init.d launch scripts

init.d/custom.d.examples.linux/10-keenetic-udp-fix

@@ -0,0 +1,22 @@
+# This script fixes keenetic issue with nfqws generated udp packets
+# Keenetic uses proprietary ndmmark and does not masquerade without this mark
+# If not masqueraded packets go to WAN with LAN IP and get dropped by ISP
+
+# It's advised to set IFACE_WAN in config
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local wan wanif rule
+
+	[ "$DISABLE_IPV4" = "1" ] || {
+		# use IFACE_WAN if defined. if not - search for interfaces with default route.
+		wanif=${IFACE_WAN:-$(sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs)}
+		for wan in $wanif; do
+			rule="-o $wan -p udp -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
+			ipt_print_op $1 "$rule" "keenetic udp fix"
+			ipt_add_del $1 POSTROUTING -t nat $rule -j MASQUERADE
+		done
+	}
+}

init.d/custom.d.examples.linux/20-fw-extra

@@ -0,0 +1,66 @@
+# this custom script runs standard mode with extra firewall rules
+
+# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# standard and override switches cannot be enabled simultaneously !
+
+TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
+NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+
+# config: some if these values must be set in config. not setting any of these makes this script meaningless.
+# pre vars put ipt/nft code to the rule beginning
+#FW_EXTRA_PRE_TPWS_IPT=
+#FW_EXTRA_PRE_TPWS_NFT=
+#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+# post vars put ipt/nft code to the rule end
+#FW_EXTRA_POST_TPWS_IPT=
+#FW_EXTRA_POST_TPWS_NFT=
+#FW_EXTRA_POST_NFQWS_IPT=
+#FW_EXTRA_POST_NFQWS_NFT=
+
+check_std_intersect()
+{
+	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
+		return 1
+	}
+	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+		return 1
+	}
+	return 0
+}
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	check_std_intersect || return
+
+	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	standard_mode_daemons "$1"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
+	zapret_do_firewall_standard_tpws_rules_ipt $1
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
+	zapret_apply_firewall_standard_tpws_rules_nft
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}

init.d/custom.d.examples.linux/50-dht4all

@@ -0,0 +1,38 @@
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---payload dht --lua-desync=dht_dn}"
+
+alloc_dnum DNUM_DHT4ALL
+alloc_qnum QNUM_DHT4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
+	do_nfqws $1 $DNUM_DHT4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f uf4 uf6
+	local first_packet_only="$ipt_connbytes 1:1"
+
+	f='-p udp -m length --length 109:407 -m u32 --u32'
+	uf4='0>>22&0x3C@8>>16=0x6431'
+	uf6='48>>16=0x6431'
+	fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f
+        local first_packet_only="$nft_connbytes 1"
+
+        f="meta length 109-407 meta l4proto udp @ih,0,16 0x6431"
+        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
+}

init.d/custom.d.examples.linux/50-discord-media

@@ -0,0 +1,35 @@
+# this custom script runs desync to all discord media packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---payload discord_ip_discovery --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"
+
+alloc_dnum DNUM_DISCORD_MEDIA
+alloc_qnum QNUM_DISCORD_MEDIA
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DISCORD_MEDIA $NFQWS_OPT_DESYNC_DISCORD_MEDIA"
+	do_nfqws $1 $DNUM_DISCORD_MEDIA "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local DISABLE_IPV6=1
+	local port_range=$(replace_char - : $DISCORD_MEDIA_PORT_RANGE)
+	local f="-p udp --dport $port_range -m u32 --u32"
+	# this is simplified test to skip writing monstrous rule. instead of checking 64 bytes for zeroes only check 2 dwords for zero
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x52&&0>>22&0x3C@8=0x00010046&&0>>22&0x3C@16=0&&0>>22&0x3C@76=0" '' $QNUM_DISCORD_MEDIA
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local DISABLE_IPV6=1
+	local f="udp dport $DISCORD_MEDIA_PORT_RANGE udp length == 82 @ih,0,32 0x00010046 @ih,64,128 0x00000000000000000000000000000000 @ih,192,128 0x00000000000000000000000000000000 @ih,320,128 0x00000000000000000000000000000000 @ih,448,128 0x00000000000000000000000000000000"
+	nft_fw_nfqws_post "$f" '' $QNUM_DISCORD_MEDIA
+}

