@ -41,22 +41,19 @@ CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
CURL_MAX_TIME_DOH = ${ CURL_MAX_TIME_DOH :- 2 }
MIN_TTL = ${ MIN_TTL :- 1 }
MAX_TTL = ${ MAX_TTL :- 12 }
MIN_AUTOTTL_DELTA = ${ MIN_AUTOTTL_DELTA :- 1 }
MAX_AUTOTTL_DELTA = ${ MAX_AUTOTTL_DELTA :- 5 }
USER_AGENT = ${ USER_AGENT :- Mozilla }
HTTP_PORT = ${ HTTP_PORT :- 80 }
HTTPS_PORT = ${ HTTPS_PORT :- 443 }
QUIC_PORT = ${ QUIC_PORT :- 443 }
UNBLOCKED_DOM = ${ UNBLOCKED_DOM :- iana .org }
PARALLEL_OUT = /tmp/zapret_parallel
SIM_SUCCESS_RATE = ${ SIM_SUCCESS_RATE :- 10 }
HDRTEMP = /tmp/zapret-hdr
NFT_TABLE = blockcheck
DNSCHECK_DNS = ${ DNSCHECK_DNS :- 8 .8.8.8 1.1.1.1 77.88.8.1 }
DNSCHECK_DOM = ${ DNSCHECK_DOM :- pornhub .com ej.ru rutracker.org www.torproject.org bbc.com }
DNSCHECK_DOM = ${ DNSCHECK_DOM :- pornhub .com ntc.party rutracker.org www.torproject.org bbc.com }
DOH_SERVERS = ${ DOH_SERVERS :- "https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query" }
DNSCHECK_DIG1 = /tmp/dig1.txt
DNSCHECK_DIG2 = /tmp/dig2.txt
@ -219,7 +216,7 @@ doh_resolve()
# $1 - ip version 4/6
# $2 - hostname
# $3 - doh server URL. use $DOH_SERVER if empty
" $MDIG " = $1 --dns-make-query= $2 | " $CURL " $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" " ${ 3 :- $DOH_SERVER } " | " $MDIG "
$MDIG --family= $1 --dns-make-query= $2 | $CURL --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" " ${ 3 :- $DOH_SERVER } " | $MDIG --dns-parse-query
}
doh_find_working( )
{
@ -247,7 +244,7 @@ mdig_vars()
# $1 - ip version 4/6
# $2 - hostname
hostvar = $( echo $2 | sed -e 's/[\./?&#@%*$^:~=!()+ -]/_/g' )
hostvar = $( echo $2 | sed -e 's/[\.-]/_/g' )
cachevar = DNSCACHE_${ hostvar } _$1
countvar = ${ cachevar } _COUNT
eval count = \$ ${ countvar }
@ -278,45 +275,41 @@ mdig_cache()
mdig_resolve( )
{
# $1 - ip version 4/6
# $2 - var to receive result
# $3 - hostname, possibly with uri : rutracker.org/xxx/xxxx
local hostvar cachevar countvar count n sdom
# $2 - hostname
split_by_separator " $3 " / sdom
mdig_vars " $1 " " $sdom "
local hostvar cachevar countvar count ip n
mdig_vars " $@ "
if [ -n " $count " ] ; then
n = $( random 0 $(( $count - 1 )) )
eval $2 = \$ ${ cachevar } _$n
eval ip = \$ ${ cachevar } _$n
echo $ip
return 0
else
mdig_cache " $1 " " $sdom " && mdig_resolve " $1 " " $2 " " $sdom "
mdig_cache " $@ " && mdig_resolve " $@ "
fi
}
mdig_resolve_all( )
{
# $1 - ip version 4/6
# $2 - var to receive result
# $3 - hostname
local hostvar cachevar countvar count ip__ ips__ n sdom
# $2 - hostname
split_by_separator " $3 " / sdom
mdig_vars " $1 " " $sdom "
local hostvar cachevar countvar count ip ips n
mdig_vars " $@ "
if [ -n " $count " ] ; then
n = 0
while [ " $n " -le $count ] ; do
eval ip__ = \$ ${ cachevar } _$n
if [ -n " $ips__ " ] ; then
ips__ = " $ips__ $ip__ "
eval ip = \$ ${ cachevar } _$n
if [ -n " $ips " ] ; then
ips = " $ips $ip "
else
ips__ = " $ip__ "
ips = " $ip "
fi
n = $(( $n + 1 ))
done
eval $2 = "\$ips__ "
echo " $ips
return 0
else
mdig_cache " $1 " " $sdom " && mdig_resolve_all " $1 " " $2 " " $sdom "
mdig_cache " $@ " && mdig_resolve_all " $@ "
fi
}
@ -418,16 +411,9 @@ check_system()
else
uname -a
fi
[ -f /etc/os-release ] && {
. /etc/os-release
[ -n " $PRETTY_NAME " ] && echo " distro: $PRETTY_NAME "
