init.d: multiple customs

common/custom.sh

@@ -0,0 +1,25 @@
+custom_runner()
+{
+	# $1 - function name
+	# $2+ - params
+
+	local n script FUNC=$1
+
+	shift
+
+	[ -f "$CUSTOM_DIR/custom" ] && {
+		unset -f $FUNC
+		. "$CUSTOM_DIR/custom"
+		existf $FUNC && $FUNC "$@"
+	}
+	[ -d "$CUSTOM_DIR/custom.d" ] && {
+		n=$(ls "$CUSTOM_DIR/custom.d" | wc -c | xargs)
+		[ "$n" = 0 ] || {
+			for script in "$CUSTOM_DIR/custom.d/"*; do
+				unset -f $FUNC
+				. "$script"
+				existf $FUNC && $FUNC "$@"
+			done
+		}
+	}
+}

common/ipt.sh

@@ -437,7 +437,7 @@ zapret_do_firewall_rules_ipt()
 			fi
 			;;
 		custom)
-	    		existf zapret_custom_firewall && zapret_custom_firewall $1
+			custom_runner zapret_custom_firewall $1
 			;;
 	esac
 }

common/nft.sh

@@ -705,7 +705,7 @@ zapret_apply_firewall_rules_nft()
 			POSTNAT=$POSTNAT_SAVE
 			;;
 		custom)
-	    		existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
+			custom_runner zapret_custom_firewall_nft
 			;;
 	esac
 }

common/pf.sh

@@ -106,6 +106,11 @@ pf_anchor_zapret_tables()
 
 	eval $tblv="\"\$_tbl\""
 }
+pf_nat_reorder_rules()
+{
+	# this is dirty hack to move rdr above route-to and remove route-to dups
+	sort -rfu
+}
 pf_anchor_port_target()
 {
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@@ -119,9 +124,17 @@ pf_anchor_port_target()
 
 pf_anchor_zapret_v4_tpws()
 {
-	# $1 - port
+	# $1 - tpws listen port
+	# $2 - rdr ports. defaults are used if empty
+
+	local rule port
+
+	if [ -n "$2" ]; then
+		port="{$2}"
+	else
+		port=$(pf_anchor_port_target)
+	fi
 
-	local rule port=$(pf_anchor_port_target)
 	for lan in $IFACE_LAN; do
 		for t in $tbl; do
 			 echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
@@ -144,7 +157,7 @@ pf_anchor_zapret_v4()
 {
 	local tbl port
 	[ "$DISABLE_IPV4" = "1" ] || {
-		case $MODE in
+		case "${MODE_OVERRIDE:-$MODE}" in
 			tpws)
 				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
@@ -152,16 +165,24 @@ pf_anchor_zapret_v4()
 				;;
 			custom)
 				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
+				custom_runner zapret_custom_firewall_v4 | pf_nat_reorder_rules
 				;;
 		esac
 	}
 }
 pf_anchor_zapret_v6_tpws()
 {
-	# $1 - port
+	# $1 - tpws listen port
+	# $2 - rdr ports. defaults are used if empty
+
+	local rule LL_LAN port
+
+	if [ -n "$2" ]; then
+		port="{$2}"
+	else
+		port=$(pf_anchor_port_target)
+	fi
 
-	local LL_LAN rule port=$(pf_anchor_port_target)
 	# LAN link local is only for router
 	for lan in $IFACE_LAN; do
 		LL_LAN=$(get_ipv6_linklocal $lan)
@@ -188,7 +209,7 @@ pf_anchor_zapret_v6()
 	local tbl port
 
 	[ "$DISABLE_IPV6" = "1" ] || {
-		case $MODE in
+		case "${MODE_OVERRIDE:-$MODE}" in
 			tpws)
 				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
@@ -196,7 +217,7 @@ pf_anchor_zapret_v6()
 				;;
 			custom)
 				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
+				custom_runner zapret_custom_firewall_v6 | pf_nat_reorder_rules
 				;;
 		esac
 	}

init.d/macos/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,18 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall_v4()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
+}
+zapret_custom_firewall_v6()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
+}

init.d/macos/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,18 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall_v4()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
+}
+zapret_custom_firewall_v6()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
+}

init.d/macos/custom-tpws → init.d/macos/custom.d.examples/50-extra-tpws

@@ -1,16 +1,20 @@
 # this script is an example describing how to run tpws on a custom port
 
-TPPORT_MY=987
+DNUM=100
+TPPORT_MY=${TPPORT_MY:-987}
+TPWS_OPT_MY=${TPWS_OPT_MY:-987}
+TPWS_OPT_SUFFIX_MY="${TPWS_OPT_SUFFIX_MY:-}"
+DPORTS_MY=${DPORTS_MY:-20443,20444,30000-30009}
 
