Awesome Open Source

zapret v.48

English
-------
For english version refer to docs/readme.eng.txt

DPI. http(s), tcp, udp. VPN. embedded, openwrt. Linux, FreeBSD, OpenBSD, MacOS.

docs/quick_start.txt

DPI RST, http redirect. iptables RST. DPI RST. iptables. DPI, TCP.
DPI http, TCP. "GET / HTTP/1.1\r\nHost: kinozal.tv......" 2 : "GET ", "/ HTTP/1.1\r\nHost: kinozal.tv.....".
DPI "Host:" : "host:". "GET /" => "GET /". "Host: kinozal.tv." DPI.
DPI :
 https://habr.com/ru/post/335436
 https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf

linux
-----
1) DPI, RST. iptables. rutracker.
2) TCP. proxy, transparent proxy.
3) TCP. NFQUEUE, raw.
2, 3 : tpws, nfqws. iptables, nftables.

tcp transparent proxy :
 iptables -t nat -I PREROUTING -i <_> -p tcp --dport 80 -j DNAT --to 127.0.0.127:988
 iptables -t nat -I OUTPUT -o <_> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to 127.0.0.127:988
DNAT localhost OUTPUT. PREROUTING route_localnet :
 sysctl -w net.ipv4.conf.<_>.route_localnet=1
"-j REDIRECT --to-port 988" DNAT. transparent proxy ip.
route_localnet. 127.0.0.0/8 <_>. 127.0.0.1, iptables 127.0.0.1 lo. tpws IP 127.0.0.0/8, 127.0.0.127, lo IP.
 iptables -A INPUT ! -i lo -d 127.0.0.127 -j ACCEPT
 iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
owner tpws. tpws "tpws". tpws socks proxy. iptables, socks. transparent proxy, socks, transparent.

NFQUEUE :
 iptables -t mangle -I POSTROUTING -o <_> -p tcp --dport 80 -j NFQUEUE --queue-num 200 --queue-bypass
IP ipset zapret :
 iptables -t mangle -I POSTROUTING -o <_> -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass
DPI http, keep-alive :
 iptables -t mangle -I POSTROUTING -o <_> -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4 -m mark ! --mark 0x40000000/0x40000000 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass
mark, nfqws. connbytes 1:4, iptables mark.
(flow offloading, hardware nat, hardware acceleration), iptables. offloading netfilter. openwrt 4.14 : software flow offloading (SFO). SFO, iptables. SFO DNAT/REDIRECT (tpws). offloading. SFO, NFQUEUE flowtable. nfqws window size changing. Offload target iptables "FLOWOFFLOAD". offload. offload, tpws nfqws. openwrt offload. zapret offload openwrt.

ip6tables
---------
ip6tables, ipv4. DNAT --to :
 ip6tables -t nat -I OUTPUT -o <_> -p tcp --dport 80 -m owner ! --uid-owner tpws -j DNAT --to [::1]:988
route_localnet ipv6. DNAT localhost (::1) OUTPUT. PREROUTING DNAT global address, link local address. NFQUEUE.

nftables
--------
nftables : docs/nftables_notes.txt. nftables ip RAM. nftables. nft 1.0.2. nft. ubuntu 18.04, 4.15. 20.04.

* DNS.
* IP.
* TCP. squid. tcpip. Squid. squid. DPI. DPI IP, DPI. DPI.