[ -n " $OPENWRT_RELEASE " ] && echo " openwrt release: $OPENWRT_RELEASE "
[ -n " $OPENWRT_BOARD " ] && echo " openwrt board: $OPENWRT_BOARD "
[ -n " $OPENWRT_ARCH " ] && echo " openwrt arch: $OPENWRT_ARCH "
}
echo firewall type is $FWTYPE
echo CURL = $CURL
" $CURL "
$CURL --version
}
zp_already_running( )
@ -483,7 +469,7 @@ check_prerequisites()
exitp 6
}
local prog progs = " $CURL "
local prog progs = 'curl'
[ " $SKIP_PKTWS " = 1 ] || {
case " $UNAME " in
Linux)
@ -599,12 +585,12 @@ curl_translate_code()
curl_supports_tls13( )
{
local r
" $CURL " 1 http://127.0.0.1:65535 2>/dev/null
$CURL --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
# return code 2 = init failed. likely bad command line options
[ $? = 2 ] && return 1
# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
# this is online test because there's no other way to trigger library incompatibility case
" $CURL " 1 -Is -o /dev/null https://iana.org 2>/dev/null
$CURL --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
r = $?
[ $r != 4 -a $r != 35 ]
}
@ -612,16 +598,16 @@ curl_supports_tls13()
curl_supports_tlsmax( )
{
# supported only in OpenSSL and LibreSSL
" $CURL " | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
$CURL --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
# supported since curl 7.54
" $CURL " 1 http://127.0.0.1:65535 2>/dev/null
$CURL --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
# return code 2 = init failed. likely bad command line options
[ $? != 2 ]
}
curl_supports_connect_to( )
{
" $CURL " 1 http://127.0.0.1:65535 2>/dev/null
$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
[ " $? " != 2 ]
}
@ -629,7 +615,7 @@ curl_supports_http3()
{
# if it has http3 : curl: (3) HTTP/3 requested for non-HTTPS URL
# otherwise : curl: (2) option --http3-only: is unknown
" $CURL " 1 --http3-only http://127.0.0.1:65535 2>/dev/null
$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
[ " $? " != 2 ]
}
@ -657,10 +643,10 @@ curl_with_subst_ip()
*:*) ip = " [ $ip ] " ; ;
esac
local connect_to = " --connect-to $1 :: $ip ${ 2 : + : $2 } " arg
shift ; shift ; shift;
shift ; shift ; shift
[ " $CURL_VERBOSE " = 1 ] && arg = "-v"
[ " $CURL_CMD " = 1 ] && echo $CURL ${ arg : + $arg } $connect_to " $@ "
ALL_PROXY = " $ALL_PROXY " " $CURL " ${ arg : + $arg } $connect_to " $@ "
ALL_PROXY = " $ALL_PROXY " $CURL ${ arg : + $arg } $connect_to " $@ "
}
curl_with_dig( )
{
@ -669,13 +655,10 @@ curl_with_dig()
# $3 - port
# $4+ - curl params
local dom = $2 port = $3
local sdom suri ip
split_by_separator " $dom " / sdom suri
mdig_resolve $1 ip $sdom
local ip = $( mdig_resolve $1 $dom )
shift ; shift ; shift
if [ -n " $ip " ] ; then
curl_with_subst_ip " $s dom " " $port " " $ip " " $@ "
curl_with_subst_ip $dom $port $ip " $@ "
else
return 6
fi
@ -738,7 +721,7 @@ curl_test_https_tls12()
# $3 - subst ip
# do not use tls 1.3 to make sure server certificate is not encrypted
curl_probe $1 $2 $HTTPS_PORT " $3 " $HTTPS_HEAD " $USER_AGENT " --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 " https:// $2 " -o /dev/null 2>& 1
curl_probe $1 $2 $HTTPS_PORT " $3 " -I Ss -A " $USER_AGENT " --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 " https:// $2 " -o /dev/null 2>& 1
