update docs

.github/workflows/build.yml

@@ -104,7 +104,7 @@ jobs:
           fi
           MINSIZE="$OPTIMIZE $MINSIZE"
 
-          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == riscv64 ]] || [[ "$ARCH" == x86 ]] ; then
+          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == riscv64 ]] || [[ "$ARCH" == x86 ]] ; then
             # use classic lua
             wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
             (

docs/changes.txt

@@ -249,6 +249,7 @@ v0.9.4
 * nfqws2: fixed wrong scale factor application to winsize
 * nfqws2: very old kernels compat
 
-v0.9.5
+v0.9.4.2
 
 * builder_linux: simple scripts to build static linux bins for any supported architecture
+* zapret-auto:  incompatible change.  cond_code  "code" parameter => "cond_code". to avoid collision with luaexec

docs/compile/build_howto_unix.txt

@@ -1,11 +1,21 @@
-debian,ubuntu :
+* debian,ubuntu :
 
 apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libmnl-dev libsystemd-dev libluajit2-5.1-dev
 make -C /opt/zapret2 systemd
 
-linux static :
+* linux static :
+
+need any x86_64 classic linux distribution
+tested on debian/ubuntu/fedora 2020+
+if your distro is very exotic, old or not glibc based you can debootstrap a modern debian/ubuntu system and chroot to it
+NOTE: it's not possible to build luajit in chroot under standard openwrt kernel. build process requires 32-bit x86 support, kernel is compiled without it.
+NOTE: toolchains are pre-compiled for x86_64 glibc. they can't run on arm or anything that is not x86_64.
+
+optionally review "common.inc" for Lua and LuaJIT versions
+
+debian/ubuntu: apt install curl xz-utils bzip2 unzip make gcc gcc-multilib libc6-dev libcap-dev pkg-config
+fedora: dnf install curl xz bzip2 unzip make gcc glibc-devel glibc-devel.i686 libcap-devel pkg-config
 
-need any x86_64 classic linux distribution with curl, unzip, make, gcc, gcc-multilib
 copy directory "builder-linux" somethere with enough free disk space (up to 2G for all toolchains)
 run "get_toolchains.sh"
 select architectures you need or "ALL"
@@ -15,9 +25,7 @@ get static musl bins from "binaries" folder
 "zapret2" is downloaded from github master branch. if you need specific version - download manually to "zapret2" dir
 i586 and riscv64 targets are built with classic PUC Lua
 
-optionally review "common.inc" for Lua and LuaJIT versions
-
-FreeBSD :
+* FreeBSD :
 
 pkg install pkgconf
 pkg search luajit-2
@@ -25,7 +33,7 @@ pkg search luajit-2
 pkg install luajit-2.1.0.20250728
 make -C /opt/zapret2
 
-OpenBSD :
+* OpenBSD :
 
 pkg_add luajit gmake
 gmake -C /opt/zapret2 bsd

docs/compile/builder-linux/build_deps.sh

@@ -7,22 +7,22 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"
 
 dl_deps()
 {
-	if [ -d "$DEPS" ]; then
-		dir_is_not_empty "$DEPS" && {
-			echo "deps dir is not empty. if you want to redownload - delete it."
-			return
-		}
-	else
-		mkdir "$DEPS"
-	fi
-	pushd "$DEPS"
-	curl -Lo - https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
-	curl -Lo - https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj
-	curl -Lo - https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj
-	curl -Lo - https://zlib.net/zlib-1.3.1.tar.gz | tar -xz
-	curl -Lo - https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
-	curl -Lo - https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
-	popd
+	[ -d "$DEPS" ] || mkdir -p "$DEPS"
+	(
+	cd "$DEPS"
+	exists_dir libnfnetlink-* ||
+		curl -Lo - https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj || exit 5
+	exists_dir libmnl-* ||
+		curl -Lo - https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj || exit 5
+	exists_dir libnetfilter_queue-* ||
+		curl -Lo - https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj || exit 5
+	exists_dir zlib-* ||
+		curl -Lo - https://zlib.net/fossils/zlib-1.3.1.tar.gz | tar -xz || exit 5
+	exists_dir luajit2-* ||
+		curl -Lo - https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz || exit 5
+	exists_dir lua-* ||
+		curl -Lo - https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz || exit 5
+	)
 }
 
 build_netlink()
@@ -31,7 +31,7 @@ build_netlink()
 		(
 		cd $i-*
 		[ -f "Makefile" ] && make clean
-		CFLAGS="$MINSIZE $CFLAGS" \
+		CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" \
 		LDFLAGS="$LDMINSIZE $LDFLAGS" \
 		./configure --prefix= --host=$TARGET CC=$CC LD=$LD --enable-static --disable-shared --disable-dependency-tracking
 		make install -j$nproc DESTDIR=$STAGING_DIR
@@ -44,7 +44,7 @@ build_zlib()
 (
 cd zlib-*
 [ -f "Makefile" ] && make clean
-CFLAGS="$MINSIZE $CFLAGS" \
+CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" \
 LDFLAGS="$LDMINSIZE $LDFLAGS" \
 ./configure --prefix= --static
 make install -j$nproc DESTDIR=$STAGING_DIR
@@ -55,7 +55,7 @@ build_lua()
 (
 	cd lua-${LUA_RELEASE}
 	make clean
-	make CC="$CC" AR="$AR rc" CFLAGS="$MINSIZE $CFLAGS" LDFLAGS="$LDMINSIZE $LDFLAGS" linux -j$nproc
+	make CC="$CC" AR="$AR rc" CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" LDFLAGS="$LDMINSIZE $LDFLAGS" linux -j$nproc
 	make install INSTALL_TOP="$STAGING_DIR" INSTALL_BIN="$STAGING_DIR/bin" INSTALL_INC="$STAGING_DIR/include/lua${LUA_VER}" INSTALL_LIB="$STAGING_DIR/lib"
 )
 }
@@ -64,7 +64,7 @@ build_luajit()
 (
 	cd luajit2-*
 	make clean
-	make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOST_CC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
+	make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOST_CC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
 	make install PREFIX= DESTDIR="$STAGING_DIR"
 )
 }
@@ -83,6 +83,8 @@ build_luajit_for_target()
 	}
 }
 
