Merge branch 'bol-van:master' into master

.github/workflows/build.yml

@@ -52,6 +52,13 @@ jobs:
           #   tool: i586-unknown-linux-musl
           - arch: x86_64
             tool: x86_64-unknown-linux-musl
+          - arch: lexra
+            tool: mips-linux
+            dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001
+            env:
+              CFLAGS: '-march=5281'
+              LDFLAGS: '-lgcc_eh'
+            repo: 'bol-van/build'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -60,18 +67,31 @@ jobs:
 
       - name: Set up build tools
         env:
-          REPO: 'spvkgn/musl-cross'
+          ARCH: ${{ matrix.arch }}
           TOOL: ${{ matrix.tool }}
+          REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }}
+          DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }}
         run: |
-          sudo apt update -qq && sudo apt install -y libcap-dev
+          if [[ "$ARCH" == lexra ]]; then
+            sudo dpkg --add-architecture i386
+            sudo apt update -qq
+            sudo apt install -y libcap-dev libc6:i386 zlib1g:i386
+            URL=https://github.com/$REPO/raw/refs/heads/master/$DIR.txz
+          else
+            sudo apt update -qq
+            sudo apt install -y libcap-dev
+            URL=https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz
+          fi
           mkdir -p $HOME/tools
-          wget -qO- https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz | tar -C $HOME/tools -xJ || exit 1
+          wget -qO- $URL | tar -C $HOME/tools -xJ || exit 1
-          [ -d "$HOME/tools/$TOOL/bin" ] && echo "$HOME/tools/$TOOL/bin" >> $GITHUB_PATH
+          [[ -d "$HOME/tools/$DIR/bin" ]] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH
 
       - name: Build
         env:
           ARCH: ${{ matrix.arch }}
           TARGET: ${{ matrix.tool }}
+          CFLAGS: ${{ matrix.env.CFLAGS != '' && matrix.env.CFLAGS || null }}
+          LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           DEPS_DIR=$GITHUB_WORKSPACE/deps
@@ -81,6 +101,7 @@ jobs:
           export NM=$TARGET-nm
           export STRIP=$TARGET-strip
           export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
+          export STAGING_DIR=$RUNNER_TEMP
 
           # netfilter libs
           wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
@@ -90,7 +111,7 @@ jobs:
           for i in libmnl libnfnetlink libnetfilter_queue ; do
             (
               cd $i-*
-              CFLAGS="-Os -flto=auto" \
+              CFLAGS="-Os -flto=auto $CFLAGS" \
               ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
               make install -j$(nproc) DESTDIR=$DEPS_DIR
             )
@@ -102,7 +123,7 @@ jobs:
             xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz
           (
             cd zlib-*
-            CFLAGS="-Os -flto=auto" \
+            CFLAGS="-Os -flto=auto $CFLAGS" \
             ./configure --prefix= --static
             make install -j$(nproc) DESTDIR=$DEPS_DIR
           )
@@ -113,8 +134,8 @@ jobs:
           install -Dm644 -t $DEPS_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h
 
           # zapret
-          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
-          LDFLAGS="-L$DEPS_DIR/lib" \
+          LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
           make -C zapret -j$(nproc)
           tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz .
 
@@ -390,7 +411,7 @@ jobs:
                   if [[ $dir == *-linux-x86_64 ]]; then
                     tar -C $dir -czvf $dir/tpws_wsl.tgz tpws
                     run_upx $dir/*
-                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]]; then
+                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
                     run_upx $dir/*
                   fi
                   ;;
@@ -422,6 +443,7 @@ jobs:
                 *-linux-ppc )           run_dir ppc ;;
                 *-linux-x86 )           run_dir x86 ;;
                 *-linux-x86_64 )        run_dir x86_64 ;;
+                *-linux-lexra )         run_dir lexra ;;
                 *-mac-x64 )             run_dir mac64 ;;
                 *-win-x86 )             run_dir win32 ;;
                 *-win-x86_64 )          run_dir win64 ;;

blockcheck.sh

@@ -212,7 +212,7 @@ doh_resolve()
 	# $1 - ip version 4/6
 	# $2 - hostname
 	# $3 - doh server URL. use $DOH_SERVER if empty
-	$MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+	$MDIG --family=$1 --dns-make-query=$2 | $CURL -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
 }
 doh_find_working()
 {

common/custom.sh

@@ -3,6 +3,8 @@ custom_runner()
 	# $1 - function name
 	# $2+ - params
 
+	[ "$DISABLE_CUSTOM" = 1 ] && return 0
+
 	local n script FUNC=$1
 
 	shift

common/ipt.sh

@@ -349,27 +349,37 @@ ipt_do_nfqws_in_out()
 	}
 }
 
-zapret_do_firewall_standard_rules_ipt()
+zapret_do_firewall_standard_tpws_rules_ipt()
 {
 	# $1 - 1 - add, 0 - del
 
 	local f4 f6
 
-	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
-	{
 		f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
 		fw_tpws $1 "$f4" "$f6" $TPPORT
 	}
-	[ "$NFQWS_ENABLE" = 1 ] &&
+}
-	{
+zapret_do_firewall_standard_nfqws_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	[ "$NFQWS_ENABLE" = 1 ] && {
 		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
 		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN"
 		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
 		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN"
 	}
 }
+zapret_do_firewall_standard_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	zapret_do_firewall_standard_tpws_rules_ipt $1
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
 
 zapret_do_firewall_rules_ipt()
 {

common/linux_daemons.sh

@@ -0,0 +1,55 @@
+standard_mode_tpws_socks()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
+		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws_socks $1 2 "$opt"
+	}
+}
+standard_mode_tpws()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws $1 1 "$opt"
+	}
+}
+standard_mode_nfqws()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
+		opt="--qnum=$QNUM $NFQWS_OPT"
+		filter_apply_hostlist_target opt
+		do_nfqws $1 3 "$opt"
+	}
+}
+standard_mode_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_tpws_socks $1
+	standard_mode_tpws $1
+	standard_mode_nfqws $1
+}
+zapret_do_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_daemons $1
+	custom_runner zapret_custom_daemons $1
+
+	return 0
+}
+zapret_run_daemons()
+{
+	zapret_do_daemons 1 "$@"
+}
+zapret_stop_daemons()
+{
+	zapret_do_daemons 0 "$@"
+}

common/nft.sh

@@ -263,28 +263,6 @@ nft_add_flow_offload_exemption()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
 }
 
