update docs

.github/workflows/build.yml

@@ -26,6 +26,8 @@ jobs:
             tool: aarch64-unknown-linux-musl
           - arch: arm
             tool: arm-unknown-linux-musleabi
+          - arch: arm-old
+            tool: arm-unknown-linux-musleabi
           # - arch: armhf
           #   tool: arm-unknown-linux-musleabihf
           # - arch: armv7
@@ -108,7 +110,7 @@ jobs:
           export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
           export STAGING_DIR=$RUNNER_TEMP
 
-          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]]; then
+          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]] || [[ "$ARCH" == arm-old ]]; then
             # use classic lua
             wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
             (
@@ -527,6 +529,7 @@ jobs:
                 *-android-x86_64 )      run_dir android-x86_64 ;;
                 *-freebsd-x86_64 )      run_dir freebsd-x86_64 ;;
                 *-linux-arm )           run_dir linux-arm ;;
+                *-linux-arm-old )       run_dir linux-arm-old ;;
                 *-linux-arm64 )         run_dir linux-arm64 ;;
                 *-linux-mips64 )        run_dir linux-mips64 ;;
                 *-linux-mipselsf )      run_dir linux-mipsel ;;

blockcheck2.d/standard/20-multi.sh

@@ -5,10 +5,10 @@ pktws_simple_split_tests()
 	# $3 - splits
 	# $4 - PRE args for nfqws2
 	local pos ok ok_any pre="$4"
-	local splitf splitfs="multisplit multidisorder"
+	local splitf splitfs="multisplit $MULTIDISORDER"
 
 	ok_any=0
-	for splitf in multisplit multidisorder; do
+	for splitf in $splitfs; do
 		eval need_$splitf=0
 		ok=0
 		for pos in $3; do
@@ -38,7 +38,7 @@ pktws_check_https_tls()
 	# $1 - test function
 	# $2 - domain
 	# $3 - PRE args for nfqws2
-	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
 	local PAYLOAD="--payload tls_client_hello"
 
 	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }

blockcheck2.d/standard/23-seqovl.sh

@@ -24,8 +24,8 @@ pktws_check_http()
 	for split in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
 		f="$(extract_arg 1 $split)"
 		f2="$(extract_arg 2 $split)"
-		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f
-		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat
 	done
 }
 
@@ -60,8 +60,8 @@ pktws_seqovl_tests_tls()
 	for split in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
 		f="$(extract_arg 1 $split)"
 		f2="$(extract_arg 2 $split)"
-		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f && ok=1
-		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
 	done
 	[ "$ok" = 1 ] && ok_any=1
 	[ "$ok_any" = 1 ]

blockcheck2.d/standard/24-syndata.sh

@@ -7,7 +7,7 @@ pktws_check_http()
 
 	local PAYLOAD="--payload http_req" split
 
-	for split in '' multisplit multidisorder; do
+	for split in '' multisplit $MULTIDISORDER; do
 		pktws_curl_test_update "$1" "$2" --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split}
 		pktws_curl_test_update "$1" "$2" --lua-desync=syndata:blob=fake_default_http $PAYLOAD ${split:+$PAYLOAD --lua-desync=$split}
 	done
@@ -21,7 +21,7 @@ pktws_check_https_tls()
 
 	local PAYLOAD="--payload tls_client_hello" ok=0 pre="$3" split
 
-	for split in '' multisplit multidisorder; do
+	for split in '' multisplit $MULTIDISORDER; do
 		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split} && ok=1
 		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=0x1603 ${split:+$PAYLOAD --lua-desync=$split} && ok=1
 		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,rndsni ${split:+$PAYLOAD --lua-desync=$split} && ok=1

blockcheck2.d/standard/50-fake-multi.sh

@@ -22,7 +22,7 @@ pktws_check_http()
 	# do not test fake + multisplit if multisplit works
 	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
 	# do not test fake + multidisorder if multidisorder works
-	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"
 
 	for splitf in $splitfs; do
 		ok=0
@@ -95,7 +95,7 @@ pktws_check_https_tls()
 	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }
 
 	local testf=$1 domain="$2" pre="$3"
-	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
 	local PAYLOAD="--payload=tls_client_hello"
 
 	shift; shift
@@ -112,7 +112,7 @@ pktws_check_https_tls()
 	# do not test fake + multisplit if multisplit works
 	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
 	# do not test fake + multidisorder if multidisorder works
-	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"
 
 	ok_any=0
 	for splitf in $splitfs; do

blockcheck2.d/standard/90-quic.sh

@@ -1,3 +1,5 @@
+. "$TESTDIR/def.inc"
+
 pktws_check_http3()
 {
 	# $1 - test function
@@ -5,7 +7,7 @@ pktws_check_http3()
 
 	[ "$NOTEST_QUIC" = 1 ] && { echo "SKIPPED"; return; }
 
-	local repeats fake pos
+	local repeats fake pos fool
 	local PAYLOAD="--payload quic_initial"
 
 	if [ -n "$FAKE_QUIC" ]; then
@@ -18,6 +20,12 @@ pktws_check_http3()
 		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$repeats && [ "$SCANLEVEL" != force ] && break
 	done
 
+	[ "$IPV" = 6 ] && {
+		for fool in ip6_hopbyhop ip6_destopt ip6_hopbyhop:ip6_destopt; do
+			pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:$fool --lua-desync=drop
+		done
+	}
+
 	for pos in 8 16 32 64; do
 		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
 	done

blockcheck2.d/standard/def.inc

@@ -2,6 +2,16 @@ FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 t
 FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
 FOOLINGS_TCP="$FOOLINGS46_TCP"
 [ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
+FOOLINGS6_UDP="${FOOLINGS6_UDP:-$FOOLINGS6_TCP}"
 FOOLINGS_UDP="${FOOLINGS_UDP:-badsum}"
+[ "$IPV" = 6 ] && FOOLINGS_UDP="$FOOLINGS_UDP $FOOLINGS6_UDP"
 
 FAKE_REPEATS=${FAKE_REPEATS:-1}
+
+MIN_TTL=${MIN_TTL:-1}
+MAX_TTL=${MAX_TTL:-12}
+MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
+MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
+
+# can use MULTIDISORER=multidisorder_legacy
+MULTIDISORDER=${MULTIDISORDER:-multidisorder}

blockcheck2.sh

@@ -40,10 +40,6 @@ IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
-MIN_TTL=${MIN_TTL:-1}
-MAX_TTL=${MAX_TTL:-12}
-MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
-MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
 USER_AGENT=${USER_AGENT:-Mozilla}
 HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}

common/ipt.sh

@@ -2,8 +2,6 @@ std_ports
 ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-IPBAN_EXCLUDE="-m set ! --match-set ipban"
-IPBAN_EXCLUDE6="-m set ! --match-set ipban6"
 
 ipt()
 {

config.default

@@ -97,11 +97,12 @@ FLOWOFFLOAD=donttouch
 #OPENWRT_WAN4="wan vpn"
 #OPENWRT_WAN6="wan6 vpn6"
 
-# for routers based on desktop linux and macos. has no effect in openwrt.
+# for routers based on classic linux. has no effect in openwrt.
 # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
 # or leave them commented if its not router
 # it's possible to specify multiple interfaces like this : IFACE_WAN="eth0 eth1 eth2"
 # if IFACE_WAN6 is not defined it take the value of IFACE_WAN
+#IFACE_LAN=eth0
 #IFACE_WAN=eth1
 #IFACE_WAN6="ipsec0 wireguard0 he_net"
 

docs/changes.txt

@@ -110,7 +110,18 @@ v0.7.2
 v0.7.4
 
 * nfqws2, zapret-lib : check tcp sequence range overflow
-* zapret-lib : seq compare functions
+* zapret-lib: seq compare functions
 * nfqws2: add l3_len, l4_len to dissect
 * nfqws2: fix broken l7proto profile rediscovery
 * winws2: harden sandbox. disable child process execution , some UI interaction and desktop settings change
+
+v0.7.5
+
+* zapret-auto: orchestrator "repeater"
+* blockcheck2: check http3 with ipv6 exthdr
+* github actions: separate target arm-old with LUA classic, not JIT
+* zapret-auto: iff/neg in repeater
+* zapret-antidpi: multidisorder_legacy
+* ipset: remove get_reestr_hostlist.sh and get_reestr_resolve.sh because zapret-info does not and will probably not ever update
+* nfqws2: fix "reasm cancelled" if no incoming traffic redirected
+* blockcheck2: MULTIDISORDER=multidisorder_legacy

docs/readme.md

@@ -8,6 +8,20 @@ VPN. Может использоваться для частичной проз
 традиционные Linux-системы, FreeBSD, OpenBSD, Windows. В некоторых случаях возможна самостоятельная прикрутка
 решения к различным прошивкам.
 
+[Полный мануал](manual.md)
+
+
+## Поддержать разработчика
+
+Если вы считаете проект полезным и желаете поддержать разработку, направляйте ваши пожертвования на следующие адреса криптокошельков :
+
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`  (предпочительно сеть ERC-20)
+
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
+
+
 ## Чем это отличается от zapret1
 
 zapret2 является дальнейшим развитием проекта zapret.
@@ -38,7 +52,7 @@ zapret2 - инструмент для таких энтузиастов. Но э
 
 ## С чего начать
 
-Хотелось бы избежать "талмуда" на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
+Хотелось бы избежать [талмуда](manual.md) на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
 Когда вы поймете как это работает, вы можете посмотреть LUA код, находящийся "под капотом". Разобрать как он работает, попробовать написать что-то свое.
 "талмуд" обязательно будет, как он есть у любых более-менее сложных проектов. Он нужен как справочник.
 
@@ -153,7 +167,7 @@ range задается как `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`.
 Следующий профиль снова принимает значения по умолчанию.
 
 Что будет, если вы не напишите фильтр `--payload` для fake или multisplit ? В *nfqws1* без `--dpi-desync-any-protocol` они работали только по известным пейлоадам.
-В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известные пейлоадам
+В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известным пейлоадам
 и не работают по пустым пакетам или unknown - точно так же, как это было в *nfqws1*.
 Но лучше все-же писать фильтры `--payload`, потому что они работают на уровне C кода, который выполняется существенно быстрее, чем LUA.
 

init.d/custom.d.examples.linux/20-fw-extra

@@ -1,31 +1,22 @@
 # this custom script runs standard mode with extra firewall rules
 
-# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# config: use NFQWS2_ENABLE_OVERRIDE to enable standard mode daemons
 # standard and override switches cannot be enabled simultaneously !
 
-TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
-NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+NFQWS2_ENABLE_OVERRIDE=${NFQWS2_ENABLE_OVERRIDE:-0}
 
 # config: some if these values must be set in config. not setting any of these makes this script meaningless.
 # pre vars put ipt/nft code to the rule beginning
-#FW_EXTRA_PRE_TPWS_IPT=
-#FW_EXTRA_PRE_TPWS_NFT=
-#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
-#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+#FW_EXTRA_PRE_NFQWS2_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS2_NFT="mark and 0x10000000 != 0"
 # post vars put ipt/nft code to the rule end
-#FW_EXTRA_POST_TPWS_IPT=
-#FW_EXTRA_POST_TPWS_NFT=
-#FW_EXTRA_POST_NFQWS_IPT=
-#FW_EXTRA_POST_NFQWS_NFT=
+#FW_EXTRA_POST_NFQWS2_IPT=
+#FW_EXTRA_POST_NFQWS2_NFT=
 
 check_std_intersect()
 {
-	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
-		return 1
-	}
-	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+	[ "$NFQWS2_ENABLE_OVERRIDE" = 1 -a "$NFQWS2_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS2_ENABLE_OVERRIDE and NFQWS2_ENABLE are enabled"
 		return 1
 	}
 	return 0
@@ -37,7 +28,7 @@ zapret_custom_daemons()
 
 	check_std_intersect || return
 
-	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	local NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
 	standard_mode_daemons "$1"
 }
 zapret_custom_firewall()
@@ -46,10 +37,8 @@ zapret_custom_firewall()
 
 	check_std_intersect || return
 
-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
-	zapret_do_firewall_standard_tpws_rules_ipt $1
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_IPT"
 	zapret_do_firewall_standard_nfqws_rules_ipt $1
 }
 zapret_custom_firewall_nft()
@@ -58,9 +47,7 @@ zapret_custom_firewall_nft()
 
 	check_std_intersect || return
 
-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
-	zapret_apply_firewall_standard_tpws_rules_nft
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_NFT"
 	zapret_apply_firewall_standard_nfqws_rules_nft
 }

init.d/openwrt/90-zapret2

@@ -2,19 +2,6 @@
 
 ZAPRET=/etc/init.d/zapret2
 
-check_lan()
-{
-	IS_LAN=
-	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
-	for lan in $OPENWRT_LAN; do
-		[ "$INTERFACE" = "$lan" ] && {
-			IS_LAN=1
-			break
-		}
-	done
-}
-
-
 [ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
 	SCRIPT=$(readlink "$ZAPRET")
 	if [ -n "$SCRIPT" ]; then

install_easy.sh

@@ -233,10 +233,10 @@ select_getlist()
 		echo
 		if ask_yes_no $D "do you want to auto download ip/host list"; then
 			if [ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] ; then
-				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
+				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh"
 				GETLIST_DEF="get_antizapret_domains.sh"
 			else
-				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_resolve.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
+				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
 				GETLIST_DEF="get_antifilter_allyouneed.sh"
 			fi
 			ask_list GETLIST "$GETLISTS" "$GETLIST_DEF" && write_config_var GETLIST

ipset/get_reestr_hostlist.sh

@@ -1,65 +0,0 @@
-#!/bin/sh
-
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-
-. "$IPSET_DIR/def.sh"
-
-ZREESTR="$TMPDIR/zapret.txt.gz"
-IPB="$TMPDIR/ipb.txt"
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
-
-dl_checked()
-{
-  # $1 - url
-  # $2 - file
-  # $3 - minsize
-  # $4 - maxsize
-  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
-  {
-   echo list download failed : $1
-   return 2
-  }
-  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
-   echo list is too small : $dlsize bytes. can be bad.
-   return 2
-  fi
-  return 0
-}
-
-reestr_list()
-{
- LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C  LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
-}
-reestr_extract_ip()
-{
- LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C  LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
-}
-
-ipban_fin()
-{
- getipban
- "$IPSET_DIR/create_ipset.sh"
-}
-
-dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || {
- ipban_fin
- exit 2
-}
-
-reestr_list | sort -u | zz "$ZHOSTLIST"
-
-reestr_extract_ip <"$ZREESTR" >"$IPB"
-
-rm -f "$ZREESTR"
-[ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
-[ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
-rm -f "$IPB"
-
-hup_zapret_daemons
-
-ipban_fin
-
-exit 0

ipset/get_reestr_preresolved.sh

@@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_resolved4.txt"
 URL6="$BASEURL/reestr_resolved6.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"
 
 dl()
 {
@@ -35,12 +35,12 @@ dl()
 
 getuser && {
  [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+	dl "$URL4" "$ZIPLIST" 4096 4194304
+#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
  }
  [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+	dl "$URL6" "$ZIPLIST6" 2048 4194304
+#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
  }
 }
 

ipset/get_reestr_preresolved_smart.sh

@@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_smart4.txt"
 URL6="$BASEURL/reestr_smart6.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"
 
 dl()
 {
@@ -35,12 +35,12 @@ dl()
 
 getuser && {
  [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+	dl "$URL4" "$ZIPLIST" 4096 4194304
+#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
  }
  [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+	dl "$URL6" "$ZIPLIST6" 2048 4194304
+#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
  }
 }
 

ipset/get_reestr_resolvable_domains.sh

@@ -9,8 +9,8 @@ TMPLIST="$TMPDIR/list_nethub.txt"
 
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL="$BASEURL/reestr_hostname_resolvable.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"
 
 dl()
 {
@@ -36,8 +36,8 @@ dl "$URL" "$ZHOSTLIST" 65536 67108864
 
 hup_zapret_daemons
 
-[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
-[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+#[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+#[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 
 getipban
 "$IPSET_DIR/create_ipset.sh"

ipset/get_reestr_resolve.sh

@@ -1,83 +0,0 @@
-#!/bin/sh
-
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-
-. "$IPSET_DIR/def.sh"
-
-ZREESTR="$TMPDIR/zapret.txt.gz"
-ZDIG="$TMPDIR/zapret-dig.txt"
-IPB="$TMPDIR/ipb.txt"
-ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
-#ZURL=https://reestr.rublacklist.net/api/current
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
-
-dl_checked()
-{
-  # $1 - url
-  # $2 - file
-  # $3 - minsize
-  # $4 - maxsize
-  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
-  {
-   echo list download failed : $1
-   return 2
-  }
-  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
-   echo list is too small : $dlsize bytes. can be bad.
-   return 2
-  fi
-  return 0
-}
-
-reestr_list()
-{
- LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
-}
-reestr_extract_ip()
-{
- LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
-}
-
-getuser && {
- # both disabled
- [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
-
- dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
- 
- echo preparing ipban list ..
- 
- reestr_extract_ip <"$ZREESTR" >"$IPB"
- [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
- [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
- rm -f "$IPB"
-
- echo preparing dig list ..
- reestr_list | sort -u >"$ZDIG"
-
- rm -f "$ZREESTR"
-
- echo digging started. this can take long ...
-
- [ "$DISABLE_IPV4" != "1" ] && {
-  filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
-   exit 1
-  }
-  ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
-  rm -f "$ZIPLISTTMP"
- }
- [ "$DISABLE_IPV6" != "1" ] && {
-  filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
-   exit 1
-  }
-  ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
-  rm -f "$ZIPLISTTMP"
- }
- rm -f "$ZDIG"
-}
-
-"$IPSET_DIR/create_ipset.sh"

lua/zapret-antidpi.lua

@@ -416,7 +416,49 @@ function multisplit(ctx, desync)
 	end
 end
 
+-- internal function for code deduplication. do not call directly
+function pos_normalize(pos, low, hi)
+	return (pos>=low and pos<hi) and (pos-low+1) or nil
+end
+-- internal function for code deduplication. do not call directly
+function pos_array_normalize(pos, low, hi)
+	-- remove positions outside of hi,low range. normalize others to low
+	local i=1
+	while i<=#pos do
+		pos[i] = pos_normalize(pos[i], low, hi)
+		if pos[i] then
+			i = i + 1
+		else
+			table.remove(pos, i);
+		end
+	end
+end
+-- internal function for code deduplication. do not call directly
+function multidisorder_send(desync, data, seqovl, pos)
+	for i=#pos,0,-1 do
+		local pos_start = pos[i] or 1
+		local pos_end = i<#pos and pos[i+1]-1 or #data
+		local part = string.sub(data,pos_start,pos_end)
+		local ovl=0
+		if i==1 and seqovl and seqovl>0 then
+			if seqovl>=pos[1] then
+				DLOG("multidisorder: seqovl cancelled because seqovl "..(seqovl-1).." is not less than the first split pos "..(pos[1]-1))
+			else
+				ovl = seqovl - 1
+				local pat = desync.arg.seqovl_pattern and blob(desync,desync.arg.seqovl_pattern) or "\x00"
+				part = pattern(pat,1,ovl)..part
+			end
+		end
+		if b_debug then DLOG("multidisorder: sending part "..(i+1).." "..(pos_start-1).."-"..(pos_end-1).." len="..#part.." seqovl="..ovl.." : "..hexdump_dlog(part)) end
+		if not rawsend_payload_segmented(desync,part,pos_start-1-ovl) then
+			return VERDICT_PASS
+		end
+	end
+	return VERDICT_DROP
+end
+
 -- nfqws1 : "--dpi-desync=multidisorder"
+-- algorithm is not 100% the same as in nfqws1. multi-segment queries can produce different segment ordering.
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
 -- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
 -- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
@@ -440,32 +482,16 @@ function multidisorder(ctx, desync)
 			if b_debug then DLOG("multidisorder: resolved split pos: "..table.concat(zero_based_pos(pos)," ")) end
 			delete_pos_1(pos) -- cannot split at the first byte
 			if #pos>0 then
-				for i=#pos,0,-1 do
-					local pos_start = pos[i] or 1
-					local pos_end = i<#pos and pos[i+1]-1 or #data
-					local part = string.sub(data,pos_start,pos_end)
-					local seqovl=0
-					if i==1 and desync.arg.seqovl then
-						seqovl = resolve_pos(data, desync.l7payload, desync.arg.seqovl)
-						if not seqovl then
-							DLOG("multidisorder: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
-							seqovl = 0
-						else
-							seqovl = seqovl - 1
-							if seqovl>=(pos[1]-1) then
-								DLOG("multidisorder: seqovl cancelled because seqovl "..seqovl.." is not less than the first split pos "..(pos[1]-1))
-								seqovl = 0
-							else
-								local pat = desync.arg.seqovl_pattern and blob(desync,desync.arg.seqovl_pattern) or "\x00"
-								part = pattern(pat,1,seqovl)..part
-							end
-						end
-					end
-					if b_debug then DLOG("multidisorder: sending part "..(i+1).." "..(pos_start-1).."-"..(pos_end-1).." len="..#part.." seqovl="..seqovl.." : "..hexdump_dlog(part)) end
-					if not rawsend_payload_segmented(desync,part,pos_start-1-seqovl) then
-						return VERDICT_PASS
+				local seqovl
+				if desync.arg.seqovl then
+					seqovl = resolve_pos(data, desync.l7payload, desync.arg.seqovl)
+					if not seqovl then
+						DLOG("multidisorder: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
 					end
 				end
+				if multidisorder_send(desync, data, seqovl, pos)==VERDICT_PASS then
+					return VERDICT_PASS
+				end
 				replay_drop_set(desync)
 				return desync.arg.nodrop and VERDICT_PASS or VERDICT_DROP
 			else
@@ -481,6 +507,59 @@ function multidisorder(ctx, desync)
 	end
 end
 
+-- nfqws1 : "--dpi-desync=multidisorder". segment ordering is the same as in nfqws1
+-- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
+-- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
+-- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
+-- arg : seqovl_pattern=<blob> . override pattern
+function multidisorder_legacy(ctx, desync)
+	if not desync.dis.tcp then
+		instance_cutoff_shim(ctx, desync)
+		return
+	end
+	direction_cutoff_opposite(ctx, desync)
+	-- by default process only outgoing known payloads
+	local data = desync.dis.payload
+	local fulldata = desync.reasm_data
+	if #data>0 and direction_check(desync) and payload_check(desync) then
+		local range_low = (desync.reasm_offset or 0) + 1
+		local range_hi = range_low + #data
+		local spos = desync.arg.pos or "2"
+		-- check debug to save CPU
+		if b_debug then DLOG("multidisorder_legacy: split pos: "..spos) end
+		local pos = resolve_multi_pos(fulldata, desync.l7payload, spos)
+		if b_debug then DLOG("multidisorder_legacy: resolved split pos: "..table.concat(zero_based_pos(pos)," ")) end
+		DLOG("multidisorder_legacy: reasm piece range: "..(range_low-1).."-"..(range_hi-2))
+		pos_array_normalize(pos, range_low, range_hi)
+		delete_pos_1(pos) -- cannot split at the first byte
+		if #pos>0 then
+			if b_debug then DLOG("multidisorder_legacy: normalized split pos: "..table.concat(zero_based_pos(pos)," ")) end
+			local seqovl
+			if desync.arg.seqovl then
+				seqovl = resolve_pos(fulldata, desync.l7payload, desync.arg.seqovl)
+				if seqovl then
+					DLOG("multidisorder_legacy: resolved seqovl pos: "..(seqovl-1))
+					seqovl = pos_normalize(seqovl, range_low, range_hi)
+					if seqovl then
+						DLOG("multidisorder_legacy: normalized seqovl pos: "..(seqovl-1))
+					else
+						DLOG("multidisorder_legacy: normalized seqovl pos is outside of the reasm piece range")
+					end
+				else
+					DLOG("multidisorder_legacy: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
+				end
+			end
+			return multidisorder_send(desync, data, seqovl, pos)
+		else
+			DLOG("multidisorder_legacy: no normalized split pos in this packet")
+			-- send as is with applied options
+			if rawsend_payload_segmented(desync) then
+				return VERDICT_DROP
+			end
+		end
+	end
+end
+
 -- nfqws1 : "--dpi-desync=hostfakesplit"
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct. FOOLING AND REPEATS APPLIED ONLY TO FAKES.
 -- arg : host=<str> - hostname template. generate hosts like "random.template". example : e8nzn.vk.com
@@ -616,7 +695,7 @@ function fakedsplit(ctx, desync)
 			local pos = resolve_pos(data, desync.l7payload, spos)
 			if pos then
 				if pos == 1 then
-					DLOG("multidisorder: split pos resolved to 0. cannot split.")
+					DLOG("fakedsplit: split pos resolved to 0. cannot split.")
 				else
 					if b_debug then DLOG("fakedsplit: resolved split pos: "..tostring(pos-1)) end
 
@@ -709,7 +788,7 @@ function fakeddisorder(ctx, desync)
 			local pos = resolve_pos(data, desync.l7payload, spos)
 			if pos then
 				if pos == 1 then
-					DLOG("multidisorder: split pos resolved to 0. cannot split.")
+					DLOG("fakeddisorder: split pos resolved to 0. cannot split.")
 				else
 					if b_debug then DLOG("fakeddisorder: resolved split pos: "..tostring(pos-1)) end
 

