winws build fix

nfqws: BSD/clang build fix
minor var spelling fix
2025-04-11 07:37:27 +05:00 · 2025-04-08 17:33:14 +03:00 · 2025-04-08 17:23:15 +03:00 · 2025-04-08 17:02:33 +03:00 · 2025-04-08 17:00:53 +03:00 · 2025-04-08 16:56:17 +03:00
34 changed files with 1545 additions and 824 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -401,6 +401,7 @@ jobs:
        uses: crazy-max/ghaction-upx@v3
        with:
          install-only: true
+          version: v4.2.4

      - name: Prepare binaries
        shell: bash
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,7 @@ mdig/mdig
 nfq/dvtws
 nfq/nfqws
 nfq/winws.exe
+nfq/WinDivert*
 tpws/tpws
 binaries/my/
 ipset/zapret-ip*.txt
--- a/blockcheck.sh
+++ b/blockcheck.sh
@ -341,12 +341,19 @@ netcat_test()
 	}
 }

+tpws_can_fix_seg()
+{
+	# fix-seg requires kernel 4.6+
+	"$TPWS" --port 1 --dry-run --fix-seg >/dev/null 2>/dev/null
+}
+
 check_system()
 {
 	echo \* checking system

 	UNAME=$(uname)
 	SUBSYS=
+	FIX_SEG=
 	local s

 	# can be passed FWTYPE=iptables to override default nftables preference
@ -354,6 +361,14 @@ check_system()
 		Linux)
 			PKTWS="$NFQWS"
 			PKTWSD=nfqws
+			if [ -x "$TPWS" ] ; then
+				if tpws_can_fix_seg ; then
+					echo tpws supports --fix-seg on this system
+					FIX_SEG='--fix-seg'
+				else
+					echo tpws does not support --fix-seg on this system
+				fi
+			fi
 			linux_fwtype
 			[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
 				echo firewall type $FWTYPE not supported in $UNAME
@ -1168,7 +1183,7 @@ pktws_curl_test_update_vary()
 	[ "$sec" = 0 ] || proto=tls
 	test_has_fake $desync && {
 		zerofake="--dpi-desync-fake-$proto=0x00000000"
-		[ "$sec" = 0 ] || tlsmod="--dpi-desync-fake-tls-mod=rnd,rndsni,padencap"
+		[ "$sec" = 0 ] || tlsmod="--dpi-desync-fake-tls-mod=rnd,dupsid,rndsni,padencap"
 	}
 	if test_has_fakedsplit $desync ; then
 		splits="method+2 midsld"
@ -1430,6 +1445,11 @@ warn_mss()
 	[ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3'
 	return 0
 }
+fix_seg()
+{
+	# $1 - split-pos
+	[ -n "$FIX_SEG" ] && contains "$1" , && echo "$FIX_SEG"
+}

 tpws_check_domain_http_bypass_()
 {
@ -1455,7 +1475,7 @@ tpws_check_domain_http_bypass_()
 		done
 		for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
 			for s in $splits_http ; do
-				tpws_curl_test_update $1 $3 --split-pos=$s $s2 && [ "$SCANLEVEL" != force ] && {
+				tpws_curl_test_update $1 $3 --split-pos=$s $(fix_seg $s) $s2 && [ "$SCANLEVEL" != force ] && {
 					[ "$SCANLEVEL" = quick ] && return
 					break
 				}
@ -1470,7 +1490,7 @@ tpws_check_domain_http_bypass_()
 			s3=${mss:+--mss=$mss}
 			for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
 				for pos in $splits_tls; do
-					tpws_curl_test_update $1 $3 --split-pos=$pos $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
+					tpws_curl_test_update $1 $3 --split-pos=$pos $(fix_seg $pos) $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
 						[ "$SCANLEVEL" = quick ] && return
 						need_mss=0
 						break
@ -1478,7 +1498,7 @@ tpws_check_domain_http_bypass_()
 				done
 			done
 			for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
-				for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' '--tlsrec=sniext+1 --split-pos=1,midsld' '--tlsrec=sniext+4 --split-pos=1,midsld' ; do
+				for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' "--tlsrec=sniext+1 --split-pos=1,midsld $FIX_SEG" "--tlsrec=sniext+4 --split-pos=1,midsld $FIX_SEG" ; do
 					tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
 						[ "$SCANLEVEL" = quick ] && return
 						need_mss=0
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -466,3 +466,18 @@ nfqws,tpws: optional systemd notify support. compile using 'make systemd'
 nfqws,tpws: systemd instance templates for nfqws and tpws
 nfqws,tpws: separate droproot from dropcaps
 tpws: detect WSL 1 and warn about non-working options
+
+v70.5
+
+nfqws: multiple --dpi-desync-fake-xxx
+nfqws: support of inter-packet fragmented QUIC CRYPTO
+
+v70.6
+
+nfqws: detect Discord Voice IP discovery packets
+nfqws: detect STUN message packets
+nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
+nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SNI=microsoft.com
+nfqws: multiple mods for multiple TLS fakes
+init.d: remove 50-discord
+blockcheck: use tpws --fix-seg on linux for multiple splits
--- a/docs/compile/build_howto_openwrt.txt
+++ b/docs/compile/build_howto_openwrt.txt
@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.

 examples :

-curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
+curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
 cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64

-curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
+curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
 cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64

 3) Install required libs
@ -48,7 +48,7 @@ static build :  make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
 executables only : build_dir/target/<progname>
 ipk or apk packages : bin/packages/*/base

-8) Installating to openwrt to use with zapret
+8) Installing to openwrt to use with zapret

 zapret with or without binaries should be already installed in /opt/zapret.
 Install ipk's or apk's with all compiled progs using opkg or apk.
--- a/docs/compile/build_howto_unix.txt
+++ b/docs/compile/build_howto_unix.txt
@ -1,7 +1,7 @@
 debian,ubuntu :

-apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev
-make -C /opt/zapret
+apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libsystemd-dev
+make -C /opt/zapret systemd

 FreeBSD :

--- a/docs/readme.en.md
+++ b/docs/readme.en.md
@ -1,4 +1,4 @@
-# zapret v70.4
+# zapret v70.6

 # SCAMMER WARNING

@ -174,12 +174,14 @@ nfqws takes the following parameters:
 --dpi-desync-any-protocol=0|1                  ; 0(default)=desync only http and tls  1=desync any nonempty data packet
 --dpi-desync-fake-http=<filename>|0xHEX        ; file containing fake http request
 --dpi-desync-fake-tls=<filename>|0xHEX         ; file containing fake TLS ClientHello (for https)
- --dpi-desync-fake-tls-mod=mod[,mod]            ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,dupsid,padencap
+ --dpi-desync-fake-tls-mod=mod[,mod]            ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,sni=<sni>,dupsid,padencap
 --dpi-desync-fake-unknown=<filename>|0xHEX     ; file containing unknown protocol fake payload
 --dpi-desync-fake-syndata=<filename>|0xHEX     ; file containing SYN data payload
 --dpi-desync-fake-quic=<filename>|0xHEX        ; file containing fake QUIC Initial
 --dpi-desync-fake-wireguard=<filename>|0xHEX   ; file containing fake wireguard handshake initiation
 --dpi-desync-fake-dht=<filename>|0xHEX         ; file containing fake DHT (d1..e)
+ --dpi-desync-fake-discord=<filename>|0xHEX     ; file containing fake Discord voice connection initiation packet (IP Discovery)
+ --dpi-desync-fake-stun=<filename>|0xHEX        ; file containing fake STUN message
 --dpi-desync-fake-unknown-udp=<filename>|0xHEX ; file containing unknown udp protocol fake payload
 --dpi-desync-udplen-increment=<int>            ; increase or decrease udp packet length by N bytes (default 2). negative values decrease length.
 --dpi-desync-udplen-pattern=<filename>|0xHEX   ; udp tail fill pattern
@ -193,13 +195,13 @@ nfqws takes the following parameters:
 --hostlist-auto-fail-threshold=<int>           ; how many failed attempts cause hostname to be added to auto hostlist (default : 3)
 --hostlist-auto-fail-time=<int>                ; all failed attemps must be within these seconds (default : 60)
 --hostlist-auto-retrans-threshold=<int>        ; how many request retransmissions cause attempt to fail (default : 3)
- --hostlist-auto-debug=<logfile>        	; debug auto hostlist positives
+ --hostlist-auto-debug=<logfile>                ; debug auto hostlist positives
 --new                                          ; begin new strategy (new profile)
 --skip                                         ; do not use this profile
 --filter-l3=ipv4|ipv6                          ; L3 protocol filter. multiple comma separated values allowed.
 --filter-tcp=[~]port1[-port2]|*                ; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list supported.
 --filter-udp=[~]port1[-port2]|*                ; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list supported.
- --filter-l7=[http|tls|quic|wireguard|dht|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.
+ --filter-l7=<proto>                            ; L6-L7 protocol filter. multiple comma separated values allowed. proto: http tls quic wireguard dht discord stun unknown
 --ipset=<filename>                             ; ipset include filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
 --ipset-ip=<ip_list>                           ; comma separated fixed subnet list
 --ipset-exclude=<filename>                     ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
@ -265,6 +267,12 @@ Fakes are separate generated by nfqws packets carrying false information for DPI

 `--dpi-desync-fooling` takes multiple comma separated values.

+
+Multiple parameters `--dpi-desync-fake-???` are supported except for the `--dpi-desync-fake-syndata`.
+Fakes are sent in the specified order. `--dpi-desync-repeats` resends each fake.
+Resulting order would be : `fake1 fake1 fake1 fake2 fake2 fake2 fake3 fake3 fake3 .....`
+
+
 ### FAKE mods

 **nfqws** has built-in TLS fake. It can be customized with `--dpi-desync-fake-tls` option.
@ -277,11 +285,20 @@ It's possible to use TLS Client Hello with any fingerprint and any SNI.
 * `rnd`. Randomize `random` and `session id` fields. Applied on every request.
 * `rndsni`. Randomize SNI. If SNI >=7 symbols random SLD is applied with known TLD. Otherwise filled with random symbols. Applied only once at startup.
 * `dupsid`. Copy `session ID` from original TLS Client Hello. Takes precedence over `rnd`. Applied on every request.
+ * `sni=<sni>`. Set specified SNI value. Changes TLS fake length, fixes lengths in TLS structure. Applied once at startup before `rndsni`.
 * `padencap`. Padding extension is extended by original TLS Client Hello size (including multi packet variation with kyber). Padding extension is added to the end if not present, otherwise it must be the last extension. All lengths are increased. Fake size is not changed. Can be useful if DPI does not analyze sequence numbers properly. Applied on every request.

 By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`.
 This behaviour is compatible with previous versions with addition of `dupsid`.

+If multiple TLS fakes are present each one takes the last mod.
+If a mod is specified after fake it replaces previous mod.
+This way it's possible to use different mods for every TLS fake.
+
+If a mod is set to non-TLS fake it causes error. Use `--dpi-desync-fake-tls-mod=none'.
+
+Example : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
+
 ### TCP segmentation

 * `multisplit`. split request at specified in `--dpi-desync-split-pos` positions
@ -464,7 +481,7 @@ This option can resist DPIs that track outgoing UDP packet sizes.
 Requires that application protocol does not depend on udp payload size.

 QUIC initial packets are recognized. Decryption and hostname extraction is supported so `--hostlist` parameter will work.
-Wireguard handshake initiation and DHT packets are also recognized.
+Wireguard handshake initiation, DHT, STUN and [Discord Voice IP Discovery](https://discord.com/developers/docs/topics/voice-connections#ip-discovery) packets are also recognized.
 For other protocols desync use `--dpi-desync-any-protocol`.

 Conntrack supports udp. `--dpi-desync-cutoff` will work. UDP conntrack timeout can be set in the 4th parameter of `--ctrack-timeouts`.
@ -1434,12 +1451,8 @@ If this is the case then run another script in background and add some delay the

 Are welcome here :

-<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
-```
-0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
-```
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`

-<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png  alt="USDT" style="vertical-align: middle;"/> BTC
-```
-bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
-```
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
--- a/docs/readme.md
+++ b/docs/readme.md
@ -1,4 +1,4 @@
-# zapret v70.4
+# zapret v70.6

 # ВНИМАНИЕ, остерегайтесь мошенников

@ -196,11 +196,13 @@ dvtws, собираемый из тех же исходников (см. [док
 --dpi-desync-any-protocol=0|1                      ; 0(default)=работать только по http request и tls clienthello  1=по всем непустым пакетам данных
 --dpi-desync-fake-http=<filename>|0xHEX	           ; файл, содержащий фейковый http запрос для dpi-desync=fake, на замену стандартному www.iana.org
 --dpi-desync-fake-tls=<filename>|0xHEX             ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному
--dpi-desync-fake-tls-mod=mod[,mod]                ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,dupsid,padencap
+--dpi-desync-fake-tls-mod=mod[,mod]                ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,sni=<sni>,dupsid,padencap
 --dpi-desync-fake-unknown=<filename>|0xHEX         ; файл, содержащий фейковый пейлоад неизвестного протокола для dpi-desync=fake, на замену стандартным нулям 256 байт
 --dpi-desync-fake-syndata=<filename>|0xHEX         ; файл, содержащий фейковый пейлоад пакета SYN для режима десинхронизации syndata
 --dpi-desync-fake-quic=<filename>|0xHEX            ; файл, содержащий фейковый QUIC Initial
 --dpi-desync-fake-dht=<filename>|0xHEX             ; файл, содержащий фейковый пейлоад DHT протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
+--dpi-desync-fake-discord=<filename>|0xHEX         ; файл, содержащий фейковый пейлоад Discord протокола нахождения IP адреса для голосовых чатов для dpi-desync=fake, на замену стандартным нулям 64 байт
+--dpi-desync-fake-stun=<filename>|0xHEX            ; файл, содержащий фейковый пейлоад STUN протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
 --dpi-desync-fake-unknown-udp=<filename>|0xHEX     ; файл, содержащий фейковый пейлоад неизвестного udp протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
 --dpi-desync-udplen-increment=<int>                ; насколько увеличивать длину udp пейлоада в режиме udplen
 --dpi-desync-udplen-pattern=<filename>|0xHEX       ; чем добивать udp пакет в режиме udplen. по умолчанию - нули
@ -226,7 +228,7 @@ dvtws, собираемый из тех же исходников (см. [док
 --filter-l3=ipv4|ipv6                              ; фильтр версии ip для текущей стратегии
 --filter-tcp=[~]port1[-port2]|*                    ; фильтр портов tcp для текущей стратегии. ~ означает инверсию. установка фильтра tcp и неустановка фильтра udp запрещает udp. поддерживается список через запятую.
 --filter-udp=[~]port1[-port2]|*                    ; фильтр портов udp для текущей стратегии. ~ означает инверсию. установка фильтра udp и неустановка фильтра tcp запрещает tcp. поддерживается список через запятую.
--filter-l7=[http|tls|quic|wireguard|dht|unknown]  ; фильтр протокола L6-L7. поддерживается несколько значений через запятую.
+--filter-l7=<proto>                                ; фильтр протокола L6-L7. поддерживается несколько значений через запятую. proto : http tls quic wireguard dht discord stun unknown
 --ipset=<filename>                                 ; включающий ip list. на каждой строчке ip или cidr ipv4 или ipv6. поддерживается множество листов и gzip. перечитка автоматическая.
 --ipset-ip=<ip_list>                               ; фиксированный список подсетей через запятую. можно использовать # в начале для комментирования отдельных подсетей.
 --ipset-exclude=<filename>                         ; исключающий ip list. на каждой строчке ip или cidr ipv4 или ipv6. поддерживается множество листов и gzip. перечитка автоматическая.
@ -320,6 +322,10 @@ dvtws, собираемый из тех же исходников (см. [док

 Режимы дурения могут сочетаться в любых комбинациях. `--dpi-desync-fooling` берет множество значений через запятую.

