From 226354db127db279bfd87b63a37efc02f9c3c452 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Wed, 13 Dec 2023 17:10:56 +0300
Subject: [PATCH] custom examples: refactor to use port overrides
---
 init.d/openwrt/custom-nfqws-quic4all | 4 +-
 init.d/openwrt/custom-nfqws-quic4all-complex | 65 --------------------
 init.d/openwrt/custom-tpws4http-nfqws4https | 8 +-
 init.d/sysv/custom-nfqws-quic4all | 4 +-
 init.d/sysv/custom-nfqws-quic4all-complex | 4 +-
 init.d/sysv/custom-tpws4http-nfqws4https | 8 +-
 6 files changed, 14 insertions(+), 79 deletions(-)
 delete mode 100644 init.d/openwrt/custom-nfqws-quic4all-complex
diff --git a/init.d/openwrt/custom-nfqws-quic4all b/init.d/openwrt/custom-nfqws-quic4all
index 4363d6c..ff8e9a9 100644
--- a/init.d/openwrt/custom-nfqws-quic4all
+++ b/init.d/openwrt/custom-nfqws-quic4all
@@ -28,7 +28,7 @@ zapret_custom_firewall()
 zapret_do_firewall_rules_ipt $1
- f="-p udp --dport 443"
+ f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
@@ -43,6 +43,6 @@ zapret_custom_firewall_nft()
 zapret_apply_firewall_rules_nft
- f="udp dport 443"
+ f="udp dport {$QUIC_PORTS}"
 nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
diff --git a/init.d/openwrt/custom-nfqws-quic4all-complex b/init.d/openwrt/custom-nfqws-quic4all-complex
deleted file mode 100644
index d9ecf52..0000000
--- a/init.d/openwrt/custom-nfqws-quic4all-complex
+++ /dev/null
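Review bot: The two rewritten `+ f=` lines now stand or fall on `QUIC_PORTS_IPT` and `QUIC_PORTS` being non-empty: with an empty value iptables is handed `-m multiport --dports` with no argument and nft is handed `udp dport {}`, both of which are rejected, so the QUIC desync rule is simply not installed — and if the fw helpers do not abort on a failed rule (this hunk does not show them), a config that predates these variables degrades silently instead of failing loudly. Since the previous behaviour was hard-wired 443, keep that as the fallback: `f="-p udp -m multiport --dports ${QUIC_PORTS_IPT:-443}"` and `f="udp dport {${QUIC_PORTS:-443}}"`. The same pattern recurs in the sysv copies below and deserves the same guard. Both `zapret_custom_firewall()` and `zapret_custom_firewall_nft()` open above their hunks.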
@@ -1,65 +0,0 @@
-# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
-# and also sends special fake on the first outgoing packet with short header and udp.length>600
-# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
-# need to add to config : NFQWS_OPT_DESYNC_QUIC_SHORT_HEADER="--dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-unknown-udp=/opt/zapret/files/fake/quic_short_header.bin --dpi-desync-cutoff=n2"
-# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-
-# this hack was first intended for TSPU but it appeared that it's overkill
-
-QNUM2=$(($QNUM+10))
-QNUM3=$(($QNUM+11))
-
-zapret_custom_daemons()
-{
- # stop logic is managed by procd
-
- local MODE_OVERRIDE=nfqws
- local opt
-
- start_daemons_procd
-
- opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
- run_daemon 100 $NFQWS "$opt"
-
- opt="--qnum=$QNUM3 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC_SHORT_HEADER"
- run_daemon 101 $NFQWS "$opt"
-}
-zapret_custom_firewall()
-{
- # $1 - 1 - run, 0 - stop
-
- local MODE_OVERRIDE=nfqws
- local f
- local first_packets_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:3"
- local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
- local udplen="-m length --length 601:1500"
- local short_header4="-m u32 --u32 0>>22&0x3C@8>>24&0xC0=0x40"
-
- zapret_do_firewall_rules_ipt $1
-
- f="-p udp --dport 443"
- fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
- # this for ipv4 only. do not have access to ipv6 enabled TSPU to test
- fw_nfqws_post $1 "$f $desync $udplen $short_header4" "" $QNUM3
-
-}
-zapret_custom_firewall_nft()
-{
- # stop logic is not required
-
- local MODE_OVERRIDE=nfqws
- local f
- local first_packets_only="ct original packets 1-3"
- local desync="mark and $DESYNC_MARK == 0"
- local udplen="udp length 601-1500"
- local short_header4="@th,64,2 1"
-
- zapret_apply_firewall_rules_nft
-
- f="udp dport 443"
- nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
- # this for ipv4 only. do not have access to ipv6 enabled TSPU to test
- nft_fw_nfqws_post "$f $desync $udplen $short_header4" "" $QNUM3
- # add flow offload exemption for the whole stream because we dont know when short_header rule triggers
- nft_add_flow_offload_exemption "$f" "" "QUIC exemption for complex TSPU hack"
-}
diff --git a/init.d/openwrt/custom-tpws4http-nfqws4https b/init.d/openwrt/custom-tpws4http-nfqws4https
index 8c82ad9..347232c 100644
--- a/init.d/openwrt/custom-tpws4http-nfqws4https
+++ b/init.d/openwrt/custom-tpws4http-nfqws4https
@@ -28,14 +28,14 @@ zapret_custom_firewall()
 local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 [ "$MODE_HTTP" = "1" ] && {
- f4="-p tcp --dport 80"
+ f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_tpws $1 "$f4" "$f6" $TPPORT
 }
 [ "$MODE_HTTPS" = "1" ] && {
- f4="-p tcp --dport 443 $first_packet_only"
+ f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
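Review bot: The two `+ f4=` lines take their port lists from `HTTP_PORTS_IPT` / `HTTPS_PORTS_IPT`, but nothing in the hunk says what shape those values must have, and `-m multiport --dports` is strict about it: a comma-separated list, ranges written `lo:hi`, at most 15 port specs (a range counts as two) — a space-separated or `80-90` value from a hand-edited config makes iptables reject the whole rule. A one-line comment above the first assignment would spare the next reader a trip to the config loader: `# *_PORTS_IPT: comma list for -m multiport ("80,8080"), ranges as lo:hi, max 15 specs`. If the header comment at the top of this file still presents the example as "tpws on 80, nfqws on 443", it should now mention that the ports follow the HTTP_PORTS/HTTPS_PORTS overrides. `zapret_custom_firewall()` opens above the hunk.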
@@ -50,14 +50,14 @@ zapret_custom_firewall_nft()
 local desync="mark and $DESYNC_MARK == 0"
 [ "$MODE_HTTP" = "1" ] && {
- f4="tcp dport 80"
+ f4="tcp dport {$HTTP_PORTS}"
 f6=$f4
 nft_filter_apply_ipset_target f4 f6
 nft_fw_tpws "$f4" "$f6" $TPPORT
 }
 [ "$MODE_HTTPS" = "1" ] && {
- f4="tcp dport 443 $first_packet_only"
+ f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 f6=$f4
 nft_filter_apply_ipset_target f4 f6
 nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
diff --git a/init.d/sysv/custom-nfqws-quic4all b/init.d/sysv/custom-nfqws-quic4all
index af0f719..a59c181 100644
--- a/init.d/sysv/custom-nfqws-quic4all
+++ b/init.d/sysv/custom-nfqws-quic4all
@@ -28,7 +28,7 @@ zapret_custom_firewall()
 zapret_do_firewall_rules_ipt $1
- f="-p udp --dport 443"
+ f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
@@ -43,6 +43,6 @@ zapret_custom_firewall_nft()
 zapret_apply_firewall_rules_nft
- f="udp dport 443"
+ f="udp dport {$QUIC_PORTS}"
 nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
diff --git a/init.d/sysv/custom-nfqws-quic4all-complex b/init.d/sysv/custom-nfqws-quic4all-complex
index 31c090e..d5450b1 100644
--- a/init.d/sysv/custom-nfqws-quic4all-complex
+++ b/init.d/sysv/custom-nfqws-quic4all-complex
@@ -37,7 +37,7 @@ zapret_custom_firewall()
 zapret_do_firewall_rules_ipt $1
- f="-p udp --dport 443"
+ f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 # this for ipv4 only. do not have access to ipv6 enabled TSPU to test
 fw_nfqws_post $1 "$f $desync $udplen $short_header4" "" $QNUM3
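Review bot: In the sysv custom-nfqws-quic4all-complex hunk the widened `$f` is not only used by the QNUM2 first-packets rule but, two lines later, by the QNUM3 short-header rule (`"$f $desync $udplen $short_header4"`), so the u32 short-header fake that was scoped to udp/443 now fires on every port in `QUIC_PORTS_IPT`, while the surrounding comments still only talk about IPv4 and say nothing about the port scope. That is presumably intended, but it is a silent widening of an experimental hack, so state it next to the reused filter: `# $f (all QUIC_PORTS_IPT ports) is shared with the short-header rule below`. Note also that `-m multiport` caps the list at 15 port specs, with a range counting as two, so an over-long override breaks both rules at once. `zapret_custom_firewall()` opens above the hunk and its closing brace is not shown.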
@@ -56,7 +56,7 @@ zapret_custom_firewall_nft()
 zapret_apply_firewall_rules_nft
- f="udp dport 443"
+ f="udp dport {$QUIC_PORTS}"
 nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 # this for ipv4 only. do not have access to ipv6 enabled TSPU to test
 nft_fw_nfqws_post "$f $desync $udplen $short_header4" "" $QNUM3
diff --git a/init.d/sysv/custom-tpws4http-nfqws4https b/init.d/sysv/custom-tpws4http-nfqws4https
index 9680c23..f0e33fc 100644
--- a/init.d/sysv/custom-tpws4http-nfqws4https
+++ b/init.d/sysv/custom-tpws4http-nfqws4https
@@ -28,14 +28,14 @@ zapret_custom_firewall()
 local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 [ "$MODE_HTTP" = "1" ] && {
- f4="-p tcp --dport 80"
+ f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_tpws $1 "$f4" "$f6" $TPPORT
 }
 [ "$MODE_HTTPS" = "1" ] && {
- f4="-p tcp --dport 443 $first_packet_only"
+ f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
@@ -50,14 +50,14 @@ zapret_custom_firewall_nft()
 local desync="mark and $DESYNC_MARK == 0"
 [ "$MODE_HTTP" = "1" ] && {
- f4="tcp dport 80"
+ f4="tcp dport {$HTTP_PORTS}"
 f6=$f4
 nft_filter_apply_ipset_target f4 f6
 nft_fw_tpws "$f4" "$f6" $TPPORT
 }
 [ "$MODE_HTTPS" = "1" ] && {
- f4="tcp dport 443 $first_packet_only"
+ f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 f6=$f4
 nft_filter_apply_ipset_target f4 f6
 nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM