blockcheck2, winws: multiple instances compat

blockcheck2.sh

@@ -26,7 +26,6 @@ CURL=${CURL:-curl}
 
 TEST_DEFAULT=${TEST_DEFAULT:-standard}
 DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
-QNUM=${QNUM:-59781}
 SOCKS_PORT=${SOCKS_PORT:-1993}
 WS_UID=${WS_UID:-1}
 WS_GID=${WS_GID:-3003}
@@ -35,8 +34,6 @@ DVTWS2=${DVTWS2:-${ZAPRET_BASE}/nfq2/dvtws2}
 WINWS2=${WINWS2:-${ZAPRET_BASE}/nfq2/winws2}
 MDIG=${MDIG:-${ZAPRET_BASE}/mdig/mdig}
 DESYNC_MARK=0x10000000
-IPFW_RULE_NUM=${IPFW_RULE_NUM:-1}
-IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
@@ -45,12 +42,20 @@ HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}
 QUIC_PORT=${QUIC_PORT:-443}
 UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
-PARALLEL_OUT=/tmp/zapret_parallel
 SIM_SUCCESS_RATE=${SIM_SUCCESS_RATE:-10}
 
-HDRTEMP=/tmp/zapret-hdr
+IPFW_RULE_MAX=${IPFW_RULE_MAX:-999}
+IPFW_RULE_NUM=${IPFW_RULE_NUM:-$(($$ % $IPFW_RULE_MAX + 1))}
+IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-$(($$ % 64536 + 1000))}
+QNUM=${QNUM:-$(($$ % 64536 + 1000))}
 
-NFT_TABLE=blockcheck
+IPSET_FILE=/tmp/blockcheck_ipset_$$.txt
+PARALLEL_OUT=/tmp/zapret_parallel_$$
+HDRTEMP=/tmp/zapret-hdr-$$
+NFT_TABLE=blockcheck$$
+IPT_OUT_CHAIN=blockcheck_output_$$
+IPT_IN_CHAIN=blockcheck_input_$$
+IPT_COMMENT="-m comment --comment blockcheck_$$"
 
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
 DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ej.ru rutracker.org www.torproject.org bbc.com}
@@ -59,7 +64,6 @@ DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
 DNSCHECK_DIGS=/tmp/digs.txt
 
-IPSET_FILE=/tmp/blockcheck_ipset.txt
 
 unset PF_STATUS
 PF_RULES_SAVE=/tmp/pf-zapret-save.conf
@@ -406,10 +410,16 @@ zp_already_running()
 {
 	case "$UNAME" in
 		CYGWIN)
-			win_process_exists $PKTWSD || win_process_exists winws || win_process_exists winws2 || win_process_exists goodbyedpi
+			win_process_exists $PKTWSD || win_process_exists winws || win_process_exists goodbyedpi
+			;;
+		FreeBSD|OpenBSD)
+			process_exists $PKTWSD || process_exists tpws || process_exists dvtws
+			;;
+		Linux)
+			process_exists $PKTWSD || process_exists tpws || process_exists nfqws
 			;;
 		*)
-			process_exists $PKTWSD || process_exists tpws || process_exists nfqws || process_exists nfqws2
+			return 1
 	esac
 }
 check_already()
@@ -732,24 +742,24 @@ ipt_aux_scheme()
 	# $3 - port
 
 	# to avoid possible INVALID state drop
-	[ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! --syn -j ACCEPT
+	[ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! $IPT_COMMENT --syn -j ACCEPT
 
 	local icmp_filter="-p icmp -m icmp --icmp-type"
 	[ "$IPV" = 6 ] && icmp_filter="-p icmpv6 -m icmp6 --icmpv6-type"
-	IPT_ADD_DEL $1 INPUT $icmp_filter time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP 
+	IPT_ADD_DEL $1 INPUT $icmp_filter time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK $IPT_COMMENT -j DROP 
 
 	# for strategies with incoming packets involved (autottl)
-	IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID -j ACCEPT
+	IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID $IPT_COMMENT -j ACCEPT
 	if [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ]; then
 		# the only way to reliable disable ipv6 defrag. works only in 4.16+ kernels
-		IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag -j CT --notrack
+		IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag $IPT_COMMENT -j CT --notrack
 	elif [ "$IPV" = 4 ]; then
 		# enable fragments
-		IPT_ADD_DEL $1 OUTPUT -f -j ACCEPT
+		IPT_ADD_DEL $1 OUTPUT -f $IPT_COMMENT -j ACCEPT
 	fi
 	# enable everything generated by nfqws (works only in OUTPUT, not in FORWARD)
 	# raw table may not be present
-	IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack
+	IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK $IPT_COMMENT -j CT --notrack
 }
 ipt_scheme()
 {
@@ -759,18 +769,18 @@ ipt_scheme()
 
 	local ip
 
-	$IPTABLES -t mangle -N blockcheck_output 2>/dev/null
-	$IPTABLES -t mangle -F blockcheck_output
-	IPT OUTPUT -t mangle -j blockcheck_output
+	$IPTABLES -t mangle -N $IPT_OUT_CHAIN 2>/dev/null
+	$IPTABLES -t mangle -F $IPT_OUT_CHAIN
+	IPT OUTPUT -t mangle -j $IPT_OUT_CHAIN
 
