v1

Initial release

v2

nfqws : command line options change. now using standard getopt.
nfqws : added options for window size changing and "Host:" case change
ISP support : tested on mns.ru and beeline (corbina)
init scripts : rewritten init scripts for simple choise of ISP
create_ipset : now using 'ipset restore', it works much faster
readme : updated. now using UTF-8 charset.

v3

tpws : added transparent proxy (supports TPROXY and DNAT).
       can help when ISP tracks whole HTTP session, not only the beginning
ipset : added zapret-hosts-user.txt which contain user defined host names to be resolved
        and added to zapret ip list
ISP support : dom.ru support via TPROXY/DNAT
ISP support : successfully tested sknt.ru on 'domru' configuration
  other configs will probably also work, but cannot test
compile : openwrt compile howto

v4

tpws : added ability to insert extra space after http method : "GET /" => "GET  /"
ISP support : TKT support

v5

nfqws : ipv6 support in nfqws

v6

ipset : added "get_antizapret.sh"

v7

tpws : added ability to insert "." after Host: name

v8

openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user

v9

ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt
	these IPs must be soxified for both http and https
ISP support : tiera support
ISP support : added DNS filtering to ubuntu and debian scripts

v10

tpws : added split-pos option. split every message at specified position

v11

ipset : scripts optimizations

v12

nfqws : fix wrong tcp checksum calculation if packet length is odd and platform is big-endian

v13

added binaries

v14

change get_antizapret script to work with https://github.com/zapret-info/z-i/raw/master/dump.csv
filter out 192.168.*, 127.*, 10.* from blocked ips

v15

added --hostspell option to nfqws and tpws
ISP support : beeline now catches "host" but other spellings still work
openwrt/LEDE : changed init script to work with procd
tpws, nfqws : minor cosmetic fixes

v16

tpws: split-http-req=method : split inside method name, not after
ISP support : mns.ru changed split pos to 3 (got redirect page with HEAD req : curl -I ej.ru)

v17

ISP support : athome moved from nfqws to tpws because of instability and http request hangs
tpws : added options unixeol,methodeol,hosttab

v18

tpws,nfqws : added hostnospace option

v19

tpws : added hostlist option

v20

added ip2net. ip2net groups ips from iplist into subnets and reduces ipset size twice

v21

added mdig. get_reestr.sh is *real* again

v22

total review of init script logic
dropped support of older debian 7 and ubuntu 12/14 systems
install_bin.sh : auto binaries preparation
docs: readme review. some new topics added, others deleted
docs: VPN setup with policy based routing using wireguard
docs: wireguard modding guide

v23

major init system rewrite
openwrt : separate firewall include /etc/firewall.zapret
install_easy.sh : easy setup on openwrt, debian, ubuntu, centos, fedora, opensuse

v24

separate config from init scripts
gzip support in ipset/*.sh and tpws

v25

init : move to native systemd units
use links to units, init scripts and firewall includes, no more copying

v26

ipv6 support
tpws : advanced bind options

v27

tpws : major connection code rewrite. originally it was derived from not top quality example , with many bugs and potential problems.
next generation connection code uses nonblocking sockets. now its in EXPERIMENTAL state.

v28

tpws : added socks5 support
ipset : major RKN getlist rewrite. added antifilter.network support

v29

nfqws : DPI desync attack
ip exclude system

v30

nfqws : DPI desync attack modes : fake,rst

v31

nfqws : DPI desync attack modes : disorder,disorder2,split,split2.
nfqws : DPI desync fooling mode : badseq.  multiple modes supported

v32

tpws : multiple binds
init scripts : run only one instance of tpws in any case

v33

openwrt : flow offloading support
config : MODE refactoring

v34

nfqws : dpi-desync 2 mode combos
nfqws : dpi-desync without parameter no more supported. previously it meant "fake"
nfqws : custom fake http request and tls client hello

