Merge branch 'zabbius-main'

CI workflow

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = 8
+tab_width = 8
+
+[*.yml]
+indent_style = space
+indent_size = 2

.github/workflows/build-ci.yml

@@ -0,0 +1,282 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '.editorconfig'
+      - '.gitignore'
+      - 'LICENSE'
+      - 'README.md'
+  workflow_dispatch:
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.gh.outputs.version }}
+      sha: ${{ steps.gh.outputs.sha }}
+    steps:
+      - name: GH
+        id: gh
+        env:
+          REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          echo "version=$(gh api repos/$REPO/releases/latest --jq '.tag_name' | sed 's/v//')" >> $GITHUB_OUTPUT
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            echo "sha=$(echo ${GITHUB_SHA::7})" >> $GITHUB_OUTPUT
+          else
+            echo "sha=$(gh api repos/$REPO/commits/main --jq '.sha[:7]')" >> $GITHUB_OUTPUT
+          fi
+
+  build-static:
+    needs: prepare
+    name: build ${{ matrix.arch }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # arch: [x86_64, x86, aarch64, armhf, armv7, ppc64le, s390x]
+        arch: [x86_64, x86, aarch64, armhf]
+        branch: [latest-stable]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up ccache
+        uses: actions/cache@v4
+        with:
+          path: ${{ github.workspace }}/.ccache
+          key: ccache-${{ matrix.arch }}-${{ github.run_id }}
+          restore-keys: ccache-${{ matrix.arch }}-
+
+      - name: Set up Alpine Linux for ${{ matrix.arch }}
+        uses: jirutka/setup-alpine@v1
+        with:
+          arch: ${{ matrix.arch }}
+          branch: ${{ matrix.branch }}
+          packages: >
+            bash build-base ccache coreutils findutils gawk git grep tar wget xz
+            autoconf automake libtool pkgconf linux-headers
+          shell-name: alpine.sh
+
+      - name: Build inside chroot
+        id: build
+        env:
+          ARCH: ${{ matrix.arch }}
+          CCACHE_DIR: ${{ github.workspace }}/.ccache
+          VERSION: ${{ needs.prepare.outputs.version }}
+          SHA: ${{ needs.prepare.outputs.sha }}
+        shell: alpine.sh {0}
+        run: |
+          case $ARCH in
+            x86_64)  PLATFORM=x86_64 ;;
+            x86)     PLATFORM=x86 ;;
+            aarch64) PLATFORM=arm64 ;;
+            armhf)   PLATFORM=arm ;;
+            *)       PLATFORM=$ARCH ;;
+          esac
+          make -j$(nproc) CC="ccache gcc -static-libgcc -static" || exit 1
+          strip -s build/youtubeUnblock
+          rm -rf youtubeUnblock || true
+          mkdir youtubeUnblock
+          cp build/youtubeUnblock youtubeUnblock
+          cp youtubeUnblock.service youtubeUnblock
+          cp README.md youtubeUnblock
+          tar -czvf youtubeUnblock-$VERSION-$SHA-$PLATFORM-static.tar.gz youtubeUnblock
+          ccache --show-stats
+
+      - name: Upload artifacts
+        if: steps.build.outcome == 'success'
+        uses: actions/upload-artifact@v4
+        with:
+          name: static-${{ matrix.arch }}
+          path: ./**/youtubeUnblock*.tar.gz
+
+  build-openwrt:
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        branch:
+          - openwrt-23.05
+        arch:
+          - aarch64_cortex-a53
+          - aarch64_cortex-a72
+          - aarch64_generic
+          - arm_arm1176jzf-s_vfp
+          - arm_arm926ej-s
+          - arm_cortex-a15_neon-vfpv4
+          - arm_cortex-a5_vfpv4
+          - arm_cortex-a7
+          - arm_cortex-a7_neon-vfpv4
+          - arm_cortex-a7_vfpv4
+          - arm_cortex-a8_vfpv3
+          - arm_cortex-a9
+          - arm_cortex-a9_neon
+          - arm_cortex-a9_vfpv3-d16
+          - arm_fa526
+          - arm_mpcore
+          - arm_xscale
+          - mips64_octeonplus
+          - mips_24kc
+          - mips_4kec
+          - mips_mips32
+          - mipsel_24kc
+          - mipsel_24kc_24kf
+          - mipsel_74kc
+          - mipsel_mips32
+          - x86_64
+    container:
+      image: openwrt/sdk:${{ matrix.arch }}-${{ matrix.branch }}
+      options: --user root
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: 'openwrt'
+
+      - name: Prepare build
+        env:
+          VERSION: ${{ needs.prepare.outputs.version }}
+          SHA: ${{ needs.prepare.outputs.sha }}
+        run: |
+          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION-$SHA/" youtubeUnblock/Makefile
+
+      - name: Build packages
+        id: build
+        env:
+          VERSION: ${{ needs.prepare.outputs.version }}
+          SHA: ${{ needs.prepare.outputs.sha }}
+        working-directory: /builder
+        run: |
+          echo "src-link youtubeUnblock $GITHUB_WORKSPACE" >> feeds.conf
+          cat feeds.conf
+          ./scripts/feeds update youtubeUnblock
+          ./scripts/feeds install -a -p youtubeUnblock
+          make defconfig
+          make package/youtubeUnblock/compile V=s
+          mv $(find ./bin -type f -name 'youtubeUnblock*.ipk') ./youtubeUnblock-$VERSION-$SHA-${{ matrix.arch }}-${{ matrix.branch }}.ipk
+
+      - name: Upload packages
+        if: steps.build.outcome == 'success'
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.branch }}-${{ matrix.arch }}
+          path: /builder/youtubeUnblock*.ipk
+          if-no-files-found: error
+
+  build-entware:
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+          - aarch64-3.10
+          - armv7-3.2
+          - mips-3.4
+          - mipsel-3.4
+          - x64-3.2
+    steps:
+      - name: Set up Entware docker container
+        run: |
+          git clone --depth 1 https://github.com/Entware/docker.git
+          docker build docker --pull --tag builder
+          docker volume create entware-home
+
+      - name: Restore Entware from cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: ~/entware
+          key: entware-${{ matrix.arch }}
+
+      - name: Load Entware from cache
+        if: steps.cache-restore.outputs.cache-hit == 'true'
+        run: |
+          docker run --rm --mount source=entware-home,target=/backup_vol -v ~/entware:/backup ubuntu tar -xf /backup/entware.tar -C /backup_vol
+          docker run --rm --mount source=entware-home,target=/home/me -w /home/me ubuntu bash -c 'cp -r ./backup_vol/* ./'
+          docker run --rm --mount source=entware-home,target=/home/me -w /home/me ubuntu bash -c 'chown -R 1000:1000 ./* ./'
+
+      - name: Build Entware
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        run: |
+          docker run --rm -i --mount source=entware-home,target=/home/me -w /home/me --name builder builder git clone --depth 1 https://github.com/Entware/Entware.git
+          docker run --rm -i --mount source=entware-home,target=/home/me -w /home/me/Entware --name builder builder make package/symlinks
+          docker run --rm -i --mount source=entware-home,target=/home/me -w /home/me/Entware --name builder builder cp -v configs/${{ matrix.arch }}.config .config
+          docker run --rm -i --mount source=entware-home,target=/home/me -w /home/me/Entware --name builder builder make -j$(nproc) toolchain/install
+          docker run --rm --mount source=entware-home,target=/backup_vol -v ~/entware:/backup ubuntu tar -cf /backup/entware.tar /backup_vol
+
+      - name: Save Entware to cache
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        id: cache-save
+        uses: actions/cache/save@v4
+        with:
+          path: ~/entware
+          key: entware-${{ matrix.arch }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: 'openwrt'
+
+      - name: Prepare build
+        env:
+          VERSION: ${{ needs.prepare.outputs.version }}
+          SHA: ${{ needs.prepare.outputs.sha }}
+        run: |
+          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION-$SHA/" youtubeUnblock/Makefile
+
+      - name: Build packages
+        id: build
+        run: |
+          echo "src-link youtubeUnblock /youtubeUnblock" | docker run --rm -i --mount source=entware-home,target=/home/me -v $GITHUB_WORKSPACE:/youtubeUnblock -w /home/me/Entware --name builder builder tee -a feeds.conf
+          docker run --rm -i --mount source=entware-home,target=/home/me -v $GITHUB_WORKSPACE:/youtubeUnblock -w /home/me/Entware --name builder builder ./scripts/feeds update youtubeUnblock
+          docker run --rm -i --mount source=entware-home,target=/home/me -v $GITHUB_WORKSPACE:/youtubeUnblock -w /home/me/Entware --name builder builder ./scripts/feeds install -a -p youtubeUnblock
+          echo "CONFIG_PACKAGE_youtubeUnblock=m" | docker run --rm -i --mount source=entware-home,target=/home/me -v $GITHUB_WORKSPACE:/youtubeUnblock -w /home/me/Entware --name builder builder tee -a .config
+          docker run --rm -i --mount source=entware-home,target=/home/me -v $GITHUB_WORKSPACE:/youtubeUnblock -w /home/me/Entware --name builder builder make package/youtubeUnblock/compile V=s
+
+      - name: Extract packages
+        if: steps.build.outcome == 'success'
+        shell: bash
+        env:
+          VERSION: ${{ needs.prepare.outputs.version }}
+          SHA: ${{ needs.prepare.outputs.sha }}
+        run: |
+          mkdir output
+          docker run --rm --user root -i --mount source=entware-home,target=/home/me -v $(pwd):/target -w /home/me/Entware --name builder builder find ./bin -type f -name 'youtubeUnblock*.ipk' -exec cp -v {} /target/output \;
+          rm -rf youtubeUnblock || true
+          mkdir youtubeUnblock
+          bash -c "cp -r ./output/* youtubeUnblock"
+          tar -czvf youtubeUnblock-$VERSION-$SHA-${{ matrix.arch }}-entware.tar.gz youtubeUnblock
+
+      - name: Upload packages
+        if: steps.build.outcome == 'success'
+        uses: actions/upload-artifact@v4
+        with:
+          name: entware-${{ matrix.arch }}
+          path: ./**/youtubeUnblock*-entware.tar.gz
+          if-no-files-found: error
+
+  pre-release:
+    if: github.event_name != 'pull_request' && github.ref_name == 'main'
+    needs: [build-static, build-openwrt, build-entware]
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - name: Upload assets
+        uses: slord399/action-automatic-releases@v1.0.1
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          automatic_release_tag: 'continuous'
+          prerelease: true
+          title: 'Development build'
+          files: |
+            ./**/youtubeUnblock*.ipk
+            ./**/youtubeUnblock*.tar.gz

.gitignore

@@ -4,3 +4,14 @@ build
 
 configure~
 
+# Kernel module files
+*.o
+.*
+*.mod.*
+*.mod
+modules.order
+Module.symvers
+*.so
+*.ko
+
+!/.github

Kbuild

@@ -0,0 +1,3 @@
+obj-m := ipt_YTUNBLOCK.o
+ipt_YTUNBLOCK-objs := iptk_YTUNBLOCK.o mangle.o
+ccflags-y := -std=gnu11 -Wno-unused-variable -DKERNEL_SPACE -DDEBUG

