From fc837e14fa8fa6f79f2a176326be1231bded2cd5 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Tue, 12 Aug 2025 10:53:45 +0300
Subject: [PATCH] windivert filter examples
---
 .gitattributes | 1 +
 init.d/windivert.filter.examples/README.txt | 12 ++++++++
 .../windivert.discord_media+stun.txt | 28 +++++++++++++++++++
 .../windivert.discord_media.txt | 25 +++++++++++++++++
 .../windivert.stun.txt | 8 ++++++
 .../windivert.wireguard.txt | 8 ++++++
 6 files changed, 82 insertions(+)
 create mode 100644 init.d/windivert.filter.examples/README.txt
 create mode 100644 init.d/windivert.filter.examples/windivert.discord_media+stun.txt
 create mode 100644 init.d/windivert.filter.examples/windivert.discord_media.txt
 create mode 100644 init.d/windivert.filter.examples/windivert.stun.txt
 create mode 100644 init.d/windivert.filter.examples/windivert.wireguard.txt
diff --git a/.gitattributes b/.gitattributes
index 8ecdb83..bf6d17c 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,4 @@
 * text=auto eol=lf
 *.cmd eol=crlf
 *.bat eol=crlf
+init.d/windivert.filter.examples/** eol=crlf
diff --git a/init.d/windivert.filter.examples/README.txt b/init.d/windivert.filter.examples/README.txt
new file mode 100644
index 0000000..96720a6
--- /dev/null
+++ b/init.d/windivert.filter.examples/README.txt
@@ -0,0 +1,12 @@
+Цель этих фильтров - отсекать полезную нагрузку в режиме ядра, не насилуя процессор перенаправлением целого потока на winws.
+Задействуются через `winws --wf-raw=@filename`.
+Однако, язык фильтров windivert не содержит операций с битовыми полями, сдвигов и побитовой логики.
+Поэтому фильтры получились более слабыми, способными передавать неправильную нагрузку.
+Дофильтрация производится силами winws.
+
+Пример инстанса для пробития медиапотоков в discord : `winws --wf-raw=@windivert.discord_media+stun.txt --dpi-desync=fake`
+
+These filters are invoked using `winws --wf-raw=@filename`.
+Filters are kernel mode and save great amount of CPU.
+However windivert cannot filter by bit fields, lacks shift and bitwise logic operations.
+Filters are relaxed and can pass wrong payloads. Finer filtering is done by winws.
diff --git a/init.d/windivert.filter.examples/windivert.discord_media+stun.txt b/init.d/windivert.filter.examples/windivert.discord_media+stun.txt
new file mode 100644
index 0000000..9698bda
--- /dev/null
+++ b/init.d/windivert.filter.examples/windivert.discord_media+stun.txt
@@ -0,0 +1,28 @@
+!impostor and !loopback and
+ (outbound and
+ ((udp.DstPort>=50000 and udp.DstPort<=50099 and
+ udp.PayloadLength=74 and
+ udp.Payload32[0]=0x00010046 and
+ udp.Payload32[2]=0 and
+ udp.Payload32[3]=0 and
+ udp.Payload32[4]=0 and
+ udp.Payload32[5]=0 and
+ udp.Payload32[6]=0 and
+ udp.Payload32[7]=0 and
+ udp.Payload32[8]=0 and
+ udp.Payload32[9]=0 and
+ udp.Payload32[10]=0 and
+ udp.Payload32[11]=0 and
+ udp.Payload32[12]=0 and
+ udp.Payload32[13]=0 and
+ udp.Payload32[14]=0 and
+ udp.Payload32[15]=0 and
+ udp.Payload32[16]=0 and
+ udp.Payload32[17]=0)
+ or
+ (udp.PayloadLength>=20 and
+ udp.Payload32[1]=0x2112A442)) and
+ ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
+ ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
+ )
+ )
diff --git a/init.d/windivert.filter.examples/windivert.discord_media.txt b/init.d/windivert.filter.examples/windivert.discord_media.txt
new file mode 100644
index 0000000..f12a4df
--- /dev/null
+++ b/init.d/windivert.filter.examples/windivert.discord_media.txt
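Review bot: In windivert.discord_media+stun.txt the IPv4 destination exclusions are looser than the IPv6 ones: the first range starts at `127.0.0.1`, so 127.0.0.0 counts as routable, and nothing excludes 224.0.0.0/4 multicast or 255.255.255.255, although the IPv6 clause does exclude ff00::. For a filter meant to hand only Internet-bound payloads to winws, I would write `(ip.DstAddr < 127.0.0.0 or ip.DstAddr > 127.255.255.255)` and add `and ip.DstAddr < 224.0.0.0` to the IPv4 clause. The IPv6 multicast test also stops at `ffff::0`, which lets ffff::/16 through; `ipv6.DstAddr < ff00::0` alone would cover the whole range. The same two address lines are copied into windivert.discord_media.txt, windivert.stun.txt and windivert.wireguard.txt, so the change applies there as well.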
@@ -0,0 +1,25 @@
+!impostor and !loopback and
+ (outbound and
+ udp.DstPort>=50000 and udp.DstPort<=50099 and
+ udp.PayloadLength=74 and
+ udp.Payload32[0]=0x00010046 and
+ udp.Payload32[2]=0 and
+ udp.Payload32[3]=0 and
+ udp.Payload32[4]=0 and
+ udp.Payload32[5]=0 and
+ udp.Payload32[6]=0 and
+ udp.Payload32[7]=0 and
+ udp.Payload32[8]=0 and
+ udp.Payload32[9]=0 and
+ udp.Payload32[10]=0 and
+ udp.Payload32[11]=0 and
+ udp.Payload32[12]=0 and
+ udp.Payload32[13]=0 and
+ udp.Payload32[14]=0 and
+ udp.Payload32[15]=0 and
+ udp.Payload32[16]=0 and
+ udp.Payload32[17]=0 and
+ ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
+ ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
+ )
+ )
diff --git a/init.d/windivert.filter.examples/windivert.stun.txt b/init.d/windivert.filter.examples/windivert.stun.txt
new file mode 100644
index 0000000..58089d5
--- /dev/null
+++ b/init.d/windivert.filter.examples/windivert.stun.txt
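Review bot: The constants in windivert.discord_media.txt are undocumented: nothing says why the payload must be exactly 74 bytes, why word 0 is `0x00010046`, or that `udp.Payload32[1]` and the last two bytes are left unchecked on purpose. README.txt explains only the purpose of the filters, and it is not visible here whether a filter file can carry comments, so I would add a README line such as `discord_media: 74-byte packet, word 0 = 0x00010046, word 1 not compared, words 2-17 zero, bytes 72-73 not compared`. The same sequence appears in windivert.discord_media+stun.txt. Without that description, a later edit that drops or adds one of the sixteen zero checks is hard to review.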
@@ -0,0 +1,8 @@
+!impostor and !loopback and
+ (outbound and
+ udp.PayloadLength>=20 and
+ udp.Payload32[1]=0x2112A442 and
+ ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
+ ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
+ )
+ )
diff --git a/init.d/windivert.filter.examples/windivert.wireguard.txt b/init.d/windivert.filter.examples/windivert.wireguard.txt
new file mode 100644
index 0000000..839b3ff
--- /dev/null
+++ b/init.d/windivert.filter.examples/windivert.wireguard.txt
@@ -0,0 +1,8 @@
+!impostor and !loopback and
+ (outbound and
+ udp.PayloadLength=148 and
+ udp.Payload[0]=0x01 and
+ ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
+ ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
+ )
+ )
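Review bot: windivert.stun.txt matches any outbound UDP datagram of 20 bytes or more whose bytes 4-7 equal `0x2112A442`, on every destination port, so a single 32-bit value is all that separates STUN from other traffic. The README attributes the looseness to the missing bitwise operators, but the rule that the two top bits of a STUN message are zero can be written as a plain comparison: `udp.Payload[0]<0x40 and`. That keeps more unrelated datagrams in the kernel instead of diverting them to winws. The STUN branch of windivert.discord_media+stun.txt would take the same line.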
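Review bot: windivert.wireguard.txt checks only the first payload byte (`udp.Payload[0]=0x01`) besides the 148-byte length, so any 148-byte datagram that starts with 0x01 is diverted. A WireGuard handshake initiation carries three reserved zero bytes after the type byte, so the test can cover the whole first word: `udp.Payload32[0]=0x01000000`. This assumes Payload32 compares in network byte order, which the `0x00010046` and `0x2112A442` constants in the other filters suggest; confirm against the WinDivert version that is shipped.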