separate desync options for http and https

4 years ago · f6d80e78b4
12 changed files with 84 additions and 149 deletions
--- a/4
+++ b/4
@ -40,7 +40,9 @@ MODE_FILTER=none

 # CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
 DESYNC_MARK=0x40000000
-NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"
+NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+#NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+#NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"

 # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
 TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
--- a/docs/readme.eng.txt
+++ b/docs/readme.eng.txt
@ -492,6 +492,13 @@ nfqws options for DPI desync attack:
 DESYNC_MARK=0x40000000
 NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"

+Separate nfqws options for http and https :
+
+NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+
+If a variable is not defined, the value NFQWS_OPT_DESYNC is taken.
+
 flow offloading control (openwrt only)
 donttouch : disable system flow offloading setting if selected mode is incompatible with it, dont touch it otherwise and dont configure selective flow offloading
 none : always disable system flow offloading setting and dont configure selective flow offloading
--- a/docs/readme.txt
+++ b/docs/readme.txt
@ -720,7 +720,14 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
 Опции nfqws для атаки десинхронизации DPI :

 DESYNC_MARK=0x40000000
-NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum --dpi-desync-fwmark=$DESYNC_MARK"
+NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+
+Задание раздельных опций nfqws для http и https :
+
+NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
+
+Если какая-то из переменных не определена, берется значение NFQWS_OPT_DESYNC.

 Настройка системы управления выборочным traffic offload (только openwrt)
 donttouch : выборочное управление отключено, используется системная настройка, простой инсталятор выключает системную настройку, если она не совместима с выбранным режимом
--- a/init.d/openwrt/custom-2nfqws
+++ b/init.d/openwrt/custom-2nfqws
@ -1,44 +0,0 @@
-# this custom script demonstrates how to use 2 copies of nfqws
-# it preserves config settings : MODE_HTTP, MODE_HTTP_KEEPALIVE, MODE_HTTPS, MODE_FILTER, NFQWS_OPT_DESYNC
-# NFQWS_OPT_DESYNC - parameters for http
-# NFQWS_OPT_DESYNC2 - parameters for https. you should add this variable to config file, its absent there
-
-QNUM2=$(($QNUM+1))
-
-zapret_custom_daemons()
-{
-	local opt
-
-	[ "$MODE_HTTP" = "1" ] && {
-		opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
-		filter_apply_hostlist_target opt
-		run_daemon 1 $NFQWS "$opt"
-	}
-
-	[ "$MODE_HTTPS" = "1" ] && {
-		opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC2 --qnum=$QNUM2"
-		filter_apply_hostlist_target opt
-		run_daemon 2 $NFQWS "$opt"
-	}
-}
-zapret_custom_firewall()
-{
-	local f4 f6
-	local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
-	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-
-	[ "$MODE_HTTP" = "1" ] && {
-		f4="--dport 80"
-		[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
-		f6=$f4
-		filter_apply_ipset_target f4 f6
-		fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
-	}
-	
-	[ "$MODE_HTTPS" = "1" ] && {
-		f4="--dport 443 $first_packet_only"
-		f6=$f4
-		filter_apply_ipset_target f4 f6
-		fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM2
-	}
-}
--- a/init.d/openwrt/custom-tpws4http-nfqws4https
+++ b/init.d/openwrt/custom-tpws4http-nfqws4https
@ -6,13 +6,13 @@ zapret_custom_daemons()
 	local opt

 	[ "$MODE_HTTP" = "1" ] && {
-		opt="$TPWS_OPT"
+		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
 		run_tpws 1 "$opt"
 	}

 	[ "$MODE_HTTPS" = "1" ] && {
-		opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
+		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
 		filter_apply_hostlist_target opt
 		run_daemon 2 $NFQWS "$opt"
 	}
--- a/init.d/openwrt/custom.default
+++ b/init.d/openwrt/custom.default
@ -1,20 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file and "zapret" init script
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Start daemon\(s\)
-	echo Study how other sections work
-
-	run_daemon 1 /bin/sleep 20
-}
-zapret_custom_firewall()
-{
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure iptables for required actions
-	echo Study how other sections work
-}
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@ -20,6 +20,9 @@ CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/openwrt/custom"
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"

+NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
+NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
+
 exists()
 {
 which "$1" >/dev/null 2>/dev/null
@ -307,7 +310,8 @@ is_flow_offload_avail()
 list_nfqws_rules()
 {
 	# $1 = '' for ipv4, '6' for ipv6
-	ip$1tables -S POSTROUTING -t mangle  | grep "NFQUEUE --queue-num $QNUM --queue-bypass"  | sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
+	ip$1tables -S POSTROUTING -t mangle  | grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass"  | \
+	sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
 }
 reverse_nfqws_rule()
 {
@ -374,6 +378,7 @@ zapret_apply_firewall()
 	local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 	local f4 f6
+	local qn

 	# always create ipsets. ip_exclude ipset is required
 	create_ipset no-update
@ -394,9 +399,16 @@ zapret_apply_firewall()
 			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
 				echo both http and https are disabled. not applying redirection.
 			else
-				if [ "$MODE_HTTP_KEEPALIVE" = "1" ]; then
+				if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
+					filter_apply_port_target f4
+					f4="$f4 $first_packet_only"
+					f6=$f4
+					filter_apply_ipset_target f4 f6
+					fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+				else
 					if [ "$MODE_HTTP" = "1" ]; then
 						f4="--dport 80"
+						[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 						f6=$f4
 						filter_apply_ipset_target f4 f6
 						fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
@ -405,14 +417,10 @@ zapret_apply_firewall()
 						f4="--dport 443 $first_packet_only"
 						f6=$f4
 						filter_apply_ipset_target f4 f6
-						fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+						qn=$QNUM
+						[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || qn=$(($QNUM+1))
+						fw_nfqws_post "$f4 $desync" "$f6 $desync" $qn
 					fi
-				else
-					filter_apply_port_target f4
-					f4="$f4 $first_packet_only"
-					f6=$f4
-					filter_apply_ipset_target f4 f6
-					fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
 				fi
 			fi
 			;;
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -21,14 +21,14 @@ PIDDIR=/var/run

 NFQWS_USER=daemon
 NFQWS="$ZAPRET_BASE/nfq/nfqws"
-NFQWS_OPT_BASE="--qnum=$QNUM --user=$NFQWS_USER"
+NFQWS_OPT_BASE="--user=$NFQWS_USER --dpi-desync-fwmark=$DESYNC_MARK"

 TPWS="$ZAPRET_BASE/tpws/tpws"
 TPWS_LOCALHOST4=127.0.0.127
 HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt.gz"
 [ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
 [ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"
-TPWS_OPT_BASE="--user=$TPWS_USER --port=$TPPORT"
+TPWS_OPT_BASE="--user=$TPWS_USER"
 TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
 TPWS_OPT_BASE6="--bind-addr=::1"
 TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
@ -99,20 +99,25 @@ start_service() {