Makefile

@@ -1,91 +1,19 @@
-BUILD_DIR := $(CURDIR)/build
+USPACE_TARGETS := default all install uninstall dev run_dev
-DEPSDIR := $(BUILD_DIR)/deps
+KMAKE_TARGETS := kmake kload kunload kreload xmod xtclean
 
-CC := gcc
+.PHONY: $(USPACE_TARGETS) $(KMAKE_TARGETS) clean
-CCLD := $(CC)
+$(USPACE_TARGETS):
-LD := ld
+	@$(MAKE) -f uspace.mk $@
-CFLAGS:=-Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -Os
-LDFLAGS:=-L$(DEPSDIR)/lib -static
 
-LIBNFNETLINK_CFLAGS := -I$(DEPSDIR)/include
+$(KMAKE_TARGETS):
-LIBNFNETLINK_LIBS := -L$(DEPSDIR)/lib
+	@$(MAKE) -f kmake.mk $@
-LIBMNL_CFLAGS := -I$(DEPSDIR)/include
-LIBMNL_LIBS := -L$(DEPSDIR)/lib
-
-# PREFIX is environment variable, if not set default to /usr/local
-ifeq ($(PREFIX),)
-	PREFIX := /usr/local
-else
-	PREFIX := $(DESTDIR)
-endif
-
-export CC CCLD LD CFLAGS LDFLAGS LIBNFNETLINK_CFLAGS LIBNFNETLINK_LIBS LIBMNL_CFLAGS LIBMNL_LIBS
-
-APP:=$(BUILD_DIR)/youtubeUnblock
-
-SRCS := youtubeUnblock.c
-OBJS := $(SRCS:%.c=$(BUILD_DIR)/%.o)
-
-LIBNFNETLINK := $(DEPSDIR)/lib/libnfnetlink.a
-LIBMNL := $(DEPSDIR)/lib/libmnl.a
-LIBNETFILTER_QUEUE := $(DEPSDIR)/lib/libnetfilter_queue.a
-
-
-.PHONY: default all dev dev_attrs prepare_dirs
-default: all
-
-run_dev: dev
-	bash -c "sudo $(APP) 537"
-
-dev: dev_attrs all
-
-dev_attrs:
-	$(eval CFLAGS := $(CFLAGS) -DDEBUG -ggdb -g3)
-
-all: prepare_dirs $(APP)
-
-prepare_dirs:
-	mkdir -p $(BUILD_DIR)
-	mkdir -p $(DEPSDIR)
-
-$(LIBNFNETLINK):
-	cd deps/libnfnetlink && ./autogen.sh && ./configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--host=$(CROSS_COMPILE_PLATFORM),) --enable-static --disable-shared
-	$(MAKE) -C deps/libnfnetlink
-	$(MAKE) install -C deps/libnfnetlink
-	
-$(LIBMNL):
-	cd deps/libmnl && ./autogen.sh && ./configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--host=$(CROSS_COMPILE_PLATFORM),) --enable-static --disable-shared
-	$(MAKE) -C deps/libmnl
-	$(MAKE) install -C deps/libmnl
-
-$(LIBNETFILTER_QUEUE): $(LIBNFNETLINK) $(LIBMNL)
-	cd deps/libnetfilter_queue && ./autogen.sh && ./configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--host=$(CROSS_COMPILE_PLATFORM),) --enable-static --disable-shared
-	$(MAKE) -C deps/libnetfilter_queue
-	$(MAKE) install -C deps/libnetfilter_queue
-
-$(APP): $(OBJS) $(LIBNETFILTER_QUEUE) $(LIBMNL)
-	@echo 'CCLD $(APP)'
-	@$(CCLD) $(OBJS) -o $(APP) -L$(DEPSDIR)/lib -lmnl -lnetfilter_queue
-
-$(BUILD_DIR)/%.o: %.c $(LIBNETFILTER_QUEUE) $(LIBMNL)
-	@echo 'CC $@'
-	@$(CC) -c $(CFLAGS) $^ -o $@
-
-install: all
-	install -d $(PREFIX)/bin/
-	install -m 755 $(APP) $(PREFIX)/bin/
-	install -d $(PREFIX)/lib/systemd/system/
-	@cp youtubeUnblock.service $(BUILD_DIR)
-	@sed -i 's/$$(PREFIX)/$(subst /,\/,$(PREFIX))/g' $(BUILD_DIR)/youtubeUnblock.service
-	install -m 644 $(BUILD_DIR)/youtubeUnblock.service $(PREFIX)/lib/systemd/system/
-
-uninstall:
-	rm $(PREFIX)/bin/youtubeUnblock
-	rm $(PREFIX)/lib/systemd/system/youtubeUnblock.service
-	-systemctl disable youtubeUnblock.service
 
 clean:
-	rm -rf $(BUILD_DIR)
+	-@$(MAKE) -f uspace.mk clean
-	$(MAKE) distclean -C deps/libnetfilter_queue || true
+
-	$(MAKE) distclean -C deps/libmnl || true
+distclean: clean
-	$(MAKE) distclean -C deps/libnfnetlink || true
+	-@$(MAKE) -f uspace.mk distclean
+
+
+kclean:
+	-@$(MAKE) -f kmake.mk kclean

README.md

@@ -1,70 +1,280 @@
+- [youtubeUnblock](#youtubeunblock)
+  - [Configuration](#configuration)
+    - [OpenWRT pre configuration](#openwrt-pre-configuration)
+    - [Entware](#entware)
+    - [PC configuration](#pc-configuration)
+    - [Firewall configuration](#firewall-configuration)
+      - [nftables rules](#nftables-rules)
+      - [Iptables rules](#iptables-rules)
+  - [Check it](#check-it)
+  - [Flags](#flags)
+  - [Troubleshooting](#troubleshooting)
+    - [TV](#tv)
+    - [Troubleshooting EPERMS (Operation not permitted)](#troubleshooting-eperms-operation-not-permitted)
+  - [How it works:](#how-it-works)
+  - [How it processes packets](#how-it-processes-packets)
+  - [Compilation](#compilation)
+  - [OpenWRT case](#openwrt-case)
+    - [Building OpenWRT .ipk package](#building-openwrt-ipk-package)
+    - [Building with toolchain](#building-with-toolchain)
+
+
 # youtubeUnblock
-Bypasses Googlevideo detection systems that relies on SNI. The package is for Linux only. 
+
+Bypasses Deep Packet Inspection (DPI) systems that relies on SNI. The package is for Linux only. It is also fully compatible with routers running [OpenWRT](https://github.com/openwrt). 
+
+The program was primarily developed to bypass YouTube Outage in Russia, but it works good with other websites blocked by SNI. Adjust the list of websites via `--sni-domains` flag for the program.
+
+The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via Github Actions. The binaries of main branch are published in the [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous). Check out [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml) if you want to see all the binaries compiled ever. You should know the arcitecture of your hardware to use binaries. On OpenWRT you can check it with command `grep ARCH /etc/openwrt_release`.
+
+On both OpenWRT and Entware install the program with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o <destdir>`.
 
 For Windows use [GoodbyeDPI from ValdikSS](https://github.com/ValdikSS/GoodbyeDPI) (you can find how to use it for YouTube [here](https://github.com/ValdikSS/GoodbyeDPI/issues/378)) The same behavior is also implemented in [zapret package for linux](https://github.com/bol-van/zapret).
 
-## How it works:
+## Configuration
-Lets look from the DPIses side of view: All they have is ip and tcp information, higher-level data is encrypted. So from the IP header only IP address might be helpful for them. In tcp here is basically nothing. So they may handle IP addresses and process it. What's wrong? Google servers are on the way: It is very hard to handle all that infrastracture. One server may host multiple websites and it is very bad if them block, say Google Search trying to block googlevideo. But even if googlevideo servers have their own ip for only googlevideo purposes, here is a problem about how large is Google infrastracture and how much servers are here. The DPIs can't even parse normally all the servers, because each video may live on it's cache server. So what's else? Let's take a look at a TLS level. All information here is encrypted. All... Except hello messages! They are used to initialize handshake connections and hold tons of helpful information. If we talk about TLS v1.3, it is optimized to transfer as less information as possible unencrypted. But here is only one thing that may point us which domain the user wants to connect, the SNI extension. It transfers all domain names unencrypted. Exactly what we need! And DPIs may use this thing to detect google video connections and slow down them (In fact they are corrupting a tcp connection with bad packets).
 
-So we aims to somehow hide the SNI from them. How?
+### OpenWRT pre configuration
-- We can alter the SNI name in the tls packet to something else. But what's wrong with this? The server also uses SNI name for certificates. And if we change it, the server will return an invalid certificate which browser can't normally process, which may turn out to the MITM problem.
-- We can encrypt it. Here are a lot of investigations about SNI, but the server should support the technique. Also ISPs may block encrypted SNI. [Check this Wikipedia page](https://en.wikipedia.org/wiki/Server_Name_Indication)
-- So what else can we do with the SNI info? If we can't hide it, let's rely on DPIs weak spots. The DPI is an extremly high loaded machine that analyzes every single packet sent to the Internet. And every performance-impacted feature should be avoided for them. One of this features is IP packet fragmentation. We can split the packet in the middle of SNI message and post it. For DPI fragmentation involves too much overhead: they should store a very big mapping table which maps IP id, Source ip and Destination ip. Also note that some packets may be lost and DPI should support auto-clean of that table. So just imagine how much memory and CPU time will this cost for DPI. But fragments are ok for clients and hosts. And that's the base idea behind this package. I have to mention here that the idea isn't mine, I get in here after some research for this side. Here already was a solution for Windows, GoodbyeDPI. I just made an alternative for Linux.
 
-You may read further in an [yt-dlp issue page](https://github.com/yt-dlp/yt-dlp/issues/10443) and in [ntc party forum](https://ntc.party/t/%D0%BE%D0%B1%D1%81%D1%83%D0%B6%D0%B4%D0%B5%D0%BD%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B5%D0%B4%D0%BB%D0%B5%D0%BD%D0%B8%D0%B5-youtube-%D0%B2-%D1%80%D0%BE%D1%81%D1%81%D0%B8%D0%B8/8074).
+When you got the release package, you should install it. Go to your router interface and put it in via *System-Software-install_package* menu. Go to *System-Startup* menu, restart firewall and start **youtubeUnblock**. 
 
-## How it processes packets
+To make it work you should register an iptables rule and install required kernel modules. The list of modules depends on the version of OpenWRT and which firewall do you use (iptables or nftables). 
-When the packet is joining the queue, the application checks sni payload to be googlevideo (right how the DPIs do), segmentates/fragmentates (both TCP and IP fragmentation techniques are supported) and posts the packet. Note that it is impossible to post two fragmented packets from one netfilter queue verdict. Instead, the application drops an original packet and makes another linux raw socket to post the packets in the network. To escape infinity loops the socket marks outgoing packets and the application automatically accepts it.
 
