gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch 'bol-van:master' into master

pull/1115/head
allkatran 4 months ago
committed by GitHub
parent
8ed9143341 b3fd5c5dc1
commit
33c883540e
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
44 changed files with 825 additions and 568 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 40
      .github/workflows/build.yml
  2. 2
      blockcheck.sh
  3. 2
      common/custom.sh
  4. 20
      common/ipt.sh
  5. 55
      common/linux_daemons.sh
  6. 58
      common/nft.sh
  7. 17
      docs/changes.txt
  8. 2
      docs/quick_start.md
  9. 4
      docs/quick_start_windows.md
  10. 3
      docs/readme.en.md
  11. 16
      docs/readme.md
  12. 0
      init.d/custom.d.examples.linux/10-keenetic-udp-fix
  13. 66
      init.d/custom.d.examples.linux/20-fw-extra
  14. 4
      init.d/custom.d.examples.linux/50-dht4all
  15. 2
      init.d/custom.d.examples.linux/50-discord
  16. 89
      init.d/custom.d.examples.linux/50-tpws-ipset
  17. 30
      init.d/custom.d.examples.linux/50-wg4all
  18. 38
      init.d/openwrt/custom.d.examples/50-dht4all
  19. 75
      init.d/openwrt/custom.d.examples/50-discord
  20. 1
      init.d/openwrt/functions
  21. 47
      init.d/openwrt/zapret
  22. 2
      init.d/pfsense/zapret.sh
  23. 43
      init.d/sysv/functions
  24. 2
      install_bin.sh
  25. 2
      install_easy.sh
  26. 10
      ip2net/Makefile
  27. 12
      mdig/Makefile
  28. 2
      nfq/BSDmakefile
  29. 12
      nfq/Makefile
  30. 7
      nfq/desync.c
  31. 1
      nfq/desync.h
  32. 471
      nfq/nfqws.c
  33. 2
      nfq/params.h
  34. 2
      nfq/protocol.c
  35. 4
      nfq/sec.c
  36. 2
      tpws/BSDmakefile
  37. 10
      tpws/Makefile
  38. 14
      tpws/helpers.c
  39. 111
      tpws/linux_compat.h
  40. 2
      tpws/params.h
  41. 2
      tpws/protocol.c
  42. 4
      tpws/redirect.c
  43. 104
      tpws/tpws.c
  44. 1
      tpws/tpws_conn.c

40
.github/workflows/build.yml
View File

@ -52,6 +52,13 @@ jobs:
# tool: i586-unknown-linux-musl
- arch: x86_64
tool: x86_64-unknown-linux-musl
- arch: lexra
tool: mips-linux
dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001
env:
CFLAGS: '-march=5281'
LDFLAGS: '-lgcc_eh'
repo: 'bol-van/build'
steps:
- name: Checkout
uses: actions/checkout@v4
@ -60,18 +67,31 @@ jobs:
- name: Set up build tools
env:
REPO: 'spvkgn/musl-cross'
ARCH: ${{ matrix.arch }}
TOOL: ${{ matrix.tool }}
REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }}
DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }}
run: |
sudo apt update -qq && sudo apt install -y libcap-dev
if [[ "$ARCH" == lexra ]]; then
sudo dpkg --add-architecture i386
sudo apt update -qq
sudo apt install -y libcap-dev libc6:i386 zlib1g:i386
URL=https://github.com/$REPO/raw/refs/heads/master/$DIR.txz
else
sudo apt update -qq
sudo apt install -y libcap-dev
URL=https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz
fi
mkdir -p $HOME/tools
wget -qO- https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz | tar -C $HOME/tools -xJ || exit 1
[ -d "$HOME/tools/$TOOL/bin" ] && echo "$HOME/tools/$TOOL/bin" >> $GITHUB_PATH
wget -qO- $URL | tar -C $HOME/tools -xJ || exit 1
[[ -d "$HOME/tools/$DIR/bin" ]] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH
- name: Build
env:
ARCH: ${{ matrix.arch }}
TARGET: ${{ matrix.tool }}
CFLAGS: ${{ matrix.env.CFLAGS != '' && matrix.env.CFLAGS || null }}
LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
DEPS_DIR=$GITHUB_WORKSPACE/deps
@ -81,6 +101,7 @@ jobs:
export NM=$TARGET-nm
export STRIP=$TARGET-strip
export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
export STAGING_DIR=$RUNNER_TEMP
# netfilter libs
wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
@ -90,7 +111,7 @@ jobs:
for i in libmnl libnfnetlink libnetfilter_queue ; do
(
cd $i-*
CFLAGS="-Os -flto=auto" \
CFLAGS="-Os -flto=auto $CFLAGS" \
./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
make install -j$(nproc) DESTDIR=$DEPS_DIR
)
@ -102,7 +123,7 @@ jobs:
xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz
(
cd zlib-*
CFLAGS="-Os -flto=auto" \
CFLAGS="-Os -flto=auto $CFLAGS" \
./configure --prefix= --static
make install -j$(nproc) DESTDIR=$DEPS_DIR
)
@ -113,8 +134,8 @@ jobs:
install -Dm644 -t $DEPS_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h
# zapret
CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include" \
LDFLAGS="-L$DEPS_DIR/lib" \
CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
make -C zapret -j$(nproc)
tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz .
@ -390,7 +411,7 @@ jobs:
if [[ $dir == *-linux-x86_64 ]]; then
tar -C $dir -czvf $dir/tpws_wsl.tgz tpws
run_upx $dir/*
elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]]; then
elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
run_upx $dir/*
fi
;;
@ -422,6 +443,7 @@ jobs:
*-linux-ppc ) run_dir ppc ;;
*-linux-x86 ) run_dir x86 ;;
*-linux-x86_64 ) run_dir x86_64 ;;
*-linux-lexra ) run_dir lexra ;;
*-mac-x64 ) run_dir mac64 ;;
*-win-x86 ) run_dir win32 ;;
*-win-x86_64 ) run_dir win64 ;;

