2021-12-08 17:20:44 +05:00
#!/bin/sh
EXEDIR = " $( dirname " $0 " ) "
EXEDIR = " $( cd " $EXEDIR " ; pwd ) "
ZAPRET_BASE = " $EXEDIR "
2022-02-15 19:15:36 +05:00
[ -f " $ZAPRET_BASE /config " ] && . " $ZAPRET_BASE /config "
. " $ZAPRET_BASE /common/base.sh "
. " $ZAPRET_BASE /common/dialog.sh "
. " $ZAPRET_BASE /common/elevate.sh "
. " $ZAPRET_BASE /common/fwtype.sh "
2021-12-08 17:20:44 +05:00
[ -n " $QNUM " ] || QNUM = 59780
2021-12-09 22:05:15 +05:00
[ -n " $TPPORT " ] || TPPORT = 993
2022-02-04 22:58:25 +05:00
[ -n " $TPWS_UID " ] || TPWS_UID = 1
[ -n " $TPWS_GID " ] || TPWS_GID = 3003
2021-12-08 17:20:44 +05:00
[ -n " $NFQWS " ] || NFQWS = " $ZAPRET_BASE /nfq/nfqws "
2021-12-12 18:03:07 +05:00
[ -n " $DVTWS " ] || DVTWS = " $ZAPRET_BASE /nfq/dvtws "
2021-12-09 22:05:15 +05:00
[ -n " $TPWS " ] || TPWS = " $ZAPRET_BASE /tpws/tpws "
2021-12-08 17:20:44 +05:00
[ -n " $MDIG " ] || MDIG = " $ZAPRET_BASE /mdig/mdig "
[ -n " $DESYNC_MARK " ] || DESYNC_MARK = 0x40000000
2021-12-13 12:38:00 +05:00
[ -n " $IPFW_RULE_NUM " ] || IPFW_RULE_NUM = 1
[ -n " $IPFW_DIVERT_PORT " ] || IPFW_DIVERT_PORT = 59780
2021-12-24 19:26:59 +05:00
[ -n " $DOMAINS " ] || DOMAINS = rutracker.org
2021-12-13 12:38:00 +05:00
[ -n " $CURL_MAX_TIME " ] || CURL_MAX_TIME = 5
[ -n " $MIN_TTL " ] || MIN_TTL = 1
[ -n " $MAX_TTL " ] || MAX_TTL = 12
2021-12-08 17:20:44 +05:00
HDRTEMP = /tmp/zapret-hdr.txt
ECHON = "echo -n"
2022-02-11 00:30:50 +05:00
NFT_TABLE = blockcheck
2022-01-10 12:44:00 +05:00
[ -n " $DNSCHECK_DNS " ] || DNSCHECK_DNS = "8.8.8.8 1.1.1.1 77.88.8.1"
[ -n " $DNSCHECK_DOM " ] || DNSCHECK_DOM = "pornhub.com putinhuylo.com rutracker.org nnmclub.to startmail.com"
2021-12-08 17:20:44 +05:00
DNSCHECK_DIG1 = /tmp/dig1.txt
DNSCHECK_DIG2 = /tmp/dig2.txt
DNSCHECK_DIGS = /tmp/digs.txt
killwait( )
{
# $1 - signal (-9, -2, ...)
# $2 - pid
kill $1 $2
# suppress job kill message
wait $2 2>/dev/null
}
exitp( )
{
local A
echo
echo press enter to continue
read A
exit $1
}
IPT( )
{
$IPTABLES -C " $@ " >/dev/null 2>/dev/null || $IPTABLES -I " $@ "
}
IPT_DEL( )
{
$IPTABLES -C " $@ " >/dev/null 2>/dev/null && $IPTABLES -D " $@ "
}
2021-12-12 18:03:07 +05:00
IPFW_ADD( )
{
ipfw -qf add $IPFW_RULE_NUM " $@ "
}
IPFW_DEL( )
{
2022-02-06 00:27:15 +05:00
ipfw -qf delete $IPFW_RULE_NUM 2>/dev/null
2021-12-12 18:03:07 +05:00
}
2022-01-04 02:11:10 +05:00
ipt6_has_raw( )
{
2022-01-11 02:28:44 +05:00
ip6tables -nL -t raw >/dev/null 2>/dev/null
}
2022-02-06 00:19:17 +05:00
ipt6_has_frag( )
{
ip6tables -A OUTPUT -m frag 2>/dev/null || return 1
ip6tables -D OUTPUT -m frag 2>/dev/null
}
2022-01-11 02:28:44 +05:00
ipt_has_nfq( )
{
# cannot just check /proc/net/ip_tables_targets because of iptables-nft or modules not loaded yet
2022-01-11 02:31:08 +05:00
local ipt
2022-01-11 02:28:44 +05:00
for ipt in iptables ip6tables; do
2022-01-11 02:31:08 +05:00
$ipt -A OUTPUT -t mangle -p 255 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || return 1
2022-01-11 02:28:44 +05:00
$ipt -D OUTPUT -t mangle -p 255 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null
done
return 0
2022-01-04 02:11:10 +05:00
}
2022-02-11 00:30:50 +05:00
nft_has_nfq( )
{
local res = 1
nft delete table ${ NFT_TABLE } _test 2>/dev/null
nft add table ${ NFT_TABLE } _test 2>/dev/null && {
nft add chain ${ NFT_TABLE } _test test
nft add rule ${ NFT_TABLE } _test test queue num $QNUM bypass 2>/dev/null && res = 0
nft delete table ${ NFT_TABLE } _test
}
return $res
}
2021-12-08 17:20:44 +05:00
check_system( )
{
echo \* checking system
2021-12-12 18:03:07 +05:00
UNAME = $( uname)
2022-01-10 12:44:00 +05:00
SUBSYS =
2022-02-11 12:24:35 +05:00
# can be passed FWTYPE=iptables to override default nftables preference
2021-12-12 18:03:07 +05:00
case " $UNAME " in
Linux)
PKTWS = " $NFQWS "
PKTWSD = nfqws
2022-02-15 19:15:36 +05:00
linux_fwtype
[ " $FWTYPE " = iptables -o " $FWTYPE " = nftables ] || {
echo firewall type $FWTYPE not supported in $UNAME
exitp 5
}
2021-12-12 18:03:07 +05:00
; ;
FreeBSD)
PKTWS = " $DVTWS "
PKTWSD = dvtws
2022-02-11 00:30:50 +05:00
FWTYPE = ipfw
2021-12-12 18:03:07 +05:00
; ;
*)
echo $UNAME not supported
exitp 5
esac
2022-01-10 12:44:00 +05:00
echo $UNAME ${ SUBSYS : +/ $SUBSYS } detected
2022-02-11 00:30:50 +05:00
echo firewall type is $FWTYPE
2021-12-12 18:03:07 +05:00
}
freebsd_module_loaded( )
{
# $1 - module name
2022-01-13 00:41:25 +05:00
kldstat -qm " ${ 1 } "
2021-12-12 18:03:07 +05:00
}
freebsd_modules_loaded( )
{
# $1,$2,$3, ... - module names
while [ -n " $1 " ] ; do
freebsd_module_loaded $1 || return 1
shift
done
return 0
2021-12-08 17:20:44 +05:00
}
check_prerequisites( )
{
echo \* checking prerequisites
2021-12-12 18:03:07 +05:00
[ -x " $PKTWS " ] && [ -x " $TPWS " ] && [ -x " $MDIG " ] || {
2021-12-13 01:34:04 +05:00
echo $PKTWS or $TPWS or $MDIG is not available. run \" $ZAPRET_BASE /install_bin.sh\" or make -C \" $ZAPRET_BASE \"
2021-12-08 17:20:44 +05:00
exitp 6
}
2022-01-11 02:46:32 +05:00
local prog progs = 'curl'
2021-12-12 18:03:07 +05:00
case " $UNAME " in
Linux)
2022-02-11 00:30:50 +05:00
case " $FWTYPE " in
iptables)
progs = " $progs iptables ip6tables "
ipt_has_nfq || {
echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
[ " $SUBSYS " = openwrt ] && echo 'OpenWRT : opkg update ; opkg install iptables-mod-nfqueue'
exitp 6
}
; ;
nftables)
nft_has_nfq || {
echo nftables queue support is not available. pls install modules.
[ " $SUBSYS " = openwrt ] && echo 'OpenWRT : opkg update ; opkg install kmod-nft-queue'
exitp 6
}
; ;
esac
2021-12-12 18:03:07 +05:00
; ;
FreeBSD)
progs = " $progs ipfw "
freebsd_modules_loaded ipfw ipdivert || {
echo ipfw or ipdivert kernel module not loaded
exitp 6
}
2021-12-13 01:34:04 +05:00
[ " $( sysctl -qn net.inet.ip.fw.enable) " = 0 -o " $( sysctl -qn net.inet6.ip6.fw.enable) " = 0 ] && {
echo ipfw is disabled. use : ipfw enable firewall
exitp 6
}
2021-12-12 18:03:07 +05:00
; ;
esac
for prog in $progs ; do
2021-12-08 17:20:44 +05:00
exists $prog || {
echo $prog does not exist. please install
exitp 6
}
done
2021-12-12 18:03:07 +05:00
if exists nslookup; then
LOOKUP = nslookup
elif exists host; then
LOOKUP = host
else
echo nslookup or host does not exist. please install
exitp 6
fi
2021-12-08 17:20:44 +05:00
}
2021-12-25 14:22:47 +05:00
curl_translate_code( )
{
# $1 - code
$ECHON $1
case $1 in
0) $ECHON ": ok"
; ;
1) $ECHON ": unsupported protocol"
; ;
2) $ECHON ": early initialization code failed"
; ;
3) $ECHON ": the URL was not properly formatted"
; ;
4) $ECHON ": feature not supported by libcurl"
; ;
5) $ECHON ": could not resolve proxy"
; ;
6) $ECHON ": could not resolve host"
; ;
7) $ECHON ": could not connect"
; ;
8) $ECHON ": invalid server reply"
; ;
9) $ECHON ": remote access denied"
; ;
27) $ECHON ": out of memory"
; ;
2021-12-25 14:41:57 +05:00
28) $ECHON ": operation timed out"
; ;
35) $ECHON ": SSL connect error"
; ;
2021-12-25 14:22:47 +05:00
esac
}
2021-12-10 13:18:25 +05:00
curl_supports_tls13( )
{
curl --tlsv1.3 -Is -o /dev/null http://$LOCALHOST_IPT :65535 2>/dev/null
# return code 2 = init failed. likely bad command line options
2021-12-11 13:27:37 +05:00
[ $? = 2 ] && return 1
# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
# this is online test because there's no other way to trigger library incompatibility case
2022-01-22 20:16:38 +05:00
curl --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://w3.org 2>/dev/null
2021-12-11 13:27:37 +05:00
[ $? != 4 ]
2021-12-10 13:18:25 +05:00
}
2021-12-11 13:52:53 +05:00
curl_supports_tlsmax( )
{
2022-02-02 12:41:39 +05:00
# supported only in OpenSSL and LibreSSL
curl --version | grep -Fq -e OpenSSL -e LibreSSL || return 1
2021-12-11 13:52:53 +05:00
# supported since curl 7.54
curl --tls-max 1.2 -Is -o /dev/null http://$LOCALHOST_IPT :65535 2>/dev/null
# return code 2 = init failed. likely bad command line options
[ $? != 2 ]
}
2021-12-08 17:20:44 +05:00
hdrfile_http_code( )
{
# $1 - hdr file
sed -nre '1,1 s/^HTTP\/1\.[0,1] ([0-9]+) .*$/\1/p' " $1 "
}
hdrfile_location( )
{
# $1 - hdr file
# some DPIs return CRLF line ending
2022-01-22 20:08:05 +05:00
tr -d '\015' <" $1 " | sed -nre 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[ ]*([^ ]*)[ ]*$/\1/p'
2021-12-08 17:20:44 +05:00
}
curl_test_http( )
{
# $1 - ip version : 4/6
# $2 - domain name
local code loc
curl -${ 1 } SsD " $HDRTEMP " --max-time $CURL_MAX_TIME $CURL_OPT " http:// $2 " -o /dev/null 2>& 1 || {
code = $?
