Merge 92ba6b439e into 8324c04a41

common/custom.sh

@@ -3,8 +3,6 @@ custom_runner()
 	# $1 - function name
 	# $2+ - params
 
-	[ "$DISABLE_CUSTOM" = 1 ] && return 0
-
 	local n script FUNC=$1
 
 	shift

common/ipt.sh

@@ -349,37 +349,27 @@ ipt_do_nfqws_in_out()
 	}
 }
 
-zapret_do_firewall_standard_tpws_rules_ipt()
+zapret_do_firewall_standard_rules_ipt()
 {
 	# $1 - 1 - add, 0 - del
 
 	local f4 f6
 
-	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
+	{
 		f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
 		fw_tpws $1 "$f4" "$f6" $TPPORT
 	}
-}
-zapret_do_firewall_standard_nfqws_rules_ipt()
-{
-	# $1 - 1 - add, 0 - del
-
-	[ "$NFQWS_ENABLE" = 1 ] && {
+	[ "$NFQWS_ENABLE" = 1 ] &&
+	{
 		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
 		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN"
 		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
 		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN"
 	}
 }
-zapret_do_firewall_standard_rules_ipt()
-{
-	# $1 - 1 - add, 0 - del
-
-	zapret_do_firewall_standard_tpws_rules_ipt $1
-	zapret_do_firewall_standard_nfqws_rules_ipt $1
-}
 
 zapret_do_firewall_rules_ipt()
 {

common/linux_daemons.sh

@@ -1,55 +0,0 @@
-standard_mode_tpws_socks()
-{
-	# $1 - 1 - run, 0 - stop
-	local opt
-	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
-		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
-		filter_apply_hostlist_target opt
-		do_tpws_socks $1 2 "$opt"
-	}
-}
-standard_mode_tpws()
-{
-	# $1 - 1 - run, 0 - stop
-	local opt
-	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
-		opt="--port=$TPPORT $TPWS_OPT"
-		filter_apply_hostlist_target opt
-		do_tpws $1 1 "$opt"
-	}
-}
-standard_mode_nfqws()
-{
-	# $1 - 1 - run, 0 - stop
-	local opt
-	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT"
-		filter_apply_hostlist_target opt
-		do_nfqws $1 3 "$opt"
-	}
-}
-standard_mode_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	standard_mode_tpws_socks $1
-	standard_mode_tpws $1
-	standard_mode_nfqws $1
-}
-zapret_do_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	standard_mode_daemons $1
-	custom_runner zapret_custom_daemons $1
-
-	return 0
-}
-zapret_run_daemons()
-{
-	zapret_do_daemons 1 "$@"
-}
-zapret_stop_daemons()
-{
-	zapret_do_daemons 0 "$@"
-}

common/nft.sh

@@ -640,31 +640,25 @@ nft_apply_nfqws_in_out()
 	}
 }
 
-zapret_apply_firewall_standard_tpws_rules_nft()
+zapret_apply_firewall_standard_rules_nft()
 {
 	local f4 f6
 
-	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
+	{
 		f4="tcp dport {$TPWS_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
 		nft_fw_tpws "$f4" "$f6" $TPPORT
 	}
-}
-zapret_apply_firewall_standard_nfqws_rules_nft()
-{
-	[ "$NFQWS_ENABLE" = 1 ] && {
+	[ "$NFQWS_ENABLE" = 1 ] &&
+	{
 		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
 		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN"
 		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
 		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN"
 	}
 }
-zapret_apply_firewall_standard_rules_nft()
-{
-	zapret_apply_firewall_standard_tpws_rules_nft
-	zapret_apply_firewall_standard_nfqws_rules_nft
-}
 
 zapret_apply_firewall_rules_nft()
 {

docs/changes.txt

@@ -417,9 +417,3 @@ v69.5
 
 nfqws,tpws: --dry-run
 install_easy: check tpws and nfqws options validity
-
-v69.6
-
-nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
-init.d: unify custom scripts for linux
-init.d: new custom scripts : 20-fw-extra, 50-wg4all