+Возможно задание множества фейков через повторение парамеров `--dpi-desync-fake-???`, кроме `--dpi-desync-fake-syndata`.
+Фейки будут отосланы в указанном порядке. `--dpi-desync-repeats` повторяет каждый отосланный фейк.
+Итоговый порядок будет такой : `fake1 fake1 fake1 fake2 fake2 fake2 fake3 fake3 fake3 .....`
+
 ### МОДИФИКАЦИЯ ФЕЙКОВ

 В nfqws зашит базовый вариант фейка для TLS. Его можно переопределить опцией `--dpi-desync-fake-tls`.
@ -334,11 +340,22 @@ dvtws, собираемый из тех же исходников (см. [док
 * `rnd`. Рандомизировать поля `random` и `session id`. Выполняется на каждый запрос.
 * `dupsid`. Копировать `session ID` из передаваемого TLS Client Hello. Имеет приоритет над `rnd`. Выполняется на каждый запрос.
 * `rndsni`. Рандомизировать SNI. Если SNI >=7 символов, применяется случайный домен 2 уровня с известным TLD, иначе заполняется случайными символами без точки. Выполняется один раз при старте.
+ * `sni=<sni>`. Заменить sni на указанное значение. Макс длина SNI - 63 байта. Общая длина TLS фейка и длины в структуре TLS Client Hello меняются. Выполняется один раз при старте. Если сочетается с `rndsni`, выполняется до него.
 * `padencap`. Расширяется padding extension на размер передаваемого TLS Client Hello (включая многопакетный вариант с kyber). Если padding отсутствует, он добавляется в конец. Если присутствует - требуется, чтобы padding шел последним extension. Правятся все длины, чтобы создать видимость включения передаваемого TLS Client Hello в padding extension. Размер фейка не изменяется. Расчет идет на DPI, который не анализирует sequence numbers должным образом. Выполняется на каждый запрос.

 По умолчанию если не задан собственный фейк для TLS используются модификации `rnd,rndsni,dupsid`. Если фейк задан, используется `none`.
 Это соответствует поведению программы более старых версий с добавлением функции `dupsid`.

+Если задан режим модификации и имеется множество TLS фейков, к каждому из них применяется последний режим модификации.
+Если режим модификации задан после фейка, то он замещает предыдущий режим.
+Таким образом можно использовать разные режимы модификации для разных фейков.
+При невозможности модифицировать фейк на этапе запуска программа завершается с ошибкой.
+
+Если сначала идет TLS фейк, для него задан режим однократной модификации, затем идет не TLS фейк, то будет ошибка.
+Нужно использовать `--dpi-desync-fake-tls-mod=none'.
+
+Пример : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
+
 ### TCP СЕГМЕНТАЦИЯ

 * `multisplit`. нарезаем запрос на указанных в `--dpi-desync-split-pos` позициях.
@ -568,7 +585,8 @@ chrome рандомизирует фингерпринт TLS. SNI может о
 На текущий момент работает только с DHT.
 Поддерживается определение пакетов QUIC Initial с расшифровкой содержимого и имени хоста, то есть параметр
 `--hostlist` будет работать.
-Определяются пакеты wireguard handshake initiation и DHT (начинается с 'd1', кончается 'e').
+Определяются пакеты wireguard handshake initiation, DHT (начинается с 'd1', кончается 'e'), STUN и
+[Discord Voice IP Discovery](https://discord.com/developers/docs/topics/voice-connections#ip-discovery).
 Для десинхронизации других протоколов обязательно указывать `--dpi-desync-any-protocol`.
 Реализован conntrack для udp. Можно пользоваться --dpi-desync-cutoff. Таймаут conntrack для udp
 можно изменить 4-м параметром в `--ctrack-timeouts`.
@ -2350,12 +2368,8 @@ VPS можно приобрести в множестве мест. Сущест

 ## Поддержать разработчика

-<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
-```
-0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
-```
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`

-<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png  alt="USDT" style="vertical-align: middle;"/> BTC
-```
-bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
-```
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
--- a/files/fake/discord-ip-discovery-with-port.bin
+++ b/files/fake/discord-ip-discovery-with-port.bin
--- a/files/fake/discord-ip-discovery-without-port.bin
+++ b/files/fake/discord-ip-discovery-without-port.bin
--- a/files/fake/isakmp_initiator_request.bin
+++ b/files/fake/isakmp_initiator_request.bin
--- a/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_1.bin
+++ b/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_1.bin
--- a/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_2.bin
+++ b/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_2.bin
--- a/files/fake/stun.bin
+++ b/files/fake/stun.bin
--- a/files/fake/tls_clienthello_www_google_com.bin
+++ b/files/fake/tls_clienthello_www_google_com.bin
--- a/init.d/custom.d.examples.linux/50-discord
+++ b/init.d/custom.d.examples.linux/50-discord
--- a/init.d/custom.d.examples.linux/50-nfqws-ipset
+++ b/init.d/custom.d.examples.linux/50-nfqws-ipset
@ -0,0 +1,74 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
+
+# can override in config :
+NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
+NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
+NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_SET_NAME=my1nfqws4
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
+	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f
+	local first_packets_only="$ipt_connbytes 1:3"
+	local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
+	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
+	local subnet
+
+	local DISABLE_IPV6=1
+
+	[ "$1" = 1 ] && {
+		ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
+		ipset flush $NFQWS_MY1_SET_NAME
+		for subnet in $NFQWS_MY1_SUBNETS; do
+			echo add $NFQWS_MY1_SET_NAME $subnet
+		done | ipset -! restore
+	}
+
+	f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
+	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f
+	local first_packets_only="$nft_connbytes 1-3"
+	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
+	local subnets
+
+	local DISABLE_IPV6=1
+
+	make_comma_list subnets $NFQWS_MY1_SUBNETS
+	nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
+	nft_flush_set $NFQWS_MY1_SET_NAME
+	nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
+
+	f="udp dport {$NFQWS_MY1_PORTS}"
+	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
+}
--- a/ip2net/ip2net.c
+++ b/ip2net/ip2net.c
@ -225,6 +225,28 @@ static void exithelp(void)
 #define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
 #endif

+enum opt_indices {
+	IDX_HELP,
+	IDX_H,
+	IDX_4,
+	IDX_6,
+	IDX_PREFIX_LENGTH,
+	IDX_V4_THRESHOLD,
+	IDX_V6_THRESHOLD,
+	IDX_LAST,
+};
+
+static const struct option long_options[] = {
+	[IDX_HELP] = {"help", no_argument, 0, 0},
+	[IDX_H] = {"h", no_argument, 0, 0},
+	[IDX_4] = {"4", no_argument, 0, 0},
+	[IDX_6] = {"6", no_argument, 0, 0},
+	[IDX_PREFIX_LENGTH] = {"prefix-length", required_argument, 0, 0},
+	[IDX_V4_THRESHOLD] = {"v4-threshold", required_argument, 0, 0},
+	[IDX_V6_THRESHOLD] = {"v6-threshold", required_argument, 0, 0},
+	[IDX_LAST] = {NULL, 0, NULL, 0},
+};
+
 static void parse_params(int argc, char *argv[])
 {
 	int option_index = 0;
@ -236,33 +258,23 @@ static void parse_params(int argc, char *argv[])
 	params.pctdiv = DEFAULT_PCTDIV;
 	params.v6_threshold = DEFAULT_V6_THRESHOLD;

-	const struct option long_options[] = {
-		{ "help",no_argument,0,0 },// optidx=0
-		{ "h",no_argument,0,0 },// optidx=1
-		{ "4",no_argument,0,0 },// optidx=2
-		{ "6",no_argument,0,0 },// optidx=3
-		{ "prefix-length",required_argument,0,0 },// optidx=4
-		{ "v4-threshold",required_argument,0,0 },// optidx=5
-		{ "v6-threshold",required_argument,0,0 },// optidx=6
-		{ NULL,0,NULL,0 }
-	};
 	while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
 	{
 		if (v) exithelp();
 		switch (option_index)
 		{
-		case 0:
-		case 1:
+		case IDX_HELP:
+		case IDX_H:
 			PRINT_VER;
 			exithelp();
 			break;
-		case 2:
+		case IDX_4:
 			params.ipv6 = false;
 			break;
-		case 3:
+		case IDX_6:
 			params.ipv6 = true;
 			break;
-		case 4:
+		case IDX_PREFIX_LENGTH:
 			i = sscanf(optarg,"%u-%u",&plen1,&plen2);
 			if (i == 1) plen2 = plen1;
 			if (i<=0 || plen2<plen1 || !plen1 || !plen2)
@ -271,7 +283,7 @@ static void parse_params(int argc, char *argv[])
 				exit(1);
 			}
 			break;
-		case 5:
+		case IDX_V4_THRESHOLD:
 			i = sscanf(optarg, "%u/%u", &params.pctmult, &params.pctdiv);
 			if (i!=2 || params.pctdiv<2 || params.pctmult<1 || params.pctmult>=params.pctdiv)
 			{
@ -279,7 +291,7 @@ static void parse_params(int argc, char *argv[])
 				exit(1);
 			}
 			break;
-		case 6:
+		case IDX_V6_THRESHOLD:
 			i = sscanf(optarg, "%u", &params.v6_threshold);
 			if (i != 1 || params.v6_threshold<1)
 			{
--- a/ipset/def.sh
+++ b/ipset/def.sh
@ -274,7 +274,9 @@ hup_zapret_daemons()
 if exists killall; then
  killall -HUP tpws nfqws dvtws 2>/dev/null
 elif exists pkill; then
-  pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
+  pkill -HUP ^tpws$
+  pkill -HUP ^nfqws$
+  pkill -HUP ^dvtws$
 else
  echo no mass killer available ! cant HUP zapret daemons
 fi
--- a/mdig/mdig.c
+++ b/mdig/mdig.c
@ -467,25 +467,38 @@ static void exithelp(void)
 #define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
 #endif

+enum opt_indices {
+	IDX_HELP,
+	IDX_THREADS,
+	IDX_FAMILY,
+	IDX_VERBOSE,
+	IDX_STATS,
+	IDX_LOG_RESOLVED,
+	IDX_LOG_FAILED,
+	IDX_DNS_MAKE_QUERY,
+	IDX_DNS_PARSE_QUERY,
+	IDX_LAST,
+};
+
+static const struct option long_options[] = {
+	[IDX_HELP] = {"help", no_argument, 0, 0},
+	[IDX_THREADS] = {"threads", required_argument, 0, 0},
+	[IDX_FAMILY] = {"family", required_argument, 0, 0},
+	[IDX_VERBOSE] = {"verbose", no_argument, 0, 0},
+	[IDX_STATS] = {"stats", required_argument, 0, 0},
+	[IDX_LOG_RESOLVED] = {"log-resolved", required_argument, 0, 0},
+	[IDX_LOG_FAILED] = {"log-failed", required_argument, 0, 0},
+	[IDX_DNS_MAKE_QUERY] = {"dns-make-query", required_argument, 0, 0},
+	[IDX_DNS_PARSE_QUERY] = {"dns-parse-query", no_argument, 0, 0},
+	[IDX_LAST] = {NULL, 0, NULL, 0},
+};
+
 int main(int argc, char **argv)
 {
 	int r, v, option_index = 0;
 	char fn1[256],fn2[256];
 	char dom[256];

-	static const struct option long_options[] = {
-			{"help",no_argument,0,0},			// optidx=0
-			{"threads",required_argument,0,0},		// optidx=1
-			{"family",required_argument,0,0},		// optidx=2
-			{"verbose",no_argument,0,0},			// optidx=3
-			{"stats",required_argument,0,0},		// optidx=4
-			{"log-resolved",required_argument,0,0},		// optidx=5
-			{"log-failed",required_argument,0,0},		// optidx=6
-			{"dns-make-query",required_argument,0,0},	// optidx=7
-			{"dns-parse-query",no_argument,0,0},		// optidx=8
-			{NULL,0,NULL,0}
-	};
-
 	memset(&glob, 0, sizeof(glob));
 	*fn1 = *fn2 = *dom = 0;
 	glob.family = FAMILY4;
@ -495,11 +508,11 @@ int main(int argc, char **argv)
 		if (v) exithelp();
 		switch (option_index)
 		{
-		case 0: /* help */
+		case IDX_HELP:
 			PRINT_VER;
 			exithelp();
 			break;
-		case 1: /* threads */
+		case IDX_THREADS:
 			glob.threads = optarg ? atoi(optarg) : 0;
 			if (glob.threads <= 0 || glob.threads > 100)
 			{
@ -507,7 +520,7 @@ int main(int argc, char **argv)
 				return 1;
 			}
 			break;
-		case 2: /* family */
+		case IDX_FAMILY:
 			if (!strcmp(optarg, "4"))
 				glob.family = FAMILY4;
 			else if (!strcmp(optarg, "6"))
@ -520,25 +533,25 @@ int main(int argc, char **argv)
 				return 1;
 			}
 			break;
-		case 3: /* verbose */
+		case IDX_VERBOSE:
 			glob.verbose = '\1';
 			break;
-		case 4: /* stats */
+		case IDX_STATS:
 			glob.stats_every = optarg ? atoi(optarg) : 0;
 			break;
-		case 5: /* log-resolved */
+		case IDX_LOG_RESOLVED:
 			strncpy(fn1,optarg,sizeof(fn1));
 			fn1[sizeof(fn1)-1] = 0;
 			break;
-		case 6: /* log-failed */
+		case IDX_LOG_FAILED:
 			strncpy(fn2,optarg,sizeof(fn2));
 			fn2[sizeof(fn2)-1] = 0;
 			break;
-		case 7: /* dns-make-query */
+		case IDX_DNS_MAKE_QUERY:
 			strncpy(dom,optarg,sizeof(dom));
 			dom[sizeof(dom)-1] = 0;
 			break;
-		case 8: /* dns-parse-query */
+		case IDX_DNS_PARSE_QUERY:
 			return dns_parse_query();
 		}
 	}
--- a/nfq/WinDivert.dll
+++ b/nfq/WinDivert.dll
--- a/nfq/WinDivert64.sys
+++ b/nfq/WinDivert64.sys
--- a/nfq/desync.c
+++ b/nfq/desync.c
@ -16,56 +16,73 @@ const char *fake_http_request_default = "GET / HTTP/1.1\r\nHost: www.iana.org\r\
                                        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
                                        "Accept-Encoding: gzip, deflate, br\r\n\r\n";