+check_prog curl tar gzip bzip2 sed make cc pkg-config
+check_h_files
 dl_deps
 check_toolchains
 ask_target
@@ -90,7 +92,7 @@ ask_target
 for t in $TGT; do
 	buildenv $t
 	pushd "$DEPS"
-	bsd_files
+	install_h_files
 	build_netlink
 	build_zlib
 	build_lua

docs/compile/builder-linux/build_zapret1.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+EXEDIR="$(dirname "$0")"
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+
+. "$EXEDIR/common.inc"
+
+ZDIR="zapret"
+ZBASE="$EXEDIR"
+BRANCH=master
+ZURL=https://github.com/bol-van/zapret/archive/refs/heads/${BRANCH}.zip
+ZBIN="$EXEDIR/binaries"
+
+dl_zapret1()
+{
+	if [ -d "$ZBASE/$ZDIR" ]; then
+		dir_is_not_empty "$ZBASE/$ZDIR" && {
+			echo "zapret dir is not empty. if you want to redownload - delete it."
+			return
+		}
+		rmdir "$ZBASE/$ZDIR"
+	fi
+	(
+	cd "$ZBASE"
+	curl -Lo /tmp/zapret.zip "$ZURL"
+	unzip /tmp/zapret.zip
+	rm /tmp/zapret.zip
+	mv zapret-${BRANCH} $ZDIR
+	)
+}
+
+check_prog curl unzip make
+dl_zapret1
+check_toolchains
+ask_target
+
+[ -d "$ZBIN" ] || mkdir -p "$ZBIN"
+
+for t in $TGT; do
+	buildenv $t
+
+	translate_target $t || {
+		echo COULD NOT TRANSLATE TARGET $t TO BIN DIR
+		continue
+	}
+
+	pushd $ZBASE/$ZDIR
+
+	make clean
+	OPTIMIZE=$OPTIMIZE \
+	CFLAGS="-static-libgcc -static -I$STAGING_DIR/include $MINSIZE $CFLAGS" \
+	LDFLAGS="-L$STAGING_DIR/lib $LDMINSIZE $LDFLAGS" \
+	make
+
+	[ -d "$ZBIN/$ZBINTARGET" ] || mkdir "$ZBIN/$ZBINTARGET"
+	cp -f binaries/my/* "$ZBIN/$ZBINTARGET"
+
+	popd
+
+	buildenv_clear
+done
+

docs/compile/builder-linux/build_zapret2.sh

@@ -20,53 +20,16 @@ dl_zapret2()
 		}
 		rmdir "$ZBASE/$ZDIR"
 	fi
-	pushd "$ZBASE"
+	(
+	cd "$ZBASE"
 	curl -Lo /tmp/zapret2.zip "$ZURL"
 	unzip /tmp/zapret2.zip
 	rm /tmp/zapret2.zip
 	mv zapret2-${BRANCH} $ZDIR
-	popd
-}
-
-translate_target()
-{
-	case $1 in
-		aarch64-unknown-linux-musl)
-			ZBINTARGET=linux-arm64
-			;;
-		arm-unknown-linux-musleabi)
-			ZBINTARGET=linux-arm
-			;;
-		x86_64-unknown-linux-musl)
-			ZBINTARGET=linux-x86_64
-			;;
-		i586-unknown-linux-musl)
-			ZBINTARGET=linux-x86
-			;;
-		mips-unknown-linux-muslsf)
-			ZBINTARGET=linux-mips
-			;;
-		mipsel-unknown-linux-muslsf)
-			ZBINTARGET=linux-mipsel
-			;;
-		mips64-unknown-linux-musl)
-			ZBINTARGET=linux-mips64
-			;;
-		mips64el-unknown-linux-musl)
-			ZBINTARGET=linux-mipsel64
-			;;
-		powerpc-unknown-linux-musl)
-			ZBINTARGET=linux-ppc
-			;;
-		riscv64-unknown-linux-musl)
-			ZBINTARGET=linux-riscv64
-			;;
-		*)
-			return 1
-	esac
-	return 0
+	)
 }
 
+check_prog curl unzip make
 dl_zapret2
 check_toolchains
 ask_target
@@ -89,12 +52,15 @@ for t in $TGT; do
 	target_has_luajit $t && {
 		LUA_JIT=1
 		LCFLAGS="-I${STAGING_DIR}/include/luajit-${LUAJIT_VER}"
-		LLIB="-L${STAGING_DIR}/lib -lluajit-${LUAJIT_LUAVER}"
+		LLIB="-L${STAGING_DIR}/lib -lluajit-${LUAJIT_LUA_VER}"
 	}
 