2
blockcheck.sh
View File

@ -212,7 +212,7 @@ doh_resolve()
# $1 - ip version 4/6
# $2 - hostname
# $3 - doh server URL. use $DOH_SERVER if empty
$MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
$MDIG --family=$1 --dns-make-query=$2 | $CURL -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
}
doh_find_working()
{

2
common/custom.sh
View File

@ -3,6 +3,8 @@ custom_runner()
# $1 - function name
# $2+ - params
[ "$DISABLE_CUSTOM" = 1 ] && return 0
local n script FUNC=$1
shift

20
common/ipt.sh
View File

@ -349,27 +349,37 @@ ipt_do_nfqws_in_out()
}
}
zapret_do_firewall_standard_rules_ipt()
zapret_do_firewall_standard_tpws_rules_ipt()
{
# $1 - 1 - add, 0 - del
local f4 f6
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
{
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT
}
[ "$NFQWS_ENABLE" = 1 ] &&
{
}
zapret_do_firewall_standard_nfqws_rules_ipt()
{
# $1 - 1 - add, 0 - del
[ "$NFQWS_ENABLE" = 1 ] && {
ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN"
ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN"
}
}
zapret_do_firewall_standard_rules_ipt()
{
# $1 - 1 - add, 0 - del
zapret_do_firewall_standard_tpws_rules_ipt $1
zapret_do_firewall_standard_nfqws_rules_ipt $1
}
zapret_do_firewall_rules_ipt()
{

55
common/linux_daemons.sh
View File

@ -0,0 +1,55 @@
standard_mode_tpws_socks()
{
# $1 - 1 - run, 0 - stop
local opt
[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
filter_apply_hostlist_target opt
do_tpws_socks $1 2 "$opt"
}
}
standard_mode_tpws()
{
# $1 - 1 - run, 0 - stop
local opt
[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
do_tpws $1 1 "$opt"
}
}
standard_mode_nfqws()
{
# $1 - 1 - run, 0 - stop
local opt
[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
opt="--qnum=$QNUM $NFQWS_OPT"
filter_apply_hostlist_target opt
do_nfqws $1 3 "$opt"
}
}
standard_mode_daemons()
{
# $1 - 1 - run, 0 - stop
standard_mode_tpws_socks $1
standard_mode_tpws $1
standard_mode_nfqws $1
}
zapret_do_daemons()
{
# $1 - 1 - run, 0 - stop
standard_mode_daemons $1
custom_runner zapret_custom_daemons $1
return 0
}
zapret_run_daemons()
{
zapret_do_daemons 1 "$@"
}
zapret_stop_daemons()
{
zapret_do_daemons 0 "$@"
}

58
common/nft.sh
View File

@ -263,28 +263,6 @@ nft_add_flow_offload_exemption()
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
}
nft_hw_offload_supported()
{
# $1,$2,... - interface names
local devices res=1
make_quoted_comma_list devices "$@"
[ -n "$devices" ] && devices="devices={$devices};"
nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
return $res
}
nft_hw_offload_find_supported()
{
# $1,$2,... - interface names
local supported_list
while [ -n "$1" ]; do
nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
shift
done
echo $supported_list
}
nft_apply_flow_offloading()
{
# ft can be absent
@ -370,17 +348,15 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
nft_create_or_update_flowtable 'offload' 2>/dev/null
# then add elements. some of them can cause error because unsupported
for i in $ALLDEVS; do
if nft_hw_offload_supported $i; then
nft_create_or_update_flowtable 'offload' $i
else
# bridge members must be added instead of the bridge itself
# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
devs=$(resolve_lower_devices $i)
for j in $devs; do
# do not display error if addition failed
nft_create_or_update_flowtable 'offload' $j 2>/dev/null
done
fi
# first try to add interface itself
nft_create_or_update_flowtable 'offload' $i 2>/dev/null
# bridge members must be added instead of the bridge itself
# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
devs=$(resolve_lower_devices $i)
for j in $devs; do
# do not display error if addition failed
nft_create_or_update_flowtable 'offload' $j 2>/dev/null
done
done
;;
esac
@ -640,25 +616,31 @@ nft_apply_nfqws_in_out()
}
}
zapret_apply_firewall_standard_rules_nft()
zapret_apply_firewall_standard_tpws_rules_nft()
{
local f4 f6
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
{
[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
f4="tcp dport {$TPWS_PORTS}"
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_tpws "$f4" "$f6" $TPPORT
}
[ "$NFQWS_ENABLE" = 1 ] &&
{
}
zapret_apply_firewall_standard_nfqws_rules_nft()
{
[ "$NFQWS_ENABLE" = 1 ] && {
nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN"
nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN"
}
}
zapret_apply_firewall_standard_rules_nft()
{
zapret_apply_firewall_standard_tpws_rules_nft
zapret_apply_firewall_standard_nfqws_rules_nft
}
zapret_apply_firewall_rules_nft()
{

17
docs/changes.txt
View File

@ -417,3 +417,20 @@ v69.5
nfqws,tpws: --dry-run
install_easy: check tpws and nfqws options validity
v69.6
nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
init.d: unify custom scripts for linux
init.d: new custom scripts : 20-fw-extra, 50-wg4all
v69.7
nfqws,tpws: --comment
nfqws: trash flood warning
winws: exclude empty outgoing ack packets in windivert filter
v69.8
winws: accept empty outgoing RST and FIN packets for conntrack needs
repo: lexra build

2
docs/quick_start.md
View File

@ -158,7 +158,7 @@
>
> Далее, имея понимание что работает на http, https, quic нужно
> сконструировать параметры запуска `tpws` и/или `nfqws` с использованием
> мультистратегии. Как работают мультистратегии описано в readme.txt.
> мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
>
> Если кратко, то обычно параметры конструируются так:
> ```sh

