init.d launch scripts

init.d/custom.d.examples.linux/10-keenetic-udp-fix

@@ -0,0 +1,22 @@
+# This script fixes keenetic issue with nfqws generated udp packets
+# Keenetic uses proprietary ndmmark and does not masquerade without this mark
+# If not masqueraded packets go to WAN with LAN IP and get dropped by ISP
+
+# It's advised to set IFACE_WAN in config
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local wan wanif rule
+
+	[ "$DISABLE_IPV4" = "1" ] || {
+		# use IFACE_WAN if defined. if not - search for interfaces with default route.
+		wanif=${IFACE_WAN:-$(sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs)}
+		for wan in $wanif; do
+			rule="-o $wan -p udp -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
+			ipt_print_op $1 "$rule" "keenetic udp fix"
+			ipt_add_del $1 POSTROUTING -t nat $rule -j MASQUERADE
+		done
+	}
+}

init.d/custom.d.examples.linux/20-fw-extra

@@ -0,0 +1,66 @@
+# this custom script runs standard mode with extra firewall rules
+
+# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# standard and override switches cannot be enabled simultaneously !
+
+TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
+NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+
+# config: some if these values must be set in config. not setting any of these makes this script meaningless.
+# pre vars put ipt/nft code to the rule beginning
+#FW_EXTRA_PRE_TPWS_IPT=
+#FW_EXTRA_PRE_TPWS_NFT=
+#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+# post vars put ipt/nft code to the rule end
+#FW_EXTRA_POST_TPWS_IPT=
+#FW_EXTRA_POST_TPWS_NFT=
+#FW_EXTRA_POST_NFQWS_IPT=
+#FW_EXTRA_POST_NFQWS_NFT=
+
+check_std_intersect()
+{
+	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
+		return 1
+	}
+	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+		return 1
+	}
+	return 0
+}
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	check_std_intersect || return
+
+	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	standard_mode_daemons "$1"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
+	zapret_do_firewall_standard_tpws_rules_ipt $1
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
+	zapret_apply_firewall_standard_tpws_rules_nft
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}

init.d/custom.d.examples.linux/50-dht4all

@@ -0,0 +1,38 @@
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---payload dht --lua-desync=dht_dn}"
+
+alloc_dnum DNUM_DHT4ALL
+alloc_qnum QNUM_DHT4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
+	do_nfqws $1 $DNUM_DHT4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f uf4 uf6
+	local first_packet_only="$ipt_connbytes 1:1"
+
+	f='-p udp -m length --length 109:407 -m u32 --u32'
+	uf4='0>>22&0x3C@8>>16=0x6431'
+	uf6='48>>16=0x6431'
+	fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f
+        local first_packet_only="$nft_connbytes 1"
+
+        f="meta length 109-407 meta l4proto udp @ih,0,16 0x6431"
+        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
+}

init.d/custom.d.examples.linux/50-discord-media

@@ -0,0 +1,35 @@
+# this custom script runs desync to all discord media packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---payload discord_ip_discovery --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"
+
+alloc_dnum DNUM_DISCORD_MEDIA
+alloc_qnum QNUM_DISCORD_MEDIA
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DISCORD_MEDIA $NFQWS_OPT_DESYNC_DISCORD_MEDIA"
+	do_nfqws $1 $DNUM_DISCORD_MEDIA "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local DISABLE_IPV6=1
+	local port_range=$(replace_char - : $DISCORD_MEDIA_PORT_RANGE)
+	local f="-p udp --dport $port_range -m u32 --u32"
+	# this is simplified test to skip writing monstrous rule. instead of checking 64 bytes for zeroes only check 2 dwords for zero
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x52&&0>>22&0x3C@8=0x00010046&&0>>22&0x3C@16=0&&0>>22&0x3C@76=0" '' $QNUM_DISCORD_MEDIA
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local DISABLE_IPV6=1
+	local f="udp dport $DISCORD_MEDIA_PORT_RANGE udp length == 82 @ih,0,32 0x00010046 @ih,64,128 0x00000000000000000000000000000000 @ih,192,128 0x00000000000000000000000000000000 @ih,320,128 0x00000000000000000000000000000000 @ih,448,128 0x00000000000000000000000000000000"
+	nft_fw_nfqws_post "$f" '' $QNUM_DISCORD_MEDIA
+}