-nft_hw_offload_supported()
-{
-	# $1,$2,... - interface names
-	local devices res=1
-	make_quoted_comma_list devices "$@"
-	[ -n "$devices" ] && devices="devices={$devices};"
-	nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
-	nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
-	return $res
-}
-
-nft_hw_offload_find_supported()
-{
-	# $1,$2,... - interface names
-	local supported_list
-	while [ -n "$1" ]; do
-		nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
-		shift
-	done
-	echo $supported_list
-}
-
 nft_apply_flow_offloading()
 {
 	# ft can be absent
@@ -370,17 +348,15 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
 			nft_create_or_update_flowtable 'offload' 2>/dev/null
 			# then add elements. some of them can cause error because unsupported
 			for i in $ALLDEVS; do
-				if nft_hw_offload_supported $i; then
+				# first try to add interface itself
-					nft_create_or_update_flowtable 'offload' $i
+				nft_create_or_update_flowtable 'offload' $i 2>/dev/null
-				else
+				# bridge members must be added instead of the bridge itself
-					# bridge members must be added instead of the bridge itself
+				# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
-					# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
+				devs=$(resolve_lower_devices $i)
-					devs=$(resolve_lower_devices $i)
+				for j in $devs; do
-					for j in $devs; do
+					# do not display error if addition failed
-						# do not display error if addition failed
+					nft_create_or_update_flowtable 'offload' $j 2>/dev/null
-						nft_create_or_update_flowtable 'offload' $j 2>/dev/null
+				done
-					done
-				fi
 			done
 			;;
 	esac
@@ -640,25 +616,31 @@ nft_apply_nfqws_in_out()
 	}
 }
 
-zapret_apply_firewall_standard_rules_nft()
+zapret_apply_firewall_standard_tpws_rules_nft()
 {
 	local f4 f6
 
-	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
-	{
 		f4="tcp dport {$TPWS_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
 		nft_fw_tpws "$f4" "$f6" $TPPORT
 	}
-	[ "$NFQWS_ENABLE" = 1 ] &&
+}
-	{
+zapret_apply_firewall_standard_nfqws_rules_nft()
+{
+	[ "$NFQWS_ENABLE" = 1 ] && {
 		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
 		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN"
 		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
 		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN"
 	}
 }
+zapret_apply_firewall_standard_rules_nft()
+{
+	zapret_apply_firewall_standard_tpws_rules_nft
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}
 
 zapret_apply_firewall_rules_nft()
 {

docs/changes.txt

@@ -417,3 +417,20 @@ v69.5
 
 nfqws,tpws: --dry-run
 install_easy: check tpws and nfqws options validity
+
+v69.6
+
+nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
+init.d: unify custom scripts for linux
+init.d: new custom scripts : 20-fw-extra, 50-wg4all
+
+v69.7
+
+nfqws,tpws: --comment
+nfqws: trash flood warning
+winws: exclude empty outgoing ack packets in windivert filter
+
+v69.8
+
+winws: accept empty outgoing RST and FIN packets for conntrack needs
+repo: lexra build

docs/quick_start.md

@@ -158,7 +158,7 @@
    >
    > Далее, имея понимание что работает на http, https, quic нужно
    > сконструировать параметры запуска `tpws` и/или `nfqws` с использованием
-   > мультистратегии. Как работают мультистратегии описано в readme.txt.
+   > мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
    >
    > Если кратко, то обычно параметры конструируются так:
    > ```sh

docs/quick_start_windows.md

@@ -59,7 +59,7 @@ _"Совсем ничего не могу, все очень сложно, да
 
 1) Скачайте и распакуйте архив https://github.com/bol-van/zapret-win-bundle/archive/refs/heads/master.zip.
 
-2) Если у вас Windows 7 x64, читайте [docs/windows.md](./windows.md). Без описанной там подготовки может не работать.
+2) Если у вас Windows 7 x64, однократно запустите `win7/install_win7.cmd`. Батник заменит файлы windivert на совместимую с Windows 7 версию.
 
 > [!WARNING]  
 > Для 32-битных систем Windows нет готового полного варианта.
@@ -123,7 +123,7 @@ blockcheck перейдет в этом случае на **DoH** _(DNS over HTT
    > она стабильна, на третьих полный хаос, и проще отказаться.
    >
    > Далее, имея понимание что работает на http, https, quic, нужно сконструировать параметры запуска winws
-   > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md).
+   > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
    >
    > Прежде всего вам нужно собрать фильтр перехватываемого трафика. Это делается через параметры
    > `--wf-l3`, `--wf-tcp`, `--wf-udp`.

docs/readme.en.md

@@ -1,4 +1,4 @@
-# zapret v69.5
+# zapret v69.8
 
 # SCAMMER WARNING
 
@@ -132,6 +132,7 @@ nfqws takes the following parameters:
 