4
docs/quick_start_windows.md
View File

@ -59,7 +59,7 @@ _"Совсем ничего не могу, все очень сложно, да
1) Скачайте и распакуйте архив https://github.com/bol-van/zapret-win-bundle/archive/refs/heads/master.zip.
2) Если у вас Windows 7 x64, читайте [docs/windows.md](./windows.md). Без описанной там подготовки может не работать.
2) Если у вас Windows 7 x64, однократно запустите `win7/install_win7.cmd`. Батник заменит файлы windivert на совместимую с Windows 7 версию.
> [!WARNING]
> Для 32-битных систем Windows нет готового полного варианта.
@ -123,7 +123,7 @@ blockcheck перейдет в этом случае на **DoH** _(DNS over HTT
> она стабильна, на третьих полный хаос, и проще отказаться.
>
> Далее, имея понимание что работает на http, https, quic, нужно сконструировать параметры запуска winws
> с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md).
> с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
>
> Прежде всего вам нужно собрать фильтр перехватываемого трафика. Это делается через параметры
> `--wf-l3`, `--wf-tcp`, `--wf-udp`.

3
docs/readme.en.md
View File

@ -1,4 +1,4 @@
# zapret v69.5
# zapret v69.8
# SCAMMER WARNING
@ -132,6 +132,7 @@ nfqws takes the following parameters:
--debug=0|1
--dry-run ; verify parameters and exit with code 0 if successful
--comment ; any text (ignored)
--qnum=<nfqueue_number>
--daemon ; daemonize
--pidfile=<filename> ; write pid to file