}
curl_test_https_tls13( )
{
@ -747,7 +730,7 @@ curl_test_https_tls13()
# $3 - subst ip
# force TLS1.3 mode
curl_probe $1 $2 $HTTPS_PORT " $3 " $HTTPS_HEAD " $USER_AGENT " --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 " https:// $2 " -o /dev/null 2>& 1
curl_probe $1 $2 $HTTPS_PORT " $3 " -I Ss -A " $USER_AGENT " --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 " https:// $2 " -o /dev/null 2>& 1
}
curl_test_http3( )
@ -756,7 +739,7 @@ curl_test_http3()
# $2 - domain name
# force QUIC only mode without tcp
curl_with_dig $1 $2 $QUIC_PORT $HTTPS_HEAD " $USER_AGENT " --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT " https:// $2 " -o /dev/null 2>& 1
curl_with_dig $1 $2 $QUIC_PORT -I Ss -A " $USER_AGENT " --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT " https:// $2 " -o /dev/null 2>& 1
}
ipt_aux_scheme( )
@ -820,7 +803,7 @@ nft_scheme()
make_comma_list iplist $3
nft add table inet $NFT_TABLE
nft " add chain inet $NFT_TABLE postnat { type filter hook postrouting priority 102; } "
nft " add chain inet $NFT_TABLE postnat { type filter hook output priority 102; } "
nft " add rule inet $NFT_TABLE postnat meta nfproto ipv ${ IPV } $1 dport $2 mark and $DESYNC_MARK == 0 ip ${ ipver } daddr { $iplist } ct mark set ct mark or $DESYNC_MARK queue num $QNUM "
# for strategies with incoming packets involved (autottl)
nft " add chain inet $NFT_TABLE prenat { type filter hook prerouting priority -102; } "
@ -1006,7 +989,7 @@ check_domain_port_block()
echo
echo \* port block tests ipv$IPV $1 :$2
if netcat_setup; then
mdig_resolve_all $IPV ips $1
ips = $( $IPV $1 )
if [ -n " $ips " ] ; then
for ip in $ips ; do
if netcat_test $ip $2 ; then
@ -1080,17 +1063,6 @@ ws_curl_test()
# $3 - domain
# $4,$5,$6, ... - ws params
local code ws_start = $1 testf = $2 dom = $3
[ " $SIMULATE " = 1 ] && {
n = $( random 0 99)
if [ " $n " -lt " $SIM_SUCCESS_RATE " ] ; then
echo "SUCCESS"
return 0
else
echo "FAILED"
return 7
fi
}
shift
shift
shift
@ -1113,7 +1085,7 @@ tpws_curl_test()
shift; shift;
strategy = " $@ "
strategy_append_extra_tpws
report_append " $dom " " $testf ipv ${ IPV } " " ${ WF : + $WF } $strategy "
report_append " ipv ${ IPV } $dom $testf : tpws ${ WF : + $WF } $strategy "
}
return $code
}
@ -1132,7 +1104,7 @@ pktws_curl_test()
[ " $code " = 0 ] && {
strategy = " $@ "
strategy_append_extra_pktws
report_append " $dom " " $testf ipv ${ IPV } " " $PKTWSD ${ WF : + $WF } $strategy "
report_append " ipv ${ IPV } $dom $testf : $PKTWSD ${ WF : + $WF } $strategy "
}
return $code
}
@ -1172,35 +1144,8 @@ tpws_curl_test_update()
report_append( )
{
# $1 - domain
# $2 - test function + ipver
# $3 - value
local hashstr hash hashvar hashcountvar val ct
# save resources if only one domain
[ " $DOMAINS_COUNT " -gt 1 ] && {
hashstr = " $2 : $3 "
hash = " $( echo -n " $hashstr " | md5f) "
hashvar = RESHASH_${ hash }
hashcountvar = ${ hashvar } _COUNTER
NRESHASH = ${ NRESHASH :- 0 }
eval val = " \$ $hashvar "
if [ -n " $val " ] ; then
eval ct = " \$ $hashcountvar "
ct = $(( $ct + 1 ))
eval $hashcountvar = "\$ct"
else
eval $hashvar = \" $hashstr \"
eval $hashcountvar = 1
eval RES_$NRESHASH = "\$hash"
NRESHASH = $(( $NRESHASH + 1 ))
fi
}
NREPORT = ${ NREPORT :- 0 }
