AI inspired fixes

2026-03-13 22:03:09 +00:00 · 2026-01-10 18:54:26 +03:00
parent d18fec9053
commit 6bc0bf1b97
4 changed files with 94 additions and 107 deletions
--- a/common/installer.sh
+++ b/common/installer.sh
@@ -522,11 +522,6 @@ install_openwrt_firewall()
 {
 	echo \* installing firewall script $1

-	[ -n "MODE" ] || {
-		echo should specify MODE in $ZAPRET_CONFIG
-		exitp 7
-	}
-
 	echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
 	ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE"

--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -41,7 +41,7 @@ ipt6_add_del()
 }
 ipt6a_add_del()
 {
-	on_off_function ipt6 ipt6a_del "$@"
+	on_off_function ipt6a ipt6_del "$@"
 }

 is_ipt_flow_offload_avail()
--- a/init.d/custom.d.examples.linux/50-nfqws-ipset
+++ b/init.d/custom.d.examples.linux/50-nfqws-ipset
@@ -1,30 +1,30 @@
 # this custom script demonstrates how to launch extra nfqws instance limited by ipset

 # can override in config :
-NFQWS_MY1_OPT="${NFQWS_MY1_OPT:---filter-udp=* --payload known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
-NFQWS_MY1_SUBNETS4="${NFQWS_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
-NFQWS_MY1_SUBNETS6="${NFQWS_MY1_SUBNETS6:-2a00:1450::/29}"
-NFQWS_MY1_PORTS_TCP=${NFQWS_MY1_PORTS_TCP:-$NFQWS_PORTS_TCP}
-NFQWS_MY1_PORTS_UDP=${NFQWS_MY1_PORTS_UDP:-$NFQWS_PORTS_UDP}
-NFQWS_MY1_TCP_PKT_OUT=${NFQWS_MY1_TCP_PKT_OUT:-$NFQWS_TCP_PKT_OUT}
-NFQWS_MY1_UDP_PKT_OUT=${NFQWS_MY1_UDP_PKT_OUT:-$NFQWS_UDP_PKT_OUT}
-NFQWS_MY1_TCP_PKT_IN=${NFQWS_MY1_TCP_PKT_IN:-$NFQWS_TCP_PKT_IN}
-NFQWS_MY1_UDP_PKT_IN=${NFQWS_MY1_UDP_PKT_IN:-$NFQWS_UDP_PKT_IN}
+NFQWS2_MY1_OPT="${NFQWS2_MY1_OPT:---filter-udp=* --payload known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
+NFQWS2_MY1_SUBNETS4="${NFQWS2_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
+NFQWS2_MY1_SUBNETS6="${NFQWS2_MY1_SUBNETS6:-2a00:1450::/29}"
+NFQWS2_MY1_PORTS_TCP=${NFQWS2_MY1_PORTS_TCP:-$NFQWS2_PORTS_TCP}
+NFQWS2_MY1_PORTS_UDP=${NFQWS2_MY1_PORTS_UDP:-$NFQWS2_PORTS_UDP}
+NFQWS2_MY1_TCP_PKT_OUT=${NFQWS2_MY1_TCP_PKT_OUT:-$NFQWS2_TCP_PKT_OUT}
+NFQWS2_MY1_UDP_PKT_OUT=${NFQWS2_MY1_UDP_PKT_OUT:-$NFQWS2_UDP_PKT_OUT}
+NFQWS2_MY1_TCP_PKT_IN=${NFQWS2_MY1_TCP_PKT_IN:-$NFQWS2_TCP_PKT_IN}
+NFQWS2_MY1_UDP_PKT_IN=${NFQWS2_MY1_UDP_PKT_IN:-$NFQWS2_UDP_PKT_IN}

-NFQWS_MY1_IPSET_SIZE=${NFQWS_MY1_IPSET_SIZE:-4096}
-NFQWS_MY1_IPSET_OPT="${NFQWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $NFQWS_MY1_IPSET_SIZE}"
+NFQWS2_MY1_IPSET_SIZE=${NFQWS2_MY1_IPSET_SIZE:-4096}
+NFQWS2_MY1_IPSET_OPT="${NFQWS2_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $NFQWS2_MY1_IPSET_SIZE}"