-	OPTIMIZE=-Oz \
+	make clean
+	LUA_JIT=$LUA_JIT LUA_VER=$LUA_VER LUAJIT_LUA_VER=$LUAJIT_LUA_VER \
+	OPTIMIZE=$OPTIMIZE \
+	MINSIZE=$MINSIZE \
 	CFLAGS="-static-libgcc -static -I$STAGING_DIR/include $CFLAGS" \
-	LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
+	LDFLAGS="-L$STAGING_DIR/lib $LDFLAGS" \
 	make LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB"
 
 	[ -d "$ZBIN/$ZBINTARGET" ] || mkdir "$ZBIN/$ZBINTARGET"

docs/compile/builder-linux/common.inc

@@ -4,16 +4,17 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"
 TOOLCHAINS="$EXEDIR/toolchain"
 DEPS="$EXEDIR/deps"
 STAGE="$EXEDIR/staging"
-MINSIZE="-Oz -flto=auto -ffunction-sections -fdata-sections"
-LDMINSIZE="-Wl,--gc-sections -flto=auto"
-CFLAGS=""
-LDFLAGS="-lgcc_eh"
-HOSTCC=cc
-LUA_VER="5.5"
-LUA_RELEASE="5.5.0"
-LUAJIT_VER="2.1"
-LUAJIT_RELEASE="2.1-20250826"
-LUAJIT_LUAVER="5.1"
+OPTIMIZE=${OPTIMIZE:--Oz}
+MINSIZE="${MINSIZE:--flto=auto -ffunction-sections -fdata-sections}"
+LDMINSIZE="${LDMINSIZE:--Wl,--gc-sections -flto=auto}"
+#CFLAGS=""
+LDFLAGS="-lgcc_eh $LDFLAGS"
+HOSTCC=${HOSTCC:-cc}
+LUA_VER=${LUA_VER:-5.5}
+LUA_RELEASE=${LUA_RELEASE:-5.5.0}
+LUAJIT_VER=${LUAJIT_VER:-2.1}
+LUAJIT_RELEASE=${LUAJIT_RELEASE:-2.1-20250826}
+LUAJIT_LUA_VER=${LUAJIT_LUA_VER:-5.1}
 nproc=$(nproc)
 
 TARGETS="\
@@ -46,9 +47,26 @@ target_has_luajit()
 	return 1
 }
 
-bsd_files()
+REQD_H_FILES="/usr/include/sys/capability.h /usr/include/bits/libc-header-start.h"
+REQD_QUEUE_1="/usr/include/sys/queue.h"
+REQD_QUEUE_2="/usr/include/x86_64-linux-gnu/sys/queue.h"
+check_h_files()
 {
-	install -Dm644 -t $STAGING_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h
+	[ ! -f "$REQD_QUEUE_1" -a ! -f  "$REQD_QUEUE_2" ] && {
+		echo "could not find $REQD_QUEUE_1 or $REQD_QUEUE_2"
+		help_pkg
+		exit 10
+	}
+	check_file $REQD_H_FILES
+}
+install_h_files()
+{
+	if [ -f "$REQD_QUEUE_1" ]; then
+		install -Dm644 -t $STAGING_DIR/include/sys $REQD_QUEUE_1
+	elif [ -f "$REQD_QUEUE_2" ]; then
+		install -Dm644 -t $STAGING_DIR/include/sys $REQD_QUEUE_2
+	fi
+	install -Dm644 -t $STAGING_DIR/include/sys $REQD_H_FILES
 }
 
 buildenv()
@@ -78,6 +96,33 @@ buildenv_clear()
 	OLDPATH=
 }
 
+which()
+{
+	# on some systems 'which' command is considered deprecated and not installed by default
+	# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
+	# $1 - executable name
+	local IFS=:
+	[ "$1" != "${1#/}" ] && [ -x "$1" ] && {
+		echo "$1"
+		return 0
+	}
+	for p in $PATH; do
+	    [ -x "$p/$1" ] && {
+		echo "$p/$1"
+		return 0
+	    }
+	done
+	return 1
+}
+exists()
+{
+	which "$1" >/dev/null 2>/dev/null
+}
+exists_dir()
+{
+	# use $1, ignore other args
+	[ -d "$1" ]
+}
 
