From e42a545ebc27e51d73710e68833eee2b7904e998 Mon Sep 17 00:00:00 2001 From: bol-van Date: Wed, 4 Dec 2024 16:18:31 +0300 Subject: [PATCH 01/49] init.d: 50-tpws-ipset custom script example --- .../openwrt/custom.d.examples/50-tpws-ipset | 89 +++++++++++++++++++ init.d/sysv/custom.d.examples/50-tpws-ipset | 89 +++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 init.d/openwrt/custom.d.examples/50-tpws-ipset create mode 100644 init.d/sysv/custom.d.examples/50-tpws-ipset diff --git a/init.d/openwrt/custom.d.examples/50-tpws-ipset b/init.d/openwrt/custom.d.examples/50-tpws-ipset new file mode 100644 index 0000000..65be97e --- /dev/null +++ b/init.d/openwrt/custom.d.examples/50-tpws-ipset 
@@ -0,0 +1,89 @@ +# this custom script demonstrates how to launch extra tpws instance limited by ipset + +# can override in config : +TPWS_MY1_OPT="${TPWS_OPT_MY1:---oob --split-pos=midsld}" +TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS} +TPWS_MY1_SUBNETS4="${TPWS_MY1_4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" +TPWS_MY1_SUBNETS6="${TPWS_MY1_6:-2607:F8B0::/32 2a00:1450:4000::/37}" + +TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096} +TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}" + +alloc_dnum DNUM_TPWS_MY1 +alloc_tpws_port PORT_TPWS_MY1 +TPWS_MY1_NAME4=my1tpws4 +TPWS_MY1_NAME6=my1tpws6 + +zapret_custom_daemons() +{ + # stop logic is managed by procd + + local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT" + run_tpws $DNUM_TPWS_MY1 "$opt" +} + +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local f4 f6 subnet + local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS) + local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst" + + [ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && { + ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null + ipset flush $TPWS_MY1_NAME4 + for subnet in $TPWS_MY1_SUBNETS4; do + echo add $TPWS_MY1_NAME4 $subnet + done | ipset -! restore + } + [ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && { + ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null + ipset flush $TPWS_MY1_NAME6 + for subnet in $TPWS_MY1_SUBNETS6; do + echo add $TPWS_MY1_NAME6 $subnet + done | ipset -! 
restore + } + + f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set" + f6="$f4 $TPWS_MY1_NAME6 dst" + f4="$f4 $TPWS_MY1_NAME4 dst" + fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1 + + [ "$1" = 1 ] || { + ipset destroy $TPWS_MY1_NAME4 2>/dev/null + ipset destroy $TPWS_MY1_NAME6 2>/dev/null + } +} + +zapret_custom_firewall_nft() +{ + local f4 f6 subnet + + [ "$DISABLE_IPV4" != 1 ] && { + make_comma_list subnets $TPWS_MY1_SUBNETS4 + nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;" + nft_flush_set $TPWS_MY1_NAME4 + nft_add_set_element $TPWS_MY1_NAME4 "$subnets" + } + [ "$DISABLE_IPV6" != 1 ] && { + make_comma_list subnets $TPWS_MY1_SUBNETS6 + nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;" + nft_flush_set $TPWS_MY1_NAME6 + nft_add_set_element $TPWS_MY1_NAME6 "$subnets" + } + + f4="tcp dport {$TPWS_MY1_PORTS}" + f6="$f4 ip6 daddr @$TPWS_MY1_NAME6" + f4="$f4 ip daddr @$TPWS_MY1_NAME4" + nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1 +} + +zapret_custom_firewall_nft_flush() +{ + # this function is called after all nft fw rules are deleted + # however sets are not deleted. it's desired to clear sets here. + + nft_del_set $TPWS_MY1_NAME4 2>/dev/null + nft_del_set $TPWS_MY1_NAME6 2>/dev/null +} diff --git a/init.d/sysv/custom.d.examples/50-tpws-ipset b/init.d/sysv/custom.d.examples/50-tpws-ipset new file mode 100644 index 0000000..0f5de0b --- /dev/null +++ b/init.d/sysv/custom.d.examples/50-tpws-ipset 
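Review bot: `local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"` in zapret_custom_firewall is assigned and never read; the rule strings are built from f4/f6 a few lines below, so that line should be dropped. In zapret_custom_firewall_nft the variable `subnets` is filled by make_comma_list (presumably through the name passed as its first argument) but is not declared local, while the declared `subnet` is never used in that function, so `local f4 f6 subnet` should become `local f4 f6 subnets` to keep the comma list from leaking into the caller's environment. The sysv copy of this script in the next hunk has the same two issues.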
@@ -0,0 +1,89 @@ +# this custom script demonstrates how to launch extra tpws instance limited by ipset + +# can override in config : +TPWS_MY1_OPT="${TPWS_OPT_MY1:---oob --split-pos=midsld}" +TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS} +TPWS_MY1_SUBNETS4="${TPWS_MY1_4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" +TPWS_MY1_SUBNETS6="${TPWS_MY1_6:-2607:F8B0::/32 2a00:1450:4000::/37}" + +TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096} +TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}" + +alloc_dnum DNUM_TPWS_MY1 +alloc_tpws_port PORT_TPWS_MY1 +TPWS_MY1_NAME4=my1tpws4 +TPWS_MY1_NAME6=my1tpws6 + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT" + do_tpws $1 $DNUM_TPWS_MY1 "$opt" +} + +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local f4 f6 subnet + local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS) + local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst" + + [ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && { + ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null + ipset flush $TPWS_MY1_NAME4 + for subnet in $TPWS_MY1_SUBNETS4; do + echo add $TPWS_MY1_NAME4 $subnet + done | ipset -! restore + } + [ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && { + ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null + ipset flush $TPWS_MY1_NAME6 + for subnet in $TPWS_MY1_SUBNETS6; do + echo add $TPWS_MY1_NAME6 $subnet + done | ipset -! 
restore + } + + f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set" + f6="$f4 $TPWS_MY1_NAME6 dst" + f4="$f4 $TPWS_MY1_NAME4 dst" + fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1 + + [ "$1" = 1 ] || { + ipset destroy $TPWS_MY1_NAME4 2>/dev/null + ipset destroy $TPWS_MY1_NAME6 2>/dev/null + } +} + +zapret_custom_firewall_nft() +{ + local f4 f6 subnet + + [ "$DISABLE_IPV4" != 1 ] && { + make_comma_list subnets $TPWS_MY1_SUBNETS4 + nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;" + nft_flush_set $TPWS_MY1_NAME4 + nft_add_set_element $TPWS_MY1_NAME4 "$subnets" + } + [ "$DISABLE_IPV6" != 1 ] && { + make_comma_list subnets $TPWS_MY1_SUBNETS6 + nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;" + nft_flush_set $TPWS_MY1_NAME6 + nft_add_set_element $TPWS_MY1_NAME6 "$subnets" + } + + f4="tcp dport {$TPWS_MY1_PORTS}" + f6="$f4 ip6 daddr @$TPWS_MY1_NAME6" + f4="$f4 ip daddr @$TPWS_MY1_NAME4" + nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1 +} + +zapret_custom_firewall_nft_flush() +{ + # this function is called after all nft fw rules are deleted + # however sets are not deleted. it's desired to clear sets here. + + nft_del_set $TPWS_MY1_NAME4 2>/dev/null + nft_del_set $TPWS_MY1_NAME6 2>/dev/null +} From 08645997f8b00b17b152482e3df5a8473a11876c Mon Sep 17 00:00:00 2001 From: bol-van Date: Wed, 4 Dec 2024 16:23:44 +0300 Subject: [PATCH 02/49] 50-tpws-ipset: fix var names --- init.d/openwrt/custom.d.examples/50-tpws-ipset | 6 +++--- init.d/sysv/custom.d.examples/50-tpws-ipset | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/init.d/openwrt/custom.d.examples/50-tpws-ipset b/init.d/openwrt/custom.d.examples/50-tpws-ipset index 65be97e..1a78ce9 100644 --- a/init.d/openwrt/custom.d.examples/50-tpws-ipset +++ b/init.d/openwrt/custom.d.examples/50-tpws-ipset 
@@ -1,10 +1,10 @@ # this custom script demonstrates how to launch extra tpws instance limited by ipset # can override in config : -TPWS_MY1_OPT="${TPWS_OPT_MY1:---oob --split-pos=midsld}" +TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}" TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS} -TPWS_MY1_SUBNETS4="${TPWS_MY1_4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" -TPWS_MY1_SUBNETS6="${TPWS_MY1_6:-2607:F8B0::/32 2a00:1450:4000::/37}" +TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" +TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}" TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096} TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}" diff --git a/init.d/sysv/custom.d.examples/50-tpws-ipset b/init.d/sysv/custom.d.examples/50-tpws-ipset index 0f5de0b..86898f9 100644 --- a/init.d/sysv/custom.d.examples/50-tpws-ipset +++ b/init.d/sysv/custom.d.examples/50-tpws-ipset 
@@ -1,10 +1,10 @@ # this custom script demonstrates how to launch extra tpws instance limited by ipset # can override in config : -TPWS_MY1_OPT="${TPWS_OPT_MY1:---oob --split-pos=midsld}" +TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}" TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS} -TPWS_MY1_SUBNETS4="${TPWS_MY1_4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" -TPWS_MY1_SUBNETS6="${TPWS_MY1_6:-2607:F8B0::/32 2a00:1450:4000::/37}" +TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" +TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}" TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096} TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}" From c4f53549b1a9de6f902d89ec8277a7c505c20c3a Mon Sep 17 00:00:00 2001 From: bol-van Date: Thu, 5 Dec 2024 18:05:02 +0300 Subject: [PATCH 03/49] quick_start_windows: simplify win7 --- docs/quick_start_windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/quick_start_windows.md b/docs/quick_start_windows.md index 6443f2d..6b76898 100644 --- a/docs/quick_start_windows.md +++ b/docs/quick_start_windows.md @@ -59,7 +59,7 @@ _"Совсем ничего не могу, все очень сложно, да 1) Скачайте и распакуйте архив https://github.com/bol-van/zapret-win-bundle/archive/refs/heads/master.zip. -2) Если у вас Windows 7 x64, читайте [docs/windows.md](./windows.md). Без описанной там подготовки может не работать. +2) Если у вас Windows 7 x64, однократно запустите `win7/install_win7.cmd`. Батник заменит файлы windivert на совместимую с Windows 7 версию. > [!WARNING] > Для 32-битных систем Windows нет готового полного варианта. From 21e08ca55e06758548a8c1a39a5010969a9fb6da Mon Sep 17 00:00:00 2001 
From: bol-van Date: Thu, 5 Dec 2024 19:23:39 +0300 Subject: [PATCH 04/49] tpws,nfqws: fix recognition of CONNECT and OPTIONS http methods --- nfq/protocol.c | 2 +- tpws/protocol.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nfq/protocol.c b/nfq/protocol.c index 62f5f0e..1c1142f 100644 --- a/nfq/protocol.c +++ b/nfq/protocol.c @@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st } -const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL }; +const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL }; const char *HttpMethod(const uint8_t *data, size_t len) { const char **method; diff --git a/tpws/protocol.c b/tpws/protocol.c index edd2b5a..9639186 100644 --- a/tpws/protocol.c +++ b/tpws/protocol.c @@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st } -const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL }; +const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL }; const char *HttpMethod(const uint8_t *data, size_t len) { const char **method; From d6688b935d93024acb8e51081978eb1b9e900305 Mon Sep 17 00:00:00 2001 From: bol-van Date: Thu, 5 Dec 2024 21:55:48 +0300 Subject: [PATCH 05/49] winws: fix non-working --dry-run --- nfq/nfqws.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 8f05553..ce72ba1 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -1407,7 +1407,6 @@ int main(int argc, char **argv) params.debug_target = LOG_TARGET_CONSOLE; } break; -#ifndef __CYGWIN__ case 1: /* dry-run */ bDry=true; break; @@ -1431,7 +1430,6 @@ int main(int argc, char **argv) } #endif break; -#endif case 3: /* daemon */ daemon = true; break; 
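Review bot: The new `"OPTIONS "` and `"CONNECT "` entries in http_methods carry no comment saying why these two alone lose the `/`, and a reader is likely to "fix" them back to the pattern of the other entries. Suggest a comment above the table: `// OPTIONS and CONNECT need not use origin-form: "OPTIONS *" (asterisk-form) and "CONNECT host:port" (authority-form) are valid, so only the method name and the following space are matched`. With only the space matched, any request line beginning with `OPTIONS ` or `CONNECT ` is now accepted regardless of target form, which appears intended given that the other entries check nothing beyond the `/`. The table is duplicated verbatim in nfq/protocol.c and tpws/protocol.c (both hunks in this commit), so the comment belongs in both, and HttpMethod's body continues outside the hunk.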
From de63ee7321e43adcd1a2ebeaa7b69d48586ff108 Mon Sep 17 00:00:00 2001 From: bol-van Date: Fri, 6 Dec 2024 11:26:50 +0300 Subject: [PATCH 06/49] quick_start_windows: improve link --- docs/quick_start_windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/quick_start_windows.md b/docs/quick_start_windows.md index 6b76898..085dff3 100644 --- a/docs/quick_start_windows.md +++ b/docs/quick_start_windows.md @@ -123,7 +123,7 @@ blockcheck перейдет в этом случае на **DoH** _(DNS over HTT > она стабильна, на третьих полный хаос, и проще отказаться. > > Далее, имея понимание что работает на http, https, quic, нужно сконструировать параметры запуска winws - > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md). + > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии). > > Прежде всего вам нужно собрать фильтр перехватываемого трафика. Это делается через параметры > `--wf-l3`, `--wf-tcp`, `--wf-udp`. From 4e5caf4087d79ada0715387dbb14035783b6be41 Mon Sep 17 00:00:00 2001 From: bol-van Date: Fri, 6 Dec 2024 11:41:06 +0300 Subject: [PATCH 07/49] quick_start: improve link --- docs/quick_start.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/quick_start.md b/docs/quick_start.md index f6dd5ca..73f8cf4 100644 --- a/docs/quick_start.md +++ b/docs/quick_start.md @@ -158,7 +158,7 @@ > > Далее, имея понимание что работает на http, https, quic нужно > сконструировать параметры запуска `tpws` и/или `nfqws` с использованием - > мультистратегии. Как работают мультистратегии описано в readme.txt. + > мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии). > > Если кратко, то обычно параметры конструируются так: > ```sh From c802069a1128c1d427725fa4f8b634727a246434 Mon Sep 17 00:00:00 2001 
From: bol-van Date: Sat, 7 Dec 2024 20:51:29 +0300 Subject: [PATCH 08/49] nfqws: fix nfq recv result and error handling --- nfq/nfqws.c | 91 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 58 insertions(+), 33 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index ce72ba1..c7d5870 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c 
@@ -152,50 +152,62 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da DLOG("packet: id=%d pass unmodified\n", id); return nfq_set_verdict2(qh, id, NF_ACCEPT, mark, 0, NULL); } -static int nfq_main(void) +bool nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh) { - struct nfq_handle *h = NULL; - struct nfq_q_handle *qh = NULL; - int fd,rv; - uint8_t buf[16384] __attribute__((aligned)); + if (*qh) + { + DLOG_CONDUP("unbinding from queue %u\n", params.qnum); + nfq_destroy_queue(*qh); + *qh = NULL; + } + if (*h) + { + DLOG_CONDUP("closing library handle\n"); + nfq_close(*h); + *h = NULL; + } +} +bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh) +{ + nfq_deinit(h,qh); DLOG_CONDUP("opening library handle\n"); - h = nfq_open(); - if (!h) { + *h = nfq_open(); + if (!*h) { DLOG_PERROR("nfq_open()"); goto exiterr; } DLOG_CONDUP("unbinding existing nf_queue handler for AF_INET (if any)\n"); - if (nfq_unbind_pf(h, AF_INET) < 0) { + if (nfq_unbind_pf(*h, AF_INET) < 0) { DLOG_PERROR("nfq_unbind_pf()"); goto exiterr; } DLOG_CONDUP("binding nfnetlink_queue as nf_queue handler for AF_INET\n"); - if (nfq_bind_pf(h, AF_INET) < 0) { + if (nfq_bind_pf(*h, AF_INET) < 0) { DLOG_PERROR("nfq_bind_pf()"); goto exiterr; } DLOG_CONDUP("binding this socket to queue '%u'\n", params.qnum); - qh = nfq_create_queue(h, params.qnum, &nfq_cb, ¶ms); + *qh = nfq_create_queue(*h, params.qnum, &nfq_cb, ¶ms); if (!qh) { DLOG_PERROR("nfq_create_queue()"); goto exiterr; } DLOG_CONDUP("setting copy_packet mode\n"); - if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) { + if (nfq_set_mode(*qh, NFQNL_COPY_PACKET, 0xffff) < 0) { DLOG_PERROR("can't set packet_copy mode"); goto exiterr; } - if (nfq_set_queue_maxlen(qh, Q_MAXLEN) < 0) { + if (nfq_set_queue_maxlen(*qh, Q_MAXLEN) < 0) { DLOG_PERROR("can't set queue maxlen"); goto exiterr; } // accept packets if they cant be handled - if (nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN , NFQA_CFG_F_FAIL_OPEN)) + if 
(nfq_set_queue_flags(*qh, NFQA_CFG_F_FAIL_OPEN , NFQA_CFG_F_FAIL_OPEN)) { DLOG_ERR("can't set queue flags. its OK on linux <3.6\n"); // dot not fail. not supported on old linuxes <3.6 @@ -205,6 +217,25 @@ static int nfq_main(void) if (!rawsend_preinit(params.bind_fix4,params.bind_fix6)) goto exiterr; + // increase socket buffer size. on slow systems reloading hostlist can take a while. + // if too many unhandled packets are received its possible to get "no buffer space available" error + if (!set_socket_buffers(nfq_fd(*h),Q_RCVBUF/2,Q_SNDBUF/2)) + goto exiterr; + + return true; +exiterr: + nfq_deinit(h,qh); + return false; +} + +static int nfq_main(void) +{ + uint8_t buf[16384] __attribute__((aligned)); + struct nfq_handle *h = NULL; + struct nfq_q_handle *qh = NULL; + int fd,e; + ssize_t rd; + #ifndef __CYGWIN__ sec_harden(); 
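Review bot: In nfq_init the NULL check after nfq_create_queue tests the out-parameter pointer itself, `if (!qh) {`, which is never NULL, so a failed queue creation goes undetected and nfq_set_mode is then called with a NULL queue handle; the line should read `if (!*qh) {`. Every other use in the hunk was converted to `*h`/`*qh` and this one was missed. nfq_init's body continues into the next hunk.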
@@ -216,36 +247,30 @@ static int nfq_main(void) pre_desync(); - fd = nfq_fd(h); + nfq_init(&h,&qh); - // increase socket buffer size. on slow systems reloading hostlist can take a while. - // if too many unhandled packets are received its possible to get "no buffer space available" error - if (!set_socket_buffers(fd,Q_RCVBUF/2,Q_SNDBUF/2)) - goto exiterr; + fd = nfq_fd(h); do { - while ((rv = recv(fd, buf, sizeof(buf), 0)) > 0) + while ((rd = recv(fd, buf, sizeof(buf), 0)) >= 0) { - int r = nfq_handle_packet(h, (char *)buf, rv); - if (r) DLOG_ERR("nfq_handle_packet error %d\n", r); + if (rd) + { + int r = nfq_handle_packet(h, (char *)buf, (int)rd); + if (r) DLOG_ERR("nfq_handle_packet error %d\n", r); + } + else + DLOG("recv from nfq returned 0 !\n"); } - DLOG_ERR("recv: errno %d\n",errno); + e=errno; + DLOG_ERR("recv: recv=%zd errno %d\n",rd,e); + errno=e; DLOG_PERROR("recv"); // do not fail on ENOBUFS } while(errno==ENOBUFS); - DLOG_CONDUP("unbinding from queue %u\n", params.qnum); - nfq_destroy_queue(qh); - -#ifdef INSANE - /* normally, applications SHOULD NOT issue this command, since - * it detaches other programs/sockets from AF_INET, too ! */ - DLOG_CONDUP("unbinding from AF_INET\n"); - nfq_unbind_pf(h, AF_INET); -#endif + nfq_deinit(&h,&qh); - DLOG_CONDUP("closing library handle\n"); - nfq_close(h); return 0; exiterr: From 9e9136cffdbb3acc58a609f5d66284d2fdb97d22 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 7 Dec 2024 20:54:22 +0300 Subject: [PATCH 09/49] nfqws: static func --- nfq/nfqws.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index c7d5870..cd30a31 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c 
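Review bot: The bool result of nfq_init is discarded at `nfq_init(&h,&qh);`, so when initialization fails h remains NULL and the next line `fd = nfq_fd(h);` dereferences it; since every failure path inside nfq_init already runs nfq_deinit and returns false, the call site should be `if (!nfq_init(&h,&qh)) goto exiterr;`. The exiterr label and the rest of nfq_main's body lie outside the hunk.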
@@ -152,7 +152,7 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da DLOG("packet: id=%d pass unmodified\n", id); return nfq_set_verdict2(qh, id, NF_ACCEPT, mark, 0, NULL); } -bool nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh) +static bool nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh) { if (*qh) { @@ -167,7 +167,7 @@ bool nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh) *h = NULL; } } -bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh) +static bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh) { nfq_deinit(h,qh); From abdc8d9449bbac44f258491e7e5d43a91d118646 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 7 Dec 2024 22:05:26 +0300 Subject: [PATCH 10/49] nfqws: fix return value type --- nfq/nfqws.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index cd30a31..54a8cb5 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -152,7 +152,7 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da DLOG("packet: id=%d pass unmodified\n", id); return nfq_set_verdict2(qh, id, NF_ACCEPT, mark, 0, NULL); } -static bool nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh) +static void nfq_deinit(struct nfq_handle **h,struct nfq_q_handle **qh) { if (*qh) { From 0f1721d2c4ee2d135310aaa607be6902c243c547 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 7 Dec 2024 22:41:55 +0300 Subject: [PATCH 11/49] nfqws: dangling else fix --- nfq/nfqws.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 54a8cb5..604112b 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -1392,10 +1392,12 @@ int main(int argc, char **argv) while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1) { if (v) + { if (bDry) exit_clean(1); else exithelp_clean(); + } switch (option_index) { case 0: /* debug */ From addc813956f675023a8fab5e3e2eef37dea70bfb Mon Sep 17 00:00:00 2001 
From: bol-van Date: Sun, 8 Dec 2024 08:38:17 +0300 Subject: [PATCH 12/49] tpws: fix dangling else --- tpws/tpws.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tpws/tpws.c b/tpws/tpws.c index af5f4ab..0cef7d1 100644 --- a/tpws/tpws.c +++ b/tpws/tpws.c @@ -711,10 +711,12 @@ void parse_params(int argc, char *argv[]) while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1) { if (v) + { if (bDry) exit_clean(1); else exithelp_clean(); + } switch (option_index) { case 0: From bea643c96774e68086fa32cbad7fd12fe8c08f21 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 8 Dec 2024 09:40:45 +0300 Subject: [PATCH 13/49] nfqws: more error checking fixing --- nfq/nfqws.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 604112b..29db0fa 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -267,7 +267,7 @@ static int nfq_main(void) errno=e; DLOG_PERROR("recv"); // do not fail on ENOBUFS - } while(errno==ENOBUFS); + } while(e==ENOBUFS); nfq_deinit(&h,&qh); From 1175b171bac49a9de90abbced23d5ee75f43ff3e Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 8 Dec 2024 09:58:30 +0300 Subject: [PATCH 14/49] nfqws: NETLINK_NO_ENOBUFS --- nfq/nfqws.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 29db0fa..c59b334 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c 
@@ -217,10 +217,12 @@ static bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh) if (!rawsend_preinit(params.bind_fix4,params.bind_fix6)) goto exiterr; - // increase socket buffer size. on slow systems reloading hostlist can take a while. - // if too many unhandled packets are received its possible to get "no buffer space available" error - if (!set_socket_buffers(nfq_fd(*h),Q_RCVBUF/2,Q_SNDBUF/2)) - goto exiterr; + int yes=1, fd = nfq_fd(*h); + +#if defined SOL_NETLINK && defined NETLINK_NO_ENOBUFS + if (setsockopt(fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &yes, sizeof(yes)) == -1) + DLOG_PERROR("setsockopt(NETLINK_NO_ENOBUFS)"); +#endif return true; exiterr: From 41898036939f388e04236792713217d654e3b5eb Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 8 Dec 2024 19:31:29 +0300 Subject: [PATCH 15/49] init.d: custom script 50-wg4all --- init.d/openwrt/custom.d.examples/50-wg4all | 30 ++++++++++++++++++++++ init.d/sysv/custom.d.examples/50-wg4all | 30 ++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 init.d/openwrt/custom.d.examples/50-wg4all create mode 100644 init.d/sysv/custom.d.examples/50-wg4all diff --git a/init.d/openwrt/custom.d.examples/50-wg4all b/init.d/openwrt/custom.d.examples/50-wg4all new file mode 100644 index 0000000..5e234d0 --- /dev/null +++ b/init.d/openwrt/custom.d.examples/50-wg4all 
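Review bot: Enabling NETLINK_NO_ENOBUFS changes the failure semantics of the receive loop without a comment: the kernel stops reporting queue overflow through recv(), and because nfq_init sets NFQA_CFG_F_FAIL_OPEN earlier in the same function ("accept packets if they cant be handled"), packets lost to overflow are presumably passed through unprocessed rather than surfacing as an ENOBUFS error. At the same time the hunk drops the enlarged receive buffer from set_socket_buffers together with its explanatory comment, so under load more packets may now silently bypass the desync path; consider keeping that call and adding, before the setsockopt, `// NETLINK_NO_ENOBUFS: queue overflow is no longer reported; with FAIL_OPEN such packets pass unmodified`. The ENOBUFS retry loop in nfq_main (outside this hunk) becomes largely dead once the option takes effect. `yes` and `fd` are unused when SOL_NETLINK or NETLINK_NO_ENOBUFS is undefined, which will warn on those builds.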
@@ -0,0 +1,30 @@ +# this custom script runs desync to all wireguard handshake initiation packets + +# can override in config : +NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-any-protocol}" + +alloc_dnum DNUM_WG4ALL +alloc_qnum QNUM_WG4ALL + +zapret_custom_daemons() +{ + # stop logic is managed by procd + + local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_WG" + run_daemon $DNUM_WG4ALL $NFQWS "$opt" +} +# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000 +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local f='-p udp -m u32 --u32' + fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + local f="udp length 156 @th,64,32 0x01000000" + nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL +} diff --git a/init.d/sysv/custom.d.examples/50-wg4all b/init.d/sysv/custom.d.examples/50-wg4all new file mode 100644 index 0000000..00ab973 --- /dev/null +++ b/init.d/sysv/custom.d.examples/50-wg4all @@ -0,0 +1,30 @@ +# this custom script runs desync to all wireguard handshake initiation packets + +# can override in config : +NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-any-protocol}" + +alloc_dnum DNUM_WG4ALL +alloc_qnum QNUM_WG4ALL + +zapret_custom_daemons() +{ + # stop logic is managed by procd + + local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_WG" + do_nfqws $1 $DNUM_WG4ALL "$opt" +} +# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000 +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local f='-p udp -m u32 --u32' + fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + local f="udp length 156 @th,64,32 0x01000000" + nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL +} 
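Review bot: The iptables u32 expression in zapret_custom_firewall is left unexplained, which matters because it is the only definition of the match on the iptables path and cannot be cross-checked against the nft form `udp length 156 @th,64,32 0x01000000` without decoding it. A comment above the `local f=` line such as `# u32: 0>>22&0x3C@ skips the IPv4 header (IHL*4); udp length field == 0x9c (156) and first 4 payload bytes == 0x01000000; the IPv6 form uses the fixed 40-byte header, hence offsets 44 and 48` would let a reader verify both rule families say the same thing. The existing `# size = 156 ...` comment sits between the functions rather than inside the one it describes; moving it into zapret_custom_firewall would make that clearer. The sysv copy in the second hunk needs the same comment.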
From 5b337b60158ef288e533990f91185f38b28b1dc5 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 8 Dec 2024 19:36:43 +0300 Subject: [PATCH 16/49] 50-wg4all: remove desync any protocol --- init.d/openwrt/custom.d.examples/50-wg4all | 2 +- init.d/sysv/custom.d.examples/50-wg4all | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/init.d/openwrt/custom.d.examples/50-wg4all b/init.d/openwrt/custom.d.examples/50-wg4all index 5e234d0..e292ae9 100644 --- a/init.d/openwrt/custom.d.examples/50-wg4all +++ b/init.d/openwrt/custom.d.examples/50-wg4all @@ -1,7 +1,7 @@ # this custom script runs desync to all wireguard handshake initiation packets # can override in config : -NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-any-protocol}" +NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}" alloc_dnum DNUM_WG4ALL alloc_qnum QNUM_WG4ALL diff --git a/init.d/sysv/custom.d.examples/50-wg4all b/init.d/sysv/custom.d.examples/50-wg4all index 00ab973..a76fccb 100644 --- a/init.d/sysv/custom.d.examples/50-wg4all +++ b/init.d/sysv/custom.d.examples/50-wg4all @@ -1,7 +1,7 @@ # this custom script runs desync to all wireguard handshake initiation packets # can override in config : -NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-any-protocol}" +NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}" alloc_dnum DNUM_WG4ALL alloc_qnum QNUM_WG4ALL From 9bd65e0c1d1076ebad409b4ec3ca3e8054f090a0 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 8 Dec 2024 20:07:06 +0300 Subject: [PATCH 17/49] init.d: remove NFQWS_OPT_BASE from sysv custom scripts --- init.d/sysv/custom.d.examples/50-dht4all | 2 +- init.d/sysv/custom.d.examples/50-discord | 2 +- init.d/sysv/custom.d.examples/50-wg4all | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/init.d/sysv/custom.d.examples/50-dht4all b/init.d/sysv/custom.d.examples/50-dht4all index 29de047..08605be 100644 --- a/init.d/sysv/custom.d.examples/50-dht4all 
+++ b/init.d/sysv/custom.d.examples/50-dht4all @@ -10,7 +10,7 @@ zapret_custom_daemons() { # stop logic is managed by procd - local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" + local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT" do_nfqws $1 $DNUM_DHT4ALL "$opt" } zapret_custom_firewall() diff --git a/init.d/sysv/custom.d.examples/50-discord b/init.d/sysv/custom.d.examples/50-discord index 6c1705a..1c26e79 100644 --- a/init.d/sysv/custom.d.examples/50-discord +++ b/init.d/sysv/custom.d.examples/50-discord @@ -14,7 +14,7 @@ zapret_custom_daemons() { # $1 - 1 - run, 0 - stop - local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD" + local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_DESYNC_DISCORD" do_nfqws $1 $DNUM_DISCORD "$opt" } diff --git a/init.d/sysv/custom.d.examples/50-wg4all b/init.d/sysv/custom.d.examples/50-wg4all index a76fccb..b95904a 100644 --- a/init.d/sysv/custom.d.examples/50-wg4all +++ b/init.d/sysv/custom.d.examples/50-wg4all @@ -10,7 +10,7 @@ zapret_custom_daemons() { # stop logic is managed by procd - local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_WG" + local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG" do_nfqws $1 $DNUM_WG4ALL "$opt" } # size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000 From ebb22dfa3fc39b1e254b1815ef102a0c8613bbe2 Mon Sep 17 00:00:00 2001 
From: bol-van Date: Mon, 9 Dec 2024 09:28:25 +0300 Subject: [PATCH 18/49] init.d: unitfy custom scripts for linux --- .../10-keenetic-udp-fix | 0 .../50-dht4all | 2 +- .../50-discord | 0 .../50-tpws-ipset | 0 .../50-wg4all | 2 +- init.d/openwrt/custom.d.examples/50-dht4all | 38 -------- init.d/openwrt/custom.d.examples/50-discord | 75 ---------------- .../openwrt/custom.d.examples/50-tpws-ipset | 89 ------------------- init.d/openwrt/custom.d.examples/50-wg4all | 30 ------- init.d/openwrt/zapret | 32 ++++--- 10 files changed, 24 insertions(+), 244 deletions(-) rename init.d/{sysv/custom.d.examples => custom.d.examples.linux}/10-keenetic-udp-fix (100%) rename init.d/{sysv/custom.d.examples => custom.d.examples.linux}/50-dht4all (96%) rename init.d/{sysv/custom.d.examples => custom.d.examples.linux}/50-discord (100%) rename init.d/{sysv/custom.d.examples => custom.d.examples.linux}/50-tpws-ipset (100%) rename init.d/{sysv/custom.d.examples => custom.d.examples.linux}/50-wg4all (95%) delete mode 100644 init.d/openwrt/custom.d.examples/50-dht4all delete mode 100644 init.d/openwrt/custom.d.examples/50-discord delete mode 100644 init.d/openwrt/custom.d.examples/50-tpws-ipset delete mode 100644 init.d/openwrt/custom.d.examples/50-wg4all diff --git a/init.d/sysv/custom.d.examples/10-keenetic-udp-fix b/init.d/custom.d.examples.linux/10-keenetic-udp-fix similarity index 100% rename from init.d/sysv/custom.d.examples/10-keenetic-udp-fix rename to init.d/custom.d.examples.linux/10-keenetic-udp-fix diff --git a/init.d/sysv/custom.d.examples/50-dht4all b/init.d/custom.d.examples.linux/50-dht4all similarity index 96% rename from init.d/sysv/custom.d.examples/50-dht4all rename to init.d/custom.d.examples.linux/50-dht4all index 08605be..a2f44b3 100644 --- a/init.d/sysv/custom.d.examples/50-dht4all +++ b/init.d/custom.d.examples.linux/50-dht4all 
@@ -8,7 +8,7 @@ alloc_qnum QNUM_DHT4ALL zapret_custom_daemons() { - # stop logic is managed by procd + # $1 - 1 - add, 0 - stop local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT" do_nfqws $1 $DNUM_DHT4ALL "$opt" diff --git a/init.d/sysv/custom.d.examples/50-discord b/init.d/custom.d.examples.linux/50-discord similarity index 100% rename from init.d/sysv/custom.d.examples/50-discord rename to init.d/custom.d.examples.linux/50-discord diff --git a/init.d/sysv/custom.d.examples/50-tpws-ipset b/init.d/custom.d.examples.linux/50-tpws-ipset similarity index 100% rename from init.d/sysv/custom.d.examples/50-tpws-ipset rename to init.d/custom.d.examples.linux/50-tpws-ipset diff --git a/init.d/sysv/custom.d.examples/50-wg4all b/init.d/custom.d.examples.linux/50-wg4all similarity index 95% rename from init.d/sysv/custom.d.examples/50-wg4all rename to init.d/custom.d.examples.linux/50-wg4all index b95904a..0bf096a 100644 --- a/init.d/sysv/custom.d.examples/50-wg4all +++ b/init.d/custom.d.examples.linux/50-wg4all @@ -8,7 +8,7 @@ alloc_qnum QNUM_WG4ALL zapret_custom_daemons() { - # stop logic is managed by procd + # $1 - 1 - add, 0 - stop local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG" do_nfqws $1 $DNUM_WG4ALL "$opt" diff --git a/init.d/openwrt/custom.d.examples/50-dht4all b/init.d/openwrt/custom.d.examples/50-dht4all deleted file mode 100644 index c29bbbb..0000000 --- a/init.d/openwrt/custom.d.examples/50-dht4all +++ /dev/null 
@@ -1,38 +0,0 @@ -# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering - -# can override in config : -NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}" - -alloc_dnum DNUM_DHT4ALL -alloc_qnum QNUM_DHT4ALL - -zapret_custom_daemons() -{ - # stop logic is managed by procd - - local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" - run_daemon $DNUM_DHT4ALL $NFQWS "$opt" -} -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local f uf4 uf6 - local first_packet_only="$ipt_connbytes 1:1" - - f='-p udp -m length --length 109:407 -m u32 --u32' - uf4='0>>22&0x3C@8>>16=0x6431' - uf6='48>>16=0x6431' - fw_nfqws_post $1 "$f $uf4 $first_packet_only" "$f $uf6 $first_packet_only" $QNUM_DHT4ALL - -} -zapret_custom_firewall_nft() -{ - # stop logic is not required - - local f - local first_packet_only="$nft_connbytes 1" - - f="meta length 109-407 meta l4proto udp @th,64,16 0x6431" - nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL -} diff --git a/init.d/openwrt/custom.d.examples/50-discord b/init.d/openwrt/custom.d.examples/50-discord deleted file mode 100644 index da8f3be..0000000 --- a/init.d/openwrt/custom.d.examples/50-discord +++ /dev/null 
@@ -1,75 +0,0 @@ -# this custom script runs desync of some udp packets to discord subnets -# idea taken from community. not tested and not optimized by author. - -# can override in config : -NFQWS_OPT_DESYNC_DISCORD="${NFQWS_OPT_DESYNC_DISCORD:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}" -DISCORD_PORTS=${DISCORD_PORTS:-50000-50099} -DISCORD_SUBNETS="${DISCORD_SUBNETS:-5.200.14.249 18.165.140.0/25 23.227.38.74 34.0.48.0/24 34.0.49.64/26 34.0.50.0/25 34.0.51.0/24 34.0.52.0/22 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.128/25 34.0.63.228 34.0.64.0/23 34.0.66.130 34.0.82.140 34.0.129.128/25 34.0.130.0/24 34.0.131.130 34.0.132.139 34.0.133.75 34.0.134.0/24 34.0.135.251 34.0.136.51 34.0.137.0/24 34.0.139.0/24 34.0.140.0/23 34.0.142.0/25 34.0.144.0/23 34.0.146.0/24 34.0.148.25 34.0.149.101 34.0.151.0/25 34.0.153.0/24 34.0.155.0/24 34.0.156.101 34.0.157.0/25 34.0.158.247 34.0.159.188 34.0.192.0/25 34.0.193.0/24 34.0.194.0/24 34.0.195.172 34.0.196.200/29 34.0.197.81 34.0.198.25 34.0.199.0/24 34.0.200.0/24 34.0.201.81 34.0.202.34 34.0.203.0/24 34.0.204.0/23 34.0.206.0/25 34.0.207.0/25 34.0.208.195 34.0.209.0/24 34.0.210.20 34.0.211.0/26 34.0.212.0/24 34.0.213.64/26 34.0.215.128/25 34.0.216.238 34.0.217.0/24 34.0.218.83 34.0.220.103 34.0.221.0/24 34.0.222.193 34.0.223.68 34.0.227.0/24 34.0.240.0/21 34.0.248.0/23 34.0.250.0/24 34.0.251.0/25 34.1.216.0/24 34.1.221.166 35.207.64.0/23 35.207.67.116 35.207.71.0/24 35.207.72.32 35.207.73.0/24 35.207.74.0/24 35.207.75.128/25 35.207.76.128/26 35.207.77.0/24 35.207.78.129 35.207.79.0/24 35.207.80.76 35.207.81.248/30 35.207.82.0/23 35.207.84.0/24 35.207.85.160 35.207.86.41 35.207.87.184 35.207.89.188 35.207.91.146 35.207.92.230 35.207.95.0/24 35.207.97.174 35.207.99.134 35.207.100.64/26 35.207.101.130 35.207.103.64/26 35.207.104.0/24 35.207.106.128/26 35.207.107.19 35.207.108.192/27 35.207.109.185 35.207.110.0/24 35.207.111.174 35.207.114.16 35.207.115.163 35.207.116.51 35.207.117.0/24 35.207.121.204 
35.207.122.0/25 35.207.124.145 35.207.125.116 35.207.126.30 35.207.129.0/24 35.207.131.128/27 35.207.132.247 35.207.135.147 35.207.136.69 35.207.137.0/24 35.207.139.0/24 35.207.140.241 35.207.141.119 35.207.142.0/24 35.207.143.96/27 35.207.144.0/25 35.207.145.0/24 35.207.146.89 35.207.147.0/24 35.207.149.0/24 35.207.150.0/24 35.207.151.61 35.207.153.117 35.207.154.0/24 35.207.155.128/25 35.207.156.254 35.207.157.7 35.207.158.192 35.207.160.160 35.207.162.239 35.207.163.0/24 35.207.164.0/25 35.207.165.147 35.207.166.0/25 35.207.167.0/24 35.207.168.116 35.207.170.0/23 35.207.172.0/24 35.207.174.55 35.207.176.128/25 35.207.178.0/24 35.207.180.152 35.207.181.76 35.207.182.125 35.207.184.101 35.207.185.192 35.207.186.128/25 35.207.187.228 35.207.188.0/24 35.207.189.0/25 35.207.190.194 35.207.191.64/26 35.207.193.165 35.207.195.75 35.207.196.0/24 35.207.198.0/23 35.207.201.186 35.207.202.169 35.207.205.211 35.207.207.4 35.207.209.0/25 35.207.210.191 35.207.211.253 35.207.213.97 35.207.214.0/24 35.207.220.147 35.207.221.58 35.207.222.105 35.207.224.151 35.207.225.210 35.207.227.0/24 35.207.229.212 35.207.232.26 35.207.234.182 35.207.238.0/24 35.207.240.0/24 35.207.245.0/24 35.207.249.0/24 35.207.250.212 35.207.251.0/27 35.212.4.134 35.212.12.148 35.212.88.11 35.212.102.50 35.212.111.0/26 35.212.117.247 35.212.120.122 35.213.0.0/24 35.213.2.8 35.213.4.185 35.213.6.118 35.213.7.128/25 35.213.8.168 35.213.10.0/24 35.213.11.21 35.213.12.224/27 35.213.13.19 35.213.14.217 35.213.16.67 35.213.17.235 35.213.23.166 35.213.25.164 35.213.26.62 35.213.27.252 35.213.32.0/24 35.213.33.74 35.213.34.204 35.213.37.81 35.213.38.186 35.213.39.253 35.213.42.0/24 35.213.43.79 35.213.45.0/24 35.213.46.136 35.213.49.17 35.213.50.0/24 35.213.51.213 35.213.52.0/25 35.213.53.0/24 35.213.54.0/24 35.213.56.0/25 35.213.59.0/24 35.213.61.58 35.213.65.0/24 35.213.67.0/24 35.213.68.192/26 35.213.70.151 35.213.72.128/25 35.213.73.245 35.213.74.131 35.213.78.0/24 35.213.79.137 35.213.80.0/25 
35.213.83.128/25 35.213.84.245 35.213.85.0/24 35.213.88.145 35.213.89.80/28 35.213.90.0/24 35.213.91.195 35.213.92.0/24 35.213.93.254 35.213.94.78 35.213.95.145 35.213.96.87 35.213.98.0/24 35.213.99.126 35.213.101.214 35.213.102.0/24 35.213.105.0/24 35.213.106.128/25 35.213.107.158 35.213.109.0/24 35.213.110.40 35.213.111.0/25 35.213.115.0/25 35.213.120.0/24 35.213.122.0/24 35.213.124.89 35.213.125.40 35.213.126.185 35.213.127.0/24 35.213.128.0/22 35.213.132.0/23 35.213.134.140 35.213.135.0/24 35.213.136.0/23 35.213.138.128/25 35.213.139.0/24 35.213.140.0/25 35.213.141.164 35.213.142.128/25 35.213.143.0/24 35.213.144.0/22 35.213.148.0/23 35.213.150.0/24 35.213.152.0/23 35.213.154.137 35.213.155.134 35.213.156.144 35.213.157.0/24 35.213.158.64/26 35.213.160.90 35.213.161.253 35.213.162.0/25 35.213.163.0/24 35.213.164.0/23 35.213.166.106 35.213.167.160/27 35.213.168.0/24 35.213.169.179 35.213.170.0/24 35.213.171.201 35.213.172.159 35.213.173.0/24 35.213.174.128/25 35.213.175.128/26 35.213.176.0/24 35.213.177.0/25 35.213.179.139 35.213.180.0/24 35.213.181.0/25 35.213.182.0/23 35.213.184.0/23 35.213.186.70 35.213.187.0/24 35.213.188.128/25 35.213.190.158 35.213.191.0/24 35.213.192.240/31 35.213.193.74 35.213.194.0/25 35.213.195.178 35.213.196.38 35.213.197.68 35.213.198.0/23 35.213.200.0/23 35.213.202.0/25 35.213.203.195 35.213.204.32/27 35.213.205.170 35.213.207.128/25 35.213.208.85 35.213.210.0/24 35.213.211.176/29 35.213.212.0/24 35.213.213.225 35.213.214.0/25 35.213.215.255 35.213.217.0/24 35.213.218.248 35.213.219.0/25 35.213.220.211 35.213.221.0/24 35.213.222.215 35.213.223.0/24 35.213.225.0/24 35.213.227.227 35.213.229.17 35.213.230.89 35.213.231.0/24 35.213.233.0/24 35.213.234.134 35.213.236.0/24 35.213.237.212 35.213.238.0/24 35.213.240.212 35.213.241.0/24 35.213.242.10 35.213.243.219 35.213.244.146 35.213.245.119 35.213.246.0/23 35.213.249.79 35.213.250.0/24 35.213.251.74 35.213.252.0/24 35.213.253.155 35.213.254.89 35.214.128.248 35.214.129.220 
35.214.130.217 35.214.131.144 35.214.132.189 35.214.133.0/24 35.214.134.163 35.214.137.0/24 35.214.138.0/25 35.214.140.0/24 35.214.142.0/24 35.214.143.41 35.214.144.26 35.214.145.200 35.214.146.9 35.214.147.135 35.214.148.89 35.214.149.110 35.214.151.128/25 35.214.152.0/24 35.214.156.115 35.214.158.181 35.214.159.128/25 35.214.160.128/25 35.214.161.217 35.214.162.0/24 35.214.163.28 35.214.165.102 35.214.167.77 35.214.169.0/24 35.214.170.2 35.214.171.0/25 35.214.172.128/25 35.214.173.0/24 35.214.175.0/24 35.214.177.183 35.214.179.46 35.214.180.0/23 35.214.184.179 35.214.185.28 35.214.186.3 35.214.187.0/24 35.214.191.0/24 35.214.192.128/25 35.214.193.0/24 35.214.194.128/25 35.214.195.0/25 35.214.196.64/26 35.214.197.0/24 35.214.198.7 35.214.199.224 35.214.201.0/25 35.214.203.155 35.214.204.0/23 35.214.207.0/24 35.214.208.128/25 35.214.209.64 35.214.210.0/24 35.214.211.3 35.214.212.64/26 35.214.213.0/25 35.214.214.0/24 35.214.215.64/26 35.214.216.0/23 35.214.218.140 35.214.219.0/24 35.214.220.149 35.214.221.0/24 35.214.222.149 35.214.223.0/24 35.214.224.71 35.214.225.0/24 35.214.226.0/23 35.214.228.0/23 35.214.231.187 35.214.233.8 35.214.235.38 35.214.237.0/24 35.214.238.0/25 35.214.239.0/24 35.214.240.87 35.214.241.0/24 35.214.243.21 35.214.244.0/24 35.214.245.16/28 35.214.246.106 35.214.248.119 35.214.249.154 35.214.250.0/24 35.214.251.128/25 35.214.252.187 35.214.253.0/24 35.214.255.154 35.215.72.85 35.215.73.65 35.215.83.0 35.215.108.111 35.215.115.120 35.215.126.35 35.215.127.34 35.215.128.0/21 35.215.136.0/26 35.215.137.0/24 35.215.138.0/23 35.215.140.0/24 35.215.141.64/27 35.215.142.0/24 35.215.143.83 35.215.144.128/25 35.215.145.0/24 35.215.146.0/24 35.215.147.86 35.215.148.0/23 35.215.150.0/26 35.215.151.0/24 35.215.152.0/24 35.215.153.128/25 35.215.154.240/28 35.215.155.20 35.215.156.0/24 35.215.158.0/23 35.215.160.192/26 35.215.161.0/24 35.215.163.0/24 35.215.164.0/24 35.215.165.236 35.215.166.128/25 35.215.167.128/25 35.215.168.0/24 35.215.169.12 
35.215.170.0/23 35.215.172.0/22 35.215.176.0/24 35.215.177.72 35.215.178.0/24 35.215.179.161 35.215.180.0/22 35.215.184.253 35.215.185.64/26 35.215.186.0/25 35.215.187.0/24 35.215.188.0/23 35.215.190.0/24 35.215.191.61 35.215.192.0/23 35.215.194.192/28 35.215.195.0/24 35.215.196.0/25 35.215.197.0/25 35.215.198.230 35.215.199.204 35.215.200.0/23 35.215.202.0/24 35.215.203.0/25 35.215.204.128/25 35.215.205.0/25 35.215.206.0/23 35.215.208.0/24 35.215.209.0/25 35.215.210.0/23 35.215.212.0/22 35.215.216.0/22 35.215.221.0/24 35.215.222.128/25 35.215.223.126 35.215.224.0/23 35.215.226.0/24 35.215.227.0/25 35.215.228.0/24 35.215.229.64 35.215.230.89 35.215.231.0/24 35.215.232.0/24 35.215.233.0/25 35.215.234.37 35.215.235.0/24 35.215.238.0/25 35.215.239.119 35.215.240.0/24 35.215.241.128/25 35.215.242.0/25 35.215.243.0/24 35.215.244.0/23 35.215.246.222 35.215.247.0/24 35.215.248.0/22 35.215.252.0/24 35.215.253.118 35.215.254.0/23 35.217.0.0/24 35.217.1.64/26 35.217.2.5 35.217.3.0/24 35.217.4.72 35.217.5.0/25 35.217.6.0/24 35.217.8.0/25 35.217.9.0/24 35.217.11.186 35.217.12.0/24 35.217.14.192/26 35.217.15.65 35.217.16.75 35.217.17.128/25 35.217.18.0/24 35.217.19.183 35.217.20.0/24 35.217.21.128/25 35.217.22.128/25 35.217.23.128/25 35.217.24.0/24 35.217.25.81 35.217.26.0/24 35.217.27.128/25 35.217.28.128/25 35.217.29.0/24 35.217.30.0/25 35.217.31.0/25 35.217.32.128/25 35.217.33.0/24 35.217.35.128/25 35.217.36.0/23 35.217.38.179 35.217.39.186 35.217.40.176 35.217.41.204 35.217.43.0/24 35.217.45.248 35.217.46.0/24 35.217.47.128/25 35.217.48.195 35.217.49.160/27 35.217.50.0/25 35.217.51.0/24 35.217.52.117 35.217.53.128/25 35.217.54.0/25 35.217.55.96/27 35.217.56.6 35.217.57.184 35.217.58.0/24 35.217.59.64/26 35.217.60.0/24 35.217.61.128/25 35.217.62.0/24 35.217.63.128/25 35.219.225.149 35.219.226.57 35.219.227.0/24 35.219.228.37 35.219.229.128/25 35.219.230.0/23 35.219.235.0/24 35.219.236.198 35.219.238.115 35.219.239.0/24 35.219.241.0/24 35.219.242.221 35.219.243.191 
35.219.244.1 35.219.245.0/24 35.219.246.159 35.219.247.0/26 35.219.248.0/24 35.219.249.126 35.219.251.186 35.219.252.0/23 35.219.254.0/24 64.233.161.207 64.233.162.207 64.233.163.207 64.233.164.207 64.233.165.207 66.22.196.0/26 66.22.197.0/24 66.22.198.0/26 66.22.199.0/24 66.22.200.0/26 66.22.202.0/26 66.22.204.0/24 66.22.206.0/24 66.22.208.0/25 66.22.210.0/26 66.22.212.0/24 66.22.214.0/24 66.22.216.0/23 66.22.220.0/25 66.22.221.0/24 66.22.222.0/23 66.22.224.0/25 66.22.225.0/26 66.22.226.0/25 66.22.227.0/25 66.22.228.0/22 66.22.233.0/24 66.22.234.0/24 66.22.236.0/23 66.22.238.0/24 66.22.240.0/22 66.22.244.0/23 66.22.248.0/24 74.125.131.207 74.125.205.207 104.17.51.93 104.17.117.93 104.18.4.161 104.18.5.161 104.18.8.105 104.18.9.105 104.18.30.128 104.18.31.128 104.21.2.204 104.21.25.51 104.21.40.151 104.21.59.128 104.21.72.221 104.21.82.160 108.177.14.207 138.128.140.240/28 142.250.150.207 142.251.1.207 162.159.128.232/30 162.159.129.232/30 162.159.130.232/30 162.159.133.232/30 162.159.134.232/30 162.159.135.232/30 162.159.136.232/30 162.159.137.232/30 162.159.138.232/30 172.65.202.19 172.66.41.34 172.66.42.222 172.67.152.224/28 172.67.155.163 172.67.159.89 172.67.177.131 172.67.222.182 173.194.73.207 173.194.220.207 173.194.221.207 173.194.222.207 188.114.96.2 188.114.97.2 188.114.98.224 188.114.99.224 204.11.56.48 209.85.233.207}" - -DISCORD_SET_NAME=discord -alloc_dnum DNUM_DISCORD -alloc_qnum QNUM_DISCORD - -zapret_custom_daemons() -{ - # $1 - 1 - run, 0 - stop - - local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD" - run_daemon $DNUM_DISCORD $NFQWS "$opt" -} - -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local f - local first_packets_only="$ipt_connbytes 1:3" - local DISCORD_PORTS_IPT=$(replace_char - : $DISCORD_PORTS) - local dest_set="-m set --match-set $DISCORD_SET_NAME dst" - local subnet - - local DISABLE_IPV6=1 - - [ "$1" = 1 ] && { - ipset create $DISCORD_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null - 
ipset flush $DISCORD_SET_NAME - for subnet in $DISCORD_SUBNETS; do - echo add $DISCORD_SET_NAME $subnet - done | ipset -! restore - } - - f="-p udp -m multiport --dports $DISCORD_PORTS_IPT" - fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_DISCORD - - [ "$1" = 1 ] || { - ipset destroy $DISCORD_SET_NAME 2>/dev/null - } -} - -zapret_custom_firewall_nft() -{ - # stop logic is not required - - local f - local first_packets_only="$nft_connbytes 1-3" - local dest_set="ip daddr @$DISCORD_SET_NAME" - local subnets - - local DISABLE_IPV6=1 - - make_comma_list subnets $DISCORD_SUBNETS - nft_create_set $DISCORD_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;" - nft_flush_set $DISCORD_SET_NAME - nft_add_set_element $DISCORD_SET_NAME "$subnets" - - f="udp dport {$DISCORD_PORTS}" - nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_DISCORD -} - -zapret_custom_firewall_nft_flush() -{ - # this function is called after all nft fw rules are deleted - # however sets are not deleted. it's desired to clear sets here. - - nft_del_set $DISCORD_SET_NAME 2>/dev/null -} diff --git a/init.d/openwrt/custom.d.examples/50-tpws-ipset b/init.d/openwrt/custom.d.examples/50-tpws-ipset deleted file mode 100644 index 1a78ce9..0000000 --- a/init.d/openwrt/custom.d.examples/50-tpws-ipset +++ /dev/null 
@@ -1,89 +0,0 @@ -# this custom script demonstrates how to launch extra tpws instance limited by ipset - -# can override in config : -TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}" -TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS} -TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}" -TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}" - -TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096} -TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}" - -alloc_dnum DNUM_TPWS_MY1 -alloc_tpws_port PORT_TPWS_MY1 -TPWS_MY1_NAME4=my1tpws4 -TPWS_MY1_NAME6=my1tpws6 - -zapret_custom_daemons() -{ - # stop logic is managed by procd - - local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT" - run_tpws $DNUM_TPWS_MY1 "$opt" -} - -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local f4 f6 subnet - local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS) - local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst" - - [ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && { - ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null - ipset flush $TPWS_MY1_NAME4 - for subnet in $TPWS_MY1_SUBNETS4; do - echo add $TPWS_MY1_NAME4 $subnet - done | ipset -! restore - } - [ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && { - ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null - ipset flush $TPWS_MY1_NAME6 - for subnet in $TPWS_MY1_SUBNETS6; do - echo add $TPWS_MY1_NAME6 $subnet - done | ipset -! 
restore - } - - f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set" - f6="$f4 $TPWS_MY1_NAME6 dst" - f4="$f4 $TPWS_MY1_NAME4 dst" - fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1 - - [ "$1" = 1 ] || { - ipset destroy $TPWS_MY1_NAME4 2>/dev/null - ipset destroy $TPWS_MY1_NAME6 2>/dev/null - } -} - -zapret_custom_firewall_nft() -{ - local f4 f6 subnet - - [ "$DISABLE_IPV4" != 1 ] && { - make_comma_list subnets $TPWS_MY1_SUBNETS4 - nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;" - nft_flush_set $TPWS_MY1_NAME4 - nft_add_set_element $TPWS_MY1_NAME4 "$subnets" - } - [ "$DISABLE_IPV6" != 1 ] && { - make_comma_list subnets $TPWS_MY1_SUBNETS6 - nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;" - nft_flush_set $TPWS_MY1_NAME6 - nft_add_set_element $TPWS_MY1_NAME6 "$subnets" - } - - f4="tcp dport {$TPWS_MY1_PORTS}" - f6="$f4 ip6 daddr @$TPWS_MY1_NAME6" - f4="$f4 ip daddr @$TPWS_MY1_NAME4" - nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1 -} - -zapret_custom_firewall_nft_flush() -{ - # this function is called after all nft fw rules are deleted - # however sets are not deleted. it's desired to clear sets here. - - nft_del_set $TPWS_MY1_NAME4 2>/dev/null - nft_del_set $TPWS_MY1_NAME6 2>/dev/null -} diff --git a/init.d/openwrt/custom.d.examples/50-wg4all b/init.d/openwrt/custom.d.examples/50-wg4all deleted file mode 100644 index e292ae9..0000000 --- a/init.d/openwrt/custom.d.examples/50-wg4all +++ /dev/null 
@@ -1,30 +0,0 @@ -# this custom script runs desync to all wireguard handshake initiation packets - -# can override in config : -NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}" - -alloc_dnum DNUM_WG4ALL -alloc_qnum QNUM_WG4ALL - -zapret_custom_daemons() -{ - # stop logic is managed by procd - - local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_WG" - run_daemon $DNUM_WG4ALL $NFQWS "$opt" -} -# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000 -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local f='-p udp -m u32 --u32' - fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL -} -zapret_custom_firewall_nft() -{ - # stop logic is not required - - local f="udp length 156 @th,64,32 0x01000000" - nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL -} diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index 5c56472..907f732 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret @@ -81,6 +81,10 @@ run_tpws() } run_daemon $1 "$TPWS" "$OPT $2" } +do_tpws() +{ + [ "$1" = 0 ] || { shift; run_tpws "$@"; } +} run_tpws_socks() { [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0 @@ -90,13 +94,10 @@ run_tpws_socks() tpws_apply_socks_binds opt run_daemon $1 "$TPWS" "$opt $2" } - -stop_tpws() +do_tpws_socks() { - stop_daemon $1 "$TPWS" + [ "$1" = 0 ] || { shift; run_tpws_socks "$@"; } } - - tpws_apply_socks_binds() { local o 
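Review bot: `do_tpws()` treats a missing first argument like a run request, because `[ "$1" = 0 ] || { shift; run_tpws "$@"; }` only short-circuits on a literal 0, so a caller that forgets the op code starts a daemon and also shifts away what it meant as the daemon number. The wrapper carries none of the `# $1 - ...` comments this file uses for its other entry points; suggest `# $1 - 1 - run, 0 - stop (stop is a no-op here, procd handles it) ; $2 - daemon number ; $3 - options` above it, and the same for `do_tpws_socks` in the next hunk and `do_nfqws` in the hunk after that. The `@@ -90` hunk also drops `stop_tpws()`; the rest of the init script is not in this patch, so confirm nothing in the procd stop path still calls it.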
@@ -105,14 +106,25 @@ tpws_apply_socks_binds() [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" for lan in $OPENWRT_LAN; do - network_get_device DEVICE $lan - [ -n "$DEVICE" ] || continue - [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT" - [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + network_get_device DEVICE $lan + [ -n "$DEVICE" ] || continue + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" done eval $1="\"\$$1 $o\"" } +run_nfqws() +{ + run_daemon $1 "$NFQWS" "$NFQWS_OPT_BASE $2" +} +do_nfqws() +{ + [ "$1" = 0 ] || { shift; run_nfqws "$@"; } +} + + + standard_mode_daemons() { @@ -137,7 +149,7 @@ standard_mode_daemons() start_daemons_procd() { standard_mode_daemons - custom_runner zapret_custom_daemons + custom_runner zapret_custom_daemons 1 return 0 } From 991e3534a6a5c8ef2ab5cb761fa32094ab51da18 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 09:51:17 +0300 Subject: [PATCH 19/49] install_easy: copy custom.d.examples.linux in openwrt --- install_easy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install_easy.sh b/install_easy.sh index ccb259c..11b5cdb 100755 --- a/install_easy.sh +++ b/install_easy.sh @@ -394,7 +394,7 @@ copy_openwrt() mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files" cp -R "$1/files/fake" "$2/files" cp -R "$1/common" "$1/ipset" "$2" - cp -R "$1/init.d/openwrt" "$2/init.d" + cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d" cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck.sh" "$2" cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH" } 
From 207a6faf33781cf02849e84357ce7f6909ad2c55 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 10:48:30 +0300 Subject: [PATCH 20/49] init.d: unify standard_mode_daemons --- init.d/openwrt/zapret | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index 907f732..16b4e4b 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret @@ -128,6 +128,11 @@ do_nfqws() standard_mode_daemons() { + # $1 - 1 - run, 0 - stop + + # stop logic is managed by procd + [ "$1" = 0 ] && return 0 + local opt [ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && { opt="--port=$TPPORT $TPWS_OPT" @@ -148,7 +153,7 @@ standard_mode_daemons() start_daemons_procd() { - standard_mode_daemons + standard_mode_daemons 1 custom_runner zapret_custom_daemons 1 return 0 From f8bd218e67708593bfb149b61702b3919fb5ccad Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 11:04:13 +0300 Subject: [PATCH 21/49] custom.d: DISABLE_CUSTOM switch --- common/custom.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/custom.sh b/common/custom.sh index ca0ea5f..0af19c0 100644 --- a/common/custom.sh +++ b/common/custom.sh @@ -3,6 +3,8 @@ custom_runner() # $1 - function name # $2+ - params + [ "$DISABLE_CUSTOM" = 1 ] && return 0 + local n script FUNC=$1 shift From 6e619eba1a6c8d0048738352d289b75536ca5080 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 12:06:49 +0300 Subject: [PATCH 22/49] nfqws: fix crash --- nfq/nfqws.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index c59b334..d22a318 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -192,7 +192,7 @@ static bool nfq_init(struct nfq_handle **h,struct nfq_q_handle **qh) DLOG_CONDUP("binding this socket to queue '%u'\n", params.qnum); *qh = nfq_create_queue(*h, params.qnum, &nfq_cb, ¶ms); - if (!qh) { + if (!*qh) { DLOG_PERROR("nfq_create_queue()"); goto exiterr; } 
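Review bot: The new `DISABLE_CUSTOM` switch in custom_runner is undocumented: the function header describes `$1` and `$2+` but not the config variable, and the diffstat shows no config.default or docs change in this commit. Suggest a comment on the new line, `# DISABLE_CUSTOM=1 in config skips every custom_runner call (no custom.d script runs)`, plus a matching entry wherever the other config switches are listed. Returning 0 makes a disabled custom layer look like success to every caller, which appears intended but is worth stating in that comment.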
@@ -249,7 +249,8 @@ static int nfq_main(void) pre_desync(); - nfq_init(&h,&qh); + if (!nfq_init(&h,&qh)) + goto exiterr; fd = nfq_fd(h); do From e8395eea56c59da2ba2c85841f76f68d13569a24 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 12:13:48 +0300 Subject: [PATCH 23/49] nfqws: pfsense split2->multisplit --- init.d/pfsense/zapret.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init.d/pfsense/zapret.sh b/init.d/pfsense/zapret.sh index 9c434ac..d4bc493 100755 --- a/init.d/pfsense/zapret.sh +++ b/init.d/pfsense/zapret.sh @@ -21,4 +21,4 @@ pfctl -d ; pfctl -e ipfw delete 100 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg pkill ^dvtws$ -dvtws --daemon --port 989 --dpi-desync=split2 +dvtws --daemon --port 989 --dpi-desync=multisplit From 8e7b694076716727334ca0031c9a365accee5d79 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 13:20:05 +0300 Subject: [PATCH 24/49] init.d: 20-fw-extra --- common/ipt.sh | 20 +++++-- common/linux_daemons.sh | 55 ++++++++++++++++++ common/nft.sh | 16 ++++-- init.d/custom.d.examples.linux/20-fw-extra | 66 ++++++++++++++++++++++ init.d/openwrt/functions | 1 + init.d/openwrt/zapret | 28 --------- init.d/sysv/functions | 43 +------------- 7 files changed, 149 insertions(+), 80 deletions(-) create mode 100644 common/linux_daemons.sh create mode 100644 init.d/custom.d.examples.linux/20-fw-extra diff --git a/common/ipt.sh b/common/ipt.sh index 5e4a30f..f9fbce7 100644 --- a/common/ipt.sh +++ b/common/ipt.sh 
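Review bot: The new `goto exiterr` in nfq_main can run after nfq_init has already opened the handle `h` and then failed at nfq_create_queue (the previous hunk shows nfq_init's own `goto exiterr` on that path); confirm that nfq_main's exiterr label tolerates `qh == NULL` and does not close an `h` that nfq_init already released, otherwise the crash fix turns into a double close. The rest of nfq_main, including the exiterr label, is outside this hunk. The previous hunk's change from `if (!qh)` to `if (!*qh)` is correct: `qh` is the out-parameter, so the old test could never fail and a failed queue bind was silently accepted, leaving a NULL queue handle for the later `nfq_fd(h)` loop.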
@@ -349,27 +349,37 @@ ipt_do_nfqws_in_out() } } -zapret_do_firewall_standard_rules_ipt() +zapret_do_firewall_standard_tpws_rules_ipt() { # $1 - 1 - add, 0 - del local f4 f6 - [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && - { + [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT" f6=$f4 filter_apply_ipset_target f4 f6 fw_tpws $1 "$f4" "$f6" $TPPORT } - [ "$NFQWS_ENABLE" = 1 ] && - { +} +zapret_do_firewall_standard_nfqws_rules_ipt() +{ + # $1 - 1 - add, 0 - del + + [ "$NFQWS_ENABLE" = 1 ] && { ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN" ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN" ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN" ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN" } } +zapret_do_firewall_standard_rules_ipt() +{ + # $1 - 1 - add, 0 - del + + zapret_do_firewall_standard_tpws_rules_ipt $1 + zapret_do_firewall_standard_nfqws_rules_ipt $1 +} zapret_do_firewall_rules_ipt() { diff --git a/common/linux_daemons.sh b/common/linux_daemons.sh new file mode 100644 index 0000000..b543b3e --- /dev/null +++ b/common/linux_daemons.sh 
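Review bot: `zapret_do_firewall_standard_tpws_rules_ipt` and `zapret_do_firewall_standard_nfqws_rules_ipt` exit with the status of the `[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ]` / `[ "$NFQWS_ENABLE" = 1 ]` test when the feature is disabled, so "disabled" reads as failure to any caller that checks the return code. That was harmless while they were one private function, but they are now called individually from custom scripts (20-fw-extra in this same commit uses them as the last statement of its hooks); consider ending each with `return 0`. The same applies to the nft split further down, `zapret_apply_firewall_standard_tpws_rules_nft` / `zapret_apply_firewall_standard_nfqws_rules_nft`. Whether custom_runner inspects the status is not visible here.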
@@ -0,0 +1,55 @@ +standard_mode_tpws_socks() +{ + # $1 - 1 - run, 0 - stop + local opt + [ "$TPWS_SOCKS_ENABLE" = 1 ] && { + opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT" + filter_apply_hostlist_target opt + do_tpws_socks $1 2 "$opt" + } +} +standard_mode_tpws() +{ + # $1 - 1 - run, 0 - stop + local opt + [ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && { + opt="--port=$TPPORT $TPWS_OPT" + filter_apply_hostlist_target opt + do_tpws $1 1 "$opt" + } +} +standard_mode_nfqws() +{ + # $1 - 1 - run, 0 - stop + local opt + [ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && { + opt="--qnum=$QNUM $NFQWS_OPT" + filter_apply_hostlist_target opt + do_nfqws $1 3 "$opt" + } +} +standard_mode_daemons() +{ + # $1 - 1 - run, 0 - stop + + standard_mode_tpws_socks $1 + standard_mode_tpws $1 + standard_mode_nfqws $1 +} +zapret_do_daemons() +{ + # $1 - 1 - run, 0 - stop + + standard_mode_daemons $1 + custom_runner zapret_custom_daemons $1 + + return 0 +} +zapret_run_daemons() +{ + zapret_do_daemons 1 "$@" +} +zapret_stop_daemons() +{ + zapret_do_daemons 0 "$@" +} diff --git a/common/nft.sh b/common/nft.sh index bcf9886..0f029ff 100644 --- a/common/nft.sh +++ b/common/nft.sh 
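Review bot: The new file has no header stating what it expects from the script that sources it: `do_tpws`, `do_tpws_socks`, `do_nfqws`, `check_bad_ws_options` and `filter_apply_hostlist_target` are all resolved at call time from whichever init.d/*/functions pulled it in, and daemon slots 1, 2 and 3 are hard-wired here. Suggest a top comment such as `# sourced by init.d/{openwrt,sysv}/functions ; requires do_tpws, do_tpws_socks, do_nfqws, check_bad_ws_options, filter_apply_hostlist_target ; daemon numbers 1-3 are used by standard mode`, noting (to be verified) that alloc_dnum in custom scripts must not hand out those numbers. `standard_mode_tpws_socks` also skips the `check_bad_ws_options $1 "$TPWS_SOCKS_OPT"` validation its tpws and nfqws siblings perform; if that is deliberate, a one-line comment saying why would save the next reader the question.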
@@ -640,25 +640,31 @@ nft_apply_nfqws_in_out() } } -zapret_apply_firewall_standard_rules_nft() +zapret_apply_firewall_standard_tpws_rules_nft() { local f4 f6 - [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && - { + [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { f4="tcp dport {$TPWS_PORTS}" f6=$f4 nft_filter_apply_ipset_target f4 f6 nft_fw_tpws "$f4" "$f6" $TPPORT } - [ "$NFQWS_ENABLE" = 1 ] && - { +} +zapret_apply_firewall_standard_nfqws_rules_nft() +{ + [ "$NFQWS_ENABLE" = 1 ] && { nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN" nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN" nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN" nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN" } } +zapret_apply_firewall_standard_rules_nft() +{ + zapret_apply_firewall_standard_tpws_rules_nft + zapret_apply_firewall_standard_nfqws_rules_nft +} zapret_apply_firewall_rules_nft() { diff --git a/init.d/custom.d.examples.linux/20-fw-extra b/init.d/custom.d.examples.linux/20-fw-extra new file mode 100644 index 0000000..c93ef63 --- /dev/null +++ b/init.d/custom.d.examples.linux/20-fw-extra 
@@ -0,0 +1,66 @@ +# this custom script runs standard mode with extra firewall rules + +# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons +# standard and override switches cannot be enabled simultaneously ! + +TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0} +NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0} + +# config: some if these values must be set in config. not setting any of these makes this script meaningless. +# pre vars put ipt/nft code to the rule beginning +#FW_EXTRA_PRE_TPWS_IPT= +#FW_EXTRA_PRE_TPWS_NFT= +#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000" +#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0" +# post vars put ipt/nft code to the rule end +#FW_EXTRA_POST_TPWS_IPT= +#FW_EXTRA_POST_TPWS_NFT= +#FW_EXTRA_POST_NFQWS_IPT= +#FW_EXTRA_POST_NFQWS_NFT= + +check_std_intersect() +{ + [ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && { + echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled" + return 1 + } + [ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && { + echo "ERROR ! 
both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled" + return 1 + } + return 0 +} + +zapret_custom_daemons() +{ + # $1 - 1 - add, 0 - stop + + check_std_intersect || return + + local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE + standard_mode_daemons "$1" +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + check_std_intersect || return + + local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE + FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT" + zapret_do_firewall_standard_tpws_rules_ipt $1 + FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT" + zapret_do_firewall_standard_nfqws_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + check_std_intersect || return + + local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE + FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT" + zapret_apply_firewall_standard_tpws_rules_nft + FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT" + zapret_apply_firewall_standard_nfqws_rules_nft +} diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions index 77fd5f9..2cd1e1f 100644 --- a/init.d/openwrt/functions +++ b/init.d/openwrt/functions @@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/ipt.sh" . "$ZAPRET_BASE/common/nft.sh" . "$ZAPRET_BASE/common/linux_fw.sh" +. "$ZAPRET_BASE/common/linux_daemons.sh" . "$ZAPRET_BASE/common/list.sh" . "$ZAPRET_BASE/common/custom.sh" CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt" diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index 16b4e4b..8d6d3a9 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret 
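Review bot: `check_std_intersect` prints its two `ERROR !` diagnostics to stdout, where an init script's output is often discarded; send them to stderr, e.g. `echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled" >&2`, and the NFQWS line likewise. `zapret_custom_firewall` and `zapret_custom_firewall_nft` return whatever status the final `*_nfqws_rules_*` call leaves, which is the status of the `[ "$NFQWS_ENABLE" = 1 ]` test, so a config with only the tpws override enabled makes the hook report failure; add `return 0` at the end of each if custom_runner checks the code (not visible here). The header comment has a typo, `some if these values` should read `some of these values`, and it should state that the FW_EXTRA_* variables are raw iptables/nft rule fragments (the commented examples show this, the consumer is not in this hunk) and therefore must only ever come from the config file.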
@@ -123,34 +123,6 @@ do_nfqws() [ "$1" = 0 ] || { shift; run_nfqws "$@"; } } - - - -standard_mode_daemons() -{ - # $1 - 1 - run, 0 - stop - - # stop logic is managed by procd - [ "$1" = 0 ] && return 0 - - local opt - [ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && { - opt="--port=$TPPORT $TPWS_OPT" - filter_apply_hostlist_target opt - run_tpws 1 "$opt" - } - [ "$TPWS_SOCKS_ENABLE" = 1 ] && { - opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT" - filter_apply_hostlist_target opt - run_tpws_socks 2 "$opt" - } - [ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && { - opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT" - filter_apply_hostlist_target opt - run_daemon 3 "$NFQWS" "$opt" - } -} - start_daemons_procd() { standard_mode_daemons 1 diff --git a/init.d/sysv/functions b/init.d/sysv/functions index e847780..abe6098 100644 --- a/init.d/sysv/functions +++ b/init.d/sysv/functions @@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/ipt.sh" . "$ZAPRET_BASE/common/nft.sh" . "$ZAPRET_BASE/common/linux_fw.sh" +. "$ZAPRET_BASE/common/linux_daemons.sh" . "$ZAPRET_BASE/common/list.sh" . "$ZAPRET_BASE/common/custom.sh" CUSTOM_DIR="$ZAPRET_RW/init.d/sysv" 
@@ -275,45 +276,3 @@ create_ipset() echo "Creating ip list table (firewall type $FWTYPE)" "$IPSET_CR" "$@" } - - -standard_mode_daemons() -{ - # $1 - 1 - run, 0 - stop - - local opt - - [ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && { - opt="--port=$TPPORT $TPWS_OPT" - filter_apply_hostlist_target opt - do_tpws $1 1 "$opt" - } - [ "$TPWS_SOCKS_ENABLE" = 1 ] && { - opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT" - filter_apply_hostlist_target opt - do_tpws_socks $1 2 "$opt" - } - [ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && { - opt="--qnum=$QNUM $NFQWS_OPT" - filter_apply_hostlist_target opt - do_nfqws $1 3 "$opt" - } -} - -zapret_do_daemons() -{ - # $1 - 1 - run, 0 - stop - - standard_mode_daemons $1 - custom_runner zapret_custom_daemons $1 - - return 0 -} -zapret_run_daemons() -{ - zapret_do_daemons 1 "$@" -} -zapret_stop_daemons() -{ - zapret_do_daemons 0 "$@" -} From 7b057491afc2d8857dcdba00ea0c09991d09d665 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 13:23:44 +0300 Subject: [PATCH 25/49] update docs --- docs/changes.txt | 6 ++++++ docs/readme.en.md | 2 +- docs/readme.md | 15 ++++++++------- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index c223041..614efe1 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -417,3 +417,9 @@ v69.5 nfqws,tpws: --dry-run install_easy: check tpws and nfqws options validity + +v69.6 + +nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors +init.d: unify custom scripts for linux +init.d: new custom scripts : 20-fw-extra, 50-wg4all diff --git a/docs/readme.en.md b/docs/readme.en.md index f234805..685f1c4 100644 --- a/docs/readme.en.md +++ b/docs/readme.en.md @@ -1,4 +1,4 @@ -# zapret v69.5 +# zapret v69.6 # SCAMMER WARNING diff --git a/docs/readme.md b/docs/readme.md index b4c58be..94d1168 100644 --- a/docs/readme.md +++ b/docs/readme.md 
@@ -1,4 +1,4 @@ -# zapret v69.5 +# zapret v69.6 # ВНИМАНИЕ, остерегайтесь мошенников @@ -1866,8 +1866,9 @@ custom скрипты - это маленькие shell программы, уп /opt/zapret/init.d/macos/custom.d ``` Директория будет просканирована в алфавитном порядке, и каждый скрипт будет применен. -Рядом имеется `custom.d.examples`. Это готовые скрипты, которые можно копировать в `custom.d`. -Их можно взять за основу для написания собственных. + +В `init.d` имеется `custom.d.examples.linux`, в `init.d/macos` - `custom.d.examples`. +Это готовые скрипты, которые можно копировать в `custom.d`. Их можно взять за основу для написания собственных. ***Для linux пишется код в функции*** ``` @@ -1885,9 +1886,9 @@ zapret_custom_firewall_v6 ``` zapret_custom_daemons поднимает демоны **nfqws**/**tpws** в нужном вам количестве и с нужными вам параметрами. -Для систем традиционного linux (sysv) и MacOS в первом параметре передается код операции: 1 = запуск, 0 = останов. -Для openwrt логика останова отсутствует за ненадобностью. +В первом параметре передается код операции: 1 = запуск, 0 = останов. Схема запуска демонов в openwrt отличается - используется procd. +Поэтому логика останова отсутствует за ненадобностью, останов никогда не вызывается. zapret_custom_firewall поднимает и убирает правила `iptables`. В первом параметре передается код операции: 1 = запуск, 0 = останов. 
@@ -1913,8 +1914,8 @@ zapret_custom_firewall_nft поднимает правила nftables. В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout, содержащий правила для pf-якоря. Остальное сделает обертка. -Особо обратите внимание на номер демона в функциях `run_daemon` и `do_daemon`, номера портов **tpws** -и очередей `nfqueue`. +Особо обратите внимание на номер демона в функциях `run_daemon` , `do_daemon`, `do_tpws`, `do_tpws_socks`, `do_nfqws` , +номера портов **tpws** и очередей **nfqueue**. Они должны быть уникальными во всех скриптах. При накладке будет ошибка. Поэтому используйте функции динамического получения этих значений из пула. From 720c2fad865d981b5fed2bad58ae97e6fcbe444e Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 14:34:49 +0300 Subject: [PATCH 26/49] nfqws: nfq_main error logic cleanup --- nfq/nfqws.c | 10 ++-------- nfq/params.h | 2 -- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index d22a318..86149fd 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -242,7 +242,7 @@ static int nfq_main(void) sec_harden(); if (params.droproot && !droproot(params.uid, params.gid)) - goto exiterr; + return 1; print_id(); #endif @@ -250,7 +250,7 @@ static int nfq_main(void) pre_desync(); if (!nfq_init(&h,&qh)) - goto exiterr; + return 1; fd = nfq_fd(h); do @@ -273,13 +273,7 @@ static int nfq_main(void) } while(e==ENOBUFS); nfq_deinit(&h,&qh); - return 0; - -exiterr: - if (qh) nfq_destroy_queue(qh); - if (h) nfq_close(h); - return 1; } #elif defined(BSD) diff --git a/nfq/params.h b/nfq/params.h index a7a24ff..d556913 100644 --- a/nfq/params.h +++ b/nfq/params.h @@ -20,8 +20,6 @@ #define TLS_PARTIALS_ENABLE true -#define Q_RCVBUF (128*1024) // in bytes -#define Q_SNDBUF (64*1024) // in bytes #define RAW_SNDBUF (64*1024) // in bytes #define Q_MAXLEN 1024 // in packets From fe98c9d972409518ed3fbe32171ec898b67f2375 Mon Sep 17 00:00:00 2001 
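Review bot: The `return 1` that replaces `goto exiterr` after a failed `nfq_init(&h,&qh)` drops the cleanup that used to run `nfq_destroy_queue(qh)` / `nfq_close(h)`, so correctness now depends on nfq_init releasing its own partial state, which is not visible in this hunk. The caller presumably exits on a non-zero return and the kernel reclaims the netlink socket anyway, but that dependency should be stated, e.g. `/* nfq_init() releases h/qh itself on failure, so there is nothing to undo here */`, or nfq_init's failure path checked to confirm it. The droproot path is fine as a fail-closed exit: it returns before any queue is bound, so a refused privilege drop can no longer leave the daemon handling packets as root. nfq_main begins and ends outside the visible hunks.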
From: bol-van Date: Mon, 9 Dec 2024 14:54:09 +0300 Subject: [PATCH 27/49] nfqws: remove unneeded ifdefs --- nfq/nfqws.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 86149fd..420bfa0 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -238,14 +238,10 @@ static int nfq_main(void) int fd,e; ssize_t rd; -#ifndef __CYGWIN__ sec_harden(); - if (params.droproot && !droproot(params.uid, params.gid)) return 1; - print_id(); -#endif pre_desync(); From 9d8398628caa9b2aaf5c2489825ba4c2a6a41b85 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 9 Dec 2024 16:44:13 +0300 Subject: [PATCH 28/49] nfqws: fix bionic bad syscall on exit --- nfq/sec.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/nfq/sec.c b/nfq/sec.c index b6f8e66..71ba1c7 100644 --- a/nfq/sec.c +++ b/nfq/sec.c @@ -88,10 +88,6 @@ SYS_symlinkat, SYS_link, #endif SYS_linkat, -#ifdef SYS_pkey_mprotect -SYS_pkey_mprotect, -#endif -SYS_mprotect, SYS_truncate, #ifdef SYS_truncate64 SYS_truncate64, From 4ec6e5fa9f9e39a399b22713f2b2e9d4ae84a4e0 Mon Sep 17 00:00:00 2001 From: bol-van Date: Tue, 10 Dec 2024 11:27:35 +0300 Subject: [PATCH 29/49] tpws,nfqws: --comment --- nfq/nfqws.c | 318 ++++++++++++++++++++++++++-------------------------- tpws/tpws.c | 102 +++++++++-------- 2 files changed, 214 insertions(+), 206 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 420bfa0..9072849 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -1049,6 +1049,7 @@ static void exithelp(void) #endif " --debug=0|1|syslog|@\n" " --dry-run\t\t\t\t\t; verify parameters and exit with code 0 if successful\n" + " --comment=any_text\n" #ifdef __linux__ " --qnum=\n" #elif defined(BSD) 
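Review bot: Dropping `SYS_mprotect` and `SYS_pkey_mprotect` from this table removes a meaningful piece of the hardening if, as its neighbours (`SYS_link`, `SYS_linkat`, `SYS_truncate`) suggest, it is the seccomp deny list: the daemon can again change page protections, including to PROT_EXEC, which is exactly what an attacker with a memory-corruption primitive in the packet parsers needs. If the bionic failure on exit is a benign mprotect call, a narrower fix is a seccomp rule that denies mprotect/pkey_mprotect only when the `prot` argument has PROT_EXEC set, or that returns an error instead of killing the process, rather than removing the syscall from the list entirely; the filter construction is outside this hunk so I cannot tell which is easier here. At minimum document the exception next to the list, e.g. `/* mprotect/pkey_mprotect deliberately not filtered: bionic calls them during exit and a kill-on-match rule would crash the process */`. The array begins before and ends after the visible lines.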
@@ -1283,101 +1284,102 @@ int main(int argc, char **argv)
 const struct option long_options[] = {
 {"debug",optional_argument,0,0}, // optidx=0
 {"dry-run",no_argument,0,0}, // optidx=1
+ {"comment",optional_argument,0,0}, // optidx=2
 #ifdef __linux__
- {"qnum",required_argument,0,0}, // optidx=2
+ {"qnum",required_argument,0,0}, // optidx=3
 #elif defined(BSD)
- {"port",required_argument,0,0}, // optidx=2
+ {"port",required_argument,0,0}, // optidx=3
 #else
- {"disabled_argument_1",no_argument,0,0},// optidx=2
+ {"disabled_argument_1",no_argument,0,0},// optidx=3
 #endif
- {"daemon",no_argument,0,0}, // optidx=3
- {"pidfile",required_argument,0,0}, // optidx=4
+ {"daemon",no_argument,0,0}, // optidx=4
+ {"pidfile",required_argument,0,0}, // optidx=5
 #ifndef __CYGWIN__
- {"user",required_argument,0,0 }, // optidx=5
- {"uid",required_argument,0,0 }, // optidx=6
+ {"user",required_argument,0,0 }, // optidx=6
+ {"uid",required_argument,0,0 }, // optidx=7
 #else
- {"disabled_argument_2",no_argument,0,0}, // optidx=5
- {"disabled_argument_3",no_argument,0,0}, // optidx=6
+ {"disabled_argument_2",no_argument,0,0}, // optidx=6
+ {"disabled_argument_3",no_argument,0,0}, // optidx=7
 #endif
- {"wsize",required_argument,0,0}, // optidx=7
- {"wssize",required_argument,0,0}, // optidx=8
- {"wssize-cutoff",required_argument,0,0},// optidx=9
- {"ctrack-timeouts",required_argument,0,0},// optidx=10
- {"hostcase",no_argument,0,0}, // optidx=11
- {"hostspell",required_argument,0,0}, // optidx=12
- {"hostnospace",no_argument,0,0}, // optidx=13
- {"domcase",no_argument,0,0 }, // optidx=14
- {"methodeol",no_argument,0,0 }, // optidx=15
+ {"wsize",required_argument,0,0}, // optidx=8
+ {"wssize",required_argument,0,0}, // optidx=9
+ {"wssize-cutoff",required_argument,0,0},// optidx=10
+ {"ctrack-timeouts",required_argument,0,0},// optidx=11
+ {"hostcase",no_argument,0,0}, // optidx=12
+ {"hostspell",required_argument,0,0}, // optidx=13
+ {"hostnospace",no_argument,0,0}, // optidx=14
+ {"domcase",no_argument,0,0 }, // optidx=15
+ {"methodeol",no_argument,0,0 }, // optidx=16
 {"dpi-desync",required_argument,0,0}, // optidx=17
 #ifdef __linux__
- {"dpi-desync-fwmark",required_argument,0,0}, // optidx=17
+ {"dpi-desync-fwmark",required_argument,0,0}, // optidx=18
 #elif defined(SO_USER_COOKIE)
- {"dpi-desync-sockarg",required_argument,0,0}, // optidx=17
+ {"dpi-desync-sockarg",required_argument,0,0}, // optidx=18
 #else
- {"disabled_argument_4",no_argument,0,0}, // optidx=17
+ {"disabled_argument_4",no_argument,0,0}, // optidx=18
 #endif
- {"dpi-desync-ttl",required_argument,0,0}, // optidx=18
- {"dpi-desync-ttl6",required_argument,0,0}, // optidx=19
- {"dpi-desync-autottl",optional_argument,0,0}, // optidx=20
- {"dpi-desync-autottl6",optional_argument,0,0}, // optidx=21
- {"dpi-desync-fooling",required_argument,0,0}, // optidx=22
- {"dpi-desync-repeats",required_argument,0,0}, // optidx=23
- {"dpi-desync-skip-nosni",optional_argument,0,0},// optidx=24
- {"dpi-desync-split-pos",required_argument,0,0},// optidx=25
- {"dpi-desync-split-http-req",required_argument,0,0 },// optidx=26
- {"dpi-desync-split-tls",required_argument,0,0 },// optidx=27
- {"dpi-desync-split-seqovl",required_argument,0,0 },// optidx=28
- {"dpi-desync-split-seqovl-pattern",required_argument,0,0 },// optidx=29
- {"dpi-desync-fakedsplit-pattern",required_argument,0,0 },// optidx=30
- {"dpi-desync-ipfrag-pos-tcp",required_argument,0,0},// optidx=31
- {"dpi-desync-ipfrag-pos-udp",required_argument,0,0},// optidx=32
- {"dpi-desync-badseq-increment",required_argument,0,0},// optidx=33
- {"dpi-desync-badack-increment",required_argument,0,0},// optidx=34
- {"dpi-desync-any-protocol",optional_argument,0,0},// optidx=35
- {"dpi-desync-fake-http",required_argument,0,0},// optidx=36
- {"dpi-desync-fake-tls",required_argument,0,0},// optidx=37
- {"dpi-desync-fake-unknown",required_argument,0,0},// optidx=38
- {"dpi-desync-fake-syndata",required_argument,0,0},// optidx=39
- {"dpi-desync-fake-quic",required_argument,0,0},// optidx=40
- {"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=41
- {"dpi-desync-fake-dht",required_argument,0,0},// optidx=42
- {"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=43
- {"dpi-desync-udplen-increment",required_argument,0,0},// optidx=44
- {"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=45
- {"dpi-desync-cutoff",required_argument,0,0},// optidx=46
- {"dpi-desync-start",required_argument,0,0},// optidx=47
- {"hostlist",required_argument,0,0}, // optidx=48
- {"hostlist-domains",required_argument,0,0},// optidx=49
- {"hostlist-exclude",required_argument,0,0}, // optidx=50
- {"hostlist-exclude-domains",required_argument,0,0},// optidx=51
- {"hostlist-auto",required_argument,0,0}, // optidx=52
- {"hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=53
- {"hostlist-auto-fail-time",required_argument,0,0}, // optidx=54
- {"hostlist-auto-retrans-threshold",required_argument,0,0}, // optidx=55
- {"hostlist-auto-debug",required_argument,0,0}, // optidx=56
- {"new",no_argument,0,0}, // optidx=57
- {"skip",no_argument,0,0}, // optidx=58
- {"filter-l3",required_argument,0,0}, // optidx=59
- {"filter-tcp",required_argument,0,0}, // optidx=60
- {"filter-udp",required_argument,0,0}, // optidx=61
- {"filter-l7",required_argument,0,0}, // optidx=62
- {"ipset",required_argument,0,0}, // optidx=63
- {"ipset-ip",required_argument,0,0}, // optidx=64
- {"ipset-exclude",required_argument,0,0},// optidx=65
- {"ipset-exclude-ip",required_argument,0,0}, // optidx=66
+ {"dpi-desync-ttl",required_argument,0,0}, // optidx=19
+ {"dpi-desync-ttl6",required_argument,0,0}, // optidx=20
+ {"dpi-desync-autottl",optional_argument,0,0}, // optidx=21
+ {"dpi-desync-autottl6",optional_argument,0,0}, // optidx=22
+ {"dpi-desync-fooling",required_argument,0,0}, // optidx=23
+ {"dpi-desync-repeats",required_argument,0,0}, // optidx=24
+ {"dpi-desync-skip-nosni",optional_argument,0,0},// optidx=25
+ {"dpi-desync-split-pos",required_argument,0,0},// optidx=26
+ {"dpi-desync-split-http-req",required_argument,0,0 },// optidx=27
+ {"dpi-desync-split-tls",required_argument,0,0 },// optidx=28
+ {"dpi-desync-split-seqovl",required_argument,0,0 },// optidx=29
+ {"dpi-desync-split-seqovl-pattern",required_argument,0,0 },// optidx=30
+ {"dpi-desync-fakedsplit-pattern",required_argument,0,0 },// optidx=31
+ {"dpi-desync-ipfrag-pos-tcp",required_argument,0,0},// optidx=32
+ {"dpi-desync-ipfrag-pos-udp",required_argument,0,0},// optidx=33
+ {"dpi-desync-badseq-increment",required_argument,0,0},// optidx=34
+ {"dpi-desync-badack-increment",required_argument,0,0},// optidx=35
+ {"dpi-desync-any-protocol",optional_argument,0,0},// optidx=36
+ {"dpi-desync-fake-http",required_argument,0,0},// optidx=37
+ {"dpi-desync-fake-tls",required_argument,0,0},// optidx=38
+ {"dpi-desync-fake-unknown",required_argument,0,0},// optidx=39
+ {"dpi-desync-fake-syndata",required_argument,0,0},// optidx=40
+ {"dpi-desync-fake-quic",required_argument,0,0},// optidx=41
+ {"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=42
+ {"dpi-desync-fake-dht",required_argument,0,0},// optidx=43
+ {"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=44
+ {"dpi-desync-udplen-increment",required_argument,0,0},// optidx=45
+ {"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=46
+ {"dpi-desync-cutoff",required_argument,0,0},// optidx=47
+ {"dpi-desync-start",required_argument,0,0},// optidx=48
+ {"hostlist",required_argument,0,0}, // optidx=49
+ {"hostlist-domains",required_argument,0,0},// optidx=50
+ {"hostlist-exclude",required_argument,0,0}, // optidx=51
+ {"hostlist-exclude-domains",required_argument,0,0},// optidx=52
+ {"hostlist-auto",required_argument,0,0}, // optidx=53
+ {"hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=54
+ {"hostlist-auto-fail-time",required_argument,0,0}, // optidx=55
+ {"hostlist-auto-retrans-threshold",required_argument,0,0}, // optidx=56
+ {"hostlist-auto-debug",required_argument,0,0}, // optidx=57
+ {"new",no_argument,0,0}, // optidx=58
+ {"skip",no_argument,0,0}, // optidx=59
+ {"filter-l3",required_argument,0,0}, // optidx=60
+ {"filter-tcp",required_argument,0,0}, // optidx=61
+ {"filter-udp",required_argument,0,0}, // optidx=62
+ {"filter-l7",required_argument,0,0}, // optidx=63
+ {"ipset",required_argument,0,0}, // optidx=64
+ {"ipset-ip",required_argument,0,0}, // optidx=65
+ {"ipset-exclude",required_argument,0,0},// optidx=66
+ {"ipset-exclude-ip",required_argument,0,0}, // optidx=67
 #ifdef __linux__
- {"bind-fix4",no_argument,0,0}, // optidx=67
- {"bind-fix6",no_argument,0,0}, // optidx=68
+ {"bind-fix4",no_argument,0,0}, // optidx=68
+ {"bind-fix6",no_argument,0,0}, // optidx=69
 #elif defined(__CYGWIN__)
- {"wf-iface",required_argument,0,0}, // optidx=67
- {"wf-l3",required_argument,0,0}, // optidx=68
- {"wf-tcp",required_argument,0,0}, // optidx=69
- {"wf-udp",required_argument,0,0}, // optidx=70
- {"wf-raw",required_argument,0,0}, // optidx=71
- {"wf-save",required_argument,0,0}, // optidx=72
- {"ssid-filter",required_argument,0,0}, // optidx=73
- {"nlm-filter",required_argument,0,0}, // optidx=74
- {"nlm-list",optional_argument,0,0}, // optidx=75
+ {"wf-iface",required_argument,0,0}, // optidx=68
+ {"wf-l3",required_argument,0,0}, // optidx=69
+ {"wf-tcp",required_argument,0,0}, // optidx=70
+ {"wf-udp",required_argument,0,0}, // optidx=71
+ {"wf-raw",required_argument,0,0}, // optidx=72
+ {"wf-save",required_argument,0,0}, // optidx=73
+ {"ssid-filter",required_argument,0,0}, // optidx=74
+ {"nlm-filter",required_argument,0,0}, // optidx=75
+ {"nlm-list",optional_argument,0,0}, // optidx=76
 #endif
 {NULL,0,NULL,0}
 };
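Review bot: Inserting `comment` at optidx=2 forced a by-hand renumbering of every `// optidx=N` comment below it and of every `case N:` in the switch, which is exactly how table and switch drift apart; the context line `{"dpi-desync",required_argument,0,0}, // optidx=17` was already off by one before this change (the switch had `case 16: /* dpi-desync */`) and is only correct now by accident. Either append new options at the end of the table so existing indices stay stable, or replace the numbers with an enum kept in table order (`enum { OPT_DEBUG, OPT_DRY_RUN, OPT_COMMENT, OPT_QNUM, ... };`) and write `case OPT_COMMENT:` in the switch, which turns a mismatch into a compile error instead of a silently mis-bound option. Note also that `optional_argument` only binds the `--comment=text` form; a space-separated `--comment text` leaves `text` as a stray non-option argument, which matches the help line but is worth stating there.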
@@ -1430,7 +1432,9 @@ int main(int argc, char **argv) case 1: /* dry-run */ bDry=true; break; - case 2: /* qnum or port */ + case 2: /* comment */ + break; + case 3: /* qnum or port */ #ifdef __linux__ params.qnum = atoi(optarg); if (params.qnum < 0 || params.qnum>65535) @@ -1450,15 +1454,15 @@ int main(int argc, char **argv) } #endif break; - case 3: /* daemon */ + case 4: /* daemon */ daemon = true; break; - case 4: /* pidfile */ + case 5: /* pidfile */ strncpy(pidfile, optarg, sizeof(pidfile)); pidfile[sizeof(pidfile) - 1] = '\0'; break; #ifndef __CYGWIN__ - case 5: /* user */ + case 6: /* user */ { struct passwd *pwd = getpwnam(optarg); if (!pwd) @@ -1471,7 +1475,7 @@ int main(int argc, char **argv) params.droproot = true; break; } - case 6: /* uid */ + case 7: /* uid */ params.gid = 0x7FFFFFFF; // default gid. drop gid=0 params.droproot = true; if (sscanf(optarg, "%u:%u", ¶ms.uid, ¶ms.gid)<1) @@ -1481,32 +1485,32 @@ int main(int argc, char **argv) } break; #endif - case 7: /* wsize */ + case 8: /* wsize */ if (!parse_ws_scale_factor(optarg,&dp->wsize,&dp->wscale)) exit_clean(1); break; - case 8: /* wssize */ + case 9: /* wssize */ if (!parse_ws_scale_factor(optarg,&dp->wssize,&dp->wsscale)) exit_clean(1); break; - case 9: /* wssize-cutoff */ + case 10: /* wssize-cutoff */ if (!parse_cutoff(optarg, &dp->wssize_cutoff, &dp->wssize_cutoff_mode)) { DLOG_ERR("invalid wssize-cutoff value\n"); exit_clean(1); } break; - case 10: /* ctrack-timeouts */ + case 11: /* ctrack-timeouts */ if (sscanf(optarg, "%u:%u:%u:%u", ¶ms.ctrack_t_syn, ¶ms.ctrack_t_est, ¶ms.ctrack_t_fin, ¶ms.ctrack_t_udp)<3) { DLOG_ERR("invalid ctrack-timeouts value\n"); exit_clean(1); } break; - case 11: /* hostcase */ + case 12: /* hostcase */ dp->hostcase = true; break; - case 12: /* hostspell */ + case 13: /* hostspell */ if (strlen(optarg) != 4) { DLOG_ERR("hostspell must be exactly 4 chars long\n"); 
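Review bot: `case 2: /* comment */ break;` discards the value with no explanation, so the next reader will assume the option is unfinished; say what it is for, e.g. `/* --comment=text: free-form label for the operator (ps output, config readability); deliberately ignored */`. Because the option is declared `optional_argument`, only the `=`-joined form is consumed; `--comment text` leaves `text` as a non-option argument, so the comment should also say it must be written as `--comment=text`, the form the help text already shows. main() continues outside this hunk.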
@@ -1515,7 +1519,7 @@ int main(int argc, char **argv) dp->hostcase = true; memcpy(dp->hostspell, optarg, 4); break; - case 13: /* hostnospace */ + case 14: /* hostnospace */ if (dp->methodeol) { DLOG_ERR("--hostnospace and --methodeol are incompatible\n"); @@ -1523,10 +1527,10 @@ int main(int argc, char **argv) } dp->hostnospace = true; break; - case 14: /* domcase */ + case 15: /* domcase */ dp->domcase = true; break; - case 15: /* methodeol */ + case 16: /* methodeol */ if (dp->hostnospace) { DLOG_ERR("--hostnospace and --methodeol are incompatible\n"); @@ -1534,7 +1538,7 @@ int main(int argc, char **argv) } dp->methodeol = true; break; - case 16: /* dpi-desync */ + case 17: /* dpi-desync */ { char *mode=optarg,*mode2,*mode3; mode2 = mode ? strchr(mode,',') : NULL; @@ -1580,7 +1584,7 @@ int main(int argc, char **argv) } break; #ifndef __CYGWIN__ - case 17: /* dpi-desync-fwmark/dpi-desync-sockarg */ + case 18: /* dpi-desync-fwmark/dpi-desync-sockarg */ #if defined(__linux__) || defined(SO_USER_COOKIE) params.desync_fwmark = 0; if (sscanf(optarg, "0x%X", ¶ms.desync_fwmark)<=0) sscanf(optarg, "%u", ¶ms.desync_fwmark); @@ -1595,27 +1599,27 @@ int main(int argc, char **argv) #endif break; #endif - case 18: /* dpi-desync-ttl */ + case 19: /* dpi-desync-ttl */ dp->desync_ttl = (uint8_t)atoi(optarg); break; - case 19: /* dpi-desync-ttl6 */ + case 20: /* dpi-desync-ttl6 */ dp->desync_ttl6 = (uint8_t)atoi(optarg); break; - case 20: /* dpi-desync-autottl */ + case 21: /* dpi-desync-autottl */ if (!parse_autottl(optarg, &dp->desync_autottl)) { DLOG_ERR("dpi-desync-autottl value error\n"); exit_clean(1); } break; - case 21: /* dpi-desync-autottl6 */ + case 22: /* dpi-desync-autottl6 */ if (!parse_autottl(optarg, &dp->desync_autottl6)) { DLOG_ERR("dpi-desync-autottl6 value error\n"); exit_clean(1); } break; - case 22: /* dpi-desync-fooling */ + case 23: /* dpi-desync-fooling */ { char *e,*p = optarg; while (p) 
@@ -1650,17 +1654,17 @@ int main(int argc, char **argv) } } break; - case 23: /* dpi-desync-repeats */ + case 24: /* dpi-desync-repeats */ if (sscanf(optarg,"%u",&dp->desync_repeats)<1 || !dp->desync_repeats || dp->desync_repeats>20) { DLOG_ERR("dpi-desync-repeats must be within 1..20\n"); exit_clean(1); } break; - case 24: /* dpi-desync-skip-nosni */ + case 25: /* dpi-desync-skip-nosni */ dp->desync_skip_nosni = !optarg || atoi(optarg); break; - case 25: /* dpi-desync-split-pos */ + case 26: /* dpi-desync-split-pos */ { int ct; if (!parse_split_pos_list(optarg,dp->splits+dp->split_count,MAX_SPLITS-dp->split_count,&ct)) @@ -1671,7 +1675,7 @@ int main(int argc, char **argv) dp->split_count += ct; } break; - case 26: /* dpi-desync-split-http-req */ + case 27: /* dpi-desync-split-http-req */ // obsolete arg DLOG_CONDUP("WARNING ! --dpi-desync-split-http-req is deprecated. use --dpi-desync-split-pos with markers.\n",MAX_SPLITS); if (dp->split_count>=MAX_SPLITS) @@ -1686,7 +1690,7 @@ int main(int argc, char **argv) } dp->split_count++; break; - case 27: /* dpi-desync-split-tls */ + case 28: /* dpi-desync-split-tls */ // obsolete arg DLOG_CONDUP("WARNING ! --dpi-desync-split-tls is deprecated. use --dpi-desync-split-pos with markers.\n",MAX_SPLITS); if (dp->split_count>=MAX_SPLITS) @@ -1701,7 +1705,7 @@ int main(int argc, char **argv) } dp->split_count++; break; - case 28: /* dpi-desync-split-seqovl */ + case 29: /* dpi-desync-split-seqovl */ if (!strcmp(optarg,"0")) { // allow zero = disable seqovl @@ -1714,7 +1718,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 29: /* dpi-desync-split-seqovl-pattern */ + case 30: /* dpi-desync-split-seqovl-pattern */ { char buf[sizeof(dp->seqovl_pattern)]; size_t sz=sizeof(buf); 
@@ -1722,7 +1726,7 @@ int main(int argc, char **argv) fill_pattern(dp->seqovl_pattern,sizeof(dp->seqovl_pattern),buf,sz); } break; - case 30: /* dpi-desync-fakedsplit-pattern */ + case 31: /* dpi-desync-fakedsplit-pattern */ { char buf[sizeof(dp->fsplit_pattern)]; size_t sz=sizeof(buf); @@ -1730,7 +1734,7 @@ int main(int argc, char **argv) fill_pattern(dp->fsplit_pattern,sizeof(dp->fsplit_pattern),buf,sz); } break; - case 31: /* dpi-desync-ipfrag-pos-tcp */ + case 32: /* dpi-desync-ipfrag-pos-tcp */ if (sscanf(optarg,"%u",&dp->desync_ipfrag_pos_tcp)<1 || dp->desync_ipfrag_pos_tcp<1 || dp->desync_ipfrag_pos_tcp>DPI_DESYNC_MAX_FAKE_LEN) { DLOG_ERR("dpi-desync-ipfrag-pos-tcp must be within 1..%u range\n",DPI_DESYNC_MAX_FAKE_LEN); @@ -1742,7 +1746,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 32: /* dpi-desync-ipfrag-pos-udp */ + case 33: /* dpi-desync-ipfrag-pos-udp */ if (sscanf(optarg,"%u",&dp->desync_ipfrag_pos_udp)<1 || dp->desync_ipfrag_pos_udp<1 || dp->desync_ipfrag_pos_udp>DPI_DESYNC_MAX_FAKE_LEN) { DLOG_ERR("dpi-desync-ipfrag-pos-udp must be within 1..%u range\n",DPI_DESYNC_MAX_FAKE_LEN); 
@@ -1754,63 +1758,63 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 33: /* dpi-desync-badseq-increments */ + case 34: /* dpi-desync-badseq-increments */ if (!parse_badseq_increment(optarg,&dp->desync_badseq_increment)) { DLOG_ERR("dpi-desync-badseq-increment should be signed decimal or signed 0xHEX\n"); exit_clean(1); } break; - case 34: /* dpi-desync-badack-increment */ + case 35: /* dpi-desync-badack-increment */ if (!parse_badseq_increment(optarg,&dp->desync_badseq_ack_increment)) { DLOG_ERR("dpi-desync-badack-increment should be signed decimal or signed 0xHEX\n"); exit_clean(1); } break; - case 35: /* dpi-desync-any-protocol */ + case 36: /* dpi-desync-any-protocol */ dp->desync_any_proto = !optarg || atoi(optarg); break; - case 36: /* dpi-desync-fake-http */ + case 37: /* dpi-desync-fake-http */ dp->fake_http_size = sizeof(dp->fake_http); load_file_or_exit(optarg,dp->fake_http,&dp->fake_http_size); break; - case 37: /* dpi-desync-fake-tls */ + case 38: /* dpi-desync-fake-tls */ dp->fake_tls_size = sizeof(dp->fake_tls); load_file_or_exit(optarg,dp->fake_tls,&dp->fake_tls_size); break; - case 38: /* dpi-desync-fake-unknown */ + case 39: /* dpi-desync-fake-unknown */ dp->fake_unknown_size = sizeof(dp->fake_unknown); load_file_or_exit(optarg,dp->fake_unknown,&dp->fake_unknown_size); break; - case 39: /* dpi-desync-fake-syndata */ + case 40: /* dpi-desync-fake-syndata */ dp->fake_syndata_size = sizeof(dp->fake_syndata); load_file_or_exit(optarg,dp->fake_syndata,&dp->fake_syndata_size); break; - case 40: /* dpi-desync-fake-quic */ + case 41: /* dpi-desync-fake-quic */ dp->fake_quic_size = sizeof(dp->fake_quic); load_file_or_exit(optarg,dp->fake_quic,&dp->fake_quic_size); break; - case 41: /* dpi-desync-fake-wireguard */ + case 42: /* dpi-desync-fake-wireguard */ dp->fake_wg_size = sizeof(dp->fake_wg); load_file_or_exit(optarg,dp->fake_wg,&dp->fake_wg_size); break; - case 42: /* dpi-desync-fake-dht */ + case 43: /* dpi-desync-fake-dht */ 
dp->fake_dht_size = sizeof(dp->fake_dht); load_file_or_exit(optarg,dp->fake_dht,&dp->fake_dht_size); break; - case 43: /* dpi-desync-fake-unknown-udp */ + case 44: /* dpi-desync-fake-unknown-udp */ dp->fake_unknown_udp_size = sizeof(dp->fake_unknown_udp); load_file_or_exit(optarg,dp->fake_unknown_udp,&dp->fake_unknown_udp_size); break; - case 44: /* dpi-desync-udplen-increment */ + case 45: /* dpi-desync-udplen-increment */ if (sscanf(optarg,"%d",&dp->udplen_increment)<1 || dp->udplen_increment>0x7FFF || dp->udplen_increment<-0x8000) { DLOG_ERR("dpi-desync-udplen-increment must be integer within -32768..32767 range\n"); exit_clean(1); } break; - case 45: /* dpi-desync-udplen-pattern */ + case 46: /* dpi-desync-udplen-pattern */ { char buf[sizeof(dp->udplen_pattern)]; size_t sz=sizeof(buf); @@ -1818,21 +1822,21 @@ int main(int argc, char **argv) fill_pattern(dp->udplen_pattern,sizeof(dp->udplen_pattern),buf,sz); } break; - case 46: /* desync-cutoff */ + case 47: /* desync-cutoff */ if (!parse_cutoff(optarg, &dp->desync_cutoff, &dp->desync_cutoff_mode)) { DLOG_ERR("invalid desync-cutoff value\n"); exit_clean(1); } break; - case 47: /* desync-start */ + case 48: /* desync-start */ if (!parse_cutoff(optarg, &dp->desync_start, &dp->desync_start_mode)) { DLOG_ERR("invalid desync-start value\n"); exit_clean(1); } break; - case 48: /* hostlist */ + case 49: /* hostlist */ if (bSkip) break; if (!RegisterHostlist(dp, false, optarg)) { @@ -1840,7 +1844,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 49: /* hostlist-domains */ + case 50: /* hostlist-domains */ if (bSkip) break; if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL))) { @@ -1853,7 +1857,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 50: /* hostlist-exclude */ + case 51: /* hostlist-exclude */ if (bSkip) break; if (!RegisterHostlist(dp, true, optarg)) { 
@@ -1861,7 +1865,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 51: /* hostlist-exclude-domains */ + case 52: /* hostlist-exclude-domains */ if (bSkip) break; if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL))) { @@ -1874,7 +1878,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 52: /* hostlist-auto */ + case 53: /* hostlist-auto */ if (bSkip) break; if (dp->hostlist_auto) { @@ -1902,7 +1906,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 53: /* hostlist-auto-fail-threshold */ + case 54: /* hostlist-auto-fail-threshold */ dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg); if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20) { @@ -1910,7 +1914,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 54: /* hostlist-auto-fail-time */ + case 55: /* hostlist-auto-fail-time */ dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg); if (dp->hostlist_auto_fail_time<1) { @@ -1918,7 +1922,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 55: /* hostlist-auto-retrans-threshold */ + case 56: /* hostlist-auto-retrans-threshold */ dp->hostlist_auto_retrans_threshold = (uint8_t)atoi(optarg); if (dp->hostlist_auto_retrans_threshold<2 || dp->hostlist_auto_retrans_threshold>10) { @@ -1926,7 +1930,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 56: /* hostlist-auto-debug */ + case 57: /* hostlist-auto-debug */ { FILE *F = fopen(optarg,"a+t"); if (!F) @@ -1940,7 +1944,7 @@ int main(int argc, char **argv) } break; - case 57: /* new */ + case 58: /* new */ if (bSkip) { dp_clear(dp); 
@@ -1961,18 +1965,18 @@ int main(int argc, char **argv) anon_hl = anon_hl_exclude = NULL; anon_ips = anon_ips_exclude = NULL; break; - case 58: /* skip */ + case 59: /* skip */ bSkip = true; break; - case 59: /* filter-l3 */ + case 60: /* filter-l3 */ if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6)) { DLOG_ERR("bad value for --filter-l3\n"); exit_clean(1); } break; - case 60: /* filter-tcp */ + case 61: /* filter-tcp */ if (!parse_pf_list(optarg,&dp->pf_tcp)) { DLOG_ERR("Invalid port filter : %s\n",optarg); @@ -1982,7 +1986,7 @@ int main(int argc, char **argv) if (!port_filters_deny_if_empty(&dp->pf_udp)) exit_clean(1); break; - case 61: /* filter-udp */ + case 62: /* filter-udp */ if (!parse_pf_list(optarg,&dp->pf_udp)) { DLOG_ERR("Invalid port filter : %s\n",optarg); @@ -1992,14 +1996,14 @@ int main(int argc, char **argv) if (!port_filters_deny_if_empty(&dp->pf_tcp)) exit_clean(1); break; - case 62: /* filter-l7 */ + case 63: /* filter-l7 */ if (!parse_l7_list(optarg,&dp->filter_l7)) { DLOG_ERR("Invalid l7 filter : %s\n",optarg); exit_clean(1); } break; - case 63: /* ipset */ + case 64: /* ipset */ if (bSkip) break; if (!RegisterIpset(dp, false, optarg)) { @@ -2007,7 +2011,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 64: /* ipset-ip */ + case 65: /* ipset-ip */ if (bSkip) break; if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL))) { @@ -2020,7 +2024,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 65: /* ipset-exclude */ + case 66: /* ipset-exclude */ if (bSkip) break; if (!RegisterIpset(dp, true, optarg)) { @@ -2028,7 +2032,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 66: /* ipset-exclude-ip */ + case 67: /* ipset-exclude-ip */ if (bSkip) break; if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL))) { 
@@ -2044,28 +2048,28 @@ int main(int argc, char **argv) #ifdef __linux__ - case 67: /* bind-fix4 */ + case 68: /* bind-fix4 */ params.bind_fix4 = true; break; - case 68: /* bind-fix6 */ + case 69: /* bind-fix6 */ params.bind_fix6 = true; break; #elif defined(__CYGWIN__) - case 67: /* wf-iface */ + case 68: /* wf-iface */ if (!sscanf(optarg,"%u.%u",&IfIdx,&SubIfIdx)) { DLOG_ERR("bad value for --wf-iface\n"); exit_clean(1); } break; - case 68: /* wf-l3 */ + case 69: /* wf-l3 */ if (!wf_make_l3(optarg,&wf_ipv4,&wf_ipv6)) { DLOG_ERR("bad value for --wf-l3\n"); exit_clean(1); } break; - case 69: /* wf-tcp */ + case 70: /* wf-tcp */ hash_wf_tcp=hash_jen(optarg,strlen(optarg)); if (!wf_make_pf(optarg,"tcp","SrcPort",wf_pf_tcp_src,sizeof(wf_pf_tcp_src)) || !wf_make_pf(optarg,"tcp","DstPort",wf_pf_tcp_dst,sizeof(wf_pf_tcp_dst))) @@ -2074,7 +2078,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 70: /* wf-udp */ + case 71: /* wf-udp */ hash_wf_udp=hash_jen(optarg,strlen(optarg)); if (!wf_make_pf(optarg,"udp","SrcPort",wf_pf_udp_src,sizeof(wf_pf_udp_src)) || !wf_make_pf(optarg,"udp","DstPort",wf_pf_udp_dst,sizeof(wf_pf_udp_dst))) @@ -2083,7 +2087,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 71: /* wf-raw */ + case 72: /* wf-raw */ hash_wf_raw=hash_jen(optarg,strlen(optarg)); if (optarg[0]=='@') { @@ -2097,11 +2101,11 @@ int main(int argc, char **argv) windivert_filter[sizeof(windivert_filter) - 1] = '\0'; } break; - case 72: /* wf-save */ + case 73: /* wf-save */ strncpy(wf_save_file, optarg, sizeof(wf_save_file)); wf_save_file[sizeof(wf_save_file) - 1] = '\0'; break; - case 73: /* ssid-filter */ + case 74: /* ssid-filter */ hash_ssid_filter=hash_jen(optarg,strlen(optarg)); { char *e,*p = optarg; @@ -2119,7 +2123,7 @@ int main(int argc, char **argv) } } break; - case 74: /* nlm-filter */ + case 75: /* nlm-filter */ hash_nlm_filter=hash_jen(optarg,strlen(optarg)); { char *e,*p = optarg; 
@@ -2137,7 +2141,7 @@ int main(int argc, char **argv) } } break; - case 75: /* nlm-list */ + case 76: /* nlm-list */ if (!nlm_list(optarg && !strcmp(optarg,"all"))) { DLOG_ERR("could not get list of NLM networks\n"); diff --git a/tpws/tpws.c b/tpws/tpws.c index 0cef7d1..d261ebf 100644 --- a/tpws/tpws.c +++ b/tpws/tpws.c @@ -176,6 +176,7 @@ static void exithelp(void) " --debug=0|1|2|syslog|@\t; 1 and 2 means log to console and set debug level. for other targets use --debug-level.\n" " --debug-level=0|1|2\t\t\t; specify debug level\n" " --dry-run\t\t\t\t; verify parameters and exit with code 0 if successful\n" + " --comment=any_text\n" "\nMULTI-STRATEGY:\n" " --new\t\t\t\t\t; begin new strategy\n" " --skip\t\t\t\t\t; do not use this strategy\n" 
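Review bot: The new `" --comment=any_text\n"` help line in exithelp() is the only entry in this block without a `; description`, so a user reading the help output cannot tell that the value is discarded. The parser added in this patch does `case 48: /* comment */ break;` and the docs hunk later on this page describes the option as "any text (ignored)", so the help line should say the same: `" --comment=any_text\t\t\t; any text, ignored. can be used to annotate a strategy\n"`. The option is declared `optional_argument`, so `--comment` with no value is also accepted; the help text could mention that too.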
@@ -669,21 +670,22 @@ void parse_params(int argc, char *argv[]) { "debug",optional_argument,0,0 },// optidx=45 { "debug-level",required_argument,0,0 },// optidx=46 { "dry-run",no_argument,0,0 },// optidx=47 - { "local-rcvbuf",required_argument,0,0 },// optidx=48 - { "local-sndbuf",required_argument,0,0 },// optidx=49 - { "remote-rcvbuf",required_argument,0,0 },// optidx=50 - { "remote-sndbuf",required_argument,0,0 },// optidx=51 - { "socks",no_argument,0,0 },// optidx=52 - { "no-resolve",no_argument,0,0 },// optidx=53 - { "resolver-threads",required_argument,0,0 },// optidx=54 - { "skip-nodelay",no_argument,0,0 },// optidx=55 - { "tamper-start",required_argument,0,0 },// optidx=56 - { "tamper-cutoff",required_argument,0,0 },// optidx=57 - { "connect-bind-addr",required_argument,0,0 },// optidx=58 - - { "new",no_argument,0,0 }, // optidx=59 - { "skip",no_argument,0,0 }, // optidx=60 - { "filter-l3",required_argument,0,0 }, // optidx=61 + { "comment",optional_argument,0,0 },// optidx=48 + { "local-rcvbuf",required_argument,0,0 },// optidx=49 + { "local-sndbuf",required_argument,0,0 },// optidx=50 + { "remote-rcvbuf",required_argument,0,0 },// optidx=51 + { "remote-sndbuf",required_argument,0,0 },// optidx=52 + { "socks",no_argument,0,0 },// optidx=53 + { "no-resolve",no_argument,0,0 },// optidx=54 + { "resolver-threads",required_argument,0,0 },// optidx=55 + { "skip-nodelay",no_argument,0,0 },// optidx=56 + { "tamper-start",required_argument,0,0 },// optidx=57 + { "tamper-cutoff",required_argument,0,0 },// optidx=58 + { "connect-bind-addr",required_argument,0,0 },// optidx=59 + + { "new",no_argument,0,0 }, // optidx=60 + { "skip",no_argument,0,0 }, // optidx=61 + { "filter-l3",required_argument,0,0 }, // optidx=62 { "filter-tcp",required_argument,0,0 }, // optidx=63 { "filter-l7",required_argument,0,0 }, // optidx=64 { "ipset",required_argument,0,0 }, // optidx=65 
@@ -692,17 +694,17 @@ void parse_params(int argc, char *argv[]) { "ipset-exclude-ip",required_argument,0,0 }, // optidx=68 #if defined(__FreeBSD__) - { "enable-pf",no_argument,0,0 },// optidx=68 + { "enable-pf",no_argument,0,0 },// optidx=69 #elif defined(__APPLE__) - { "local-tcp-user-timeout",required_argument,0,0 }, // optidx=68 - { "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=69 + { "local-tcp-user-timeout",required_argument,0,0 }, // optidx=69 + { "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=70 #elif defined(__linux__) - { "local-tcp-user-timeout",required_argument,0,0 }, // optidx=68 - { "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=69 - { "mss",required_argument,0,0 }, // optidx=70 - { "fix-seg",optional_argument,0,0 }, // optidx=71 + { "local-tcp-user-timeout",required_argument,0,0 }, // optidx=69 + { "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=70 + { "mss",required_argument,0,0 }, // optidx=71 + { "fix-seg",optional_argument,0,0 }, // optidx=72 #ifdef SPLICE_PRESENT - { "nosplice",no_argument,0,0 }, // optidx=72 + { "nosplice",no_argument,0,0 }, // optidx=73 #endif #endif { "hostlist-auto-retrans-threshold",optional_argument,0,0}, // ignored. for nfqws command line compatibility 
@@ -1153,41 +1155,43 @@ void parse_params(int argc, char *argv[]) case 47: /* dry-run */ bDry = true; break; - case 48: /* local-rcvbuf */ + case 48: /* comment */ + break; + case 49: /* local-rcvbuf */ #ifdef __linux__ params.local_rcvbuf = atoi(optarg)/2; #else params.local_rcvbuf = atoi(optarg); #endif break; - case 49: /* local-sndbuf */ + case 50: /* local-sndbuf */ #ifdef __linux__ params.local_sndbuf = atoi(optarg)/2; #else params.local_sndbuf = atoi(optarg); #endif break; - case 50: /* remote-rcvbuf */ + case 51: /* remote-rcvbuf */ #ifdef __linux__ params.remote_rcvbuf = atoi(optarg)/2; #else params.remote_rcvbuf = atoi(optarg); #endif break; - case 51: /* remote-sndbuf */ + case 52: /* remote-sndbuf */ #ifdef __linux__ params.remote_sndbuf = atoi(optarg)/2; #else params.remote_sndbuf = atoi(optarg); #endif break; - case 52: /* socks */ + case 53: /* socks */ params.proxy_type = CONN_TYPE_SOCKS; break; - case 53: /* no-resolve */ + case 54: /* no-resolve */ params.no_resolve = true; break; - case 54: /* resolver-threads */ + case 55: /* resolver-threads */ params.resolver_threads = atoi(optarg); if (params.resolver_threads<1 || params.resolver_threads>300) { @@ -1195,10 +1199,10 @@ void parse_params(int argc, char *argv[]) exit_clean(1); } break; - case 55: /* skip-nodelay */ + case 56: /* skip-nodelay */ params.skip_nodelay = true; break; - case 56: /* tamper-start */ + case 57: /* tamper-start */ { const char *p=optarg; if (*p=='n') @@ -1212,7 +1216,7 @@ void parse_params(int argc, char *argv[]) } params.tamper_lim = true; break; - case 57: /* tamper-cutoff */ + case 58: /* tamper-cutoff */ { const char *p=optarg; if (*p=='n') @@ -1226,7 +1230,7 @@ void parse_params(int argc, char *argv[]) } params.tamper_lim = true; break; - case 58: /* connect-bind-addr */ + case 59: /* connect-bind-addr */ { char *p = strchr(optarg,'%'); if (p) *p++=0; 
@@ -1254,7 +1258,7 @@ void parse_params(int argc, char *argv[]) break; - case 59: /* new */ + case 60: /* new */ if (bSkip) { dp_clear(dp); @@ -1275,31 +1279,31 @@ void parse_params(int argc, char *argv[]) anon_hl = anon_hl_exclude = NULL; anon_ips = anon_ips_exclude = NULL; break; - case 60: /* skip */ + case 61: /* skip */ bSkip = true; break; - case 61: /* filter-l3 */ + case 62: /* filter-l3 */ if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6)) { DLOG_ERR("bad value for --filter-l3\n"); exit_clean(1); } break; - case 62: /* filter-tcp */ + case 63: /* filter-tcp */ if (!parse_pf_list(optarg,&dp->pf_tcp)) { DLOG_ERR("Invalid port filter : %s\n",optarg); exit_clean(1); } break; - case 63: /* filter-l7 */ + case 64: /* filter-l7 */ if (!parse_l7_list(optarg,&dp->filter_l7)) { DLOG_ERR("Invalid l7 filter : %s\n",optarg); exit_clean(1); } break; - case 64: /* ipset */ + case 65: /* ipset */ if (bSkip) break; if (!RegisterIpset(dp, false, optarg)) { @@ -1308,7 +1312,7 @@ void parse_params(int argc, char *argv[]) } params.tamper = true; break; - case 65: /* ipset-ip */ + case 66: /* ipset-ip */ if (bSkip) break; if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL))) { @@ -1322,7 +1326,7 @@ void parse_params(int argc, char *argv[]) } params.tamper = true; break; - case 66: /* ipset-exclude */ + case 67: /* ipset-exclude */ if (bSkip) break; if (!RegisterIpset(dp, true, optarg)) { @@ -1331,7 +1335,7 @@ void parse_params(int argc, char *argv[]) } params.tamper = true; break; - case 67: /* ipset-exclude-ip */ + case 68: /* ipset-exclude-ip */ if (bSkip) break; if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL))) { 
@@ -1347,11 +1351,11 @@ void parse_params(int argc, char *argv[]) break; #if defined(__FreeBSD__) - case 68: /* enable-pf */ + case 69: /* enable-pf */ params.pf_enable = true; break; #elif defined(__linux__) || defined(__APPLE__) - case 68: /* local-tcp-user-timeout */ + case 69: /* local-tcp-user-timeout */ params.tcp_user_timeout_local = atoi(optarg); if (params.tcp_user_timeout_local<0 || params.tcp_user_timeout_local>86400) { @@ -1359,7 +1363,7 @@ void parse_params(int argc, char *argv[]) exit_clean(1); } break; - case 69: /* remote-tcp-user-timeout */ + case 70: /* remote-tcp-user-timeout */ params.tcp_user_timeout_remote = atoi(optarg); if (params.tcp_user_timeout_remote<0 || params.tcp_user_timeout_remote>86400) { @@ -1370,7 +1374,7 @@ void parse_params(int argc, char *argv[]) #endif #if defined(__linux__) - case 70: /* mss */ + case 71: /* mss */ // this option does not work in any BSD and MacOS. OS may accept but it changes nothing dp->mss = atoi(optarg); if (dp->mss<88 || dp->mss>32767) @@ -1379,7 +1383,7 @@ void parse_params(int argc, char *argv[]) exit_clean(1); } break; - case 71: /* fix-seg */ + case 72: /* fix-seg */ if (!params.fix_seg_avail) { DLOG_ERR("--fix-seg is supported since kernel 4.6\n"); @@ -1399,7 +1403,7 @@ void parse_params(int argc, char *argv[]) params.fix_seg = FIX_SEG_DEFAULT_MAX_WAIT; break; #ifdef SPLICE_PRESENT - case 72: /* nosplice */ + case 73: /* nosplice */ params.nosplice = true; break; #endif From 1476cd214951c478184973081582014e7fd00d82 Mon Sep 17 00:00:00 2001 From: bol-van Date: Tue, 10 Dec 2024 16:58:24 +0300 Subject: [PATCH 30/49] dvtws: fix build --- nfq/nfqws.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 9072849..82b9cbc 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -303,8 +303,6 @@ static int dvt_main(void) DLOG_PERROR("bind (DIVERT4)"); goto exiterr; } - if (!set_socket_buffers(fd[0],Q_RCVBUF,Q_SNDBUF)) - goto exiterr; } 
From 45b93f3a45fadd9cbbc4873751ad4003a1ade73b Mon Sep 17 00:00:00 2001
From: bol-van
Date: Thu, 12 Dec 2024 09:14:38 +0300
Subject: [PATCH 31/49] blockcheck: use instead of curl in mdig test
---
 blockcheck.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/blockcheck.sh b/blockcheck.sh
index 406143f..3c3d900 100755
--- a/blockcheck.sh
+++ b/blockcheck.sh
@@ -212,7 +212,7 @@ doh_resolve()
 # $1 - ip version 4/6
 # $2 - hostname
 # $3 - doh server URL. use $DOH_SERVER if empty
- $MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+ $MDIG --family=$1 --dns-make-query=$2 | $CURL -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
 }
 doh_find_working()
 {
From fc42f6e20e4922550707e363c24cc69d81c15048 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Thu, 12 Dec 2024 14:41:11 +0300
Subject: [PATCH 32/49] nfqws: remove obsolete code
---
 nfq/desync.c | 7 -------
 nfq/desync.h | 1 -
 nfq/nfqws.c | 2 --
 3 files changed, 10 deletions(-)
diff --git a/nfq/desync.c b/nfq/desync.c
index 26e1c7b..0cfa059 100644
--- a/nfq/desync.c
+++ b/nfq/desync.c
@@ -76,13 +76,6 @@ void randomize_default_tls_payload(uint8_t *p)
 #define PKTDATA_MAXDUMP 32
 #define IP_MAXDUMP 80
-static uint8_t zeropkt[DPI_DESYNC_MAX_FAKE_LEN];
-
-void desync_init(void)
-{
- memset(zeropkt, 0, sizeof(zeropkt));
-}
-
 bool desync_valid_zero_stage(enum dpi_desync_mode mode)
 {
 return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;
diff --git a/nfq/desync.h b/nfq/desync.h
index ad3aaf0..294a4fb 100644
--- a/nfq/desync.h
+++ b/nfq/desync.h
@@ -52,5 +52,4 @@ bool desync_valid_second_stage(enum dpi_desync_mode mode);
 bool desync_valid_second_stage_tcp(enum dpi_desync_mode mode);
 bool desync_valid_second_stage_udp(enum dpi_desync_mode mode);
-void desync_init(void);
 uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifout, uint8_t *data_pkt, size_t *len_pkt);
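Review bot: In the blockcheck.sh hunk the replacement `$CURL` is expanded unquoted and without a fallback, so if the variable is empty the middle stage of the pipeline degrades to `-s --data-binary …`, the DoH request is never sent and doh_resolve returns an empty parse instead of failing visibly. Presumably the script assigns `CURL` during its setup (not visible in this chunk); if it can still be unset on this path, `${CURL:-curl}` preserves the previous behaviour as the default. The opening line of doh_resolve is outside the hunk.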
diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 82b9cbc..51cde19 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -84,8 +84,6 @@ static void pre_desync(void) signal(SIGHUP, onhup); signal(SIGUSR1, onusr1); signal(SIGUSR2, onusr2); - - desync_init(); } From dcf78a76e52571c127cb87030a16000e6b380add Mon Sep 17 00:00:00 2001 From: bol-van Date: Fri, 13 Dec 2024 15:59:58 +0300 Subject: [PATCH 33/49] nfqws: trash flood check --- nfq/nfqws.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 51cde19..154fd63 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -1190,6 +1190,27 @@ void config_from_file(const char *filename) } #endif +void check_dp(const struct desync_profile *dp) +{ + // only linux has connbytes limiter + if (dp->desync_any_proto && !dp->desync_cutoff && + (dp->desync_mode==DESYNC_FAKE || dp->desync_mode==DESYNC_RST || dp->desync_mode==DESYNC_RSTACK || + dp->desync_mode==DESYNC_FAKEDSPLIT || dp->desync_mode==DESYNC_FAKEDDISORDER || dp->desync_mode2==DESYNC_FAKEDSPLIT || dp->desync_mode2==DESYNC_FAKEDDISORDER)) + { +#ifdef __linux__ + DLOG_CONDUP("WARNING !!! in profile %d you are using --dpi-desync-any-protocol without --dpi-desync-cutoff\n", dp->n); + DLOG_CONDUP("WARNING !!! it's completely ok if connbytes or payload based ip/nf tables limiter is applied. Make sure it exists.\n"); +#else + DLOG_CONDUP("WARNING !!! possible TRASH FLOOD configuration detected in profile %d\n", dp->n); + DLOG_CONDUP("WARNING !!! it's highly recommended to use --dpi-desync-cutoff limiter or fakes will be sent on every processed packet\n"); + DLOG_CONDUP("WARNING !!! make sure it's really what you want\n"); +#ifdef __CYGWIN__ + DLOG_CONDUP("WARNING !!! in most cases this is acceptable only with custom payload based windivert filter (--wf-raw)\n"); +#endif +#endif + } +} + #define STRINGIFY(x) #x #define TOSTRING(x) STRINGIFY(x) #if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH) 
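Review bot: `check_dp` is defined without `static` although its only callers are the two call sites main() gains in the next hunks of this patch, so it is exported with no prototype in any header; `static void check_dp(const struct desync_profile *dp)` is enough. The condition spans seven mode comparisons, so a one-line header comment would help the next reader: `// warn when a profile will emit fakes on every processed packet: --dpi-desync-any-protocol with a fake-sending mode and no --dpi-desync-cutoff (on linux an external connbytes limiter is assumed instead)`. The test `!dp->desync_cutoff` treats zero as "no cutoff configured"; that looks like the field's unset value, but it is worth confirming against where desync_cutoff is parsed.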
@@ -1950,6 +1971,7 @@ int main(int argc, char **argv) } else { + check_dp(dp); if (!(dpl = dp_list_add(¶ms.desync_profiles))) { DLOG_ERR("desync_profile_add: out of memory\n"); @@ -2154,6 +2176,8 @@ int main(int argc, char **argv) dp_entry_destroy(dpl); desync_profile_count--; } + else + check_dp(dp); // do not need args from file anymore #if !defined( __OpenBSD__) && !defined(__ANDROID__) From 7b7a6dd15464ca2c2a5421bdfe2e9dee045397af Mon Sep 17 00:00:00 2001 From: bol-van Date: Fri, 13 Dec 2024 18:49:11 +0300 Subject: [PATCH 34/49] winws: --wf-tcp filter out empty ack --- nfq/nfqws.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 154fd63..08c8c74 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -981,6 +981,7 @@ static bool wf_make_pf(char *opt, const char *l4, const char *portname, char *bu #define DIVERT_NO_LOCALNETS_SRC "(" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC ")" #define DIVERT_NO_LOCALNETS_DST "(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST ")" +#define DIVERT_TCP_NOT_EMPTY "(!tcp or tcp.Syn or tcp.PayloadLength>0)" #define DIVERT_TCP_INBOUNDS "(tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin)" // HTTP/1.? 30(2|7) @@ -998,6 +999,7 @@ static bool wf_make_filter( char pf_dst_buf[512],iface[64]; const char *pf_dst; const char *f_tcpin = *pf_tcp_src ? dp_list_have_autohostlist(¶ms.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : ""; + const char *f_tcp_not_empty = *pf_tcp_src ? DIVERT_TCP_NOT_EMPTY " and " : ""; snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx); 
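Review bot: `DIVERT_TCP_NOT_EMPTY` as defined here, `(!tcp or tcp.Syn or tcp.PayloadLength>0)`, also excludes outbound RST and FIN segments, which normally carry neither payload nor SYN; once `f_tcp_not_empty` is ANDed into the outbound branch in the following hunk, any handling of locally originated resets and closes in the desync path stops seeing them. A later patch on this page ("winws: process outgoing tcp fin and rst") widens the macro to `(!tcp or tcp.Syn or tcp.Rst or tcp.Fin or tcp.PayloadLength>0)`, which is the form this commit should have landed with. The `*pf_tcp_src` gate means the term is only emitted when a TCP port filter is present, which matches how `f_tcpin` is gated on the line above it.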
@@ -1010,9 +1012,10 @@ static bool wf_make_filter( else pf_dst = *pf_tcp_dst ? pf_tcp_dst : pf_udp_dst; snprintf(wf,len, - DIVERT_PROLOG " and%s%s\n ((outbound and %s%s)\n or\n (inbound and tcp%s%s%s%s%s%s%s))", + DIVERT_PROLOG " and%s%s\n ((outbound and %s%s%s)\n or\n (inbound and tcp%s%s%s%s%s%s%s))", IfIdx ? iface : "", ipv4 ? ipv6 ? "" : " ip and" : " ipv6 and", + f_tcp_not_empty, pf_dst, ipv4 ? ipv6 ? " and " DIVERT_NO_LOCALNETS_DST : " and " DIVERT_NO_LOCALNETSv4_DST : " and " DIVERT_NO_LOCALNETSv6_DST, *pf_tcp_src ? "" : " and false", From 594e613fcb3669e377d1f564873e15459dc5f229 Mon Sep 17 00:00:00 2001 From: bol-van Date: Fri, 13 Dec 2024 18:59:43 +0300 Subject: [PATCH 35/49] update docs --- docs/changes.txt | 6 ++++++ docs/readme.en.md | 3 ++- docs/readme.md | 3 ++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index 614efe1..e374bf9 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -423,3 +423,9 @@ v69.6 nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors init.d: unify custom scripts for linux init.d: new custom scripts : 20-fw-extra, 50-wg4all + +v69.7 + +nfqws,tpws: --comment +nfqws: trash flood warning +winws: exclude empty outgoing ack packets in windivert filter diff --git a/docs/readme.en.md b/docs/readme.en.md index 685f1c4..10072cc 100644 --- a/docs/readme.en.md +++ b/docs/readme.en.md @@ -1,4 +1,4 @@ -# zapret v69.6 +# zapret v69.7 # SCAMMER WARNING @@ -132,6 +132,7 @@ nfqws takes the following parameters: --debug=0|1 --dry-run ; verify parameters and exit with code 0 if successful + --comment ; any text (ignored) --qnum= --daemon ; daemonize --pidfile= ; write pid to file diff --git a/docs/readme.md b/docs/readme.md index 94d1168..b6354bd 100644 --- a/docs/readme.md +++ b/docs/readme.md @@ -1,4 +1,4 @@ -# zapret v69.6 +# zapret v69.7 # ВНИМАНИЕ, остерегайтесь мошенников 
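Review bot: The `snprintf(wf,len, …)` that builds the WinDivert filter gains another `%s` term but its return value is still unchecked, so a filter that outgrows `len` is silently truncated into a syntactically broken expression rather than reported. The format/argument pairing itself is correct: `f_tcp_not_empty` is the third `%s`, matching its position in the outbound group, and it already carries its trailing `" and "`. If the length check is not done further down in wf_make_filter (its tail is outside this hunk), `int n = snprintf(wf,len, …); if (n < 0 || (size_t)n >= len) return false;` would surface the error at startup, since the function already returns bool.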
@@ -163,6 +163,7 @@ dvtws, собираемый из тех же исходников (см. [док --debug=0|1 ; 1=выводить отладочные сообщения --dry-run ; проверить опции командной строки и выйти. код 0 - успешная проверка. +--comment ; любой текст (игнорируется) --daemon ; демонизировать прогу --pidfile= ; сохранить PID в файл --user= ; менять uid процесса From d9a24b41054ee82b7d5ad7ae4155f071f0923179 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 14 Dec 2024 10:20:48 +0300 Subject: [PATCH 36/49] winws: process outgoing tcp fin and rst --- nfq/nfqws.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 08c8c74..07921e8 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -981,7 +981,7 @@ static bool wf_make_pf(char *opt, const char *l4, const char *portname, char *bu #define DIVERT_NO_LOCALNETS_SRC "(" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC ")" #define DIVERT_NO_LOCALNETS_DST "(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST ")" -#define DIVERT_TCP_NOT_EMPTY "(!tcp or tcp.Syn or tcp.PayloadLength>0)" +#define DIVERT_TCP_NOT_EMPTY "(!tcp or tcp.Syn or tcp.Rst or tcp.Fin or tcp.PayloadLength>0)" #define DIVERT_TCP_INBOUNDS "(tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin)" // HTTP/1.? 30(2|7) From 675a8e52b66f3fe54ad96fab529cf33c9258e6c5 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 14 Dec 2024 13:13:41 +0300 Subject: [PATCH 37/49] tpws: old headers compat, increase default fix seg to 50 ms --- tpws/helpers.c | 17 +++---- tpws/linux_compat.h | 105 ++++++++++++++++++++++++++++++++++++++++++++ tpws/params.h | 2 +- 3 files changed, 113 insertions(+), 11 deletions(-) create mode 100644 tpws/linux_compat.h diff --git a/tpws/helpers.c b/tpws/helpers.c index afdcc44..3ee8fd1 100644 --- a/tpws/helpers.c +++ b/tpws/helpers.c @@ -12,10 +12,6 @@ #include #include -#ifdef __linux__ -#include -#endif - #ifdef __ANDROID__ #include "andr/ifaddrs.h" #else 
@@ -23,6 +19,7 @@ #endif #include "helpers.h" +#include "linux_compat.h" int unique_size_t(size_t *pu, int ct) { @@ -481,7 +478,7 @@ void msleep(unsigned int ms) bool socket_supports_notsent() { int sfd; - struct tcp_info tcpi; + union my_tcp_info tcpi; sfd = socket(AF_INET,SOCK_STREAM,0); if (sfd<0) return false; @@ -494,22 +491,22 @@ bool socket_supports_notsent() } close(sfd); - return ts>=((char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi.tcpi_state + sizeof(tcpi.tcpi_notsent_bytes)); + return ts>=((char *)&tcpi.ti.tcpi_notsent_bytes - (char *)&tcpi.ti + sizeof(tcpi.ti.tcpi_notsent_bytes)); } bool socket_has_notsent(int sfd) { - struct tcp_info tcpi; + union my_tcp_info tcpi; socklen_t ts = sizeof(tcpi); if (getsockopt(sfd, IPPROTO_TCP, TCP_INFO, (char *)&tcpi, &ts) < 0) return false; - if (tcpi.tcpi_state != 1) // TCP_ESTABLISHED + if (tcpi.ti.tcpi_state != 1) // TCP_ESTABLISHED return false; - size_t s = (char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi + sizeof(tcpi.tcpi_notsent_bytes); + size_t s = (char *)&tcpi.ti.tcpi_notsent_bytes - (char *)&tcpi.ti + sizeof(tcpi.ti.tcpi_notsent_bytes); if (ts < s) // old structure version return false; - return !!tcpi.tcpi_notsent_bytes; + return !!tcpi.ti.tcpi_notsent_bytes; } bool socket_wait_notsent(int sfd, unsigned int delay_ms, unsigned int *wasted_ms) { diff --git a/tpws/linux_compat.h b/tpws/linux_compat.h new file mode 100644 index 0000000..e06114e --- /dev/null +++ b/tpws/linux_compat.h 
@@ -0,0 +1,105 @@
+#ifdef __linux__
+
+#include
+
+// workaround for old headers
+
+struct tcp_info_new {
+ __u8 tcpi_state;
+ __u8 tcpi_ca_state;
+ __u8 tcpi_retransmits;
+ __u8 tcpi_probes;
+ __u8 tcpi_backoff;
+ __u8 tcpi_options;
+ __u8 tcpi_snd_wscale : 4, tcpi_rcv_wscale : 4;
+ __u8 tcpi_delivery_rate_app_limited : 1, tcpi_fastopen_client_fail : 2;
+
+ __u32 tcpi_rto;
+ __u32 tcpi_ato;
+ __u32 tcpi_snd_mss;
+ __u32 tcpi_rcv_mss;
+
+ __u32 tcpi_unacked;
+ __u32 tcpi_sacked;
+ __u32 tcpi_lost;
+ __u32 tcpi_retrans;
+ __u32 tcpi_fackets;
+
+ /* Times. */
+ __u32 tcpi_last_data_sent;
+ __u32 tcpi_last_ack_sent; /* Not remembered, sorry. */
+ __u32 tcpi_last_data_recv;
+ __u32 tcpi_last_ack_recv;
+
+ /* Metrics. */
+ __u32 tcpi_pmtu;
+ __u32 tcpi_rcv_ssthresh;
+ __u32 tcpi_rtt;
+ __u32 tcpi_rttvar;
+ __u32 tcpi_snd_ssthresh;
+ __u32 tcpi_snd_cwnd;
+ __u32 tcpi_advmss;
+ __u32 tcpi_reordering;
+
+ __u32 tcpi_rcv_rtt;
+ __u32 tcpi_rcv_space;
+
+ __u32 tcpi_total_retrans;
+
+ __u64 tcpi_pacing_rate;
+ __u64 tcpi_max_pacing_rate;
+ __u64 tcpi_bytes_acked; /* RFC4898 tcpEStatsAppHCThruOctetsAcked */
+ __u64 tcpi_bytes_received; /* RFC4898 tcpEStatsAppHCThruOctetsReceived */
+ __u32 tcpi_segs_out; /* RFC4898 tcpEStatsPerfSegsOut */
+ __u32 tcpi_segs_in; /* RFC4898 tcpEStatsPerfSegsIn */
+
+ __u32 tcpi_notsent_bytes;
+ __u32 tcpi_min_rtt;
+ __u32 tcpi_data_segs_in; /* RFC4898 tcpEStatsDataSegsIn */
+ __u32 tcpi_data_segs_out; /* RFC4898 tcpEStatsDataSegsOut */
+
+ __u64 tcpi_delivery_rate;
+
+ __u64 tcpi_busy_time; /* Time (usec) busy sending data */
+ __u64 tcpi_rwnd_limited; /* Time (usec) limited by receive window */
+ __u64 tcpi_sndbuf_limited; /* Time (usec) limited by send buffer */
+
+ __u32 tcpi_delivered;
+ __u32 tcpi_delivered_ce;
+
+ __u64 tcpi_bytes_sent; /* RFC4898 tcpEStatsPerfHCDataOctetsOut */
+ __u64 tcpi_bytes_retrans; /* RFC4898 tcpEStatsPerfOctetsRetrans */
+ __u32 tcpi_dsack_dups; /* RFC4898 tcpEStatsStackDSACKDups */
+ __u32 tcpi_reord_seen; /* reordering events seen */
+
+ __u32 tcpi_rcv_ooopack; /* Out-of-order packets received */
+
+ __u32 tcpi_snd_wnd; /* peer's advertised receive window after
+ * scaling (bytes)
+ */
+ __u32 tcpi_rcv_wnd; /* local advertised receive window after
+ * scaling (bytes)
+ */
+
+ __u32 tcpi_rehash; /* PLB or timeout triggered rehash attempts */
+
+ __u16 tcpi_total_rto; /* Total number of RTO timeouts, including
+ * SYN/SYN-ACK and recurring timeouts.
+ */
+ __u16 tcpi_total_rto_recoveries; /* Total number of RTO
+ * recoveries, including any
+ * unfinished recovery.
+ */
+ __u32 tcpi_total_rto_time; /* Total time spent in RTO recoveries
+ * in milliseconds, including any
+ * unfinished recovery.
+ */
+};
+
+union my_tcp_info
+{
+ struct tcp_info ti_native;
+ struct tcp_info_new ti;
+};
+
+#endif
diff --git a/tpws/params.h b/tpws/params.h
index 52022d8..67a357b 100644
--- a/tpws/params.h
+++ b/tpws/params.h
@@ -18,7 +18,7 @@
 #define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT 3
 #define HOSTLIST_AUTO_FAIL_TIME_DEFAULT 60
-#define FIX_SEG_DEFAULT_MAX_WAIT 30
+#define FIX_SEG_DEFAULT_MAX_WAIT 50
 enum bindll { unwanted=0, no, prefer, force };
From fef64e884952568f851cbe6a0c2b3390f5336cc5 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Sat, 14 Dec 2024 14:35:04 +0300
Subject: [PATCH 38/49] nfqws: unify profile debug messages
---
 nfq/nfqws.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index 07921e8..b82dd9c 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
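Review bot: The new linux_compat.h has no include guard or `#pragma once` — only the `#ifdef __linux__` wrapper is visible — so including it twice in one translation unit would redefine `struct tcp_info_new` and `union my_tcp_info`; wrapping the file in `#ifndef LINUX_COMPAT_H` / `#define LINUX_COMPAT_H` / `#endif` fixes that before the later patches start including it from three source files. `union my_tcp_info.ti_native` is never referenced by the helpers.c changes in this patch (only `.ti` is), so the union only enlarges the `sizeof(tcpi)` passed to getsockopt; the "simplify tcp_info compat code" patch further down this page removes it. Because socket_has_notsent derives field offsets from this copy, a comment at the top naming the kernel header version the layout was taken from would tell a maintainer when it needs re-syncing.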
@@ -2267,9 +2267,9 @@ int main(int argc, char **argv) if (dp->desync_ttl6 == 0xFF) dp->desync_ttl6=dp->desync_ttl; if (!AUTOTTL_ENABLED(dp->desync_autottl6)) dp->desync_autottl6 = dp->desync_autottl; if (AUTOTTL_ENABLED(dp->desync_autottl)) - DLOG("[profile %d] autottl ipv4 %u:%u-%u\n",dp->n,dp->desync_autottl.delta,dp->desync_autottl.min,dp->desync_autottl.max); + DLOG("profile %d autottl ipv4 %u:%u-%u\n",dp->n,dp->desync_autottl.delta,dp->desync_autottl.min,dp->desync_autottl.max); if (AUTOTTL_ENABLED(dp->desync_autottl6)) - DLOG("[profile %d] autottl ipv6 %u:%u-%u\n",dp->n,dp->desync_autottl6.delta,dp->desync_autottl6.min,dp->desync_autottl6.max); + DLOG("profile %d autottl ipv6 %u:%u-%u\n",dp->n,dp->desync_autottl6.delta,dp->desync_autottl6.min,dp->desync_autottl6.max); split_compat(dp); #ifndef __CYGWIN__ if (params.droproot && dp->hostlist_auto && chown(dp->hostlist_auto->filename, params.uid, -1)) From 2be5f1221a16ee9eb8f0355bf270f3a9258cee4d Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 14 Dec 2024 17:00:26 +0300 Subject: [PATCH 39/49] tpws: simplify tcp_info compat code --- tpws/helpers.c | 12 ++++++------ tpws/linux_compat.h | 6 ------ 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/tpws/helpers.c b/tpws/helpers.c index 3ee8fd1..c1b17bf 100644 --- a/tpws/helpers.c +++ b/tpws/helpers.c @@ -478,7 +478,7 @@ void msleep(unsigned int ms) bool socket_supports_notsent() { int sfd; - union my_tcp_info tcpi; + struct tcp_info_new tcpi; sfd = socket(AF_INET,SOCK_STREAM,0); if (sfd<0) return false; 
@@ -491,22 +491,22 @@ bool socket_supports_notsent() } close(sfd); - return ts>=((char *)&tcpi.ti.tcpi_notsent_bytes - (char *)&tcpi.ti + sizeof(tcpi.ti.tcpi_notsent_bytes)); + return ts>=((char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi + sizeof(tcpi.tcpi_notsent_bytes)); } bool socket_has_notsent(int sfd) { - union my_tcp_info tcpi; + struct tcp_info_new tcpi; socklen_t ts = sizeof(tcpi); if (getsockopt(sfd, IPPROTO_TCP, TCP_INFO, (char *)&tcpi, &ts) < 0) return false; - if (tcpi.ti.tcpi_state != 1) // TCP_ESTABLISHED + if (tcpi.tcpi_state != 1) // TCP_ESTABLISHED return false; - size_t s = (char *)&tcpi.ti.tcpi_notsent_bytes - (char *)&tcpi.ti + sizeof(tcpi.ti.tcpi_notsent_bytes); + size_t s = (char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi + sizeof(tcpi.tcpi_notsent_bytes); if (ts < s) // old structure version return false; - return !!tcpi.ti.tcpi_notsent_bytes; + return !!tcpi.tcpi_notsent_bytes; } bool socket_wait_notsent(int sfd, unsigned int delay_ms, unsigned int *wasted_ms) { diff --git a/tpws/linux_compat.h b/tpws/linux_compat.h index e06114e..8936c49 100644 --- a/tpws/linux_compat.h +++ b/tpws/linux_compat.h @@ -96,10 +96,4 @@ struct tcp_info_new { */ }; -union my_tcp_info -{ - struct tcp_info ti_native; - struct tcp_info_new ti; -}; - #endif From 499f9824ab4e7cbd5bb9d5abfad2c452956a7bef Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 14 Dec 2024 20:36:56 +0300 Subject: [PATCH 40/49] tpws: more compats --- tpws/helpers.c | 3 +++ tpws/linux_compat.h | 10 +++++++++- tpws/redirect.c | 4 +--- tpws/tpws_conn.c | 1 + 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/tpws/helpers.c b/tpws/helpers.c index c1b17bf..8d71403 100644 --- a/tpws/helpers.c +++ b/tpws/helpers.c @@ -19,6 +19,9 @@ #endif #include "helpers.h" +#ifdef __linux__ +#include +#endif #include "linux_compat.h" int unique_size_t(size_t *pu, int ct) diff --git a/tpws/linux_compat.h b/tpws/linux_compat.h index 8936c49..5695292 100644 --- a/tpws/linux_compat.h 
+++ b/tpws/linux_compat.h @@ -1,6 +1,14 @@ #ifdef __linux__ -#include +#include + +#ifndef TCP_USER_TIMEOUT +#define TCP_USER_TIMEOUT 18 +#endif + +#ifndef IP6T_SO_ORIGINAL_DST + #define IP6T_SO_ORIGINAL_DST 80 +#endif // workaround for old headers diff --git a/tpws/redirect.c b/tpws/redirect.c index ecfc8b2..58491ec 100644 --- a/tpws/redirect.c +++ b/tpws/redirect.c @@ -9,12 +9,10 @@ #include "params.h" #include "helpers.h" +#include "linux_compat.h" #ifdef __linux__ #include - #ifndef IP6T_SO_ORIGINAL_DST - #define IP6T_SO_ORIGINAL_DST 80 - #endif #endif diff --git a/tpws/tpws_conn.c b/tpws/tpws_conn.c index 5c54ebd..b4056ee 100644 --- a/tpws/tpws_conn.c +++ b/tpws/tpws_conn.c @@ -23,6 +23,7 @@ #include "socks.h" #include "helpers.h" #include "hostlist.h" +#include "linux_compat.h" // keep separate legs counter. counting every time thousands of legs can consume cpu static int legs_local, legs_remote; From 49385b6e576f4c230bb4cf530bb5b7b0249951ca Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 15 Dec 2024 12:59:04 +0300 Subject: [PATCH 41/49] tpws: more compats --- tpws/linux_compat.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tpws/linux_compat.h b/tpws/linux_compat.h index 5695292..d706ebf 100644 --- a/tpws/linux_compat.h +++ b/tpws/linux_compat.h @@ -10,6 +10,10 @@ #define IP6T_SO_ORIGINAL_DST 80 #endif +#ifndef PR_SET_NO_NEW_PRIVS + #define PR_SET_NO_NEW_PRIVS 38 +#endif + // workaround for old headers struct tcp_info_new { From ead91ae4f7342c9b89005d7c5adc03d94b0b794f Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 15 Dec 2024 13:50:16 +0300 Subject: [PATCH 42/49] dvtws: openbsd build fix --- nfq/nfqws.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/nfq/nfqws.c b/nfq/nfqws.c index b82dd9c..965893f 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -325,8 +325,6 @@ static int dvt_main(void) goto exiterr; } fdct++; - if (!set_socket_buffers(fd[1],Q_RCVBUF,Q_SNDBUF)) - goto exiterr; } #endif fdmax = (fd[0]>fd[1] ? fd[0] : fd[1]) + 1; 
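Review bot: In the redirect.c hunk, `#include "linux_compat.h"` is placed above the `#ifdef __linux__` system include, so the `#ifndef IP6T_SO_ORIGINAL_DST` fallback is evaluated before the system header has had a chance to define the macro; the helpers.c hunk in the same patch uses the opposite order (system header first, then linux_compat.h), which is the order that lets the fallback apply only when the header lacks the value. With identical replacement text a second `#define` is accepted by the preprocessor, so this compiles today, but the two files should agree on the order, or the compat header should pull in the system header itself so the order no longer matters. The fallback values (`TCP_USER_TIMEOUT 18`, `IP6T_SO_ORIGINAL_DST 80`, and `PR_SET_NO_NEW_PRIVS 38` in the next patch) match the Linux UAPI definitions.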
From d4a72df111b4a9c96e88bae4c63664397d44fce3 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 15 Dec 2024 13:50:48 +0300 Subject: [PATCH 43/49] makefiles: LDFLAGS after LIBS --- ip2net/Makefile | 10 +++++----- mdig/Makefile | 12 ++++++------ nfq/BSDmakefile | 2 +- nfq/Makefile | 12 ++++++------ tpws/BSDmakefile | 2 +- tpws/Makefile | 10 +++++----- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/ip2net/Makefile b/ip2net/Makefile index 5893f58..43c44ea 100644 --- a/ip2net/Makefile +++ b/ip2net/Makefile @@ -9,22 +9,22 @@ SRC_FILES = ip2net.c qsort.c all: ip2net ip2net: $(SRC_FILES) - $(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS) + $(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS) android: ip2net bsd: $(SRC_FILES) - $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS) + $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS) mac: $(SRC_FILES) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS) $(LDFLAGS) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS) $(LDFLAGS) strip ip2neta ip2netx lipo -create -output ip2net ip2netx ip2neta rm -f ip2netx ip2neta win: $(SRC_FILES) - $(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN) + $(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS) clean: rm -f ip2net *.o diff --git a/mdig/Makefile b/mdig/Makefile index ae2137a..556fd83 100644 --- a/mdig/Makefile +++ b/mdig/Makefile 
@@ -10,23 +10,23 @@ SRC_FILES = *.c all: mdig mdig: $(SRC_FILES) - $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS) + $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS) android: $(SRC_FILES) - $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_ANDROID) + $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS) bsd: $(SRC_FILES) - $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS) + $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS) mac: $(SRC_FILES) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS) strip mdiga mdigx lipo -create -output mdig mdigx mdiga rm -f mdigx mdiga win: $(SRC_FILES) - $(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN) + $(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS) clean: rm -f mdig *.o diff --git a/nfq/BSDmakefile b/nfq/BSDmakefile index 8c611c0..156311e 100644 --- a/nfq/BSDmakefile +++ b/nfq/BSDmakefile @@ -6,7 +6,7 @@ SRC_FILES = *.c crypto/*.c all: dvtws dvtws: $(SRC_FILES) - $(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS) + $(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LIBS) $(LDFLAGS) clean: rm -f dvtws diff --git a/nfq/Makefile b/nfq/Makefile index d3de736..52f95ba 100644 --- a/nfq/Makefile +++ b/nfq/Makefile 
@@ -14,24 +14,24 @@ SRC_FILES = *.c crypto/*.c all: nfqws nfqws: $(SRC_FILES) - $(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LDFLAGS) $(LIBS_LINUX) + $(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS) android: nfqws bsd: $(SRC_FILES) - $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS_BSD) + $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LIBS_BSD) $(LDFLAGS) mac: $(SRC_FILES) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS) strip dvtwsa dvtwsx lipo -create -output dvtws dvtwsx dvtwsa rm -f dvtwsx dvtwsa cygwin64: - $(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) + $(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) $(LDFLAGS) cygwin32: - $(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) + $(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) $(LDFLAGS) cygwin: cygwin64 clean: diff --git a/tpws/BSDmakefile b/tpws/BSDmakefile index 922ca61..3f6b2cf 100644 --- a/tpws/BSDmakefile +++ b/tpws/BSDmakefile @@ -6,7 +6,7 @@ SRC_FILES = *.c all: tpws tpws: $(SRC_FILES) - $(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS) + $(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS) clean: rm -f tpws *.o diff --git a/tpws/Makefile b/tpws/Makefile index 3d6624d..9210a63 100644 --- a/tpws/Makefile +++ b/tpws/Makefile 
@@ -9,17 +9,17 @@ SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c all: tpws tpws: $(SRC_FILES) - $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LDFLAGS) $(LIBS) + $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS) android: $(SRC_FILES) - $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LDFLAGS) $(LIBS_ANDROID) + $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS) bsd: $(SRC_FILES) - $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS) + $(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS) mac: $(SRC_FILES) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS) - $(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS) + $(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS) strip tpwsa tpwsx lipo -create -output tpws tpwsx tpwsa rm -f tpwsx tpwsa From 9ab9aef32b5b1f4ffc02f42a08e76842286f4c41 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 15 Dec 2024 16:22:05 +0300 Subject: [PATCH 44/49] install_bin: lexra --- install_bin.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install_bin.sh b/install_bin.sh index 6e4ba24..6eb8ebf 100755 --- a/install_bin.sh +++ b/install_bin.sh @@ -56,7 +56,7 @@ UNAME=$(uname) unset PKTWS case $UNAME in Linux) - ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc" + ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb lexra ppc" PKTWS=nfqws ;; Darwin) 
From 578d6d6db84c72628e63fe48745ca76c6366113d Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 15 Dec 2024 16:22:15 +0300 Subject: [PATCH 45/49] github: lexra --- .github/workflows/build.yml | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 54ecfef..8a62737 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,9 @@ jobs: fail-fast: false matrix: include: + - arch: lexra + tool: mips-linux + dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001 - arch: arm64 tool: aarch64-unknown-linux-musl - arch: arm @@ -61,12 +64,21 @@ jobs: - name: Set up build tools env: REPO: 'spvkgn/musl-cross' + REPO_LEXRA: 'bol-van/build' + ARCH: ${{ matrix.arch }} TOOL: ${{ matrix.tool }} + DIR: ${{ matrix.dir }} run: | - sudo apt update -qq && sudo apt install -y libcap-dev + DIR=${DIR:-$TOOL} + [ "$ARCH" = lexra ] && sudo dpkg --add-architecture i386 + sudo apt update -qq + sudo apt install -y libcap-dev + [ "$ARCH" = lexra ] && sudo apt install -y libc6:i386 zlib1g:i386 mkdir -p $HOME/tools - wget -qO- https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz | tar -C $HOME/tools -xJ || exit 1 - [ -d "$HOME/tools/$TOOL/bin" ] && echo "$HOME/tools/$TOOL/bin" >> $GITHUB_PATH + URL=https://github.com/$REPO/releases/download/latest/$DIR.tar.xz + [ "$ARCH" = lexra ] && URL=https://github.com/$REPO_LEXRA/raw/refs/heads/master/$DIR.txz + wget -qO- $URL | tar -C $HOME/tools -xJ || exit 1 + [ -d "$HOME/tools/$DIR/bin" ] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH - name: Build env: @@ -81,6 +93,10 @@ jobs: export NM=$TARGET-nm export STRIP=$TARGET-strip export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig + export STAGING_DIR=/tmp + LDFLAGS= + [ "$ARCH" = lexra ] && LDFLAGS=-lgcc_eh + export LDFLAGS # netfilter libs wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj 
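Review bot: The lexra toolchain is fetched from `https://github.com/$REPO_LEXRA/raw/refs/heads/master/$DIR.txz`, a mutable branch ref, and piped straight into `tar` onto the PATH used to build every published binary, with no checksum or signature verification; the existing musl-cross fetch from `releases/download/latest` is equally mutable, and the same pattern survives in the rewritten step of the "github: optimize" patch further down. Any change to either upstream, or a compromised account behind it, would silently alter the release binaries of a project that installs init.d scripts and nftables rules, i.e. normally runs as root. Pin both sources to an immutable commit SHA or release tag and verify a recorded digest before extracting, e.g. download to a file and run `echo "<EXPECTED_SHA256>  $DIR.txz" | sha256sum -c` (placeholder digest) before `tar -xJ`. The `[ "$ARCH" = lexra ] && ...` lines are fine under the runner's `bash -e` only because none of them is the last command of the step; a short comment noting that would help whoever reorders the script next.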
@@ -114,7 +130,7 @@ jobs: # zapret CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include" \ - LDFLAGS="-L$DEPS_DIR/lib" \ + LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \ make -C zapret -j$(nproc) tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz . @@ -390,7 +406,7 @@ jobs: if [[ $dir == *-linux-x86_64 ]]; then tar -C $dir -czvf $dir/tpws_wsl.tgz tpws run_upx $dir/* - elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]]; then + elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then run_upx $dir/* fi ;; @@ -422,6 +438,7 @@ jobs: *-linux-ppc ) run_dir ppc ;; *-linux-x86 ) run_dir x86 ;; *-linux-x86_64 ) run_dir x86_64 ;; + *-linux-lexra ) run_dir lexra ;; *-mac-x64 ) run_dir mac64 ;; *-win-x86 ) run_dir win32 ;; *-win-x86_64 ) run_dir win64 ;; From 9c8636081c413dcc08ea6ce8eb33a36798908a8e Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 15 Dec 2024 16:23:44 +0300 Subject: [PATCH 46/49] update docs --- docs/changes.txt | 5 +++++ docs/readme.en.md | 2 +- docs/readme.md | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index e374bf9..4427958 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -429,3 +429,8 @@ v69.7 nfqws,tpws: --comment nfqws: trash flood warning winws: exclude empty outgoing ack packets in windivert filter + +v69.8 + +winws: accept empty outgoing RST and FIN packets for conntrack needs +repo: lexra build diff --git a/docs/readme.en.md b/docs/readme.en.md index 10072cc..f9d0a9a 100644 --- a/docs/readme.en.md +++ b/docs/readme.en.md @@ -1,4 +1,4 @@ -# zapret v69.7 +# zapret v69.8 # SCAMMER WARNING diff --git a/docs/readme.md b/docs/readme.md index b6354bd..c0d3236 100644 --- a/docs/readme.md +++ b/docs/readme.md @@ -1,4 +1,4 @@ -# zapret v69.7 +# zapret v69.8 # ВНИМАНИЕ, остерегайтесь мошенников From 63fbf2857cd836aa0592ce86cd6a76e985fa160f Mon Sep 17 00:00:00 2001 
From: bol-van Date: Mon, 16 Dec 2024 19:59:50 +0300 Subject: [PATCH 47/49] nft.sh remove no more working hardware offload support test --- common/nft.sh | 42 +++++++++--------------------------------- 1 file changed, 9 insertions(+), 33 deletions(-) diff --git a/common/nft.sh b/common/nft.sh index 0f029ff..391a091 100644 --- a/common/nft.sh +++ b/common/nft.sh @@ -263,28 +263,6 @@ nft_add_flow_offload_exemption() [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\" } -nft_hw_offload_supported() -{ - # $1,$2,... - interface names - local devices res=1 - make_quoted_comma_list devices "$@" - [ -n "$devices" ] && devices="devices={$devices};" - nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0 - nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null - return $res -} - -nft_hw_offload_find_supported() -{ - # $1,$2,... - interface names - local supported_list - while [ -n "$1" ]; do - nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1" - shift - done - echo $supported_list -} - nft_apply_flow_offloading() { # ft can be absent 
@@ -370,17 +348,15 @@ flush set inet $ZAPRET_NFT_TABLE lanif" nft_create_or_update_flowtable 'offload' 2>/dev/null # then add elements. some of them can cause error because unsupported for i in $ALLDEVS; do - if nft_hw_offload_supported $i; then - nft_create_or_update_flowtable 'offload' $i - else - # bridge members must be added instead of the bridge itself - # some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not - devs=$(resolve_lower_devices $i) - for j in $devs; do - # do not display error if addition failed - nft_create_or_update_flowtable 'offload' $j 2>/dev/null - done - fi + # first try to add interface itself + nft_create_or_update_flowtable 'offload' $i 2>/dev/null + # bridge members must be added instead of the bridge itself + # some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not + devs=$(resolve_lower_devices $i) + for j in $devs; do + # do not display error if addition failed + nft_create_or_update_flowtable 'offload' $j 2>/dev/null + done done ;; esac From 647ee11917f908f5ae8f9c31b51b4a2b181521e3 Mon Sep 17 00:00:00 2001 From: spvkgn Date: Tue, 17 Dec 2024 10:02:29 +0500 Subject: [PATCH 48/49] github: optimize --- .github/workflows/build.yml | 39 ++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8a62737..2e97860 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,9 +22,6 @@ jobs: fail-fast: false matrix: include: - - arch: lexra - tool: mips-linux - dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001 - arch: arm64 tool: aarch64-unknown-linux-musl - arch: arm 
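Review bot: The retained comment `# bridge members must be added instead of the bridge itself` now contradicts the code immediately above it, which always adds `$i` first and then its lower devices as well; suggest `# bridge members are added in addition to the bridge itself, because some of them may not support hw offload`. Both attempts now redirect stderr to /dev/null unconditionally, so a genuinely malformed flowtable update (as opposed to an unsupported device) is silent where the old supported path reported it; if the script has a verbose or debug mode, echoing the device name on failure there would keep that diagnostic. `devs` and `j` are assigned without `local` in the hunk, and the enclosing function starts before and ends after it, so check that they are declared local elsewhere.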
@@ -55,6 +52,12 @@ jobs: tool: i586-unknown-linux-musl - arch: x86_64 tool: x86_64-unknown-linux-musl + - arch: lexra + tool: mips-linux + dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001 + env: + LDFLAGS: '-lgcc_eh' + repo: 'bol-van/build' steps: - name: Checkout uses: actions/checkout@v4 @@ -63,27 +66,30 @@ jobs: - name: Set up build tools env: - REPO: 'spvkgn/musl-cross' - REPO_LEXRA: 'bol-van/build' + REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }} ARCH: ${{ matrix.arch }} TOOL: ${{ matrix.tool }} - DIR: ${{ matrix.dir }} + DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }} run: | - DIR=${DIR:-$TOOL} - [ "$ARCH" = lexra ] && sudo dpkg --add-architecture i386 - sudo apt update -qq - sudo apt install -y libcap-dev - [ "$ARCH" = lexra ] && sudo apt install -y libc6:i386 zlib1g:i386 + if [[ "$ARCH" == lexra ]]; then + sudo dpkg --add-architecture i386 + sudo apt update -qq + sudo apt install -y libcap-dev libc6:i386 zlib1g:i386 + URL=https://github.com/$REPO/raw/refs/heads/master/$DIR.txz + else + sudo apt update -qq + sudo apt install -y libcap-dev + URL=https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz + fi mkdir -p $HOME/tools - URL=https://github.com/$REPO/releases/download/latest/$DIR.tar.xz - [ "$ARCH" = lexra ] && URL=https://github.com/$REPO_LEXRA/raw/refs/heads/master/$DIR.txz wget -qO- $URL | tar -C $HOME/tools -xJ || exit 1 - [ -d "$HOME/tools/$DIR/bin" ] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH + [[ -d "$HOME/tools/$DIR/bin" ]] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH - name: Build env: ARCH: ${{ matrix.arch }} TARGET: ${{ matrix.tool }} + LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | DEPS_DIR=$GITHUB_WORKSPACE/deps 
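Review bot: The matrix entry adds a key literally named `env:` (holding `LDFLAGS`), which reads like the workflow-level `env` keyword at a glance but is just a matrix value consumed as `matrix.env.LDFLAGS`; a less overloaded name such as `extra_ldflags` would avoid the confusion, or at least a comment `# per-arch extra linker flags, read via matrix.env.LDFLAGS in the Build step`. The Build step's `LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }}` relies on the key being absent for every non-lexra entry, which the expression handles but nothing documents; a trailing comment `# null for arches without matrix.env` would make the intent explicit. In the lexra branch the `dpkg --add-architecture i386` must run before `apt update`, which the new ordering preserves; a one-line comment stating that dependency would protect it during the next "optimize" pass.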
@@ -93,10 +99,7 @@ jobs: export NM=$TARGET-nm export STRIP=$TARGET-strip export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig - export STAGING_DIR=/tmp - LDFLAGS= - [ "$ARCH" = lexra ] && LDFLAGS=-lgcc_eh - export LDFLAGS + export STAGING_DIR=$RUNNER_TEMP # netfilter libs wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj From 202b7224fbb311306dad17dd09220c5cc54eb3c2 Mon Sep 17 00:00:00 2001 From: spvkgn Date: Wed, 18 Dec 2024 09:52:58 +0500 Subject: [PATCH 49/49] github: set target to RX5281 for lexra --- .github/workflows/build.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2e97860..02d38ae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -56,6 +56,7 @@ jobs: tool: mips-linux dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001 env: + CFLAGS: '-march=5281' LDFLAGS: '-lgcc_eh' repo: 'bol-van/build' steps: @@ -66,9 +67,9 @@ jobs: - name: Set up build tools env: - REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }} ARCH: ${{ matrix.arch }} TOOL: ${{ matrix.tool }} + REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }} DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }} run: | if [[ "$ARCH" == lexra ]]; then @@ -89,6 +90,7 @@ jobs: env: ARCH: ${{ matrix.arch }} TARGET: ${{ matrix.tool }} + CFLAGS: ${{ matrix.env.CFLAGS != '' && matrix.env.CFLAGS || null }} LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | @@ -109,7 +111,7 @@ jobs: for i in libmnl libnfnetlink libnetfilter_queue ; do ( cd $i-* - CFLAGS="-Os -flto=auto" \ + CFLAGS="-Os -flto=auto $CFLAGS" \ ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking make install -j$(nproc) DESTDIR=$DEPS_DIR ) 
@@ -121,7 +123,7 @@ jobs: xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz ( cd zlib-* - CFLAGS="-Os -flto=auto" \ + CFLAGS="-Os -flto=auto $CFLAGS" \ ./configure --prefix= --static make install -j$(nproc) DESTDIR=$DEPS_DIR ) @@ -132,7 +134,7 @@ jobs: install -Dm644 -t $DEPS_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h # zapret - CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include" \ + CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \ LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \ make -C zapret -j$(nproc) tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz .
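Review bot: The rewritten `CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} ... $CFLAGS"` line still expands `github.ref_name` into the shell script at template time, so a ref name containing quotes or `$(...)` would be interpreted by the runner shell rather than passed as data; whether untrusted refs can trigger this workflow is decided by the `on:` block outside the hunk, so the exposure is unclear from here. The defensive form is to pass the values through the step's `env:` (`GH_VER: ${{ github.ref_name }}`) and reference `-DZAPRET_GH_VER=$GH_VER` in the script. The `$CFLAGS` appended here and in the zlib and netfilter configure lines is populated only by the lexra matrix entry; a comment on that entry such as `# Lexra RX5281 core: toolchain needs -march=5281` would explain the magic number at its source.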