update

5 months ago · 4810bf833e
42 changed files with 10657 additions and 306 deletions
--- a/binaries/linux-arm/ip2net
+++ b/binaries/linux-arm/ip2net
--- a/binaries/linux-arm/mdig
+++ b/binaries/linux-arm/mdig
--- a/binaries/linux-arm/nfqws
+++ b/binaries/linux-arm/nfqws
--- a/binaries/linux-arm/tpws
+++ b/binaries/linux-arm/tpws
--- a/blockcheck.sh
+++ b/blockcheck.sh
@ -41,22 +41,19 @@ CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
 MIN_TTL=${MIN_TTL:-1}
 MAX_TTL=${MAX_TTL:-12}
 MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
 MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
 USER_AGENT=${USER_AGENT:-Mozilla}
 HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}
 QUIC_PORT=${QUIC_PORT:-443}
 UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
 PARALLEL_OUT=/tmp/zapret_parallel
 SIM_SUCCESS_RATE=${SIM_SUCCESS_RATE:-10}
 HDRTEMP=/tmp/zapret-hdr
 NFT_TABLE=blockcheck
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
-DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ej.ru rutracker.org www.torproject.org bbc.com}
+DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com}
 DOH_SERVERS=${DOH_SERVERS:-"https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query"}
 DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
@ -219,7 +216,7 @@ doh_resolve()
 	# $1 - ip version 4/6
 	# $2 - hostname
 	# $3 - doh server URL. use $DOH_SERVER if empty
-	"$MDIG" --family=$1 --dns-make-query=$2 | "$CURL" --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | "$MDIG" --dns-parse-query
+	$MDIG --family=$1 --dns-make-query=$2 | $CURL --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
 }
 doh_find_working()
 {
@ -247,7 +244,7 @@ mdig_vars()
 	# $1 - ip version 4/6
 	# $2 - hostname
-	hostvar=$(echo $2 | sed -e 's/[\./?&#@%*$^:~=!()+-]/_/g')
+	hostvar=$(echo $2 | sed -e 's/[\.-]/_/g')
 	cachevar=DNSCACHE_${hostvar}_$1
 	countvar=${cachevar}_COUNT
 	eval count=\$${countvar}
@ -278,45 +275,41 @@ mdig_cache()
 mdig_resolve()
 {
 	# $1 - ip version 4/6
-	# $2 - var to receive result
+	# $2 - hostname
 	# $3 - hostname, possibly with uri : rutracker.org/xxx/xxxx
 	local hostvar cachevar countvar count n sdom
-	split_by_separator "$3" / sdom
+	local hostvar cachevar countvar count ip n
-	mdig_vars "$1" "$sdom"
+	mdig_vars "$@"
 	if [ -n "$count" ]; then
 		n=$(random 0 $(($count-1)))
-		eval $2=\$${cachevar}_$n
+		eval ip=\$${cachevar}_$n
 		echo $ip
 		return 0
 	else
-		mdig_cache "$1" "$sdom" && mdig_resolve "$1" "$2" "$sdom"
+		mdig_cache "$@" && mdig_resolve "$@"
 	fi
 }
 mdig_resolve_all()
 {
 	# $1 - ip version 4/6
-	# $2 - var to receive result
+	# $2 - hostname
 	# $3 - hostname
 	local hostvar cachevar countvar count ip__ ips__ n sdom
-	split_by_separator "$3" / sdom
+	local hostvar cachevar countvar count ip ips n
-	mdig_vars "$1" "$sdom"
+	mdig_vars "$@"
 	if [ -n "$count" ]; then
 		n=0
 		while [ "$n" -le $count ]; do
-			eval ip__=\$${cachevar}_$n
+			eval ip=\$${cachevar}_$n
-			if [ -n "$ips__" ]; then
+			if [ -n "$ips" ]; then
-				ips__="$ips__ $ip__"
+				ips="$ips $ip"
 			else
-				ips__="$ip__"
+				ips="$ip"
 			fi
 			n=$(($n + 1))
 		done
-		eval $2="\$ips__"
+		echo "$ips"
 		return 0
 	else
-		mdig_cache "$1" "$sdom" && mdig_resolve_all "$1" "$2" "$sdom"
+		mdig_cache "$@" && mdig_resolve_all "$@"
 	fi
 }
@ -418,16 +411,9 @@ check_system()
 	else
 		uname -a
 	fi
 	[ -f /etc/os-release ] && {
 		. /etc/os-release
 		[ -n "$PRETTY_NAME" ] && echo "distro: $PRETTY_NAME"
 		[ -n "$OPENWRT_RELEASE" ] && echo "openwrt release: $OPENWRT_RELEASE"
 		[ -n "$OPENWRT_BOARD" ] && echo "openwrt board: $OPENWRT_BOARD"
 		[ -n "$OPENWRT_ARCH" ] && echo "openwrt arch: $OPENWRT_ARCH"
 	}
 	echo firewall type is $FWTYPE
 	echo CURL=$CURL
-	"$CURL" --version
+	$CURL --version
 }
 zp_already_running()
@ -483,7 +469,7 @@ check_prerequisites()
 		exitp 6
 	}
-	local prog progs="$CURL"
+	local prog progs='curl'
 	[ "$SKIP_PKTWS" = 1 ] || {
 		case "$UNAME" in
 			Linux)
@ -599,12 +585,12 @@ curl_translate_code()
 curl_supports_tls13()
 {
 	local r
-	"$CURL" --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	$CURL --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	# return code 2 = init failed. likely bad command line options
 	[ $? = 2 ] && return 1
 	# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
 	# this is online test because there's no other way to trigger library incompatibility case
-	"$CURL" --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
+	$CURL --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
 	r=$?
 	[ $r != 4 -a $r != 35 ]
 }
@ -612,16 +598,16 @@ curl_supports_tls13()
 curl_supports_tlsmax()
 {
 	# supported only in OpenSSL and LibreSSL
-	"$CURL" --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
+	$CURL --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
 	# supported since curl 7.54
-	"$CURL" --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	$CURL --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	# return code 2 = init failed. likely bad command line options
 	[ $? != 2 ]
 }
 curl_supports_connect_to()
 {
-	"$CURL" --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	[ "$?" != 2 ]
 }
@ -629,7 +615,7 @@ curl_supports_http3()
 {
 	# if it has http3 : curl: (3) HTTP/3 requested for non-HTTPS URL
 	# otherwise : curl: (2) option --http3-only: is unknown
-	"$CURL" --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
+	$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
 	[ "$?" != 2 ]
 }
@ -657,10 +643,10 @@ curl_with_subst_ip()
 		*:*) ip="[$ip]" ;;
 	esac
 	local connect_to="--connect-to $1::$ip${2:+:$2}" arg
-	shift ; shift ; shift;
+	shift ; shift ; shift
 	[ "$CURL_VERBOSE" = 1 ] && arg="-v"
 	[ "$CURL_CMD" = 1 ] && echo $CURL ${arg:+$arg }$connect_to "$@"
-	ALL_PROXY="$ALL_PROXY" "$CURL" ${arg:+$arg }$connect_to "$@"
+	ALL_PROXY="$ALL_PROXY" $CURL ${arg:+$arg }$connect_to "$@"
 }
 curl_with_dig()
 {
@ -669,13 +655,10 @@ curl_with_dig()
 	# $3 - port
 	# $4+ - curl params
 	local dom=$2 port=$3
-	local sdom suri ip
+	local ip=$(mdig_resolve $1 $dom)
 	split_by_separator "$dom" / sdom suri
 	mdig_resolve $1 ip $sdom
 	shift ; shift ; shift
 	if [ -n "$ip" ]; then
-		curl_with_subst_ip "$sdom" "$port" "$ip" "$@"
+		curl_with_subst_ip $dom $port $ip "$@"
 	else
 		return 6
 	fi
@ -738,7 +721,7 @@ curl_test_https_tls12()
 	# $3 - subst ip
 	# do not use tls 1.3 to make sure server certificate is not encrypted