  --debug=0|1
  --dry-run                                      ; verify parameters and exit with code 0 if successful
+ --comment                                      ; any text (ignored)
  --qnum=<nfqueue_number>
  --daemon                                       ; daemonize
  --pidfile=<filename>                           ; write pid to file

docs/readme.md

@@ -1,4 +1,4 @@
-# zapret v69.5
+# zapret v69.8
 
 # ВНИМАНИЕ, остерегайтесь мошенников
 
@@ -163,6 +163,7 @@ dvtws, собираемый из тех же исходников (см. [док
 
 --debug=0|1                                        ; 1=выводить отладочные сообщения
 --dry-run                                          ; проверить опции командной строки и выйти. код 0 - успешная проверка.
+--comment                                          ; любой текст (игнорируется)
 --daemon                                           ; демонизировать прогу
 --pidfile=<file>                                   ; сохранить PID в файл
 --user=<username>                                  ; менять uid процесса
@@ -1866,8 +1867,9 @@ custom скрипты - это маленькие shell программы, уп
 /opt/zapret/init.d/macos/custom.d
 ```
 Директория будет просканирована в алфавитном порядке, и каждый скрипт будет применен.
-Рядом имеется `custom.d.examples`. Это готовые скрипты, которые можно копировать в `custom.d`.
+
-Их можно взять за основу для написания собственных.
+В `init.d` имеется `custom.d.examples.linux`, в `init.d/macos` - `custom.d.examples`.
+Это готовые скрипты, которые можно копировать в `custom.d`. Их можно взять за основу для написания собственных.
 
 ***Для linux пишется код в функции***
 ```
@@ -1885,9 +1887,9 @@ zapret_custom_firewall_v6
 ```
 
 zapret_custom_daemons поднимает демоны **nfqws**/**tpws** в нужном вам количестве и с нужными вам параметрами.
-Для систем традиционного linux (sysv) и MacOS в первом параметре передается код операции: 1 = запуск, 0 = останов.
+В первом параметре передается код операции: 1 = запуск, 0 = останов.
-Для openwrt логика останова отсутствует за ненадобностью.
 Схема запуска демонов в openwrt отличается - используется procd.
+Поэтому логика останова отсутствует за ненадобностью, останов никогда не вызывается.
 
 zapret_custom_firewall поднимает и убирает правила `iptables`.
 В первом параметре передается код операции: 1 = запуск, 0 = останов.
@@ -1913,8 +1915,8 @@ zapret_custom_firewall_nft поднимает правила nftables.
 В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout,
 содержащий правила для pf-якоря. Остальное сделает обертка.
 
-Особо обратите внимание на номер демона в функциях `run_daemon` и `do_daemon`, номера портов **tpws**
+Особо обратите внимание на номер демона в функциях `run_daemon` , `do_daemon`, `do_tpws`, `do_tpws_socks`, `do_nfqws` ,
-и очередей `nfqueue`.
+номера портов **tpws** и очередей **nfqueue**.
 Они должны быть уникальными во всех скриптах. При накладке будет ошибка.
 Поэтому используйте функции динамического получения этих значений из пула.
 

init.d/custom.d.examples.linux/20-fw-extra

@@ -0,0 +1,66 @@
+# this custom script runs standard mode with extra firewall rules
+
+# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# standard and override switches cannot be enabled simultaneously !
+
+TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
+NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+
+# config: some if these values must be set in config. not setting any of these makes this script meaningless.
+# pre vars put ipt/nft code to the rule beginning
+#FW_EXTRA_PRE_TPWS_IPT=
+#FW_EXTRA_PRE_TPWS_NFT=
+#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+# post vars put ipt/nft code to the rule end
+#FW_EXTRA_POST_TPWS_IPT=
+#FW_EXTRA_POST_TPWS_NFT=
+#FW_EXTRA_POST_NFQWS_IPT=
+#FW_EXTRA_POST_NFQWS_NFT=
+
+check_std_intersect()
+{
+	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
+		return 1
+	}
+	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+		return 1
+	}
+	return 0
+}
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	check_std_intersect || return
+
+	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	standard_mode_daemons "$1"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
+	zapret_do_firewall_standard_tpws_rules_ipt $1
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
+	zapret_apply_firewall_standard_tpws_rules_nft
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}

init.d/sysv/custom.d.examples/50-dht4all → init.d/custom.d.examples.linux/50-dht4all

@@ -8,9 +8,9 @@ alloc_qnum QNUM_DHT4ALL
 
 zapret_custom_daemons()
 {
-        # stop logic is managed by procd
+	# $1 - 1 - add, 0 - stop
 
-        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
 	do_nfqws $1 $DNUM_DHT4ALL "$opt"
 }
 zapret_custom_firewall()

init.d/sysv/custom.d.examples/50-discord → init.d/custom.d.examples.linux/50-discord

@@ -14,7 +14,7 @@ zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD"
+	local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_DESYNC_DISCORD"
 	do_nfqws $1 $DNUM_DISCORD "$opt"
 }
 

init.d/custom.d.examples.linux/50-tpws-ipset

@@ -0,0 +1,89 @@
+# this custom script demonstrates how to launch extra tpws instance limited by ipset
+
+# can override in config :
+TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}"
+TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS}
+TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}"
+TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}"
+
+TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096}
+TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}"
+
+alloc_dnum DNUM_TPWS_MY1
+alloc_tpws_port PORT_TPWS_MY1
+TPWS_MY1_NAME4=my1tpws4
+TPWS_MY1_NAME6=my1tpws6
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT"
+	do_tpws $1 $DNUM_TPWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6 subnet
+	local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS)
+	local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"
+
+	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
+		ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null
+		ipset flush $TPWS_MY1_NAME4
+		for subnet in $TPWS_MY1_SUBNETS4; do
+			echo add $TPWS_MY1_NAME4 $subnet
+		done | ipset -! restore
+	}
+	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
+		ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null
+		ipset flush $TPWS_MY1_NAME6
+		for subnet in $TPWS_MY1_SUBNETS6; do
+			echo add $TPWS_MY1_NAME6 $subnet
+		done | ipset -! restore
+	}
+
+	f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set"
+	f6="$f4 $TPWS_MY1_NAME6 dst"
+	f4="$f4 $TPWS_MY1_NAME4 dst"
+	fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1
+
+	[ "$1" = 1 ] || {
+		ipset destroy $TPWS_MY1_NAME4 2>/dev/null
+		ipset destroy $TPWS_MY1_NAME6 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	local f4 f6 subnet
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+	        make_comma_list subnets $TPWS_MY1_SUBNETS4
+		nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $TPWS_MY1_NAME4
+		nft_add_set_element $TPWS_MY1_NAME4 "$subnets"
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+	        make_comma_list subnets $TPWS_MY1_SUBNETS6
+		nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $TPWS_MY1_NAME6
+		nft_add_set_element $TPWS_MY1_NAME6 "$subnets"
+	}
+
+	f4="tcp dport {$TPWS_MY1_PORTS}"
+	f6="$f4 ip6 daddr @$TPWS_MY1_NAME6"
+	f4="$f4 ip daddr @$TPWS_MY1_NAME4"
+	nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $TPWS_MY1_NAME4 2>/dev/null
+	nft_del_set $TPWS_MY1_NAME6 2>/dev/null
+}

init.d/custom.d.examples.linux/50-wg4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all wireguard handshake initiation packets
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+        local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+	do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+        local f='-p udp -m u32 --u32'
+        fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f="udp length 156 @th,64,32 0x01000000"
+        nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}

init.d/openwrt/custom.d.examples/50-dht4all

@@ -1,38 +0,0 @@
-# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
-
-# can override in config :
-NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}"
-
-alloc_dnum DNUM_DHT4ALL
-alloc_qnum QNUM_DHT4ALL
-
-zapret_custom_daemons()
-{
-        # stop logic is managed by procd
-
-        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-	run_daemon $DNUM_DHT4ALL $NFQWS "$opt"
-}
-zapret_custom_firewall()
-{
-        # $1 - 1 - run, 0 - stop
-
-        local f uf4 uf6
-        local first_packet_only="$ipt_connbytes 1:1"
-
-        f='-p udp -m length --length 109:407 -m u32 --u32'
-	uf4='0>>22&0x3C@8>>16=0x6431'
-	uf6='48>>16=0x6431'
-        fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
-
-}
-zapret_custom_firewall_nft()
-{
-        # stop logic is not required
-
-        local f
-        local first_packet_only="$nft_connbytes 1"
-
-        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
-        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
-}

init.d/openwrt/functions

@@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
 . "$ZAPRET_BASE/common/list.sh"
 . "$ZAPRET_BASE/common/custom.sh"
 CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"

init.d/openwrt/zapret

@@ -81,6 +81,10 @@ run_tpws()
 	}
 	run_daemon $1 "$TPWS" "$OPT $2"
 }
+do_tpws()
+{
+	[ "$1" = 0 ] || { shift; run_tpws "$@"; }
+}
 run_tpws_socks()
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
@@ -90,13 +94,10 @@ run_tpws_socks()
 	tpws_apply_socks_binds opt
 	run_daemon $1 "$TPWS" "$opt $2"
 }
-
+do_tpws_socks()
-stop_tpws()
 {
-	stop_daemon $1 "$TPWS"
+	[ "$1" = 0 ] || { shift; run_tpws_socks "$@"; }
 }
-
-
 tpws_apply_socks_binds()
 {
 	local o
@@ -105,39 +106,27 @@ tpws_apply_socks_binds()
 	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
 	
 	for lan in $OPENWRT_LAN; do
-	    network_get_device DEVICE $lan
+		network_get_device DEVICE $lan
-	    [ -n "$DEVICE" ] || continue
+		[ -n "$DEVICE" ] || continue
-	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
+		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
-	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
 	eval $1="\"\$$1 $o\""
 }
 
-
+run_nfqws()
-standard_mode_daemons()
 {
-	local opt
+	run_daemon $1 "$NFQWS" "$NFQWS_OPT_BASE $2"
-	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && {
+}
-		opt="--port=$TPPORT $TPWS_OPT"
+do_nfqws()
-		filter_apply_hostlist_target opt
+{
-		run_tpws 1 "$opt"
+	[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
-	}
-	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
-		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
-		filter_apply_hostlist_target opt
-		run_tpws_socks 2 "$opt"
-	}
