blockcheck

blockcheck2.d/custom/10-list.sh

@@ -0,0 +1,58 @@
+LIST_HTTP="${LIST_HTTP:-$TESTDIR/list_http.txt}"
+LIST_HTTPS_TLS12="${LIST_HTTPS_TLS12:-$TESTDIR/list_https_tls12.txt}"
+LIST_HTTPS_TLS13="${LIST_HTTPS_TLS13:-$TESTDIR/list_https_tls13.txt}"
+LIST_QUIC="${LIST_QUIC:-$TESTDIR/list_quic.txt}"
+
+check_list()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - file
+
+	local line ok=0
+	[ -f "$3" ] || {
+		echo "no strategy file '$3'"
+		return 1
+	}
+	while IFS= read -r line; do
+		case "$line" in
+			""|\#*) continue ;;
+		esac
+		line=$(echo "$line" | tr -d "\r\n")
+		eval pktws_curl_test_update "$1" "$2" $line && ok=1
+	done < "$3"
+
+	[ "$ok" = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTP"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTPS_TLS12"
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTPS_TLS13"
+}
+
+pktws_check_http3()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_QUIC"
+}

blockcheck2.d/custom/README.txt

@@ -0,0 +1,10 @@
+Простой тестер стратегий по списку из файла.
+Скопируйте эту директорию под другим именем в blockcheck2.d, отредактируйте list файлы, впишите туда свои стратегии.
+В диалоге blockcheck2.sh выберите тест с названием вашей директории.
+Можно комментировать строки символом '#' в начале строки.
+Альтернативный путь до файлов стратегий можно задать переменными LIST_HTTP, LIST_HTTPS_TLS12, LIST_HTTPS_TLS13, LIST_QUIC.
+
+This is simple strategy tester from a file.
+Copy this folder, write your strategies into list files and select your test in blockcheck2 dialog.
+Lines can be commented using the '#' symbol at the line start.
+Strategy list files paths can be overriden in env variables : LIST_HTTP, LIST_HTTPS_TLS12, LIST_HTTPS_TLS13, LIST_QUIC.

blockcheck2.d/custom/list_http.txt

@@ -0,0 +1,4 @@
+# write nfqws2 parameters here
+--payload=http_req --lua-desync=http_hostcase
+--payload=http_req --lua-desync=http_methodeol
+--payload=http_req --lua-desync=fake:blob=fake_default_http:tcp_ts=-1000

blockcheck2.d/custom/list_https_tls12.txt

@@ -0,0 +1,3 @@
+# write nfqws2 parameters here
+--payload tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_ts=-1000
+--payload=tls_client_hello --lua-desync=fake:blob=0x00000000:tcp_md5:repeats=1 --lua-desync=fake:blob=fake_default_tls:tcp_md5:tls_mod=rnd,dupsid:repeats=1 --lua-desync=multisplit:pos=2

blockcheck2.d/custom/list_https_tls13.txt

@@ -0,0 +1,4 @@
+# write nfqws2 parameters here
+--payload tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_ts=-1000
+--payload tls_client_hello --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop
+--payload tls_client_hello --lua-desync=luaexec:code="desync.pat=tls_mod(fake_default_tls,'rnd,rndsni,dupsid,padencap',desync.reasm_data)" --lua-desync=tcpseg:pos=0,-1:seqovl=#pat:seqovl_pattern=pat --lua-desync=drop

blockcheck2.d/custom/list_quic.txt

@@ -0,0 +1,3 @@
+# write nfqws2 parameters here
+--payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=11
+--payload quic_initial --lua-desync=send:ipfrag --lua-desync=drop

blockcheck2.d/standard/10-http-basic.sh

@@ -0,0 +1,12 @@
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	local s
+
+	[ "$NOTEST_BASIC_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	for s in 'http_hostcase' 'http_hostcase:spell=hoSt' 'http_domcase' 'http_methodeol'; do
+		pktws_curl_test_update $1 $2 --payload http_req --lua-desync=$s
+	done
+}

blockcheck2.d/standard/15-misc.sh

@@ -0,0 +1,38 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload http_req" repeats ok
+
+	for repeats in 1 20 100 260; do
+		# send starting bytes of original payload
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,method+2:ip_id=rnd:repeats=$repeats && ok=1
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,midsld:ip_id=rnd:repeats=$repeats && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload tls_client_hello" repeats ok
+
+	for repeats in 1 20 100 260; do
+		# send starting bytes of original payload
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,1:ip_id=rnd:repeats=$repeats && ok=1
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,midsld:ip_id=rnd:repeats=$repeats && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls12 "$1" "$2"
+}