-	curl_probe $1 $2 $HTTPS_PORT "$3" $HTTPS_HEAD -Ss -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
+	curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
 }
 curl_test_https_tls13()
 {
@ -747,7 +730,7 @@ curl_test_https_tls13()
 	# $3 - subst ip
 	# force TLS1.3 mode
-	curl_probe $1 $2 $HTTPS_PORT "$3" $HTTPS_HEAD -Ss -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
+	curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
 }
 curl_test_http3()
@ -756,7 +739,7 @@ curl_test_http3()
 	# $2 - domain name
 	# force QUIC only mode without tcp
-	curl_with_dig $1 $2 $QUIC_PORT $HTTPS_HEAD -Ss -A "$USER_AGENT" --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT "https://$2" -o /dev/null 2>&1
+	curl_with_dig $1 $2 $QUIC_PORT -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT "https://$2" -o /dev/null 2>&1
 }
 ipt_aux_scheme()
@ -820,7 +803,7 @@ nft_scheme()
 	make_comma_list iplist $3
 	nft add table inet $NFT_TABLE
-	nft "add chain inet $NFT_TABLE postnat { type filter hook postrouting priority 102; }"
+	nft "add chain inet $NFT_TABLE postnat { type filter hook output priority 102; }"
 	nft "add rule inet $NFT_TABLE postnat meta nfproto ipv${IPV} $1 dport $2 mark and $DESYNC_MARK == 0 ip${ipver} daddr {$iplist} ct mark set ct mark or $DESYNC_MARK queue num $QNUM"
 	# for strategies with incoming packets involved (autottl)
 	nft "add chain inet $NFT_TABLE prenat { type filter hook prerouting priority -102; }"
@ -1006,7 +989,7 @@ check_domain_port_block()
 	echo
 	echo \* port block tests ipv$IPV $1:$2
 	if netcat_setup; then
-		mdig_resolve_all $IPV ips $1
+		ips=$(mdig_resolve_all $IPV $1)
 		if [ -n "$ips" ]; then
 			for ip in $ips; do
 				if netcat_test $ip $2; then
@ -1080,17 +1063,6 @@ ws_curl_test()
 	# $3 - domain
 	# $4,$5,$6, ... - ws params
 	local code ws_start=$1 testf=$2 dom=$3
 	[ "$SIMULATE" = 1 ] && {
 		n=$(random 0 99)
 		if [ "$n" -lt "$SIM_SUCCESS_RATE" ]; then
 			echo "SUCCESS"
 			return 0
 		else
 			echo "FAILED"
 			return 7
 		fi
 	}
 	shift
 	shift
 	shift
@ -1113,7 +1085,7 @@ tpws_curl_test()
 		shift; shift;
 		strategy="$@"
 		strategy_append_extra_tpws
-		report_append "$dom" "$testf ipv${IPV}" "tpws ${WF:+$WF }$strategy"
+		report_append "ipv${IPV} $dom $testf : tpws ${WF:+$WF }$strategy"
 	}
 	return $code
 }
@ -1132,7 +1104,7 @@ pktws_curl_test()
 	[ "$code" = 0 ] && {
 		strategy="$@"
 		strategy_append_extra_pktws
-		report_append "$dom" "$testf ipv${IPV}" "$PKTWSD ${WF:+$WF }$strategy"
+		report_append "ipv${IPV} $dom $testf : $PKTWSD ${WF:+$WF }$strategy"
 	}
 	return $code
 }
@ -1172,35 +1144,8 @@ tpws_curl_test_update()
 report_append()
 {
 	# $1 - domain
 	# $2 - test function + ipver
 	# $3 - value
 	local hashstr hash hashvar hashcountvar val ct
 	# save resources if only one domain
 	[ "$DOMAINS_COUNT" -gt 1 ] && {
 		hashstr="$2 : $3"
 		hash="$(echo -n "$hashstr" | md5f)"
 		hashvar=RESHASH_${hash}
 		hashcountvar=${hashvar}_COUNTER
 		NRESHASH=${NRESHASH:-0}
 		eval val="\$$hashvar"
 		if [ -n "$val" ]; then
 			eval ct="\$$hashcountvar"
 			ct=$(($ct + 1))
 			eval $hashcountvar="\$ct"
 		else
 			eval $hashvar=\"$hashstr\"
 			eval $hashcountvar=1
 			eval RES_$NRESHASH="\$hash"
 			NRESHASH=$(($NRESHASH+1))
 		fi
 	}
 	NREPORT=${NREPORT:-0}
-	eval REPORT_${NREPORT}=\"$2 $1 : $3\"
+	eval REPORT_${NREPORT}=\"$@\"
 	NREPORT=$(($NREPORT+1))
 }
 report_print()
@ -1213,22 +1158,6 @@ report_print()
 		n=$(($n+1))
 	done
 }
 result_intersection_print()
 {
 	local n=0 hash hashvar hashcountvar ct val
 	while : ; do
 		eval hash=\"\$RES_$n\"
 		[ -n "$hash" ] || break
 		hashvar=RESHASH_${hash}
 		hashcountvar=${hashvar}_COUNTER
 		eval ct=\"\$$hashcountvar\"
 		[ "$ct" = "$DOMAINS_COUNT" ] && {
 			eval val=\"\$$hashvar\"
 			echo "$val"
 		}
 		n=$(($n + 1))
 	done
 }
 report_strategy()
 {
 	# $1 - test function
@ -1240,25 +1169,22 @@ report_strategy()
 		strategy="$(echo "$strategy" | xargs)"
 		echo "!!!!! $1: working strategy found for ipv${IPV} $2 : $3 $strategy !!!!!"
 		echo
 #		report_append "ipv${IPV} $2 $1 : $3 ${WF:+$WF }$strategy"
 		return 0
 	else
 		echo "$1: $3 strategy for ipv${IPV} $2 not found"
 		echo
-		report_append "$2" "$1 ipv${IPV}" "$3 not working"
+		report_append "ipv${IPV} $2 $1 : $3 not working"
 		return 1
 	fi
 }
 test_has_fakedsplit()
 {
 	contains "$1" fakedsplit || contains "$1" fakeddisorder
 }
 test_has_split()
 {
-	contains "$1" multisplit || contains "$1" multidisorder || test_has_fakedsplit "$1"
+	contains "$1" split || contains "$1" disorder
 }
-test_has_hostfakesplit()
+test_has_fakedsplit()
 {
-	contains "$1" hostfakesplit
+	contains "$1" fakedsplit || contains "$1" fakeddisorder
 }
 test_has_fake()
 {
@ -1284,7 +1210,7 @@ pktws_curl_test_update_vary()
 	# $5,$6,... - strategy
 	local testf=$1 sec=$2 domain=$3 desync=$4 proto splits= pos fake ret=1
-	local fake1=- fake2=- fake3=- fake4=-
+	local fake1=- fake2=- fake3=-
 	shift; shift; shift; shift
@ -1293,27 +1219,18 @@ pktws_curl_test_update_vary()
 	test_has_fake $desync && {
 		fake1="--dpi-desync-fake-$proto=0x00000000"
 		[ "$sec" = 0 ] || {
-			fake2='--dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,rndsni,dupsid'
+			fake2="--dpi-desync-fake-tls=0x00000000 --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,rndsni,dupsid"
-			# this splits actual fake to '1603' and modified standard fake from offset 2
+			fake3="--dpi-desync-fake-tls-mod=rnd,dupsid,rndsni,padencap"
 			fake3='--dpi-desync-fake-tls=0x1603 --dpi-desync-fake-tls=!+2 --dpi-desync-fake-tls-mod=rnd,dupsid,rndsni --dpi-desync-fake-tcp-mod=seq'
 			fake4='--dpi-desync-fake-tls-mod=rnd,dupsid,rndsni,padencap'
 		}
 	}
 	if test_has_fakedsplit $desync ; then
 		splits="method+2 midsld"
 		[ "$sec" = 0 ] || splits="1 midsld"
 		# do not send fake first
 		fake1='--dpi-desync-fakedsplit-mod=altorder=1'
 	elif test_has_split $desync ; then
 		splits="method+2 midsld"
 		[ "$sec" = 0 ] || splits="1 midsld 1,midsld"
 	fi
-	test_has_hostfakesplit $desync && {
+	for fake in '' "$fake1" "$fake2" "$fake3" ; do
 		fake1="--dpi-desync-hostfakesplit-mod=altorder=1"
 		fake2="--dpi-desync-hostfakesplit-midhost=midsld"
 		fake3="--dpi-desync-hostfakesplit-mod=altorder=1 --dpi-desync-hostfakesplit-midhost=midsld"
 	}
 	for fake in '' "$fake1" "$fake2" "$fake3" "$fake4" ; do
 		[ "$fake" = "-" ] && continue
 		if [ -n "$splits" ]; then
 			for pos in $splits ; do