16
docs/readme.md
View File

@ -1,4 +1,4 @@
# zapret v69.5
# zapret v69.8
# ВНИМАНИЕ, остерегайтесь мошенников
@ -163,6 +163,7 @@ dvtws, собираемый из тех же исходников (см. [док
--debug=0|1 ; 1=выводить отладочные сообщения
--dry-run ; проверить опции командной строки и выйти. код 0 - успешная проверка.
--comment ; любой текст (игнорируется)
--daemon ; демонизировать прогу
--pidfile=<file> ; сохранить PID в файл
--user=<username> ; менять uid процесса
@ -1866,8 +1867,9 @@ custom скрипты - это маленькие shell программы, уп
/opt/zapret/init.d/macos/custom.d
```
Директория будет просканирована в алфавитном порядке, и каждый скрипт будет применен.
Рядом имеется `custom.d.examples`. Это готовые скрипты, которые можно копировать в `custom.d`.
Их можно взять за основу для написания собственных.
В `init.d` имеется `custom.d.examples.linux`, в `init.d/macos` - `custom.d.examples`.
Это готовые скрипты, которые можно копировать в `custom.d`. Их можно взять за основу для написания собственных.
***Для linux пишется код в функции***
```
@ -1885,9 +1887,9 @@ zapret_custom_firewall_v6
```
zapret_custom_daemons поднимает демоны **nfqws**/**tpws** в нужном вам количестве и с нужными вам параметрами.
Для систем традиционного linux (sysv) и MacOS в первом параметре передается код операции: 1 = запуск, 0 = останов.
Для openwrt логика останова отсутствует за ненадобностью.
В первом параметре передается код операции: 1 = запуск, 0 = останов.
Схема запуска демонов в openwrt отличается - используется procd.
Поэтому логика останова отсутствует за ненадобностью, останов никогда не вызывается.
zapret_custom_firewall поднимает и убирает правила `iptables`.
В первом параметре передается код операции: 1 = запуск, 0 = останов.
@ -1913,8 +1915,8 @@ zapret_custom_firewall_nft поднимает правила nftables.
В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout,
содержащий правила для pf-якоря. Остальное сделает обертка.
Особо обратите внимание на номер демона в функциях `run_daemon` и `do_daemon`, номера портов **tpws**
и очередей `nfqueue`.
Особо обратите внимание на номер демона в функциях `run_daemon` , `do_daemon`, `do_tpws`, `do_tpws_socks`, `do_nfqws` ,
номера портов **tpws** и очередей **nfqueue**.
Они должны быть уникальными во всех скриптах. При накладке будет ошибка.
Поэтому используйте функции динамического получения этих значений из пула.

0
init.d/sysv/custom.d.examples/10-keenetic-udp-fix → init.d/custom.d.examples.linux/10-keenetic-udp-fix
View File

66
init.d/custom.d.examples.linux/20-fw-extra
View File

@ -0,0 +1,66 @@
# this custom script runs standard mode with extra firewall rules
# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
# standard and override switches cannot be enabled simultaneously !
TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
# config: some if these values must be set in config. not setting any of these makes this script meaningless.
# pre vars put ipt/nft code to the rule beginning
#FW_EXTRA_PRE_TPWS_IPT=
#FW_EXTRA_PRE_TPWS_NFT=
#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
# post vars put ipt/nft code to the rule end
#FW_EXTRA_POST_TPWS_IPT=
#FW_EXTRA_POST_TPWS_NFT=
#FW_EXTRA_POST_NFQWS_IPT=
#FW_EXTRA_POST_NFQWS_NFT=
check_std_intersect()
{
[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
return 1
}
[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
return 1
}
return 0
}
zapret_custom_daemons()
{
# $1 - 1 - add, 0 - stop
check_std_intersect || return
local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
standard_mode_daemons "$1"
}
zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
check_std_intersect || return
local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
zapret_do_firewall_standard_tpws_rules_ipt $1
FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
zapret_do_firewall_standard_nfqws_rules_ipt $1
}
zapret_custom_firewall_nft()
{
# stop logic is not required
check_std_intersect || return
local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
zapret_apply_firewall_standard_tpws_rules_nft
FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
zapret_apply_firewall_standard_nfqws_rules_nft
}

4
init.d/sysv/custom.d.examples/50-dht4all → init.d/custom.d.examples.linux/50-dht4all
View File

@ -8,9 +8,9 @@ alloc_qnum QNUM_DHT4ALL
zapret_custom_daemons()
{
# stop logic is managed by procd
# $1 - 1 - add, 0 - stop
local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
do_nfqws $1 $DNUM_DHT4ALL "$opt"
}
zapret_custom_firewall()

2
init.d/sysv/custom.d.examples/50-discord → init.d/custom.d.examples.linux/50-discord
View File

@ -14,7 +14,7 @@ zapret_custom_daemons()
{
# $1 - 1 - run, 0 - stop
local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD"
local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_DESYNC_DISCORD"
do_nfqws $1 $DNUM_DISCORD "$opt"
}

89
init.d/custom.d.examples.linux/50-tpws-ipset
View File

@ -0,0 +1,89 @@
# this custom script demonstrates how to launch extra tpws instance limited by ipset
# can override in config :
TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}"
TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS}
TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}"
TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}"
TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096}
TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}"
alloc_dnum DNUM_TPWS_MY1
alloc_tpws_port PORT_TPWS_MY1
TPWS_MY1_NAME4=my1tpws4
TPWS_MY1_NAME6=my1tpws6
zapret_custom_daemons()
{
# $1 - 1 - run, 0 - stop
local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT"
do_tpws $1 $DNUM_TPWS_MY1 "$opt"
}
zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
local f4 f6 subnet
local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS)
local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"
[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null
ipset flush $TPWS_MY1_NAME4
for subnet in $TPWS_MY1_SUBNETS4; do
echo add $TPWS_MY1_NAME4 $subnet
done | ipset -! restore
}
[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null
ipset flush $TPWS_MY1_NAME6
for subnet in $TPWS_MY1_SUBNETS6; do