-alloc_dnum DNUM_NFQWS_MY1
-alloc_qnum QNUM_NFQWS_MY1
-NFQWS_MY1_NAME4=my1nfqws4
-NFQWS_MY1_NAME6=my1nfqws6
+alloc_dnum DNUM_NFQWS2_MY1
+alloc_qnum QNUM_NFQWS2_MY1
+NFQWS2_MY1_NAME4=my1nfqws4
+NFQWS2_MY1_NAME6=my1nfqws6

 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop

-	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_MY1_OPT"
-	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+	local opt="--qnum=$QNUM_NFQWS2_MY1 $NFQWS2_MY1_OPT"
+	do_nfqws $1 $DNUM_NFQWS2_MY1 "$opt"
 }

 zapret_custom_firewall()
@@ -32,103 +32,103 @@ zapret_custom_firewall()
 	# $1 - 1 - run, 0 - stop

 	local f4 f6 subnet
-	local NFQWS_MY1_PORTS_TCP=$(replace_char - : $NFQWS_MY1_PORTS_TCP)
-	local NFQWS_MY1_PORTS_UDP=$(replace_char - : $NFQWS_MY1_PORTS_UDP)
+	local NFQWS2_MY1_PORTS_TCP=$(replace_char - : $NFQWS2_MY1_PORTS_TCP)
+	local NFQWS2_MY1_PORTS_UDP=$(replace_char - : $NFQWS2_MY1_PORTS_UDP)

 	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
-		ipset create $NFQWS_MY1_NAME4 $NFQWS_MY1_IPSET_OPT family inet 2>/dev/null
-		ipset flush $NFQWS_MY1_NAME4
-		for subnet in $NFQWS_MY1_SUBNETS4; do
-			echo add $NFQWS_MY1_NAME4 $subnet
+		ipset create $NFQWS2_MY1_NAME4 $NFQWS2_MY1_IPSET_OPT family inet 2>/dev/null
+		ipset flush $NFQWS2_MY1_NAME4
+		for subnet in $NFQWS2_MY1_SUBNETS4; do
+			echo add $NFQWS2_MY1_NAME4 $subnet
 		done | ipset -! restore
 	}
 	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
-		ipset create $NFQWS_MY1_NAME6 $NFQWS_MY1_IPSET_OPT family inet6 2>/dev/null
-		ipset flush $NFQWS_MY1_NAME6
-		for subnet in $NFQWS_MY1_SUBNETS6; do
-			echo add $NFQWS_MY1_NAME6 $subnet
+		ipset create $NFQWS2_MY1_NAME6 $NFQWS2_MY1_IPSET_OPT family inet6 2>/dev/null
+		ipset flush $NFQWS2_MY1_NAME6
+		for subnet in $NFQWS2_MY1_SUBNETS6; do
+			echo add $NFQWS2_MY1_NAME6 $subnet
 		done | ipset -! restore
 	}