@ -1339,8 +1256,8 @@ pktws_check_domain_http_bypass_()
 	# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
 	# $3 - domain
-	local ok ttls attls s f f2 e desync pos fooling frag sec="$2" delta orig splits
+	local ok ttls s f f2 e desync pos fooling frag sec="$2" delta orig splits
-	local need_split need_disorder need_fakedsplit need_hostfakesplit need_fakeddisorder need_fake need_wssize
+	local need_split need_disorder need_fakedsplit need_fakeddisorder need_fake need_wssize
 	local splits_http='method+2 midsld method+2,midsld'
 	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
@ -1351,7 +1268,6 @@ pktws_check_domain_http_bypass_()
 	}
 	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
 	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
 	need_wssize=1
 	for e in '' '--wssize 1:6'; do
 		need_split=
@ -1386,33 +1302,25 @@ pktws_check_domain_http_bypass_()
 		done
 		need_fakedsplit=1
 		need_hostfakesplit=1
 		need_fakeddisorder=1
 		need_fake=1
-		for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit hostfakesplit fake,hostfakesplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
+		for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
 			[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
 			[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
 			[ "$need_hostfakesplit" = 0 ] && contains "$desync" hostfakesplit && continue
 			[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
 			ok=0
 			for ttl in $ttls; do
-				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $e && {
-				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+					[ "$SCANLEVEL" = quick ] && return
-				for f in '' '--orig-ttl=1 --orig-mod-start=s1 --orig-mod-cutoff=d1'; do
+					ok=1
-					pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $f $e && {
+					need_wssize=0
-						[ "$SCANLEVEL" = quick ] && return
+					break
-						ok=1
+				}
 						need_wssize=0
 						[ "$SCANLEVEL" = force ] || break
 					}
 				done
 				[ "$ok" = 1 ] && break
 			done
 			# only skip tests if TTL succeeded. do not skip if TTL failed but fooling succeeded
 			[ $ok = 1 -a "$SCANLEVEL" != force ] && {
 				[ "$desync" = fake ] && need_fake=0
 				[ "$desync" = fakedsplit ] && need_fakedsplit=0
 				[ "$desync" = hostfakesplit ] && need_hostfakesplit=0
 				[ "$desync" = fakeddisorder ] && need_fakeddisorder=0
 			}
 			f=
@ -1421,21 +1329,12 @@ pktws_check_domain_http_bypass_()
 			[ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2"
 			for fooling in $f; do
 				ok=0
 				f2=
 				pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling $e && {
 					warn_fool $fooling $desync
 					[ "$SCANLEVEL" = quick ] && return
 					need_wssize=0
 					ok=1
 				}
 				[ "$fooling" = badseq ] && {
 					[ "$ok" = 1 -a "$SCANLEVEL" != force ] && continue
 					# --dpi-desync-badseq-increment=0 leaves modified by default ack increment
 					pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling --dpi-desync-badseq-increment=0 $e && {
 						[ "$SCANLEVEL" = quick ] && return
 						need_wssize=0
 					}
 				}
 				[ "$fooling" = md5sig ] && {
 					[ "$ok" = 1 -a "$SCANLEVEL" != force ] && continue
 					pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling --dup=1 --dup-cutoff=n2 --dup-fooling=md5sig $e && {
@ -1500,30 +1399,18 @@ pktws_check_domain_http_bypass_()
 		need_fakedsplit=1
 		need_fakeddisorder=1
 		need_hostfakesplit=1
 		need_fake=1
-		for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit hostfakesplit fake,hostfakesplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
+		for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
 			[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
 			[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
 			[ "$need_hostfakesplit" = 0 ] && contains "$desync" hostfakesplit && continue
 			[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
 			ok=0
-			# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+			for orig in '' 1 2 3; do
-			# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for delta in 1 2 3 4 5; do
-			for delta in $attls; do
+					pktws_curl_test_update_vary $1 $2 $3 $desync ${orig:+--orig-autottl=+$orig} --dpi-desync-ttl=1 --dpi-desync-autottl=-$delta $e && ok=1
 				for f in '' '--orig-ttl=1 --orig-mod-start=s1 --orig-mod-cutoff=d1'; do
 					pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=1 --dpi-desync-autottl=-$delta $f $e && ok=1
 					[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
 				done
 				[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
 			done
 			[ "$SCANLEVEL" = force ] && {
 				for orig in 1 2 3; do
 					for delta in $attls; do
 						pktws_curl_test_update_vary $1 $2 $3 $desync ${orig:+--orig-autottl=+$orig} --dpi-desync-ttl=1 --dpi-desync-autottl=-$delta $e && ok=1
 					done
 					[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
 				done
 			}
 			[ "$ok" = 1 ] &&
 			{
 				echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta"
@ -1533,7 +1420,6 @@ pktws_check_domain_http_bypass_()
 				[ "$SCANLEVEL" = force ] || {
 					[ "$desync" = fake ] && need_fake=0
 					[ "$desync" = fakedsplit ] && need_fakedsplit=0
 					[ "$desync" = hostfakesplit ] && need_hostfakesplit=0
 					[ "$desync" = fakeddisorder ] && need_fakeddisorder=0
 				}
 			}			
@ -1706,7 +1592,7 @@ check_dpi_ip_block()
 	echo "> testing $UNBLOCKED_DOM on it's original ip"
 	if curl_test $1 $UNBLOCKED_DOM; then
-		mdig_resolve $IPV unblocked_ip $UNBLOCKED_DOM
+		unblocked_ip=$(mdig_resolve $IPV $UNBLOCKED_DOM)
 		[ -n "$unblocked_ip" ] || {
 			echo $UNBLOCKED_DOM does not resolve. tests not possible.
 			return 1
@ -1715,7 +1601,7 @@ check_dpi_ip_block()
 		echo "> testing $blocked_dom on $unblocked_ip ($UNBLOCKED_DOM)"
 		curl_test $1 $blocked_dom $unblocked_ip detail
-		mdig_resolve_all $IPV blocked_ips $blocked_dom
+		blocked_ips=$(mdig_resolve_all $IPV $blocked_dom)
 		for blocked_ip in $blocked_ips; do
 			echo "> testing $UNBLOCKED_DOM on $blocked_ip ($blocked_dom)"
 			curl_test $1 $UNBLOCKED_DOM $blocked_ip detail
@ -1742,19 +1628,17 @@ check_domain_prolog()
 	local code
 	[ "$SIMULATE" = 1 ] && return 0
 	echo
 	echo \* $1 ipv$IPV $3
 	echo "- checking without DPI bypass"
 	curl_test $1 $3 && {
-		report_append "$3" "$1 ipv${IPV}" "working without bypass"
+		report_append "ipv${IPV} $3 $1 : working without bypass"
 		[ "$SCANLEVEL" = force ] || return 1
 	}
 	code=$?