blockcheck2.d/standard/20-multi.sh

@@ -0,0 +1,66 @@
+pktws_simple_split_tests()
+{
+	# $1 - test function
+	# $2 - domain/uri
+	# $3 - splits
+	# $4 - PRE args for nfqws2
+	local pos ok ok_any pre="$4"
+	local splitf splitfs="multisplit multidisorder"
+
+	ok_any=0
+	for splitf in multisplit multidisorder; do
+		eval need_$splitf=0
+		ok=0
+		for pos in $3; do
+			pktws_curl_test_update $1 $2 $pre $PAYLOAD --lua-desync=$splitf:pos=$pos && ok=1
+		done
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] || eval need_$splitf=1
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	local splits_http='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload http_req"
+
+	[ "$NOTEST_MULTI_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_simple_split_tests "$1" "$2" "$splits_http"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload tls_client_hello"
+
+	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_simple_split_tests "$1" "$2" "$splits_tls" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_multisplit_save=$need_multisplit need_multidisorder_save=$need_multidisorder
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_multisplit=$need_multisplit_save; need_multidisorder=$need_multidisorder_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/23-seqovl.sh

@@ -0,0 +1,94 @@
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SEQOVL_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local PAYLOAD="--payload http_req"
+
+	local ok pat= split f f2
+
+	pat=${SEQOVL_PATTERN_HTTP:+seqovl_pat}
+	pat=${pat:-fake_default_http}
+
+	pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop
+	pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop
+
+	ok=0
+	for split in method+2 method+2,midsld; do
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=1 && ok=1
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+	for split in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
+		f="$(extract_arg 1 $split)"
+		f2="$(extract_arg 2 $split)"
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat
+	done
+}
+
+pktws_seqovl_tests_tls()
+{
+	# $1 - test function
+	# $2 - domain/uri
+	# $3 - PRE args for nfqws2
+	local ok ok_any
+	local testf=$1 domain="$2" pre="$3"
+	local pat rnd_mod padencap_mod split f f2
+	local PAYLOAD="--payload tls_client_hello"
+
+	pat=${SEQOVL_PATTERN_HTTPS:+seqovl_pat}
+	pat=${pat:-fake_default_tls}
+	rnd_mod="--lua-init=$pat=tls_mod($pat,'rnd')"
+	padencap_mod="--lua-desync=luaexec:code=desync.pat=tls_mod($pat,'rnd,dupsid,padencap',desync.reasm_data)"
+
+	ok=0
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop && ok=1
+	pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop && ok=1
+	pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$pre $PAYLOAD $padencap_mod --lua-desync=tcpseg:pos=0,-1:seqovl=#pat:seqovl_pattern=pat --lua-desync=drop && ok=1
+	ok_any=$ok
+
+	ok=0
+	for split in 10 10,sniext+1 10,sniext+4 10,midsld; do
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=1 && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$pre $PAYLOAD $padencap_mod --lua-desync=multisplit:pos=$split:seqovl=#pat:seqovl_pattern=pat && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+	for split in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
+		f="$(extract_arg 1 $split)"
+		f2="$(extract_arg 2 $split)"
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
+	done
+	[ "$ok" = 1 ] && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_SEQOVL_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_seqovl_tests_tls "$1" "$2" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_seqovl_tests_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_seqovl_tests_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_seqovl_tests_tls "$1" "$2"
+}

blockcheck2.d/standard/25-fake.sh

@@ -0,0 +1,149 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local testf=$1 domain="$2"
+	local ok ok_any ttls attls f ff fake fooling
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	need_fake=0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok_any=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for ff in $fake 0x00000000; do
+			for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+				pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" $f && {
+					ok=1
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		for ff in $fake 0x00000000; do
+			pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=fake_http:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS && ok=1
+			# duplicate SYN with MD5
+			contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --payload empty "--out-range=<s1" --lua-desync=send:tcp_md5 && ok=1
+		done
+	done
+	for ttl in $attls; do
+		for ff in $fake 0x00000000; do
+			for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+				pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+					ok=1
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+		done
+	done
+
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_fake=1
+	[ $ok = 1 ] && okany=1
+	[ $okany = 1 ]
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	need_fake=0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok_any=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+	done
+
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_fake=1
+	[ $ok = 1 ] && okany=1
+	[ $okany = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_fake_save=$need_fake
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_fake=$need_fake_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/30-faked.sh

