v1 Initial release v2 nfqws : command line options change. now using standard getopt. nfqws : added options for window size changing and "Host:" case change ISP support : tested on mns.ru and beeline (corbina) init scripts : rewritten init scripts for simple choise of ISP create_ipset : now using 'ipset restore', it works much faster readme : updated. now using UTF-8 charset. v3 tpws : added transparent proxy (supports TPROXY and DNAT). can help when ISP tracks whole HTTP session, not only the beginning ipset : added zapret-hosts-user.txt which contain user defined host names to be resolved and added to zapret ip list ISP support : dom.ru support via TPROXY/DNAT ISP support : successfully tested sknt.ru on 'domru' configuration other configs will probably also work, but cannot test compile : openwrt compile howto v4 tpws : added ability to insert extra space after http method : "GET /" => "GET /" ISP support : TKT support v5 nfqws : ipv6 support in nfqws v6 ipset : added "get_antizapret.sh" v7 tpws : added ability to insert "." after Host: name v8 openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user v9 ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt these IPs must be soxified for both http and https ISP support : tiera support ISP support : added DNS filtering to ubuntu and debian scripts v10 tpws : added split-pos option. split every message at specified position v11 ipset : scripts optimizations v12 nfqws : fix wrong tcp checksum calculation if packet length is odd and platform is big-endian v13 added binaries v14 change get_antizapret script to work with https://github.com/zapret-info/z-i/raw/master/dump.csv filter out 192.168.*, 127.*, 10.* from blocked ips v15 added --hostspell option to nfqws and tpws ISP support : beeline now catches "host" but other spellings still work openwrt/LEDE : changed init script to work with procd tpws, nfqws : minor cosmetic fixes v16 tpws: split-http-req=method : split inside method name, not after ISP support : mns.ru changed split pos to 3 (got redirect page with HEAD req : curl -I ej.ru) v17 ISP support : athome moved from nfqws to tpws because of instability and http request hangs tpws : added options unixeol,methodeol,hosttab v18 tpws,nfqws : added hostnospace option v19 tpws : added hostlist option v20 added ip2net. ip2net groups ips from iplist into subnets and reduces ipset size twice v21 added mdig. get_reestr.sh is *real* again v22 total review of init script logic dropped support of older debian 7 and ubuntu 12/14 systems install_bin.sh : auto binaries preparation docs: readme review. some new topics added, others deleted docs: VPN setup with policy based routing using wireguard docs: wireguard modding guide v23 major init system rewrite openwrt : separate firewall include /etc/firewall.zapret install_easy.sh : easy setup on openwrt, debian, ubuntu, centos, fedora, opensuse v24 separate config from init scripts gzip support in ipset/*.sh and tpws v25 init : move to native systemd units use links to units, init scripts and firewall includes, no more copying v26 ipv6 support tpws : advanced bind options v27 tpws : major connection code rewrite. originally it was derived from not top quality example , with many bugs and potential problems. next generation connection code uses nonblocking sockets. now its in EXPERIMENTAL state. v28 tpws : added socks5 support ipset : major RKN getlist rewrite. added antifilter.network support v29 nfqws : DPI desync attack ip exclude system v30 nfqws : DPI desync attack modes : fake,rst v31 nfqws : DPI desync attack modes : disorder,disorder2,split,split2. nfqws : DPI desync fooling mode : badseq. multiple modes supported v32 tpws : multiple binds init scripts : run only one instance of tpws in any case v33 openwrt : flow offloading support config : MODE refactoring v34 nfqws : dpi-desync 2 mode combos nfqws : dpi-desync without parameter no more supported. previously it meant "fake" nfqws : custom fake http request and tls client hello v35 limited FreeBSD and OpenBSD support v36 full FreeBSD and OpenBSD support v37 