 	case "${MODE}" in
 		tpws)
-			opt="$TPWS_OPT"
+			opt="--port=$TPPORT $TPWS_OPT"
 			filter_apply_hostlist_target opt
 			run_tpws 1 "$opt"
 			;;
 		tpws-socks)
-			opt="$TPWS_OPT_BASE --socks $TPWS_OPT"
+			opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT"
 			tpws_apply_socks_binds opt
 			filter_apply_hostlist_target opt
 			run_daemon 1 "$TPWS" "$opt"
 			;;
 		nfqws)
-			opt="$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC"
+			opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
 			filter_apply_hostlist_target opt
 			run_daemon 1 "$NFQWS" "$opt"
+			[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || {
+				opt="--qnum=$(($QNUM+1)) $NFQWS_OPT_BASE2 $NFQWS_OPT_DESYNC_HTTPS"
+				filter_apply_hostlist_target opt
+				run_daemon 2 "$NFQWS" "$opt"
+			}
 			;;
 		custom)
 	    		existf zapret_custom_daemons && zapret_custom_daemons $1
--- a/init.d/sysv/custom-2nfqws
+++ b/init.d/sysv/custom-2nfqws
@ -1,44 +0,0 @@
-# this custom script demonstrates how to use 2 copies of nfqws
-# it preserves config settings : MODE_HTTP, MODE_HTTP_KEEPALIVE, MODE_HTTPS, MODE_FILTER, NFQWS_OPT_DESYNC
-# NFQWS_OPT_DESYNC - parameters for http
-# NFQWS_OPT_DESYNC2 - parameters for https. you should add this variable to config file, its absent there
-
-QNUM2=$(($QNUM+1))
-
-zapret_custom_daemons()
-{
-	local opt
-
-	[ "$MODE_HTTP" = "1" ] && {
-		opt="$NFQWS_OPT_DESYNC"
-		filter_apply_hostlist_target opt
-		do_nfqws $1 1 "$opt"
-	}
-
-	[ "$MODE_HTTPS" = "1" ] && {
-		opt="$NFQWS_OPT_DESYNC2 --qnum=$QNUM2"
-		filter_apply_hostlist_target opt
-		do_nfqws $1 2 "$opt"
-	}
-}
-zapret_custom_firewall()
-{
-	local f4 f6
-	local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
-	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-
-	[ "$MODE_HTTP" = "1" ] && {
-		f4="--dport 80"
-		[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
-		f6=$f4
-		filter_apply_ipset_target f4 f6
-		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
-	}
-	
-	[ "$MODE_HTTPS" = "1" ] && {
-		f4="--dport 443 $first_packet_only"
-		f6=$f4
-		filter_apply_ipset_target f4 f6
-		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM2
-	}
-}
--- a/init.d/sysv/custom-tpws4http-nfqws4https
+++ b/init.d/sysv/custom-tpws4http-nfqws4https
@ -6,13 +6,13 @@ zapret_custom_daemons()
 	local opt

 	[ "$MODE_HTTP" = "1" ] && {
-		opt="$TPWS_OPT"
+		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
 		do_tpws $1 1 "$opt"
 	}

 	[ "$MODE_HTTPS" = "1" ] && {
-		opt="$NFQWS_OPT_DESYNC"
+		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC"
 		filter_apply_hostlist_target opt
 		do_nfqws $1 2 "$opt"
 	}
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@ -12,7 +12,9 @@ WS_USER=tpws

 [ -n "$QNUM" ] || QNUM=200
 NFQWS="$ZAPRET_BASE/nfq/nfqws"
-NFQWS_OPT_BASE="--qnum=$QNUM --user=$WS_USER"
+NFQWS_OPT_BASE="--user=$WS_USER --dpi-desync-fwmark=$DESYNC_MARK"
+NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
+NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"

 [ -n "$TPPORT" ] || TPPORT=988
 TPWS="$ZAPRET_BASE/tpws/tpws"
@ -21,7 +23,7 @@ HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt.gz"
 [ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
 [ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"

-TPWS_OPT_BASE="--user=$WS_USER --port=$TPPORT"
+TPWS_OPT_BASE="--user=$WS_USER"
 TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
 TPWS_OPT_BASE6="--bind-addr=::1"
 TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
@ -29,6 +31,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 # first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
 TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"

+
 [ -n "$IFACE_WAN" ] && IPT_OWAN="-o $IFACE_WAN"
 [ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
 [ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"
@ -214,7 +217,7 @@ fw_tpws4()
 	# $3 - tpws port
 	[ "$DISABLE_IPV4" = "1" ] || {
 		[ "$1" = 1 ] && prepare_tpws_fw4
-		print_op $1 "$2" "tpws"
+		print_op $1 "$2" "tpws (port $3)"
 		[ -n "$IFACE_LAN" ] && {
 			ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
 	 	}
@ -227,7 +230,7 @@ fw_tpws6()
 	# $2 - iptable filter for ipv6
 	# $3 - tpws port
 	[ "$DISABLE_IPV6" = "1" ] || {
-		print_op $1 "$2" "tpws" 6
+		print_op $1 "$2" "tpws (port $3)" 6
 		[ -n "$IFACE_LAN" ] && {
 			dnat6_target
 			[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$3
@ -252,7 +255,7 @@ fw_nfqws_pre4()
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
 	[ "$DISABLE_IPV4" = "1" ] || {
-		print_op $1 "$2" "nfqws prerouting"
+		print_op $1 "$2" "nfqws prerouting (qnum $3)"
 		ipt_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@ -262,7 +265,7 @@ fw_nfqws_pre6()
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
 	[ "$DISABLE_IPV6" = "1" ] || {
-		print_op $1 "$2" "nfqws prerouting" 6
+		print_op $1 "$2" "nfqws prerouting (qnum $3)" 6
 		ipt6_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@ -281,7 +284,7 @@ fw_nfqws_post4()
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
 	[ "$DISABLE_IPV4" = "1" ] || {
-		print_op $1 "$2" "nfqws postrouting"
+		print_op $1 "$2" "nfqws postrouting (qnum $3)"
 		ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@ -291,7 +294,7 @@ fw_nfqws_post6()
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
 	[ "$DISABLE_IPV6" = "1" ] || {
-		print_op $1 "$2" "nfqws postrouting" 6
+		print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
 		ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@ -458,6 +461,7 @@ zapret_do_firewall()
 	local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 	local f4 f6
+	local qn