-## Usage:
+The common dependency is
-Before compilation make sure `gcc`, `make`, `autoconf`, `automake`, `pkg-config` and `libtool` is installed. For Fedora `glibc-static` should be installed as well.
+ ```text
-Compile with `make`. Install with `make install`. The package include libnetfilter_queue, libnfnetlink and libmnl as static dependencies. The package requires linux-headers and kernel built with netfilter nfqueue support.
+ kmod-nfnetlink-queue
+ ``` 
+ but it is provided as dependency for another firewall packages. 
 
-You should also configure iptables for this to start working:
+So, if you are on **iptables** you should install: 
-```iptables -A OUTPUT -p tcp --dport 443 -j NFQUEUE --queue-num 537 --queue-bypass``` (or do ```nft add rule ip mangle OUTPUT tcp dport 443 counter queue num 537 bypass``` for nftables.)
+```text
-Here iptables serves every tcp packet, destinating port 443 for this userspace packet analyzer (via netfilter kernel module) queue-num may be any number from 0 to 65565. --queue-bypass allows traffic to pass if the application is down.
+kmod-ipt-nfqueue
+iptables-mod-nfqueue
+kmod-ipt-conntrack-extra
+iptables-mod-conntrack-extra
+```
+and of course, iptables user-space app should be available.
 
-Also tips to explicitly accept all important outgoing raw packets from youtubeUnblock from [Troubleshooting EPERMS](https://github.com/Waujito/youtubeUnblock?tab=readme-ov-file#troubleshooting-eperms-operation-not-permitted) may be useful to avoid issues.
+On **nftables** the dependencies are: 
+```text
+kmod-nft-queue
+kmod-nf-conntrack
+```
 
-Run an application with `youtubeUnblock 537` where `537` stands for the queue-num (must be the same as in the iptables rule).
+Next step is to add required firewall rules. 
 
-Systemd daemon is also available. Do `systemctl enable --now youtubeUnblock.service` after installation (uses queue-num `537`). Please, note that systemd will configure iptables automatically. If you have troubles with it, delete ExecStartPre and ExecStop from youtubeUnblock.service and configure iptables manually (may be a useful case for nftables).
+For nftables on OpenWRT rules comes out-of-the-box and stored under `/usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft`. All you need is install requirements and do `/etc/init.d/firewall reload`. If no, go to [Firewall configuration](#firewall-configuration).
 
-If you don't want youtubeUnblock to log on each googlevideo request pass -DSILENT as CFLAGS.
+Now we are ready to demonize the application.
 
-Also DNS over HTTPS (DOH) is preferred for additional anonimity. 
+If you installed package from Github Actions or built it yourself with OpenWRT SDK, rc scripts are preinstalled. All you need is to do `/etc/init.d/youtubeUnblock start`.
+Elsewhere copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock` and put the program's binary into /usr/bin/. (Don't forget to `chmod +x` both). Now run `/etc/init.d/youtubeUnblock start`. 
+
+You can also run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart on boot, but I don't recommend this since if the package has bugs you may lose access to the router (I think you will be able to reset it with reset settings tricks documented for your router). 
+
+### Entware
+
+For Entware on Keenetic here is an [installation guide (russian)](https://help.keenetic.com/hc/ru/articles/360021214160-%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D1%8B-%D0%BF%D0%B0%D0%BA%D0%B5%D1%82%D0%BE%D0%B2-%D1%80%D0%B5%D0%BF%D0%BE%D0%B7%D0%B8%D1%82%D0%BE%D1%80%D0%B8%D1%8F-Entware-%D0%BD%D0%B0-USB-%D0%BD%D0%B0%D0%BA%D0%BE%D0%BF%D0%B8%D1%82%D0%B5%D0%BB%D1%8C). Note that if your Entware router is missing netfilter queue kernel modules, here is no way to deal with it since Entware does not offer kernel modules. You should probably try to install OpenWRT if the problem persist. You can check required modules with command `find /lib/modules/$(uname -r) -type f -name 'nfnetlink_queue.ko*'`. If that command return not null string, everything alright. All you need is to load the modules.
+
+To check whether the modules are loaded, do `lsmod | grep nfnetlink_queue`. If the program return nothing, you should load them manually. 
+```sh
+insmod /lib/modules/3.3.8/kernel/net/netfilter/nfnetlink_queue.ko
+insmod /lib/modules/3.3.8/kernel/net/netfilter/xt_NFQUEUE.ko
+```
+
+### PC configuration
+On local host make sure to change **FORWARD** to **OUTPUT** chain in the following Firewall rulesets.
+
+Copy `youtubeUnblock.service` to `/usr/lib/systemd/system` (you should change the path inside the file to the program position, for example `/usr/bin/youtubeUnblock`, also you may want to delete default iptables rule addition in systemd file to controll it manually). And run `systemctl start youtubeUnblock`.
+
+### Firewall configuration
+
+#### nftables rules
+
+On nftables you should put next nftables rules:
+```sh
+nft add rule inet fw4 mangle_forward tcp dport 443 ct original "packets < 20" counter queue num 537 bypass
+nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept
+```
+
+#### Iptables rules
+
+On iptables you should put next iptables rules:
+```sh
+iptables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
+iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
+```
+
+Note that above rules use *conntrack* to route only first 20 packets from the connection to **youtubeUnblock**. 
+If you got some troubles with it, for example **youtubeUnblock** doesn't detect YouTube, try to delete *connbytes* from the rules. But it is an unlikely behavior and you should probably check your ruleset.
+
+You can use `--queue-balance` with multiple instances of **youtubeUnblock** for performance. This behavior is supported via multithreading. Just pass `--threads=n` where n stands for an number of threads you want to be enabled. The n defaults to **1**. The maximum threads defaults to **16** but may be altered programmatically. Note, that if you are about to increase it, here is 100% chance that you are on the wrong way.
+
+Also [DNS over HTTPS](https://github.com/curl/curl/wiki/DNS-over-HTTPS) is preferred for additional anonymity. 
+
+## Check it
+
+Here is the command to test whether it working or not:
+```sh
+curl -o/dev/null -k --connect-to ::google.com -k -L -H Host:\ mirror.gcr.io https://test.googlevideo.com/v2/cimg/android/blobs/sha256:6fd8bdac3da660bde7bd0b6f2b6a46e1b686afb74b9a4614def32532b73f5eaa
+```
+
+It should return low speed without **youtubeUnblock** and faster with it. With **youtubeUnblock** the speed should be the same as fast with the next command:
+
+```sh
+curl -o/dev/null -k --connect-to ::google.com -k -L -H Host:\ mirror.gcr.io https://mirror.gcr.io/v2/cimg/android/blobs/sha256:6fd8bdac3da660bde7bd0b6f2b6a46e1b686afb74b9a4614def32532b73f5eaa
+```
+
+## Flags
+
+Available flags:
+
+- `--sni-domains=<comma separated domain list>|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults is `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled.
+
+- `--queue-num=<number of netfilter queue>` The number of netfilter queue **youtubeUnblock** will be linked to. Defaults to **537**.
+
+- `--fake-sni={0|1}` This flag enables fake-sni which forces **youtubeUnblock** to send at least three packets instead of one with TLS *ClientHello*: Fake *ClientHello*, 1st part of original *ClientHello*, 2nd part of original *ClientHello*. This flag may be related to some Operation not permitted error messages, so before open an issue refer to [Troubleshooting for EPERMS](#troubleshooting-eperms-operation-not-permitted). Defaults to **1**.
+
+- `--fake-sni-seq-len=<length>` This flag specifies **youtubeUnblock** to build a complicated construction of fake client hello packets. length determines how much fakes will be sent. Defaults to **1**.
+
+- `--faking-strategy={randseq|ttl|tcp_check|pastseq}` This flag determines the strategy of fake packets invalidation. Defaults to `randseq`
+  - `randseq` specifies that random sequence/acknowledgemend random will be set. This option may be handled by provider which uses *conntrack* with drop on invalid *conntrack* state firewall rule enabled. 
+  - `ttl` specifies that packet will be invalidated after `--faking-ttl=n` hops. `ttl` is better but may cause issues if unconfigured. 
+  - `pastseq` is like `randseq` but sequence number is not random but references the packet sent in the past (before current).
+  - `tcp_check` will invalidate faking packet with invalid checksum. May be handled and dropped by some providers/TSPUs.
+
+- `--faking-ttl=<ttl>` Tunes the time to live (TTL) of fake SNI messages. TTL is specified like that the packet will go through the DPI system and captured by it, but will not reach the destination server. Defaults to **8**.
+
+- `--frag={tcp,ip,none}` Specifies the fragmentation strategy for the packet. tcp is used by default. Ip fragmentation may be blocked by DPI system. None specifies no fragmentation. Probably this won't work, but may be will work for some fake sni strategies.
+
+- `--frag-sni-reverse={0|1}` Specifies **youtubeUnblock** to send *ClientHello* fragments in the reverse order. Defaults to **1**.
+
+- `--frag-sni-faked={0|1}` Specifies **youtubeUnblock** to send fake packets near *ClientHello* (fills payload with zeroes). Defaults to **0**.
+
+- `--frag-middle-sni={0|1}` With this options **youtubeUnblock** will split the packet in the middle of SNI data. Defaults to 1.
+
+- `--frag-sni-pos=<pos>` With this option **youtubeUnblock** will split the packet at the position pos. Defaults to 2.
+
+- `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Suitable for some TVs. Note, that for this option to work you should also add proxy udp to youtubeUnblock in firewall. `connbytes` may also be used with udp.
+
+- `--fk-winsize=<winsize>` Specifies window size for the fragmented TCP packet. Applicable if you want for response to be fragmented. May slowdown connection initialization.
+
+- `--sni-detection={parse|brute}` Specifies how to detect SNI. Parse will normally detect it by parsing the Client Hello message. Brute will go through the entire message and check possibility of SNI occurrence. Please note, that when `--sni-domains` option is not all brute will be O(nm) time complexity where n stands for length of the message and m is number of domains. Defaults to parse.
+
+- `--seg2delay=<delay>` This flag forces **youtubeUnblock** to wait a little bit before send the 2nd part of the split packet.
+
+- `--silent` Disables verbose mode.
+
+- `--trace` Maximum verbosity for debugging purposes.
+
+- `--no-gso` Disables support for Google Chrome fat packets which uses GSO. This feature is well tested now, so this flag probably won't fix anything.
+
+- `--threads=<threads number>` Specifies the amount of threads you want to be running for your program. This defaults to **1** and shouldn't be edited for normal use. If you have performance issues, consult [performance chaptr](https://github.com/Waujito/youtubeUnblock?tab=readme-ov-file#performance)
 
 ## Troubleshooting
-If you have any troubles with youtubeUnblock, here are some options to tune. If them don't work in your case, please, open an issue. You can pass these options in make CFLAGS (`make CFLAGS=...`) or edit CFLAGS variable in Makefile.
-Available flags:
-- -DUSE_SEG2_DELAY This flag forces youtubeUnblock to wait little bit before send the 2nd part of the split packet. You can tune the amount of time in `#define SEG2_DELAY 100` where 100 stands for milliseconds.
-- -DNO_FAKE_SNI This flag disables -DFAKE_SNI which forces youtubeUnblock to send at least three packets instead of one with TLS ClientHello: Fake ClientHello, 1st part of original ClientHello, 2nd part of original ClientHello. This flag may be related to some Operation not permitted error messages, so befor open an issue refer to FAQ for EPERMS.
-- -DNOUSE_GSO This flag disables fix for Google Chrome fat ClientHello. The GSO is well tested now, so this flag probably won't fix anything.
 
-If you are on Chromium you may have to disable kyber (the feature that makes the TLS ClientHello very fat). I've got the problem with it on router, so to escape possibly errors it is better to just disable it: in chrome://flags search for kyber and switch it to disabled state. 
+If you got troubles with some sites and you sure that they are blocked by SNI (youtube for example), use may play around with [flags](#flags) and their combinations. At first it is recommended to try `--faking-strategy` flag and `--frag-sni-faked=1`.
+If you have troubles with some sites being proxied, you can play with flags values. For example, for someone `--faking-strategy=ttl` works. You should specify proper `--fake-sni-ttl=<ttl value>` where ttl is the amount of hops between you and DPI.
+
+If you are on Chromium you may have to disable *kyber* (the feature that makes the TLS *ClientHello* very big). I've got the problem with it on router, so to escape possible errors, so it is better to disable it: in `chrome://flags` search for kyber and switch it to disabled state. Alternatively you may set `--sni-detection=brute` and probably adjust `--sni-domains` flag.
+
+If your browser is using QUIC it may not work properly. Disable it in Chrome in `chrome://flags` and in Firefox `network.http.http{2,3}.enable(d)` in `about:config` option.
+
+### TV
+
+Televisions are the biggest headache. 
+
+In [this issue](https://github.com/Waujito/youtubeUnblock/issues/59) the problem has been resolved. 
+
+If you have troubles with televisions try `--faking-strategy=ttl` flag and play around with `--faking-ttl=n`. See [#flags](#flags) for more details. Also you might be have to disable QUIC. To do it you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration:
+
+For **nftables** do
+```
+nft insert rule inet fw4 forward ip saddr 192.168.. udp dport 443 counter drop
+```
+
+For **iptables**
+```
+iptables -I OUTPUT --src 192.168.. -p udp --dport 443 -j DROP
+```
+
+Where you have to replace 192.168.. with ip of your television.
 
 ### Troubleshooting EPERMS (Operation not permitted)
-EPERM may occur in a lot of places but generally here are two: mnl_cb_run and when sending the packet via rawsocket (raw_frags_send and send fake sni).
+
-- mnl_cb_run Operation not permitted indicates that another instance of youtubeUnblock is running on the specified queue-num.
+*EPERM* may occur in a lot of places but generally here are two: *mnl_cb_run* and when sending the packet via *rawsocket* (raw_frags_send and send fake sni).
-- rawsocket Operation not permitted indicates that the packet is being dropped by nefilter rules. In fact this is a hint from the kernel that something wrong is going on and we should check the firewall rules. Before dive into the problem let's make it clean how the mangled packets are being sent. Nefilter queue provides us with the ability to mangle the packet on fly but that is not suitable for this program because we need to split the packet to at least two independent packets. So we are using [linux raw sockets](https://man7.org/linux/man-pages/man7/raw.7.html) which allows us to send any ipv4 packet. **The packet goes from the OUTPUT chain even when NFQUEUE is set up on FORWARD (suitable for OpenWRT).** So we need to escape packet rejects here.
+
+- **mnl_cb_run** *Operation not permitted* indicates that another instance of youtubeUnblock is running on the specified queue-num.
+
+- **rawsocket** *Operation not permitted* indicates that the packet is being dropped by nefilter rules. In fact this is a hint from the kernel that something wrong is going on and we should check the firewall rules. Before dive into the problem let's make it clean how the mangled packets are being sent. Nefilter queue provides us with the ability to mangle the packet on fly but that is not suitable for this program because we need to split the packet to at least two independent packets. So we are using [linux raw sockets](https://man7.org/linux/man-pages/man7/raw.7.html) which allows us to send any ipv4 packet. **The packet goes from the OUTPUT chain even when NFQUEUE is set up on FORWARD (suitable for OpenWRT).** So we need to escape packet rejects here.
     * raw_frags_send EPERM: just make sure outgoing traffic is allowed (RELATED,ESTABLISHED should work, if not, go to step 3)
     * send fake sni EPERM: Fake SNI is out-of-state thing and will likely corrupt the connection (the behavior is expected). conntrack considers it as an invalid packet. By default OpenWRT set up to drop outgoing packets like this one. You may delete nftables/iptables rule that drops packets with invalid conntrack state, but I don't recommend to do this. The step 3 is better solution.
     * Step 3, ultimate solution. Use mark (don't confuse with connmark). The youtubeUnblock uses mark internally to avoid infinity packet loops (when the packet is sent by youtubeUnblock but on next step handled by itself). Currently it uses mark (1 << 15) = 32768. You should put iptables/nftables that ultimately accepts such marks at the very start of the filter OUTPUT chain: `iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT` or `nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept`.
 
+## How it works:
+
+Let's look from the DPI systems side of view: All of they have an ip and tcp information, higher-level data is encrypted. So from the IP header only IP address might be helpful for them to limit user traffic. In TCP here is basically nothing. So they may handle IP addresses and process it. 
+
+What's wrong? Google servers are on the way: It is very hard to handle all that infrastructure. One server may host multiple websites and it is very bad if them blocks, for example, Google Search while trying to block YouTube (googlevideo). But even if YouTube servers have their own IP for only googlevideo purposes, here is a problem about how large is Google infrastracture and how much servers in it. The DPI systems can't even parse normally all the servers, because each video may live on its cache server [GGC](https://support.google.com/interconnect/answer/9058809?hl=en).
+
+So what's else? Let's take a look at a TLS level. All information here is encrypted. All... Except *ClientHello* messages! They are used to initialize handshake connections and hold tons of helpful information. If we talk about TLS version 1.3, it is optimized to transfer as less information as possible unencrypted. But here is only one thing that may point us which domain the user wants to connect, the SNI extension. It transfers all domain names unencrypted in plain text. Exactly what we need! And DPI systems may use this text to detect YouTube connections and slow down or reject them (In fact they are corrupting a TCP connection with bad packets).
+
+So we aim to somehow hide the SNI from them. How?
+
+- We can alter the SNI name in the tls packet to something else. But what's wrong with this? The server also uses SNI name for certificates (CN=). And if we change it, the server will return an invalid certificate which browser can't normally process, which may turn out to the MITM problem.
+
+- We can encrypt it. Here are a lot of investigations about SNI, but the server should support this technique. Also ISPs may block [encrypted SNI](https://en.wikipedia.org/wiki/Server_Name_Indication).
+
+- So what else can we do with the SNI info? If we can't hide it, let's rely on DPI systems weak spots. The DPI is an extremely high loaded infrastructure that analyzes every single packet sent to the Internet. And every performance-impacted feature should be avoided for them. One of this features is IP packet fragmentation. We can split the packet in the middle of SNI message and post it. For DPI fragmentation involves too much overhead: they should store a very big mapping table which maps IP id, Source ip and Destination ip. Also note that some packets may be lost and DPI should support auto-clean of that table. So just imagine how much memory and CPU time will this cost for DPI. But fragments are ok for clients and hosts. And that's the base idea behind this package. I have to mention here that the idea isn't mine, I get in here after some research for this side. Here already was a solution for Windows, GoodbyeDPI. I just made an alternative for Linux.
+
+You may read further in an [yt-dlp issue page](https://github.com/yt-dlp/yt-dlp/issues/10443) and in [ntc party forum](https://ntc.party/t/%D0%BE%D0%B1%D1%81%D1%83%D0%B6%D0%B4%D0%B5%D0%BD%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B5%D0%B4%D0%BB%D0%B5%D0%BD%D0%B8%D0%B5-youtube-%D0%B2-%D1%80%D0%BE%D1%81%D1%81%D0%B8%D0%B8/8074).
+
+## How it processes packets
+
+When the packet is joining the queue, the application checks SNI payload to be YouTube(googlevideo) (right how the DPI systems do), segmentate/fragmentates (both TCP and IP fragmentation techniques are supported) and posts the packet. Note that it is impossible to post two fragmented packets from one netfilter queue verdict. Instead, the application drops an original packet and makes another linux raw socket to post the packets in the network. To escape infinity loops the socket marks outgoing packets and the application automatically accepts it.
+
+## Compilation
+
+Before compilation make sure `gcc`, `make`, `autoconf`, `automake`, `pkg-config` and `libtool` is installed. For Fedora `glibc-static` should be installed as well.
+
+Compile with `make`. Install with `make install`. The package include `libnetfilter_queue`, `libnfnetlink` and `libmnl` as static dependencies. The package requires `linux-headers` and kernel built with netfilter nfqueue support.
+
 ## OpenWRT case
-The package is also compatible with routers. The router should be running by free opensource linux-based system such as [OpenWRT](https://openwrt.org/). You should cross-compile it under your host machine. Be ready for compilation errors and a lot of googling about it. It is not such a trivial process! You can get crosscompilation toolsuite compatible with your router from OpenWRT repositories. For example, I have ramips/mt76x8 based router so for me the toolsuite is on https://downloads.openwrt.org/releases/23.05.3/targets/ramips/mt76x8/ and called `openwrt-toolchain-23.05.3-ramips-mt76x8_gcc-12.3.0_musl.Linux-x86_64.tar.xz`. You can find out more about your router model on it's openwrt page. When you download the toolsuite, untar it somewhere. Now we are ready for compilation. My cross gcc asked me to create a staging dir for it and pass it as an environment variable. Also you should notice toolsuite packages and replace my make command with yours. ```STAGING_DIR=temp make CC=/usr/bin/mipsel-openwrt-linux-gcc LD=/usr/bin/mipsel-openwrt-linux-ld AR=/usr/bin/mipsel-openwrt-linux-ar OBJDUMP=/usr/bin/mipsel-openwrt-linux-objdump NM=/usr/bin/mipsel-openwrt-linux-nm STRIP=/usr/bin/mipsel-openwrt-linux-strip CROSS_COMPILE_PLATFORM=mipsel-buildroot-linux-gnu```. Take a look at `CROSS_COMPILE_PLATFORM` It is required by autotools but I think it is not necessary. Anyways I put `mipsel-buildroot-linux-gnu` in here. For your model may be an [automake cross-compile manual](https://www.gnu.org/software/automake/manual/html_node/Cross_002dCompilation.html) will be helpful. When compilation is done, the binary file will be in build directory. Copy it to your router. Note that an ssh access is likely to be required to proceed. sshfs don't work on my model so I injected the application to the router via Software Upload Package page. It has given me an error, but also a `/tmp/upload.ipk` file which I copied in root directory, `chmod +x`-ed and run.
 