echo add $TPWS_MY1_NAME6 $subnet
done | ipset -! restore
}
f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set"
f6="$f4 $TPWS_MY1_NAME6 dst"
f4="$f4 $TPWS_MY1_NAME4 dst"
fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1
[ "$1" = 1 ] || {
ipset destroy $TPWS_MY1_NAME4 2>/dev/null
ipset destroy $TPWS_MY1_NAME6 2>/dev/null
}
}
zapret_custom_firewall_nft()
{
local f4 f6 subnet
[ "$DISABLE_IPV4" != 1 ] && {
make_comma_list subnets $TPWS_MY1_SUBNETS4
nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
nft_flush_set $TPWS_MY1_NAME4
nft_add_set_element $TPWS_MY1_NAME4 "$subnets"
}
[ "$DISABLE_IPV6" != 1 ] && {
make_comma_list subnets $TPWS_MY1_SUBNETS6
nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
nft_flush_set $TPWS_MY1_NAME6
nft_add_set_element $TPWS_MY1_NAME6 "$subnets"
}
f4="tcp dport {$TPWS_MY1_PORTS}"
f6="$f4 ip6 daddr @$TPWS_MY1_NAME6"
f4="$f4 ip daddr @$TPWS_MY1_NAME4"
nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1
}
zapret_custom_firewall_nft_flush()
{
# this function is called after all nft fw rules are deleted
# however sets are not deleted. it's desired to clear sets here.
nft_del_set $TPWS_MY1_NAME4 2>/dev/null
nft_del_set $TPWS_MY1_NAME6 2>/dev/null
}

30
init.d/custom.d.examples.linux/50-wg4all
View File

@ -0,0 +1,30 @@
# this custom script runs desync to all wireguard handshake initiation packets
# can override in config :
NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}"
alloc_dnum DNUM_WG4ALL
alloc_qnum QNUM_WG4ALL
zapret_custom_daemons()
{
# $1 - 1 - add, 0 - stop
local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
do_nfqws $1 $DNUM_WG4ALL "$opt"
}
# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
local f='-p udp -m u32 --u32'
fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
}
zapret_custom_firewall_nft()
{
# stop logic is not required
local f="udp length 156 @th,64,32 0x01000000"
nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
}

38
init.d/openwrt/custom.d.examples/50-dht4all
View File

@ -1,38 +0,0 @@
# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
# can override in config :
NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}"
alloc_dnum DNUM_DHT4ALL
alloc_qnum QNUM_DHT4ALL
zapret_custom_daemons()
{
# stop logic is managed by procd
local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
run_daemon $DNUM_DHT4ALL $NFQWS "$opt"
}
zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
local f uf4 uf6
local first_packet_only="$ipt_connbytes 1:1"
f='-p udp -m length --length 109:407 -m u32 --u32'
uf4='0>>22&0x3C@8>>16=0x6431'
uf6='48>>16=0x6431'
fw_nfqws_post $1 "$f $uf4 $first_packet_only" "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
}
zapret_custom_firewall_nft()
{
# stop logic is not required
local f
local first_packet_only="$nft_connbytes 1"
f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
}

75
init.d/openwrt/custom.d.examples/50-discord
View File

File diff suppressed because one or more lines are too long

1
init.d/openwrt/functions
View File

@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
. "$ZAPRET_BASE/common/ipt.sh"
. "$ZAPRET_BASE/common/nft.sh"
. "$ZAPRET_BASE/common/linux_fw.sh"
. "$ZAPRET_BASE/common/linux_daemons.sh"
. "$ZAPRET_BASE/common/list.sh"
. "$ZAPRET_BASE/common/custom.sh"
CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"

47
init.d/openwrt/zapret
View File

@ -81,6 +81,10 @@ run_tpws()
}
run_daemon $1 "$TPWS" "$OPT $2"
}
do_tpws()
{
[ "$1" = 0 ] || { shift; run_tpws "$@"; }
}
run_tpws_socks()
{
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
@ -90,13 +94,10 @@ run_tpws_socks()
tpws_apply_socks_binds opt
run_daemon $1 "$TPWS" "$opt $2"
}
stop_tpws()
do_tpws_socks()
{
stop_daemon $1 "$TPWS"
[ "$1" = 0 ] || { shift; run_tpws_socks "$@"; }
}
tpws_apply_socks_binds()
{
local o
@ -105,39 +106,27 @@ tpws_apply_socks_binds()
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
for lan in $OPENWRT_LAN; do
network_get_device DEVICE $lan
[ -n "$DEVICE" ] || continue
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
network_get_device DEVICE $lan
[ -n "$DEVICE" ] || continue
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
done
eval $1="\"\$$1 $o\""
}
standard_mode_daemons()
run_nfqws()
{
local opt
[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && {
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
run_tpws 1 "$opt"
}
[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
filter_apply_hostlist_target opt
run_tpws_socks 2 "$opt"
}
[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && {
opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
filter_apply_hostlist_target opt
run_daemon 3 "$NFQWS" "$opt"
}
run_daemon $1 "$NFQWS" "$NFQWS_OPT_BASE $2"
}
do_nfqws()
{
[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
}
start_daemons_procd()
{
standard_mode_daemons
custom_runner zapret_custom_daemons
standard_mode_daemons 1
custom_runner zapret_custom_daemons 1
return 0
}

2
init.d/pfsense/zapret.sh
View File

@ -21,4 +21,4 @@ pfctl -d ; pfctl -e
ipfw delete 100
ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
pkill ^dvtws$
dvtws --daemon --port 989 --dpi-desync=split2
dvtws --daemon --port 989 --dpi-desync=multisplit

43
init.d/sysv/functions
View File

@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
. "$ZAPRET_BASE/common/ipt.sh"
. "$ZAPRET_BASE/common/nft.sh"
. "$ZAPRET_BASE/common/linux_fw.sh"
. "$ZAPRET_BASE/common/linux_daemons.sh"
. "$ZAPRET_BASE/common/list.sh"
. "$ZAPRET_BASE/common/custom.sh"
CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
@ -275,45 +276,3 @@ create_ipset()
echo "Creating ip list table (firewall type $FWTYPE)"
"$IPSET_CR" "$@"
}
standard_mode_daemons()
{
# $1 - 1 - run, 0 - stop
local opt
[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
do_tpws $1 1 "$opt"
}
[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
filter_apply_hostlist_target opt
do_tpws_socks $1 2 "$opt"
}
[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
opt="--qnum=$QNUM $NFQWS_OPT"
filter_apply_hostlist_target opt
do_nfqws $1 3 "$opt"
}
}
zapret_do_daemons()
{
# $1 - 1 - run, 0 - stop
standard_mode_daemons $1