nfqws
-----
NFQUEUE. BSD : dvtws (bsd.txt).
--debug=0|1 ; 1=
--daemon ;
--pidfile= ; PID
--user= ; uid
--uid=uid[:gid] ; uid
--qnum=N ; N
--bind-fix4 ; ipv4
--bind-fix6 ; ipv6
--wsize=[:] ; tcp window size SYN,ACK. scale_factor (!)
--wssize=[:] ; tcp window size. scale_factor 0. (conntrack !)
--wssize-cutoff=[n|d|s]N ; server window size (n), (d), sequence (s) N
--ctrack-timeouts=S:E:F[:U] ; conntrack SYN, ESTABLISHED, FIN, udp. 60:300:60:60
--hostcase ; "Host:" "host:".
--hostnospace ; "Host:" "User-Agent:"
--hostspell=HoST ; Host ("HOST" "HoSt"). --hostcase
--domcase ; Host: : TeSt.cOm
--dpi-desync=[,][, ; fwmark. default = 0x40000000
--dpi-desync-ttl= ; ttl
--dpi-desync-ttl6= ; ipv6 hop limit. ttl
--dpi-desync-fooling= ; none md5sig badseq badsum hopbyhop hopbyhop2
--dpi-desync-retrans=0|1 ; (fake,rst,rstack) 0(default)= 1= , 0.2
--dpi-desync-repeats= ; nfqws N
--dpi-desync-skip-nosni=0|1 ; 1(default)= dpi desync hostname SNI, ESNI
--dpi-desync-split-pos=<1..1500> ; (split*, disorder*)
--dpi-desync-badseq-increment= ; sequence number badseq. -10000
--dpi-desync-badack-increment= ; ack sequence number badseq. -66000
--dpi-desync-any-protocol=0|1 ; 0(default)= http request, tls clienthello 1=
--dpi-desync-fake-http= ; http dpi-desync=fake, w3.org
--dpi-desync-fake-tls= ; tls clienthello dpi-desync=fake, w3.org
--dpi-desync-fake-unknown= ; dpi-desync=fake, 256
--dpi-desync-fake-quic= ; QUIC Initial
--dpi-desync-fake-unknown-udp= ; udp dpi-desync=fake, 64
--dpi-desync-udplen-increment= ; udp udplen
--dpi-desync-cutoff=[n|d|s]N ; dpi desync (n), (d), sequence (s) N
--hostlist= ;
--hostlist-exclude= ;

--wsize. wsize. DPI. tcp 3-way handshake. "GET / ...", TLS ClientHello.
http, https (fake), (rst, rstack), (disorder), (split). fakeknown, fake. TCB desynchronization, TCB teardown. DPI.
TTL, tcp option "MD5 signature", sequence numbers.
* md5sig. md5 linux.
* badsum. NAT. NAT Linux. Linux. sysctl net.netfilter.nf_conntrack_checksum=1 : conntrack tcp udp state INVALID. iptables INVALID FORWARD. badsum. openwrt net.netfilter.nf_conntrack_checksum=0. nfqws, sysctl 0. nfqws. NAT, invalid packets. badsum. rx-checksum offload, badsum. mediatek. badsum, br-lan tcpdump. nfqws. badsum.
* badseq. DPI, sequence numbers. seq -10000. DPI seq. --dpi-desync-any-protocol, badseq increment 0x80000000. tcp window. badseq DPI http. DPI TLS badseq.
* TTL. DPI. ip exclude list. ttl md5sig. TTL. zapret-hosts-user-exclude.txt. TTL. DPI.
* hopbyhop ipv6. ipv6 extension header "hop-by-hop options". hopbyhop2 : 2. hop-by-hop. DPI hop-by-hop.
--dpi-desync-fooling. fake, rst, rstack. 0.2. DPI. dpi-desync-retrans=1 connbytes iptables.
disorder 2 :
 1. 2-
 2. 1-
 3. 1-
 4. 1-
2-. --dpi-desync-split-pos. 2. 1. DPI. DPI tcp.
disorder2. split disorder :
 1. 1-
 2. 1-
 3. 1-. 2-.
 4. 2-
split2. --wsize. disorder2 split2, ttl fooling.
hopbyhop, destopt, ipfrag1 (fooling !) : ipv6 "hop-by-hop options", "destination options", "fragment". DPI 0 next header ipv6 extension. tcp udp. DPI. 2-, "ipfrag1+ipfrag2". "hopbyhop,split2" tcp 2, hop-by-hop. "hopbyhop,ipfrag2" : ipv6,hop-by-hop,fragment,tcp/udp. "ipfrag1". "IP ".
DPI, ServerHello. ClientHello ACK, ACK sequence ClientHello+1. disorder (SACK), ACK. ACK SACK RST, DPI. RST ACK, DPI. DPI, ClientHello ServerHello. fake. ServerHello, ServerHello --wssize (conntrack). TLS 1.3. TLS 1.3. DPI. Host: http, SNI TLS ClientHello. gzip.
iptables :
 iptables -t mangle -I POSTROUTING -o <_> -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
DPI http keep-alive. https, http :
 iptables -t mangle -I POSTROUTING -o <_> -p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
 iptables -t mangle -I POSTROUTING -o <_> -p tcp --dport 80 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
mark. nfqws fwmark. nfqws, iptables mark connbytes. connbytes, mark.
--connbytes 1:4 :
 1 - 0-, wssize
 2 - 3- 3-way handshake
 3 -
 4 -
dpi-desync 3. 0. synack. 0 hostlist. 1- fake,rst,rstack. 2- disorder,disorder2,split,split2,ipfrag2. DPI. SYNACK geneva "TCB turnaround". DPI.
!!! NAT, DPI NAT. NAT. linux firewall, OUTPUT :
 -A OUTPUT -m state --state INVALID -j DROP
openwrt drop INVALID OUTPUT FORWARD. /etc/config/firewall :
 config zone
  option name 'wan'
  .........
  option masq_allow_invalid '1'
OUTPUT. /etc/firewall.user :
 iptables -D zone_wan_output -m comment --comment '!fw3' -j zone_wan_dest_ACCEPT
 ip6tables -D zone_wan_output -m comment --comment '!fw3' -j zone_wan_dest_ACCEPT
INVALID FORWARD LAN. SYN,ACK. synack, INVALID.
VM virtualbox vmware NAT nfqws. ttl. bridge.