-Now let's talk about a router configuration. I installed a normal iptables user-space app: `xtables-legacy iptables-zz-legacy` and kernel/iptables nfqueue extensions: `iptables-mod-nfqueue kmod-ipt-nfqueue` and add `iptables -t mangle -A FORWARD -p tcp -m tcp --dport 443 -j NFQUEUE --queue-num 537 --queue-bypass` rule. 
+The package is also compatible with routers. The router should be running by linux-based system such as [OpenWRT](https://openwrt.org/).
 
-If you prefer nftables, this should work: `nft add rule inet fw4 mangle_forward tcp dport 443 counter queue num 537 bypass`. Note that kmod-nft-queue should be installed.
+You can build under OpenWRT with two options: first - through the SDK, which is preferred way and second is cross-compile manually with OpenWRT toolchain.
 
-Also you can copy `owrt/537-youtubeUnblock.nft` to `/usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft` and run `/etc/init.d/firewall reload`. This will reload the nftables ruleset and automatically link 537-youtubeUnblock.nft with it.
+### Building OpenWRT .ipk package
 
-Next step is to daemonize the application in openwrt. Copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock` and put the program into /usr/bin/. (Don't forget to `chmod +x` both). Now run `/etc/init.d/youtubeUnblock start`. You can alo run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart the program on boot, but I don't recommend this since if the packet has bug you may lose access to the router (I think you will be able to reset it with reset settings tricks documented for your router). 
+OpenWRT provides a high-level SDK for the package builds. 
 
-## Performance 
+First step is to download or compile OpenWRT SDK for your specific platform. The SDK can be compiled according to [this tutorial](https://openwrt.org/docs/guide-developer/toolchain/using_the_sdk). 
-If you have bad performance you can queue to youtubeUnblock only first, say, 20 packets from the connection. To do so, use nftables conntrack packets counter: `nft add rule inet fw4 mangle_forward tcp dport 443 ct original "packets < 20" counter queue num 537 bypass`. For my 1 CPU core device it worked pretty well. This works because we do care about only first packets with ClientHello. We don't need to process others.
 
-The same behavior is also possible in iptables: `iptables -t mangle -A FORWARD -p tcp -m tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass`. (The package iptables-mod-conntrack-extra is required for connbytes on OpenWRT)
+Beside of raw source code of SDK, OpenWRT also offers precompiled SDKs for your router. You can find it on the router page. For example, I have ramips/mt76x8 based router so for me the sdk is on https://downloads.openwrt.org/releases/23.05.3/targets/ramips/mt76x8/ and called `openwrt-sdk-23.05.3-ramips-mt76x8_gcc-12.3.0_musl.Linux-x86_64`. 
 
-## If you have any questions/suggestions/problems feel free to open an issue.
+You will need to [install sdk requirements on your system](https://openwrt.org/docs/guide-developer/toolchain/install-buildsystem) If you have any problems, use docker ubuntu:24.04 image. Make sure to be a non-root user since some makesystem fails with it. Next, untar the SDK and cd into it. 
+
+Do 
+```sh
+echo "src-git youtubeUnblock https://github.com/Waujito/youtubeUnblock.git;openwrt" >> feeds.conf
+./scripts/feeds update youtubeUnblock
+./scripts/feeds install -a -p youtubeUnblock
+make package/youtubeUnblock/compile 
+```
+
+Now the packet is built and you can import it to the router. Find it in `bin/packages/<target>/youtubeUnblock/youtubeUnblock-<version>.ipk`. 
+
+### Building with toolchain
+
+The precompiled toolchain located near the SDK. For example it is called `openwrt-toolchain-23.05.3-ramips-mt76x8_gcc-12.3.0_musl.Linux-x86_64.tar.xz`. When you download the toolchain, untar it somewhere. Now we are ready for compilation. My cross gcc asked me to create a staging dir for it and pass it as an environment variable. Also you should notice toolsuite packages and replace my make command with yours. 
+
+```
+STAGING_DIR=temp make CC=/usr/bin/mipsel-openwrt-linux-gcc LD=/usr/bin/mipsel-openwrt-linux-ld AR=/usr/bin/mipsel-openwrt-linux-ar OBJDUMP=/usr/bin/mipsel-openwrt-linux-objdump NM=/usr/bin/mipsel-openwrt-linux-nm STRIP=/usr/bin/mipsel-openwrt-linux-strip CROSS_COMPILE_PLATFORM=mipsel-buildroot-linux-gnu
+```
+
+Take a look at `CROSS_COMPILE_PLATFORM` It is required by autotools but I think it is not necessary. Anyways I put `mipsel-buildroot-linux-gnu` in here. For your router model name maybe an [automake cross-compile manual](https://www.gnu.org/software/automake/manual/html_node/Cross_002dCompilation.html) will be helpful. 
+
+When compilation is done, the binary file will be in build directory. Copy it to your router. Note that a ssh access is likely to be required to proceed. *sshfs* don't work on my model so I injected the application to the router via *Software Upload Package* page. It has given me an error, but also a `/tmp/upload.ipk` file which I copied in root directory, `chmod +x` it and run.
+
+
+ >If you have any questions/suggestions/problems feel free to open an [issue](https://github.com/Waujito/youtubeUnblock/issues).