-// random : +11 size 32
-// random : +44 size 32
-// sni : gatech.edu +125 size 11
-const uint8_t fake_tls_clienthello_default[648] = {
-0x16,0x03,0x01,0x02,0x83,0x01,0x00,0x02,0x7f,0x03,0x03,0x98,0xfb,0x69,0x1d,0x31,
-0x66,0xc4,0xd8,0x07,0x25,0x2b,0x74,0x47,0x01,0x44,0x09,0x08,0xcf,0x13,0x67,0xe0,
-0x46,0x19,0x1f,0xcb,0xee,0xe6,0x8e,0x33,0xb9,0x91,0xa0,0x20,0xf2,0xed,0x56,0x73,
-0xa4,0x0a,0xce,0xa6,0xad,0xd2,0xfd,0x71,0xb8,0xb9,0xfd,0x06,0x0e,0xdd,0xf0,0x57,
-0x37,0x7d,0x96,0xb5,0x80,0x6e,0x54,0xe2,0x15,0xce,0x5f,0xff,0x00,0x22,0x13,0x01,
-0x13,0x03,0x13,0x02,0xc0,0x2b,0xc0,0x2f,0xcc,0xa9,0xcc,0xa8,0xc0,0x2c,0xc0,0x30,
-0xc0,0x0a,0xc0,0x09,0xc0,0x13,0xc0,0x14,0x00,0x9c,0x00,0x9d,0x00,0x2f,0x00,0x35,
-0x01,0x00,0x02,0x14,0x00,0x00,0x00,0x0f,0x00,0x0d,0x00,0x00,0x0a,0x67,0x61,0x74,
-0x65,0x63,0x68,0x2e,0x65,0x64,0x75,0x00,0x17,0x00,0x00,0xff,0x01,0x00,0x01,0x00,
-0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,0x01,0x00,
-0x01,0x01,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x10,0x00,0x0e,0x00,0x0c,0x02,0x68,
-0x32,0x08,0x68,0x74,0x74,0x70,0x2f,0x31,0x2e,0x31,0x00,0x05,0x00,0x05,0x01,0x00,
-0x00,0x00,0x00,0x00,0x22,0x00,0x0a,0x00,0x08,0x04,0x03,0x05,0x03,0x06,0x03,0x02,
-0x03,0x00,0x33,0x00,0x6b,0x00,0x69,0x00,0x1d,0x00,0x20,0x72,0xe5,0xce,0x58,0x31,
-0x3c,0x08,0xaa,0x2f,0xa8,0x40,0xe7,0x7a,0xdf,0x46,0x5b,0x63,0x62,0xc7,0xfa,0x49,
-0x18,0xac,0xa1,0x00,0x7c,0x42,0xc5,0x02,0x94,0x5c,0x44,0x00,0x17,0x00,0x41,0x04,
-0x8f,0x3e,0x5f,0xd4,0x7f,0x37,0x47,0xd3,0x33,0x70,0x38,0x7f,0x11,0x35,0xc1,0x55,
-0x8a,0x6c,0xc7,0x5a,0xd4,0xf7,0x31,0xbb,0x9e,0xee,0xd1,0x8f,0x74,0xdd,0x9b,0xbb,
-0x91,0xa1,0x72,0xda,0xeb,0xf6,0xc6,0x82,0x84,0xfe,0xb7,0xfd,0x7b,0xe1,0x9f,0xd2,
-0xb9,0x3e,0x83,0xa6,0x9c,0xac,0x81,0xe2,0x00,0xd5,0x19,0x55,0x91,0xa7,0x0c,0x29,
-0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03,0x00,0x0d,0x00,0x18,0x00,0x16,0x04,
-0x03,0x05,0x03,0x06,0x03,0x08,0x04,0x08,0x05,0x08,0x06,0x04,0x01,0x05,0x01,0x06,
-0x01,0x02,0x03,0x02,0x01,0x00,0x1c,0x00,0x02,0x40,0x01,0xfe,0x0d,0x01,0x19,0x00,
-0x00,0x01,0x00,0x01,0xfe,0x00,0x20,0xae,0x8b,0x30,0x3c,0xf0,0xa9,0x0d,0xa1,0x69,
-0x95,0xb8,0xe2,0xed,0x08,0x6d,0x48,0xdf,0xf7,0x5b,0x9d,0x66,0xef,0x15,0x97,0xbc,
-0x2c,0x99,0x91,0x12,0x7a,0x35,0xd0,0x00,0xef,0xb1,0x8d,0xff,0x61,0x57,0x52,0xef,
-0xd6,0xea,0xbf,0xf3,0x6d,0x78,0x14,0x38,0xff,0xeb,0x58,0xe8,0x9d,0x59,0x4b,0xd5,
-0x9f,0x59,0x12,0xf9,0x03,0x9a,0x20,0x37,0x85,0x77,0xb1,0x4c,0xd8,0xef,0xa6,0xc8,
-0x54,0x8d,0x07,0x27,0x95,0xce,0xd5,0x37,0x4d,0x69,0x18,0xd4,0xfd,0x5e,0xdf,0x64,
-0xcc,0x10,0x2f,0x7f,0x0e,0xc9,0xfd,0xd4,0xd0,0x18,0x61,0x1b,0x57,0x8f,0x41,0x7f,
-0x6f,0x4f,0x5c,0xad,0x04,0xc6,0x5e,0x74,0x54,0x87,0xba,0x28,0xe6,0x11,0x0b,0x9d,
-0x3f,0x0b,0x6d,0xf4,0x2d,0xfc,0x31,0x4e,0xfd,0x49,0xe7,0x15,0x96,0xaf,0xee,0x9a,
-0x48,0x1b,0xae,0x5e,0x7c,0x20,0xbe,0xb4,0xec,0x68,0xb6,0x74,0x22,0xa0,0xec,0xff,
-0x19,0x96,0xe4,0x10,0x8f,0x3c,0x91,0x88,0xa1,0xcc,0x78,0xef,0x4e,0x0e,0xe3,0xb6,
-0x57,0x8c,0x33,0xef,0xaa,0xb0,0x1d,0x45,0x1c,0x02,0x4c,0xe2,0x80,0x30,0xe8,0x48,
-0x7a,0x09,0x71,0x94,0x7c,0xb6,0x75,0x81,0x1c,0xae,0xe3,0x3f,0xde,0xea,0x2b,0x45,
-0xcc,0xe3,0x64,0x09,0xf7,0x60,0x26,0x0c,0x7d,0xad,0x55,0x65,0xb6,0xf5,0x85,0x04,
-0x64,0x2f,0x97,0xd0,0x6a,0x06,0x36,0xcd,0x25,0xda,0x51,0xab,0xd6,0xf7,0x5e,0xeb,
-0xd4,0x03,0x39,0xa4,0xc4,0x2a,0x9c,0x17,0xe8,0xb0,0x9f,0xc0,0xd3,0x8c,0x76,0xdd,
-0xa1,0x0b,0x76,0x9f,0x23,0xfa,0xed,0xfb,0xd7,0x78,0x0f,0x00,0xf7,0x45,0x03,0x04,
-0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4
+// SNI - www.microsoft.com
+const uint8_t fake_tls_clienthello_default[680] = {
+  0x16, 0x03, 0x01, 0x02, 0xa3, 0x01, 0x00, 0x02, 0x9f, 0x03, 0x03, 0x41,
+  0x88, 0x82, 0x2d, 0x4f, 0xfd, 0x81, 0x48, 0x9e, 0xe7, 0x90, 0x65, 0x1f,
+  0xba, 0x05, 0x7b, 0xff, 0xa7, 0x5a, 0xf9, 0x5b, 0x8a, 0x8f, 0x45, 0x8b,
+  0x41, 0xf0, 0x3d, 0x1b, 0xdd, 0xe3, 0xf8, 0x20, 0x9b, 0x23, 0xa5, 0xd2,
+  0x21, 0x1e, 0x9f, 0xe7, 0x85, 0x6c, 0xfc, 0x61, 0x80, 0x3a, 0x3f, 0xba,
+  0xb9, 0x60, 0xba, 0xb3, 0x0e, 0x98, 0x27, 0x6c, 0xf7, 0x38, 0x28, 0x65,
+  0x80, 0x5d, 0x40, 0x38, 0x00, 0x22, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02,
+  0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
+  0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d,
+  0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, 0x02, 0x34, 0x00, 0x00, 0x00, 0x16,
+  0x00, 0x14, 0x00, 0x00, 0x11, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
+  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x17,
+  0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0e, 0x00,
+  0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00, 0x01,
+  0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
+  0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74,
+  0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x22, 0x00, 0x0a, 0x00, 0x08, 0x04, 0x03, 0x05, 0x03,
+  0x06, 0x03, 0x02, 0x03, 0x00, 0x12, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b,
+  0x00, 0x69, 0x00, 0x1d, 0x00, 0x20, 0x69, 0x15, 0x16, 0x29, 0x6d, 0xad,
+  0xd5, 0x68, 0x88, 0x27, 0x2f, 0xde, 0xaf, 0xac, 0x3c, 0x4c, 0xa4, 0xe4,
+  0xd8, 0xc8, 0xfb, 0x41, 0x87, 0xf4, 0x76, 0x4e, 0x0e, 0xfa, 0x64, 0xc4,
+  0xe9, 0x29, 0x00, 0x17, 0x00, 0x41, 0x04, 0xfe, 0x62, 0xb9, 0x08, 0xc8,
+  0xc3, 0x2a, 0xb9, 0x87, 0x37, 0x84, 0x42, 0x6b, 0x5c, 0xcd, 0xc9, 0xca,
+  0x62, 0x38, 0xd3, 0xd9, 0x99, 0x8a, 0xc4, 0x2d, 0xc6, 0xd0, 0xa3, 0x60,
+  0xb2, 0x12, 0x54, 0x41, 0x8e, 0x52, 0x5e, 0xe3, 0xab, 0xf9, 0xc2, 0x07,
+  0x81, 0xdc, 0xf8, 0xf2, 0x6a, 0x91, 0x40, 0x2f, 0xcb, 0xa4, 0xff, 0x6f,
+  0x24, 0xc7, 0x4d, 0x77, 0x77, 0x2d, 0x6f, 0xe0, 0x77, 0xaa, 0x92, 0x00,
+  0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x0d, 0x00, 0x18,
+  0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x04, 0x08, 0x05,
+  0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01,
+  0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01,
+  0x00, 0x1b, 0x00, 0x07, 0x06, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0xfe,
+  0x0d, 0x01, 0x19, 0x00, 0x00, 0x01, 0x00, 0x03, 0x21, 0x00, 0x20, 0x62,
+  0xe8, 0x83, 0xd8, 0x97, 0x05, 0x8a, 0xbe, 0xa1, 0xf2, 0x63, 0x4e, 0xce,
+  0x93, 0x84, 0x8e, 0xcf, 0xe7, 0xdd, 0xb2, 0xe4, 0x87, 0x06, 0xac, 0x11,
+  0x19, 0xbe, 0x0e, 0x71, 0x87, 0xf1, 0xa6, 0x00, 0xef, 0xd8, 0x6b, 0x27,
+  0x5e, 0xc0, 0xa7, 0x5d, 0x42, 0x4e, 0x8c, 0xdc, 0xf3, 0x9f, 0x1c, 0x51,
+  0x62, 0xef, 0xff, 0x5b, 0xed, 0xc8, 0xfd, 0xee, 0x6f, 0xbb, 0x88, 0x9b,
+  0xb1, 0x30, 0x9c, 0x66, 0x42, 0xab, 0x0f, 0x66, 0x89, 0x18, 0x8b, 0x11,
+  0xc1, 0x6d, 0xe7, 0x2a, 0xeb, 0x96, 0x3b, 0x7f, 0x52, 0x78, 0xdb, 0xf8,
+  0x6d, 0x04, 0xf7, 0x95, 0x1a, 0xa8, 0xf0, 0x64, 0x52, 0x07, 0x39, 0xf0,
+  0xa8, 0x1d, 0x0d, 0x16, 0x36, 0xb7, 0x18, 0x0e, 0xc8, 0x44, 0x27, 0xfe,
+  0xf3, 0x31, 0xf0, 0xde, 0x8c, 0x74, 0xf5, 0xa1, 0xd8, 0x8f, 0x6f, 0x45,
+  0x97, 0x69, 0x79, 0x5e, 0x2e, 0xd4, 0xb0, 0x2c, 0x0c, 0x1a, 0x6f, 0xcc,
+  0xce, 0x90, 0xc7, 0xdd, 0xc6, 0x60, 0x95, 0xf3, 0xc2, 0x19, 0xde, 0x50,
+  0x80, 0xbf, 0xde, 0xf2, 0x25, 0x63, 0x15, 0x26, 0x63, 0x09, 0x1f, 0xc5,
+  0xdf, 0x32, 0xf5, 0xea, 0x9c, 0xd2, 0xff, 0x99, 0x4e, 0x67, 0xa2, 0xe5,
+  0x1a, 0x94, 0x85, 0xe3, 0xdf, 0x36, 0xa5, 0x83, 0x4b, 0x0a, 0x1c, 0xaf,
+  0xd7, 0x48, 0xc9, 0x4b, 0x8a, 0x27, 0xdd, 0x58, 0x7f, 0x95, 0xf2, 0x6b,
+  0xde, 0x2b, 0x12, 0xd3, 0xec, 0x4d, 0x69, 0x37, 0x9c, 0x13, 0x9b, 0x16,
+  0xb0, 0x45, 0x52, 0x38, 0x77, 0x69, 0xef, 0xaa, 0x65, 0x19, 0xbc, 0xc2,
+  0x93, 0x4d, 0xb0, 0x1b, 0x7f, 0x5b, 0x41, 0xff, 0xaf, 0xba, 0x50, 0x51,
+  0xc3, 0xf1, 0x27, 0x09, 0x25, 0xf5, 0x60, 0x90, 0x09, 0xb1, 0xe5, 0xc0,
+  0xc7, 0x42, 0x78, 0x54, 0x3b, 0x23, 0x19, 0x7d, 0x8e, 0x72, 0x13, 0xb4,
+  0xd3, 0xcd, 0x63, 0xb6, 0xc4, 0x4a, 0x28, 0x3d, 0x45, 0x3e, 0x8b, 0xdb,
+  0x84, 0x4f, 0x78, 0x64, 0x30, 0x69, 0xe2, 0x1b
 };

