mirror of
https://github.com/bol-van/zapret.git
synced 2026-03-09 06:45:24 +00:00
autottl, datanoack, oob, postnat
This commit is contained in:
bol-van
@@ -337,19 +337,35 @@ pktws_ipt_prepare()
|
||||
# enable fragments
|
||||
IPT OUTPUT -f -j ACCEPT
|
||||
fi
|
||||
IPT POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
|
||||
IPT OUTPUT -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
|
||||
IPT INPUT -t mangle -p tcp --sport $1 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num $QNUM
|
||||
# enable everything generated by nfqws (works only in OUTPUT, not in FORWARD)
|
||||
# raw table may not be present
|
||||
IPT OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack
|
||||
;;
|
||||
nftables)
|
||||
nft add table inet $NFT_TABLE
|
||||
[ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ] && {
|
||||
nft "add chain inet $NFT_TABLE predefrag { type filter hook output priority -402; }"
|
||||
nft "add rule inet $NFT_TABLE predefrag meta nfproto ipv${IPV} exthdr frag exists notrack"
|
||||
}
|
||||
nft "add chain inet $NFT_TABLE premangle { type filter hook output priority -152; }"
|
||||
nft "add rule inet $NFT_TABLE premangle meta nfproto ipv${IPV} tcp dport $1 mark and 0x40000000 != 0x40000000 queue num $QNUM"
|
||||
# prenat
|
||||
# [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ] && {
|
||||
# nft "add chain inet $NFT_TABLE predefrag { type filter hook output priority -402; }"
|
||||
# nft "add rule inet $NFT_TABLE predefrag meta nfproto ipv${IPV} exthdr frag exists notrack"
|
||||
# }
|
||||
# nft "add chain inet $NFT_TABLE premangle { type filter hook output priority -152; }"
|
||||
# nft "add rule inet $NFT_TABLE premangle meta nfproto ipv${IPV} tcp dport $1 mark and 0x40000000 != 0x40000000 queue num $QNUM"
|
||||
# postnat. this is good because we need only output traffic
|
||||
nft "add chain inet $NFT_TABLE postnat { type filter hook output priority 102; }"
|
||||
nft "add rule inet $NFT_TABLE postnat meta nfproto ipv${IPV} tcp dport $1 mark and 0x40000000 != 0x40000000 queue num $QNUM"
|
||||
# for strategies with incoming packets involved (autottl)
|
||||
nft "add chain inet $NFT_TABLE prenat { type filter hook prerouting priority -102; }"
|
||||
nft "add rule inet $NFT_TABLE prenat meta nfproto ipv${IPV} tcp sport $1 ct original packets 1-1 queue num $QNUM"
|
||||
# enable everything generated by nfqws (works only in OUTPUT, not in FORWARD)
|
||||
nft "add chain inet $NFT_TABLE predefrag { type filter hook output priority -402; }"
|
||||
nft "add rule inet $NFT_TABLE predefrag meta nfproto ipv${IPV} mark and $DESYNC_MARK !=0 notrack"
|
||||
;;
|
||||
ipfw)
|
||||
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any $1 proto ip${IPV} out not diverted not sockarg
|
||||
# this redirects all incoming traffic to the port, do not use it in real life !
|
||||
IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} in not diverted not sockarg
|
||||
;;
|
||||
esac
|
||||
}
|
||||
@@ -358,7 +374,8 @@ pktws_ipt_unprepare()
|
||||
# $1 - port
|
||||
case "$FWTYPE" in
|
||||
iptables)
|
||||
IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
|
||||
IPT_DEL OUTPUT -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
|
||||
IPT_DEL INPUT -t mangle -p tcp --sport $1 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num $QNUM
|
||||
|
||||
IPT_DEL INPUT -p tcp --sport $1 ! --syn -j ACCEPT
|
||||
IPT_DEL OUTPUT -p tcp --dport $1 -m conntrack --ctstate INVALID -j ACCEPT
|
||||
@@ -367,6 +384,8 @@ pktws_ipt_unprepare()
|
||||
elif [ "$IPV" = 4 ]; then
|
||||
IPT_DEL OUTPUT -f -j ACCEPT
|
||||
fi
|
||||
# raw table may not be present
|
||||
IPT_DEL OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack
|
||||
;;
|
||||
nftables)
|
||||
nft delete table inet $NFT_TABLE 2>/dev/null
|
||||
@@ -556,9 +575,12 @@ test_has_split()
|
||||
{
|
||||
contains "$1" split || contains "$1" disorder
|
||||
}
|
||||
warn_md5sig()
|
||||
warn_fool()
|
||||
{
|
||||
echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.'
|
||||
case "$1" in
|
||||
md5sig) echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.' ;;
|
||||
datanoack) echo 'WARNING ! although datanoack fooling worked it breaks NAT and can only work with external IP. Additionally it may require nftables to work correctly.' ;;
|
||||
esac
|
||||
}
|
||||
pktws_check_domain_bypass()
|
||||
{
|
||||
@@ -615,11 +637,14 @@ pktws_check_domain_bypass()
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-ttl=$ttl $e && break
|
||||
test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-ttl=$ttl $e && break
|
||||
done
|
||||
f="badsum badseq md5sig"
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-autottl $e || {
|
||||
test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-autottl $e
|
||||
}
|
||||
f="badsum badseq md5sig datanoack"
|
||||
[ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2"
|
||||
for fooling in $f; do
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-fooling=$fooling $e && [ "$fooling" = "md5sig" ] && warn_md5sig
|
||||
test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-fooling=$fooling $e && [ "$fooling" = "md5sig" ] && warn_md5sig
|
||||
pktws_curl_test_update $1 $3 $s --dpi-desync-fooling=$fooling $e && warn_fool $fooling
|
||||
test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-fooling=$fooling $e && warn_fool $fooling
|
||||
done
|
||||
done
|
||||
[ "$IPV" = 6 ] && {
|
||||
@@ -657,19 +682,19 @@ tpws_check_domain_bypass()
|
||||
'--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384' ; do
|
||||
tpws_curl_test_update $1 $3 $s
|
||||
done
|
||||
for s2 in '' '--disorder'; do
|
||||
for s2 in '' '--disorder' '--oob'; do
|
||||
for s in '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' ; do
|
||||
tpws_curl_test_update $1 $3 $s $s2
|
||||
done
|
||||
done
|
||||
else
|
||||
for s2 in '' '--disorder'; do
|
||||
for s2 in '' '--disorder' '--oob'; do
|
||||
for pos in 1 2 3 4 5 10 50 100; do
|
||||
s="--split-pos=$pos"
|
||||
tpws_curl_test_update $1 $3 $s $s2 && break
|
||||
done
|
||||
done
|
||||
for s2 in '--tlsrec=sni' '--tlsrec=sni --split-pos=10' '--tlsrec=sni --split-pos=10 --disorder'; do
|
||||
for s2 in '--tlsrec=sni' '--tlsrec=sni --split-pos=10' '--tlsrec=sni --split-pos=10 --disorder' '--tlsrec=sni --split-pos=10 --oob'; do
|
||||
tpws_curl_test_update $1 $3 $s2 && [ "$FORCE" != 1 ] && break
|
||||
done
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user