docs

.github/workflows/build.yml

@@ -25,7 +25,7 @@ jobs:
           - arch: arm64
             tool: aarch64-unknown-linux-musl
           - arch: arm
-            tool: arm-unknown-linux-musleabi
+            tool: armv6-unknown-linux-musleabi
           - arch: mips64
             tool: mips64-unknown-linux-musl
           - arch: mipselsf
@@ -133,7 +133,7 @@ jobs:
             esac
             (
               cd luajit2-*
-              make BUILDMODE=static XCFLAGS="-DLUAJIT_DISABLE_FFI" HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$CPU $MINSIZE $CFLAGS" TARGET_LDFLAGS="$CPU $LDMINSIZE $LDFLAGS" -j$(nproc)
+              make BUILDMODE=static XCFLAGS="-DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI" HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$CPU $MINSIZE $CFLAGS" TARGET_LDFLAGS="$CPU $LDMINSIZE $LDFLAGS" -j$(nproc)
               make install PREFIX= DESTDIR=$DEPS_DIR
             )
             LJIT=1
@@ -236,6 +236,11 @@ jobs:
           export RANLIB=$TOOLCHAIN/bin/llvm-ranlib
           export STRIP=$TOOLCHAIN/bin/llvm-strip
           export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
+          case "$ABI" in
+            armeabi-v7a)
+              CPU="-mthumb"
+              ;;
+          esac
 
           # luajit
           wget -qO- https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
@@ -248,7 +253,7 @@ jobs:
           esac
           (
             cd luajit2-*
-            make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" -j$(nproc)
+            make BUILDMODE=static XCFLAGS="-DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI" HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$CPU $MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" -j$(nproc)
             make install PREFIX= DESTDIR=$DEPS_DIR
           )
           LJIT=1
@@ -264,7 +269,7 @@ jobs:
           for i in libmnl libnfnetlink libnetfilter_queue ; do
             (
               cd $i-*
-              CFLAGS="$MINSIZE -Wno-implicit-function-declaration $CFLAGS" \
+              CFLAGS="$CPU $MINSIZE -Wno-implicit-function-declaration $CFLAGS" \
               LDFLAGS="$LDMINSIZE $LDFLAGS" \
               ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
               make install -j$(nproc) DESTDIR=$DEPS_DIR
@@ -273,7 +278,7 @@ jobs:
           done
 
           # zapret2
-          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -I$DEPS_DIR/include" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -I$DEPS_DIR/include $CPU" \
           LDFLAGS="-L$DEPS_DIR/lib" \
           make -C zapret2 LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB" -j$(nproc) android
 
@@ -329,7 +334,7 @@ jobs:
           wget -qO- https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
           (
             cd luajit2-*
-            make BUILDMODE=static XCFLAGS="$PIC -DLUAJIT_DISABLE_FFI" HOST_CC=gcc CC=$CC TARGET_CFLAGS="$MINSIZE $CFLAGS $PIC" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
+            make BUILDMODE=static XCFLAGS="$PIC -DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI" HOST_CC=gcc CC=$CC TARGET_CFLAGS="$MINSIZE $CFLAGS $PIC" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
             make install PREFIX= DESTDIR=$DEPS_DIR
           )
 
@@ -442,7 +447,7 @@ jobs:
           wget -q https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz &&
           tar -xzf v${LUAJIT_RELEASE}.tar.gz &&
           rm -f v${LUAJIT_RELEASE}.tar.gz &&
-          make -C luajit2-${LUAJIT_RELEASE} BUILDMODE=static XCFLAGS="-DLUAJIT_DISABLE_FFI -ffat-lto-objects" TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" &&
+          make -C luajit2-${LUAJIT_RELEASE} BUILDMODE=static XCFLAGS="-DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI -ffat-lto-objects" TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" &&
           make -C luajit2-${LUAJIT_RELEASE} install
 
