update docs

.github/workflows/build.yml

@@ -26,6 +26,8 @@ jobs:
             tool: aarch64-unknown-linux-musl
           - arch: arm
             tool: arm-unknown-linux-musleabi
+          - arch: arm-old
+            tool: arm-unknown-linux-musleabi
           # - arch: armhf
           #   tool: arm-unknown-linux-musleabihf
           # - arch: armv7
@@ -108,7 +110,7 @@ jobs:
           export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
           export STAGING_DIR=$RUNNER_TEMP
 
-          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]]; then
+          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]] || [[ "$ARCH" == arm-old ]]; then
             # use classic lua
             wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
             (
@@ -527,6 +529,7 @@ jobs:
                 *-android-x86_64 )      run_dir android-x86_64 ;;
                 *-freebsd-x86_64 )      run_dir freebsd-x86_64 ;;
                 *-linux-arm )           run_dir linux-arm ;;
+                *-linux-arm-old )       run_dir linux-arm-old ;;
                 *-linux-arm64 )         run_dir linux-arm64 ;;
                 *-linux-mips64 )        run_dir linux-mips64 ;;
                 *-linux-mipselsf )      run_dir linux-mipsel ;;

blockcheck2.d/standard/20-multi.sh

@@ -5,10 +5,10 @@ pktws_simple_split_tests()
 	# $3 - splits
 	# $4 - PRE args for nfqws2
 	local pos ok ok_any pre="$4"
-	local splitf splitfs="multisplit multidisorder"
+	local splitf splitfs="multisplit $MULTIDISORDER"
 
 	ok_any=0
-	for splitf in multisplit multidisorder; do
+	for splitf in $splitfs; do
 		eval need_$splitf=0
 		ok=0
 		for pos in $3; do
@@ -38,7 +38,7 @@ pktws_check_https_tls()
 	# $1 - test function
 	# $2 - domain
 	# $3 - PRE args for nfqws2
-	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
 	local PAYLOAD="--payload tls_client_hello"
 
 	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }

blockcheck2.d/standard/23-seqovl.sh

@@ -24,8 +24,8 @@ pktws_check_http()
 	for split in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
 		f="$(extract_arg 1 $split)"
 		f2="$(extract_arg 2 $split)"
-		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f
-		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat
 	done
 }
 
@@ -60,8 +60,8 @@ pktws_seqovl_tests_tls()
 	for split in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
 		f="$(extract_arg 1 $split)"
 		f2="$(extract_arg 2 $split)"
-		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f && ok=1
-		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
 	done
 	[ "$ok" = 1 ] && ok_any=1
 	[ "$ok_any" = 1 ]

blockcheck2.d/standard/24-syndata.sh

@@ -7,7 +7,7 @@ pktws_check_http()
 
 	local PAYLOAD="--payload http_req" split
 
-	for split in '' multisplit multidisorder; do
+	for split in '' multisplit $MULTIDISORDER; do
 		pktws_curl_test_update "$1" "$2" --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split}
 		pktws_curl_test_update "$1" "$2" --lua-desync=syndata:blob=fake_default_http $PAYLOAD ${split:+$PAYLOAD --lua-desync=$split}
 	done
@@ -21,7 +21,7 @@ pktws_check_https_tls()
 
 	local PAYLOAD="--payload tls_client_hello" ok=0 pre="$3" split
 
-	for split in '' multisplit multidisorder; do
+	for split in '' multisplit $MULTIDISORDER; do
 		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split} && ok=1
 		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=0x1603 ${split:+$PAYLOAD --lua-desync=$split} && ok=1
 		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,rndsni ${split:+$PAYLOAD --lua-desync=$split} && ok=1

blockcheck2.d/standard/50-fake-multi.sh

@@ -22,7 +22,7 @@ pktws_check_http()
 	# do not test fake + multisplit if multisplit works
 	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
 	# do not test fake + multidisorder if multidisorder works
-	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"
 
 	for splitf in $splitfs; do
 		ok=0
@@ -95,7 +95,7 @@ pktws_check_https_tls()
 	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
 
 	local testf=$1 domain="$2" pre="$3"
-	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
 	local PAYLOAD="--payload=tls_client_hello"
 
 	shift; shift
@@ -112,7 +112,7 @@ pktws_check_https_tls()
 	# do not test fake + multisplit if multisplit works
 	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
 	# do not test fake + multidisorder if multidisorder works
-	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"
 
 	ok_any=0
 	for splitf in $splitfs; do

blockcheck2.d/standard/90-quic.sh

@@ -1,3 +1,5 @@
+. "$TESTDIR/def.inc"
+
 pktws_check_http3()
 {
 	# $1 - test function
@@ -5,7 +7,7 @@ pktws_check_http3()
 
 	[ "$NOTEST_QUIC" = 1 ] && { echo "SKIPPED"; return; }
 
-	local repeats fake pos
+	local repeats fake pos fool
 	local PAYLOAD="--payload quic_initial"
 
 	if [ -n "$FAKE_QUIC" ]; then
@@ -18,6 +20,12 @@ pktws_check_http3()
 		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$repeats && [ "$SCANLEVEL" != force ] && break
 	done
 
+	[ "$IPV" = 6 ] && {
+		for fool in ip6_hopbyhop ip6_destopt ip6_hopbyhop:ip6_destopt; do
+			pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:$fool --lua-desync=drop
+		done
+	}
+
 	for pos in 8 16 32 64; do
 		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
 	done

blockcheck2.d/standard/def.inc

@@ -2,6 +2,16 @@ FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 t
 FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
 FOOLINGS_TCP="$FOOLINGS46_TCP"
 [ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
+FOOLINGS6_UDP="${FOOLINGS6_UDP:-$FOOLINGS6_TCP}"
 FOOLINGS_UDP="${FOOLINGS_UDP:-badsum}"
+[ "$IPV" = 6 ] && FOOLINGS_UDP="$FOOLINGS_UDP $FOOLINGS6_UDP"
 
 FAKE_REPEATS=${FAKE_REPEATS:-1}
+
+MIN_TTL=${MIN_TTL:-1}
+MAX_TTL=${MAX_TTL:-12}
+MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
+MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
+
+# can use MULTIDISORER=multidisorder_legacy
+MULTIDISORDER=${MULTIDISORDER:-multidisorder}

blockcheck2.sh

@@ -40,10 +40,6 @@ IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
-MIN_TTL=${MIN_TTL:-1}
-MAX_TTL=${MAX_TTL:-12}
-MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
-MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
 USER_AGENT=${USER_AGENT:-Mozilla}
 HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}

common/ipt.sh

@@ -2,8 +2,6 @@ std_ports
 ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-IPBAN_EXCLUDE="-m set ! --match-set ipban"
-IPBAN_EXCLUDE6="-m set ! --match-set ipban6"
 
 ipt()
 {

config.default

@@ -97,11 +97,12 @@ FLOWOFFLOAD=donttouch
 #OPENWRT_WAN4="wan vpn"
 #OPENWRT_WAN6="wan6 vpn6"
 