 dir_is_not_empty()
 {
@@ -168,3 +213,71 @@ check_toolchains()
 		exit 1
 	}
 }
+
+help_pkg()
+{
+	echo "debian/ubuntu: apt install curl xz-utils bzip2 unzip make gcc gcc-multilib libc6-dev libcap-dev pkg-config"
+	echo "fedora: dnf install curl xz bzip2 unzip make gcc glibc-devel glibc-devel.i686 libcap-devel pkg-config"
+}
+
+check_prog()
+{
+	while [ -n "$1" ]; do
+		exists $1 || {
+			echo $1 is not available
+			help_pkg
+			exit 10
+		}
+		shift
+	done
+}
+check_file()
+{
+	while [ -n "$1" ]; do
+		[ -f "$1" ] || {
+			echo $1 is not available
+			help_pkg
+			exit 10
+		}
+		shift
+	done
+}
+
+translate_target()
+{
+	case $1 in
+		aarch64-unknown-linux-musl)
+			ZBINTARGET=linux-arm64
+			;;
+		arm-unknown-linux-musleabi)
+			ZBINTARGET=linux-arm
+			;;
+		x86_64-unknown-linux-musl)
+			ZBINTARGET=linux-x86_64
+			;;
+		i586-unknown-linux-musl)
+			ZBINTARGET=linux-x86
+			;;
+		mips-unknown-linux-muslsf)
+			ZBINTARGET=linux-mips
+			;;
+		mipsel-unknown-linux-muslsf)
+			ZBINTARGET=linux-mipsel
+			;;
+		mips64-unknown-linux-musl)
+			ZBINTARGET=linux-mips64
+			;;
+		mips64el-unknown-linux-musl)
+			ZBINTARGET=linux-mipsel64
+			;;
+		powerpc-unknown-linux-musl)
+			ZBINTARGET=linux-ppc
+			;;
+		riscv64-unknown-linux-musl)
+			ZBINTARGET=linux-riscv64
+			;;
+		*)
+			return 1
+	esac
+	return 0
+}

docs/compile/builder-linux/get_toolchains.sh

@@ -7,13 +7,16 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"
 
 BASEURL=https://github.com/bol-van/musl-cross/releases/download/latest
 
+check_prog curl tar xz
+
 [ -d "$TOOLCHAINS" ] || mkdir -p "$TOOLCHAINS"
 
 ask_target 1
 
-pushd "$TOOLCHAINS"
+(
+cd "$TOOLCHAINS"
 for t in $TGT; do
 	[ -d "$t" ] && rm -r "$t"
 	curl -Lo - "${BASEURL}/${t}.tar.xz" | tar -Jx
 done
-popd
+)

docs/manual.en.md

@@ -3554,11 +3554,16 @@ Aggregates verdicts v1 and v2. VERDICT_MODIFY overrides VERDICT_PASS, while VERD
 
 ```
 function plan_instance_execute(desync, verdict, instance)
+function plan_instance_execute_preapplied(desync, verdict, instance)
 ```
 
 Executes an [execution plan](#execution_plan) `instance`, taking into account the [instance cutoff](#instance_cutoff) and standard [payload](#in-profile-filters) and [range](#in-profile-filters) filters.
 Returns the aggregation of the current verdict and the `instance` verdict.
 
+The "preapplied" version does not apply execution plan, allowing the calling code to do so.
+Sometimes, to decide whether to call an instance, you need a desync table configured for the called instance.
+"preapplied" version allows to avoid double copying.
+
 ### plan_instance_pop
 
 ```
@@ -4473,7 +4478,7 @@ Returns `true` if the dissect is tcp and has tcp timestamp option.
 function cond_lua(desync)
 ```
 
-Executes a Lua code from the "code" argument. The code returns condition value. Direct addressing of the desync table is possible within the code.
+Executes a Lua code from the "cond_code" argument. The code returns condition value. Direct addressing of the desync table is possible within the code.
 
 
 # Auxiliary programs

docs/manual.md

@@ -3733,11 +3733,16 @@ function verdict_aggregate(v1, v2)
 
 ```
 function plan_instance_execute(desync, verdict, instance)
+function plan_instance_execute_preapplied(desync, verdict, instance)
 ```
 
 Выполняет элемент [execution plan](#execution_plan) `instance` с учетом [instance cutoff](#instance_cutoff) и стандартных фильтров [payload](#внутрипрофильные-фильтры) и [range](#внутрипрофильные-фильтры).
 Возвращает агрегацию verdict и вердикта `instance`.
 
+Вариант "preapplied" не выполняет apply_execution_plan, позволяя это сделат вызывающему коду.
+Иногда для принятия решения вызывать ли instance требуется таблица desync, настроенная на вызываемый инстанс.
+Чтобы не делать apply дважды (там копирование desync.arg) и существует этот вариант.
+
 ### plan_instance_pop
 
 ```
@@ -4652,7 +4657,7 @@ function cond_tcp_ts(desync)
 function cond_lua(desync)
 ```
 
-Выполняет Lua код из аргумента "code". Код возвращает значение условия через return. Возможна прямая адресация таблицы desync.
+Выполняет Lua код из аргумента "cond_code". Код возвращает значение условия через return. Возможна прямая адресация таблицы desync.
 
 # Вспомогательные программы
 

install_bin.sh

@@ -157,7 +157,7 @@ fi
 unset PKTWS
 case $UNAME in
 	Linux)
-		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel linux-mips linux-lexra linux-ppc linux-riscv64"
+		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel64 linux-mipsel linux-mips linux-lexra linux-ppc linux-riscv64"
 		PKTWS=nfqws2
 		;;
 	FreeBSD)

