mirror of
https://github.com/bol-van/zapret.git
synced 2024-12-23 14:53:18 +00:00
blockcheck: port and ip block tests
This commit is contained in:
parent
8a4eb6fc8f
commit
efc13032a1
215
blockcheck.sh
215
blockcheck.sh
@ -32,6 +32,8 @@ USER_AGENT=${USER_AGENT:-Mozilla}
|
|||||||
HTTP_PORT=${HTTP_PORT:-80}
|
HTTP_PORT=${HTTP_PORT:-80}
|
||||||
HTTPS_PORT=${HTTPS_PORT:-443}
|
HTTPS_PORT=${HTTPS_PORT:-443}
|
||||||
QUIC_PORT=${QUIC_PORT:-443}
|
QUIC_PORT=${QUIC_PORT:-443}
|
||||||
|
UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
|
||||||
|
[ "$CURL_VERBOSE" = 1 ] && CURL_CMD=1
|
||||||
|
|
||||||
HDRTEMP=/tmp/zapret-hdr.txt
|
HDRTEMP=/tmp/zapret-hdr.txt
|
||||||
|
|
||||||
@ -187,23 +189,23 @@ nft_has_nfq()
|
|||||||
}
|
}
|
||||||
return $res
|
return $res
|
||||||
}
|
}
|
||||||
|
mdig_vars()
|
||||||
mdig_resolve()
|
|
||||||
{
|
{
|
||||||
# $1 - ip version 4/6
|
# $1 - ip version 4/6
|
||||||
# $2 - hostname
|
# $2 - hostname
|
||||||
|
|
||||||
local hostvar=$(echo $2 | sed -e 's/[\.-]/_/g')
|
hostvar=$(echo $2 | sed -e 's/[\.-]/_/g')
|
||||||
local cachevar=DNSCACHE_${hostvar}_$1
|
cachevar=DNSCACHE_${hostvar}_$1
|
||||||
local countvar=${cachevar}_COUNT
|
countvar=${cachevar}_COUNT
|
||||||
local count n ip ips
|
|
||||||
eval count=\$${countvar}
|
eval count=\$${countvar}
|
||||||
if [ -n "$count" ]; then
|
}
|
||||||
n=$(random 0 $(($count-1)))
|
mdig_cache()
|
||||||
eval ip=\$${cachevar}_$n
|
{
|
||||||
echo $ip
|
# $1 - ip version 4/6
|
||||||
return 0
|
# $2 - hostname
|
||||||
else
|
local hostvar cachevar countvar count ip ips
|
||||||
|
mdig_vars "$@"
|
||||||
|
[ -n "$count" ] || {
|
||||||
# windows version of mdig outputs 0D0A line ending. remove 0D.
|
# windows version of mdig outputs 0D0A line ending. remove 0D.
|
||||||
ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)"
|
ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)"
|
||||||
[ -n "$ips" ] || return 1
|
[ -n "$ips" ] || return 1
|
||||||
@ -213,9 +215,77 @@ mdig_resolve()
|
|||||||
count=$(($count+1))
|
count=$(($count+1))
|
||||||
done
|
done
|
||||||
eval $countvar=$count
|
eval $countvar=$count
|
||||||
mdig_resolve "$@"
|
}
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
mdig_resolve()
|
||||||
|
{
|
||||||
|
# $1 - ip version 4/6
|
||||||
|
# $2 - hostname
|
||||||
|
|
||||||
|
local hostvar cachevar countvar count ip n
|
||||||
|
mdig_vars "$@"
|
||||||
|
if [ -n "$count" ]; then
|
||||||
|
n=$(random 0 $(($count-1)))
|
||||||
|
eval ip=\$${cachevar}_$n
|
||||||
|
echo $ip
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
mdig_cache "$@" && mdig_resolve "$@"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
mdig_resolve_all()
|
||||||
|
{
|
||||||
|
# $1 - ip version 4/6
|
||||||
|
# $2 - hostname
|
||||||
|
|
||||||
|
local hostvar cachevar countvar count ip ips n
|
||||||
|
mdig_vars "$@"
|
||||||
|
if [ -n "$count" ]; then
|
||||||
|
n=0
|
||||||
|
while [ "$n" -le $count ]; do
|
||||||
|
eval ip=\$${cachevar}_$n
|
||||||
|
if [ -n "$ips" ]; then
|
||||||
|
ips="$ips $ip"
|
||||||
|
else
|
||||||
|
ips="$ip"
|
||||||
|
fi
|
||||||
|
n=$(($n + 1))
|
||||||
|
done
|
||||||
|
echo "$ips"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
mdig_cache "$@" && mdig_resolve_all "$@"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
netcat_setup()
|
||||||
|
{
|
||||||
|
[ -n "$NCAT" ] || {
|
||||||
|
if exists ncat; then
|
||||||
|
NCAT=ncat
|
||||||
|
elif exists nc; then
|
||||||
|
# busybox netcat does not support any required options
|
||||||
|
is_linked_to_busybox nc && return 1
|
||||||
|
NCAT=nc
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
|
||||||
|
}
|
||||||
|
netcat_test()
|
||||||
|
{
|
||||||
|
# $1 - ip
|
||||||
|
# $2 - port
|
||||||
|
local cmd
|
||||||
|
netcat_setup && {
|
||||||
|
cmd="$NCAT -z -w 1 $1 $2"
|
||||||
|
echo $cmd
|
||||||
|
$cmd
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
check_system()
|
check_system()
|
||||||
{
|
{
|
||||||
@ -458,13 +528,17 @@ hdrfile_location()
|
|||||||
tr -d '\015' <"$1" | sed -nre 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[ ]*([^ ]*)[ ]*$/\1/p'
|
tr -d '\015' <"$1" | sed -nre 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[ ]*([^ ]*)[ ]*$/\1/p'
|
||||||
}
|
}
|
||||||
|
|
||||||
curl_connect_to()
|
curl_with_subst_ip()
|
||||||
{
|
{
|
||||||
# $1 - ip version : 4/6
|
# $1 - domain
|
||||||
# $2 - domain name
|
# $2 - port
|
||||||
# $3 - port
|
# $3 - ip
|
||||||
local ip=$(mdig_resolve $1 $2)
|
# $4+ - curl params
|
||||||
[ -n "$ip" ] && echo "--connect-to $2::[$ip]${3:+:$3}"
|
local connect_to="--connect-to $1::[$3]${2:+:$2}" arg
|
||||||
|
shift ; shift ; shift
|
||||||
|
[ "$CURL_VERBOSE" = 1 ] && arg="-v"
|
||||||
|
[ "$CURL_CMD" = 1 ] && echo curl ${arg:+$arg }$connect_to "$@"
|
||||||
|
ALL_PROXY="$ALL_PROXY" curl ${arg:+$arg }$connect_to "$@"
|
||||||
}
|
}
|
||||||
curl_with_dig()
|
curl_with_dig()
|
||||||
{
|
{
|
||||||
@ -472,22 +546,37 @@ curl_with_dig()
|
|||||||
# $2 - domain name
|
# $2 - domain name
|
||||||
# $3 - port
|
# $3 - port
|
||||||
# $4+ - curl params
|
# $4+ - curl params
|
||||||
local connect_to="$(curl_connect_to $1 $2 $3)"
|
local dom=$2 port=$3
|
||||||
[ -n "$connect_to" ] || {
|
local ip=$(mdig_resolve $1 $dom)
|
||||||
echo "could not resolve ipv$1 $2"
|
|
||||||
return 6
|
|
||||||
}
|
|
||||||
shift ; shift ; shift
|
shift ; shift ; shift
|
||||||
|
if [ -n "$ip" ]; then
|
||||||
ALL_PROXY="$ALL_PROXY" curl $connect_to "$@"
|
curl_with_subst_ip $dom $port $ip "$@"
|
||||||
|
else
|
||||||
|
return 6
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
curl_probe()
|
||||||
|
{
|
||||||
|
# $1 - ip version : 4/6
|
||||||
|
# $2 - domain name
|
||||||
|
# $3 - port
|
||||||
|
# $4 - subst ip
|
||||||
|
# $5+ - curl params
|
||||||
|
local ipv=$1 dom=$2 port=$3 subst=$4
|
||||||
|
shift; shift; shift; shift
|
||||||
|
if [ -n "$subst" ]; then
|
||||||
|
curl_with_subst_ip $dom $port $subst "$@"
|
||||||
|
else
|
||||||
|
curl_with_dig $ipv $dom $port "$@"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
curl_test_http()
|
curl_test_http()
|
||||||
{
|
{
|
||||||
# $1 - ip version : 4/6
|
# $1 - ip version : 4/6
|
||||||
# $2 - domain name
|
# $2 - domain name
|
||||||
|
# $3 - subst ip
|
||||||
local code loc
|
local code loc
|
||||||
curl_with_dig $1 $2 $HTTP_PORT -SsD "$HDRTEMP" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
|
curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$HDRTEMP" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
|
||||||
code=$?