       - name: Build winws

common/base.sh

@@ -438,6 +438,13 @@ has_bad_ws_options()
 		echo "Kernel ipsets should be used instead. Write custom scripts and filter IPs in kernel."
 		echo
 	}
+	contains "$1" "--ipset=$ZAPRET_BASE" || contains "$1" "--ipset-exclude=$ZAPRET_BASE" ||
+	contains "$1" "--hostlist=$ZAPRET_BASE" || contains "$1" "--hostlist-exclude=$ZAPRET_BASE" && {
+		echo
+		echo "WARNING !!! you store ipset or hostlist files inside '$ZAPRET_BASE'"
+		echo "It's not recommended. install_easy.sh will delete them during update."
+		echo
+	}
 	
 	return 1
 }

docs/changes.txt

@@ -263,3 +263,6 @@ v0.9.4.3
 0.9.4.4
 
 * winws2, dvtws2: ASLR
+* github, linux-builder: reduce arm executable size by 20% - move to armv7+thumb
+* init.d: warn if hostlist/ipset files are inside zapret2 root
+* zapret-lib: do not call apply_arg_prefix in apply_execution_plan - call it right before instance execute

docs/compile/builder-linux/build_deps.sh

@@ -61,10 +61,12 @@ build_lua()
 }
 build_luajit()
 {
+	local CFL="$CFLAGS"
 (
 	cd luajit2-*
+	CFLAGS="-Os"
 	make clean
-	make BUILDMODE=static CFLAGS="-O2" XCFLAGS="-DLUAJIT_DISABLE_FFI $CFLAGS_PIC" HOST_CC="$HOST_CC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" TARGET_LDFLAGS="$CPU $LDMINSIZE $LDFLAGS"
+	make BUILDMODE=static XCFLAGS="-DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI $CFLAGS_PIC" HOST_CC="$HOST_CC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$OPTIMIZE $MINSIZE $CFL" TARGET_LDFLAGS="$CPU $LDMINSIZE $LDFLAGS"
 	make install PREFIX= DESTDIR="$STAGING_DIR"
 )
 }
@@ -91,8 +93,9 @@ ask_target
 
 CFLAGS_BASE="$CFLAGS"
 for t in $TGT; do
-        CFLAGS="$CFLAGS_BASE $CFLAGS_PIC"
+        CFLAGS="$CFLAGS_BASE"
 	buildenv $t
+	CFLAGS="$CFLAGS $CFLAGS_PIC"
 	pushd "$DEPS"
 	install_h_files
 	build_netlink

docs/compile/builder-linux/build_zapret1.sh

@@ -38,7 +38,7 @@ ask_target
 
 CFLAGS_BASE="$CFLAGS"
 for t in $TGT; do
-        CFLAGS="$CFLAGS_BASE $MINSIZE $CFLAGS_PIC"
+        CFLAGS="$CFLAGS_BASE $MINSIZE"
 	buildenv $t
 
 	translate_target $t || {
@@ -50,7 +50,7 @@ for t in $TGT; do
 
 	make clean
 	OPTIMIZE=$OPTIMIZE \
-	CFLAGS="-static-libgcc -I$STAGING_DIR/include $CFLAGS" \
+	CFLAGS="-static-libgcc -I$STAGING_DIR/include $CFLAGS $CFLAGS_PIC" \
 	LDFLAGS="-L$STAGING_DIR/lib $LDMINSIZE $LDFLAGS_PIE $LDFLAGS" \
 	make
 

docs/compile/builder-linux/common.inc

@@ -23,7 +23,7 @@ nproc=$(nproc)
 