lua/zapret-auto.lua

@@ -411,19 +411,19 @@ function cond_tcp_has_ts(desync)
 end
 -- exec lua code in "code" arg and return it's result
 function cond_lua(desync)
-	if not desync.arg.code then
-		error("cond_lua: no 'code' parameter")
+	if not desync.arg.cond_code then
+		error("cond_lua: no 'cond_code' parameter")
 	end
-	local fname = desync.func_instance.."_cond_code"
+	local fname = desync.func_instance.."_cond_cond_code"
 	if not _G[fname] then
 		local err
-		_G[fname], err = load(desync.arg.code, fname)
+		_G[fname], err = load(desync.arg.cond_code, fname)
 		if not _G[fname] then
 			error(err)
 			return
 		end
 	end
-	-- allow dynamic code to access desync
+	-- allow dynamic cond_code to access desync
 	_G.desync = desync
 	local res, v = pcall(_G[fname])
 	_G.desync = nil
@@ -479,8 +479,10 @@ function per_instance_condition(ctx, desync)
 			if type(_G[instance.arg.cond])~="function" then
 				error("per_instance_condition: invalid 'iff' function '"..instance.arg.cond.."'")
 			end
+			-- preapply exec plan to feed cond function correct args
+			apply_execution_plan(desync, instance)
 			if logical_xor(_G[instance.arg.cond](desync), instance.arg.cond_neg) then
-				verdict = plan_instance_execute(desync, verdict, instance)
+				verdict = plan_instance_execute_preapplied(desync, verdict, instance)
 			else
 				DLOG("per_instance_condition: condition not satisfied. skipping '"..instance.func_instance.."'")
 			end

lua/zapret-lib.lua

@@ -153,7 +153,7 @@ function apply_arg_prefix(desync)
 		local c = string.sub(v,1,1)
 		if c=='#' then
 			local blb = blob(desync,string.sub(v,2))
-			desync.arg[a] = (type(blb)=='string' or type(blb)=='table') and #blb or 0
+			desync.arg[a] = tostring((type(blb)=='string' or type(blb)=='table') and #blb or 0)
 		elseif c=='%' then
 			desync.arg[a] = blob(desync,string.sub(v,2))
 		elseif c=='\\' then
@@ -192,8 +192,7 @@ function verdict_aggregate(v1, v2)
 	end
 	return bitor(v,vn)
 end
-function plan_instance_execute(desync, verdict, instance)
-	apply_execution_plan(desync, instance)
+function plan_instance_execute_preapplied(desync, verdict, instance)
 	if cutoff_shim_check(desync) then
 		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because of voluntary cutoff")
 	elseif not payload_match_filter(desync.l7payload, instance.payload_filter) then
@@ -206,6 +205,10 @@ function plan_instance_execute(desync, verdict, instance)
 	end
 	return verdict
 end
+function plan_instance_execute(desync, verdict, instance)
+	apply_execution_plan(desync, instance)
+	return plan_instance_execute_preapplied(desync,verdict,instance)
+end
 function plan_instance_pop(desync)
 	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1) or nil
 end
@@ -545,6 +548,7 @@ function blob(desync, name, def)
 				error("blob  '"..name.."' unavailable")
 			end
 		end
+		blob = tostring(blob)
 	end
 	return blob
 end

nfq2/conntrack.c

@@ -288,7 +288,7 @@ static bool ConntrackPoolFeedPool(t_conntrack_pool **pp, const struct dissect *d
 	}
 	return false;
 ok:
-	ctr->track.ipproto = proto;
+	ctr->track.pos.ipproto = proto;
 	if (ctrack) *ctrack = &ctr->track;
 	if (bReverse) *bReverse = b_rev;
 	return true;

nfq2/conntrack.h

@@ -53,7 +53,6 @@ typedef struct {
 typedef struct
 {
 	bool bCheckDone, bCheckResult, bCheckExcluded; // hostlist check result cache
-	uint8_t ipproto;
 
 	struct timespec t_start;
 

nfq2/conntrack_base.h

@@ -21,10 +21,10 @@ typedef struct
 	uint32_t ip6flow;
 
 	// tcp only state, not used in udp
-	uint32_t pos;		// TCP: seq_last+payload, ack_last+payload  UDP: sum of all seen payload lenghts including current
+	uint32_t pos;		// seq_last+payload, ack_last+payload
 	uint32_t uppos;		// max seen position. useful to detect retransmissions
 	uint32_t uppos_prev; 	// previous max seen position. useful to detect retransmissions
-	uint32_t seq_last;	// TCP: last seen seq and ack  UDP: sum of all seen payload lenghts NOT including current
+	uint32_t seq_last;	// last seen seq and ack
 	uint32_t seq0;		// starting seq and ack
 	uint16_t winsize;	// last seen window size
 	uint16_t mss;
@@ -38,5 +38,6 @@ typedef struct
 	struct timespec t_last;
 	t_connstate state;
 	t_ctrack_position client, server;
+	uint8_t ipproto;
 }
 t_ctrack_positions;

nfq2/darkmagic.c

@@ -335,7 +335,7 @@ void str_tcphdr(char *s, size_t s_len, const struct tcphdr *tcphdr)
 	if (tcphdr->th_flags & TH_PUSH) *f++='P';
 	if (tcphdr->th_flags & TH_URG) *f++='U';
 	*f=0;
-	snprintf(s,s_len,"sport=%u dport=%u flags=%s seq=%u ack_seq=%u",htons(tcphdr->th_sport),htons(tcphdr->th_dport),flags,htonl(tcphdr->th_seq),htonl(tcphdr->th_ack));
+	snprintf(s,s_len,"sport=%u dport=%u flags=%s seq=%u ack_seq=%u",ntohs(tcphdr->th_sport),ntohs(tcphdr->th_dport),flags,ntohl(tcphdr->th_seq),ntohl(tcphdr->th_ack));
 }
 void print_tcphdr(const struct tcphdr *tcphdr)
 {
@@ -345,7 +345,7 @@ void print_tcphdr(const struct tcphdr *tcphdr)
 }
 void str_udphdr(char *s, size_t s_len, const struct udphdr *udphdr)
 {
-	snprintf(s,s_len,"sport=%u dport=%u",htons(udphdr->uh_sport),htons(udphdr->uh_dport));
+	snprintf(s,s_len,"sport=%u dport=%u",ntohs(udphdr->uh_sport),ntohs(udphdr->uh_dport));
 }
 void print_udphdr(const struct udphdr *udphdr)
 {
@@ -922,11 +922,29 @@ BOOL SetMandatoryLabelObject(HANDLE h, SE_OBJECT_TYPE ObjType, DWORD dwMandatory
 