|
code=$?
|
||||||
rm -f "$HDRTEMP"
|
rm -f "$HDRTEMP"
|
||||||
return $code
|
return $code
|
||||||
@ -514,17 +603,19 @@ curl_test_https_tls12()
|
|||||||
{
|
{
|
||||||
# $1 - ip version : 4/6
|
# $1 - ip version : 4/6
|
||||||
# $2 - domain name
|
# $2 - domain name
|
||||||
|
# $3 - subst ip
|
||||||
|
|
||||||
# do not use tls 1.3 to make sure server certificate is not encrypted
|
# do not use tls 1.3 to make sure server certificate is not encrypted
|
||||||
curl_with_dig $1 $2 $HTTPS_PORT -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
|
curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
|
||||||
}
|
}
|
||||||
curl_test_https_tls13()
|
curl_test_https_tls13()
|
||||||
{
|
{
|
||||||
# $1 - ip version : 4/6
|
# $1 - ip version : 4/6
|
||||||
# $2 - domain name
|
# $2 - domain name
|
||||||
|
# $3 - subst ip
|
||||||
|
|
||||||
# force TLS1.3 mode
|
# force TLS1.3 mode
|
||||||
curl_with_dig $1 $2 $HTTPS_PORT -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
|
curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
|
||||||
}
|
}
|
||||||
|
|
||||||
curl_test_http3()
|
curl_test_http3()
|
||||||
@ -699,16 +790,42 @@ ws_kill()
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_domain_port_block()
|
||||||
|
{
|
||||||
|
# $1 - domain
|
||||||
|
# $2 - port
|
||||||
|
local ip ips
|
||||||
|
echo
|
||||||
|
echo \* port block tests ipv$IPV $1:$2
|
||||||
|
if netcat_setup; then
|
||||||
|
ips=$(mdig_resolve_all $IPV $1)
|
||||||
|
if [ -n "$ips" ]; then
|
||||||
|
for ip in $ips; do
|
||||||
|
if netcat_test $ip $2; then
|
||||||
|
echo $ip connects
|
||||||
|
else
|
||||||
|
echo $ip does not connect. netcat code $?
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
echo "ipv${IPV} $1 does not resolve"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo suitable netcat not found. busybox nc is not supported. pls install nmap ncat or openbsd netcat.
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
curl_test()
|
curl_test()
|
||||||
{
|
{
|
||||||
# $1 - test function
|
# $1 - test function
|
||||||
# $2 - domain
|
# $2 - domain
|
||||||
|
# $3 - subst ip
|
||||||
local code=0 n=0
|
local code=0 n=0
|
||||||
|
|
||||||
while [ $n -lt $REPEATS ]; do
|
while [ $n -lt $REPEATS ]; do
|
||||||
n=$(($n+1))
|
n=$(($n+1))
|
||||||
[ $REPEATS -gt 1 ] && printf "[attempt $n] "
|
[ $REPEATS -gt 1 ] && printf "[attempt $n] "
|
||||||
if $1 "$IPV" $2 ; then
|
if $1 "$IPV" $2 $3 ; then
|
||||||
[ $REPEATS -gt 1 ] && echo 'AVAILABLE'
|
[ $REPEATS -gt 1 ] && echo 'AVAILABLE'
|
||||||
else
|
else
|
||||||
code=$?
|
code=$?