@@ -0,0 +1,103 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_faked()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - payload_type
+	# $4 - splits
+	# $5 - pattern
+	# $6 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$6"
+	local ok ok_any ttls attls f fooling
+	local splitf splitfs= split splits="$4"
+	local PAYLOAD="--payload=$3"
+	local FAKED_PATTERN="$5"
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fakedsplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fakeddisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+			# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS $f && {
+						ok=1
+						[ "$SCANLEVEL" = force ] || break
+					}
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:$fooling && ok=1
+				# duplicate SYN with MD5
+				contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS --payload empty --out-range="<s1" --lua-desync=send:tcp_md5 && ok=1
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+						ok=1
+						[ "$SCANLEVEL" = force ] || break
+					}
+				done
+			done
+		done
+		[ $ok = 0 -a "$SCANLEVEL" != force ] && eval need_$splitf=1
+		[ $ok = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	[ "$NOTEST_FAKED_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local splits='method+2 midsld method+2,midsld'
+	pktws_check_faked $1 "$2" http_req "$splits" "$FAKED_PATTERN_HTTP" "$3"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	[ "$NOTEST_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	local splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	pktws_check_faked $1 "$2" tls_client_hello "$splits" "$FAKED_PATTERN_HTTPS" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_fakedsplit_save=$need_fakedsplit need_fakeddisorder_save=$need_fakeddisorder
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_fakedsplit=$need_fakedsplit_save need_fakeddisorder=$need_fakeddisorder_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/35-hostfake.sh

@@ -0,0 +1,101 @@
+. "$TESTDIR/def.inc"
+
+
+pktws_hostfake_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5" disorder
+	shift; shift; shift
+
+	for disorder in '' 'disorder_after:'; do
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	done
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_hostfake_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_hostfake_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_hostfake_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+
+pktws_check_hostfake()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - payload_type
+	# $4 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$4"
+	local ok ttls attls f fooling
+	local PAYLOAD="--payload=$3"
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	need_hostfakesplit=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_hostfake_vary $testf $domain "$fooling" "$pre"
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+	done
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && eval need_hostfake=1
+	[ $ok = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_HOSTFAKE_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_hostfake $1 "$2" http_req
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_hostfake $1 "$2" tls_client_hello "$3"
+}
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_hostfakesplit_save=$need_hostfakesplit
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_hostfakesplit=$need_hostfakesplit_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/50-fake-multi.sh

@@ -0,0 +1,160 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_MULTI_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2"
+	local ok ttls attls f ff fake fooling splitf splitfs= split splits='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
+	# do not test fake + multidisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" --lua-desync=$splitf:pos=$split $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split && ok=1
+					# duplicate SYN with MD5
+					contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=fake_http:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split --payload empty "--out-range=<s1" --lua-desync=send:tcp_md5 && ok=1
+				done
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+		done
+	done
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
+	# do not test fake + multidisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+		done
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/55-fake-faked.sh

@@ -0,0 +1,161 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_FAKED_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2"
+	local ok ttls attls f ff fake fooling splitf splitfs= split splits='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_fakedsplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fake + fakeddisorder if fakeddisorder works
+	[ "$need_fakeddisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS && ok=1
+					# duplicate SYN with MD5
+					contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS --payload empty "--out-range=<s1" --lua-desync=send:tcp_md5 && ok=1
+				done
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+		done
+	done
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + fakedsplit if fakedsplit works
+	[ "$need_fakedsplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fake + fakeddisorder if fakeddisorder works
+	[ "$need_fakeddisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+		done
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/60-fake-hostfake.sh