 	# always create ipsets. ip_exclude ipset is required
 	[ "$1" != "1" ] || create_ipset no-update
@ -478,9 +482,16 @@ zapret_do_firewall()
 			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
 				echo both http and https are disabled. not applying redirection.
 			else
-				if [ "$MODE_HTTP_KEEPALIVE" = "1" ]; then
+				if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
+					filter_apply_port_target f4
+					f4="$f4 $first_packet_only"
+					f6=$f4
+					filter_apply_ipset_target f4 f6
+					fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+				else
 					if [ "$MODE_HTTP" = "1" ]; then
 						f4="--dport 80"
+						[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 						f6=$f4
 						filter_apply_ipset_target f4 f6
 						fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
@ -489,14 +500,10 @@ zapret_do_firewall()
 						f4="--dport 443 $first_packet_only"
 						f6=$f4
 						filter_apply_ipset_target f4 f6
-						fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+						qn=$QNUM
+						[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || qn=$(($QNUM+1))
+						fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $qn
 					fi
-				else
-					filter_apply_port_target f4
-					f4="$f4 $first_packet_only"
-					f6=$f4
-					filter_apply_ipset_target f4 f6
-					fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
 				fi
 			fi
 			;;
@ -523,20 +530,25 @@ zapret_do_daemons()

 	case "${MODE}" in
 		tpws)
-			opt="$TPWS_OPT"
+			opt="--port=$TPPORT $TPWS_OPT"
 			filter_apply_hostlist_target opt
 			do_tpws $1 1 "$opt"
 			;;
 		tpws-socks)
-			opt="$TPWS_OPT_BASE --socks $TPWS_OPT"
+			opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT"
 			tpws_apply_socks_binds opt
 			filter_apply_hostlist_target opt
 			do_daemon $1 1 "$TPWS" "$opt"
 			;;
 		nfqws)
-			opt="$NFQWS_OPT_DESYNC"
+			opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTP"
 			filter_apply_hostlist_target opt
 			do_nfqws $1 1 "$opt"
+			[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || {
+				opt="--qnum=$(($QNUM+1)) $NFQWS_OPT_DESYNC_HTTPS"
+				filter_apply_hostlist_target opt
+				do_nfqws $1 2 "$opt"
+			}
 			;;
 		custom)
 	    		existf zapret_custom_daemons && zapret_custom_daemons $1
--- a/install_easy.sh
+++ b/install_easy.sh
@ -306,8 +306,10 @@ select_mode_mode()
 			;;
 		nfqws)
 			echo
-			echo nfqws options : $NFQWS_OPT_DESYNC
-			echo to change : edit NFQWS_OPT_DESYNC in $ZAPRET_CONFIG
+			echo "nfqws options (default) : $NFQWS_OPT_DESYNC"
+			echo "nfqws options (http)    : $NFQWS_OPT_DESYNC_HTTP"
+			echo "nfqws options (https)   : $NFQWS_OPT_DESYNC_HTTPS"
+			echo to change : edit NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTP, NFQWS_OPT_DESYNC_HTTPS in $ZAPRET_CONFIG
 			;;
 	esac
 }