# v1

Initial release

# v2

* `nfqws`: command line options change. now using standard getopt.
* `nfqws`: added options for window size changing and `Host:` case change
* ISP support: tested on mns.ru and beeline (corbina)
* init scripts: rewritten init scripts for simple choice of ISP
* create_ipset: now using `ipset restore`, it works much faster
* `readme`: updated. now using UTF-8 charset.

# v3

* `tpws`:
  * added transparent proxy (supports TPROXY and DNAT).
  * can help when ISP tracks whole HTTP session, not only the beginning
* ipset:
  * added `zapret-hosts-user.txt`, which contains user defined host names to be resolved and added to zapret ip list
* ISP support: dom.ru support via TPROXY/DNAT
* ISP support:
  * successfully tested sknt.ru on 'domru' configuration
  * other configs will probably also work, but cannot test
* compile: OpenWrt compile how-to

# v4

* `tpws`: added ability to insert extra space after HTTP method: `GET /` => `GET  /`
* ISP support: TKT support

# v5

* `nfqws`: IPv6 support in `nfqws`

# v6

* `ipset`: added `get_antizapret.sh`

# v7

* `tpws`: added ability to insert "." after `Host: name`

# v8

* OpenWrt init: removed `hotplug.d/firewall` because of race conditions. now only use `/etc/firewall.user`

# v9

* `ipban`:
  * added ipban ipset. place domains banned by ip to `zapret-hosts-user-ipban.txt`
  * these IPs must be socksified for both HTTP and HTTPS
* ISP support: tiera support
* ISP support: added DNS filtering to Ubuntu and Debian scripts

# v10

* `tpws`: added `split-pos` option. split every message at specified position

# v11

* `ipset`: scripts optimizations

# v12

* `nfqws`: fix wrong TCP checksum calculation if packet length is odd and platform is big-endian

# v13

* added binaries

# v14

* change `get_antizapret` script to work with https://github.com/zapret-info/z-i/raw/master/dump.csv
* filter out `192.168.*`, `127.*`, `10.*` from blocked ips

# v15

* added `--hostspell` option to `nfqws` and `tpws`
* ISP support: beeline now catches "host" but other spellings still work
* OpenWrt/LEDE: changed init script to work with procd
* `tpws`, `nfqws`: minor cosmetic fixes

# v16

* `tpws`: `split-http-req=method`: split inside method name, not after
* ISP support: mns.ru changed split pos to 3 (got redirect page with HEAD req: `curl -I ej.ru`)

# v17

* ISP support: athome moved from `nfqws` to `tpws` because of instability and HTTP request hangs
* `tpws`: added options `unixeol`, `methodeol`, `hosttab`

# v18

* `tpws`, `nfqws`: added `hostnospace` option

# v19

* `tpws`: added `hostlist` option

# v20

* added `ip2net`. `ip2net` groups ips from iplist into subnets and reduces ipset size by half

# v21

* added `mdig`. `get_reestr.sh` is *real* again

# v22

* total review of init script logic
* dropped support of older Debian 7 and Ubuntu 12/14 systems
* `install_bin.sh`: auto binaries preparation
* `docs`: `readme` review. some new topics added, others deleted
* `docs`: VPN setup with policy based routing using WireGuard
* `docs`: WireGuard modding guide

# v23

* major init system rewrite
* OpenWrt: separate firewall include `/etc/firewall.zapret`
* `install_easy.sh`: easy setup on OpenWrt, Debian, Ubuntu, CentOS, Fedora, openSUSE

# v24

* separate config from init scripts
* gzip support in `ipset/*.sh` and `tpws`

# v25

* init: move to native systemd units
* use links to units, init scripts and firewall includes, no more copying

# v26

* IPv6 support
* `tpws`: advanced bind options

# v27

* `tpws`: major connection code rewrite. originally it was derived from a not top quality example, with many bugs and potential problems.
* next generation connection code uses nonblocking sockets. now it's in EXPERIMENTAL state.

