init script http+https

6 years ago · 2acd50e130
9 changed files with 189 additions and 44 deletions
--- a/init.d/openwrt/firewall.user.nfqws_all_https
+++ b/init.d/openwrt/firewall.user.nfqws_all_https
@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443"
+IPT_FILTER_POST="-p tcp --dport 80"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
--- a/init.d/openwrt/firewall.user.nfqws_ipset_https
+++ b/init.d/openwrt/firewall.user.nfqws_ipset_https
@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443 -m set --match-set zapret src"
+IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
--- a/init.d/openwrt/firewall.user.tpws_all
+++ b/init.d/openwrt/firewall.user.tpws_all
@ -1,6 +1,6 @@
-TPPORT=1188
+TPPORT_HTTP=1188
 TPWS_USER=daemon
-IPT_FILTER="-p tcp --dport 80"
+IPT_FILTER_HTTP="-p tcp --dport 80"

 . /lib/functions/network.sh

@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # DNAT for local traffic

-    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
-     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP

 done

 network_get_device DEVICE lan
 sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
--- a/init.d/openwrt/firewall.user.tpws_all_https
+++ b/init.d/openwrt/firewall.user.tpws_all_https
@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80"
+IPT_FILTER_HTTPS="-p tcp --dport 443"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+    network_get_device DEVICE $ext_iface
+    # DNAT for local traffic
+
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
--- a/init.d/openwrt/firewall.user.tpws_ipset
+++ b/init.d/openwrt/firewall.user.tpws_ipset
@ -1,6 +1,6 @@
-TPPORT=1188
+TPPORT_HTTP=1188
 TPWS_USER=daemon
-IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"

 . /lib/functions/network.sh

@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # DNAT for local traffic

-    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
-     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP

 done

 network_get_device DEVICE lan
 sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
--- a/init.d/openwrt/firewall.user.tpws_ipset_https
+++ b/init.d/openwrt/firewall.user.tpws_ipset_https
@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+    network_get_device DEVICE $ext_iface
+    # DNAT for local traffic
+
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -13,19 +13,24 @@ START=18

 # using nfqws with ipset
 #MODE=nfqws_ipset
+#MODE=nfqws_ipset_https
 # using nfqws for all
 #MODE=nfqws_all
+#MODE=nfqws_all_https
 # CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
 NFQWS_OPT="--wsize=3 --hostspell=HOST"

 # using tpws with ipset
-MODE=tpws_ipset
+#MODE=tpws_ipset
+MODE=tpws_ipset_https
 # using tpws for all
 #MODE=tpws_all
+#MODE=tpws_all_https
 # using tpws with hostlist
 #MODE=tpws_hostlist
 # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTPS="--split-pos=3"

 # only fill ipset, do not run daemons
 #MODE=ipset
@ -47,11 +52,14 @@ QNUM=200
 NFQWS=$ZAPRET_BASE/nfq/nfqws
 NFQWS_OPT_BASE="--qnum=$QNUM"

-TPPORT=1188
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
 TPWS=$ZAPRET_BASE/tpws/tpws
 TPWS_USER=daemon
 TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
-TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
+TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"


 # must execute /etc/firewall.user on every firewall reload
@ -99,20 +107,22 @@ start_service() {

 	case "${MODE}" in
 	    tpws_hostlist)
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
 		;;
-	    tpws_ipset)
+	    tpws_ipset|tpws_all)
 		create_ipset
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		;;
-	    tpws_all)
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+	    tpws_ipset_https|tpws_all_https)
+		create_ipset
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 		;;
-	    nfqws_ipset)
+	    nfqws_ipset|nfqws_ipset_https)
 		create_ipset
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
-	    nfqws_all)
+	    nfqws_all|nfqws_all_https)
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
 	    ipset)
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@ -18,19 +18,24 @@

 # using nfqws with ipset
 #MODE=nfqws_ipset
+#MODE=nfqws_ipset_https
 # using nfqws for all
 #MODE=nfqws_all
+#MODE=nfqws_all_https
 # CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
 NFQWS_OPT="--wsize=3 --hostspell=HOST"

 # using tpws with ipset
-MODE=tpws_ipset
+#MODE=tpws_ipset
+MODE=tpws_ipset_https
 # using tpws for all
 #MODE=tpws_all
+#MODE=tpws_all_https
 # using tpws with hostlist
 #MODE=tpws_hostlist
 # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTPS="--split-pos=3"

 # only fill ipset, do not run daemons
 #MODE=ipset
@ -58,11 +63,14 @@ QNUM=200
 NFQWS=$ZAPRET_BASE/nfq/nfqws
 NFQWS_OPT_BASE="--qnum=$QNUM"

-TPPORT=1188
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
 TPWS=$ZAPRET_BASE/tpws/tpws
 TPWS_USER=tpws
 TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
-TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
+TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"

 # exit script on any error
 set -e
@ -75,25 +83,27 @@ exists()
 fw_tpws_add()
 {
 	# $1 - iptable filter
+	# $2 - tpws port
 	echo "Adding iptables rule for tpws : $1"
 	[ -n "$SLAVE_ETH" ] && {
-		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
-		 iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
+		 iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
 	}
-	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
-	 iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
+	 iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2

 }
 fw_tpws_del()
 {
 	# $1 - iptable filter
+	# $2 - tpws port
 	echo "Deleting iptables rule for tpws : $1"
 	[ -n "$SLAVE_ETH" ] && {
-		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
-		 iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
+		 iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
 	}
-	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
-	 iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
+	 iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
 	true
 }
 fw_nfqws_add_pre()
@ -199,19 +209,34 @@ case "$1" in
 	case "${MODE}" in
 	    tpws_hostlist)
 	    	prepare_tpws
-		fw_tpws_add "--dport 80"
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
+		fw_tpws_add "--dport 80" $TPPORT_HTTP
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
 		;;
 	    tpws_ipset)
 		create_ipset
 	    	prepare_tpws
-		fw_tpws_add "--dport 80 -m set --match-set zapret dst"
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+		;;
+	    tpws_ipset_https)
+		create_ipset
+	    	prepare_tpws
+		fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+		fw_tpws_add "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 		;;
 	    tpws_all)
 	    	prepare_tpws
-		fw_tpws_add "--dport 80"
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		fw_tpws_add "--dport 80" $TPPORT_HTTP
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+		;;
+	    tpws_all_https)
+	    	prepare_tpws
+		fw_tpws_add "--dport 80" $TPPORT_HTTP
+		fw_tpws_add "--dport 443" $TPPORT_HTTPS
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 		;;
 	    nfqws_ipset)
 		create_ipset
@ -219,11 +244,22 @@ case "$1" in
 		fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
+	    nfqws_ipset_https)
+		create_ipset
+		fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
+		fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
+		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
+		;;
 	    nfqws_all)
 		fw_nfqws_add_pre "--sport 80"
 		fw_nfqws_add_post "--dport 80"
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
+	    nfqws_all_https)
+		fw_nfqws_add_pre "-m multiport --sports 80,443"
+		fw_nfqws_add_post "--dport 80"
+		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
+		;;
 	    ipset)
 		create_ipset
 		;;
@ -241,23 +277,45 @@ case "$1" in
  stop)
 	case "${MODE}" in
 	    tpws_hostlist|tpws_all)
-		fw_tpws_del "--dport 80"
+		fw_tpws_del "--dport 80" $TPPORT_HTTP
 		stop_daemon 1 $TPWS
 		;;
 	    tpws_ipset)
-		fw_tpws_del "--dport 80 -m set --match-set zapret dst"
+		fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+		stop_daemon 1 $TPWS
+		;;
+	    tpws_ipset_https)
+		fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+		fw_tpws_del "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
 		stop_daemon 1 $TPWS
+		stop_daemon 2 $TPWS
+		;;
+	    tpws_all_https)
+		fw_tpws_del "--dport 80" $TPPORT_HTTP
+		fw_tpws_del "--dport 443" $TPPORT_HTTPS
+		stop_daemon 1 $TPWS
+		stop_daemon 2 $TPWS
 		;;
 	    nfqws_ipset)
 		fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src"
 		fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
 		stop_daemon 1 $NFQWS
 		;;
+	    nfqws_ipset_https)
+		fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
+		fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
+		stop_daemon 1 $NFQWS
+		;;
 	    nfqws_all)
 		fw_nfqws_del_pre "--sport 80"
 		fw_nfqws_del_post "--dport 80"
 		stop_daemon 1 $NFQWS
 		;;
+	    nfqws_all_https)
+		fw_nfqws_del_pre "-m multiport --sports 80,443"
+		fw_nfqws_del_post "--dport 80"
+		stop_daemon 1 $NFQWS
+		;;
 	    custom)
 		# PLACEHOLDER
 		echo !!! NEED ATTENTION !!!
--- a/readme.txt
+++ b/readme.txt
@ -210,9 +210,13 @@ tpws должен запускаться без фильтрации по ipset.
 Выберите MODE. Снимите комментарий только с одного из присваиваний.

 nfqws_ipset - использовать nfqws для модификации трафика на порт 80 только на IP из ipset "zapret"
+nfqws_ipset_https - использовать nfqws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
 nfqws_all - использовать nfqws для модификации трафика на порт 80 для всех IP
+nfqws_all_https - использовать nfqws для модификации трафика на порты 80 и 443 для всех IP
 tpws_ipset - использовать tpws для модификации трафика на порт 80 только на IP из ipset "zapret"
+tpws_ipset_https - использовать tpws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
 tpws_all - использовать tpws для модификации трафика на порт 80 для всех IP
+tpws_all_https - использовать tpws для модификации трафика на порты 80 и 443 для всех IP
 tpws_hostlist - пропускать через tpws весь трафик на порт 80. tpws применяет дурение только к хостам из hostlist.
 ipset - только заполнить ipset. ipset может быть применен для заворота трафика на прокси или на VPN
 custom - нужно самому запрограммировать запуск демонов и правила iptables
@ -220,7 +224,8 @@ custom - нужно самому запрограммировать запуск
 Можно изменить опции дурения, применяемые демонами nfqws и tpws :

 NFQWS_OPT="--wsize=3 --hostspell=HOST"
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTPS="--split-pos=3"

 Пример установки на debian-подобную систему
 -------------------------------------------