ForkMaster/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-09-22 09:42:51 +05:00
Code Issues Actions Packages Projects Releases Wiki Activity

blockcheck.sh : FreeBSD support

Browse Source
This commit is contained in:
bol-van 2021-12-12 16:03:07 +03:00
parent 8919cc321f
commit 28cfe87224
1 changed files with 157 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
blockcheck.sh
View File

@ -8,6 +8,7 @@ ZAPRET_BASE="$EXEDIR"
[ -n "$TPPORT" ] || TPPORT=993
[ -n "$TPWS_UID" ] || TPWS_UID=1
[ -n "$NFQWS" ] || NFQWS="$ZAPRET_BASE/nfq/nfqws"
[ -n "$DVTWS" ] || DVTWS="$ZAPRET_BASE/nfq/dvtws"
[ -n "$TPWS" ] || TPWS="$ZAPRET_BASE/tpws/tpws"
[ -n "$MDIG" ] || MDIG="$ZAPRET_BASE/mdig/mdig"
[ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000
@ -18,6 +19,9 @@ MAX_TTL=12
HDRTEMP=/tmp/zapret-hdr.txt
ECHON="echo -n"
IPFW_RULE_NUM=1
IPFW_DIVERT_PORT=59780
DNSCHECK_DNS="8.8.8.8 1.1.1.1 77.88.8.8"
DNSCHECK_DOM="pornhub.com putinhuylo.com rutracker.org nnmclub.to protonmail.com"
DNSCHECK_DIG1=/tmp/dig1.txt
@ -101,34 +105,90 @@ IPT_DEL()
{
$IPTABLES -C "$@" >/dev/null 2>/dev/null && $IPTABLES -D "$@"
}
IPFW_ADD()
{
ipfw -qf add $IPFW_RULE_NUM "$@"
}
IPFW_DEL()
{
ipfw -qf delete $IPFW_RULE_NUM
}
check_system()
{
echo \* checking system
local UNAME=$(uname)
[ "$UNAME" = "Linux" ] || {
echo $UNAME not supported
exitp 5
}
UNAME=$(uname)
case "$UNAME" in
Linux)
PKTWS="$NFQWS"
PKTWSD=nfqws
;;
FreeBSD)
PKTWS="$DVTWS"
PKTWSD=dvtws
;;
*)
echo $UNAME not supported
exitp 5
esac
}
freebsd_module_loaded()
{
# $1 - module name
kldstat | grep -q "${1}.ko"
}
freebsd_modules_loaded()
{
# $1,$2,$3, ... - module names
while [ -n "$1" ]; do
freebsd_module_loaded $1 || return 1
shift
done
return 0
}
check_prerequisites()
{
echo \* checking prerequisites
[ -x "$NFQWS" ] && [ -x "$TPWS" ] && [ -x "$MDIG" ] || {
echo $NFQWS or $TPWS or $MDIG is not available. run $ZAPRET_BASE/install_bin.sh
[ -x "$PKTWS" ] && [ -x "$TPWS" ] && [ -x "$MDIG" ] || {
echo $PKTWS or $TPWS or $MDIG is not available. run $ZAPRET_BASE/install_bin.sh
exitp 6
}
for prog in iptables ip6tables curl; do
local progs='curl'
case "$UNAME" in
Linux)
progs="$progs iptables ip6tables"
;;
FreeBSD)
progs="$progs ipfw"
freebsd_modules_loaded ipfw ipdivert || {
echo ipfw or ipdivert kernel module not loaded
exitp 6
}
;;
esac
for prog in $progs; do
exists $prog || {
echo $prog does not exist. please install
exitp 6
}
done
if exists nslookup; then
LOOKUP=nslookup
elif exists host; then
LOOKUP=host
else
echo nslookup or host does not exist. please install
exitp 6
fi
}
curl_supports_tls13()
@ -205,29 +265,68 @@ curl_test_https_tls13()
curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
}
nfqws_ipt_prepare()
pktws_ipt_prepare()
{
# $1 - port
IPT POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
case "$UNAME" in
Linux)
IPT POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
;;
FreeBSD)
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any to any 80,443 out not diverted not sockarg
;;
esac
}
nfqws_ipt_unprepare()
pktws_ipt_unprepare()
{
# $1 - port
IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
case "$UNAME" in
Linux)
IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
;;
FreeBSD)
IPFW_DEL
;;
esac
}
tpws_ipt_prepare()
{