@@ -0,0 +1,113 @@
+. "$TESTDIR/def.inc"
+
+pktws_hostfake_vary_()
+{
+	local testf=$1 domain="$2" fooling="$3" pre="$4" post="$5" disorder
+	shift; shift; shift
+
+	for disorder in '' 'disorder_after:'; do
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+	done
+}
+pktws_hostfake_vary()
+{
+	local fooling="$3"
+	pktws_hostfake_vary_ "$1" "$2" "$3" "$4" "$5"
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_hostfake_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5"
+}
+
+pktws_check_hostfake()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$3"
+	local ok ttls attls f fake fooling
+
+	[ "$need_hostfakesplit" = 0 ] && return 0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok=0
+	for ttl in $ttls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && {
+				ok=1
+				[ "$SCANLEVEL" = force ] || break
+			}
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_hostfake_vary $testf $domain "$fooling" "$pre" && ok=1
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && {
+				ok=1
+				[ "$SCANLEVEL" = force ] || break
+			}
+		done
+	done
+	[ "$ok" = 1 ]
+}
+
+
+pktws_check_http()
+{
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local PAYLOAD="--payload=http_req"
+	local FAKE="$FAKE_HTTP"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=bfake
+	else
+		fake=fake_default_http
+	fi
+
+	pktws_check_hostfake "$1" "$2"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local PAYLOAD="--payload=tls_client_hello"
+	local FAKE="$FAKE_HTTPS"
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=bfake
+	else
+		fake=fake_default_tls
+	fi
+
+	pktws_check_hostfake "$1" "$2" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/90-quic.sh

@@ -0,0 +1,28 @@
+pktws_check_http3()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_QUIC" = 1 ] && { echo "SKIPPED"; return; }
+
+	local repeats fake pos
+	local PAYLOAD="--payload quic_initial"
+
+	if [ -n "$FAKE_QUIC" ]; then
+		fake=fake_quic
+	else
+		fake=fake_default_quic
+	fi
+
+	for repeats in 1 2 5 10 20; do
+		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$repeats && [ "$SCANLEVEL" != force ] && break
+	done
+
+	for pos in 8 16 32 64; do
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
+	done
+
+	for pos in 8 16 32 64; do
+		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$FAKE_REPEATS --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
+	done
+}

blockcheck2.d/standard/def.inc

@@ -0,0 +1,7 @@
+FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 tcp_ack=-66000:tcp_ts_up tcp_ts=-1000 tcp_flags_unset=ACK tcp_flags_set=SYN"}
+FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
+FOOLINGS_TCP="$FOOLINGS46_TCP"
+[ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
+FOOLINGS_UDP="badsum"
+
+FAKE_REPEATS=${FAKE_REPEATS:-1}

common/base.sh

@@ -105,6 +105,10 @@ split_by_separator()
 	[ -n "$3" ] && eval $3="\$before"
 	[ -n "$4" ] && eval $4="\$after"
 }
+tolower()
+{
+	echo "$@" | tr 'A-Z' 'a-z'
+}
 
 dir_is_not_empty()
 {

common/dialog.sh

@@ -0,0 +1,58 @@
+read_yes_no()
+{
+	# $1 - default (Y/N)
+	local A
+	read A
+	[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
+	[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
+}
+ask_yes_no()
+{
+	# $1 - default (Y/N or 0/1)
+	# $2 - text
+	local DEFAULT=$1
+	[ "$1" = "1" ] && DEFAULT=Y
+	[ "$1" = "0" ] && DEFAULT=N
+	[ -z "$DEFAULT" ] && DEFAULT=N
+	printf "$2 (default : $DEFAULT) (Y/N) ? "
+	read_yes_no $DEFAULT
+}
+ask_yes_no_var()
+{
+	# $1 - variable name for answer : 0/1
+	# $2 - text
+	local DEFAULT
+	eval DEFAULT="\$$1"
+	if ask_yes_no "$DEFAULT" "$2"; then
+		eval $1=1
+	else
+		eval $1=0
+	fi
+}
+ask_list()
+{
+	# $1 - mode var
+	# $2 - space separated value list
+	# $3 - (optional) default value
+	local M_DEFAULT
+	eval M_DEFAULT="\$$1"
+	local M_ALL=$M_DEFAULT
+	local M=""
+	local m
+
+	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
+
+	n=1
+	for m in $2; do
+		echo $n : $m
+		n=$(($n+1))
+	done
+	printf "your choice (default : $M_DEFAULT) : "
+	read m
+	[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
+	[ -z "$M" ] && M="$M_DEFAULT"
+	echo selected : $M
+	eval $1="\"$M\""
+
+	[ "$M" != "$M_OLD" ]
+}

