|
||||
|
||||
struct ifinfomsg {
|
||||
unsigned char ifi_family;
|
||||
unsigned char __ifi_pad;
|
||||
unsigned short ifi_type;
|
||||
int ifi_index;
|
||||
unsigned ifi_flags;
|
||||
unsigned ifi_change;
|
||||
};
|
||||
|
||||
/* linux/if_link.h */
|
||||
|
||||
#define IFLA_ADDRESS 1
|
||||
#define IFLA_BROADCAST 2
|
||||
#define IFLA_IFNAME 3
|
||||
#define IFLA_STATS 7
|
||||
|
||||
/* linux/if_addr.h */
|
||||
|
||||
struct ifaddrmsg {
|
||||
uint8_t ifa_family;
|
||||
uint8_t ifa_prefixlen;
|
||||
uint8_t ifa_flags;
|
||||
uint8_t ifa_scope;
|
||||
uint32_t ifa_index;
|
||||
};
|
||||
|
||||
#define IFA_ADDRESS 1
|
||||
#define IFA_LOCAL 2
|
||||
#define IFA_LABEL 3
|
||||
#define IFA_BROADCAST 4
|
||||
|
||||
/* musl */
|
||||
|
||||
#define NETLINK_ALIGN(len) (((len)+3) & ~3)
|
||||
#define NLMSG_DATA(nlh) ((void*)((char*)(nlh)+sizeof(struct nlmsghdr)))
|
||||
#define NLMSG_DATALEN(nlh) ((nlh)->nlmsg_len-sizeof(struct nlmsghdr))
|
||||
#define NLMSG_DATAEND(nlh) ((char*)(nlh)+(nlh)->nlmsg_len)
|
||||
#define NLMSG_NEXT(nlh) (struct nlmsghdr*)((char*)(nlh)+NETLINK_ALIGN((nlh)->nlmsg_len))
|
||||
#define NLMSG_OK(nlh,end) ((char*)(end)-(char*)(nlh) >= sizeof(struct nlmsghdr))
|
||||
|
||||
#define RTA_DATA(rta) ((void*)((char*)(rta)+sizeof(struct rtattr)))
|
||||
#define RTA_DATALEN(rta) ((rta)->rta_len-sizeof(struct rtattr))
|
||||
#define RTA_DATAEND(rta) ((char*)(rta)+(rta)->rta_len)
|
||||
#define RTA_NEXT(rta) (struct rtattr*)((char*)(rta)+NETLINK_ALIGN((rta)->rta_len))
|
||||
#define RTA_OK(rta,end) ((char*)(end)-(char*)(rta) >= sizeof(struct rtattr))
|
||||
|
||||
#define NLMSG_RTA(nlh,len) ((void*)((char*)(nlh)+sizeof(struct nlmsghdr)+NETLINK_ALIGN(len)))
|
||||
#define NLMSG_RTAOK(rta,nlh) RTA_OK(rta,NLMSG_DATAEND(nlh))
|
||||
|
||||
int __rtnetlink_enumerate(int link_af, int addr_af, int (*cb)(void *ctx, struct nlmsghdr *h), void *ctx);
|
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user