AI inspired fixes

Typos

.github/ISSUE_TEMPLATE/issue-warning.md

@@ -11,7 +11,11 @@ Issues - это место для обращений к разработчику
 Discussions - место для обсуждения вопросов между пользователями.
 
 Все, что выходит за рамки багов и технически грамотных предложений, идей,
-вопросы типа "как мне это запустить", "что нажать", "что вписать" - будет безжалостно удаляться.
+вопросы типа "как мне это запустить", "что нажать", "что вписать", "перестало открываться" - будет безжалостно удаляться.
+Если вы не знаете как пользоваться, для вас что-то сложно, здесь - не место обучению программе или linux и не место для вопросов подобного рода.
+Поймите, пожалуйста, что zapret - это инструмент, а не готовое решение для пользователя. В его функциях нет кнопки "открыть сайты", поэтому
+если они перестали открываться - это не issue. Функцию "открыть сайты" дают только сборки - ищите их и все вопросы адресуйте туда.
+Если вы игнорируете данное требование, вы не достигните своих целей , а только добавите желания удалить ваш issue или при настойчивости забанить.
 Идите в дискуссии, не захламляйте issues.
 
 Here is the place for bugs only. All questions, especially user-like questions (non-technical) go to Discussions.

.github/workflows/build.yml

@@ -75,11 +75,11 @@ jobs:
           sudo dpkg --add-architecture i386
           sudo apt update -qq
           if [[ "$ARCH" == lexra ]]; then
-            sudo apt install -y libcap-dev libc6:i386 zlib1g:i386
+            sudo apt install -y pigz libcap-dev libc6:i386 zlib1g:i386
             URL=https://github.com/$REPO/raw/refs/heads/master/$DIR.txz
           else
             # luajit buildvm requires 32 bit executable on host platform for 32 bit cross targets
-            sudo apt install -y libcap-dev libc6-dev gcc-multilib
+            sudo apt install -y pigz libcap-dev libc6-dev gcc-multilib
             URL=https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz
           fi
           mkdir -p $HOME/tools
@@ -108,7 +108,7 @@ jobs:
           export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
           export STAGING_DIR=$RUNNER_TEMP
 
-          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]]; then
+          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]] ; then
             # use classic lua
             wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
             (
@@ -551,8 +551,9 @@ jobs:
           (
             cd ${{ env.repo_dir }}
             rm -rf binaries/{android*,freebsd*,win*} \
-                   init.d/{openrc,pfsense,runit,s6,systemd} \
+                   init.d/{openrc,pfsense,runit,s6,systemd,windivert.filter.examples} \
                    nfq2 ip2net mdig docs Makefile
+            pigz -11 lua/*.lua
           )
           tar --owner=0 --group=0 -czf ${{ env.repo_dir }}-openwrt-embedded.tar.gz ${{ env.repo_dir }}
 

blockcheck2.d/custom/10-list.sh

@@ -0,0 +1,58 @@
+LIST_HTTP="${LIST_HTTP:-$TESTDIR/list_http.txt}"
+LIST_HTTPS_TLS12="${LIST_HTTPS_TLS12:-$TESTDIR/list_https_tls12.txt}"
+LIST_HTTPS_TLS13="${LIST_HTTPS_TLS13:-$TESTDIR/list_https_tls13.txt}"
+LIST_QUIC="${LIST_QUIC:-$TESTDIR/list_quic.txt}"
+
+check_list()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - file
+
+	local line ok=0
+	[ -f "$3" ] || {
+		echo "no strategy file '$3'"
+		return 1
+	}
+	while IFS= read -r line; do
+		case "$line" in
+			""|\#*) continue ;;
+		esac
+		line=$(echo "$line" | tr -d "\r\n")
+		eval pktws_curl_test_update "$1" "$2" $line && ok=1
+	done < "$3"
+
+	[ "$ok" = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTP"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTPS_TLS12"
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_HTTPS_TLS13"
+}
+
+pktws_check_http3()
+{
+	# $1 - test function
+	# $2 - domain
+
+	check_list "$1" "$2" "$LIST_QUIC"
+}

blockcheck2.d/custom/README.txt

@@ -0,0 +1,12 @@
+Простой тестер стратегий по списку из файла.
+Скопируйте эту директорию под другим именем в blockcheck2.d, отредактируйте list файлы, впишите туда свои стратегии.
+В диалоге blockcheck2.sh выберите тест с названием вашей директории.
+Можно комментировать строки символом '#' в начале строки.
+Параметры со спец символами типа "<" должны быть эскейпнуты по правилам shell.
+Альтернативный путь до файлов стратегий можно задать переменными LIST_HTTP, LIST_HTTPS_TLS12, LIST_HTTPS_TLS13, LIST_QUIC.
+
+This is simple strategy tester from a file.
+Copy this folder, write your strategies into list files and select your test in blockcheck2 dialog.
+Lines can be commented using the '#' symbol at the line start.
+Parameters with special symbols like "<" must be escaped.
+Strategy list files paths can be overriden in env variables : LIST_HTTP, LIST_HTTPS_TLS12, LIST_HTTPS_TLS13, LIST_QUIC.

blockcheck2.d/custom/list_http.txt

@@ -0,0 +1,5 @@
+# write nfqws2 parameters here
+# WARNING : parameters with special symbols like "<" must be escaped or will cause error
+--payload=http_req --lua-desync=http_hostcase
+--payload=http_req --lua-desync=http_methodeol
+--payload=http_req --lua-desync=fake:blob=fake_default_http:tcp_ts=-1000

blockcheck2.d/custom/list_https_tls12.txt

@@ -0,0 +1,4 @@
+# write nfqws2 parameters here
+# WARNING : parameters with special symbols like "<" must be escaped or will cause error
+--payload tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_ts=-1000
+--payload=tls_client_hello --lua-desync=fake:blob=0x00000000:tcp_md5:repeats=1 --lua-desync=fake:blob=fake_default_tls:tcp_md5:tls_mod=rnd,dupsid:repeats=1 --lua-desync=multisplit:pos=2

blockcheck2.d/custom/list_https_tls13.txt

@@ -0,0 +1,5 @@
+# write nfqws2 parameters here
+# WARNING : parameters with special symbols like "<" must be escaped or will cause error
+--payload tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_ts=-1000
+--payload tls_client_hello --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop
+--payload tls_client_hello --lua-desync=luaexec:code="desync.pat=tls_mod(fake_default_tls,'rnd,rndsni,dupsid,padencap',desync.reasm_data)" --lua-desync=tcpseg:pos=0,-1:seqovl=#pat:seqovl_pattern=pat --lua-desync=drop

blockcheck2.d/custom/list_quic.txt

@@ -0,0 +1,4 @@
+# write nfqws2 parameters here
+# WARNING : parameters with special symbols like "<" must be escaped or will cause error
+--payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=11
+--payload quic_initial --lua-desync=send:ipfrag --lua-desync=drop

blockcheck2.d/standard/10-http-basic.sh

@@ -0,0 +1,12 @@
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	local s
+
+	[ "$NOTEST_BASIC_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	for s in 'http_hostcase' 'http_hostcase:spell=hoSt' 'http_domcase' 'http_methodeol' 'http_unixeol'; do
+		pktws_curl_test_update $1 $2 --payload=http_req --lua-desync=$s
+	done
+}

blockcheck2.d/standard/15-misc.sh

@@ -0,0 +1,42 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload=http_req" repeats ok
+
+	[ "$NOTEST_MISC_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	for repeats in 1 20 100 260; do
+		# send starting bytes of original payload
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,method+2:ip_id=rnd:repeats=$repeats && ok=1
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,midsld:ip_id=rnd:repeats=$repeats && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload=tls_client_hello" repeats ok
+
+	[ "$NOTEST_MISC_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	for repeats in 1 20 100 260; do
+		# send starting bytes of original payload
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,1:ip_id=rnd:repeats=$repeats && ok=1
+		pktws_curl_test_update "$1" "$2" $PAYLOAD --lua-desync=tcpseg:pos=0,midsld:ip_id=rnd:repeats=$repeats && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls12 "$1" "$2"
+}

blockcheck2.d/standard/17-oob.sh

@@ -0,0 +1,39 @@
+. "$TESTDIR/def.inc"
+
+pktws_oob()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local dropacks urp
+	for urp in b 0 2 midsld; do
+		pktws_curl_test_update "$1" "$2" --in-range=-s1 --lua-desync=oob:urp=$urp$dropack
+	done
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_OOB_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_oob "$@"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_OOB_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_oob "$@"
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+	pktws_check_https_tls12 "$1" "$2"
+}

blockcheck2.d/standard/20-multi.sh

@@ -0,0 +1,74 @@
+. "$TESTDIR/def.inc"
+
+pktws_simple_split_tests()
+{
+	# $1 - test function
+	# $2 - domain/uri
+	# $3 - splits
+	# $4 - PRE args for nfqws2
+	local pos ok ok_any pre="$4" func
+	local splitf splitfs="multisplit multidisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		func=$splitf
+		[ "$func" = multidisorder ] && func=$MULTIDISORDER
+		eval need_$splitf=0
+		ok=0
+		for pos in $3; do
+			pktws_curl_test_update $1 $2 $pre $PAYLOAD --lua-desync=$func:pos=$pos && ok=1
+		done
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] || eval need_$splitf=1
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	local splits_http='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	[ "$NOTEST_MULTI_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_simple_split_tests "$1" "$2" "$splits_http"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	pktws_simple_split_tests "$1" "$2" "$splits_tls" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_multisplit_save=$need_multisplit need_multidisorder_save=$need_multidisorder
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_multisplit=$need_multisplit_save; need_multidisorder=$need_multidisorder_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/23-seqovl.sh

@@ -0,0 +1,92 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SEQOVL_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local PAYLOAD="--payload=http_req"
+
+	local ok pat= split f f2
+
+	pat=${SEQOVL_PATTERN_HTTP:+seqovl_pat}
+	pat=${pat:-fake_default_http}
+
+	pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop
+	pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop
+
+	ok=0
+	for split in method+2 method+2,midsld; do
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=1 && ok=1
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+	for split in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
+		f="$(extract_arg 1 $split)"
+		f2="$(extract_arg 2 $split)"
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat
+	done
+}
+
+pktws_seqovl_tests_tls()
+{
+	# $1 - test function
+	# $2 - domain/uri
+	# $3 - PRE args for nfqws2
+
+	local ok ok_any
+	local testf=$1 domain="$2" pre="$3"
+	local pat rnd_mod padencap_mod split f f2
+	local PAYLOAD="--payload=tls_client_hello"
+
+	pat=${SEQOVL_PATTERN_HTTPS:+seqovl_pat}
+	pat=${pat:-fake_default_tls}
+	rnd_mod="--lua-init=$pat=tls_mod($pat,'rnd')"
+	padencap_mod="--lua-desync=luaexec:code=desync.pat=tls_mod($pat,'rnd,dupsid,padencap',desync.reasm_data)"
+
+	ok=0
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=1 --lua-desync=drop && ok=1
+	pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop && ok=1
+	pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$pre $PAYLOAD $padencap_mod --lua-desync=tcpseg:pos=0,-1:seqovl=#$pat:seqovl_pattern=$pat --lua-desync=drop && ok=1
+	ok_any=$ok
+
+	ok=0
+	for split in 10 10,sniext+1 10,sniext+4 10,midsld; do
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=1 && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$pre $PAYLOAD $padencap_mod --lua-desync=multisplit:pos=$split:seqovl=#$pat:seqovl_pattern=$pat && ok=1
+		[ "$ok" = 1 -a "$SCANLEVEL" != force ] && break
+	done
+	for split in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
+		f="$(extract_arg 1 $split)"
+		f2="$(extract_arg 2 $split)"
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
+	done
+	[ "$ok" = 1 ] && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SEQOVL_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_seqovl_tests_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_seqovl_tests_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SEQOVL_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_seqovl_tests_tls "$1" "$2"
+}

blockcheck2.d/standard/24-syndata.sh

@@ -0,0 +1,55 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload=http_req" split
+
+	[ "$NOTEST_SYNDATA_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	for split in '' multisplit $MULTIDISORDER; do
+		pktws_curl_test_update "$1" "$2" --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split}
+		pktws_curl_test_update "$1" "$2" --lua-desync=syndata:blob=fake_default_http $PAYLOAD ${split:+$PAYLOAD --lua-desync=$split}
+	done
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local PAYLOAD="--payload=tls_client_hello" ok=0 pre="$3" split
+
+	for split in '' multisplit $MULTIDISORDER; do
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=0x1603 ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,rndsni ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,sni=google.com ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+	done
+
+	[ "$ok" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SYNDATA_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_SYNDATA_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/25-fake.sh

@@ -0,0 +1,153 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local testf=$1 domain="$2"
+	local ok ok_any ttls attls f ff fake fooling
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	need_fake=0
+
+	[ "$MAX_TTL" = 0 ] || ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	[ "$MAX_AUTOTTL_DELTA" = 0 ] || attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok_any=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for ff in $fake 0x00000000; do
+			for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+				pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" $f && {
+					ok=1
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		for ff in $fake 0x00000000; do
+			pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=fake_http:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS && ok=1
+			# duplicate SYN with MD5
+			contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --payload=empty "--out-range=<s1" --lua-desync=send:$TCP_MD5 && ok=1
+		done
+	done
+	for ttl in $attls; do
+		for ff in $fake 0x00000000; do
+			for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+				pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+					ok=1
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+		done
+	done
+
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_fake=1
+	[ $ok = 1 ] && ok_any=1
+	[ $ok_any = 1 ]
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:$TCP_MD5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	need_fake=0
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok_any=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+	done
+
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_fake=1
+	[ $ok = 1 ] && ok_any=1
+	[ $ok_any = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_fake_save=$need_fake
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_fake=$need_fake_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/30-faked.sh

@@ -0,0 +1,108 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_faked()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - payload_type
+	# $4 - splits
+	# $5 - pattern
+	# $6 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$6"
+	local ok ok_any ttls attls f fooling
+	local splitf splitfs= split splits="$4"
+	local PAYLOAD="--payload=$3"
+	local FAKED_PATTERN="$5"
+
+	[ "$MAX_TTL" = 0 ] || ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	[ "$MAX_AUTOTTL_DELTA" = 0 ] || attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fakedsplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fakeddisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+			# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS $f && {
+						ok=1
+						[ "$SCANLEVEL" = force ] || break
+					}
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:$fooling && ok=1
+				# duplicate SYN with MD5
+				contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS --payload=empty --out-range="<s1" --lua-desync=send:$TCP_MD5 && ok=1
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_curl_test_update $testf $domain ${FAKED_PATTERN:+--blob=faked_pat:@"$FAKED_PATTERN" }$pre $PAYLOAD --lua-desync=$splitf:${FAKED_PATTERN:+pattern=faked_pat:}pos=$split:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+						ok=1
+						[ "$SCANLEVEL" = force ] || break
+					}
+				done
+			done
+		done
+		[ $ok = 0 -a "$SCANLEVEL" != force ] && eval need_$splitf=1
+		[ $ok = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	[ "$NOTEST_FAKED_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	local splits='method+2 midsld method+2,midsld'
+	pktws_check_faked $1 "$2" http_req "$splits" "$FAKED_PATTERN_HTTP" "$3"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	pktws_check_faked $1 "$2" tls_client_hello "$splits" "$FAKED_PATTERN_HTTPS" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_fakedsplit_save=$need_fakedsplit need_fakeddisorder_save=$need_fakeddisorder
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_fakedsplit=$need_fakedsplit_save need_fakeddisorder=$need_fakeddisorder_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/35-hostfake.sh

@@ -0,0 +1,104 @@
+. "$TESTDIR/def.inc"
+
+pktws_hostfake_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5" disorder
+	shift; shift; shift
+
+	for disorder in '' 'disorder_after:'; do
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+		pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok_any=1
+	done
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_hostfake_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_hostfake_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_hostfake_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:$TCP_MD5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+
+pktws_check_hostfake()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - payload_type
+	# $4 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$4"
+	local ok ttls attls f fooling
+	local PAYLOAD="--payload=$3"
+
+	[ "$MAX_TTL" = 0 ] || ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	[ "$MAX_AUTOTTL_DELTA" = 0 ] || attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	need_hostfakesplit=0
+	ok=0
+	for ttl in $ttls; do
+		# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+		# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_hostfake_vary $testf $domain "$fooling" "$pre"
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+		done
+	done
+	[ $ok = 0 -a "$SCANLEVEL" != force ] && need_hostfakesplit=1
+	[ $ok = 1 ]
+}
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_HOSTFAKE_HTTP" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_hostfake $1 "$2" http_req
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	pktws_check_hostfake $1 "$2" tls_client_hello "$3"
+}
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+
+	# do not use 'need' values obtained with wssize
+	local need_hostfakesplit_save=$need_hostfakesplit
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+	need_hostfakesplit=$need_hostfakesplit_save
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/50-fake-multi.sh

@@ -0,0 +1,164 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_MULTI_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2"
+	local ok ttls attls f ff fake fooling splitf splitfs= split splits='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	[ "$MAX_TTL" = 0 ] || ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	[ "$MAX_AUTOTTL_DELTA" = 0 ] || attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
+	# do not test fake + multidisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"
+
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" --lua-desync=$splitf:pos=$split $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split && ok=1
+					# duplicate SYN with MD5
+					contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=fake_http:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split --payload=empty "--out-range=<s1" --lua-desync=send:$TCP_MD5 && ok=1
+				done
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+		done
+	done
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain $pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS --lua-desync=$splitf:pos=$split $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:$TCP_MD5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
+	# do not test fake + multidisorder if multidisorder works
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+		done
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/55-fake-faked.sh

@@ -0,0 +1,165 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+	[ "$NOTEST_FAKE_FAKED_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local testf=$1 domain="$2"
+	local ok ttls attls f ff fake fooling splitf splitfs= split splits='method+2 midsld method+2,midsld'
+	local PAYLOAD="--payload=http_req"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	[ "$MAX_TTL" = 0 ] || ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	[ "$MAX_AUTOTTL_DELTA" = 0 ] || attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + multisplit if multisplit works
+	[ "$need_fakedsplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fake + fakeddisorder if fakeddisorder works
+	[ "$need_fakeddisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD "--lua-desync=fake:blob=${ff}:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS" --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:ip${IPVV}_ttl=$ttl:repeats=$FAKE_REPEATS $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS && ok=1
+					# duplicate SYN with MD5
+					contains "$fooling" tcp_md5 && pktws_curl_test_update $testf $domain ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:$fooling:repeats=$FAKE_REPEATS --payload=empty "--out-range=<s1" --lua-desync=send:$TCP_MD5 && ok=1
+				done
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for ff in $fake 0x00000000; do
+					for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+						pktws_curl_test_update $testf $domain  ${FAKE_HTTP:+--blob=$fake:@"$FAKE_HTTP" }${FAKED_PATTERN_HTTP:+--blob=faked_pat:@"$FAKED_PATTERN_HTTP" }$PAYLOAD --lua-desync=fake:blob=$ff:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTP:+pattern=faked_pat:}pos=$split:ip${IPVV}_autottl=-$ttl,3-20:repeats=$FAKE_REPEATS $f && {
+							ok=1
+							[ "$SCANLEVEL" = force ] || break
+						}
+					done
+				done
+			done
+		done
+	done
+}
+
+pktws_fake_https_vary_()
+{
+	local ok_any=0 testf=$1 domain="$2" fooling="$3" pre="$4" post="$5"
+	shift; shift; shift
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=0x00000000:$fooling:repeats=$FAKE_REPEATS --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=multisplit:blob=$fake:$fooling:pos=2:nodrop:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	pktws_curl_test_update $testf $domain ${FAKE_HTTPS:+--blob=$fake:@"$FAKE_HTTPS" }${FAKED_PATTERN_HTTPS:+--blob=faked_pat:@"$FAKED_PATTERN_HTTPS" }$pre $PAYLOAD --lua-desync=fake:blob=$fake:$fooling:tls_mod=rnd,dupsid,padencap:repeats=$FAKE_REPEATS --lua-desync=$splitf:${FAKED_PATTERN_HTTPS+pattern=faked_pat:}pos=$split:$fooling $post && ok_any=1
+	[ "$ok_any" = 1 ] && ok=1
+
+}
+pktws_fake_https_vary()
+{
+	local ok_any=0 fooling="$3"
+	pktws_fake_https_vary_ "$1" "$2" "$3" "$4" "$5" && ok_any=1
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_fake_https_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:$TCP_MD5" && ok_any=1
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local testf=$1 domain="$2" pre="$3"
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local PAYLOAD="--payload=tls_client_hello"
+
+	shift; shift
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	# do not test fake + fakedsplit if fakedsplit works
+	[ "$need_fakedsplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=fakedsplit
+	# do not test fake + fakeddisorder if fakeddisorder works
+	[ "$need_fakeddisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }fakeddisorder"
+
+	ok_any=0
+	for splitf in $splitfs; do
+		ok=0
+		for ttl in $ttls; do
+			for split in $splits; do
+				# orig-ttl=1 with start/cutoff limiter drops empty ACK packet in response to SYN,ACK. it does not reach DPI or server.
+				# missing ACK is transmitted in the first data packet of TLS/HTTP proto
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+			[ "$ok" = 1 ] && break
+		done
+		for fooling in $FOOLINGS_TCP; do
+			for split in $splits; do
+				pktws_fake_https_vary $testf $domain "$fooling" "$pre"
+			done
+		done
+		for ttl in $attls; do
+			for split in $splits; do
+				for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+					pktws_fake_https_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && [ "$SCANLEVEL" != force ] && break
+				done
+			done
+		done
+		[ "$ok" = 1 ] && ok_any=1
+	done
+	[ "$ok_any" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_FAKED_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/60-fake-hostfake.sh

@@ -0,0 +1,117 @@
+. "$TESTDIR/def.inc"
+
+pktws_hostfake_vary_()
+{
+	local testf=$1 domain="$2" fooling="$3" pre="$4" post="$5" disorder
+	shift; shift; shift
+
+	for disorder in '' 'disorder_after:'; do
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake1:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+		pktws_curl_test_update $testf $domain $pre ${FAKE:+--blob=$fake:@"$FAKE" }$PAYLOAD --lua-desync=fake:blob=$fake:$fooling:repeats=$FAKE_REPEATS --lua-desync=hostfakesplit:${HOSTFAKE:+host=${HOSTFAKE}:}${disorder}nofake2:midhost=midsld:$fooling:repeats=$FAKE_REPEATS $post && ok=1
+	done
+}
+pktws_hostfake_vary()
+{
+	local fooling="$3"
+	pktws_hostfake_vary_ "$1" "$2" "$3" "$4" "$5"
+	# duplicate SYN with MD5
+	contains "$fooling" tcp_md5 && \
+		pktws_hostfake_vary_  "$1" "$2" "$3" "$4" "${5:+$5 }--payload=empty --out-range=<s1 --lua-desync=send:$TCP_MD5"
+}
+
+pktws_check_hostfake()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+	local testf=$1 domain="$2" pre="$3"
+	local ok ttls attls f fooling
+
+	[ "$need_hostfakesplit" = 0 ] && return 0
+
+	[ "$MAX_TTL" = 0 ] || ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	[ "$MAX_AUTOTTL_DELTA" = 0 ] || attls=$(seq -s ' ' $MIN_AUTOTTL_DELTA $MAX_AUTOTTL_DELTA)
+
+	ok=0
+	for ttl in $ttls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_ttl=$ttl" "$pre" "$f" && {
+				ok=1
+				[ "$SCANLEVEL" = force ] || break
+			}
+		done
+		[ "$ok" = 1 ] && break
+	done
+	for fooling in $FOOLINGS_TCP; do
+		pktws_hostfake_vary $testf $domain "$fooling" "$pre" && ok=1
+	done
+	for ttl in $attls; do
+		for f in '' "--payload=empty --out-range=s1<d1 --lua-desync=pktmod:ip${IPVV}_ttl=1"; do
+			pktws_hostfake_vary $testf $domain "ip${IPVV}_autottl=-$ttl,3-20" "$pre" "$f" && {
+				ok=1
+				[ "$SCANLEVEL" = force ] || break
+			}
+		done
+	done
+	[ "$ok" = 1 ]
+}
+
+
+pktws_check_http()
+{
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTP" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	local PAYLOAD="--payload=http_req"
+	local FAKE="$FAKE_HTTP"
+
+	if [ -n "$FAKE_HTTP" ]; then
+		fake=fake_http
+	else
+		fake=fake_default_http
+	fi
+
+	pktws_check_hostfake "$1" "$2"
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local PAYLOAD="--payload=tls_client_hello"
+	local FAKE="$FAKE_HTTPS"
+
+	if [ -n "$FAKE_HTTPS" ]; then
+		fake=fake_tls
+	else
+		fake=fake_default_tls
+	fi
+
+	pktws_check_hostfake "$1" "$2" "$3"
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_FAKE_HOSTFAKE_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
+
+	pktws_check_https_tls "$1" "$2"
+}

blockcheck2.d/standard/90-quic.sh

@@ -0,0 +1,36 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http3()
+{
+	# $1 - test function
+	# $2 - domain
+
+	[ "$NOTEST_QUIC" = 1 ] && { echo "SKIPPED"; return; }
+
+	local repeats fake pos fool
+	local PAYLOAD="--payload=quic_initial"
+
+	if [ -n "$FAKE_QUIC" ]; then
+		fake=fake_quic
+	else
+		fake=fake_default_quic
+	fi
+
+	for repeats in 1 2 5 10 20; do
+		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$repeats && [ "$SCANLEVEL" != force ] && break
+	done
+
+	[ "$IPV" = 6 ] && {
+		for fool in ip6_hopbyhop ip6_destopt ip6_hopbyhop:ip6_destopt; do
+			pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:$fool --lua-desync=drop
+		done
+	}
+
+	for pos in 8 16 32 64; do
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
+	done
+
+	for pos in 8 16 32 64; do
+		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$FAKE_REPEATS --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
+	done
+}

blockcheck2.d/standard/def.inc

@@ -0,0 +1,21 @@
+FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 tcp_ack=-66000:tcp_ts_up tcp_ts=-1000 tcp_flags_unset=ACK tcp_flags_set=SYN"}
+FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
+FOOLINGS_TCP="$FOOLINGS46_TCP"
+[ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
+FOOLINGS6_UDP="${FOOLINGS6_UDP:-$FOOLINGS6_TCP}"
+FOOLINGS_UDP="${FOOLINGS_UDP:-badsum}"
+[ "$IPV" = 6 ] && FOOLINGS_UDP="$FOOLINGS_UDP $FOOLINGS6_UDP"
+
+FAKE_REPEATS=${FAKE_REPEATS:-1}
+
+MIN_TTL=${MIN_TTL:-1}
+MAX_TTL=${MAX_TTL:-12}
+MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
+MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
+
+# can use MULTIDISORER=multidisorder_legacy
+MULTIDISORDER=${MULTIDISORDER:-multidisorder}
+
+TCP_MD5=tcp_md5
+# OpenBSD can occupy 24 bytes in tcp options in SYN packet leaving no space for the md5 header
+[ "$UNAME" = OpenBSD ] && TCP_MD5=$TCP_MD5:tcp_nop_del

common/base.sh

@@ -4,6 +4,10 @@ which()
 	# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
 	# $1 - executable name
 	local IFS=:
+	[ "$1" != "${1#/}" ] && [ -x "$1" ] && {
+		echo "$1"
+		return 0
+	}
 	for p in $PATH; do
 	    [ -x "$p/$1" ] && {
 		echo "$p/$1"
@@ -91,7 +95,7 @@ end_with_newline()
 }
 trim()
 {
-	awk '{gsub(/^ +| +$/,"")}1'
+	awk '{gsub(/^[ \t]+|[ \t]+$/,"")}1'
 }
 split_by_separator()
 {
@@ -105,13 +109,17 @@ split_by_separator()
 	[ -n "$3" ] && eval $3="\$before"
 	[ -n "$4" ] && eval $4="\$after"
 }
+tolower()
+{
+	echo "$@" | tr 'A-Z' 'a-z'
+}
 
 dir_is_not_empty()
 {
 	# $1 - directory
 	local n
 	[ -d "$1" ] || return 1
-	n=$(ls "$1" | wc -c | xargs)
+	n=$(ls -A "$1" | wc -c | xargs)
 	[ "$n" != 0 ]
 }
 