common/elevate.sh

@@ -0,0 +1,28 @@
+require_root()
+{
+	local exe preserve_env
+	echo \* checking privileges
+	[ $(id -u) -ne "0" ] && {
+		echo root is required
+		exe="$EXEDIR/$(basename "$0")"
+		exists sudo && {
+			echo elevating with sudo
+			exec sudo -E sh "$exe"
+		}
+		exists su && {
+			echo elevating with su
+			case "$UNAME" in
+				Linux)
+					preserve_env="--preserve-environment"
+					;;
+				FreeBSD|OpenBSD|Darwin)
+					preserve_env="-m"
+					;;
+			esac
+			exec su $preserve_env root -c "sh \"$exe\""
+		}
+		echo su or sudo not found
+		exitp 2
+	}
+	HAVE_ROOT=1
+}

common/fwtype.sh

@@ -0,0 +1,64 @@
+linux_ipt_avail()
+{
+	exists iptables && exists ip6tables
+}
+linux_maybe_iptables_fwtype()
+{
+	linux_ipt_avail && FWTYPE=iptables
+}
+linux_nft_avail()
+{
+	exists nft
+}
+linux_fwtype()
+{
+	[ -n "$FWTYPE" ] && return
+
+	FWTYPE=unsupported
+
+	linux_get_subsys
+	if [ "$SUBSYS" = openwrt ] ; then
+		# linux kernel is new enough if fw4 is there
+		if [ -x /sbin/fw4 ] && linux_nft_avail ; then
+			FWTYPE=nftables
+		else
+			linux_maybe_iptables_fwtype
+		fi
+	else
+		SUBSYS=
+		# generic linux
+		# flowtable is implemented since kernel 4.16
+		if linux_nft_avail && linux_min_version 4 16; then
+			FWTYPE=nftables
+		else
+			linux_maybe_iptables_fwtype
+		fi
+	fi
+
+	export FWTYPE
+}
+
+get_fwtype()
+{
+	[ -n "$FWTYPE" ] && return
+
+	local UNAME="$(uname)"
+
+	case "$UNAME" in
+		Linux)
+			linux_fwtype
+			;;
+		FreeBSD)
+			if exists ipfw ; then
+				FWTYPE=ipfw
+			else
+				FWTYPE=unsupported
+			fi
+			;;
+		*)
+			FWTYPE=unsupported
+			;;
+	esac
+
+	export FWTYPE
+}

common/virt.sh

@@ -0,0 +1,39 @@
+get_virt()
+{
+	local vm s v UNAME
+	UNAME=$(uname)
+	case "$UNAME" in
+		Linux)
+			if exists systemd-detect-virt; then
+				vm=$(systemd-detect-virt --vm)
+			elif [ -f /sys/class/dmi/id/product_name ]; then
+				read s </sys/class/dmi/id/product_name
+				for v in KVM QEMU VMware VMW VirtualBox Xen Bochs Parallels BHYVE Hyper-V; do
+					case "$s" in
+						"$v"*)
+						vm=$v
+						break
+					;;
+					esac
+				done
+			fi
+			;;
+	esac
+	echo "$vm" | awk '{print tolower($0)}'
+}
+check_virt()
+{
+	echo \* checking virtualization
+	local vm="$(get_virt)"
+	if [ -n "$vm" ]; then
+		if [ "$vm" = "none" ]; then
+			echo running on bare metal
+		else
+			echo "!!! WARNING. $vm virtualization detected !!!"
+			echo '!!! WARNING. vmware and virtualbox are known to break most of the DPI bypass techniques when network is NATed using internal hypervisor NAT !!!'
+			echo '!!! WARNING. if this is your case make sure you are bridged not NATed !!!'
+		fi
+	else
+		echo cannot detect
+	fi
+}