rm -f " $HDRTEMP "
return $code
}
code = $( hdrfile_http_code " $HDRTEMP " )
[ " $code " = 301 -o " $code " = 302 -o " $code " = 307 -o " $code " = 308 ] && {
loc = $( hdrfile_location " $HDRTEMP " )
2021-12-08 19:11:00 +05:00
echo " $loc " | grep -qE " ^https?://.* $2 (/| $) " ||
echo " $loc " | grep -vqE '^https?://' || {
2022-01-25 16:10:33 +05:00
echo suspicious redirection $code to : $loc
2021-12-08 17:20:44 +05:00
rm -f " $HDRTEMP "
return 254
}
}
rm -f " $HDRTEMP "
return 0
}
2021-12-10 13:18:25 +05:00
curl_test_https_tls12( )
2021-12-08 17:20:44 +05:00
{
# $1 - ip version : 4/6
# $2 - domain name
2021-12-10 13:18:25 +05:00
# do not use tls 1.3 to make sure server certificate is not encrypted
2022-02-06 13:07:25 +05:00
curl -${ 1 } ISs --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 " https:// $2 " -o /dev/null 2>& 1
2021-12-10 13:18:25 +05:00
}
curl_test_https_tls13( )
{
# $1 - ip version : 4/6
# $2 - domain name
# force TLS1.3 mode
2022-02-06 13:05:45 +05:00
curl -${ 1 } ISs --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 " https:// $2 " -o /dev/null 2>& 1
2021-12-08 17:20:44 +05:00
}
2021-12-12 18:03:07 +05:00
pktws_ipt_prepare( )
2021-12-08 17:20:44 +05:00
{
# $1 - port
2022-02-11 00:30:50 +05:00
case " $FWTYPE " in
iptables)
2022-01-04 14:59:12 +05:00
# to avoid possible INVALID state drop
IPT INPUT -p tcp --sport $1 ! --syn -j ACCEPT
IPT OUTPUT -p tcp --dport $1 -m conntrack --ctstate INVALID -j ACCEPT
if [ " $IPV " = 6 -a -n " $IP6_DEFRAG_DISABLE " ] ; then
# the only way to reliable disable ipv6 defrag. works only in 4.16+ kernels
2022-02-05 19:58:56 +05:00
IPT OUTPUT -t raw -p tcp -m frag -j CT --notrack
2022-01-04 14:59:12 +05:00
elif [ " $IPV " = 4 ] ; then
# enable fragments
IPT OUTPUT -f -j ACCEPT
fi
IPT POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK /$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
2021-12-12 18:03:07 +05:00
; ;
2022-02-11 00:30:50 +05:00
nftables)
nft add table inet $NFT_TABLE
[ " $IPV " = 6 -a -n " $IP6_DEFRAG_DISABLE " ] && {
2022-02-15 19:15:36 +05:00
nft " add chain inet $NFT_TABLE predefrag { type filter hook output priority -402; } "
2022-02-11 00:30:50 +05:00
nft " add rule inet $NFT_TABLE predefrag meta nfproto ipv ${ IPV } exthdr frag exists notrack "
}
2022-02-15 19:15:36 +05:00
nft " add chain inet $NFT_TABLE premangle { type filter hook output priority -152; } "
2022-02-11 00:30:50 +05:00
nft " add rule inet $NFT_TABLE premangle meta nfproto ipv ${ IPV } tcp dport $1 mark and 0x40000000 != 0x40000000 queue num $QNUM bypass "
; ;
ipfw)
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any $1 proto ip${ IPV } out not diverted not sockarg
2021-12-12 18:03:07 +05:00
; ;
esac
2021-12-08 17:20:44 +05:00
}
2021-12-12 18:03:07 +05:00
pktws_ipt_unprepare( )
2021-12-08 17:20:44 +05:00
{
# $1 - port
2022-02-11 00:30:50 +05:00
case " $FWTYPE " in
iptables)
2021-12-12 18:03:07 +05:00
IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK /$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
2022-01-04 14:59:12 +05:00
IPT_DEL INPUT -p tcp --sport $1 ! --syn -j ACCEPT
IPT_DEL OUTPUT -p tcp --dport $1 -m conntrack --ctstate INVALID -j ACCEPT
if [ " $IPV " = 6 -a -n " $IP6_DEFRAG_DISABLE " ] ; then
2022-02-05 19:58:56 +05:00
IPT_DEL OUTPUT -t raw -p tcp -m frag -j CT --notrack
2022-01-04 14:59:12 +05:00
elif [ " $IPV " = 4 ] ; then
IPT_DEL OUTPUT -f -j ACCEPT
fi
2021-12-12 18:03:07 +05:00
; ;
2022-02-11 00:30:50 +05:00
nftables)
nft delete table inet $NFT_TABLE 2>/dev/null
; ;
ipfw)
2021-12-12 18:03:07 +05:00
IPFW_DEL
; ;
esac
2021-12-08 17:20:44 +05:00
}
2021-12-09 22:05:15 +05:00
tpws_ipt_prepare( )
{
# $1 - port
2022-02-11 00:30:50 +05:00
case " $FWTYPE " in
iptables)
2021-12-12 18:03:07 +05:00
IPT OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT :$TPPORT
; ;
2022-02-11 00:30:50 +05:00
nftables)
nft add table inet $NFT_TABLE
# -101 = pre dstnat
2022-02-15 19:15:36 +05:00
nft " add chain inet $NFT_TABLE output { type nat hook output priority -102; } "
2022-02-11 00:30:50 +05:00
nft " add rule inet $NFT_TABLE output tcp dport $1 skuid != $TPWS_UID dnat ip ${ IPVV } to $LOCALHOST_IPT : $TPPORT "
; ;
ipfw)
IPFW_ADD fwd $LOCALHOST ,$TPPORT tcp from me to any $1 proto ip${ IPV } not uid $TPWS_UID
2021-12-12 18:03:07 +05:00
; ;
esac
2021-12-09 22:05:15 +05:00
}
tpws_ipt_unprepare( )
{
# $1 - port
2022-02-11 00:30:50 +05:00
case " $FWTYPE " in
iptables)
2021-12-12 18:03:07 +05:00
IPT_DEL OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT :$TPPORT
; ;
2022-02-11 00:30:50 +05:00
nftables)
nft delete table inet $NFT_TABLE 2>/dev/null
; ;
ipfw)
2021-12-12 18:03:07 +05:00
IPFW_DEL
; ;
esac
}
pktws_start( )
{
case " $UNAME " in
Linux)
" $NFQWS " --dpi-desync-fwmark= $DESYNC_MARK --qnum= $QNUM " $@ " >/dev/null &
; ;
FreeBSD)
" $DVTWS " --port= $IPFW_DIVERT_PORT " $@ " >/dev/null &
; ;
esac
2021-12-09 22:13:38 +05:00
PID = $!
2021-12-08 17:20:44 +05:00
}
2021-12-09 22:05:15 +05:00
tpws_start( )
{
2022-02-04 22:58:25 +05:00
" $TPWS " --uid $TPWS_UID :$TPWS_GID --bind-addr= $LOCALHOST --port= $TPPORT " $@ " >/dev/null &
2021-12-09 22:13:38 +05:00
PID = $!
# give some time to initialize
sleep 1
2021-12-09 22:05:15 +05:00
}
2021-12-10 13:18:25 +05:00
ws_kill( )
{
[ -z " $PID " ] || {
killwait -9 $PID 2>/dev/null
PID =
}
}
2021-12-08 17:20:44 +05:00
curl_test( )
{
# $1 - test function
# $2 - domain
2021-12-22 14:31:45 +05:00
local code = 0 n = 0
while [ $n -lt $REPEATS ] ; do
n = $(( $n + 1 ))
[ $REPEATS -gt 1 ] && $ECHON " [attempt $n ] "
2022-01-04 14:59:12 +05:00
$1 " $IPV " $2 && {
2021-12-22 14:31:45 +05:00
[ $REPEATS -gt 1 ] && echo 'AVAILABLE'
continue
}
code = $?
done
2021-12-08 17:20:44 +05:00
if [ $code = 254 ] ; then
2021-12-22 14:31:45 +05:00
echo "UNAVAILABLE"
elif [ $code = 0 ] ; then
echo '!!!!! AVAILABLE !!!!!'
2021-12-08 17:20:44 +05:00
else
2021-12-22 14:31:45 +05:00
echo " UNAVAILABLE code= $code "
2021-12-08 17:20:44 +05:00
fi
return $code
}
2021-12-09 22:05:15 +05:00
ws_curl_test( )
2021-12-08 17:20:44 +05:00
{
2021-12-09 22:05:15 +05:00
# $1 - ws start function
# $2 - test function
# $3 - domain
# $4,$5,$6, ... - ws params
2021-12-09 22:13:38 +05:00
local code ws_start = $1 testf = $2 dom = $3
2021-12-09 22:05:15 +05:00
shift
2021-12-08 17:20:44 +05:00
shift
shift
2021-12-09 22:05:15 +05:00
$ws_start " $@ "
2021-12-08 17:20:44 +05:00
curl_test $testf $dom
code = $?
2021-12-10 13:18:25 +05:00
ws_kill
2021-12-08 17:20:44 +05:00
return $code
}
2021-12-09 22:05:15 +05:00
tpws_curl_test( )
{
# $1 - test function
# $2 - domain
# $3,$4,$5, ... - tpws params
echo - checking tpws $3 $4 $5 $6 $7 $8 $9
ws_curl_test tpws_start " $@ "
}
2021-12-12 18:03:07 +05:00
pktws_curl_test( )
2021-12-09 22:05:15 +05:00
{
# $1 - test function
# $2 - domain
2021-12-12 18:03:07 +05:00
# $3,$4,$5, ... - nfqws/dvtws params
echo - checking $PKTWSD $3 $4 $5 $6 $7 $8 $9
ws_curl_test pktws_start " $@ "
2021-12-09 22:05:15 +05:00
}
2021-12-23 21:12:09 +05:00
xxxws_curl_test_update( )
{
# $1 - xxx_curl_test function
# $2 - test function
# $3 - domain
# $4,$5,$6, ... - nfqws/dvtws params
local code xxxf = $1 testf = $2 dom = $3
shift
shift
shift
$xxxf $testf $dom " $@ "
code = $?
[ $code = 0 ] && strategy = " ${ strategy :- $@ } "
return $code
}
pktws_curl_test_update( )
{
xxxws_curl_test_update pktws_curl_test " $@ "
}
tpws_curl_test_update( )
{
xxxws_curl_test_update tpws_curl_test " $@ "
}
2021-12-25 14:22:47 +05:00
report_append( )
{
NREPORT = ${ NREPORT :- 0 }
eval REPORT_${ NREPORT } = \" $@ \"
NREPORT = $(( $NREPORT + 1 ))
}
report_print( )
{
local n = 0 s
NREPORT = ${ NREPORT :- 0 }
while [ $n -lt $NREPORT ] ; do
eval s = \" \$ { REPORT_$n } \"
echo $s
n = $(( $n + 1 ))
done
}
2021-12-24 21:24:01 +05:00
report_strategy( )
{
2021-12-25 14:22:47 +05:00
# $1 - test function
# $2 - domain
# $3 - daemon
2021-12-24 21:24:01 +05:00
echo
if [ -n " $strategy " ] ; then
2021-12-25 14:22:47 +05:00
echo " !!!!! $1 : working strategy found for ipv ${ IPV } $2 : $3 $strategy !!!!! "
2021-12-24 21:24:01 +05:00
echo
2021-12-25 14:22:47 +05:00
report_append " ipv ${ IPV } $2 $1 : $3 $strategy "
2021-12-24 21:24:01 +05:00
return 0
else
2021-12-25 14:22:47 +05:00
echo " $1 : $3 strategy for ipv ${ IPV } $2 not found "
2021-12-24 21:24:01 +05:00
echo
2021-12-25 14:22:47 +05:00
report_append " ipv ${ IPV } $2 $1 : $3 not working "
2021-12-24 21:24:01 +05:00
return 1
fi
}
2021-12-12 18:03:07 +05:00
pktws_check_domain_bypass( )
2021-12-08 17:20:44 +05:00
{
# $1 - test function
2021-12-09 18:38:02 +05:00
# $2 - encrypted test : 1/0
# $3 - domain
2022-02-01 22:35:52 +05:00
local strategy tests = 'fake' ttls s f e desync pos fooling frag sec = " $2 "
2021-12-08 17:20:44 +05:00
2021-12-09 18:38:02 +05:00
[ " $sec " = 0 ] && {
2021-12-09 22:05:15 +05:00
for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase' ; do
2021-12-23 21:12:09 +05:00
pktws_curl_test_update $1 $3 $s
2021-12-09 18:54:12 +05:00
done
2021-12-09 18:38:02 +05:00
}
2021-12-08 17:20:44 +05:00
2021-12-09 18:38:02 +05:00
s = "--dpi-desync=split2"
2022-02-09 12:16:28 +05:00
pktws_curl_test_update $1 $3 $s
[ " $? " != 0 -o " $FORCE " = 1 ] && {
2021-12-09 22:05:15 +05:00
tests = " $tests split fake,split2 fake,split "
2021-12-23 21:12:09 +05:00
[ " $sec " = 0 ] && pktws_curl_test_update $1 $3 $s --hostcase
2021-12-22 13:21:47 +05:00
for pos in 1 3 4 5 10 50 100; do
2021-12-09 22:05:15 +05:00
s = " --dpi-desync=split2 --dpi-desync-split-pos= $pos "
2021-12-23 21:12:09 +05:00
if pktws_curl_test_update $1 $3 $s ; then
2021-12-09 22:05:15 +05:00
break
2021-12-14 00:41:12 +05:00
elif [ " $sec " = 0 ] ; then
2021-12-23 21:12:09 +05:00
pktws_curl_test_update $1 $3 $s --hostcase
2021-12-09 22:05:15 +05:00
fi
done
2021-12-23 21:12:09 +05:00
}
2021-12-09 18:38:02 +05:00
2022-02-09 12:06:01 +05:00
pktws_curl_test_update $1 $3 --dpi-desync= disorder2
[ " $? " != 0 -o " $FORCE " = 1 ] && tests = " $tests disorder fake,disorder2 fake,disorder "
2021-12-08 17:20:44 +05:00
2021-12-08 18:30:21 +05:00
ttls = $( seq -s ' ' $MIN_TTL $MAX_TTL )
2021-12-13 19:01:50 +05:00
for e in '' '--wssize 1:6' ; do
[ -n " $e " ] && {
2021-12-23 21:12:09 +05:00
pktws_curl_test_update $1 $3 $e
2021-12-13 19:01:50 +05:00
for desync in split2 disorder2; do
2021-12-23 21:12:09 +05:00
pktws_curl_test_update $1 $3 --dpi-desync= $desync $e
2021-12-13 19:01:50 +05:00
done
}
for desync in $tests ; do
2021-12-23 21:12:09 +05:00
s = " --dpi-desync= $desync "
2021-12-09 18:38:02 +05:00
for ttl in $ttls ; do
2021-12-23 21:12:09 +05:00
pktws_curl_test_update $1 $3 $s --dpi-desync-ttl= $ttl $e && break
2021-12-09 18:38:02 +05:00
done
2022-02-01 22:35:52 +05:00
f = "badsum badseq md5sig"
[ " $IPV " = 6 ] && f = " $f hopbyhop hopbyhop2 "
for fooling in $f ; do
2021-12-23 21:12:09 +05:00
pktws_curl_test_update $1 $3 $s --dpi-desync-fooling= $fooling $e && [ " $fooling " = "md5sig" ] &&
echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.'
2021-12-13 19:01:50 +05:00
done
2021-12-09 18:50:31 +05:00
done
2022-02-02 17:18:35 +05:00
[ " $IPV " = 6 ] && {
2022-02-06 00:19:17 +05:00
f = "hopbyhop hopbyhop,split2 hopbyhop,disorder2 destopt destopt,split2 destopt,disorder2"
[ -n " $IP6_DEFRAG_DISABLE " ] && f = " $f ipfrag1 ipfrag1,split2 ipfrag1,disorder2 "
for desync in $f ; do
2022-02-02 17:18:35 +05:00
pktws_curl_test_update $1 $3 --dpi-desync= $desync $e
done
}
2021-12-13 19:01:50 +05:00
# do not do wssize test for http. it's useless
[ " $sec " = 1 ] || break
2021-12-08 17:20:44 +05:00
done
2022-01-04 00:17:39 +05:00
2022-01-04 14:59:12 +05:00
[ " $IPV " = 4 -o -n " $IP6_DEFRAG_DISABLE " ] && {
2022-01-04 02:11:10 +05:00
for frag in 24 32 40 64 80 104; do
2022-02-02 17:18:35 +05:00
tests = "ipfrag2"
2022-02-05 15:36:03 +05:00
[ " $IPV " = 6 ] && tests = " $tests hopbyhop,ipfrag2 destopt,ipfrag2 "
2022-02-02 17:18:35 +05:00
for desync in $tests ; do
pktws_curl_test_update $1 $3 --dpi-desync= $desync --dpi-desync-ipfrag-pos-tcp= $frag
done
2022-01-04 02:11:10 +05:00
done
}
2022-01-04 00:17:39 +05:00
2021-12-25 14:22:47 +05:00
report_strategy $1 $3 $PKTWSD
2021-12-08 17:20:44 +05:00
}
2021-12-09 22:05:15 +05:00
tpws_check_domain_bypass( )
{
# $1 - test function
# $2 - encrypted test : 1/0
# $3 - domain
2022-01-11 02:46:32 +05:00
local s pos strategy sec = " $2 "
2021-12-09 22:05:15 +05:00
if [ " $sec " = 0 ] ; then
for s in '--hostcase' '--hostspell=hoSt' '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' \
'--hostdot' '--hosttab' '--hostnospace' '--methodspace' '--methodeol' '--unixeol' \
'--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384' ; do
2021-12-23 21:12:09 +05:00
tpws_curl_test_update $1 $3 $s
2021-12-09 22:05:15 +05:00
done
else
for pos in 1 2 3 4 5 10 50 100; do
s = " --split-pos= $pos "
2021-12-23 21:12:09 +05:00
tpws_curl_test_update $1 $3 $s && break
2021-12-09 22:05:15 +05:00
done
fi
2021-12-25 14:22:47 +05:00
report_strategy $1 $3 tpws
2021-12-09 22:05:15 +05:00
}
2021-12-08 17:20:44 +05:00
check_domain( )
{
# $1 - test function
# $2 - port
2021-12-09 18:38:02 +05:00
# $3 - encrypted test : 1/0
# $4 - domain
2021-12-08 17:20:44 +05:00
2022-01-11 02:46:32 +05:00
local code c
2021-12-08 23:23:06 +05:00
2021-12-08 17:20:44 +05:00
echo
2021-12-24 19:26:59 +05:00
echo \* $1 ipv$IPV $4
2021-12-08 17:20:44 +05:00
# in case was interrupted before
2021-12-12 18:03:07 +05:00
pktws_ipt_unprepare $2
2021-12-09 22:22:28 +05:00
tpws_ipt_unprepare $2
2021-12-10 13:18:25 +05:00
ws_kill
2021-12-08 17:20:44 +05:00
echo "- checking without DPI bypass"
2021-12-25 14:22:47 +05:00
curl_test $1 $4 && {
report_append " ipv ${ IPV } $4 $1 : working without bypass "
2022-02-09 12:06:01 +05:00
[ " $FORCE " = 1 ] || return
2021-12-25 14:22:47 +05:00
}
2021-12-08 23:23:06 +05:00
code = $?
for c in 1 2 3 4 6 27 ; do
2021-12-25 14:22:47 +05:00
[ $code = $c ] && {
report_append " ipv ${ IPV } $4 $1 : test aborted, no reason to continue. curl code $( curl_translate_code $code ) "
return
}
2021-12-08 23:23:06 +05:00
done
2021-12-08 17:20:44 +05:00
2021-12-10 17:26:05 +05:00
echo
2021-12-09 22:05:15 +05:00
echo preparing tpws redirection
tpws_ipt_prepare $2
tpws_check_domain_bypass $1 $3 $4
echo clearing tpws redirection
tpws_ipt_unprepare $2
echo
2021-12-12 18:03:07 +05:00
echo preparing $PKTWSD redirection
pktws_ipt_prepare $2
2021-12-08 17:20:44 +05:00
2021-12-12 18:03:07 +05:00
pktws_check_domain_bypass $1 $3 $4
2021-12-08 17:20:44 +05:00
2021-12-12 18:03:07 +05:00
echo clearing $PKTWSD redirection
pktws_ipt_unprepare $2
2021-12-08 17:20:44 +05:00
}
check_domain_http( )
{
# $1 - domain
2021-12-09 18:38:02 +05:00
check_domain curl_test_http 80 0 $1
2021-12-08 17:20:44 +05:00
}
2021-12-10 13:18:25 +05:00
check_domain_https_tls12( )
{
# $1 - domain
check_domain curl_test_https_tls12 443 1 $1
}
check_domain_https_tls13( )
2021-12-08 17:20:44 +05:00
{
# $1 - domain
2021-12-10 13:18:25 +05:00
check_domain curl_test_https_tls13 443 1 $1
2021-12-08 17:20:44 +05:00
}
2021-12-09 22:22:28 +05:00
configure_ip_version( )
{
if [ " $IPV " = 6 ] ; then
2021-12-09 22:24:41 +05:00
LOCALHOST = ::1
2022-02-11 00:30:50 +05:00
LOCALHOST_IPT = [ ${ LOCALHOST } ]
IPVV = 6
2021-12-09 22:22:28 +05:00
else
IPTABLES = iptables
LOCALHOST = 127.0.0.1
2022-02-11 00:30:50 +05:00
LOCALHOST_IPT = $LOCALHOST
IPVV =
2021-12-09 22:22:28 +05:00
fi
2022-02-11 00:30:50 +05:00
IPTABLES = ip${ IPVV } tables
2021-12-09 22:22:28 +05:00
}
2021-12-11 13:52:53 +05:00
configure_curl_opt( )
{
TLSMAX12 =
TLSMAX13 =
curl_supports_tlsmax && {
TLSMAX12 = "--tls-max 1.2"
TLSMAX13 = "--tls-max 1.3"
}
TLS13 =
curl_supports_tls13 && TLS13 = 1
}
2021-12-09 22:22:28 +05:00
2022-02-11 00:30:50 +05:00
linux_ipv6_defrag_can_be_disabled( )
{
2022-02-15 19:15:36 +05:00
linux_min_version 4 16
2022-02-11 00:30:50 +05:00
}
2022-02-09 12:43:18 +05:00
configure_defrag( )
2022-02-09 12:06:01 +05:00
{
2022-02-11 00:30:50 +05:00
IP6_DEFRAG_DISABLE =
[ " $IPVS " = 4 ] && return
[ " $UNAME " = "Linux" ] && {
linux_ipv6_defrag_can_be_disabled || {
echo "WARNING ! ipv6 defrag can only be effectively disabled in linux kernel 4.16+"
echo "WARNING ! ipv6 ipfrag tests are disabled"
echo
return
}
}
case " $FWTYPE " in
iptables)
if ipt6_has_raw ; then
if ipt6_has_frag; then
IP6_DEFRAG_DISABLE = 1
2022-02-09 12:06:01 +05:00
else
2022-02-11 00:30:50 +05:00
echo "WARNING ! ip6tables does not have '-m frag' module, ipv6 ipfrag tests are disabled"
2022-02-09 12:06:01 +05:00
echo
fi
2022-02-11 00:30:50 +05:00
else
echo "WARNING ! ip6tables raw table is not available, ipv6 ipfrag tests are disabled"
echo
fi
[ -n " $IP6_DEFRAG_DISABLE " ] && {
local ipexe = " $( readlink -f $( whichq ip6tables) ) "
2022-02-15 19:15:36 +05:00
if contains " $ipexe " nft; then
2022-02-11 00:30:50 +05:00
echo " WARNING ! ipv6 ipfrag tests may have no effect if ip6tables-nft is used. current ip6tables point to : $ipexe "
else
echo "WARNING ! ipv6 ipfrag tests may have no effect if ip6table_raw kernel module is not loaded with parameter : raw_before_defrag=1"
fi
echo
2022-02-09 12:06:01 +05:00
}
; ;
*)
IP6_DEFRAG_DISABLE = 1
; ;
esac
}
2021-12-08 17:20:44 +05:00
ask_params( )
{
echo
echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN
2021-12-24 19:26:59 +05:00
echo
2021-12-08 17:20:44 +05:00
2021-12-24 19:26:59 +05:00
echo "specify domain(s) to test. multiple domains are space separated."