@@ -164,15 +172,23 @@ unique()
 
 is_linked_to_busybox()
 {
-	local IFS F P
-	
+	local IFS F P BB
+
+	BB="$(which busybox)"
+
 	IFS=:
 	for path in $PATH; do
-		F=$path/$1
-		P="$(readlink $F)"
-		if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi
-		[ "${P%busybox*}" != "$P" ] && return
+		F="$path/$1"
+		if [ -L "$F" ]; then
+			P="$(readlink $F)"
+			if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi
+			[ "${P%busybox*}" != "$P" ] && return
+		elif [ -f "$F" -a -n "$BB" ]; then
+			# possible hardlink
+			[ $(get_dir_inode "$F") = $(get_dir_inode "$BB") ] && return
+		fi
 	done
+	return 1
 }
 get_dir_inode()
 {
@@ -327,7 +343,7 @@ setup_md5()
 {
 	[ -n "$MD5" ] && return
 	MD5=md5sum
-	exists $MD5 || MD5=md5
+	exists $MD5 || MD5="md5 -q"
 }
 
 md5f()
@@ -350,7 +366,7 @@ random()
 	local r rs
 	setup_random
 	if [ -c /dev/urandom ]; then
-		read rs </dev/urandom
+		rs=$(dd if=/dev/urandom count=1 bs=16 2>/dev/null | hexdump -e '1 "%02x"')
 	else
 		rs="$RANDOM$RANDOM$(date)"
 	fi
@@ -378,9 +394,9 @@ shell_name()
 process_exists()
 {
 	if exists pgrep; then
-		pgrep ^$1$ >/dev/null
+		pgrep "^$1$" >/dev/null
 	elif exists pidof; then
-		pidof $1 >/dev/null
+		pidof "$1" >/dev/null
 	else
 		return 1
 	fi 
@@ -412,10 +428,10 @@ alloc_num()
 
 std_ports()
 {
-	NFQWS2_PORTS_TCP_IPT=$(replace_char - : $NFQWS_PORTS_TCP)
-	NFQWS2_PORTS_TCP_KEEPALIVE_IPT=$(replace_char - : $NFQWS_PORTS_TCP_KEEPALIVE)
-	NFQWS2_PORTS_UDP_IPT=$(replace_char - : $NFQWS_PORTS_UDP)
-	NFQWS2_PORTS_UDP_KEEPALIVE_IPT=$(replace_char - : $NFQWS_PORTS_UDP_KEEPALIVE)
+	NFQWS2_PORTS_TCP_IPT=$(replace_char - : $NFQWS2_PORTS_TCP)
+	NFQWS2_PORTS_TCP_KEEPALIVE_IPT=$(replace_char - : $NFQWS2_PORTS_TCP_KEEPALIVE)
+	NFQWS2_PORTS_UDP_IPT=$(replace_char - : $NFQWS2_PORTS_UDP)
+	NFQWS2_PORTS_UDP_KEEPALIVE_IPT=$(replace_char - : $NFQWS2_PORTS_UDP_KEEPALIVE)
 }
 
 has_bad_ws_options()

common/custom.sh

@@ -0,0 +1,34 @@
+custom_runner()
+{
+	# $1 - function name
+	# $2+ - params
+
+	[ "$DISABLE_CUSTOM" = 1 ] && return 0
+
+	local n script FUNC=$1
+
+	shift
+
+	[ -d "$CUSTOM_DIR/custom.d" ] && {
+		dir_is_not_empty "$CUSTOM_DIR/custom.d" && {
+			for script in "$CUSTOM_DIR/custom.d/"*; do
+				[ -f "$script" ] || continue
+				unset -f $FUNC
+				. "$script"
+				existf $FUNC && $FUNC "$@"
+			done
+		}
+	}
+}
+
+alloc_qnum()
+{
+	# $1 - target var name
+	alloc_num NUMPOOL_QNUM $1 65300 65399
+}
+alloc_dnum()
+{
+	# alloc daemon number
+	# $1 - target var name
+	alloc_num NUMPOOL_DNUM $1 2000 2999
+}

common/dialog.sh

@@ -0,0 +1,57 @@
+read_yes_no()
+{
+	# $1 - default (Y/N)
+	local A
+	read A
+	[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
+	[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
+}
+ask_yes_no()
+{
+	# $1 - default (Y/N or 0/1)
+	# $2 - text
+	local DEFAULT=$1
+	[ "$1" = "1" ] && DEFAULT=Y
+	[ "$1" = "0" ] && DEFAULT=N
+	[ -z "$DEFAULT" ] && DEFAULT=N
+	printf "$2 (default : $DEFAULT) (Y/N) ? "
+	read_yes_no $DEFAULT
+}
+ask_yes_no_var()
+{
+	# $1 - variable name for answer : 0/1
+	# $2 - text
+	local DEFAULT
+	eval DEFAULT="\$$1"
+	if ask_yes_no "$DEFAULT" "$2"; then
+		eval $1=1
+	else
+		eval $1=0
+	fi
+}
+ask_list()
+{
+	# $1 - mode var
+	# $2 - space separated value list
+	# $3 - (optional) default value
+	local M_DEFAULT
+	eval M_DEFAULT="\$$1"
+	local M_DEFAULT_VAR="$M_DEFAULT"
+	local M="" m
+
+	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
+
+	n=1
+	for m in $2; do
+		echo $n : $m
+		n=$(($n+1))
+	done
+	printf "your choice (default : $M_DEFAULT) : "
+	read m
+	[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
+	[ -z "$M" ] && M="$M_DEFAULT"
+	echo selected : $M
+	eval $1="\"$M\""
+
+	[ "$M" != "$M_DEFAULT_VAR" ]
+}

common/elevate.sh

@@ -0,0 +1,28 @@
+require_root()
+{
+	local exe preserve_env
+	echo \* checking privileges
+	[ $(id -u) -ne "0" ] && {
+		echo root is required
+		exe="$EXEDIR/$(basename "$0")"
+		exists sudo && {
+			echo elevating with sudo
+			exec sudo -E sh "$exe"
+		}
+		exists su && {
+			echo elevating with su
+			case "$UNAME" in
+				Linux)
+					preserve_env="--preserve-environment"
+					;;
+				FreeBSD|OpenBSD|Darwin)
+					preserve_env="-m"
+					;;
+			esac
+			exec su $preserve_env root -c "sh \"$exe\""
+		}
+		echo su or sudo not found
+		exitp 2
+	}
+	HAVE_ROOT=1
+}

common/fwtype.sh

@@ -0,0 +1,64 @@
+linux_ipt_avail()
+{
+	exists iptables && exists ip6tables
+}
+linux_maybe_iptables_fwtype()
+{
+	linux_ipt_avail && FWTYPE=iptables
+}
+linux_nft_avail()
+{
+	exists nft
+}
+linux_fwtype()
+{
+	[ -n "$FWTYPE" ] && return
+
+	FWTYPE=unsupported
+
+	linux_get_subsys
+	if [ "$SUBSYS" = openwrt ] ; then
+		# linux kernel is new enough if fw4 is there
+		if [ -x /sbin/fw4 ] && linux_nft_avail ; then
+			FWTYPE=nftables
+		else
+			linux_maybe_iptables_fwtype
+		fi
+	else
+		SUBSYS=
+		# generic linux
+		# flowtable is implemented since kernel 4.16
+		if linux_nft_avail && linux_min_version 4 16; then
+			FWTYPE=nftables
+		else
+			linux_maybe_iptables_fwtype
+		fi
+	fi
+
+	export FWTYPE
+}
+
+get_fwtype()
+{
+	[ -n "$FWTYPE" ] && return
+
+	local UNAME="$(uname)"
+
+	case "$UNAME" in
+		Linux)
+			linux_fwtype
+			;;
+		FreeBSD)
+			if exists ipfw ; then
+				FWTYPE=ipfw
+			else
+				FWTYPE=unsupported
+			fi
+			;;
+		*)
+			FWTYPE=unsupported
+			;;
+	esac
+
+	export FWTYPE
+}

common/installer.sh

@@ -0,0 +1,800 @@
+GET_LIST_PREFIX=/ipset/get_
+
+SYSTEMD_DIR=/lib/systemd
+[ -d "$SYSTEMD_DIR" ] || SYSTEMD_DIR=/usr/lib/systemd
+[ -d "$SYSTEMD_DIR" ] && SYSTEMD_SYSTEM_DIR="$SYSTEMD_DIR/system"
+
+INIT_SCRIPT=/etc/init.d/zapret2
+
+
+exitp()
+{
+	echo
+	echo press enter to continue
+	read A
+	exit $1
+}
+
+extract_var_def()
+{
+	# $1 - var name
+	# this sed script parses single or multi line shell var assignments with optional ' or " enclosure
+	sed -n \
+"/^$1=\"/ {
+:s1
+/\".*\"/ {
+ p
+ b
+}
+N
+t c1
+b s1
+:c1
+}
+/^$1='/ {
+:s2
+/'.*'/ {
+ p
+ b
+}
+N
+t c2
+b s2
+:c2
+}
+/^$1=/p
+"
+}
+replace_var_def()
+{
+	# $1 - var name
+	# $2 - new val
+	# $3 - conf file
+	# this sed script replaces single or multi line shell var assignments with optional ' or " enclosure
+	local repl
+	if [ -z "$2" ]; then
+		repl="#$1="
+	elif contains "$2" " "; then
+		repl="$1=\"$2\""
+	else
+		repl="$1=$2"
+	fi
+	local script=\
+"/^#*[[:space:]]*$1=\"/ {
+:s1
+/\".*\"/ {
+ c\\
+$repl
+ b
+}
+N
+t c1
+b s1
+:c1
+}
+/^#*[[:space:]]*$1='/ {
+:s2
+/'.*'/ {
+ c\\
+$repl
+ b
+}
+N
+t c2
+b s2
+:c2
+}
+/^#*[[:space:]]*$1=/c\\
+$repl"
+	# there's incompatibility with -i option on BSD and busybox/GNU
+	if [ "$UNAME" = "Linux" ]; then
+		sed -i -e "$script" "$3"
+	else
+		sed -i '' -e "$script" "$3"
+	fi
+}
+
+parse_var_checked()
+{
+	# $1 - file name
+	# $2 - var name
+
+	local tmp="/tmp/zvar-pid-$$.sh"
+	local v
+	cat "$1" | extract_var_def "$2" >"$tmp"
+	. "$tmp"
+	rm -f "$tmp"
+	eval v="\$$2"
+	# trim
+	v="$(echo "$v" | trim)"
+	eval $2=\""$v"\"
+}
+parse_vars_checked()
+{
+	# $1 - file name
+	# $2,$3,... - var names
+	local f="$1"
+	shift
+	while [ -n "$1" ]; do
+		parse_var_checked "$f" $1
+		shift
+	done
+}
+edit_file()
+{
+	# $1 - file name
+	local ed="$EDITOR"
+	[ -n "$ed" ] || {
+		for e in mcedit nano vim vi; do
+			exists "$e" && {
+				ed="$e"
+				break
+			}
+		done
+	}
+	[ -n "$ed" ] && "$ed" "$1"
+}
+echo_var()
+{
+	local v delimeter delims=
+	eval v="\$$1"
+	if find_str_in_list $1 "$EDITVAR_NEWLINE_VARS"; then
+		echo "$1=\""
+		for delimeter in $EDITVAR_NEWLINE_DELIMETERS; do
+			delims="${delims:+$delims }-e "'"'"s/$delimeter/"'\\n'"$delimeter/g"'"'
+		done
+		echo "$v\"" | tr '\n' ' ' | tr -d '\r' | eval sed -e 's/^\ *//' -e 's/\ *$//' $delims
+	else
+		if contains "$v" " "; then
+			echo $1=\"$v\"
+		else
+			echo $1=$v
+		fi
+	fi
+}
+edit_vars()
+{
+	# $1,$2,... - var names
+	local n=1 var tmp="/tmp/zvars-pid-$$.txt"
+	rm -f "$tmp"
+	while : ; do
+		eval var="\${$n}"
+		[ -n "$var" ] || break
+		echo_var $var >> "$tmp"
+		n=$(($n+1))
+	done
+	edit_file "$tmp" && parse_vars_checked "$tmp" "$@"
+	rm -f "$tmp"
+}
+
+list_vars()
+{
+	while [ -n "$1" ] ; do
+		echo_var $1
+		shift
+	done
+	echo
+}
+
+openrc_test()
+{
+	exists rc-update || return 1
+	# some systems do not usse openrc-init but launch openrc from inittab
+	[ "$INIT" = "openrc-init" ] || grep -qE "sysinit.*openrc" /etc/inittab 2>/dev/null
+}
+check_system()
+{
+	# $1 - nonempty = do not fail on unknown rc system
+
+	echo \* checking system
+
+	SYSTEM=
+	SUBSYS=
+	SYSTEMCTL="$(whichq systemctl)"
+
+	get_fwtype
+	OPENWRT_FW3=
+	OPENWRT_FW4=
+
+	local info
+	UNAME=$(uname)
+	if [ "$UNAME" = "Linux" ]; then
+		# do not use 'exe' because it requires root
+		local INIT="$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)"
+		[ -L "$INIT" ] && INIT=$(readlink "$INIT")
+		INIT="$(basename "$INIT")"
+		# some distros include systemctl without systemd
+		if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then
+			SYSTEM=systemd
+			[ -f "$EXEDIR/init.d/sysv/functions" ] && . "$EXEDIR/init.d/sysv/functions"
+		elif [ -f "/etc/openwrt_release" ] && exists opkg || exists apk && exists uci && [ "$INIT" = "procd" ] ; then
+			SYSTEM=openwrt
+			OPENWRT_PACKAGER=opkg
+			OPENWRT_PACKAGER_INSTALL="opkg install"
+			OPENWRT_PACKAGER_UPDATE="opkg update"
+			exists apk && {
+				OPENWRT_PACKAGER=apk
+				OPENWRT_PACKAGER_INSTALL="apk add"
+				OPENWRT_PACKAGER_UPDATE=
+			}
+			info="package manager $OPENWRT_PACKAGER\n"
+			if openwrt_fw3 ; then
+				OPENWRT_FW3=1
+				info="${info}firewall fw3"
+				if is_ipt_flow_offload_avail; then
+					info="$info. hardware flow offloading requires iptables."
+				else
+					info="$info. flow offloading unavailable."
+				fi
+			elif openwrt_fw4; then
+				OPENWRT_FW4=1
+				info="${info}firewall fw4. flow offloading requires nftables."
+			fi
+			[ -f "$EXEDIR/init.d/openwrt/functions" ] && . "$EXEDIR/init.d/openwrt/functions"
+		elif openrc_test; then
+			SYSTEM=openrc
+			[ -f "$EXEDIR/init.d/sysv/functions" ] && . "$EXEDIR/init.d/sysv/functions"
+		else
+			echo system is not either systemd, openrc or openwrt based
+			echo easy installer can set up config settings but can\'t configure auto start
+			echo you have to do it manually. check readme.md for manual setup info.
+			if [ -n "$1" ] || ask_yes_no N "do you want to continue"; then
+			    SYSTEM=linux
+			else
+			    exitp 5
+			fi
+			[ -f "$EXEDIR/init.d/sysv/functions" ] && . "$EXEDIR/init.d/sysv/functions"
+		fi
+		linux_get_subsys
+	else
+		echo easy installer only supports Linux. check readme.md for supported systems and manual setup info.
+		exitp 5
+	fi
+	echo system is based on $SYSTEM
+	[ -n "$info" ] && printf "${info}\n"
+}
+
+get_free_space_mb()
+{
+    df -m "$1" | awk '/[0-9]%/{print $(NF-2)}'
+}
+get_ram_kb()
+{
+    grep MemTotal /proc/meminfo | awk '{print $2}'
+}
+get_ram_mb()
+{
+    local R=$(get_ram_kb)
+    echo $(($R/1024))
+}
+
+crontab_del()
+{
+	exists crontab || return
+
+	echo \* removing crontab entry
+
+	CRONTMP=/tmp/cron.tmp
+	crontab -l >$CRONTMP 2>/dev/null
+	if grep -q "$GET_LIST_PREFIX" $CRONTMP; then
+		echo removing following entries from crontab :
+		grep "$GET_LIST_PREFIX" $CRONTMP
+		grep -v "$GET_LIST_PREFIX" $CRONTMP >$CRONTMP.2
+		crontab $CRONTMP.2
+		rm -f $CRONTMP.2
+	fi
+	rm -f $CRONTMP
+}
+crontab_del_quiet()
+{
+	exists crontab || return
+
+	CRONTMP=/tmp/cron.tmp
+	crontab -l >$CRONTMP 2>/dev/null
+	if grep -q "$GET_LIST_PREFIX" $CRONTMP; then
+		grep -v "$GET_LIST_PREFIX" $CRONTMP >$CRONTMP.2
+		crontab $CRONTMP.2
+		rm -f $CRONTMP.2
+	fi
+	rm -f $CRONTMP
+}
+crontab_add()
+{
+	# $1 - hour min
+	# $2 - hour max
+	[ -x "$GET_LIST" ] &&	{
+		echo \* adding crontab entry
+
+		if exists crontab; then
+			CRONTMP=/tmp/cron.tmp
+			crontab -l >$CRONTMP 2>/dev/null
+			if grep -q "$GET_LIST_PREFIX" $CRONTMP; then
+				echo some entries already exist in crontab. check if this is corrent :
+				grep "$GET_LIST_PREFIX" $CRONTMP
+			else
+				end_with_newline <"$CRONTMP" || echo >>"$CRONTMP"
+				echo "$(random 0 59) $(random $1 $2) */2 * * $GET_LIST" >>$CRONTMP
+				crontab $CRONTMP
+			fi
+			rm -f $CRONTMP
+		else
+			echo '!!! CRON IS ABSENT !!! LISTS AUTO UPDATE WILL NOT WORK !!!'
+		fi
+	}
+}
+cron_ensure_running()
+{
+	# if no crontabs present in /etc/cron openwrt init script does not launch crond. this is default
+	[ "$SYSTEM" = "openwrt" ] && {
+		/etc/init.d/cron enable
+		/etc/init.d/cron start
+	}
+}
+
+
+service_start_systemd()
+{
+	echo \* starting zapret2 service
+
+	"$SYSTEMCTL" start zapret2 || {
+		echo could not start zapret2 service
+		exitp 30
+	}
+}
+service_stop_systemd()
+{
+	echo \* stopping zapret2 service
+
+	"$SYSTEMCTL" daemon-reload
+	"$SYSTEMCTL" disable zapret2
+	"$SYSTEMCTL" stop zapret2
+}
+service_remove_systemd()
+{
+	echo \* removing zapret2 service
+
+	rm -f "$SYSTEMD_SYSTEM_DIR/zapret2.service"
+	"$SYSTEMCTL" daemon-reload
+}
+timer_remove_systemd()
+{
+	echo \* removing zapret2-list-update timer
+
+	"$SYSTEMCTL" daemon-reload
+	"$SYSTEMCTL" disable zapret2-list-update.timer
+	"$SYSTEMCTL" stop zapret2-list-update.timer
+	rm -f "$SYSTEMD_SYSTEM_DIR/zapret2-list-update.service" "$SYSTEMD_SYSTEM_DIR/zapret2-list-update.timer"
+	"$SYSTEMCTL" daemon-reload
+}
+
+install_sysv_init()
+{
+	# $1 - "0"=disable
+	echo \* installing init script
+
+	[ -x "$INIT_SCRIPT" ] && {
+		"$INIT_SCRIPT" stop
+		"$INIT_SCRIPT" disable
+	}
+	ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
+	[ "$1" != "0" ] && "$INIT_SCRIPT" enable
+}
+install_openrc_init()
+{
+	# $1 - "0"=disable
+	echo \* installing init script
+
+	[ -x "$INIT_SCRIPT" ] && {
+		"$INIT_SCRIPT" stop
+		rc-update del zapret2
+	}
+	ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
+	[ "$1" != "0" ] && rc-update add zapret2
+}
+service_remove_openrc()
+{
+	echo \* removing zapret2 service
+
+	[ -x "$INIT_SCRIPT" ] && {
+		rc-update del zapret2
+		"$INIT_SCRIPT" stop
+	}
+	rm -f "$INIT_SCRIPT"
+}
+service_start_sysv()
+{
+	[ -x "$INIT_SCRIPT" ] && {
+		echo \* starting zapret2 service
+		"$INIT_SCRIPT" start || {
+			echo could not start zapret2 service
+			exitp 30
+		}
+	}
+}
+service_stop_sysv()
+{
+	[ -x "$INIT_SCRIPT" ] && {
+		echo \* stopping zapret2 service
+		"$INIT_SCRIPT" stop
+	}
+}
+service_remove_sysv()
+{
+	echo \* removing zapret2 service
+
+	[ -x "$INIT_SCRIPT" ] && {
+		"$INIT_SCRIPT" disable
+		"$INIT_SCRIPT" stop
+	}
+	rm -f "$INIT_SCRIPT"
+}
+
+check_kmod()
+{
+	[ -f "/lib/modules/$(uname -r)/$1.ko" ]
+}
+check_package_exists_openwrt()
+{
+	[ -n "$($OPENWRT_PACKAGER list $1)" ]
+}
+check_package_openwrt()
+{
+	case $OPENWRT_PACKAGER in
+		opkg)
+			[ -n "$(opkg list-installed $1)" ] && return 0
+			local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)"
+			[ -n "$what" ] || return 1
+			[ -n "$(opkg list-installed $what)" ]
+			;;
+		apk)
+			apk info -e $1
+			;;
+	esac
+}
+check_packages_openwrt()
+{
+	for pkg in $@; do
+		check_package_openwrt $pkg || return
+	done
+}
+
+install_openwrt_iface_hook()
+{
+	echo \* installing ifup hook
+
+	ln -fs "$OPENWRT_IFACE_HOOK" /etc/hotplug.d/iface
+}
+remove_openwrt_iface_hook()
+{
+	echo \* removing ifup hook
+
+	rm -f /etc/hotplug.d/iface/??-zapret2
+}
+openwrt_fw_section_find()
+{
+	# $1 - fw include postfix
+	# echoes section number
+
+	i=0
+	while true
+	do
+		path=$(uci -q get firewall.@include[$i].path)
+		[ -n "$path" ] || break
+		[ "$path" = "$OPENWRT_FW_INCLUDE$1" ] && {
+			echo $i
+			return 0
+		}
+		i=$(($i+1))
+	done
+	return 1
+}
+openwrt_fw_section_del()
+{
+	# $1 - fw include postfix
+
+	local id="$(openwrt_fw_section_find $1)"
+	[ -n "$id" ] && {
+		uci delete firewall.@include[$id] && uci commit firewall
+		rm -f "$OPENWRT_FW_INCLUDE$1"
+	}
+}
+openwrt_fw_section_add()
+{
+	openwrt_fw_section_find ||
+	{
+		uci add firewall include >/dev/null || return
+		echo -1
+	}
+}
+openwrt_fw_section_configure()
+{
+	local id="$(openwrt_fw_section_add $1)"
+	[ -z "$id" ] ||
+	 ! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE" ||
+	 ! uci set firewall.@include[$id].reload="1" ||
+	 ! uci commit firewall &&
+	{
+		echo could not add firewall include
+		exitp 50
+	}
+}
+install_openwrt_firewall()
+{
+	echo \* installing firewall script $1
+
+	echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
+	ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE"
+
+	openwrt_fw_section_configure $1
+}
+restart_openwrt_firewall()
+{
+	echo \* restarting firewall
+
+	local FW=fw4
+	[ -n "$OPENWRT_FW3" ] && FW=fw3
+	exists $FW && $FW -q restart || {
+		echo could not restart firewall $FW
+	}
+}
+remove_openwrt_firewall()
+{
+	echo \* removing firewall script
+
+	openwrt_fw_section_del
+}
+
+clear_ipset()
+{
+	echo "* clearing ipset(s)"
+
+	# free some RAM
+	"$IPSET_DIR/create_ipset.sh" clear
+}
+
+
+
+write_config_var()
+{
+	# $1 - mode var
+	local M
+	eval M="\$$1"
+	# replace / => \/
+	#M=${M//\//\\\/}
+	M=$(echo $M | sed 's/\//\\\//g' | trim)
+	grep -q "^[[:space:]]*$1=\|^#*[[:space:]]*$1=" "$ZAPRET_CONFIG" || {
+		# var does not exist in config. add it
+		echo $1= >>"$ZAPRET_CONFIG"
+	}
+	replace_var_def $1 "$M" "$ZAPRET_CONFIG"
+}
+
+no_prereq_exit()
+{
+	echo could not install prerequisites
+	exitp 6
+}
+check_prerequisites_linux()
+{
+	echo \* checking prerequisites
+
+	local s cmd PKGS UTILS req="curl curl"
+	local APTGET DNF YUM PACMAN ZYPPER EOPKG APK
+	case "$FWTYPE" in
+		iptables)
+			req="$req iptables iptables ip6tables iptables ipset ipset"
+			;;
+		nftables)
+			req="$req nft nftables"
+			;;
+	esac
+
+	PKGS=$(for s in $req; do echo $s; done |
+		while read cmd; do
+			read pkg
+			exists $cmd || echo $pkg
+		done | sort -u | xargs)
+	UTILS=$(for s in $req; do echo $s; done |
+		while read cmd; do
+			read pkg
+			echo $cmd
+		done | sort -u | xargs)
+
+	if [ -z "$PKGS" ] ; then
+		echo required utilities exist : $UTILS
+	else
+		echo \* installing prerequisites
+
+		echo packages required : $PKGS
+
+		APTGET=$(whichq apt-get)
+		DNF=$(whichq dnf)
+		YUM=$(whichq yum)
+		PACMAN=$(whichq pacman)
+		ZYPPER=$(whichq zypper)
+		EOPKG=$(whichq eopkg)
+		APK=$(whichq apk)
+		if [ -x "$APTGET" ] ; then
+			"$APTGET" update
+			"$APTGET" install -y --no-install-recommends $PKGS dnsutils || no_prereq_exit
+		elif [ -x "$DNF" ] ; then
+			"$DNF" -y install $PKGS || no_prereq_exit
+		elif [ -x "$YUM" ] ; then
+			"$YUM" -y install $PKGS || no_prereq_exit
+		elif [ -x "$PACMAN" ] ; then
+			"$PACMAN" -Syy
+			"$PACMAN" --noconfirm -S $PKGS || no_prereq_exit
+		elif [ -x "$ZYPPER" ] ; then
+			"$ZYPPER" --non-interactive install $PKGS || no_prereq_exit
+		elif [ -x "$EOPKG" ] ; then
+			"$EOPKG" -y install $PKGS || no_prereq_exit
+		elif [ -x "$APK" ] ; then
+			"$APK" update
+			# for alpine
+			[ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables"
+			"$APK" add $PKGS || no_prereq_exit
+		else
+			echo supported package manager not found
+			echo you must manually install : $UTILS
+			exitp 5
+		fi
+	fi
+}
+
+removable_pkgs_openwrt()
+{
+	local pkg PKGS2
+	[ -n "$OPENWRT_FW4" ] && PKGS2="$PKGS2 iptables-zz-legacy iptables ip6tables-zz-legacy ip6tables"
+	[ -n "$OPENWRT_FW3" ] && PKGS2="$PKGS2 nftables-json nftables-nojson nftables"
+	PKGS=
+	for pkg in $PKGS2; do
+		check_package_exists_openwrt $pkg && PKGS="${PKGS:+$PKGS }$pkg"
+	done
+	PKGS="ipset iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra iptables-mod-u32 ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl $PKGS"
+}
+
+openwrt_fix_broken_apk_uninstall_scripts()
+{
+	# at least in early snapshots with apk removing gnu gzip, sort, ... does not restore links to busybox
+	# system may become unusable
+	exists sort || { echo fixing missing sort; ln -fs /bin/busybox /usr/bin/sort; }
+	exists gzip || { echo fixing missing gzip; ln -fs /bin/busybox /bin/gzip; }
+	exists sleep || { echo fixing missing sleep; ln -fs /bin/busybox /bin/sleep; }
+}
+
+remove_extra_pkgs_openwrt()
+{
+	local PKGS
+	echo \* remove dependencies
+	removable_pkgs_openwrt
+	echo these packages may have been installed by install_easy.sh : $PKGS
+	ask_yes_no N "do you want to remove them" && {
+		case $OPENWRT_PACKAGER in
+			opkg)
+				opkg remove --autoremove $PKGS
+				;;
+			apk)
+				apk del $PKGS
+				openwrt_fix_broken_apk_uninstall_scripts
+				;;
+		esac
+	}
+}
+
+check_prerequisites_openwrt()
+{
+	echo \* checking prerequisites
+
+	local PKGS="curl" UPD=0 local pkg_iptables
+
+	case "$FWTYPE" in
+		iptables)
+			pkg_iptables=iptables
+			check_package_exists_openwrt iptables-zz-legacy && pkg_iptables=iptables-zz-legacy
+			PKGS="$PKGS ipset $pkg_iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra iptables-mod-u32"
+			check_package_exists_openwrt ip6tables-zz-legacy && pkg_iptables=ip6tables-zz-legacy
+			[ "$DISABLE_IPV6" = 1 ] || PKGS="$PKGS $pkg_iptables ip6tables-mod-nat ip6tables-extra"
+			;;
+		nftables)
+			PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
+			;;
+	esac
+
+	if check_packages_openwrt $PKGS ; then
+		echo everything is present
+	else
+		echo \* installing prerequisites
+
+		$OPENWRT_PACKAGER_UPDATE
+		UPD=1
+		$OPENWRT_PACKAGER_INSTALL $PKGS || {
+			echo could not install prerequisites
+			exitp 6
+		}
+	fi
+
+	is_linked_to_busybox gzip && {
+		echo
+		echo your system uses default busybox gzip. its several times slower than GNU gzip.
+		echo ip/host list scripts will run much faster with GNU gzip
+		echo installer can install GNU gzip but it requires about 100 Kb space
+		if ask_yes_no N "do you want to install GNU gzip"; then
+			[ "$UPD" = "0" ] && {
+				$OPENWRT_PACKAGER_UPDATE
+				UPD=1
+			}
+			$OPENWRT_PACKAGER_INSTALL --force-overwrite gzip
+		fi
+	}
+	is_linked_to_busybox sort && {
+		echo
+		echo your system uses default busybox sort. its much slower and consumes much more RAM than GNU sort
+		echo ip/host list scripts will run much faster with GNU sort
+		echo installer can install GNU sort but it requires about 100 Kb space
+		if ask_yes_no N "do you want to install GNU sort"; then
+			[ "$UPD" = "0" ] && {
+				$OPENWRT_PACKAGER_UPDATE
+				UPD=1
+			}
+			$OPENWRT_PACKAGER_INSTALL --force-overwrite coreutils-sort
+		fi
+	}
+	[ "$FSLEEP" = 0 ] && is_linked_to_busybox sleep && {
+		echo
+		echo no methods of sub-second sleep were found.
+		echo if you want to speed up blockcheck install coreutils-sleep. it requires about 40 Kb space
+		if ask_yes_no N "do you want to install COREUTILS sleep"; then
+			[ "$UPD" = "0" ] && {
+				$OPENWRT_PACKAGER_UPDATE
+				UPD=1
+			}
+			$OPENWRT_PACKAGER_INSTALL --force-overwrite coreutils-sleep
+			fsleep_setup
+		fi
+	}
+}
+
+
+
+select_ipv6()
+{
+	local T=N
+
+	[ "$DISABLE_IPV6" != '1' ] && T=Y
+	local old6=$DISABLE_IPV6
+	echo
+	if ask_yes_no $T "enable ipv6 support"; then
+		DISABLE_IPV6=0
+	else
+		DISABLE_IPV6=1
+	fi
+	[ "$old6" != "$DISABLE_IPV6" ] && write_config_var DISABLE_IPV6
+}
+select_fwtype()
+{
+	echo
+	[ $(get_ram_mb) -le 400 ] && {
+		echo WARNING ! you are running a low RAM system
+		echo WARNING ! nft requires lots of RAM to load huge ip sets, much more than ipsets require
+		echo WARNING ! if you need large lists it may be necessary to fall back to iptables+ipset firewall
+	}
+	echo select firewall type :
+	ask_list FWTYPE "iptables nftables" "$FWTYPE"
+	# always write config var to prevent auto discovery every time
+	write_config_var FWTYPE
+}
+
+dry_run_nfqws_()
+{
+	local NFQWS="$ZAPRET_BASE/nfq2/nfqws2"
+	echo verifying nfqws options
+	"$NFQWS" --dry-run ${WS_USER:+--user=$WS_USER} "$@"
+}
+dry_run_nfqws()
+{
+	[ "$NFQWS2_ENABLE" = 1 ] || return 0
+	local opt="$NFQWS2_OPT" qn=${QNUM:-300}
+	filter_apply_hostlist_target opt
+	dry_run_nfqws_ --qnum=$qn $opt
+	echo NOTE ! LUA code validity cannot be verified at this stage !
+}