custom_runner zapret_custom_daemons $1
return 0
}
zapret_run_daemons()
{
zapret_do_daemons 1 "$@"
}
zapret_stop_daemons()
{
zapret_do_daemons 0 "$@"
}

2
install_bin.sh
View File

@ -56,7 +56,7 @@ UNAME=$(uname)
unset PKTWS
case $UNAME in
Linux)
ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb lexra ppc"
PKTWS=nfqws
;;
Darwin)

2
install_easy.sh
View File

@ -394,7 +394,7 @@ copy_openwrt()
mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files"
cp -R "$1/files/fake" "$2/files"
cp -R "$1/common" "$1/ipset" "$2"
cp -R "$1/init.d/openwrt" "$2/init.d"
cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d"
cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck.sh" "$2"
cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
}

10
ip2net/Makefile
View File

@ -9,22 +9,22 @@ SRC_FILES = ip2net.c qsort.c
all: ip2net
ip2net: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS)
$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
android: ip2net
bsd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
mac: $(SRC_FILES)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS) $(LDFLAGS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS) $(LDFLAGS)
strip ip2neta ip2netx
lipo -create -output ip2net ip2netx ip2neta
rm -f ip2netx ip2neta
win: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)
clean:
rm -f ip2net *.o

12
mdig/Makefile
View File

@ -10,23 +10,23 @@ SRC_FILES = *.c
all: mdig
mdig: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_ANDROID)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)
bsd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
mac: $(SRC_FILES)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
strip mdiga mdigx
lipo -create -output mdig mdigx mdiga
rm -f mdigx mdiga
win: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)
clean:
rm -f mdig *.o

2
nfq/BSDmakefile
View File

@ -6,7 +6,7 @@ SRC_FILES = *.c crypto/*.c
all: dvtws
dvtws: $(SRC_FILES)
$(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS)
$(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LIBS) $(LDFLAGS)
clean:
rm -f dvtws

12
nfq/Makefile
View File

@ -14,24 +14,24 @@ SRC_FILES = *.c crypto/*.c
all: nfqws
nfqws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LDFLAGS) $(LIBS_LINUX)
$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
android: nfqws
bsd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS_BSD)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LIBS_BSD) $(LDFLAGS)
mac: $(SRC_FILES)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
strip dvtwsa dvtwsx
lipo -create -output dvtws dvtwsx dvtwsa
rm -f dvtwsx dvtwsa
cygwin64:
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64)
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) $(LDFLAGS)
cygwin32:
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32)
$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) $(LDFLAGS)
cygwin: cygwin64
clean:

7
nfq/desync.c
View File

@ -76,13 +76,6 @@ void randomize_default_tls_payload(uint8_t *p)
#define PKTDATA_MAXDUMP 32
#define IP_MAXDUMP 80
static uint8_t zeropkt[DPI_DESYNC_MAX_FAKE_LEN];
void desync_init(void)
{
memset(zeropkt, 0, sizeof(zeropkt));
}
bool desync_valid_zero_stage(enum dpi_desync_mode mode)
{
return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;

1
nfq/desync.h
View File

@ -52,5 +52,4 @@ bool desync_valid_second_stage(enum dpi_desync_mode mode);
bool desync_valid_second_stage_tcp(enum dpi_desync_mode mode);
bool desync_valid_second_stage_udp(enum dpi_desync_mode mode);
void desync_init(void);
uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifout, uint8_t *data_pkt, size_t *len_pkt);

471
nfq/nfqws.c
View File

File diff suppressed because it is too large

2
nfq/params.h
View File

@ -20,8 +20,6 @@
#define TLS_PARTIALS_ENABLE true
#define Q_RCVBUF (128*1024) // in bytes
#define Q_SNDBUF (64*1024) // in bytes
#define RAW_SNDBUF (64*1024) // in bytes
#define Q_MAXLEN 1024 // in packets

2
nfq/protocol.c
View File

@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st
}
const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
const char *HttpMethod(const uint8_t *data, size_t len)
{
const char **method;

4
nfq/sec.c
View File

@ -88,10 +88,6 @@ SYS_symlinkat,
SYS_link,
#endif
SYS_linkat,
#ifdef SYS_pkey_mprotect
SYS_pkey_mprotect,
#endif
SYS_mprotect,
SYS_truncate,
#ifdef SYS_truncate64
SYS_truncate64,

2
tpws/BSDmakefile
View File

@ -6,7 +6,7 @@ SRC_FILES = *.c
all: tpws
tpws: $(SRC_FILES)
$(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
$(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
clean:
rm -f tpws *.o

10
tpws/Makefile
View File

@ -9,17 +9,17 @@ SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
all: tpws
tpws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LDFLAGS) $(LIBS)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LDFLAGS) $(LIBS_ANDROID)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
bsd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
mac: $(SRC_FILES)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
strip tpwsa tpwsx
lipo -create -output tpws tpwsx tpwsa
rm -f tpwsx tpwsa

14
tpws/helpers.c
View File

@ -12,10 +12,6 @@
#include <libgen.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/tcp.h>
#endif
#ifdef __ANDROID__
#include "andr/ifaddrs.h"
#else
@ -23,6 +19,10 @@
#endif
#include "helpers.h"
#ifdef __linux__
#include <linux/tcp.h>
#endif
#include "linux_compat.h"
int unique_size_t(size_t *pu, int ct)
{
@ -481,7 +481,7 @@ void msleep(unsigned int ms)
bool socket_supports_notsent()
{
int sfd;
struct tcp_info tcpi;
struct tcp_info_new tcpi;
sfd = socket(AF_INET,SOCK_STREAM,0);
if (sfd<0) return false;
@ -494,11 +494,11 @@ bool socket_supports_notsent()
}
close(sfd);
return ts>=((char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi.tcpi_state + sizeof(tcpi.tcpi_notsent_bytes));
return ts>=((char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi + sizeof(tcpi.tcpi_notsent_bytes));
}
bool socket_has_notsent(int sfd)
{
struct tcp_info tcpi;
struct tcp_info_new tcpi;
socklen_t ts = sizeof(tcpi);
if (getsockopt(sfd, IPPROTO_TCP, TCP_INFO, (char *)&tcpi, &ts) < 0)

