diff --git a/blockcheck2.sh b/blockcheck2.sh
index f2eed49..b1f899f 100755
--- a/blockcheck2.sh
+++ b/blockcheck2.sh
@@ -26,7 +26,6 @@ CURL=${CURL:-curl}
 TEST_DEFAULT=${TEST_DEFAULT:-standard}
 DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
-QNUM=${QNUM:-59781}
 SOCKS_PORT=${SOCKS_PORT:-1993}
 WS_UID=${WS_UID:-1}
 WS_GID=${WS_GID:-3003}
@@ -35,8 +34,6 @@ DVTWS2=${DVTWS2:-${ZAPRET_BASE}/nfq2/dvtws2}
 WINWS2=${WINWS2:-${ZAPRET_BASE}/nfq2/winws2}
 MDIG=${MDIG:-${ZAPRET_BASE}/mdig/mdig}
 DESYNC_MARK=0x10000000
-IPFW_RULE_NUM=${IPFW_RULE_NUM:-1}
-IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
@@ -45,12 +42,20 @@ HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}
 QUIC_PORT=${QUIC_PORT:-443}
 UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
-PARALLEL_OUT=/tmp/zapret_parallel
 SIM_SUCCESS_RATE=${SIM_SUCCESS_RATE:-10}
-HDRTEMP=/tmp/zapret-hdr
+IPFW_RULE_MAX=${IPFW_RULE_MAX:-999}
+IPFW_RULE_NUM=${IPFW_RULE_NUM:-$(($$ % $IPFW_RULE_MAX + 1))}
+IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-$(($$ % 64536 + 1000))}
+QNUM=${QNUM:-$(($$ % 64536 + 1000))}
-NFT_TABLE=blockcheck
+IPSET_FILE=/tmp/blockcheck_ipset_$$.txt
+PARALLEL_OUT=/tmp/zapret_parallel_$$
+HDRTEMP=/tmp/zapret-hdr-$$
+NFT_TABLE=blockcheck$$
+IPT_OUT_CHAIN=blockcheck_output_$$
+IPT_IN_CHAIN=blockcheck_input_$$
+IPT_COMMENT="-m comment --comment blockcheck_$$"
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
 DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ej.ru rutracker.org www.torproject.org bbc.com}
@@ -59,7 +64,6 @@ DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
 DNSCHECK_DIGS=/tmp/digs.txt
-IPSET_FILE=/tmp/blockcheck_ipset.txt
 unset PF_STATUS
 PF_RULES_SAVE=/tmp/pf-zapret-save.conf
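Review bot: In the third hunk, `IPSET_FILE`, `PARALLEL_OUT` and `HDRTEMP` are still predictable names in the world-writable /tmp (a PID suffix is easily guessed), which matters for a script that normally runs as root; `mktemp` removes the guessing, e.g. `HDRTEMP=$(mktemp /tmp/zapret-hdr.XXXXXX)` with the matching removal on exit. The PID-derived defaults `$(($$ % 64536 + 1000))` for `QNUM` and `IPFW_DIVERT_PORT`, and `$(($$ % $IPFW_RULE_MAX + 1))` for `IPFW_RULE_NUM`, can still collide between two concurrent runs whose PIDs are congruent modulo the divisor, so the queue, divert port or rule number would be shared. A one-line comment stating that these are best-effort defaults that can be overridden from the environment would set expectations. `IPFW_RULE_MAX=0` exported by a user turns the `IPFW_RULE_NUM` expansion into a division-by-zero error at startup; validating it (non-empty, positive integer) before use avoids a confusing failure.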
@@ -406,10 +410,16 @@ zp_already_running()
 {
 case "$UNAME" in
 CYGWIN)
- win_process_exists $PKTWSD || win_process_exists winws || win_process_exists winws2 || win_process_exists goodbyedpi
+ win_process_exists $PKTWSD || win_process_exists winws || win_process_exists goodbyedpi
+ ;;
+ FreeBSD|OpenBSD)
+ process_exists $PKTWSD || process_exists tpws || process_exists dvtws
+ ;;
+ Linux)
+ process_exists $PKTWSD || process_exists tpws || process_exists nfqws
 ;;
 *)
- process_exists $PKTWSD || process_exists tpws || process_exists nfqws || process_exists nfqws2
+ return 1
 esac
 }
 check_already()
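Review bot: The new `FreeBSD|OpenBSD)` arm no longer checks for a running `dvtws2`, yet docs/changes.txt in this same commit states that multiple instances are supported on freebsd but "not openbsd"; if that is so, OpenBSD needs its own arm that keeps the check, e.g. `OpenBSD) process_exists $PKTWSD || process_exists tpws || process_exists dvtws || process_exists dvtws2 ;;`, otherwise a second blockcheck2 run on OpenBSD starts silently beside the first. The `*)` arm returns 1, so an unrecognised platform is reported as "nothing running"; a comment such as `# unknown platform: cannot detect, assume not running` would make that deliberate rather than accidental. The whole function is inside the hunk.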
@@ -732,24 +742,24 @@ ipt_aux_scheme()
 # $3 - port
 # to avoid possible INVALID state drop
- [ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! --syn -j ACCEPT
+ [ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! $IPT_COMMENT --syn -j ACCEPT
 local icmp_filter="-p icmp -m icmp --icmp-type"
 [ "$IPV" = 6 ] && icmp_filter="-p icmpv6 -m icmp6 --icmpv6-type"
- IPT_ADD_DEL $1 INPUT $icmp_filter time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP
+ IPT_ADD_DEL $1 INPUT $icmp_filter time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK $IPT_COMMENT -j DROP
 # for strategies with incoming packets involved (autottl)
- IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID -j ACCEPT
+ IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID $IPT_COMMENT -j ACCEPT
 if [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ]; then
 # the only way to reliable disable ipv6 defrag. works only in 4.16+ kernels
- IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag -j CT --notrack
+ IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag $IPT_COMMENT -j CT --notrack
 elif [ "$IPV" = 4 ]; then
 # enable fragments
- IPT_ADD_DEL $1 OUTPUT -f -j ACCEPT
+ IPT_ADD_DEL $1 OUTPUT -f $IPT_COMMENT -j ACCEPT
 fi
 # enable everything generated by nfqws (works only in OUTPUT, not in FORWARD)
 # raw table may not be present
- IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack
+ IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK $IPT_COMMENT -j CT --notrack
 }
 ipt_scheme()
 {
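Review bot: In the first changed line the comment match is inserted between `!` and `--syn`, which expands to `... --sport $3 ! -m comment --comment blockcheck_<pid> --syn -j ACCEPT`; iptables only accepts `!` directly in front of the option it negates and rejects it before `-m` ("unexpected ! flag before --match"), so on the tcp path this rule would fail to be added and later to be removed, leaving the INVALID-state workaround absent. Put the comment after the negated option, as every other rule in the hunk already does before `-j`: `[ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! --syn $IPT_COMMENT -j ACCEPT`. Since `IPT_ADD_DEL` presumably relies on `-C` to tell this instance's rules from another's, a failed add here is also silent unless its return code is checked.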
@@ -759,18 +769,18 @@ ipt_scheme()
 local ip
- $IPTABLES -t mangle -N blockcheck_output 2>/dev/null
- $IPTABLES -t mangle -F blockcheck_output
- IPT OUTPUT -t mangle -j blockcheck_output
+ $IPTABLES -t mangle -N $IPT_OUT_CHAIN 2>/dev/null
+ $IPTABLES -t mangle -F $IPT_OUT_CHAIN
+ IPT OUTPUT -t mangle -j $IPT_OUT_CHAIN
 # prevent loop
- $IPTABLES -t mangle -A blockcheck_output -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
- $IPTABLES -t mangle -A blockcheck_output ! -p $1 -j RETURN
- $IPTABLES -t mangle -A blockcheck_output -p $1 ! --dport $2 -j RETURN
+ $IPTABLES -t mangle -A $IPT_OUT_CHAIN -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
+ $IPTABLES -t mangle -A $IPT_OUT_CHAIN ! -p $1 -j RETURN
+ $IPTABLES -t mangle -A $IPT_OUT_CHAIN -p $1 ! --dport $2 -j RETURN
 for ip in $3; do
- $IPTABLES -t mangle -A blockcheck_output -d $ip -j CONNMARK --or-mark $DESYNC_MARK
- $IPTABLES -t mangle -A blockcheck_output -d $ip -j NFQUEUE --queue-num $QNUM
+ $IPTABLES -t mangle -A $IPT_OUT_CHAIN -d $ip -j CONNMARK --or-mark $DESYNC_MARK
+ $IPTABLES -t mangle -A $IPT_OUT_CHAIN -d $ip -j NFQUEUE --queue-num $QNUM
 done
 ipt_aux_scheme 1 $1 $2
@@ -846,9 +856,9 @@ pktws_ipt_unprepare()
 case "$FWTYPE" in
 iptables)
 ipt_aux_scheme 0 $1 $2
- IPT_DEL OUTPUT -t mangle -j blockcheck_output
- $IPTABLES -t mangle -F blockcheck_output 2>/dev/null
- $IPTABLES -t mangle -X blockcheck_output 2>/dev/null
+ IPT_DEL OUTPUT -t mangle -j $IPT_OUT_CHAIN
+ $IPTABLES -t mangle -F $IPT_OUT_CHAIN 2>/dev/null
+ $IPTABLES -t mangle -X $IPT_OUT_CHAIN 2>/dev/null
 ;;
 nftables)
 nft delete table inet $NFT_TABLE 2>/dev/null
@@ -876,17 +886,17 @@ pktws_ipt_prepare_tcp()
 pktws_ipt_prepare tcp $1 "$2"
- # for autottl mode
+ # for autottl mode and tcp_mss detection
 case "$FWTYPE" in
 iptables)
- $IPTABLES -N blockcheck_input -t mangle 2>/dev/null
- $IPTABLES -F blockcheck_input -t mangle 2>/dev/null
- IPT INPUT -t mangle -j blockcheck_input
- $IPTABLES -t mangle -A blockcheck_input ! -p tcp -j RETURN
- $IPTABLES -t mangle -A blockcheck_input -p tcp ! --sport $1 -j RETURN
- $IPTABLES -t mangle -A blockcheck_input -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j RETURN
+ $IPTABLES -N $IPT_IN_CHAIN -t mangle 2>/dev/null
+ $IPTABLES -F $IPT_IN_CHAIN -t mangle 2>/dev/null
+ IPT INPUT -t mangle -j $IPT_IN_CHAIN
+ $IPTABLES -t mangle -A $IPT_IN_CHAIN ! -p tcp -j RETURN
+ $IPTABLES -t mangle -A $IPT_IN_CHAIN -p tcp ! --sport $1 -j RETURN
+ $IPTABLES -t mangle -A $IPT_IN_CHAIN -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j RETURN
 for ip in $2; do
- $IPTABLES -A blockcheck_input -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
+ $IPTABLES -A $IPT_IN_CHAIN -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
 done
 ;;
 nftables)
@@ -910,9 +920,9 @@ pktws_ipt_unprepare_tcp()
 case "$FWTYPE" in
 iptables)
- IPT_DEL INPUT -t mangle -j blockcheck_input
- $IPTABLES -t mangle -F blockcheck_input 2>/dev/null
- $IPTABLES -t mangle -X blockcheck_input 2>/dev/null
+ IPT_DEL INPUT -t mangle -j $IPT_IN_CHAIN
+ $IPTABLES -t mangle -F $IPT_IN_CHAIN 2>/dev/null
+ $IPTABLES -t mangle -X $IPT_IN_CHAIN 2>/dev/null
 ;;
 esac
 }
@@ -940,7 +950,8 @@ pktws_start()
 "$DVTWS2" --port=$IPFW_DIVERT_PORT --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
 ;;
 CYGWIN)
- "$WINWS2" $WF --ipset="$IPSET_FILE" --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
+ # allow multiple PKTWS instances with the same wf filter but different ipset
+ "$WINWS2" --wf-dup-check=0 $WF --ipset="$IPSET_FILE" --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
 ;;
 esac
 PID=$!
@@ -1315,7 +1326,6 @@ check_domain_http_tcp()
 local ips
 # in case was interrupted before
- pktws_ipt_unprepare_tcp $2
 ws_kill
 check_domain_prolog $1 $2 $4 || return
@@ -1343,7 +1353,6 @@ check_domain_http_udp()
 local ips
 # in case was interrupted before
- pktws_ipt_unprepare_udp $2
 ws_kill
 check_domain_prolog $1 $2 $3 || return
diff --git a/docs/changes.txt b/docs/changes.txt
index 0ab81b6..3067a8c 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -189,4 +189,7 @@ v0.8.1
 * nfqws2: set desync.tcp_mss to minimum of both ends or default if at least one is unknown
 * zapret-lib: tcp_nop_del
 * blockcheck2: tcp_nop_del in SYN packets with md5 in openbsd
-* nfqws2: detect http proxy protocol as http
+
+0.8.6
+
+* winws2, blockcheck2: allow multiple instances in windows, linux, freebsd (not openbsd)
diff --git a/nfq2/nfqws.c b/nfq2/nfqws.c
index 9cdfa87..dfb16bd 100644
--- a/nfq2/nfqws.c
+++ b/nfq2/nfqws.c
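Review bot: Removing `pktws_ipt_unprepare_tcp $2` and `pktws_ipt_unprepare_udp $2` from check_domain_http_tcp and check_domain_http_udp is consistent with the per-PID names (those calls could now only ever remove this process's own chains), but it also drops the only startup sweep: chains, nft tables and /tmp files of an earlier blockcheck2 that was killed, such as `blockcheck_output_<old pid>` in mangle, now persist until reboot. Unless a trap elsewhere in the script already does so, an EXIT/INT/TERM trap that calls the `pktws_ipt_unprepare_*` helpers and removes the `$$`-suffixed temp files would cover both the normal and the interrupted path, and the stale comment `# in case was interrupted before` above the surviving `ws_kill` should be updated to say what `ws_kill` still covers. It is also worth confirming that `ws_kill` (not shown) kills by the recorded `PID` rather than by process name, since by name it would terminate the other concurrent instance's nfqws/winws2 that this commit sets out to allow. Both functions start before and continue after their hunks.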
@@ -1441,6 +1441,7 @@ static void exithelp(void)
 " --wf-filter-lan=0|1\t\t\t\t\t; add excluding filter for non-global IP (default : 1)\n"
 " --wf-filter-loopback=0|1\t\t\t\t; add excluding filter for loopback (default : 1)\n"
 " --wf-raw=|@\t\t\t\t; full raw windivert filter string or filename. replaces --wf-tcp,--wf-udp,--wf-raw-part\n"
+ " --wf-dup-check=0|1\t\t\t\t\t; 1 (default) = do not allow duplicate winws2 instances with the same wf filter\n"
 " --wf-save=\t\t\t\t\t; save windivert filter string to a file and exit\n"
 "\nLOGICAL NETWORK FILTER:\n"
 " --ssid-filter=ssid1[,ssid2,ssid3,...]\t\t\t; enable winws2 only if any of specified wifi SSIDs connected\n"
@@ -1635,6 +1636,7 @@ enum opt_indices {
 IDX_WF_RAW_PART,
 IDX_WF_FILTER_LAN,
 IDX_WF_FILTER_LOOPBACK,
+ IDX_WF_DUP_CHECK,
 IDX_WF_SAVE,
 IDX_SSID_FILTER,
 IDX_NLM_FILTER,
@@ -1727,6 +1729,7 @@ static const struct option long_options[] = {
 [IDX_WF_FILTER_LAN] = {"wf-filter-lan", required_argument, 0, 0},
 [IDX_WF_FILTER_LOOPBACK] = {"wf-filter-loopback", required_argument, 0, 0},
 [IDX_WF_SAVE] = {"wf-save", required_argument, 0, 0},
+ [IDX_WF_DUP_CHECK] = {"wf-dup-check", optional_argument, 0, 0},
 [IDX_SSID_FILTER] = {"ssid-filter", required_argument, 0, 0},
 [IDX_NLM_FILTER] = {"nlm-filter", required_argument, 0, 0},
 [IDX_NLM_LIST] = {"nlm-list", optional_argument, 0, 0},
@@ -1762,7 +1765,7 @@ int main(int argc, char **argv)
 #endif
 int result, v;
 int option_index = 0;
- bool bSkip = false, bDry = false, bTemplate;
+ bool bSkip = false, bDry = false, bDupCheck = true, bTemplate;
 struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
 struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
 uint64_t payload_type=0;
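Review bot: In the long_options hunk `wf-dup-check` is registered with `optional_argument`, while its neighbours documented with the same `0|1` syntax (`wf-filter-lan`, `wf-filter-loopback`) use `required_argument`; with an optional argument `--wf-dup-check 0` (space-separated) leaves `0` as a stray positional and the check stays enabled, which is the opposite of what the caller asked for. Either register it as `{"wf-dup-check", required_argument, 0, 0}` or make the help line honest: `" --wf-dup-check[=0|1]\t\t\t\t; 1 (default) = do not allow duplicate winws2 instances with the same wf filter\n"`. The new entry is also placed after `[IDX_WF_SAVE]` although the enum puts `IDX_WF_DUP_CHECK` before `IDX_WF_SAVE`; designated initializers make this harmless, but the surrounding entries keep both lists in the same order. The option's parsing `case` lives in a later hunk.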
@@ -2498,6 +2501,9 @@ int main(int argc, char **argv)
 strncpy(wf_save_file, optarg, sizeof(wf_save_file));
 wf_save_file[sizeof(wf_save_file) - 1] = '\0';
 break;
+ case IDX_WF_DUP_CHECK:
+ bDupCheck = !optarg || !!atoi(optarg);
+ break;
 case IDX_SSID_FILTER:
 hash_ssid_filter = hash_jen(optarg, strlen(optarg));
 if (!parse_strlist(optarg, ¶ms.ssid_filter))
@@ -2693,7 +2699,8 @@ int main(int argc, char **argv)
 exit_clean(1);
 }
 }
- HANDLE hMutexArg;
+ HANDLE hMutexArg = NULL;
+ if (bDupCheck)
 {
 char mutex_name[128];
 snprintf(mutex_name, sizeof(mutex_name), "Global\\winws2_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u",
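Review bot: In the second hunk `hMutexArg` is now NULL whenever `--wf-dup-check=0` is given, and the `if (bDupCheck)` block's closing brace and every later use of the handle are outside the hunk; any subsequent release or close of `hMutexArg` (and any error-report that assumed it was valid) needs an `if (hMutexArg)` guard, otherwise the disabled path hands a NULL handle to the Win32 API. A comment at the declaration would make the new invariant explicit: `HANDLE hMutexArg = NULL; // NULL when --wf-dup-check=0: no instance mutex is taken`. In the first hunk `bDupCheck = !optarg || !!atoi(optarg);` maps any non-numeric value (a typo such as `--wf-dup-check=yes`) to 0 and so silently disables the duplicate-instance check; rejecting anything other than `0`/`1` with the usual option error would be safer, since disabling the check is the permissive direction.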