blockcheck

blockcheck2.d/custom/10-list.sh

@@ -0,0 +1,58 @@
+LIST_HTTP="${LIST_HTTP:-$TESTDIR/list_http.txt}"
+LIST_HTTPS_TLS12="${LIST_HTTPS_TLS12:-$TESTDIR/list_https_tls12.txt}"
+LIST_HTTPS_TLS13="${LIST_HTTPS_TLS13:-$TESTDIR/list_https_tls13.txt}"
+LIST_QUIC="${LIST_QUIC:-$TESTDIR/list_quic.txt}"
+
+check_list()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - file
+
+	local line ok=0
+	[ -f "$3" ] || {
+		echo "no strategy file '$3'"
+		return 1
+	}
+	while IFS= read -r line; do
+		case "$line" in
+			""|\#*) continue ;;
+		esac
+		line=$(echo "$line" | tr -d "\r\n")
+		eval pktws_curl_test_update "$1" "$2" $line && ok=1
+	done < "$3"
+
+	[ "$ok" = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTP"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTPS_TLS12"
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTPS_TLS13"
+}
+
+pktws_check_http3()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_QUIC"
+}

blockcheck2.d/custom/README.txt

@@ -0,0 +1,10 @@
+Простой тестер стратегий по списку из файла.
+Скопируйте эту директорию под другим именем в blockcheck2.d, отредактируйте list файлы, впишите туда свои стратегии.
+В диалоге blockcheck2.sh выберите тест с названием вашей директории.
+Можно комментировать строки символом '#' в начале строки.
+Альтернативный путь до файлов стратегий можно задать переменными LIST_HTTP, LIST_HTTPS_TLS12, LIST_HTTPS_TLS13, LIST_QUIC.
+
+This is simple strategy tester from a file.
+Copy this folder, write your strategies into list files and select your test in blockcheck2 dialog.
+Lines can be commented using the '#' symbol at the line start.
+Strategy list files paths can be overriden in env variables : LIST_HTTP, LIST_HTTPS_TLS12, LIST_HTTPS_TLS13, LIST_QUIC.

blockcheck2.d/custom/list_http.txt

@@ -0,0 +1,4 @@
+# write nfqws2 parameters here
+--payload=http_req --lua-desync=http_hostcase
+--payload=http_req --lua-desync=http_methodeol
+--payload=http_req --lua-desync=fake:blob=fake_default_http:tcp_ts=-1000

blockcheck2.d/custom/list_https_tls12.txt

@@ -0,0 +1,3 @@
+# write nfqws2 parameters here
+--payload tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_ts=-1000
+--payload=tls_client_hello --lua-desync=fake:blob=0x00000000:tcp_md5:repeats=1 --lua-desync=fake:blob=fake_default_tls:tcp_md5:tls_mod=rnd,dupsid:repeats=1 --lua-desync=multisplit:pos=2

blockcheck2.d/custom/list_https_tls13.txt

@@ -0,0 +1,4 @@
+# write nfqws2 parameters here
+--payload tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_ts=-1000
+--payload tls_client_hello --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop
+--payload tls_client_hello --lua-desync=luaexec:code="desync.pat=tls_mod(fake_default_tls,'rnd,rndsni,dupsid,padencap',desync.reasm_data)" --lua-desync=tcpseg:pos=0,-1:seqovl=#pat:seqovl_pattern=pat --lua-desync=drop

blockcheck2.d/custom/list_quic.txt

@@ -0,0 +1,3 @@
+# write nfqws2 parameters here
+--payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=11
+--payload quic_initial --lua-desync=send:ipfrag --lua-desync=drop

blockcheck2.d/standard/10-http-basic.sh

@@ -0,0 +1,12 @@
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	local s
+
+	[ "$NOTEST_BASIC_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	for s in 'http_hostcase' 'http_hostcase:spell=hoSt' 'http_domcase' 'http_methodeol'; do
+		pktws_curl_test_update $1 $2 --payload http_req --lua-desync=$s
+	done
+}

blockcheck2.d/standard/15-misc.sh

@@ -0,0 +1,38 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload http_req" repeats ok
+
+	for repeats in 1 20 100 260; do
+		# send starting bytes of original payload
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,method+2:ip_id=rnd:repeats=$repeats && ok=1
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,midsld:ip_id=rnd:repeats=$repeats && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload tls_client_hello" repeats ok
+
+	for repeats in 1 20 100 260; do
+		# send starting bytes of original payload
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,1:ip_id=rnd:repeats=$repeats && ok=1
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,midsld:ip_id=rnd:repeats=$repeats && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls12 "$1" "$2"
+}

blockcheck2.d/standard/20-multi.sh

@@ -0,0 +1,66 @@
+pktws_simple_split_tests()
+{
+	# $1 - test function
+	# $2 - domain/uri
+	# $3 - splits
+	# $4 - PRE args for nfqws2
+	local pos ok ok_any pre="$4"
+	local splitf splitfs="multisplit multidisorder"
+
+	ok_any=0
+	for splitf in multisplit multidisorder; do
+		eval need_$splitf=0
+		ok=0
+		for pos in $3; do
+			pktws_curl_test_update $1 $2 $pre $PAYLOAD --lua-desync=$splitf:pos=$pos && ok=1
+		done
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] || eval need_$splitf=1
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	local splits_http='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload http_req"
+
+	[ "$NOTEST_MULTI_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_simple_split_tests "$1" "$2" "$splits_http"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload tls_client_hello"
+
+	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_simple_split_tests "$1" "$2" "$splits_tls" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_multisplit_save=$need_multisplit need_multidisorder_save=$need_multidisorder
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_multisplit=$need_multisplit_save; need_multidisorder=$need_multidisorder_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/23-seqovl.sh