args.c

@@ -0,0 +1,408 @@
+#include "config.h"
+#include "raw_replacements.h"
+#include <stdbool.h>
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+struct config_t config = {
+	.threads = THREADS_NUM,
+	.frag_sni_reverse = 1,
+	.frag_sni_faked = 0,
+	.fragmentation_strategy = FRAGMENTATION_STRATEGY,
+	.faking_strategy = FAKING_STRATEGY,
+	.faking_ttl = FAKE_TTL,
+	.fake_sni = 1,
+	.fake_sni_seq_len = 1,
+	.frag_middle_sni = 1,
+	.frag_sni_pos = 2,
+
+	.sni_detection = SNI_DETECTION_PARSE,
+
+#ifdef SEG2_DELAY
+	.seg2_delay = SEG2_DELAY,
+#else
+	.seg2_delay = 0,
+#endif
+
+#ifdef USE_GSO
+	.use_gso = true,
+#else
+	.use_gso = false,
+#endif
+
+#ifdef DEBUG
+	.verbose = 1,
+#else
+	.verbose = 0,
+#endif
+
+	.domains_str = defaul_snistr,
+	.domains_strlen = sizeof(defaul_snistr),
+
+	.queue_start_num = DEFAULT_QUEUE_NUM,
+	.fake_sni_pkt = fake_sni_old,
+	.fake_sni_pkt_sz = sizeof(fake_sni_old) - 1, // - 1 for null-terminator
+};
+
+#define OPT_SNI_DOMAINS		1
+#define OPT_FAKE_SNI 		2
+#define OPT_FAKING_TTL		3
+#define OPT_FAKING_STRATEGY	10
+#define OPT_FAKE_SNI_SEQ_LEN	11
+#define OPT_FRAG    		4
+#define OPT_FRAG_SNI_REVERSE	12
+#define OPT_FRAG_SNI_FAKED	13
+#define OPT_FRAG_MIDDLE_SNI	18
+#define OPT_FRAG_SNI_POS	19
+#define OPT_FK_WINSIZE		14
+#define OPT_TRACE		15
+#define OPT_QUIC_DROP		16
+#define OPT_SNI_DETECTION	17
+#define OPT_SEG2DELAY 		5
+#define OPT_THREADS 		6
+#define OPT_SILENT 		7
+#define OPT_NO_GSO 		8
+#define OPT_QUEUE_NUM		9
+
+#define OPT_MAX OPT_FRAG_SNI_POS
+
+static struct option long_opt[] = {
+	{"help",		0, 0, 'h'},
+	{"version",		0, 0, 'v'},
+	{"sni-domains",		1, 0, OPT_SNI_DOMAINS},
+	{"fake-sni",		1, 0, OPT_FAKE_SNI},
+	{"fake-sni-seq-len",	1, 0, OPT_FAKE_SNI_SEQ_LEN},
+	{"faking-strategy",	1, 0, OPT_FAKING_STRATEGY},
+	{"faking-ttl",		1, 0, OPT_FAKING_TTL},
+	{"frag",		1, 0, OPT_FRAG},
+	{"frag-sni-reverse",	1, 0, OPT_FRAG_SNI_REVERSE},
+	{"frag-sni-faked",	1, 0, OPT_FRAG_SNI_FAKED},
+	{"frag-middle-sni",	1, 0, OPT_FRAG_MIDDLE_SNI},
+	{"frag-sni-pos",	1, 0, OPT_FRAG_SNI_POS},
+	{"fk-winsize",		1, 0, OPT_FK_WINSIZE},
+	{"quic-drop",		0, 0, OPT_QUIC_DROP},
+	{"sni-detection",	1, 0, OPT_SNI_DETECTION},
+	{"seg2delay",		1, 0, OPT_SEG2DELAY},
+	{"threads",		1, 0, OPT_THREADS},
+	{"silent",		0, 0, OPT_SILENT},
+	{"trace",		0, 0, OPT_TRACE},
+	{"no-gso",		0, 0, OPT_NO_GSO},
+	{"queue-num",		1, 0, OPT_QUEUE_NUM},
+	{0,0,0,0}
+};
+
+static long parse_numeric_option(const char* value) {
+	errno = 0;
+
+	if (*value == '\0') {
+		errno = EINVAL;
+		return 0;
+	}
+
+	char* end;
+	long result = strtol(value, &end, 10);
+	if (*end != '\0') {
+		errno = EINVAL;
+		return 0;
+	}
+
+	return result;
+}
+
+void print_version() {
+  	printf("youtubeUnblock\n");	
+	printf("Bypasses deep packet inspection systems that relies on SNI\n");
+	printf("\n");
+}
+
+void print_usage(const char *argv0) {
+	print_version();
+
+	printf("Usage: %s [ OPTIONS ] \n", argv0);
+	printf("Options:\n");
+	printf("\t--queue-num=<number of netfilter queue>\n");
+	printf("\t--sni-domains=<comma separated domain list>|all\n");
+	printf("\t--fake-sni={1|0}\n");
+	printf("\t--fake-sni-seq-len=<length>\n");
+	printf("\t--faking-ttl=<ttl>\n");
+	printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq}\n");
+	printf("\t--frag={tcp,ip,none}\n");
+	printf("\t--frag-sni-reverse={0|1}\n");
+	printf("\t--frag-sni-faked={0|1}\n");
+	printf("\t--frag-middle-sni={0|1}\n");
+	printf("\t--frag-sni-pos=<pos>\n");
+	printf("\t--fk-winsize=<winsize>\n");
+	printf("\t--quic-drop\n");
+	printf("\t--sni-detection={parse|brute}\n");
+	printf("\t--seg2delay=<delay>\n");
+	printf("\t--threads=<threads number>\n");
+	printf("\t--silent\n");
+	printf("\t--trace\n");
+	printf("\t--no-gso\n");
+	printf("\n");
+}
+
+int parse_args(int argc, char *argv[]) {
+  	int opt;
+	int optIdx;
+	long num;
+
+	while ((opt = getopt_long(argc, argv, "hv", long_opt, &optIdx)) != -1) {
+		switch (opt) {
+		case 'h':
+			print_usage(argv[0]);
+			goto stop_exec;
+		case 'v':
+			print_version();
+			goto stop_exec;
+		case OPT_TRACE:
+			config.verbose = 2;
+			break;
+		case OPT_SILENT:
+			config.verbose = 0;
+			break;
+		case OPT_NO_GSO:
+			config.use_gso = 0;
+			break;
+		case OPT_QUIC_DROP:
+			config.quic_drop = 1;
+			break;
+		case OPT_SNI_DOMAINS:
+			if (!strcmp(optarg, "all")) {
+				config.all_domains = 1;
+			}
+
+			config.domains_str = optarg;
+			config.domains_strlen = strlen(config.domains_str);
+			break;
+		case OPT_SNI_DETECTION:
+			if (strcmp(optarg, "parse") == 0) {
+				config.sni_detection = SNI_DETECTION_PARSE;
+			} else if (strcmp(optarg, "brute") == 0) {
+				config.sni_detection = SNI_DETECTION_BRUTE;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FRAG:
+			if (strcmp(optarg, "tcp") == 0) {
+				config.fragmentation_strategy = FRAG_STRAT_TCP;
+			} else if (strcmp(optarg, "ip") == 0) {
+				config.fragmentation_strategy = FRAG_STRAT_IP;
+			} else if (strcmp(optarg, "none") == 0) {
+				config.fragmentation_strategy = FRAG_STRAT_NONE;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FRAG_SNI_FAKED:
+			if (strcmp(optarg, "1") == 0) {
+				config.frag_sni_faked = 1;
+			} else if (strcmp(optarg, "0") == 0) {
+				config.frag_sni_faked = 0;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FRAG_SNI_REVERSE:
+			if (strcmp(optarg, "1") == 0) {
+				config.frag_sni_reverse = 1;
+			} else if (strcmp(optarg, "0") == 0) {
+				config.frag_sni_reverse = 0;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FRAG_MIDDLE_SNI:
+			if (strcmp(optarg, "1") == 0) {
+				config.frag_middle_sni = 1;
+			} else if (strcmp(optarg, "0") == 0) {
+				config.frag_middle_sni = 0;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FRAG_SNI_POS:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
+
+			config.frag_sni_pos = num;
+			break;
+		case OPT_FAKING_STRATEGY:
+			if (strcmp(optarg, "randseq") == 0) {
+				config.faking_strategy = FAKE_STRAT_RAND_SEQ;
+			} else if (strcmp(optarg, "ttl") == 0) {
+				config.faking_strategy = FAKE_STRAT_TTL;
+			} else if (strcmp(optarg, "tcp_check") == 0) {
+				config.faking_strategy = FAKE_STRAT_TCP_CHECK;
+			} else if (strcmp(optarg, "pastseq") == 0) {
+				config.faking_strategy = FAKE_STRAT_PAST_SEQ;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FAKING_TTL:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0 || num > 255) {
+				goto invalid_opt;
+			}
+
+			config.faking_ttl = num;
+			break;
+
+		case OPT_FAKE_SNI:
+			if (strcmp(optarg, "1") == 0) {
+				config.fake_sni = 1;				
+			} else if (strcmp(optarg, "0") == 0) {
+				config.fake_sni = 0;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_FAKE_SNI_SEQ_LEN:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0 || num > 255) {
+				goto invalid_opt;
+			}
+
+			config.fake_sni_seq_len = num;
+			break;
+		case OPT_FK_WINSIZE:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
+
+			config.fk_winsize = num;
+			break;
+		case OPT_SEG2DELAY:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
+
+			config.seg2_delay = num;
+			break;
+		case OPT_THREADS:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0 || num > MAX_THREADS) {
+				goto invalid_opt;
+			}
+
+			config.threads = num;
+			break;
+		case OPT_QUEUE_NUM:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
+
+			config.queue_start_num = num;
+			break;
+		default:
+			goto error;
+		}
+	}
+
+
+// out:
+	errno = 0;
+	return 0;
+stop_exec:
+	errno = 0;
+	return 1;
+
+invalid_opt:
+	printf("Invalid option %s\n", long_opt[optIdx].name);
+error:
+	print_usage(argv[0]);
+	errno = EINVAL;
+	return -1;
+}
+
+void print_welcome() {
+	switch (config.fragmentation_strategy) {
+		case FRAG_STRAT_TCP:
+			printf("Using TCP segmentation\n");
+			break;
+		case FRAG_STRAT_IP:
+			printf("Using IP fragmentation\n");
+			break;
+		default:
+			printf("SNI fragmentation is disabled\n");
+			break;
+	}
+
+	if (config.seg2_delay) {
+		printf("Some outgoing googlevideo request segments will be delayed for %d ms as of seg2_delay define\n", config.seg2_delay);
+	}
+
+	if (config.fake_sni) {
+		printf("Fake SNI will be sent before each target client hello\n");
+	} else {
+		printf("Fake SNI is disabled\n");
+	}
+
+	if (config.frag_sni_reverse) {
+		printf("Fragmentation Client Hello will be reversed\n");
+	}
+
+	if (config.frag_sni_faked) {
+		printf("Fooling packets will be sent near the original Client Hello\n");
+	}
+
+	if (config.fake_sni_seq_len > 1) {
+		printf("Faking sequence of length %d will be built as fake sni\n", config.fake_sni_seq_len);
+	}
+
+	switch (config.faking_strategy) {
+		case FAKE_STRAT_TTL:
+			printf("TTL faking strategy will be used with TTL %d\n", config.faking_ttl);
+			break;
+		case FAKE_STRAT_RAND_SEQ:
+			printf("Random seq faking strategy will be used\n");
+			break;
+		case FAKE_STRAT_TCP_CHECK:
+			printf("TCP checksum faking strategy will be used\n");
+			break;
+		case FAKE_STRAT_PAST_SEQ:
+			printf("Past seq faking strategy will be used\n");
+			break;
+	}
+
+	if (config.fk_winsize) {
+		printf("Response TCP window will be set to %d with the appropriate scale\n", config.fk_winsize);
+	}
+
+
+	if (config.use_gso) {
+		printf("GSO is enabled\n");
+	}
+
+	if (config.quic_drop) {
+		printf("All QUIC packets will be dropped\n");
+	}
+
+	if (config.sni_detection == SNI_DETECTION_BRUTE) {
+		printf("Server Name Extension will be parsed in the bruteforce mode\n");
+	}
+
+	if (config.all_domains) {
+		printf("All Client Hello will be targetted by youtubeUnblock!\n");
+	}
+
+}

args.h

@@ -0,0 +1,11 @@
+#ifndef ARGS_H
+#define ARGS_H
+
+void print_version();
+void print_usage(const char *argv0);
+int parse_args(int argc, char *argv[]);
+
+/* Prints starting messages */
+void print_welcome();
+
+#endif /* ARGS_H */

config.h

@@ -0,0 +1,107 @@
+#ifndef YTB_CONFIG_H
+#define YTB_CONFIG_H
+
+typedef int (*raw_send_t)(const unsigned char *data, unsigned int data_len);
+/**
+ * Sends the packet after delay_ms. The function should schedule send and return immediately
+ * (for example, open daemon thread)
+ */
+typedef void (*delayed_send_t)(const unsigned char *data, unsigned int data_len, unsigned int delay_ms);
+
+struct instance_config_t {
+	raw_send_t send_raw_packet;
+	delayed_send_t send_delayed_packet;
+};
+extern struct instance_config_t instance_config;
+
+struct config_t {
+	unsigned int queue_start_num;
+	int threads;
+	int use_gso;
+	int fragmentation_strategy;
+	int frag_sni_reverse;
+	int frag_sni_faked;
+	int faking_strategy;
+	int frag_middle_sni;
+	int frag_sni_pos;
+	unsigned char faking_ttl;
+	int fake_sni;
+	unsigned int fake_sni_seq_len;
+#define VERBOSE_INFO	0
+#define VERBOSE_DEBUG	1
+#define VERBOSE_TRACE	2
+	int verbose;
+	int quic_drop;
+#define SNI_DETECTION_PARSE 0
+#define SNI_DETECTION_BRUTE 1
+	int sni_detection;
+	/* In milliseconds */
+	unsigned int seg2_delay;
+	const char *domains_str;
+	unsigned int domains_strlen;
+	unsigned int all_domains;
+	const char *fake_sni_pkt;
+	unsigned int fake_sni_pkt_sz;
+	unsigned int fk_winsize;
+};
+
+extern struct config_t config;
+
+#define MAX_THREADS 16
+
+#ifndef THREADS_NUM
+#define THREADS_NUM 1
+#endif
+
+#if THREADS_NUM > MAX_THREADS
+#error "Too much threads"
+#endif
+
+#ifndef NOUSE_GSO
+#define USE_GSO
+#endif
+
+#define FRAG_STRAT_TCP	0
+#define FRAG_STRAT_IP	1
+#define FRAG_STRAT_NONE	2
+
+#ifndef FRAGMENTATION_STRATEGY
+#define FRAGMENTATION_STRATEGY FRAG_STRAT_TCP
+#endif
+
+#define RAWSOCKET_MARK (1 << 15)
+
+#ifdef USE_SEG2_DELAY
+#define SEG2_DELAY 100
+#endif
+
+#define FAKE_TTL 8
+
+// Will invalidate fake packets by out-of-ack_seq out-of-seq request
+#define FAKE_STRAT_RAND_SEQ	1
+// Will assume that GGC server is located further than FAKE_TTL
+// Thus, Fake packet will be eliminated automatically.
+#define FAKE_STRAT_TTL		2
+#define FAKE_STRAT_PAST_SEQ	3
+#define FAKE_STRAT_TCP_CHECK	4
+
+
+#ifndef FAKING_STRATEGY
+#define FAKING_STRATEGY FAKE_STRAT_RAND_SEQ
+#endif
+
+#if !defined(SILENT) && !defined(KERNEL_SPACE)
+#define DEBUG
+#endif
+
+// The Maximum Transmission Unit size for rawsocket
+// Larger packets will be fragmented. Applicable for Chrome's kyber.
+#define AVAILABLE_MTU 1500
+
+#define DEFAULT_QUEUE_NUM 537
+
+#define MAX_PACKET_SIZE 8192
+
+static const char defaul_snistr[] = "googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com";
+
+#endif /* YTB_CONFIG_H */