docs/quick_start.md

@@ -158,7 +158,7 @@
    >
    > Далее, имея понимание что работает на http, https, quic нужно
    > сконструировать параметры запуска `tpws` и/или `nfqws` с использованием
-   > мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
+   > мультистратегии. Как работают мультистратегии описано в readme.txt.
    >
    > Если кратко, то обычно параметры конструируются так:
    > ```sh

docs/quick_start_windows.md

@@ -59,7 +59,7 @@ _"Совсем ничего не могу, все очень сложно, да
 
 1) Скачайте и распакуйте архив https://github.com/bol-van/zapret-win-bundle/archive/refs/heads/master.zip.
 
-2) Если у вас Windows 7 x64, однократно запустите `win7/install_win7.cmd`. Батник заменит файлы windivert на совместимую с Windows 7 версию.
+2) Если у вас Windows 7 x64, читайте [docs/windows.md](./windows.md). Без описанной там подготовки может не работать.
 
 > [!WARNING]  
 > Для 32-битных систем Windows нет готового полного варианта.
@@ -123,7 +123,7 @@ blockcheck перейдет в этом случае на **DoH** _(DNS over HTT
    > она стабильна, на третьих полный хаос, и проще отказаться.
    >
    > Далее, имея понимание что работает на http, https, quic, нужно сконструировать параметры запуска winws
-   > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
+   > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md).
    >
    > Прежде всего вам нужно собрать фильтр перехватываемого трафика. Это делается через параметры
    > `--wf-l3`, `--wf-tcp`, `--wf-udp`.