@@ -0,0 +1,94 @@
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SEQOVL_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local PAYLOAD="--payload http_req"
+
+	local ok pat= split f f2
+
+	pat=${SEQOVL_PATTERN_HTTP:+seqovl_pat}
+	pat=${pat:-fake_default_http}
+
+	pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop
+	pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop
+
+	ok=0
+	for split in method+2 method+2,midsld; do
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=1 && ok=1
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+	for split in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
+		f="$(extract_arg 1 $split)"
+		f2="$(extract_arg 2 $split)"
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat
+	done
+}
+
+pktws_seqovl_tests_tls()
+{
+	# $1 - test function
+	# $2 - domain/uri
+	# $3 - PRE args for nfqws2
+	local ok ok_any
+	local testf=$1 domain="$2" pre="$3"
+	local pat rnd_mod padencap_mod split f f2
+	local PAYLOAD="--payload tls_client_hello"
+
+	pat=${SEQOVL_PATTERN_HTTPS:+seqovl_pat}
+	pat=${pat:-fake_default_tls}
+	rnd_mod="--lua-init=$pat=tls_mod($pat,'rnd')"
+	padencap_mod="--lua-desync=luaexec:code=desync.pat=tls_mod($pat,'rnd,dupsid,padencap',desync.reasm_data)"
+
+	ok=0
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop && ok=1
+	pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop && ok=1
+	pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$pre $PAYLOAD $padencap_mod --lua-desync=tcpseg:pos=0,-1:seqovl=#pat:seqovl_pattern=pat --lua-desync=drop && ok=1
+	ok_any=$ok
+
+	ok=0
+	for split in 10 10,sniext+1 10,sniext+4 10,midsld; do
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=1 && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$pre $PAYLOAD $padencap_mod --lua-desync=multisplit:pos=$split:seqovl=#pat:seqovl_pattern=pat && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+	for split in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
+		f="$(extract_arg 1 $split)"
+		f2="$(extract_arg 2 $split)"
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
+	done
+	[ "$ok" = 1 ] && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_SEQOVL_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_seqovl_tests_tls "$1" "$2" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_seqovl_tests_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_seqovl_tests_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_seqovl_tests_tls "$1" "$2"
+}

blockcheck2.d/standard/25-fake.sh

@@ -0,0 +1,149 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local testf=$1 domain="$2"
+	local ok ok_any ttls attls f ff fake fooling
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	need_fake=0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok_any=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for ff in $fake 0x00000000; do
+			for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+				pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" $f && {
+					ok=1
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		for ff in $fake 0x00000000; do
+			pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=fake_http:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS && ok=1
+			# duplicate SYN with MD5
+			contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --payload empty "--out-range=<s1" --lua-desync=send:tcp_md5 && ok=1
+		done
+	done
+	for ttl in $attls; do
+		for ff in $fake 0x00000000; do
+			for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+				pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+					ok=1
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+		done
+	done
+
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_fake=1
+	[ $ok = 1 ] && okany=1
+	[ $okany = 1 ]
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	need_fake=0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok_any=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+	done
+
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_fake=1
+	[ $ok = 1 ] && okany=1
+	[ $okany = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_fake_save=$need_fake
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_fake=$need_fake_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/30-faked.sh

@@ -0,0 +1,103 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_faked()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - payload_type
+	# $4 - splits
+	# $5 - pattern
+	# $6 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$6"
+	local ok ok_any ttls attls f fooling
+	local splitf splitfs= split splits="$4"
+	local PAYLOAD="--payload=$3"
+	local FAKED_PATTERN="$5"
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fakedsplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fakeddisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+			# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS $f && {
+						ok=1
+						[ "$SCANLEVEL" = force ] || break
+					}
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:$fooling && ok=1
+				# duplicate SYN with MD5
+				contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS --payload empty --out-range="<s1" --lua-desync=send:tcp_md5 && ok=1
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+						ok=1
+						[ "$SCANLEVEL" = force ] || break
+					}
+				done
+			done
+		done
+		[ $ok = 0 -a "$SCANLEVEL" != force ] && eval need_$splitf=1
+		[ $ok = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	[ "$NOTEST_FAKED_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local splits='method+2 midsld method+2,midsld'
+	pktws_check_faked $1 "$2" http_req "$splits" "$FAKED_PATTERN_HTTP" "$3"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	[ "$NOTEST_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	local splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	pktws_check_faked $1 "$2" tls_client_hello "$splits" "$FAKED_PATTERN_HTTPS" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_fakedsplit_save=$need_fakedsplit need_fakeddisorder_save=$need_fakeddisorder
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_fakedsplit=$need_fakedsplit_save need_fakeddisorder=$need_fakeddisorder_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/35-hostfake.sh