 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt="--user=root --port=$TPPORT_MY"
 	tpws_apply_binds opt
-	opt="$opt $TPWS_OPT"
+	opt="$opt $TPWS_OPT_MY"
 	filter_apply_hostlist_target opt
-	filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+	filter_apply_suffix opt "$TPWS_OPT_SUFFIX_MY"
-	do_daemon $1 1 "$TPWS" "$opt"
+	do_daemon $1 $DNUM "$TPWS" "$opt"
 }
 
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
@@ -18,9 +22,9 @@ zapret_custom_daemons()
 
 zapret_custom_firewall_v4()
 {
-	pf_anchor_zapret_v4_tpws $TPPORT_MY
+	pf_anchor_zapret_v4_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
 }
 zapret_custom_firewall_v6()
 {
-	pf_anchor_zapret_v6_tpws $TPPORT_MY
+	pf_anchor_zapret_v6_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
 }

init.d/macos/custom.default

@@ -1,21 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-	:
-}
-
-# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
-# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
-
-zapret_custom_firewall_v4()
-{
-	:
-}
-zapret_custom_firewall_v6()
-{
-	:
-}

init.d/macos/functions

@@ -7,6 +7,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/base.sh"
 . "$ZAPRET_BASE/common/pf.sh"
 . "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
 
 IPSET_DIR=$ZAPRET_BASE/ipset
 . "$IPSET_DIR/def.sh"
@@ -184,7 +186,7 @@ zapret_do_daemons()
 		filter)
 			;;
 		custom)
-			existf zapret_custom_daemons && zapret_custom_daemons $1
+			custom_runner zapret_custom_daemons $1
 			;;
 		*)
 			echo "unsupported MODE=$MODE"

init.d/openwrt/custom-reuse-builtin-mode

@@ -1,47 +0,0 @@
-# this custom script demonstrates how to reuse built-in modes and add something from yourself
-
-MY_TPPORT=$(($TPPORT + 1))
-MY_TPWS_OPT="--methodeol --hostcase"
-MY_DPORT=81
-
-zapret_custom_daemons()
-{
-	# stop logic is managed by procd
-
-	local MODE_OVERRIDE=tpws
-	local opt
-
-	start_daemons_procd
-
-	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
-	filter_apply_hostlist_target opt
-	run_tpws 100 "$opt"
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_do_firewall_rules_ipt $1
-
-	f4="-p tcp --dport $MY_DPORT"
-	f6=$f4
-	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_apply_firewall_rules_nft
-
-	f4="tcp dport $MY_DPORT"
-	f6=$f4
-	nft_filter_apply_ipset_target f4 f6
-	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
-}

init.d/openwrt/custom.d.examples/10-inherit-nfqws

@@ -0,0 +1,22 @@
+# this custom script applies nfqws mode as it would be with MODE=nfqws
+
+OVERRIDE=nfqws
+
+zapret_custom_daemons()
+{
+        # stop logic is managed by procd
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,22 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,22 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom-nfqws-dht4all → init.d/openwrt/custom.d.examples/50-dht4all

@@ -1,31 +1,24 @@
-# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
 
-QNUM2=$(($QNUM+20))
+DNUM=101
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
         # stop logic is managed by procd
 
-        local MODE_OVERRIDE=nfqws
+        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-        local opt
+	run_daemon $DNUM $NFQWS "$opt"
-
-        zapret_do_daemons $1
-
-        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-	do_nfqws $1 100 "$opt"
 }
 zapret_custom_firewall()
 {
         # $1 - 1 - run, 0 - stop
 
-        local MODE_OVERRIDE=nfqws
         local f uf4 uf6
         local first_packet_only="$ipt_connbytes 1:1"
         local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-        zapret_do_firewall_rules_ipt $1
-
         f='-p udp -m length --length 109:407 -m u32 --u32'
 	uf4='0>>22&0x3C@8>>16=0x6431'
 	uf6='48>>16=0x6431'
@@ -36,13 +29,10 @@ zapret_custom_firewall_nft()
 {
         # stop logic is not required
 
-        local MODE_OVERRIDE=nfqws
         local f
         local first_packet_only="$nft_connbytes 1"
         local desync="mark and $DESYNC_MARK == 0"
 
-        zapret_apply_firewall_rules_nft
-
         f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
         nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }

init.d/sysv/custom-nfqws-quic4all → init.d/openwrt/custom.d.examples/50-quic4all

@@ -1,32 +1,25 @@
-# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
 
-QNUM2=$(($QNUM+10))
+DNUM=102
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
+	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	local opt
+	run_daemon $DNUM $NFQWS "$opt"
-
-	zapret_do_daemons $1
-
-	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	do_nfqws $1 100 "$opt"
 }
 zapret_custom_firewall()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-	zapret_do_firewall_rules_ipt $1
-
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 
@@ -35,13 +28,10 @@ zapret_custom_firewall_nft()
 {
 	# stop logic is not required
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$nft_connbytes 1-3"
 	local desync="mark and $DESYNC_MARK == 0"
 