common/ipt.sh

@@ -0,0 +1,331 @@
+std_ports
+ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
+IPSET_EXCLUDE="-m set ! --match-set nozapret"
+IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
+
+ipt()
+{
+	iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || iptables $FW_EXTRA_PRE -I "$@" $FW_EXTRA_POST
+}
+ipta()
+{
+	iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || iptables $FW_EXTRA_PRE -A "$@" $FW_EXTRA_POST
+}
+ipt_del()
+{
+	iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null && iptables $FW_EXTRA_PRE -D "$@" $FW_EXTRA_POST
+}
+ipt_add_del()
+{
+	on_off_function ipt ipt_del "$@"
+}
+ipta_add_del()
+{
+	on_off_function ipta ipt_del "$@"
+}
+ipt6()
+{
+	ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@"
+}
+ipt6a()
+{
+	ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -A "$@"
+}
+ipt6_del()
+{
+	ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@"
+}
+ipt6_add_del()
+{
+	on_off_function ipt6 ipt6_del "$@"
+}
+ipt6a_add_del()
+{
+	on_off_function ipt6a ipt6_del "$@"
+}
+
+is_ipt_flow_offload_avail()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	grep -q FLOWOFFLOAD 2>/dev/null /proc/net/ip$1_tables_targets
+}
+
+filter_apply_ipset_target4()
+{
+	# $1 - var name of ipv4 iptables filter
+	if [ "$MODE_FILTER" = "ipset" ]; then
+		eval $1="\"\$$1 -m set --match-set zapret dst\""
+	fi
+}
+filter_apply_ipset_target6()
+{
+	# $1 - var name of ipv6 iptables filter
+	if [ "$MODE_FILTER" = "ipset" ]; then
+		eval $1="\"\$$1 -m set --match-set zapret6 dst\""
+	fi
+}
+filter_apply_ipset_target()
+{
+	# $1 - var name of ipv4 iptables filter
+	# $2 - var name of ipv6 iptables filter
+	filter_apply_ipset_target4 $1
+	filter_apply_ipset_target6 $2
+}
+
+reverse_nfqws_rule_stream()
+{
+	sed -e 's/-o /-i /g' -e 's/--dport /--sport /g' -e 's/--dports /--sports /g' -e 's/ dst$/ src/' -e 's/ dst / src /g' -e 's/--connbytes-dir=original/--connbytes-dir=reply/g' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//g"
+}
+reverse_nfqws_rule()
+{
+	echo "$@" | reverse_nfqws_rule_stream
+}
+
+ipt_mark_filter()
+{
+	[ -n "$FILTER_MARK" ] && echo "-m mark --mark $FILTER_MARK/$FILTER_MARK"
+}
+
+ipt_print_op()
+{
+	if [ "$1" = "1" ]; then
+		echo "Inserting ip$4tables rule for $3 : $2"
+	else
+		echo "Deleting ip$4tables rule for $3 : $2"
+	fi
+}
+
+
+
+_fw_nfqws_post4()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - queue number
+	# $4 - wan interface names space separated
+	[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
+		local i
+
+		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
+
+		rule="$(ipt_mark_filter) -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
+		if [ -n "$4" ] ; then
+			for i in $4; do
+				ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
+			done
+		else
+			ipt_add_del $1 POSTROUTING -t mangle $rule
+		fi
+	}
+}
+_fw_nfqws_post6()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv6
+	# $3 - queue number
+	# $4 - wan interface names space separated
+	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
+		local i
+
+		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
+
+		rule="$(ipt_mark_filter) -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
+		if [ -n "$4" ] ; then
+			for i in $4; do
+				ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
+			done
+		else
+			ipt6_add_del $1 POSTROUTING -t mangle $rule
+		fi
+	}
+}
+fw_nfqws_post()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - iptable filter for ipv6
+	# $4 - queue number
+	fw_nfqws_post4 $1 "$2" $4
+	fw_nfqws_post6 $1 "$3" $4
+}
+
+_fw_nfqws_pre4()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - queue number
+	# $4 - wan interface names space separated
+	[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
+		local i
+
+		ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)"
+
+		rule="$2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass"
+		if [ -n "$4" ] ; then
+			for i in $4; do
+				# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
+				ipt_add_del $1 INPUT -t mangle -i $i $rule
+				ipt_add_del $1 FORWARD -t mangle -i $i $rule
+			done
+		else
+			ipt_add_del $1 INPUT -t mangle $rule
+			ipt_add_del $1 FORWARD -t mangle $rule
+		fi
+	}
+}
+_fw_nfqws_pre6()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv6
+	# $3 - queue number
+	# $4 - wan interface names space separated
+	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
+		local i
+
+		ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)" 6
+
+		rule="$2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass"
+		if [ -n "$4" ] ; then
+			for i in $4; do
+				# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
+				ipt6_add_del $1 INPUT -t mangle -i $i $rule
+				ipt6_add_del $1 FORWARD -t mangle -i $i $rule
+			done
+		else
+			ipt6_add_del $1 INPUT -t mangle $rule
+			ipt6_add_del $1 FORWARD -t mangle $rule
+		fi
+	}
+}
+fw_nfqws_pre()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - iptable filter for ipv6
+	# $4 - queue number
+	fw_nfqws_pre4 $1 "$2" $4
+	fw_nfqws_pre6 $1 "$3" $4
+}
+
+
+fw_reverse_nfqws_rule4()
+{
+	fw_nfqws_pre4 $1 "$(reverse_nfqws_rule "$2")" $3
+}
+fw_reverse_nfqws_rule6()
+{
+	fw_nfqws_pre6 $1 "$(reverse_nfqws_rule "$2")" $3
+}
+fw_reverse_nfqws_rule()
+{
+	# ensure that modes relying on incoming traffic work
+	# $1 - 1 - add, 0 - del
+	# $2 - rule4
+	# $3 - rule6
+	# $4 - queue number
+	fw_reverse_nfqws_rule4 $1 "$2" $4
+	fw_reverse_nfqws_rule6 $1 "$3" $4
+}
+
+ipt_first_packets()
+{
+	# $1 - packet count
+	[ -n "$1" -a "$1" != keepalive ] && [ "$1" -ge 1 ] && echo "$ipt_connbytes 1:$1"
+}
+ipt_do_nfqws_in_out()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - tcp,udp
+	# $3 - ports
+	# $4 - PKT_OUT. special value : 'keepalive'
+	# $5 - PKT_IN
+	local f4 f6 first_packets_only
+	[ -n "$3" ] || return
+	[ -n "$4" -a "$4" != 0 ] &&
+	{
+		first_packets_only="$(ipt_first_packets $4)"
+		f4="-p $2 -m multiport --dports $3 $first_packets_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_nfqws_post $1 "$f4" "$f6" $QNUM
+	}
+	[ -n "$5" -a "$5" != 0 ] &&
+	{
+		first_packets_only="$(ipt_first_packets $5)"
+		f4="-p $2 -m multiport --dports $3  $first_packets_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+	}
+}
+
+zapret_do_firewall_standard_nfqws_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	[ "$NFQWS2_ENABLE" = 1 ] && {
+		ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_IPT" "$NFQWS2_TCP_PKT_OUT" "$NFQWS2_TCP_PKT_IN"
+		ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS2_TCP_PKT_IN"
+		ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_IPT" "$NFQWS2_UDP_PKT_OUT" "$NFQWS2_UDP_PKT_IN"
+		ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS2_UDP_PKT_IN"
+	}
+}
+zapret_do_firewall_standard_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
+
+zapret_do_firewall_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	zapret_do_firewall_standard_rules_ipt $1
+	custom_runner zapret_custom_firewall $1
+	zapret_do_icmp_filter $1
+}
+
+zapret_do_icmp_filter()
+{
+	# $1 - 1 - add, 0 - del
+
+	local FW_EXTRA_PRE= FW_EXTRA_POST=
+
+	[ "$FILTER_TTL_EXPIRED_ICMP" = 1 ] && {
+		[ "$DISABLE_IPV4" = 1 ] || {
+			ipt_add_del $1 POSTROUTING -t mangle -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CONNMARK --or-mark $DESYNC_MARK
+			ipt_add_del $1 INPUT -p icmp -m icmp --icmp-type time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP
+			ipt_add_del $1 FORWARD -p icmp -m icmp --icmp-type time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP
+		}
+		[ "$DISABLE_IPV6" = 1 ] || {
+			ipt6_add_del $1 POSTROUTING -t mangle -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CONNMARK --or-mark $DESYNC_MARK
+			ipt6_add_del $1 INPUT -p icmpv6 -m icmp6 --icmpv6-type time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP
+			ipt6_add_del $1 FORWARD -p icmpv6 -m icmp6 --icmpv6-type time-exceeded -m connmark --mark $DESYNC_MARK/$DESYNC_MARK -j DROP
+		}
+	}
+}
+
+zapret_do_firewall_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	if [ "$1" = 1 ]; then
+		echo Applying iptables
+	else
+		echo Clearing iptables
+	fi
+
+	# always create ipsets. ip_exclude ipset is required
+	[ "$1" = 1 ] && create_ipset no-update
+
+	zapret_do_firewall_rules_ipt "$@"
+
+	if [ "$1" = 1 ] ; then
+		existf flow_offloading_exempt && flow_offloading_exempt
+	else
+		existf flow_offloading_unexempt && flow_offloading_unexempt
+	fi
+
+	return 0
+}

common/linux_daemons.sh

@@ -0,0 +1,33 @@
+standard_mode_nfqws()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$NFQWS2_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS2_OPT" && {
+		opt="--qnum=$QNUM $NFQWS2_OPT"
+		filter_apply_hostlist_target opt
+		do_nfqws $1 1 "$opt"
+	}
+}
+standard_mode_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_nfqws $1
+}
+zapret_do_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_daemons $1
+	custom_runner zapret_custom_daemons $1
+
+	return 0
+}
+zapret_run_daemons()
+{
+	zapret_do_daemons 1 "$@"
+}
+zapret_stop_daemons()
+{
+	zapret_do_daemons 0 "$@"
+}

common/linux_fw.sh

@@ -0,0 +1,40 @@
+set_conntrack_liberal_mode()
+{
+	[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=$1
+}
+zapret_do_firewall()
+{
+	linux_fwtype
+
+	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
+
+	case "$FWTYPE" in
+		iptables)
+			zapret_do_firewall_ipt "$@"
+			;;
+		nftables)
+			zapret_do_firewall_nft "$@"
+			;;
+	esac
+
+	# russian DPI sends RST,ACK with wrong ACK.
+	# this is sometimes treated by conntrack as invalid and connbytes fw rules do not pass RST packet to nfqws.
+	# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop
+	# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
+	# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
+	[ "$MODE_FILTER" = "autohostlist" ] && set_conntrack_liberal_mode $1
+
+	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
+
+	return 0
+}
+zapret_apply_firewall()
+{
+	zapret_do_firewall 1 "$@"
+}
+zapret_unapply_firewall()
+{
+	zapret_do_firewall 0 "$@"
+}

common/linux_iphelper.sh

@@ -0,0 +1,24 @@
+get_uevent_devtype()
+{
+	local DEVTYPE INTERFACE IFINDEX OF_NAME OF_FULLNAME OF_COMPATIBLE_N
+	[ -f "/sys/class/net/$1/uevent" ] && {
+		. "/sys/class/net/$1/uevent"
+		echo -n $DEVTYPE
+	}
+}
+resolve_lower_devices()
+{
+	# $1 - bridge interface name
+	[ -d "/sys/class/net/$1" ] && {
+		find "/sys/class/net/$1" -follow -maxdepth 1 -name "lower_*" |
+		{
+			local l lower lowers
+			while read lower; do
+				lower="$(basename "$lower")"
+				l="${lower#lower_*}"
+				[  "$l" != "$lower" ] && append_separator_list lowers ' ' '' "$l"
+			done
+			printf "$lowers"
+		}
+	}
+}

common/list.sh

@@ -0,0 +1,60 @@
+HOSTLIST_MARKER="<HOSTLIST>"
+HOSTLIST_NOAUTO_MARKER="<HOSTLIST_NOAUTO>"
+
+find_hostlists()
+{
+	[ -n "$HOSTLIST_BASE" ] || HOSTLIST_BASE="$ZAPRET_BASE/ipset"
+
+	HOSTLIST="$HOSTLIST_BASE/zapret-hosts.txt.gz"
+	[ -f "$HOSTLIST" ] || HOSTLIST="$HOSTLIST_BASE/zapret-hosts.txt"
+	[ -f "$HOSTLIST" ] || HOSTLIST=
+
+	HOSTLIST_USER="$HOSTLIST_BASE/zapret-hosts-user.txt.gz"
+	[ -f "$HOSTLIST_USER" ] || HOSTLIST_USER="$HOSTLIST_BASE/zapret-hosts-user.txt"
+	[ -f "$HOSTLIST_USER" ] || HOSTLIST_USER=
+
+	HOSTLIST_EXCLUDE="$HOSTLIST_BASE/zapret-hosts-user-exclude.txt.gz"
+	[ -f "$HOSTLIST_EXCLUDE" ] || HOSTLIST_EXCLUDE="$HOSTLIST_BASE/zapret-hosts-user-exclude.txt"
+	[ -f "$HOSTLIST_EXCLUDE" ] || HOSTLIST_EXCLUDE=
+
+	HOSTLIST_AUTO="$HOSTLIST_BASE/zapret-hosts-auto.txt"
+	HOSTLIST_AUTO_DEBUGLOG="$HOSTLIST_BASE/zapret-hosts-auto-debug.log"
+}
+
+filter_apply_hostlist_target()
+{
+	# $1 - var name of nfqws params
+
+	local v parm parm1 parm2 parm3 parm4 parm5 parm6 parm7 parm8 parm9 parm10 parm11 parm12 parm13 parmNA
+	eval v="\$$1"
+	if contains "$v" "$HOSTLIST_MARKER" || contains "$v" "$HOSTLIST_NOAUTO_MARKER"; then
+		[ "$MODE_FILTER" = hostlist -o "$MODE_FILTER" = autohostlist ] &&
+		{
+			find_hostlists
+			parm1="${HOSTLIST_USER:+--hostlist=$HOSTLIST_USER}"
+			parm2="${HOSTLIST:+--hostlist=$HOSTLIST}"
+			parm3="${HOSTLIST_EXCLUDE:+--hostlist-exclude=$HOSTLIST_EXCLUDE}"
+			[ "$MODE_FILTER" = autohostlist ] &&
+			{
+				parm4="--hostlist-auto=$HOSTLIST_AUTO"
+				parm5="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
+				parm6="${AUTOHOSTLIST_FAIL_TIME:+--hostlist-auto-fail-time=$AUTOHOSTLIST_FAIL_TIME}"
+				parm7="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
+				parm8="${AUTOHOSTLIST_RETRANS_RESET:+--hostlist-auto-retrans-reset=$AUTOHOSTLIST_RETRANS_RESET}"
+				parm9="${AUTOHOSTLIST_RETRANS_MAXSEQ:+--hostlist-auto-retrans-maxseq=$AUTOHOSTLIST_RETRANS_MAXSEQ}"
+				parm10="${AUTOHOSTLIST_INCOMING_MAXSEQ:+--hostlist-auto-incoming-maxseq=$AUTOHOSTLIST_INCOMING_MAXSEQ}"
+				parm11="${AUTOHOSTLIST_UDP_IN:+--hostlist-auto-udp-in=$AUTOHOSTLIST_UDP_IN}"
+				parm12="${AUTOHOSTLIST_UDP_OUT:+--hostlist-auto-udp-out=$AUTOHOSTLIST_UDP_OUT}"
+				parm13="--hostlist=$HOSTLIST_AUTO"
+			}
+			parm="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm4:+ $parm4}${parm5:+ $parm5}${parm6:+ $parm6}${parm7:+ $parm7}${parm8:+ $parm8}${parm9:+ $parm9}${parm10:+ $parm10}${parm11:+ $parm11}${parm12:+ $parm12}"
+			parmNA="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm13:+ $parm13}"
+		}
+		v="$(replace_str $HOSTLIST_NOAUTO_MARKER "$parmNA" "$v")"
+		v="$(replace_str $HOSTLIST_MARKER "$parm" "$v")"
+		[ "$MODE_FILTER" = autohostlist -a "$AUTOHOSTLIST_DEBUGLOG" = 1 ] && {
+			v="$v --hostlist-auto-debug=$HOSTLIST_AUTO_DEBUGLOG"
+		}
+		eval $1=\""$v"\"
+	fi
+}

