mirror of
https://github.com/bol-van/zapret.git
synced 2024-12-23 06:42:34 +00:00
readme.eng update
This commit is contained in:
parent
5304a82dcd
commit
b41b8994bf
@ -7,7 +7,7 @@ The project is mainly aimed at the Russian audience to fight russian regulator n
Some features of the project are russian reality specific (such as getting list of sites
blocked by Roskomnadzor), but most others are common.
Mainly OpenWRT targeted but also supports traditional Linux, FreeBSD, OpenBSD, partially MacOS.
Mainly OpenWRT targeted but also supports traditional Linux, FreeBSD, OpenBSD, Windows, partially MacOS.
Most features are also supported in Windows.
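Review bot: adding Windows to the platform list in the first sentence makes the unchanged sentence two lines below, "Most features are also supported in Windows.", redundant and slightly contradictory: the list now says Windows is supported outright, while the next sentence says only most features are. Suggest dropping the second sentence or folding the qualification into the list, e.g. "traditional Linux, FreeBSD, OpenBSD, Windows (most features), partially MacOS." Minor: "MacOS" would be "macOS" if the vendor spelling is wanted.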
@ -386,9 +386,7 @@ Set up bridge networking.
### CONNTRACK
nfqws is equipped with minimalistic connection tracking system (conntrack)
It's enabled if some specific DPI circumvention methods are involved.
Currently these are `--wssize` and `--dpi-desync-cutoff` options.
It's used if some specific DPI circumvention methods are involved and helps to reassemble multi-packet requests.
Conntrack can track connection phase : SYN,ESTABLISHED,FIN , packet counts in both directions , sequence numbers.
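Review bot: removing the line that named `--wssize` and `--dpi-desync-cutoff` leaves this section with no concrete statement of which options switch conntrack on; the replacement "It's used if some specific DPI circumvention methods are involved and helps to reassemble multi-packet requests" tells the reader neither which methods nor where to look. Suggest keeping an explicit list of the options that enable conntrack (the two removed ones plus whatever the reassembly feature needs), or a pointer to the option reference. Minor: the unchanged line "nfqws is equipped with minimalistic connection tracking system (conntrack)" is missing its full stop, and "phase : SYN,ESTABLISHED,FIN , packet counts" has stray spaces around the punctuation.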
@ -462,8 +460,8 @@ Set conntrack timeouts appropriately.
### Reassemble
nfqws supports reassemble of TLS and QUIC ClientHello.
They can consist of multiple packets if kyber crypto is used (default from chromium 124).
Chromium randomizes TLS fingerprint. SNI can be in any packet.
They can consist of multiple packets if kyber crypto is used (default starting from chromium 124).
Chromium randomizes TLS fingerprint. SNI can be in any packet or in-between.
Stateful DPIs usually reassemble all packets in the request then apply block decision.
If nfqws receives a partial ClientHello it begins reassemble session. Packets are delayed until it's finished.
Then the first packet goes through desync using fully reassembled message. Other packets are sent
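Review bot: "SNI can be in any packet or in-between" is ambiguous. If the intent is that the server_name extension itself can be split across a packet boundary, say that explicitly, because that is the case the reassembly session described just below exists to handle and a reader will not guess it from "in-between". Style: "supports reassemble of TLS and QUIC ClientHello" reads better as "supports reassembly of TLS and QUIC ClientHello".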
@ -491,10 +489,14 @@ By default fake payload is 64 zeroes. Can be overriden using `--dpi-desync-fake-
### IP fragmentation
Modern network is very hostile to IP fragmentation. Fragmented packets are often not delivered or refragmented/reassembled on the way.
Modern network can be very hostile to IP fragmentation. Fragmented packets are often not delivered or refragmented/reassembled on the way.
Frag position is set independently for tcp and udp. By default 24 and 8, must be multiple of 8.
Offset starts from the transport header.
tcp fragments are almost always filtered. It's absolutely not suitable for arbitrary websites.
udp fragments have good chances to survive but not everywhere. It's good to assume success rate on QUIC between 50..75%.
Likely more with your VPS. Sometimes filtered by DDoS protection.
There are important nuances when working with fragments in Linux.
ipv4 : Linux allows to send ipv4 fragments but standard firewall rules in OUTPUT chain can cause raw send to fail.
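Review bot: the new "important nuances" paragraph names only one nuance and states it vaguely: "standard firewall rules in OUTPUT chain can cause raw send to fail" does not say which rules are meant or how the failure shows up (an error reported by nfqws, or fragments silently dropped), so a user who hits it cannot recognise it or know what to relax. Suggest naming the rule class and the symptom, and adding the ipv6 counterpart, since the paragraph is introduced as "nuances" and only "ipv4 :" follows. Grammar: "Linux allows to send ipv4 fragments" should be "Linux allows sending ipv4 fragments", and "ipv4 :" should drop the space before the colon. The softening of "is very hostile" to "can be very hostile" is fine.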