From dba6078f2cd7f41ef5127b5d1c0e06744d7f1c62 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 14 Sep 2024 10:58:22 +0300 Subject: [PATCH] Update nftables to allow quic drop --- youtubeUnblock/files/luasrc/model/cbi/youtubeUnblock.lua | 4 +++- youtubeUnblock/files/nftables.d/537-youtubeUnblock.nft | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/youtubeUnblock/files/luasrc/model/cbi/youtubeUnblock.lua b/youtubeUnblock/files/luasrc/model/cbi/youtubeUnblock.lua index 8d5808a..916f224 100644 --- a/youtubeUnblock/files/luasrc/model/cbi/youtubeUnblock.lua +++ b/youtubeUnblock/files/luasrc/model/cbi/youtubeUnblock.lua @@ -13,7 +13,9 @@ o = s:option(ListValue, "faking_strategy", "faking strategy",
  • randseq specifies that random sequence/acknowledgemend random will be set. This option may be handled by provider which uses conntrack with drop on invalid conntrack state firewall rule enabled.
  • ttl specifies that packet will be invalidated after --faking-ttl=n hops. ttl is better but may cause issues if unconfigured.
  • pastseq is like randseq but sequence number is not random but references the packet sent in the past (before current).
  • -
  • tcp_check will invalidate faking packet with invalid checksum. May be handled and dropped by some providers/TSPUs.
  • +
  • tcp_check will invalidate faking packet with invalid checksum. May be handled and dropped by some providers/TSPUs.
  • +
  • md5sum will invalidate faking packet with invalid TCP md5sum. md5sum is a TCP option which is handled by the destination server but may be skipped by TSPU.
• + ]])
 o:value("pastseq", "pastseq")
 o:value("randseq", "randseq")
diff --git a/youtubeUnblock/files/nftables.d/537-youtubeUnblock.nft b/youtubeUnblock/files/nftables.d/537-youtubeUnblock.nft
index 6a49c14..a3a4687 100644
--- a/youtubeUnblock/files/nftables.d/537-youtubeUnblock.nft
+++ b/youtubeUnblock/files/nftables.d/537-youtubeUnblock.nft
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
-# This file
+# This file will be applied automatically for nftables
-add rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
+add chain inet fw4 youtubeUnblock { type filter hook postrouting priority mangle - 1; policy accept; }
+add rule inet fw4 youtubeUnblock meta l4proto { tcp, udp } th dport 443 ct original packets < 20 counter queue num 537 bypass
 insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept
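Review bot: The new help text documents md5sum and tcp_check as selectable faking strategies, but the option values visible in this hunk end at `o:value("randseq", "randseq")`; if no matching value is registered on this ListValue further down (outside the hunk), the description advertises a choice the form cannot submit, so please confirm that `o:value("md5sum", "md5sum")` and `o:value("tcp_check", "tcp_check")` exist. The removed and added tcp_check sentences read identically as rendered here, so that first added line appears to be a whitespace-only change and is worth checking in the raw patch. The s:option call that opens this long-bracket string starts before the hunk.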