-# for routers based on desktop linux and macos. has no effect in openwrt.
+# for routers based on classic linux. has no effect in openwrt.
 # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
 # or leave them commented if its not router
 # it's possible to specify multiple interfaces like this : IFACE_WAN="eth0 eth1 eth2"
 # if IFACE_WAN6 is not defined it take the value of IFACE_WAN
+#IFACE_LAN=eth0
 #IFACE_WAN=eth1
 #IFACE_WAN6="ipsec0 wireguard0 he_net"
 

docs/changes.txt

@@ -105,3 +105,23 @@ v0.7.2
 * zapret-lib: fix broken is_retransmission()
 * zapret-auto: add success detector logic
 * nfqws2: clean lua cutoff on profile change
+* zapret-auto: separate hostkey function
+
+v0.7.4
+
+* nfqws2, zapret-lib : check tcp sequence range overflow
+* zapret-lib: seq compare functions
+* nfqws2: add l3_len, l4_len to dissect
+* nfqws2: fix broken l7proto profile rediscovery
+* winws2: harden sandbox. disable child process execution , some UI interaction and desktop settings change
+
+v0.7.5
+
+* zapret-auto: orchestrator "repeater"
+* blockcheck2: check http3 with ipv6 exthdr
+* github actions: separate target arm-old with LUA classic, not JIT
+* zapret-auto: iff/neg in repeater
+* zapret-antidpi: multidisorder_legacy
+* ipset: remove get_reestr_hostlist.sh and get_reestr_resolve.sh because zapret-info does not and will probably not ever update
+* nfqws2: fix "reasm cancelled" if no incoming traffic redirected
+* blockcheck2: MULTIDISORDER=multidisorder_legacy

docs/readme.md

@@ -8,6 +8,20 @@ VPN. Может использоваться для частичной проз
 традиционные Linux-системы, FreeBSD, OpenBSD, Windows. В некоторых случаях возможна самостоятельная прикрутка
 решения к различным прошивкам.
 
+[Полный мануал](manual.md)
+
+
+## Поддержать разработчика
+
+Если вы считаете проект полезным и желаете поддержать разработку, направляйте ваши пожертвования на следующие адреса криптокошельков :
+
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`  (предпочительно сеть ERC-20)
+
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
+
+
 ## Чем это отличается от zapret1
 
 zapret2 является дальнейшим развитием проекта zapret.
@@ -38,7 +52,7 @@ zapret2 - инструмент для таких энтузиастов. Но э
 
 ## С чего начать
 
-Хотелось бы избежать "талмуда" на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
+Хотелось бы избежать [талмуда](manual.md) на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
 Когда вы поймете как это работает, вы можете посмотреть LUA код, находящийся "под капотом". Разобрать как он работает, попробовать написать что-то свое.
 "талмуд" обязательно будет, как он есть у любых более-менее сложных проектов. Он нужен как справочник.
 
@@ -153,7 +167,7 @@ range задается как `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`.
 Следующий профиль снова принимает значения по умолчанию.
 
 Что будет, если вы не напишите фильтр `--payload` для fake или multisplit ? В *nfqws1* без `--dpi-desync-any-protocol` они работали только по известным пейлоадам.
-В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известные пейлоадам
+В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известным пейлоадам
 и не работают по пустым пакетам или unknown - точно так же, как это было в *nfqws1*.
 Но лучше все-же писать фильтры `--payload`, потому что они работают на уровне C кода, который выполняется существенно быстрее, чем LUA.
 

init.d/custom.d.examples.linux/20-fw-extra

@@ -1,31 +1,22 @@
 # this custom script runs standard mode with extra firewall rules
 
-# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# config: use NFQWS2_ENABLE_OVERRIDE to enable standard mode daemons
 # standard and override switches cannot be enabled simultaneously !
 
-TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
-NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+NFQWS2_ENABLE_OVERRIDE=${NFQWS2_ENABLE_OVERRIDE:-0}
 
 # config: some if these values must be set in config. not setting any of these makes this script meaningless.
 # pre vars put ipt/nft code to the rule beginning
-#FW_EXTRA_PRE_TPWS_IPT=
-#FW_EXTRA_PRE_TPWS_NFT=
-#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
-#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+#FW_EXTRA_PRE_NFQWS2_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS2_NFT="mark and 0x10000000 != 0"
 # post vars put ipt/nft code to the rule end
-#FW_EXTRA_POST_TPWS_IPT=
-#FW_EXTRA_POST_TPWS_NFT=
-#FW_EXTRA_POST_NFQWS_IPT=
-#FW_EXTRA_POST_NFQWS_NFT=
+#FW_EXTRA_POST_NFQWS2_IPT=
+#FW_EXTRA_POST_NFQWS2_NFT=
 
 check_std_intersect()
 {
-	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
-		return 1
-	}
-	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+	[ "$NFQWS2_ENABLE_OVERRIDE" = 1 -a "$NFQWS2_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS2_ENABLE_OVERRIDE and NFQWS2_ENABLE are enabled"
 		return 1
 	}
 	return 0
@@ -37,7 +28,7 @@ zapret_custom_daemons()
 
 	check_std_intersect || return
 
-	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	local NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
 	standard_mode_daemons "$1"
 }
 zapret_custom_firewall()
@@ -46,10 +37,8 @@ zapret_custom_firewall()
 
 	check_std_intersect || return
 
-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
-	zapret_do_firewall_standard_tpws_rules_ipt $1
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_IPT"
 	zapret_do_firewall_standard_nfqws_rules_ipt $1
 }
 zapret_custom_firewall_nft()
@@ -58,9 +47,7 @@ zapret_custom_firewall_nft()
 
 	check_std_intersect || return
 
-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
-	zapret_apply_firewall_standard_tpws_rules_nft
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_NFT"
 	zapret_apply_firewall_standard_nfqws_rules_nft
 }

init.d/openwrt/90-zapret2

@@ -2,19 +2,6 @@
 
 ZAPRET=/etc/init.d/zapret2
 
-check_lan()
-{
-	IS_LAN=
-	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
-	for lan in $OPENWRT_LAN; do
-		[ "$INTERFACE" = "$lan" ] && {
-			IS_LAN=1
-			break
-		}
-	done
-}
-
-
 [ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
 	SCRIPT=$(readlink "$ZAPRET")
 	if [ -n "$SCRIPT" ]; then

install_easy.sh

@@ -233,10 +233,10 @@ select_getlist()
 		echo
 		if ask_yes_no $D "do you want to auto download ip/host list"; then
 			if [ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] ; then
-				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
+				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh"
 				GETLIST_DEF="get_antizapret_domains.sh"
 			else
-				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_resolve.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
+				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
 				GETLIST_DEF="get_antifilter_allyouneed.sh"
 			fi
 			ask_list GETLIST "$GETLISTS" "$GETLIST_DEF" && write_config_var GETLIST

