mirror of
https://github.com/bol-van/zapret.git
synced 2025-01-18 14:10:34 +05:00
127 lines
4.8 KiB
Plaintext
127 lines
4.8 KiB
Plaintext
# this file is included from init scripts
|
|
# change values here
|
|
|
|
# can help in case /tmp has not enough space
|
|
#TMPDIR=/opt/zapret/tmp
|
|
|
|
# redefine user for zapret daemons. required on Keenetic
|
|
#WS_USER=nobody
|
|
|
|
# override firewall type : iptables,nftables,ipfw
|
|
#FWTYPE=iptables
|
|
|
|
# options for ipsets
|
|
# maximum number of elements in sets. also used for nft sets
|
|
SET_MAXELEM=522288
|
|
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
|
|
# too large hashsize will waste lots of RAM
|
|
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
|
|
# dynamically generate additional ip. $1 = ipset/nfset/table name
|
|
#IPSET_HOOK="/etc/zapret.ipset.hook"
|
|
|
|
# options for ip2net. "-4" or "-6" auto added by ipset create script
|
|
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
|
|
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
|
|
# options for auto hostlist
|
|
AUTOHOSTLIST_RETRANS_THRESHOLD=3
|
|
AUTOHOSTLIST_FAIL_THRESHOLD=3
|
|
AUTOHOSTLIST_FAIL_TIME=60
|
|
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
|
|
AUTOHOSTLIST_DEBUGLOG=0
|
|
|
|
# number of parallel threads for domain list resolves
|
|
MDIG_THREADS=30
|
|
|
|
# ipset/*.sh can compress large lists
|
|
GZIP_LISTS=1
|
|
# command to reload ip/host lists after update
|
|
# comment or leave empty for auto backend selection : ipset or ipfw if present
|
|
# on BSD systems with PF no auto reloading happens. you must provide your own command
|
|
# set to "-" to disable reload
|
|
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
|
|
|
|
# override ports
|
|
#HTTP_PORTS=80-81,85
|
|
#HTTPS_PORTS=443,500-501
|
|
#QUIC_PORTS=443,444
|
|
|
|
# CHOOSE OPERATION MODE
|
|
# MODE : nfqws,tpws,tpws-socks,filter,custom
|
|
# nfqws : nfqws for dpi desync
|
|
# tpws : tpws transparent mode
|
|
# tpws-socks : tpws socks mode
|
|
# filter : no daemon, just create ipset or download hostlist
|
|
# custom : custom mode. should modify custom init script and add your own code
|
|
MODE=tpws
|
|
# apply fooling to http
|
|
MODE_HTTP=1
|
|
# for nfqws only. support http keep alives. enable only if DPI checks for http request in any outgoing packet
|
|
MODE_HTTP_KEEPALIVE=0
|
|
# apply fooling to https
|
|
MODE_HTTPS=1
|
|
# apply fooling to quic
|
|
MODE_QUIC=0
|
|
# none,ipset,hostlist,autohostlist
|
|
MODE_FILTER=none
|
|
|
|
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
|
|
# SUFFIX VARS define additional lower priority desync profile. it's required if MODE_FILTER=hostlist and strategy has hostlist-incompatible 0-phase desync methods (syndata,wssize)
|
|
DESYNC_MARK=0x40000000
|
|
DESYNC_MARK_POSTNAT=0x20000000
|
|
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum"
|
|
#NFQWS_OPT_DESYNC_SUFFIX="--dpi-desync=syndata"
|
|
#NFQWS_OPT_DESYNC_HTTP=""
|
|
#NFQWS_OPT_DESYNC_HTTP_SUFFIX="--dpi-desync=syndata"
|
|
#NFQWS_OPT_DESYNC_HTTPS=""
|
|
#NFQWS_OPT_DESYNC_HTTPS_SUFFIX="--wssize 1:6"
|
|
#NFQWS_OPT_DESYNC_HTTP6=""
|
|
#NFQWS_OPT_DESYNC_HTTP6_SUFFIX="--dpi-desync=syndata"
|
|
#NFQWS_OPT_DESYNC_HTTPS6=""
|
|
#NFQWS_OPT_DESYNC_HTTPS6_SUFFIX="--wssize 1:6"
|
|
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6"
|
|
#NFQWS_OPT_DESYNC_QUIC_SUFFIX=""
|
|
#NFQWS_OPT_DESYNC_QUIC6="--dpi-desync=hopbyhop"
|
|
#NFQWS_OPT_DESYNC_QUIC6_SUFFIX=""
|
|
|
|
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
|
# SUFFIX VARS define additional lower priority desync profile. it's required if MODE_FILTER=hostlist and strategy has hostlist-incompatible 0-phase desync methods (mss)
|
|
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
|
|
#TPWS_OPT_SUFFIX="--mss 88"
|
|
|
|
# openwrt only : donttouch,none,software,hardware
|
|
FLOWOFFLOAD=donttouch
|
|
|
|
# openwrt: specify networks to be treated as LAN. default is "lan"
|
|
#OPENWRT_LAN="lan lan2 lan3"
|
|
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
|
|
#OPENWRT_WAN4="wan vpn"
|
|
#OPENWRT_WAN6="wan6 vpn6"
|
|
|
|
# for routers based on desktop linux and macos. has no effect in openwrt.
|
|
# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
|
|
# or leave them commented if its not router
|
|
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
|
|
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
|
|
#IFACE_LAN=eth0
|
|
#IFACE_WAN=eth1
|
|
#IFACE_WAN6="ipsec0 wireguard0 he_net"
|
|
|
|
# should start/stop command of init scripts apply firewall rules ?
|
|
# not applicable to openwrt with firewall3+iptables
|
|
INIT_APPLY_FW=1
|
|
# firewall apply hooks
|
|
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
|
|
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
|
|
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
|
|
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
|
|
|
|
# do not work with ipv4
|
|
#DISABLE_IPV4=1
|
|
# do not work with ipv6
|
|
DISABLE_IPV6=1
|
|
|
|
# select which init script will be used to get ip or host list
|
|
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
|
|
# comment if not required
|
|
GETLIST=get_antifilter_ipsmart.sh
|