docs/readme.en.md

@@ -1,4 +1,4 @@
-# zapret v69.6
+# zapret v69.5
 
 # SCAMMER WARNING
 

docs/readme.md

@@ -1,4 +1,4 @@
-# zapret v69.6
+# zapret v69.5
 
 # ВНИМАНИЕ, остерегайтесь мошенников
 
@@ -1866,9 +1866,8 @@ custom скрипты - это маленькие shell программы, уп
 /opt/zapret/init.d/macos/custom.d
 ```
 Директория будет просканирована в алфавитном порядке, и каждый скрипт будет применен.
-
-В `init.d` имеется `custom.d.examples.linux`, в `init.d/macos` - `custom.d.examples`.
-Это готовые скрипты, которые можно копировать в `custom.d`. Их можно взять за основу для написания собственных.
+Рядом имеется `custom.d.examples`. Это готовые скрипты, которые можно копировать в `custom.d`.
+Их можно взять за основу для написания собственных.
 
 ***Для linux пишется код в функции***
 ```
@@ -1886,9 +1885,9 @@ zapret_custom_firewall_v6
 ```
 
 zapret_custom_daemons поднимает демоны **nfqws**/**tpws** в нужном вам количестве и с нужными вам параметрами.
-В первом параметре передается код операции: 1 = запуск, 0 = останов.
+Для систем традиционного linux (sysv) и MacOS в первом параметре передается код операции: 1 = запуск, 0 = останов.
+Для openwrt логика останова отсутствует за ненадобностью.
 Схема запуска демонов в openwrt отличается - используется procd.
-Поэтому логика останова отсутствует за ненадобностью, останов никогда не вызывается.
 
 zapret_custom_firewall поднимает и убирает правила `iptables`.
 В первом параметре передается код операции: 1 = запуск, 0 = останов.
@@ -1914,8 +1913,8 @@ zapret_custom_firewall_nft поднимает правила nftables.
 В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout,
 содержащий правила для pf-якоря. Остальное сделает обертка.
 
-Особо обратите внимание на номер демона в функциях `run_daemon` , `do_daemon`, `do_tpws`, `do_tpws_socks`, `do_nfqws` ,
-номера портов **tpws** и очередей **nfqueue**.
+Особо обратите внимание на номер демона в функциях `run_daemon` и `do_daemon`, номера портов **tpws**
+и очередей `nfqueue`.
 Они должны быть уникальными во всех скриптах. При накладке будет ошибка.
 Поэтому используйте функции динамического получения этих значений из пула.
 

init.d/custom.d.examples.linux/20-fw-extra

@@ -1,66 +0,0 @@
-# this custom script runs standard mode with extra firewall rules
-
-# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
-# standard and override switches cannot be enabled simultaneously !
-
-TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
-NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
-
-# config: some if these values must be set in config. not setting any of these makes this script meaningless.
-# pre vars put ipt/nft code to the rule beginning
-#FW_EXTRA_PRE_TPWS_IPT=
-#FW_EXTRA_PRE_TPWS_NFT=
-#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
-#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
-# post vars put ipt/nft code to the rule end
-#FW_EXTRA_POST_TPWS_IPT=
-#FW_EXTRA_POST_TPWS_NFT=
-#FW_EXTRA_POST_NFQWS_IPT=
-#FW_EXTRA_POST_NFQWS_NFT=
-
-check_std_intersect()
-{
-	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
-		return 1
-	}
-	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
-		return 1
-	}
-	return 0
-}
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - add, 0 - stop
-
-	check_std_intersect || return
-
-	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	standard_mode_daemons "$1"
-}
-zapret_custom_firewall()
-{
-        # $1 - 1 - run, 0 - stop
-
-	check_std_intersect || return
-
-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
-	zapret_do_firewall_standard_tpws_rules_ipt $1
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
-	zapret_do_firewall_standard_nfqws_rules_ipt $1
-}
-zapret_custom_firewall_nft()
-{
-        # stop logic is not required
-
-	check_std_intersect || return
-
-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
-	zapret_apply_firewall_standard_tpws_rules_nft
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