init.d/custom.d.examples.linux/50-nfqws-ipset

@@ -0,0 +1,144 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset
+
+# can override in config :
+NFQWS_MY1_OPT="${NFQWS_MY1_OPT:---filter-udp=* --payload known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
+NFQWS_MY1_SUBNETS4="${NFQWS_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
+NFQWS_MY1_SUBNETS6="${NFQWS_MY1_SUBNETS6:-2a00:1450::/29}"
+NFQWS_MY1_PORTS_TCP=${NFQWS_MY1_PORTS_TCP:-$NFQWS_PORTS_TCP}
+NFQWS_MY1_PORTS_UDP=${NFQWS_MY1_PORTS_UDP:-$NFQWS_PORTS_UDP}
+NFQWS_MY1_TCP_PKT_OUT=${NFQWS_MY1_TCP_PKT_OUT:-$NFQWS_TCP_PKT_OUT}
+NFQWS_MY1_UDP_PKT_OUT=${NFQWS_MY1_UDP_PKT_OUT:-$NFQWS_UDP_PKT_OUT}
+NFQWS_MY1_TCP_PKT_IN=${NFQWS_MY1_TCP_PKT_IN:-$NFQWS_TCP_PKT_IN}
+NFQWS_MY1_UDP_PKT_IN=${NFQWS_MY1_UDP_PKT_IN:-$NFQWS_UDP_PKT_IN}
+
+NFQWS_MY1_IPSET_SIZE=${NFQWS_MY1_IPSET_SIZE:-4096}
+NFQWS_MY1_IPSET_OPT="${NFQWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $NFQWS_MY1_IPSET_SIZE}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_NAME4=my1nfqws4
+NFQWS_MY1_NAME6=my1nfqws6
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_MY1_OPT"
+	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6 subnet
+	local NFQWS_MY1_PORTS_TCP=$(replace_char - : $NFQWS_MY1_PORTS_TCP)
+	local NFQWS_MY1_PORTS_UDP=$(replace_char - : $NFQWS_MY1_PORTS_UDP)
+
+	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
+		ipset create $NFQWS_MY1_NAME4 $NFQWS_MY1_IPSET_OPT family inet 2>/dev/null
+		ipset flush $NFQWS_MY1_NAME4
+		for subnet in $NFQWS_MY1_SUBNETS4; do
+			echo add $NFQWS_MY1_NAME4 $subnet
+		done | ipset -! restore
+	}
+	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
+		ipset create $NFQWS_MY1_NAME6 $NFQWS_MY1_IPSET_OPT family inet6 2>/dev/null
+		ipset flush $NFQWS_MY1_NAME6
+		for subnet in $NFQWS_MY1_SUBNETS6; do
+			echo add $NFQWS_MY1_NAME6 $subnet
+		done | ipset -! restore
+	}
+
+	[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="-p tcp -m multiport --dports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 dst"
+			f4="$f4 $NFQWS_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="-p tcp -m multiport --sports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 src"
+			f4="$f4 $NFQWS_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+	[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="-p udp -m multiport --dports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 dst"
+			f4="$f4 $NFQWS_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="-p udp -m multiport --sports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 src"
+			f4="$f4 $NFQWS_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS_MY1_NAME4 2>/dev/null
+		ipset destroy $NFQWS_MY1_NAME6 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	local f4 f6 subnets
+	local first_packets_only="$nft_connbytes 1-$NFQWS_MY1_PKT_OUT"
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+	        make_comma_list subnets $NFQWS_MY1_SUBNETS4
+		nft_create_set $NFQWS_MY1_NAME4 "type ipv4_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS_MY1_NAME4
+		nft_add_set_element $NFQWS_MY1_NAME4 "$subnets"
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+	        make_comma_list subnets $NFQWS_MY1_SUBNETS6
+		nft_create_set $NFQWS_MY1_NAME6 "type ipv6_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS_MY1_NAME6
+		nft_add_set_element $NFQWS_MY1_NAME6 "$subnets"
+	}
+
+	[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="tcp dport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="tcp sport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+	[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="udp dport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="udp sport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+}
+
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS_MY1_NAME4 2>/dev/null
+	nft_del_set $NFQWS_MY1_NAME6 2>/dev/null
+}

init.d/custom.d.examples.linux/50-quic4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all IETF QUIC initials
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_QUIC="${NFQWS_OPT_DESYNC_QUIC:---payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=2}"
+
+alloc_dnum DNUM_QUIC4ALL
+alloc_qnum QNUM_QUIC4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_QUIC4ALL $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 $DNUM_QUIC4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=264:65535&&0>>22&0x3C@8>>28=0xC&&0>>22&0x3C@9=0x00000001" "$f 44>>16=264:65535&&48>>28=0xC&&49=0x00000001" $QNUM_QUIC4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length >= 264 @ih,0,4 0xC @ih,8,32 0x00000001"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_QUIC4ALL
+}

init.d/custom.d.examples.linux/50-stun4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all stun packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun_binding_req --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+
+alloc_dnum DNUM_STUN4ALL
+alloc_qnum QNUM_STUN4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_STUN4ALL $NFQWS_OPT_DESYNC_STUN"
+	do_nfqws $1 $DNUM_STUN4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=28:65535&&0>>22&0x3C@12=0x2112A442&&0>>22&0x3C@8&0xC0000003=0" "$f 44>>16=28:65535&&52=0x2112A442&&48&0xC0000003=0" $QNUM_STUN4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length >= 28 @ih,32,32 0x2112A442 @ih,0,2 0 @ih,30,2 0"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_STUN4ALL
+}

init.d/custom.d.examples.linux/50-wg4all

@@ -0,0 +1,32 @@
+# this custom script runs desync to all wireguard handshake initiation packets
+# NOTE: this works for original wireguard and may not work for 3rd party implementations such as xray
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---payload wireguard_initiation --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+	do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length 156 @ih,0,32 0x01000000"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}

init.d/openrc/zapret

@@ -0,0 +1,69 @@
+#!/sbin/openrc-run
+
+# zapret openrc to sysv adapter
+# on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d
+
+EXEDIR=$(dirname "$RC_SERVICE")
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+ZAPRET_BASE="$EXEDIR/../.."
+ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret"
+
+extra_commands="start_fw stop_fw restart_fw start_daemons stop_daemons restart_daemons reload_ifsets list_ifsets list_table"
+description="extra commands :"
+description_stop_fw="Stop zapret firewall"
+description_start_fw="Start zapret firewall"
+description_restart_fw="Restart zapret firewall"
+description_reload_ifsets="Reload interface lists (nftables only)"
+description_list_ifsets="Display interface lists (nftables only)"
+description_list_table="Display zapret nftable (nftables only)"
+description_stop_daemons="Stop zapret daemons only"
+description_start_daemons="Start zapret daemons only"
+description_restart_daemons="Restart zapret firewall only"
+
+depend() {
+	rc-service -e networking && need networking
+}
+start()
+{
+	"$ZAPRET_INIT" start
+}
+stop()
+{
+	"$ZAPRET_INIT" stop
+}
+start_fw()
+{
+	"$ZAPRET_INIT" start_fw
+}
+stop_fw()
+{
+	"$ZAPRET_INIT" stop_fw
+}
+restart_fw()
+{
+	"$ZAPRET_INIT" restart_fw
+}
+start_daemons()
+{
+	"$ZAPRET_INIT" start_daemons
+}
+stop_daemons()
+{
+	"$ZAPRET_INIT" stop_daemons
+}
+restart_daemons()
+{
+	"$ZAPRET_INIT" restart_daemons
+}
+reload_ifsets()
+{
+	"$ZAPRET_INIT" reload_ifsets
+}
+list_ifsets()
+{
+	"$ZAPRET_INIT" list_ifsets
+}
+list_table()
+{
+	"$ZAPRET_INIT" list_table
+}

init.d/openwrt/90-zapret2

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+ZAPRET=/etc/init.d/zapret2
+
+check_lan()
+{
+	IS_LAN=
+	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
+	for lan in $OPENWRT_LAN; do
+		[ "$INTERFACE" = "$lan" ] && {
+			IS_LAN=1
+			break
+		}
+	done
+}
+
+
+[ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
+	SCRIPT=$(readlink "$ZAPRET")
+	if [ -n "$SCRIPT" ]; then
+		EXEDIR=$(dirname "$SCRIPT")
+		ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+	else
+		ZAPRET_BASE=/opt/zapret2
+	fi
+	ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+	ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+	CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
+	. "$ZAPRET_CONFIG"
+	. "$ZAPRET_BASE/common/base.sh"
+	. "$ZAPRET_BASE/common/fwtype.sh"
+
+	linux_fwtype
+	case "$FWTYPE" in
+		nftables)
+			logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE
+			"$ZAPRET" reload_ifsets
+			;;
+		iptables)
+			openwrt_fw3 || {
+				logger -t zapret reloading iptables due to $ACTION of $INTERFACE
+				"$ZAPRET" restart_fw
+			}
+			;;
+	esac
+}