eval REPORT_${ NREPORT } = \" $2 $1 : $3 \"
eval REPORT_${ NREPORT } = \" $@ \"
NREPORT = $(( $NREPORT + 1 ))
}
report_print( )
@ -1213,22 +1158,6 @@ report_print()
n = $(( $n + 1 ))
done
}
result_intersection_print( )
{
local n = 0 hash hashvar hashcountvar ct val
while : ; do
eval hash = \" \$ RES_$n \"
[ -n " $hash " ] || break
hashvar = RESHASH_${ hash }
hashcountvar = ${ hashvar } _COUNTER
eval ct = \" \$ $hashcountvar \"
[ " $ct " = " $DOMAINS_COUNT " ] && {
eval val = \" \$ $hashvar \"
echo " $val "
}
n = $(( $n + 1 ))
done
}
report_strategy( )
{
# $1 - test function
@ -1240,25 +1169,22 @@ report_strategy()
strategy = " $( echo " $strategy " | xargs) "
echo " !!!!! $1 : working strategy found for ipv ${ IPV } $2 : $3 $strategy !!!!! "
echo
# report_append "ipv${IPV} $2 $1 : $3 ${WF:+$WF }$strategy"
return 0
else
echo " $1 : $3 strategy for ipv ${ IPV } $2 not found "
echo
report_append " $2 " " $1 ipv ${ IPV } " " $3 not working "
report_append " ipv ${ IPV } $2 $1 : $3 not working "
return 1
fi
}
test_has_fakedsplit( )
{
contains " $1 " fakedsplit || contains " $1 " fakeddisorder
}
test_has_split( )
{
contains " $1 " multi split || contains " $1 " multi disorder || test_has_fakedsplit " $1 "
contains " $1 " split || contains " $1 " disorder
}
test_has_host fakesplit( )
test_has_faked split( )
{
contains " $1 " host fakesplit
contains " $1 " faked split || contains " $1 " fakeddisorder
}
test_has_fake( )
{
@ -1284,7 +1210,7 @@ pktws_curl_test_update_vary()
# $5,$6,... - strategy
local testf = $1 sec = $2 domain = $3 desync = $4 proto splits = pos fake ret = 1
local fake1 = - fake2 = - fake3 = - fake4 = -
local fake1 = - fake2 = - fake3 = -
shift; shift; shift; shift
@ -1293,27 +1219,18 @@ pktws_curl_test_update_vary()
test_has_fake $desync && {
fake1 = " --dpi-desync-fake- $proto =0x00000000 "
[ " $sec " = 0 ] || {
fake2 = '--dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,rndsni,dupsid'
# this splits actual fake to '1603' and modified standard fake from offset 2
fake3 = '--dpi-desync-fake-tls=0x1603 --dpi-desync-fake-tls=!+2 --dpi-desync-fake-tls-mod=rnd,dupsid,rndsni --dpi-desync-fake-tcp-mod=seq'
fake4 = '--dpi-desync-fake-tls-mod=rnd,dupsid,rndsni,padencap'
fake2 = "--dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,rndsni,dupsid"
fake3 = "--dpi-desync-fake-tls-mod=rnd,dupsid,rndsni,padencap"
}
}
if test_has_fakedsplit $desync ; then
splits = "method+2 midsld"
[ " $sec " = 0 ] || splits = "1 midsld"
# do not send fake first
fake1 = '--dpi-desync-fakedsplit-mod=altorder=1'
elif test_has_split $desync ; then
splits = "method+2 midsld"
[ " $sec " = 0 ] || splits = "1 midsld 1,midsld"
fi
test_has_hostfakesplit $desync && {
fake1 = "--dpi-desync-hostfakesplit-mod=altorder=1"
fake2 = "--dpi-desync-hostfakesplit-midhost=midsld"
fake3 = "--dpi-desync-hostfakesplit-mod=altorder=1 --dpi-desync-hostfakesplit-midhost=midsld"
}
for fake in '' " $fake1 " " $fake2 " " $fake3 " " $fake4 " ; do
for fake in '' " $fake1 " " $fake2 " " $fake3 " ; do
[ " $fake " = "-" ] && continue
if [ -n " $splits " ] ; then
for pos in $splits ; do
@ -1339,8 +1256,8 @@ pktws_check_domain_http_bypass_()
# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
# $3 - domain
local ok ttls attls s f f2 e desync pos fooling frag sec = " $2 " delta orig splits
local need_split need_disorder need_fakedsplit need_hostfakesplit need_ fakeddisorder need_fake need_wssize
local ok ttls s f f2 e desync pos fooling frag sec = " $2 " delta orig splits
local need_split need_disorder need_fakedsplit need_fakeddisorder need_fake need_wssize
local splits_http = 'method+2 midsld method+2,midsld'
local splits_tls = '2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
@ -1351,7 +1268,6 @@ pktws_check_domain_http_bypass_()
}
ttls = $( seq -s ' ' $MIN_TTL $MAX_TTL )
attls = $( seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA )
need_wssize = 1
for e in '' '--wssize 1:6' ; do
need_split =
@ -1386,33 +1302,25 @@ pktws_check_domain_http_bypass_()
done
need_fakedsplit = 1
need_hostfakesplit = 1
need_fakeddisorder = 1
need_fake = 1
for desync in fake ${ need_split : +fakedsplit fake,multisplit fake,fakedsplit hostfakesplit fake,hostfakesplit } ${ need_disorder : +fakeddisorder fake,multidisorder fake,fakeddisorder } ; do
for desync in fake ${ need_split : +fakedsplit fake,multisplit fake,fakedsplit } ${ need_disorder : +fakeddisorder fake,multidisorder fake,fakeddisorder } ; do
[ " $need_fake " = 0 ] && test_has_fake " $desync " && continue
[ " $need_fakedsplit " = 0 ] && contains " $desync " fakedsplit && continue
[ " $need_hostfakesplit " = 0 ] && contains " $desync " hostfakesplit && continue
[ " $need_fakeddisorder " = 0 ] && contains " $desync " fakeddisorder && continue
ok = 0
for ttl in $ttls ; do
# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
# missing ACK is transmitted in the first data packet of TLS/HTTP proto
for f in '' '--orig-ttl=1 --orig-mod-start=s1 --orig-mod-cutoff=d1' ; do
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl= $ttl $f $e && {
[ " $SCANLEVEL " = quick ] && return
ok = 1
need_wssize = 0
[ " $SCANLEVEL " = force ] || break
}
done
[ " $ok " = 1 ] && break
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl= $ttl $e && {
[ " $SCANLEVEL " = quick ] && return
ok = 1
need_wssize = 0
break
}
done
# only skip tests if TTL succeeded. do not skip if TTL failed but fooling succeeded
[ $ok = 1 -a " $SCANLEVEL " != force ] && {
[ " $desync " = fake ] && need_fake = 0
[ " $desync " = fakedsplit ] && need_fakedsplit = 0
[ " $desync " = hostfakesplit ] && need_hostfakesplit = 0
[ " $desync " = fakeddisorder ] && need_fakeddisorder = 0
}
f =
@ -1421,21 +1329,12 @@ pktws_check_domain_http_bypass_()
[ " $IPV " = 6 ] && f = " $f hopbyhop hopbyhop2 "
for fooling in $f ; do
ok = 0
f2 =
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling= $fooling $e && {
warn_fool $fooling $desync
[ " $SCANLEVEL " = quick ] && return
need_wssize = 0
ok = 1
}
[ " $fooling " = badseq ] && {
[ " $ok " = 1 -a " $SCANLEVEL " != force ] && continue
# --dpi-desync-badseq-increment=0 leaves modified by default ack increment
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling= $fooling --dpi-desync-badseq-increment= 0 $e && {
[ " $SCANLEVEL " = quick ] && return
need_wssize = 0
}
}
[ " $fooling " = md5sig ] && {
[ " $ok " = 1 -a " $SCANLEVEL " != force ] && continue
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling= $fooling --dup= 1 --dup-cutoff= n2 --dup-fooling= md5sig $e && {