$ECHON " domain(s) (default: $DOMAINS ) : "
2021-12-08 17:20:44 +05:00
local dom
read dom
2021-12-24 19:26:59 +05:00
[ -n " $dom " ] && DOMAINS = " $dom "
2021-12-08 17:20:44 +05:00
2021-12-24 19:26:59 +05:00
$ECHON "ip protocol version(s) - 4, 6 or 46 for both (default: 4) : "
read IPVS
[ -n " $IPVS " ] || IPVS = 4
[ " $IPVS " = 4 -o " $IPVS " = 6 -o " $IPVS " = 46 ] || {
echo 'invalid ip version(s). should be 4, 6 or 46.'
2021-12-08 17:20:44 +05:00
exitp 1
}
2021-12-24 19:26:59 +05:00
[ " $IPVS " = 46 ] && IPVS = "4 6"
2021-12-11 13:52:53 +05:00
configure_curl_opt
2021-12-08 17:20:44 +05:00
ENABLE_HTTP = 1
ask_yes_no_var ENABLE_HTTP "check http"
2022-02-02 12:59:44 +05:00
[ -z " $TLSMAX12 " -a -n " $TLS13 " ] && echo "WARNING ! your curl version or TLS library does not support tls-max option. TLS 1.2 tests may use TLS 1.3+ protocols"
2021-12-11 14:08:05 +05:00
2021-12-10 13:18:25 +05:00
ENABLE_HTTPS_TLS12 = 1
ask_yes_no_var ENABLE_HTTPS_TLS12 "check https tls 1.2"
ENABLE_HTTPS_TLS13 = 0
2021-12-10 17:26:05 +05:00
echo
2021-12-11 13:52:53 +05:00
if [ -n " $TLS13 " ] ; then
2021-12-10 13:18:25 +05:00
echo "TLS 1.3 is the new standard for encrypted communications over TCP"
2021-12-10 17:16:02 +05:00
echo "its the most important feature for DPI bypass is encrypted TLS ServerHello"
2021-12-10 13:18:25 +05:00
echo "more and more sites enable TLS 1.3 but still there're many sites with only TLS 1.2 support"
2021-12-10 13:22:42 +05:00
echo "with TLS 1.3 more DPI bypass strategies can work but they may not apply to all sites"
2021-12-10 13:18:25 +05:00
echo "if a strategy works with TLS 1.2 it will also work with TLS 1.3"
echo "if nothing works with TLS 1.2 this test may find TLS1.3 only strategies"
2021-12-24 21:13:23 +05:00
echo " make sure that $DOMAINS support TLS 1.3 otherwise all test will return an error "
2021-12-10 13:18:25 +05:00
ask_yes_no_var ENABLE_HTTPS_TLS13 "check https tls 1.3"
else
echo "installed curl version does not support TLS 1.3 . tests disabled."
fi
2021-12-08 17:20:44 +05:00
IGNORE_CA = 0
CURL_OPT =
2021-12-10 13:18:25 +05:00
[ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ] && {
echo
2021-12-22 14:31:45 +05:00
echo "on limited systems like openwrt CA certificates might not be installed to preserve space"
echo "in such a case curl cannot verify server certificate and you should either install ca-bundle or disable verification"
echo "however disabling verification will break https check if ISP does MitM attack and substitutes server certificate"
2021-12-08 17:20:44 +05:00
ask_yes_no_var IGNORE_CA "do not verify server certificate"
[ " $IGNORE_CA " = 1 ] && CURL_OPT = -k
}
2021-12-22 14:31:45 +05:00
echo
echo "sometimes ISPs use multiple DPIs or load balancing. bypass strategies may work unstable."
$ECHON "how many times to repeat each test (default: 1) : "
read REPEATS
REPEATS = $(( 0 + ${ REPEATS :- 1 } ))
[ " $REPEATS " = 0 ] && {
echo invalid repeat count
exitp 1
}
2021-12-13 19:01:50 +05:00
echo
2022-02-09 12:06:01 +05:00
FORCE = 0
ask_yes_no_var FORCE "do all tests despite of result ?"