common/nft.sh

@@ -0,0 +1,727 @@
+[ -n "$ZAPRET_NFT_TABLE" ] || ZAPRET_NFT_TABLE=zapret2
+nft_connbytes="ct original packets"
+
+# required for : nft -f -
+create_dev_stdin
+std_ports
+
+nft_create_table()
+{
+	nft add table inet $ZAPRET_NFT_TABLE
+}
+nft_del_table()
+{
+	nft delete table inet $ZAPRET_NFT_TABLE 2>/dev/null
+}
+nft_list_table()
+{
+	nft -t list table inet $ZAPRET_NFT_TABLE
+}
+
+nft_add_chain()
+{
+	# $1 - chain
+	# $2 - params
+	nft add chain inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
+}
+nft_del_chain()
+{
+	# $1 - chain
+	nft delete chain inet $ZAPRET_NFT_TABLE $1
+}
+
+nft_create_set()
+{
+	# $1 - set name
+	# $2 - params
+	nft create set inet $ZAPRET_NFT_TABLE $1 "{ $2 }" 2>/dev/null
+}
+nft_del_set()
+{
+	# $1 - set name
+	nft delete set inet $ZAPRET_NFT_TABLE $1
+}
+nft_flush_set()
+{
+	# $1 - set name
+	nft flush set inet $ZAPRET_NFT_TABLE $1
+}
+nft_flush_chain()
+{
+	# $1 - set name
+	nft flush chain inet $ZAPRET_NFT_TABLE $1
+}
+nft_set_exists()
+{
+	# $1 - set name
+	nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null
+}
+nft_flush_chain()
+{
+	# $1 - chain name
+	nft flush chain inet $ZAPRET_NFT_TABLE $1
+}
+nft_chain_empty()
+{
+	# $1 - chain name
+	local count=$(nft list chain inet $ZAPRET_NFT_TABLE $1 | wc -l)
+	[ "$count" -le 4 ]
+}
+nft_rule_exists()
+{
+	# $1 - chain
+	# $2 - rule
+	local rule
+	# convert rule to nft output form
+	nft_flush_chain ruletest
+	nft_add_rule ruletest "$2"
+	rule=$(nft list chain inet $ZAPRET_NFT_TABLE ruletest | sed -n '3s/\t//gp')
+	nft_flush_chain ruletest
+	nft list chain inet $ZAPRET_NFT_TABLE $1 | trim | grep -qxF "$rule"
+}
+
+nft_del_all_chains_from_table()
+{
+	# $1 - table_name with or without family
+
+	# delete all chains with possible references to each other
+	# cannot just delete all in the list because of references
+	# avoid infinite loops
+	local chains deleted=1 error=1
+	while [ -n "$deleted" -a -n "$error" ]; do
+		chains=$(nft -t list table $1 2>/dev/null | sed -nre "s/^[ 	]*chain ([^ ]+) \{/\1/p" | xargs)
+		[ -n "$chains" ] || break
+		deleted=
+		error=
+		for chain in $chains; do
+			if nft delete chain $1 $chain 2>/dev/null; then
+				deleted=1
+			else
+				error=1
+			fi
+		done
+	done
+}
+
+# ipset checks cost some CPU. do not populate jump from hook until something is added to the chain
+nft_activate_chain4()
+{
+	# $1 - chain name
+	# $2 - saddr/daddr
+	local b rule markf= act flt_ifname
+	[ "$DISABLE_IPV4" = "1" ] || {
+		eval act="\$${1}_act4"
+		[ -n "$act" ] && return
+
+		b=0
+		nft_wanif_filter_present && b=1
+		flt_ifname="oifname"
+		starts_with "$1" pre && flt_ifname="iifname"
+
+		[ "$2" = daddr ] && markf=$(nft_mark_filter)
+		rule="meta mark and $DESYNC_MARK == 0 $markf"
+		[ $b = 1 ] && rule="$rule $flt_ifname @wanif"
+		rule="$rule ip $2 != @nozapret jump $1"
+		nft_rule_exists ${1}_hook "$rule" || nft_add_rule ${1}_hook $rule
+
+		eval ${1}_act4=1
+	}
+}
+nft_activate_chain6()
+{
+	# $1 - chain name
+	# $2 - saddr/daddr
+	local b rule markf= act flt_ifname
+	[ "$DISABLE_IPV6" = "1" ] || {
+		eval act="\$${1}_act6"
+		[ -n "$act" ] && return
+
+		b=0
+		nft_wanif6_filter_present && b=1
+		flt_ifname="oifname"
+		starts_with "$1" pre && flt_ifname="iifname"
+
+		[ "$2" = daddr ] && markf=$(nft_mark_filter)
+		rule="meta mark and $DESYNC_MARK == 0 $markf"
+		[ $b = 1 ] && rule="$rule $flt_ifname @wanif6"
+		rule="$rule ip6 $2 != @nozapret6 jump $1"
+		nft_rule_exists ${1}_hook "$rule" || nft_add_rule ${1}_hook $rule
+
+		eval ${1}_act6=1
+	}
+}
+
+nft_create_chains()
+{
+cat << EOF | nft -f -
+	add chain inet $ZAPRET_NFT_TABLE forward_hook { type filter hook forward priority -1; }
+	flush chain inet $ZAPRET_NFT_TABLE forward_hook
+
+	add chain inet $ZAPRET_NFT_TABLE flow_offload
+	flush chain inet $ZAPRET_NFT_TABLE flow_offload
+	add chain inet $ZAPRET_NFT_TABLE flow_offload_zapret
+	flush chain inet $ZAPRET_NFT_TABLE flow_offload_zapret
+	add chain inet $ZAPRET_NFT_TABLE flow_offload_always
+	flush chain inet $ZAPRET_NFT_TABLE flow_offload_always
+
+	add chain inet $ZAPRET_NFT_TABLE postrouting
+	flush chain inet $ZAPRET_NFT_TABLE postrouting
+	add chain inet $ZAPRET_NFT_TABLE postrouting_hook { type filter hook postrouting priority 99; }
+	flush chain inet $ZAPRET_NFT_TABLE postrouting_hook
+
+	add chain inet $ZAPRET_NFT_TABLE postnat
+	flush chain inet $ZAPRET_NFT_TABLE postnat
+	add chain inet $ZAPRET_NFT_TABLE postnat_hook { type filter hook postrouting priority 101; }
+	flush chain inet $ZAPRET_NFT_TABLE postnat_hook
+
+	add chain inet $ZAPRET_NFT_TABLE prerouting
+	flush chain inet $ZAPRET_NFT_TABLE prerouting
+	add chain inet $ZAPRET_NFT_TABLE prerouting_hook { type filter hook prerouting priority -99; }
+	flush chain inet $ZAPRET_NFT_TABLE prerouting_hook
+
+	add chain inet $ZAPRET_NFT_TABLE prenat_hook { type filter hook prerouting priority -101; }
+	flush chain inet $ZAPRET_NFT_TABLE prenat_hook
+	add chain inet $ZAPRET_NFT_TABLE prenat
+	flush chain inet $ZAPRET_NFT_TABLE prenat
+
+	add chain inet $ZAPRET_NFT_TABLE predefrag { type filter hook output priority -401; }
+	flush chain inet $ZAPRET_NFT_TABLE predefrag
+	add chain inet $ZAPRET_NFT_TABLE predefrag_nfqws
+	flush chain inet $ZAPRET_NFT_TABLE predefrag_nfqws
+	add rule inet $ZAPRET_NFT_TABLE predefrag mark and $DESYNC_MARK !=0 jump predefrag_nfqws comment "nfqws generated : avoid drop by INVALID conntrack state"
+	add rule inet $ZAPRET_NFT_TABLE predefrag_nfqws mark and $DESYNC_MARK_POSTNAT !=0 notrack comment "postnat traffic"
+	add rule inet $ZAPRET_NFT_TABLE predefrag_nfqws ip frag-off & 0x1fff != 0 notrack comment "ipfrag"
+	add rule inet $ZAPRET_NFT_TABLE predefrag_nfqws exthdr frag exists notrack comment "ipfrag"
+	add rule inet $ZAPRET_NFT_TABLE predefrag_nfqws tcp flags ! syn,rst,ack notrack comment "datanoack"
+
+	add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
+	add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
+	add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
+
+	add chain inet $ZAPRET_NFT_TABLE ruletest
+	flush chain inet $ZAPRET_NFT_TABLE ruletest
+EOF
+	[ -n "$POSTNAT_ALL" ] && {
+		nft_flush_chain predefrag_nfqws
+		nft_add_rule predefrag_nfqws notrack comment \"do not track nfqws generated packets to avoid nat tampering and defragmentation\"
+	}
+	[ "$FILTER_TTL_EXPIRED_ICMP" = 1 ] && {
+		if is_postnat; then
+			# can be caused by untracked nfqws-generated packets
+			nft_add_rule prerouting_hook icmp type time-exceeded ct state invalid drop
+		else
+			nft_add_rule postrouting_hook mark and $DESYNC_MARK != 0 ct mark set ct mark or $DESYNC_MARK comment \"nfqws related : prevent ttl expired socket errors\"
+		fi
+		[ "$DISABLE_IPV4" = "1" ] || {
+			nft_add_rule prerouting_hook icmp type time-exceeded ct mark and $DESYNC_MARK != 0 drop comment \"nfqws related : prevent ttl expired socket errors\"
+		}
+		[ "$DISABLE_IPV6" = "1" ] || {
+			nft_add_rule prerouting_hook icmpv6 type time-exceeded ct mark and $DESYNC_MARK != 0 drop comment \"nfqws related : prevent ttl expired socket errors\"
+		}
+	}
+}
+nft_del_chains()
+{
+	# do not delete all chains because of additional user hooks
+	# they must be inside zapret table to use nfsets
+
+cat << EOF | nft -f - 2>/dev/null
+	delete chain inet $ZAPRET_NFT_TABLE postrouting_hook
+	delete chain inet $ZAPRET_NFT_TABLE postnat_hook
+	delete chain inet $ZAPRET_NFT_TABLE prerouting_hook
+	delete chain inet $ZAPRET_NFT_TABLE prenat_hook
+	delete chain inet $ZAPRET_NFT_TABLE forward_hook
+	delete chain inet $ZAPRET_NFT_TABLE postrouting
+	delete chain inet $ZAPRET_NFT_TABLE postnat
+	delete chain inet $ZAPRET_NFT_TABLE prerouting
+	delete chain inet $ZAPRET_NFT_TABLE prenat
+	delete chain inet $ZAPRET_NFT_TABLE predefrag
+	delete chain inet $ZAPRET_NFT_TABLE predefrag_nfqws
+	delete chain inet $ZAPRET_NFT_TABLE flow_offload
+	delete chain inet $ZAPRET_NFT_TABLE flow_offload_zapret
+	delete chain inet $ZAPRET_NFT_TABLE flow_offload_always
+	delete chain inet $ZAPRET_NFT_TABLE ruletest
+EOF
+}
+nft_del_flowtable()
+{
+	nft delete flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
+}
+nft_create_or_update_flowtable()
+{
+	# $1 = flags ('offload' for hw offload)
+	# $2,$3,$4,... - interfaces
+	# can be called multiple times to add interfaces. interfaces can only be added , not removed
+	local flags=$1 devices makelist
+	shift
+	# warning ! nft versions at least up to 1.0.1 do not allow interface names starting with digit in flowtable and do not allow quoting
+	# warning ! openwrt fixes this in post-21.x snapshots with special nft patch
+	# warning ! in traditional linux distros nft is unpatched and will fail with quoted interface definitions if unfixed
+	[ -n "$flags" ] && flags="flags $flags;"
+	for makelist in make_quoted_comma_list make_comma_list; do
+		$makelist devices "$@"
+		[ -n "$devices" ] && devices="devices={$devices};"
+		nft add flowtable inet $ZAPRET_NFT_TABLE ft "{ hook ingress priority -1; $flags $devices }" && break
+	done
+}
+nft_flush_ifsets()
+{
+cat << EOF | nft -f -  2>/dev/null
+
+	for set in wanif wanif6 lanif; do
+		flush set inet $ZAPRET_NFT_TABLE $set
+	done
+EOF
+}
+nft_list_ifsets()
+{
+	for set in wanif wanif6 lanif; do
+		nft list set inet $ZAPRET_NFT_TABLE $set
+	done
+	nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
+}
+
+nft_create_firewall()
+{
+	nft_create_table
+	nft_del_flowtable
+	nft_create_chains
+}
+nft_del_firewall()
+{
+	nft_del_chains
+	nft_del_flowtable
+	# leave ifsets and ipsets because they may be used by custom rules
+}
+
+nft_add_rule()
+{
+	# $1 - chain
+	# $2,$3,... - rule(s)
+	local chain="$1"
+	shift
+	nft add rule inet $ZAPRET_NFT_TABLE $chain $FW_EXTRA_PRE "$@"
+}
+nft_insert_rule()
+{
+	# $1 - chain
+	# $2,$3,... - rule(s)
+	local chain="$1"
+	shift
+	nft insert rule inet $ZAPRET_NFT_TABLE $chain $FW_EXTRA_PRE "$@"
+}
+nft_add_set_element()
+{
+	# $1 - set or map name
+	# $2 - element
+	[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
+}
+nft_add_set_elements()
+{
+	# $1 - set or map name
+	# $2,$3,... - element(s)
+	local set="$1" elements
+	shift
+	make_comma_list elements "$@"
+	nft_add_set_element $set "$elements"
+}
+nft_reverse_nfqws_rule()
+{
+	echo "$@" | sed -e 's/oifname /iifname /g' -e 's/dport /sport /g' -e 's/daddr /saddr /g' -e 's/ct original /ct reply /g' -e "s/mark and $DESYNC_MARK == 0//g"
+}
+nft_add_nfqws_flow_exempt_rule()
+{
+	# $1 - rule (must be all filters in one var)
+	local FW_EXTRA_POST= FW_EXTRA_PRE=
+	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && \
+		nft_insert_rule flow_offload_zapret "$1" return comment \"direct flow offloading exemption\"
+}
+
+nft_apply_flow_offloading()
+{
+	# ft can be absent
+	nft_add_rule flow_offload_always flow add @ft 2>/dev/null && {
+		nft_add_rule flow_offload_always counter comment \"if offload works here must not be too much traffic\"
+
+		[ "$DISABLE_IPV4" = "1" ] || {
+			# allow only outgoing packets to initiate flow offload
+			nft_add_rule forward_hook meta l4proto "{ tcp, udp }" oifname @wanif jump flow_offload
+			nft_add_rule flow_offload ip daddr == @nozapret goto flow_offload_always
+		}
+		[ "$DISABLE_IPV6" = "1" ] || {
+			nft_add_rule forward_hook meta l4proto "{ tcp, udp }" oifname @wanif6 jump flow_offload
+			nft_add_rule flow_offload ip6 daddr == @nozapret6 goto flow_offload_always
+		}
+		nft_add_rule flow_offload jump flow_offload_zapret
+
+		nft_add_rule flow_offload_zapret goto flow_offload_always
+	}
+}
+
+
+
+nft_filter_apply_ipset_target4()
+{
+	# $1 - var name of ipv4 nftables filter
+	if [ "$MODE_FILTER" = "ipset" ]; then
+		eval $1="\"\$$1 ip daddr @zapret\""
+	fi
+}
+nft_filter_apply_ipset_target6()
+{
+	# $1 - var name of ipv6 nftables filter
+	if [ "$MODE_FILTER" = "ipset" ]; then
+		eval $1="\"\$$1 ip6 daddr @zapret6\""
+	fi
+}
+nft_filter_apply_ipset_target()
+{
+	# $1 - var name of ipv4 nftables filter
+	# $2 - var name of ipv6 nftables filter
+	nft_filter_apply_ipset_target4 $1
+	nft_filter_apply_ipset_target6 $2
+}
+
+nft_mark_filter()
+{
+	[ -n "$FILTER_MARK" ] && echo "mark and $FILTER_MARK != 0"
+}
+
+nft_script_add_ifset_element()
+{
+	# $1 - set name
+	# $2 - space separated elements
+	local elements
+	[ -n "$2" ] && {
+		make_quoted_comma_list elements $2
+		script="${script}
+add element inet $ZAPRET_NFT_TABLE $1 { $elements }"
+	}
+}
+nft_fill_ifsets()
+{
+	# $1 - space separated lan interface names
+	# $2 - space separated wan interface names
+	# $3 - space separated wan6 interface names
+	# 4,5,6 is needed for pppoe+openwrt case. looks like it's not easily possible to resolve ethernet device behind a pppoe interface
+	# $4 - space separated lan physical interface names (optional)
+	# $5 - space separated wan physical interface names (optional)
+	# $6 - space separated wan6 physical interface names (optional)
+
+	local script i j ALLDEVS devs b
+
+	# if large sets exist nft works very ineffectively
+	# looks like it analyzes the whole table blob to find required data pieces
+	# calling all in one shot helps not to waste cpu time many times
+
+	script="flush set inet $ZAPRET_NFT_TABLE wanif
+flush set inet $ZAPRET_NFT_TABLE wanif6
+flush set inet $ZAPRET_NFT_TABLE lanif"
+	nft_script_add_ifset_element lanif "$1"
+
+	[ "$DISABLE_IPV4" = "1" ] || nft_script_add_ifset_element wanif "$2"
+	[ "$DISABLE_IPV6" = "1" ] || nft_script_add_ifset_element wanif6 "$3"
+
+	echo "$script" | nft -f -
+
+	case "$FLOWOFFLOAD" in
+		software)
+			ALLDEVS=$(unique $1 $2 $3)
+			# unbound flowtable may cause error in older nft version
+			nft_create_or_update_flowtable '' $ALLDEVS 2>/dev/null
+			;;
+		hardware)
+			ALLDEVS=$(unique $1 $2 $3 $4 $5 $6)
+			# first create unbound flowtable. may cause error in older nft version
+			nft_create_or_update_flowtable 'offload' 2>/dev/null
+			# then add elements. some of them can cause error because unsupported
+			for i in $ALLDEVS; do
+				# bridge members must be added instead of the bridge itself
+				# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
+				b=
+				devs=$(resolve_lower_devices $i)
+				for j in $devs; do
+					# do not display error if addition failed
+					nft_create_or_update_flowtable 'offload' $j && b=1 2>/dev/null
+				done
+				[ -n "$b" ] || {
+					# no lower devices added ? try to add interface itself
+					nft_create_or_update_flowtable 'offload' $i 2>/dev/null
+				}
+			done
+			;;
+	esac
+}
+
+nft_only()
+{
+	linux_fwtype
+
+	case "$FWTYPE" in
+		nftables)
+			"$@"
+			;;
+	esac
+}
+
+
+nft_print_op()
+{
+	echo "Inserting nftables ipv$3 rule for $2 : $1"
+}
+is_postnat()
+{
+	[ "$POSTNAT" != 0 -o "$POSTNAT_ALL" = 1 ]
+}
+get_postchain()
+{
+	if is_postnat ; then
+		echo -n postnat
+	else
+		echo -n postrouting
+	fi
+}
+get_prechain()
+{
+	if is_postnat ; then
+		echo -n prenat
+	else
+		echo -n prerouting
+	fi
+}
+_nft_fw_nfqws_post4()
+{
+	# $1 - filter ipv4
+	# $2 - queue number
+	# $3 - not-empty if wan interface filtering required
+
+	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
+		local filter="$1" port="$2" rule chain=$(get_postchain) setmark
+		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
+		rule="meta nfproto ipv4 $filter"
+		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
+		nft_insert_rule $chain $rule $setmark $CONNMARKER $FW_EXTRA_POST queue num $port bypass
+		nft_add_nfqws_flow_exempt_rule "$rule"
+		nft_activate_chain4 $chain daddr
+	}
+}
+_nft_fw_nfqws_post6()
+{
+	# $1 - filter ipv6
+	# $2 - queue number
+	# $3 - not-empty if wan interface filtering required
+
+	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
+		local filter="$1" port="$2" rule chain=$(get_postchain) setmark
+		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
+		rule="meta nfproto ipv6 $filter"
+		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
+		nft_insert_rule $chain $rule $setmark $CONNMARKER $FW_EXTRA_POST queue num $port bypass
+		nft_add_nfqws_flow_exempt_rule "$rule"
+		nft_activate_chain6 $chain daddr
+	}
+}
+nft_fw_nfqws_post()
+{
+	# $1 - filter ipv4
+	# $2 - filter ipv6
+	# $3 - queue number
+
+	nft_fw_nfqws_post4 "$1" $3
+	nft_fw_nfqws_post6 "$2" $3
+}
+
+_nft_fw_nfqws_pre4()
+{
+	# $1 - filter ipv4
+	# $2 - queue number
+	# $3 - not-empty if wan interface filtering required
+
+	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
+		local filter="$1" port="$2" rule chain=$(get_prechain)
+		nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4
+		rule="meta nfproto ipv4 $filter"
+		nft_insert_rule $chain $rule $CONNMARKER $FW_EXTRA_POST queue num $port bypass
+		nft_activate_chain4 $chain saddr
+	}
+}
+_nft_fw_nfqws_pre6()
+{
+	# $1 - filter ipv6
+	# $2 - queue number
+	# $3 - not-empty if wan interface filtering required
+
+	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
+		local filter="$1" port="$2" rule chain=$(get_prechain)
+		nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6
+		rule="meta nfproto ipv6 $filter"
+		nft_insert_rule $chain $rule $CONNMARKER $FW_EXTRA_POST queue num $port bypass
+		nft_activate_chain6 $chain saddr
+	}
+}
+nft_fw_nfqws_pre()
+{
+	# $1 - filter ipv4
+	# $2 - filter ipv6
+	# $3 - queue number
+
+	nft_fw_nfqws_pre4 "$1" $3
+	nft_fw_nfqws_pre6 "$2" $3
+}
+
+nft_fw_nfqws_both4()
+{
+	# $1 - filter ipv4
+	# $2 - queue number
+	nft_fw_nfqws_post4 "$@"
+	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $1)" $2
+}
+nft_fw_nfqws_both6()
+{
+	# $1 - filter ipv6
+	# $2 - queue number
+	nft_fw_nfqws_post6 "$@"
+	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $1)" $2
+}
+nft_fw_nfqws_both()
+{
+	# $1 - filter ipv4
+	# $2 - filter ipv6
+	# $3 - queue number
+	nft_fw_nfqws_both4 "$1" "$3"
+	nft_fw_nfqws_both6 "$2" "$3"
+}
+
+zapret_reload_ifsets()
+{
+	nft_only nft_create_table ; nft_fill_ifsets_overload
+	return 0
+}
+zapret_list_ifsets()
+{
+	nft_only nft_list_ifsets
+	return 0
+}
+zapret_list_table()
+{
+	nft_only nft_list_table
+	return 0
+}
+
+
+
+nft_fw_reverse_nfqws_rule4()
+{
+	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule "$1")" $2
+}
+nft_fw_reverse_nfqws_rule6()
+{
+	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule "$1")" $2
+}
+nft_fw_reverse_nfqws_rule()
+{
+	# ensure that modes relying on incoming traffic work
+	# $1 - rule4
+	# $2 - rule6
+	# $3 - queue number
+	nft_fw_reverse_nfqws_rule4 "$1" $3
+	nft_fw_reverse_nfqws_rule6 "$2" $3
+}
+
+nft_first_packets()
+{
+	# $1 - packet count
+	[ -n "$1" -a "$1" != keepalive ] && [ "$1" -ge 1 ] &&
+	{
+		if [ "$1" = 1 ] ; then
+			echo "$nft_connbytes 1"
+		else
+			echo "$nft_connbytes 1-$1"
+		fi
+	}
+}
+
+nft_apply_nfqws_in_out()
+{
+	# $1 - tcp,udp
+	# $2 - ports
+	# $3 - PKT_OUT. special value : 'keepalive'
+	# $4 - PKT_IN
+	local f4 f6 first_packets_only
+	[ -n "$2" ] || return
+	[ -n "$3" -a "$3" != 0 ] &&
+	{
+		first_packets_only="$(nft_first_packets $3)"
+		f4="$1 dport {$2} $first_packets_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_nfqws_post "$f4" "$f6" $QNUM
+	}
+	[ -n "$4" -a "$4" != 0 ] &&
+	{
+		first_packets_only="$(nft_first_packets $4)"
+		f4="$1 dport {$2} $first_packets_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+	}
+}
+
+zapret_apply_firewall_standard_nfqws_rules_nft()
+{
+	[ "$NFQWS2_ENABLE" = 1 ] && {
+		nft_apply_nfqws_in_out tcp "$NFQWS2_PORTS_TCP" "$NFQWS2_TCP_PKT_OUT" "$NFQWS2_TCP_PKT_IN"
+		nft_apply_nfqws_in_out tcp "$NFQWS2_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS2_TCP_PKT_IN"
+		nft_apply_nfqws_in_out udp "$NFQWS2_PORTS_UDP" "$NFQWS2_UDP_PKT_OUT" "$NFQWS2_UDP_PKT_IN"
+		nft_apply_nfqws_in_out udp "$NFQWS2_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS2_UDP_PKT_IN"
+	}
+}
+zapret_apply_firewall_standard_rules_nft()
+{
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}
+
+zapret_apply_firewall_rules_nft()
+{
+	zapret_apply_firewall_standard_rules_nft
+	custom_runner zapret_custom_firewall_nft
+}
+
+zapret_apply_firewall_nft()
+{
+	echo Applying nftables
+
+	create_ipset no-update
+	nft_create_firewall
+	nft_fill_ifsets_overload
+
+	zapret_apply_firewall_rules_nft
+
+	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && nft_apply_flow_offloading
+
+	return 0
+}
+zapret_unapply_firewall_nft()
+{
+	echo Clearing nftables
+
+	nft_del_firewall
+	custom_runner zapret_custom_firewall_nft_flush
+	return 0
+}
+zapret_do_firewall_nft()
+{
+	# $1 - 1 - add, 0 - del
+
+	if [ "$1" = 0 ] ; then
+		zapret_unapply_firewall_nft
+	else
+		zapret_apply_firewall_nft
+	fi
+
+	return 0
+}
+
+# ctmark is not available in POSTNAT mode
+CONNMARKER=
+[ "$FILTER_TTL_EXPIRED_ICMP" = 1 ] && is_postnat && CONNMARKER="ct mark set ct mark or $DESYNC_MARK"

common/virt.sh

@@ -0,0 +1,39 @@
+get_virt()
+{
+	local vm s v UNAME
+	UNAME=$(uname)
+	case "$UNAME" in
+		Linux)
+			if exists systemd-detect-virt; then
+				vm=$(systemd-detect-virt --vm)
+			elif [ -f /sys/class/dmi/id/product_name ]; then
+				read s </sys/class/dmi/id/product_name
+				for v in KVM QEMU VMware VMW VirtualBox Xen Bochs Parallels BHYVE Hyper-V; do
+					case "$s" in
+						"$v"*)
+						vm=$v
+						break
+					;;
+					esac
+				done
+			fi
+			;;
+	esac
+	echo "$vm" | awk '{print tolower($0)}'
+}
+check_virt()
+{
+	echo \* checking virtualization
+	local vm="$(get_virt)"
+	if [ -n "$vm" ]; then
+		if [ "$vm" = "none" ]; then
+			echo running on bare metal
+		else
+			echo "!!! WARNING. $vm virtualization detected !!!"
+			echo '!!! WARNING. vmware and virtualbox are known to break most of the DPI bypass techniques when network is NATed using internal hypervisor NAT !!!'
+			echo '!!! WARNING. if this is your case make sure you are bridged not NATed !!!'
+		fi
+	else
+		echo cannot detect
+	fi
+}

config.default

@@ -0,0 +1,136 @@
+# this file is included from init scripts
+# change values here
+
+# can help in case /tmp has not enough space
+#TMPDIR=/opt/zapret2/tmp
+
+# redefine user for zapret daemons. required on Keenetic
+#WS_USER=nobody
+
+# override firewall type : iptables,nftables,ipfw
+#FWTYPE=iptables
+# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
+# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
+#POSTNAT=0
+
+# options for ipsets
+# maximum number of elements in sets. also used for nft sets
+SET_MAXELEM=522288
+# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
+# too large hashsize will waste lots of RAM
+IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
+# dynamically generate additional ip. $1 = ipset/nfset/table name
+#IPSET_HOOK="/etc/zapret2.ipset.hook"
+
+# options for ip2net. "-4" or "-6" auto added by ipset create script
+IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
+IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
+# options for auto hostlist
+# NOTE : in order for these adjustment to work it's required to redirect enough starting packets
+# NOTE : set PKT_IN, PKT_OUT variables appropriately
+AUTOHOSTLIST_INCOMING_MAXSEQ=4096
+AUTOHOSTLIST_RETRANS_MAXSEQ=32768
+AUTOHOSTLIST_RETRANS_RESET=1
+AUTOHOSTLIST_RETRANS_THRESHOLD=3
+AUTOHOSTLIST_FAIL_THRESHOLD=3
+AUTOHOSTLIST_FAIL_TIME=60
+AUTOHOSTLIST_UDP_IN=1
+AUTOHOSTLIST_UDP_OUT=4
+# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
+AUTOHOSTLIST_DEBUGLOG=0
+
+# number of parallel threads for domain list resolves
+MDIG_THREADS=30
+# EAI_AGAIN retries
+MDIG_EAGAIN=10
+# delay between EAI_AGAIN retries (ms)
+MDIG_EAGAIN_DELAY=500
+
+# ipset/*.sh can compress large lists
+GZIP_LISTS=1
+# command to reload ip/host lists after update
+# comment or leave empty for auto backend selection : ipset or ipfw if present
+# on BSD systems with PF no auto reloading happens. you must provide your own command
+# set to "-" to disable reload
+#LISTS_RELOAD="pfctl -f /etc/pf.conf"
+
+# mark bit used by nfqws to prevent loop
+DESYNC_MARK=0x40000000
+DESYNC_MARK_POSTNAT=0x20000000
+
+# do not pass outgoing traffic to nfqws not marked with this bit
+# this setting allows to write your own rules to limit traffic that should be fooled
+# for example based on source IP or incoming interface name
+# no filter if not defined
+#FILTER_MARK=0x10000000
+
+
+NFQWS2_ENABLE=0
+# redirect outgoing traffic with connbytes limiter applied in both directions.
+NFQWS2_PORTS_TCP=80,443
+NFQWS2_PORTS_UDP=443
+# PKT_OUT means connbytes dir original
+# PKT_IN means connbytes dir reply
+NFQWS2_TCP_PKT_OUT=20
+NFQWS2_TCP_PKT_IN=10
+NFQWS2_UDP_PKT_OUT=5
+NFQWS2_UDP_PKT_IN=3
+# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
+# normally it's needed only for stateless DPI that matches every packet in a single TCP session
+# typical example are plain HTTP keep alives
+# this mode can be very CPU consuming. enable with care !
+#NFQWS2_PORTS_TCP_KEEPALIVE=80
+#NFQWS2_PORTS_UDP_KEEPALIVE=
+# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
+# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
+# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
+NFQWS2_OPT="
+--filter-tcp=80 --filter-l7=http <HOSTLIST> --payload=http_req --lua-desync=fake:blob=fake_default_http:tcp_md5 --lua-desync=multisplit:pos=method+2 --new
+--filter-tcp=443 --filter-l7=tls <HOSTLIST> --payload=tls_client_hello --lua-desync=fake:blob=fake_default_tls:tcp_md5:tcp_seq=-10000 --lua-desync=multidisorder:pos=1,midsld --new
+--filter-udp=443 --filter-l7=quic <HOSTLIST_NOAUTO> --payload=quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=6
+"
+
+# none,ipset,hostlist,autohostlist
+MODE_FILTER=none
+
+# donttouch,none,software,hardware
+FLOWOFFLOAD=donttouch
+
+# openwrt: specify networks to be treated as LAN. default is "lan"
+#OPENWRT_LAN="lan lan2 lan3"
+# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
+#OPENWRT_WAN4="wan vpn"
+#OPENWRT_WAN6="wan6 vpn6"
+
+# for routers based on classic linux. has no effect in openwrt.
+# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
+# or leave them commented if its not router
+# it's possible to specify multiple interfaces like this : IFACE_WAN="eth0 eth1 eth2"
+# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
+#IFACE_LAN=eth0
+#IFACE_WAN=eth1
+#IFACE_WAN6="ipsec0 wireguard0 he_net"
+
+# should start/stop command of init scripts apply firewall rules ?
+# not applicable to openwrt with firewall3+iptables
+INIT_APPLY_FW=1
+# firewall apply hooks
+#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret2.hook.pre_up"
+#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret2.hook.post_up"
+#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret2.hook.pre_down"
+#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret2.hook.post_down"
+
+# do not work with ipv4
+#DISABLE_IPV4=1
+# do not work with ipv6
+DISABLE_IPV6=1
+
+# drop icmp time exceeded messages for nfqws tampered connections
+# in POSTNAT mode this can interfere with default mtr/traceroute in tcp or udp mode. use source port not redirected to nfqws
+# set to 0 if you are not expecting connection breakage due to icmp in response to TCP SYN or UDP
+FILTER_TTL_EXPIRED_ICMP=1
+
+# select which init script will be used to get ip or host list
+# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
+# comment if not required
+#GETLIST=

docs/changes.txt

@@ -12,3 +12,186 @@ v0.1.2
 * nfqws2: 'known' protocol and payload filter
 * nfqws2: 'aes_ctr' luacall
 * zapret-antidpi: rst
+* github actions: remove FFI from luajit
+
+v0.1.4
+
+* winws2: set low mandatory level in process token if possible : no --wlan-filter or --nlm-filter (no windivert reinit required)
+* nfqws2: optimize debug logging to file
+
+v0.1.5
+
+* nfqws2: # and % arg substitution
+* zapret-antidpi: luaexec
+* zapret-pcap: simple packet capture to .cap file
+
+v0.2
+
+* blockcheck2
+* nfqws2: several crash fixes
+* nfqws2: bu8,bu16,bu24,bu32,swap16,swap32 functions now work with negative int
+* nfqws2: getpid,gettid,uname,get_clock luacalls
+* zapret-lib: bugfixes
+* zapret-lib: remove ip6_hopbyhop_x2 fooling, separately add second hopbyhop header using ip6_hopbyhop2
+* zapret-pcap
+
+v0.3
+
+* init.d launch scripts
+* init.d: 40-webserver custom script
+* install_easy
+
+v0.4
+
+* nfqws2: profile names and cookies
+* nfqws2: profile templates
+* nfqws2: remove stun_binding_req, replace to stun. no more message type details
+* nfqws2: proper conntack position for replayed packets
+* nfqws2: execution_plan, execution_plan_cancel
+* blockcheck2: fix broken dns cache
+* nfqws2: LUA_COMPAT_VER tracking
+
+v0.5
+
+* nfqws2: u8add,u16add,u24add,u32add luacalls
+* nfqws2: abandon any arithmetics beyond 32bit (because lua 5.1 does not support 64 bit integers, store everything as double)
+* nfqws2: fix issues with 32-bit lua_Integer in lua<5.3 on 32-bit platforms
+* nfqws2: instance_cutoff luacall just warns and do nothing if ctx is nil
+* actions: build nfqws2 x86 binary with LUA 5.4, not with luajit
+* zapret-lib: http_reply, url and nld dissectors
+* zapret-lib: instance_cutoff_shim
+* zapret-auto: circular orchestrator
+
+v0.5.1
+
+* zapret-auto: separate failure detection logic
+* blockcheck2: fix broken http3 test
+
+v0.6
+
+* zapret-lib,zapret-antidpi: tls_mod_shim supports sni=%var subst
+* blockcheck2: syndata tests
+* nfqws2: reasm support negative overlaps. gaps are not supported.
+* nfqws2,zapret-auto: changed retransmission detection scheme.
+* zapret-auto: udp_in/udp_out failure detection
+
+v0.6.1
+
+* zapret-lib, zapret-auto: condition and stopif orchestrators
+* zapret-lib: detect_payload_str - sample lua payload detector
+* blockcheck2: unterminated string fix
+
+v0.7
+
+* nfqws2, zapret-lib : fix non-working % and # arg substitution under orchestrator
+* nfqws2, zapret-lib : structure conntrack in/out positions. pass in desync.track.pos.{client,server,direct,reverse} position tables
+* nfqws2: autohostlist: trigger RST and http redirect failures only within specified relative sequence
+* nfqws2: autohostlist: trigger http redirect failure if payload is http_req without connection proto check
+* nfqws2: push desync.track.pos.dt as float with nsec accuracy
+* zapret-auto: override host autostate key in automate_host_record
+* nfqws2: rewrite udp autohostlist failure detector logic
+
+v0.7.1
+
+* init.d: nft fix non-working incoming redirect
+* nfqws2: cancel reasm if server window size is smaller than expected reasm size
+* nfqws2: add EOL at the end of truncated buffered DLOG line if it's too large. increase log line buffer
+* nfqws2: autohostlist reset fail counter if udp_in > threshold
+* nfqws2: reduced default retrans maxseq to 32768
+* nfqws2: solved inability to get SSID using nl80211 on kernels 5.19+
+
+v0.7.2
+
+* zapret-lib: fix broken is_retransmission()
+* zapret-auto: add success detector logic
+* nfqws2: clean lua cutoff on profile change
+* zapret-auto: separate hostkey function
+
+v0.7.4
+
+* nfqws2, zapret-lib : check tcp sequence range overflow
+* zapret-lib: seq compare functions
+* nfqws2: add l3_len, l4_len to dissect
+* nfqws2: fix broken l7proto profile rediscovery
+* winws2: harden sandbox. disable child process execution , some UI interaction and desktop settings change
+
+v0.7.5
+
+* zapret-auto: orchestrator "repeater"
+* blockcheck2: check http3 with ipv6 exthdr
+* github actions: separate target arm-old with LUA classic, not JIT
+* zapret-auto: iff/neg in repeater
+* zapret-antidpi: multidisorder_legacy
+* ipset: remove get_reestr_hostlist.sh and get_reestr_resolve.sh because zapret-info does not and will probably not ever update
+* nfqws2: fix "reasm cancelled" if no incoming traffic redirected
+* blockcheck2: MULTIDISORDER=multidisorder_legacy
+
+v0.7.6
+
+* nfqws2: reevaluate profile on l7/host discovery in any direction
+* nfqws2: dtls protocol detection
+* nfqws2: autohostlist reset retransmitter to break long wait
+* zapret-auto: stadard_failure_detector reset retransmitter to break long wait
+* nfqws2, init.d, windivert : dht and wg detection changes
+
+v0.8.0
+
+* init.d: 50-dht4all NFQWS_OPT_DHT_PKT_OUT
+* nfqws2: (LUA_COMPAT_VER=4) support 48-bit arithmetics
+* github actions: remove arm-old target - luajit fail reason revealed
+* nfqws2: do not treat quic handshake messages as initials
+* zapret-lib: tls dissector/reconstructor
+* zapret-antidpi: tls_client_hello_clone
+* zapret-antidpi: "optional" arg to blob taking functions
+* nfqws2: support gzipped lua file. auto use script.lua.gz
+
+v0.8.1
+
+* nfqws2: fix bu48 crash and wrong results in bitset
+* zapret-lib: http_reconstruct_req
+* zapret-antidpi: http_unixeol
+* blockcheck2: http_unixeol test
+
+0.8.2
+
+* nfqws2: do not start if NFQWS2_COMPAT_VER unexpected
+* nfqws2: cache dns response IP addresses if --ipcache-hostname enabled
+* winws2: remove hardcoded filter for loopback
+* init.d: ressurect @lanif in nft scheme
+* init.d: fix broken @wanif/@wanif6 fill in sysv nft scheme
+* init.d: 80-dns-intercept
+* winws2: --wf-filter-loopback
+* blockcheck2: NOTEST_MISC_HTTP[S], NOTEST_SYNDATA_HTTP[S]
+
+0.8.3
+
+* nfqws2, zapret-lib: gzip compression and decompression
+* nfqws2: ignore trailing spaces and tabs in hostlists and ipsets. "host.com   " or "1.2.3.4 " are ok now
+* init.d: 99-lan-filter custom script
+* mdig: --eagain, --eagain-delay
+
+0.8.4
+
+* winws2: fix loopback large packets processing (up to 64K)
+* zapret-lib, zapret-antidpi: use numeric indexes in http dissects
+* nfqws2: move ctx from lightuserdata to userdata. prevents crashes on specific ARM cpus
+* nfqws2: alternative representation of payload filter in execution_plan item
+* nfqws2: --payload-disable
+* nfqws2: gracefully shutdown on SIGINT and SIGTERM
+* nfqws2: harden wireguard detection. do not detect if reserved bytes 1..3 != 0
+
+0.8.5
+
+* nfqws2: do not require / in the beginning of URI in http
+* zapret-lib: rawsend_dissect_segmented support URG
+* zapret-antidpi: oob
+* blockcheck2: 17-oob.sh
+* nfqws2: set desync.tcp_mss to minimum of both ends or default if at least one is unknown
+* zapret-lib: tcp_nop_del
+* blockcheck2: tcp_nop_del in SYN packets with md5 in openbsd
+
+0.8.6
+
+* winws2, blockcheck2: allow multiple instances in windows, linux, freebsd (not openbsd)
+* nfqws2: fix critical bug - wrong ipv6 dissection
+* zapret-auto: fix standard_failure_detector http redirect regression

docs/changes_compat.txt

@@ -0,0 +1,11 @@
+Here listed all api breaking changes.
+When something changes capable of breaking things NFQWS2_COMPAT_VER increases.
+
+v2
+* removed "stun_binding_req" specialized payload. replaced with common "stun" - any stun packets, not only binding request.
+every LUA relying on desync.l7payload should be revised.
+nfqws2 --payload option and init.d custom scripts must be updated.
+
+v3
+* restructured desync.track. pass positions in desync.track.pos.{client,server,direct,reverse}
+code relying on conntrack counters and sequence numbers must be rewritten

docs/compile/build_howto_unix.txt

@@ -5,6 +5,7 @@ make -C /opt/zapret2 systemd
 
 FreeBSD :
 
+pkg install pkgconf
 pkg search luajit-2
 # see what's the version available
 pkg install luajit-2.1.0.20250728

docs/compile/openwrt/package/zapret/ip2net/Makefile

@@ -24,8 +24,8 @@ define Build/Compile
 endef
 
 define Package/ip2net/install
-	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ip2net $(1)/opt/zapret/binaries/my
+	$(INSTALL_DIR) $(1)/opt/zapret2/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ip2net $(1)/opt/zapret2/binaries/my
 endef
 
 $(eval $(call BuildPackage,ip2net))

docs/compile/openwrt/package/zapret/mdig/Makefile

@@ -24,8 +24,8 @@ define Build/Compile
 endef
 
 define Package/mdig/install
-	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdig $(1)/opt/zapret/binaries/my
+	$(INSTALL_DIR) $(1)/opt/zapret2/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdig $(1)/opt/zapret2/binaries/my
 endef
 
 $(eval $(call BuildPackage,mdig))

docs/compile/openwrt/package/zapret/nfqws2/Makefile

@@ -31,7 +31,7 @@ endef
 
 define Build/Prepare
 	mkdir -p $(PKG_BUILD_DIR)
-	$(CP) ./nfq/* $(PKG_BUILD_DIR)/
+	$(CP) ./nfq2/* $(PKG_BUILD_DIR)/
 endef
 
 define Build/Compile
@@ -39,8 +39,8 @@ define Build/Compile
 endef
 
 define Package/nfqws2/install
-	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nfqws2 $(1)/opt/zapret/binaries/my
+	$(INSTALL_DIR) $(1)/opt/zapret2/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nfqws2 $(1)/opt/zapret2/binaries/my
 endef
 
 $(eval $(call BuildPackage,nfqws2))

docs/compile/openwrt/package/zapret/nfqws2/readme.txt

@@ -1 +1 @@
-Copy "nfq" folder here !
+Copy "nfq2" folder here !

docs/readme.md

@@ -1,4 +1,6 @@
-# zapret2 v0.1
+## English
+
+[Manual](manual.en.md)
 
 ## Зачем это нужно
 
@@ -10,6 +12,22 @@ VPN. Может использоваться для частичной проз
 традиционные Linux-системы, FreeBSD, OpenBSD, Windows. В некоторых случаях возможна самостоятельная прикрутка
 решения к различным прошивкам.
 
+[Полный мануал](manual.md)
+
+
+## Поддержать разработчика. Donations
+
+Если вы считаете проект полезным и желаете поддержать разработку, направляйте ваши пожертвования на следующие адреса криптокошельков :
+
+If you find this project useful and wish to donate here are crypto wallets :
+
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`  (предпочительно сеть ERC-20. ERC-20 preferred)
+
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
+
+
 ## Чем это отличается от zapret1
 
 zapret2 является дальнейшим развитием проекта zapret.
@@ -24,12 +42,12 @@ zapret2 является дальнейшим развитием проекта
 или хотя бы область , в которой их можно искать, плюс владеющий базовыми навыками программирования.
 
 *nfqws2* оставляет в себе практически тот же функционал - распознавание протоколов, реассемблинг, дешифровка, управление профилями, хостлисты, ipset-ы, базовая фильтрация.
-Но он полностью лишается возможностей самостоятельно воздействовать на трафик. Часть "дурения" переносится в скриптовой язык программирования LUA.
+Но он полностью лишается возможностей самостоятельно воздействовать на трафик. Часть "дурения" переносится в скриптовой язык программирования Lua.
 
-LUA код получает от C кода структурированное представление приходящих пакетов в виде дерева (диссекты), подобного тем, что вы видите в wireshark.
+Lua код получает от C кода структурированное представление приходящих пакетов в виде дерева (диссекты), подобного тем, что вы видите в wireshark.
 Туда же приходят результаты сборки или дешифровки частей некоторых протоколов (tls, quic).
 С код предоставляет функции-хелперы, позволяющие отсылать пакеты, работать с двоичными данными, разбирать TLS, искать маркер-позции и т.д.
-Имеется библиотека хелперов, написанных на LUA, а так же готовая библиотека программ атаки на DPI (стратегий), реализующая функции *nfqws1* в расширенном варианте
+Имеется библиотека хелперов, написанных на Lua, а так же готовая библиотека программ атаки на DPI (стратегий), реализующая функции *nfqws1* в расширенном варианте
 и с большей гибкостью.
 
 Вы всегда сможете взять и дописать что-то свое. В этом и есть смысл, чтобы борьбой с DPI смог заняться любой, кто разбирается в пакетах.
@@ -40,9 +58,8 @@ zapret2 - инструмент для таких энтузиастов. Но э
 
 ## С чего начать
 
-Хотелось бы избежать "талмуда" на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
-Когда вы поймете как это работает, вы можете посмотреть LUA код, находящийся "под капотом". Разобрать как он работает, попробовать написать что-то свое.
-"талмуд" обязательно будет, как он есть у любых более-менее сложных проектов. Он нужен как справочник.
+Хотелось бы избежать [талмуда](manual.md) на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
+Когда вы поймете как это работает, вы можете посмотреть Lua код, находящийся "под капотом". Разобрать как он работает, попробовать написать что-то свое, руководствуясь [талмудом](manual.md) как справочником.
 
 ### Механика обработки трафика
 
@@ -90,11 +107,11 @@ nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-antidpi.
   --payload=tls_client_hello,http_req --lua-desync=multisplit:pos=1:seqovl=5:seqovl_pattern=0x1603030000
 ```
 
-Данный пример предполагает, что в той же директории находятся файлы `zapret-lib.lua` - библиотека хелперов на LUA и `zapret-antidpi.lua` - библиотека базовых стратегий.
-`--lua-init` может содержать LUA код в виде строки. Так удобно писать простой код, например присвоить константу переменной, чтобы не создавать файлы ради этой мелочи.
+Данный пример предполагает, что в той же директории находятся файлы `zapret-lib.lua` - библиотека хелперов на Lua и `zapret-antidpi.lua` - библиотека базовых стратегий.
+`--lua-init` может содержать Lua код в виде строки. Так удобно писать простой код, например присвоить константу переменной, чтобы не создавать файлы ради этой мелочи.
 Либо подцепляется файл, если значение параметра начинается с `@`. Код из `--lua-init` выполняется 1 раз при старте.
 
-Далее указаны параметры `--lua-desync`. Они содержат имя LUA функции, вызываемой при обработке каждого пакета, проходящего через профиль мультистратегии.
+Далее указаны параметры `--lua-desync`. Они содержат имя Lua функции, вызываемой при обработке каждого пакета, проходящего через профиль мультистратегии.
 После двоеточия и через двоеточия следуют параметры для данной функции в формате `param[=value]`. В примере реализована стратегия
 
 ```
@@ -110,19 +127,19 @@ nfqws --qnum 200 --debug \
 Тип пейлоада - тип данных, содержащихся в пакете или группе пакетов. Например, протокол соединения может быть tls, а пейлоады - tls_client_hello, tls_server_hello, unknown.
 
 Другое важное отличие - отсутствие жестко определенных фаз десинхронизации. То, что вы раньше писали как `fake,multisplit` реализуется двумя
-последовательно вызываемыми LUA функциями. Их может быть столько, сколько нужно, учитывая логику прохождения пакетов и операций с ними, и у каждой могут быть свои параметры.
+последовательно вызываемыми Lua функциями. Их может быть столько, сколько нужно, учитывая логику прохождения пакетов и операций с ними, и у каждой могут быть свои параметры.
 Может даже несколько раз вызываться одна и так же функция с разными параметрами. Так, например, можно послать несколько фейков, причем с разными фулингами.
 Конкретный вызов `--lua-desync` функции называется инстансом. Инстанс - это связка имени функции, номера вызова внутри профиля и номера самого профиля.
 Это похоже на одну программу, которую можно запустить много раз с разными параметрами.
 
-Другое немаловажное отличие - поддержка автоматической tcp сегментации. Вам больше не нужно думать о размерах отсылаемых tcp пакетов.
+Другое немаловажное отличие - поддержка автоматической tcp сегментации средствами `zapret-lib.lua`. Вам больше не нужно думать о размерах отсылаемых tcp пакетов.
 По каждому соединению отслеживается MSS. Если пакет не влезает в MSS, выполняется сегментация.
 Например, это может случиться при отправке tls фейка с kyber. Или если вы режете kyber tls так, что одна из частей получается размером 1600 байт,
-что, очевидно, не влезает в MTU. Или если вы задали seqovl=10000. В *nfqws1* такое значение вызвало бы ошибку. В *nfqws2* будет отправлено
+что, очевидно, не влезает в MTU. Или если вы задали seqovl=10000. В *nfqws1* такое значение вызвало бы ошибку. Функция Lua `rawsend_dissect_segmented` отправит
 несколько tcp сегментов с начальным sequence -10000 общим размером 10000 байт, в последнем из которых будет кусок оригинального сообщения.
 
 В *nfqws2* нет жестко зашитых параметров кастомных фейков типа `--dpi-desync-fake-tls`, `dpi-desync-fake-http` и тд.
-Вместо них есть блобы. Блоб (blob) - это переменная LUA типа *string*, содержащая блок двоичных данных произвольной длины. От 1 байта до гигабайтов.
+Вместо них есть блобы. Блоб (blob) - это переменная Lua типа *string*, содержащая блок двоичных данных произвольной длины. От 1 байта до гигабайтов.
 *nfqws2* автоматически инициализирует блобы со стандартными фейками tls, http, quic, как это и было в *nfqws1*.
 Блобы могут быть заданы как hex-строка прямо в параметре desync функции, либо пред-загружены при старте с помощью параметра `--blob=name:0xHEX|[+ofs]@filename`
 
@@ -155,15 +172,15 @@ range задается как `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`.
 Следующий профиль снова принимает значения по умолчанию.
 
 Что будет, если вы не напишите фильтр `--payload` для fake или multisplit ? В *nfqws1* без `--dpi-desync-any-protocol` они работали только по известным пейлоадам.
-В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известные пейлоадам
+В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известным пейлоадам
 и не работают по пустым пакетам или unknown - точно так же, как это было в *nfqws1*.
-Но лучше все-же писать фильтры `--payload`, потому что они работают на уровне C кода, который выполняется существенно быстрее, чем LUA.
+Но лучше все-же писать фильтры `--payload`, потому что они работают на уровне C кода, который выполняется существенно быстрее, чем Lua.
 
 Диссект пакета проходит поочередно по всем `--lua-desync` инстансам профиля, для которых не выполняется условие отсечения (cutoff).
 Отсечение может быть по range, payload или добровольное отсечение. Последний вариант - когда инстанс сам отказывается обрабатывать пакеты
 по входящему, исходящему или обоим направлениям. Например, задача стратегии wsize - отреагировать только на пакет с tcp флагами SYN,ACK. После этого он не нужен, в коде вызывается функция отсечения.
 Это сделано для экономии ресурсов процессора.
-Если все инстансы в профиле точно никогда больше не будут вызваны по соединению + направлению - вошли в превышение верхней границы range или выполнили добровольный cutoff, то движок LUA не вызывается вообще.
+Если все инстансы в профиле точно никогда больше не будут вызваны по соединению + направлению - вошли в превышение верхней границы range или выполнили добровольный cutoff, то движок Lua не вызывается вообще.
 
 От инстанса к инстансу содержимое диссекта может ими меняться. Следующий инстанс видит изменения предыдущего.
 Каждый инстанс выносит свой вердикт - что делать с текущим диссектом. VERDICT_PASS - означает отправить как есть,
@@ -289,22 +306,21 @@ nfqws2 --lua-desync=send:ipfrag:ipfrag_pos_udp=8 --lua-desync=drop
 Но это решаемо. А что не решаемо - это перехват вторых частей kyber tls hello. Их невозможно опознать без связи с предыдущими фрагментами. Поэтому перехватывается весь порт.
 Для HTTP вопрос решаемый, поскольку там нет реассемблирования запросов, но http сейчас стал настолько редким, что и смысла нет заморачиваться.
 
-Везде расставлены фильтры профиля мультистратегии `--filter-l7`, фильтры по `--out-range` и по `--payload`.
-Зачем ? В основном для сокращения вызовов LUA кода, который заведомо медленнее C кода.
-Если пакет не попадет в профили с LUA - ни о каком вызове кода LUA речи быть не может.
-Если пакет попал в профиль с LUA, то после первых 10 пакетов с данными наступает отсечение по верхней границе range. Все LUA инстансы входят в состояние instance cutoff,
-соединение входит в состояние "lua cutoff" по направлению "out". Значит вызовов LUA не будет вообще. Не просто вызовов, а даже обращения к движку LUA
-с какой-либо целью. Будет только C код, который посмотрит на признак "cutoff" и сразу же отпустит пакет.
+Везде расставлены фильтры профиля мультистратегии `--filter-l7`, фильтры по `--out-range` и по `--payload`. Зачем ? В основном для сокращения вызовов Lua кода, который заведомо медленнее C кода.
+Если пакет не попадет в профили с Lua - ни о каком вызове кода Lua речи быть не может. Если пакет попал в профиль с Lua, то после первых 10 пакетов с данными наступает отсечение по верхней границе range. Все Lua инстансы входят в состояние instance cutoff, соединение входит в состояние "lua cutoff" по направлению "out". Значит вызовов Lua не будет вообще. Не просто вызовов, а даже обращения к движку Lua с какой-либо целью. Будет только C код, который посмотрит на признак "cutoff" и сразу же отпустит пакет.
 
-Так же везде расставлены фильтры по payload type. Отчасти так же с целью сократить вызовы LUA даже в пределах первых 10 пакетов с данными.
+Почему именно `-d10` ? Чтобы хватило для отработки большинства вариантов стратегий, учитывая возможные ретрансмиссии и плохую связь. В winws2 по умолчанию включен параметр `--wf-tcp-empty=0`. Он блокирует перехват пустых пакетов с ACK, что позволяет примерно в 2 раза сэкономить на процессоре при интенсивных скачиваниях. Пустые ACK в большинстве стратегий не нужны. Но это же и ломает счетчик "n" - он не будет показывать реальное количество пакетов по соединению. Счетчик "d" работать будет как надо.
+
+Почему нет "-d10" на udp ? Потому что используется windivert фильтр на пейлоад. Счетчики будут считать не реальное количество пакетов в потоке, а количество перехваченных с отфильтрованными пейлоадами. Причем если интервал между ними будет более 1 минуты, то счет будет начинаться заново, поскольку таймаут udp по умолчанию - 60 сек. После таймаута запись conntrack будет удалена. Следующий пакет пойдет как новый поток.
+
+Так же везде расставлены фильтры по payload type. Отчасти так же с целью сократить вызовы Lua даже в пределах первых 10 пакетов с данными.
 С другой стороны, даже при совпадении протокола соединения (`--filter-l7`) может пробежать не интересующий нас пейлоад.
 По умолчанию многие функции из `zapret-antidpi.lua` реагируют только на известные типы пейлоада, но не на конкретные, а на любые известные.
-Если допустить малореальный, но гипотетически возможный сценарий, что в рамках протокола http будет отправлен блок данных с tls или фраза, похожая на сообщение из xmpp,
-то тип пейлоада выскочит tls_client_hello или xmpp_stream, например. Лучше от этого сразу уберечься. Тем более что в других видах протоколов - xmpp, например, -
+Если допустить малореальный, но гипотетически возможный сценарий, что в рамках протокола http будет отправлен блок данных с tls или фраза, похожая на сообщение из xmpp, то тип пейлоада выскочит tls_client_hello или xmpp_stream, например. Лучше от этого сразу уберечься. Тем более что в других видах протоколов - xmpp, например, -
 пейлоады могут проскакивать нескольких типов вполне ожидаемо. Но работать надо не по всем.
 
 В фейке для TLS по умолчанию - fake_default_tls - однократно при старте меняется SNI с "www.microsoft.com" на случайный и рандомизируется поле "random" в TLS handshake.
-Это делается простой строчкой LUA кода. Больше нет никаких специальных параметров *nfqws2* для модификации пейлоадов.
+Это делается простой строчкой Lua кода. Больше нет никаких специальных параметров *nfqws2* для модификации пейлоадов.
 В профиле для youtube на лету меняется SNI на "www.google.com", копируется поле TLS "session id" с обрабатываемого в данный момент TLS handshake.
 
 ```
@@ -350,21 +366,49 @@ start "zapret: http,https,quic" /min "%~dp0winws2.exe" ^
    --lua-desync=multidisorder:pos=midsld ^
   --new ^
 --filter-udp=443 --filter-l7=quic --hostlist="%~dp0files\list-youtube.txt" ^
-  --out-range=-d10 ^
   --payload=quic_initial ^
    --lua-desync=fake:blob=quic_google:repeats=11 ^
   --new ^
 --filter-udp=443 --filter-l7=quic ^
-  --out-range=-d10 ^
   --payload=quic_initial ^
    --lua-desync=fake:blob=fake_default_quic:repeats=11 ^
   --new ^
 --filter-l7=wireguard,stun,discord ^
-  --out-range=-d10 ^
-  --payload=wireguard_initiation,wireguard_cookie,stun_binding_req,discord_ip_discovery ^
+  --payload=wireguard_initiation,wireguard_cookie,stun,discord_ip_discovery ^
    --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2
 ```
 
+И напоследок стоит продемонстрировать как делаются нестандартные вещи. То, что очень непросто запрограммировать в чисто описательном виде
+в фиксированном коде, не превращая программу в монстро-комбайн, перегруженный частными функциями и разваливающийся под своей тяжестью со временем,
+когда эти частные функции перестают быть нужны и забываются.
+
+Надо послать исходный запрос с известным пейлоадом с seqovl случайного размера от 5 до 10 символов со случайным содержимым, состоящим из букв от ‘a’ до ‘z’.
+Здесь раскрывается не декларативный характер стратегий, а алгоритмический. Стратегия - это программа, и пишите ее вы на языке программирования.
+Для облегчения простых или стандартных действий есть готовые средства, так что далеко не всегда надо писать свою функцию.
+Частенько можно обойтись простенькими кусками Lua кода в дополнение к имеющимся.
+
+Здесь используется функция `luaexec`, предназначенная для динамического выполнения Lua кода в процессе обработки текущего диссекта.
+Она инициализирует требуемый blob, записывая его в таблицу desync, которая передается от инстанса к инстансу.
+Следующий инстанс `tcpseg` использует `rnd` как blob - источник seqovl паттерна.
+
+Символы `%` и `#` используются для разименования блобов и подстановки их размера соответственно. Реализовано на уровне C кода.
+desync функция получает уже подставленные значения. В данном случае seqovl устанавливается как размер сгенерированного блоба.
+
+Функция `tcpseg` предназначена для отсылки tcp сегмента - части текущего пейлоада (или реасма - сборки нескольких пакетов, например в случае tls kyber).
+`pos=0,-1` - это диапазон, состоящий из двух маркеров - начала и конца. 0 - положительный абсолютный маркер, соответствующий началу пакета.
+-1 - отрицательный абсолютный маркер, соответствующий концу пакета. Получается, мы отсылаем целиком текущий пейлоад, но с seqovl.
+`tcpseg` не дропает пакет. Его надо дропнуть отдельно. По умолчанию `tcpseg` работает только с известными пейлоадами, а функция `drop` - с любыми.
+Поэтому нужно ей указать дропать только известные пейлоады.
+
+Такая связка из 3 инстансов решает поставленную задачу без кучи частных параметров вида `--dpi-desync...`.
+
+```
+nfqws2 \
+ --lua-desync=luaexec:code='desync.rnd=brandom_az(math.random(5,10))' \
+ --lua-desync=tcpseg:pos=0,-1:seqovl=#rnd:seqovl_pattern=rnd \
+ --lua-desync=drop:payload=known
+```
+
 ### Какие есть еще параметры
 
 Как узнать какие есть еще функции и какие у них бывают параметры ? Смотрите `zapret-antidpi.lua`. Перед каждой функцией подробно описано какие параметры она берет.
@@ -374,4 +418,4 @@ start "zapret: http,https,quic" /min "%~dp0winws2.exe" ^
 ### Очень важный совет
 
 Научитесь пользоваться `--debug` логом. Без него будет очень сложно понять *nfqws2* на начальном этапе и приспособиться к новой схеме.
-Ошибок будет много. Особенно, когда вы начнете писать свой LUA код. Их надо читать.
+Ошибок будет много. Особенно, когда вы начнете писать свой Lua код. Их надо читать.

files/fake/rtsp_options.bin

@@ -0,0 +1,4 @@
+OPTIONS rtsp://10.2.2.2:8554/ RTSP/1.0
+CSeq: 2
+User-Agent: LibVLC/3.0.16 (LIVE555 Streaming Media v2016.11.28)
+

files/fake/sip_register.bin

@@ -0,0 +1,13 @@
+REGISTER sip:192.168.1.1 SIP/2.0
+Via: SIP/2.0/UDP 192.168.1.2:42931;rport;branch=z9hG4bKPj3fd2e8713ffcd90c43f6ce69f6c98461
+Max-Forwards: 50
+From: <sip:703@192.168.1.1>;tag=ca565d7bd4e24a6d80c631d395ee117e
+To: <sip:703@192.168.1.1>
+Call-ID: dfec38302b8cea3d83c1452527c895c1
+CSeq: 26139 REGISTER
+User-Agent: MicroSIP/3.21.5
+Contact: <sip:703@192.168.1.2:42931;ob>
+Expires: 300
+Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
+Content-Length:  0
+

files/fake/smtp_ehlo.bin

@@ -0,0 +1 @@
+EHLO delta.peach.mil

init.d/custom.d.examples.linux/10-keenetic-udp-fix

@@ -0,0 +1,22 @@
+# This script fixes keenetic issue with nfqws generated udp packets
+# Keenetic uses proprietary ndmmark and does not masquerade without this mark
+# If not masqueraded packets go to WAN with LAN IP and get dropped by ISP
+
+# It's advised to set IFACE_WAN in config
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local wan wanif rule
+
+	[ "$DISABLE_IPV4" = "1" ] || {
+		# use IFACE_WAN if defined. if not - search for interfaces with default route.
+		wanif=${IFACE_WAN:-$(sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs)}
+		for wan in $wanif; do
+			rule="-o $wan -p udp -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
+			ipt_print_op $1 "$rule" "keenetic udp fix"
+			ipt_add_del $1 POSTROUTING -t nat $rule -j MASQUERADE
+		done
+	}
+}

init.d/custom.d.examples.linux/20-fw-extra

@@ -0,0 +1,53 @@
+# this custom script runs standard mode with extra firewall rules
+
+# config: use NFQWS2_ENABLE_OVERRIDE to enable standard mode daemons
+# standard and override switches cannot be enabled simultaneously !
+
+NFQWS2_ENABLE_OVERRIDE=${NFQWS2_ENABLE_OVERRIDE:-0}
+
+# config: some if these values must be set in config. not setting any of these makes this script meaningless.
+# pre vars put ipt/nft code to the rule beginning
+#FW_EXTRA_PRE_NFQWS2_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS2_NFT="mark and 0x10000000 != 0"
+# post vars put ipt/nft code to the rule end
+#FW_EXTRA_POST_NFQWS2_IPT=
+#FW_EXTRA_POST_NFQWS2_NFT=
+
+check_std_intersect()
+{
+	[ "$NFQWS2_ENABLE_OVERRIDE" = 1 -a "$NFQWS2_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS2_ENABLE_OVERRIDE and NFQWS2_ENABLE are enabled"
+		return 1
+	}
+	return 0
+}
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	check_std_intersect || return
+
+	local NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	standard_mode_daemons "$1"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_IPT"
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_NFT"
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}

init.d/custom.d.examples.linux/40-webserver

@@ -0,0 +1,39 @@
+# this custom script runs nfqws2 in server mode for typical webserver
+
+WEBSERVER_DEFAULT_STRATEGY="
+--server
+--payload http_reply,tls_server_hello --lua-desync=fake:blob=0x00000000000000000000000000000000:badsum:repeats=2 --lua-desync=multisplit
+--payload empty --lua-desync=synack_split"
+
+# can override in config :
+NFQWS_OPT_DESYNC_WEBSERVER="${NFQWS_OPT_DESYNC_WEBSERVER:-$WEBSERVER_DEFAULT_STRATEGY}"
+WEBSERVER_PORTS="${WEBSERVER_PORTS:-80,443}"
+WEBSERVER_PKT_OUT="${WEBSERVER_PKT_OUT:-15}"
+
+alloc_dnum DNUM_WEBSERVER
+alloc_qnum QNUM_WEBSERVER
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_WEBSERVER $NFQWS_OPT_DESYNC_WEBSERVER"
+	do_nfqws $1 $DNUM_WEBSERVER "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local PORTS=$(replace_char - : $WEBSERVER_PORTS)
+	local first_packets=$(ipt_first_packets $WEBSERVER_PKT_OUT)
+	local f="-p tcp -m multiport --sports $PORTS $first_packets"
+	fw_nfqws_post $1 "$f" "$f" $QNUM_WEBSERVER
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local first_packets=$(nft_first_packets $WEBSERVER_PKT_OUT)
+	local f="tcp sport {$WEBSERVER_PORTS} $first_packets"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WEBSERVER
+}

init.d/custom.d.examples.linux/50-dht4all

@@ -0,0 +1,40 @@
+# this custom script runs desync to DHT packets with udp payload length >=5 , without ipset/hostlist filtering
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---payload dht --lua-desync=dht_dn}"
+# set it to "keepalive" to fool all packets, not just the first. or set number of packets to be fooled.
+NFQWS_OPT_DHT_PKT_OUT=${NFQWS_OPT_DHT_PKT_OUT:-20}
+
+alloc_dnum DNUM_DHT4ALL
+alloc_qnum QNUM_DHT4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
+	do_nfqws $1 $DNUM_DHT4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f uf4 uf6
+	local first_packet_only=$(ipt_first_packets $NFQWS_OPT_DHT_PKT_OUT)
+
+	f='-p udp -m u32 --u32'
+	uf4='0>>22&0x3C@4>>16=13:0xFFFF&&0>>22&0x3C@8>>16=0x6431:0x6432'
+	uf6='44>>16=13:0xFFFF&&48>>16=0x6431:0x6432'
+	fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+        local f
+	local first_packet_only=$(nft_first_packets $NFQWS_OPT_DHT_PKT_OUT)
+
+        f="udp length ge 13 meta l4proto udp @ih,0,16 0x6431-0x6432"
+        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
+}

init.d/custom.d.examples.linux/50-discord-media

@@ -0,0 +1,35 @@
+# this custom script runs desync to all discord media packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---payload discord_ip_discovery --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"
+
+alloc_dnum DNUM_DISCORD_MEDIA
+alloc_qnum QNUM_DISCORD_MEDIA
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DISCORD_MEDIA $NFQWS_OPT_DESYNC_DISCORD_MEDIA"
+	do_nfqws $1 $DNUM_DISCORD_MEDIA "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local DISABLE_IPV6=1
+	local port_range=$(replace_char - : $DISCORD_MEDIA_PORT_RANGE)
+	local f="-p udp --dport $port_range -m u32 --u32"
+	# this is simplified test to skip writing monstrous rule. instead of checking 64 bytes for zeroes only check 2 dwords for zero
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x52&&0>>22&0x3C@8=0x00010046&&0>>22&0x3C@16=0&&0>>22&0x3C@76=0" '' $QNUM_DISCORD_MEDIA
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local DISABLE_IPV6=1
+	local f="udp dport $DISCORD_MEDIA_PORT_RANGE udp length == 82 @ih,0,32 0x00010046 @ih,64,128 0x00000000000000000000000000000000 @ih,192,128 0x00000000000000000000000000000000 @ih,320,128 0x00000000000000000000000000000000 @ih,448,128 0x00000000000000000000000000000000"
+	nft_fw_nfqws_post "$f" '' $QNUM_DISCORD_MEDIA
+}

init.d/custom.d.examples.linux/50-nfqws-ipset

@@ -0,0 +1,144 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset
+
+# can override in config :
+NFQWS2_MY1_OPT="${NFQWS2_MY1_OPT:---filter-udp=* --payload known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
+NFQWS2_MY1_SUBNETS4="${NFQWS2_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
+NFQWS2_MY1_SUBNETS6="${NFQWS2_MY1_SUBNETS6:-2a00:1450::/29}"
+NFQWS2_MY1_PORTS_TCP=${NFQWS2_MY1_PORTS_TCP:-$NFQWS2_PORTS_TCP}
+NFQWS2_MY1_PORTS_UDP=${NFQWS2_MY1_PORTS_UDP:-$NFQWS2_PORTS_UDP}
+NFQWS2_MY1_TCP_PKT_OUT=${NFQWS2_MY1_TCP_PKT_OUT:-$NFQWS2_TCP_PKT_OUT}
+NFQWS2_MY1_UDP_PKT_OUT=${NFQWS2_MY1_UDP_PKT_OUT:-$NFQWS2_UDP_PKT_OUT}
+NFQWS2_MY1_TCP_PKT_IN=${NFQWS2_MY1_TCP_PKT_IN:-$NFQWS2_TCP_PKT_IN}
+NFQWS2_MY1_UDP_PKT_IN=${NFQWS2_MY1_UDP_PKT_IN:-$NFQWS2_UDP_PKT_IN}
+
+NFQWS2_MY1_IPSET_SIZE=${NFQWS2_MY1_IPSET_SIZE:-4096}
+NFQWS2_MY1_IPSET_OPT="${NFQWS2_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $NFQWS2_MY1_IPSET_SIZE}"
+
+alloc_dnum DNUM_NFQWS2_MY1
+alloc_qnum QNUM_NFQWS2_MY1
+NFQWS2_MY1_NAME4=my1nfqws4
+NFQWS2_MY1_NAME6=my1nfqws6
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS2_MY1 $NFQWS2_MY1_OPT"
+	do_nfqws $1 $DNUM_NFQWS2_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6 subnet
+	local NFQWS2_MY1_PORTS_TCP=$(replace_char - : $NFQWS2_MY1_PORTS_TCP)
+	local NFQWS2_MY1_PORTS_UDP=$(replace_char - : $NFQWS2_MY1_PORTS_UDP)
+
+	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
+		ipset create $NFQWS2_MY1_NAME4 $NFQWS2_MY1_IPSET_OPT family inet 2>/dev/null
+		ipset flush $NFQWS2_MY1_NAME4
+		for subnet in $NFQWS2_MY1_SUBNETS4; do
+			echo add $NFQWS2_MY1_NAME4 $subnet
+		done | ipset -! restore
+	}
+	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
+		ipset create $NFQWS2_MY1_NAME6 $NFQWS2_MY1_IPSET_OPT family inet6 2>/dev/null
+		ipset flush $NFQWS2_MY1_NAME6
+		for subnet in $NFQWS2_MY1_SUBNETS6; do
+			echo add $NFQWS2_MY1_NAME6 $subnet
+		done | ipset -! restore
+	}
+
+	[ -n "$NFQWS2_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS2_MY1_TCP_PKT_OUT" -a "$NFQWS2_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="-p tcp -m multiport --dports $NFQWS2_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS2_MY1_TCP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 dst"
+			f4="$f4 $NFQWS2_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+		[ -n "$NFQWS2_MY1_TCP_PKT_IN" -a "$NFQWS2_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="-p tcp -m multiport --sports $NFQWS2_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS2_MY1_TCP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 src"
+			f4="$f4 $NFQWS2_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+	}
+	[ -n "$NFQWS2_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS2_MY1_UDP_PKT_OUT" -a "$NFQWS2_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="-p udp -m multiport --dports $NFQWS2_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS2_MY1_UDP_PKT_OUT -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 dst"
+			f4="$f4 $NFQWS2_MY1_NAME4 dst"
+			fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+		[ -n "$NFQWS2_MY1_UDP_PKT_IN" -a "$NFQWS2_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="-p udp -m multiport --sports $NFQWS2_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS2_MY1_UDP_PKT_IN -m set --match-set"
+			f6="$f4 $NFQWS2_MY1_NAME6 src"
+			f4="$f4 $NFQWS2_MY1_NAME4 src"
+			fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+	}
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS2_MY1_NAME4 2>/dev/null
+		ipset destroy $NFQWS2_MY1_NAME6 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	local f4 f6 subnets
+	local first_packets_only="$nft_connbytes 1-$NFQWS2_MY1_PKT_OUT"
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+		make_comma_list subnets $NFQWS2_MY1_SUBNETS4
+		nft_create_set $NFQWS2_MY1_NAME4 "type ipv4_addr; size $NFQWS2_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS2_MY1_NAME4
+		nft_add_set_element $NFQWS2_MY1_NAME4 "$subnets"
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+		make_comma_list subnets $NFQWS2_MY1_SUBNETS6
+		nft_create_set $NFQWS2_MY1_NAME6 "type ipv6_addr; size $NFQWS2_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $NFQWS2_MY1_NAME6
+		nft_add_set_element $NFQWS2_MY1_NAME6 "$subnets"
+	}
+
+	[ -n "$NFQWS2_MY1_PORTS_TCP" ] && {
+		[ -n "$NFQWS2_MY1_TCP_PKT_OUT" -a "$NFQWS2_MY1_TCP_PKT_OUT" != 0 ] && {
+			f4="tcp dport {$NFQWS2_MY1_PORTS_TCP} $(nft_first_packets $NFQWS2_MY1_TCP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+		[ -n "$NFQWS2_MY1_TCP_PKT_IN" -a "$NFQWS2_MY1_TCP_PKT_IN" != 0 ] && {
+			f4="tcp sport {$NFQWS2_MY1_PORTS_TCP} $(nft_first_packets $NFQWS2_MY1_TCP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+	}
+	[ -n "$NFQWS2_MY1_PORTS_UDP" ] && {
+		[ -n "$NFQWS2_MY1_UDP_PKT_OUT" -a "$NFQWS2_MY1_UDP_PKT_OUT" != 0 ] && {
+			f4="udp dport {$NFQWS2_MY1_PORTS_UDP} $(nft_first_packets $NFQWS2_MY1_UDP_PKT_OUT)"
+			f6="$f4 ip6 daddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip daddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+		[ -n "$NFQWS2_MY1_UDP_PKT_IN" -a "$NFQWS2_MY1_UDP_PKT_IN" != 0 ] && {
+			f4="udp sport {$NFQWS2_MY1_PORTS_UDP} $(nft_first_packets $NFQWS2_MY1_UDP_PKT_IN)"
+			f6="$f4 ip6 saddr @$NFQWS2_MY1_NAME6"
+			f4="$f4 ip saddr @$NFQWS2_MY1_NAME4"
+			nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS2_MY1
+		}
+	}
+}
+
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS2_MY1_NAME4 2>/dev/null
+	nft_del_set $NFQWS2_MY1_NAME6 2>/dev/null
+}

init.d/custom.d.examples.linux/50-quic4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all IETF QUIC initials
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_QUIC="${NFQWS_OPT_DESYNC_QUIC:---payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=2}"
+
+alloc_dnum DNUM_QUIC4ALL
+alloc_qnum QNUM_QUIC4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_QUIC4ALL $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 $DNUM_QUIC4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=264:65535&&0>>22&0x3C@8>>28=0xC&&0>>22&0x3C@9=0x00000001" "$f 44>>16=264:65535&&48>>28=0xC&&49=0x00000001" $QNUM_QUIC4ALL
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f="udp length >= 264 @ih,0,4 0xC @ih,8,32 0x00000001"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_QUIC4ALL
+}

init.d/custom.d.examples.linux/50-stun4all

@@ -0,0 +1,30 @@
+# this custom script runs desync to all stun packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+
+alloc_dnum DNUM_STUN4ALL
+alloc_qnum QNUM_STUN4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_STUN4ALL $NFQWS_OPT_DESYNC_STUN"
+	do_nfqws $1 $DNUM_STUN4ALL "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=28:65535&&0>>22&0x3C@12=0x2112A442&&0>>22&0x3C@8&0xC0000003=0" "$f 44>>16=28:65535&&52=0x2112A442&&48&0xC0000003=0" $QNUM_STUN4ALL
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f="udp length >= 28 @ih,32,32 0x2112A442 @ih,0,2 0 @ih,30,2 0"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_STUN4ALL
+}

init.d/custom.d.examples.linux/50-wg4all

@@ -0,0 +1,38 @@
+# this custom script runs desync to all wireguard handshake initiation, response and cookie packets
+# NOTE: this works for original wireguard and may not work for 3rd party implementations such as xray
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---payload wireguard_initiation,wireguard_response,wireguard_cookie --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+	do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=156&&0>>22&0x3C@8=0x01000000" "$f 44>>16=156&&48=0x01000000" $QNUM_WG4ALL
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=100&&0>>22&0x3C@8=0x02000000" "$f 44>>16=100&&48=0x02000000" $QNUM_WG4ALL
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=72&&0>>22&0x3C@8=0x03000000" "$f 44>>16=72&&48=0x03000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f="udp length 156 @ih,0,32 0x01000000"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+	local f="udp length 100 @ih,0,32 0x02000000"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+	local f="udp length 72 @ih,0,32 0x03000000"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}

init.d/custom.d.examples.linux/80-dns-intercept

@@ -0,0 +1,62 @@
+# this custom script feeds dns response data to main nfqws2 instance
+# DISABLE_IPV{4,6} filters are not used intentionally. despite of not having wan ipv6 it's possible to query LAN DNS server over local ipv6
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+	local filt="-p udp --sport 53"
+	local jump="-j NFQUEUE --queue-num $QNUM --queue-bypass"
+	local rule chain lan lanifs
+
+	get_lanif lanifs
+
+	# router
+	for lan in $lanifs; do
+		rule="-o $lan $filt $jump"
+		ipt_print_op $1 "$rule" "nfqws FORWARD (qnum $QNUM)"
+		ipt_add_del $1 FORWARD -t mangle $rule
+		ipt_print_op $1 "$rule" "nfqws FORWARD (qnum $QNUM)" 6
+		ipt6_add_del $1 FORWARD -t mangle $rule
+	done
+	# dns client server
+	for chain in INPUT OUTPUT ; do
+		rule="$filt $jump"
+		ipt_print_op $1 "$rule" "nfqws $chain (qnum $QNUM)"
+		ipt_add_del $1 $chain -t mangle $rule
+		ipt_print_op $1 "$rule" "nfqws $chain (qnum $QNUM)" 6
+		ipt6_add_del $1 $chain -t mangle $rule
+	done
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local rule="udp sport 53 queue num $QNUM bypass"
+
+	# router
+	nft_print_op "oifname @lanif $rule" "nfqws forward (qnum $QNUM)" "4+6"
+	nft_add_chain forward_dns_feed "type filter hook forward priority mangle;"
+	nft_flush_chain forward_dns_feed
+	nft_add_rule forward_dns_feed oifname @lanif $rule
+
+	# dns client
+	nft_print_op "$rule" "nfqws input (qnum $QNUM)" "4+6"
+	nft_add_chain input_dns_feed "type filter hook input priority mangle;"
+	nft_flush_chain input_dns_feed
+	nft_add_rule input_dns_feed $rule
+
+	# dns server
+	nft_print_op "$rule" "nfqws output (qnum $QNUM)" "4+6"
+	nft_add_chain output_dns_feed "type filter hook output priority mangle;"
+	nft_flush_chain output_dns_feed
+	nft_add_rule output_dns_feed $rule
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	local chain
+	for chain in forward_dns_feed input_dns_feed output_dns_feed; do
+		nft_del_chain $chain 2>/dev/null
+	done
+}

init.d/custom.d.examples.linux/99-lan-filter

@@ -0,0 +1,145 @@
+# this custom script sets FILTER_MARK to specified source ips
+
+# NOTE !!! SCRIPT REQUIRES FILTER_MARK VAR IN CONFIG FILE !!!
+# NOTE !!! WITHOUT FILTER_MARK IT DOES NOTHING !!!
+
+# NOTE !!! ON NON-OPENWRT SYSTEMS SCRIPT REQUIRES IFACE_LAN VAR IN CONFIG FILE !!!
+
+# can override in config :
+# LAN ip/cidr list to be fooled. elements are space separated
+FILTER_LAN_IP="${FILTER_LAN_IP:-192.168.0.0/16}"
+FILTER_LAN_IP6="${FILTER_LAN_IP6:-fc00::/7}"
+# allow fooling from local system (0|1) ?
+FILTER_LAN_ALLOW_OUTPUT="${FILTER_LAN_ALLOW_OUTPUT:-1}"
+
+FILTER_LAN_SET="lanfilter"
+FILTER_LAN_SET6="${FILTER_LAN_SET}6"
+FILTER_LAN_IPSET_SIZE=${FILTER_LAN_IPSET_SIZE:-256}
+FILTER_LAN_IPSET_OPT="${FILTER_LAN_IPSET_OPT:-hash:net hashsize 8192 maxelem $FILTER_LAN_IPSET_SIZE}"
+
+filter_mark_check()
+{
+	[ -n "$FILTER_MARK" ] || {
+		echo "WARNING ! lan filter cannot work without FILTER_MARK set in config"
+		return 1
+	}
+	[ "$DISABLE_IPV4" = 1 -a "$DISABLE_IPV6" = 1 ] && return 1
+	return 0
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	filter_mark_check || return
+
+	local subnet lanifs rule
+	local setmark="-j MARK --set-mark $FILTER_MARK/$FILTER_MARK"
+	local filt4="-m set --match-set $FILTER_LAN_SET src"
+	local filt6="-m set --match-set $FILTER_LAN_SET6 src"
+
+	get_lanif lanifs
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+		[ "$FILTER_LAN_ALLOW_OUTPUT" = 1 ] && {
+			ipt_print_op $1 "$setmark" "filter output"
+			ipt_add_del $1 OUTPUT -t mangle $setmark
+		}
+		[ -n "$lanifs" ] && {
+			[ "$1" = 1 ] && {
+				ipset create $FILTER_LAN_SET $FILTER_LAN_IPSET_OPT family inet 2>/dev/null
+				ipset flush $FILTER_LAN_SET
+				for subnet in $FILTER_LAN_IP; do
+					echo add $FILTER_LAN_SET $subnet
+				done | ipset -! restore
+			}
+			for lan in $lanifs; do
+				rule="-i $lan $filt4 $setmark"
+				ipt_print_op $1 "$rule" "filter forward"
+				ipt_add_del $1 FORWARD -t mangle $rule
+			done
+		}
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+		[ "$FILTER_LAN_ALLOW_OUTPUT" = 1 ] && {
+			ipt_print_op $1 "$setmark" "filter output" 6
+			ipt6_add_del $1 OUTPUT -t mangle $setmark
+		}
+		[ -n "$lanifs" ] && {
+			[ "$1" = 1 ] && {
+				ipset create $FILTER_LAN_SET6 $FILTER_LAN_IPSET_OPT family inet6 2>/dev/null
+				ipset flush $FILTER_LAN_SET6
+				for subnet in $FILTER_LAN_IP6; do
+					echo add $FILTER_LAN_SET6 $subnet
+				done | ipset -! restore
+			}
+			for lan in $lanifs; do
+				rule="-i $lan $filt6 $setmark"
+				ipt_print_op $1 "$rule" "filter forward" 6
+				ipt6_add_del $1 FORWARD -t mangle $rule
+			done
+		}
+	}
+
+	[ "$1" = 1 ] || {
+		ipset destroy $FILTER_LAN_SET 2>/dev/null
+		ipset destroy $FILTER_LAN_SET6 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	filter_mark_check || return
+
+	local subnets rule
+	local setmark="meta mark set meta mark or $FILTER_MARK"
+	local filt4="ip saddr == @$FILTER_LAN_SET"
+	local filt6="ip6 saddr == @$FILTER_LAN_SET6"
+	local lanif="iifname @lanif"
+
+	nft_add_chain forward_lan_filter "type filter hook forward priority mangle;"
+	nft_flush_chain forward_lan_filter
+
+	if [ "$FILTER_LAN_ALLOW_OUTPUT" = 1 ]; then
+		nft_add_chain output_lan_filter "type filter hook output priority mangle;"
+		nft_flush_chain output_lan_filter
+		nft_print_op "$setmark" "filter output" "4+6"
+		nft_add_rule output_lan_filter $setmark
+	else
+		nft_del_chain output_lan_filter 2>/dev/null
+	fi
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+		make_comma_list subnets $FILTER_LAN_IP
+		nft_create_set $FILTER_LAN_SET "type ipv4_addr; size $FILTER_LAN_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $FILTER_LAN_SET
+		nft_add_set_element $FILTER_LAN_SET "$subnets"
+
+		rule="$lanif $filt4 $setmark"
+		nft_print_op "$rule" "filter forward" "4"
+		nft_add_rule forward_lan_filter $rule
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+		make_comma_list subnets $FILTER_LAN_IP6
+		nft_create_set $FILTER_LAN_SET6 "type ipv6_addr; size $FILTER_LAN_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $FILTER_LAN_SET6
+		nft_add_set_element $FILTER_LAN_SET6 "$subnets"
+
+		rule="$lanif $filt6 $setmark"
+		nft_print_op "$rule" "filter forward" "6"
+		nft_add_rule forward_lan_filter $rule
+	}
+}
+
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_chain forward_lan_filter 2>/dev/null
+	nft_del_chain output_lan_filter 2>/dev/null
+
+	nft_del_set $FILTER_LAN_SET 2>/dev/null
+	nft_del_set $FILTER_LAN_SET6 2>/dev/null
+}

init.d/openrc/zapret2

@@ -0,0 +1,69 @@
+#!/sbin/openrc-run
+
+# zapret openrc to sysv adapter
+# on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d
+
+EXEDIR=$(dirname "$RC_SERVICE")
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+ZAPRET_BASE="$EXEDIR/../.."
+ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret2"
+
+extra_commands="start_fw stop_fw restart_fw start_daemons stop_daemons restart_daemons reload_ifsets list_ifsets list_table"
+description="extra commands :"
+description_stop_fw="Stop zapret firewall"
+description_start_fw="Start zapret firewall"
+description_restart_fw="Restart zapret firewall"
+description_reload_ifsets="Reload interface lists (nftables only)"
+description_list_ifsets="Display interface lists (nftables only)"
+description_list_table="Display zapret nftable (nftables only)"
+description_stop_daemons="Stop zapret daemons only"
+description_start_daemons="Start zapret daemons only"
+description_restart_daemons="Restart zapret firewall only"
+
+depend() {
+	rc-service -e networking && need networking
+}
+start()
+{
+	"$ZAPRET_INIT" start
+}
+stop()
+{
+	"$ZAPRET_INIT" stop
+}
+start_fw()
+{
+	"$ZAPRET_INIT" start_fw
+}
+stop_fw()
+{
+	"$ZAPRET_INIT" stop_fw
+}
+restart_fw()
+{
+	"$ZAPRET_INIT" restart_fw
+}
+start_daemons()
+{
+	"$ZAPRET_INIT" start_daemons
+}
+stop_daemons()
+{
+	"$ZAPRET_INIT" stop_daemons
+}
+restart_daemons()
+{
+	"$ZAPRET_INIT" restart_daemons
+}
+reload_ifsets()
+{
+	"$ZAPRET_INIT" reload_ifsets
+}
+list_ifsets()
+{
+	"$ZAPRET_INIT" list_ifsets
+}
+list_table()
+{
+	"$ZAPRET_INIT" list_table
+}

init.d/openwrt/90-zapret2

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+ZAPRET=/etc/init.d/zapret2
+
+[ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
+	SCRIPT=$(readlink "$ZAPRET")
+	if [ -n "$SCRIPT" ]; then
+		EXEDIR=$(dirname "$SCRIPT")
+		ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+	else
+		ZAPRET_BASE=/opt/zapret2
+	fi
+	ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+	ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+	CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
+	. "$ZAPRET_CONFIG"
+	. "$ZAPRET_BASE/common/base.sh"
+	. "$ZAPRET_BASE/common/fwtype.sh"
+
+	linux_fwtype
+	case "$FWTYPE" in
+		nftables)
+			logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE
+			"$ZAPRET" reload_ifsets
+			;;
+		iptables)
+			openwrt_fw3 || {
+				logger -t zapret reloading iptables due to $ACTION of $INTERFACE
+				"$ZAPRET" restart_fw
+			}
+			;;
+	esac
+}