@ -1500,30 +1399,18 @@ pktws_check_domain_http_bypass_()
need_fakedsplit = 1
need_fakeddisorder = 1
need_hostfakesplit = 1
need_fake = 1
for desync in fake ${ need_split : +fakedsplit fake,multisplit fake,fakedsplit hostfakesplit fake,hostfakesplit } ${ need_disorder : +fakeddisorder fake,multidisorder fake,fakeddisorder } ; do
for desync in fake ${ need_split : +fakedsplit fake,multisplit fake,fakedsplit } ${ need_disorder : +fakeddisorder fake,multidisorder fake,fakeddisorder } ; do
[ " $need_fake " = 0 ] && test_has_fake " $desync " && continue
[ " $need_fakedsplit " = 0 ] && contains " $desync " fakedsplit && continue
[ " $need_hostfakesplit " = 0 ] && contains " $desync " hostfakesplit && continue
[ " $need_fakeddisorder " = 0 ] && contains " $desync " fakeddisorder && continue
ok = 0
# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
# missing ACK is transmitted in the first data packet of TLS/HTTP proto
for delta in $attls ; do
for f in '' '--orig-ttl=1 --orig-mod-start=s1 --orig-mod-cutoff=d1' ; do
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl= 1 --dpi-desync-autottl= -$delta $f $e && ok = 1
[ " $ok " = 1 -a " $SCANLEVEL " != force ] && break
for orig in '' 1 2 3; do
for delta in 1 2 3 4 5; do
pktws_curl_test_update_vary $1 $2 $3 $desync ${ orig : +--orig-autottl=+ $orig } --dpi-desync-ttl= 1 --dpi-desync-autottl= -$delta $e && ok = 1
done
[ " $ok " = 1 -a " $SCANLEVEL " != force ] && break
done
[ " $SCANLEVEL " = force ] && {
for orig in 1 2 3; do
for delta in $attls ; do
pktws_curl_test_update_vary $1 $2 $3 $desync ${ orig : +--orig-autottl=+ $orig } --dpi-desync-ttl= 1 --dpi-desync-autottl= -$delta $e && ok = 1
done
[ " $ok " = 1 -a " $SCANLEVEL " != force ] && break
done
}
[ " $ok " = 1 ] &&
{
echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta"
@ -1533,7 +1420,6 @@ pktws_check_domain_http_bypass_()
[ " $SCANLEVEL " = force ] || {
[ " $desync " = fake ] && need_fake = 0
[ " $desync " = fakedsplit ] && need_fakedsplit = 0
[ " $desync " = hostfakesplit ] && need_hostfakesplit = 0
[ " $desync " = fakeddisorder ] && need_fakeddisorder = 0
}
}
@ -1706,7 +1592,7 @@ check_dpi_ip_block()
echo " > testing $UNBLOCKED_DOM on it's original ip "
if curl_test $1 $UNBLOCKED_DOM ; then
mdig_resolve $IPV unblocked_ip $UNBLOCKED_DOM
unblocked_ip = $( $IPV $UNBLOCKED_DOM )
[ -n " $unblocked_ip " ] || {
echo $UNBLOCKED_DOM does not resolve. tests not possible.
return 1
@ -1715,7 +1601,7 @@ check_dpi_ip_block()
echo " > testing $blocked_dom on $unblocked_ip ( $UNBLOCKED_DOM ) "
curl_test $1 $blocked_dom $unblocked_ip detail
mdig_resolve_all $IPV blocked_ips $blocked_dom
blocked_ips = $( $IPV $blocked_dom )
for blocked_ip in $blocked_ips ; do
echo " > testing $UNBLOCKED_DOM on $blocked_ip ( $blocked_dom ) "
curl_test $1 $UNBLOCKED_DOM $blocked_ip detail
@ -1742,19 +1628,17 @@ check_domain_prolog()
local code
[ " $SIMULATE " = 1 ] && return 0
echo
echo \* $1 ipv$IPV $3
echo "- checking without DPI bypass"
curl_test $1 $3 && {
report_append " $3 " " $1 ipv ${ IPV } " "working without bypass "
report_append " ipv ${ IPV } $3 $1 : working without bypass
[ " $SCANLEVEL " = force ] || return 1
}
code = $?