|
||||||
@ -865,7 +982,7 @@ pktws_check_domain_http_bypass_()
|
|||||||
# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
|
# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
|
||||||
# $3 - domain
|
# $3 - domain
|
||||||
|
|
||||||
local tests='fake' ret ok ttls s f e desync pos fooling frag sec="$2" delta
|
local tests='fake' ret ok ttls s f e desync pos fooling frag sec="$2" delta hostcase
|
||||||
|
|
||||||
[ "$sec" = 0 ] && {
|
[ "$sec" = 0 ] && {
|
||||||
for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do
|
for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do
|
||||||
@ -1108,6 +1225,32 @@ tpws_check_domain_http_bypass()
|
|||||||
report_strategy $1 $3 tpws
|
report_strategy $1 $3 tpws
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_dpi_ip_block()
|
||||||
|
{
|
||||||
|
# $1 - test function
|
||||||
|
# $2 - domain
|
||||||
|
# $3 - port
|
||||||
|
|
||||||
|
local blocked_ip blocked_ips
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "- IP block tests (requires manual interpretation)"
|
||||||
|
|
||||||
|
unblocked_ip=$(mdig_resolve $IPV $UNBLOCKED_DOM)
|
||||||
|
[ -n "$unblocked_ip" ] || {
|
||||||
|
echo $UNBLOCKED_DOM does not resolve. tests not possible.
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
echo "testing $2 on $unblocked_ip ($UNBLOCKED_DOM)"
|
||||||
|
curl_test $1 $2 $unblocked_ip
|
||||||
|
|
||||||
|
blocked_ips=$(mdig_resolve_all $IPV $2)
|
||||||
|
for blocked_ip in $blocked_ips; do
|
||||||
|
echo "testing $UNBLOCKED_DOM on $blocked_ip ($2)"
|
||||||
|
curl_test $1 $UNBLOCKED_DOM $blocked_ip
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
curl_has_reason_to_continue()
|
curl_has_reason_to_continue()
|
||||||
{
|
{
|
||||||
@ -1154,6 +1297,8 @@ check_domain_http_tcp()
|
|||||||
|
|
||||||
check_domain_prolog $1 $2 $4 || return
|
check_domain_prolog $1 $2 $4 || return
|
||||||
|
|
||||||
|
check_dpi_ip_block $1 $4 $2
|
||||||
|
|
||||||
[ "$SKIP_TPWS" = 1 ] || {
|
[ "$SKIP_TPWS" = 1 ] || {
|
||||||
echo
|
echo
|
||||||
tpws_check_domain_http_bypass $1 $3 $4
|
tpws_check_domain_http_bypass $1 $3 $4
|
||||||
@ -1620,7 +1765,11 @@ trap sigpipe PIPE
|
|||||||
for dom in $DOMAINS; do
|
for dom in $DOMAINS; do
|
||||||
for IPV in $IPVS; do
|
for IPV in $IPVS; do
|
||||||
configure_ip_version
|
configure_ip_version
|
||||||
[ "$ENABLE_HTTP" = 1 ] && check_domain_http $dom
|
[ "$ENABLE_HTTP" = 1 ] && {
|
||||||
|
check_domain_port_block $dom $HTTP_PORT
|
||||||
|
check_domain_http $dom
|
||||||
|
}
|
||||||
|
[ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_port_block $dom $HTTPS_PORT
|
||||||
[ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $dom
|
[ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $dom
|
||||||
[ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $dom
|
[ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $dom
|
||||||
[ "$ENABLE_HTTP3" = 1 ] && check_domain_http3 $dom
|
[ "$ENABLE_HTTP3" = 1 ] && check_domain_http3 $dom
|
||||||
|
@ -293,7 +293,7 @@ random()
|
|||||||
rs="$RANDOM$RANDOM$(date)"
|
rs="$RANDOM$RANDOM$(date)"
|
||||||
fi
|
fi
|
||||||
# shells use signed int64
|
# shells use signed int64
|
||||||
r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | head -c 17)
|
r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
|
||||||
echo $(( ($r % ($2-$1+1)) + $1 ))
|
echo $(( ($r % ($2-$1+1)) + $1 ))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user