# $1 - port
IPT OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT
case "$UNAME" in
Linux)
IPT OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT
;;
FreeBSD)
if [ "$IPV" = 4 ]; then
IPFW_ADD fwd 127.0.0.1,$TPPORT tcp from me to any 80,443 proto ip4 not uid $TPWS_UID
else
IPFW_ADD fwd ::1,$TPPORT tcp from me to any 80,443 proto ip6 not uid $TPWS_UID
fi
;;
esac
}
tpws_ipt_unprepare()
{
# $1 - port
IPT_DEL OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT
case "$UNAME" in
Linux)
IPT_DEL OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT
;;
FreeBSD)
IPFW_DEL
;;
esac
}
nfqws_start()
pktws_start()
{
"$NFQWS" --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null &
case "$UNAME" in
Linux)
"$NFQWS" --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null &
;;
FreeBSD)
"$DVTWS" --port=$IPFW_DIVERT_PORT "$@" >/dev/null &
;;
esac
PID=$!
}
tpws_start()
@ -286,15 +385,15 @@ tpws_curl_test()
echo - checking tpws $3 $4 $5 $6 $7 $8 $9
ws_curl_test tpws_start "$@"
}
nfqws_curl_test()
pktws_curl_test()
{
# $1 - test function
# $2 - domain
# $3,$4,$5, ... - nfqws params
echo - checking nfqws $3 $4 $5 $6 $7 $8 $9
ws_curl_test nfqws_start "$@"
# $3,$4,$5, ... - nfqws/dvtws params
echo - checking $PKTWSD $3 $4 $5 $6 $7 $8 $9
ws_curl_test pktws_start "$@"
}
nfqws_check_domain_bypass()
pktws_check_domain_bypass()
{
# $1 - test function
# $2 - encrypted test : 1/0
@ -304,35 +403,35 @@ nfqws_check_domain_bypass()
[ "$sec" = 0 ] && {
for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
pktws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
done
}
s="--dpi-desync=split2"
if nfqws_curl_test $1 $3 $s; then
if pktws_curl_test $1 $3 $s; then
strategy="${strategy:-$s}"
else
tests="$tests split fake,split2 fake,split"
[ "$sec" = 0 ] && {
s="$s --hostcase"
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
pktws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
}
for pos in 1 2 4 5 10 50 100; do
s="--dpi-desync=split2 --dpi-desync-split-pos=$pos"
if nfqws_curl_test $1 $3 $s; then
if pktws_curl_test $1 $3 $s; then
strategy="${strategy:-$s}"
break
else
[ "$sec" = 0 ] && {
s="$s --hostcase"
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
pktws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
}
fi
done
fi
s="--dpi-desync=disorder2"
if nfqws_curl_test $1 $3 $s; then
if pktws_curl_test $1 $3 $s; then
strategy="${strategy:-$s}"
else
tests="$tests disorder fake,disorder2 fake,disorder"
@ -343,7 +442,7 @@ nfqws_check_domain_bypass()
found=0
for ttl in $ttls; do
s="--dpi-desync=$desync --dpi-desync-ttl=$ttl"
nfqws_curl_test $1 $3 $s && {
pktws_curl_test $1 $3 $s && {
found=1
strategy="${strategy:-$s}"
break
@ -352,7 +451,7 @@ nfqws_check_domain_bypass()
[ "$sec" = 1 ] && [ "$found" = 0 ] && {
for ttl in $ttls; do
s="--dpi-desync=$desync --dpi-desync-ttl=$ttl --wssize 1:6"
nfqws_curl_test $1 $3 $s && {
pktws_curl_test $1 $3 $s && {
found=1
strategy="${strategy:-$s}"
break
@ -361,13 +460,13 @@ nfqws_check_domain_bypass()
}
for fooling in badsum md5sig badseq; do
s="--dpi-desync=$desync --dpi-desync-fooling=$fooling"
if nfqws_curl_test $1 $3 $s ; then
if pktws_curl_test $1 $3 $s ; then
strategy="${strategy:-$s}"
[ "$fooling" = "md5sig" ] && echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.'
else
[ "$sec" = 1 ] && {
s="$s --wssize 1:6"
nfqws_curl_test $1 $3 $s && {
pktws_curl_test $1 $3 $s && {
strategy="${strategy:-$s}"
[ "$fooling" = "md5sig" ] && echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.'
}
@ -378,12 +477,12 @@ nfqws_check_domain_bypass()
[ "$sec" = 1 ] && {
s="--wssize 1:6"
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
pktws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
}
echo
if [ -n "$strategy" ]; then
echo "!!!!! working strategy found : nfqws $strategy !!!!!"
echo "!!!!! working strategy found : $PKTWSD $strategy !!!!!"
return 0
else
echo 'working strategy not found'
@ -434,7 +533,7 @@ check_domain()
echo \* $1 $4
# in case was interrupted before
nfqws_ipt_unprepare $2
pktws_ipt_unprepare $2
tpws_ipt_unprepare $2
ws_kill
@ -457,13 +556,13 @@ check_domain()
echo
echo preparing nfqws redirection
nfqws_ipt_prepare $2
echo preparing $PKTWSD redirection
pktws_ipt_prepare $2
nfqws_check_domain_bypass $1 $3 $4
pktws_check_domain_bypass $1 $3 $4
echo clearing nfqws redirection
nfqws_ipt_unprepare $2
echo clearing $PKTWSD redirection
pktws_ipt_unprepare $2
}
check_domain_http()
{
@ -569,7 +668,7 @@ pingtest()
dnstest()
{
# $1 - dns server. empty for system resolver
nslookup w3.org $1 >/dev/null 2>/dev/null
"$LOOKUP" w3.org $1 >/dev/null 2>/dev/null
}
find_working_public_dns()
{
@ -581,12 +680,25 @@ find_working_public_dns()
done
return 1
}
lookup4()
{
# $1 - domain
# $2 - DNS
case "$LOOKUP" in
nslookup)
nslookup $1 $2 | sed -n '/Name:/,$p' | grep ^Address | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
;;
host)
host -t A $1 $2 | grep "has address" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
;;
esac
}
check_dns_spoof()
{
# $1 - domain
# $2 - public DNS
echo $1 | "$EXEDIR/mdig/mdig" --family=4 >"$DNSCHECK_DIG1"
nslookup $1 $2 | sed -n '/Name:/,$p' | grep ^Address | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' >"$DNSCHECK_DIG2"
echo $1 | "$MDIG" --family=4 >"$DNSCHECK_DIG1"
lookup4 $1 $2 >"$DNSCHECK_DIG2"
# check whether system resolver returns anything other than public DNS
grep -qvFf "$DNSCHECK_DIG2" "$DNSCHECK_DIG1"
}
@ -628,7 +740,7 @@ check_dns()
done
else
echo no working public DNS was found. looks like public DNS blocked.
for dom in $DNSCHECK_DOM; do echo $dom; done | "$EXEDIR/mdig/mdig" --threads=10 --family=4 >"$DNSCHECK_DIGS"
for dom in $DNSCHECK_DOM; do echo $dom; done | "$MDIG" --threads=10 --family=4 >"$DNSCHECK_DIGS"
fi
echo checking resolved IP uniqueness for : $DNSCHECK_DOM
@ -667,8 +779,8 @@ sigint()
[ -n "$IPV" ] && {
tpws_ipt_unprepare 80
tpws_ipt_unprepare 443
nfqws_ipt_unprepare 80
nfqws_ipt_unprepare 443
pktws_ipt_unprepare 80
pktws_ipt_unprepare 443
}
ws_kill
exitp 1