curl_has_reason_to_continue $code || {
report_append " $3 " " $1 ipv ${ IPV } " " $( curl_translate_code $code ) "
report_append " ipv ${ IPV } $3 $1 : test aborted, no reason to continue. curl code $( curl_translate_code $code ) "
return 1
}
return 0
@ -1766,8 +1650,6 @@ check_domain_http_tcp()
# $3 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
# $4 - domain
local ips
# in case was interrupted before
pktws_ipt_unprepare_tcp $2
ws_kill
@ -1784,8 +1666,7 @@ check_domain_http_tcp()
[ " $SKIP_PKTWS " = 1 ] || {
echo
echo preparing $PKTWSD redirection
mdig_resolve_all $IPV ips $4
pktws_ipt_prepare_tcp $2 " $ips "
pktws_ipt_prepare_tcp $2 " $( mdig_resolve_all $IPV $4 ) "
pktws_check_domain_http_bypass $1 $3 $4
@ -1799,8 +1680,6 @@ check_domain_http_udp()
# $2 - port
# $3 - domain
local ips
# in case was interrupted before
pktws_ipt_unprepare_udp $2
ws_kill
@ -1810,8 +1689,7 @@ check_domain_http_udp()
[ " $SKIP_PKTWS " = 1 ] || {
echo
echo preparing $PKTWSD redirection
mdig_resolve_all $IPV ips $3
pktws_ipt_prepare_udp $2 " $ips "
pktws_ipt_prepare_udp $2 " $( mdig_resolve_all $IPV $3 ) "
pktws_check_domain_http3_bypass $1 $3
@ -1870,9 +1748,6 @@ configure_curl_opt()
curl_supports_tls13 && TLS13 = 1
HTTP3 =
curl_supports_http3 && HTTP3 = 1
HTTPS_HEAD = -I
[ " $CURL_HTTPS_GET " = 1 ] && HTTPS_HEAD =
}
linux_ipv6_defrag_can_be_disabled( )
@ -1933,7 +1808,7 @@ ask_params()
curl_supports_connect_to || {
echo "installed curl does not support --connect-to option. pls install at least curl 7.49"
echo "current curl version:"
" $CURL "
$CURL --version
exitp 1
}
@ -1941,13 +1816,12 @@ ask_params()
[ -n " $DOMAINS " ] || {
DOMAINS = " $DOMAINS_DEFAULT "
[ " $BATCH " = 1 ] || {
echo "specify domain(s) to test. multiple domains are space separated. URIs are supported (rutracker.org/forum/index.php) "
echo "specify domain(s) to test. multiple domains are space separated."
printf " domain(s) (default: $DOMAINS ) : "
read dom
[ -n " $dom " ] && DOMAINS = " $dom "
}
}
DOMAINS_COUNT = " $( echo " $DOMAINS " | wc -w | trim) "
local IPVS_def = 4
[ -n " $IPVS " ] || {
@ -2284,6 +2158,7 @@ sigsilent()
exit 1
}
fsleep_setup
fix_sbin_path
check_system
@ -2326,18 +2201,6 @@ cleanup
echo
echo \* SUMMARY
report_print
[ " $DOMAINS_COUNT " -gt 1 ] && {
echo
echo \* COMMON
result_intersection_print
echo
[ " $SCANLEVEL " = force ] || {
echo "blockcheck optimizes test sequence. To save time some strategies can be skipped if their test is considered useless."
echo "That's why COMMON intersection can miss strategies that would work for all domains."
echo "Use \"force\" scan level to test all strategies and generate trustable intersection."
echo " Current scan level was \" $SCANLEVEL \" " .
}
}
echo
echo "Please note this SUMMARY does not guarantee a magic pill for you to copy/paste and be happy."
echo "Understanding how strategies work is very desirable."
commensal
5 months ago