init.d/openwrt/firewall.zapret2

@@ -0,0 +1,11 @@
+SCRIPT=$(readlink /etc/init.d/zapret2)
+if [ -n "$SCRIPT" ]; then
+ EXEDIR=$(dirname "$SCRIPT")
+ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+ ZAPRET_BASE=/opt/zapret2
+fi
+
+. "$ZAPRET_BASE/init.d/openwrt/functions"
+
+zapret_apply_firewall

init.d/openwrt/functions

@@ -0,0 +1,218 @@
+. /lib/functions/network.sh
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret2}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/linux_iphelper.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/nft.sh"
+. "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
+
+QNUM=${QNUM:-300}
+WS_USER=${WS_USER:-daemon}
+DESYNC_MARK=${DESYNC_MARK:-0x40000000}
+DESYNC_MARK_POSTNAT=${DESYNC_MARK_POSTNAT:-0x20000000}
+OPENWRT_LAN=${OPENWRT_LAN:-lan}
+
+IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
+
+# can be multiple ipv6 outgoing interfaces
+# uplink from isp, tunnelbroker, vpn, ...
+# want them all. who knows what's the real one that blocks sites
+# dont want any manual configuration - want to do it automatically
+# standard network_find_wan[6] return only the first
+# we use low level function from network.sh to avoid this limitation
+# it can change theoretically and stop working
+
+network_find_wan4_all()
+{
+	if [ -n "$OPENWRT_WAN4" ]; then
+		eval $1="\$OPENWRT_WAN4"
+	else
+		__network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return
+		network_find_wan $1
+	fi
+}
+network_find_wan_all()
+{
+	network_find_wan4_all "$@"
+}
+network_find_wan6_all()
+{
+	if [ -n "$OPENWRT_WAN6" ]; then
+		eval $1="\$OPENWRT_WAN6"
+	else
+		__network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return
+		network_find_wan6 $1
+	fi
+}
+network_find_wanX_devices()
+{
+	# $1 - ip version: 4 or 6
+	# $2 - variable to put result to
+	local ifaces
+	network_find_wan${1}_all ifaces
+	call_for_multiple_items network_get_device $2 "$ifaces"
+}
+
+
+fw_nfqws_prepost_x()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - filter
+	# $3 - queue number
+	# $4 - 4/6
+	# $5 - post/pre
+
+	local ifaces DWAN
+	network_find_wan${4}_all ifaces
+	call_for_multiple_items network_get_device DWAN "$ifaces"
+
+	[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
+}
+fw_nfqws_post4()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 4 post
+}
+fw_nfqws_post6()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 6 post
+}
+fw_nfqws_pre4()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 4 pre
+}
+fw_nfqws_pre6()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 6 pre
+}
+
+create_ipset()
+{
+	echo "Creating ip list table (firewall type $FWTYPE)"
+	"$IPSET_CR" "$@"
+}
+
+list_nfqws_rules()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	ip$1tables -S POSTROUTING -t mangle | \
+		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \
+		sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
+}
+apply_flow_offloading_enable_rule()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local i off='-j FLOWOFFLOAD'
+	[ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw"
+	i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off"
+	echo enabling ipv${1:-4} flow offloading : $i
+	ip$1tables -A $i
+}
+apply_flow_offloading_exempt_rule()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local i v
+	v=$1
+	shift
+	i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN"
+	echo applying ipv${v:-4} flow offloading exemption : $i
+	ip${v}tables -A $i
+}
+flow_offloading_unexempt_v()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local DWAN
+	network_find_wanX_devices ${1:-4} DWAN
+	for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done
+	ip$1tables -F forwarding_rule_zapret 2>/dev/null
+	ip$1tables -X forwarding_rule_zapret 2>/dev/null
+}
+flow_offloading_exempt_v()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	is_ipt_flow_offload_avail $1 || return 0
+
+	flow_offloading_unexempt_v $1
+
+	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
+		ip$1tables -N forwarding_rule_zapret
+
+		# remove outgoing interface
+		list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' |
+		while read rule; do
+			apply_flow_offloading_exempt_rule "$1" $rule
+		done
+
+		apply_flow_offloading_enable_rule $1
+
+		# only outgoing to WAN packets trigger flow offloading
+		local DWAN
+		network_find_wanX_devices ${1:-4} DWAN
+		for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done
+	}
+	return 0
+}
+flow_offloading_exempt()
+{
+	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v
+	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6
+}
+flow_offloading_unexempt()
+{
+	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v
+	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6
+}
+
+nft_fill_ifsets_overload()
+{
+	local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6
+
+	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
+	call_for_multiple_items network_get_physdev PDLAN "$OPENWRT_LAN"
+
+	network_find_wan4_all ifaces
+	call_for_multiple_items network_get_device DWAN "$ifaces"
+	call_for_multiple_items network_get_physdev PDWAN "$ifaces"
+
+	network_find_wan6_all ifaces
+	call_for_multiple_items network_get_device DWAN6 "$ifaces"
+	call_for_multiple_items network_get_physdev PDWAN6 "$ifaces"
+
+	nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6"
+}
+nft_wanif_filter_present()
+{
+	# in openwrt we always use wanif filter
+	return 0
+}
+nft_wanif6_filter_present()
+{
+	# in openwrt we always use wanif6 filter
+	return 0
+}
+
+
+nft_fw_nfqws_post4()
+{
+	_nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_post6()
+{
+	_nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_pre4()
+{
+	_nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_pre6()
+{
+	_nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter
+}

init.d/openwrt/zapret2

@@ -0,0 +1,135 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+# after network
+START=21
+
+my_extra_command() {
+	local cmd="$1"
+	local help="$2"
+
+	local extra="$(printf "%-16s%s" "${cmd}" "${help}")"
+	EXTRA_HELP="${EXTRA_HELP}	${extra}
+"
+	EXTRA_COMMANDS="${EXTRA_COMMANDS} ${cmd}"
+}
+my_extra_command stop_fw "Stop zapret firewall (noop in iptables+fw3 case)"
+my_extra_command start_fw "Start zapret firewall (noop in iptables+fw3 case)"
+my_extra_command restart_fw "Restart zapret firewall (noop in iptables+fw3 case)"
+my_extra_command reload_ifsets "Reload interface lists (nftables only)"
+my_extra_command list_ifsets "Display interface lists (nftables only)"
+my_extra_command list_table "Display zapret nftable (nftables only)"
+my_extra_command stop_daemons "Stop zapret daemons only (=stop in iptables+fw3 case)"
+my_extra_command start_daemons "Start zapret daemons only (=start in iptables+fw3 case)"
+my_extra_command restart_daemons "Restart zapret firewall only (=restart in iptables+fw3 case)"
+
+SCRIPT=$(readlink /etc/init.d/zapret2)
+if [ -n "$SCRIPT" ]; then
+ EXEDIR=$(dirname "$SCRIPT")
+ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+ ZAPRET_BASE=/opt/zapret2
+fi
+
+. "$ZAPRET_BASE/init.d/openwrt/functions"
+
+
+# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately
+# !!!!! in new openwrt >21.x with nftables firewall is configured here
+
+PIDDIR=/var/run
+
+USEROPT="--user=$WS_USER"
+NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
+LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua"
+NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
+
+run_daemon()
+{
+	# $1 - daemon string id or number. can use 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	echo "Starting daemon $1: $2 $3"
+	procd_open_instance
+	procd_set_param command $2 $3
+	procd_set_param pidfile $PIDDIR/$DAEMONBASE$1.pid
+	procd_close_instance
+}
+
+run_nfqws()
+{
+	run_daemon $1 "$NFQWS2" "$NFQWS2_OPT_BASE $2"
+}
+do_nfqws()
+{
+	[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
+}
+
+start_daemons_procd()
+{
+	standard_mode_daemons 1
+	custom_runner zapret_custom_daemons 1
+
+	return 0
+}
+start_daemons()
+{
+	rc_procd start_daemons_procd "$@"
+}
+stop_daemons()
+{
+	local svc="$(basename ${basescript:-$initscript})"
+	procd_running "$svc" "$1" && procd_kill "$svc" "$1"
+}
+restart_daemons()
+{
+	stop_daemons
+	start_daemons
+}
+
+start_fw()
+{
+	zapret_apply_firewall
+}
+stop_fw()
+{
+	zapret_unapply_firewall
+}
+restart_fw()
+{
+	stop_fw
+	start_fw
+}
+reload_ifsets()
+{
+	zapret_reload_ifsets
+}
+list_ifsets()
+{
+	zapret_list_ifsets
+}
+list_table()
+{
+	zapret_list_table
+}
+
+start_service()
+{
+	start_daemons_procd
+	[ "$INIT_APPLY_FW" != "1" ] || {
+		linux_fwtype
+		openwrt_fw3_integration || start_fw
+	}
+}
+
+stop_service()
+{
+	# this procedure is called from stop()
+	# stop() already stop daemons
+	[ "$INIT_APPLY_FW" != "1" ] || {
+		linux_fwtype
+		openwrt_fw3_integration || stop_fw
+	}
+}