111
tpws/linux_compat.h
View File

@ -0,0 +1,111 @@
#ifdef __linux__
#include <linux/types.h>
#ifndef TCP_USER_TIMEOUT
#define TCP_USER_TIMEOUT 18
#endif
#ifndef IP6T_SO_ORIGINAL_DST
#define IP6T_SO_ORIGINAL_DST 80
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
// workaround for old headers
struct tcp_info_new {
__u8 tcpi_state;
__u8 tcpi_ca_state;
__u8 tcpi_retransmits;
__u8 tcpi_probes;
__u8 tcpi_backoff;
__u8 tcpi_options;
__u8 tcpi_snd_wscale : 4, tcpi_rcv_wscale : 4;
__u8 tcpi_delivery_rate_app_limited : 1, tcpi_fastopen_client_fail : 2;
__u32 tcpi_rto;
__u32 tcpi_ato;
__u32 tcpi_snd_mss;
__u32 tcpi_rcv_mss;
__u32 tcpi_unacked;
__u32 tcpi_sacked;
__u32 tcpi_lost;
__u32 tcpi_retrans;
__u32 tcpi_fackets;
/* Times. */
__u32 tcpi_last_data_sent;
__u32 tcpi_last_ack_sent; /* Not remembered, sorry. */
__u32 tcpi_last_data_recv;
__u32 tcpi_last_ack_recv;
/* Metrics. */
__u32 tcpi_pmtu;
__u32 tcpi_rcv_ssthresh;
__u32 tcpi_rtt;
__u32 tcpi_rttvar;
__u32 tcpi_snd_ssthresh;
__u32 tcpi_snd_cwnd;
__u32 tcpi_advmss;
__u32 tcpi_reordering;
__u32 tcpi_rcv_rtt;
__u32 tcpi_rcv_space;
__u32 tcpi_total_retrans;
__u64 tcpi_pacing_rate;
__u64 tcpi_max_pacing_rate;
__u64 tcpi_bytes_acked; /* RFC4898 tcpEStatsAppHCThruOctetsAcked */
__u64 tcpi_bytes_received; /* RFC4898 tcpEStatsAppHCThruOctetsReceived */
__u32 tcpi_segs_out; /* RFC4898 tcpEStatsPerfSegsOut */
__u32 tcpi_segs_in; /* RFC4898 tcpEStatsPerfSegsIn */
__u32 tcpi_notsent_bytes;
__u32 tcpi_min_rtt;
__u32 tcpi_data_segs_in; /* RFC4898 tcpEStatsDataSegsIn */
__u32 tcpi_data_segs_out; /* RFC4898 tcpEStatsDataSegsOut */
__u64 tcpi_delivery_rate;
__u64 tcpi_busy_time; /* Time (usec) busy sending data */
__u64 tcpi_rwnd_limited; /* Time (usec) limited by receive window */
__u64 tcpi_sndbuf_limited; /* Time (usec) limited by send buffer */
__u32 tcpi_delivered;
__u32 tcpi_delivered_ce;
__u64 tcpi_bytes_sent; /* RFC4898 tcpEStatsPerfHCDataOctetsOut */
__u64 tcpi_bytes_retrans; /* RFC4898 tcpEStatsPerfOctetsRetrans */
__u32 tcpi_dsack_dups; /* RFC4898 tcpEStatsStackDSACKDups */
__u32 tcpi_reord_seen; /* reordering events seen */
__u32 tcpi_rcv_ooopack; /* Out-of-order packets received */
__u32 tcpi_snd_wnd; /* peer's advertised receive window after
* scaling (bytes)
*/
__u32 tcpi_rcv_wnd; /* local advertised receive window after
* scaling (bytes)
*/
__u32 tcpi_rehash; /* PLB or timeout triggered rehash attempts */
__u16 tcpi_total_rto; /* Total number of RTO timeouts, including
* SYN/SYN-ACK and recurring timeouts.
*/
__u16 tcpi_total_rto_recoveries; /* Total number of RTO
* recoveries, including any
* unfinished recovery.
*/
__u32 tcpi_total_rto_time; /* Total time spent in RTO recoveries
* in milliseconds, including any
* unfinished recovery.
*/
};
#endif

2
tpws/params.h
View File

@ -18,7 +18,7 @@
#define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT 3
#define HOSTLIST_AUTO_FAIL_TIME_DEFAULT 60
#define FIX_SEG_DEFAULT_MAX_WAIT 30
#define FIX_SEG_DEFAULT_MAX_WAIT 50
enum bindll { unwanted=0, no, prefer, force };

2
tpws/protocol.c
View File

@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st
}
const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
const char *HttpMethod(const uint8_t *data, size_t len)
{
const char **method;

4
tpws/redirect.c
View File

@ -9,12 +9,10 @@
#include "params.h"
#include "helpers.h"
#include "linux_compat.h"
#ifdef __linux__
#include <linux/netfilter_ipv4.h>
#ifndef IP6T_SO_ORIGINAL_DST
#define IP6T_SO_ORIGINAL_DST 80
#endif
#endif

104
tpws/tpws.c
View File

@ -176,6 +176,7 @@ static void exithelp(void)
" --debug=0|1|2|syslog|@<filename>\t; 1 and 2 means log to console and set debug level. for other targets use --debug-level.\n"
" --debug-level=0|1|2\t\t\t; specify debug level\n"
" --dry-run\t\t\t\t; verify parameters and exit with code 0 if successful\n"
" --comment=any_text\n"
"\nMULTI-STRATEGY:\n"
" --new\t\t\t\t\t; begin new strategy\n"
" --skip\t\t\t\t\t; do not use this strategy\n"
@ -669,21 +670,22 @@ void parse_params(int argc, char *argv[])
{ "debug",optional_argument,0,0 },// optidx=45
{ "debug-level",required_argument,0,0 },// optidx=46
{ "dry-run",no_argument,0,0 },// optidx=47
{ "local-rcvbuf",required_argument,0,0 },// optidx=48
{ "local-sndbuf",required_argument,0,0 },// optidx=49
{ "remote-rcvbuf",required_argument,0,0 },// optidx=50
{ "remote-sndbuf",required_argument,0,0 },// optidx=51
{ "socks",no_argument,0,0 },// optidx=52
{ "no-resolve",no_argument,0,0 },// optidx=53
{ "resolver-threads",required_argument,0,0 },// optidx=54
{ "skip-nodelay",no_argument,0,0 },// optidx=55
{ "tamper-start",required_argument,0,0 },// optidx=56
{ "tamper-cutoff",required_argument,0,0 },// optidx=57
{ "connect-bind-addr",required_argument,0,0 },// optidx=58
{ "new",no_argument,0,0 }, // optidx=59
{ "skip",no_argument,0,0 }, // optidx=60
{ "filter-l3",required_argument,0,0 }, // optidx=61
{ "comment",optional_argument,0,0 },// optidx=48
{ "local-rcvbuf",required_argument,0,0 },// optidx=49
{ "local-sndbuf",required_argument,0,0 },// optidx=50
{ "remote-rcvbuf",required_argument,0,0 },// optidx=51
{ "remote-sndbuf",required_argument,0,0 },// optidx=52
{ "socks",no_argument,0,0 },// optidx=53
{ "no-resolve",no_argument,0,0 },// optidx=54
{ "resolver-threads",required_argument,0,0 },// optidx=55
{ "skip-nodelay",no_argument,0,0 },// optidx=56
{ "tamper-start",required_argument,0,0 },// optidx=57
{ "tamper-cutoff",required_argument,0,0 },// optidx=58
{ "connect-bind-addr",required_argument,0,0 },// optidx=59
{ "new",no_argument,0,0 }, // optidx=60
{ "skip",no_argument,0,0 }, // optidx=61
{ "filter-l3",required_argument,0,0 }, // optidx=62
{ "filter-tcp",required_argument,0,0 }, // optidx=63
{ "filter-l7",required_argument,0,0 }, // optidx=64
{ "ipset",required_argument,0,0 }, // optidx=65
@ -692,17 +694,17 @@ void parse_params(int argc, char *argv[])
{ "ipset-exclude-ip",required_argument,0,0 }, // optidx=68
#if defined(__FreeBSD__)
{ "enable-pf",no_argument,0,0 },// optidx=68
{ "enable-pf",no_argument,0,0 },// optidx=69
#elif defined(__APPLE__)