deps/libnfnetlink/.gitignore

@@ -15,3 +15,4 @@ Makefile.in
 /stamp-h1
 
 /*.pc
+doxygen.cfg

deps/libnfnetlink/doxygen.cfg

@@ -1,180 +0,0 @@
-DOXYFILE_ENCODING      = UTF-8
-PROJECT_NAME           = libnfnetlink
-PROJECT_NUMBER         = 1.0.2
-OUTPUT_DIRECTORY       = doxygen
-CREATE_SUBDIRS         = NO
-OUTPUT_LANGUAGE        = English
-BRIEF_MEMBER_DESC      = YES
-REPEAT_BRIEF           = YES
-ABBREVIATE_BRIEF       = 
-ALWAYS_DETAILED_SEC    = NO
-INLINE_INHERITED_MEMB  = NO
-FULL_PATH_NAMES        = NO
-STRIP_FROM_PATH        = 
-STRIP_FROM_INC_PATH    = 
-SHORT_NAMES            = NO
-JAVADOC_AUTOBRIEF      = NO
-QT_AUTOBRIEF           = NO
-MULTILINE_CPP_IS_BRIEF = NO
-INHERIT_DOCS           = YES
-SEPARATE_MEMBER_PAGES  = NO
-TAB_SIZE               = 8
-ALIASES                = 
-OPTIMIZE_OUTPUT_FOR_C  = YES
-OPTIMIZE_OUTPUT_JAVA   = NO
-OPTIMIZE_FOR_FORTRAN   = NO
-OPTIMIZE_OUTPUT_VHDL   = NO
-BUILTIN_STL_SUPPORT    = NO
-CPP_CLI_SUPPORT        = NO
-SIP_SUPPORT            = NO
-DISTRIBUTE_GROUP_DOC   = NO
-SUBGROUPING            = YES
-TYPEDEF_HIDES_STRUCT   = NO
-EXTRACT_ALL            = NO
-EXTRACT_PRIVATE        = NO
-EXTRACT_STATIC         = NO
-EXTRACT_LOCAL_CLASSES  = YES
-EXTRACT_LOCAL_METHODS  = NO
-EXTRACT_ANON_NSPACES   = NO
-HIDE_UNDOC_MEMBERS     = NO
-HIDE_UNDOC_CLASSES     = NO
-HIDE_FRIEND_COMPOUNDS  = NO
-HIDE_IN_BODY_DOCS      = NO
-INTERNAL_DOCS          = NO
-CASE_SENSE_NAMES       = YES
-HIDE_SCOPE_NAMES       = NO
-SHOW_INCLUDE_FILES     = YES
-INLINE_INFO            = YES
-SORT_MEMBER_DOCS       = YES
-SORT_BRIEF_DOCS        = NO
-SORT_GROUP_NAMES       = NO
-SORT_BY_SCOPE_NAME     = NO
-GENERATE_TODOLIST      = YES
-GENERATE_TESTLIST      = YES
-GENERATE_BUGLIST       = YES
-GENERATE_DEPRECATEDLIST= YES
-ENABLED_SECTIONS       = 
-MAX_INITIALIZER_LINES  = 30
-SHOW_USED_FILES        = YES
-FILE_VERSION_FILTER    = 
-QUIET                  = NO
-WARNINGS               = YES
-WARN_IF_UNDOCUMENTED   = YES
-WARN_IF_DOC_ERROR      = YES
-WARN_NO_PARAMDOC       = NO
-WARN_FORMAT            = "$file:$line: $text"
-WARN_LOGFILE           = 
-INPUT                  = .
-INPUT_ENCODING         = UTF-8
-FILE_PATTERNS          = *.c libnfnetlink.h
-RECURSIVE              = YES
-EXCLUDE                = 
-EXCLUDE_SYMLINKS       = NO
-EXCLUDE_PATTERNS       = */.git/* .*.d
-EXCLUDE_SYMBOLS        = EXPORT_SYMBOL
-EXAMPLE_PATH           = 
-EXAMPLE_PATTERNS       = 
-EXAMPLE_RECURSIVE      = NO
-IMAGE_PATH             = 
-INPUT_FILTER           = 
-FILTER_PATTERNS        = 
-FILTER_SOURCE_FILES    = NO
-SOURCE_BROWSER         = YES
-INLINE_SOURCES         = NO
-STRIP_CODE_COMMENTS    = YES
-REFERENCED_BY_RELATION = NO
-REFERENCES_RELATION    = NO
-REFERENCES_LINK_SOURCE = YES
-USE_HTAGS              = NO
-VERBATIM_HEADERS       = YES
-ALPHABETICAL_INDEX     = NO
-COLS_IN_ALPHA_INDEX    = 5
-IGNORE_PREFIX          = 
-GENERATE_HTML          = YES
-HTML_OUTPUT            = html
-HTML_FILE_EXTENSION    = .html
-HTML_HEADER            = 
-HTML_STYLESHEET        = 
-GENERATE_HTMLHELP      = NO
-GENERATE_DOCSET        = NO
-DOCSET_FEEDNAME        = "Doxygen generated docs"
-DOCSET_BUNDLE_ID       = org.doxygen.Project
-HTML_DYNAMIC_SECTIONS  = NO
-CHM_FILE               = 
-HHC_LOCATION           = 
-GENERATE_CHI           = NO
-BINARY_TOC             = NO
-TOC_EXPAND             = NO
-DISABLE_INDEX          = NO
-ENUM_VALUES_PER_LINE   = 4
-GENERATE_TREEVIEW      = NO
-TREEVIEW_WIDTH         = 250
-GENERATE_LATEX         = NO
-LATEX_OUTPUT           = latex
-LATEX_CMD_NAME         = latex
-MAKEINDEX_CMD_NAME     = makeindex
-COMPACT_LATEX          = NO
-PAPER_TYPE             = a4wide
-EXTRA_PACKAGES         = 
-LATEX_HEADER           = 
-PDF_HYPERLINKS         = YES
-USE_PDFLATEX           = YES
-LATEX_BATCHMODE        = NO
-LATEX_HIDE_INDICES     = NO
-GENERATE_RTF           = NO
-RTF_OUTPUT             = rtf
-COMPACT_RTF            = NO
-RTF_HYPERLINKS         = NO
-RTF_STYLESHEET_FILE    = 
-RTF_EXTENSIONS_FILE    = 
-GENERATE_MAN           = YES
-MAN_OUTPUT             = man
-MAN_EXTENSION          = .3
-MAN_LINKS              = NO
-GENERATE_XML           = NO
-XML_OUTPUT             = xml
-XML_PROGRAMLISTING     = YES
-GENERATE_AUTOGEN_DEF   = NO
-GENERATE_PERLMOD       = NO
-PERLMOD_LATEX          = NO
-PERLMOD_PRETTY         = YES
-PERLMOD_MAKEVAR_PREFIX = 
-ENABLE_PREPROCESSING   = YES
-MACRO_EXPANSION        = NO
-EXPAND_ONLY_PREDEF     = NO
-SEARCH_INCLUDES        = YES
-INCLUDE_PATH           = 
-INCLUDE_FILE_PATTERNS  = 
-PREDEFINED             = 
-EXPAND_AS_DEFINED      = 
-SKIP_FUNCTION_MACROS   = YES
-TAGFILES               = 
-GENERATE_TAGFILE       = 
-ALLEXTERNALS           = NO
-EXTERNAL_GROUPS        = YES
-PERL_PATH              = /usr/bin/perl
-CLASS_DIAGRAMS         = YES
-MSCGEN_PATH            = 
-HIDE_UNDOC_RELATIONS   = YES
-HAVE_DOT               = YES
-CLASS_GRAPH            = YES
-COLLABORATION_GRAPH    = YES
-GROUP_GRAPHS           = YES
-UML_LOOK               = NO
-TEMPLATE_RELATIONS     = NO
-INCLUDE_GRAPH          = YES
-INCLUDED_BY_GRAPH      = YES
-CALL_GRAPH             = NO
-CALLER_GRAPH           = NO
-GRAPHICAL_HIERARCHY    = YES
-DIRECTORY_GRAPH        = YES
-DOT_IMAGE_FORMAT       = png
-DOT_PATH               = 
-DOTFILE_DIRS           = 
-DOT_GRAPH_MAX_NODES    = 50
-MAX_DOT_GRAPH_DEPTH    = 0
-DOT_TRANSPARENT        = YES
-DOT_MULTI_TARGETS      = NO
-GENERATE_LEGEND        = YES
-DOT_CLEANUP            = YES
-SEARCHENGINE           = NO

ipt_YTUNBLOCK.h

@@ -0,0 +1,6 @@
+#ifndef IPT_YTUNBLOCK_H
+#define IPT_YTUNBLOCK_H
+
+struct xt_ytunblock_tginfo {};
+
+#endif /* IPT_YTUNBLOCK_H */