-	[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
-		[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
-			f4="-p tcp -m multiport --dports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_OUT -m set --match-set"
-			f6="$f4 $NFQWS_MY1_NAME6 dst"
-			f4="$f4 $NFQWS_MY1_NAME4 dst"
-			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+	[ -n "$NFQWS2_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS2_MY1_TCP_PKT_OUT" -a "$NFQWS2_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="-p tcp -m multiport --dports $NFQWS2_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS2_MY1_TCP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 dst"
+			f4="$f4 $NFQWS2_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
-		[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
-			f4="-p tcp -m multiport --sports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_IN -m set --match-set"
-			f6="$f4 $NFQWS_MY1_NAME6 src"
-			f4="$f4 $NFQWS_MY1_NAME4 src"
-			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		[ -n "$NFQWS2_MY1_TCP_PKT_IN" -a "$NFQWS2_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="-p tcp -m multiport --sports $NFQWS2_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS2_MY1_TCP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 src"
+			f4="$f4 $NFQWS2_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
 	}
-	[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
-		[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
-			f4="-p udp -m multiport --dports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_OUT -m set --match-set"
-			f6="$f4 $NFQWS_MY1_NAME6 dst"
-			f4="$f4 $NFQWS_MY1_NAME4 dst"
-			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+	[ -n "$NFQWS2_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS2_MY1_UDP_PKT_OUT" -a "$NFQWS2_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="-p udp -m multiport --dports $NFQWS2_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS2_MY1_UDP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 dst"
+			f4="$f4 $NFQWS2_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
-		[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
-			f4="-p udp -m multiport --sports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_IN -m set --match-set"
-			f6="$f4 $NFQWS_MY1_NAME6 src"
-			f4="$f4 $NFQWS_MY1_NAME4 src"
-			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		[ -n "$NFQWS2_MY1_UDP_PKT_IN" -a "$NFQWS2_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="-p udp -m multiport --sports $NFQWS2_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS2_MY1_UDP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 src"
+			f4="$f4 $NFQWS2_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
 	}

 	[ "$1" = 1 ] || {
-		ipset destroy $NFQWS_MY1_NAME4 2>/dev/null
-		ipset destroy $NFQWS_MY1_NAME6 2>/dev/null
+		ipset destroy $NFQWS2_MY1_NAME4 2>/dev/null
+		ipset destroy $NFQWS2_MY1_NAME6 2>/dev/null
 	}
 }

 zapret_custom_firewall_nft()
 {
 	local f4 f6 subnets
-	local first_packets_only="$nft_connbytes 1-$NFQWS_MY1_PKT_OUT"
+	local first_packets_only="$nft_connbytes 1-$NFQWS2_MY1_PKT_OUT"

 	[ "$DISABLE_IPV4" != 1 ] && {
-		make_comma_list subnets $NFQWS_MY1_SUBNETS4
-		nft_create_set $NFQWS_MY1_NAME4 "type ipv4_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
-		nft_flush_set $NFQWS_MY1_NAME4
-		nft_add_set_element $NFQWS_MY1_NAME4 "$subnets"
+		make_comma_list subnets $NFQWS2_MY1_SUBNETS4
+		nft_create_set $NFQWS2_MY1_NAME4 "type ipv4_addr; size $NFQWS2_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS2_MY1_NAME4
+		nft_add_set_element $NFQWS2_MY1_NAME4 "$subnets"
 	}
 	[ "$DISABLE_IPV6" != 1 ] && {
-		make_comma_list subnets $NFQWS_MY1_SUBNETS6
-		nft_create_set $NFQWS_MY1_NAME6 "type ipv6_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
-		nft_flush_set $NFQWS_MY1_NAME6
-		nft_add_set_element $NFQWS_MY1_NAME6 "$subnets"
+		make_comma_list subnets $NFQWS2_MY1_SUBNETS6
+		nft_create_set $NFQWS2_MY1_NAME6 "type ipv6_addr; size $NFQWS2_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS2_MY1_NAME6
+		nft_add_set_element $NFQWS2_MY1_NAME6 "$subnets"
 	}

