diff --git a/common/ipt.sh b/common/ipt.sh index 9790e7a..0976795 100644 --- a/common/ipt.sh +++ b/common/ipt.sh @@ -60,6 +60,13 @@ filter_apply_port_target() fi eval $1="\"\$$1 $f\"" } +filter_apply_port_target_quic() +{ + # $1 - var name of nftables filter + local f + f="-p udp --dport 443" + eval $1="\"\$$1 $f\"" +} filter_apply_ipset_target4() { # $1 - var name of ipv4 iptables filter @@ -303,6 +310,22 @@ zapret_do_firewall_rules_ipt() fw_nfqws_post6 $1 "$f6 $desync" $qns6 fi fi + + get_nfqws_qnums_quic qn qn6 + if [ -n "$qn" ]; then + f4= + filter_apply_port_target_quic f4 + f4="$f4 $first_packet_only" + filter_apply_ipset_target4 f4 + fw_nfqws_post4 $1 "$f4 $desync" $qn + fi + if [ -n "$qn6" ]; then + f6= + filter_apply_port_target_quic f6 + f6="$f6 $first_packet_only" + filter_apply_ipset_target6 f6 + fw_nfqws_post6 $1 "$f6 $desync" $qn6 + fi ;; custom) existf zapret_custom_firewall && zapret_custom_firewall $1 diff --git a/common/nft.sh b/common/nft.sh index 0fc44c6..f5df02b 100644 --- a/common/nft.sh +++ b/common/nft.sh @@ -270,6 +270,13 @@ nft_filter_apply_port_target() fi eval $1="\"\$$1 $f\"" } +nft_filter_apply_port_target_quic() +{ + # $1 - var name of nftables filter + local f + f="udp dport 443" + eval $1="\"\$$1 $f\"" +} nft_filter_apply_ipset_target4() { # $1 - var name of ipv4 nftables filter @@ -532,6 +539,22 @@ zapret_apply_firewall_rules_nft() nft_fw_nfqws_post6 "$f6 $desync" $qns6 fi fi + + get_nfqws_qnums_quic qn qn6 + if [ -n "$qn" ]; then + f4= + nft_filter_apply_port_target_quic f4 + f4="$f4 $first_packet_only" + nft_filter_apply_ipset_target4 f4 + nft_fw_nfqws_post4 "$f4 $desync" $qn + fi + if [ -n "$qn6" ]; then + f6= + nft_filter_apply_port_target_quic f6 + f6="$f6 $first_packet_only" + nft_filter_apply_ipset_target6 f6 + nft_fw_nfqws_post6 "$f6 $desync" $qn6 + fi ;; custom) existf zapret_custom_firewall_nft && zapret_custom_firewall_nft diff --git a/common/queue.sh b/common/queue.sh index b66216e..7d7fc52 100644 --- a/common/queue.sh 
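Review bot: The header comment of the new `filter_apply_port_target_quic` reads `# $1 - var name of nftables filter`, yet this is the iptables helper in common/ipt.sh and the sibling `filter_apply_ipset_target4` right below describes its argument as an iptables filter, so the line looks copied from the nft.sh counterpart. Change it to `# $1 - var name of iptables filter`. Everything else in the function mirrors the existing `eval $1="\"\$$1 $f\""` idiom of the file, so no behavioural concern here.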
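Review bot: The new QUIC block in `zapret_do_firewall_rules_ipt` is gated only on `qn`/`qn6` being non-empty, and nothing at this site says that emptiness is how `MODE_QUIC` is honoured; that happens inside `get_nfqws_qnums_quic` in common/queue.sh, which clears both names unless `MODE_QUIC` is 1. Add `# qn/qn6 are empty unless MODE_QUIC=1, see get_nfqws_qnums_quic` above the call so the rules are not mistaken for unconditional udp/443 matches. The same note belongs in the parallel block added to `zapret_apply_firewall_rules_nft` in common/nft.sh. `$first_packet_only` is defined above this hunk and was so far only appended to the tcp http/https rules; whether it is a match that behaves as intended on UDP flows I cannot tell from here and is worth confirming.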
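Review bot: `nft_filter_apply_port_target_quic` hard-codes `udp dport 443`, and the iptables counterpart `filter_apply_port_target_quic` in common/ipt.sh hard-codes the same port independently, so a change to the matched port must be made in two files with no cross-reference between them. At minimum add `# QUIC is matched on udp/443 only; must agree with filter_apply_port_target_quic in ipt.sh` above the assignment. Stylistically `local f` followed by `f="udp dport 443"` can be the single line `local f="udp dport 443"`, since the value is a literal and no command status is masked by combining them.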
+++ b/common/queue.sh @@ -43,3 +43,29 @@ get_nfqws_qnums() eval $4= fi } + +get_nfqws_qnums_quic() +{ + # $1 - var name for ipv4 quic + # $2 - var name for ipv6 quic + local _qn _qn6 + + [ "$DISABLE_IPV4" = "1" ] || { + _qn=$(($QNUM+10)) + } + [ "$DISABLE_IPV6" = "1" ] || { + _qn6=$(($QNUM+11)) + [ "$DISABLE_IPV4" = "1" ] || { + if [ "$NFQWS_OPT_DESYNC_QUIC" = "$NFQWS_OPT_DESYNC_QUIC6" ]; then + _qn6=$_qn; + fi + } + } + if [ "$MODE_QUIC" = 1 ]; then + eval $1=$_qn + eval $2=$_qn6 + else + eval $1= + eval $2= + fi +} diff --git a/config b/config index 1eb3dd1..18a759b 100644 --- a/config +++ b/config @@ -45,6 +45,8 @@ MODE_HTTP=1 MODE_HTTP_KEEPALIVE=0 # apply fooling to https MODE_HTTPS=1 +# apply fooling to quic +MODE_QUIC=0 # none,ipset,hostlist MODE_FILTER=none @@ -55,6 +57,8 @@ NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi #NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum" #NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none" #NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none" +NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" +#NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop" # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3" diff --git a/docs/changes.txt b/docs/changes.txt index 02202ee..a9c5537 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -233,3 +233,7 @@ v48 nfqws, tpws : multiple --hostlist and --hostlist-exclude support launch system, ipset : no more list merging. all lists are passed separately to nfqws and tpws nfqws : udplen fooling supports packet shrinking (negative increment value) + +v49 + +QUIC support integrated to the main system and setup diff --git a/docs/manual_setup.txt b/docs/manual_setup.txt index d804bfd..3cd43bd 100644 --- a/docs/manual_setup.txt +++ b/docs/manual_setup.txt 
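Review bot: `get_nfqws_qnums_quic` introduces the magic offsets `$QNUM+10` and `$QNUM+11`, and the same two offsets are repeated by hand in the `list_nfqws_rules` regex in init.d/openwrt/functions; nothing ties the two places together. Add `# QUIC queues are QNUM+10 (ipv4) and QNUM+11 (ipv6); list_nfqws_rules in init.d/openwrt/functions must list the same offsets` above the assignments. The collapse `_qn6=$_qn` when the two desync option strings are equal deserves its own one-liner, `# identical options: one queue and one nfqws serve both ip versions`, because the daemon start code relies on it. The trailing `;` in `_qn6=$_qn;` is unnecessary and inconsistent with the rest of the function.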
@@ -152,12 +152,15 @@ opkg update opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra ipset curl (ipv6) opkg install ip6tables-mod-nat () opkg install gzip +() opkg install grep () opkg install coreutils-sort : gzip busybox . gzip . sort busybox . sort . +grep busybox -f. get_reestr_combined.sh. + , gnu grep iptables-mod-nfqueue , nfqws curl , ip get_user.sh diff --git a/docs/readme.eng.md b/docs/readme.eng.md index 4883683..1d3a19f 100644 --- a/docs/readme.eng.md +++ b/docs/readme.eng.md @@ -731,6 +731,10 @@ Enable https fooling : `MODE_HTTPS=1` +Enable quic fooling : + +`MODE_QUIC=1` + Host filtering mode : ``` none - apply fooling to all hosts @@ -767,6 +771,16 @@ It means if only `NFQWS_OPT_DESYNC` is defined all four take its value. If a variable is not defined, the value `NFQWS_OPT_DESYNC` is taken. +Separate QUIC options for ip protocol versions : + +``` +NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" +NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop" +``` + +If `NFQWS_OPT_DESYNC_QUIC6` is not specified `NFQWS_OPT_DESYNC_QUIC` is taken. + + flow offloading control (OpenWRT only) ``` diff --git a/docs/readme.txt b/docs/readme.txt index 71c7766..fb4ef67 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -1,4 +1,4 @@ -zapret v.48 +zapret v.49 English ------- @@ -926,6 +926,10 @@ MODE_HTTP_KEEPALIVE=0 MODE_HTTPS=1 +Применять ли дурение к QUIC : + +MODE_QUIC=0 + Режим фильтрации хостов : none - применять дурение ко всем хостам ipset - ограничить дурение ipset-ом zapret/zapret6 
@@ -954,6 +958,11 @@ NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dp Если какая-то из переменных NFQWS_OPT_DESYNC_HTTP6/NFQWS_OPT_DESYNC_HTTPS6 не определена, берется значение NFQWS_OPT_DESYNC_HTTP/NFQWS_OPT_DESYNC_HTTPS. +Опции дурения для QUIC : +NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" +NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop" +Если NFQWS_OPT_DESYNC_QUIC6 не задано, то берется NFQWS_OPT_DESYNC_QUIC. + Настройка системы управления выборочным traffic offload (только openwrt) donttouch : выборочное управление отключено, используется системная настройка, простой инсталятор выключает системную настройку, если она не совместима с выбранным режимом none : выборочное управление отключено, простой инсталятор выключает системную настройку diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions index 115d092..2ce3529 100644 --- a/init.d/openwrt/functions +++ b/init.d/openwrt/functions @@ -34,6 +34,7 @@ NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}" NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}" NFQWS_OPT_DESYNC_HTTP6="${NFQWS_OPT_DESYNC_HTTP6:-$NFQWS_OPT_DESYNC_HTTP}" NFQWS_OPT_DESYNC_HTTPS6="${NFQWS_OPT_DESYNC_HTTPS6:-$NFQWS_OPT_DESYNC_HTTPS}" +NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}" 
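Review bot: The new default `NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}"` is what lets `get_nfqws_qnums_quic` fold the ipv6 queue onto the ipv4 one when the two option sets are equal, and what guarantees the ipv6 daemon started in `start_daemons_procd` gets non-empty options. I only see this line added to init.d/openwrt/functions; if init.d/sysv/functions does not already carry the same fallback (it is not in the diff), the sysv path would start a separate ipv6 nfqws with an empty `$NFQWS_OPT_DESYNC_QUIC6`. Please confirm the sysv side mirrors this line.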
@@ -142,7 +143,7 @@ list_nfqws_rules() { # $1 = '' for ipv4, '6' for ipv6 ip$1tables -S POSTROUTING -t mangle | \ - grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass" | \ + grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \ sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//" } reverse_nfqws_rule() diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index ecf12ba..62e086c 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret @@ -152,6 +152,17 @@ start_daemons_procd() filter_apply_hostlist_target opt run_daemon 4 "$NFQWS" "$opt" } + get_nfqws_qnums_quic qn qn6 + [ -z "$qn" ] || { + opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" + filter_apply_hostlist_target opt + run_daemon 10 "$NFQWS" "$opt" + } + [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || { + opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6" + filter_apply_hostlist_target opt + run_daemon 11 "$NFQWS" "$opt" + } ;; custom) existf zapret_custom_daemons && zapret_custom_daemons $1 diff --git a/init.d/sysv/functions b/init.d/sysv/functions index e509c9f..9382c45 100644 --- a/init.d/sysv/functions +++ b/init.d/sysv/functions 
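Review bot: The `grep -E` alternation in `list_nfqws_rules` now spells out six queue numbers by hand on one very long line, and the new `+10`/`+11` offsets must stay identical to the ones assigned in `get_nfqws_qnums_quic` in common/queue.sh. Building the pattern from a list of offsets keeps that knowledge in one visible place per file and makes the line reviewable; the function's name line sits just above this hunk as header context and only its body changes. The pattern is assembled with `${re:+$re|}` so it stays plain POSIX sh.
```shell
	# $1 = '' for ipv4, '6' for ipv6
	local n re=
	# queue offsets used by get_nfqws_qnums / get_nfqws_qnums_quic (common/queue.sh)
	for n in 0 1 2 3 10 11; do
		re="${re:+$re|}NFQUEUE --queue-num $(($QNUM+n)) --queue-bypass"
	done
	ip$1tables -S POSTROUTING -t mangle | \
	grep -E "$re" | \
	# … unchanged: sed rewrite of the rule and DESYNC_MARK strip …
```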
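Review bot: In `start_daemons_procd` the ipv6 QUIC daemon is skipped when `[ "$qn6" = "$qn" ]`, which is only correct because `get_nfqws_qnums_quic` hands out the same queue number when `NFQWS_OPT_DESYNC_QUIC` and `NFQWS_OPT_DESYNC_QUIC6` are equal, so the ipv4 daemon's options already serve both; that reasoning is invisible at this site. Add `# qn6 == qn means identical desync options: the nfqws on $qn serves both ip versions` before the second guard. The identical block added to `zapret_do_daemons` in init.d/sysv/functions needs the same comment. The daemon indices `10`/`11` passed to `run_daemon` happen to equal the queue offsets but are a separate numbering; I cannot tell from the hunk whether they are free elsewhere, so that is worth a quick check.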
@@ -302,6 +302,17 @@ zapret_do_daemons() filter_apply_hostlist_target opt do_nfqws $1 4 "$opt" } + get_nfqws_qnums_quic qn qn6 + [ -z "$qn" ] || { + opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" + filter_apply_hostlist_target opt + do_nfqws $1 10 "$opt" + } + [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || { + opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6" + filter_apply_hostlist_target opt + do_nfqws $1 11 "$opt" + } ;; custom) existf zapret_custom_daemons && zapret_custom_daemons $1 diff --git a/install_easy.sh b/install_easy.sh index ebef8ff..22a5d58 100755 --- a/install_easy.sh +++ b/install_easy.sh @@ -165,7 +165,7 @@ select_mode_mode() vars="TPWS_OPT" ;; nfqws) - vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6" + vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6" ;; esac [ -n "$vars" ] && { @@ -215,6 +215,14 @@ select_mode_https() write_config_var MODE_HTTPS } } +select_mode_quic() +{ + [ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && [ "$MODE" != "tpws" ] && { + echo + ask_yes_no_var MODE_QUIC "enable quic support" + write_config_var MODE_QUIC + } +} select_mode_filter() { local filter="none ipset hostlist" @@ -230,6 +238,7 @@ select_mode() select_mode_http select_mode_keepalive select_mode_https + select_mode_quic select_mode_filter }