limited MacOS support v38 MacOS easy install v39 nfqws: conntrack, wssize v40 init scripts : IFACE_LAN, IFACE_WAN now accept multiple interfaces init scripts : openwrt uses now OPENWRT_LAN parameter to override incoming interfaces for tpws v41 install_easy : openrc support v42 blockcheck.sh v43 nfqws: UDP desync with conntrack support (any-protocol only for now) v44 nfqws: ipfrag v45 nfqws: hop-by-hop ipv6 desync and fooling v46 big startup script refactoring to support nftables and new openwrt snapshot builds with firewall4 v47 nfqws: QUIC initial decryption nfqws: udplen, fakeknown dpi desync modes v48 nfqws, tpws : multiple --hostlist and --hostlist-exclude support launch system, ipset : no more list merging. all lists are passed separately to nfqws and tpws nfqws : udplen fooling supports packet shrinking (negative increment value) v49 QUIC support integrated to the main system and setup v50 DHT protocol support. DPI desync mode 'tamper' for DHT. HEX string support in addition to binary files. v51 tpws --tlsrec attack. v52 autohostlist mode v53 nfqws: tcp session reassemble for TLS ClientHello v54 tpws: out of band send when splitting (--oob) nfqws: autottl nfqws: datanoack fooling nftables: use POSTNAT path for tcp redirections to allow NAT-breaking strategies. use additional mark bit DESYNC_MARK_POSTNAT. v55 tpws: incompatible oob parameter change. it doesn't take oob byte anymore. instead it takes optional protocol filter - http or tls. the same is done with disorder. oob byte can be specified in parameter --oob-data. blockcheck: quick mode, strategy order optimizations, QUIC protocol support nfqws: syndata desync mode v56 tpws: mss fooling tpws: multi thread resolver. eliminates blocks related to hostname resolve. v57 tpws: --nosplice option nfqws: postnat fixes nfqws: --dpi-desync-start option nfqws: packet delay for kyber TLS and QUIC nfqws: --dpi-desync-retrans obsolete nfqws: --qnum is mandatory, no more default queue 0 v58 winws v59 tpws: --split-tls tpws: --tlsrec=sniext nfqws: --dpi-desync-split-http-req, --dpi-desync-split-tls. multi segment TLS support for split. blockcheck: mdig dns cache v60 blockcheck: port block test, partial ip block test nfqws: seqovl split/disorder modes v61 C code cleanups dvtws: do not use raw sockets. use divert. nfqws,tpws: detect TLS 1.2 ClientHello from very old libraries with SSL 3.0 version in record layer nfqws,tpws: debug log to file and syslog tpws: --connect-bind-addr option tpws: log local endpoint (including source port number) for remote leg v62: tpws: connection close logic rewrite. tcp user timeout parameters for local and remote leg. nfqws: multi-strategy v63: tpws: multi-strategy v64: blockcheck: warn if dpi bypass software is already running blockcheck: TPWS_EXTRA, NFQWS_EXTRA init.d: multiple custom scripts v65: init.d: dynamic number allocation for dnum,tpws_port,qnum init.d: FW_EXTRA_PRE, FW_EXTRA_POST init.d: zapret_custom_firewall_nft_flush nfqws,tpws: l7proto and client ip:port info in autohostlist debug log nfqws,tpws: user mode ipset filter support nfqws,tpws: l7proto filter support tpws: fixed MSS apply in transparent mode nfqws: fixed autottl apply if desync profile changed tpws,nfqws: fixed 100% cpu hang on gzipped list with comments ipset: get_refilter_ipsum.sh , get_refilter_domain.sh v66: init.d: rewrite traffic interception and daemon launch parameters in config file. this break compatibility with old versions. init.d: openwrt-minimal : tpws launch for low storage openwrt devices v67: mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH) blockcheck: use DoH resolvers if DNS spoof is detected blockcheck: restring fooling to testing domain's IPs nfqws,tpws: internal hostlist deduplication to save RAM nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP. nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list nfqws,tpws: @ - read config from a file config: marker binaries: remove zapret-winws. add win32. blockcheck, install_easy.sh: preserve user environment variables during elevation blockcheck: do not require root if SKIP_PKTWS=1