ipset/get_reestr_hostlist.sh

@@ -1,65 +0,0 @@
-#!/bin/sh
-
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-
-. "$IPSET_DIR/def.sh"
-
-ZREESTR="$TMPDIR/zapret.txt.gz"
-IPB="$TMPDIR/ipb.txt"
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
-
-dl_checked()
-{
-  # $1 - url
-  # $2 - file
-  # $3 - minsize
-  # $4 - maxsize
-  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
-  {
-   echo list download failed : $1
-   return 2
-  }
-  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
-   echo list is too small : $dlsize bytes. can be bad.
-   return 2
-  fi
-  return 0
-}
-
-reestr_list()
-{
- LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C  LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
-}
-reestr_extract_ip()
-{
- LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C  LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
-}
-
-ipban_fin()
-{
- getipban
- "$IPSET_DIR/create_ipset.sh"
-}
-
-dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || {
- ipban_fin
- exit 2
-}
-
-reestr_list | sort -u | zz "$ZHOSTLIST"
-
-reestr_extract_ip <"$ZREESTR" >"$IPB"
-
-rm -f "$ZREESTR"
-[ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
-[ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
-rm -f "$IPB"
-
-hup_zapret_daemons
-
-ipban_fin
-
-exit 0

ipset/get_reestr_preresolved.sh

@@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_resolved4.txt"
 URL6="$BASEURL/reestr_resolved6.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"
 
 dl()
 {
@@ -35,12 +35,12 @@ dl()
 
 getuser && {
  [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+	dl "$URL4" "$ZIPLIST" 4096 4194304
+#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
  }
  [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+	dl "$URL6" "$ZIPLIST6" 2048 4194304
+#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
  }
 }
 

ipset/get_reestr_preresolved_smart.sh

@@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_smart4.txt"
 URL6="$BASEURL/reestr_smart6.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"
 
 dl()
 {
@@ -35,12 +35,12 @@ dl()
 
 getuser && {
  [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+	dl "$URL4" "$ZIPLIST" 4096 4194304
+#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
  }
  [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+	dl "$URL6" "$ZIPLIST6" 2048 4194304
+#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
  }
 }
 

ipset/get_reestr_resolvable_domains.sh

@@ -9,8 +9,8 @@ TMPLIST="$TMPDIR/list_nethub.txt"
 
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL="$BASEURL/reestr_hostname_resolvable.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"
 
 dl()
 {
@@ -36,8 +36,8 @@ dl "$URL" "$ZHOSTLIST" 65536 67108864
 
 hup_zapret_daemons
 
-[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
-[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+#[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+#[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 
 getipban
 "$IPSET_DIR/create_ipset.sh"

ipset/get_reestr_resolve.sh

@@ -1,83 +0,0 @@
-#!/bin/sh
-
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-
-. "$IPSET_DIR/def.sh"
-
-ZREESTR="$TMPDIR/zapret.txt.gz"
-ZDIG="$TMPDIR/zapret-dig.txt"
-IPB="$TMPDIR/ipb.txt"
-ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
-#ZURL=https://reestr.rublacklist.net/api/current
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
-
-dl_checked()
-{
-  # $1 - url
-  # $2 - file
-  # $3 - minsize
-  # $4 - maxsize
-  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
-  {
-   echo list download failed : $1
-   return 2
-  }
-  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
-   echo list is too small : $dlsize bytes. can be bad.
-   return 2
-  fi
-  return 0
-}
-
-reestr_list()
-{
- LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
-}
-reestr_extract_ip()
-{
- LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
-}
-
-getuser && {
- # both disabled
- [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
-
- dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
- 
- echo preparing ipban list ..
- 
- reestr_extract_ip <"$ZREESTR" >"$IPB"
- [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
- [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
- rm -f "$IPB"
-
- echo preparing dig list ..
- reestr_list | sort -u >"$ZDIG"
-
- rm -f "$ZREESTR"
-
- echo digging started. this can take long ...
-
- [ "$DISABLE_IPV4" != "1" ] && {
-  filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
-   exit 1
-  }
-  ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
-  rm -f "$ZIPLISTTMP"
- }
- [ "$DISABLE_IPV6" != "1" ] && {
-  filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
-   exit 1
-  }
-  ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
-  rm -f "$ZIPLISTTMP"
- }
- rm -f "$ZDIG"
-}
-
-"$IPSET_DIR/create_ipset.sh"

lua/zapret-antidpi.lua

@@ -416,7 +416,49 @@ function multisplit(ctx, desync)
 	end
 end
 
+-- internal function for code deduplication. do not call directly
+function pos_normalize(pos, low, hi)
+	return (pos>=low and pos<hi) and (pos-low+1) or nil
+end
+-- internal function for code deduplication. do not call directly
+function pos_array_normalize(pos, low, hi)
+	-- remove positions outside of hi,low range. normalize others to low
+	local i=1
+	while i<=#pos do
+		pos[i] = pos_normalize(pos[i], low, hi)
+		if pos[i] then
+			i = i + 1
+		else
+			table.remove(pos, i);
+		end
+	end
+end
+-- internal function for code deduplication. do not call directly
+function multidisorder_send(desync, data, seqovl, pos)
+	for i=#pos,0,-1 do
+		local pos_start = pos[i] or 1
+		local pos_end = i<#pos and pos[i+1]-1 or #data
+		local part = string.sub(data,pos_start,pos_end)
+		local ovl=0
+		if i==1 and seqovl and seqovl>0 then
+			if seqovl>=pos[1] then
+				DLOG("multidisorder: seqovl cancelled because seqovl "..(seqovl-1).." is not less than the first split pos "..(pos[1]-1))
+			else
+				ovl = seqovl - 1
+				local pat = desync.arg.seqovl_pattern and blob(desync,desync.arg.seqovl_pattern) or "\x00"
+				part = pattern(pat,1,ovl)..part
+			end
+		end
+		if b_debug then DLOG("multidisorder: sending part "..(i+1).." "..(pos_start-1).."-"..(pos_end-1).." len="..#part.." seqovl="..ovl.." : "..hexdump_dlog(part)) end
+		if not rawsend_payload_segmented(desync,part,pos_start-1-ovl) then
+			return VERDICT_PASS
+		end
+	end
+	return VERDICT_DROP
+end
+
 -- nfqws1 : "--dpi-desync=multidisorder"
+-- algorithm is not 100% the same as in nfqws1. multi-segment queries can produce different segment ordering.
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
 -- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
 -- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
@@ -440,32 +482,16 @@ function multidisorder(ctx, desync)
 			if b_debug then DLOG("multidisorder: resolved split pos: "..table.concat(zero_based_pos(pos)," ")) end
 			delete_pos_1(pos) -- cannot split at the first byte
 			if #pos>0 then
-				for i=#pos,0,-1 do
-					local pos_start = pos[i] or 1
-					local pos_end = i<#pos and pos[i+1]-1 or #data
-					local part = string.sub(data,pos_start,pos_end)
-					local seqovl=0
-					if i==1 and desync.arg.seqovl then
-						seqovl = resolve_pos(data, desync.l7payload, desync.arg.seqovl)
-						if not seqovl then
-							DLOG("multidisorder: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
-							seqovl = 0
-						else
-							seqovl = seqovl - 1
-							if seqovl>=(pos[1]-1) then
-								DLOG("multidisorder: seqovl cancelled because seqovl "..seqovl.." is not less than the first split pos "..(pos[1]-1))
-								seqovl = 0
-							else
-								local pat = desync.arg.seqovl_pattern and blob(desync,desync.arg.seqovl_pattern) or "\x00"
-								part = pattern(pat,1,seqovl)..part
-							end
-						end
-					end
-					if b_debug then DLOG("multidisorder: sending part "..(i+1).." "..(pos_start-1).."-"..(pos_end-1).." len="..#part.." seqovl="..seqovl.." : "..hexdump_dlog(part)) end
-					if not rawsend_payload_segmented(desync,part,pos_start-1-seqovl) then
-						return VERDICT_PASS
+				local seqovl
+				if desync.arg.seqovl then
+					seqovl = resolve_pos(data, desync.l7payload, desync.arg.seqovl)
+					if not seqovl then
+						DLOG("multidisorder: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
 					end
 				end
+				if multidisorder_send(desync, data, seqovl, pos)==VERDICT_PASS then
+					return VERDICT_PASS
+				end
 				replay_drop_set(desync)
 				return desync.arg.nodrop and VERDICT_PASS or VERDICT_DROP
 			else
@@ -481,6 +507,59 @@ function multidisorder(ctx, desync)
 	end
 end
 