-	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
-		filter_apply_hostlist_target opt
-		run_daemon 3 "$NFQWS" "$opt"
-	}
 }
 
 start_daemons_procd()
 {
-	standard_mode_daemons
+	standard_mode_daemons 1
-	custom_runner zapret_custom_daemons
+	custom_runner zapret_custom_daemons 1
 
 	return 0
 }

init.d/pfsense/zapret.sh

@@ -21,4 +21,4 @@ pfctl -d ; pfctl -e
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
 pkill ^dvtws$
-dvtws --daemon --port 989 --dpi-desync=split2
+dvtws --daemon --port 989 --dpi-desync=multisplit

init.d/sysv/functions

@@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
 . "$ZAPRET_BASE/common/list.sh"
 . "$ZAPRET_BASE/common/custom.sh"
 CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
@@ -275,45 +276,3 @@ create_ipset()
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
-
-
-standard_mode_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local opt
-
-	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
-		opt="--port=$TPPORT $TPWS_OPT"
-		filter_apply_hostlist_target opt
-		do_tpws $1 1 "$opt"
-	}
-	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
-		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
-		filter_apply_hostlist_target opt
-		do_tpws_socks $1 2 "$opt"
-	}
-	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT"
-		filter_apply_hostlist_target opt
-		do_nfqws $1 3 "$opt"
-	}
-}
-
-zapret_do_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	standard_mode_daemons $1
-	custom_runner zapret_custom_daemons $1
-
-	return 0
-}
-zapret_run_daemons()
-{
-	zapret_do_daemons 1 "$@"
-}
-zapret_stop_daemons()
-{
-	zapret_do_daemons 0 "$@"
-}

install_bin.sh

@@ -56,7 +56,7 @@ UNAME=$(uname)
 unset PKTWS
 case $UNAME in
 	Linux)
-		ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
+		ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb lexra ppc"
 		PKTWS=nfqws
 		;;
 	Darwin)

install_easy.sh

@@ -394,7 +394,7 @@ copy_openwrt()
 	mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files"
 	cp -R "$1/files/fake" "$2/files"
 	cp -R "$1/common" "$1/ipset" "$2"
-	cp -R "$1/init.d/openwrt" "$2/init.d"
+	cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d"
 	cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck.sh" "$2"
 	cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
 }

ip2net/Makefile

@@ -9,22 +9,22 @@ SRC_FILES = ip2net.c qsort.c
 all: ip2net
 
 ip2net: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 android: ip2net
 
 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS) $(LDFLAGS)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS) $(LDFLAGS)
 	strip ip2neta ip2netx
 	lipo -create -output ip2net ip2netx ip2neta
 	rm -f ip2netx ip2neta
 
 win: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
+	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)
 
 clean:
 	rm -f ip2net *.o

mdig/Makefile

@@ -10,23 +10,23 @@ SRC_FILES = *.c
 all: mdig
 
 mdig: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 android: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_ANDROID)
+	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)
 
 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
 	strip mdiga mdigx
 	lipo -create -output mdig mdigx mdiga
 	rm -f mdigx mdiga
 
 win: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
+	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)
 
 clean:
 	rm -f mdig *.o

nfq/BSDmakefile

@@ -6,7 +6,7 @@ SRC_FILES = *.c crypto/*.c
 all: dvtws
 
 dvtws: $(SRC_FILES)
-	$(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 clean:
 	rm -f dvtws

nfq/Makefile

@@ -14,24 +14,24 @@ SRC_FILES = *.c crypto/*.c
 all: nfqws
 
 nfqws: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LDFLAGS) $(LIBS_LINUX)
+	$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
 
 android: nfqws
 
 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS_BSD)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LIBS_BSD) $(LDFLAGS)
 
 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
 	strip dvtwsa dvtwsx
 	lipo -create -output dvtws dvtwsx dvtwsa
 	rm -f dvtwsx dvtwsa
 
 cygwin64:
-	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64)
+	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) $(LDFLAGS)
 cygwin32:
-	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32)
+	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) $(LDFLAGS)
 cygwin: cygwin64
 
 clean:

nfq/desync.c

@@ -76,13 +76,6 @@ void randomize_default_tls_payload(uint8_t *p)
 #define PKTDATA_MAXDUMP 32
 #define IP_MAXDUMP 80
 
-static uint8_t zeropkt[DPI_DESYNC_MAX_FAKE_LEN];
-
-void desync_init(void)
-{
-	memset(zeropkt, 0, sizeof(zeropkt));
-}
-
 bool desync_valid_zero_stage(enum dpi_desync_mode mode)
 {
 	return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;

nfq/desync.h

@@ -52,5 +52,4 @@ bool desync_valid_second_stage(enum dpi_desync_mode mode);
 bool desync_valid_second_stage_tcp(enum dpi_desync_mode mode);
 bool desync_valid_second_stage_udp(enum dpi_desync_mode mode);
 
-void desync_init(void);
 uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifout, uint8_t *data_pkt, size_t *len_pkt);

nfq/params.h

@@ -20,8 +20,6 @@
 
 #define TLS_PARTIALS_ENABLE	true
 
-#define Q_RCVBUF	(128*1024)	// in bytes
-#define Q_SNDBUF	(64*1024)	// in bytes
 #define RAW_SNDBUF	(64*1024)	// in bytes
 
 #define Q_MAXLEN	1024		// in packets

nfq/protocol.c

@@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st