 TARGETS="\
 aarch64-unknown-linux-musl \
-arm-unknown-linux-musleabi \
+armv6-unknown-linux-musleabi \
 i586-unknown-linux-musl \
 x86_64-unknown-linux-musl \
 mips-unknown-linux-muslsf \
@@ -38,7 +38,7 @@ target_has_luajit()
 {
 	case "$1" in
 		aarch64-unknown-linux-musl| \
-		arm-unknown-linux-musleabi| \
+		armv6-unknown-linux-musleabi| \
 		x86_64-unknown-linux-musl| \
 		mips-unknown-linux-muslsf| \
 		mips64-unknown-linux-musl| \
@@ -100,8 +100,8 @@ buildenv()
 	# not all archs support -static-pie. if does not support - it produces dynamic executable
 	# "-static -static-pie" causes segfaults
 	case $1 in
-		arm-*)
-			CPU="-mcpu=cortex-a7 -mthumb -msoft-float $CFLAGS"
+		armv6-*)
+			CPU="-mthumb -msoft-float"
 			CFLAGS="$CPU $CFLAGS"
 			;;
 		mips*)
@@ -273,7 +273,7 @@ translate_target()
 		aarch64-unknown-linux-musl)
 			ZBINTARGET=linux-arm64
 			;;
-		arm-unknown-linux-musleabi)
+		armv6-unknown-linux-musleabi)
 			ZBINTARGET=linux-arm
 			;;
 		x86_64-unknown-linux-musl)

docs/manual.en.md

@@ -3531,7 +3531,8 @@ Checks the [instance cutoff](#instance_cutoff) state for `desync.func_instance`
 function apply_arg_prefix(desync)
 ```
 
-Performs substitution of argument values from `desync.arg` that start with `%` and `#`.
+Performs substitution of argument values from `desync.arg` that start with `%`, `#`,  `\`.
+Multiple calls are safe but do not update desync.arg if blobs were changed.
 
 ### apply_execution_plan
 
@@ -3540,6 +3541,8 @@ function apply_execution_plan(desync, instance)
 ```
 
 Copies the instance identification and its arguments from an [execution plan](#execution_plan) `instance` into the desync object, thereby recreating the desync state as if the `instance` were called directly by C code.
+With one exception : apply_arg_prefix is not applied because args can refer a blob created by previous conditionally executed instances.
+
 The [execution plan](#execution_plan) is provided by the C function `execution_plan()` as an array of `instance` elements.
 
 ### verdict_aggregate
@@ -3558,6 +3561,7 @@ function plan_instance_execute_preapplied(desync, verdict, instance)
 ```
 
 Executes an [execution plan](#execution_plan) `instance`, taking into account the [instance cutoff](#instance_cutoff) and standard [payload](#in-profile-filters) and [range](#in-profile-filters) filters.
+Calls apply_arg_prefix right before calling the instance.
 Returns the aggregation of the current verdict and the `instance` verdict.
 
 The "preapplied" version does not apply execution plan, allowing the calling code to do so.
@@ -4479,6 +4483,7 @@ function cond_lua(desync)
 ```
 
 Executes a Lua code from the "cond_code" argument. The code returns condition value. Direct addressing of the desync table is possible within the code.
+desync.arg is passed without called "apply_arg_prefix" : `%`, `#`, `\` remain as is without substitution because can refer blobs created by previous conditionally executed instances.
 
 
 # Auxiliary programs

docs/manual.md

@@ -3709,7 +3709,8 @@ function cutoff_shim_check(desync)
 function apply_arg_prefix(desync)
 ```
 
-Выполняет подстановку значений аргументов из desync.arg, начинающихся с `%` и `#`.
+Выполняет подстановку значений аргументов из desync.arg, начинающихся с `%` и `#`, `\`.
+Функция ставит специальную метку в desync.arg , чтобы избежать двойного разименования. Повторные вызовы безопасны, но не обновляют desync.arg при изменении блобов.
 
 ### apply_execution_plan
 
@@ -3719,6 +3720,8 @@ function apply_execution_plan(desync, instance)
 
 Копирует в desync идентификацию инстанса и его аргументы из элемента [execution plan](#execution_plan) `instance`,
 тем самым воссоздает состояние desync, как если бы `instance` был вызван напрямую C кодом.
+За одним исключением : apply_arg_prefix не применяется, поскольку может содержать несуществующие блоб, существование которого зависит от условного выполнения предыдущих истансов.
+
 [execution plan](#execution_plan) выдается C функцией `execution_plan()` как массив, элементами которого являются `instance`.
 
 ### verdict_aggregate
@@ -3737,6 +3740,7 @@ function plan_instance_execute_preapplied(desync, verdict, instance)
 ```
 
 Выполняет элемент [execution plan](#execution_plan) `instance` с учетом [instance cutoff](#instance_cutoff) и стандартных фильтров [payload](#внутрипрофильные-фильтры) и [range](#внутрипрофильные-фильтры).
+При совпадении условий непосредственно перед вызовом выполняет apply_arg_prefix.
 Возвращает агрегацию verdict и вердикта `instance`.
 