-	zapret_apply_firewall_rules_nft
-
 	f="udp dport {$QUIC_PORTS}"
 	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }

init.d/openwrt/custom-tpws4http-nfqws4https → init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https

@@ -3,7 +3,7 @@
 
 zapret_custom_daemons()
 {
-	# stop logic is managed by procd
+	# $1 - 1 - run, 0 - stop
 
 	local opt
 
@@ -15,7 +15,7 @@ zapret_custom_daemons()
 	}
 
 	[ "$MODE_HTTPS" = "1" ] && {
-		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
+		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
 		filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
 		run_daemon 2 $NFQWS "$opt"
@@ -41,6 +41,8 @@ zapret_custom_firewall()
 		f6=$f4
 		filter_apply_ipset_target f4 f6
 		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		# for modes that require incoming traffic
+		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
 	}
 }
 zapret_custom_firewall_nft()

init.d/openwrt/custom.default

@@ -1,33 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file and "zapret" init script
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# stop logic is managed by procd
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Start daemon\(s\)
-	echo Study how other sections work
-
-	run_daemon 1 /bin/sleep 20
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure iptables for required actions
-	echo Study how other sections work
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure nftables for required actions
-	echo Study how other sections work
-}

init.d/openwrt/functions

@@ -12,6 +12,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
 
 [ -n "$QNUM" ] || QNUM=200
 [ -n "$TPPORT" ] || TPPORT=988
@@ -27,9 +29,6 @@ LINKLOCAL_WAIT_SEC=5
 
 IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
 
-CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/openwrt/custom"
-[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
-
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 

init.d/openwrt/zapret

@@ -173,7 +173,7 @@ start_daemons_procd()
 			}
 			;;
 		custom)
-	    		existf zapret_custom_daemons && zapret_custom_daemons $1
+	    		custom_runner zapret_custom_daemons $1
 			;;
 	esac
 

init.d/sysv/custom-reuse-builtin-mode

@@ -1,47 +0,0 @@
-# this custom script demonstrates how to reuse built-in modes and add something from yourself
-
-MY_TPPORT=$(($TPPORT + 1))
-MY_TPWS_OPT="--methodeol --hostcase"
-MY_DPORT=81
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=tpws
-	local opt
-
-	zapret_do_daemons $1
-
-	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
-	filter_apply_hostlist_target opt
-	do_tpws $1 100 "$opt"
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_do_firewall_rules_ipt $1
-
-	f4="-p tcp --dport $MY_DPORT"
-	f6=$f4
-	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_apply_firewall_rules_nft
-
-	f4="tcp dport $MY_DPORT"
-	f6=$f4
-	nft_filter_apply_ipset_target f4 f6
-	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
-}

init.d/sysv/custom.d.examples/10-inherit-nfqws

@@ -0,0 +1,22 @@
+# this custom script applies nfqws mode as it would be with MODE=nfqws
+
+OVERRIDE=nfqws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,22 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,22 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom-nfqws-dht4all → init.d/sysv/custom.d.examples/50-dht4all

@@ -1,47 +1,39 @@
-# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
 
-QNUM2=$(($QNUM+20))
+DNUM=101
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
         # stop logic is managed by procd
 
-        local MODE_OVERRIDE=nfqws
+        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-        local opt
+	do_nfqws $1 $DNUM "$opt"
-
-        start_daemons_procd
-
-        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-        run_daemon 100 $NFQWS "$opt"
 }
 zapret_custom_firewall()
 {
         # $1 - 1 - run, 0 - stop
 
-        local MODE_OVERRIDE=nfqws
         local f uf4 uf6
         local first_packet_only="$ipt_connbytes 1:1"
         local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-        zapret_do_firewall_rules_ipt $1
-
         f='-p udp -m length --length 109:407 -m u32 --u32'
 	uf4='0>>22&0x3C@8>>16=0x6431'
 	uf6='48>>16=0x6431'
         fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+
 }
 zapret_custom_firewall_nft()
 {
         # stop logic is not required
 
-        local MODE_OVERRIDE=nfqws
         local f
         local first_packet_only="$nft_connbytes 1"
         local desync="mark and $DESYNC_MARK == 0"
 
-        zapret_apply_firewall_rules_nft
-
         f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
         nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }
+

init.d/openwrt/custom-nfqws-quic4all → init.d/sysv/custom.d.examples/50-quic4all

@@ -1,32 +1,25 @@
-# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
 
-QNUM2=$(($QNUM+10))
+DNUM=102
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
-	# stop logic is managed by procd
+	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=nfqws
-	local opt
-
-	start_daemons_procd
 