 }
 
 
-const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
+const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
 const char *HttpMethod(const uint8_t *data, size_t len)
 {
 	const char **method;

nfq/sec.c

@@ -88,10 +88,6 @@ SYS_symlinkat,
 SYS_link,
 #endif
 SYS_linkat,
-#ifdef SYS_pkey_mprotect
-SYS_pkey_mprotect,
-#endif
-SYS_mprotect,
 SYS_truncate,
 #ifdef SYS_truncate64
 SYS_truncate64,

tpws/BSDmakefile

@@ -6,7 +6,7 @@ SRC_FILES = *.c
 all: tpws
 
 tpws: $(SRC_FILES)
-	$(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
 
 clean:
 	rm -f tpws *.o

tpws/Makefile

@@ -9,17 +9,17 @@ SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
 all: tpws
 
 tpws: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
 android: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LDFLAGS) $(LIBS_ANDROID)
+	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
 
 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -o tpws $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
 
 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsa -target arm64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -Iepoll-shim/include -Imacos -o tpwsx -target x86_64-apple-macos10.8 $(SRC_FILES) epoll-shim/src/*.c $(LIBS) $(LDFLAGS)
 	strip tpwsa tpwsx
 	lipo -create -output tpws tpwsx tpwsa
 	rm -f tpwsx tpwsa

tpws/helpers.c

@@ -12,10 +12,6 @@
 #include <libgen.h>
 #include <unistd.h>
 
-#ifdef __linux__
-#include <linux/tcp.h>
-#endif
-
 #ifdef __ANDROID__
 #include "andr/ifaddrs.h"
 #else
@@ -23,6 +19,10 @@
 #endif
 
 #include "helpers.h"
+#ifdef __linux__
+#include <linux/tcp.h>
+#endif
+#include "linux_compat.h"
 
 int unique_size_t(size_t *pu, int ct)
 {
@@ -481,7 +481,7 @@ void msleep(unsigned int ms)
 bool socket_supports_notsent()
 {
 	int sfd;
-	struct tcp_info tcpi;
+	struct tcp_info_new tcpi;
 
 	sfd = socket(AF_INET,SOCK_STREAM,0);
 	if (sfd<0) return false;
@@ -494,11 +494,11 @@ bool socket_supports_notsent()
 	}
 	close(sfd);
 
-	return ts>=((char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi.tcpi_state + sizeof(tcpi.tcpi_notsent_bytes));
+	return ts>=((char *)&tcpi.tcpi_notsent_bytes - (char *)&tcpi + sizeof(tcpi.tcpi_notsent_bytes));
 }
 bool socket_has_notsent(int sfd)
 {
-	struct tcp_info tcpi;
+	struct tcp_info_new tcpi;
 	socklen_t ts = sizeof(tcpi);
 
 	if (getsockopt(sfd, IPPROTO_TCP, TCP_INFO, (char *)&tcpi, &ts) < 0)

tpws/linux_compat.h

@@ -0,0 +1,111 @@
+#ifdef __linux__
+
+#include <linux/types.h>
+
+#ifndef TCP_USER_TIMEOUT
+#define TCP_USER_TIMEOUT 18
+#endif
+
+#ifndef IP6T_SO_ORIGINAL_DST
+ #define IP6T_SO_ORIGINAL_DST 80
+#endif
+
+#ifndef PR_SET_NO_NEW_PRIVS
+ #define PR_SET_NO_NEW_PRIVS	38
+#endif
+
+// workaround for old headers
+
+struct tcp_info_new {
+	__u8    tcpi_state;
+	__u8    tcpi_ca_state;
+	__u8    tcpi_retransmits;
+	__u8    tcpi_probes;
+	__u8    tcpi_backoff;
+	__u8    tcpi_options;
+	__u8    tcpi_snd_wscale : 4, tcpi_rcv_wscale : 4;
+	__u8    tcpi_delivery_rate_app_limited : 1, tcpi_fastopen_client_fail : 2;
+
+	__u32   tcpi_rto;
+	__u32   tcpi_ato;
+	__u32   tcpi_snd_mss;
+	__u32   tcpi_rcv_mss;
+
+	__u32   tcpi_unacked;
+	__u32   tcpi_sacked;
+	__u32   tcpi_lost;
+	__u32   tcpi_retrans;
+	__u32   tcpi_fackets;
+
+	/* Times. */
+	__u32   tcpi_last_data_sent;
+	__u32   tcpi_last_ack_sent;     /* Not remembered, sorry. */
+	__u32   tcpi_last_data_recv;
+	__u32   tcpi_last_ack_recv;
+
+	/* Metrics. */
+	__u32   tcpi_pmtu;
+	__u32   tcpi_rcv_ssthresh;
+	__u32   tcpi_rtt;
+	__u32   tcpi_rttvar;
+	__u32   tcpi_snd_ssthresh;
+	__u32   tcpi_snd_cwnd;
+	__u32   tcpi_advmss;
+	__u32   tcpi_reordering;
+
+	__u32   tcpi_rcv_rtt;
+	__u32   tcpi_rcv_space;
+
+	__u32   tcpi_total_retrans;
+
+	__u64   tcpi_pacing_rate;
+	__u64   tcpi_max_pacing_rate;
+	__u64   tcpi_bytes_acked;    /* RFC4898 tcpEStatsAppHCThruOctetsAcked */
+	__u64   tcpi_bytes_received; /* RFC4898 tcpEStatsAppHCThruOctetsReceived */
+	__u32   tcpi_segs_out;       /* RFC4898 tcpEStatsPerfSegsOut */
+	__u32   tcpi_segs_in;        /* RFC4898 tcpEStatsPerfSegsIn */
+
+	__u32   tcpi_notsent_bytes;
+	__u32   tcpi_min_rtt;
+	__u32   tcpi_data_segs_in;      /* RFC4898 tcpEStatsDataSegsIn */
+	__u32   tcpi_data_segs_out;     /* RFC4898 tcpEStatsDataSegsOut */
+
+	__u64   tcpi_delivery_rate;
+
+	__u64   tcpi_busy_time;      /* Time (usec) busy sending data */
+	__u64   tcpi_rwnd_limited;   /* Time (usec) limited by receive window */
+	__u64   tcpi_sndbuf_limited; /* Time (usec) limited by send buffer */
+
+	__u32   tcpi_delivered;
+	__u32   tcpi_delivered_ce;
+
+	__u64   tcpi_bytes_sent;     /* RFC4898 tcpEStatsPerfHCDataOctetsOut */
+	__u64   tcpi_bytes_retrans;  /* RFC4898 tcpEStatsPerfOctetsRetrans */
+	__u32   tcpi_dsack_dups;     /* RFC4898 tcpEStatsStackDSACKDups */
+	__u32   tcpi_reord_seen;     /* reordering events seen */
+
+	__u32   tcpi_rcv_ooopack;    /* Out-of-order packets received */
+
+	__u32   tcpi_snd_wnd;        /* peer's advertised receive window after
+								  * scaling (bytes)
+								  */
+	__u32   tcpi_rcv_wnd;        /* local advertised receive window after
+								  * scaling (bytes)
+								  */
+
+	__u32   tcpi_rehash;         /* PLB or timeout triggered rehash attempts */
+
+	__u16   tcpi_total_rto; /* Total number of RTO timeouts, including
+							 * SYN/SYN-ACK and recurring timeouts.
+							 */