# v28

* `tpws`: added socks5 support
* `ipset`: major RKN getlist rewrite. added https://antifilter.network support

# v29

* `nfqws`: DPI desync attack
* ip exclude system

# v30

* `nfqws`: DPI desync attack modes: `fake`, `rst`

# v31

* `nfqws`: DPI desync attack modes: `disorder`, `disorder2`, `split`, `split2`.
* `nfqws`: DPI desync fooling mode: `badseq`. multiple modes supported

# v32

* `tpws`: multiple binds
* init scripts: run only one instance of `tpws` in any case

# v33

* OpenWrt: flow offloading support
* `config`: `MODE` refactoring

# v34

* `nfqws`: `dpi-desync` 2 mode combos
* `nfqws`: `dpi-desync` without parameter is no longer supported. previously it meant `fake`
* `nfqws`: custom fake HTTP request and TLS ClientHello

# v35

* limited FreeBSD and OpenBSD support

# v36

* full FreeBSD and OpenBSD support

# v37

* limited macOS support

# v38

* macOS easy install

# v39

* `nfqws`: `conntrack`, `wssize`

# v40

* init scripts: `IFACE_LAN`, `IFACE_WAN` now accept multiple interfaces
* init scripts: OpenWrt now uses the `OPENWRT_LAN` parameter to override incoming interfaces for `tpws`

# v41

* `install_easy`: openrc support

# v42

* `blockcheck.sh`

# v43

* `nfqws`: UDP desync with conntrack support (any-protocol only for now)

# v44

* `nfqws`: `ipfrag`

# v45

* `nfqws`: `hop-by-hop` - IPv6 desync and fooling

# v46

* big startup script refactoring to support `nftables` and new OpenWrt snapshot builds with `firewall4`

# v47

* `nfqws`: QUIC initial decryption
* `nfqws`: `udplen`, `fakeknown` dpi desync modes

# v48

* `nfqws`, `tpws`: multiple `--hostlist` and `--hostlist-exclude` support
* launch system, `ipset`: no more list merging. all lists are passed separately to `nfqws` and `tpws`
* `nfqws`: `udplen` fooling supports packet shrinking (negative increment value)

# v49

* QUIC support integrated to the main system and setup

# v50

* DHT protocol support.
* DPI desync mode `tamper` for DHT.
* HEX string support in addition to binary files.

# v51

* `tpws`: `--tlsrec` attack.

# v52

* `autohostlist` mode

# v53

* `nfqws`: TCP session reassemble for TLS ClientHello

# v54

* `tpws`: out of band send when splitting (`--oob`)
* `nfqws`: `autottl`
* `nfqws`: `datanoack` fooling
* nftables: use POSTNAT path for TCP redirections to allow NAT-breaking strategies. use additional mark bit `DESYNC_MARK_POSTNAT`.

# v55

* `tpws`:
  * incompatible `oob` parameter change. it doesn't take oob byte anymore. instead it takes optional protocol filter - HTTP or TLS.
  * the same is done with `disorder`. oob byte can be specified in parameter `--oob-data`.
* `blockcheck`: quick mode, strategy order optimizations, QUIC protocol support
* `nfqws`: `syndata` desync mode

# v56

* `tpws`: `mss` fooling
* `tpws`: multi thread resolver. eliminates blocks related to hostname resolve.

# v57

* `tpws`: `--nosplice` option
* `nfqws`: postnat fixes
* `nfqws`: `--dpi-desync-start` option
* `nfqws`: packet delay for kyber TLS and QUIC
* `nfqws`: `--dpi-desync-retrans` obsolete
* `nfqws`: `--qnum` is mandatory, no more default queue 0

# v58

* `winws`

# v59

* `tpws`: `--split-tls`
* `tpws`: `--tlsrec=sniext`
* `nfqws`: `--dpi-desync-split-http-req`, `--dpi-desync-split-tls`. multi segment TLS support for split.
* `blockcheck`: `mdig` DNS cache

# v60

* `blockcheck`: port block test, partial ip block test
* `nfqws`: `seqovl` `split`/`disorder` modes

# v61

* C code cleanups
* `dvtws`: do not use raw sockets. use divert.
* `nfqws`, `tpws`: detect TLS 1.2 ClientHello from very old libraries with SSL 3.0 version in record layer
* `nfqws`, `tpws`: debug log to file and syslog
* `tpws`: `--connect-bind-addr` option
* `tpws`: log local endpoint (including source port number) for remote leg