gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

blockcheck: new strategies

master
bol-van 6 days ago
parent
fd506dfe08
commit
acfbbc58ac
2 changed files with 64 additions and 16 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 65
      blockcheck.sh
  2. 1
      docs/changes.txt

65
blockcheck.sh
View File

@ -47,6 +47,7 @@ HTTPS_PORT=${HTTPS_PORT:-443}
QUIC_PORT=${QUIC_PORT:-443} QUIC_PORT=${QUIC_PORT:-443}
UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org} UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
PARALLEL_OUT=/tmp/zapret_parallel PARALLEL_OUT=/tmp/zapret_parallel
SIM_SUCCESS_RATE=${SIM_SUCCESS_RATE:-10}
HDRTEMP=/tmp/zapret-hdr HDRTEMP=/tmp/zapret-hdr
@ -1063,6 +1064,17 @@ ws_curl_test()
# $3 - domain # $3 - domain
# $4,$5,$6, ... - ws params # $4,$5,$6, ... - ws params
local code ws_start=$1 testf=$2 dom=$3 local code ws_start=$1 testf=$2 dom=$3
[ "$SIMULATE" = 1 ] && {
n=$(random 0 99)
if [ "$n" -lt "$SIM_SUCCESS_RATE" ]; then
echo "SUCCESS"
return 0
else
echo "FAILED"
return 7
fi
}
shift shift
shift shift
shift shift
@ -1178,13 +1190,17 @@ report_strategy()
return 1 return 1
fi fi
} }
test_has_fakedsplit()
{
contains "$1" fakedsplit || contains "$1" fakeddisorder
}
test_has_split() test_has_split()
{ {
contains "$1" split || contains "$1" disorder contains "$1" multisplit || contains "$1" multidisorder || test_has_fakedsplit "$1"
} }
test_has_fakedsplit() test_has_hostfakesplit()
{ {
contains "$1" fakedsplit || contains "$1" fakeddisorder contains "$1" hostfakesplit
} }
test_has_fake() test_has_fake()
{ {
@ -1230,6 +1246,7 @@ pktws_curl_test_update_vary()
splits="method+2 midsld" splits="method+2 midsld"
[ "$sec" = 0 ] || splits="1 midsld 1,midsld" [ "$sec" = 0 ] || splits="1 midsld 1,midsld"
fi fi
test_has_hostfakesplit $desync && fake1="--dpi-desync-hostfakesplit-midhost=midsld"
for fake in '' "$fake1" "$fake2" "$fake3" ; do for fake in '' "$fake1" "$fake2" "$fake3" ; do
[ "$fake" = "-" ] && continue [ "$fake" = "-" ] && continue
if [ -n "$splits" ]; then if [ -n "$splits" ]; then
@ -1257,7 +1274,7 @@ pktws_check_domain_http_bypass_()
# $3 - domain # $3 - domain
local ok ttls s f f2 e desync pos fooling frag sec="$2" delta orig splits local ok ttls s f f2 e desync pos fooling frag sec="$2" delta orig splits
local need_split need_disorder need_fakedsplit need_fakeddisorder need_fake need_wssize local need_split need_disorder need_fakedsplit need_hostfakesplit need_fakeddisorder need_fake need_wssize
local splits_http='method+2 midsld method+2,midsld' local splits_http='method+2 midsld method+2,midsld'
local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1' local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
@ -1302,25 +1319,33 @@ pktws_check_domain_http_bypass_()
done done
need_fakedsplit=1 need_fakedsplit=1
need_hostfakesplit=1
need_fakeddisorder=1 need_fakeddisorder=1
need_fake=1 need_fake=1
for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit hostfakesplit fake,hostfakesplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue [ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue [ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
[ "$need_hostfakesplit" = 0 ] && contains "$desync" hostfakesplit && continue
[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue [ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
ok=0 ok=0
for ttl in $ttls; do for ttl in $ttls; do
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $e && { # orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
# missing ACK is transmitted in the first data packet of TLS/HTTP proto
for f in '' '--orig-ttl=1 --orig-mod-start=s1 --orig-mod-cutoff=d1'; do
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $f $e && {
[ "$SCANLEVEL" = quick ] && return [ "$SCANLEVEL" = quick ] && return
ok=1 ok=1
need_wssize=0 need_wssize=0
break [ "$SCANLEVEL" = force ] || break
} }
done done
[ "$ok" = 1 ] && break
done
# only skip tests if TTL succeeded. do not skip if TTL failed but fooling succeeded # only skip tests if TTL succeeded. do not skip if TTL failed but fooling succeeded
[ $ok = 1 -a "$SCANLEVEL" != force ] && { [ $ok = 1 -a "$SCANLEVEL" != force ] && {