init.d/custom.d.examples.linux/50-nfqws-ipset

@@ -0,0 +1,144 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset
+
+# can override in config :
+NFQWS_MY1_OPT="${NFQWS_MY1_OPT:---filter-udp=* --payload known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
+NFQWS_MY1_SUBNETS4="${NFQWS_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
+NFQWS_MY1_SUBNETS6="${NFQWS_MY1_SUBNETS6:-2a00:1450::/29}"
+NFQWS_MY1_PORTS_TCP=${NFQWS_MY1_PORTS_TCP:-$NFQWS_PORTS_TCP}
+NFQWS_MY1_PORTS_UDP=${NFQWS_MY1_PORTS_UDP:-$NFQWS_PORTS_UDP}
+NFQWS_MY1_TCP_PKT_OUT=${NFQWS_MY1_TCP_PKT_OUT:-$NFQWS_TCP_PKT_OUT}
+NFQWS_MY1_UDP_PKT_OUT=${NFQWS_MY1_UDP_PKT_OUT:-$NFQWS_UDP_PKT_OUT}
+NFQWS_MY1_TCP_PKT_IN=${NFQWS_MY1_TCP_PKT_IN:-$NFQWS_TCP_PKT_IN}
+NFQWS_MY1_UDP_PKT_IN=${NFQWS_MY1_UDP_PKT_IN:-$NFQWS_UDP_PKT_IN}
+
+NFQWS_MY1_IPSET_SIZE=${NFQWS_MY1_IPSET_SIZE:-4096}
+NFQWS_MY1_IPSET_OPT="${NFQWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $NFQWS_MY1_IPSET_SIZE}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_NAME4=my1nfqws4
+NFQWS_MY1_NAME6=my1nfqws6
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_MY1_OPT"
+	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6 subnet
+	local NFQWS_MY1_PORTS_TCP=$(replace_char - : $NFQWS_MY1_PORTS_TCP)
+	local NFQWS_MY1_PORTS_UDP=$(replace_char - : $NFQWS_MY1_PORTS_UDP)
+
+	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
+		ipset create $NFQWS_MY1_NAME4 $NFQWS_MY1_IPSET_OPT family inet 2>/dev/null
+		ipset flush $NFQWS_MY1_NAME4
+		for subnet in $NFQWS_MY1_SUBNETS4; do
+			echo add $NFQWS_MY1_NAME4 $subnet
+		done | ipset -! restore
+	}
+	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
+		ipset create $NFQWS_MY1_NAME6 $NFQWS_MY1_IPSET_OPT family inet6 2>/dev/null
+		ipset flush $NFQWS_MY1_NAME6
+		for subnet in $NFQWS_MY1_SUBNETS6; do
+			echo add $NFQWS_MY1_NAME6 $subnet
+		done | ipset -! restore
+	}
+
+	[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="-p tcp -m multiport --dports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 dst"
+			f4="$f4 $NFQWS_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="-p tcp -m multiport --sports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 src"
+			f4="$f4 $NFQWS_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+	[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="-p udp -m multiport --dports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 dst"
+			f4="$f4 $NFQWS_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="-p udp -m multiport --sports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS_MY1_NAME6 src"
+			f4="$f4 $NFQWS_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS_MY1_NAME4 2>/dev/null
+		ipset destroy $NFQWS_MY1_NAME6 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	local f4 f6 subnets
+	local first_packets_only="$nft_connbytes 1-$NFQWS_MY1_PKT_OUT"
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+	        make_comma_list subnets $NFQWS_MY1_SUBNETS4
+		nft_create_set $NFQWS_MY1_NAME4 "type ipv4_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS_MY1_NAME4
+		nft_add_set_element $NFQWS_MY1_NAME4 "$subnets"
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+	        make_comma_list subnets $NFQWS_MY1_SUBNETS6
+		nft_create_set $NFQWS_MY1_NAME6 "type ipv6_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS_MY1_NAME6
+		nft_add_set_element $NFQWS_MY1_NAME6 "$subnets"
+	}
+
+	[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="tcp dport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="tcp sport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+	[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="udp dport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+		[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="udp sport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
+		}
+	}
+}
+
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS_MY1_NAME4 2>/dev/null
+	nft_del_set $NFQWS_MY1_NAME6 2>/dev/null
+}

init.d/custom.d.examples.linux/50-quic4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all IETF QUIC initials
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_QUIC="${NFQWS_OPT_DESYNC_QUIC:---payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=2}"
+
+alloc_dnum DNUM_QUIC4ALL
+alloc_qnum QNUM_QUIC4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_QUIC4ALL $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 $DNUM_QUIC4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=264:65535&&0>>22&0x3C@8>>28=0xC&&0>>22&0x3C@9=0x00000001" "$f 44>>16=264:65535&&48>>28=0xC&&49=0x00000001" $QNUM_QUIC4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length >= 264 @ih,0,4 0xC @ih,8,32 0x00000001"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_QUIC4ALL
+}

init.d/custom.d.examples.linux/50-stun4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all stun packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun_binding_req --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+
+alloc_dnum DNUM_STUN4ALL
+alloc_qnum QNUM_STUN4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_STUN4ALL $NFQWS_OPT_DESYNC_STUN"
+	do_nfqws $1 $DNUM_STUN4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=28:65535&&0>>22&0x3C@12=0x2112A442&&0>>22&0x3C@8&0xC0000003=0" "$f 44>>16=28:65535&&52=0x2112A442&&48&0xC0000003=0" $QNUM_STUN4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length >= 28 @ih,32,32 0x2112A442 @ih,0,2 0 @ih,30,2 0"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_STUN4ALL
+}

init.d/custom.d.examples.linux/50-wg4all

@@ -0,0 +1,32 @@
+# this custom script runs desync to all wireguard handshake initiation packets
+# NOTE: this works for original wireguard and may not work for 3rd party implementations such as xray
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---payload wireguard_initiation --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+	do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length 156 @ih,0,32 0x01000000"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}