-	[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
-		[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
-			f4="tcp dport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_OUT)"
-			f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
-			f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
-			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+	[ -n "$NFQWS2_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS2_MY1_TCP_PKT_OUT" -a "$NFQWS2_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="tcp dport {$NFQWS2_MY1_PORTS_TCP} $(nft_first_packets $NFQWS2_MY1_TCP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
-		[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
-			f4="tcp sport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_IN)"
-			f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
-			f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
-			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		[ -n "$NFQWS2_MY1_TCP_PKT_IN" -a "$NFQWS2_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="tcp sport {$NFQWS2_MY1_PORTS_TCP} $(nft_first_packets $NFQWS2_MY1_TCP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
 	}
-	[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
-		[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
-			f4="udp dport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_OUT)"
-			f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
-			f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
-			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+	[ -n "$NFQWS2_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS2_MY1_UDP_PKT_OUT" -a "$NFQWS2_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="udp dport {$NFQWS2_MY1_PORTS_UDP} $(nft_first_packets $NFQWS2_MY1_UDP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
-		[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
-			f4="udp sport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_IN)"
-			f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
-			f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
-			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		[ -n "$NFQWS2_MY1_UDP_PKT_IN" -a "$NFQWS2_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="udp sport {$NFQWS2_MY1_PORTS_UDP} $(nft_first_packets $NFQWS2_MY1_UDP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
 		}
 	}
 }
@@ -139,6 +139,6 @@ zapret_custom_firewall_nft_flush()
 	# this function is called after all nft fw rules are deleted
 	# however sets are not deleted. it's desired to clear sets here.

-	nft_del_set $NFQWS_MY1_NAME4 2>/dev/null
-	nft_del_set $NFQWS_MY1_NAME6 2>/dev/null
+	nft_del_set $NFQWS2_MY1_NAME4 2>/dev/null
+	nft_del_set $NFQWS2_MY1_NAME6 2>/dev/null
 }
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -989,24 +989,18 @@ bool IsQUICCryptoHello(const uint8_t *data, size_t len, size_t *hello_offset, si
 uint8_t QUICDraftVersion(uint32_t version)
 {
 	/* IETF Draft versions */
-	if ((version >> 8) == 0xff0000) {
+	if ((version >> 8) == 0xff0000)
 		return (uint8_t)version;
-	}
 	/* Facebook mvfst, based on draft -22. */
-	if (version == 0xfaceb001) {
+	if (version == 0xfaceb001)
 		return 22;
-	}
 	/* Facebook mvfst, based on draft -27. */
-	if (version == 0xfaceb002 || version == 0xfaceb00e) {
+	if (version == 0xfaceb002 || version == 0xfaceb00e)
 		return 27;
-	}
 	/* GQUIC Q050, T050 and T051: they are not really based on any drafts,
 	 * but we must return a sensible value */
-	if (version == 0x51303530 ||
-		version == 0x54303530 ||
-		version == 0x54303531) {
+	if (version == 0x51303530 || version == 0x54303530 || version == 0x54303531)
 		return 27;
-	}
 	/* https://tools.ietf.org/html/draft-ietf-quic-transport-32#section-15
 	   "Versions that follow the pattern 0x?a?a?a?a are reserved for use in
 	   forcing version negotiation to be exercised"
@@ -1014,19 +1008,17 @@ uint8_t QUICDraftVersion(uint32_t version)
 	   used to select a proper salt (which depends on the version itself), but
 	   we don't have a real version here! Let's hope that we need to handle
 	   only latest drafts... */
-	if ((version & 0x0F0F0F0F) == 0x0a0a0a0a) {
+	if ((version & 0x0F0F0F0F) == 0x0a0a0a0a)
 		return 29;
-	}
 	/* QUIC (final?) constants for v1 are defined in draft-33, but draft-34 is the
 	   final draft version */
-	if (version == 0x00000001) {
+	if (version == 0x00000001)
 		return 34;
-	}
 	/* QUIC Version 2 */
 	/* TODO: for the time being use 100 as a number for V2 and let see how v2 drafts evolve */
-	if (version == 0x709A50C4) {
+	if ((version == 0x709A50C4) || (version == 0x6b3343cf))
 		return 100;
-	}
+
 	return 0;
 }

@@ -1036,7 +1028,7 @@ static bool is_quic_draft_max(uint32_t draft_version, uint8_t max_version)
 }
 static bool is_quic_v2(uint32_t version)
 {
-    return version == 0x6b3343cf;
+    return (version == 0x709A50C4) || (version == 0x6b3343cf);
 }

 static bool quic_hkdf_expand_label(const uint8_t *secret, uint8_t secret_len, const char *label, uint8_t *out, size_t out_len)