 bool ensure_file_access(const char *filename)
 {
-	return SetMandatoryLabelFile(filename, SECURITY_MANDATORY_LOW_RID, 0);
+	bool b=false;
+	size_t l = cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, filename, NULL, 0);
+	WCHAR *wfilename = (WCHAR*)malloc(l);
+	if (wfilename)
+	{
+		if (!cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, filename, wfilename, l))
+			b = SetMandatoryLabelFileW(wfilename, SECURITY_MANDATORY_LOW_RID, 0);
+		free(wfilename);
+	}
+	return b;
 }
 bool ensure_dir_access(const char *dir)
 {
-	return SetMandatoryLabelFile(dir, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
+	bool b=false;
+	size_t l = cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, dir, NULL, 0);
+	WCHAR *wdir = (WCHAR*)malloc(l);
+	if (wdir)
+	{
+		if (!cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, dir, wdir, l))
+			b=SetMandatoryLabelFileW(wdir, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
+		free(wdir);
+	}
+	return b;
 }
 
 bool prepare_low_appdata()
@@ -2075,6 +2093,7 @@ static uint16_t wlan_get_family_id(struct mnl_socket* nl)
 static int wlan_info_attr_cb(const struct nlattr *attr, void *data)
 {
 	struct wlan_interface *wlan = (struct wlan_interface *)data;
+	size_t len;
 	switch(mnl_attr_get_type(attr))
 	{
 		case NL80211_ATTR_IFINDEX:
@@ -2086,12 +2105,10 @@ static int wlan_info_attr_cb(const struct nlattr *attr, void *data)
 			wlan->ifindex = mnl_attr_get_u32(attr);
 			break;
 		case NL80211_ATTR_SSID:
-			if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
-			{
-				DLOG_PERROR("mnl_attr_validate(ssid)");
-				return MNL_CB_ERROR;
-			}
-			snprintf(wlan->ssid,sizeof(wlan->ssid),"%s",mnl_attr_get_str(attr));
+			len = mnl_attr_get_payload_len(attr);
+			if (len>=sizeof(wlan->ssid)) len=sizeof(wlan->ssid)-1;
+			memcpy(wlan->ssid, mnl_attr_get_payload(attr), len);
+			wlan->ssid[len]=0;
 			break;
 		case NL80211_ATTR_IFNAME:
 			if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
@@ -2434,20 +2451,11 @@ bool make_writeable_dir()
 	if (mkdir(wrdir,0755) && errno!=EEXIST)
 		return false;
 
-	bool b = false;
+	bool b;
 #ifdef __CYGWIN__
-	size_t l = cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, wrdir, NULL, 0);
-	WCHAR *wwrdir = (WCHAR*)malloc(l);
-	if (wwrdir)
-	{
-		if (!cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, wrdir, wwrdir, l))
-			b = SetMandatoryLabelFileW(wwrdir, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
-		free(wwrdir);
-	}
+	b = ensure_dir_access(wrdir);
 #else
-	if (ensure_dir_access(wrdir))
-		b = true;
-	else
+	if (!(b=ensure_dir_access(wrdir)))
 	{
 		// could not chown. may be still accessible ?
 		char testfile[PATH_MAX];

nfq2/desync.c

@@ -556,7 +556,7 @@ static bool reasm_client_start(t_ctrack *ctrack, uint8_t proto, size_t sz, size_
 		// server gave us too small tcp window
 		// client will not send all pieces of reasm
 		// if we drop packets and wait for next pieces we will see nothing but retransmissions
-		DLOG("reasm cancelled because server window size %u is smaller than expected reasm size %u\n", ctrack->pos.server.winsize_calc, sz);
+		DLOG("reasm cancelled because server window size %u is smaller than expected reasm size %zu\n", ctrack->pos.server.winsize_calc, sz);
 		return false;
 	}
 	return reasm_start(ctrack, &ctrack->reasm_client, proto, (proto == IPPROTO_TCP) ? ctrack->pos.client.seq_last : 0, sz, szMax, data_payload, len_payload);
@@ -1581,14 +1581,14 @@ static uint8_t dpi_desync_tcp_packet_play(
 
 				if (!ReasmIsEmpty(&ps.ctrack->reasm_client))
 				{
-					if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos))
+					if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos, false))
 					{
 						DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ps.ctrack->delayed));
 					}
 					else
 					{
 						DLOG_ERR("rawpacket_queue failed !\n");
-						goto pass_reasm_cancel;
+						goto rediscover;
 					}
 					if (ReasmIsFull(&ps.ctrack->reasm_client))
 					{
@@ -1602,6 +1602,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 		}
 	}
 
