blockcheck2, winws: multiple instances compat

blockcheck2.sh

@@ -26,7 +26,6 @@ CURL=${CURL:-curl}
 
 TEST_DEFAULT=${TEST_DEFAULT:-standard}
 DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
-QNUM=${QNUM:-59781}
 SOCKS_PORT=${SOCKS_PORT:-1993}
 WS_UID=${WS_UID:-1}
 WS_GID=${WS_GID:-3003}
@@ -35,8 +34,6 @@ DVTWS2=${DVTWS2:-${ZAPRET_BASE}/nfq2/dvtws2}
 WINWS2=${WINWS2:-${ZAPRET_BASE}/nfq2/winws2}
 MDIG=${MDIG:-${ZAPRET_BASE}/mdig/mdig}
 DESYNC_MARK=0x10000000
-IPFW_RULE_NUM=${IPFW_RULE_NUM:-1}
-IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
@@ -45,12 +42,20 @@ HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}
 QUIC_PORT=${QUIC_PORT:-443}
 UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
-PARALLEL_OUT=/tmp/zapret_parallel
 SIM_SUCCESS_RATE=${SIM_SUCCESS_RATE:-10}
 
-HDRTEMP=/tmp/zapret-hdr
+IPFW_RULE_MAX=${IPFW_RULE_MAX:-999}
+IPFW_RULE_NUM=${IPFW_RULE_NUM:-$(($$ % $IPFW_RULE_MAX + 1))}
+IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-$(($$ % 64536 + 1000))}
+QNUM=${QNUM:-$(($$ % 64536 + 1000))}
 
-NFT_TABLE=blockcheck
+IPSET_FILE=/tmp/blockcheck_ipset_$$.txt
+PARALLEL_OUT=/tmp/zapret_parallel_$$
+HDRTEMP=/tmp/zapret-hdr-$$
+NFT_TABLE=blockcheck$$
+IPT_OUT_CHAIN=blockcheck_output_$$
+IPT_IN_CHAIN=blockcheck_input_$$
+IPT_COMMENT="-m comment --comment blockcheck_$$"
 
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
 DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ej.ru rutracker.org www.torproject.org bbc.com}
@@ -59,7 +64,6 @@ DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
 DNSCHECK_DIGS=/tmp/digs.txt
 
-IPSET_FILE=/tmp/blockcheck_ipset.txt
 
 unset PF_STATUS
 PF_RULES_SAVE=/tmp/pf-zapret-save.conf
@@ -406,10 +410,16 @@ zp_already_running()
 {
 	case "$UNAME" in
 		CYGWIN)
-			win_process_exists $PKTWSD || win_process_exists winws || win_process_exists winws2 || win_process_exists goodbyedpi
+			win_process_exists $PKTWSD || win_process_exists winws || win_process_exists goodbyedpi
+			;;
+		FreeBSD|OpenBSD)
+			process_exists $PKTWSD || process_exists tpws || process_exists dvtws
+			;;
+		Linux)
+			process_exists $PKTWSD || process_exists tpws || process_exists nfqws
 			;;
 		*)
-			process_exists $PKTWSD || process_exists tpws || process_exists nfqws || process_exists nfqws2
+			return 1
 	esac
 }
 check_already()
@@ -732,24 +742,24 @@ ipt_aux_scheme()
 	# $3 - port
 
 	# to avoid possible INVALID state drop
-	[ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! --syn -j ACCEPT
+	[ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! $IPT_COMMENT --syn -j ACCEPT
 
 	local icmp_filter="-p icmp -m icmp --icmp-type"
 	[ "$IPV" = 6 ] && icmp_filter="-p icmpv6 -m icmp6 --icmpv6-type"
-	IPT_ADD_DEL $1 INPUT $icmp_filter time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP 
+	IPT_ADD_DEL $1 INPUT $icmp_filter time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK $IPT_COMMENT -j DROP 
 
 	# for strategies with incoming packets involved (autottl)
-	IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID -j ACCEPT
+	IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID $IPT_COMMENT -j ACCEPT
 	if [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ]; then
 		# the only way to reliable disable ipv6 defrag. works only in 4.16+ kernels
-		IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag -j CT --notrack
+		IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag $IPT_COMMENT -j CT --notrack
 	elif [ "$IPV" = 4 ]; then
 		# enable fragments
-		IPT_ADD_DEL $1 OUTPUT -f -j ACCEPT
+		IPT_ADD_DEL $1 OUTPUT -f $IPT_COMMENT -j ACCEPT
 	fi
 	# enable everything generated by nfqws (works only in OUTPUT, not in FORWARD)
 	# raw table may not be present
-	IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack
+	IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK $IPT_COMMENT -j CT --notrack
 }
 ipt_scheme()
 {
@@ -759,18 +769,18 @@ ipt_scheme()
 
 	local ip
 
-	$IPTABLES -t mangle -N blockcheck_output 2>/dev/null
-	$IPTABLES -t mangle -F blockcheck_output
-	IPT OUTPUT -t mangle -j blockcheck_output
+	$IPTABLES -t mangle -N $IPT_OUT_CHAIN 2>/dev/null
+	$IPTABLES -t mangle -F $IPT_OUT_CHAIN
+	IPT OUTPUT -t mangle -j $IPT_OUT_CHAIN
 