config.default

@@ -0,0 +1,123 @@
+# this file is included from init scripts
+# change values here
+
+# can help in case /tmp has not enough space
+#TMPDIR=/opt/zapret/tmp
+
+# redefine user for zapret daemons. required on Keenetic
+#WS_USER=nobody
+
+# override firewall type : iptables,nftables,ipfw
+#FWTYPE=iptables
+# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
+# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
+#POSTNAT=0
+
+# options for ipsets
+# maximum number of elements in sets. also used for nft sets
+SET_MAXELEM=522288
+# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
+# too large hashsize will waste lots of RAM
+IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
+# dynamically generate additional ip. $1 = ipset/nfset/table name
+#IPSET_HOOK="/etc/zapret.ipset.hook"
+
+# options for ip2net. "-4" or "-6" auto added by ipset create script
+IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
+IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
+# options for auto hostlist
+AUTOHOSTLIST_RETRANS_THRESHOLD=3
+AUTOHOSTLIST_FAIL_THRESHOLD=3
+AUTOHOSTLIST_FAIL_TIME=60
+# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
+AUTOHOSTLIST_DEBUGLOG=0
+
+# number of parallel threads for domain list resolves
+MDIG_THREADS=30
+
+# ipset/*.sh can compress large lists
+GZIP_LISTS=1
+# command to reload ip/host lists after update
+# comment or leave empty for auto backend selection : ipset or ipfw if present
+# on BSD systems with PF no auto reloading happens. you must provide your own command
+# set to "-" to disable reload
+#LISTS_RELOAD="pfctl -f /etc/pf.conf"
+
+# mark bit used by nfqws to prevent loop
+DESYNC_MARK=0x40000000
+DESYNC_MARK_POSTNAT=0x20000000
+
+# do not pass outgoing traffic to tpws/nfqws not marked with this bit
+# this setting allows to write your own rules to limit traffic that should be fooled
+# for example based on source IP or incoming interface name
+# no filter if not defined
+#FILTER_MARK=0x10000000
+
+
+NFQWS2_ENABLE=0
+# redirect outgoing traffic with connbytes limiter applied in both directions.
+NFQWS2_PORTS_TCP=80,443
+NFQWS2_PORTS_UDP=443
+# PKT_OUT means connbytes dir original
+# PKT_IN means connbytes dir reply
+# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
+NFQWS2_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
+NFQWS2_TCP_PKT_IN=3
+NFQWS2_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
+NFQWS2_UDP_PKT_IN=0
+# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
+# normally it's needed only for stateless DPI that matches every packet in a single TCP session
+# typical example are plain HTTP keep alives
+# this mode can be very CPU consuming. enable with care !
+#NFQWS2_PORTS_TCP_KEEPALIVE=80
+#NFQWS2_PORTS_UDP_KEEPALIVE=
+# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
+# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
+# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
+NFQWS2_OPT="
+--filter-tcp=80 --payload=http_req --lua-desync=fake:blob=fake_default_http:tcp_md5 --lua-desync=multisplit:pos=method+2 <HOSTLIST> --new
+--filter-tcp=443 --payload=tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_md5:tcp_seq=-10000 --lua-desync=multidisorder:pos=1,midsld <HOSTLIST> --new
+--filter-udp=443 --payload=quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=6 <HOSTLIST_NOAUTO> --new
+"
+
+# none,ipset,hostlist,autohostlist
+MODE_FILTER=none
+
+# donttouch,none,software,hardware
+FLOWOFFLOAD=donttouch
+
+# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
+#OPENWRT_WAN4="wan vpn"
+#OPENWRT_WAN6="wan6 vpn6"
+
+# for routers based on desktop linux and macos. has no effect in openwrt.
+# optionally CHOOSE WAN/WAN6 NETWORK INTERFACES
+# or leave them commented if its not router
+# it's possible to specify multiple interfaces like this : IFACE_WAN="eth0 eth1 eth2"
+# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
+#IFACE_WAN=eth1
+#IFACE_WAN6="ipsec0 wireguard0 he_net"
+
+# should start/stop command of init scripts apply firewall rules ?
+# not applicable to openwrt with firewall3+iptables
+INIT_APPLY_FW=1
+# firewall apply hooks
+#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
+
+# do not work with ipv4
+#DISABLE_IPV4=1
+# do not work with ipv6
+DISABLE_IPV6=1
+
+# drop icmp time exceeded messages for nfqws tampered connections
+# in POSTNAT mode this can interfere with default mtr/traceroute in tcp or udp mode. use source port not redirected to nfqws
+# set to 0 if you are not expecting connection breakage due to icmp in response to TCP SYN or UDP
+FILTER_TTL_EXPIRED_ICMP=1
+
+# select which init script will be used to get ip or host list
+# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
+# comment if not required
+#GETLIST=

docs/changes.txt

@@ -24,3 +24,13 @@ v0.1.5
 * nfqws2: # and % arg substitution
 * zapret-antidpi: luaexec
 * zapret-pcap: simple packet capture to .cap file
+
+v0.2
+
+* blockcheck2
+* nfqws2: several crash fixes
+* nfqws2: bu8,bu16,bu24,bu32,swap16,swap32 functions now work with negative int
+* nfqws2: getpid,gettid,uname,get_clock luacalls
+* zapret-lib: bugfixes
+* zapret-lib: remove ip6_hopbyhop_x2 fooling, separately add second hopbyhop header using ip6_hopbyhop2
+* zapret-pcap