+	__u16   tcpi_total_rto_recoveries;      /* Total number of RTO
+											 * recoveries, including any
+											 * unfinished recovery.
+											 */
+	__u32   tcpi_total_rto_time;    /* Total time spent in RTO recoveries
+									 * in milliseconds, including any
+									 * unfinished recovery.
+									 */
+};
+
+#endif

tpws/params.h

@@ -18,7 +18,7 @@
 #define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT	3
 #define	HOSTLIST_AUTO_FAIL_TIME_DEFAULT 	60
 
-#define FIX_SEG_DEFAULT_MAX_WAIT		30
+#define FIX_SEG_DEFAULT_MAX_WAIT		50
 
 enum bindll { unwanted=0, no, prefer, force };
 

tpws/protocol.c

@@ -151,7 +151,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7proto l7proto, const st
 }
 
 
-const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
+const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS ","PUT /","DELETE /","CONNECT ","TRACE /",NULL };
 const char *HttpMethod(const uint8_t *data, size_t len)
 {
 	const char **method;

tpws/redirect.c

@@ -9,12 +9,10 @@
 
 #include "params.h"
 #include "helpers.h"
+#include "linux_compat.h"
 
 #ifdef __linux__
  #include <linux/netfilter_ipv4.h>
- #ifndef IP6T_SO_ORIGINAL_DST
-  #define IP6T_SO_ORIGINAL_DST 80
- #endif
 #endif
 
 

tpws/tpws.c

@@ -176,6 +176,7 @@ static void exithelp(void)
 		" --debug=0|1|2|syslog|@<filename>\t; 1 and 2 means log to console and set debug level. for other targets use --debug-level.\n"
 		" --debug-level=0|1|2\t\t\t; specify debug level\n"
 		" --dry-run\t\t\t\t; verify parameters and exit with code 0 if successful\n"
+		" --comment=any_text\n"
 		"\nMULTI-STRATEGY:\n"
 		" --new\t\t\t\t\t; begin new strategy\n"
 		" --skip\t\t\t\t\t; do not use this strategy\n"
@@ -669,21 +670,22 @@ void parse_params(int argc, char *argv[])
 		{ "debug",optional_argument,0,0 },// optidx=45
 		{ "debug-level",required_argument,0,0 },// optidx=46
 		{ "dry-run",no_argument,0,0 },// optidx=47
-		{ "local-rcvbuf",required_argument,0,0 },// optidx=48
+		{ "comment",optional_argument,0,0 },// optidx=48
-		{ "local-sndbuf",required_argument,0,0 },// optidx=49
+		{ "local-rcvbuf",required_argument,0,0 },// optidx=49
-		{ "remote-rcvbuf",required_argument,0,0 },// optidx=50
+		{ "local-sndbuf",required_argument,0,0 },// optidx=50
-		{ "remote-sndbuf",required_argument,0,0 },// optidx=51
+		{ "remote-rcvbuf",required_argument,0,0 },// optidx=51
-		{ "socks",no_argument,0,0 },// optidx=52
+		{ "remote-sndbuf",required_argument,0,0 },// optidx=52
-		{ "no-resolve",no_argument,0,0 },// optidx=53
+		{ "socks",no_argument,0,0 },// optidx=53
-		{ "resolver-threads",required_argument,0,0 },// optidx=54
+		{ "no-resolve",no_argument,0,0 },// optidx=54
-		{ "skip-nodelay",no_argument,0,0 },// optidx=55
+		{ "resolver-threads",required_argument,0,0 },// optidx=55
-		{ "tamper-start",required_argument,0,0 },// optidx=56
+		{ "skip-nodelay",no_argument,0,0 },// optidx=56
-		{ "tamper-cutoff",required_argument,0,0 },// optidx=57
+		{ "tamper-start",required_argument,0,0 },// optidx=57
-		{ "connect-bind-addr",required_argument,0,0 },// optidx=58
+		{ "tamper-cutoff",required_argument,0,0 },// optidx=58
-
+		{ "connect-bind-addr",required_argument,0,0 },// optidx=59
-		{ "new",no_argument,0,0 },				// optidx=59
+
-		{ "skip",no_argument,0,0 },				// optidx=60
+		{ "new",no_argument,0,0 },				// optidx=60
-		{ "filter-l3",required_argument,0,0 },			// optidx=61
+		{ "skip",no_argument,0,0 },				// optidx=61
+		{ "filter-l3",required_argument,0,0 },			// optidx=62
 		{ "filter-tcp",required_argument,0,0 },			// optidx=63
 		{ "filter-l7",required_argument,0,0 },			// optidx=64
 		{ "ipset",required_argument,0,0 },			// optidx=65
@@ -692,17 +694,17 @@ void parse_params(int argc, char *argv[])
 		{ "ipset-exclude-ip",required_argument,0,0 },		// optidx=68
 
 #if defined(__FreeBSD__)
-		{ "enable-pf",no_argument,0,0 },// optidx=68
+		{ "enable-pf",no_argument,0,0 },// optidx=69
 #elif defined(__APPLE__)
-		{ "local-tcp-user-timeout",required_argument,0,0 },	// optidx=68
+		{ "local-tcp-user-timeout",required_argument,0,0 },	// optidx=69
-		{ "remote-tcp-user-timeout",required_argument,0,0 },	// optidx=69
+		{ "remote-tcp-user-timeout",required_argument,0,0 },	// optidx=70
 #elif defined(__linux__)
-		{ "local-tcp-user-timeout",required_argument,0,0 },	// optidx=68
+		{ "local-tcp-user-timeout",required_argument,0,0 },	// optidx=69
-		{ "remote-tcp-user-timeout",required_argument,0,0 },	// optidx=69
+		{ "remote-tcp-user-timeout",required_argument,0,0 },	// optidx=70
-		{ "mss",required_argument,0,0 },			// optidx=70
+		{ "mss",required_argument,0,0 },			// optidx=71
-		{ "fix-seg",optional_argument,0,0 },			// optidx=71
+		{ "fix-seg",optional_argument,0,0 },			// optidx=72
 #ifdef SPLICE_PRESENT
-		{ "nosplice",no_argument,0,0 },				// optidx=72
+		{ "nosplice",no_argument,0,0 },				// optidx=73
 #endif
 #endif
 		{ "hostlist-auto-retrans-threshold",optional_argument,0,0}, // ignored. for nfqws command line compatibility
@@ -711,10 +713,12 @@ void parse_params(int argc, char *argv[])
 	while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
 	{
 		if (v)
+		{
 			if (bDry)
 				exit_clean(1);
 			else
 				exithelp_clean();
+		}
 		switch (option_index)
 		{
 		case 0:
@@ -1151,41 +1155,43 @@ void parse_params(int argc, char *argv[])
 		case 47: /* dry-run */
 			bDry = true;
 			break;
-		case 48: /* local-rcvbuf */
