diff --git a/docs/manual.en.md b/docs/manual.en.md index 733a6c4..7211ad6 100644 --- a/docs/manual.en.md +++ b/docs/manual.en.md @@ -1,4 +1,5 @@ -

This manual is mostly AI translated from russian

+> [!NOTE] +> This manual is mostly AI translated from russian # Contents @@ -38,8 +39,8 @@ - [Dissect structure](#dissect-structure) - [Handling multi-packet payloads](#handling-multi-packet-payloads) - [The track table structure](#the-track-table-structure) - - [icmp processing](#icmp-processing) - - [raw ip processing](#raw-ip-processing) + - [ICMP processing](#icmp-processing) + - [raw IP processing](#raw-ip-processing) - [nfqws2 C interface](#nfqws2-c-interface) - [Base constants](#base-constants) - [Standard blobs](#standard-blobs) @@ -255,7 +256,7 @@ - [get\_refilter\_\*.sh](#get_refilter_sh) - [get\_reestr\_\*.sh](#get_reestr_sh) - [ipban system](#ipban-system) - - [Startup scripts](#startup-scripts-1) + - [Init scripts](#init-scripts) - [Firewall integration](#firewall-integration) - [OpenWRT firewall integration](#openwrt-firewall-integration) - [Custom scripts](#custom-scripts) 
@@ -286,11 +287,11 @@ zapret2 is a packet manipulator primarily designed to perform various autonomous # Project structure -The core component of zapret2 is the **nfqws2** program (**dvtws2** on BSD, **winws2** on Windows). Written in C, it serves as the primary packet manipulator. It includes functions for packet interception, basic [filtering](#using-multiple-profiles), recognition of major protocols and payloads, support for host and IP [lists](#filtering-by-lists), [automated](#failure-detector-and-auto-hostlists) hostlists with block detection, a system of multiple [profiles](#using-multiple-profiles) (strategies), [raw packet transmission](#receiving-and-sending-packets), and other utility functions. However, it does not contain the logic for traffic modification itself; this is handled by Lua code called from [nfqws2](#nfqws2). +The core component of zapret2 is the **nfqws2** program (**dvtws2** on BSD, **winws2** on Windows). Written in C, it serves as the primary packet manipulator. It includes functions for packet interception, basic [filtering](#using-multiple-profiles), recognition of major protocols and payloads, support for host and IP [lists](#filtering-by-lists), [automated](#autohostlist-failure-detector) hostlists with block detection, a system of multiple [profiles](#using-multiple-profiles) (strategies), [raw packet transmission](#receiving-and-sending-packets), and other utility functions. However, it does not contain the logic for traffic modification itself; this is handled by Lua code called from [nfqws2](#nfqws2). Consequently, the Lua code is the next most critical part of the project. The base package includes the [zapret-lib.lua](#zapret-liblua-base-function-library) helper library, the [zapret-antidpi.lua](#zapret-antidpilua-dpi-attack-program-library) DPI attack library, and the [zapret-auto.lua](#zapret-autolua-automation-and-orchestration-library) orchestration library for dynamic decision-making. 
Additionally, it features `zapret-tests.lua` for testing C functions, `zapret-obfs.lua` for protocol obfuscation, and `zapret-pcap.lua` for capturing traffic into .cap files. -Project requires LuaJIT-2.1+ or PUC Lua 5.3+. Older versions are not tested and not supported. +The project requires LuaJIT-2.1+ or PUC Lua 5.3+. Older versions are not tested and not supported. Traffic redirection from the kernel is handled by [iptables](#traffic-interception-using-iptables) and [nftables](#traffic-interception-using-nftables) in [Linux](#traffic-interception-in-the-linux-kernel), [ipfw](#traffic-interception-in-the-freebsd-kernel) in [FreeBSD](#traffic-interception-in-the-freebsd-kernel), and [pf](#traffic-interception-in-the-openbsd-kernel) in [OpenBSD](#traffic-interception-in-the-openbsd-kernel). On [Windows](#traffic-interception-in-the-windows-kernel), this functionality is built directly into the winws2 process via the WinDivert driver. The kernel interception scheme, nfqws2, and the Lua code constitute the project's minimal working core. Everything else is supplementary, secondary, or optional. 
@@ -368,7 +369,7 @@ This is achieved using `iptables` or `nftables` via the NFQUEUE mechanism. If you have to choose between `iptables` and `nftables`, you should definitely choose `nftables`. Support for `nftables` in the [startup scripts](#startup-scripts) is more robust, and the technology itself is much more "neighbor-friendly" toward rules from other programs because it uses separate tables. In `iptables`, everything is mixed together, and one program's rules might break another's. `iptables` should be considered a legacy option for compatibility when no other choice exists. In a modern Linux distribution, you should definitely avoid `iptables`. However, if you are using an older Linux version (kernel older than 5.15 or `nft` older than 1.0.1) and cannot upgrade, `iptables` is better, as older kernels and `nft` versions will have issues. The following test examples are intended for custom startup systems or manual execution. -The `zapret` startup scripts generate the necessary rules automatically; you do not need to write `ip/nf tables` rules yourself. +The `zapret` startup scripts generate the necessary rules automatically; you do not need to write iptables/nftables rules yourself. ### Traffic interception using nftables 
@@ -722,7 +723,7 @@ Specific parameters for winws2: --wf-ipp-out=type[:code] ; WinDivert constructor: raw IP protocols for interception in the outgoing direction. Comma-separated list. --wf-tcp-empty=[~]port1[-port2] ; WinDivert constructor: intercept empty TCP ACK packets. Default is no. --wf-raw-part=|@ ; WinDivert constructor: partial WinDivert raw filter. Combined using OR principle. Multiple allowed. - --wf-raw-filter=|@ ; WinDivert constructor: partial WinDivert raw фильтр. Combined using AND principle. Only one is allowed. + --wf-raw-filter=|@ ; WinDivert constructor: partial WinDivert raw filter. Combined using AND principle. Only one is allowed. --wf-filter-lan=0|1 ; WinDivert constructor: filter out non-global IP addresses. Default is yes. --wf-raw=|@ ; full WinDivert filter. Overrides the constructor. --wf-dup-check[=0|1] ; 1 (default) = do not allow duplicate winws2 instances with the same wf filter @@ -735,8 +736,8 @@ LOGICAL NETWORK FILTER: ## Protocol detection -nfqws2 signatures the payload types of individual packets or groups of packets. -All packets without data have payload empty. Undetermined payloads have payload type "unknown". +nfqws2 signatures the payload types of individual packets or packet groups. +All packets without data have payload type "empty", undetermined payloads - type "unknown". The flow protocol is assigned after receiving the first known payload and remains with the flow for the rest of its existence. In this case, subsequent payloads can have both a known type and an unknown one. In payload and flow protocol filters special values are available - "all" and "known". "all" means any, "known" - not "empty" and not "unknown". 
@@ -787,12 +788,13 @@ For TLS, HTTP, and QUIC protocols, there is typically only one jump because the When writing strategies, they should be designed with this jump logic in mind. If a strategy needs to start from the very first packet and continue working after a profile change, you must duplicate the calls across all profiles the flow might pass through. -4 filter groups - tcp, udp, icmp, ipp are OR combined. If there're no filters in that groups - everything is allowed. -If any defined - all undefined are blocked. +Four filter groups - tcp, udp, icmp, ipp are OR combined. If there're no filters in these groups - everything is allowed. +If any filters are defined - all undefined groups are blocked. ipp filter does not work with tcp, udp and icmp. They are checked by their specific filters. For example, `--filter-ipp=6` does not work. What is meant could be achieved with `--filter-tcp=*`. -icmp automatically assumes icmpv6 - they are processed the same they. However icmp types for [icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) and [icmpv6](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) differ. +icmp filter matches both icmp and icmpv6 - they are processed the same they. +However, icmp types differ between [icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) and [icmpv6](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml). ### Profile templates 
@@ -829,9 +831,9 @@ Any parameters applicable to profiles, including filters, are allowed within tem ### Filtering by ipsets -- In case of tcp or udp server address is matched in client mode и and client address in [server mode](#server-mode). -- related icmp use cached profile from the original packet. -- Unrelated icmp and и raw ip are matched by either source or destination ip. To match ipset any of two must match. +- For TCP and UDP the server address is matched in client mode and the client address in [server mode](#server-mode). +- Related ICMP use the cached profile from the original packet. +- Unrelated ICMP and и raw IP are matched by either source or destination ip. To match an ipset either IP must match. ### Filtering by lists @@ -1467,12 +1469,12 @@ All multi-byte numeric values are automatically converted from network byte orde icmp header is the first 8 bytes of ICMP. This part is mandatory for all icmp types - both ipv4 and ipv6. Following data including optional headers or attached IP packet goes to payload. -| Поле | Описание | -| :---------- | :--------------------------------------------------- | -| icmp_type | [icmp type](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | -| icmp_code | [icmp code](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | -| icmp_cksum | ICMP checksum | -| icmp_data | 32-bit field at 4-byte offset | +| Field | Description | +| :--------- | :---------- | +| icmp_type | [icmp type](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | +| icmp_code | [icmp code](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | +| icmp_cksum | ICMP checksum | +| icmp_data | 32-bit field at 4-byte offset | ### Handling multi-packet payloads 
@@ -1556,7 +1558,7 @@ However, the latter simple comparison will not work correctly, whereas the forme It is impossible to track anything beyond that using sequences. Always keep in mind that when transferring large volumes of data, sequences cannot serve as a counter. The `p*counter` fields are 64-bit counters, so they do not suffer from this issue. -#### icmp processing +#### ICMP processing Some icmp types may contain an attached source packet to which icmp was generated. They are called "related." Such payloads are recognized, they are used to search the original conntrack record. @@ -1571,7 +1573,7 @@ without track. conntrack works only with tcp and udp, it does not keep records of pings or other icmp types. No counters change when icmp traverses the conntrack entry. -#### raw ip processing +#### raw IP processing If the ip protocol is not recognized as tcp, udp, icmp, icmpv6, it is considered raw ip. Dissect has ip/ip6 field and payload. Payload contains all data after L3 headers. @@ -1603,7 +1605,7 @@ Before executing `--lua-init`, the C code sets up base constants, blobs, and C f | TCP_BASE_LEN | number | Base TCP header size | 20 | | UDP_BASE_LEN | number | UDP header size | 8 | | TCP_KIND_END
TCP_KIND_NOOP
TCP_KIND_MSS
TCP_KIND_SCALE
TCP_KIND_SACK_PERM
TCP_KIND_SACK
TCP_KIND_TS
TCP_KIND_MD5
TCP_KIND_AO
TCP_KIND_FASTOPEN | number | TCP option type codes (kinds) | | -| TH_FIN
TH_SYN
TH_RST
TH_PUSH
TH_ACK
TH_FIN
TH_URG
TH_ECE
TH_CWR | number | TCP flags | Can be combined using + | +| TH_FIN
TH_SYN
TH_RST
TH_PUSH
TH_ACK
TH_URG
TH_ECE
TH_CWR | number | TCP flags | Can be combined using + | | IP_MF | number | IP "more fragments" flag | 0x8000, part of the ip_off field | | IP_DF | number | IP "don't fragment" flag | 0x4000, part of the ip_off field | | IP_RF | number | IP "reserved" flag | 0x2000, part of the ip_off field | @@ -1619,14 +1621,14 @@ Before executing `--lua-init`, the C code sets up base constants, blobs, and C f | IPV6_FLOWLABEL_MASK | number | flow label in ip6_flow | 0x000FFFFF | | IPV6_FLOWINFO_MASK | number | flow label and traffic class in ip6_flow | 0x0FFFFFFF | | IPPROTO_IP
IPPROTO_IPV6
IPPROTO_ICMP
IPPROTO_ICMPV6
IPPROTO_TCP
IPPROTO_UDP
IPPROTO_SCTP
IPPROTO_HOPOPTS
IPPROTO_ROUTING
IPPROTO_FRAGMENT
IPPROTO_AH
IPPROTO_ESP
IPPROTO_DSTOPTS
IPPROTO_MH
IPPROTO_HIP
IPPROTO_SHIM6
IPPROTO_NONE | number | [IP protocol numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | used in IPv4 and IPv6 | -| ICMP_ECHOREPLY
ICMP_DEST_UNREACH
ICMP_REDIRECT
ICMP_ECHO
ICMP_TIME_EXCEEDED
ICMP_PARAMETERPROB
ICMP_TIMESTAMP
ICMP_TIMESTAMPREPLY
ICMP_INFO_REQUEST
ICMP_INFO_REPLY | number | [icmp types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | -| ICMP_UNREACH_NET
ICMP_UNREACH_HOST
ICMP_UNREACH_PROTOCOL
ICMP_UNREACH_PORT
ICMP_UNREACH_NEEDFRAG
ICMP_UNREACH_SRCFAIL
ICMP_UNREACH_NET_UNKNOWN
ICMP_UNREACH_HOST_UNKNOWN
ICMP_UNREACH_NET_PROHIB
ICMP_UNREACH_HOST_PROHIB
ICMP_UNREACH_TOSNET
ICMP_UNREACH_TOSHOST
ICMP_UNREACH_FILTER_PROHIB
ICMP_UNREACH_HOST_PRECEDENCE
ICMP_UNREACH_PRECEDENCE_CUTOFF | number | icmp codes for destination unreachable | -| ICMP_REDIRECT_NET
ICMP_REDIRECT_HOST
ICMP_REDIRECT_TOSNET
ICMP_REDIRECT_TOSHOST | number | icmp codes for redirect | -| ICMP_TIMXCEED_INTRANS
ICMP_TIMXCEED_REASS | number | icmp codes for time exceeded | -| ICMP6_ECHO_REQUEST
ICMP6_ECHO_REPLY
ICMP6_DST_UNREACH
ICMP6_PACKET_TOO_BIG
ICMP6_TIME_EXCEEDED
ICMP6_PARAM_PROB
MLD_LISTENER_QUERY
MLD_LISTENER_REPORT
MLD_LISTENER_REDUCTION
ND_ROUTER_SOLICIT
ND_ROUTER_ADVERT
ND_NEIGHBOR_SOLICIT
ND_NEIGHBOR_ADVERT
ND_REDIRECT | number | [icmpv6 types](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) | -| ICMP6_DST_UNREACH_NOROUTE
ICMP6_DST_UNREACH_ADMIN
ICMP6_DST_UNREACH_BEYONDSCOPE
ICMP6_DST_UNREACH_ADDR
ICMP6_DST_UNREACH_NOPORT | number | icmpv6 codes for destination unreachable | -| ICMP6_TIME_EXCEED_TRANSIT
ICMP6_TIME_EXCEED_REASSEMBLY | number | icmpv6 codes for time exceeded | -| ICMP6_PARAMPROB_HEADER
ICMP6_PARAMPROB_NEXTHEADER
ICMP6_PARAMPROB_OPTION | number | icmpv6 codes for parameter problem | +| ICMP_ECHOREPLY
ICMP_DEST_UNREACH
ICMP_REDIRECT
ICMP_ECHO
ICMP_TIME_EXCEEDEDICMP_TIMESTAMP
ICMP_TIMESTAMPREPLY
ICMP_INFO_REQUEST
ICMP_INFO_REPLY | number | [icmp types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | | +| ICMP_UNREACH_NET
ICMP_UNREACH_HOST
ICMP_UNREACH_PROTOCOL
ICMP_UNREACH_PORT
ICMP_UNREACH_NEEDFRAG
ICMP_UNREACH_SRCFAIL
ICMP_UNREACH_NET_UNKNOWN
ICMP_UNREACH_HOST_UNKNOWN
ICMP_UNREACH_NET_PROHIB
ICMP_UNREACH_HOST_PROHIB
ICMP_UNREACH_TOSNET
ICMP_UNREACH_TOSHOST
ICMP_UNREACH_FILTER_PROHIB
ICMP_UNREACH_HOST_PRECEDENCE
ICMP_UNREACH_PRECEDENCE_CUTOFF | number | icmp codes for destination unreachable | | +| ICMP_REDIRECT_NET
ICMP_REDIRECT_HOST
ICMP_REDIRECT_TOSNET
ICMP_REDIRECT_TOSHOST | number | icmp codes for redirect | | +| ICMP_TIMXCEED_INTRANS
ICMP_TIMXCEED_REASS | number | icmp codes for time exceeded | | +| ICMP6_ECHO_REQUEST
ICMP6_ECHO_REPLY
ICMP6_DST_UNREACH
ICMP6_PACKET_TOO_BIG
ICMP6_TIME_EXCEEDED
ICMP6_PARAM_PROB
MLD_LISTENER_QUERY
MLD_LISTENER_REPORT
MLD_LISTENER_REDUCTION
ND_ROUTER_SOLICIT
ND_ROUTER_ADVERT
ND_NEIGHBOR_SOLICIT
ND_NEIGHBOR_ADVERT
ND_REDIRECT | number | [icmpv6 types](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) | | +| ICMP6_DST_UNREACH_NOROUTE
ICMP6_DST_UNREACH_ADMIN
ICMP6_DST_UNREACH_BEYONDSCOPE
ICMP6_DST_UNREACH_ADDR
ICMP6_DST_UNREACH_NOPORT | number | icmpv6 code for destination unreachable | +| ICMP6_TIME_EXCEED_TRANSIT
ICMP6_TIME_EXCEED_REASSEMBLY | number | icmpv6 codes for time exceeded | | +| ICMP6_PARAMPROB_HEADER
ICMP6_PARAMPROB_NEXTHEADER
ICMP6_PARAMPROB_OPTION | number | icmpv6 codes for parameter problem | | ## Standard blobs @@ -1993,7 +1995,7 @@ If you are reconstructing an IPv6 header separately and are not using the `ip6_p `badsum` has been moved to reconstruction because TCP and UDP checksums are calculated based on the entire IP packet. The checksum includes elements from the IP/IPv6 header, the entire TCP header, and the payload itself. -Therefore, it is impossible to guaranteed a corrupted checksum by looking at individual parts alone. +Therefore, it is impossible to guarantee a corrupted checksum by looking at individual parts alone. No matter what value you input, there is a small probability (1/65536) that it will happen to be valid. The packet is formed based on the L3 header, then the L4 header (TCP,UDP,ICMP, if present) is appended, followed by the payload. @@ -2113,7 +2115,7 @@ If conntrack is disabled or the packet is not valid tcp or udp, nil is returned. function get_source_ip(target) ``` -Get source IP (raw string) that would be use for connection the the target IP. +Get source IP (raw string) that would be used for connection the the target IP. Returns nil if destination is unreachable. ``` @@ -2126,10 +2128,10 @@ This is WinDivert compatible. Interface table contents : -| Поле | Тип | Описание | +| Field | Type | Description | | :---------------- | :----- | :------------------ | | index | number | interface index | -| mtu | number | MTU. for loopback can be 64K or oven 0xFFFFFFFF | +| mtu | number | MTU. for loopback can be 64K or even 0xFFFFFFFF | | flags | number | os-specific bit flags | | ssid | string | wifi SSID if known. SSIDs are obtained only if `--filter-ssid` is used in any profile | | guid
iftype
index6
speed_xmit
speed_recv
metric4
metric6
conntype
| number | (windows only) additional fields from GetAdaptersAddresses() | @@ -2137,7 +2139,7 @@ Interface table contents : Address contents : -| Поле | Тип | Описание | +| Field | Type | Description | | :----------- | :----- | :------------------ | | addr | string | ipv4 or ipv6 address - raw string | | netmask | string | subnet mask - raw string | @@ -3041,8 +3043,8 @@ function ip_proto(dis) Functions discover ip protocol of the end payload. * ip_proto_l3 - ipv4 - ip.ip_p , ipv6 - ip6.ip6_nxt or next from the last extension header. nil, if next field is not set. -* ip_proto_l4 - IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, IPPROTO_UDP depending on presence of tcp,udp,icmp,ip6. nil if tcp,udp,icmp are absent. -* ip_proto - ip_proto_l4. если он вернул nil, то ip_proto_l3. +* ip_proto_l4 - IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, IPPROTO_ICMPV6 depending on presence of tcp,udp,icmp,ip6. nil if tcp,udp,icmp are absent. +* ip_proto - ip_proto_l4. If it returned nil, then ip_proto_l3. ``` function fix_ip_proto(dis, proto) @@ -3886,7 +3888,7 @@ function fakedsplit(ctx, desync) - arg: [standard ipid](#standard-ipid) - arg: [standard reconstruct](#standard-reconstruct) - arg: [standard rawsend](#standard-rawsend) -- arg: pos - a single [marker](#маркеры) acting as the split point. Defaults to "2". +- arg: pos - a single [marker](#markers) acting as the split point. Defaults to "2". - arg: seqovl - numeric value - an offset relative to the current sequence to create an additional segment part that extends to the left of the TCP window boundary. - arg: seqovl_pattern - the [blob](#passing-blobs) used to fill the seqovl. Defaults to 0x00. - arg: blob - replaces the current payload with the specified [blob](#passing-blobs). 
@@ -4020,9 +4022,9 @@ function tcpseg(ctx, desync) - arg: optional - skip the operation if a blob is specified but missing. If `seqovl_pattern` is specified but missing, use the 0x00 pattern. - default payload filter - "known" -Sends a part of the current dissect, [reasm](#reassembly-features), or an arbitrary blob, limited by two `pos` [markers](#markers) with optional application of the `seqovl` technique in the same way as in [multisplit](#multisplit). Additional segmentation is performed automatically if the MSS is exceeded. +Sends a part of the current dissect, [reasm](#handling-multi-packet-payloads), or an arbitrary blob, limited by two `pos` [markers](#markers) with optional application of the `seqovl` technique in the same way as in [multisplit](#multisplit). Additional segmentation is performed automatically if the MSS is exceeded. -In the case of [reasm](#reassembly-features), it only works when receiving its first part (as it operates on the reasm as a whole, not its individual parts). +In the case of [reasm](#handling-multi-packet-payloads), it only works when receiving its first part (as it operates on the reasm as a whole, not its individual parts). No verdict is issued. 
@@ -4936,13 +4938,13 @@ A typical `ipban` usage scenario begins with creating an ipset from the saved li create_ipset no-update ``` -You cannot be certain which will start first-your script or `zapret`. +You cannot be certain which will start first : your script or `zapret`. Startup must be synchronized and should not run in parallel. The best way to achieve this is by using [INIT_FW_*_HOOK](#config-file). -## Startup scripts +## Init scripts -These are available only for Linux and OpenWRT. The Linux version is located in `init.d/sysv`, and the OpenWRT version is in `init.d/openwrt`. The main executable is `zapret2`. The required action is passed via the `$1` argument. The startup procedure is split into starting the daemons (nfqws2 processes) and initializing the firewall (applying ip/nftables rules). +These are available only for Linux and OpenWRT. The Linux version is located in `init.d/sysv`, and the OpenWRT version is in `init.d/openwrt`. The main executable is `zapret2`. The required action is passed via the `$1` argument. The startup procedure is split into starting the daemons (nfqws2 processes) and initializing the firewall (applying iptables/nftables rules). | Command ($1) | Action | | :----------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -5318,7 +5320,7 @@ On classic Linux distributions with systemd, you can use the provided template u 7. Stop: `systemctl stop nfqws2@INSTANCE` 8. Restart: `systemctl restart nfqws2@INSTANCE` -This method does not apply ip/nf tables rules - you will have to handle that separately, as well as write the rules themselves. The rules must be placed somewhere so they are applied after the system starts. For example, you can create a separate systemd unit that runs a shell script or `nft -f /path/to/file.nft`. +This method does not apply iptables/nftables rules - you will have to handle that separately, as well as write the rules themselves. The rules must be placed somewhere so they are applied after the system starts. For example, you can create a separate systemd unit that runs a shell script or `nft -f /path/to/file.nft`. # Other firmwares diff --git a/docs/manual.md b/docs/manual.md index b044269..dd7c16a 100644 --- a/docs/manual.md +++ b/docs/manual.md 
@@ -402,7 +402,7 @@ ipset от iptables такое может провернуть даже на 64 Если стоит выбор между iptables или nftables, то однозначно выбирайте nftables. Поддержка nftables в [скриптах запуска](#скрипты-запуска) сделана более качественно, а сама технология nftables гораздо более уживчива к "соседям" - правилам разных программ, поскольку использует отдельные таблицы. В iptables все намешано в кучу, и одни программы , задающие iptables, могут попортить правила других программ. iptables можно рассматривать как legacy вариант для совместимости , когда иных вариантов нет. В современном дистрибутиве Linux точно не стоит выбирать iptables. Но если Linux более старый, ядро старее 5.15 или nft старее 1.0.1, а возможности обновить их нет, тогда лучше iptables. Со старыми ядрами и старым nft будут проблемы. Приведенные далее тестовые примеры предназначены для своей системы запуска или запуска вручную. -Скрипты запуска zapret сами генерируют необходимые правила, никаких ip/nf tables самому писать не нужно. +Скрипты запуска zapret сами генерируют необходимые правила, никаких iptables/nftables самому писать не нужно. ### Перехват трафика с помощью nftables 
@@ -1731,47 +1731,47 @@ desync.track всегда отсутствует. | Поле | Тип | Примечание | | :---- | :------- | :--------- | -| qnum | number | номер очереди NFQUEUE | только в Linux | -| divert_port | number | номер порта divert | только в BSD | -| desync_fwmark | number | fwmark для Linux, sockarg для BSD, 0 в Windows | | -| NFQWS2_VER | string | версия nfqws2 | строка, выводимая по --version | -| NFQWS2_COMPAT_VER | number | порядковый номер несовместимых изменений интерфейса с nfqws2 | увеличивается на 1 после каждого изменения | -| b_debug | bool | включен --debug | вывод отладочных сообщений | -| b_daemon | bool | включен --daemon | демонизация процесса, отвязка от tty | -| b_server | bool | включен --server | серверный режим | -| b_ipcache_hostname | bool | включен --ipcache-hostname | кэширование имен хостов, соответствующих IP адресам | -| b_ctrack_disable | bool | включен --ctrack-disable | отключен conntrack | -| VERDICT_PASS
VERDICT_MODIFY
VERDICT_DROP
VERDICT_PRESERVE_NEXT | number | код вердикта desync функции
VERDICT_PRESERVE_NEXT складывается как бит | -| DEFAULT_MSS | number | значение MSS по умолчанию | 1220 | -| IP_BASE_LEN | number | базовый размер ipv4 хедера | 20 | -| IP6_BASE_LEN | number | базовый размер ipv6 хедера | 40 | -| TCP_BASE_LEN | number | базовый размер tcp хедера | 20 | -| UDP_BASE_LEN | number | размер udp хедера | 8 | +| qnum | number | номер очереди NFQUEUE | только в Linux | +| divert_port | number | номер порта divert | только в BSD | +| desync_fwmark | number | fwmark для Linux, sockarg для BSD, 0 в Windows | | +| NFQWS2_VER | string | версия nfqws2 | строка, выводимая по --version | +| NFQWS2_COMPAT_VER | number | порядковый номер несовместимых изменений интерфейса с nfqws2 | увеличивается на 1 после каждого изменения | +| b_debug | bool | включен --debug | вывод отладочных сообщений | +| b_daemon | bool | включен --daemon | демонизация процесса, отвязка от tty | +| b_server | bool | включен --server | серверный режим | +| b_ipcache_hostname | bool | включен --ipcache-hostname | кэширование имен хостов, соответствующих IP адресам | +| b_ctrack_disable | bool | включен --ctrack-disable | отключен conntrack | +| VERDICT_PASS
VERDICT_MODIFY
VERDICT_DROP
VERDICT_PRESERVE_NEXT | number | код вердикта desync функции
VERDICT_PRESERVE_NEXT складывается как бит | +| DEFAULT_MSS | number | значение MSS по умолчанию | 1220 | +| IP_BASE_LEN | number | базовый размер ipv4 хедера | 20 | +| IP6_BASE_LEN | number | базовый размер ipv6 хедера | 40 | +| TCP_BASE_LEN | number | базовый размер tcp хедера | 20 | +| UDP_BASE_LEN | number | размер udp хедера | 8 | | TCP_KIND_END
TCP_KIND_NOOP
TCP_KIND_MSS
TCP_KIND_SCALE
TCP_KIND_SACK_PERM
TCP_KIND_SACK
TCP_KIND_TS
TCP_KIND_MD5
TCP_KIND_AO
TCP_KIND_FASTOPEN | number | коды типов tcp опций (kinds) | | -| TH_FIN
TH_SYN
TH_RST
TH_PUSH
TH_ACK
TH_FIN
TH_URG
TH_ECE
TH_CWR | number | tcp флаги | можно складывать через + | -| IP_MF | number | флаг IP "more fragments" | 0x8000, часть поля ip_off | -| IP_DF | number | флаг IP "dont fragment" | 0x4000, часть поля ip_off | -| IP_RF | number | флаг IP "reserved" | 0x2000, часть поля ip_off | -| IP_OFFMASK | number | битовая маска поля ip_off, соответствующая fragment offset | 0x1FFF | -| IP_FLAGMASK | number | битовая маска поля ip_off, соответствующая IP флагам | 0xE000 | -| IPTOS_ECN_MASK | number | битовая маска поля ip_tos, соответствующая ECN | 0x03 | -| IPTOS_ECN_NOT_ECT | number | Not ECN-Capable Transport | 0x00 | -| IPTOS_ECN_ECT1 | number | ECN Capable Transport(1) | 0x01 | -| IPTOS_ECN_ECT0 | number | ECN Capable Transport(0) | 0x02 | -| IPTOS_ECN_CE | number | Congestion Experienced | 0x03 | -| IPTOS_DSCP_MASK | number | битовая маска поля ip_tos, соответствующая DSCP | 0xFC | -| IP6F_MORE_FRAG | number | бит "More fragment" поля ip6f_offlg из ipv6 fragment header | 0x0001 | -| IPV6_FLOWLABEL_MASK | number | flow label в ip6_flow | 0x000FFFFF | -| IPV6_FLOWINFO_MASK | number | flow label, traffic class в ip6_flow | 0x0FFFFFFF | -| IPPROTO_IP
IPPROTO_IPV6
IPPROTO_IPIP
IPPROTO_ICMP
IPPROTO_ICMPV6
IPPROTO_TCP
IPPROTO_UDP
IPPROTO_SCTP
IPPROTO_HOPOPTS
IPPROTO_ROUTING
IPPROTO_FRAGMENT
IPPROTO_AH
IPPROTO_ESP
IPPROTO_DSTOPTS
IPPROTO_MH
IPPROTO_HIP
IPPROTO_SHIM6
IPPROTO_NONE | number | [номера IP протоколов](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | используются в ipv4 и ipv6 | -| ICMP_ECHOREPLY
ICMP_DEST_UNREACH
ICMP_REDIRECT
ICMP_ECHO
ICMP_TIME_EXCEEDED
ICMP_PARAMETERPROB
ICMP_TIMESTAMP
ICMP_TIMESTAMPREPLY
ICMP_INFO_REQUEST
ICMP_INFO_REPLY | number | [типы icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | -| ICMP_UNREACH_NET
ICMP_UNREACH_HOST
ICMP_UNREACH_PROTOCOL
ICMP_UNREACH_PORT
ICMP_UNREACH_NEEDFRAG
ICMP_UNREACH_SRCFAIL
ICMP_UNREACH_NET_UNKNOWN
ICMP_UNREACH_HOST_UNKNOWN
ICMP_UNREACH_NET_PROHIB
ICMP_UNREACH_HOST_PROHIB
ICMP_UNREACH_TOSNET
ICMP_UNREACH_TOSHOST
ICMP_UNREACH_FILTER_PROHIB
ICMP_UNREACH_HOST_PRECEDENCE
ICMP_UNREACH_PRECEDENCE_CUTOFF | number | коды icmp для destination unreachable | -| ICMP_REDIRECT_NET
ICMP_REDIRECT_HOST
ICMP_REDIRECT_TOSNET
ICMP_REDIRECT_TOSHOST | number | коды icmp для icmp redirect | -| ICMP_TIMXCEED_INTRANS
ICMP_TIMXCEED_REASS | number | коды icmp для time exceeded | -| ICMP6_ECHO_REQUEST
ICMP6_ECHO_REPLY
ICMP6_DST_UNREACH
ICMP6_PACKET_TOO_BIG
ICMP6_TIME_EXCEEDED
ICMP6_PARAM_PROB
MLD_LISTENER_QUERY
MLD_LISTENER_REPORT
MLD_LISTENER_REDUCTION
ND_ROUTER_SOLICIT
ND_ROUTER_ADVERT
ND_NEIGHBOR_SOLICIT
ND_NEIGHBOR_ADVERT
ND_REDIRECT | number | [типы icmpv6](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) | -| ICMP6_DST_UNREACH_NOROUTE
ICMP6_DST_UNREACH_ADMIN
ICMP6_DST_UNREACH_BEYONDSCOPE
ICMP6_DST_UNREACH_ADDR
ICMP6_DST_UNREACH_NOPORT | number | коды icmpv6 для destination unreachable | -| ICMP6_TIME_EXCEED_TRANSIT
ICMP6_TIME_EXCEED_REASSEMBLY | number | коды icmpv6 для time exceeded | -| ICMP6_PARAMPROB_HEADER
ICMP6_PARAMPROB_NEXTHEADER
ICMP6_PARAMPROB_OPTION | number | коды icmpv6 для parameter problem | +| TH_FIN
TH_SYN
TH_RST
TH_PUSH
TH_ACK
TH_URG
TH_ECE
TH_CWR | number | tcp флаги | можно складывать через + | +| IP_MF | number | флаг IP "more fragments" | 0x8000, часть поля ip_off | +| IP_DF | number | флаг IP "dont fragment" | 0x4000, часть поля ip_off | +| IP_RF | number | флаг IP "reserved" | 0x2000, часть поля ip_off | +| IP_OFFMASK | number | битовая маска поля ip_off, соответствующая fragment offset | 0x1FFF | +| IP_FLAGMASK | number | битовая маска поля ip_off, соответствующая IP флагам | 0xE000 | +| IPTOS_ECN_MASK | number | битовая маска поля ip_tos, соответствующая ECN | 0x03| +| IPTOS_ECN_NOT_ECT | number | Not ECN-Capable Transport | 0x00| +| IPTOS_ECN_ECT1 | number | ECN Capable Transport(1) | 0x01| +| IPTOS_ECN_ECT0 | number | ECN Capable Transport(0) | 0x02| +| IPTOS_ECN_CE | number | Congestion Experienced | 0x03| +| IPTOS_DSCP_MASK | number | битовая маска поля ip_tos, соответствующая DSCP | 0xFC| +| IP6F_MORE_FRAG | number | бит "More fragment" поля ip6f_offlg из ipv6 fragment header | 0x0001 | +| IPV6_FLOWLABEL_MASK | number | flow label в ip6_flow | 0x000FFFFF | +| IPV6_FLOWINFO_MASK | number | flow label, traffic class в ip6_flow | 0x0FFFFFFF | +| IPPROTO_IP
IPPROTO_IPV6
IPPROTO_IPIP
IPPROTO_ICMP
IPPROTO_ICMPV6
IPPROTO_TCP
IPPROTO_UDP
IPPROTO_SCTP
IPPROTO_HOPOPTS
IPPROTO_ROUTING
IPPROTO_FRAGMENT
IPPROTO_AH
IPPROTO_ESP
IPPROTO_DSTOPTS
IPPROTO_MH
IPPROTO_HIP
IPPROTO_SHIM6
IPPROTO_NONE | number | [номера IP протоколов](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | используются в ipv4 и ipv6 | +| ICMP_ECHOREPLY
ICMP_DEST_UNREACH
ICMP_REDIRECT
ICMP_ECHO
ICMP_TIME_EXCEEDEDICMP_TIMESTAMP
ICMP_TIMESTAMPREPLY
ICMP_INFO_REQUEST
ICMP_INFO_REPLY | number | [типы icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) | | +| ICMP_UNREACH_NET
ICMP_UNREACH_HOST
ICMP_UNREACH_PROTOCOL
ICMP_UNREACH_PORT
ICMP_UNREACH_NEEDFRAG
ICMP_UNREACH_SRCFAIL
ICMP_UNREACH_NET_UNKNOWN
ICMP_UNREACH_HOST_UNKNOWN
ICMP_UNREACH_NET_PROHIB
ICMP_UNREACH_HOST_PROHIB
ICMP_UNREACH_TOSNET
ICMP_UNREACH_TOSHOST
ICMP_UNREACH_FILTER_PROHIB
ICMP_UNREACH_HOST_PRECEDENCE
ICMP_UNREACH_PRECEDENCE_CUTOFF | number | коды icmp для destination unreachable | | +| ICMP_REDIRECT_NET
ICMP_REDIRECT_HOST
ICMP_REDIRECT_TOSNET
ICMP_REDIRECT_TOSHOST | number | коды icmp для icmp redirect | | +| ICMP_TIMXCEED_INTRANS
ICMP_TIMXCEED_REASS | number | коды icmp для time exceeded | | +| ICMP6_ECHO_REQUEST
ICMP6_ECHO_REPLY
ICMP6_DST_UNREACH
ICMP6_PACKET_TOO_BIG
ICMP6_TIME_EXCEEDED
ICMP6_PARAM_PROB
MLD_LISTENER_QUERY
MLD_LISTENER_REPORT
MLD_LISTENER_REDUCTION
ND_ROUTER_SOLICIT
ND_ROUTER_ADVERT
ND_NEIGHBOR_SOLICIT
ND_NEIGHBOR_ADVERT
ND_REDIRECT | number | [типы icmpv6](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) | | +| ICMP6_DST_UNREACH_NOROUTE
ICMP6_DST_UNREACH_ADMIN
ICMP6_DST_UNREACH_BEYONDSCOPE
ICMP6_DST_UNREACH_ADDR
ICMP6_DST_UNREACH_NOPORT | number | коды icmpv6 для destination unreachable | | +| ICMP6_TIME_EXCEED_TRANSIT
ICMP6_TIME_EXCEED_REASSEMBLY | number | коды icmpv6 для time exceeded | | +| ICMP6_PARAMPROB_HEADER
ICMP6_PARAMPROB_NEXTHEADER
ICMP6_PARAMPROB_OPTION | number | коды icmpv6 для parameter problem | | ## Стандартные блобы @@ -3214,7 +3214,7 @@ function ip_proto(dis) Функции "додумывают" ip protocol полезной нагрузки диссекта dis. * ip_proto_l3 - ipv4 - ip.ip_p , ipv6 - ip6.ip6_nxt или next из последнего extension header. nil, если next пуст. -* ip_proto_l4 - IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, IPPROTO_UDP в зависимости от наличия в диссекте tcp,udp,icmp,ip6. nil, если tcp,udp,icmp отсутствуют. +* ip_proto_l4 - IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, IPPROTO_ICMPV6 в зависимости от наличия в диссекте tcp,udp,icmp,ip6. nil, если tcp,udp,icmp отсутствуют. * ip_proto - ip_proto_l4. если он вернул nil, то ip_proto_l3. ``` @@ -5126,7 +5126,7 @@ create_ipset no-update ## Стартовые скрипты -Имеются только для Linux и OpenWRT. Вариант для Linux - в `init.d/sysv`, для OpenWRT - в `init.d/openwrt`. Основной исполняемый файл - `zapret2`. Требуемое действие передается в аргументе `$1`. Процедура запуска разделена на запуск демонов - процессов nfqws2, и запуск firewall - выставление правил ip/nf tables. +Имеются только для Linux и OpenWRT. Вариант для Linux - в `init.d/sysv`, для OpenWRT - в `init.d/openwrt`. Основной исполняемый файл - `zapret2`. Требуемое действие передается в аргументе `$1`. Процедура запуска разделена на запуск демонов - процессов nfqws2, и запуск firewall - выставление правил iptables/nftables. | Команда ($1) | Действие | | :----------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -5502,7 +5502,7 @@ rc-update add zapret2 7. Останов : `systemctl stop nfqws2@INSTANCE` 8. Перезапуск : `systemctl restart nfqws2@INSTANCE` -Этот способ не поднимает правила ip/nf tables - вам это придется сделать отдельно, как и написать сами правила. Правила нужно прописать куда-то, чтобы они поднимались после старта системы. Например, можно сделать отдельный systemd unit с запуском шелл скрипта или `nft -f /path/to/file.nft`. +Этот способ не поднимает правила iptables/nftables - вам это придется сделать отдельно, как и написать сами правила. Правила нужно прописать куда-то, чтобы они поднимались после старта системы. Например, можно сделать отдельный systemd unit с запуском шелл скрипта или `nft -f /path/to/file.nft`. # Другие прошивки
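Review bot: in the added IP flag rows of the constants table, IP_MF is documented as 0x8000 and IP_RF as 0x2000, which is the reverse of the standard netinet/ip.h definitions (IP_RF 0x8000, IP_DF 0x4000, IP_MF 0x2000, IP_OFFMASK 0x1FFF); please check these two values against what nfqws2 actually exports to Lua and either correct the table or state the convention being documented. Two smaller points in the same hunk: the ICMP types row contains `ICMP_TIME_EXCEEDEDICMP_TIMESTAMP`, where the line break between ICMP_TIME_EXCEEDED and ICMP_TIMESTAMP has been lost, and the TCP flags row says the flags "can be added with +", which silently yields a wrong value if a flag is repeated (TH_SYN + TH_SYN equals TH_RST); recommend describing the combination as a bitwise OR, or at least noting that each flag may appear only once in the sum.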
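Review bot: the corrected ip_proto_l4 line now lists IPPROTO_ICMPV6 instead of the duplicated IPPROTO_UDP, but it still says only that the result depends on "tcp,udp,icmp,ip6", which leaves implicit when IPPROTO_ICMP versus IPPROTO_ICMPV6 is chosen; suggest spelling the mapping out, e.g. "icmp together with ip6 -> IPPROTO_ICMPV6, icmp without ip6 -> IPPROTO_ICMP". The trailing nil condition ("if tcp, udp, icmp are absent") is consistent with that and can stay as is.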