lua/zapret-auto.lua

@@ -289,7 +289,7 @@ end
 -- args for failure detector - see standard_failure_detector or your own detector
 -- args for success detector - see standard_success_detector or your own detector
 -- args for hostkey generator - see standard_hostkey or your own generator
--- test case: nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s34228 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+-- test case: --in-range=-s34228 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
 function circular(ctx, desync)
 	local function count_strategies(hrec)
 		if not hrec.ctstrategy then
@@ -377,7 +377,7 @@ function cond_random(desync)
 	return math.random(0,99)<(tonumber(desync.arg.percent) or 50)
 end
 -- this iif function detects packets having 'arg.pattern' string in their payload
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --lua-desync=condition:iff=cond_payload_str:pattern=1234 --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
+-- test case : --lua-desync=condition:iff=cond_payload_str:pattern=1234 --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
 -- test case (true)  : echo aaz1234zzz | ncat -4u 1.1.1.1 443
 -- test case (false) : echo aaze124zzz | ncat -4u 1.1.1.1 443
 function cond_payload_str(desync)
@@ -399,7 +399,7 @@ end
 -- for example, this can be used by custom protocol detectors
 -- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
 -- arg: neg - invert condition function result
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --lua-desync=condition:iff=cond_random --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
+-- test case : --lua-desync=condition:iff=cond_random --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
 function condition(ctx, desync)
 	require_iff(desync, "condition")
 	orchestrate(ctx, desync)
@@ -415,7 +415,7 @@ end
 -- can be used with other orchestrators to stop execution conditionally
 -- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
 -- arg: neg - invert condition function result
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s1 --lua-desync=circular --lua-desync=stopif:iff=cond_random:strategy=1 --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+-- test case : --in-range=-s1 --lua-desync=circular --lua-desync=stopif:iff=cond_random:strategy=1 --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
 function stopif(ctx, desync)
 	require_iff(desync, "stopif")
 	orchestrate(ctx, desync)
@@ -427,3 +427,61 @@ function stopif(ctx, desync)
 		DLOG("stopif: false")
 	end
 end
+
+-- repeat following 'instances' 'repeats' times, execute others with no tampering
+-- arg: instances - number of following instances to be repeated. 1 by default
+-- arg: repeats - number of repeats
+-- arg: iff - condition function to continue execution. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
+-- arg: neg - invert condition function result
+-- arg: stop - do not replay remaining execution plan after 'instances'
+-- arg: clear - clear execution plan after 'instances'
+-- test case : --lua-desync=repeater:repeats=2:instances=2 --lua-desync=argdebug:v=1 --lua-desync=argdebug:v=2 --lua-desync=argdebug:v=3
+function repeater(ctx, desync)
+	local repeats = tonumber(desync.arg.repeats)
+	if not repeats then
+		error("repeat: missing 'repeats'")
+	end
+	local iff = desync.arg.iff or "cond_true"
+	if type(_G[iff])~="function" then
+		error(name..": invalid 'iff' function '"..iff.."'")
+	end
+	orchestrate(ctx, desync)
+	local neg = desync.arg.neg
+	local stop = desync.arg.stop
+	local clear = desync.arg.clear
+	local verdict = VERDICT_PASS
+	local instances = tonumber(desync.arg.instances) or 1
+	local repinst = desync.func_instance
+	if instances>#desync.plan then
+		instances = #desync.plan
+	end
+	-- save plan copy
+	local plancopy = deepcopy(desync.plan)
+	for r=1,repeats do
+		if not logical_xor(_G[iff](desync), neg) then
+			DLOG("repeater: break by iff")
+			break
+		end
+		DLOG("repeater: "..repinst.." "..r.."/"..repeats)
+		-- nested orchestrators can also pop
+		local ct_end = #desync.plan - instances
+		repeat
+			local instance = plan_instance_pop(desync)
+			verdict = plan_instance_execute(desync, verdict, instance)
+		until #desync.plan <= ct_end
+		-- rollback desync plan
+		desync.plan = deepcopy(plancopy)
+	end
+	-- remove repeated instances from desync plan
+	for i=1,instances do
+		table.remove(desync.plan,1)
+	end
+	if clear then
+		plan_clear(desync)
+		return verdict
+	elseif stop then
+		return verdict
+	end
+	-- replay the rest
+	return verdict_aggregate(verdict, replay_execution_plan(desync))
+end