 Вариант "preapplied" не выполняет apply_execution_plan, позволяя это сделат вызывающему коду.
@@ -4658,6 +4662,7 @@ function cond_lua(desync)
 ```
 
 Выполняет Lua код из аргумента "cond_code". Код возвращает значение условия через return. Возможна прямая адресация таблицы desync.
+desync.arg передаются с НЕ разименованными `%`, `#`, `\`, поскольку разименование может ссылаться на блобы, создаваемые предыдущими условно вызываемыми инстансами.
 
 # Вспомогательные программы
 

lua/zapret-antidpi.lua

@@ -1210,8 +1210,8 @@ function udplen(ctx, desync)
 				else
 					desync.dis.payload = string.sub(desync.dis.payload,1,len+inc)
 					DLOG("udplen: "..len.." => "..#desync.dis.payload)
+					return VERDICT_MODIFY
 				end
-				return VERDICT_MODIFY
 			end
 		end
 	end

lua/zapret-lib.lua

@@ -149,6 +149,8 @@ end
 
 -- applies # and $ prefixes. #var means var length, %var means var value
 function apply_arg_prefix(desync)
+	-- prevent double apply
+	if desync.arg.__prefix_applied then return end
 	for a,v in pairs(desync.arg) do
 		local c = string.sub(v,1,1)
 		if c=='#' then
@@ -163,6 +165,7 @@ function apply_arg_prefix(desync)
 			end
 		end
 	end
+	desync.arg.__prefix_applied = true
 end
 -- copy instance identification and args from execution plan to desync table
 -- NOTE : to not lose VERDICT_MODIFY dissect changes pass original desync table
@@ -173,7 +176,7 @@ function apply_execution_plan(desync, instance)
 	desync.func_n = instance.func_n
 	desync.func_instance = instance.func_instance
 	desync.arg = deepcopy(instance.arg)
-	apply_arg_prefix(desync)
+	-- no apply_arg_prefix here because it may refer non-existing blobs
 end
 -- produce resulting verdict from 2 verdicts
 function verdict_aggregate(v1, v2)
@@ -200,6 +203,9 @@ function plan_instance_execute_preapplied(desync, verdict, instance)
 	elseif not pos_check_range(desync, instance.range) then
 		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because pos "..pos_str(desync,instance.range.from).." "..pos_str(desync,instance.range.to).." is out of range '"..pos_range_str(instance.range).."'")
 	else
+		-- condition is satisfied. here blobs must be referenced
+		apply_arg_prefix(desync)
+		desync.arg.__prefix_applied = nil
 		DLOG("plan_instance_execute: calling '"..desync.func_instance.."'")
 		verdict = verdict_aggregate(verdict,_G[instance.func](nil, desync))
 	end
@@ -632,7 +638,7 @@ function tls_mod_shim(desync, blob, modlist, payload)
 		if not val then
 			error("tls_mod_shim: non-existent var '"..var.."'")
 		end
-		modlist = string.sub(modlist,1,p1+3)..val..string.sub(modlist,p2+1)
+		modlist = string.sub(modlist,1,p1+3)..tostring(val)..string.sub(modlist,p2+1)
 	end
 	return tls_mod(blob,modlist,payload)
 end
@@ -962,7 +968,7 @@ function apply_fooling(desync, dis, fooling_options)
 			end
 		end
 		if fooling_options.tcp_ts_up then
-			move_ts_top(dis.tcp.options)
+			move_ts_top()
 		end
 	end
 	if dis.ip6 then

lua/zapret-tests.lua

@@ -780,6 +780,7 @@ function test_csum()
 	print( raw==udpb and "UDP RECONSTRUCT OK" or "UDP RECONSTRUCT FAILED" )
 	test_assert(raw==udpb)
 
+	ip.ip_p = IPPROTO_UDP
 	raw = reconstruct_dissect({ip=ip, udp=udp, payload=payload})