 #define PKTDATA_MAXDUMP 32
 #define IP_MAXDUMP 80

+#define TCP_MAX_REASM 16384
+#define UDP_MAX_REASM 16384
+
 bool desync_valid_zero_stage(enum dpi_desync_mode mode)
 {
 	return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;
@ -606,45 +623,53 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip)
 // fake_mod buffer must at least sizeof(desync_profile->fake_tls)
 // size does not change
 // return : true - altered, false - not altered
-static bool runtime_tls_mod(const struct desync_profile *dp, uint8_t *fake_mod, const uint8_t *payload, size_t payload_len)
+static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, const struct fake_tls_mod *tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
 {
 	bool b=false;
-	if (dp->fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+	if (modcache) // it's filled only if it's TLS
 	{
-		size_t sz_rec = pntoh16(dp->fake_tls+3) + payload_len;
-		size_t sz_handshake = pntoh24(dp->fake_tls+6) + payload_len;
-		size_t sz_ext = pntoh16(dp->fake_tls+dp->fake_tls_extlen_offset) + payload_len;
-		size_t sz_pad = pntoh16(dp->fake_tls+dp->fake_tls_padlen_offset) + payload_len;
-		if ((sz_rec & ~0xFFFF) || (sz_handshake & ~0xFFFFFF) || (sz_ext & ~0xFFFF) || (sz_pad & ~0xFFFF))
-			DLOG("cannot apply padencap tls mod. length overflow.\n");
-		else
+		if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
 		{
-			memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size);
-			phton16(fake_mod+3,(uint16_t)sz_rec);
-			phton24(fake_mod+6,(uint32_t)sz_handshake);
-			phton16(fake_mod+dp->fake_tls_extlen_offset,(uint16_t)sz_ext);
-			phton16(fake_mod+dp->fake_tls_padlen_offset,(uint16_t)sz_pad);
-			b=true;
+			size_t sz_rec = pntoh16(fake_data+3) + payload_len;
+			size_t sz_handshake = pntoh24(fake_data+6) + payload_len;
+			size_t sz_ext = pntoh16(fake_data+modcache->extlen_offset) + payload_len;
+			size_t sz_pad = pntoh16(fake_data+modcache->padlen_offset) + payload_len;
+			if ((sz_rec & ~0xFFFF) || (sz_handshake & ~0xFFFFFF) || (sz_ext & ~0xFFFF) || (sz_pad & ~0xFFFF))
+				DLOG("fake[%d] cannot apply padencap tls mod. length overflow.\n", fake_n);
+			else
+			{
+				memcpy(fake_mod,fake_data,fake_data_size);
+				phton16(fake_mod+3,(uint16_t)sz_rec);
+				phton24(fake_mod+6,(uint32_t)sz_handshake);
+				phton16(fake_mod+modcache->extlen_offset,(uint16_t)sz_ext);
+				phton16(fake_mod+modcache->padlen_offset,(uint16_t)sz_pad);
+				b=true;
+				DLOG("fake[%d] applied padencap tls mod. sizes increased by %zu bytes.\n", fake_n, payload_len);
+			}
 		}
-	}
-	if (dp->fake_tls_mod & FAKE_TLS_MOD_RND)
-	{
-		if (!b)	memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size);
-		fill_random_bytes(fake_mod+11,32); // random
-		fill_random_bytes(fake_mod+44,fake_mod[43]); // session id
-		b=true;
-	}
-	if (dp->fake_tls_mod & FAKE_TLS_MOD_DUP_SID)
-	{
-		if (dp->fake_tls[43]!=payload[43])
-			DLOG("cannot apply dupsid tls mod. fake and orig session id length mismatch.\n");
-		else if (payload_len<(44+payload[43]))
-			DLOG("cannot apply dupsid tls mod. data payload is not valid.\n");
-		else
+		if (tls_mod->mod & FAKE_TLS_MOD_RND)
 		{
-			if (!b)	memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size);
-			memcpy(fake_mod+44,payload+44,fake_mod[43]); // session id
+			if (!b)	memcpy(fake_mod,fake_data,fake_data_size);
+			fill_random_bytes(fake_mod+11,32); // random
+			fill_random_bytes(fake_mod+44,fake_mod[43]); // session id
 			b=true;
+			DLOG("fake[%d] applied rnd tls mod\n", fake_n);
+		}
+		if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
+		{
+			if (payload_len<44)
+				DLOG("fake[%d] cannot apply dupsid tls mod. data payload is too short.\n",fake_n);
+			else if (fake_data[43]!=payload[43])
+				DLOG("fake[%d] cannot apply dupsid tls mod. fake and orig session id length mismatch.\n",fake_n);
+			else if (payload_len<(44+payload[43]))
+				DLOG("fake[%d] cannot apply dupsid tls mod. data payload is not valid.\n",fake_n);
+			else
+			{
+				if (!b)	memcpy(fake_mod,fake_data,fake_data_size);
+				memcpy(fake_mod+44,payload+44,fake_mod[43]); // session id
+				b=true;
+				DLOG("fake[%d] applied dupsid tls mod\n", fake_n);
+			}
 		}
 	}
 	return b;
@ -880,8 +905,8 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint

 	if (!(dis->tcp->th_flags & TH_SYN) && dis->len_payload)
 	{
-		const uint8_t *fake;
-		size_t fake_size;
+		struct blob_collection_head *fake;
+
 		char host[256];
 		bool bHaveHost=false;
 		uint8_t *p, *phost=NULL;
@ -893,7 +918,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		int i;
 		uint16_t ip_id;
 		t_l7proto l7proto = UNKNOWN;
-		uint8_t fake_mod[sizeof(dp->fake_tls)];

 		if (replay)
 		{
@ -952,7 +976,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 					!(ctrack->req_seq_finalized && seq_within(ctrack->seq_last, ctrack->req_seq_start, ctrack->req_seq_end)))
 				{
 					// do not reconstruct unexpected large payload (they are feeding garbage ?)
-					if (!reasm_orig_start(ctrack,IPPROTO_TCP,TLSRecordLen(dis->data_payload),16384,dis->data_payload,dis->len_payload))
+					if (!reasm_orig_start(ctrack,IPPROTO_TCP,TLSRecordLen(dis->data_payload),TCP_MAX_REASM,dis->data_payload,dis->len_payload))
 					{
 						reasm_orig_cancel(ctrack);
 						return verdict;
@ -1183,16 +1207,13 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		switch(l7proto)
 		{
 			case HTTP:
-				fake = dp->fake_http;
-				fake_size = dp->fake_http_size;
+				fake = &dp->fake_http;
 				break;
 			case TLS:
-				fake = runtime_tls_mod(dp,fake_mod,rdata_payload,rlen_payload) ? fake_mod : dp->fake_tls;
-				fake_size = dp->fake_tls_size;
+				fake = &dp->fake_tls;
 				break;
 			default:
-				fake = dp->fake_unknown;
-				fake_size = dp->fake_unknown_size;
+				fake = &dp->fake_unknown;
 				break;
 		}
 		if (dp->desync_mode==DESYNC_MULTISPLIT || dp->desync_mode==DESYNC_MULTIDISORDER || dp->desync_mode2==DESYNC_MULTISPLIT || dp->desync_mode2==DESYNC_MULTIDISORDER)
@ -1273,13 +1294,8 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		else
 			seqovl_pos = 0;

-		// we do not need reasm buffer anymore
-		reasm_orig_cancel(ctrack);
-		rdata_payload=NULL;
-
 		uint32_t fooling_orig = FOOL_NONE;
 		bool bFake = false;
-		pkt1_len = sizeof(pkt1);
 		switch(dp->desync_mode)
 		{
 			case DESYNC_FAKE_KNOWN:
@ -1291,28 +1307,69 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 				}
 			case DESYNC_FAKE:
 				if (reasm_offset) break;
-				if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, scale_factor, timestamps,
-					ttl_fake,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6),
-					dp->desync_fooling_mode,dp->desync_badseq_increment,dp->desync_badseq_ack_increment,
-					fake, fake_size, pkt1, &pkt1_len))
+
 				{
-					return verdict;
+					struct blob_item *fake_item;
+					uint8_t *fake_data;
+					uint8_t fake_data_buf[FAKE_MAX_TCP];
+					int n=0;
+
+					ip_id = IP4_IP_ID_FIX(dis->ip);
+
+					LIST_FOREACH(fake_item, fake, next)
+					{
+						n++;
+						switch(l7proto)
+						{
+							case TLS:
+								if ((fake_item->size <= sizeof(fake_data_buf)) &&
+									runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra,(struct fake_tls_mod *)fake_item->extra2, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
+								{
+									fake_data = fake_data_buf;
+									break;
+								}
+							default:
+								fake_data = fake_item->data;
+						}
+						pkt1_len = sizeof(pkt1);
+						if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, scale_factor, timestamps,
+							ttl_fake,IP4_TOS(dis->ip),ip_id,IP6_FLOW(dis->ip6),
+							dp->desync_fooling_mode,dp->desync_badseq_increment,dp->desync_badseq_ack_increment,
+							fake_data, fake_item->size, pkt1, &pkt1_len))
+						{
+							reasm_orig_cancel(ctrack);
+							return verdict;
+						}
+						DLOG("sending fake[%d] : ", n);
+						hexdump_limited_dlog(fake_data,fake_item->size,PKTDATA_MAXDUMP); DLOG("\n");
+						if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
+						{
+							reasm_orig_cancel(ctrack);
+							return verdict;
+						}
+						ip_id=IP4_IP_ID_NEXT(ip_id);
+					}
 				}
-				DLOG("sending fake : ");
-				hexdump_limited_dlog(fake,fake_size,PKTDATA_MAXDUMP); DLOG("\n");
 				bFake = true;
 				break;
 			case DESYNC_RST:
 			case DESYNC_RSTACK:
 				if (reasm_offset) break;
+				pkt1_len = sizeof(pkt1);
 				if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_RST | (dp->desync_mode==DESYNC_RSTACK ? TH_ACK:0), dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, scale_factor, timestamps,
 					ttl_fake,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6),
 					dp->desync_fooling_mode,dp->desync_badseq_increment,dp->desync_badseq_ack_increment,
 					NULL, 0, pkt1, &pkt1_len))
 				{
+					reasm_orig_cancel(ctrack);
 					return verdict;
 				}
 				DLOG("sending fake RST/RSTACK\n");
+				if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
+				{
+					reasm_orig_cancel(ctrack);
+					return verdict;
+				}
 				bFake = true;
 				break;
 			case DESYNC_HOPBYHOP:
@ -1323,8 +1380,12 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 					(!split_pos && (dp->desync_mode2==DESYNC_FAKEDSPLIT || dp->desync_mode2==DESYNC_FAKEDDISORDER)) ||
 					(!multisplit_count && (dp->desync_mode2==DESYNC_MULTISPLIT || dp->desync_mode2==DESYNC_MULTIDISORDER))))
 				{
+					reasm_orig_cancel(ctrack);
+					rdata_payload=NULL;
+
+					pkt1_len = sizeof(pkt1);
 					if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, scale_factor, timestamps,
-						ttl_orig,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6),
+						ttl_orig,0,0,IP6_FLOW(dis->ip6),
 						fooling_orig,0,0,
 						dis->data_payload, dis->len_payload, pkt1, &pkt1_len))
 					{
@ -1341,11 +1402,9 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 				break;
 		}

-		if (bFake)
-		{
-			if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
-				return verdict;
-		}
+		// we do not need reasm buffer anymore
+		reasm_orig_cancel(ctrack);
+		rdata_payload=NULL;

 		enum dpi_desync_mode desync_mode = dp->desync_mode2==DESYNC_NONE ? dp->desync_mode : dp->desync_mode2;
 		switch(desync_mode)
@ -1875,8 +1934,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint

 	if (dis->len_payload)
 	{
-		const uint8_t *fake;
-		size_t fake_size;
+		struct blob_collection_head *fake;
 		char host[256];
 		bool bHaveHost=false;
 		uint16_t ip_id;
@ -1917,29 +1975,82 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 						return verdict; // cannot be first packet
 					}
 				}
-
-				uint8_t defrag[16384];
+				uint8_t defrag[UDP_MAX_REASM];
 				size_t hello_offset, hello_len, defrag_len = sizeof(defrag);
-				if (QUICDefragCrypto(pclean,clean_len,defrag,&defrag_len))
+				bool bFull;
+				if (QUICDefragCrypto(pclean,clean_len,defrag,&defrag_len,&bFull))
 				{
-					bool bIsHello = IsQUICCryptoHello(defrag, defrag_len, &hello_offset, &hello_len);
-					bool bReqFull = bIsHello ? IsTLSHandshakeFull(defrag+hello_offset,hello_len) : false;
-
-					DLOG(bIsHello ? bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n" : "packet does not contain TLS ClientHello\n");
-
-					if (ctrack)
+					if (bFull)
 					{
-						if (bIsHello && !bReqFull && ReasmIsEmpty(&ctrack->reasm_orig))
+						DLOG("QUIC initial contains CRYPTO with full fragment coverage\n");
+
+						bool bIsHello = IsQUICCryptoHello(defrag, defrag_len, &hello_offset, &hello_len);
+						bool bReqFull = bIsHello ? IsTLSHandshakeFull(defrag+hello_offset,hello_len) : false;
+
+						DLOG(bIsHello ? bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n" : "packet does not contain TLS ClientHello\n");
+
+						if (ctrack)
 						{
-							// preallocate max buffer to avoid reallocs that cause memory copy
-							if (!reasm_orig_start(ctrack,IPPROTO_UDP,16384,16384,clean,clean_len))
+							if (bIsHello && !bReqFull && ReasmIsEmpty(&ctrack->reasm_orig))
+							{
+								// preallocate max buffer to avoid reallocs that cause memory copy
+								if (!reasm_orig_start(ctrack,IPPROTO_UDP,UDP_MAX_REASM,UDP_MAX_REASM,clean,clean_len))
+								{
+									reasm_orig_cancel(ctrack);
+									return verdict;
+								}
+							}
+							if (!ReasmIsEmpty(&ctrack->reasm_orig))
+							{
+								verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
+								if (rawpacket_queue(&ctrack->delayed, &dst, desync_fwmark, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload))
+								{
+									DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ctrack->delayed));
+								}
+								else
+								{
+									DLOG_ERR("rawpacket_queue failed !\n");
+									reasm_orig_cancel(ctrack);
+									return verdict;
+								}
+								if (bReqFull)
+								{
+									replay_queue(&ctrack->delayed);
+									reasm_orig_fin(ctrack);
+								}
+								return ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
+							}
+						}
+
+						if (bIsHello)
+						{
+							bHaveHost = TLSHelloExtractHostFromHandshake(defrag + hello_offset, hello_len, host, sizeof(host), TLS_PARTIALS_ENABLE);
+							if (!bHaveHost && dp->desync_skip_nosni)
 							{
 								reasm_orig_cancel(ctrack);
+								DLOG("not applying tampering to QUIC ClientHello without hostname in the SNI\n");
 								return verdict;
 							}
 						}
-						if (!ReasmIsEmpty(&ctrack->reasm_orig))
+						else
 						{
+							if (!quic_reasm_cancel(ctrack,"QUIC initial without ClientHello")) return verdict;
+						}
+					}
+					else
+					{
+						DLOG("QUIC initial contains CRYPTO with partial fragment coverage\n");
+						if (ctrack)
+						{
+							if (ReasmIsEmpty(&ctrack->reasm_orig))
+							{
+								// preallocate max buffer to avoid reallocs that cause memory copy
+								if (!reasm_orig_start(ctrack,IPPROTO_UDP,UDP_MAX_REASM,UDP_MAX_REASM,clean,clean_len))
+								{
+									reasm_orig_cancel(ctrack);
+									return verdict;
+								}
+							}
 							verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
 							if (rawpacket_queue(&ctrack->delayed, &dst, desync_fwmark, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload))
 							{
@ -1951,28 +2062,9 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 								reasm_orig_cancel(ctrack);
 								return verdict;
 							}
-							if (bReqFull)
-							{
-								replay_queue(&ctrack->delayed);
-								reasm_orig_fin(ctrack);
-							}
 							return ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
 						}
-					}
-			
-					if (bIsHello)
-					{
-						bHaveHost = TLSHelloExtractHostFromHandshake(defrag + hello_offset, hello_len, host, sizeof(host), TLS_PARTIALS_ENABLE);
-						if (!bHaveHost && dp->desync_skip_nosni)
-						{
-							reasm_orig_cancel(ctrack);
-							DLOG("not applying tampering to QUIC ClientHello without hostname in the SNI\n");
-							return verdict;
-						}
-					}
-					else
-					{
-						if (!quic_reasm_cancel(ctrack,"QUIC initial without ClientHello")) return verdict;
+						if (!quic_reasm_cancel(ctrack,"QUIC initial fragmented CRYPTO")) return verdict;
 					}
 				}
 				else
@ -1991,7 +2083,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 		{
 			// received payload without host. it means we are out of the request retransmission phase. stop counter
 			ctrack_stop_retrans_counter(ctrack);
-			
+
 			reasm_orig_cancel(ctrack);

 			if (IsWireguardHandshakeInitiation(dis->data_payload,dis->len_payload))
@ -2006,6 +2098,18 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 				l7proto = DHT;
 				if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
 			}
+			else if (IsDiscordIpDiscoveryRequest(dis->data_payload,dis->len_payload))
+			{
+				DLOG("packet contains discord voice IP discovery\n");
+				l7proto = DISCORD;
+				if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
+			}
+			else if (IsStunMessage(dis->data_payload,dis->len_payload))
+			{
+				DLOG("packet contains STUN message\n");
+				l7proto = STUN;
+				if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
+			}
 			else
 			{
 				if (!dp->desync_any_proto)
@ -2110,20 +2214,22 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 		switch(l7proto)
 		{
 			case QUIC:
-				fake = dp->fake_quic;
-				fake_size = dp->fake_quic_size;
+				fake = &dp->fake_quic;
 				break;
 			case WIREGUARD:
-				fake = dp->fake_wg;
-				fake_size = dp->fake_wg_size;
+				fake = &dp->fake_wg;
 				break;
 			case DHT:
-				fake = dp->fake_dht;
-				fake_size = dp->fake_dht_size;
+				fake = &dp->fake_dht;
+				break;
+			case DISCORD:
+				fake = &dp->fake_discord;
+				break;
+			case STUN:
+				fake = &dp->fake_stun;
 				break;
 			default:
-				fake = dp->fake_unknown_udp;
-				fake_size = dp->fake_unknown_udp_size;
+				fake = &dp->fake_unknown_udp;
 				break;
 		}