CONNTRACK
nfqws tcp (conntrack). DPI. --wssize --dpi-desync-cutoff. conntrack : SYN,ESTABLISHED,FIN, sequence numbers. conntrack. SYN SYN,ACK. conntrack, iptables nfqws, connbytes. UDP. UDP. src_ip,src_port,dst_ip,dst_port. conntrack, sequence numbers. nfqws. --ctrack-timeouts.
--wssize tcp window. window size (TLS ClientHello). conntrack. wssize. linux connbytes, BSD. http(s) : http, TLS ClientHello. http(s), --wssize-cutoff. wssize. d data payload, s - relative sequence number, + 1. http request, TLS ClientHello, wssize, wssize-cutoff. ESTABLISHED --ctrack-timeouts. 5. nfqws. connbytes, ESTABLISHED.
conntrack SIGUSR1 nfqws : killall -SIGUSR1 nfqws. nfqws stdout.
SYN window size TCP extension "scaling factor". scaling factor, window size : 0=>1, 1=>2, 2=>4, ..., 8=>256, ... wssize scaling factor. Scaling factor. ServerHello, DPI, --wssize=1:6. scale_factor, window size. 64:0. DPI. --wssize hostlist. --wssize, DPI.
--dpi-desync-cutoff, dpi-desync. n,d,s --wssize-cutoff. --dpi-desync-any-protocol=1. conntrack. conntrack --dpi-desync-cutoff, dpi desync.

UDP
udp. udp, ip. UDP : fake,hopbyhop,destopt,ipfrag1,ipfrag2,udplen. fake,hopbyhop,destopt ipfrag2 udplen. udplen : udp --dpi-desync-udplen-increment. DPI. udp. QUIC Initial, --hostlist. --dpi-desync-any-protocol. conntrack udp. --dpi-desync-cutoff. conntrack udp 4- --ctrack-timeouts. fake stateful DPI. fake - 64. --dpi-desync-fake-unknown-udp.

IP. ipv4/ipv6. linux. tcp udp. 24 8, 8. Linux.
ipv4 : Linux ipv4, iptables OUTPUT.
ipv6 : conntrack. <4.16 : nf_conntrack, nf_defrag_ipv6. 4.16+. NOTRACK. blockcheck.sh. ip6table_raw raw_before_defrag=1. openwrt /etc/modules.d. iptables-legacy, iptables-nft. legacy, /etc/modprobe.d/ip6table_raw.conf :
 options ip6table_raw raw_before_defrag=1
ip6tables : update-alternatives --config ip6tables
iptables-nft. nft.c :
 { .name = "PREROUTING", .type = "filter", .prio = -300, /* NF_IP_PRI_RAW */ .hook = NF_INET_PRE_ROUTING, },
 { .name = "OUTPUT", .type = "filter", .prio = -300, /* NF_IP_PRI_RAW */ .hook = NF_INET_LOCAL_OUT, },
-300 -450. blockcheck.sh. nftables. netfilter hook. -401.
iptables NAT, NAT. MASQUERADE, NFQUEUE. nfqws source, NAT. src ip 192.168.x.x. iptables, nftables. 101.

tpws
----
tpws - transparent proxy.
--debug=0|1|2 ; output : 0(default)=, 1=, 2=
--daemon ;
--pidfile= ; PID
--user= ; uid
--uid=uid[:gid] ; uid
--bind-addr ; ipv4 ipv6 ; ipv6 link local : fe80::1%br-lan
--bind-linklocal=no|unwanted|prefer|force ; no : global ipv6 ; unwanted (default) : global, LL ; prefer : LL, global ; force : LL
--bind-iface4= ; ipv4 iface
--bind-iface6= ; ipv6 iface
--bind-wait-ifup= ; N
--bind-wait-ip= ; N IP (--bind-wait-ifup)
--bind-wait-ip-linklocal= ; --bind-wait-ip ; --bind-linklocal=unwanted : LL N ; --bind-linklocal=prefer : global address N
--bind-wait-only ; 0, 0.
--socks ; socks4/5 proxy
--no-resolve ; socks5
--port= ;
--maxconn= ;
--maxfiles= ; (setrlimit). (X*connections+16), X=6 tcp proxy mode, X=4 ; 1.5. maxfiles (X*connections)*1.5+16
--max-orphan-time= ; tpws (NAT, firewall, ...) ; linux ; tpws ; N. 5. 0
--local-rcvbuf= ; SO_RCVBUF client-proxy
--local-sndbuf= ; SO_SNDBUF client-proxy
--remote-rcvbuf= ; SO_RCVBUF proxy-target
--remote-sndbuf= ; SO_SNDBUF proxy-target
--skip-nodelay ; TCP_NODELAY. split.
--split-http-req=method|host ; http : (GET,POST) Host
--split-pos= ; -http. split-http-req http.
--split-any-protocol ; split-pos. http TLS ClientHello
--hostcase ; "Host:". "host:".
--hostspell=HoST ; Host ("HOST" "HoSt"). --hostcase
--hostdot ; "Host: kinozal.tv."
--hosttab ; "Host: kinozal.tv\t"
--hostnospace ; "Host:"
--hostpad= ; Host:
--domcase ; Host: : TeSt.cOm
--methodspace ; "GET /" => "GET /"
--methodeol ; "GET /" => "\r\nGET /"
--unixeol ; 0D0A 0A 0A
--hostlist= ; filename. 1. HUP. gzip. Host: http, SNI TLS ClientHello.
--hostlist-exclude= ;

http split-http-req split-pos. split-pos http TLS ClientHello. --split-any-protocol. (SNDBUF). TCP_NODELAY, send ip, ip. send. DPI. MSS, MTU. DPI, TCP. http. 2 send ip. tpws send, http(s).
tpws IP (32). --bind-iface*, --bind-addr. --bind-*. ipv4 --bind-addr "0.0.0.0", ipv6 "::". --bind-addr="" - ipv4 ipv6.
link local ipv6 (fe80::/8) :
 --bind-iface6 --bind-linklocal=no : fc00::/7
 --bind-iface6 --bind-linklocal=unwanted : fc00::/7, link local
 --bind-iface6 --bind-linklocal=prefer : link local, fc00::/7
 --bind-iface6 --bind-linklocal=force : link local
link-local address : --bind-iface6=fe80::aaaa:bbbb:cccc:dddd%iface-name
--bind-wait*, IP. ifup, IP. "X link local address". ip : --bind-addr=192.168.5.3 --bind-wait-ip=20
transparent, socks. rcvbuf sndbuf : setsockopt SO_RCVBUF SO_SNDBUF. tpws "tcp proxy mode". splice. TCP, DPI IP TCP. linux sysctl. tpws. tpws, socks. tpws (windows). 2. 4pda.ru.
"--socks" (1..1023). socks 4, 5. IP, tpws, localhost. socks5 (curl : --socks5-hostname ; firefox : socks_remote_dns=true). tpws. tpws. DoS tpws. tpws. --no-resolve tpws.
--hostpad= - Host:. 2K. http - 64K, http. DPI, TCP. bytes http. padding MTU, DPI, --split-, DPI. 4K 8K.
--skip-nodelay : MTU, MTU, tpws. VPN. MTU - 1. tcp proxy. IP.

IP
--
!!! nftables ipset-. RAM !!! 100K nfset 256 Mb. !!! iptables+ipset.
1) ipset/zapret-hosts-user.txt ; ipset/get_user.sh ; ipset/zapret-ip-user.txt IP.
get_reestr_* :
2) ipset/get_reestr_resolve.sh : rublacklist ip ipset/zapret-ip.txt.gz. IP. http "Host:" IP. mdig. RAM TMPDIR
3) ipset/get_reestr_ip.sh : IP ipset zapret/zapret6. RAM TMPDIR
4) ipset/get_reestr_combined.sh : IP https, DPI. IP https IP ipset ipban, ipset zapret. RAM TMPDIR
get_antifilter_* (antifilter.network, antifilter.download) :
5) ipset/get_antifilter_ip.sh : https://antifilter.download/list/ip.lst
6) ipset/get_antifilter_ipsmart.sh : https://antifilter.network/download/ipsmart.lst. ip.lst /32 /22, 64 Mb RAM
7) ipset/get_antifilter_ipsum.sh : https://antifilter.download/list/ipsum.lst. ip.lst /24, 64 Mb RAM
8) ipset/get_antifilter_ipresolve.sh : https://antifilter.download/list/ipresolve.lst. get_reestr_resolve IP, 64 Mb
9) ipset/get_antifilter_allyouneed.sh : https://antifilter.download/list/allyouneed.lst. ipsum.lst subnet.lst. 64 Mb RAM ipset.
2-9 : 1.
10) ipset/get_config.sh : GETLIST config, ipset nozapret/nozapret6.
RAM. wifi, 2. zapret-ip.txt zapret-ipban.txt .gz. GZIP_LISTS=0. 2, extroot.
ipset : ipset/create_ipset.sh. "no-update", ipset. ipset. create_ipset "no-update". "no-update". IP. ipset ip2net. IP. ip2net. ip2net C.
ipset/zapret-hosts-user-ipban.txt : ip ipset "ipban". proxy "redsocks" VPN.
IPV6 : ipv6, "6". zapret-ip.txt => zapret-ip6.txt ; ipset- zapret6 ipban6. antifilter ipv6.
IP. zapret-hosts-user-exclude.txt, zapret-ip-exclude.txt, zapret-ip-exclude6.txt. ipset- nozapret nozapret6. init, ipset. IP. zapret-hosts-user-exclude.txt : ipv4 ipv6.
FreeBSD. ipset/*.sh FreeBSD. ipset lookup ipfw. ipfw ipset ipv4, ipv6. LISTS_RELOAD. BSD PF. LISTS_RELOAD=-.

ip2net
------
ip2net : ipv4 ipv6 ip. stdin, stdout.
-4 ; ipv4
-6 ; ipv6
--prefix-length=min[-max] ; 22-30 (ipv4), 56-64 (ipv6)
--v4-threshold=mul/div ; ipv4 : mul/div. 3/4
--v6-threshold=N ; ipv6 :
ip : ip/prefix, ip1-ip2. stdout. ipset. ipset hash:net ip1-ip2 ip/prefix. ipfw FreeBSD ip/prefix, ip1-ip2. ip2net, IP. ipv4 (mul/div, 3/4), ipv6.
v6_threshold=2 prefix_length=32-64, ipv6 :
 1234:5678:aaaa::5
 1234:5678:aaaa::6
 1234:5678:aaac::5
: 1234:5678:aaa8::/45 /32. /45.
v6_threshold=4 :
 1234:5678:aaaa::5
 1234:5678:aaaa::6
 1234:5678:aaac::5
ip. prefix_length=56-64 :
 1234:5678:aaaa::/64
 1234:5678:aaac::5
ip2net. mul/div. 32 bit. 5000000/10000000. 1/2.

ipset tpws nfqws. include (--hostlist), exclude (--hostlist-exclude). 2. exclude list. include list. exclude. include. include, exclude.
2 include :
 ipset/zapret-hosts-users.txt.gz
 ipset/zapret-hosts-users.txt
 ipset/zapret-hosts.txt.gz
 ipset/zapret-hosts.txt
1 exclude :
 ipset/zapret-hosts-users-exclude.txt.gz
 ipset/zapret-hosts-users-exclude.txt
MODE_FILTER=hostlist nfqws tpws. include. exclude. zapret-hosts-users.txt. "ru" "*.ru". "*.ru".
ipset/get_reestr_hostlist.sh, ipset/get_antizapret_domains.sh - ipset/zapret-hosts.txt.gz. nfqws tpws. HUP. HUP. ipset HUP. ipset. tpws nfqws (http, tls, quic). RAM ! RAM oom.

DNS DPI. blockcheck.sh. DNS, DNS, DNS. : 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9. DNS DNS, dnscrypt. yandex 77.88.8.88 1253 udp tcp ; 53 77.88.8.88:1253 iptables/nftables. DNS. blockcheck.
blockcheck.sh : ./blockcheck.sh | tee /tmp/blockcheck.txt
DPI, /opt/zapret/config. DPI. DPI. curl. connection reset. blockcheck.sh. split 2-. 4-.

/opt/zapret/config. linux iptables nftables. linux nftables, nft. openwrt nftables firewall4.
FWTYPE=iptables
: tpws - tpws transparent ; tpws-socks - tpws socks localhost LAN (IFACE_LAN - OpenWRT). 988 ; nfqws - nfqws ; filter - ipset hostlist ; custom - init iptables
MODE=tpws
HTTP : MODE_HTTP=1
http tcp (http keepalive). nfqws. tpws http keepalive : MODE_HTTP_KEEPALIVE=0
HTTPS : MODE_HTTPS=1
: none - ; ipset - ipset- zapret/zapret6 ; hostlist -
MODE_FILTER=none
tpws : TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
nfqws DPI :
DESYNC_MARK=0x40000000
NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
nfqws http https ip 4,6 :
NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum"
NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
NFQWS_OPT_DESYNC_HTTPS6="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none"
- NFQWS_OPT_DESYNC_HTTP/NFQWS_OPT_DESYNC_HTTPS, NFQWS_OPT_DESYNC.
- NFQWS_OPT_DESYNC_HTTP6/NFQWS_OPT_DESYNC_HTTPS6, NFQWS_OPT_DESYNC_HTTP/NFQWS_OPT_DESYNC_HTTPS.
traffic offload (openwrt) : donttouch ; none ; software ; hardware
FLOWOFFLOAD=donttouch
GETLIST : install_easy.sh ip. get_config.sh (crontab, systemd timer).
ipv4 ipv6. "1".
#DISABLE_IPV4=1
DISABLE_IPV6=1
DNS mdig (1..100). DNS ?
MDIG_THREADS=30
/tmp.
TMPDIR=/opt/zapret/tmp
ipset- nfset-
SET_MAXELEM=262144
IPSET_OPT="hashsize 262144 maxelem 2097152"
ip. $1 = stdout. nfset.
IPSET_HOOK="/etc/zapret.ipset.hook"
dmesg. ipset, ipset. hashsize, ipset (create_ipset.sh). hashsize. hashsize, ipset. hashsize.
ip2net : ipv4 ipv6.
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
ipset/*.sh.
GZIP_LISTS=1
ip. ipset ipfw. BSD PF : pfctl -f /etc/pf.conf ; pfctl (FreeBSD, OpenBSD 6.8) : pfctl -Tl -f /etc/pf.conf ; "-" backend.
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
#LISTS_RELOAD=-
openwrt 'lan'. tpws :
OPENWRT_LAN="lan lan2 lan3"
INIT_APPLY_FW=1
init iptables. openwrt firewall3+iptables. openwrt :
IFACE_LAN=eth0
IFACE_WAN=eth1
zapret :
IFACE_LAN="eth0 eth1 eth2"

iptables zapret. iptables tpws nfqws. iptables :
 /opt/zapret/init.d/sysv/zapret start_fw
 /opt/zapret/init.d/sysv/zapret stop_fw
 /opt/zapret/init.d/sysv/zapret restart_fw
:
 /opt/zapret/init.d/sysv/zapret start_daemons
 /opt/zapret/init.d/sysv/zapret stop_daemons
 /opt/zapret/init.d/sysv/zapret restart_daemons
nftables. nf- "zapret". nftables : set-, lan, wan wan6. flow table ingress hook.
 /opt/zapret/init.d/sysv/zapret list_ifsets
set-, lan, wan wan6. linux : IFACE_LAN, IFACE_WAN. openwrt : lanif OPENWRT_LAN. lan wan ingress hook flow table.
 /opt/zapret/init.d/sysv/zapret reload_ifsets
set-.
 nft -t list table inet zapret
 /opt/zapret/init.d/sysv/zapret list_table
zapret :
 INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
 INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
 INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
 INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
config. nftables set-, ipban/ipban6. nfset-, zapret, zapret.

custom
------
custom shell include : /opt/zapret/init.d/sysv/custom, /opt/zapret/init.d/openwrt/custom :
 zapret_custom_daemons
 zapret_custom_firewall
 zapret_custom_firewall_nft
custom, "functions" "zapret". iptables. ipv6. {ip,nf}tables. openwrt sysv. sysv. $1 (0 1). openwrt procd. iptables nftables. iptables nftables.
custom-tpws4http-nfqws4https : tpws http, nfqws https. config.
custom-nfqws-quic4all : nfqws QUIC ipset/hostlist (ip - ipset nozapret). QUIC, white list ip vk.com.
custom-nfqws-quic4all-complex - custom-nfqws-quic4all. udp:443 quic short header >=601.

install_easy.sh (manual_setup.txt). OpenWRT, linux systemd, openrc, MacOS. ipset, curl (alpine), iptables, ip6tables. 99%. make. gcc, make, -dev. install_easy.sh make openwrt. WAN LAN. LAN WAN. tpws, LAN WAN. tpws : LAN, WAN. nfqws : WAN.
uninstall_easy.sh

openwrt
-------
zapret /tmp. : /tmp/zapret/install_easy.sh
/opt/zapret :
 config
 install_easy.sh
 uninstall_easy.sh
 install_bin.sh
 init.d/openwrt/*
 ipset/*
 binaries/< >/{tpws,nfqws,ip2net,mdig}
zapret tmp RAM : rm -r /tmp/zapret

Android
-------
nfqws tpws transparent proxy. tpws --socks. Android NFQUEUE. nfqws. ipset. ipset. tpws.
android /etc/passwd, --user. user id --uid. gid 3003 (AID_INET). permission denied. : --uid 1:3003 ; iptables : "! --uid-owner 1" "! --uid-owner tpws".
iptables tpws. : magisk : /data/adb/service.d ; supersu : /system/su.d
nfqws. uid (0x7FFFFFFF). power. suspend UID. UID. UID android power saving. wifi. suspend nfqueue linux. UID (--uid 1). android 8.1, mediatek.
tpws android. adb shell /data/local/tmp/ :
 mkdir /data/local/tmp/zapret
 adb push tpws /data/local/tmp/zapret
 chmod 755 /data/local/tmp/zapret /data/local/tmp/zapret/tpws
 chcon u:object_r:system_file:s0 /data/local/tmp/zapret/tpws

huawei
------
E3372, E8372, E5770. 2. vxworks, linux. 4pda telnet adb. E8372. offload-. linux. OUTPUT, FORWARD =>wan tcpdump. tpws. nfqueue. https://github.com/im-0/unfuck-nfqueue-on-e3372h, huawei open source. /proc/config.gz. unfuck_nfqueue.ko. NFQUEUE nfqws arm. offload- nfqws, tpws tcp proxy nfqws. NFQUEUE OUTPUT. connbytes.
/system/etc/autorun.sh. zapret, autorun.sh "&". sleep 5, iptables huawei.
tcp. curl :
 curl www.ru
 curl: (7) Failed to connect to www.ru port 80: Host is unreachable
EHOSTUNREACH (errno -113). tpws. tcpdump eth_x SYN, ICMP. TCP. SYN. tcp. tpws, tpws. tcp. conntrack. conntrack. hardware offload. tpws ip. ipset. files/huawei. arm, curl : https://github.com/bol-van/bins

FreeBSD, OpenBSD, MacOS
-----------------------
docs/bsd.txt

Windows (WSL)
-------------
tpws socks - windows 10, windows server WSL. WSL. tpws.
WSL : dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all
binaries/x86_64/tpws_wsl.tgz. : wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz
: wsl --exec /tpws --uid=1 --no-resolve --socks --bind-addr=127.0.0.1 --port=1080 <_>
socks 127.0.0.1:1080.
: wsl --unregister tpws
windows 10 build 19041 (20.04). Windows GoodByeDPI (nfqws).

PC, android. linux. upx segfault, upx.
 * shell
 *
 * r/w
 * -
 * cron
 * flow offload netfilter
 *
 * iptables (/usr/lib/iptables/lib*.so)
 * (ipset, curl)
 * sh
zapret. tpws -j REDIRECT 80. tpws. REDIRECT. NFQUEUE, ipset. User mode. r/w, entware. entware user-mode, /opt. sysv init script. entware. PATH.
Openwrt linux embedded devices :
 * root shell
 * r/w. openwrt. squashfs root (r/o), nvram. r/w. USB, unix. fat ntfs.
 * (extroot) (overlay)
 * opkg
 * flow offload
 * opkg
 * iptables, opkg
 *
 * SDK

socks5 : iptables+redsocks, iptables+iproute+vpn. redsocks openwrt : redsocks.txt. iproute+wireguard : wireguard_iproute_openwrt.txt.

VPS
---
VPS. VPS. VPS vpn. VPN. VPN __ __. VPN. DPI vpn IP, VPN. vpn VPN, DPI. VPS. VPS. VPS. : https://vps.today/ VPN (). VPS. Openvz : openvpn, wireguard, ipsec, kernel mode. kernel mode, linux. kvm, xen, hyper-v, vmware. VPN, "" IP. ssh socks proxy. linux.