-	zapret_apply_firewall_standard_nfqws_rules_nft
-}

init.d/custom.d.examples.linux/50-tpws-ipset

@@ -1,89 +0,0 @@
-# this custom script demonstrates how to launch extra tpws instance limited by ipset
-
-# can override in config :
-TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}"
-TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS}
-TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}"
-TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}"
-
-TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096}
-TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}"
-
-alloc_dnum DNUM_TPWS_MY1
-alloc_tpws_port PORT_TPWS_MY1
-TPWS_MY1_NAME4=my1tpws4
-TPWS_MY1_NAME6=my1tpws6
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT"
-	do_tpws $1 $DNUM_TPWS_MY1 "$opt"
-}
-
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local f4 f6 subnet
-	local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS)
-	local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"
-
-	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
-		ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null
-		ipset flush $TPWS_MY1_NAME4
-		for subnet in $TPWS_MY1_SUBNETS4; do
-			echo add $TPWS_MY1_NAME4 $subnet
-		done | ipset -! restore
-	}
-	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
-		ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null
-		ipset flush $TPWS_MY1_NAME6
-		for subnet in $TPWS_MY1_SUBNETS6; do
-			echo add $TPWS_MY1_NAME6 $subnet
-		done | ipset -! restore
-	}
-
-	f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set"
-	f6="$f4 $TPWS_MY1_NAME6 dst"
-	f4="$f4 $TPWS_MY1_NAME4 dst"
-	fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1
-
-	[ "$1" = 1 ] || {
-		ipset destroy $TPWS_MY1_NAME4 2>/dev/null
-		ipset destroy $TPWS_MY1_NAME6 2>/dev/null
-	}
-}
-
-zapret_custom_firewall_nft()
-{
-	local f4 f6 subnet
-
-	[ "$DISABLE_IPV4" != 1 ] && {
-	        make_comma_list subnets $TPWS_MY1_SUBNETS4
-		nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
-		nft_flush_set $TPWS_MY1_NAME4
-		nft_add_set_element $TPWS_MY1_NAME4 "$subnets"
-	}
-	[ "$DISABLE_IPV6" != 1 ] && {
-	        make_comma_list subnets $TPWS_MY1_SUBNETS6
-		nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
-		nft_flush_set $TPWS_MY1_NAME6
-		nft_add_set_element $TPWS_MY1_NAME6 "$subnets"
-	}
-
-	f4="tcp dport {$TPWS_MY1_PORTS}"
-	f6="$f4 ip6 daddr @$TPWS_MY1_NAME6"
-	f4="$f4 ip daddr @$TPWS_MY1_NAME4"
-	nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1
-}
-
-zapret_custom_firewall_nft_flush()
-{
-	# this function is called after all nft fw rules are deleted
-	# however sets are not deleted. it's desired to clear sets here.
-
-	nft_del_set $TPWS_MY1_NAME4 2>/dev/null
-	nft_del_set $TPWS_MY1_NAME6 2>/dev/null
-}

init.d/custom.d.examples.linux/50-wg4all

@@ -1,30 +0,0 @@
-# this custom script runs desync to all wireguard handshake initiation packets
-
-# can override in config :
-NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}"
-
-alloc_dnum DNUM_WG4ALL
-alloc_qnum QNUM_WG4ALL
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - add, 0 - stop
-
-        local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
-	do_nfqws $1 $DNUM_WG4ALL "$opt"
-}
-# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
-zapret_custom_firewall()
-{
-        # $1 - 1 - run, 0 - stop
-
-        local f='-p udp -m u32 --u32'
-        fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
-}
-zapret_custom_firewall_nft()
-{
-        # stop logic is not required
-
-        local f="udp length 156 @th,64,32 0x01000000"
-        nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
-}

init.d/openwrt/custom.d.examples/50-dht4all

@@ -0,0 +1,38 @@
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+
+# can override in config :
+NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}"
+
+alloc_dnum DNUM_DHT4ALL
+alloc_qnum QNUM_DHT4ALL
+
+zapret_custom_daemons()
+{
+        # stop logic is managed by procd
+