 	curl_has_reason_to_continue $code || {
-		report_append "$3" "$1 ipv${IPV}" "test aborted, no reason to continue. curl code $(curl_translate_code $code)"
+		report_append "ipv${IPV} $3 $1 : test aborted, no reason to continue. curl code $(curl_translate_code $code)"
 		return 1
 	}
 	return 0
@ -1766,8 +1650,6 @@ check_domain_http_tcp()
 	# $3 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
 	# $4 - domain
 	local ips
 	# in case was interrupted before
 	pktws_ipt_unprepare_tcp $2
 	ws_kill
@ -1784,8 +1666,7 @@ check_domain_http_tcp()
 	[ "$SKIP_PKTWS" = 1 ] || {
 		echo
 	        echo preparing $PKTWSD redirection
-		mdig_resolve_all $IPV ips $4
+		pktws_ipt_prepare_tcp $2 "$(mdig_resolve_all $IPV $4)"
 		pktws_ipt_prepare_tcp $2 "$ips"
 		pktws_check_domain_http_bypass $1 $3 $4
@ -1799,8 +1680,6 @@ check_domain_http_udp()
 	# $2 - port
 	# $3 - domain
 	local ips
 	# in case was interrupted before
 	pktws_ipt_unprepare_udp $2
 	ws_kill
@ -1810,8 +1689,7 @@ check_domain_http_udp()
 	[ "$SKIP_PKTWS" = 1 ] || {
 		echo
 	        echo preparing $PKTWSD redirection
-		mdig_resolve_all $IPV ips $3
+		pktws_ipt_prepare_udp $2 "$(mdig_resolve_all $IPV $3)"
 		pktws_ipt_prepare_udp $2 "$ips"
 		pktws_check_domain_http3_bypass $1 $3
@ -1870,9 +1748,6 @@ configure_curl_opt()
 	curl_supports_tls13 && TLS13=1
 	HTTP3=
 	curl_supports_http3 && HTTP3=1
 	HTTPS_HEAD=-I
 	[ "$CURL_HTTPS_GET" = 1 ] && HTTPS_HEAD=
 }
 linux_ipv6_defrag_can_be_disabled()
@ -1933,7 +1808,7 @@ ask_params()
 	curl_supports_connect_to || {
 		echo "installed curl does not support --connect-to option. pls install at least curl 7.49"
 		echo "current curl version:"
-		"$CURL" --version
+		$CURL --version
 		exitp 1
 	}
@ -1941,13 +1816,12 @@ ask_params()
 	[ -n "$DOMAINS" ] || {
 		DOMAINS="$DOMAINS_DEFAULT"
 		[ "$BATCH" = 1 ] || {
-			echo "specify domain(s) to test. multiple domains are space separated. URIs are supported (rutracker.org/forum/index.php)"
+			echo "specify domain(s) to test. multiple domains are space separated."
 			printf "domain(s) (default: $DOMAINS) : "
 			read dom
 			[ -n "$dom" ] && DOMAINS="$dom"
 		}
 	}
 	DOMAINS_COUNT="$(echo "$DOMAINS" | wc -w | trim)"
 	local IPVS_def=4
 	[ -n "$IPVS" ] || {
@ -2284,6 +2158,7 @@ sigsilent()
 	exit 1
 }
 fsleep_setup
 fix_sbin_path
 check_system
@ -2326,18 +2201,6 @@ cleanup
 echo
 echo \* SUMMARY
 report_print
 [ "$DOMAINS_COUNT" -gt 1 ] && {
 	echo
 	echo \* COMMON
 	result_intersection_print
 	echo
 	[ "$SCANLEVEL" = force ] || {
 		echo "blockcheck optimizes test sequence. To save time some strategies can be skipped if their test is considered useless."
 		echo "That's why COMMON intersection can miss strategies that would work for all domains."
 		echo "Use \"force\" scan level to test all strategies and generate trustable intersection."
 		echo "Current scan level was \"$SCANLEVEL\"".
 	}
 }
 echo
 echo "Please note this SUMMARY does not guarantee a magic pill for you to copy/paste and be happy."
 echo "Understanding how strategies work is very desirable."
--- a/common/base.sh
+++ b/common/base.sh
@ -4,10 +4,6 @@ which()
 	# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
 	# $1 - executable name
 	local IFS=:
 	[ "$1" != "${1#/}" ] && [ -x "$1" ] && {
 		echo "$1"
 		return 0
 	}
 	for p in $PATH; do
 	    [ -x "$p/$1" ] && {
 		echo "$p/$1"
@ -97,18 +93,6 @@ trim()
 {
 	awk '{gsub(/^ +| +$/,"")}1'
 }
 split_by_separator()
 {
 	# $1 - string
 	# $2 - separator
 	# $3 - var name to get "before" part
 	# $4 - var name to get "after" part
 	local before="${1%%$2*}"
 	local after="${1#*$2}"
 	[ "$after" = "$1" ] && after=
 	[ -n "$3" ] && eval $3="\$before"
 	[ -n "$4" ] && eval $4="\$after"
 }
 dir_is_not_empty()
 {
@ -313,10 +297,10 @@ minsleep()
 replace_char()
 {
-	local a="$1"
+	local a=$1
-	local b="$2"
+	local b=$2
 	shift; shift
-	echo "$@" | tr "$a" "$b"
+	echo "$@" | tr $a $b
 }
 replace_str()
@ -334,12 +318,6 @@ setup_md5()
 	exists $MD5 || MD5=md5
 }
 md5f()
 {
 	setup_md5
 	$MD5 | cut -d ' ' -f1
 }
 setup_random()
 {
 	[ -n "$RCUT" ] && return
@ -352,6 +330,7 @@ random()
 {
 	# $1 - min, $2 - max
 	local r rs
 	setup_md5
 	setup_random
 	if [ -c /dev/urandom ]; then
 		read rs </dev/urandom
@ -359,7 +338,7 @@ random()
 		rs="$RANDOM$RANDOM$(date)"
 	fi
 	# shells use signed int64
-	r=1$(echo $rs | md5f | sed 's/[^0-9]//g' | $RCUT)
+	r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | $RCUT)
 	echo $(( ($r % ($2-$1+1)) + $1 ))
 }
--- a/common/installer.sh
+++ b/common/installer.sh
@ -10,8 +10,9 @@ INIT_SCRIPT=/etc/init.d/zapret
 exitp()
 {
 	echo
-	echo press enter to continue
+	echo ALL DONE
-	read A
+	#echo press enter to continue
 	#read A
 	exit $1
 }
@ -703,7 +704,7 @@ removable_pkgs_openwrt()
 	for pkg in $PKGS2; do
 		check_package_exists_openwrt $pkg && PKGS="${PKGS:+$PKGS }$pkg"
 	done
-	PKGS="ipset iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra iptables-mod-u32 ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl $PKGS"
+	PKGS="ipset iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl $PKGS"
 }
 openwrt_fix_broken_apk_uninstall_scripts()
@ -744,7 +745,7 @@ check_prerequisites_openwrt()
 		iptables)
 			pkg_iptables=iptables
 			check_package_exists_openwrt iptables-zz-legacy && pkg_iptables=iptables-zz-legacy
-			PKGS="$PKGS ipset $pkg_iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra iptables-mod-u32"
+			PKGS="$PKGS ipset $pkg_iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
 			check_package_exists_openwrt ip6tables-zz-legacy && pkg_iptables=ip6tables-zz-legacy
 			[ "$DISABLE_IPV6" = 1 ] || PKGS="$PKGS $pkg_iptables ip6tables-mod-nat ip6tables-extra"
 			;;
--- a/common/queue.sh
+++ b/common/queue.sh
@ -0,0 +1,85 @@