2022-01-04 02:11:10 +05:00
2022-02-09 12:06:01 +05:00
echo
2022-02-09 12:43:18 +05:00
configure_defrag
2021-12-08 17:20:44 +05:00
}
pingtest( )
{
ping -c 1 -W 1 $1 >/dev/null
}
dnstest( )
{
# $1 - dns server. empty for system resolver
2021-12-12 18:03:07 +05:00
" $LOOKUP " w3.org $1 >/dev/null 2>/dev/null
2021-12-08 17:20:44 +05:00
}
find_working_public_dns( )
{
2022-01-11 02:46:32 +05:00
local dns
2021-12-08 17:20:44 +05:00
for dns in $DNSCHECK_DNS ; do
pingtest $dns && dnstest $dns && {
PUBDNS = $dns
return 0
}
done
return 1
}
2021-12-12 18:03:07 +05:00
lookup4( )
{
# $1 - domain
# $2 - DNS
case " $LOOKUP " in
nslookup)
nslookup $1 $2 | sed -n '/Name:/,$p' | grep ^Address | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
; ;
host)
host -t A $1 $2 | grep "has address" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
; ;
esac
}
2021-12-08 17:20:44 +05:00
check_dns_spoof( )
{
# $1 - domain
# $2 - public DNS
2021-12-12 18:03:07 +05:00
echo $1 | " $MDIG " --family= 4 >" $DNSCHECK_DIG1 "
lookup4 $1 $2 >" $DNSCHECK_DIG2 "
2021-12-08 17:20:44 +05:00
# check whether system resolver returns anything other than public DNS
grep -qvFf " $DNSCHECK_DIG2 " " $DNSCHECK_DIG1 "
}
check_dns_cleanup( )
{
rm -f " $DNSCHECK_DIG1 " " $DNSCHECK_DIG2 " " $DNSCHECK_DIGS " 2>/dev/null
}
check_dns( )
{
2022-01-11 02:46:32 +05:00
local C1 C2 dom
2021-12-08 17:20:44 +05:00
echo \* checking DNS
[ -f " $DNSCHECK_DIGS " ] && rm -f " $DNSCHECK_DIGS "
dnstest || {
echo -- DNS is not working. It's either misconfigured or blocked or you don' t have inet access.
return 1
}
echo system DNS is working
if find_working_public_dns ; then
echo comparing system resolver to public DNS : $PUBDNS
for dom in $DNSCHECK_DOM ; do
if check_dns_spoof $dom $PUBDNS ; then
echo $dom : MISMATCH
echo -- system resolver :
cat " $DNSCHECK_DIG1 "
echo -- $PUBDNS :
cat " $DNSCHECK_DIG2 "
check_dns_cleanup
echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
echo -- DNS CHANGE OR DNSCRYPT MAY BE REQUIRED
return 1
else
echo $dom : OK
cat " $DNSCHECK_DIG1 " >>" $DNSCHECK_DIGS "
fi
done
else
echo no working public DNS was found. looks like public DNS blocked.
2021-12-12 18:03:07 +05:00
for dom in $DNSCHECK_DOM ; do echo $dom ; done | " $MDIG " --threads= 10 --family= 4 >" $DNSCHECK_DIGS "
2021-12-08 17:20:44 +05:00
fi
echo checking resolved IP uniqueness for : $DNSCHECK_DOM
echo censor\' s DNS can return equal result for multiple blocked domains.
C1 = $( wc -l <" $DNSCHECK_DIGS " )
C2 = $( sort -u " $DNSCHECK_DIGS " | wc -l)
[ " $C1 " -eq 0 ] &&
{
echo -- DNS is not working. It's either misconfigured or blocked or you don' t have inet access.
check_dns_cleanup
return 1
}
[ " $C1 " = " $C2 " ] ||
{
echo system dns resolver has returned equal IPs for some domains checked above \( $C1 total, $C2 unique\)
echo non-unique IPs :
sort " $DNSCHECK_DIGS " | uniq -d
echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
echo -- DNSCRYPT MAY BE REQUIRED
check_dns_cleanup
return 1
}
echo all resolved IPs are unique
echo -- DNS looks good
echo -- NOTE this check is Russia targeted. In your country other domains may be blocked.
check_dns_cleanup
return 0
}
2021-12-24 15:19:52 +05:00
unprepare_all( )
2021-12-08 17:20:44 +05:00
{
2021-12-24 15:21:08 +05:00
# make sure we are not in a middle state that impacts connectivity
2021-12-24 19:32:35 +05:00
rm -f " $HDRTEMP "
2021-12-09 22:22:28 +05:00
[ -n " $IPV " ] && {
tpws_ipt_unprepare 80
tpws_ipt_unprepare 443
2021-12-12 18:03:07 +05:00
pktws_ipt_unprepare 80
pktws_ipt_unprepare 443
2021-12-09 22:22:28 +05:00
}
2021-12-10 13:18:25 +05:00
ws_kill
2021-12-24 15:19:52 +05:00
}
sigint( )
{
echo
echo terminating...
unprepare_all
2021-12-08 19:18:14 +05:00
exitp 1
2021-12-08 17:20:44 +05:00
}
2021-12-24 15:19:52 +05:00
sigpipe( )
{
# must not write anything here to stdout
unprepare_all
exit 1
}
2021-12-08 17:20:44 +05:00
2021-12-25 14:22:47 +05:00
2021-12-08 17:20:44 +05:00
check_system
check_prerequisites
require_root
check_dns
ask_params
2021-12-10 13:18:25 +05:00
PID =
2021-12-25 14:22:47 +05:00
NREPORT =
2021-12-24 15:19:52 +05:00
trap sigint INT
trap sigpipe PIPE
2021-12-24 19:26:59 +05:00
for dom in $DOMAINS ; do
for IPV in $IPVS ; do
configure_ip_version
[ " $ENABLE_HTTP " = 1 ] && check_domain_http $dom
[ " $ENABLE_HTTPS_TLS12 " = 1 ] && check_domain_https_tls12 $dom
[ " $ENABLE_HTTPS_TLS13 " = 1 ] && check_domain_https_tls13 $dom
done
done
2021-12-24 15:19:52 +05:00
trap - PIPE
trap - INT
2021-12-08 23:12:41 +05:00
2021-12-25 14:22:47 +05:00
echo
echo \* SUMMARY
report_print
2021-12-08 23:12:41 +05:00
exitp 0