blockcheck: partial OpenBSD support

bol-van 2024-03-11 19:00:22 +03:00
parent d5ccd421df
commit b54f856c81


@ -38,6 +38,8 @@ DNSCHECK_DIG1=/tmp/dig1.txt
DNSCHECK_DIG2=/tmp/dig2.txt DNSCHECK_DIG2=/tmp/dig2.txt
DNSCHECK_DIGS=/tmp/digs.txt DNSCHECK_DIGS=/tmp/digs.txt
unset PF_STATUS
PF_RULES_SAVE=/tmp/pf-zapret-save.conf
killwait() killwait()
{ {
@ -58,6 +60,65 @@ exitp()
exit $1 exit $1
} }
pf_is_avail()
{
[ -c /dev/pf ]
}
pf_status()
{
pfctl -qsi | sed -nre "s/^Status: ([^ ]+).*$/\1/p"
}
pf_is_enabled()
{
[ "$(pf_status)" = Enabled ]
}
pf_save()
{
PF_STATUS=0
pf_is_enabled && PF_STATUS=1
pfctl -sr >"$PF_RULES_SAVE"
}
pf_restore()
{
[ -n "$PF_STATUS" ] || return
if [ -f "$PF_RULES_SAVE" ]; then
pfctl -qf "$PF_RULES_SAVE"
else
echo | pfctl -qf -
fi
if [ "$PF_STATUS" = 1 ]; then
pfctl -qe
else
pfctl -qd
fi
}
pf_clean()
{
rm -f "$PF_RULES_SAVE"
}
opf_dvtws_anchor()
{
echo "set reassemble no"
echo "pass in quick proto tcp from port {80,443} flags SA/SA divert-packet port $IPFW_DIVERT_PORT no state"
echo "pass in quick proto tcp from port {80,443} no state"
echo "pass out quick proto tcp to port {80,443} divert-packet port $IPFW_DIVERT_PORT no state"
echo "pass"
}
opf_prepare_dvtws()
{
opf_dvtws_anchor | pfctl -qf -
pfctl -qe
}
cleanup()
{
case "$UNAME" in
OpenBSD)
pf_clean
;;
esac
}
IPT() IPT()
{ {
$IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@" $IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@"
@ -127,6 +188,11 @@ check_system()
FWTYPE=ipfw FWTYPE=ipfw
[ -f /etc/platform ] && read SUBSYS </etc/platform [ -f /etc/platform ] && read SUBSYS </etc/platform
;; ;;
OpenBSD)
PKTWS="$DVTWS"
PKTWSD=dvtws
FWTYPE=opf
;;
*) *)
echo $UNAME not supported echo $UNAME not supported
exitp 5 exitp 5
@ -189,6 +255,19 @@ check_prerequisites()
exitp 6 exitp 6
} }
;; ;;
OpenBSD)
progs="$progs pfctl"
pf_is_avail || {
echo pf is not available
exitp 6
}
# I dont know how to redirect traffic originating from the host itself
# even with route-to trick DIOCNATLOOK fails, thus making tpws unusable
# this trick works fine on MacOS but doesn't work on FreeBSD and OpenBSD
# socks version is also not a solution because I can't control ip version of the resolved domain
SKIP_TPWS=1
pf_save
;;
esac esac
for prog in $progs; do for prog in $progs; do
@ -367,6 +446,9 @@ pktws_ipt_prepare()
# for autottl mode # for autottl mode
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in
;; ;;
opf)
opf_prepare_dvtws
;;
esac esac
} }
pktws_ipt_unprepare() pktws_ipt_unprepare()
@ -393,6 +475,9 @@ pktws_ipt_unprepare()
ipfw) ipfw)
IPFW_DEL IPFW_DEL
;; ;;
opf)
pf_restore
;;
esac esac
} }
tpws_ipt_prepare() tpws_ipt_prepare()
@ -434,7 +519,7 @@ pktws_start()
Linux) Linux)
"$NFQWS" --uid $TPWS_UID:$TPWS_GID --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null & "$NFQWS" --uid $TPWS_UID:$TPWS_GID --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null &
;; ;;
FreeBSD) FreeBSD|OpenBSD)
"$DVTWS" --port=$IPFW_DIVERT_PORT "$@" >/dev/null & "$DVTWS" --port=$IPFW_DIVERT_PORT "$@" >/dev/null &
;; ;;
esac esac
@ -642,7 +727,9 @@ pktws_check_domain_bypass()
test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-ttl=1 --dpi-desync-autottl=$delta $e test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-ttl=1 --dpi-desync-autottl=$delta $e
} }
done done
f="badsum badseq md5sig datanoack" f=
[ "$UNAME" = "OpenBSD" ] || f="badsum"
f="$f badseq md5sig datanoack"
[ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2" [ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2"
for fooling in $f; do for fooling in $f; do
pktws_curl_test_update $1 $3 $s --dpi-desync-fooling=$fooling $e && warn_fool $fooling pktws_curl_test_update $1 $3 $s --dpi-desync-fooling=$fooling $e && warn_fool $fooling
@ -661,6 +748,8 @@ pktws_check_domain_bypass()
[ "$sec" = 1 ] || break [ "$sec" = 1 ] || break
done done
# OpenBSD has checksum issues with fragmented packets
if [ "$UNAME" != "OpenBSD" ]; then
[ "$IPV" = 4 -o -n "$IP6_DEFRAG_DISABLE" ] && { [ "$IPV" = 4 -o -n "$IP6_DEFRAG_DISABLE" ] && {
for frag in 24 32 40 64 80 104; do for frag in 24 32 40 64 80 104; do
tests="ipfrag2" tests="ipfrag2"
@ -670,6 +759,7 @@ pktws_check_domain_bypass()
done done
done done
} }
fi
report_strategy $1 $3 $PKTWSD report_strategy $1 $3 $PKTWSD
} }
@ -928,7 +1018,14 @@ ask_params()
pingtest() pingtest()
{ {
case "$UNAME" in
OpenBSD)
ping -c 1 -w 1 $1 >/dev/null
;;
*)
ping -c 1 -W 1 $1 >/dev/null ping -c 1 -W 1 $1 >/dev/null
;;
esac
} }
dnstest() dnstest()
{ {
@ -1048,6 +1145,7 @@ unprepare_all()
pktws_ipt_unprepare 443 pktws_ipt_unprepare 443
} }
ws_kill ws_kill
cleanup
} }
sigint() sigint()
{ {
@ -1056,6 +1154,11 @@ sigint()
unprepare_all unprepare_all
exitp 1 exitp 1
} }
sigint_cleanup()
{
cleanup
exit 1
}
sigpipe() sigpipe()
{ {
# must not write anything here to stdout # must not write anything here to stdout
@ -1068,9 +1171,11 @@ fix_sbin_path
check_system check_system
require_root require_root
check_prerequisites check_prerequisites
trap sigint_cleanup INT
check_dns check_dns
check_virt check_virt
ask_params ask_params
trap - INT
PID= PID=
NREPORT= NREPORT=
@ -1087,6 +1192,8 @@ done
trap - PIPE trap - PIPE
trap - INT trap - INT
cleanup
echo echo
echo \* SUMMARY echo \* SUMMARY
report_print report_print