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=68
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=69
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=69
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=70
#elif defined(__linux__)
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=68
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=69
{ "mss",required_argument,0,0 }, // optidx=70
{ "fix-seg",optional_argument,0,0 }, // optidx=71
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=69
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=70
{ "mss",required_argument,0,0 }, // optidx=71
{ "fix-seg",optional_argument,0,0 }, // optidx=72
#ifdef SPLICE_PRESENT
{ "nosplice",no_argument,0,0 }, // optidx=72
{ "nosplice",no_argument,0,0 }, // optidx=73
#endif
#endif
{ "hostlist-auto-retrans-threshold",optional_argument,0,0}, // ignored. for nfqws command line compatibility
@ -711,10 +713,12 @@ void parse_params(int argc, char *argv[])
while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
{
if (v)
{
if (bDry)
exit_clean(1);
else
exithelp_clean();
}
switch (option_index)
{
case 0:
@ -1151,41 +1155,43 @@ void parse_params(int argc, char *argv[])
case 47: /* dry-run */
bDry = true;
break;
case 48: /* local-rcvbuf */
case 48: /* comment */
break;
case 49: /* local-rcvbuf */
#ifdef __linux__
params.local_rcvbuf = atoi(optarg)/2;
#else
params.local_rcvbuf = atoi(optarg);
#endif
break;
case 49: /* local-sndbuf */
case 50: /* local-sndbuf */
#ifdef __linux__
params.local_sndbuf = atoi(optarg)/2;
#else
params.local_sndbuf = atoi(optarg);
#endif
break;
case 50: /* remote-rcvbuf */
case 51: /* remote-rcvbuf */
#ifdef __linux__
params.remote_rcvbuf = atoi(optarg)/2;
#else
params.remote_rcvbuf = atoi(optarg);
#endif
break;
case 51: /* remote-sndbuf */
case 52: /* remote-sndbuf */
#ifdef __linux__
params.remote_sndbuf = atoi(optarg)/2;
#else
params.remote_sndbuf = atoi(optarg);
#endif
break;
case 52: /* socks */
case 53: /* socks */
params.proxy_type = CONN_TYPE_SOCKS;
break;
case 53: /* no-resolve */
case 54: /* no-resolve */
params.no_resolve = true;
break;
case 54: /* resolver-threads */
case 55: /* resolver-threads */
params.resolver_threads = atoi(optarg);
if (params.resolver_threads<1 || params.resolver_threads>300)
{
@ -1193,10 +1199,10 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 55: /* skip-nodelay */
case 56: /* skip-nodelay */
params.skip_nodelay = true;
break;
case 56: /* tamper-start */
case 57: /* tamper-start */
{
const char *p=optarg;
if (*p=='n')
@ -1210,7 +1216,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper_lim = true;
break;
case 57: /* tamper-cutoff */
case 58: /* tamper-cutoff */
{
const char *p=optarg;
if (*p=='n')
@ -1224,7 +1230,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper_lim = true;
break;
case 58: /* connect-bind-addr */
case 59: /* connect-bind-addr */
{
char *p = strchr(optarg,'%');
if (p) *p++=0;
@ -1252,7 +1258,7 @@ void parse_params(int argc, char *argv[])
break;
case 59: /* new */
case 60: /* new */
if (bSkip)
{
dp_clear(dp);
@ -1273,31 +1279,31 @@ void parse_params(int argc, char *argv[])
anon_hl = anon_hl_exclude = NULL;
anon_ips = anon_ips_exclude = NULL;
break;
case 60: /* skip */
case 61: /* skip */
bSkip = true;
break;
case 61: /* filter-l3 */
case 62: /* filter-l3 */
if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
{
DLOG_ERR("bad value for --filter-l3\n");
exit_clean(1);
}
break;
case 62: /* filter-tcp */
case 63: /* filter-tcp */
if (!parse_pf_list(optarg,&dp->pf_tcp))
{
DLOG_ERR("Invalid port filter : %s\n",optarg);
exit_clean(1);
}
break;
case 63: /* filter-l7 */
case 64: /* filter-l7 */
if (!parse_l7_list(optarg,&dp->filter_l7))
{
DLOG_ERR("Invalid l7 filter : %s\n",optarg);
exit_clean(1);
}
break;
case 64: /* ipset */
case 65: /* ipset */
if (bSkip) break;
if (!RegisterIpset(dp, false, optarg))
{
@ -1306,7 +1312,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 65: /* ipset-ip */
case 66: /* ipset-ip */
if (bSkip) break;
if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
{
@ -1320,7 +1326,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 66: /* ipset-exclude */
case 67: /* ipset-exclude */
if (bSkip) break;
if (!RegisterIpset(dp, true, optarg))
{
@ -1329,7 +1335,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 67: /* ipset-exclude-ip */
case 68: /* ipset-exclude-ip */
if (bSkip) break;
if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
{
@ -1345,11 +1351,11 @@ void parse_params(int argc, char *argv[])
break;
#if defined(__FreeBSD__)
case 68: /* enable-pf */
case 69: /* enable-pf */
params.pf_enable = true;
break;
#elif defined(__linux__) || defined(__APPLE__)
case 68: /* local-tcp-user-timeout */
case 69: /* local-tcp-user-timeout */
params.tcp_user_timeout_local = atoi(optarg);
if (params.tcp_user_timeout_local<0 || params.tcp_user_timeout_local>86400)
{
@ -1357,7 +1363,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 69: /* remote-tcp-user-timeout */
case 70: /* remote-tcp-user-timeout */
params.tcp_user_timeout_remote = atoi(optarg);
if (params.tcp_user_timeout_remote<0 || params.tcp_user_timeout_remote>86400)
{
@ -1368,7 +1374,7 @@ void parse_params(int argc, char *argv[])
#endif
#if defined(__linux__)
case 70: /* mss */
case 71: /* mss */
// this option does not work in any BSD and MacOS. OS may accept but it changes nothing
dp->mss = atoi(optarg);
if (dp->mss<88 || dp->mss>32767)
@ -1377,7 +1383,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 71: /* fix-seg */
case 72: /* fix-seg */
if (!params.fix_seg_avail)
{
DLOG_ERR("--fix-seg is supported since kernel 4.6\n");
@ -1397,7 +1403,7 @@ void parse_params(int argc, char *argv[])
params.fix_seg = FIX_SEG_DEFAULT_MAX_WAIT;
break;
#ifdef SPLICE_PRESENT
case 72: /* nosplice */
case 73: /* nosplice */
params.nosplice = true;
break;
#endif

1
tpws/tpws_conn.c
View File

@ -23,6 +23,7 @@
#include "socks.h"
#include "helpers.h"
#include "hostlist.h"
#include "linux_compat.h"
// keep separate legs counter. counting every time thousands of legs can consume cpu
static int legs_local, legs_remote;

Write Preview
Loading…
Cancel
Save