 apply_unspecified_desync_modes()
 {
 	NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
 	NFQWS_OPT_DESYNC_HTTP_SUFFIX="${NFQWS_OPT_DESYNC_HTTP_SUFFIX:-$NFQWS_OPT_DESYNC_SUFFIX}"
 	NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
 	NFQWS_OPT_DESYNC_HTTPS_SUFFIX="${NFQWS_OPT_DESYNC_HTTPS_SUFFIX:-$NFQWS_OPT_DESYNC_SUFFIX}"
 	NFQWS_OPT_DESYNC_HTTP6="${NFQWS_OPT_DESYNC_HTTP6:-$NFQWS_OPT_DESYNC_HTTP}"
 	NFQWS_OPT_DESYNC_HTTP6_SUFFIX="${NFQWS_OPT_DESYNC_HTTP6_SUFFIX:-$NFQWS_OPT_DESYNC_HTTP_SUFFIX}"
 	NFQWS_OPT_DESYNC_HTTPS6="${NFQWS_OPT_DESYNC_HTTPS6:-$NFQWS_OPT_DESYNC_HTTPS}"
 	NFQWS_OPT_DESYNC_HTTPS6_SUFFIX="${NFQWS_OPT_DESYNC_HTTPS6_SUFFIX:-$NFQWS_OPT_DESYNC_HTTPS_SUFFIX}"
 	NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}"
 	NFQWS_OPT_DESYNC_QUIC6_SUFFIX="${NFQWS_OPT_DESYNC_QUIC6_SUFFIX:-$NFQWS_OPT_DESYNC_QUIC_SUFFIX}"
 }
 get_nfqws_qnums()
 {
 	# $1 - var name for ipv4 http
 	# $2 - var name for ipv4 https
 	# $3 - var name for ipv6 http
 	# $4 - var name for ipv6 https
 	local _qn _qns _qn6 _qns6
 	[ "$DISABLE_IPV4" = "1" ] || {
 		_qn=$QNUM
 		_qns=$_qn
 		[ "$NFQWS_OPT_DESYNC_HTTP $NFQWS_OPT_DESYNC_HTTP_SUFFIX" = "$NFQWS_OPT_DESYNC_HTTPS $NFQWS_OPT_DESYNC_HTTPS_SUFFIX" ] || _qns=$(($QNUM+1))
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
 		_qn6=$(($QNUM+2))
 		_qns6=$(($QNUM+3))
 		[ "$DISABLE_IPV4" = "1" ] || {
 			if [ "$NFQWS_OPT_DESYNC_HTTP6 $NFQWS_OPT_DESYNC_HTTP6_SUFFIX" = "$NFQWS_OPT_DESYNC_HTTP $NFQWS_OPT_DESYNC_HTTP_SUFFIX" ]; then
 				_qn6=$_qn;
 			elif [ "$NFQWS_OPT_DESYNC_HTTP6 $NFQWS_OPT_DESYNC_HTTP6_SUFFIX" = "$NFQWS_OPT_DESYNC_HTTPS $NFQWS_OPT_DESYNC_HTTPS_SUFFIX" ]; then
 				_qn6=$_qns;
 			fi
 			if [ "$NFQWS_OPT_DESYNC_HTTPS6 $NFQWS_OPT_DESYNC_HTTPS6_SUFFIX" = "$NFQWS_OPT_DESYNC_HTTP $NFQWS_OPT_DESYNC_HTTP_SUFFIX" ]; then
 				_qns6=$_qn;
 			elif [ "$NFQWS_OPT_DESYNC_HTTPS6 $NFQWS_OPT_DESYNC_HTTPS6_SUFFIX" = "$NFQWS_OPT_DESYNC_HTTPS $NFQWS_OPT_DESYNC_HTTPS_SUFFIX" ]; then
 				_qns6=$_qns;
 			fi
 		}
 		[ "$NFQWS_OPT_DESYNC_HTTPS6 $NFQWS_OPT_DESYNC_HTTPS6_SUFFIX" = "$NFQWS_OPT_DESYNC_HTTP6 $NFQWS_OPT_DESYNC_HTTP6_SUFFIX" ] && _qns6=$_qn6;
 	}
 	if [ "$MODE_HTTP" = 1 ]; then
 		eval $1=$_qn
 		eval $3=$_qn6
 	else
 		eval $1=
 		eval $3=
 	fi
 	if [ "$MODE_HTTPS" = 1 ]; then
 		eval $2=$_qns
 		eval $4=$_qns6
 	else
 		eval $2=
 		eval $4=
 	fi
 }
 get_nfqws_qnums_quic()
 {
 	# $1 - var name for ipv4 quic
 	# $2 - var name for ipv6 quic
 	local _qn _qn6
 	[ "$DISABLE_IPV4" = "1" ] || {
 		_qn=$(($QNUM+10))
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
 		_qn6=$(($QNUM+11))
 		[ "$DISABLE_IPV4" = "1" ] || {
 			if [ "$NFQWS_OPT_DESYNC_QUIC $NFQWS_OPT_DESYNC_QUIC_SUFFIX" = "$NFQWS_OPT_DESYNC_QUIC6 $NFQWS_OPT_DESYNC_QUIC6_SUFFIX" ]; then
 				_qn6=$_qn;
 			fi
 		}
 	}
 	if [ "$MODE_QUIC" = 1 ]; then
 		eval $1=$_qn
 		eval $2=$_qn6
 	else
 		eval $1=
 		eval $2=
 	fi
 }
--- a/config.default
+++ b/config.default
@ -1,14 +1,11 @@
 # this file is included from init scripts
 # change values here
 # can help in case /tmp has not enough space
-#TMPDIR=/opt/zapret/tmp
+#TMPDIR=/data/zapret/tmp
 # redefine user for zapret daemons. required on Keenetic
 #WS_USER=nobody
 # override firewall type : iptables,nftables,ipfw
-#FWTYPE=iptables
+FWTYPE=iptables
 # nftables only : set this to 0 to use pre-nat mode. default is post-nat.
 # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
 #POSTNAT=0
@ -47,12 +44,6 @@ GZIP_LISTS=1
 DESYNC_MARK=0x40000000
 DESYNC_MARK_POSTNAT=0x20000000
 # do not pass outgoing traffic to tpws/nfqws not marked with this bit
 # this setting allows to write your own rules to limit traffic that should be fooled
 # for example based on source IP or incoming interface name
 # no filter if not defined
 #FILTER_MARK=0x10000000
 TPWS_SOCKS_ENABLE=0
 # tpws socks listens on this port on localhost and LAN interfaces
 TPPORT_SOCKS=987
@ -74,10 +65,10 @@ TPWS_OPT="
 --filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
 "
-NFQWS_ENABLE=0
+NFQWS_ENABLE=1
 # redirect outgoing traffic with connbytes limiter applied in both directions.
-NFQWS_PORTS_TCP=80,443
+NFQWS_PORTS_TCP=80,443,4244,5222-5228,5242,50318,59234
-NFQWS_PORTS_UDP=443
+NFQWS_PORTS_UDP=443,590-1400,3478-3481,5349,19294-19344
 # PKT_OUT means connbytes dir original
 # PKT_IN means connbytes dir reply
 # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
@ -94,16 +85,75 @@ NFQWS_UDP_PKT_IN=0
 # use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
 # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
 # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 # just notes: [email protected] /data/zapret/lists/ /data/zapret/files/fake/
 #GoogleVideo first UDP strats!!! UDP for Quick. You maybe need change only TCP or UDP or both strats. For enable starats just delete --skip
 #Стратегия DISCORD вместо просто fake. Если закомментировать - будет использоваться просто fake
 #NFQWS_OPT_DESYNC_DISCORD_MEDIA="--dpi-desync=fake --dpi-desync-autottl --dup=2 --dup-autottl --dup-cutoff=n3"
 #Стратегия ТГ, ВА и т.п. вместо просто fake. Если закомментировать - будет использоваться просто fake
 #NFQWS_OPT_DESYNC_STUN="--dpi-desync=fake --dpi-desync-autottl --dup=2 --dup-autottl --dup-cutoff=n3"
 NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
+--filter-tcp=80
--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig <HOSTLIST> --new
+--hostlist=/data/zapret/ipset/zapret-hosts-user.txt
--filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO>
+--dpi-desync=fake,fakedsplit
 --dpi-desync-autottl=2
 --dpi-desync-fooling=md5sig
 --dpi-desync-fooling=datanoack
 --new
 --filter-tcp=443
 --hostlist=/data/zapret/ipset/zapret-hosts-google.txt
 --dpi-desync=fake,multisplit
 --dpi-desync-fake-tls=0x00000000
 --dpi-desync-fake-tls=!