+-- nfqws1 : "--dpi-desync=multidisorder". segment ordering is the same as in nfqws1
+-- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
+-- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
+-- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
+-- arg : seqovl_pattern=<blob> . override pattern
+function multidisorder_legacy(ctx, desync)
+	if not desync.dis.tcp then
+		instance_cutoff_shim(ctx, desync)
+		return
+	end
+	direction_cutoff_opposite(ctx, desync)
+	-- by default process only outgoing known payloads
+	local data = desync.dis.payload
+	local fulldata = desync.reasm_data
+	if #data>0 and direction_check(desync) and payload_check(desync) then
+		local range_low = (desync.reasm_offset or 0) + 1
+		local range_hi = range_low + #data
+		local spos = desync.arg.pos or "2"
+		-- check debug to save CPU
+		if b_debug then DLOG("multidisorder_legacy: split pos: "..spos) end
+		local pos = resolve_multi_pos(fulldata, desync.l7payload, spos)
+		if b_debug then DLOG("multidisorder_legacy: resolved split pos: "..table.concat(zero_based_pos(pos)," ")) end
+		DLOG("multidisorder_legacy: reasm piece range: "..(range_low-1).."-"..(range_hi-2))
+		pos_array_normalize(pos, range_low, range_hi)
+		delete_pos_1(pos) -- cannot split at the first byte
+		if #pos>0 then
+			if b_debug then DLOG("multidisorder_legacy: normalized split pos: "..table.concat(zero_based_pos(pos)," ")) end
+			local seqovl
+			if desync.arg.seqovl then
+				seqovl = resolve_pos(fulldata, desync.l7payload, desync.arg.seqovl)
+				if seqovl then
+					DLOG("multidisorder_legacy: resolved seqovl pos: "..(seqovl-1))
+					seqovl = pos_normalize(seqovl, range_low, range_hi)
+					if seqovl then
+						DLOG("multidisorder_legacy: normalized seqovl pos: "..(seqovl-1))
+					else
+						DLOG("multidisorder_legacy: normalized seqovl pos is outside of the reasm piece range")
+					end
+				else
+					DLOG("multidisorder_legacy: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
+				end
+			end
+			return multidisorder_send(desync, data, seqovl, pos)
+		else
+			DLOG("multidisorder_legacy: no normalized split pos in this packet")
+			-- send as is with applied options
+			if rawsend_payload_segmented(desync) then
+				return VERDICT_DROP
+			end
+		end
+	end
+end
+
 -- nfqws1 : "--dpi-desync=hostfakesplit"
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct. FOOLING AND REPEATS APPLIED ONLY TO FAKES.
 -- arg : host=<str> - hostname template. generate hosts like "random.template". example : e8nzn.vk.com
@@ -616,7 +695,7 @@ function fakedsplit(ctx, desync)
 			local pos = resolve_pos(data, desync.l7payload, spos)
 			if pos then
 				if pos == 1 then
-					DLOG("multidisorder: split pos resolved to 0. cannot split.")
+					DLOG("fakedsplit: split pos resolved to 0. cannot split.")
 				else
 					if b_debug then DLOG("fakedsplit: resolved split pos: "..tostring(pos-1)) end
 
@@ -709,7 +788,7 @@ function fakeddisorder(ctx, desync)
 			local pos = resolve_pos(data, desync.l7payload, spos)
 			if pos then
 				if pos == 1 then
-					DLOG("multidisorder: split pos resolved to 0. cannot split.")
+					DLOG("fakeddisorder: split pos resolved to 0. cannot split.")
 				else
 					if b_debug then DLOG("fakeddisorder: resolved split pos: "..tostring(pos-1)) end
 

lua/zapret-auto.lua

@@ -9,7 +9,7 @@
 function standard_hostkey(desync)
 	local hostkey = desync.track and desync.track.hostname
 	if hostkey then
-		if desync.arg.nld and tonumber(desync.arg.nld)>0 then
+		if desync.arg.nld and tonumber(desync.arg.nld)>0 and not (desync.track and desync.track.hostname_is_ip) then
 			-- dissect_nld returns nil if domain is invalid or does not have this NLD
 			-- fall back to original hostkey if it fails
 			local hktemp = dissect_nld(hostkey, tonumber(desync.arg.nld))
@@ -20,7 +20,6 @@ function standard_hostkey(desync)
 	elseif not desync.arg.reqhost then
 		hostkey = host_ip(desync)
 	end
-	-- prevent nld for ip addresses
 	return hostkey
 end
 