@ -2140,7 +2246,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 		}

 		bool bFake = false;
-		pkt1_len = sizeof(pkt1);
 		switch(dp->desync_mode)
 		{
 			case DESYNC_FAKE_KNOWN:
@ -2150,12 +2255,30 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 					break;
 				}
 			case DESYNC_FAKE:
-				if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_fake, IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6), dp->desync_fooling_mode, NULL, 0, 0, fake, fake_size, pkt1, &pkt1_len))
-					return verdict;
-				DLOG("sending fake : ");
-				hexdump_limited_dlog(fake,fake_size,PKTDATA_MAXDUMP); DLOG("\n");
-				if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
-					return verdict;
+				{
+					struct blob_item *fake_item;
+					int n=0;
+
+					ip_id = IP4_IP_ID_FIX(dis->ip);
+
+					LIST_FOREACH(fake_item, fake, next)
+					{
+						n++;
+						pkt1_len = sizeof(pkt1);
+						if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst,
+							ttl_fake, IP4_TOS(dis->ip),ip_id,IP6_FLOW(dis->ip6),
+							dp->desync_fooling_mode, NULL, 0, 0,
+							fake_item->data, fake_item->size, pkt1, &pkt1_len))
+						{
+							return verdict;
+						}
+						DLOG("sending fake[%d] : ", n);
+						hexdump_limited_dlog(fake_item->data,fake_item->size,PKTDATA_MAXDUMP); DLOG("\n");
+						if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
+							return verdict;
+						ip_id=IP4_IP_ID_NEXT(ip_id);
+					}
+				}
 				bFake = true;
 				break;
 			case DESYNC_HOPBYHOP:
@ -2164,9 +2287,9 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 				fooling_orig = (dp->desync_mode==DESYNC_HOPBYHOP) ? FOOL_HOPBYHOP : (dp->desync_mode==DESYNC_DESTOPT) ? FOOL_DESTOPT : FOOL_IPFRAG1;
 				if (dis->ip6 && (dp->desync_mode2==DESYNC_NONE || !desync_valid_second_stage_udp(dp->desync_mode2)))
 				{
+					pkt1_len = sizeof(pkt1);
 					if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst,
-						ttl_orig,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6),
-						fooling_orig,NULL,0,0,
+						ttl_orig,0,0,IP6_FLOW(dis->ip6),fooling_orig,NULL,0,0,
 						dis->data_payload, dis->len_payload, pkt1, &pkt1_len))
 					{
 						return verdict;
--- a/nfq/desync.h
+++ b/nfq/desync.h
@ -41,7 +41,7 @@ enum dpi_desync_mode {
 };

 extern const char *fake_http_request_default;
-extern const uint8_t fake_tls_clienthello_default[648];
+extern const uint8_t fake_tls_clienthello_default[680];
 void randomize_default_tls_payload(uint8_t *p);

 enum dpi_desync_mode desync_mode_from_string(const char *s);
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
--- a/nfq/params.c
+++ b/nfq/params.c
@ -65,6 +65,7 @@ static int DLOG_VA(const char *format, int syslog_priority, bool condup, va_list
 	{
 		va_copy(args2,args);
 		DLOG_CON(format,syslog_priority,args2);
+		va_end(args2);
 	}
 	if (params.debug)
 	{
@ -184,18 +185,7 @@ void dp_init(struct desync_profile *dp)
 	dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
 	dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
 	dp->desync_repeats = 1;
-	dp->fake_tls_size = sizeof(fake_tls_clienthello_default);
-	memcpy(dp->fake_tls,fake_tls_clienthello_default,dp->fake_tls_size);
-	dp->fake_tls_mod = 0;
-	dp->fake_http_size = strlen(fake_http_request_default);
-	memcpy(dp->fake_http,fake_http_request_default,dp->fake_http_size);
-	dp->fake_quic_size = 620; // must be 601+ for TSPU hack
-	dp->fake_quic[0] = 0x40; // russian TSPU QUIC short header fake
-	dp->fake_wg_size = 64;
-	dp->fake_dht_size = 64;
-	dp->fake_unknown_size = 256;
 	dp->fake_syndata_size = 16;
-	dp->fake_unknown_udp_size = 64;
 	dp->wscale=-1; // default - dont change scale factor (client)
 	dp->desync_ttl6 = 0xFF; // unused
 	dp->desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
@ -207,11 +197,50 @@ void dp_init(struct desync_profile *dp)
 	dp->hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
 	dp->filter_ipv4 = dp->filter_ipv6 = true;
 }
+bool dp_fake_defaults(struct desync_profile *dp)
+{
+	struct blob_item *item;
+	if (blob_collection_empty(&dp->fake_http))
+		if (!blob_collection_add_blob(&dp->fake_http,fake_http_request_default,strlen(fake_http_request_default),0))
+			return false;
+	if (blob_collection_empty(&dp->fake_tls))
+	{
+		if (!(item=blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(((struct fake_tls_mod*)0)->sni))))
+			return false;
+		if (!(item->extra2 = malloc(sizeof(struct fake_tls_mod))))
+			return false;
+		*(struct fake_tls_mod*)item->extra2 = dp->tls_mod_last;
+	}
+	if (blob_collection_empty(&dp->fake_unknown))
+	{
+		if (!(item=blob_collection_add_blob(&dp->fake_unknown,NULL,256,0)))
+			return false;
+		memset(item->data,0,item->size);
+	}
+	if (blob_collection_empty(&dp->fake_quic))
+	{
+		if (!(item=blob_collection_add_blob(&dp->fake_quic,NULL,620,0)))
+			return false;
+		memset(item->data,0,item->size);
+		item->data[0] = 0x40;
+	}
+	struct blob_collection_head **fake,*fakes_z64[] = {&dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, &dp->fake_unknown_udp,NULL};
+	for(fake=fakes_z64;*fake;fake++)
+	{
+		if (blob_collection_empty(*fake))
+		{
+			if (!(item=blob_collection_add_blob(*fake,NULL,64,0)))
+				return false;
+			memset(item->data,0,item->size);
+		}
+	}
+	return true;
+}
 struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
 {
 	struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
 	if (!entry) return NULL;
-	
+
 	dp_init(&entry->dp);

 	// add to the tail
@ -235,6 +264,8 @@ static void dp_clear_dynamic(struct desync_profile *dp)
 	port_filters_destroy(&dp->pf_tcp);
 	port_filters_destroy(&dp->pf_udp);
 	HostFailPoolDestroy(&dp->hostlist_auto_fail_counters);
+	struct blob_collection_head **fake,*fakes[] = {&dp->fake_http, &dp->fake_tls, &dp->fake_unknown, &dp->fake_unknown_udp, &dp->fake_quic, &dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, NULL};
+	for(fake=fakes;*fake;fake++) blob_collection_destroy(*fake);
 }
 void dp_clear(struct desync_profile *dp)
 {
--- a/nfq/params.h
+++ b/nfq/params.h
@ -44,10 +44,24 @@
 #define FAKE_TLS_MOD_RND		0x10
 #define FAKE_TLS_MOD_DUP_SID		0x20
 #define FAKE_TLS_MOD_RND_SNI		0x40
-#define FAKE_TLS_MOD_PADENCAP		0x80
+#define FAKE_TLS_MOD_SNI		0x80
+#define FAKE_TLS_MOD_PADENCAP		0x100
+
+#define FAKE_MAX_TCP	1460
+#define FAKE_MAX_UDP	1472

 enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG };

+struct fake_tls_mod_cache
+{
+	size_t extlen_offset, padlen_offset;
+};
+struct fake_tls_mod
+{
+	char sni[64];
+	uint32_t mod;
+};
+
 struct desync_profile
 {
 	int n;	// number of the profile
@ -74,12 +88,13 @@ struct desync_profile
 	autottl desync_autottl, desync_autottl6;
 	uint32_t desync_fooling_mode;
 	uint32_t desync_badseq_increment, desync_badseq_ack_increment;
-	uint8_t fake_http[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460],fsplit_pattern[1460];
-	uint8_t fake_unknown_udp[1472],udplen_pattern[1472],fake_quic[1472],fake_wg[1472],fake_dht[1472];
-	size_t fake_http_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size;

-	uint8_t fake_tls[1460],fake_tls_mod;
-	size_t fake_tls_size, fake_tls_extlen_offset, fake_tls_padlen_offset;
+	struct blob_collection_head fake_http,fake_tls,fake_unknown,fake_unknown_udp,fake_quic,fake_wg,fake_dht,fake_discord,fake_stun;
+	uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP];
+	size_t fake_syndata_size;
+
+	struct fake_tls_mod tls_mod_last;
+	struct blob_item *tls_fake_last;

 	int udplen_increment;

@ -113,6 +128,7 @@ void dp_entry_destroy(struct desync_profile_list *entry);
 void dp_list_destroy(struct desync_profile_list_head *head);
 bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
 void dp_init(struct desync_profile *dp);
+bool dp_fake_defaults(struct desync_profile *dp);
 void dp_clear(struct desync_profile *dp);

 struct params_s
--- a/nfq/pools.c
+++ b/nfq/pools.c
@ -517,3 +517,65 @@ bool port_filters_deny_if_empty(struct port_filters_head *head)
 	if (LIST_FIRST(head)) return true;
 	return pf_parse("0",&pf) && port_filter_add(head,&pf);
 }
+
+
+		
+struct blob_item *blob_collection_add(struct blob_collection_head *head)
+{
+	struct blob_item *entry = calloc(1,sizeof(struct blob_item));
+	if (entry)
+	{
+		// insert to the end
+		struct blob_item *itemc,*iteml=LIST_FIRST(head);
+		if (iteml)
+		{
+			while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
+			LIST_INSERT_AFTER(iteml, entry, next);
+		}
+		else
+			LIST_INSERT_HEAD(head, entry, next);
+	}
+	return entry;
+}
+struct blob_item *blob_collection_add_blob(struct blob_collection_head *head, const void *data, size_t size, size_t size_reserve)
+{
+	struct blob_item *entry = calloc(1,sizeof(struct blob_item));
+	if (!entry) return NULL;
+	if (!(entry->data = malloc(size+size_reserve))) 
+	{
+		free(entry);
+		return NULL;
+	}
+	if (data) memcpy(entry->data,data,size);
+	entry->size = size;
+	entry->size_buf = size+size_reserve;
+	
+	// insert to the end
+	struct blob_item *itemc,*iteml=LIST_FIRST(head);
+	if (iteml)
+	{
+		while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
+		LIST_INSERT_AFTER(iteml, entry, next);
+	}
+	else
+		LIST_INSERT_HEAD(head, entry, next);
+
+	return entry;
+}
+
+void blob_collection_destroy(struct blob_collection_head *head)
+{
+	struct blob_item *entry;
+	while ((entry = LIST_FIRST(head)))
+	{
+		LIST_REMOVE(entry, next);
+		free(entry->extra);
+		free(entry->extra2);
+		free(entry->data);
+		free(entry);
+	}
+}
+bool blob_collection_empty(const struct blob_collection_head *head)
+{
+	return !LIST_FIRST(head);
+}
--- a/nfq/pools.h
+++ b/nfq/pools.h
@ -146,3 +146,18 @@ bool port_filter_add(struct port_filters_head *head, const port_filter *pf);
 void port_filters_destroy(struct port_filters_head *head);
 bool port_filters_in_range(const struct port_filters_head *head, uint16_t port);
 bool port_filters_deny_if_empty(struct port_filters_head *head);
+
+
+struct blob_item {
+	uint8_t *data;	// main data blob
+	size_t size;	// main data blob size
+	size_t size_buf;// main data blob allocated size
+	void *extra;	// any data without size
+	void *extra2;	// any data without size
+	LIST_ENTRY(blob_item) next;
+};
+LIST_HEAD(blob_collection_head, blob_item);
+struct blob_item *blob_collection_add(struct blob_collection_head *head);
+struct blob_item *blob_collection_add_blob(struct blob_collection_head *head, const void *data, size_t size, size_t size_reserve);
+void blob_collection_destroy(struct blob_collection_head *head);
+bool blob_collection_empty(const struct blob_collection_head *head);
--- a/nfq/protocol.c
+++ b/nfq/protocol.c
@ -35,6 +35,8 @@ const char *l7proto_str(t_l7proto l7)
 		case QUIC: return "quic";
 		case WIREGUARD: return "wireguard";
 		case DHT: return "dht";
+		case DISCORD: return "discord";
+		case STUN: return "stun";
 		default: return "unknown";
 	}
 }
@ -45,7 +47,9 @@ bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
 		(l7proto==TLS && (filter_l7 & L7_PROTO_TLS)) ||
 		(l7proto==QUIC && (filter_l7 & L7_PROTO_QUIC)) ||
 		(l7proto==WIREGUARD && (filter_l7 & L7_PROTO_WIREGUARD)) ||
-		(l7proto==DHT && (filter_l7 & L7_PROTO_DHT));
+		(l7proto==DHT && (filter_l7 & L7_PROTO_DHT)) ||
+		(l7proto==DISCORD && (filter_l7 & L7_PROTO_DISCORD)) ||
+		(l7proto==STUN && (filter_l7 & L7_PROTO_STUN));
 }

 #define PM_ABS		0
@ -844,7 +848,16 @@ bool QUICDecryptInitial(const uint8_t *data, size_t data_len, uint8_t *clean, si
 	return !memcmp(data + pn_offset + pkn_len + cryptlen, atag, 16);
 }

-bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len)
+struct range64
+{
+	uint64_t offset,len;
+};
+#define MAX_DEFRAG_PIECES	128
+static int cmp_range64(const void * a, const void * b)
+{
+	return (((struct range64*)a)->offset < ((struct range64*)b)->offset) ? -1 : (((struct range64*)a)->offset > ((struct range64*)b)->offset) ? 1 : 0;
+}
+bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len, bool *bFull)
 {
 	// Crypto frame can be split into multiple chunks
 	// chromium randomly splits it and pads with zero/one bytes to force support the standard
@ -853,13 +866,15 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 	if (*defrag_len<10) return false;
 	uint8_t *defrag_data = defrag+10;
 	size_t defrag_data_len = *defrag_len-10;
-
 	uint8_t ft;
 	uint64_t offset,sz,szmax=0,zeropos=0,pos=0;
 	bool found=false;
+	struct range64 ranges[MAX_DEFRAG_PIECES];
+	int i,range=0;

 	while(pos<clean_len)
 	{
+		// frame type
 		ft = clean[pos];
 		pos++;
 		if (ft>1) // 00 - padding, 01 - ping
@ -867,6 +882,7 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 			if (ft!=6) return false; // dont want to know all possible frame type formats

 			if (pos>=clean_len) return false;
+			if (range>=MAX_DEFRAG_PIECES) return false;

 			if ((pos+tvb_get_size(clean[pos])>=clean_len)) return false;
 			pos += tvb_get_varint(clean+pos, &offset);
@ -875,7 +891,7 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 			pos += tvb_get_varint(clean+pos, &sz);
 			if ((pos+sz)>clean_len) return false;