 --dpi-desync-split-pos=1,midsld
 --dpi-desync-repeats=2
 --dpi-desync-fooling=badseq
 --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com
 --new
 --filter-tcp=443
 --hostlist=/data/zapret/ipset/zapret-hosts-user.txt
 --dpi-desync=hostfakesplit
 --dpi-desync-hostfakesplit-mod=host=max.ru
 --dpi-desync-hostfakesplit-midhost=host-2
 --dpi-desync-split-seqovl=726
 --dpi-desync-fooling=badsum,badseq
 --dpi-desync-badseq-increment=0
 --new
 --filter-udp=443
 --hostlist=/data/zapret/ipset/zapret-hosts-user.txt
 --dpi-desync=fake,udplen
 --dpi-desync-fake-quic=/data/zapret/files/fake/quic_initial_www_google_com.bin
 --dpi-desync-repeats=20
 --dpi-desync-udplen-increment=24
 --new
 --filter-udp=443,590-1400,3478-3481,5349,19294-19344
 --filter-l7=stun
 --dpi-desync=fake
 --new
 --filter-udp=443,590-1400,3478-3481,5349,19294-19344
 --hostlist=/data/zapret/ipset/cust1.txt
 --dpi-desync=fake,udplen
 --dpi-desync-fake-quic=/data/zapret/files/fake/quic_initial_www_google_com.bin
 --dpi-desync-repeats=20
 --dpi-desync-udplen-increment=24
 --new
 --filter-tcp=443,4244,5222-5228,5242,50318,59234
 --hostlist=/data/zapret/ipset/cust1.txt
 --dpi-desync=fake,multisplit
 --dpi-desync-fake-tls=0x00000000
 --dpi-desync-fake-tls=!
 --dpi-desync-split-pos=1,midsld
 --dpi-desync-repeats=2
 --dpi-desync-fooling=badseq
 --dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com
 "
 # none,ipset,hostlist,autohostlist
-MODE_FILTER=none
+MODE_FILTER=hostlist
-# donttouch,none,software,hardware
+# openwrt only : donttouch,none,software,hardware
 FLOWOFFLOAD=donttouch
 # openwrt: specify networks to be treated as LAN. default is "lan"
@ -118,7 +168,7 @@ FLOWOFFLOAD=donttouch
 # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
 # if IFACE_WAN6 is not defined it take the value of IFACE_WAN
 #IFACE_LAN=eth0
-#IFACE_WAN=eth1
+#IFACE_WAN=eth0
 #IFACE_WAN6="ipsec0 wireguard0 he_net"
 # should start/stop command of init scripts apply firewall rules ?
--- a/files/fake/4pda.bin
+++ b/files/fake/4pda.bin
--- a/files/fake/max.bin
+++ b/files/fake/max.bin
--- a/files/fake/t2.bin
+++ b/files/fake/t2.bin
--- a/init.d/custom.d.examples.linux/50-dht4all
+++ b/init.d/custom.d.examples.linux/50-dht4all
@ -1,5 +1,4 @@
-# this custom script runs desync to DHT packets with udp payload length >=5 , without ipset/hostlist filtering
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
 # can override in config :
 NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}"
@ -11,28 +10,28 @@ zapret_custom_daemons()
 {
 	# $1 - 1 - add, 0 - stop
-	local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
+        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
 	do_nfqws $1 $DNUM_DHT4ALL "$opt"
 }
 zapret_custom_firewall()
 {
-	# $1 - 1 - run, 0 - stop
+        # $1 - 1 - run, 0 - stop
-	local f uf4 uf6
+        local f uf4 uf6
-	local first_packet_only="$ipt_connbytes 1:1"
+        local first_packet_only="$ipt_connbytes 1:1"
-	f='-p udp -m u32 --u32'
+        f='-p udp -m length --length 109:407 -m u32 --u32'
-	uf4='0>>22&0x3C@4>>16=13:0xFFFF&&0>>22&0x3C@8>>16=0x6431:0x6432'
+	uf4='0>>22&0x3C@8>>16=0x6431'
-	uf6='44>>16=13:0xFFFF&&48>>16=0x6431:0x6432'
+	uf6='48>>16=0x6431'
-	fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
+        fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
 }
 zapret_custom_firewall_nft()
 {
-	# stop logic is not required
+        # stop logic is not required
        local f
        local first_packet_only="$nft_connbytes 1"
-        f="udp length ge 13 meta l4proto udp @ih,0,16 0x6431-0x6432"
+        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
 }
--- a/init.d/custom.d.examples.linux/50-discord-media
+++ b/init.d/custom.d.examples.linux/50-discord-media
@ -1,8 +1,7 @@
 # this custom script runs desync to all discord media packets
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
 # can override in config :
-NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---dpi-desync=fake --dpi-desync-repeats=2}"
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---dpi-desync=fake}"
 DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"
 alloc_dnum DNUM_DISCORD_MEDIA
@ -15,6 +14,7 @@ zapret_custom_daemons()
 	local opt="--qnum=$QNUM_DISCORD_MEDIA $NFQWS_OPT_DESYNC_DISCORD_MEDIA"
 	do_nfqws $1 $DNUM_DISCORD_MEDIA "$opt"
 }
 # size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
 zapret_custom_firewall()
 {
        # $1 - 1 - run, 0 - stop
--- a/init.d/custom.d.examples.linux/50-stun4all
+++ b/init.d/custom.d.examples.linux/50-stun4all
@ -1,8 +1,7 @@
 # this custom script runs desync to all stun packets
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
 # can override in config :
-NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---dpi-desync=fake --dpi-desync-repeats=2}"
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---dpi-desync=fake}"
 alloc_dnum DNUM_STUN4ALL
 alloc_qnum QNUM_STUN4ALL
@ -14,6 +13,7 @@ zapret_custom_daemons()
 	local opt="--qnum=$QNUM_STUN4ALL $NFQWS_OPT_DESYNC_STUN"
 	do_nfqws $1 $DNUM_STUN4ALL "$opt"
 }
 # size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
 zapret_custom_firewall()
 {
        # $1 - 1 - run, 0 - stop
--- a/init.d/custom.d.examples.linux/50-wg4all
+++ b/init.d/custom.d.examples.linux/50-wg4all
@ -1,9 +1,8 @@
 # this custom script runs desync to all wireguard handshake initiation packets
-# NOTE: this works for original wireguard and may not work for 3rd party implementations such as xray
+# NOTE : this works for original wireguard and may not work for 3rd party implementations such as xray
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
 # can override in config :
-NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-repeats=2}"
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}"
 alloc_dnum DNUM_WG4ALL
 alloc_qnum QNUM_WG4ALL
--- a/init.d/openwrt/90-zapret
+++ b/init.d/openwrt/90-zapret
@ -30,7 +30,7 @@ check_need_to_reload_tpws6()
 		EXEDIR=$(dirname "$SCRIPT")
 		ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 	else
-		ZAPRET_BASE=/opt/zapret
+		ZAPRET_BASE=/data/zapret
 	fi
 	ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 	ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
--- a/init.d/openwrt/firewall.zapret
+++ b/init.d/openwrt/firewall.zapret
@ -3,7 +3,7 @@ if [ -n "$SCRIPT" ]; then
 EXEDIR=$(dirname "$SCRIPT")
 ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 else
- ZAPRET_BASE=/opt/zapret
+ ZAPRET_BASE=/data/zapret
 fi
 . "$ZAPRET_BASE/init.d/openwrt/functions"
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@ -1,6 +1,6 @@
 . /lib/functions/network.sh
-ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret}
+ZAPRET_BASE=${ZAPRET_BASE:-/data/zapret}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_CONFIG"
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -28,7 +28,7 @@ if [ -n "$SCRIPT" ]; then
 EXEDIR=$(dirname "$SCRIPT")
 ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 else
- ZAPRET_BASE=/opt/zapret
+ ZAPRET_BASE=/data/zapret
 fi
 . "$ZAPRET_BASE/init.d/openwrt/functions"
--- a/install_bin.sh
+++ b/install_bin.sh
@ -31,7 +31,7 @@ select_test_method()
 	elif exists zsh && [ "$UNAME" != CYGWIN ] ; then
 		TEST=zsh
 	elif [ "$UNAME" != Darwin -a "$UNAME" != CYGWIN ]; then
-		if exists hexdump && exists dd; then
+		if exists hexdump and exists dd; then
 			# macos does not use ELF
 			TEST=elf
 			ELF=
--- a/install_easy.sh
+++ b/install_easy.sh
@ -5,7 +5,7 @@
 EXEDIR="$(dirname "$0")"
 EXEDIR="$(cd "$EXEDIR"; pwd)"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
-ZAPRET_TARGET=${ZAPRET_TARGET:-/opt/zapret}
+ZAPRET_TARGET=${ZAPRET_TARGET:-/data/zapret}
 ZAPRET_TARGET_RW=${ZAPRET_RW:-"$ZAPRET_TARGET"}
 ZAPRET_TARGET_CONFIG="$ZAPRET_TARGET_RW/config"
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
@ -268,10 +268,10 @@ select_getlist()
 		echo
 		if ask_yes_no $D "do you want to auto download ip/host list"; then
 			if [ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] ; then
-				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh"
+				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
 				GETLIST_DEF="get_antizapret_domains.sh"
 			else
-				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
+				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_resolve.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
 				GETLIST_DEF="get_antifilter_allyouneed.sh"
 			fi
 			ask_list GETLIST "$GETLISTS" "$GETLIST_DEF" && write_config_var GETLIST
@ -829,12 +829,12 @@ install_openwrt()
 	"$INIT_SCRIPT_SRC" stop_fw
 	"$INIT_SCRIPT_SRC" stop_daemons
-	select_fwtype
+	#select_fwtype
-	select_ipv6
+	#select_ipv6
-	check_prerequisites_openwrt
+	#check_prerequisites_openwrt
-	ask_config
+	#ask_config
-	ask_config_tmpdir
+	#ask_config_tmpdir
-	ask_config_offload
+	#ask_config_offload
 	# stop and reinstall sysv init
 	install_sysv_init
 	[ "$FWTYPE_OLD" != "$FWTYPE" -a "$FWTYPE_OLD" = iptables -a -n "$OPENWRT_FW3" ] && remove_openwrt_firewall
--- a/install_patch.sh
+++ b/install_patch.sh
@ -0,0 +1,19 @@
 #!/bin/sh
 DIR_PATCH=/etc/crontabs/patches
 ZAPRET_RW=/data/zapret
 if [ ! -d $DIR_PATCH ]; then
 	mkdir -p $DIR_PATCH
 	chown root $DIR_PATCH
 	chmod 0755 $DIR_PATCH
 fi
 	cp $ZAPRET_RW/zapret_patch.sh $DIR_PATCH/
 	chmod +x $DIR_PATCH/zapret_patch.sh	
 	FILE_FOR_EDIT=/etc/crontabs/root
 	grep -v "/zapret_patch.sh" $FILE_FOR_EDIT > $FILE_FOR_EDIT.new
 	echo "*/1 * * * * /etc/crontabs/patches/zapret_patch.sh >/dev/null 2>&1" >> $FILE_FOR_EDIT.new
 	mv $FILE_FOR_EDIT.new $FILE_FOR_EDIT
 	/etc/init.d/cron restart
--- a/ipset/cust1.txt
+++ b/ipset/cust1.txt
@ -0,0 +1,26 @@
 t.me
 telegra.ph
 telesco.pe
 telegram.me
 telegram.org
 telegram.dog
 telegram.com
 telegram.dev
 telegram.app
 wa.me
 whatsapp-plus.info
 whatsapp-plus.me
 whatsapp-plus.net
 whatsapp.cc
 whatsapp.com
 whatsapp.info
 whatsapp.net
 whatsapp.org
 whatsapp.tv
 whatsappbrand.com
 graph.whatsapp.com
 graph.whatsapp.net
 fbcdn.net
 g.whatsapp.net
 whatsapp.com
 whatsapp.net
--- a/ipset/cust1ip.txt
+++ b/ipset/cust1ip.txt
@ -0,0 +1,12 @@
 31.13.65.50
 31.13.66.49
 31.13.66.56
 57.144.23.32
 157.240.1.60
 157.240.14.60
 149.154.160.0/20
 91.108.4.0/22
 91.108.8.0/22
 91.108.12.0/22
 91.108.16.0/22
 91.108.20.0/22
--- a/ipset/get_reestr_hostlist.sh
+++ b/ipset/get_reestr_hostlist.sh
@ -0,0 +1,65 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
 IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
 . "$IPSET_DIR/def.sh"
 ZREESTR="$TMPDIR/zapret.txt.gz"
 IPB="$TMPDIR/ipb.txt"
 ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
 dl_checked()
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
  # $5 - maxtime
  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
  {
   echo list download failed : $1
   return 2
  }
  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   return 2
  fi
  return 0
 }
 reestr_list()
 {
 LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C  LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
 }
 reestr_extract_ip()
 {
 LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C  LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }
 ipban_fin()
 {
 getipban
 "$IPSET_DIR/create_ipset.sh"
 }
 dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || {
 ipban_fin
 exit 2
 }
 reestr_list | sort -u | zz "$ZHOSTLIST"
 reestr_extract_ip <"$ZREESTR" >"$IPB"
 rm -f "$ZREESTR"
 [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
 [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
 rm -f "$IPB"
 hup_zapret_daemons
 ipban_fin
 exit 0
--- a/ipset/get_reestr_preresolved.sh
+++ b/ipset/get_reestr_preresolved.sh
@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_resolved4.txt"
 URL6="$BASEURL/reestr_resolved6.txt"
-#IPB4="$BASEURL/reestr_ipban4.txt"
+IPB4="$BASEURL/reestr_ipban4.txt"
-#IPB6="$BASEURL/reestr_ipban6.txt"
+IPB6="$BASEURL/reestr_ipban6.txt"
 dl()
 {
@ -35,12 +35,12 @@ dl()
 getuser && {
 [ "$DISABLE_IPV4" != "1" ] && {
-	dl "$URL4" "$ZIPLIST" 4096 4194304
+ 	dl "$URL4" "$ZIPLIST" 32768 4194304
-#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+ 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
 }
 [ "$DISABLE_IPV6" != "1" ] && {
-	dl "$URL6" "$ZIPLIST6" 2048 4194304
+ 	dl "$URL6" "$ZIPLIST6" 8192 4194304
-#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+ 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 }
 }
--- a/ipset/get_reestr_preresolved_smart.sh
+++ b/ipset/get_reestr_preresolved_smart.sh
@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_smart4.txt"
 URL6="$BASEURL/reestr_smart6.txt"
-#IPB4="$BASEURL/reestr_ipban4.txt"
+IPB4="$BASEURL/reestr_ipban4.txt"
-#IPB6="$BASEURL/reestr_ipban6.txt"
+IPB6="$BASEURL/reestr_ipban6.txt"
 dl()
 {
@ -35,12 +35,12 @@ dl()
 getuser && {
 [ "$DISABLE_IPV4" != "1" ] && {
-	dl "$URL4" "$ZIPLIST" 4096 4194304
+ 	dl "$URL4" "$ZIPLIST" 32768 4194304
-#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+ 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
 }
 [ "$DISABLE_IPV6" != "1" ] && {
-	dl "$URL6" "$ZIPLIST6" 2048 4194304
+ 	dl "$URL6" "$ZIPLIST6" 8192 4194304
-#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+ 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 }
 }
--- a/ipset/get_reestr_resolvable_domains.sh
+++ b/ipset/get_reestr_resolvable_domains.sh
@ -9,8 +9,8 @@ TMPLIST="$TMPDIR/list_nethub.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL="$BASEURL/reestr_hostname_resolvable.txt"
-#IPB4="$BASEURL/reestr_ipban4.txt"
+IPB4="$BASEURL/reestr_ipban4.txt"
-#IPB6="$BASEURL/reestr_ipban6.txt"
+IPB6="$BASEURL/reestr_ipban6.txt"
 dl()
 {
@ -36,8 +36,8 @@ dl "$URL" "$ZHOSTLIST" 65536 67108864
 hup_zapret_daemons
-#[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
-#[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 getipban
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_reestr_resolve.sh
+++ b/ipset/get_reestr_resolve.sh
@ -0,0 +1,83 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
 IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
 . "$IPSET_DIR/def.sh"
 ZREESTR="$TMPDIR/zapret.txt.gz"
 ZDIG="$TMPDIR/zapret-dig.txt"
 IPB="$TMPDIR/ipb.txt"
 ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
 #ZURL=https://reestr.rublacklist.net/api/current
 ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
 dl_checked()
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
  # $5 - maxtime
  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
  {
   echo list download failed : $1
   return 2
  }
  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   return 2
  fi
  return 0
 }
 reestr_list()
 {
 LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
 }
 reestr_extract_ip()
 {
 LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }
 getuser && {
 # both disabled
 [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
 dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
 echo preparing ipban list ..
 reestr_extract_ip <"$ZREESTR" >"$IPB"
 [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
 [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
 rm -f "$IPB"
 echo preparing dig list ..
 reestr_list | sort -u >"$ZDIG"
 rm -f "$ZREESTR"
 echo digging started. this can take long ...