 	# prevent loop
-	$IPTABLES -t mangle -A blockcheck_output -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
-	$IPTABLES -t mangle -A blockcheck_output ! -p $1 -j RETURN
-	$IPTABLES -t mangle -A blockcheck_output -p $1 ! --dport $2 -j RETURN
+	$IPTABLES -t mangle -A $IPT_OUT_CHAIN -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
+	$IPTABLES -t mangle -A $IPT_OUT_CHAIN ! -p $1 -j RETURN
+	$IPTABLES -t mangle -A $IPT_OUT_CHAIN -p $1 ! --dport $2 -j RETURN
 
 	for ip in $3; do
-		$IPTABLES -t mangle -A blockcheck_output -d $ip -j CONNMARK --or-mark $DESYNC_MARK
-		$IPTABLES -t mangle -A blockcheck_output -d $ip -j NFQUEUE --queue-num $QNUM
+		$IPTABLES -t mangle -A $IPT_OUT_CHAIN -d $ip -j CONNMARK --or-mark $DESYNC_MARK
+		$IPTABLES -t mangle -A $IPT_OUT_CHAIN -d $ip -j NFQUEUE --queue-num $QNUM
 	done
 
 	ipt_aux_scheme 1 $1 $2
@@ -846,9 +856,9 @@ pktws_ipt_unprepare()
 	case "$FWTYPE" in
 		iptables)
 			ipt_aux_scheme 0 $1 $2
-			IPT_DEL OUTPUT -t mangle -j blockcheck_output
-			$IPTABLES -t mangle -F blockcheck_output 2>/dev/null
-			$IPTABLES -t mangle -X blockcheck_output 2>/dev/null
+			IPT_DEL OUTPUT -t mangle -j $IPT_OUT_CHAIN
+			$IPTABLES -t mangle -F $IPT_OUT_CHAIN 2>/dev/null
+			$IPTABLES -t mangle -X $IPT_OUT_CHAIN 2>/dev/null
 			;;
 		nftables)
 			nft delete table inet $NFT_TABLE 2>/dev/null
@@ -876,17 +886,17 @@ pktws_ipt_prepare_tcp()
 
 	pktws_ipt_prepare tcp $1 "$2"
 
-	# for autottl mode
+	# for autottl mode and tcp_mss detection
 	case "$FWTYPE" in
 		iptables)
-			$IPTABLES -N blockcheck_input -t mangle 2>/dev/null
-			$IPTABLES -F blockcheck_input -t mangle 2>/dev/null
-			IPT INPUT -t mangle -j blockcheck_input
-			$IPTABLES -t mangle -A blockcheck_input ! -p tcp -j RETURN
-			$IPTABLES -t mangle -A blockcheck_input -p tcp ! --sport $1 -j RETURN
-			$IPTABLES -t mangle -A blockcheck_input -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j RETURN
+			$IPTABLES -N $IPT_IN_CHAIN -t mangle 2>/dev/null
+			$IPTABLES -F $IPT_IN_CHAIN -t mangle 2>/dev/null
+			IPT INPUT -t mangle -j $IPT_IN_CHAIN
+			$IPTABLES -t mangle -A $IPT_IN_CHAIN ! -p tcp -j RETURN
+			$IPTABLES -t mangle -A $IPT_IN_CHAIN -p tcp ! --sport $1 -j RETURN
+			$IPTABLES -t mangle -A $IPT_IN_CHAIN -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j RETURN
 			for ip in $2; do
-				$IPTABLES -A blockcheck_input -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
+				$IPTABLES -A $IPT_IN_CHAIN -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
 			done
 			;;
 		nftables)
@@ -910,9 +920,9 @@ pktws_ipt_unprepare_tcp()
 
 	case "$FWTYPE" in
 		iptables)
-			IPT_DEL INPUT -t mangle -j blockcheck_input
-			$IPTABLES -t mangle -F blockcheck_input 2>/dev/null
-			$IPTABLES -t mangle -X blockcheck_input 2>/dev/null
+			IPT_DEL INPUT -t mangle -j $IPT_IN_CHAIN
+			$IPTABLES -t mangle -F $IPT_IN_CHAIN 2>/dev/null
+			$IPTABLES -t mangle -X $IPT_IN_CHAIN 2>/dev/null
 			;;
 	esac
 }
@@ -940,7 +950,8 @@ pktws_start()
 			"$DVTWS2" --port=$IPFW_DIVERT_PORT --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
 			;;
 		CYGWIN)
-			"$WINWS2" $WF --ipset="$IPSET_FILE" --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
+			# allow multiple PKTWS instances with the same wf filter but different ipset
+			"$WINWS2" --wf-dup-check=0 $WF --ipset="$IPSET_FILE" --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
 			;;
 	esac
 	PID=$!
@@ -1315,7 +1326,6 @@ check_domain_http_tcp()
 	local ips
 