-			if ((offset+sz)>defrag_data_len) return false;
+			if ((offset+sz)>defrag_data_len) return false; // defrag buf overflow
 			if (zeropos < offset)
 				// make sure no uninitialized gaps exist in case of not full fragment coverage
 				memset(defrag_data+zeropos,0,offset-zeropos);
@ -886,6 +902,10 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz

 			found=true;
 			pos+=sz;
+
+			ranges[range].offset = offset;
+			ranges[range].len = sz;
+			range++;
 		}
 	}
 	if (found)
@ -897,6 +917,23 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 		phton64(defrag+2,szmax);
 		defrag[2] |= 0xC0; // 64 bit value
 		*defrag_len = (size_t)(szmax+10);
+
+		qsort(ranges, range, sizeof(*ranges), cmp_range64);
+
+		//for(i=0 ; i<range ; i++)
+		//	printf("RANGE %zu len %zu\n",ranges[i].offset,ranges[i].len);
+
+		for(i=0,offset=0,*bFull=true ; i<range ; i++)
+		{
+			if (ranges[i].offset!=offset)
+			{
+				*bFull = false;
+				break;
+			}
+			offset += ranges[i].len;
+		}
+
+		//printf("bFull=%u\n",*bFull);
 	}
 	return found;
 }
@ -973,3 +1010,18 @@ bool IsDhtD1(const uint8_t *data, size_t len)
 {
 	return len>=7 && data[0]=='d' && data[1]=='1' && data[len-1]=='e';
 }
+bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len)
+{
+	return len==74 &&
+		data[0]==0 && data[1]==1 &&
+		data[2]==0 && data[3]==70 &&
+		data[8]==0 && memcmp(&data[8],&data[9],63)==0; // address is not set in requests
+}
+bool IsStunMessage(const uint8_t *data, size_t len)
+{
+	return len>=20 && // header size
+		(data[0]&0xC0)==0 && // 2 most significant bits must be zeroes
+		(data[3]&0b11)==0 && // length must be a multiple of 4
+		ntohl(*(uint32_t*)(&data[4]))==0x2112A442 && // magic cookie
+		ntohs(*(uint16_t*)(&data[2]))==len-20;
+}
--- a/nfq/protocol.h
+++ b/nfq/protocol.h
@ -7,12 +7,14 @@
 #include "crypto/aes-gcm.h"
 #include "helpers.h"

-typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT} t_l7proto;
+typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT, DISCORD, STUN} t_l7proto;
 #define L7_PROTO_HTTP		0x00000001
 #define L7_PROTO_TLS		0x00000002
 #define L7_PROTO_QUIC		0x00000004
 #define L7_PROTO_WIREGUARD	0x00000008
 #define L7_PROTO_DHT		0x00000010
+#define L7_PROTO_DISCORD	0x00000020
+#define L7_PROTO_STUN		0x00000040
 #define L7_PROTO_UNKNOWN	0x80000000
 const char *l7proto_str(t_l7proto l7);
 bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7);
@ -72,6 +74,8 @@ bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *hos

 bool IsWireguardHandshakeInitiation(const uint8_t *data, size_t len);
 bool IsDhtD1(const uint8_t *data, size_t len);
+bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len);
+bool IsStunMessage(const uint8_t *data, size_t len);

 #define QUIC_MAX_CID_LENGTH  20
 typedef struct quic_cid {
@ -87,5 +91,6 @@ uint8_t QUICDraftVersion(uint32_t version);
 bool QUICExtractDCID(const uint8_t *data, size_t len, quic_cid_t *cid);

 bool QUICDecryptInitial(const uint8_t *data, size_t data_len, uint8_t *clean, size_t *clean_len);
-bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len);
+// returns true if crypto frames were found . bFull = true if crypto frame fragments have full coverage
+bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len, bool *bFull);
 //bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host, size_t len_host, bool *bDecryptOK, bool *bIsCryptoHello);
--- a/tpws/Makefile
+++ b/tpws/Makefile
@ -3,7 +3,7 @@ CFLAGS += -std=gnu99 -Os -flto=auto
 CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 LIBS = -lz -lpthread
-LIBS_SYSTEMD = -lz -lsystemd
+LIBS_SYSTEMD = -lsystemd
 LIBS_ANDROID = -lz
 SRC_FILES = *.c
 SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@ -14,7 +14,7 @@ tpws: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)

 systemd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS) $(LIBS_SYSTEMD) $(LDFLAGS)

 android: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
--- a/tpws/params.c
+++ b/tpws/params.c
@ -50,6 +50,7 @@ static int DLOG_VA(const char *format, int syslog_priority, bool condup, int lev
 	{
 		va_copy(args2,args);
 		DLOG_CON(format,syslog_priority,args2);
+		va_end(args2);
 	}
 	if (params.debug>=level)
 	{
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@ -610,6 +610,188 @@ static bool check_oob_disorder(const struct desync_profile *dp)
 }
 #endif

+enum opt_indices {
+	IDX_HELP,
+	IDX_H,
+	IDX_BIND_ADDR,
+	IDX_BIND_IFACE4,
+	IDX_BIND_IFACE6,
+	IDX_BIND_LINKLOCAL,
+	IDX_BIND_WAIT_IFUP,
+	IDX_BIND_WAIT_IP,
+	IDX_BIND_WAIT_IP_LINKLOCAL,
+	IDX_BIND_WAIT_ONLY,
+	IDX_PORT,
+	IDX_DAEMON,
+	IDX_USER,
+	IDX_UID,
+	IDX_MAXCONN,
+	IDX_MAXFILES,
+	IDX_MAX_ORPHAN_TIME,
+	IDX_HOSTCASE,
+	IDX_HOSTSPELL,
+	IDX_HOSTDOT,
+	IDX_HOSTNOSPACE,
+	IDX_HOSTPAD,
+	IDX_DOMCASE,
+	IDX_SPLIT_HTTP_REQ,
+	IDX_SPLIT_TLS,
+	IDX_SPLIT_POS,
+	IDX_SPLIT_ANY_PROTOCOL,
+	IDX_DISORDER,
+	IDX_OOB,
+	IDX_OOB_DATA,
+	IDX_METHODSPACE,
+	IDX_METHODEOL,
+	IDX_HOSTTAB,
+	IDX_UNIXEOL,
+	IDX_TLSREC,
+	IDX_TLSREC_POS,
+	IDX_HOSTLIST,
+	IDX_HOSTLIST_DOMAINS,
+	IDX_HOSTLIST_EXCLUDE,
+	IDX_HOSTLIST_EXCLUDE_DOMAINS,
+	IDX_HOSTLIST_AUTO,
+	IDX_HOSTLIST_AUTO_FAIL_THRESHOLD,
+	IDX_HOSTLIST_AUTO_FAIL_TIME,
+	IDX_HOSTLIST_AUTO_DEBUG,
+	IDX_PIDFILE,
+	IDX_DEBUG,
+	IDX_DEBUG_LEVEL,
+	IDX_DRY_RUN,
+	IDX_VERSION,
+	IDX_COMMENT,
+	IDX_LOCAL_RCVBUF,
+	IDX_LOCAL_SNDBUF,
+	IDX_REMOTE_RCVBUF,
+	IDX_REMOTE_SNDBUF,
+	IDX_SOCKS,
+	IDX_NO_RESOLVE,
+	IDX_RESOLVER_THREADS,
+	IDX_SKIP_NODELAY,
+	IDX_TAMPER_START,
+	IDX_TAMPER_CUTOFF,
+	IDX_CONNECT_BIND_ADDR,
+
+	IDX_NEW,
+	IDX_SKIP,
+	IDX_FILTER_L3,
+	IDX_FILTER_TCP,
+	IDX_FILTER_L7,
+	IDX_IPSET,
+	IDX_IPSET_IP,
+	IDX_IPSET_EXCLUDE,
+	IDX_IPSET_EXCLUDE_IP,
+
+#if defined(__FreeBSD__)
+	IDX_ENABLE_PF,
+#elif defined(__APPLE__)
+	IDX_LOCAL_TCP_USER_TIMEOUT,
+	IDX_REMOTE_TCP_USER_TIMEOUT,
+#elif defined(__linux__)
+	IDX_LOCAL_TCP_USER_TIMEOUT,
+	IDX_REMOTE_TCP_USER_TIMEOUT,
+	IDX_MSS,
+	IDX_FIX_SEG,
+#ifdef SPLICE_PRESENT
+	IDX_NOSPLICE,
+#endif
+#endif
+	IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD, // ignored. for nfqws command line compatibility
+	IDX_LAST,
+};
+
+static const struct option long_options[] = {
+	[IDX_HELP] = {"help", no_argument, 0, 0},
+	[IDX_H] = {"h", no_argument, 0, 0},
+	[IDX_BIND_ADDR] = {"bind-addr", required_argument, 0, 0},
+	[IDX_BIND_IFACE4] = {"bind-iface4", required_argument, 0, 0},
+	[IDX_BIND_IFACE6] = {"bind-iface6", required_argument, 0, 0},
+	[IDX_BIND_LINKLOCAL] = {"bind-linklocal", required_argument, 0, 0},
+	[IDX_BIND_WAIT_IFUP] = {"bind-wait-ifup", required_argument, 0, 0},
+	[IDX_BIND_WAIT_IP] = {"bind-wait-ip", required_argument, 0, 0},
+	[IDX_BIND_WAIT_IP_LINKLOCAL] = {"bind-wait-ip-linklocal", required_argument, 0, 0},
+	[IDX_BIND_WAIT_ONLY] = {"bind-wait-only", no_argument, 0, 0},
+	[IDX_PORT] = {"port", required_argument, 0, 0},
+	[IDX_DAEMON] = {"daemon", no_argument, 0, 0},
+	[IDX_USER] = {"user", required_argument, 0, 0},
+	[IDX_UID] = {"uid", required_argument, 0, 0},
+	[IDX_MAXCONN] = {"maxconn", required_argument, 0, 0},
+	[IDX_MAXFILES] = {"maxfiles", required_argument, 0, 0},
+	[IDX_MAX_ORPHAN_TIME] = {"max-orphan-time", required_argument, 0, 0},
+	[IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0},
+	[IDX_HOSTSPELL] = {"hostspell", required_argument, 0, 0},
+	[IDX_HOSTDOT] = {"hostdot", no_argument, 0, 0},
+	[IDX_HOSTNOSPACE] = {"hostnospace", no_argument, 0, 0},
+	[IDX_HOSTPAD] = {"hostpad", required_argument, 0, 0},
+	[IDX_DOMCASE] = {"domcase", no_argument, 0, 0},
+	[IDX_SPLIT_HTTP_REQ] = {"split-http-req", required_argument, 0, 0},
+	[IDX_SPLIT_TLS] = {"split-tls", required_argument, 0, 0},
+	[IDX_SPLIT_POS] = {"split-pos", required_argument, 0, 0},
+	[IDX_SPLIT_ANY_PROTOCOL] = {"split-any-protocol", optional_argument, 0, 0},
+	[IDX_DISORDER] = {"disorder", optional_argument, 0, 0},
+	[IDX_OOB] = {"oob", optional_argument, 0, 0},
+	[IDX_OOB_DATA] = {"oob-data", required_argument, 0, 0},
+	[IDX_METHODSPACE] = {"methodspace", no_argument, 0, 0},
+	[IDX_METHODEOL] = {"methodeol", no_argument, 0, 0},
+	[IDX_HOSTTAB] = {"hosttab", no_argument, 0, 0},
+	[IDX_UNIXEOL] = {"unixeol", no_argument, 0, 0},
+	[IDX_TLSREC] = {"tlsrec", required_argument, 0, 0},
+	[IDX_TLSREC_POS] = {"tlsrec-pos", required_argument, 0, 0},
+	[IDX_HOSTLIST] = {"hostlist", required_argument, 0, 0},
+	[IDX_HOSTLIST_DOMAINS] = {"hostlist-domains", required_argument, 0, 0},
+	[IDX_HOSTLIST_EXCLUDE] = {"hostlist-exclude", required_argument, 0, 0},
+	[IDX_HOSTLIST_EXCLUDE_DOMAINS] = {"hostlist-exclude-domains", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO] = {"hostlist-auto", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_FAIL_THRESHOLD] = {"hostlist-auto-fail-threshold", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_FAIL_TIME] = {"hostlist-auto-fail-time", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_DEBUG] = {"hostlist-auto-debug", required_argument, 0, 0},
+	[IDX_PIDFILE] = {"pidfile", required_argument, 0, 0},
+	[IDX_DEBUG] = {"debug", optional_argument, 0, 0},
+	[IDX_DEBUG_LEVEL] = {"debug-level", required_argument, 0, 0},
+	[IDX_DRY_RUN] = {"dry-run", no_argument, 0, 0},
+	[IDX_VERSION] = {"version", no_argument, 0, 0},
+	[IDX_COMMENT] = {"comment", optional_argument, 0, 0},
+	[IDX_LOCAL_RCVBUF] = {"local-rcvbuf", required_argument, 0, 0},
+	[IDX_LOCAL_SNDBUF] = {"local-sndbuf", required_argument, 0, 0},
+	[IDX_REMOTE_RCVBUF] = {"remote-rcvbuf", required_argument, 0, 0},
+	[IDX_REMOTE_SNDBUF] = {"remote-sndbuf", required_argument, 0, 0},
+	[IDX_SOCKS] = {"socks", no_argument, 0, 0},
+	[IDX_NO_RESOLVE] = {"no-resolve", no_argument, 0, 0},
+	[IDX_RESOLVER_THREADS] = {"resolver-threads", required_argument, 0, 0},
+	[IDX_SKIP_NODELAY] = {"skip-nodelay", no_argument, 0, 0},
+	[IDX_TAMPER_START] = {"tamper-start", required_argument, 0, 0},
+	[IDX_TAMPER_CUTOFF] = {"tamper-cutoff", required_argument, 0, 0},
+	[IDX_CONNECT_BIND_ADDR] = {"connect-bind-addr", required_argument, 0, 0},
+
+	[IDX_NEW] = {"new", no_argument, 0, 0},
+	[IDX_SKIP] = {"skip", no_argument, 0, 0},
+	[IDX_FILTER_L3] = {"filter-l3", required_argument, 0, 0},
+	[IDX_FILTER_TCP] = {"filter-tcp", required_argument, 0, 0},
+	[IDX_FILTER_L7] = {"filter-l7", required_argument, 0, 0},
+	[IDX_IPSET] = {"ipset", required_argument, 0, 0},
+	[IDX_IPSET_IP] = {"ipset-ip", required_argument, 0, 0},
+	[IDX_IPSET_EXCLUDE] = {"ipset-exclude", required_argument, 0, 0},
+	[IDX_IPSET_EXCLUDE_IP] = {"ipset-exclude-ip", required_argument, 0, 0},
+
+#if defined(__FreeBSD__)
+	[IDX_ENABLE_PF] = {"enable-pf", no_argument, 0, 0},
+#elif defined(__APPLE__)
+	[IDX_LOCAL_TCP_USER_TIMEOUT] = {"local-tcp-user-timeout", required_argument, 0, 0},
+	[IDX_REMOTE_TCP_USER_TIMEOUT] = {"remote-tcp-user-timeout", required_argument, 0, 0},
+#elif defined(__linux__)
+	[IDX_LOCAL_TCP_USER_TIMEOUT] = {"local-tcp-user-timeout", required_argument, 0, 0},
+	[IDX_REMOTE_TCP_USER_TIMEOUT] = {"remote-tcp-user-timeout", required_argument, 0, 0},
+	[IDX_MSS] = {"mss", required_argument, 0, 0},
+	[IDX_FIX_SEG] = {"fix-seg", optional_argument, 0, 0},
+#ifdef SPLICE_PRESENT
+	[IDX_NOSPLICE] = {"nosplice", no_argument, 0, 0},
+#endif
+#endif
+	[IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD] = {"hostlist-auto-retrans-threshold", optional_argument, 0, 0},
+	[IDX_LAST] = {NULL, 0, NULL, 0},
+};
+
 void parse_params(int argc, char *argv[])
 {
 	int option_index = 0;
@ -664,96 +846,6 @@ void parse_params(int argc, char *argv[])
 	}
 #endif
 	