+// UNSOLVED: if reasm is cancelled all packets except the last are passed as is without lua desync
 rediscover:
 	if (!dp_rediscovery(&ps))
 		goto pass_reasm_cancel;
@@ -1648,6 +1649,7 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 	size_t nl, off;
 	const uint8_t *p;
 	bool bptr = (*a & 0xC0)==0xC0;
+	uint8_t x,y;
 
 	if (bptr)
 	{
@@ -1666,9 +1668,8 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 		// do not support mixed ptr+real
 		if ((*p & 0xC0) || (p+*p+1)>=e || (*p+1)>=(name_size-nl)) return NULL;
 		if (nl)	name[nl++] = '.';
-		memcpy(name + nl, p + 1, *p);
-		nl += *p;
-		p += *p + 1;
+		for(y=*p++,x=0 ; x<y ; x++,p++) name[nl+x] = tolower(*p);
+		nl += y;
 	}
 	name[nl] = 0;
 	return bptr ? a+2 : p+1;
@@ -1781,7 +1782,7 @@ static uint8_t dpi_desync_udp_packet_play(
 						else
 						{
 							DLOG("QUIC reasm is too long. cancelling.\n");
-							goto pass_reasm_cancel;
+							goto rediscover_cancel;
 						}
 					}
 					size_t hello_offset, hello_len, defrag_len = sizeof(defrag);
@@ -1805,18 +1806,18 @@ static uint8_t dpi_desync_udp_packet_play(
 								{
 									// preallocate max buffer to avoid reallocs that cause memory copy
 									if (!reasm_client_start(ps.ctrack, IPPROTO_UDP, UDP_MAX_REASM, UDP_MAX_REASM, clean, clean_len))
-										goto pass_reasm_cancel;
+										goto rediscover_cancel;
 								}
 								if (!ReasmIsEmpty(&ps.ctrack->reasm_client))
 								{
-									if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos))
+									if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos, false))
 									{
 										DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ps.ctrack->delayed));
 									}
 									else
 									{
 										DLOG_ERR("rawpacket_queue failed !\n");
-										goto pass_reasm_cancel;
+										goto rediscover_cancel;
 									}
 									if (bReqFull)
 									{
@@ -1847,16 +1848,16 @@ static uint8_t dpi_desync_udp_packet_play(
 								{
 									// preallocate max buffer to avoid reallocs that cause memory copy
 									if (!reasm_client_start(ps.ctrack, IPPROTO_UDP, UDP_MAX_REASM, UDP_MAX_REASM, clean, clean_len))
-										goto pass_reasm_cancel;
+										goto rediscover_cancel;
 								}
-								if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos))
+								if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos, false))
 								{
 									DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ps.ctrack->delayed));
 								}
 								else
 								{
 									DLOG_ERR("rawpacket_queue failed !\n");
-									goto pass_reasm_cancel;
+									goto rediscover_cancel;
 								}
 								return ct_new_postnat_fix(ps.ctrack, dis, mod_pkt, len_mod_pkt);
 							}
@@ -1881,18 +1882,16 @@ static uint8_t dpi_desync_udp_packet_play(
 			feed_dns_response(dis->data_payload, dis->len_payload);
 	} // len_payload
 
+// UNSOLVED: if reasm is cancelled all packets except the last are passed as is without lua desync
+rediscover_cancel:
 	reasm_client_cancel(ps.ctrack);
 
 	if (!dp_rediscovery(&ps))
 		goto pass;
 
 	ps.verdict = desync(ps.dp, fwmark, ifin, ifout, ps.bReverseFixed, ps.ctrack_replay, tpos, ps.l7payload, ps.l7proto, dis, ps.sdip4, ps.sdip6, ps.sdport, mod_pkt, len_mod_pkt, replay_piece, replay_piece_count, reasm_offset, NULL, 0, data_decrypt, len_decrypt);
-
 pass:
 	return (!ps.bReverse && (ps.verdict & VERDICT_MASK) == VERDICT_DROP) ? ct_new_postnat_fix(ps.ctrack, dis, mod_pkt, len_mod_pkt) : ps.verdict;
-pass_reasm_cancel:
-	reasm_client_cancel(ps.ctrack);
-	goto pass;
 }
 
 // conntrack is supported only for RELATED icmp
@@ -2146,12 +2145,24 @@ static bool replay_queue(struct rawpacket_tailhead *q)
 	struct rawpacket *rp;
 	size_t offset;
 	unsigned int i, count;
-	bool b = true;
 	uint8_t mod[RECONSTRUCT_MAX_SIZE];
 	size_t modlen;
+	uint32_t seq0;
+	t_ctrack_position *pos;
+	bool b = true, bseq;
 
