Step one by Add Zapret

config_files/50-discord-media

@@ -0,0 +1,36 @@
+# this custom script runs desync to all discord media packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---dpi-desync=fake --dpi-desync-repeats=2}"
+DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"
+
+alloc_dnum DNUM_DISCORD_MEDIA
+alloc_qnum QNUM_DISCORD_MEDIA
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_DISCORD_MEDIA $NFQWS_OPT_DESYNC_DISCORD_MEDIA"
+	do_nfqws $1 $DNUM_DISCORD_MEDIA "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local DISABLE_IPV6=1
+	local port_range=$(replace_char - : $DISCORD_MEDIA_PORT_RANGE)
+	local f="-p udp --dport $port_range -m u32 --u32"
+	# this is simplified test to skip writing monstrous rule. instead of checking 64 bytes for zeroes only check 2 dwords for zero
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x52&&0>>22&0x3C@8=0x00010046&&0>>22&0x3C@16=0&&0>>22&0x3C@76=0" '' $QNUM_DISCORD_MEDIA
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local DISABLE_IPV6=1
+	local f="udp dport $DISCORD_MEDIA_PORT_RANGE udp length == 82 @ih,0,32 0x00010046 @ih,64,128 0x00000000000000000000000000000000 @ih,192,128 0x00000000000000000000000000000000 @ih,320,128 0x00000000000000000000000000000000 @ih,448,128 0x00000000000000000000000000000000"
+	nft_fw_nfqws_post "$f" '' $QNUM_DISCORD_MEDIA
+}

config_files/50-stun4all

@@ -0,0 +1,31 @@
+# this custom script runs desync to all stun packets
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---dpi-desync=fake --dpi-desync-repeats=2}"
+
+alloc_dnum DNUM_STUN4ALL
+alloc_qnum QNUM_STUN4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_STUN4ALL $NFQWS_OPT_DESYNC_STUN"
+	do_nfqws $1 $DNUM_STUN4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=28:65535&&0>>22&0x3C@12=0x2112A442&&0>>22&0x3C@8&0xC0000003=0" "$f 44>>16=28:65535&&52=0x2112A442&&48&0xC0000003=0" $QNUM_STUN4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length >= 28 @ih,32,32 0x2112A442 @ih,0,2 0 @ih,30,2 0"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_STUN4ALL
+}

config_files/50-wg4all

@@ -0,0 +1,32 @@
+# this custom script runs desync to all wireguard handshake initiation packets
+# NOTE: this works for original wireguard and may not work for 3rd party implementations such as xray
+# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake --dpi-desync-repeats=2}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+	do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	local f='-p udp -m u32 --u32'
+	fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	local f="udp length 156 @ih,0,32 0x01000000"
+	nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}

config_files/zapret

@@ -0,0 +1,57 @@
+
+config main 'config'
+	option run_on_boot '1'
+	option FWTYPE 'nftables'
+	option POSTNAT '1'
+	option FLOWOFFLOAD 'none'
+	option INIT_APPLY_FW '1'
+	option DISABLE_IPV4 '0'
+	option DISABLE_IPV6 '1'
+	option FILTER_TTL_EXPIRED_ICMP '1'
+	option MODE_FILTER 'hostlist'
+	option DISABLE_CUSTOM '0'
+	option WS_USER 'daemon'
+	option DAEMON_LOG_ENABLE '0'
+	option DAEMON_LOG_FILE '/tmp/zapret+<DAEMON_NAME>+<DAEMON_IDNUM>+<DAEMON_CFGNAME>.log'
+	option AUTOHOSTLIST_RETRANS_THRESHOLD '3'
+	option AUTOHOSTLIST_FAIL_THRESHOLD '3'
+	option AUTOHOSTLIST_FAIL_TIME '60'
+	option AUTOHOSTLIST_DEBUGLOG '0'
+	option NFQWS_ENABLE '1'
+	option DESYNC_MARK '0x40000000'
+	option DESYNC_MARK_POSTNAT '0x20000000'
+	option NFQWS_PORTS_TCP '80,443'
+	option NFQWS_PORTS_UDP '443'
+	option NFQWS_TCP_PKT_OUT '9'
+	option NFQWS_TCP_PKT_IN '3'
+	option NFQWS_UDP_PKT_OUT '9'
+	option NFQWS_UDP_PKT_IN '0'
+	option NFQWS_PORTS_TCP_KEEPALIVE '0'
+	option NFQWS_PORTS_UDP_KEEPALIVE '0'
+	option NFQWS_OPT '
+--filter-tcp=80 <HOSTLIST>
+--dpi-desync=fake,fakedsplit
+--dpi-desync-autottl=2
+--dpi-desync-fooling=badsum
+--new
+--filter-tcp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-google.txt
+--dpi-desync=fake,multidisorder
+--dpi-desync-split-pos=1,midsld
+--dpi-desync-repeats=11
+--dpi-desync-fooling=badsum
+--dpi-desync-fake-tls-mod=rnd,dupsid,sni=www.google.com
+--new
+--filter-udp=443 --hostlist=/opt/zapret/ipset/zapret-hosts-google.txt
+--dpi-desync=fake
+--dpi-desync-repeats=11
+--dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin
+--new
+--filter-udp=443 <HOSTLIST_NOAUTO>
+--dpi-desync=fake
+--dpi-desync-repeats=11
+--new
+--filter-tcp=443 <HOSTLIST>
+--dpi-desync=multidisorder
+--dpi-desync-split-pos=1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1
+'
+

config_files/zapret-hosts-user.txt

@@ -0,0 +1 @@
+test.com

universal_config_new_podkop.sh

@@ -491,7 +491,7 @@ checkPackageAndInstall "curl" "1"
 checkPackageAndInstall "unzip" "1"
 #checkPackageAndInstall "sing-box" "1"
 checkPackageAndInstall "opera-proxy" "1"
-checkPackageAndInstall "youtubeUnblock" "1"
+checkPackageAndInstall "zapret" "1"
 
 ###########
 manage_package "podkop" "enable" "stop"
@@ -533,9 +533,9 @@ if [ -z "$INSTALLED_VERSION" ]; then
 fi
 ###########
 
-opkg upgrade youtubeUnblock
-opkg upgrade luci-app-youtubeUnblock
-manage_package "youtubeUnblock" "enable" "start"
+opkg upgrade zapret
+opkg upgrade luci-app-zapret
+manage_package "zapret" "enable" "start"
 
 #проверяем установлени ли пакет dnsmasq-full
 if opkg list-installed | grep -q dnsmasq-full; then
@@ -553,11 +553,11 @@ uci set dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
 uci commit dhcp
 
 DIR="/etc/config"
-DIR_BACKUP="/root/backup3"
+DIR_BACKUP="/root/backup4"
 config_files="network
 firewall
 doh-proxy
-youtubeUnblock
+zapret
 dhcp
 dns-failsafe-proxy"
 URL="https://raw.githubusercontent.com/routerich/RouterichAX3000_configs/refs/heads/beta_zapret"
@@ -654,34 +654,29 @@ then
   uci commit firewall
 fi
 
-printf "\033[32;1mCheck work youtubeUnblock..\033[0m\n"
+printf "\033[32;1mCheck work zapret.\033[0m\n"
 #install_youtubeunblock_packages
-opkg upgrade youtubeUnblock
-opkg upgrade luci-app-youtubeUnblock
-manage_package "youtubeUnblock" "enable" "start"
-wget -O "/etc/config/youtubeUnblock" "$URL/config_files/youtubeUnblockSecond"
+opkg upgrade zapret
+opkg upgrade luci-app-zapret
+manage_package "zapret" "enable" "start"
+wget -O "/etc/config/zapret" "$URL/config_files/zapret"
 manage_package "podkop" "enable" "stop"
-service youtubeUnblock restart
+service zapret restart
 
-isWorkYoutubeUnBlock=0
+isWorkZapret=0
 
 curl -f -o /dev/null -k --connect-to ::google.com -L -H "Host: mirror.gcr.io" --max-time 120 https://test.googlevideo.com/v2/cimg/android/blobs/sha256:2ab09b027e7f3a0c2e8bb1944ac46de38cebab7145f0bd6effebfe5492c818b6
 
 # Проверяем код выхода
 if [ $? -eq 0 ]; then
-	printf "\033[32;1myoutubeUnblock well work...\033[0m\n"
-	cronTask="0 4 * * * service youtubeUnblock restart"
-	str=$(grep -i "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root)
+	printf "\033[32;1mzapret well work...\033[0m\n"
+	cronTask="0 4 * * * service zapret restart"
+	str=$(grep -i "0 4 \* \* \* service zapret restart" /etc/crontabs/root)
 	if [ -z "$str" ] 
 	then
-		echo "Add cron task auto reboot service youtubeUnblock..."
+		echo "Add cron task auto reboot service zapret..."
 		echo "$cronTask" >> /etc/crontabs/root
 	fi
-	isWorkYoutubeUnBlock=1
-else
-	manage_package "youtubeUnblock" "disable" "stop"
-	printf "\033[32;1myoutubeUnblock not work...\033[0m\n"
-	isWorkYoutubeUnBlock=0
 	str=$(grep -i "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root)
 	if [ ! -z "$str" ]
 	then
@@ -689,6 +684,25 @@ else
 		cp -f "/etc/crontabs/temp" "/etc/crontabs/root"
 		rm -f "/etc/crontabs/temp"
 	fi
+	isWorkZapret=1
+else
+	manage_package "zapret" "disable" "stop"
+	printf "\033[32;1mzapret not work...\033[0m\n"
+	isWorkZapret=0
+	str=$(grep -i "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root)
+	if [ ! -z "$str" ]
+	then
+		grep -v "0 4 \* \* \* service youtubeUnblock restart" /etc/crontabs/root > /etc/crontabs/temp
+		cp -f "/etc/crontabs/temp" "/etc/crontabs/root"
+		rm -f "/etc/crontabs/temp"
+	fi
+	str=$(grep -i "0 4 \* \* \* service zapret restart" /etc/crontabs/root)
+	if [ ! -z "$str" ]
+	then
+		grep -v "0 4 \* \* \* service zapret restart" /etc/crontabs/root > /etc/crontabs/temp
+		cp -f "/etc/crontabs/temp" "/etc/crontabs/root"
+		rm -f "/etc/crontabs/temp"
+	fi
 fi
 
 isWorkOperaProxy=0
@@ -925,30 +939,30 @@ else
 	isWorkWARP=0
 fi
 
-echo "isWorkYoutubeUnBlock = $isWorkYoutubeUnBlock, isWorkOperaProxy = $isWorkOperaProxy, isWorkWARP = $isWorkWARP"
+echo "isWorkZapret = $isWorkZapret, isWorkOperaProxy = $isWorkOperaProxy, isWorkWARP = $isWorkWARP"
 
-if [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] 
+if [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] 
 then
 	varByPass=1
-elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] 
+elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "1" ] 
 then
 	varByPass=2
-elif [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] 
+elif [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] 
 then
 	varByPass=3
-elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] 
+elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "1" ] && [ "$isWorkWARP" = "0" ] 
 then
 	varByPass=4
-elif [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] 
+elif [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] 
 then
 	varByPass=5
-elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] 
+elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] 
 then
 	varByPass=6
-elif [ "$isWorkYoutubeUnBlock" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] 
+elif [ "$isWorkZapret" = "1" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "1" ] 
 then
 	varByPass=7
-elif [ "$isWorkYoutubeUnBlock" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] 
+elif [ "$isWorkZapret" = "0" ] && [ "$isWorkOperaProxy" = "0" ] && [ "$isWorkWARP" = "0" ] 
 then
 	varByPass=8
 fi
@@ -966,12 +980,18 @@ messageComplete=""
 case $varByPass in
 1)
 	nameFileReplacePodkop="podkopNewNoYoutube"
-	printf  "\033[32;1mStop and disabled service 'ruantiblock'...\033[0m\n"
+	printf  "\033[32;1mStop and disabled service 'ruantiblock' and 'youtubeUnblock'...\033[0m\n"
 	manage_package "ruantiblock" "disable" "stop"
-	wget -O "/etc/config/youtubeUnblock" "$URL/config_files/youtubeUnblockSecond"
-	service youtubeUnblock restart
+	manage_package "youtubeUnblock" "disable" "stop"
+	wget -O "/etc/config/zapret" "$URL/config_files/zapret"
+	wget -O "/opt/zapret/ipset/zapret-hosts-user.txt" "$URL/config_files/zapret-hosts-user.txt"
+	wget -O "/opt/zapret/init.d/openwrt/custom.d/50-stun4all" "$URL/config_files/50-stun4all"
+	wget -O "/opt/zapret/init.d/openwrt/custom.d/50-wg4all" "$URL/config_files/50-wg4all"
+	chmod +x "/opt/zapret/init.d/openwrt/custom.d/50-stun4all"
+	chmod +x "/opt/zapret/init.d/openwrt/custom.d/50-wg4all"
+	service zapret restart
 	deleteByPassGeoBlockComssDNS
-	messageComplete="ByPass block for Method 1: AWG WARP + youtubeunblock + Opera Proxy...Configured completed..."
+	messageComplete="ByPass block for Method 1: AWG WARP + zapret + Opera Proxy...Configured completed..."
 	;;
 2)
 	nameFileReplacePodkop="podkopNew"