gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

blockcheck: restrict fooling only to domain's IPs

pull/666/head
bol-van 5 months ago
parent
8446470de3
commit
6e8dbb045a
1 changed files with 102 additions and 27 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 129
      blockcheck.sh

129
blockcheck.sh
View File

@ -58,6 +58,8 @@ DNSCHECK_DIG1=/tmp/dig1.txt
DNSCHECK_DIG2=/tmp/dig2.txt
DNSCHECK_DIGS=/tmp/digs.txt
IPSET_FILE=/tmp/blockcheck_ipset.txt
unset PF_STATUS
PF_RULES_SAVE=/tmp/pf-zapret-save.conf
@ -130,19 +132,22 @@ opf_dvtws_anchor()
{
# $1 - tcp/udp
# $2 - port
local family=inet
# $3 - ip list
local iplist family=inet
[ "$IPV" = 6 ] && family=inet6
make_comma_list iplist "$3"
echo "set reassemble no"
[ "$1" = tcp ] && echo "pass in quick $family proto $1 from port $2 flags SA/SA divert-packet port $IPFW_DIVERT_PORT no state"
echo "pass in quick $family proto $1 from port $2 no state"
echo "pass out quick $family proto $1 to port $2 divert-packet port $IPFW_DIVERT_PORT no state"
[ "$1" = tcp ] && echo "pass in quick $family proto $1 from {$iplist} port $2 flags SA/SA divert-packet port $IPFW_DIVERT_PORT no state"
echo "pass in quick $family proto $1 from {$iplist} port $2 no state"
echo "pass out quick $family proto $1 to {$iplist} port $2 divert-packet port $IPFW_DIVERT_PORT no state"
echo "pass"
}
opf_prepare_dvtws()
{
# $1 - tcp/udp
# $2 - port
opf_dvtws_anchor $1 $2 | pfctl -qf -
# $3 - ip list
opf_dvtws_anchor $1 $2 "$3" | pfctl -qf -
pfctl -qe
}
@ -700,13 +705,12 @@ curl_test_http3()
curl_with_dig $1 $2 $QUIC_PORT -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT "https://$2" -o /dev/null 2>&1
}
ipt_scheme()
ipt_aux_scheme()
{
# $1 - 1 - add , 0 - del
# $2 - tcp/udp
# $3 - port
IPT_ADD_DEL $1 OUTPUT -t mangle -p $2 --dport $3 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
# to avoid possible INVALID state drop
[ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! --syn -j ACCEPT
# for strategies with incoming packets involved (autottl)
@ -722,13 +726,42 @@ ipt_scheme()
# raw table may not be present
IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack
}
ipt_scheme()
{
# $1 - tcp/udp
# $2 - port
# $3 - ip list
local ip
$IPTABLES -t mangle -N blockcheck_output 2>/dev/null
$IPTABLES -t mangle -F blockcheck_output
IPT OUTPUT -t mangle -j blockcheck_output
# prevent loop
$IPTABLES -t mangle -A blockcheck_output -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
$IPTABLES -t mangle -A blockcheck_output ! -p $1 -j RETURN
$IPTABLES -t mangle -A blockcheck_output -p $1 ! --dport $2 -j RETURN
for ip in $3; do
$IPTABLES -t mangle -A blockcheck_output -d $ip -j NFQUEUE --queue-num $QNUM
done
ipt_aux_scheme 1 $1 $2
}
nft_scheme()
{
# $1 - tcp/udp
# $2 - port
# $3 - ip list
local iplist ipver=$IPV
[ "$IPV" = 6 ] || ipver=
make_comma_list iplist $3
nft add table inet $NFT_TABLE
nft "add chain inet $NFT_TABLE postnat { type filter hook output priority 102; }"
nft "add rule inet $NFT_TABLE postnat meta nfproto ipv${IPV} $1 dport $2 mark and $DESYNC_MARK != $DESYNC_MARK queue num $QNUM"
nft "add rule inet $NFT_TABLE postnat meta nfproto ipv${IPV} $1 dport $2 mark and $DESYNC_MARK != $DESYNC_MARK ip${ipver} daddr {$iplist} queue num $QNUM"
# for strategies with incoming packets involved (autottl)
nft "add chain inet $NFT_TABLE prenat { type filter hook prerouting priority -102; }"
# enable everything generated by nfqws (works only in OUTPUT, not in FORWARD)
@ -740,23 +773,33 @@ pktws_ipt_prepare()
{
# $1 - tcp/udp
# $2 - port
# $3 - ip list
local ip
case "$FWTYPE" in
iptables)
ipt_scheme 1 $1 $2
ipt_scheme $1 $2 "$3"
;;
nftables)
nft_scheme $1 $2
nft_scheme $1 $2 "$3"
;;
ipfw)
# disable PF to avoid interferences
pf_is_avail && pfctl -qd
IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to any $2 proto ip${IPV} out not diverted not sockarg
for ip in $3; do
IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to $ip $2 proto ip${IPV} out not diverted not sockarg
done
;;
opf)
opf_prepare_dvtws $1 $2
opf_prepare_dvtws $1 $2 "$3"
;;
windivert)
WF="--wf-l3=ipv${IPV} --wf-${1}=$2"
rm -f "$IPSET_FILE"
for ip in $3; do
echo $ip >>"$IPSET_FILE"
done
;;
esac
@ -765,9 +808,13 @@ pktws_ipt_unprepare()
{
# $1 - tcp/udp
# $2 - port
case "$FWTYPE" in
iptables)
ipt_scheme 0 $1 $2
ipt_aux_scheme 0 $1 $2
IPT_DEL OUTPUT -t mangle -j blockcheck_output
$IPTABLES -t mangle -F blockcheck_output 2>/dev/null
$IPTABLES -t mangle -X blockcheck_output 2>/dev/null
;;
nftables)
nft delete table inet $NFT_TABLE 2>/dev/null
@ -781,6 +828,7 @@ pktws_ipt_unprepare()
;;
windivert)
unset WF
rm -f "$IPSET_FILE"
;;
esac
}
@ -788,21 +836,37 @@ pktws_ipt_unprepare()
pktws_ipt_prepare_tcp()
{
# $1 - port
# $2 - ip list
pktws_ipt_prepare tcp $1
local ip iplist ipver
pktws_ipt_prepare tcp $1 "$2"
case "$FWTYPE" in
iptables)
# for autottl
IPT INPUT -t mangle -p tcp --sport $1 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num $QNUM
$IPTABLES -N blockcheck_input -t mangle 2>/dev/null
$IPTABLES -F blockcheck_input -t mangle 2>/dev/null
IPT INPUT -t mangle -j blockcheck_input
$IPTABLES -t mangle -A blockcheck_input ! -p tcp -j RETURN
$IPTABLES -t mangle -A blockcheck_input -p tcp ! --sport $1 -j RETURN
$IPTABLES -t mangle -A blockcheck_input -m connbytes --connbytes-dir=reply --connbytes-mode=packets ! --connbytes 1 -j RETURN
for ip in $2; do
$IPTABLES -A blockcheck_input -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
done
;;
nftables)
ipver=$IPV
[ "$IPV" = 6 ] || ipver=
# for autottl
nft "add rule inet $NFT_TABLE prenat meta nfproto ipv${IPV} tcp sport $1 ct original packets 1 queue num $QNUM"
make_comma_list iplist $2
nft "add rule inet $NFT_TABLE prenat meta nfproto ipv${IPV} tcp sport $1 ip${ipver} saddr {$iplist} ct original packets 1 queue num $QNUM"
;;
ipfw)
# for autottl mode
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in not diverted not sockarg
for ip in $2; do
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from $ip $1 to me proto ip${IPV} tcpflags syn,ack in not diverted not sockarg
done
;;
esac
}
@ -814,15 +878,18 @@ pktws_ipt_unprepare_tcp()
case "$FWTYPE" in
iptables)
IPT_DEL INPUT -t mangle -p tcp --sport $1 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num $QNUM
IPT_DEL INPUT -t mangle -j blockcheck_input
$IPTABLES -t mangle -F blockcheck_input 2>/dev/null
$IPTABLES -t mangle -X blockcheck_input 2>/dev/null
;;
esac
}
pktws_ipt_prepare_udp()
{
# $1 - port
# $2 - ip list
pktws_ipt_prepare udp $1
pktws_ipt_prepare udp $1 "$2"
}
pktws_ipt_unprepare_udp()
{
@ -841,7 +908,7 @@ pktws_start()
"$DVTWS" --port=$IPFW_DIVERT_PORT "$@" >/dev/null &
;;
CYGWIN)
"$WINWS" $WF "$@" >/dev/null &
"$WINWS" $WF --ipset="$IPSET_FILE" "$@" >/dev/null &
;;
esac
PID=$!
@ -1215,7 +1282,7 @@ pktws_check_domain_http3_bypass_()
{
# $1 - test function
# $2 - domain
local f desync frag tests rep
for rep in '' 2 5 10 20; do
@ -1413,7 +1480,7 @@ check_domain_http_tcp()
[ "$SKIP_PKTWS" = 1 ] || {
echo
echo preparing $PKTWSD redirection
pktws_ipt_prepare_tcp $2
pktws_ipt_prepare_tcp $2 "$(mdig_resolve_all $IPV $4)"
pktws_check_domain_http_bypass $1 $3 $4
@ -1436,7 +1503,7 @@ check_domain_http_udp()
[ "$SKIP_PKTWS" = 1 ] || {
echo
echo preparing $PKTWSD redirection
pktws_ipt_prepare_udp $2
pktws_ipt_prepare_udp $2 "$(mdig_resolve_all $IPV $3)"
pktws_check_domain_http3_bypass $1 $3
@ -1756,7 +1823,7 @@ check_dns_cleanup()
{
rm -f "$DNSCHECK_DIG1" "$DNSCHECK_DIG2" "$DNSCHECK_DIGS" 2>/dev/null
}
check_dns()
check_dns_()
{
local C1 C2 dom
@ -1799,8 +1866,8 @@ check_dns()
for dom in $DNSCHECK_DOM; do echo $dom; done | "$MDIG" --threads=10 --family=4 >"$DNSCHECK_DIGS"
fi
echo checking resolved IP uniqueness for : $DNSCHECK_DOM
echo censor\'s DNS can return equal result for multiple blocked domains.
echo "checking resolved IP uniqueness for : $DNSCHECK_DOM"
echo "censor's DNS can return equal result for multiple blocked domains."
C1=$(wc -l <"$DNSCHECK_DIGS")
C2=$(sort -u "$DNSCHECK_DIGS" | wc -l)
[ "$C1" -eq 0 ] &&
@ -1828,6 +1895,14 @@ check_dns()
return 0
}
check_dns()
{
local r
check_dns_
r=$?
[ "$SECURE_DNS" = 1 ] && doh_find_working
return $r
}
unprepare_all()
{
@ -1860,6 +1935,7 @@ sigsilent()
exit 1
}
fsleep_setup
fix_sbin_path
check_system
@ -1868,7 +1944,6 @@ check_already
check_prerequisites
trap sigint_cleanup INT
check_dns
[ "$SECURE_DNS" = 1 ] && doh_find_working
check_virt
ask_params
trap - INT

Write Preview
Loading…
Cancel
Save