v35

limited FreeBSD and OpenBSD support

v36

full FreeBSD and OpenBSD support

v37

limited MacOS support

v38

MacOS easy install

v39

nfqws: conntrack, wssize

v40

init scripts : IFACE_LAN, IFACE_WAN now accept multiple interfaces
init scripts : openwrt uses now OPENWRT_LAN parameter to override incoming interfaces for tpws

v41

install_easy : openrc support

v42

blockcheck.sh

v43

nfqws: UDP desync with conntrack support (any-protocol only for now)

v44

nfqws: ipfrag

v45

nfqws: hop-by-hop ipv6 desync and fooling

v46

big startup script refactoring to support nftables and new openwrt snapshot builds with firewall4

v47

nfqws: QUIC initial decryption
nfqws: udplen, fakeknown dpi desync modes

v48

nfqws, tpws : multiple --hostlist and --hostlist-exclude support
launch system, ipset : no more list merging. all lists are passed separately to nfqws and tpws
nfqws : udplen fooling supports packet shrinking (negative increment value)

v49

QUIC support integrated to the main system and setup

v50

DHT protocol support.
DPI desync mode 'tamper' for DHT.
HEX string support in addition to binary files.

v51

tpws --tlsrec attack.

v52

autohostlist mode

v53

nfqws: tcp session reassemble for TLS ClientHello

v54

tpws: out of band send when splitting (--oob)
nfqws: autottl
nfqws: datanoack fooling
nftables: use POSTNAT path for tcp redirections to allow NAT-breaking strategies. use additional mark bit DESYNC_MARK_POSTNAT.

v55

tpws: incompatible oob parameter change. it doesn't take oob byte anymore. instead it takes optional protocol filter - http or tls.
  the same is done with disorder. oob byte can be specified in parameter --oob-data.
blockcheck: quick mode, strategy order optimizations, QUIC protocol support
nfqws: syndata desync mode

v56

tpws: mss fooling
tpws: multi thread resolver. eliminates blocks related to hostname resolve.

v57

tpws: --nosplice option
nfqws: postnat fixes
nfqws: --dpi-desync-start option
nfqws: packet delay for kyber TLS and QUIC
nfqws: --dpi-desync-retrans obsolete
nfqws: --qnum is mandatory, no more default queue 0

v58

winws

v59

tpws: --split-tls
tpws: --tlsrec=sniext
nfqws: --dpi-desync-split-http-req, --dpi-desync-split-tls. multi segment TLS support for split.
blockcheck: mdig dns cache

v60

blockcheck: port block test, partial ip block test
nfqws: seqovl split/disorder modes

v61

C code cleanups
dvtws: do not use raw sockets. use divert.
nfqws,tpws: detect TLS 1.2 ClientHello from very old libraries with SSL 3.0 version in record layer
nfqws,tpws: debug log to file and syslog
tpws: --connect-bind-addr option
tpws: log local endpoint (including source port number) for remote leg

v62:

tpws: connection close logic rewrite. tcp user timeout parameters for local and remote leg.
nfqws: multi-strategy

v63:

tpws: multi-strategy

v64:

blockcheck: warn if dpi bypass software is already running
blockcheck: TPWS_EXTRA, NFQWS_EXTRA
init.d: multiple custom scripts

v65:

init.d: dynamic number allocation for dnum,tpws_port,qnum
init.d: FW_EXTRA_PRE, FW_EXTRA_POST
init.d: zapret_custom_firewall_nft_flush
nfqws,tpws: l7proto and client ip:port info in autohostlist debug log
nfqws,tpws: user mode ipset filter support
nfqws,tpws: l7proto filter support
tpws: fixed MSS apply in transparent mode
nfqws: fixed autottl apply if desync profile changed
tpws,nfqws: fixed 100% cpu hang on gzipped list with comments
ipset: get_refilter_ipsum.sh , get_refilter_domain.sh

v66:

init.d: rewrite traffic interception and daemon launch parameters in config file. this break compatibility with old versions.
init.d: openwrt-minimal : tpws launch for low storage openwrt devices

v67:

mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH)
blockcheck: use DoH resolvers if DNS spoof is detected
blockcheck: restring fooling to testing domain's IPs
nfqws,tpws: internal hostlist deduplication to save RAM
nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP.
nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
nfqws,tpws: @<config_file> - read config from a file
config: <HOSTLIST_NOAUTO> marker
binaries: remove zapret-winws. add win32.
blockcheck, install_easy.sh: preserve user environment variables during elevation
blockcheck: do not require root if SKIP_PKTWS=1

v68:

docs : move russian version to markdown
nfqws,tpws: use alternate $ sign for $<config_file>
repo: binaries removed from repo. git actions binaries build in releases.
uninstall_easy.sh: offer to remove dependencies in openwrt
install_easy.sh: allow to download lists in autohostlist filter mode

v69:

nfqws, tpws: multisplit/multidisorder support.
nfqws: name change split->fakedsplit, disorder->fakeddisorder. compat : old names are synonyms
nfqws: --dpi-desync-split-http-req, --dpi-desync-split-tls deprecated. compat : these parameters add split point to multisplit.
nfqws: --dpi-desync=split2|disorder2 deprecated. compat: they are now synonyms for multisplit/multidisorder
nfqws: cancel seqovl if MTU is exceeded (linux only). cancel seqovl for disorder if seqovl>=first_part_size.
nfqws: fixed splits in multiple TLS segments.
tpws: --split-http-req,--split-tls deprecated. compat : these parameters add split point to multisplit.
tpws: --tlsrec now takes pos markers. compat : old names are converted to pos markers
tpws: --tlsrec-pos deprecated. compat : sets absolute pos marker
nfqws,tpws: chown autohostlist, autohostlist debug log and debug log files after options parse
nfqws,tpws: set EXEDIR env var to use in @config (won't work for stadalone winws without /bin/sh)
dvtws: set random/increasing ip_id value in generated packets
mdig: fixed parsing of DNS reply in windows (stdin is opened as text, not binary)
tpws: support compile for android NDK api level >= 21 (Android 5.0)
tpws: --fix-seg segmentation fixer
repo: build for android NDK api level 21 (Android 5.0)
install_easy: support for APK package manager in openwrt
blockcheck: removed ignore CA question
blockcheck: removed IGNORE_CA, CURL_VERBOSE
blockcheck: added CURL_OPT
blockcheck: new strategies support
blockcheck: test sequence rework
blockcheck: view all working strategies in summary

v69.1:

init.d: keenetic udp fix custom
tpws: fixed incorrect hostlist checks

v69.2:

nfqws,tpws: --skip
nfqws: --methodeol
init.d: do not use pgrep in sysv for busybox compat

v69.3

nfqws,tpws: fixed ipsets and hostlists
all progs: version numbers for github, build date/time for self built
repo: light release for openwrt and embedded systems
repo: sha256sum

v69.4

nfqws: fakedsplit/fakeddisorder fakes for both split segments
nfqws: --dpi-desync-fakedsplit-pattern

v69.5

nfqws,tpws: --dry-run
install_easy: check tpws and nfqws options validity

v69.6

nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
init.d: unify custom scripts for linux
init.d: new custom scripts : 20-fw-extra, 50-wg4all

v69.7

nfqws,tpws: --comment
nfqws: trash flood warning
winws: exclude empty outgoing ack packets in windivert filter

v69.8

winws: accept empty outgoing RST and FIN packets for conntrack needs
repo: lexra build

v69.9

init.d: exclude ipban from tpws redirection
macos: fix install_easy
macos: fix national decimal separator in sleep
ipset: scripts maintenance

v70

blockcheck: override all dialog questions and enable batch mode
blockcheck: parallel attempts
nfqws: weaken wireguard initiation recognition. use len=148 and data[0]=1 signature
nfqws: apply split+seqovl only to the first reasm fragment
install_easy: dnf packager support
nfqws,tpws: hostlist/ipset track not only file mod time but also file size
nfqws,tpws,ipset: return lists reload on HUP
nfqws,blockcheck: --dpi-desync-fake-tls-mod

v70.1

nfqws: --dpi-desync-fake-tls-mod=dupsid