+		case 48: /* comment */
+			break;
+		case 49: /* local-rcvbuf */
 #ifdef __linux__
 			params.local_rcvbuf = atoi(optarg)/2;
 #else
 			params.local_rcvbuf = atoi(optarg);
 #endif
 			break;
-		case 49: /* local-sndbuf */
+		case 50: /* local-sndbuf */
 #ifdef __linux__
 			params.local_sndbuf = atoi(optarg)/2;
 #else
 			params.local_sndbuf = atoi(optarg);
 #endif
 			break;
-		case 50: /* remote-rcvbuf */
+		case 51: /* remote-rcvbuf */
 #ifdef __linux__
 			params.remote_rcvbuf = atoi(optarg)/2;
 #else
 			params.remote_rcvbuf = atoi(optarg);
 #endif
 			break;
-		case 51: /* remote-sndbuf */
+		case 52: /* remote-sndbuf */
 #ifdef __linux__
 			params.remote_sndbuf = atoi(optarg)/2;
 #else
 			params.remote_sndbuf = atoi(optarg);
 #endif
 			break;
-		case 52: /* socks */
+		case 53: /* socks */
 			params.proxy_type = CONN_TYPE_SOCKS;
 			break;
-		case 53: /* no-resolve */
+		case 54: /* no-resolve */
 			params.no_resolve = true;
 			break;
-		case 54: /* resolver-threads */
+		case 55: /* resolver-threads */
 			params.resolver_threads = atoi(optarg);
 			if (params.resolver_threads<1 || params.resolver_threads>300)
 			{
@@ -1193,10 +1199,10 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 55: /* skip-nodelay */
+		case 56: /* skip-nodelay */
 			params.skip_nodelay = true;
 			break;
-		case 56: /* tamper-start */
+		case 57: /* tamper-start */
 			{
 				const char *p=optarg;
 				if (*p=='n')
@@ -1210,7 +1216,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper_lim = true;
 			break;
-		case 57: /* tamper-cutoff */
+		case 58: /* tamper-cutoff */
 			{
 				const char *p=optarg;
 				if (*p=='n')
@@ -1224,7 +1230,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper_lim = true;
 			break;
-		case 58: /* connect-bind-addr */
+		case 59: /* connect-bind-addr */
 			{
 				char *p = strchr(optarg,'%');
 				if (p) *p++=0;
@@ -1252,7 +1258,7 @@ void parse_params(int argc, char *argv[])
 			break;
 
 
-		case 59: /* new */
+		case 60: /* new */
 			if (bSkip)
 			{
 				dp_clear(dp);
@@ -1273,31 +1279,31 @@ void parse_params(int argc, char *argv[])
 			anon_hl = anon_hl_exclude = NULL;
 			anon_ips = anon_ips_exclude = NULL;
 			break;
-		case 60: /* skip */
+		case 61: /* skip */
 			bSkip = true;
 			break;
-		case 61: /* filter-l3 */
+		case 62: /* filter-l3 */
 			if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
 			{
 				DLOG_ERR("bad value for --filter-l3\n");
 				exit_clean(1);
 			}
 			break;
-		case 62: /* filter-tcp */
+		case 63: /* filter-tcp */
 			if (!parse_pf_list(optarg,&dp->pf_tcp))
 			{
 				DLOG_ERR("Invalid port filter : %s\n",optarg);
 				exit_clean(1);
 			}
 			break;
-		case 63: /* filter-l7 */
+		case 64: /* filter-l7 */
 			if (!parse_l7_list(optarg,&dp->filter_l7))
 			{
 				DLOG_ERR("Invalid l7 filter : %s\n",optarg);
 				exit_clean(1);
 			}
 			break;
-		case 64: /* ipset */
+		case 65: /* ipset */
 			if (bSkip) break;
 			if (!RegisterIpset(dp, false, optarg))
 			{
@@ -1306,7 +1312,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 65: /* ipset-ip */
+		case 66: /* ipset-ip */
 			if (bSkip) break;
 			if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
 			{
@@ -1320,7 +1326,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 66: /* ipset-exclude */
+		case 67: /* ipset-exclude */
 			if (bSkip) break;
 			if (!RegisterIpset(dp, true, optarg))
 			{
@@ -1329,7 +1335,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 67: /* ipset-exclude-ip */
+		case 68: /* ipset-exclude-ip */
 			if (bSkip) break;
 			if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
 			{
@@ -1345,11 +1351,11 @@ void parse_params(int argc, char *argv[])
 			break;
 
 #if defined(__FreeBSD__)
-		case 68: /* enable-pf */
+		case 69: /* enable-pf */
 			params.pf_enable = true;
 			break;
 #elif defined(__linux__) || defined(__APPLE__)
-		case 68: /* local-tcp-user-timeout */
+		case 69: /* local-tcp-user-timeout */
 			params.tcp_user_timeout_local = atoi(optarg);
 			if (params.tcp_user_timeout_local<0 || params.tcp_user_timeout_local>86400)
 			{
@@ -1357,7 +1363,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 69: /* remote-tcp-user-timeout */
+		case 70: /* remote-tcp-user-timeout */
 			params.tcp_user_timeout_remote = atoi(optarg);
 			if (params.tcp_user_timeout_remote<0 || params.tcp_user_timeout_remote>86400)
 			{
@@ -1368,7 +1374,7 @@ void parse_params(int argc, char *argv[])
 #endif
 
 #if defined(__linux__)
-		case 70: /* mss */
+		case 71: /* mss */
 			// this option does not work in any BSD and MacOS. OS may accept but it changes nothing
 			dp->mss = atoi(optarg);
 			if (dp->mss<88 || dp->mss>32767)
@@ -1377,7 +1383,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 71: /* fix-seg */
+		case 72: /* fix-seg */
 			if (!params.fix_seg_avail)
 			{
 				DLOG_ERR("--fix-seg is supported since kernel 4.6\n");
@@ -1397,7 +1403,7 @@ void parse_params(int argc, char *argv[])
 				params.fix_seg = FIX_SEG_DEFAULT_MAX_WAIT;
 			break;
 #ifdef SPLICE_PRESENT
-		case 72: /* nosplice */
+		case 73: /* nosplice */
 			params.nosplice = true;
 			break;
 #endif

tpws/tpws_conn.c

@@ -23,6 +23,7 @@
 #include "socks.h"
 #include "helpers.h"
 #include "hostlist.h"
+#include "linux_compat.h"
 
 // keep separate legs counter. counting every time thousands of legs can consume cpu
 static int legs_local, legs_remote;