+        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+	run_daemon $DNUM_DHT4ALL $NFQWS "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+        local f uf4 uf6
+        local first_packet_only="$ipt_connbytes 1:1"
+
+        f='-p udp -m length --length 109:407 -m u32 --u32'
+	uf4='0>>22&0x3C@8>>16=0x6431'
+	uf6='48>>16=0x6431'
+        fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
+
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f
+        local first_packet_only="$nft_connbytes 1"
+
+        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
+        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
+}

init.d/openwrt/functions

@@ -10,7 +10,6 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
-. "$ZAPRET_BASE/common/linux_daemons.sh"
 . "$ZAPRET_BASE/common/list.sh"
 . "$ZAPRET_BASE/common/custom.sh"
 CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"

init.d/openwrt/zapret

@@ -81,10 +81,6 @@ run_tpws()
 	}
 	run_daemon $1 "$TPWS" "$OPT $2"
 }
-do_tpws()
-{
-	[ "$1" = 0 ] || { shift; run_tpws "$@"; }
-}
 run_tpws_socks()
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
@@ -94,10 +90,13 @@ run_tpws_socks()
 	tpws_apply_socks_binds opt
 	run_daemon $1 "$TPWS" "$opt $2"
 }
-do_tpws_socks()
+
+stop_tpws()
 {
-	[ "$1" = 0 ] || { shift; run_tpws_socks "$@"; }
+	stop_daemon $1 "$TPWS"
 }
+
+
 tpws_apply_socks_binds()
 {
 	local o
@@ -106,27 +105,39 @@ tpws_apply_socks_binds()
 	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
 	
 	for lan in $OPENWRT_LAN; do
-		network_get_device DEVICE $lan
-		[ -n "$DEVICE" ] || continue
-		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
-		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+	    network_get_device DEVICE $lan
+	    [ -n "$DEVICE" ] || continue
+	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
+	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
 	eval $1="\"\$$1 $o\""
 }
 
-run_nfqws()
+
+standard_mode_daemons()
 {
-	run_daemon $1 "$NFQWS" "$NFQWS_OPT_BASE $2"
-}
-do_nfqws()
-{
-	[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
+	local opt
+	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		run_tpws 1 "$opt"
+	}
+	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
+		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
+		filter_apply_hostlist_target opt
+		run_tpws_socks 2 "$opt"
+	}
+	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && {
+		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
+		filter_apply_hostlist_target opt
+		run_daemon 3 "$NFQWS" "$opt"
+	}
 }
 
 start_daemons_procd()
 {
-	standard_mode_daemons 1
-	custom_runner zapret_custom_daemons 1
+	standard_mode_daemons
+	custom_runner zapret_custom_daemons
 
 	return 0
 }

init.d/pfsense/zapret.sh

@@ -21,4 +21,4 @@ pfctl -d ; pfctl -e
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
 pkill ^dvtws$
-dvtws --daemon --port 989 --dpi-desync=multisplit
+dvtws --daemon --port 989 --dpi-desync=split2

init.d/sysv/custom.d.examples/50-dht4all

@@ -8,9 +8,9 @@ alloc_qnum QNUM_DHT4ALL
 
 zapret_custom_daemons()
 {
-	# $1 - 1 - add, 0 - stop
+        # stop logic is managed by procd
 
-        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
+        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
 	do_nfqws $1 $DNUM_DHT4ALL "$opt"
 }
 zapret_custom_firewall()

init.d/sysv/custom.d.examples/50-discord

@@ -14,7 +14,7 @@ zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_DESYNC_DISCORD"
+	local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD"
 	do_nfqws $1 $DNUM_DISCORD "$opt"
 }
 

init.d/sysv/functions

@@ -10,7 +10,6 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
-. "$ZAPRET_BASE/common/linux_daemons.sh"
 . "$ZAPRET_BASE/common/list.sh"
 . "$ZAPRET_BASE/common/custom.sh"
 CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
@@ -276,3 +275,45 @@ create_ipset()
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
+
+
+standard_mode_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt
+
+	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws $1 1 "$opt"
+	}
+	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
+		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws_socks $1 2 "$opt"
+	}
+	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
+		opt="--qnum=$QNUM $NFQWS_OPT"
+		filter_apply_hostlist_target opt
+		do_nfqws $1 3 "$opt"
+	}
+}
+
+zapret_do_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_daemons $1
+	custom_runner zapret_custom_daemons $1
+
+	return 0
+}
+zapret_run_daemons()
+{
+	zapret_do_daemons 1 "$@"
+}
+zapret_stop_daemons()
+{
+	zapret_do_daemons 0 "$@"
+}

install_easy.sh

@@ -394,7 +394,7 @@ copy_openwrt()
 	mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files"
 	cp -R "$1/files/fake" "$2/files"
 	cp -R "$1/common" "$1/ipset" "$2"
-	cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d"
+	cp -R "$1/init.d/openwrt" "$2/init.d"
 	cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck.sh" "$2"
 	cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
 }

ipset/get_antifilter_domains.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+IPSET_DIR="$(dirname "$0")"
+IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+
+. "$IPSET_DIR/def.sh"
+
+TMPLIST="$TMPDIR/list.txt"
+
+URL="https://antifilter.download/list/domains.lst"
+
+dl()
+{
+  # $1 - url
+  # $2 - file
+  # $3 - minsize
+  # $4 - maxsize
+  curl -L -H "Accept-Encoding: gzip" -k --fail --max-time 60 --connect-timeout 10 --retry 4 --max-filesize 251658240 -o "$TMPLIST" "$1" ||
+  {
+   echo list download failed : $1
+   exit 2
+  }
+  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  if test $dlsize -lt $3; then
+   echo list is too small : $dlsize bytes. can be bad.
+   exit 2
+  fi
+  zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
+  rm -f "$TMPLIST"
+}
+
+# useful in case ipban set is used in custom scripts
+FAIL=
+getipban || FAIL=1
+"$IPSET_DIR/create_ipset.sh"
+[ -n "$FAIL" ] && exit
+
+dl "$URL" "$ZHOSTLIST" 32768 4194304
+
+exit 0

nfq/nfqws.c

@@ -152,62 +152,50 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da
 	DLOG("packet: id=%d pass unmodified\n", id);
 	return nfq_set_verdict2(qh, id, NF_ACCEPT, mark, 0, NULL);
 }
-static void nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh)
+static int nfq_main(void)
 {
-	if (*qh)
-	{
-		DLOG_CONDUP("unbinding from queue %u\n", params.qnum);
-		nfq_destroy_queue(*qh);
-		*qh = NULL;
-	}
-	if (*h)
-	{
-		DLOG_CONDUP("closing library handle\n");
-		nfq_close(*h);
-		*h = NULL;
-	}
-}
-static bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh)
-{
-	nfq_deinit(h,qh);
+	struct nfq_handle *h = NULL;
+	struct nfq_q_handle *qh = NULL;
+	int fd,rv;
+	uint8_t buf[16384] __attribute__((aligned));
 
 	DLOG_CONDUP("opening library handle\n");
-	*h = nfq_open();
-	if (!*h) {
+	h = nfq_open();
+	if (!h) {
 		DLOG_PERROR("nfq_open()");
 		goto exiterr;
 	}
 
 	DLOG_CONDUP("unbinding existing nf_queue handler for AF_INET (if any)\n");
-	if (nfq_unbind_pf(*h, AF_INET) < 0) {
+	if (nfq_unbind_pf(h, AF_INET) < 0) {
 		DLOG_PERROR("nfq_unbind_pf()");
 		goto exiterr;
 	}
 
 	DLOG_CONDUP("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
-	if (nfq_bind_pf(*h, AF_INET) < 0) {
+	if (nfq_bind_pf(h, AF_INET) < 0) {
 		DLOG_PERROR("nfq_bind_pf()");
 		goto exiterr;
 	}
 
 	DLOG_CONDUP("binding this socket to queue '%u'\n", params.qnum);
-	*qh = nfq_create_queue(*h, params.qnum, &nfq_cb, &params);
-	if (!*qh) {
+	qh = nfq_create_queue(h, params.qnum, &nfq_cb, &params);
+	if (!qh) {
 		DLOG_PERROR("nfq_create_queue()");
 		goto exiterr;
 	}
 
 	DLOG_CONDUP("setting copy_packet mode\n");
-	if (nfq_set_mode(*qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
+	if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
 		DLOG_PERROR("can't set packet_copy mode");
 		goto exiterr;
 	}
-	if (nfq_set_queue_maxlen(*qh, Q_MAXLEN) < 0) {
+	if (nfq_set_queue_maxlen(qh, Q_MAXLEN) < 0) {