 	# in case was interrupted before
-	pktws_ipt_unprepare_tcp $2
 	ws_kill
 
 	check_domain_prolog $1 $2 $4 || return
@@ -1343,7 +1353,6 @@ check_domain_http_udp()
 	local ips
 
 	# in case was interrupted before
-	pktws_ipt_unprepare_udp $2
 	ws_kill
 
 	check_domain_prolog $1 $2 $3 || return

docs/changes.txt

@@ -189,4 +189,7 @@ v0.8.1
 * nfqws2: set desync.tcp_mss to minimum of both ends or default if at least one is unknown
 * zapret-lib: tcp_nop_del
 * blockcheck2: tcp_nop_del in SYN packets with md5 in openbsd
-* nfqws2: detect http proxy protocol as http
+
+0.8.6
+
+* winws2, blockcheck2: allow multiple instances in windows, linux, freebsd (not openbsd)

nfq2/nfqws.c

@@ -1441,6 +1441,7 @@ static void exithelp(void)
 		" --wf-filter-lan=0|1\t\t\t\t\t; add excluding filter for non-global IP (default : 1)\n"
 		" --wf-filter-loopback=0|1\t\t\t\t; add excluding filter for loopback (default : 1)\n"
 		" --wf-raw=<filter>|@<filename>\t\t\t\t; full raw windivert filter string or filename. replaces --wf-tcp,--wf-udp,--wf-raw-part\n"
+		" --wf-dup-check=0|1\t\t\t\t\t; 1 (default) = do not allow duplicate winws2 instances with the same wf filter\n"
 		" --wf-save=<filename>\t\t\t\t\t; save windivert filter string to a file and exit\n"
 		"\nLOGICAL NETWORK FILTER:\n"
 		" --ssid-filter=ssid1[,ssid2,ssid3,...]\t\t\t; enable winws2 only if any of specified wifi SSIDs connected\n"
@@ -1635,6 +1636,7 @@ enum opt_indices {
 	IDX_WF_RAW_PART,
 	IDX_WF_FILTER_LAN,
 	IDX_WF_FILTER_LOOPBACK,
+	IDX_WF_DUP_CHECK,
 	IDX_WF_SAVE,
 	IDX_SSID_FILTER,
 	IDX_NLM_FILTER,
@@ -1727,6 +1729,7 @@ static const struct option long_options[] = {
 	[IDX_WF_FILTER_LAN] = {"wf-filter-lan", required_argument, 0, 0},
 	[IDX_WF_FILTER_LOOPBACK] = {"wf-filter-loopback", required_argument, 0, 0},
 	[IDX_WF_SAVE] = {"wf-save", required_argument, 0, 0},
+	[IDX_WF_DUP_CHECK] = {"wf-dup-check", optional_argument, 0, 0},
 	[IDX_SSID_FILTER] = {"ssid-filter", required_argument, 0, 0},
 	[IDX_NLM_FILTER] = {"nlm-filter", required_argument, 0, 0},
 	[IDX_NLM_LIST] = {"nlm-list", optional_argument, 0, 0},
@@ -1762,7 +1765,7 @@ int main(int argc, char **argv)
 #endif
 	int result, v;
 	int option_index = 0;
-	bool bSkip = false, bDry = false, bTemplate;
+	bool bSkip = false, bDry = false, bDupCheck = true, bTemplate;
 	struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
 	struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
 	uint64_t payload_type=0;
@@ -2498,6 +2501,9 @@ int main(int argc, char **argv)
 			strncpy(wf_save_file, optarg, sizeof(wf_save_file));
 			wf_save_file[sizeof(wf_save_file) - 1] = '\0';
 			break;
+		case IDX_WF_DUP_CHECK:
+			bDupCheck = !optarg || !!atoi(optarg);
+			break;
 		case IDX_SSID_FILTER:
 			hash_ssid_filter = hash_jen(optarg, strlen(optarg));
 			if (!parse_strlist(optarg, &params.ssid_filter))
@@ -2693,7 +2699,8 @@ int main(int argc, char **argv)
 			exit_clean(1);
 		}
 	}
-	HANDLE hMutexArg;
+	HANDLE hMutexArg = NULL;
+	if (bDupCheck)
 	{
 		char mutex_name[128];
 		snprintf(mutex_name, sizeof(mutex_name), "Global\\winws2_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u",