init.d/openwrt/firewall.zapret2

@@ -0,0 +1,11 @@
+SCRIPT=$(readlink /etc/init.d/zapret2)
+if [ -n "$SCRIPT" ]; then
+ EXEDIR=$(dirname "$SCRIPT")
+ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+ ZAPRET_BASE=/opt/zapret2
+fi
+
+. "$ZAPRET_BASE/init.d/openwrt/functions"
+
+zapret_apply_firewall

init.d/openwrt/functions

@@ -0,0 +1,230 @@
+. /lib/functions/network.sh
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret2}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/linux_iphelper.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/nft.sh"
+. "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
+
+QNUM=${QNUM:-300}
+WS_USER=${WS_USER:-daemon}
+DESYNC_MARK=${DESYNC_MARK:-0x40000000}
+DESYNC_MARK_POSTNAT=${DESYNC_MARK_POSTNAT:-0x20000000}
+OPENWRT_LAN=${OPENWRT_LAN:-lan}
+
+IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
+
+# can be multiple ipv6 outgoing interfaces
+# uplink from isp, tunnelbroker, vpn, ...
+# want them all. who knows what's the real one that blocks sites
+# dont want any manual configuration - want to do it automatically
+# standard network_find_wan[6] return only the first
+# we use low level function from network.sh to avoid this limitation
+# it can change theoretically and stop working
+
+network_find_wan4_all()
+{
+	if [ -n "$OPENWRT_WAN4" ]; then
+		eval $1="\$OPENWRT_WAN4"
+	else
+		__network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return
+		network_find_wan $1
+	fi
+}
+network_find_wan_all()
+{
+	network_find_wan4_all "$@"
+}
+network_find_wan6_all()
+{
+	if [ -n "$OPENWRT_WAN6" ]; then
+		eval $1="\$OPENWRT_WAN6"
+	else
+		__network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return
+		network_find_wan6 $1
+	fi
+}
+network_find_wanX_devices()
+{
+	# $1 - ip version: 4 or 6
+	# $2 - variable to put result to
+	local ifaces
+	network_find_wan${1}_all ifaces
+	call_for_multiple_items network_get_device $2 "$ifaces"
+}
+
+get_wanif46()
+{
+	# $1 - 4/6
+	# $2 - var to receive interface list
+	local ifaces
+	network_find_wan${1}_all ifaces
+	call_for_multiple_items network_get_device $2 "$ifaces"
+}
+get_lanif()
+{
+	# $1 - var to receive interface list
+	call_for_multiple_items network_get_device $1 "$OPENWRT_LAN"
+}
+
+
+fw_nfqws_prepost_x()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - filter
+	# $3 - queue number
+	# $4 - 4/6
+	# $5 - post/pre
+
+	local DWAN
+	get_wanif46 $4 DWAN
+	[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
+}
+fw_nfqws_post4()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 4 post
+}
+fw_nfqws_post6()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 6 post
+}
+fw_nfqws_pre4()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 4 pre
+}
+fw_nfqws_pre6()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 6 pre
+}
+
+create_ipset()
+{
+	echo "Creating ip list table (firewall type $FWTYPE)"
+	"$IPSET_CR" "$@"
+}
+
+list_nfqws_rules()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	ip$1tables -S POSTROUTING -t mangle | \
+		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \
+		sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
+}
+apply_flow_offloading_enable_rule()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local i off='-j FLOWOFFLOAD'
+	[ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw"
+	i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off"
+	echo enabling ipv${1:-4} flow offloading : $i
+	ip$1tables -A $i
+}
+apply_flow_offloading_exempt_rule()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local i v
+	v=$1
+	shift
+	i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN"
+	echo applying ipv${v:-4} flow offloading exemption : $i
+	ip${v}tables -A $i
+}
+flow_offloading_unexempt_v()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local DWAN
+	network_find_wanX_devices ${1:-4} DWAN
+	for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done
+	ip$1tables -F forwarding_rule_zapret 2>/dev/null
+	ip$1tables -X forwarding_rule_zapret 2>/dev/null
+}
+flow_offloading_exempt_v()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	is_ipt_flow_offload_avail $1 || return 0
+
+	flow_offloading_unexempt_v $1
+
+	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
+		ip$1tables -N forwarding_rule_zapret
+
+		# remove outgoing interface
+		list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' |
+		while read rule; do
+			apply_flow_offloading_exempt_rule "$1" $rule
+		done
+
+		apply_flow_offloading_enable_rule $1
+
+		# only outgoing to WAN packets trigger flow offloading
+		local DWAN
+		network_find_wanX_devices ${1:-4} DWAN
+		for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done
+	}
+	return 0
+}
+flow_offloading_exempt()
+{
+	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v
+	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6
+}
+flow_offloading_unexempt()
+{
+	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v
+	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6
+}
+
+nft_fill_ifsets_overload()
+{
+	local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6
+
+	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
+	call_for_multiple_items network_get_physdev PDLAN "$OPENWRT_LAN"
+
+	network_find_wan4_all ifaces
+	call_for_multiple_items network_get_device DWAN "$ifaces"
+	call_for_multiple_items network_get_physdev PDWAN "$ifaces"
+
+	network_find_wan6_all ifaces
+	call_for_multiple_items network_get_device DWAN6 "$ifaces"
+	call_for_multiple_items network_get_physdev PDWAN6 "$ifaces"
+
+	nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6"
+}
+nft_wanif_filter_present()
+{
+	# in openwrt we always use wanif filter
+	return 0
+}
+nft_wanif6_filter_present()
+{
+	# in openwrt we always use wanif6 filter
+	return 0
+}
+
+
+nft_fw_nfqws_post4()
+{
+	_nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_post6()
+{
+	_nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_pre4()
+{
+	_nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_pre6()
+{
+	_nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter
+}

init.d/openwrt/zapret2

@@ -0,0 +1,135 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+# after network
+START=21
+
+my_extra_command() {
+	local cmd="$1"
+	local help="$2"
+
+	local extra="$(printf "%-16s%s" "${cmd}" "${help}")"
+	EXTRA_HELP="${EXTRA_HELP}	${extra}
+"
+	EXTRA_COMMANDS="${EXTRA_COMMANDS} ${cmd}"
+}
+my_extra_command stop_fw "Stop zapret firewall (noop in iptables+fw3 case)"
+my_extra_command start_fw "Start zapret firewall (noop in iptables+fw3 case)"
+my_extra_command restart_fw "Restart zapret firewall (noop in iptables+fw3 case)"
+my_extra_command reload_ifsets "Reload interface lists (nftables only)"
+my_extra_command list_ifsets "Display interface lists (nftables only)"
+my_extra_command list_table "Display zapret nftable (nftables only)"
+my_extra_command stop_daemons "Stop zapret daemons only (=stop in iptables+fw3 case)"
+my_extra_command start_daemons "Start zapret daemons only (=start in iptables+fw3 case)"
+my_extra_command restart_daemons "Restart zapret firewall only (=restart in iptables+fw3 case)"
+
+SCRIPT=$(readlink /etc/init.d/zapret2)
+if [ -n "$SCRIPT" ]; then
+ EXEDIR=$(dirname "$SCRIPT")
+ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+ ZAPRET_BASE=/opt/zapret2
+fi
+
+. "$ZAPRET_BASE/init.d/openwrt/functions"
+
+
+# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately
+# !!!!! in new openwrt >21.x with nftables firewall is configured here
+
+PIDDIR=/var/run
+
+USEROPT="--user=$WS_USER"
+NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
+LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
+NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
+
+run_daemon()
+{
+	# $1 - daemon string id or number. can use 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	echo "Starting daemon $1: $2 $3"
+	procd_open_instance
+	procd_set_param command $2 $3
+	procd_set_param pidfile $PIDDIR/${DAEMONBASE}_$1.pid
+	procd_close_instance
+}
+
+run_nfqws()
+{
+	run_daemon $1 "$NFQWS2" "$NFQWS2_OPT_BASE $2"
+}
+do_nfqws()
+{
+	[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
+}
+
+start_daemons_procd()
+{
+	standard_mode_daemons 1
+	custom_runner zapret_custom_daemons 1
+
+	return 0
+}
+start_daemons()
+{
+	rc_procd start_daemons_procd "$@"
+}
+stop_daemons()
+{
+	local svc="$(basename ${basescript:-$initscript})"
+	procd_running "$svc" "$1" && procd_kill "$svc" "$1"
+}
+restart_daemons()
+{
+	stop_daemons
+	start_daemons
+}
+
+start_fw()
+{
+	zapret_apply_firewall
+}
+stop_fw()
+{
+	zapret_unapply_firewall
+}
+restart_fw()
+{
+	stop_fw
+	start_fw
+}
+reload_ifsets()
+{
+	zapret_reload_ifsets
+}
+list_ifsets()
+{
+	zapret_list_ifsets
+}
+list_table()
+{
+	zapret_list_table
+}
+
+start_service()
+{
+	start_daemons_procd
+	[ "$INIT_APPLY_FW" != "1" ] || {
+		linux_fwtype
+		openwrt_fw3_integration || start_fw
+	}
+}
+
+stop_service()
+{
+	# this procedure is called from stop()
+	# stop() already stop daemons
+	[ "$INIT_APPLY_FW" != "1" ] || {
+		linux_fwtype
+		openwrt_fw3_integration || stop_fw
+	}
+}

init.d/pfsense/zapret2.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# this file should be placed to /usr/local/etc/rc.d and chmod 755
+
+# copy 'lua' dir there
+ZDIR=/usr/local/etc/zapret2
+
+# prepare system
+
+kldload ipfw
+kldload ipdivert
+
+# for older pfsense versions. newer do not have these sysctls
+sysctl net.inet.ip.pfil.outbound=ipfw,pf
+sysctl net.inet.ip.pfil.inbound=ipfw,pf
+sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
+sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
+
+# required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
+pfctl -d ; pfctl -e
+
+# add ipfw rules and start daemon
+
+ipfw delete 100
+ipfw add 100 divert 990 tcp from any to any 80,443 out not diverted not sockarg
+pkill ^dvtws2$
+dvtws2 --daemon --port 990 --lua-init=@$ZDIR/zapret-lib.lua --lua-init=@$ZDIR/zapret-antidpi.lua --lua-desync=multisplit

init.d/runit/zapret2/finish

@@ -0,0 +1,2 @@
+#!/bin/sh
+/opt/zapret2/init.d/sysv/zapret2 stop

init.d/runit/zapret2/run

@@ -0,0 +1,3 @@
+#!/bin/sh
+/opt/zapret2/init.d/sysv/zapret2 start
+exec chpst -b zapret2 sleep infinity

init.d/s6/zapret2/down

@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+exec /opt/zapret2/init.d/sysv/zapret2 stop

init.d/s6/zapret2/type

@@ -0,0 +1 @@
+oneshot

init.d/s6/zapret2/up

@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+exec /opt/zapret2/init.d/sysv/zapret2 start

init.d/systemd/nfqws2@.service

@@ -0,0 +1,62 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile nfqws using `make systemd`
+# WARNING ! This makefile target enables special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret2 systemd
+# cp nfqws2\@.service /lib/systemd/system
+# systemctl daemon-reload
+
+# MANAGE INSTANCE
+# prepare /etc/zapret2/nfqws1.conf with nfqws parameters
+# systemctl start nfqws2@nfqws1
+# systemctl status nfqws2@nfqws1
+# systemctl restart nfqws2@nfqws1
+# systemctl enable nfqws2@nfqws1
+# systemctl disable nfqws2@nfqws1
+# systemctl stop nfqws2@nfqws1
+
+# DELETE
+# rm /lib/systemd/system/nfqws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret2/nfq2
+ExecStart=nfqws2 @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret2
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

init.d/systemd/zapret2-list-update.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=zapret2 ip/host list update
+
+[Service]
+Restart=no
+IgnoreSIGPIPE=no
+KillMode=control-group
+GuessMainPID=no
+RemainAfterExit=no
+ExecStart=/opt/zapret2/ipset/get_config.sh
+
+[Install]
+WantedBy=multi-user.target

init.d/systemd/zapret2-list-update.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=zapret2 ip/host list update timer
+
+[Timer]
+OnCalendar=*-*-2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 00:00:00
+RandomizedDelaySec=86400
+Persistent=true
+Unit=zapret2-list-update.service
+
+[Install]
+WantedBy=timers.target

init.d/systemd/zapret2.service

@@ -0,0 +1,17 @@
+[Unit]
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+Restart=no
+TimeoutSec=30sec
+IgnoreSIGPIPE=no
+KillMode=none
+GuessMainPID=no
+RemainAfterExit=no
+ExecStart=/opt/zapret2/init.d/sysv/zapret2 start
+ExecStop=/opt/zapret2/init.d/sysv/zapret2 stop
+
+[Install]
+WantedBy=multi-user.target

init.d/sysv/functions

@@ -0,0 +1,211 @@
+# init script functions library for desktop linux systems
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret2}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/linux_iphelper.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/nft.sh"
+. "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
+
+user_exists()
+{
+	id -u $1 >/dev/null 2>/dev/null
+}
+useradd_compat()
+{
+	# $1 - username
+	# skip for readonly systems
+	[ -w "/etc" ] && {
+		if exists useradd ; then
+			useradd --no-create-home --system --shell /bin/false $1
+		elif is_linked_to_busybox adduser ; then
+			# some systems may miss nogroup group in /etc/group
+			# adduser fails if it's absent and no group is specified
+			addgroup nogroup 2>/dev/null
+			# busybox has special adduser syntax
+			adduser -S -H -D $1
+		elif exists adduser; then
+			adduser --no-create-home --system --disabled-login $1
+		fi
+	}
+	user_exists $1
+}
+prepare_user()
+{
+	user_exists $WS_USER || {
+		# fallback to daemon if we cant add WS_USER
+		useradd_compat $WS_USER || {
+			for user in daemon nobody; do
+				user_exists $user && {
+					WS_USER=$user
+					return 0
+				}
+			done
+			return 1
+		}
+	}
+}
+
+# this complex user selection allows to survive in any locked/readonly/minimalistic environment
+[ -n "$WS_USER" ] || WS_USER=tpws
+if prepare_user; then
+ USEROPT="--user=$WS_USER"
+else
+ WS_USER=1
+ USEROPT="--uid $WS_USER:$WS_USER"
+fi
+
+PIDDIR=/var/run
+IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
+
+DESYNC_MARK=${DESYNC_MARK:-0x40000000}
+DESYNC_MARK_POSTNAT=${DESYNC_MARK_POSTNAT:-0x20000000}
+
+QNUM=${QNUM:-300}
+NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
+LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
+NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
+
+get_wanif46()
+{
+	# $1 - 4/6
+	# $2 - var to receive interface list
+	case $1 in
+		6)
+			eval $2="\${IFACE_WAN6:-$IFACE_WAN}"
+			;;
+		4)
+			eval $2="\$IFACE_WAN"
+			;;
+		*)
+			eval $2=
+	esac
+}
+get_lanif()
+{
+	# $1 - var to receive interface list
+	eval $1="\$IFACE_LAN"
+}
+
+fw_nfqws_post4()
+{
+	_fw_nfqws_post4  $1 "$2" $3 "$IFACE_WAN"
+}
+fw_nfqws_post6()
+{
+	_fw_nfqws_post6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+fw_nfqws_pre4()
+{
+	_fw_nfqws_pre4  $1 "$2" $3 "$IFACE_WAN"
+}
+fw_nfqws_pre6()
+{
+	_fw_nfqws_pre6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_nfqws_post4()
+{
+	_nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_nfqws_post6()
+{
+	_nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_nfqws_pre4()
+{
+	_nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_nfqws_pre6()
+{
+	_nft_fw_nfqws_pre6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+
+nft_wanif_filter_present()
+{
+	[ -n "$IFACE_WAN" ]
+}
+nft_wanif6_filter_present()
+{
+	[ -n "${IFACE_WAN6:-$IFACE_WAN}" ]
+}
+nft_fill_ifsets_overload()
+{
+	nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}"
+}
+
+
+run_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+
+	local DAEMONBASE="$(basename "$2")"
+	local PID= PIDFILE=$PIDDIR/${DAEMONBASE}_$1.pid
+	echo "Starting daemon $1: $2 $3"
+
+	[ -f "$PIDFILE" ] && {
+		read PID <"$PIDFILE"
+		[ -d "/proc/$PID" ] || PID=
+	}
+
+	if [ -n "$PID" ]; then
+		echo already running
+	else
+		"$2" $3 >/dev/null &
+		PID=$!
+		if [ -n "$PID" ]; then
+			echo $PID >$PIDFILE
+		else
+			echo could not start daemon $1 : $2 $3
+			false
+		fi
+	fi
+}
+stop_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	local PID PIDFILE=$PIDDIR/${DAEMONBASE}_$1.pid
+	echo "Stopping daemon $1: $2"
+	if [ -f "$PIDFILE" ]; then
+		read PID <"$PIDFILE"
+		kill $PID
+		rm -f "$PIDFILE"
+	else
+		echo no pidfile : $PIDFILE
+	fi
+}
+do_daemon()
+{
+	# $1 - 1 - run, 0 - stop
+	on_off_function run_daemon stop_daemon "$@"
+}
+
+do_nfqws()
+{
+	# $1 : 1 - run, 0 - stop
+	# $2 : daemon number
+	# $3 : daemon args
+
+	do_daemon $1 $2 "$NFQWS2" "$NFQWS2_OPT_BASE $3"
+}
+
+
+create_ipset()
+{
+	echo "Creating ip list table (firewall type $FWTYPE)"
+	"$IPSET_CR" "$@"
+}

init.d/sysv/zapret2

@@ -0,0 +1,82 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:		zapret
+# Required-Start:	$local_fs $network
+# Required-Stop:	$local_fs $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+### END INIT INFO
+
+SCRIPT=$(readlink -f "$0")
+EXEDIR=$(dirname "$SCRIPT")
+ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+. "$EXEDIR/functions"
+
+NAME=zapret
+DESC=anti-zapret
+
+do_start()
+{
+	zapret_run_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
+}
+do_stop()
+{
+	zapret_stop_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
+}
+
+case "$1" in
+	start)
+		do_start
+		;;
+
+	stop)
+		do_stop
+		;;
+
+	restart)
+		do_stop
+		do_start
+		;;
+
+	start-fw|start_fw)
+		zapret_apply_firewall
+		;;
+	stop-fw|stop_fw)
+		zapret_unapply_firewall
+		;;
+
+	restart-fw|restart_fw)
+		zapret_unapply_firewall
+		zapret_apply_firewall
+		;;
+
+	start-daemons|start_daemons)
+		zapret_run_daemons
+		;;
+	stop-daemons|stop_daemons)
+		zapret_stop_daemons
+		;;
+	restart-daemons|restart_daemons)
+		zapret_stop_daemons
+		zapret_run_daemons
+		;;
+
+	reload-ifsets|reload_ifsets)
+		zapret_reload_ifsets
+		;;
+	list-ifsets|list_ifsets)
+		zapret_list_ifsets
+		;;
+	list-table|list_table)
+		zapret_list_table
+		;;
+
+  *)
+	echo "Usage: $SCRIPT {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

init.d/windivert.filter.examples/README.txt

@@ -0,0 +1,14 @@
+Цель этих фильтров - отсекать полезную нагрузку в режиме ядра, не насилуя процессор перенаправлением целого потока на winws.
+Задействуются через `winws --wf-raw-part=@filename`. Может быть несколько частичных фильтров. Они могут сочетаться с --wf-tcp и --wf-udp.
+Однако, язык фильтров windivert не содержит операций с битовыми полями, сдвигов и побитовой логики.
+Поэтому фильтры получились более слабыми, способными передавать неправильную нагрузку.
+Дофильтрация производится силами winws.
+
+Описание языка фильтров : https://reqrypt.org/windivert-doc.html#filter_language
+Пример инстанса для пробития медиапотоков в discord : `winws --wf-raw-part=@windivert_part.discord_media.txt --wf-raw-part=@windivert_part.stun.txt --filter-l7=stun,discord --dpi-desync=fake`
+
+
+These filters are invoked using `winws --wf-raw-part=@filename`. Multiple filter parts are supported. They can be combined with --wf-tcp and --wf-udp.
+Filters are kernel mode and save great amount of CPU.
+However windivert cannot filter by bit fields, lacks shift and bitwise logic operations.
+Filters are relaxed and can pass wrong payloads. Finer filtering is done by winws.

init.d/windivert.filter.examples/windivert_part.dht.txt

@@ -0,0 +1 @@
+udp.Length>=5 and udp.Payload[0]=0x64 and udp.Payload[1]>=0x31 and udp.Payload[1]<=0x32

init.d/windivert.filter.examples/windivert_part.discord_media.txt

@@ -0,0 +1,20 @@
+  outbound and ip and
+  udp.DstPort>=50000 and udp.DstPort<=50099 and
+  udp.PayloadLength=74 and
+  udp.Payload32[0]=0x00010046 and
+  udp.Payload32[2]=0 and
+  udp.Payload32[3]=0 and
+  udp.Payload32[4]=0 and
+  udp.Payload32[5]=0 and
+  udp.Payload32[6]=0 and
+  udp.Payload32[7]=0 and
+  udp.Payload32[8]=0 and
+  udp.Payload32[9]=0 and
+  udp.Payload32[10]=0 and
+  udp.Payload32[11]=0 and
+  udp.Payload32[12]=0 and
+  udp.Payload32[13]=0 and
+  udp.Payload32[14]=0 and
+  udp.Payload32[15]=0 and
+  udp.Payload32[16]=0 and
+  udp.Payload32[17]=0

init.d/windivert.filter.examples/windivert_part.quic_initial_ietf.txt

@@ -0,0 +1,4 @@
+  outbound and
+  udp.PayloadLength>=256 and
+  udp.Payload[0]>=0xC0 and udp.Payload[0]<0xD0 and
+  udp.Payload[1]=0 and udp.Payload16[1]=0 and udp.Payload[4]=1

init.d/windivert.filter.examples/windivert_part.stun.txt

@@ -0,0 +1,3 @@
+  outbound and
+  udp.PayloadLength>=20 and
+  udp.Payload32[1]=0x2112A442 and udp.Payload[0]<0x40

init.d/windivert.filter.examples/windivert_part.wireguard.txt

@@ -0,0 +1,3 @@
+udp.PayloadLength=148 and udp.Payload32[0]=0x01000000 or
+udp.PayloadLength=92 and udp.Payload32[0]=0x02000000 or
+udp.PayloadLength=64 and udp.Payload32[0]=0x03000000

install_bin.sh

@@ -30,8 +30,8 @@ select_test_method()
 		TEST=bash
 	elif exists zsh && [ "$UNAME" != CYGWIN ] ; then
 		TEST=zsh
-	elif [ "$UNAME" != Darwin -a "$UNAME" != CYGWIN ]; then
-		if exists hexdump and exists dd; then
+	elif [ "$UNAME" != CYGWIN ]; then
+		if exists hexdump && exists dd; then
 			# macos does not use ELF
 			TEST=elf
 			ELF=
@@ -64,12 +64,6 @@ select_test_method()
 
 }
 
-disable_antivirus()
-{
-	# $1 - dir
-	[ "$UNAME" = Darwin ] && find "$1" -maxdepth 1 -type f -perm +111 -exec xattr -d com.apple.quarantine {} \; 2>/dev/null
-}
-
 check_dir()
 {
 	local dir="$BINDIR/$1"
@@ -77,7 +71,6 @@ check_dir()
 	local out
 	if [ -f "$exe" ]; then
 		if [ -x "$exe" ]; then
-			disable_antivirus "$dir"
 			case $TEST in
 				bash)
 					out=$(echo 0.0.0.0 | bash -c "\"$exe"\" 2>/dev/null)
@@ -143,8 +136,7 @@ if [ ! -d "$BINDIR" ] || ! dir_is_not_empty "$BINDIR" ]; then
 			echo "to compile on other systems : make"
 			;;
 		Darwin)
-			echo "you need to download release from github or build binaries from source"
-			echo "to compile : make mac"
+			echo "macos is not supported"
 			;;
 		FreeBSD)
 			echo "you need to download release from github or build binaries from source"
@@ -168,9 +160,6 @@ case $UNAME in
 		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel linux-mips linux-lexra linux-ppc"
 		PKTWS=nfqws2
 		;;
-	Darwin)
-		ARCHLIST="my mac64"
-		;;
 	FreeBSD)
 		ARCHLIST="my freebsd-x86_64"
 		PKTWS=dvtws2