@@ -284,12 +283,13 @@ end
 -- if 'final' arg is present in an orchestrated instance it stops rotation
 -- arg: fails=N - failture count threshold. default is 3
 -- arg: time=<sec> - if last failure happened earlier than `maxtime` seconds ago - reset failure counter. default is 60.
--- arg: reqhost - pass with no tampering if hostname is unavailable
 -- arg: success_detector - success detector function name
 -- arg: failure_detector - failure detector function name
+-- arg: hostkey - hostkey generator function name
 -- args for failure detector - see standard_failure_detector or your own detector
 -- args for success detector - see standard_success_detector or your own detector
--- test case: nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s34228 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+-- args for hostkey generator - see standard_hostkey or your own generator
+-- test case: --in-range=-s34228 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
 function circular(ctx, desync)
 	local function count_strategies(hrec)
 		if not hrec.ctstrategy then
@@ -377,7 +377,7 @@ function cond_random(desync)
 	return math.random(0,99)<(tonumber(desync.arg.percent) or 50)
 end
 -- this iif function detects packets having 'arg.pattern' string in their payload
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --lua-desync=condition:iff=cond_payload_str:pattern=1234 --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
+-- test case : --lua-desync=condition:iff=cond_payload_str:pattern=1234 --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
 -- test case (true)  : echo aaz1234zzz | ncat -4u 1.1.1.1 443
 -- test case (false) : echo aaze124zzz | ncat -4u 1.1.1.1 443
 function cond_payload_str(desync)
@@ -399,7 +399,7 @@ end
 -- for example, this can be used by custom protocol detectors
 -- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
 -- arg: neg - invert condition function result
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --lua-desync=condition:iff=cond_random --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
+-- test case : --lua-desync=condition:iff=cond_random --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
 function condition(ctx, desync)
 	require_iff(desync, "condition")
 	orchestrate(ctx, desync)
@@ -415,7 +415,7 @@ end
 -- can be used with other orchestrators to stop execution conditionally
 -- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
 -- arg: neg - invert condition function result
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s1 --lua-desync=circular --lua-desync=stopif:iff=cond_random:strategy=1 --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+-- test case : --in-range=-s1 --lua-desync=circular --lua-desync=stopif:iff=cond_random:strategy=1 --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
 function stopif(ctx, desync)
 	require_iff(desync, "stopif")
 	orchestrate(ctx, desync)
@@ -427,3 +427,61 @@ function stopif(ctx, desync)
 		DLOG("stopif: false")
 	end
 end
+
+-- repeat following 'instances' 'repeats' times, execute others with no tampering
+-- arg: instances - number of following instances to be repeated. 1 by default
+-- arg: repeats - number of repeats
+-- arg: iff - condition function to continue execution. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
+-- arg: neg - invert condition function result
+-- arg: stop - do not replay remaining execution plan after 'instances'
+-- arg: clear - clear execution plan after 'instances'
+-- test case : --lua-desync=repeater:repeats=2:instances=2 --lua-desync=argdebug:v=1 --lua-desync=argdebug:v=2 --lua-desync=argdebug:v=3
+function repeater(ctx, desync)
+	local repeats = tonumber(desync.arg.repeats)
+	if not repeats then
+		error("repeat: missing 'repeats'")
+	end
+	local iff = desync.arg.iff or "cond_true"
+	if type(_G[iff])~="function" then
+		error(name..": invalid 'iff' function '"..iff.."'")
+	end
+	orchestrate(ctx, desync)
+	local neg = desync.arg.neg
+	local stop = desync.arg.stop
+	local clear = desync.arg.clear
+	local verdict = VERDICT_PASS
+	local instances = tonumber(desync.arg.instances) or 1
+	local repinst = desync.func_instance
+	if instances>#desync.plan then
+		instances = #desync.plan
+	end
+	-- save plan copy
+	local plancopy = deepcopy(desync.plan)
+	for r=1,repeats do
+		if not logical_xor(_G[iff](desync), neg) then
+			DLOG("repeater: break by iff")
+			break
+		end
+		DLOG("repeater: "..repinst.." "..r.."/"..repeats)
+		-- nested orchestrators can also pop
+		local ct_end = #desync.plan - instances
+		repeat
+			local instance = plan_instance_pop(desync)
+			verdict = plan_instance_execute(desync, verdict, instance)
+		until #desync.plan <= ct_end
+		-- rollback desync plan
+		desync.plan = deepcopy(plancopy)
+	end
+	-- remove repeated instances from desync plan
+	for i=1,instances do
+		table.remove(desync.plan,1)
+	end
+	if clear then
+		plan_clear(desync)
+		return verdict
+	elseif stop then
+		return verdict
+	end
+	-- replay the rest
+	return verdict_aggregate(verdict, replay_execution_plan(desync))
+end

lua/zapret-lib.lua

@@ -76,7 +76,7 @@ end
 -- arg: pattern - substring for search inside reasm_data or desync.dis.payload
 -- arg: payload - set desync.l7payload to this if detected
 -- arg: undetected - set desync.l7payload to this if not detected
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-antidpi.lua --lua-init=@zapret-auto.lua --lua-desync=detect_payload_str:pattern=1234:payload=my --lua-desync=fake:blob=0x1234:payload=my
+-- test case : --lua-desync=detect_payload_str:pattern=1234:payload=my --lua-desync=fake:blob=0x1234:payload=my
 function detect_payload_str(ctx, desync)
 	if not desync.arg.pattern then
 		error("detect_payload_str: missing 'pattern'")
@@ -190,7 +190,7 @@ function plan_instance_execute(desync, verdict, instance)
 	return verdict
 end
 function plan_instance_pop(desync)
-	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1)
+	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1) or nil
 end
 function plan_clear(desync)
 	while table.remove(desync.plan) do end
@@ -227,13 +227,19 @@ function replay_execution_plan(desync)
 end
 -- this function demonstrates how to stop execution of upcoming desync instances and take over their job
 -- this can be used, for example, for orchestrating conditional processing without modifying of desync functions code
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-desync=desync_orchestrator_example --lua-desync=pass --lua-desync=pass
+-- test case : --lua-desync=desync_orchestrator_example --lua-desync=pass --lua-desync=pass
 function desync_orchestrator_example(ctx, desync)
 	DLOG("orchestrator: taking over upcoming desync instances")
 	orchestrate(ctx, desync)
 	return replay_execution_plan(desync)
 end
 