lua/zapret-lib.lua

@@ -76,7 +76,7 @@ end
 -- arg: pattern - substring for search inside reasm_data or desync.dis.payload
 -- arg: payload - set desync.l7payload to this if detected
 -- arg: undetected - set desync.l7payload to this if not detected
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-antidpi.lua --lua-init=@zapret-auto.lua --lua-desync=detect_payload_str:pattern=1234:payload=my --lua-desync=fake:blob=0x1234:payload=my
+-- test case : --lua-desync=detect_payload_str:pattern=1234:payload=my --lua-desync=fake:blob=0x1234:payload=my
 function detect_payload_str(ctx, desync)
 	if not desync.arg.pattern then
 		error("detect_payload_str: missing 'pattern'")
@@ -190,7 +190,7 @@ function plan_instance_execute(desync, verdict, instance)
 	return verdict
 end
 function plan_instance_pop(desync)
-	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1)
+	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1) or nil
 end
 function plan_clear(desync)
 	while table.remove(desync.plan) do end
@@ -227,7 +227,7 @@ function replay_execution_plan(desync)
 end
 -- this function demonstrates how to stop execution of upcoming desync instances and take over their job
 -- this can be used, for example, for orchestrating conditional processing without modifying of desync functions code
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-desync=desync_orchestrator_example --lua-desync=pass --lua-desync=pass
+-- test case : --lua-desync=desync_orchestrator_example --lua-desync=pass --lua-desync=pass
 function desync_orchestrator_example(ctx, desync)
 	DLOG("orchestrator: taking over upcoming desync instances")
 	orchestrate(ctx, desync)

lua/zapret-pcap.lua

@@ -16,7 +16,7 @@ function pcap_write(file, raw)
 	pcap_write_packet(file, raw)
 end
 
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-pcap.lua --writeable=zdir --in-range=a --lua-desync=pcap:file=test.pcap
+-- test case : --writeable=zdir --in-range=a --lua-desync=pcap:file=test.pcap
 -- arg : file=<filename> - file for storing pcap data. if --writeable is specified and filename is relative - append filename to writeable path
 -- arg : keep - do not overwrite file, append packets to existing
 function pcap(ctx, desync)

lua/zapret-wgobfs.lua

@@ -1,4 +1,4 @@
--- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-wgobfs.lua --in-range=a --out-range=a --lua-desync=wgobfs:secret=mycoolpassword
+-- test case : --in-range=a --out-range=a --lua-desync=wgobfs:secret=mycoolpassword
 -- encrypt standard wireguard messages - initiation, response, cookie - and change udp packet size
 -- do not encrypt data messages and keepalives
 -- wgobfs adds maximum of 30+padmax bytes to udp size

nfq2/darkmagic.c

@@ -743,11 +743,11 @@ BOOL JobSandbox()
 
 
 #define WINDIVERT_DEVICE_NAME "WinDivert"
-static bool b_isandbox_set = false;
+static bool b_sandbox_set = false;
 bool win_sandbox(void)
 {
 	// there's no way to return privs
-	if (!b_isandbox_set)
+	if (!b_sandbox_set)
 	{
 		if (!RemoveTokenPrivs())
 			return FALSE;
@@ -759,8 +759,7 @@ bool win_sandbox(void)
 			return false;
 		if (!JobSandbox())
 			return false;
-		// for LUA code to find where to store files
-		b_isandbox_set = true;
+		b_sandbox_set = true;
 	}
 	return true;
 }

nfq2/desync.c

@@ -415,7 +415,8 @@ static bool reasm_start(t_ctrack *ctrack, t_reassemble *reasm, uint8_t proto, ui
 static bool reasm_client_start(t_ctrack *ctrack, uint8_t proto, size_t sz, size_t szMax, const uint8_t *data_payload, size_t len_payload)
 {
 	if (!ctrack) return false;
-	if (proto==IPPROTO_TCP && ctrack->pos.server.winsize_calc < sz)
+	// if winsize_calc==0 it means we dont know server window size - no incoming packets redirected ?
+	if (proto==IPPROTO_TCP && ctrack->pos.server.winsize_calc && (ctrack->pos.server.winsize_calc < sz))
 	{
 		// this is rare but possible situation
 		// server gave us too small tcp window
@@ -1321,7 +1322,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 		bool bDiscoveredL7;
 		if (ctrack_replay)
 		{
-			if (bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN)
+			if ((bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN))
 				ctrack_replay->l7proto_discovered = true;
 		}
 		else

nfq2/nfqws.c

@@ -1812,6 +1812,7 @@ int main(int argc, char **argv)
 						fprintf(stderr, "cannot create %s\n", params.debug_logfile);
 						exit_clean(1);
 					}
+					fclose(F);
 					params.debug = true;
 					params.debug_target = LOG_TARGET_FILE;
 				}