install_easy.sh

@@ -0,0 +1,833 @@
+#!/bin/sh
+
+# automated script for easy installing zapret
+
+EXEDIR="$(dirname "$0")"
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
+ZAPRET_TARGET=${ZAPRET_TARGET:-/opt/zapret2}
+ZAPRET_TARGET_RW=${ZAPRET_RW:-"$ZAPRET_TARGET"}
+ZAPRET_TARGET_CONFIG="$ZAPRET_TARGET_RW/config"
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+ZAPRET_CONFIG_DEFAULT="$ZAPRET_BASE/config.default"
+IPSET_DIR="$ZAPRET_BASE/ipset"
+
+[ -f "$ZAPRET_CONFIG" ] || {
+	ZAPRET_CONFIG_DIR="$(dirname "$ZAPRET_CONFIG")"
+	[ -d "$ZAPRET_CONFIG_DIR" ] || mkdir -p "$ZAPRET_CONFIG_DIR"
+	cp "$ZAPRET_CONFIG_DEFAULT" "$ZAPRET_CONFIG"
+}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/elevate.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/dialog.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/installer.sh"
+. "$ZAPRET_BASE/common/virt.sh"
+. "$ZAPRET_BASE/common/list.sh"
+
+GET_LIST="$IPSET_DIR/get_config.sh"
+
+check_readonly_system()
+{
+	local RO
+	echo \* checking readonly system
+        case $SYSTEM in
+		systemd)
+			[ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1
+			;;
+		openrc)
+			[ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1
+			;;
+	esac
+	[ -z "$RO" ] || {
+		echo '!!! READONLY SYSTEM DETECTED !!!'
+		echo '!!! WILL NOT BE ABLE TO CONFIGURE STARTUP !!!'
+		echo '!!! MANUAL STARTUP CONFIGURATION IS REQUIRED !!!'
+		ask_yes_no N "do you want to continue" || exitp 5
+	}
+}
+
+check_source()
+{
+	local bad=0
+
+	echo \* checking source files
+	case $SYSTEM in
+		systemd)
+			[ -f "$EXEDIR/init.d/systemd/zapret2.service" ] || bad=1
+			;;
+		openrc)
+			[ -f "$EXEDIR/init.d/openrc/zapret2" ] || bad=1
+			;;
+       esac
+       [ "$bad" = 1 ] && {
+               echo 'some critical files are missing'
+               echo 'are you sure you are not using embedded release ? you need full version for traditional systems'
+               exitp 5
+       }
+}
+
+check_bins()
+{
+	echo \* checking executables
+
+	fix_perms_bin_test "$EXEDIR"
+	local arch="$(get_bin_arch)"
+	local make_target
+	local cf="-march=native"
+	[ "$FORCE_BUILD" = "1" ] && {
+		echo forced build mode
+		if [ "$arch" = "my" ]; then
+			echo already compiled
+		else
+			arch=""
+		fi
+	}
+	if [ -n "$arch" ] ; then
+		echo found architecture "\"$arch\""
+	elif [ -f "$EXEDIR/Makefile" ] && exists make; then
+		echo trying to compile
+		case $SYSTEM in
+			systemd)
+				make_target=systemd
+				;;
+		esac
+		CFLAGS="${cf:+$cf }${CFLAGS}" OPTIMIZE=-O2 make -C "$EXEDIR" $make_target || {
+			echo could not compile
+			make -C "$EXEDIR" clean
+			exitp 8
+		}
+		echo compiled
+	else
+		echo build tools not found
+		exitp 8
+	fi
+}
+
+call_install_bin()
+{
+	sh "$EXEDIR/install_bin.sh" $1
+}
+get_bin_arch()
+{
+	call_install_bin getarch
+}
+
+install_binaries()
+{
+	echo \* installing binaries
+
+	call_install_bin || {
+		echo compatible binaries not found
+		exitp 8
+	}
+}
+
+ws_opt_validate()
+{
+	# ПРИМЕЧАНИЕ ДЛЯ РАСПРОСТРАНИТЕЛЕЙ КОПИПАСТЫ
+	# ЭТОТ КОД СДЕЛАН СПЕЦИАЛЬНО ДЛЯ ВАС, ЧТОБЫ ВЫ НЕ ПОСТИЛИ В СЕТЬ ПЛОХИЕ РЕЦЕПТЫ
+	# ЕСЛИ ВАМ ХОЧЕТСЯ ЕГО УДАЛИТЬ И НАПИСАТЬ ИНСТРУКЦИЮ КАК ЕГО УДАЛЯТЬ, ВЫ ДЕЛАЕТЕ ХРЕНОВУЮ УСЛУГУ. НАПИШИТЕ ЛУЧШЕ custom script.
+	# custom script - ЭТО ФАЙЛИК, КОТОРЫЙ ДОСТАТОЧНО СКОПИРОВАТЬ В НУЖНУЮ ДИРЕКТОРИЮ, ЧТОБЫ ОН СДЕЛАЛ ТОЖЕ САМОЕ, НО ЭФФЕКТИВНО.
+	# ФИЛЬТРАЦИЯ ПО IPSET В ЯДРЕ НЕСРАВНИМО ЭФФЕКТИВНЕЕ, ЧЕМ ПЕРЕКИДЫВАТЬ ВСЕ ПАКЕТЫ В nfqws И ТАМ ФИЛЬТРОВАТЬ
+	# --ipset СУЩЕСТВУЕТ ТОЛЬКО ДЛЯ ВИНДЫ И LINUX СИСТЕМ БЕЗ ipset (НАПРИМЕР, Android).
+	# И ТОЛЬКО ПО ЭТОЙ ПРИЧИНЕ ОНО НЕ ВЫКИНУТО ПОЛНОСТЬЮ ИЗ LINUX ВЕРСИИ
+	has_bad_ws_options "$1" && {
+		help_bad_ws_options
+		return 1
+	}
+	return 0
+}
+nfqws_opt_validate()
+{
+	ws_opt_validate "$1" || return 1
+	dry_run_nfqws || {
+		echo invalid nfqws2 options
+		return 1
+	}
+}
+
+select_mode_group()
+{
+	# $1 - ENABLE var name
+	# $2 - ask text
+	# $3 - vars
+	# $4 - validator func
+	# $5 - validator func param var
+
+	local enabled var v edited bad Y param
+
+	echo
+	ask_yes_no_var $1 "$2"
+	write_config_var $1
+	eval enabled=\$$1
+	[ "$enabled" = 1 ] && {
+		echo
+		while  : ; do
+			list_vars $3
+			bad=0; Y=N
+			[ -n "$4" ] && {
+				eval param="\$$5"
+				$4 "$param"; bad=$?
+				[ "$bad" = 1 ] && Y=Y
+			}
+			ask_yes_no $Y "do you want to edit the options" || {
+				[ "$bad" = 1 ] && {
+					echo installer will not allow to use bad options. exiting.
+					exitp 3
+				}
+				[ -n "$edited" ] && {
+					for var in $3; do
+						write_config_var $var
+					done
+				}
+				break
+			}
+			edit_vars $3
+			edited=1
+			echo ..edited..
+		done
+	}
+}
+
+select_mode_nfqws()
+{
+	local EDITVAR_NEWLINE_DELIMETERS="--new --out-range --in-range --payload" EDITVAR_NEWLINE_VARS="NFQWS2_OPT"
+	select_mode_group NFQWS2_ENABLE "enable nfqws2 ?" "NFQWS2_PORTS_TCP NFQWS2_PORTS_UDP NFQWS2_TCP_PKT_OUT NFQWS2_TCP_PKT_IN NFQWS2_UDP_PKT_OUT NFQWS2_UDP_PKT_IN NFQWS2_PORTS_TCP_KEEPALIVE NFQWS2_PORTS_UDP_KEEPALIVE NFQWS2_OPT" nfqws_opt_validate NFQWS2_OPT
+}
+
+select_mode_mode()
+{
+	select_mode_nfqws
+
+	echo
+	echo "current custom scripts in $CUSTOM_DIR/custom.d:"
+	[ -d "$CUSTOM_DIR/custom.d" ] && ls "$CUSTOM_DIR/custom.d"
+	echo "Make sure this is ok"
+	echo
+}
+
+select_mode_filter()
+{
+	local filter="none ipset hostlist autohostlist"
+	echo
+	echo select filtering :
+	ask_list MODE_FILTER "$filter" none && write_config_var MODE_FILTER
+}
+
+select_mode()
+{
+	select_mode_filter
+	select_mode_mode
+	select_mode_iface
+}
+
+select_getlist()
+{
+	if [ "$MODE_FILTER" = "ipset" -o "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ]; then
+		local D=N
+		[ -n "$GETLIST" ] && D=Y
+		echo
+		if ask_yes_no $D "do you want to auto download ip/host list"; then
+			if [ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] ; then
+				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh"
+				GETLIST_DEF="get_antizapret_domains.sh"
+			else
+				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
+				GETLIST_DEF="get_antifilter_allyouneed.sh"
+			fi
+			ask_list GETLIST "$GETLISTS" "$GETLIST_DEF" && write_config_var GETLIST
+			return
+		fi
+	fi
+	GETLIST=""
+	write_config_var GETLIST
+}
+
+ask_config()
+{
+	select_mode
+	select_getlist
+}
+
+ask_config_offload()
+{
+	[ "$FWTYPE" = nftables ] || is_ipt_flow_offload_avail && {
+		echo
+		echo flow offloading can greatly increase speed on slow devices and high speed links \(usually 150+ mbits\)
+		if [ "$SYSTEM" = openwrt ]; then
+			echo unfortuantely its not compatible with most nfqws options. nfqws traffic must be exempted from flow offloading.
+			echo donttouch = disable system flow offloading setting if nfqws mode was selected, dont touch it otherwise and dont configure selective flow offloading
+			echo none = always disable system flow offloading setting and dont configure selective flow offloading
+			echo software = always disable system flow offloading setting and configure selective software flow offloading
+			echo hardware = always disable system flow offloading setting and configure selective hardware flow offloading
+		else
+			echo offloading is applicable only to forwarded traffic. it has no effect on outgoing traffic
+			echo hardware flow offloading is available only on specific supporting hardware. most likely will not work on a generic system
+		fi
+		echo offloading likely breaks traffic shaper
+		echo select flow offloading :
+		local options="none software hardware"
+		local default="none"
+		[ "$SYSTEM" = openwrt ] && {
+			options="donttouch none software hardware"
+			default="donttouch"
+		}
+		ask_list FLOWOFFLOAD "$options" $default && write_config_var FLOWOFFLOAD
+	}
+}
+
+ask_config_tmpdir()
+{
+	# ask tmpdir change for low ram systems with enough free disk space
+	[ -n "$GETLIST" ] && [ $(get_free_space_mb "$EXEDIR/tmp") -ge 128 ] && [ $(get_ram_mb) -le 400 ] && {
+		echo
+		echo /tmp in openwrt is tmpfs. on low RAM systems there may be not enough RAM to store downloaded files
+		echo default tmpfs has size of 50% RAM
+		echo "RAM  : $(get_ram_mb) Mb"
+		echo "DISK : $(get_free_space_mb "$EXEDIR/tmp") Mb"
+		echo select temp file location
+		[ -z "$TMPDIR" ] && TMPDIR=/tmp
+		ask_list TMPDIR "/tmp $EXEDIR/tmp" && {
+		    [ "$TMPDIR" = "/tmp" ] && TMPDIR=
+		    write_config_var TMPDIR
+		}
+	}
+}
+
+nft_flow_offload()
+{
+	[ "$UNAME" = Linux -a "$FWTYPE" = nftables ] && [ "$FLOWOFFLOAD" = software -o "$FLOWOFFLOAD" = hardware ]
+}
+
+ask_iface()
+{
+	# $1 - var to ask
+	# $2 - additional name for empty string synonim
+
+	local ifs i0 def new
+	eval def="\$$1"
+
+	[ -n "$2" ] && i0="$2 "
+	ifs="$(ls /sys/class/net)"
+	[ -z "$def" ] && eval $1="$2"
+	ask_list $1 "$i0$ifs" && {
+		eval new="\$$1"
+		[ "$new" = "$2" ] && eval $1=""
+		write_config_var $1
+	}
+}
+ask_iface_lan()
+{
+	echo LAN interface :
+	local opt
+	nft_flow_offload || opt=NONE
+	ask_iface IFACE_LAN $opt
+}
+ask_iface_wan()
+{
+	echo WAN interface :
+	local opt
+	nft_flow_offload || opt=ANY
+	ask_iface IFACE_WAN $opt
+}
+
+select_mode_iface()
+{
+	# openwrt has its own interface management scheme
+	# LAN interface names are used only to setup flow offloading rules
+
+	[ "$SYSTEM" = "openwrt" ] && return
+
+	ask_iface_lan
+	ask_iface_wan
+}
+
+default_files()
+{
+	# $1 - ro location
+	# $2 - rw location (can be equal to $1)
+	[ -d "$2/ipset" ] || mkdir -p "$2/ipset"
+	[ -f "$2/ipset/zapret-hosts-user-exclude.txt" ] || cp "$1/ipset/zapret-hosts-user-exclude.txt.default" "$2/ipset/zapret-hosts-user-exclude.txt"
+	[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >> "$2/ipset/zapret-hosts-user.txt"
+	[ -f "$2/ipset/zapret-hosts-user-ipban.txt" ] || touch "$2/ipset/zapret-hosts-user-ipban.txt"
+	for dir in openwrt sysv macos; do
+		[ -d "$1/init.d/$dir" ] && {
+			[ -d "$2/init.d/$dir" ] || mkdir -p "$2/init.d/$dir"
+			[ -d "$2/init.d/$dir/custom.d" ] || mkdir -p "$2/init.d/$dir/custom.d"
+		}
+	done
+}
+copy_all()
+{
+	local dir
+
+	cp -R "$1" "$2"
+	[ -d "$2/tmp" ] || mkdir "$2/tmp"
+}
+copy_openwrt()
+{
+	local ARCH="$(get_bin_arch)"
+	local BINDIR="$1/binaries/$ARCH"
+	local file
+
+	[ -d "$2" ] || mkdir -p "$2"
+
+	mkdir "$2/nfq2" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files"
+	cp -R "$1/files/fake" "$2/files"
+	cp -R "$1/common" "$1/ipset" "$1/blockcheck2.d" "$1/lua" "$2"
+	cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d"
+	cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck2.sh" "$2"
+	cp "$BINDIR/nfqws2" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
+}
+
+fix_perms_bin_test()
+{
+	[ -d "$1" ] || return
+	find "$1/binaries" -name ip2net ! -perm -111 -exec chmod +x {} \;
+}
+fix_perms()
+{
+	[ -d "$1" ] || return
+	find "$1" -type d -exec chmod 755 {} \;
+	find "$1" -type f -exec chmod 644 {} \;
+	local chow
+	case "$UNAME" in
+		Linux)
+			chow=root:root
+			;;
+		*)
+			chow=root:wheel
+	esac
+	chown -R $chow "$1"
+	find "$1/binaries" '(' -name dvtws2 -o -name nfqws2 -o -name ip2net -o -name mdig ')' -exec chmod 755 {} \;
+	for f in \
+install_bin.sh \
+blockcheck2.sh \
+install_easy.sh \
+install_prereq.sh \
+files/huawei/E8372/zapret-ip \
+files/huawei/E8372/unzapret-ip \
+files/huawei/E8372/run-zapret-hostlist \
+files/huawei/E8372/unzapret \
+files/huawei/E8372/zapret \
+files/huawei/E8372/run-zapret-ip \
+ipset/get_exclude.sh \
+ipset/clear_lists.sh \
+ipset/create_ipset.sh \
+ipset/get_config.sh \
+ipset/get_user.sh \
+ipset/get_ipban.sh \
+ipset/get_refilter_domains.sh \
+ipset/get_refilter_ipsum.sh \
+ipset/get_reestr_resolvable_domains.sh \
+ipset/get_reestr_preresolved.sh \
+ipset/get_reestr_preresolved_smart.sh \
+ipset/get_reestr_resolve.sh \
+ipset/get_reestr_hostlist.sh \
+ipset/get_antifilter_allyouneed.sh \
+ipset/get_antifilter_ipsum.sh \
+ipset/get_antifilter_ipsmart.sh \
+ipset/get_antifilter_ip.sh \
+ipset/get_antifilter_ipresolve.sh \
+ipset/get_antizapret_domains.sh \
+init.d/pfsense/zapret2.sh \
+init.d/runit/zapret2/run \
+init.d/runit/zapret2/finish \
+init.d/openrc/zapret2 \
+init.d/sysv/zapret2 \
+init.d/openwrt/zapret2 \
+uninstall_easy.sh \
+	; do chmod 755 "$1/$f" 2>/dev/null ; done
+}
+
+
+_backup_settings()
+{
+	local i=0
+	for f in "$@"; do
+		# safety check
+		[ -z "$f" -o "$f" = "/" ] && continue
+
+		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret2-bkp-$i"
+		[ -d "$ZAPRET_TARGET/$f" ] && cp -rf "$ZAPRET_TARGET/$f" "/tmp/zapret2-bkp-$i"
+		i=$(($i+1))
+	done
+}
+_restore_settings()
+{
+	local i=0
+	for f in "$@"; do
+		# safety check
+		[ -z "$f" -o "$f" = "/" ] && continue
+
+		[ -f "/tmp/zapret2-bkp-$i" ] && {
+			mv -f "/tmp/zapret2-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret2-bkp-$i"
+		}
+		[ -d "/tmp/zapret2-bkp-$i" ] && {
+			[ -d "$ZAPRET_TARGET/$f" ] && rm -r "$ZAPRET_TARGET/$f"
+			mv -f "/tmp/zapret2-bkp-$i" "$ZAPRET_TARGET/$f" || rm -r "/tmp/zapret2-bkp-$i"
+		}
+		i=$(($i+1))
+	done
+}
+backup_restore_settings()
+{
+	# $1 - 1 - backup, 0 - restore
+	local mode=$1
+	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom.d" "init.d/openwrt/custom.d" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
+}
+
+check_location()
+{
+	# $1 - copy function
+
+	echo \* checking location
+	# use inodes in case something is linked
+	if [ -d "$ZAPRET_TARGET" ] && [ $(get_dir_inode "$EXEDIR") = $(get_dir_inode "$ZAPRET_TARGET") ]; then
+		default_files "$ZAPRET_TARGET" "$ZAPRET_RW"
+	else
+		local rwdir=0
+		[ $(get_dir_inode "$ZAPRET_BASE") = $(get_dir_inode "$ZAPRET_RW") ] || rwdir=1
+		echo
+		echo easy install is supported only from default location : $ZAPRET_TARGET
+		echo currently its run from $EXEDIR
+		if ask_yes_no N "do you want the installer to copy it for you"; then
+			local keep=N
+			if [ -d "$ZAPRET_TARGET" ]; then
+				echo
+				echo installer found existing $ZAPRET_TARGET
+				echo directory needs to be replaced. config and custom scripts can be kept or replaced with clean version
+				if ask_yes_no N "do you want to delete all files there and copy this version"; then
+					echo
+					if [ $rwdir != 1 ]; then
+						ask_yes_no Y "keep config, custom scripts and user lists" && keep=Y
+						[ "$keep" = "Y" ] && backup_restore_settings 1
+					fi
+					rm -r "$ZAPRET_TARGET"
+				else
+					echo refused to overwrite $ZAPRET_TARGET. exiting
+					exitp 3
+				fi
+			fi
+			local B="$(dirname "$ZAPRET_TARGET")"
+			[ -d "$B" ] || mkdir -p "$B"
+			$1 "$EXEDIR" "$ZAPRET_TARGET"
+			fix_perms "$ZAPRET_TARGET"
+			[ "$keep" = "Y" ] && backup_restore_settings 0
+			echo relaunching itself from $ZAPRET_TARGET
+			exec "$ZAPRET_TARGET/$(basename "$0")"
+		else
+			echo copying aborted. exiting
+			exitp 3
+		fi
+	fi
+	echo running from $EXEDIR
+}
+
+
+service_install_systemd()
+{
+	echo \* installing zapret service
+
+	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
+		rm -f "$INIT_SCRIPT"
+		cp -f "$EXEDIR/init.d/systemd/zapret2.service" "$SYSTEMD_SYSTEM_DIR"
+		"$SYSTEMCTL" daemon-reload
+		"$SYSTEMCTL" enable zapret2 || {
+			echo could not enable systemd service
+			exitp 20
+		}
+	else
+		echo '!!! READONLY SYSTEM DETECTED !!! CANNOT INSTALL SYSTEMD UNITS !!!'
+	fi
+}
+
+timer_install_systemd()
+{
+	echo \* installing zapret2-list-update timer
+
+	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
+		"$SYSTEMCTL" disable zapret2-list-update.timer
+		"$SYSTEMCTL" stop zapret2-list-update.timer
+		cp -f "$EXEDIR/init.d/systemd/zapret2-list-update.service" "$SYSTEMD_SYSTEM_DIR"
+		cp -f "$EXEDIR/init.d/systemd/zapret2-list-update.timer" "$SYSTEMD_SYSTEM_DIR"
+		"$SYSTEMCTL" daemon-reload
+		"$SYSTEMCTL" enable zapret2-list-update.timer || {
+			echo could not enable zapret2-list-update.timer
+			exitp 20
+		}
+		"$SYSTEMCTL" start zapret2-list-update.timer || {
+			echo could not start zapret2-list-update.timer
+			exitp 30
+		}
+	else
+		echo '!!! READONLY SYSTEM DETECTED !!! CANNOT INSTALL SYSTEMD UNITS !!!'
+	fi
+}
+
+download_list()
+{
+	[ -x "$GET_LIST" ] &&	{
+		echo \* downloading blocked ip/host list
+
+		# can be txt or txt.gz
+		"$IPSET_DIR/clear_lists.sh"
+		"$GET_LIST"
+	}
+}
+
+
+dnstest()
+{
+	# $1 - dns server. empty for system resolver
+	nslookup w3.org $1 >/dev/null 2>/dev/null
+}
+check_dns()
+{
+	echo \* checking DNS
+
+	dnstest || {
+		echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access.
+		return 1
+	}
+	echo system DNS is working
+	return 0
+}
+
+
+install_systemd()
+{
+	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret2"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
+	check_bins
+	require_root
+	check_readonly_system
+	check_location copy_all
+	check_dns
+	check_virt
+	service_stop_systemd
+	select_fwtype
+	check_prerequisites_linux
+	install_binaries
+	select_ipv6
+	ask_config_offload
+	ask_config
+	service_install_systemd
+	download_list
+	# in case its left from old version of zapret
+	crontab_del_quiet
+	# now we use systemd timers
+	timer_install_systemd
+	service_start_systemd
+}
+
+_install_sysv()
+{
+	# $1 - install init script
+
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
+	check_bins
+	require_root
+	check_readonly_system
+	check_location copy_all
+	check_dns
+	check_virt
+	service_stop_sysv
+	select_fwtype
+	check_prerequisites_linux
+	install_binaries
+	select_ipv6
+	ask_config_offload
+	ask_config
+	$1
+	download_list
+	crontab_del_quiet
+	# desktop system. more likely up at daytime
+	crontab_add 10 22
+	service_start_sysv
+}
+
+install_sysv()
+{
+	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret2"
+	_install_sysv install_sysv_init
+}
+
+install_openrc()
+{
+	INIT_SCRIPT_SRC="$EXEDIR/init.d/openrc/zapret2"
+	_install_sysv install_openrc_init
+}
+
+
+install_linux()
+{
+	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret2"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
+	check_bins
+	require_root
+	check_location copy_all
+	check_dns
+	check_virt
+	select_fwtype
+	check_prerequisites_linux
+	install_binaries
+	select_ipv6
+	ask_config_offload
+	ask_config
+	download_list
+	crontab_del_quiet
+	# desktop system. more likely up at daytime
+	crontab_add 10 22
+
+	echo
+	echo '!!! WARNING. YOUR SETUP IS INCOMPLETE !!!'
+	echo you must manually add to auto start : $INIT_SCRIPT_SRC start
+	echo make sure it\'s executed after your custom/firewall iptables configuration
+	echo "if your system uses sysv init : ln -fs $INIT_SCRIPT_SRC /etc/init.d/zapret ; chkconfig zapret on"
+}
+
+
+deoffload_openwrt_firewall()
+{
+	echo \* checking flow offloading
+
+	[ "$FWTYPE" = "nftables" ] || is_ipt_flow_offload_avail || {
+		echo unavailable
+		return
+	}
+
+	local fo=$(uci -q get firewall.@defaults[0].flow_offloading)
+
+	if [ "$fo" = "1" ] ; then
+		local mod=0
+		printf "system wide flow offloading detected. "
+		case $FLOWOFFLOAD in
+			donttouch)
+				if [ "$NFQWS2_ENABLE" = "1" ]; then
+					echo its incompatible with nfqws tcp data tampering. disabling
+					uci set firewall.@defaults[0].flow_offloading=0
+					mod=1
+				else
+					if dir_is_not_empty "$CUSTOM_DIR/custom.d" ; then
+						echo
+						echo !!! CUSTOM SCRIPTS ARE PRESENT !!! only you can decide whether flow offloading is compatible.
+						echo !!! CUSTOM SCRIPTS ARE PRESENT !!! if they use nfqws they will not work. you have to disable system-wide offloading.
+					else
+						echo its compatible with selected options. not disabling
+					fi
+				fi
+			;;
+		*)
+			echo zapret will disable system wide offloading setting and add selective rules if required
+			uci set firewall.@defaults[0].flow_offloading=0
+			mod=1
+		esac
+		[ "$mod" = "1" ] && uci commit firewall
+	else
+		echo system wide software flow offloading disabled. ok
+	fi
+}
+
+
+
+install_openwrt()
+{
+	INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret2"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
+	FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret2"
+	OPENWRT_FW_INCLUDE=/etc/firewall.zapret2
+	OPENWRT_IFACE_HOOK="$EXEDIR/init.d/openwrt/90-zapret2"
+
+	check_bins
+	require_root
+	check_location copy_openwrt
+	install_binaries
+	check_dns
+	check_virt
+
+	local FWTYPE_OLD=$FWTYPE
+
+	echo \* stopping current firewall rules/daemons
+	"$INIT_SCRIPT_SRC" stop_fw
+	"$INIT_SCRIPT_SRC" stop_daemons
+
+	select_fwtype
+	select_ipv6
+	check_prerequisites_openwrt
+	ask_config
+	ask_config_tmpdir
+	ask_config_offload
+	# stop and reinstall sysv init
+	install_sysv_init
+	[ "$FWTYPE_OLD" != "$FWTYPE" -a "$FWTYPE_OLD" = iptables -a -n "$OPENWRT_FW3" ] && remove_openwrt_firewall
+	# free some RAM
+	clear_ipset
+	download_list
+	crontab_del_quiet
+	# router system : works 24/7. night is the best time
+	crontab_add 0 6
+	cron_ensure_running
+	install_openwrt_iface_hook
+	# in case of nftables or iptables without fw3 sysv init script also controls firewall
+	[ -n "$OPENWRT_FW3" -a "$FWTYPE" = iptables ] && install_openwrt_firewall
+	service_start_sysv
+	deoffload_openwrt_firewall
+	restart_openwrt_firewall
+}
+
+
+
+remove_pf_zapret_hooks()
+{
+	echo \* removing zapret PF hooks
+
+	pf_anchors_clear
+}
+
+macos_fw_reload_trigger_clear()
+{
+	LISTS_RELOAD=
+	write_config_var LISTS_RELOAD
+}
+macos_fw_reload_trigger_set()
+{
+	LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
+	write_config_var LISTS_RELOAD
+}
+
+
+
+# build binaries, do not use precompiled
+[ "$1" = "make" ] && FORCE_BUILD=1
+
+umask 0022
+fix_sbin_path
+fsleep_setup
+check_system
+check_source
+
+case $SYSTEM in
+	systemd)
+		install_systemd
+		;;
+	openrc)
+		install_openrc
+		;;
+	linux)
+		install_linux
+		;;
+	openwrt)
+		install_openwrt
+		;;
+esac
+
+
+exitp 0

install_prereq.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# install prerequisites
+
+EXEDIR="$(dirname "$0")"
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+ZAPRET_CONFIG_DEFAULT="$ZAPRET_BASE/config.default"
+
+[ -f "$ZAPRET_CONFIG" ] || {
+	ZAPRET_CONFIG_DIR="$(dirname "$ZAPRET_CONFIG")"
+	[ -d "$ZAPRET_CONFIG_DIR" ] || mkdir -p "$ZAPRET_CONFIG_DIR"
+	cp "$ZAPRET_CONFIG_DEFAULT" "$ZAPRET_CONFIG"
+}
+
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/elevate.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/dialog.sh"
+. "$ZAPRET_BASE/common/installer.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+
+umask 0022
+fix_sbin_path
+fsleep_setup
+check_system accept_unknown_rc
+[ $UNAME = "Linux" ] || {
+	echo no prerequisites required for $UNAME
+	exitp 0
+}
+require_root
+
+case $UNAME in
+	Linux)
+		select_fwtype
+		case $SYSTEM in
+			openwrt)
+				select_ipv6
+				check_prerequisites_openwrt
+				;;
+			*)
+				check_prerequisites_linux
+				;;
+		esac
+		;;
+esac
+
+exitp 0

ip2net/ip2net.c

@@ -49,7 +49,7 @@ static int ucmp(const void * a, const void * b, void *arg)
 }
 static uint32_t mask_from_bitcount(uint32_t zct)
 {
-	return zct<32 ? ~((1 << zct) - 1) : 0;
+	return zct<32 ? ~((1u << zct) - 1) : 0;
 }
 // make presorted array unique. return number of unique items.
 // 1,1,2,3,3,0,0,0 (ct=8) => 1,2,3,0 (ct=4)
@@ -138,7 +138,7 @@ static void mask_from_bitcount6_make(uint32_t zct, struct in6_addr *a)
 		int32_t n = (127 - zct) >> 3;
 		memset(a->s6_addr,0xFF,n);
 		memset(a->s6_addr+n,0x00,16-n);
-		a->s6_addr[n] = ~((1 << (zct & 7)) - 1);
+		a->s6_addr[n] = ~((1u << (zct & 7)) - 1);
 	}
 }
 static struct in6_addr ip6_mask[129];

ipset/antifilter.helper

@@ -0,0 +1,19 @@
+get_antifilter()
+{
+ # $1 - list url
+ # $2 - target file
+ local ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
+
+ [ "$DISABLE_IPV4" != "1" ] && {
+  curl --fail --max-time 150 --connect-timeout 20 --max-filesize 41943040 -k -L "$1" | cut_local >"$ZIPLISTTMP" &&
+  {
+   dlsize=$(LC_ALL=C LANG=C wc -c "$ZIPLISTTMP" | xargs | cut -f 1 -d ' ')
+   if [ $dlsize -lt 102400 ]; then
+    echo list file is too small. can be bad.
+    exit 2
+   fi
+   ip2net4 <"$ZIPLISTTMP" | zz "$2"
+   rm -f "$ZIPLISTTMP"
+  }
+ }
+}