-	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	run_daemon 100 $NFQWS "$opt"
+	do_nfqws $1 $DNUM "$opt"
 }
 zapret_custom_firewall()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-	zapret_do_firewall_rules_ipt $1
-
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 
@@ -35,13 +28,10 @@ zapret_custom_firewall_nft()
 {
 	# stop logic is not required
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$nft_connbytes 1-3"
 	local desync="mark and $DESYNC_MARK == 0"
 
-	zapret_apply_firewall_rules_nft
-
 	f="udp dport {$QUIC_PORTS}"
 	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }

init.d/sysv/custom.default

@@ -1,34 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Start daemon\(s\)
-	echo Study how other sections work
-
-	do_daemon $1 1 /bin/sleep 20
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure iptables for required actions
-	echo Study how other sections work
-}
-
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure nftables for required actions
-	echo Study how other sections work
-}

init.d/sysv/functions

@@ -12,6 +12,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 
 user_exists()
@@ -91,9 +93,6 @@ TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=
 # max wait time for the link local ipv6 on the LAN interface
 LINKLOCAL_WAIT_SEC=5
 
-CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom"
-[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
-
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 
@@ -341,7 +340,7 @@ zapret_do_daemons()
 			}
 			;;
 		custom)
-	    		existf zapret_custom_daemons && zapret_custom_daemons $1
+			custom_runner zapret_custom_daemons $1
 			;;
 	esac
 

install_easy.sh

@@ -138,6 +138,15 @@ select_mode_mode()
 			echo ..edited..
 		done
 	}
+	[ "$MODE" = custom ] && {
+		echo
+		echo "current custom scripts :"
+		[ -f "$CUSTOM_DIR/custom" ] && echo "legacy custom script $CUSTOM_DIR/custom"
+		echo "$CUSTOM_DIR/custom.d :"
+		[ -d "$CUSTOM_DIR/custom.d" ] && ls "$CUSTOM_DIR/custom.d"
+		echo "Make sure this is ok"
+		echo
+	}
 }
 select_mode_http()
 {
@@ -393,7 +402,7 @@ default_files()
 	for dir in openwrt sysv macos; do
 		[ -d "$1/init.d/$dir" ] && {
 			[ -d "$2/init.d/$dir" ] || mkdir -p "$2/init.d/$dir"
-			[ -f "$2/init.d/$dir/custom" ] || cp "$1/init.d/$dir/custom.default" "$2/init.d/$dir/custom"
+			[ -d "$2/init.d/$dir/custom.d" ] || mkdir -p "$2/init.d/$dir/custom.d"
 		}
 	done
 }
@@ -484,7 +493,11 @@ _backup_settings()
 {
 	local i=0
 	for f in "$@"; do
+		# safety check
+		[ -z "$f" -o "$f" = "/" ] && continue
+
 		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
+		[ -d "$ZAPRET_TARGET/$f" ] && cp -rf "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
 		i=$(($i+1))
 	done
 }
@@ -492,7 +505,14 @@ _restore_settings()
 {
 	local i=0
 	for f in "$@"; do
+		# safety check
+		[ -z "$f" -o "$f" = "/" ] && continue
+
 		[ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i"
+		[ -d "/tmp/zapret-bkp-$i" ] && {
+			[ -d "$ZAPRET_TARGET/$f" ] && rm -r "$ZAPRET_TARGET/$f"
+			mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -r "/tmp/zapret-bkp-$i"
+		}
 		i=$(($i+1))
 	done
 }
@@ -500,7 +520,7 @@ backup_restore_settings()
 {
 	# $1 - 1 - backup, 0 - restore
 	local mode=$1
-	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
+	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/sysv/custom.d" "init.d/openwrt/custom" "init.d/openwrt/custom.d" "init.d/macos/custom" "init.d/macos/custom.d" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
 }
 
 check_location()
@@ -623,6 +643,7 @@ check_dns()
 install_systemd()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 	check_bins
 	require_root
@@ -650,6 +671,8 @@ _install_sysv()
 {
 	# $1 - install init script
 
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
 	check_bins
 	require_root
 	check_readonly_system
@@ -687,6 +710,7 @@ install_openrc()
 install_linux()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 	check_bins
 	require_root
@@ -757,6 +781,7 @@ deoffload_openwrt_firewall()
 install_openwrt()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
 	FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret"
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
 	OPENWRT_IFACE_HOOK="$EXEDIR/init.d/openwrt/90-zapret"
@@ -829,6 +854,7 @@ macos_fw_reload_trigger_set()
 install_macos()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
 
 	# compile before root
 	check_bins