+-- if seq is over 2G s and p position comparision can be wrong
+function pos_counter_overflow(desync, mode, reverse)
+	if not desync.track or not desync.track.tcp or (mode~='s' and mode~='p') then return false end
+	local track_pos = reverse and desync.track.pos.reverse or desync.track.pos.direct
+	return track_pos.tcp.rseq_over_2G
+end
 -- these functions duplicate range check logic from C code
 -- mode must be n,d,b,s,x,a
 -- pos is {mode,pos}
@@ -265,7 +271,7 @@ function pos_get(desync, mode, reverse)
 	return 0
 end
 function pos_check_from(desync, range)
-	if range.from.mode == 'x' then return false end
+	if range.from.mode == 'x' or pos_counter_overflow(desync, range.from.mode) then return false end
 	if range.from.mode ~= 'a' then
 		if desync.track then
 			return pos_get(desync, range.from.mode) >= range.from.pos
@@ -277,7 +283,7 @@ function pos_check_from(desync, range)
 end
 function pos_check_to(desync, range)
 	local ps
-	if range.to.mode == 'x' then return false end
+	if range.to.mode == 'x' or pos_counter_overflow(desync, range.to.mode) then return false end
 	if range.to.mode ~= 'a' then
 		if desync.track then
 			ps = pos_get(desync, range.to.mode)
@@ -297,8 +303,31 @@ end
 function pos_str(desync, pos)
 	return pos.mode..pos_get(desync, pos.mode)
 end
+
+-- sequence comparision functions. they work only within 2G interval
+-- seq1>=seq2
+function seq_ge(seq1, seq2)
+	return 0==bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq1>seq2
+function seq_gt(seq1, seq2)
+	return seq1~=seq2 and seq_ge(seq1, seq2)
+end
+-- seq1<seq2
+function seq_lt(seq1, seq2)
+	return 0~=bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq1<=seq2
+function seq_le(seq1, seq2)
+	return seq1==seq2 or 0~=bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq_low<=seq<=seq_hi
+function seq_within(seq, seq_low, seq_hi)
+	return seq_ge(seq, seq_low) and seq_le(seq, seq_hi)
+end
+
 function is_retransmission(desync)
-	return desync.track and desync.track.pos.direct.tcp and 0==bitand(u32add(desync.track.pos.direct.tcp.uppos_prev, -desync.track.pos.direct.tcp.pos), 0x80000000)
+	return desync.track and desync.track.pos.direct.tcp and seq_ge(desync.track.pos.direct.tcp.uppos_prev, desync.track.pos.direct.tcp.pos)
 end
 
 -- prepare standard rawsend options from desync
@@ -801,6 +830,7 @@ end
 -- ip6_hopbyhop[=hex] - add hopbyhop ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_hopbyhop2[=hex] - add second hopbyhop ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_destopt[=hex] - add destopt ipv6 header with optional data. data size must be 6+N*8. all zero by default.
+-- ip6_destopt2[=hex] - add second destopt ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_routing[=hex] - add routing ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_ah[=hex] - add authentication ipv6 header with optional data. data size must be 6+N*4. 0000 + 4 random bytes by default.
 

lua/zapret-pcap.lua

@@ -16,7 +16,7 @@ function pcap_write(file, raw)
 	pcap_write_packet(file, raw)
 end
 
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-pcap.lua --writeable=zdir --in-range=a --lua-desync=pcap:file=test.pcap
+-- test case : --writeable=zdir --in-range=a --lua-desync=pcap:file=test.pcap
 -- arg : file=<filename> - file for storing pcap data. if --writeable is specified and filename is relative - append filename to writeable path
 -- arg : keep - do not overwrite file, append packets to existing
 function pcap(ctx, desync)

lua/zapret-wgobfs.lua

@@ -1,4 +1,4 @@
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-wgobfs.lua --in-range=a --out-range=a --lua-desync=wgobfs:secret=mycoolpassword
+-- test case : --in-range=a --out-range=a --lua-desync=wgobfs:secret=mycoolpassword
 -- encrypt standard wireguard messages - initiation, response, cookie - and change udp packet size
 -- do not encrypt data messages and keepalives
 -- wgobfs adds maximum of 30+padmax bytes to udp size

nfq2/conntrack.c

@@ -155,6 +155,11 @@ static void ConntrackApplyPos(const struct tcphdr *tcp, t_ctrack *t, bool bRever
 	if (direct->scale != SCALE_NONE) direct->winsize_calc <<= direct->scale;
 	if (mss && !direct->mss) direct->mss = mss;
 	if (scale != SCALE_NONE) direct->scale = scale;
+
+	if (!direct->rseq_over_2G && ((direct->seq_last - direct->seq0) & 0x80000000))
+		direct->rseq_over_2G = true;
+	if (!reverse->rseq_over_2G && ((reverse->seq_last - reverse->seq0) & 0x80000000))
+		reverse->rseq_over_2G = true;
 }
 
 // non-tcp packets are passed with tcphdr=NULL but len_payload filled
@@ -208,19 +213,7 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr
 
 		ConntrackApplyPos(tcphdr, t, bReverse, len_payload);
 	}
-	else
-	{
-		if (bReverse)
-		{
-			t->pos.server.seq_last = t->pos.server.pos;
-			t->pos.server.pos += len_payload;
-		}
-		else
-		{
-			t->pos.client.seq_last = t->pos.client.pos;
-			t->pos.client.pos += len_payload;
-		}
-	}
+
 	clock_gettime(CLOCK_REALTIME, &t->pos.t_last);
 	// make sure t_start gets exactly the same value as first t_last
 	if (!t->t_start.tv_sec) t->t_start = t->pos.t_last;

nfq2/conntrack_base.h

@@ -17,17 +17,18 @@ typedef struct
 	uint64_t pcounter;	// packet counter
 	uint64_t pdcounter;	// data packet counter (with payload)
 	uint64_t pbcounter;	// transferred byte counter. includes retransmissions. it's not the same as relative seq.
+
+	// tcp only state, not used in udp
 	uint32_t pos;		// TCP: seq_last+payload, ack_last+payload  UDP: sum of all seen payload lenghts including current
 	uint32_t uppos;		// max seen position. useful to detect retransmissions
 	uint32_t uppos_prev; 	// previous max seen position. useful to detect retransmissions
 	uint32_t seq_last;	// TCP: last seen seq and ack  UDP: sum of all seen payload lenghts NOT including current
-
-	// tcp only state, not used in udp
 	uint32_t seq0;		// starting seq and ack
 	uint16_t winsize;	// last seen window size
 	uint16_t mss;
 	uint32_t winsize_calc;	// calculated window size
 	uint8_t scale;		// last seen window scale factor. SCALE_NONE if none
+	bool rseq_over_2G;
 } t_ctrack_position;
 
 typedef struct

nfq2/darkmagic.c

@@ -718,13 +718,36 @@ bool prepare_low_appdata()
 	return b;
 }
 
+BOOL JobSandbox()
+{
+	BOOL bRes = FALSE;
+	HANDLE hJob;
+	JOBOBJECT_BASIC_LIMIT_INFORMATION basic_limit;
+	JOBOBJECT_BASIC_UI_RESTRICTIONS basic_ui;
+
+	if (hJob = CreateJobObjectW(NULL, NULL))
+	{
+		basic_limit.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
+		// prevent child process creation
+		basic_limit.ActiveProcessLimit = 1;
+		// prevent some UI interaction and settings change
+		basic_ui.UIRestrictionsClass = JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS | JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_GLOBALATOMS | JOB_OBJECT_UILIMIT_HANDLES | JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
+		bRes = SetInformationJobObject(hJob, JobObjectBasicLimitInformation, &basic_limit, sizeof(basic_limit)) &&
+			SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &basic_ui, sizeof(basic_ui)) &&
+			AssignProcessToJobObject(hJob, GetCurrentProcess());
+		w_win32_error = GetLastError();
+		CloseHandle(hJob);
+	}
+	return bRes;
+}
+
 
