v1

Initial release

v2

nfqws : command line options change. now using standard getopt.
nfqws : added options for window size changing and "Host:" case change
ISP support : tested on mns.ru and beeline (corbina)
init scripts : rewritten init scripts for simple choise of ISP
create_ipset : now using 'ipset restore', it works much faster
readme : updated. now using UTF-8 charset.

v3

tpws : added transparent proxy (supports TPROXY and DNAT).
       can help when ISP tracks whole HTTP session, not only the beginning
ipset : added zapret-hosts-user.txt which contain user defined host names to be resolved
        and added to zapret ip list
ISP support : dom.ru support via TPROXY/DNAT
ISP support : successfully tested sknt.ru on 'domru' configuration
  other configs will probably also work, but cannot test
compile : openwrt compile howto

v4

tpws : added ability to insert extra space after http method : "GET /" => "GET  /"
ISP support : TKT support

v5

nfqws : ipv6 support in nfqws

v6

ipset : added "get_antizapret.sh"

v7

tpws : added ability to insert "." after Host: name

v8

openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user

v9

ipban : added ipban ipset. place domains banned by ip to zapret-hosts-user-ipban.txt
	these IPs must be soxified for both http and https
ISP support : tiera support
ISP support : added DNS filtering to ubuntu and debian scripts

v10

tpws : added split-pos option. split every message at specified position

v11

ipset : scripts optimizations

v12

nfqws : fix wrong tcp checksum calculation if packet length is odd and platform is big-endian

v13

added binaries

v14

change get_antizapret script to work with https://github.com/zapret-info/z-i/raw/master/dump.csv
filter out 192.168.*, 127.*, 10.* from blocked ips

v15

added --hostspell option to nfqws and tpws
ISP support : beeline now catches "host" but other spellings still work
openwrt/LEDE : changed init script to work with procd
tpws, nfqws : minor cosmetic fixes

v16

tpws: split-http-req=method : split inside method name, not after
ISP support : mns.ru changed split pos to 3 (got redirect page with HEAD req : curl -I ej.ru)

v17

ISP support : athome moved from nfqws to tpws because of instability and http request hangs
tpws : added options unixeol,methodeol,hosttab

v18

tpws,nfqws : added hostnospace option

v19

tpws : added hostlist option

v20

added ip2net. ip2net groups ips from iplist into subnets and reduces ipset size twice

v21

added mdig. get_reestr.sh is *real* again

v22

total review of init script logic
dropped support of older debian 7 and ubuntu 12/14 systems
install_bin.sh : auto binaries preparation
docs: readme review. some new topics added, others deleted
docs: VPN setup with policy based routing using wireguard
docs: wireguard modding guide

v23

major init system rewrite
openwrt : separate firewall include /etc/firewall.zapret
install_easy.sh : easy setup on openwrt, debian, ubuntu, centos, fedora, opensuse

v24

separate config from init scripts
gzip support in ipset/*.sh and tpws

v25

init : move to native systemd units
use links to units, init scripts and firewall includes, no more copying

v26

ipv6 support
tpws : advanced bind options

v27

tpws : major connection code rewrite. originally it was derived from not top quality example , with many bugs and potential problems.
next generation connection code uses nonblocking sockets. now its in EXPERIMENTAL state.

v28

tpws : added socks5 support
ipset : major RKN getlist rewrite. added antifilter.network support

v29

nfqws : DPI desync attack
ip exclude system

v30

nfqws : DPI desync attack modes : fake,rst

v31

nfqws : DPI desync attack modes : disorder,disorder2,split,split2.
nfqws : DPI desync fooling mode : badseq.  multiple modes supported

v32

tpws : multiple binds
init scripts : run only one instance of tpws in any case

v33

openwrt : flow offloading support
config : MODE refactoring

v34

nfqws : dpi-desync 2 mode combos
nfqws : dpi-desync without parameter no more supported. previously it meant "fake"
nfqws : custom fake http request and tls client hello

v35

limited FreeBSD and OpenBSD support

v36

full FreeBSD and OpenBSD support

v37

limited MacOS support

v38

MacOS easy install

v39

nfqws: conntrack, wssize

v40

init scripts : IFACE_LAN, IFACE_WAN now accept multiple interfaces
init scripts : openwrt uses now OPENWRT_LAN parameter to override incoming interfaces for tpws

v41

install_easy : openrc support

v42

blockcheck.sh

v43

nfqws: UDP desync with conntrack support (any-protocol only for now)

v44

nfqws: ipfrag

v45

nfqws: hop-by-hop ipv6 desync and fooling

v46

big startup script refactoring to support nftables and new openwrt snapshot builds with firewall4

v47

nfqws: QUIC initial decryption
nfqws: udplen, fakeknown dpi desync modes

v48

nfqws, tpws : multiple --hostlist and --hostlist-exclude support
launch system, ipset : no more list merging. all lists are passed separately to nfqws and tpws
nfqws : udplen fooling supports packet shrinking (negative increment value)

v49

QUIC support integrated to the main system and setup

v50

DHT protocol support.
DPI desync mode 'tamper' for DHT.
HEX string support in addition to binary files.

v51

tpws --tlsrec attack.

v52

autohostlist mode

v53

nfqws: tcp session reassemble for TLS ClientHello

v54

tpws: out of band send when splitting (--oob)
nfqws: autottl
nfqws: datanoack fooling
nftables: use POSTNAT path for tcp redirections to allow NAT-breaking strategies. use additional mark bit DESYNC_MARK_POSTNAT.

v55

tpws: incompatible oob parameter change. it doesn't take oob byte anymore. instead it takes optional protocol filter - http or tls.
  the same is done with disorder. oob byte can be specified in parameter --oob-data.
blockcheck: quick mode, strategy order optimizations, QUIC protocol support
nfqws: syndata desync mode

v56

tpws: mss fooling
tpws: multi thread resolver. eliminates blocks related to hostname resolve.

v57

tpws: --nosplice option
nfqws: postnat fixes
nfqws: --dpi-desync-start option
nfqws: packet delay for kyber TLS and QUIC
nfqws: --dpi-desync-retrans obsolete
nfqws: --qnum is mandatory, no more default queue 0

v58

winws

v59

tpws: --split-tls
tpws: --tlsrec=sniext
nfqws: --dpi-desync-split-http-req, --dpi-desync-split-tls. multi segment TLS support for split.
blockcheck: mdig dns cache

v60

blockcheck: port block test, partial ip block test
nfqws: seqovl split/disorder modes

v61

C code cleanups
dvtws: do not use raw sockets. use divert.
nfqws,tpws: detect TLS 1.2 ClientHello from very old libraries with SSL 3.0 version in record layer
nfqws,tpws: debug log to file and syslog
tpws: --connect-bind-addr option
tpws: log local endpoint (including source port number) for remote leg

v62:

tpws: connection close logic rewrite. tcp user timeout parameters for local and remote leg.
nfqws: multi-strategy

v63:

tpws: multi-strategy

v64:

blockcheck: warn if dpi bypass software is already running
blockcheck: TPWS_EXTRA, NFQWS_EXTRA
init.d: multiple custom scripts

v65:

init.d: dynamic number allocation for dnum,tpws_port,qnum
init.d: FW_EXTRA_PRE, FW_EXTRA_POST
init.d: zapret_custom_firewall_nft_flush
nfqws,tpws: l7proto and client ip:port info in autohostlist debug log
nfqws,tpws: user mode ipset filter support
nfqws,tpws: l7proto filter support
tpws: fixed MSS apply in transparent mode
nfqws: fixed autottl apply if desync profile changed
tpws,nfqws: fixed 100% cpu hang on gzipped list with comments
ipset: get_refilter_ipsum.sh , get_refilter_domain.sh

v66:

init.d: rewrite traffic interception and daemon launch parameters in config file. this break compatibility with old versions.
init.d: openwrt-minimal : tpws launch for low storage openwrt devices

v67:

mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH)
blockcheck: use DoH resolvers if DNS spoof is detected
blockcheck: restring fooling to testing domain's IPs
nfqws,tpws: internal hostlist deduplication to save RAM
nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP.
nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
nfqws,tpws: @<config_file> - read config from a file
config: <HOSTLIST_NOAUTO> marker
binaries: remove zapret-winws. add win32.
blockcheck, install_easy.sh: preserve user environment variables during elevation
blockcheck: do not require root if SKIP_PKTWS=1

v68:

readme.md : move russian version to markdown