-	const struct option long_options[] = {
-		{ "help",no_argument,0,0 },// optidx=0
-		{ "h",no_argument,0,0 },// optidx=1
-		{ "bind-addr",required_argument,0,0 },// optidx=2
-		{ "bind-iface4",required_argument,0,0 },// optidx=3
-		{ "bind-iface6",required_argument,0,0 },// optidx=4
-		{ "bind-linklocal",required_argument,0,0 },// optidx=5
-		{ "bind-wait-ifup",required_argument,0,0 },// optidx=6
-		{ "bind-wait-ip",required_argument,0,0 },// optidx=7
-		{ "bind-wait-ip-linklocal",required_argument,0,0 },// optidx=8
-		{ "bind-wait-only",no_argument,0,0 },// optidx=9
-		{ "port",required_argument,0,0 },// optidx=10
-		{ "daemon",no_argument,0,0 },// optidx=11
-		{ "user",required_argument,0,0 },// optidx=12
-		{ "uid",required_argument,0,0 },// optidx=13
-		{ "maxconn",required_argument,0,0 },// optidx=14
-		{ "maxfiles",required_argument,0,0 },// optidx=15
-		{ "max-orphan-time",required_argument,0,0 },// optidx=16
-		{ "hostcase",no_argument,0,0 },// optidx=17
-		{ "hostspell",required_argument,0,0 },// optidx=18
-		{ "hostdot",no_argument,0,0 },// optidx=19
-		{ "hostnospace",no_argument,0,0 },// optidx=20
-		{ "hostpad",required_argument,0,0 },// optidx=21
-		{ "domcase",no_argument,0,0 },// optidx=22
-		{ "split-http-req",required_argument,0,0 },// optidx=23
-		{ "split-tls",required_argument,0,0 },// optidx=24
-		{ "split-pos",required_argument,0,0 },// optidx=25
-		{ "split-any-protocol",optional_argument,0,0},// optidx=26
-		{ "disorder",optional_argument,0,0 },// optidx=27
-		{ "oob",optional_argument,0,0 },// optidx=28
-		{ "oob-data",required_argument,0,0 },// optidx=29
-		{ "methodspace",no_argument,0,0 },// optidx=30
-		{ "methodeol",no_argument,0,0 },// optidx=31
-		{ "hosttab",no_argument,0,0 },// optidx=32
-		{ "unixeol",no_argument,0,0 },// optidx=33
-		{ "tlsrec",required_argument,0,0 },// optidx=34
-		{ "tlsrec-pos",required_argument,0,0 },// optidx=35
-		{ "hostlist",required_argument,0,0 },// optidx=36
-		{ "hostlist-domains",required_argument,0,0 },// optidx=37
-		{ "hostlist-exclude",required_argument,0,0 },// optidx=38
-		{ "hostlist-exclude-domains",required_argument,0,0 },// optidx=39
-		{ "hostlist-auto",required_argument,0,0}, // optidx=40
-		{ "hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=41
-		{ "hostlist-auto-fail-time",required_argument,0,0},	// optidx=42
-		{ "hostlist-auto-debug",required_argument,0,0}, // optidx=43
-		{ "pidfile",required_argument,0,0 },// optidx=44
-		{ "debug",optional_argument,0,0 },// optidx=45
-		{ "debug-level",required_argument,0,0 },// optidx=46
-		{ "dry-run",no_argument,0,0 },// optidx=47
-		{ "version",no_argument,0,0 },// optidx=48
-		{ "comment",optional_argument,0,0 },// optidx=49
-		{ "local-rcvbuf",required_argument,0,0 },// optidx=50
-		{ "local-sndbuf",required_argument,0,0 },// optidx=51
-		{ "remote-rcvbuf",required_argument,0,0 },// optidx=52
-		{ "remote-sndbuf",required_argument,0,0 },// optidx=53
-		{ "socks",no_argument,0,0 },// optidx=54
-		{ "no-resolve",no_argument,0,0 },// optidx=55
-		{ "resolver-threads",required_argument,0,0 },// optidx=56
-		{ "skip-nodelay",no_argument,0,0 },// optidx=57
-		{ "tamper-start",required_argument,0,0 },// optidx=58
-		{ "tamper-cutoff",required_argument,0,0 },// optidx=59
-		{ "connect-bind-addr",required_argument,0,0 },// optidx=60
-
-		{ "new",no_argument,0,0 },				// optidx=61
-		{ "skip",no_argument,0,0 },				// optidx=62
-		{ "filter-l3",required_argument,0,0 },			// optidx=63
-		{ "filter-tcp",required_argument,0,0 },			// optidx=64
-		{ "filter-l7",required_argument,0,0 },			// optidx=65
-		{ "ipset",required_argument,0,0 },			// optidx=66
-		{ "ipset-ip",required_argument,0,0 },			// optidx=67
-		{ "ipset-exclude",required_argument,0,0 },		// optidx=68
-		{ "ipset-exclude-ip",required_argument,0,0 },		// optidx=69
-
-#if defined(__FreeBSD__)
-		{ "enable-pf",no_argument,0,0 },// optidx=69
-#elif defined(__APPLE__)
-		{ "local-tcp-user-timeout",required_argument,0,0 },	// optidx=79
-		{ "remote-tcp-user-timeout",required_argument,0,0 },	// optidx=71
-#elif defined(__linux__)
-		{ "local-tcp-user-timeout",required_argument,0,0 },	// optidx=70
-		{ "remote-tcp-user-timeout",required_argument,0,0 },	// optidx=71
-		{ "mss",required_argument,0,0 },			// optidx=72
-		{ "fix-seg",optional_argument,0,0 },			// optidx=73
-#ifdef SPLICE_PRESENT
-		{ "nosplice",no_argument,0,0 },				// optidx=74
-#endif
-#endif
-		{ "hostlist-auto-retrans-threshold",optional_argument,0,0}, // ignored. for nfqws command line compatibility
-		{ NULL,0,NULL,0 }
-	};
 	while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
 	{
 		if (v)
@ -765,11 +857,11 @@ void parse_params(int argc, char *argv[])
 		}
 		switch (option_index)
 		{
-		case 0:
-		case 1:
+		case IDX_HELP:
+		case IDX_H:
 			exithelp_clean();
 			break;
-		case 2: /* bind-addr */
+		case IDX_BIND_ADDR:
 			nextbind_clean();
 			{
 				char *p = strchr(optarg,'%');
@ -782,19 +874,19 @@ void parse_params(int argc, char *argv[])
 			}
 			params.binds[params.binds_last].bindaddr[sizeof(params.binds[params.binds_last].bindaddr) - 1] = 0;
 			break;
-		case 3: /* bind-iface4 */
+		case IDX_BIND_IFACE4:
 			nextbind_clean();
 			params.binds[params.binds_last].bind_if6=false;
 			strncpy(params.binds[params.binds_last].bindiface, optarg, sizeof(params.binds[params.binds_last].bindiface));
 			params.binds[params.binds_last].bindiface[sizeof(params.binds[params.binds_last].bindiface) - 1] = 0;
 			break;
-		case 4: /* bind-iface6 */
+		case IDX_BIND_IFACE6:
 			nextbind_clean();
 			params.binds[params.binds_last].bind_if6=true;
 			strncpy(params.binds[params.binds_last].bindiface, optarg, sizeof(params.binds[params.binds_last].bindiface));
 			params.binds[params.binds_last].bindiface[sizeof(params.binds[params.binds_last].bindiface) - 1] = 0;
 			break;
-		case 5: /* bind-linklocal */
+		case IDX_BIND_LINKLOCAL:
 			checkbind_clean();
 			params.binds[params.binds_last].bindll = true;
 			if (!strcmp(optarg, "no"))
@ -811,22 +903,22 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 6: /* bind-wait-ifup */
+		case IDX_BIND_WAIT_IFUP:
 			checkbind_clean();
 			params.binds[params.binds_last].bind_wait_ifup = atoi(optarg);
 			break;
-		case 7: /* bind-wait-ip */
+		case IDX_BIND_WAIT_IP:
 			checkbind_clean();
 			params.binds[params.binds_last].bind_wait_ip = atoi(optarg);
 			break;
-		case 8: /* bind-wait-ip-linklocal */
+		case IDX_BIND_WAIT_IP_LINKLOCAL:
 			checkbind_clean();
 			params.binds[params.binds_last].bind_wait_ip_ll = atoi(optarg);
 			break;
-		case 9: /* bind-wait-only */
+		case IDX_BIND_WAIT_ONLY:
 			params.bind_wait_only = true;
 			break;
-		case 10: /* port */
+		case IDX_PORT:
 			i = atoi(optarg);
 			if (i <= 0 || i > 65535)
 			{
@ -835,10 +927,10 @@ void parse_params(int argc, char *argv[])
 			}
 			params.port = (uint16_t)i;
 			break;
-		case 11: /* daemon */
+		case IDX_DAEMON:
 			params.daemon = true;
 			break;
-		case 12: /* user */
+		case IDX_USER:
 		{
 			struct passwd *pwd = getpwnam(optarg);
 			if (!pwd)
@ -851,7 +943,7 @@ void parse_params(int argc, char *argv[])
 			params.droproot = true;
 			break;
 		}
-		case 13: /* uid */
+		case IDX_UID:
 			params.gid=0x7FFFFFFF; // default git. drop gid=0
 			params.droproot = true;
 			if (sscanf(optarg,"%u:%u",&params.uid,&params.gid)<1)
@ -860,7 +952,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 14: /* maxconn */
+		case IDX_MAXCONN:
 			params.maxconn = atoi(optarg);
 			if (params.maxconn <= 0 || params.maxconn > 10000)
 			{
@ -868,7 +960,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 15: /* maxfiles */
+		case IDX_MAXFILES:
 			params.maxfiles = atoi(optarg);
 			if (params.maxfiles < 0)
 			{
@ -876,7 +968,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 16: /* max-orphan-time */
+		case IDX_MAX_ORPHAN_TIME:
 			params.max_orphan_time = atoi(optarg);
 			if (params.max_orphan_time < 0)
 			{
@ -884,11 +976,11 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 17: /* hostcase */
+		case IDX_HOSTCASE:
 			dp->hostcase = true;
 			params.tamper = true;
 			break;
-		case 18: /* hostspell */
+		case IDX_HOSTSPELL:
 			if (strlen(optarg) != 4)
 			{
 				DLOG_ERR("hostspell must be exactly 4 chars long\n");
@ -898,23 +990,23 @@ void parse_params(int argc, char *argv[])
 			memcpy(dp->hostspell, optarg, 4);
 			params.tamper = true;
 			break;
-		case 19: /* hostdot */
+		case IDX_HOSTDOT:
 			dp->hostdot = true;
 			params.tamper = true;
 			break;
-		case 20: /* hostnospace */
+		case IDX_HOSTNOSPACE:
 			dp->hostnospace = true;
 			params.tamper = true;
 			break;
-		case 21: /* hostpad */
+		case IDX_HOSTPAD:
 			dp->hostpad = atoi(optarg);
 			params.tamper = true;
 			break;
-		case 22: /* domcase */
+		case IDX_DOMCASE:
 			dp->domcase = true;
 			params.tamper = true;
 			break;
-		case 23: /* split-http-req */
+		case IDX_SPLIT_HTTP_REQ:
 			DLOG_CONDUP("WARNING ! --split-http-req is deprecated. use --split-pos with markers.\n",MAX_SPLITS);
 			if (dp->split_count>=MAX_SPLITS)
 			{
@ -929,7 +1021,7 @@ void parse_params(int argc, char *argv[])
 			dp->split_count++;
 			params.tamper = true;
 			break;
-		case 24: /* split-tls */
+		case IDX_SPLIT_TLS:
 			// obsolete arg
 			DLOG_CONDUP("WARNING ! --split-tls is deprecated. use --split-pos with markers.\n",MAX_SPLITS);
 			if (dp->split_count>=MAX_SPLITS)
@ -945,7 +1037,7 @@ void parse_params(int argc, char *argv[])
 			dp->split_count++;
 			params.tamper = true;
 			break;
-		case 25: /* split-pos */
+		case IDX_SPLIT_POS:
 			{
 				int ct;
 				if (!parse_split_pos_list(optarg,dp->splits+dp->split_count,MAX_SPLITS-dp->split_count,&ct))
@ -957,10 +1049,10 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 26: /* split-any-protocol */
+		case IDX_SPLIT_ANY_PROTOCOL:
 			dp->split_any_protocol = true;
 			break;
-		case 27: /* disorder */
+		case IDX_DISORDER:
 			if (optarg)
 			{
 				if (!strcmp(optarg,"http")) dp->disorder_http=true;
@ -981,7 +1073,7 @@ void parse_params(int argc, char *argv[])
 			}
 #endif
 			break;
-		case 28: /* oob */
+		case IDX_OOB:
 			if (optarg)
 			{
 				if (!strcmp(optarg,"http")) dp->oob_http=true;
@ -1002,7 +1094,7 @@ void parse_params(int argc, char *argv[])
 			}
 #endif
 			break;
-		case 29: /* oob-data */
+		case IDX_OOB_DATA:
 			{
 				size_t l = strlen(optarg);
 				unsigned int bt;
@ -1015,23 +1107,23 @@ void parse_params(int argc, char *argv[])
 				else dp->oob_byte = (uint8_t)bt;
 			}
 			break;
-		case 30: /* methodspace */
+		case IDX_METHODSPACE:
 			dp->methodspace = true;
 			params.tamper = true;
 			break;
-		case 31: /* methodeol */
+		case IDX_METHODEOL:
 			dp->methodeol = true;
 			params.tamper = true;
 			break;
-		case 32: /* hosttab */
+		case IDX_HOSTTAB:
 			dp->hosttab = true;
 			params.tamper = true;
 			break;
-		case 33: /* unixeol */
+		case IDX_UNIXEOL:
 			dp->unixeol = true;
 			params.tamper = true;
 			break;
-		case 34: /* tlsrec */
+		case IDX_TLSREC:
 			if (!parse_split_pos(optarg, &dp->tlsrec) && !parse_tlspos(optarg, &dp->tlsrec))
 			{
 				DLOG_ERR("Invalid argument for tlsrec\n");
@ -1039,7 +1131,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 35: /* tlsrec-pos */
+		case IDX_TLSREC_POS:
 			// obsolete arg
 			i = atoi(optarg);
 			dp->tlsrec.marker = PM_ABS;
@ -1051,7 +1143,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 36: /* hostlist */
+		case IDX_HOSTLIST:
 			if (bSkip) break;
 			if (!RegisterHostlist(dp, false, optarg))
 			{
@ -1060,7 +1152,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 37: /* hostlist-domains */
+		case IDX_HOSTLIST_DOMAINS:
 			if (bSkip) break;
 			if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL)))
 			{
@ -1074,7 +1166,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 38: /* hostlist-exclude */
+		case IDX_HOSTLIST_EXCLUDE:
 			if (bSkip) break;
 			if (!RegisterHostlist(dp, true, optarg))
 			{
@ -1083,7 +1175,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 39: /* hostlist-exclude-domains */
+		case IDX_HOSTLIST_EXCLUDE_DOMAINS:
 			if (bSkip) break;
 			if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL)))
 			{
@ -1097,7 +1189,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 40: /* hostlist-auto */
+		case IDX_HOSTLIST_AUTO:
 			if (bSkip) break;
 			if (dp->hostlist_auto)
 			{
@ -1126,7 +1218,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true; // need to detect blocks and update autohostlist. cannot just slice.
 			break;
-		case 41: /* hostlist-auto-fail-threshold */
+		case IDX_HOSTLIST_AUTO_FAIL_THRESHOLD:
 			dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20)
 			{
@ -1134,7 +1226,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 42: /* hostlist-auto-fail-time */
+		case IDX_HOSTLIST_AUTO_FAIL_TIME:
 			dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_fail_time<1)
 			{
@ -1142,7 +1234,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 43: /* hostlist-auto-debug */
+		case IDX_HOSTLIST_AUTO_DEBUG:
 			{
 				FILE *F = fopen(optarg,"a+t");
 				if (!F)
@ -1155,11 +1247,11 @@ void parse_params(int argc, char *argv[])
 				params.hostlist_auto_debuglog[sizeof(params.hostlist_auto_debuglog) - 1] = '\0';
 			}
 			break;
-		case 44: /* pidfile */
+		case IDX_PIDFILE:
 			strncpy(params.pidfile,optarg,sizeof(params.pidfile));
 			params.pidfile[sizeof(params.pidfile)-1]='\0';
 			break;
-		case 45: /* debug */
+		case IDX_DEBUG:
 			if (optarg)
 			{
 				if (*optarg=='@')
@ -1193,52 +1285,52 @@ void parse_params(int argc, char *argv[])
 				params.debug_target = LOG_TARGET_CONSOLE;
 			}
 			break;
-		case 46: /* debug-level */
+		case IDX_DEBUG_LEVEL:
 			params.debug = atoi(optarg);
 			break;
-		case 47: /* dry-run */
+		case IDX_DRY_RUN:
 			bDry = true;
 			break;
-		case 48: /* version */
+		case IDX_VERSION:
 			exit_clean(0);
 			break;
-		case 49: /* comment */
+		case IDX_COMMENT:
 			break;
-		case 50: /* local-rcvbuf */
+		case IDX_LOCAL_RCVBUF:
 #ifdef __linux__
 			params.local_rcvbuf = atoi(optarg)/2;
 #else
 			params.local_rcvbuf = atoi(optarg);
 #endif
 			break;
-		case 51: /* local-sndbuf */
+		case IDX_LOCAL_SNDBUF:
 #ifdef __linux__
 			params.local_sndbuf = atoi(optarg)/2;
 #else
 			params.local_sndbuf = atoi(optarg);
 #endif
 			break;
-		case 52: /* remote-rcvbuf */
+		case IDX_REMOTE_RCVBUF:
 #ifdef __linux__
 			params.remote_rcvbuf = atoi(optarg)/2;
 #else
 			params.remote_rcvbuf = atoi(optarg);
 #endif
 			break;
-		case 53: /* remote-sndbuf */
+		case IDX_REMOTE_SNDBUF:
 #ifdef __linux__
 			params.remote_sndbuf = atoi(optarg)/2;
 #else
 			params.remote_sndbuf = atoi(optarg);
 #endif
 			break;
-		case 54: /* socks */
+		case IDX_SOCKS:
 			params.proxy_type = CONN_TYPE_SOCKS;
 			break;
-		case 55: /* no-resolve */
+		case IDX_NO_RESOLVE:
 			params.no_resolve = true;
 			break;
-		case 56: /* resolver-threads */
+		case IDX_RESOLVER_THREADS:
 			params.resolver_threads = atoi(optarg);
 			if (params.resolver_threads<1 || params.resolver_threads>300)
 			{
@ -1246,10 +1338,10 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 57: /* skip-nodelay */
+		case IDX_SKIP_NODELAY:
 			params.skip_nodelay = true;
 			break;
-		case 58: /* tamper-start */
+		case IDX_TAMPER_START:
 			{
 				const char *p=optarg;
 				if (*p=='n')
@ -1263,7 +1355,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper_lim = true;
 			break;
-		case 59: /* tamper-cutoff */
+		case IDX_TAMPER_CUTOFF:
 			{
 				const char *p=optarg;
 				if (*p=='n')
@ -1277,7 +1369,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper_lim = true;
 			break;
-		case 60: /* connect-bind-addr */
+		case IDX_CONNECT_BIND_ADDR:
 			{
 				char *p = strchr(optarg,'%');
 				if (p) *p++=0;
@ -1305,7 +1397,7 @@ void parse_params(int argc, char *argv[])
 			break;