init.d/systemd/nfqws2@.service

@@ -0,0 +1,62 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile nfqws using `make systemd`
+# WARNING ! This makefile target enables special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret2 systemd
+# cp nfqws2\@.service /lib/systemd/system
+# systemctl daemon-reload
+
+# MANAGE INSTANCE
+# prepare /etc/zapret2/nfqws1.conf with nfqws parameters
+# systemctl start nfqws2@nfqws1
+# systemctl status nfqws2@nfqws1
+# systemctl restart nfqws2@nfqws1
+# systemctl enable nfqws2@nfqws1
+# systemctl disable nfqws2@nfqws1
+# systemctl stop nfqws2@nfqws1
+
+# DELETE
+# rm /lib/systemd/system/nfqws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret2/nfq2
+ExecStart=nfqws2 @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret2
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

init.d/systemd/zapret2-list-update.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=zapret2 ip/host list update
+
+[Service]
+Restart=no
+IgnoreSIGPIPE=no
+KillMode=control-group
+GuessMainPID=no
+RemainAfterExit=no
+ExecStart=/opt/zapret2/ipset/get_config.sh
+
+[Install]
+WantedBy=multi-user.target

init.d/systemd/zapret2-list-update.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=zapret2 ip/host list update timer
+
+[Timer]
+OnCalendar=*-*-2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 00:00:00
+RandomizedDelaySec=86400
+Persistent=true
+Unit=zapret2-list-update.service
+
+[Install]
+WantedBy=timers.target

init.d/systemd/zapret2.service

@@ -0,0 +1,17 @@
+[Unit]
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+Restart=no
+TimeoutSec=30sec
+IgnoreSIGPIPE=no
+KillMode=none
+GuessMainPID=no
+RemainAfterExit=no
+ExecStart=/opt/zapret2/init.d/sysv/zapret2 start
+ExecStop=/opt/zapret2/init.d/sysv/zapret2 stop
+
+[Install]
+WantedBy=multi-user.target