-	for (i = 0, offset = 0, count = rawpacket_queue_count(q); (rp = rawpacket_dequeue(q)); offset += rp->len_payload, rawpacket_free(rp), i++)
+	for (i = 0, offset = 0, count = rawpacket_queue_count(q); (rp = rawpacket_dequeue(q)); rawpacket_free(rp), i++)
 	{
+		// TCP: track reasm_offset using sequence numbers
+		if ((bseq = rp->tpos_present && rp->tpos.ipproto==IPPROTO_TCP))
+		{
+			pos = rp->server_side ? &rp->tpos.server : &rp->tpos.client;
+			if (i)
+				offset = pos->seq_last - seq0;
+			else
+				seq0 = pos->seq_last;
+		}
+
 		DLOG("REPLAYING delayed packet #%u offset %zu\n", i+1, offset);
 		modlen = sizeof(mod);
 		uint8_t verdict = dpi_desync_packet_play(i, count, offset, rp->fwmark_orig, rp->ifin, rp->ifout, rp->tpos_present ? &rp->tpos : NULL, rp->packet, rp->len, mod, &modlen);
@@ -2169,6 +2180,9 @@ static bool replay_queue(struct rawpacket_tailhead *q)
 			DLOG("DROPPING delayed packet #%u\n", i+1);
 			break;
 		}
+
+		if (!bseq)
+			offset += rp->len_payload;
 	}
 	return b;
 }

nfq2/lua.c

@@ -1248,6 +1248,7 @@ void lua_push_blob(lua_State *L, int idx_desync, const char *blob)
 		lua_pop(L,1);
 		lua_getglobal(L, blob);
 	}
+	lua_tostring(L,-1);
 }
 void lua_pushf_blob(lua_State *L, int idx_desync, const char *field, const char *blob)
 {
@@ -1657,7 +1658,7 @@ void lua_pushf_ctrack_pos(lua_State *L, const t_ctrack *ctrack, const t_ctrack_p
 	lua_pushf_lint(L,"pdcounter", pos->pdcounter);
 	lua_pushf_lint(L,"pbcounter", pos->pbcounter);
 	if (pos->ip6flow) lua_pushf_int(L,"ip6_flow", pos->ip6flow);
-	if (ctrack->ipproto == IPPROTO_TCP)
+	if (ctrack->pos.ipproto == IPPROTO_TCP)
 	{
 		lua_pushliteral(L, "tcp");
 		lua_createtable(L, 0, 11);
@@ -1779,7 +1780,10 @@ void lua_pushf_args(lua_State *L, const struct str2_list_head *args, int idx_des
 				lua_push_blob(L, idx_desync, val+1);
 				lua_Integer len = lua_rawlen(L, -1);
 				lua_pop(L,1);
-				lua_pushf_int(L, var, len);
+				lua_pushstring(L, var);
+				lua_pushinteger(L, len);
+				lua_tostring(L,-1); // force string type in arg
+				lua_rawset(L,-3);
 			}
 			else
 				lua_pushf_str(L, var, val);

nfq2/packet_queue.c

@@ -26,7 +26,14 @@ void rawpacket_queue_destroy(struct rawpacket_tailhead *q)
 	while((rp = rawpacket_dequeue(q))) rawpacket_free(rp);
 }
 
-struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos)
+struct rawpacket *rawpacket_queue(
+	struct rawpacket_tailhead *q,
+	const struct sockaddr_storage* dst,
+	uint32_t fwmark_orig,uint32_t fwmark,
+	const char *ifin,const char *ifout,
+	const void *data,size_t len,size_t len_payload,
+	const t_ctrack_positions *tpos,
+	bool server_side)
 {
 	struct rawpacket *rp = malloc(sizeof(struct rawpacket));
 	if (!rp) return NULL;
@@ -61,6 +68,7 @@ struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sock
 	}
 	else
 		rp->tpos_present = false;
+	rp->server_side = server_side;
 	
 	TAILQ_INSERT_TAIL(q, rp, next);
 	

nfq2/packet_queue.h

@@ -18,6 +18,7 @@ struct rawpacket
 	uint8_t *packet;
 	t_ctrack_positions tpos;
 	bool tpos_present;
+	bool server_side;		// true = reasm of packets from the server side
 	TAILQ_ENTRY(rawpacket) next;
 };
 TAILQ_HEAD(rawpacket_tailhead, rawpacket);
@@ -26,6 +27,6 @@ void rawpacket_queue_init(struct rawpacket_tailhead *q);
 void rawpacket_queue_destroy(struct rawpacket_tailhead *q);
 bool rawpacket_queue_empty(const struct rawpacket_tailhead *q);
 unsigned int rawpacket_queue_count(const struct rawpacket_tailhead *q);
-struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos);
+struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos,bool server_side);
 struct rawpacket *rawpacket_dequeue(struct rawpacket_tailhead *q);
 void rawpacket_free(struct rawpacket *rp);

nfq2/protocol.c

@@ -248,7 +248,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7payload l7payload, cons
 }
 
 
-static const char *http_methods[] = { "GET ","POST ","HEAD ","OPTIONS ","PUT ","DELETE ","CONNECT ","TRACE ",NULL };
+static const char *http_methods[] = { "GET ","POST ","HEAD ","OPTIONS ","PUT ","DELETE ","CONNECT ","TRACE ", "PATCH ", NULL };
 static const char *HttpMethod(const uint8_t *data, size_t len)
 {
 	const char **method;
@@ -1337,14 +1337,12 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
 {
 	// too small packets are not likely to be initials
 	// long header, fixed bit
-	if (len < 128 || (data[0] & 0xF0)!=0xC0) return false;
+	if (len < 128) return false;
 
 	uint32_t ver = QUICExtractVersion(data,len);
 	if (QUICDraftVersion(ver) < 11) return false;
 
-	// quic v1 : initial packets are 00b
-	// quic v2 : initial packets are 01b
-	if ((data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)) return false;
+	if ((data[0] & 0xF0) != (is_quic_v2(ver) ? 0xD0 : 0xC0)) return false;
 
 	uint64_t offset=5, sz, sz2;