 #define WINDIVERT_DEVICE_NAME "WinDivert"
-static bool b_isandbox_set = false;
+static bool b_sandbox_set = false;
 bool win_sandbox(void)
 {
 	// there's no way to return privs
-	if (!b_isandbox_set)
+	if (!b_sandbox_set)
 	{
 		if (!RemoveTokenPrivs())
 			return FALSE;
@@ -734,8 +757,9 @@ bool win_sandbox(void)
 			return FALSE;
 		if (!LowMandatoryLevel())
 			return false;
-		// for LUA code to find where to store files
-		b_isandbox_set = true;
+		if (!JobSandbox())
+			return false;
+		b_sandbox_set = true;
 	}
 	return true;
 }

nfq2/desync.c

@@ -415,7 +415,8 @@ static bool reasm_start(t_ctrack *ctrack, t_reassemble *reasm, uint8_t proto, ui
 static bool reasm_client_start(t_ctrack *ctrack, uint8_t proto, size_t sz, size_t szMax, const uint8_t *data_payload, size_t len_payload)
 {
 	if (!ctrack) return false;
-	if (proto==IPPROTO_TCP && ctrack->pos.server.winsize_calc < sz)
+	// if winsize_calc==0 it means we dont know server window size - no incoming packets redirected ?
+	if (proto==IPPROTO_TCP && ctrack->pos.server.winsize_calc && (ctrack->pos.server.winsize_calc < sz))
 	{
 		// this is rare but possible situation
 		// server gave us too small tcp window
@@ -505,7 +506,10 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, const struct dissect *
 	return VERDICT_DROP;
 }
 
-
+static bool pos_overflow(const t_ctrack_position *pos, char mode)
+{
+	return (mode=='s' || mode=='p') && pos && pos->rseq_over_2G;
+}
 static uint64_t pos_get(const t_ctrack_position *pos, char mode)
 {
 	if (pos)
@@ -524,7 +528,7 @@ static uint64_t pos_get(const t_ctrack_position *pos, char mode)
 static bool check_pos_from(const t_ctrack_position *pos, const struct packet_range *range)
 {
 	uint64_t ps;
-	if (range->from.mode == 'x') return false;
+	if ((range->from.mode == 'x') || pos_overflow(pos,range->from.mode)) return false;
 	if (range->from.mode != 'a')
 	{
 		if (pos)
@@ -540,7 +544,7 @@ static bool check_pos_from(const t_ctrack_position *pos, const struct packet_ran
 static bool check_pos_to(const t_ctrack_position *pos, const struct packet_range *range)
 {
 	uint64_t ps;
-	if (range->to.mode == 'x') return false;
+	if (range->to.mode == 'x' || pos_overflow(pos,range->to.mode)) return false;
 	if (range->to.mode != 'a')
 	{
 		if (pos)
@@ -707,7 +711,7 @@ static uint8_t desync(
 	struct func_list *func;
 	int ref_arg = LUA_NOREF, status;
 	bool b, b_cutoff_all, b_unwanted_payload;
-	t_lua_desync_context ctx = { .dp = dp, .ctrack = ctrack, .dis = dis, .cancel = false, .incoming = bIncoming };
+	t_lua_desync_context ctx = { .magic = 0, .dp = dp, .ctrack = ctrack, .dis = dis, .cancel = false, .incoming = bIncoming };
 	const char *sDirection = bIncoming ? "in" : "out";
 	struct packet_range *range;
 	size_t l;
@@ -754,10 +758,12 @@ static uint8_t desync(
 					DLOG("* lua '%s' : voluntary cutoff\n", instance);
 				else if (check_pos_cutoff(pos, range))
 				{
-					DLOG("* lua '%s' : %s pos %c%llu %c%llu is beyond range %c%u%c%c%u (ctrack %s)\n",
+					DLOG("* lua '%s' : %s pos %c%llu %c%llu overflow %u %u is beyond range %c%u%c%c%u (ctrack %s)\n",
 						instance, sDirection,
 						range->from.mode, pos_get(pos, range->from.mode),
 						range->to.mode, pos_get(pos, range->to.mode),
+						pos_overflow(pos, range->from.mode),
+						pos_overflow(pos, range->to.mode),
 						range->from.mode, range->from.pos,
 						range->upper_cutoff ? '<' : '-',
 						range->to.mode, range->to.pos,
@@ -855,8 +861,14 @@ static uint8_t desync(
 							lua_pushf_str("func", func->func);
 							lua_pushf_int("func_n", ctx.func_n);
 							lua_pushf_str("func_instance", instance);
-							int initial_stack_top = lua_gettop(params.L);
+
+							// lua should not store and access ctx outside of this call
+							// if this happens make our best to prevent access to bad memory
+							// this is not crash-proof but better than nothing
+							ctx.magic = MAGIC_CTX; // mark struct as valid
 							status = lua_pcall(params.L, 2, LUA_MULTRET, 0);
+							ctx.magic = 0; // mark struct as invalid
+
 							if (status)
 							{
 								lua_dlog_error();
@@ -1310,8 +1322,8 @@ static uint8_t dpi_desync_tcp_packet_play(
 		bool bDiscoveredL7;
 		if (ctrack_replay)
 		{
-			bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN;
-			ctrack_replay->l7proto_discovered = true;
+			if ((bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN))
+				ctrack_replay->l7proto_discovered = true;
 		}
 		else
 			bDiscoveredL7 = l7proto != L7_UNKNOWN;
@@ -1755,8 +1767,8 @@ static uint8_t dpi_desync_udp_packet_play(
 			bool bDiscoveredL7;
 			if (ctrack_replay)
 			{
-				bDiscoveredL7 = !ctrack_replay->l7proto_discovered && l7proto != L7_UNKNOWN;
-				ctrack_replay->l7proto_discovered = true;
+				if ((bDiscoveredL7 = !ctrack_replay->l7proto_discovered && l7proto != L7_UNKNOWN))
+					ctrack_replay->l7proto_discovered = true;
 			}
 			else
 				bDiscoveredL7 = l7proto != L7_UNKNOWN;

nfq2/lua.c

@@ -690,6 +690,22 @@ static int luacall_clock_gettime(lua_State *L)
 	}
 	LUA_STACK_GUARD_RETURN(L,2)
 }
+
+static t_lua_desync_context *lua_desync_ctx()
+{
+	if (lua_isnil(params.L,1))
+		luaL_error(params.L, "missing ctx");
+	if (!lua_islightuserdata(params.L,1))
+		luaL_error(params.L, "bad ctx - invalid data type");
+
+	t_lua_desync_context *ctx = lua_touserdata(params.L,1);
+	// ensure it's really ctx. LUA could pass us any lightuserdata pointer
+	if (ctx->magic!=MAGIC_CTX)
+		luaL_error(params.L, "bad ctx - magic bytes invalid");
+
+	return ctx;
+}
+
 static int luacall_instance_cutoff(lua_State *L)
 {
 	// out : instance_name.profile_number[0]
@@ -699,16 +715,12 @@ static int luacall_instance_cutoff(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	const t_lua_desync_context *ctx;
-
 	if (lua_isnil(L,1))
 		// this can happen in orchestrated function. they do not have their own ctx and they cant cutoff
 		DLOG("instance cutoff not possible because missing ctx\n");
 	else
 	{
-		if (!lua_islightuserdata(L,1))
-			luaL_error(L, "instance_cutoff expect desync context in the first argument");
-		ctx = lua_touserdata(L,1);
+		const t_lua_desync_context *ctx = lua_desync_ctx();
 
 		int argc=lua_gettop(L);
 		bool bIn,bOut;
@@ -720,7 +732,6 @@ static int luacall_instance_cutoff(lua_State *L)
 		}
 		else
 			bIn = bOut = true;
-
 		if (ctx->ctrack)
 		{
 			DLOG("instance cutoff for '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
@@ -785,11 +796,7 @@ static int luacall_lua_cutoff(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "lua_cutoff expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	t_lua_desync_context *ctx = lua_desync_ctx();
 
 	int argc=lua_gettop(L);
 	bool bIn,bOut;
@@ -821,11 +828,7 @@ static int luacall_execution_plan(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	const t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "execution_plan expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	t_lua_desync_context *ctx = lua_desync_ctx();
 
 	lua_newtable(L);
 
@@ -862,11 +865,7 @@ static int luacall_execution_plan_cancel(lua_State *L)
 {
 	lua_check_argc(L,"execution_plan_cancel",1);
 
-	t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "execution_plan_cancel expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	t_lua_desync_context *ctx = lua_desync_ctx();
 
 	DLOG("execution plan cancel from '%s'\n",ctx->instance);
 
@@ -881,11 +880,7 @@ static int luacall_raw_packet(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	const t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "raw_packet expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	const t_lua_desync_context *ctx = lua_desync_ctx();
 
 	lua_pushlstring(L, (const char*)ctx->dis->data_pkt, ctx->dis->len_pkt);
 
@@ -1251,13 +1246,15 @@ void lua_push_dissect(const struct dissect *dis)
 
 	if (dis)
 	{
-		lua_createtable(params.L, 0, 7);
+		lua_createtable(params.L, 0, 9);
 		lua_pushf_iphdr(dis->ip, dis->len_l3);
 		lua_pushf_ip6hdr(dis->ip6, dis->len_l3);
 		lua_pushf_tcphdr(dis->tcp, dis->len_l4);
 		lua_pushf_udphdr(dis->udp, dis->len_l4);
 		lua_pushf_int("l4proto",dis->proto);
 		lua_pushf_int("transport_len",dis->transport_len);
+		lua_pushf_int("l3_len",dis->len_l3);
+		lua_pushf_int("l4_len",dis->len_l4);
 		lua_pushf_raw("payload",dis->data_payload,dis->len_payload);
 	}
 	else
@@ -1282,10 +1279,11 @@ void lua_pushf_ctrack_pos(const t_ctrack *ctrack, const t_ctrack_position *pos)
 	if (ctrack->ipproto == IPPROTO_TCP)
 	{
 		lua_pushliteral(params.L, "tcp");
-		lua_createtable(params.L, 0, 10);
+		lua_createtable(params.L, 0, 11);
 		lua_pushf_lint("seq0", pos->seq0);
 		lua_pushf_lint("seq", pos->seq_last);
 		lua_pushf_lint("rseq", pos->seq_last - pos->seq0);
+		lua_pushf_bool("rseq_over_2G", pos->rseq_over_2G);
 		lua_pushf_int("pos", pos->pos - pos->seq0);
 		lua_pushf_int("uppos", pos->uppos - pos->seq0);
 		lua_pushf_int("uppos_prev", pos->uppos_prev - pos->seq0);
@@ -2135,7 +2133,7 @@ static int luacall_csum_ip4_fix(lua_State *L)
 }
 static int luacall_csum_tcp_fix(lua_State *L)
 {
-	// csum_ip4_fix(ip_header, tcp_header, payload) returns tcp_header
+	// csum_tcp_fix(ip_header, tcp_header, payload) returns tcp_header
 	lua_check_argc(L,"csum_tcp_fix",3);
 
 	LUA_STACK_GUARD_ENTER(L)
@@ -2176,7 +2174,7 @@ static int luacall_csum_tcp_fix(lua_State *L)
 }
 static int luacall_csum_udp_fix(lua_State *L)
 {
-	// csum_ip4_fix(ip_header, tcp_header, payload) returns tcp_header
+	// csum_udp_fix(ip_header, udp_header, payload) returns udp_header
 	lua_check_argc(L,"csum_udp_fix",3);
 
 	LUA_STACK_GUARD_ENTER(L)
@@ -3000,9 +2998,11 @@ static void lua_init_const(void)
 		{"IP_OFFMASK",IP_OFFMASK},
 		{"IP_FLAGMASK",IP_RF|IP_DF|IP_MF},
 		{"IPTOS_ECN_MASK",IPTOS_ECN_MASK},
+		{"IPTOS_ECN_NOT_ECT",0},
 		{"IPTOS_ECN_ECT1",IPTOS_ECN_ECT1},
 		{"IPTOS_ECN_ECT0",IPTOS_ECN_ECT0},
 		{"IPTOS_ECN_CE",IPTOS_ECN_CE},
+		{"IPTOS_DSCP_MASK",0xF0},
 		{"IP6F_MORE_FRAG",0x0001}, // in ip6.h it's defined depending of machine byte order
 
 		{"IPPROTO_IP",IPPROTO_IP},

nfq2/lua.h

@@ -101,7 +101,9 @@ bool lua_reconstruct_tcphdr(int idx, struct tcphdr *tcp, size_t *len);
 bool lua_reconstruct_udphdr(int idx, struct udphdr *udp);
 bool lua_reconstruct_dissect(int idx, uint8_t *buf, size_t *len, bool badsum, bool ip6_preserve_next);
 
+#define MAGIC_CTX	0xE73DC935
 typedef struct {
+	uint32_t magic;
 	unsigned int func_n;
 	const char *func, *instance;
 	const struct desync_profile *dp;

nfq2/nfqws.c

@@ -630,6 +630,7 @@ static int win_main()
 		{
 			res=w_win32_error; goto ex;
 		}
+
 		if (!win_sandbox())
 		{
 			res=w_win32_error;
@@ -637,7 +638,6 @@ static int win_main()
 			goto ex;
 		}
 
-
 		// init LUA only here because of possible sandbox. no LUA code with high privs
 		if (!params.L && !lua_init())
 		{
@@ -1812,6 +1812,7 @@ int main(int argc, char **argv)
 						fprintf(stderr, "cannot create %s\n", params.debug_logfile);
 						exit_clean(1);
 					}
+					fclose(F);
 					params.debug = true;
 					params.debug_target = LOG_TARGET_FILE;
 				}