 [ "$DISABLE_IPV4" != "1" ] && {
  filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
   rm -f "$ZDIG"
   exit 1
  }
  ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
  rm -f "$ZIPLISTTMP"
 }
 [ "$DISABLE_IPV6" != "1" ] && {
  filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
   rm -f "$ZDIG"
   exit 1
  }
  ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
  rm -f "$ZIPLISTTMP"
 }
 rm -f "$ZDIG"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/lists/autohostlist.txt
+++ b/lists/autohostlist.txt
@ -0,0 +1 @@
 example.goida
--- a/lists/cloudflare-ipset.txt
+++ b/lists/cloudflare-ipset.txt
--- a/lists/cloudflare-ipset_v6.txt
+++ b/lists/cloudflare-ipset_v6.txt
--- a/lists/mycdnlist.txt
+++ b/lists/mycdnlist.txt
@ -0,0 +1,15 @@
 cloudflare-ech.com
 discord-attachments-uploads-prd.storage.googleapis.com
 cdn.betterttv.net
 cdn.frankerfacez.com
 detectportal.firefox.com
 4pda.ws
 phncdn.com
 etahub.com
 xvideos-cdn.com
 doppiocdn.live
 ingest.sentry.io
 cdnbunny.org
 cdn.strapsco.com
 i.kym-cdn.com
 doppiocdn.media
--- a/lists/myhostlist.txt
+++ b/lists/myhostlist.txt
@ -0,0 +1,14 @@
 radiofrance.fr
 rtmps.youtube.com
 donationalerts.com
 nexusmods.com
 vpngate.net
 codenames.game
 phpmyadmin.net
 adtidy.org
 exitgames.com
 btdig.com
 tntracker.org
 rgpub.io
 dradis-prod.rdatasrv.net
 viber.com
--- a/lists/netrogat.txt
+++ b/lists/netrogat.txt
@ -0,0 +1,26 @@
 pinterest.com
 netflix.com
 vsetop.org
 jnn-pa.googleapis.com
 twitch.tv
 ttvnw.net
 static-cdn.jtvnw.net
 steamcommunity.com
 steampowered.com
 tarkov.com
 escapefromtarkov.com
 browser-intake-datadoghq.com
 datadoghq.com
 gosuslugi.ru
 vkvideo.ru
 okcdn.ru
 api.mycdn.me
 rutube.ru
 vk.com
 ogs.google.com
 encrypted-tbn0.gstatic.com
 encrypted-tbn3.gstatic.com
 encrypted-tbn1.gstatic.com
 encrypted-tbn2.gstatic.com
 raw.githubusercontent.com
--- a/lists/russia-discord.txt
+++ b/lists/russia-discord.txt
@ -0,0 +1,9 @@
 discord.com
 discord.gg
 discordapp.com
 discordapp.io
 discordapp.net
 discord.media
 discordcdn.com
 discordstatus.com
 discord-attachments-uploads-prd.storage.googleapis.com
--- a/lists/russia-youtube-rtmps.txt
+++ b/lists/russia-youtube-rtmps.txt
@ -0,0 +1,33 @@
 64.233.161.134
 64.233.162.134
 64.233.163.134
 64.233.164.134
 64.233.165.134
 64.233.184.134
 74.125.131.134
 74.125.205.134
 108.177.14.134
 142.250.64.76
 142.250.64.108
 142.250.65.172
 142.250.65.204
 142.250.72.108
 142.250.80.44
 142.250.80.76
 142.250.80.108
 142.250.150.134
 142.250.176.204
 142.251.1.134
 142.251.35.172
 142.251.40.108
 142.251.40.140
 142.251.40.172
 142.251.40.204
 142.251.40.236
 142.251.41.12
 173.194.73.134
 173.194.220.134
 173.194.221.134
 173.194.222.134
 209.85.233.134
 216.58.209.204
--- a/lists/russia-youtube.txt
+++ b/lists/russia-youtube.txt
@ -0,0 +1,21 @@
 youtube.com
 yt.be
 youtu.be
 youtubekids.com
 ggpht.com
 ytimg.com
 gvt1.com
 googleusercontent.com
 ytimg.l.google.com
 jnn-pa.googleapis.com
 manifest.googlevideo.com
 googleadservices.com
 youtube-nocookie.com
 youtube-ui.l.google.com
 youtubeembeddedplayer.googleapis.com
 youtube.googleapis.com
 youtubei.googleapis.com
 yt-video-upload.l.google.com
 wide-youtube.l.google.com
 play.google.com
--- a/lists/russia-youtubeQ.txt
+++ b/lists/russia-youtubeQ.txt
@ -0,0 +1,13 @@
 youtube.com
 googlevideo.com
 gvt1.com
 play.google.com
 ytimg.com
 ggpht.com
 googleusercontent.com
 jnn-pa.googleapis.com
 googleadservices.com
 youtubeembeddedplayer.googleapis.com
 youtube.googleapis.com
 youtubei.googleapis.com
--- a/test.sh
+++ b/test.sh
@ -0,0 +1,82 @@
 #!/bin/sh
 GREEN="\033[1;32m"
 RED="\033[1;31m"
 NC="\033[0m"
 echo -e "${GREEN}===== Доступность сайтов =====${NC}"
 SITES=$(cat <<'EOF'
 gosuslugi.ru
 esia.gosuslugi.ru
 nalog.ru
 lkfl2.nalog.ru
 rutube.ru
 youtube.com
 instagram.com
 rutor.info
 ntc.party
 rutracker.org
 epidemz.net.co
 nnmclub.to
 openwrt.org
 sxyprn.net
 pornhub.com
 discord.com
 x.com
 filmix.my
 flightradar24.com
 cdn77.com
 play.google.com
 genderize.io
 EOF
 )
 # Очистка списка от пустых строк и комментариев
 sites_clean=$(echo "$SITES" | grep -v '^#' | grep -v '^\s*$')
 # Подсчёт количества
 total=$(echo "$sites_clean" | wc -l)
 half=$(( (total + 1) / 2 ))
 # Формируем список без ведущего пробела
 sites_list=""
 for site in $sites_clean; do
    [ -z "$sites_list" ] && sites_list="$site" || sites_list="$sites_list $site"
 done
 # Цикл вывода в две колонки
 idx=1
 while [ $idx -le $half ]; do
    left=$(echo "$sites_list" | cut -d' ' -f$idx)
    right_idx=$((idx + half))
    right=$(echo "$sites_list" | cut -d' ' -f$right_idx)
    # Выравнивание по 25 символам
    left_pad=$(printf "%-25s" "$left")
    right_pad=$( [ -n "$right" ] && printf "%-25s" "$right" || echo "" )
    # Реалистичная проверка: User-Agent браузера, следование редиректам, увеличенные таймауты
    if curl -ILs --connect-timeout 5 --max-time 12 \
        -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36" \
        "https://$left" >/dev/null 2>&1; then
        left_color="[${GREEN}OK${NC}] "
    else
        left_color="[${RED}FAIL${NC}] "
    fi
    if [ -n "$right" ]; then
        if curl -ILs --connect-timeout 5 --max-time 12 \
            -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36" \
            "https://$right" >/dev/null 2>&1; then
            right_color="[${GREEN}OK${NC}] "
        else
            right_color="[${RED}FAIL${NC}] "
        fi
        echo -e "$left_color$left_pad $right_color$right_pad"
    else
        echo -e "$left_color$left_pad"
    fi
    idx=$((idx + 1))
 done
--- a/zapret_patch.sh
+++ b/zapret_patch.sh
@ -0,0 +1,6 @@
 #!/bin/sh
 [ -e "/tmp/zapret_patch.log" ] && return 0
 /data/zapret/install_easy.sh
 echo "zapret reinstalled" > /tmp/zapret_patch.log