@@ -0,0 +1,101 @@
+. "$TESTDIR/def.inc"
+
+
+pktws_hostfake_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5" disorder
+	shift; shift; shift
+
+	for disorder in '' 'disorder_after:'; do
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	done
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_hostfake_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_hostfake_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_hostfake_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+
+pktws_check_hostfake()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - payload_type
+	# $4 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$4"
+	local ok ttls attls f fooling
+	local PAYLOAD="--payload=$3"
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	need_hostfakesplit=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_hostfake_vary $testf $domain "$fooling" "$pre"
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+	done
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && eval need_hostfake=1
+	[ $ok = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_HOSTFAKE_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_hostfake $1 "$2" http_req
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_hostfake $1 "$2" tls_client_hello "$3"
+}
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_hostfakesplit_save=$need_hostfakesplit
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_hostfakesplit=$need_hostfakesplit_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/50-fake-multi.sh

@@ -0,0 +1,160 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_MULTI_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2"
+	local ok ttls attls f ff fake fooling splitf splitfs= split splits='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
+	# do not test fake + multidisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" --lua-desync=$splitf:pos=$split $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split && ok=1
+					# duplicate SYN with MD5
+					contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=fake_http:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split --payload empty "--out-range=<s1" --lua-desync=send:tcp_md5 && ok=1
+				done
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+		done
+	done
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
+	# do not test fake + multidisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+		done
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/55-fake-faked.sh

@@ -0,0 +1,161 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_FAKED_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2"
+	local ok ttls attls f ff fake fooling splitf splitfs= split splits='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_fakedsplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fake + fakeddisorder if fakeddisorder works
+	[ "$need_fakeddisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS && ok=1
+					# duplicate SYN with MD5
+					contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS --payload empty "--out-range=<s1" --lua-desync=send:tcp_md5 && ok=1
+				done
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+		done
+	done
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + fakedsplit if fakedsplit works
+	[ "$need_fakedsplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fake + fakeddisorder if fakeddisorder works
+	[ "$need_fakeddisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+		done
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/60-fake-hostfake.sh

@@ -0,0 +1,113 @@
+. "$TESTDIR/def.inc"
+
+pktws_hostfake_vary_()
+{
+	local testf=$1 domain="$2" fooling="$3" pre="$4" post="$5" disorder
+	shift; shift; shift
+
+	for disorder in '' 'disorder_after:'; do
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+	done
+}
+pktws_hostfake_vary()
+{
+	local fooling="$3"
+	pktws_hostfake_vary_ "$1" "$2" "$3" "$4" "$5"
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_hostfake_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:tcp_md5"
+}
+
+pktws_check_hostfake()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$3"
+	local ok ttls attls f fake fooling
+
+	[ "$need_hostfakesplit" = 0 ] && return 0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok=0
+	for ttl in $ttls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && {
+				ok=1
+				[ "$SCANLEVEL" = force ] || break
+			}
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_hostfake_vary $testf $domain "$fooling" "$pre" && ok=1
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && {
+				ok=1
+				[ "$SCANLEVEL" = force ] || break
+			}
+		done
+	done
+	[ "$ok" = 1 ]
+}
+
+
+pktws_check_http()
+{
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local PAYLOAD="--payload=http_req"
+	local FAKE="$FAKE_HTTP"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=bfake
+	else
+		fake=fake_default_http
+	fi
+
+	pktws_check_hostfake "$1" "$2"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local PAYLOAD="--payload=tls_client_hello"
+	local FAKE="$FAKE_HTTPS"
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=bfake
+	else
+		fake=fake_default_tls
+	fi
+
+	pktws_check_hostfake "$1" "$2" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/90-quic.sh

@@ -0,0 +1,28 @@
+pktws_check_http3()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_QUIC" = 1 ] && { echo "SKIPPED"; return; }
+
+	local repeats fake pos
+	local PAYLOAD="--payload quic_initial"
+
+	if [ -n "$FAKE_QUIC" ]; then
+		fake=fake_quic
+	else
+		fake=fake_default_quic
+	fi
+
+	for repeats in 1 2 5 10 20; do
+		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$repeats && [ "$SCANLEVEL" != force ] && break
+	done
+
+	for pos in 8 16 32 64; do
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
+	done
+
+	for pos in 8 16 32 64; do
+		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$FAKE_REPEATS --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
+	done
+}

blockcheck2.d/standard/def.inc

@@ -0,0 +1,7 @@
+FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 tcp_ack=-66000:tcp_ts_up tcp_ts=-1000 tcp_flags_unset=ACK tcp_flags_set=SYN"}
+FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
+FOOLINGS_TCP="$FOOLINGS46_TCP"
+[ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
+FOOLINGS_UDP="badsum"
+
+FAKE_REPEATS=${FAKE_REPEATS:-1}