 	# prevent loop
-	$IPTABLES -t mangle -A blockcheck_output -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
-	$IPTABLES -t mangle -A blockcheck_output ! -p $1 -j RETURN
-	$IPTABLES -t mangle -A blockcheck_output -p $1 ! --dport $2 -j RETURN
+	$IPTABLES -t mangle -A $IPT_OUT_CHAIN -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j RETURN
+	$IPTABLES -t mangle -A $IPT_OUT_CHAIN ! -p $1 -j RETURN
+	$IPTABLES -t mangle -A $IPT_OUT_CHAIN -p $1 ! --dport $2 -j RETURN
 
 	for ip in $3; do
-		$IPTABLES -t mangle -A blockcheck_output -d $ip -j CONNMARK --or-mark $DESYNC_MARK
-		$IPTABLES -t mangle -A blockcheck_output -d $ip -j NFQUEUE --queue-num $QNUM
+		$IPTABLES -t mangle -A $IPT_OUT_CHAIN -d $ip -j CONNMARK --or-mark $DESYNC_MARK
+		$IPTABLES -t mangle -A $IPT_OUT_CHAIN -d $ip -j NFQUEUE --queue-num $QNUM
 	done
 
 	ipt_aux_scheme 1 $1 $2
@@ -846,9 +856,9 @@ pktws_ipt_unprepare()
 	case "$FWTYPE" in
 		iptables)
 			ipt_aux_scheme 0 $1 $2
-			IPT_DEL OUTPUT -t mangle -j blockcheck_output
-			$IPTABLES -t mangle -F blockcheck_output 2>/dev/null
-			$IPTABLES -t mangle -X blockcheck_output 2>/dev/null
+			IPT_DEL OUTPUT -t mangle -j $IPT_OUT_CHAIN
+			$IPTABLES -t mangle -F $IPT_OUT_CHAIN 2>/dev/null
+			$IPTABLES -t mangle -X $IPT_OUT_CHAIN 2>/dev/null
 			;;
 		nftables)
 			nft delete table inet $NFT_TABLE 2>/dev/null
@@ -876,17 +886,17 @@ pktws_ipt_prepare_tcp()
 
 	pktws_ipt_prepare tcp $1 "$2"
 
-	# for autottl mode
+	# for autottl mode and tcp_mss detection
 	case "$FWTYPE" in
 		iptables)
-			$IPTABLES -N blockcheck_input -t mangle 2>/dev/null
-			$IPTABLES -F blockcheck_input -t mangle 2>/dev/null
-			IPT INPUT -t mangle -j blockcheck_input
-			$IPTABLES -t mangle -A blockcheck_input ! -p tcp -j RETURN
-			$IPTABLES -t mangle -A blockcheck_input -p tcp ! --sport $1 -j RETURN
-			$IPTABLES -t mangle -A blockcheck_input -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j RETURN
+			$IPTABLES -N $IPT_IN_CHAIN -t mangle 2>/dev/null
+			$IPTABLES -F $IPT_IN_CHAIN -t mangle 2>/dev/null
+			IPT INPUT -t mangle -j $IPT_IN_CHAIN
+			$IPTABLES -t mangle -A $IPT_IN_CHAIN ! -p tcp -j RETURN
+			$IPTABLES -t mangle -A $IPT_IN_CHAIN -p tcp ! --sport $1 -j RETURN
+			$IPTABLES -t mangle -A $IPT_IN_CHAIN -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j RETURN
 			for ip in $2; do
-				$IPTABLES -A blockcheck_input -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
+				$IPTABLES -A $IPT_IN_CHAIN -t mangle -s $ip -j NFQUEUE --queue-num $QNUM
 			done
 			;;
 		nftables)
@@ -910,9 +920,9 @@ pktws_ipt_unprepare_tcp()
 
 	case "$FWTYPE" in
 		iptables)
-			IPT_DEL INPUT -t mangle -j blockcheck_input
-			$IPTABLES -t mangle -F blockcheck_input 2>/dev/null
-			$IPTABLES -t mangle -X blockcheck_input 2>/dev/null
+			IPT_DEL INPUT -t mangle -j $IPT_IN_CHAIN
+			$IPTABLES -t mangle -F $IPT_IN_CHAIN 2>/dev/null
+			$IPTABLES -t mangle -X $IPT_IN_CHAIN 2>/dev/null
 			;;
 	esac
 }
@@ -940,7 +950,8 @@ pktws_start()
 			"$DVTWS2" --port=$IPFW_DIVERT_PORT --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
 			;;
 		CYGWIN)
-			"$WINWS2" $WF --ipset="$IPSET_FILE" --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
+			# allow multiple PKTWS instances with the same wf filter but different ipset
+			"$WINWS2" --wf-dup-check=0 $WF --ipset="$IPSET_FILE" --lua-init=@"$ZAPRET_BASE/lua/zapret-lib.lua" --lua-init=@"$ZAPRET_BASE/lua/zapret-antidpi.lua" "$@" >/dev/null &
 			;;
 	esac
 	PID=$!
@@ -1315,7 +1326,6 @@ check_domain_http_tcp()
 	local ips
 
 	# in case was interrupted before
-	pktws_ipt_unprepare_tcp $2
 	ws_kill
 
 	check_domain_prolog $1 $2 $4 || return
@@ -1343,7 +1353,6 @@ check_domain_http_udp()
 	local ips
 
 	# in case was interrupted before
-	pktws_ipt_unprepare_udp $2
 	ws_kill
 
 	check_domain_prolog $1 $2 $3 || return