 		DLOG_PERROR("can't set queue maxlen");
 		goto exiterr;
 	}
 	// accept packets if they cant be handled
-	if (nfq_set_queue_flags(*qh, NFQA_CFG_F_FAIL_OPEN , NFQA_CFG_F_FAIL_OPEN))
+	if (nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN , NFQA_CFG_F_FAIL_OPEN))
 	{
 		DLOG_ERR("can't set queue flags. its OK on linux <3.6\n");
 		// dot not fail. not supported on old linuxes <3.6 
@@ -217,27 +205,6 @@ static bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh)
 	if (!rawsend_preinit(params.bind_fix4,params.bind_fix6))
 		goto exiterr;
 
-	int yes=1, fd = nfq_fd(*h);
-
-#if defined SOL_NETLINK && defined NETLINK_NO_ENOBUFS
-	if (setsockopt(fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &yes, sizeof(yes)) == -1)
-		DLOG_PERROR("setsockopt(NETLINK_NO_ENOBUFS)");
-#endif
-
-	return true;
-exiterr:
-	nfq_deinit(h,qh);
-	return false;
-}
-
-static int nfq_main(void)
-{
-	uint8_t buf[16384] __attribute__((aligned));
-	struct nfq_handle *h = NULL;
-	struct nfq_q_handle *qh = NULL;
-	int fd,e;
-	ssize_t rd;
-
 #ifndef __CYGWIN__
 	sec_harden();
 
@@ -249,31 +216,36 @@ static int nfq_main(void)
 
 	pre_desync();
 
-	if (!nfq_init(&h,&qh))
-		goto exiterr;
-
 	fd = nfq_fd(h);
+
+	// increase socket buffer size. on slow systems reloading hostlist can take a while.
+	// if too many unhandled packets are received its possible to get "no buffer space available" error
+	if (!set_socket_buffers(fd,Q_RCVBUF/2,Q_SNDBUF/2))
+		goto exiterr;
 	do
 	{
-		while ((rd = recv(fd, buf, sizeof(buf), 0)) >= 0)
+		while ((rv = recv(fd, buf, sizeof(buf), 0)) > 0)
 		{
-			if (rd)
-			{
-				int r = nfq_handle_packet(h, (char *)buf, (int)rd);
-				if (r) DLOG_ERR("nfq_handle_packet error %d\n", r);
-			}
-			else
-				DLOG("recv from nfq returned 0 !\n");
+			int r = nfq_handle_packet(h, (char *)buf, rv);
+			if (r) DLOG_ERR("nfq_handle_packet error %d\n", r);
 		}
-		e=errno;
-		DLOG_ERR("recv: recv=%zd errno %d\n",rd,e);
-		errno=e;
+		DLOG_ERR("recv: errno %d\n",errno);
 		DLOG_PERROR("recv");
 		// do not fail on ENOBUFS
-	} while(e==ENOBUFS);
+	} while(errno==ENOBUFS);
 
-	nfq_deinit(&h,&qh);
+	DLOG_CONDUP("unbinding from queue %u\n", params.qnum);
+	nfq_destroy_queue(qh);
 
+#ifdef INSANE
+	/* normally, applications SHOULD NOT issue this command, since
+	 * it detaches other programs/sockets from AF_INET, too ! */
+	DLOG_CONDUP("unbinding from AF_INET\n");
+	nfq_unbind_pf(h, AF_INET);
+#endif
+
+	DLOG_CONDUP("closing library handle\n");
+	nfq_close(h);
 	return 0;
 
 exiterr:
@@ -1395,12 +1367,10 @@ int main(int argc, char **argv)
 	while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
 	{
 		if (v)
-		{
 			if (bDry)
 				exit_clean(1);
 			else
 				exithelp_clean();
-		}
 		switch (option_index)
 		{
 		case 0: /* debug */
@@ -1437,6 +1407,7 @@ int main(int argc, char **argv)
 				params.debug_target = LOG_TARGET_CONSOLE;
 			}
 			break;
+#ifndef __CYGWIN__
 		case 1: /* dry-run */
 			bDry=true;
 			break;
@@ -1460,6 +1431,7 @@ int main(int argc, char **argv)
 			}
 #endif
 			break;
+#endif
 		case 3: /* daemon */
 			daemon = true;
 			break;

nfq/protocol.c

@@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st
 }
 
 
-const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
+const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
 const char *HttpMethod(const uint8_t *data, size_t len)
 {
 	const char **method;

tpws/protocol.c

@@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st
 }
 
 
-const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
+const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
 const char *HttpMethod(const uint8_t *data, size_t len)
 {
 	const char **method;

tpws/tpws.c

@@ -711,12 +711,10 @@ void parse_params(int argc, char *argv[])
 	while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
 	{
 		if (v)
-		{
 			if (bDry)
 				exit_clean(1);
 			else
 				exithelp_clean();
-		}
 		switch (option_index)
 		{
 		case 0: