github actions: do not use broken upx 5.0.0

nfqws: also add stun l7proto to CLI help output

.github/workflows/build.yml

@@ -401,6 +401,7 @@ jobs:
         uses: crazy-max/ghaction-upx@v3
         with:
           install-only: true
+          version: v4.2.4
 
       - name: Prepare binaries
         shell: bash

blockcheck.sh

@@ -347,6 +347,7 @@ check_system()
 
 	UNAME=$(uname)
 	SUBSYS=
+	FIX_SEG=
 	local s
 
 	# can be passed FWTYPE=iptables to override default nftables preference
@@ -354,6 +355,7 @@ check_system()
 		Linux)
 			PKTWS="$NFQWS"
 			PKTWSD=nfqws
+			FIX_SEG='--fix-seg'
 			linux_fwtype
 			[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
 				echo firewall type $FWTYPE not supported in $UNAME
@@ -1430,6 +1432,11 @@ warn_mss()
 	[ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3'
 	return 0
 }
+fix_seg()
+{
+	# $1 - split-pos
+	[ -n "$FIX_SEG" ] && contains "$1" , && echo "$FIX_SEG"
+}
 
 tpws_check_domain_http_bypass_()
 {
@@ -1455,7 +1462,7 @@ tpws_check_domain_http_bypass_()
 		done
 		for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
 			for s in $splits_http ; do
-				tpws_curl_test_update $1 $3 --split-pos=$s $s2 && [ "$SCANLEVEL" != force ] && {
+				tpws_curl_test_update $1 $3 --split-pos=$s $(fix_seg $s) $s2 && [ "$SCANLEVEL" != force ] && {
 					[ "$SCANLEVEL" = quick ] && return
 					break
 				}
@@ -1470,7 +1477,7 @@ tpws_check_domain_http_bypass_()
 			s3=${mss:+--mss=$mss}
 			for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
 				for pos in $splits_tls; do
-					tpws_curl_test_update $1 $3 --split-pos=$pos $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
+					tpws_curl_test_update $1 $3 --split-pos=$pos $(fix_seg $pos) $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
 						[ "$SCANLEVEL" = quick ] && return
 						need_mss=0
 						break
@@ -1478,7 +1485,7 @@ tpws_check_domain_http_bypass_()
 				done
 			done
 			for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
-				for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' '--tlsrec=sniext+1 --split-pos=1,midsld' '--tlsrec=sniext+4 --split-pos=1,midsld' ; do
+				for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' "--tlsrec=sniext+1 --split-pos=1,midsld $FIX_SEG" "--tlsrec=sniext+4 --split-pos=1,midsld $FIX_SEG" ; do
 					tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
 						[ "$SCANLEVEL" = quick ] && return
 						need_mss=0

docs/changes.txt

@@ -471,3 +471,13 @@ v70.5
 
 nfqws: multiple --dpi-desync-fake-xxx
 nfqws: support of inter-packet fragmented QUIC CRYPTO
+
+v70.6
+
+nfqws: detect Discord Voice IP discovery packets
+nfqws: detect STUN message packets
+nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
+nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SNI=microsoft.com
+nfqws: multiple mods for multiple TLS fakes
+init.d: remove 50-discord
+blockcheck: use tpws --fix-seg on linux for multiple splits

docs/compile/build_howto_openwrt.txt

@@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.
 
 examples :
 
-curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
+curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
 cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
 
-curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
+curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
 cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
 
 3) Install required libs
@@ -48,7 +48,7 @@ static build :  make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
 executables only : build_dir/target/<progname>
 ipk or apk packages : bin/packages/*/base
 
-8) Installating to openwrt to use with zapret
+8) Installing to openwrt to use with zapret
 
 zapret with or without binaries should be already installed in /opt/zapret.
 Install ipk's or apk's with all compiled progs using opkg or apk.

docs/compile/build_howto_unix.txt

@@ -1,7 +1,7 @@
 debian,ubuntu :
 
-apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev
-make -C /opt/zapret
+apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libsystemd-dev
+make -C /opt/zapret systemd
 
 FreeBSD :
 

docs/readme.en.md

@@ -1,4 +1,4 @@
-# zapret v70.5
+# zapret v70.6
 
 # SCAMMER WARNING
 
@@ -174,12 +174,14 @@ nfqws takes the following parameters:
  --dpi-desync-any-protocol=0|1                  ; 0(default)=desync only http and tls  1=desync any nonempty data packet
  --dpi-desync-fake-http=<filename>|0xHEX        ; file containing fake http request
  --dpi-desync-fake-tls=<filename>|0xHEX         ; file containing fake TLS ClientHello (for https)
- --dpi-desync-fake-tls-mod=mod[,mod]            ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,dupsid,padencap
+ --dpi-desync-fake-tls-mod=mod[,mod]            ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,sni=<sni>,dupsid,padencap
  --dpi-desync-fake-unknown=<filename>|0xHEX     ; file containing unknown protocol fake payload
  --dpi-desync-fake-syndata=<filename>|0xHEX     ; file containing SYN data payload
  --dpi-desync-fake-quic=<filename>|0xHEX        ; file containing fake QUIC Initial
  --dpi-desync-fake-wireguard=<filename>|0xHEX   ; file containing fake wireguard handshake initiation
  --dpi-desync-fake-dht=<filename>|0xHEX         ; file containing fake DHT (d1..e)
+ --dpi-desync-fake-discord=<filename>|0xHEX     ; file containing fake Discord voice connection initiation packet (IP Discovery)
+ --dpi-desync-fake-stun=<filename>|0xHEX        ; file containing fake STUN message
  --dpi-desync-fake-unknown-udp=<filename>|0xHEX ; file containing unknown udp protocol fake payload
  --dpi-desync-udplen-increment=<int>            ; increase or decrease udp packet length by N bytes (default 2). negative values decrease length.
  --dpi-desync-udplen-pattern=<filename>|0xHEX   ; udp tail fill pattern
@@ -193,13 +195,13 @@ nfqws takes the following parameters:
  --hostlist-auto-fail-threshold=<int>           ; how many failed attempts cause hostname to be added to auto hostlist (default : 3)
  --hostlist-auto-fail-time=<int>                ; all failed attemps must be within these seconds (default : 60)
  --hostlist-auto-retrans-threshold=<int>        ; how many request retransmissions cause attempt to fail (default : 3)
- --hostlist-auto-debug=<logfile>        	; debug auto hostlist positives
+ --hostlist-auto-debug=<logfile>                ; debug auto hostlist positives
  --new                                          ; begin new strategy (new profile)
  --skip                                         ; do not use this profile
  --filter-l3=ipv4|ipv6                          ; L3 protocol filter. multiple comma separated values allowed.
  --filter-tcp=[~]port1[-port2]|*                ; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list supported.
  --filter-udp=[~]port1[-port2]|*                ; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list supported.
- --filter-l7=[http|tls|quic|wireguard|dht|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.
+ --filter-l7=<proto>                            ; L6-L7 protocol filter. multiple comma separated values allowed. proto: http tls quic wireguard dht discord stun unknown
  --ipset=<filename>                             ; ipset include filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
  --ipset-ip=<ip_list>                           ; comma separated fixed subnet list
  --ipset-exclude=<filename>                     ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
@@ -283,14 +285,19 @@ It's possible to use TLS Client Hello with any fingerprint and any SNI.
  * `rnd`. Randomize `random` and `session id` fields. Applied on every request.
  * `rndsni`. Randomize SNI. If SNI >=7 symbols random SLD is applied with known TLD. Otherwise filled with random symbols. Applied only once at startup.
  * `dupsid`. Copy `session ID` from original TLS Client Hello. Takes precedence over `rnd`. Applied on every request.
+ * `sni=<sni>`. Set specified SNI value. Changes TLS fake length, fixes lengths in TLS structure. Applied once at startup before `rndsni`.
  * `padencap`. Padding extension is extended by original TLS Client Hello size (including multi packet variation with kyber). Padding extension is added to the end if not present, otherwise it must be the last extension. All lengths are increased. Fake size is not changed. Can be useful if DPI does not analyze sequence numbers properly. Applied on every request.
 
 By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`.
 This behaviour is compatible with previous versions with addition of `dupsid`.
 
-If TLS mod is enabled and there're multiple TLS fakes, all valid TLS Client Hello fakes are modified.
-If there's no TLS Client Hello program exits with error.
+If multiple TLS fakes are present each one takes the last mod.
+If a mod is specified after fake it replaces previous mod.
+This way it's possible to use different mods for every TLS fake.
 
+If a mod is set to non-TLS fake it causes error. Use `--dpi-desync-fake-tls-mod=none'.
+
+Example : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
 
 ### TCP segmentation
 
@@ -474,7 +481,7 @@ This option can resist DPIs that track outgoing UDP packet sizes.
 Requires that application protocol does not depend on udp payload size.
 
 QUIC initial packets are recognized. Decryption and hostname extraction is supported so `--hostlist` parameter will work.
-Wireguard handshake initiation and DHT packets are also recognized.
+Wireguard handshake initiation, DHT, STUN and [Discord Voice IP Discovery](https://discord.com/developers/docs/topics/voice-connections#ip-discovery) packets are also recognized.
 For other protocols desync use `--dpi-desync-any-protocol`.
 
 Conntrack supports udp. `--dpi-desync-cutoff` will work. UDP conntrack timeout can be set in the 4th parameter of `--ctrack-timeouts`.
@@ -1444,12 +1451,8 @@ If this is the case then run another script in background and add some delay the
 
 Are welcome here :
 
-<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
-```
-0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
-```
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
 
-<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png  alt="USDT" style="vertical-align: middle;"/> BTC
-```
-bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
-```
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`

docs/readme.md

@@ -1,4 +1,4 @@
-# zapret v70.5
+# zapret v70.6
 
 # ВНИМАНИЕ, остерегайтесь мошенников
 
@@ -196,11 +196,13 @@ dvtws, собираемый из тех же исходников (см. [док
 --dpi-desync-any-protocol=0|1                      ; 0(default)=работать только по http request и tls clienthello  1=по всем непустым пакетам данных
 --dpi-desync-fake-http=<filename>|0xHEX	           ; файл, содержащий фейковый http запрос для dpi-desync=fake, на замену стандартному www.iana.org
 --dpi-desync-fake-tls=<filename>|0xHEX             ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному
---dpi-desync-fake-tls-mod=mod[,mod]                ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,dupsid,padencap
+--dpi-desync-fake-tls-mod=mod[,mod]                ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,sni=<sni>,dupsid,padencap
 --dpi-desync-fake-unknown=<filename>|0xHEX         ; файл, содержащий фейковый пейлоад неизвестного протокола для dpi-desync=fake, на замену стандартным нулям 256 байт
 --dpi-desync-fake-syndata=<filename>|0xHEX         ; файл, содержащий фейковый пейлоад пакета SYN для режима десинхронизации syndata
 --dpi-desync-fake-quic=<filename>|0xHEX            ; файл, содержащий фейковый QUIC Initial
 --dpi-desync-fake-dht=<filename>|0xHEX             ; файл, содержащий фейковый пейлоад DHT протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
+--dpi-desync-fake-discord=<filename>|0xHEX         ; файл, содержащий фейковый пейлоад Discord протокола нахождения IP адреса для голосовых чатов для dpi-desync=fake, на замену стандартным нулям 64 байт
+--dpi-desync-fake-stun=<filename>|0xHEX            ; файл, содержащий фейковый пейлоад STUN протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
 --dpi-desync-fake-unknown-udp=<filename>|0xHEX     ; файл, содержащий фейковый пейлоад неизвестного udp протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
 --dpi-desync-udplen-increment=<int>                ; насколько увеличивать длину udp пейлоада в режиме udplen
 --dpi-desync-udplen-pattern=<filename>|0xHEX       ; чем добивать udp пакет в режиме udplen. по умолчанию - нули
@@ -226,7 +228,7 @@ dvtws, собираемый из тех же исходников (см. [док
 --filter-l3=ipv4|ipv6                              ; фильтр версии ip для текущей стратегии
 --filter-tcp=[~]port1[-port2]|*                    ; фильтр портов tcp для текущей стратегии. ~ означает инверсию. установка фильтра tcp и неустановка фильтра udp запрещает udp. поддерживается список через запятую.
 --filter-udp=[~]port1[-port2]|*                    ; фильтр портов udp для текущей стратегии. ~ означает инверсию. установка фильтра udp и неустановка фильтра tcp запрещает tcp. поддерживается список через запятую.
---filter-l7=[http|tls|quic|wireguard|dht|unknown]  ; фильтр протокола L6-L7. поддерживается несколько значений через запятую.
+--filter-l7=<proto>                                ; фильтр протокола L6-L7. поддерживается несколько значений через запятую. proto : http tls quic wireguard dht discord stun unknown
 --ipset=<filename>                                 ; включающий ip list. на каждой строчке ip или cidr ipv4 или ipv6. поддерживается множество листов и gzip. перечитка автоматическая.
 --ipset-ip=<ip_list>                               ; фиксированный список подсетей через запятую. можно использовать # в начале для комментирования отдельных подсетей.
 --ipset-exclude=<filename>                         ; исключающий ip list. на каждой строчке ip или cidr ipv4 или ipv6. поддерживается множество листов и gzip. перечитка автоматическая.
@@ -338,13 +340,21 @@ dvtws, собираемый из тех же исходников (см. [док
  * `rnd`. Рандомизировать поля `random` и `session id`. Выполняется на каждый запрос.
  * `dupsid`. Копировать `session ID` из передаваемого TLS Client Hello. Имеет приоритет над `rnd`. Выполняется на каждый запрос.
  * `rndsni`. Рандомизировать SNI. Если SNI >=7 символов, применяется случайный домен 2 уровня с известным TLD, иначе заполняется случайными символами без точки. Выполняется один раз при старте.
+ * `sni=<sni>`. Заменить sni на указанное значение. Макс длина SNI - 63 байта. Общая длина TLS фейка и длины в структуре TLS Client Hello меняются. Выполняется один раз при старте. Если сочетается с `rndsni`, выполняется до него.
  * `padencap`. Расширяется padding extension на размер передаваемого TLS Client Hello (включая многопакетный вариант с kyber). Если padding отсутствует, он добавляется в конец. Если присутствует - требуется, чтобы padding шел последним extension. Правятся все длины, чтобы создать видимость включения передаваемого TLS Client Hello в padding extension. Размер фейка не изменяется. Расчет идет на DPI, который не анализирует sequence numbers должным образом. Выполняется на каждый запрос.
 
 По умолчанию если не задан собственный фейк для TLS используются модификации `rnd,rndsni,dupsid`. Если фейк задан, используется `none`.
 Это соответствует поведению программы более старых версий с добавлением функции `dupsid`.
 
-Если задан режим модификации и имеется множество TLS фейков, модифицируются все фейки, являющиеся TLS Client Hello.
-Если нет ни одного TLS Client Hello фейка, программа завершается с ошибкой.
+Если задан режим модификации и имеется множество TLS фейков, к каждому из них применяется последний режим модификации.
+Если режим модификации задан после фейка, то он замещает предыдущий режим.
+Таким образом можно использовать разные режимы модификации для разных фейков.
+При невозможности модифицировать фейк на этапе запуска программа завершается с ошибкой.
+
+Если сначала идет TLS фейк, для него задан режим однократной модификации, затем идет не TLS фейк, то будет ошибка.
+Нужно использовать `--dpi-desync-fake-tls-mod=none'.
+
+Пример : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
 
 ### TCP СЕГМЕНТАЦИЯ
 
@@ -575,7 +585,8 @@ chrome рандомизирует фингерпринт TLS. SNI может о
 На текущий момент работает только с DHT.
 Поддерживается определение пакетов QUIC Initial с расшифровкой содержимого и имени хоста, то есть параметр
 `--hostlist` будет работать.
-Определяются пакеты wireguard handshake initiation и DHT (начинается с 'd1', кончается 'e').
+Определяются пакеты wireguard handshake initiation, DHT (начинается с 'd1', кончается 'e'), STUN и
+[Discord Voice IP Discovery](https://discord.com/developers/docs/topics/voice-connections#ip-discovery).
 Для десинхронизации других протоколов обязательно указывать `--dpi-desync-any-protocol`.
 Реализован conntrack для udp. Можно пользоваться --dpi-desync-cutoff. Таймаут conntrack для udp
 можно изменить 4-м параметром в `--ctrack-timeouts`.
@@ -2357,12 +2368,8 @@ VPS можно приобрести в множестве мест. Сущест
 
 ## Поддержать разработчика
 
-<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
-```
-0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
-```
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
 
-<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png  alt="USDT" style="vertical-align: middle;"/> BTC
-```
-bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
-```
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`

init.d/custom.d.examples.linux/50-nfqws-ipset

@@ -0,0 +1,74 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
+
+# can override in config :
+NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
+NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
+NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_SET_NAME=my1nfqws4
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
+	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f
+	local first_packets_only="$ipt_connbytes 1:3"
+	local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
+	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
+	local subnet
+
+	local DISABLE_IPV6=1
+
+	[ "$1" = 1 ] && {
+		ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
+		ipset flush $NFQWS_MY1_SET_NAME
+		for subnet in $NFQWS_MY1_SUBNETS; do
+			echo add $NFQWS_MY1_SET_NAME $subnet
+		done | ipset -! restore
+	}
+
+	f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
+	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f
+	local first_packets_only="$nft_connbytes 1-3"
+	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
+	local subnets
+
+	local DISABLE_IPV6=1
+
+	make_comma_list subnets $NFQWS_MY1_SUBNETS
+	nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
+	nft_flush_set $NFQWS_MY1_SET_NAME
+	nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
+
+	f="udp dport {$NFQWS_MY1_PORTS}"
+	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
+}

ipset/def.sh

@@ -274,7 +274,9 @@ hup_zapret_daemons()
  if exists killall; then
   killall -HUP tpws nfqws dvtws 2>/dev/null
  elif exists pkill; then
-  pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
+  pkill -HUP ^tpws$
+  pkill -HUP ^nfqws$
+  pkill -HUP ^dvtws$
  else
   echo no mass killer available ! cant HUP zapret daemons
  fi

nfq/desync.c

@@ -16,51 +16,65 @@ const char *fake_http_request_default = "GET / HTTP/1.1\r\nHost: www.iana.org\r\
                                         "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
                                         "Accept-Encoding: gzip, deflate, br\r\n\r\n";
 
-// random : +11 size 32
-// random : +44 size 32
-// sni : gatech.edu +125 size 11
-const uint8_t fake_tls_clienthello_default[648] = {
-0x16,0x03,0x01,0x02,0x83,0x01,0x00,0x02,0x7f,0x03,0x03,0x98,0xfb,0x69,0x1d,0x31,
-0x66,0xc4,0xd8,0x07,0x25,0x2b,0x74,0x47,0x01,0x44,0x09,0x08,0xcf,0x13,0x67,0xe0,
-0x46,0x19,0x1f,0xcb,0xee,0xe6,0x8e,0x33,0xb9,0x91,0xa0,0x20,0xf2,0xed,0x56,0x73,
-0xa4,0x0a,0xce,0xa6,0xad,0xd2,0xfd,0x71,0xb8,0xb9,0xfd,0x06,0x0e,0xdd,0xf0,0x57,
-0x37,0x7d,0x96,0xb5,0x80,0x6e,0x54,0xe2,0x15,0xce,0x5f,0xff,0x00,0x22,0x13,0x01,
-0x13,0x03,0x13,0x02,0xc0,0x2b,0xc0,0x2f,0xcc,0xa9,0xcc,0xa8,0xc0,0x2c,0xc0,0x30,
-0xc0,0x0a,0xc0,0x09,0xc0,0x13,0xc0,0x14,0x00,0x9c,0x00,0x9d,0x00,0x2f,0x00,0x35,
-0x01,0x00,0x02,0x14,0x00,0x00,0x00,0x0f,0x00,0x0d,0x00,0x00,0x0a,0x67,0x61,0x74,
-0x65,0x63,0x68,0x2e,0x65,0x64,0x75,0x00,0x17,0x00,0x00,0xff,0x01,0x00,0x01,0x00,
-0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,0x01,0x00,
-0x01,0x01,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x10,0x00,0x0e,0x00,0x0c,0x02,0x68,
-0x32,0x08,0x68,0x74,0x74,0x70,0x2f,0x31,0x2e,0x31,0x00,0x05,0x00,0x05,0x01,0x00,
-0x00,0x00,0x00,0x00,0x22,0x00,0x0a,0x00,0x08,0x04,0x03,0x05,0x03,0x06,0x03,0x02,
-0x03,0x00,0x33,0x00,0x6b,0x00,0x69,0x00,0x1d,0x00,0x20,0x72,0xe5,0xce,0x58,0x31,
-0x3c,0x08,0xaa,0x2f,0xa8,0x40,0xe7,0x7a,0xdf,0x46,0x5b,0x63,0x62,0xc7,0xfa,0x49,
-0x18,0xac,0xa1,0x00,0x7c,0x42,0xc5,0x02,0x94,0x5c,0x44,0x00,0x17,0x00,0x41,0x04,
-0x8f,0x3e,0x5f,0xd4,0x7f,0x37,0x47,0xd3,0x33,0x70,0x38,0x7f,0x11,0x35,0xc1,0x55,
-0x8a,0x6c,0xc7,0x5a,0xd4,0xf7,0x31,0xbb,0x9e,0xee,0xd1,0x8f,0x74,0xdd,0x9b,0xbb,
-0x91,0xa1,0x72,0xda,0xeb,0xf6,0xc6,0x82,0x84,0xfe,0xb7,0xfd,0x7b,0xe1,0x9f,0xd2,
-0xb9,0x3e,0x83,0xa6,0x9c,0xac,0x81,0xe2,0x00,0xd5,0x19,0x55,0x91,0xa7,0x0c,0x29,
-0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03,0x00,0x0d,0x00,0x18,0x00,0x16,0x04,
-0x03,0x05,0x03,0x06,0x03,0x08,0x04,0x08,0x05,0x08,0x06,0x04,0x01,0x05,0x01,0x06,
-0x01,0x02,0x03,0x02,0x01,0x00,0x1c,0x00,0x02,0x40,0x01,0xfe,0x0d,0x01,0x19,0x00,
-0x00,0x01,0x00,0x01,0xfe,0x00,0x20,0xae,0x8b,0x30,0x3c,0xf0,0xa9,0x0d,0xa1,0x69,
-0x95,0xb8,0xe2,0xed,0x08,0x6d,0x48,0xdf,0xf7,0x5b,0x9d,0x66,0xef,0x15,0x97,0xbc,
-0x2c,0x99,0x91,0x12,0x7a,0x35,0xd0,0x00,0xef,0xb1,0x8d,0xff,0x61,0x57,0x52,0xef,
-0xd6,0xea,0xbf,0xf3,0x6d,0x78,0x14,0x38,0xff,0xeb,0x58,0xe8,0x9d,0x59,0x4b,0xd5,
-0x9f,0x59,0x12,0xf9,0x03,0x9a,0x20,0x37,0x85,0x77,0xb1,0x4c,0xd8,0xef,0xa6,0xc8,
-0x54,0x8d,0x07,0x27,0x95,0xce,0xd5,0x37,0x4d,0x69,0x18,0xd4,0xfd,0x5e,0xdf,0x64,
-0xcc,0x10,0x2f,0x7f,0x0e,0xc9,0xfd,0xd4,0xd0,0x18,0x61,0x1b,0x57,0x8f,0x41,0x7f,
-0x6f,0x4f,0x5c,0xad,0x04,0xc6,0x5e,0x74,0x54,0x87,0xba,0x28,0xe6,0x11,0x0b,0x9d,
-0x3f,0x0b,0x6d,0xf4,0x2d,0xfc,0x31,0x4e,0xfd,0x49,0xe7,0x15,0x96,0xaf,0xee,0x9a,
-0x48,0x1b,0xae,0x5e,0x7c,0x20,0xbe,0xb4,0xec,0x68,0xb6,0x74,0x22,0xa0,0xec,0xff,
-0x19,0x96,0xe4,0x10,0x8f,0x3c,0x91,0x88,0xa1,0xcc,0x78,0xef,0x4e,0x0e,0xe3,0xb6,
-0x57,0x8c,0x33,0xef,0xaa,0xb0,0x1d,0x45,0x1c,0x02,0x4c,0xe2,0x80,0x30,0xe8,0x48,
-0x7a,0x09,0x71,0x94,0x7c,0xb6,0x75,0x81,0x1c,0xae,0xe3,0x3f,0xde,0xea,0x2b,0x45,
-0xcc,0xe3,0x64,0x09,0xf7,0x60,0x26,0x0c,0x7d,0xad,0x55,0x65,0xb6,0xf5,0x85,0x04,
-0x64,0x2f,0x97,0xd0,0x6a,0x06,0x36,0xcd,0x25,0xda,0x51,0xab,0xd6,0xf7,0x5e,0xeb,
-0xd4,0x03,0x39,0xa4,0xc4,0x2a,0x9c,0x17,0xe8,0xb0,0x9f,0xc0,0xd3,0x8c,0x76,0xdd,
-0xa1,0x0b,0x76,0x9f,0x23,0xfa,0xed,0xfb,0xd7,0x78,0x0f,0x00,0xf7,0x45,0x03,0x04,
-0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4
+// SNI - www.microsoft.com
+const uint8_t fake_tls_clienthello_default[680] = {
+  0x16, 0x03, 0x01, 0x02, 0xa3, 0x01, 0x00, 0x02, 0x9f, 0x03, 0x03, 0x41,
+  0x88, 0x82, 0x2d, 0x4f, 0xfd, 0x81, 0x48, 0x9e, 0xe7, 0x90, 0x65, 0x1f,
+  0xba, 0x05, 0x7b, 0xff, 0xa7, 0x5a, 0xf9, 0x5b, 0x8a, 0x8f, 0x45, 0x8b,
+  0x41, 0xf0, 0x3d, 0x1b, 0xdd, 0xe3, 0xf8, 0x20, 0x9b, 0x23, 0xa5, 0xd2,
+  0x21, 0x1e, 0x9f, 0xe7, 0x85, 0x6c, 0xfc, 0x61, 0x80, 0x3a, 0x3f, 0xba,
+  0xb9, 0x60, 0xba, 0xb3, 0x0e, 0x98, 0x27, 0x6c, 0xf7, 0x38, 0x28, 0x65,
+  0x80, 0x5d, 0x40, 0x38, 0x00, 0x22, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02,
+  0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
+  0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d,
+  0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, 0x02, 0x34, 0x00, 0x00, 0x00, 0x16,
+  0x00, 0x14, 0x00, 0x00, 0x11, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x17,
+  0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0e, 0x00,
+  0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00, 0x01,
+  0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
+  0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74,
+  0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x22, 0x00, 0x0a, 0x00, 0x08, 0x04, 0x03, 0x05, 0x03,
+  0x06, 0x03, 0x02, 0x03, 0x00, 0x12, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b,
+  0x00, 0x69, 0x00, 0x1d, 0x00, 0x20, 0x69, 0x15, 0x16, 0x29, 0x6d, 0xad,
+  0xd5, 0x68, 0x88, 0x27, 0x2f, 0xde, 0xaf, 0xac, 0x3c, 0x4c, 0xa4, 0xe4,
+  0xd8, 0xc8, 0xfb, 0x41, 0x87, 0xf4, 0x76, 0x4e, 0x0e, 0xfa, 0x64, 0xc4,
+  0xe9, 0x29, 0x00, 0x17, 0x00, 0x41, 0x04, 0xfe, 0x62, 0xb9, 0x08, 0xc8,
+  0xc3, 0x2a, 0xb9, 0x87, 0x37, 0x84, 0x42, 0x6b, 0x5c, 0xcd, 0xc9, 0xca,
+  0x62, 0x38, 0xd3, 0xd9, 0x99, 0x8a, 0xc4, 0x2d, 0xc6, 0xd0, 0xa3, 0x60,
+  0xb2, 0x12, 0x54, 0x41, 0x8e, 0x52, 0x5e, 0xe3, 0xab, 0xf9, 0xc2, 0x07,
+  0x81, 0xdc, 0xf8, 0xf2, 0x6a, 0x91, 0x40, 0x2f, 0xcb, 0xa4, 0xff, 0x6f,
+  0x24, 0xc7, 0x4d, 0x77, 0x77, 0x2d, 0x6f, 0xe0, 0x77, 0xaa, 0x92, 0x00,
+  0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x0d, 0x00, 0x18,
+  0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x04, 0x08, 0x05,
+  0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01,
+  0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01,
+  0x00, 0x1b, 0x00, 0x07, 0x06, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0xfe,
+  0x0d, 0x01, 0x19, 0x00, 0x00, 0x01, 0x00, 0x03, 0x21, 0x00, 0x20, 0x62,
+  0xe8, 0x83, 0xd8, 0x97, 0x05, 0x8a, 0xbe, 0xa1, 0xf2, 0x63, 0x4e, 0xce,
+  0x93, 0x84, 0x8e, 0xcf, 0xe7, 0xdd, 0xb2, 0xe4, 0x87, 0x06, 0xac, 0x11,
+  0x19, 0xbe, 0x0e, 0x71, 0x87, 0xf1, 0xa6, 0x00, 0xef, 0xd8, 0x6b, 0x27,
+  0x5e, 0xc0, 0xa7, 0x5d, 0x42, 0x4e, 0x8c, 0xdc, 0xf3, 0x9f, 0x1c, 0x51,
+  0x62, 0xef, 0xff, 0x5b, 0xed, 0xc8, 0xfd, 0xee, 0x6f, 0xbb, 0x88, 0x9b,
+  0xb1, 0x30, 0x9c, 0x66, 0x42, 0xab, 0x0f, 0x66, 0x89, 0x18, 0x8b, 0x11,
+  0xc1, 0x6d, 0xe7, 0x2a, 0xeb, 0x96, 0x3b, 0x7f, 0x52, 0x78, 0xdb, 0xf8,
+  0x6d, 0x04, 0xf7, 0x95, 0x1a, 0xa8, 0xf0, 0x64, 0x52, 0x07, 0x39, 0xf0,
+  0xa8, 0x1d, 0x0d, 0x16, 0x36, 0xb7, 0x18, 0x0e, 0xc8, 0x44, 0x27, 0xfe,
+  0xf3, 0x31, 0xf0, 0xde, 0x8c, 0x74, 0xf5, 0xa1, 0xd8, 0x8f, 0x6f, 0x45,
+  0x97, 0x69, 0x79, 0x5e, 0x2e, 0xd4, 0xb0, 0x2c, 0x0c, 0x1a, 0x6f, 0xcc,
+  0xce, 0x90, 0xc7, 0xdd, 0xc6, 0x60, 0x95, 0xf3, 0xc2, 0x19, 0xde, 0x50,
+  0x80, 0xbf, 0xde, 0xf2, 0x25, 0x63, 0x15, 0x26, 0x63, 0x09, 0x1f, 0xc5,
+  0xdf, 0x32, 0xf5, 0xea, 0x9c, 0xd2, 0xff, 0x99, 0x4e, 0x67, 0xa2, 0xe5,
+  0x1a, 0x94, 0x85, 0xe3, 0xdf, 0x36, 0xa5, 0x83, 0x4b, 0x0a, 0x1c, 0xaf,
+  0xd7, 0x48, 0xc9, 0x4b, 0x8a, 0x27, 0xdd, 0x58, 0x7f, 0x95, 0xf2, 0x6b,
+  0xde, 0x2b, 0x12, 0xd3, 0xec, 0x4d, 0x69, 0x37, 0x9c, 0x13, 0x9b, 0x16,
+  0xb0, 0x45, 0x52, 0x38, 0x77, 0x69, 0xef, 0xaa, 0x65, 0x19, 0xbc, 0xc2,
+  0x93, 0x4d, 0xb0, 0x1b, 0x7f, 0x5b, 0x41, 0xff, 0xaf, 0xba, 0x50, 0x51,
+  0xc3, 0xf1, 0x27, 0x09, 0x25, 0xf5, 0x60, 0x90, 0x09, 0xb1, 0xe5, 0xc0,
+  0xc7, 0x42, 0x78, 0x54, 0x3b, 0x23, 0x19, 0x7d, 0x8e, 0x72, 0x13, 0xb4,
+  0xd3, 0xcd, 0x63, 0xb6, 0xc4, 0x4a, 0x28, 0x3d, 0x45, 0x3e, 0x8b, 0xdb,
+  0x84, 0x4f, 0x78, 0x64, 0x30, 0x69, 0xe2, 0x1b
 };
 
 #define PKTDATA_MAXDUMP 32
@@ -609,12 +623,12 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip)
 // fake_mod buffer must at least sizeof(desync_profile->fake_tls)
 // size does not change
 // return : true - altered, false - not altered
-static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, uint8_t fake_tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
+static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, const struct fake_tls_mod *tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
 {
 	bool b=false;
 	if (modcache) // it's filled only if it's TLS
 	{
-		if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+		if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
 		{
 			size_t sz_rec = pntoh16(fake_data+3) + payload_len;
 			size_t sz_handshake = pntoh24(fake_data+6) + payload_len;
@@ -630,18 +644,22 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
 				phton16(fake_mod+modcache->extlen_offset,(uint16_t)sz_ext);
 				phton16(fake_mod+modcache->padlen_offset,(uint16_t)sz_pad);
 				b=true;
+				DLOG("fake[%d] applied padencap tls mod. sizes increased by %zu bytes.\n", fake_n, payload_len);
 			}
 		}
-		if (fake_tls_mod & FAKE_TLS_MOD_RND)
+		if (tls_mod->mod & FAKE_TLS_MOD_RND)
 		{
 			if (!b)	memcpy(fake_mod,fake_data,fake_data_size);
 			fill_random_bytes(fake_mod+11,32); // random
 			fill_random_bytes(fake_mod+44,fake_mod[43]); // session id
 			b=true;
+			DLOG("fake[%d] applied rnd tls mod\n", fake_n);
 		}
-		if (fake_tls_mod & FAKE_TLS_MOD_DUP_SID)
+		if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
 		{
-			if (fake_data[43]!=payload[43])
+			if (payload_len<44)
+				DLOG("fake[%d] cannot apply dupsid tls mod. data payload is too short.\n",fake_n);
+			else if (fake_data[43]!=payload[43])
 				DLOG("fake[%d] cannot apply dupsid tls mod. fake and orig session id length mismatch.\n",fake_n);
 			else if (payload_len<(44+payload[43]))
 				DLOG("fake[%d] cannot apply dupsid tls mod. data payload is not valid.\n",fake_n);
@@ -650,6 +668,7 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
 				if (!b)	memcpy(fake_mod,fake_data,fake_data_size);
 				memcpy(fake_mod+44,payload+44,fake_mod[43]); // session id
 				b=true;
+				DLOG("fake[%d] applied dupsid tls mod\n", fake_n);
 			}
 		}
 	}
@@ -1304,7 +1323,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 						{
 							case TLS:
 								if ((fake_item->size <= sizeof(fake_data_buf)) &&
-									runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra, dp->fake_tls_mod, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
+									runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra,(struct fake_tls_mod *)fake_item->extra2, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
 								{
 									fake_data = fake_data_buf;
 									break;
@@ -2079,6 +2098,18 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 				l7proto = DHT;
 				if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
 			}
+			else if (IsDiscordIpDiscoveryRequest(dis->data_payload,dis->len_payload))
+			{
+				DLOG("packet contains discord voice IP discovery\n");
+				l7proto = DISCORD;
+				if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
+			}
+			else if (IsStunMessage(dis->data_payload,dis->len_payload))
+			{
+				DLOG("packet contains STUN message\n");
+				l7proto = STUN;
+				if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
+			}
 			else
 			{
 				if (!dp->desync_any_proto)
@@ -2191,6 +2222,12 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 			case DHT:
 				fake = &dp->fake_dht;
 				break;
+			case DISCORD:
+				fake = &dp->fake_discord;
+				break;
+			case STUN:
+				fake = &dp->fake_stun;
+				break;
 			default:
 				fake = &dp->fake_unknown_udp;
 				break;

nfq/desync.h

@@ -41,7 +41,7 @@ enum dpi_desync_mode {
 };
 
 extern const char *fake_http_request_default;
-extern const uint8_t fake_tls_clienthello_default[648];
+extern const uint8_t fake_tls_clienthello_default[680];
 void randomize_default_tls_payload(uint8_t *p);
 
 enum dpi_desync_mode desync_mode_from_string(const char *s);

nfq/nfqws.c

@@ -738,6 +738,10 @@ static bool parse_l7_list(char *opt, uint32_t *l7)
 			*l7 |= L7_PROTO_WIREGUARD;
 		else if (!strcmp(p,"dht"))
 			*l7 |= L7_PROTO_DHT;
+		else if (!strcmp(p,"discord"))
+			*l7 |= L7_PROTO_DISCORD;
+		else if (!strcmp(p,"stun"))
+			*l7 |= L7_PROTO_STUN;
 		else if (!strcmp(p,"unknown"))
 			*l7 |= L7_PROTO_UNKNOWN;
 		else return false;
@@ -946,35 +950,57 @@ static bool parse_ip_list(char *opt, ipset *pp)
 	return true;
 }
 
-static bool parse_tlsmod_list(char *opt, uint8_t *mod)
+static bool parse_tlsmod_list(char *opt, struct fake_tls_mod *tls_mod)
 {
-	char *e,*p,c;
+	char *e,*e2,*p,c,c2;
 
-	*mod &= FAKE_TLS_MOD_SAVE_MASK;
-	*mod |= FAKE_TLS_MOD_SET;
+	tls_mod->mod &= FAKE_TLS_MOD_SAVE_MASK;
+	tls_mod->mod |= FAKE_TLS_MOD_SET;
 	for (p=opt ; p ; )
 	{
-		if ((e = strchr(p,',')))
+		for (e2=p ; *e2 && *e2!=',' && *e2!='=' ; e2++);
+
+		if ((e = strchr(e2,',')))
 		{
 			c=*e;
 			*e=0;
 		}
 
-		if (!strcmp(p,"rnd"))
-			*mod |= FAKE_TLS_MOD_RND;
-		else if (!strcmp(p,"rndsni"))
-			*mod |= FAKE_TLS_MOD_RND_SNI;
-		else if (!strcmp(p,"padencap"))
-			*mod |= FAKE_TLS_MOD_PADENCAP;
-		else if (!strcmp(p,"dupsid"))
-			*mod |= FAKE_TLS_MOD_DUP_SID;
-		else if (strcmp(p,"none"))
-			return false;
+		if (*e2=='=')
+		{
+			c2=*e2;
+			*e2=0;
+		}
+		else
+			e2=NULL;
 
+		if (!strcmp(p,"rnd"))
+			tls_mod->mod |= FAKE_TLS_MOD_RND;
+		else if (!strcmp(p,"rndsni"))
+			tls_mod->mod |= FAKE_TLS_MOD_RND_SNI;
+		else if (!strcmp(p,"sni"))
+		{
+			tls_mod->mod |= FAKE_TLS_MOD_SNI;
+			if (!e2 || !e2[1] || e2[1]==',') goto err;
+			strncpy(tls_mod->sni,e2+1,sizeof(tls_mod->sni)-1);
+			tls_mod->sni[sizeof(tls_mod->sni)-1-1]=0;
+		}
+		else if (!strcmp(p,"padencap"))
+			tls_mod->mod |= FAKE_TLS_MOD_PADENCAP;
+		else if (!strcmp(p,"dupsid"))
+			tls_mod->mod |= FAKE_TLS_MOD_DUP_SID;
+		else if (strcmp(p,"none"))
+			goto err;
+
+		if (e2) *e2=c2;
 		if (e) *e++=c;
 		p = e;
 	}
 	return true;
+err:
+	if (e2) *e2=c2;
+	if (e) *e++=c;
+	return false;
 }
 
 
@@ -1008,13 +1034,13 @@ static void SplitDebug(void)
 
 static const char * tld[]={"com","org","net","edu","gov","biz"};
 
-static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint8_t fake_tls_mod, uint8_t *fake_tls, size_t *fake_tls_size, size_t fake_tls_buf_size, struct fake_tls_mod_cache *modcache)
+static bool onetime_tls_mod_blob(int profile_n, int fake_n, const struct fake_tls_mod *tls_mod, uint8_t *fake_tls, size_t *fake_tls_size, size_t fake_tls_buf_size, struct fake_tls_mod_cache *modcache)
 {
 	const uint8_t *ext;
-	size_t extlen, slen;
+	size_t extlen;
 
 	modcache->extlen_offset = modcache->padlen_offset = 0;
-	if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+	if (tls_mod->mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI|FAKE_TLS_MOD_PADENCAP))
 	{
 		if (!TLSFindExtLen(fake_tls,*fake_tls_size,&modcache->extlen_offset))
 		{
@@ -1022,119 +1048,160 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint8_t fake_tls_mod
 			return false;
 		}
 		DLOG("profile %d fake[%d] tls extensions length offset : %zu\n", profile_n, fake_n, modcache->extlen_offset);
-		if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
+		if (tls_mod->mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI))
 		{
-			if ((ext-fake_tls+extlen)!=*fake_tls_size)
+			size_t slen;
+			if (!TLSFindExt(fake_tls,*fake_tls_size,0,&ext,&extlen,false))
 			{
-				DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
+				DLOG_ERR("profile %d fake[%d] sni mod is set but tls fake does not have SNI\n", profile_n, fake_n);
 				return false;
 			}
-			modcache->padlen_offset = ext-fake_tls-2;
-			DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
-		}
-		else
-		{
-			if ((*fake_tls_size+4)>fake_tls_buf_size)
+			uint8_t *sniext = fake_tls + (ext - fake_tls);
+			if (!TLSAdvanceToHostInSNI(&ext,&extlen,&slen))
 			{
-				DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
+				DLOG_ERR("profile %d fake[%d] sni set but tls fake has invalid SNI structure\n", profile_n, fake_n);
 				return false;
 			}
-			phton16(fake_tls+*fake_tls_size,21);
-			*fake_tls_size+=2;
-			modcache->padlen_offset=*fake_tls_size;
-			phton16(fake_tls+*fake_tls_size,0);
-			*fake_tls_size+=2;
-			phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
-			phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
-			phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
-			DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
-		}
-	}
-	if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI)
-	{
-		if (!TLSFindExt(fake_tls,*fake_tls_size,0,&ext,&extlen,false))
-		{
-			DLOG_ERR("profile %d fake[%d] rndsni set but tls fake does not have SNI\n", profile_n, fake_n);
-			return false;
-		}
-		if (!TLSAdvanceToHostInSNI(&ext,&extlen,&slen))
-		{
-			DLOG_ERR("profile %d fake[%d] rndsni set but tls fake has invalid SNI structure\n", profile_n, fake_n);
-			return false;
-		}
-		if (!slen)
-		{
-			DLOG_ERR("profile %d fake[%d] rndsni set but tls fake has zero sized SNI\n", profile_n, fake_n);
-			return false;
-		}
-		uint8_t *sni = fake_tls + (ext - fake_tls);
-
-		char *s1=NULL, *s2=NULL;
-		if (params.debug)
-		{
-			if ((s1 = malloc(slen+1)))
+			uint8_t *sni = fake_tls + (ext - fake_tls);
+			if (tls_mod->mod & FAKE_TLS_MOD_SNI)
 			{
-				memcpy(s1,sni,slen); s1[slen]=0;
+				size_t slen_new = strlen(tls_mod->sni);
+				ssize_t slen_delta = slen_new-slen;
+				char *s1=NULL;
+				if (params.debug)
+				{
+					if ((s1 = malloc(slen+1)))
+					{
+						memcpy(s1,sni,slen); s1[slen]=0;
+					}
+				}
+				if (slen_delta)
+				{
+					if ((*fake_tls_size+slen_delta)>fake_tls_buf_size)
+					{
+						DLOG_ERR("profile %d fake[%d] not enough space for new SNI\n", profile_n, fake_n);
+						free(s1);
+						return false;
+					}
+					memmove(sni+slen_new,sni+slen,fake_tls+*fake_tls_size-(sni+slen));
+					phton16(fake_tls+3,(uint16_t)(pntoh16(fake_tls+3)+slen_delta));
+					phton24(fake_tls+6,(uint32_t)(pntoh24(fake_tls+6)+slen_delta));
+					phton16(fake_tls+modcache->extlen_offset,(uint16_t)(pntoh16(fake_tls+modcache->extlen_offset)+slen_delta));
+					phton16(sniext-2,(uint16_t)(pntoh16(sniext-2)+slen_delta));
+					phton16(sniext,(uint16_t)(pntoh16(sniext)+slen_delta));
+					phton16(sni-2,(uint16_t)(pntoh16(sni-2)+slen_delta));
+					*fake_tls_size+=slen_delta;
+					slen = slen_new;
+				}
+				DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, tls_mod->sni, slen_delta);
+				free(s1);
+
+				memcpy(sni,tls_mod->sni,slen_new);
+			}
+			if (tls_mod->mod & FAKE_TLS_MOD_RND_SNI)
+			{
+				if (!slen)
+				{
+					DLOG_ERR("profile %d fake[%d] rndsni set but tls fake has zero sized SNI\n", profile_n, fake_n);
+					return false;
+				}
+
+				char *s1=NULL, *s2=NULL;
+				if (params.debug)
+				{
+					if ((s1 = malloc(slen+1)))
+					{
+						memcpy(s1,sni,slen); s1[slen]=0;
+					}
+				}
+
+				fill_random_az(sni,1);
+				if (slen>=7) // domain name in SNI must be at least 3 chars long to enable xxx.tls randomization
+				{
+					fill_random_az09(sni+1,slen-5);
+					sni[slen-4] = '.';
+					memcpy(sni+slen-3,tld[random()%(sizeof(tld)/sizeof(*tld))],3);
+				}
+				else
+					fill_random_az09(sni+1,slen-1);
+
+				if (params.debug)
+				{
+					if (s1 && (s2 = malloc(slen+1)))
+					{
+						memcpy(s2,sni,slen); s2[slen]=0;
+						DLOG("profile %d fake[%d] generated random SNI : %s -> %s\n",profile_n,fake_n,s1,s2);
+					}
+					free(s1); free(s2);
+				}
 			}
 		}
-
-		fill_random_az(sni,1);
-		if (slen>=7) // domain name in SNI must be at least 3 chars long to enable xxx.tls randomization
+		if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
 		{
-			fill_random_az09(sni+1,slen-5);
-			sni[slen-4] = '.';
-			memcpy(sni+slen-3,tld[random()%(sizeof(tld)/sizeof(*tld))],3);
-		}
-		else
-			fill_random_az09(sni+1,slen-1);
-
-		if (params.debug)
-		{
-			if (s1 && (s2 = malloc(slen+1)))
+			if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
 			{
-				memcpy(s2,sni,slen); s2[slen]=0;
-				DLOG("profile %d fake[%d] generated random SNI : %s -> %s\n",profile_n,fake_n,s1,s2);
+				if ((ext-fake_tls+extlen)!=*fake_tls_size)
+				{
+					DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
+					return false;
+				}
+				modcache->padlen_offset = ext-fake_tls-2;
+				DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
+			}
+			else
+			{
+				if ((*fake_tls_size+4)>fake_tls_buf_size)
+				{
+					DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
+					return false;
+				}
+				phton16(fake_tls+*fake_tls_size,21);
+				*fake_tls_size+=2;
+				modcache->padlen_offset=*fake_tls_size;
+				phton16(fake_tls+*fake_tls_size,0);
+				*fake_tls_size+=2;
+				phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
+				phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
+				phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
+				DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
 			}
-			free(s1); free(s2);
 		}
 	}
 	return true;
 }
 static bool onetime_tls_mod(struct desync_profile *dp)
 {
-	if (dp->n && !(dp->fake_tls_mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
-		dp->fake_tls_mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_DUP_SID; // old behavior compat + dup_sid
-	if (!(dp->fake_tls_mod & ~FAKE_TLS_MOD_SAVE_MASK))
-		return true; // nothing to do
-
 	struct blob_item *fake_tls;
+	struct fake_tls_mod *tls_mod;
 	int n=0;
-	bool bMod=false;
 
 	LIST_FOREACH(fake_tls, &dp->fake_tls, next)
 	{
 		++n;
-		if (!IsTLSClientHello(fake_tls->data,fake_tls->size,false) || (fake_tls->size < (44+fake_tls->data[43]))) // has session id ?
-		{
-			DLOG("profile %d fake[%d] tls mod set but tls fake structure invalid. mod skipped.\n", dp->n, n);
+		tls_mod = (struct fake_tls_mod *)fake_tls->extra2;
+		if (!tls_mod) continue;
+		if (dp->n && !(tls_mod->mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
+			tls_mod->mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_DUP_SID; // old behavior compat + dup_sid
+		if (!(tls_mod->mod & ~FAKE_TLS_MOD_SAVE_MASK))
 			continue;
 
+		if (!IsTLSClientHello(fake_tls->data,fake_tls->size,false) || (fake_tls->size < (44+fake_tls->data[43]))) // has session id ?
+		{
+			DLOG("profile %d fake[%d] tls mod set but tls fake structure invalid.\n", dp->n, n);
+			return false;
 		}
-		bMod = true;
 		if (!fake_tls->extra)
 		{
 			fake_tls->extra = malloc(sizeof(struct fake_tls_mod_cache));
 			if (!fake_tls->extra) return false;
 		}
-		if (!onetime_tls_mod_blob(dp->n,n,dp->fake_tls_mod,fake_tls->data,&fake_tls->size,fake_tls->size_buf,(struct fake_tls_mod_cache*)fake_tls->extra))
+		if (!onetime_tls_mod_blob(dp->n,n,tls_mod,fake_tls->data,&fake_tls->size,fake_tls->size_buf,(struct fake_tls_mod_cache*)fake_tls->extra))
 			return false;
 	}
-	if (!bMod)
-		DLOG_ERR("profile %d tls fake list does not have any valid TLS ClientHello\n", dp->n);
-	return bMod;
+	return true;
 }
 
-static void load_blob_to_collection(const char *filename, struct blob_collection_head *blobs, size_t max_size, size_t size_reserve)
+static struct blob_item *load_blob_to_collection(const char *filename, struct blob_collection_head *blobs, size_t max_size, size_t size_reserve)
 {
 	struct blob_item *blob = blob_collection_add(blobs);
 	uint8_t *p;
@@ -1153,6 +1220,7 @@ static void load_blob_to_collection(const char *filename, struct blob_collection
 	}
 	blob->data = p;
 	blob->size_buf = blob->size+size_reserve;
+	return blob;
 }
 
 
@@ -1321,7 +1389,7 @@ static void exithelp(void)
 		" --filter-l3=ipv4|ipv6\t\t\t\t; L3 protocol filter. multiple comma separated values allowed.\n"
 		" --filter-tcp=[~]port1[-port2]|*\t\t; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list allowed.\n"
 		" --filter-udp=[~]port1[-port2]|*\t\t; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list allowed.\n"
-		" --filter-l7=[http|tls|quic|wireguard|dht|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.\n"
+		" --filter-l7=[http|tls|quic|wireguard|dht|discord|stun|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.\n"
 		" --ipset=<filename>\t\t\t\t; ipset include filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)\n"
 		" --ipset-ip=<ip_list>\t\t\t\t; comma separated fixed subnet list\n"
 		" --ipset-exclude=<filename>\t\t\t; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)\n"
@@ -1374,12 +1442,14 @@ static void exithelp(void)
 		" --dpi-desync-any-protocol=0|1\t\t\t; 0(default)=desync only http and tls  1=desync any nonempty data packet\n"
 		" --dpi-desync-fake-http=<filename>|0xHEX\t; file containing fake http request\n"
 		" --dpi-desync-fake-tls=<filename>|0xHEX\t\t; file containing fake TLS ClientHello (for https)\n"
-		" --dpi-desync-fake-tls-mod=mod[,mod]\t\t; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,dupsid,padencap\n"
+		" --dpi-desync-fake-tls-mod=mod[,mod]\t\t; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,sni=<sni>,dupsid,padencap\n"
 		" --dpi-desync-fake-unknown=<filename>|0xHEX\t; file containing unknown protocol fake payload\n"
 		" --dpi-desync-fake-syndata=<filename>|0xHEX\t; file containing SYN data payload\n"
 		" --dpi-desync-fake-quic=<filename>|0xHEX\t; file containing fake QUIC Initial\n"
 		" --dpi-desync-fake-wireguard=<filename>|0xHEX\t; file containing fake wireguard handshake initiation\n"
 		" --dpi-desync-fake-dht=<filename>|0xHEX\t\t; file containing DHT protocol fake payload (d1...e)\n"
+		" --dpi-desync-fake-discord=<filename>|0xHEX\t; file containing discord protocol fake payload (Voice IP Discovery)\n"
+		" --dpi-desync-fake-stun=<filename>|0xHEX\t; file containing STUN protocol fake payload\n"
 		" --dpi-desync-fake-unknown-udp=<filename>|0xHEX\t; file containing unknown udp protocol fake payload\n"
 		" --dpi-desync-udplen-increment=<int>\t\t; increase or decrease udp packet length by N bytes (default %u). negative values decrease length.\n"
 		" --dpi-desync-udplen-pattern=<filename>|0xHEX\t; udp tail fill pattern\n"
@@ -1604,43 +1674,45 @@ int main(int argc, char **argv)
 		{"dpi-desync-fake-quic",required_argument,0,0},// optidx=43
 		{"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=44
 		{"dpi-desync-fake-dht",required_argument,0,0},// optidx=45
-		{"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=46
-		{"dpi-desync-udplen-increment",required_argument,0,0},// optidx=47
-		{"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=48
-		{"dpi-desync-cutoff",required_argument,0,0},// optidx=49
-		{"dpi-desync-start",required_argument,0,0},// optidx=50
-		{"hostlist",required_argument,0,0},		// optidx=51
-		{"hostlist-domains",required_argument,0,0},// optidx=52
-		{"hostlist-exclude",required_argument,0,0},	// optidx=53
-		{"hostlist-exclude-domains",required_argument,0,0},// optidx=54
-		{"hostlist-auto",required_argument,0,0},	// optidx=55
-		{"hostlist-auto-fail-threshold",required_argument,0,0},	// optidx=56
-		{"hostlist-auto-fail-time",required_argument,0,0},	// optidx=57
-		{"hostlist-auto-retrans-threshold",required_argument,0,0},	// optidx=58
-		{"hostlist-auto-debug",required_argument,0,0},	// optidx=59
-		{"new",no_argument,0,0},	// optidx=60
-		{"skip",no_argument,0,0},	// optidx=61
-		{"filter-l3",required_argument,0,0},	// optidx=62
-		{"filter-tcp",required_argument,0,0},	// optidx=63
-		{"filter-udp",required_argument,0,0},	// optidx=64
-		{"filter-l7",required_argument,0,0},	// optidx=65
-		{"ipset",required_argument,0,0},	// optidx=66
-		{"ipset-ip",required_argument,0,0},	// optidx=67
-		{"ipset-exclude",required_argument,0,0},// optidx=68
-		{"ipset-exclude-ip",required_argument,0,0},	// optidx=69
+		{"dpi-desync-fake-discord",required_argument,0,0},// optidx=46
+		{"dpi-desync-fake-stun",required_argument,0,0},// optidx=47
+		{"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=48
+		{"dpi-desync-udplen-increment",required_argument,0,0},// optidx=49
+		{"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=50
+		{"dpi-desync-cutoff",required_argument,0,0},// optidx=51
+		{"dpi-desync-start",required_argument,0,0},// optidx=52
+		{"hostlist",required_argument,0,0},		// optidx=53
+		{"hostlist-domains",required_argument,0,0},// optidx=54
+		{"hostlist-exclude",required_argument,0,0},	// optidx=55
+		{"hostlist-exclude-domains",required_argument,0,0},// optidx=56
+		{"hostlist-auto",required_argument,0,0},	// optidx=57
+		{"hostlist-auto-fail-threshold",required_argument,0,0},	// optidx=58
+		{"hostlist-auto-fail-time",required_argument,0,0},	// optidx=59
+		{"hostlist-auto-retrans-threshold",required_argument,0,0},	// optidx=60
+		{"hostlist-auto-debug",required_argument,0,0},	// optidx=61
+		{"new",no_argument,0,0},	// optidx=62
+		{"skip",no_argument,0,0},	// optidx=63
+		{"filter-l3",required_argument,0,0},	// optidx=64
+		{"filter-tcp",required_argument,0,0},	// optidx=65
+		{"filter-udp",required_argument,0,0},	// optidx=66
+		{"filter-l7",required_argument,0,0},	// optidx=67
+		{"ipset",required_argument,0,0},	// optidx=68
+		{"ipset-ip",required_argument,0,0},	// optidx=69
+		{"ipset-exclude",required_argument,0,0},// optidx=70
+		{"ipset-exclude-ip",required_argument,0,0},	// optidx=71
 #ifdef __linux__
-		{"bind-fix4",no_argument,0,0},		// optidx=70
-		{"bind-fix6",no_argument,0,0},		// optidx=71
+		{"bind-fix4",no_argument,0,0},		// optidx=72
+		{"bind-fix6",no_argument,0,0},		// optidx=73
 #elif defined(__CYGWIN__)
-		{"wf-iface",required_argument,0,0},	// optidx=70
-		{"wf-l3",required_argument,0,0},	// optidx=71
-		{"wf-tcp",required_argument,0,0},	// optidx=72
-		{"wf-udp",required_argument,0,0},	// optidx=73
-		{"wf-raw",required_argument,0,0},	// optidx=74
-		{"wf-save",required_argument,0,0},	// optidx=75
-		{"ssid-filter",required_argument,0,0},	// optidx=76
-		{"nlm-filter",required_argument,0,0},	// optidx=77
-		{"nlm-list",optional_argument,0,0},	// optidx=78
+		{"wf-iface",required_argument,0,0},	// optidx=72
+		{"wf-l3",required_argument,0,0},	// optidx=73
+		{"wf-tcp",required_argument,0,0},	// optidx=74
+		{"wf-udp",required_argument,0,0},	// optidx=75
+		{"wf-raw",required_argument,0,0},	// optidx=76
+		{"wf-save",required_argument,0,0},	// optidx=77
+		{"ssid-filter",required_argument,0,0},	// optidx=78
+		{"nlm-filter",required_argument,0,0},	// optidx=79
+		{"nlm-list",optional_argument,0,0},	// optidx=80
 #endif
 		{NULL,0,NULL,0}
 	};
@@ -2043,15 +2115,26 @@ int main(int argc, char **argv)
 			load_blob_to_collection(optarg, &dp->fake_http, FAKE_MAX_TCP,0);
 			break;
 		case 39: /* dpi-desync-fake-tls */
-			load_blob_to_collection(optarg, &dp->fake_tls, FAKE_MAX_TCP,4);
-			dp->fake_tls_mod |= FAKE_TLS_MOD_CUSTOM_FAKE;
+			{
+				dp->tls_fake_last = load_blob_to_collection(optarg, &dp->fake_tls, FAKE_MAX_TCP,4+sizeof(dp->tls_mod_last.sni));
+				if (!(dp->tls_fake_last->extra2 = malloc(sizeof(struct fake_tls_mod))))
+				{
+					DLOG_ERR("out of memory\n");
+					exit_clean(1);
+				}
+				struct fake_tls_mod *tls_mod = (struct fake_tls_mod*)dp->tls_fake_last->extra2;
+				*tls_mod = dp->tls_mod_last;
+				tls_mod->mod |= FAKE_TLS_MOD_CUSTOM_FAKE;
+			}
 			break;
 		case 40: /* dpi-desync-fake-tls-mod */
-			if (!parse_tlsmod_list(optarg,&dp->fake_tls_mod))
+			if (!parse_tlsmod_list(optarg,&dp->tls_mod_last))
 			{
 				DLOG_ERR("Invalid tls mod : %s\n",optarg);
 				exit_clean(1);
 			}
+			if (dp->tls_fake_last)
+				*(struct fake_tls_mod*)dp->tls_fake_last->extra2 = dp->tls_mod_last;
 			break;
 		case 41: /* dpi-desync-fake-unknown */
 			load_blob_to_collection(optarg, &dp->fake_unknown, FAKE_MAX_TCP, 0);
@@ -2069,17 +2152,23 @@ int main(int argc, char **argv)
 		case 45: /* dpi-desync-fake-dht */
 			load_blob_to_collection(optarg, &dp->fake_dht, FAKE_MAX_UDP, 0);
 			break;
-		case 46: /* dpi-desync-fake-unknown-udp */
+		case 46: /* dpi-desync-fake-discord */
+			load_blob_to_collection(optarg, &dp->fake_discord, FAKE_MAX_UDP, 0);
+			break;
+		case 47: /* dpi-desync-fake-stun */
+			load_blob_to_collection(optarg, &dp->fake_stun, FAKE_MAX_UDP, 0);
+			break;
+		case 48: /* dpi-desync-fake-unknown-udp */
 			load_blob_to_collection(optarg, &dp->fake_unknown_udp, FAKE_MAX_UDP, 0);
 			break;
-		case 47: /* dpi-desync-udplen-increment */
+		case 49: /* dpi-desync-udplen-increment */
 			if (sscanf(optarg,"%d",&dp->udplen_increment)<1 || dp->udplen_increment>0x7FFF || dp->udplen_increment<-0x8000)
 			{
 				DLOG_ERR("dpi-desync-udplen-increment must be integer within -32768..32767 range\n");
 				exit_clean(1);
 			}
 			break;
-		case 48: /* dpi-desync-udplen-pattern */
+		case 50: /* dpi-desync-udplen-pattern */
 			{
 				char buf[sizeof(dp->udplen_pattern)];
 				size_t sz=sizeof(buf);
@@ -2087,21 +2176,21 @@ int main(int argc, char **argv)
 				fill_pattern(dp->udplen_pattern,sizeof(dp->udplen_pattern),buf,sz);
 			}
 			break;
-		case 49: /* desync-cutoff */
+		case 51: /* desync-cutoff */
 			if (!parse_cutoff(optarg, &dp->desync_cutoff, &dp->desync_cutoff_mode))
 			{
 				DLOG_ERR("invalid desync-cutoff value\n");
 				exit_clean(1);
 			}
 			break;
-		case 50: /* desync-start */
+		case 52: /* desync-start */
 			if (!parse_cutoff(optarg, &dp->desync_start, &dp->desync_start_mode))
 			{
 				DLOG_ERR("invalid desync-start value\n");
 				exit_clean(1);
 			}
 			break;
-		case 51: /* hostlist */
+		case 53: /* hostlist */
 			if (bSkip) break;
 			if (!RegisterHostlist(dp, false, optarg))
 			{
@@ -2109,7 +2198,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 52: /* hostlist-domains */
+		case 54: /* hostlist-domains */
 			if (bSkip) break;
 			if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL)))
 			{
@@ -2122,7 +2211,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 53: /* hostlist-exclude */
+		case 55: /* hostlist-exclude */
 			if (bSkip) break;
 			if (!RegisterHostlist(dp, true, optarg))
 			{
@@ -2130,7 +2219,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 54: /* hostlist-exclude-domains */
+		case 56: /* hostlist-exclude-domains */
 			if (bSkip) break;
 			if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL)))
 			{
@@ -2143,7 +2232,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 55: /* hostlist-auto */
+		case 57: /* hostlist-auto */
 			if (bSkip) break;
 			if (dp->hostlist_auto)
 			{
@@ -2171,7 +2260,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 56: /* hostlist-auto-fail-threshold */
+		case 58: /* hostlist-auto-fail-threshold */
 			dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20)
 			{
@@ -2179,7 +2268,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 57: /* hostlist-auto-fail-time */
+		case 59: /* hostlist-auto-fail-time */
 			dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_fail_time<1)
 			{
@@ -2187,7 +2276,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 58: /* hostlist-auto-retrans-threshold */
+		case 60: /* hostlist-auto-retrans-threshold */
 			dp->hostlist_auto_retrans_threshold = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_retrans_threshold<2 || dp->hostlist_auto_retrans_threshold>10)
 			{
@@ -2195,7 +2284,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 59: /* hostlist-auto-debug */
+		case 61: /* hostlist-auto-debug */
 			{
 				FILE *F = fopen(optarg,"a+t");
 				if (!F)
@@ -2209,7 +2298,7 @@ int main(int argc, char **argv)
 			}
 			break;
 
-		case 60: /* new */
+		case 62: /* new */
 			if (bSkip)
 			{
 				dp_clear(dp);
@@ -2231,18 +2320,18 @@ int main(int argc, char **argv)
 			anon_hl = anon_hl_exclude = NULL;
 			anon_ips = anon_ips_exclude = NULL;
 			break;
-		case 61: /* skip */
+		case 63: /* skip */
 			bSkip = true;
 			break;
 
-		case 62: /* filter-l3 */
+		case 64: /* filter-l3 */
 			if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
 			{
 				DLOG_ERR("bad value for --filter-l3\n");
 				exit_clean(1);
 			}
 			break;
-		case 63: /* filter-tcp */
+		case 65: /* filter-tcp */
 			if (!parse_pf_list(optarg,&dp->pf_tcp))
 			{
 				DLOG_ERR("Invalid port filter : %s\n",optarg);
@@ -2252,7 +2341,7 @@ int main(int argc, char **argv)
 			if (!port_filters_deny_if_empty(&dp->pf_udp))
 				exit_clean(1);
 			break;
-		case 64: /* filter-udp */
+		case 66: /* filter-udp */
 			if (!parse_pf_list(optarg,&dp->pf_udp))
 			{
 				DLOG_ERR("Invalid port filter : %s\n",optarg);
@@ -2262,14 +2351,14 @@ int main(int argc, char **argv)
 			if (!port_filters_deny_if_empty(&dp->pf_tcp))
 				exit_clean(1);
 			break;
-		case 65: /* filter-l7 */
+		case 67: /* filter-l7 */
 			if (!parse_l7_list(optarg,&dp->filter_l7))
 			{
 				DLOG_ERR("Invalid l7 filter : %s\n",optarg);
 				exit_clean(1);
 			}
 			break;
-		case 66: /* ipset */
+		case 68: /* ipset */
 			if (bSkip) break;
 			if (!RegisterIpset(dp, false, optarg))
 			{
@@ -2277,7 +2366,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 67: /* ipset-ip */
+		case 69: /* ipset-ip */
 			if (bSkip) break;
 			if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
 			{
@@ -2290,7 +2379,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 68: /* ipset-exclude */
+		case 70: /* ipset-exclude */
 			if (bSkip) break;
 			if (!RegisterIpset(dp, true, optarg))
 			{
@@ -2298,7 +2387,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 69: /* ipset-exclude-ip */
+		case 71: /* ipset-exclude-ip */
 			if (bSkip) break;
 			if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
 			{
@@ -2314,28 +2403,28 @@ int main(int argc, char **argv)
 
 
 #ifdef __linux__
-		case 70: /* bind-fix4 */
+		case 72: /* bind-fix4 */
 			params.bind_fix4 = true;
 			break;
-		case 71: /* bind-fix6 */
+		case 73: /* bind-fix6 */
 			params.bind_fix6 = true;
 			break;
 #elif defined(__CYGWIN__)
-		case 70: /* wf-iface */
+		case 72: /* wf-iface */
 			if (!sscanf(optarg,"%u.%u",&IfIdx,&SubIfIdx))
 			{
 				DLOG_ERR("bad value for --wf-iface\n");
 				exit_clean(1);
 			}
 			break;
-		case 71: /* wf-l3 */
+		case 73: /* wf-l3 */
 			if (!wf_make_l3(optarg,&wf_ipv4,&wf_ipv6))
 			{
 				DLOG_ERR("bad value for --wf-l3\n");
 				exit_clean(1);
 			}
 			break;
-		case 72: /* wf-tcp */
+		case 74: /* wf-tcp */
 			hash_wf_tcp=hash_jen(optarg,strlen(optarg));
 			if (!wf_make_pf(optarg,"tcp","SrcPort",wf_pf_tcp_src,sizeof(wf_pf_tcp_src)) ||
 				!wf_make_pf(optarg,"tcp","DstPort",wf_pf_tcp_dst,sizeof(wf_pf_tcp_dst)))
@@ -2344,7 +2433,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 73: /* wf-udp */
+		case 75: /* wf-udp */
 			hash_wf_udp=hash_jen(optarg,strlen(optarg));
 			if (!wf_make_pf(optarg,"udp","SrcPort",wf_pf_udp_src,sizeof(wf_pf_udp_src)) ||
 				!wf_make_pf(optarg,"udp","DstPort",wf_pf_udp_dst,sizeof(wf_pf_udp_dst)))
@@ -2353,7 +2442,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 74: /* wf-raw */
+		case 76: /* wf-raw */
 			hash_wf_raw=hash_jen(optarg,strlen(optarg));
 			if (optarg[0]=='@')
 			{
@@ -2367,11 +2456,11 @@ int main(int argc, char **argv)
 				windivert_filter[sizeof(windivert_filter) - 1] = '\0';
 			}
 			break;
-		case 75: /* wf-save */
+		case 77: /* wf-save */
 			strncpy(wf_save_file, optarg, sizeof(wf_save_file));
 			wf_save_file[sizeof(wf_save_file) - 1] = '\0';
 			break;
-		case 76: /* ssid-filter */
+		case 78: /* ssid-filter */
 			hash_ssid_filter=hash_jen(optarg,strlen(optarg));
 			{
 				char *e,*p = optarg;
@@ -2389,7 +2478,7 @@ int main(int argc, char **argv)
 				}
 			}
 			break;
-		case 77: /* nlm-filter */
+		case 79: /* nlm-filter */
 			hash_nlm_filter=hash_jen(optarg,strlen(optarg));
 			{
 				char *e,*p = optarg;
@@ -2407,7 +2496,7 @@ int main(int argc, char **argv)
 				}
 			}
 			break;
-		case 78: /* nlm-list */
+		case 80: /* nlm-list */
 			if (!nlm_list(optarg && !strcmp(optarg,"all")))
 			{
 				DLOG_ERR("could not get list of NLM networks\n");

nfq/params.c

@@ -185,7 +185,6 @@ void dp_init(struct desync_profile *dp)
 	dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
 	dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
 	dp->desync_repeats = 1;
-	dp->fake_tls_mod = 0;
 	dp->fake_syndata_size = 16;
 	dp->wscale=-1; // default - dont change scale factor (client)
 	dp->desync_ttl6 = 0xFF; // unused
@@ -206,8 +205,11 @@ bool dp_fake_defaults(struct desync_profile *dp)
 			return false;
 	if (blob_collection_empty(&dp->fake_tls))
 	{
-		if (!blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4))
+		if (!(item=blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(((struct fake_tls_mod*)0)->sni))))
 			return false;
+		if (!(item->extra2 = malloc(sizeof(struct fake_tls_mod))))
+			return false;
+		*(struct fake_tls_mod*)item->extra2 = dp->tls_mod_last;
 	}
 	if (blob_collection_empty(&dp->fake_unknown))
 	{
@@ -222,23 +224,15 @@ bool dp_fake_defaults(struct desync_profile *dp)
 		memset(item->data,0,item->size);
 		item->data[0] = 0x40;
 	}
-	if (blob_collection_empty(&dp->fake_wg))
+	struct blob_collection_head **fake,*fakes_z64[] = {&dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, &dp->fake_unknown_udp,NULL};
+	for(fake=fakes_z64;*fake;fake++)
 	{
-		if (!(item=blob_collection_add_blob(&dp->fake_wg,NULL,64,0)))
-			return false;
-		memset(item->data,0,item->size);
-	}
-	if (blob_collection_empty(&dp->fake_dht))
-	{
-		if (!(item=blob_collection_add_blob(&dp->fake_dht,NULL,64,0)))
-			return false;
-		memset(item->data,0,item->size);
-	}
-	if (blob_collection_empty(&dp->fake_unknown_udp))
-	{
-		if (!(item=blob_collection_add_blob(&dp->fake_unknown_udp,NULL,64,0)))
-			return false;
-		memset(item->data,0,item->size);
+		if (blob_collection_empty(*fake))
+		{
+			if (!(item=blob_collection_add_blob(*fake,NULL,64,0)))
+				return false;
+			memset(item->data,0,item->size);
+		}
 	}
 	return true;
 }
@@ -269,14 +263,9 @@ static void dp_clear_dynamic(struct desync_profile *dp)
 	ipset_collection_destroy(&dp->ips_collection_exclude);
 	port_filters_destroy(&dp->pf_tcp);
 	port_filters_destroy(&dp->pf_udp);
-	blob_collection_destroy(&dp->fake_http);
-	blob_collection_destroy(&dp->fake_tls);
-	blob_collection_destroy(&dp->fake_unknown);
-	blob_collection_destroy(&dp->fake_unknown_udp);
-	blob_collection_destroy(&dp->fake_quic);
-	blob_collection_destroy(&dp->fake_wg);
-	blob_collection_destroy(&dp->fake_dht);
 	HostFailPoolDestroy(&dp->hostlist_auto_fail_counters);
+	struct blob_collection_head **fake,*fakes[] = {&dp->fake_http, &dp->fake_tls, &dp->fake_unknown, &dp->fake_unknown_udp, &dp->fake_quic, &dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, NULL};
+	for(fake=fakes;*fake;fake++) blob_collection_destroy(*fake);
 }
 void dp_clear(struct desync_profile *dp)
 {

nfq/params.h

@@ -44,7 +44,8 @@
 #define FAKE_TLS_MOD_RND		0x10
 #define FAKE_TLS_MOD_DUP_SID		0x20
 #define FAKE_TLS_MOD_RND_SNI		0x40
-#define FAKE_TLS_MOD_PADENCAP		0x80
+#define FAKE_TLS_MOD_SNI		0x80
+#define FAKE_TLS_MOD_PADENCAP		0x100
 
 #define FAKE_MAX_TCP	1460
 #define FAKE_MAX_UDP	1472
@@ -55,6 +56,11 @@ struct fake_tls_mod_cache
 {
 	size_t extlen_offset, padlen_offset;
 };
+struct fake_tls_mod
+{
+	char sni[64];
+	uint32_t mod;
+};
 
 struct desync_profile
 {
@@ -83,11 +89,12 @@ struct desync_profile
 	uint32_t desync_fooling_mode;
 	uint32_t desync_badseq_increment, desync_badseq_ack_increment;
 
-	struct blob_collection_head fake_http,fake_tls,fake_unknown,fake_unknown_udp,fake_quic,fake_wg,fake_dht;
+	struct blob_collection_head fake_http,fake_tls,fake_unknown,fake_unknown_udp,fake_quic,fake_wg,fake_dht,fake_discord,fake_stun;
 	uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP];
 	size_t fake_syndata_size;
 
-	uint8_t fake_tls_mod;
+	struct fake_tls_mod tls_mod_last;
+	struct blob_item *tls_fake_last;
 
 	int udplen_increment;
 

nfq/pools.c

@@ -570,6 +570,7 @@ void blob_collection_destroy(struct blob_collection_head *head)
 	{
 		LIST_REMOVE(entry, next);
 		free(entry->extra);
+		free(entry->extra2);
 		free(entry->data);
 		free(entry);
 	}

nfq/pools.h

@@ -153,6 +153,7 @@ struct blob_item {
 	size_t size;	// main data blob size
 	size_t size_buf;// main data blob allocated size
 	void *extra;	// any data without size
+	void *extra2;	// any data without size
 	LIST_ENTRY(blob_item) next;
 };
 LIST_HEAD(blob_collection_head, blob_item);

nfq/protocol.c

@@ -35,6 +35,8 @@ const char *l7proto_str(t_l7proto l7)
 		case QUIC: return "quic";
 		case WIREGUARD: return "wireguard";
 		case DHT: return "dht";
+		case DISCORD: return "discord";
+		case STUN: return "stun";
 		default: return "unknown";
 	}
 }
@@ -45,7 +47,9 @@ bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
 		(l7proto==TLS && (filter_l7 & L7_PROTO_TLS)) ||
 		(l7proto==QUIC && (filter_l7 & L7_PROTO_QUIC)) ||
 		(l7proto==WIREGUARD && (filter_l7 & L7_PROTO_WIREGUARD)) ||
-		(l7proto==DHT && (filter_l7 & L7_PROTO_DHT));
+		(l7proto==DHT && (filter_l7 & L7_PROTO_DHT)) ||
+		(l7proto==DISCORD && (filter_l7 & L7_PROTO_DISCORD)) ||
+		(l7proto==STUN && (filter_l7 & L7_PROTO_STUN));
 }
 
 #define PM_ABS		0
@@ -1006,3 +1010,18 @@ bool IsDhtD1(const uint8_t *data, size_t len)
 {
 	return len>=7 && data[0]=='d' && data[1]=='1' && data[len-1]=='e';
 }
+bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len)
+{
+	return len==74 &&
+		data[0]==0 && data[1]==1 &&
+		data[2]==0 && data[3]==70 &&
+		data[8]==0 && memcmp(&data[8],&data[9],63)==0; // address is not set in requests
+}
+bool IsStunMessage(const uint8_t *data, size_t len)
+{
+	return len>=20 && // header size
+		(data[0]&0xC0)==0 && // 2 most significant bits must be zeroes
+		(data[3]&0b11)==0 && // length must be a multiple of 4
+		ntohl(*(uint32_t*)(&data[4]))==0x2112A442 && // magic cookie
+		ntohs(*(uint16_t*)(&data[2]))==len-20;
+}

nfq/protocol.h

@@ -7,12 +7,14 @@
 #include "crypto/aes-gcm.h"
 #include "helpers.h"
 
-typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT} t_l7proto;
+typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT, DISCORD, STUN} t_l7proto;
 #define L7_PROTO_HTTP		0x00000001
 #define L7_PROTO_TLS		0x00000002
 #define L7_PROTO_QUIC		0x00000004
 #define L7_PROTO_WIREGUARD	0x00000008
 #define L7_PROTO_DHT		0x00000010
+#define L7_PROTO_DISCORD	0x00000020
+#define L7_PROTO_STUN		0x00000040
 #define L7_PROTO_UNKNOWN	0x80000000
 const char *l7proto_str(t_l7proto l7);
 bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7);
@@ -72,6 +74,8 @@ bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *hos
 
 bool IsWireguardHandshakeInitiation(const uint8_t *data, size_t len);
 bool IsDhtD1(const uint8_t *data, size_t len);
+bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len);
+bool IsStunMessage(const uint8_t *data, size_t len);
 
 #define QUIC_MAX_CID_LENGTH  20
 typedef struct quic_cid {

tpws/Makefile

@@ -3,7 +3,7 @@ CFLAGS += -std=gnu99 -Os -flto=auto
 CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 LIBS = -lz -lpthread
-LIBS_SYSTEMD = -lz -lsystemd
+LIBS_SYSTEMD = -lsystemd
 LIBS_ANDROID = -lz
 SRC_FILES = *.c
 SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@@ -14,7 +14,7 @@ tpws: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 systemd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS) $(LIBS_SYSTEMD) $(LDFLAGS)
 
 android: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)