 	dis1 = dissect(raw)
 	ip.ip_p = IPPROTO_UDP

nfq2/lua.c

@@ -1868,7 +1868,7 @@ static bool lua_reconstruct_ip6exthdr(lua_State *L, int idx, struct ip6_hdr *ip6
 {
 	LUA_STACK_GUARD_ENTER(L)
 	// proto = last header type
-	if (*len<sizeof(struct tcphdr)) return false;
+	if (*len<sizeof(struct ip6_hdr)) return false;
 
 	uint8_t *last_proto = &ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt;
 	size_t filled = sizeof(struct ip6_hdr);
@@ -2031,7 +2031,7 @@ bool lua_reconstruct_iphdr(lua_State *L, int idx, struct ip *ip, size_t *len)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	if (*len<sizeof(struct ip) || lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (*len<sizeof(struct ip) || lua_type(L,idx)!=LUA_TTABLE) return false;
 
 	ip->ip_v = IPVERSION;
 
@@ -2201,7 +2201,7 @@ err:
 }
 bool lua_reconstruct_tcphdr(lua_State *L, int idx, struct tcphdr *tcp, size_t *len)
 {
-	if (*len<sizeof(struct tcphdr) || lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (*len<sizeof(struct tcphdr) || lua_type(L,idx)!=LUA_TTABLE) return false;
 
 	LUA_STACK_GUARD_ENTER(L)
 
@@ -2276,7 +2276,7 @@ static int luacall_reconstruct_tcphdr(lua_State *L)
 
 bool lua_reconstruct_udphdr(lua_State *L, int idx, struct udphdr *udp)
 {
-	if (lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (lua_type(L,idx)!=LUA_TTABLE) return false;
 
 	LUA_STACK_GUARD_ENTER(L)
 
@@ -2320,7 +2320,7 @@ static int luacall_reconstruct_udphdr(lua_State *L)
 
 bool lua_reconstruct_icmphdr(lua_State *L, int idx, struct icmp46 *icmp)
 {
-	if (lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (lua_type(L,idx)!=LUA_TTABLE) return false;
 
 	LUA_STACK_GUARD_ENTER(L)
 

nfq2/protocol.c

@@ -331,7 +331,7 @@ bool IsHttpReply(const uint8_t *data, size_t len)
 		data[10]>='0' && data[10]<='9' &&
 		data[11]>='0' && data[11]<='9';
 }
-int HttpReplyCode(const uint8_t *data, size_t len)
+int HttpReplyCode(const uint8_t *data)
 {
 	return (data[9]-'0')*100 + (data[10]-'0')*10 + (data[11]-'0');
 }
@@ -370,7 +370,7 @@ bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *
 	
 	if (!host || !*host || !IsHttpReply(data, len)) return false;
 	
-	code = HttpReplyCode(data,len);
+	code = HttpReplyCode(data);
 	
 	if ((code!=302 && code!=307) || !HttpExtractHeader(data,len,"\nLocation:",loc,sizeof(loc))) return false;
 

nfq2/protocol.h

@@ -104,7 +104,7 @@ bool HttpExtractHeader(const uint8_t *data, size_t len, const char *header, char
 bool HttpExtractHost(const uint8_t *data, size_t len, char *host, size_t len_host);
 bool IsHttpReply(const uint8_t *data, size_t len);
 // must be pre-checked by IsHttpReply
-int HttpReplyCode(const uint8_t *data, size_t len);
+int HttpReplyCode(const uint8_t *data);
 // must be pre-checked by IsHttpReply
 bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
 

nfq2/win.c

@@ -28,12 +28,6 @@ bool service_run(int argc, char *argv[])
 	return StartServiceCtrlDispatcherA(ServiceTable);
 }
 
-static void service_set_status(DWORD state)
-{
-	ServiceStatus.dwCurrentState = state;
-	SetServiceStatus(hStatus, &ServiceStatus);
-}
-
 // Control handler function
 void service_controlhandler(DWORD request)
 {