-		case 61: /* new */
+		case IDX_NEW:
 			if (bSkip)
 			{
 				dp_clear(dp);
@ -1326,31 +1418,31 @@ void parse_params(int argc, char *argv[])
 			anon_hl = anon_hl_exclude = NULL;
 			anon_ips = anon_ips_exclude = NULL;
 			break;
-		case 62: /* skip */
+		case IDX_SKIP:
 			bSkip = true;
 			break;
-		case 63: /* filter-l3 */
+		case IDX_FILTER_L3:
 			if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
 			{
 				DLOG_ERR("bad value for --filter-l3\n");
 				exit_clean(1);
 			}
 			break;
-		case 64: /* filter-tcp */
+		case IDX_FILTER_TCP:
 			if (!parse_pf_list(optarg,&dp->pf_tcp))
 			{
 				DLOG_ERR("Invalid port filter : %s\n",optarg);
 				exit_clean(1);
 			}
 			break;
-		case 65: /* filter-l7 */
+		case IDX_FILTER_L7:
 			if (!parse_l7_list(optarg,&dp->filter_l7))
 			{
 				DLOG_ERR("Invalid l7 filter : %s\n",optarg);
 				exit_clean(1);
 			}
 			break;
-		case 66: /* ipset */
+		case IDX_IPSET:
 			if (bSkip) break;
 			if (!RegisterIpset(dp, false, optarg))
 			{
@ -1359,7 +1451,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 67: /* ipset-ip */
+		case IDX_IPSET_IP:
 			if (bSkip) break;
 			if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
 			{
@ -1373,7 +1465,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 68: /* ipset-exclude */
+		case IDX_IPSET_EXCLUDE:
 			if (bSkip) break;
 			if (!RegisterIpset(dp, true, optarg))
 			{
@ -1382,7 +1474,7 @@ void parse_params(int argc, char *argv[])
 			}
 			params.tamper = true;
 			break;
-		case 69: /* ipset-exclude-ip */
+		case IDX_IPSET_EXCLUDE_IP:
 			if (bSkip) break;
 			if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
 			{
@ -1398,11 +1490,11 @@ void parse_params(int argc, char *argv[])
 			break;

 #if defined(__FreeBSD__)
-		case 70: /* enable-pf */
+		case IDX_ENABLE_PF:
 			params.pf_enable = true;
 			break;
 #elif defined(__linux__) || defined(__APPLE__)
-		case 70: /* local-tcp-user-timeout */
+		case IDX_LOCAL_TCP_USER_TIMEOUT:
 			params.tcp_user_timeout_local = atoi(optarg);
 			if (params.tcp_user_timeout_local<0 || params.tcp_user_timeout_local>86400)
 			{
@ -1410,7 +1502,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 71: /* remote-tcp-user-timeout */
+		case IDX_REMOTE_TCP_USER_TIMEOUT:
 			params.tcp_user_timeout_remote = atoi(optarg);
 			if (params.tcp_user_timeout_remote<0 || params.tcp_user_timeout_remote>86400)
 			{
@ -1421,7 +1513,7 @@ void parse_params(int argc, char *argv[])
 #endif

 #if defined(__linux__)
-		case 72: /* mss */
+		case IDX_MSS:
 			// this option does not work in any BSD and MacOS. OS may accept but it changes nothing
 			dp->mss = atoi(optarg);
 			if (dp->mss<88 || dp->mss>32767)
@ -1430,7 +1522,7 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			break;
-		case 73: /* fix-seg */
+		case IDX_FIX_SEG:
 			if (!params.fix_seg_avail)
 			{
 				DLOG_ERR("--fix-seg is supported since kernel 4.6\n");
@ -1450,7 +1542,7 @@ void parse_params(int argc, char *argv[])
 				params.fix_seg = FIX_SEG_DEFAULT_MAX_WAIT;
 			break;
 #ifdef SPLICE_PRESENT
-		case 74: /* nosplice */
+		case IDX_NOSPLICE:
 			params.nosplice = true;
 			break;
 #endif
Author	SHA1	Message	Date
bol-van	b12b1a5a17	winws build fix	2025-04-08 17:33:14 +03:00
bol-van	8022e2576d	nfqws: BSD/clang build fix	2025-04-08 17:23:15 +03:00
bol-van	f4ea264ba9	minor var spelling fix	2025-04-08 17:02:33 +03:00
bol-van	061acb27e4	Merge pull request #1334 from tie/master use enum for option indices	2025-04-08 17:00:53 +03:00
Ivan Trubach	8eb830d304	use enum for option indices	2025-04-08 16:56:17 +03:00
bol-van	2fb93c6add	blockcheck: test tpws exists	2025-04-08 16:17:40 +03:00
bol-van	ad5c246629	blockcheck: test whether tpws supports fix-seg	2025-04-08 16:15:06 +03:00
bol-van	58e73d0331	github actions: do not use broken upx 5.0.0	2025-04-07 17:52:11 +03:00
bol-van	9ebeff621a	readme.en : update ver	2025-04-07 10:16:30 +03:00
bol-van	69df271a16	readme: update crypto addresses	2025-04-07 10:15:36 +03:00
bol-van	e285b2401d	isakmp fake	2025-04-06 16:42:56 +03:00
bol-van	6e1e7e43bc	nfqws: optimize tls mod parse	2025-04-06 11:53:57 +03:00
bol-van	d04419a60c	nfqws: safety check	2025-04-06 11:43:25 +03:00
bol-van	fc1bf47e82	update changes.txt	2025-04-06 11:34:43 +03:00
bol-van	929df3f094	nfqws: support different tls mods for every tls fake	2025-04-06 11:29:58 +03:00
bol-van	7272b243cb	blockcheck: optimize	2025-04-05 18:13:16 +03:00
bol-van	72d48d957a	update changes.txt	2025-04-05 18:10:46 +03:00
bol-van	f4069d484a	update changes.txt	2025-04-05 18:10:18 +03:00
bol-van	1c82b0a6af	blockcheck: --fix seg only if multiple split pos	2025-04-05 16:35:26 +03:00
bol-van	c08e69aa65	blockcheck: --fix seg only if multiple split pos	2025-04-05 16:31:22 +03:00
bol-van	8097f08020	ipset: some pkill's do not support multiple patterns	2025-04-05 13:56:31 +03:00
bol-van	4cae291e6f	blockcheck: remove fix-seg for single split	2025-04-05 12:32:16 +03:00
bol-van	82ad5508dc	blockcheck: --fix-seg for tpws multisplits	2025-04-05 12:24:43 +03:00
bol-van	fa8ddcfc79	desync.h fix	2025-04-05 11:53:59 +03:00
bol-van	b560e32e18	nfqws: update default tls fake	2025-04-05 09:45:44 +03:00
bol-van	67e1aee8a8	update compile docs	2025-04-04 17:38:52 +03:00
bol-van	1d8385a9b4	update compile docs	2025-04-04 17:37:49 +03:00
bol-van	340dec62a7	update changes.txt	2025-04-04 15:13:58 +03:00
bol-van	db4585c02f	remove discord custom	2025-04-04 15:03:06 +03:00
bol-van	e792ca67ef	nfqws: display original SNI value	2025-04-04 14:32:37 +03:00
bol-van	e5e53db6b8	nfqws: fixes	2025-04-04 14:20:36 +03:00
bol-van	e14ee9d1fe	nfqws: fix wrong and mask	2025-04-04 14:09:45 +03:00
bol-van	360506ba4e	discord and stun fakes	2025-04-04 13:58:46 +03:00
bol-van	aa769e05c6	nfqws: minor optimize	2025-04-04 13:58:33 +03:00
bol-van	6b0bc7a96b	nfqws: tls mod set sni	2025-04-04 13:24:02 +03:00
bol-van	93bdfdb6be	nfqws: loop for multiple blob cleanup	2025-04-04 09:25:46 +03:00
bol-van	6d95eada2b	Merge pull request #1316 from tie/master nfqws: also add stun l7proto to CLI help output	2025-04-03 21:33:39 +03:00
bol-van	e452ee8688	nfqws: cosmetics	2025-04-03 21:32:28 +03:00
bol-van	6e746f94cd	nfqws: help text cosmetics	2025-04-03 21:29:38 +03:00
Ivan Trubach	9fd61e5d38	nfqws: also add stun l7proto to CLI help output	2025-04-03 21:28:46 +03:00
bol-van	0c0fba4461	Merge pull request #1314 from tie/master nfqws: detect Discord Voice IP Discovery and STUN packets	2025-04-03 21:27:10 +03:00
Ivan Trubach	056e4c588a	nfqws: detect STUN message packets	2025-04-03 21:02:42 +03:00
Ivan Trubach	4b288643ac	nfqws: detect Discord Voice IP Discovery packets	2025-04-03 17:55:02 +03:00
bol-van	cbdee74e5f	Merge pull request #1301 from Lost-gamer/master update discord subnets	2025-04-01 10:25:22 +03:00
bol-van	743eb5a4a2	tpws makefile support systemd target for old systems	2025-03-31 16:26:00 +03:00
Lost	4e8e3a9ed9	update discord subnets	2025-03-31 10:25:52 +03:00
bol-van	b9b91a0e68	replace tls fake google	2025-03-26 12:09:49 +03:00
bol-van	9de7b66eef	update build docs	2025-03-25 13:44:27 +03:00
bol-van	a2ffa3455d	nfqws: minor beautify text	2025-03-24 11:20:51 +03:00
bol-van	60b97dbed0	nfqws: remove debug printfs	2025-03-24 11:14:38 +03:00
bol-van	e56e4f5f35	update changes	2025-03-24 10:32:02 +03:00
bol-van	5305ea83c8	fakes: GGC kyber with inter-packet CRYPTO frag	2025-03-24 09:44:50 +03:00
bol-van	14b3dd459b	nfqws: define reasm buffer sizes	2025-03-24 09:34:37 +03:00
bol-van	66fda2c33d	nfqws: support QUIC multi packet CRYPTO fragmentation	2025-03-23 23:29:16 +03:00
bol-van	77df43b9cb	nfqws: minor optimize	2025-03-22 13:03:31 +03:00
bol-van	85f2b37c88	update docs	2025-03-21 21:00:47 +03:00
bol-van	e2d600fcc6	update docs	2025-03-21 20:58:53 +03:00
bol-van	37eda0ad98	nfqws: mod skipped DLOG_ERR -> DLOG	2025-03-21 19:40:25 +03:00
bol-van	770be21e1c	nfqws: fix custom tls fake fallback logic	2025-03-21 19:09:37 +03:00
bol-van	1b880d42f9	nfqws,tpws: missing va_end	2025-03-21 17:33:57 +03:00
bol-van	6387315c0b	nfqws: multiple fakes	2025-03-21 17:12:36 +03:00
bol-van	3d4b395bfe	ignore windivert files in nfq	2025-03-21 14:23:19 +03:00
bol-van	55950ed7d0	remove bad files	2025-03-21 14:22:28 +03:00
bol-van	f2b0341484	blockcheck: add dupsid to tls-mod	2025-03-20 18:14:35 +03:00