[ "$desync" = fake ] && need_fake=0 [ "$desync" = fake ] && need_fake=0
[ "$desync" = fakedsplit ] && need_fakedsplit=0 [ "$desync" = fakedsplit ] && need_fakedsplit=0
[ "$desync" = hostfakesplit ] && need_hostfakesplit=0
[ "$desync" = fakeddisorder ] && need_fakeddisorder=0 [ "$desync" = fakeddisorder ] && need_fakeddisorder=0
} }
f= f=
@ -1329,12 +1354,21 @@ pktws_check_domain_http_bypass_()
[ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2" [ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2"
for fooling in $f; do for fooling in $f; do
ok=0 ok=0
f2=
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling $e && { pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling $e && {
warn_fool $fooling $desync warn_fool $fooling $desync
[ "$SCANLEVEL" = quick ] && return [ "$SCANLEVEL" = quick ] && return
need_wssize=0 need_wssize=0
ok=1 ok=1
} }
[ "$fooling" = badseq ] && {
[ "$ok" = 1 -a "$SCANLEVEL" != force ] && continue
# --dpi-desync-badseq-increment=0 leaves modified by default ack increment
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling --dpi-desync-badseq-increment=0 $e && {
[ "$SCANLEVEL" = quick ] && return
need_wssize=0
}
}
[ "$fooling" = md5sig ] && { [ "$fooling" = md5sig ] && {
[ "$ok" = 1 -a "$SCANLEVEL" != force ] && continue [ "$ok" = 1 -a "$SCANLEVEL" != force ] && continue
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling --dup=1 --dup-cutoff=n2 --dup-fooling=md5sig $e && { pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling --dup=1 --dup-cutoff=n2 --dup-fooling=md5sig $e && {
@ -1399,18 +1433,30 @@ pktws_check_domain_http_bypass_()
need_fakedsplit=1 need_fakedsplit=1
need_fakeddisorder=1 need_fakeddisorder=1
need_hostfakesplit=1
need_fake=1 need_fake=1
for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit hostfakesplit fake,hostfakesplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue [ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue [ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
[ "$need_hostfakesplit" = 0 ] && contains "$desync" hostfakesplit && continue
[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue [ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
ok=0 ok=0
for orig in '' 1 2 3; do # orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
# missing ACK is transmitted in the first data packet of TLS/HTTP proto
for delta in 1 2 3 4 5; do
for f in '' '--orig-ttl=1 --orig-mod-start=s1 --orig-mod-cutoff=d1'; do
pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=1 --dpi-desync-autottl=-$delta $f $e && ok=1
[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
done
done
[ "$SCANLEVEL" = force ] && {
for orig in 1 2 3; do
for delta in 1 2 3 4 5; do for delta in 1 2 3 4 5; do
pktws_curl_test_update_vary $1 $2 $3 $desync ${orig:+--orig-autottl=+$orig} --dpi-desync-ttl=1 --dpi-desync-autottl=-$delta $e && ok=1 pktws_curl_test_update_vary $1 $2 $3 $desync ${orig:+--orig-autottl=+$orig} --dpi-desync-ttl=1 --dpi-desync-autottl=-$delta $e && ok=1
done done
[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break [ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
done done
}
[ "$ok" = 1 ] && [ "$ok" = 1 ] &&
{ {
echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta" echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta"
@ -1420,6 +1466,7 @@ pktws_check_domain_http_bypass_()
[ "$SCANLEVEL" = force ] || { [ "$SCANLEVEL" = force ] || {
[ "$desync" = fake ] && need_fake=0 [ "$desync" = fake ] && need_fake=0
[ "$desync" = fakedsplit ] && need_fakedsplit=0 [ "$desync" = fakedsplit ] && need_fakedsplit=0
[ "$desync" = hostfakesplit ] && need_hostfakesplit=0
[ "$desync" = fakeddisorder ] && need_fakeddisorder=0 [ "$desync" = fakeddisorder ] && need_fakeddisorder=0
} }
} }

1
docs/changes.txt
View File

@ -546,3 +546,4 @@ v71.5
winws: --wf-raw-part winws: --wf-raw-part
nfqws: --dpi-desync=hostfakesplit nfqws: --dpi-desync=hostfakesplit
blockcheck: new strategies

Write Preview
Loading…
Cancel
Save