init.d/sysv/functions

@@ -0,0 +1,191 @@
+# init script functions library for desktop linux systems
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret2}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/linux_iphelper.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/nft.sh"
+. "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
+
+user_exists()
+{
+	id -u $1 >/dev/null 2>/dev/null
+}
+useradd_compat()
+{
+	# $1 - username
+	# skip for readonly systems
+	[ -w "/etc" ] && {
+		if exists useradd ; then
+			useradd --no-create-home --system --shell /bin/false $1
+		elif is_linked_to_busybox adduser ; then
+			# some systems may miss nogroup group in /etc/group
+			# adduser fails if it's absent and no group is specified
+			addgroup nogroup 2>/dev/null
+			# busybox has special adduser syntax
+			adduser -S -H -D $1
+		elif exists adduser; then
+			adduser --no-create-home --system --disabled-login $1
+		fi
+	}
+	user_exists $1
+}
+prepare_user()
+{
+	user_exists $WS_USER || {
+		# fallback to daemon if we cant add WS_USER
+		useradd_compat $WS_USER || {
+			for user in daemon nobody; do
+				user_exists $user && {
+					WS_USER=$user
+					return 0
+				}
+			done
+			return 1
+		}
+	}
+}
+
+# this complex user selection allows to survive in any locked/readonly/minimalistic environment
+[ -n "$WS_USER" ] || WS_USER=tpws
+if prepare_user; then
+ USEROPT="--user=$WS_USER"
+else
+ WS_USER=1
+ USEROPT="--uid $WS_USER:$WS_USER"
+fi
+
+PIDDIR=/var/run
+IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
+
+DESYNC_MARK=${DESYNC_MARK:-0x40000000}
+DESYNC_MARK_POSTNAT=${DESYNC_MARK_POSTNAT:-0x20000000}
+
+QNUM=${QNUM:-300}
+NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
+LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua"
+NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
+
+
+fw_nfqws_post4()
+{
+	_fw_nfqws_post4  $1 "$2" $3 "$IFACE_WAN"
+}
+fw_nfqws_post6()
+{
+	_fw_nfqws_post6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+fw_nfqws_pre4()
+{
+	_fw_nfqws_pre4  $1 "$2" $3 "$IFACE_WAN"
+}
+fw_nfqws_pre6()
+{
+	_fw_nfqws_pre6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_nfqws_post4()
+{
+	_nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_nfqws_post6()
+{
+	_nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_nfqws_pre4()
+{
+	_nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_nfqws_pre6()
+{
+	_nft_fw_nfqws_pre6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+
+nft_wanif_filter_present()
+{
+	[ -n "$IFACE_WAN" ]
+}
+nft_wanif6_filter_present()
+{
+	[ -n "${IFACE_WAN6:-$IFACE_WAN}" ]
+}
+nft_fill_ifsets_overload()
+{
+	nft_fill_ifsets "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}" "$IFACE_LAN"
+}
+
+
+run_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+
+	local DAEMONBASE="$(basename "$2")"
+	local PID= PIDFILE=$PIDDIR/${DAEMONBASE}_$1.pid
+	echo "Starting daemon $1: $2 $3"
+
+	[ -f "$PIDFILE" ] && {
+		read PID <"$PIDFILE"
+		[ -d "/proc/$PID" ] || PID=
+	}
+
+	if [ -n "$PID" ]; then
+		echo already running
+	else
+		"$2" $3 >/dev/null &
+		PID=$!
+		if [ -n "$PID" ]; then
+			echo $PID >$PIDFILE
+		else
+			echo could not start daemon $1 : $2 $3
+			false
+		fi
+	fi
+}
+stop_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	local PID PIDFILE=$PIDDIR/${DAEMONBASE}_$1.pid
+	echo "Stopping daemon $1: $2"
+	if [ -f "$PIDFILE" ]; then
+		read PID <"$PIDFILE"
+		kill $PID
+		rm -f "$PIDFILE"
+	else
+		echo no pidfile : $PIDFILE
+	fi
+}
+do_daemon()
+{
+	# $1 - 1 - run, 0 - stop
+	on_off_function run_daemon stop_daemon "$@"
+}
+
+do_nfqws()
+{
+	# $1 : 1 - run, 0 - stop
+	# $2 : daemon number
+	# $3 : daemon args
+
+	do_daemon $1 $2 "$NFQWS2" "$NFQWS2_OPT_BASE $3"
+}
+
+
+create_ipset()
+{
+	echo "Creating ip list table (firewall type $FWTYPE)"
+	"$IPSET_CR" "$@"
+}

init.d/sysv/zapret2

@@ -0,0 +1,82 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:		zapret
+# Required-Start:	$local_fs $network
+# Required-Stop:	$local_fs $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+### END INIT INFO
+
+SCRIPT=$(readlink -f "$0")
+EXEDIR=$(dirname "$SCRIPT")
+ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+. "$EXEDIR/functions"
+
+NAME=zapret
+DESC=anti-zapret
+
+do_start()
+{
+	zapret_run_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
+}
+do_stop()
+{
+	zapret_stop_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
+}
+
+case "$1" in
+	start)
+		do_start
+		;;
+
+	stop)
+		do_stop
+		;;
+
+	restart)
+		do_stop
+		do_start
+		;;
+
+	start-fw|start_fw)
+		zapret_apply_firewall
+		;;
+	stop-fw|stop_fw)
+		zapret_unapply_firewall
+		;;
+
+	restart-fw|restart_fw)
+		zapret_unapply_firewall
+		zapret_apply_firewall
+		;;
+
+	start-daemons|start_daemons)
+		zapret_run_daemons
+		;;
+	stop-daemons|stop_daemons)
+		zapret_stop_daemons
+		;;
+	restart-daemons|restart_daemons)
+		zapret_stop_daemons
+		zapret_run_daemons
+		;;
+
+	reload-ifsets|reload_ifsets)
+		zapret_reload_ifsets
+		;;
+	list-ifsets|list_ifsets)
+		zapret_list_ifsets
+		;;
+	list-table|list_table)
+		zapret_list_table
+		;;
+
+  *)
+	echo "Usage: $SCRIPT {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
+	exit 1
+	;;
+esac
+
+exit 0