iptk_YTUNBLOCK.c

@@ -0,0 +1,341 @@
+#define _GNU_SOURCE
+// Kernel module for youtubeUnblock.
+// Make with make kmake && sudo iptables -t mangle -D OUTPUT 1 && sudo make kreload && sudo iptables -t mangle -I OUTPUT -p tcp -j YTUNBLOCK
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/printk.h>
+#include <linux/mutex.h>
+#include <linux/socket.h>
+#include <linux/net.h>
+#include <linux/netfilter/x_tables.h>
+#include "ipt_YTUNBLOCK.h"
+
+#include "mangle.h"
+#include "config.h"
+#include "raw_replacements.h"
+
+MODULE_LICENSE("GPL");
+MODULE_VERSION("0.1");
+MODULE_AUTHOR("Vadim Vetrov <vetrovvd@gmail.com>");
+MODULE_DESCRIPTION("Linux kernel module for youtube unblock");
+
+static int rsfd;
+static struct socket *rawsocket;
+DEFINE_MUTEX(rslock);
+
+static int open_raw_socket(void) {
+	int ret = 0;
+	ret = sock_create(AF_INET, SOCK_RAW, IPPROTO_RAW, &rawsocket);
+
+	if (ret < 0) {
+		pr_alert("Unable to create raw socket\n");
+		goto err;
+	}
+
+	sockptr_t optval = {
+		.kernel = NULL,
+		.is_kernel = 1
+	};
+
+	int mark = RAWSOCKET_MARK;
+	optval.kernel = &mark;
+	ret = sock_setsockopt(rawsocket, SOL_SOCKET, SO_MARK, optval, sizeof(mark));
+	if (ret < 0)
+	{
+		pr_alert("setsockopt(SO_MARK, %d) failed\n", mark);
+		goto sr_err;
+	}
+	int one = 1;
+	optval.kernel = &one;
+
+	return 0;
+sr_err:
+	sock_release(rawsocket);
+err:
+	return ret;
+}
+
+static void close_raw_socket(void) {
+	sock_release(rawsocket);
+}
+
+#define AVAILABLE_MTU 1384
+
+static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
+	
+	if (pktlen > AVAILABLE_MTU) {
+		pr_warn("The packet is too big and may cause issues!");
+
+		__u32 buff1_size = pktlen;
+		__u32 buff2_size = pktlen;
+		__u8 *buff1 = kmalloc(pktlen, GFP_ATOMIC);
+		if (buff1 == NULL) return -1;
+		__u8 *buff2 = kmalloc(pktlen, GFP_ATOMIC);
+		if (buff2 == NULL) {
+			kfree(buff1);
+			return -1;
+		}
+
+		int ret;
+
+#if defined(USE_TCP_SEGMENTATION) || defined(RAWSOCK_TCP_FSTRAT)
+		if ((ret = tcp4_frag(pkt, pktlen, AVAILABLE_MTU-128, 
+			buff1, &buff1_size, buff2, &buff2_size)) < 0)
+			return ret;
+#elif defined(USE_IP_FRAGMENTATION) || defined(RAWSOCK_IP_FSTRAT)
+		if ((ret = ip4_frag(pkt, pktlen, AVAILABLE_MTU-128, 
+			buff1, &buff1_size, buff2, &buff2_size)) < 0)
+			return ret;
+#else
+		pr_warn("send_raw_socket: Packet is too big but fragmentation is disabled! "
+			"Pass -DRAWSOCK_TCP_FSTRAT or -DRAWSOCK_IP_FSTRAT as CFLAGS "
+			"To enable it only for raw socket\n");
+		return -EINVAL;
+#endif
+
+		int sent = 0;
+		ret = send_raw_socket(buff1, buff1_size);
+
+		if (ret >= 0) sent += ret;
+		else {
+			kfree(buff1);
+			kfree(buff2);
+			return ret;
+		}
+
+		kfree(buff1);
+
+		ret = send_raw_socket(buff2, buff2_size);
+		if (ret >= 0) sent += ret;
+		else {
+			kfree(buff2);
+			return ret;
+		}
+
+		kfree(buff2);
+
+		return sent;
+	}
+
+	struct iphdr *iph;
+
+	int ret;
+	if ((ret = ip4_payload_split(
+	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
+		return ret;
+	}
+
+	struct sockaddr_in daddr = {
+		.sin_family = AF_INET,
+		.sin_port = 0,
+		.sin_addr = {
+			.s_addr = iph->daddr
+		}
+	};
+
+	struct msghdr msg;
+	struct kvec iov;
+	iov.iov_base = (__u8 *)pkt;
+	iov.iov_len = pktlen;
+	iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, 1);
+
+	msg.msg_flags = 0;
+	msg.msg_name = &daddr;
+	msg.msg_namelen = sizeof(struct sockaddr_in);
+	msg.msg_control = NULL;
+	msg.msg_controllen = 0;
+
+	mutex_lock(&rslock);
+	ret = kernel_sendmsg(rawsocket, &msg, &iov, 1, pktlen);
+	mutex_unlock(&rslock);
+
+	return ret;
+}
+static unsigned int ykb_tg(struct sk_buff *skb, const struct xt_action_param *par) 
+{
+	if ((skb->mark & RAWSOCKET_MARK) == RAWSOCKET_MARK) 
+		return XT_CONTINUE;
+	
+	if (skb->head == NULL) return XT_CONTINUE;
+	
+	// TODO: Mallocs are bad!
+	uint32_t buflen = skb->len;
+	__u8 *buf = kmalloc(skb->len, GFP_ATOMIC);
+	if (buf == NULL) {
+		pr_err("Cannot alloc enough buffer space");
+		goto accept;
+	}
+	if (skb_copy_bits(skb, 0, buf, skb->len) < 0) {
+		pr_err("Unable copy bits\n");
+		goto ac_fkb;
+	}
+	struct iphdr *iph;
+	uint32_t iph_len;
+	struct tcphdr *tcph;
+	uint32_t tcph_len;
+	__u8 *payload;
+	uint32_t plen;
+
+	int ret = tcp4_payload_split(buf, buflen, &iph, &iph_len, 
+		    &tcph, &tcph_len, &payload, &plen);
+
+	if (ret < 0) 
+		goto ac_fkb;
+
+	struct verdict vrd = analyze_tls_data(payload, plen);
+
+	if (vrd.gvideo_hello) {
+		int ret;
+		pr_info("Googlevideo detected\n");
+
+		ip4_set_checksum(iph);
+		tcp4_set_checksum(tcph, iph);
+
+		uint32_t f1len = skb->len;
+		uint32_t f2len = skb->len;
+		__u8 *frag1 = kmalloc(f1len, GFP_ATOMIC);
+		if (!frag1) {
+			pr_err("Cannot alloc enough gv frag1 buffer space");
+			goto ac_fkb;
+		}
+		__u8 *frag2 = kmalloc(f2len, GFP_ATOMIC);
+		if (!frag2) {
+			pr_err("Cannot alloc enough gv frag1 buffer space");
+			kfree(frag1);
+			goto ac_fkb;
+		}
+
+
+#ifdef FAKE_SNI
+		uint32_t fksn_len = FAKE_SNI_MAXLEN;
+		__u8 *fksn_buf = kmalloc(fksn_len, GFP_ATOMIC);
+		if (!fksn_buf) {
+			pr_err("Cannot alloc enough gksn buffer space");
+			goto fallback;
+		}
+		
+		ret = gen_fake_sni(iph, tcph, fksn_buf, &fksn_len);
+		if (ret < 0) {
+			pr_err("Cannot alloc enough gksn buffer space");
+			goto fksn_fb;
+		}
+#endif
+
+#if defined(USE_TCP_SEGMENTATION)
+		size_t ipd_offset = vrd.sni_offset;
+		size_t mid_offset = ipd_offset + vrd.sni_len / 2;
+
+
+		if ((ret = tcp4_frag(buf, skb->len, 
+			 mid_offset, frag1, &f1len, frag2, &f2len)) < 0) {
+			pr_err("tcp4_frag: %d", ret);
+			goto fksn_fb;
+		}
+#elif defined(USE_IP_FRAGMENTATION)
+		size_t ipd_offset = tcph_len + vrd.sni_offset;
+		size_t mid_offset = ipd_offset + vrd.sni_len / 2;
+		mid_offset += 8 - mid_offset % 8;
+
+		if ((ret = ip4_frag(buf, skb->len, 
+			 mid_offset, frag1, &f1len, frag2, &f2len)) < 0) {
+			pr_err("ip4_frag: %d", ret);
+			goto fksn_fb;
+		}
+#endif
+
+#ifdef FAKE_SNI
+		ret = send_raw_socket(fksn_buf, fksn_len);
+		if (ret < 0) {
+			pr_err("fksn_send: %d", ret);
+			goto fksn_fb;
+		}
+#endif
+
+#if defined(USE_NO_FRAGMENTATION)
+#ifdef SEG2_DELAY
+#error "SEG2_DELAY is incompatible with NO FRAGMENTATION"
+#endif
+		ret = send_raw_socket(buf, buflen);
+		if (ret < 0) {
+			pr_err("nofrag_send: %d", ret);
+		}
+		goto fksn_fb;
+#endif
+
+		ret = send_raw_socket(frag2, f2len);
+		if (ret < 0) {
+			pr_err("raw frag2 send: %d", ret);
+			goto fksn_fb;
+		}
+
+#ifdef SEG2_DELAY
+#error "Seg2 delay is unsupported yet for kmod"
+#else
+		ret = send_raw_socket(frag1, f1len);
+		if (ret < 0) {
+			pr_err("raw frag1 send: %d", ret);
+			goto fksn_fb;
+		}
+#endif
+
+fksn_fb:
+#ifdef FAKE_SNI
+		kfree(fksn_buf);
+#endif 
+fallback:
+#ifndef SEG2_DELAY
+		kfree(frag1);
+#endif
+		kfree(frag2);
+		kfree(buf);
+		kfree_skb(skb);
+		return NF_STOLEN;
+	}
+ac_fkb:
+	kfree(buf);
+accept:
+	return XT_CONTINUE;
+}
+
+static int ykb_chk(const struct xt_tgchk_param *par) {
+	return 0;
+}
+
+
+static struct xt_target ykb_tg_reg __read_mostly = {
+	.name		= "YTUNBLOCK",
+	.target		= ykb_tg,
+	.table		= "mangle",
+	.hooks		= (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD), 
+	.targetsize	= sizeof(struct xt_ytunblock_tginfo),
+	.proto		= IPPROTO_TCP,
+	.family		= NFPROTO_IPV4,
+	.checkentry	= ykb_chk,
+	.me		= THIS_MODULE,
+};
+
+static int __init ykb_init(void) {
+	int ret = 0;
+
+	ret = open_raw_socket();
+	if (ret < 0) goto err;
+
+	ret = xt_register_target(&ykb_tg_reg);
+	if (ret < 0) goto close_rawsocket;
+
+	pr_info("youtubeUnblock kernel module started.\n");
+	return 0;
+close_rawsocket:
+	close_raw_socket();
+err:
+	return ret;
+}
+
+static void __exit ykb_destroy(void) {
+	xt_unregister_target(&ykb_tg_reg);
+	close_raw_socket();
+	pr_info("youtubeUnblock kernel module destroyed.\n");
+}
+
+module_init(ykb_init);
+module_exit(ykb_destroy);

kmake.mk

@@ -0,0 +1,42 @@
+#Kernel module makes here
+PWD := $(CURDIR)
+
+CC	:= gcc 
+CCLD	:= $(CC)
+LD	:= ld
+CFLAGS	:=
+LDFLAGS	:=
+
+IPT_CFLAGS := -Wall -Wpedantic -O2
+
+.PHONY: kmake kload kunload kreload kclean kmclean xclean
+kmake: kmod xmod
+
+kmod:
+	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+xmod: libipt_YTUNBLOCK.so
+
+libipt_YTUNBLOCK.so: libipt_YTUNBLOCK.o
+	$(CCLD) -shared -fPIC ${IPT_CFLAGS} -o $@ $^;
+
+libipt_YTUNBLOCK.o: libipt_YTUNBLOCK.c
+	$(CC) ${IPT_CFLAGS} -D_INIT=lib$*_init -fPIC -c -o $@ $<;
+
+kload:
+	insmod ipt_YTUNBLOCK.ko
+	cp ./libipt_YTUNBLOCK.so /usr/lib/xtables/
+
+kunload:
+	-rmmod ipt_YTUNBLOCK
+	-/bin/rm /usr/lib/xtables/libipt_YTUNBLOCK.so
+
+kreload: kunload kload
+
+kclean: xtclean kmclean
+
+kmclean:
+	-$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+
+xtclean:
+	-/bin/rm -f libipt_YTUNBLOCK.so libipt_YTUNBLOCK.o

libipt_YTUNBLOCK.c

@@ -0,0 +1,26 @@
+// Used to register target in iptables
+#include <stdio.h>
+#include <xtables.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include "ipt_YTUNBLOCK.h"
+
+#define _init __attribute__((constructor)) _INIT
+#define __maybe_unused __attribute__((__unused__))
+
+static void YTKB_help(void) {
+	printf("Youtube Unblock - bypass youtube slowdown DPI in Russia\n");
+}
+
+static struct xtables_target ykb_tg_reg = {
+	.name           = "YTUNBLOCK",
+	.version        = XTABLES_VERSION,
+	.family         = NFPROTO_IPV4,
+	.size           = XT_ALIGN(sizeof(struct xt_ytunblock_tginfo)),
+	.userspacesize  = XT_ALIGN(sizeof(struct xt_ytunblock_tginfo)),
+	.help           = YTKB_help,
+};
+
+void _init(void) {
+    xtables_register_target(&ykb_tg_reg);
+}

logging.h

@@ -0,0 +1,39 @@
+#ifndef LOGGING_H
+#define LOGGING_H
+#include "config.h"
+
+#define LOG_LEVEL (config.verbose)
+
+#ifdef KERNEL_SPACE
+#include <linux/printk.h>
+#define printf pr_info
+#define perror pr_err
+#define lgerror(msg, ret, ...) __extension__ ({		\
+	printf(msg ": %d\n", ##__VA_ARGS__, ret);	\
+})
+#else
+#include <stdio.h> // IWYU pragma: export
+#include <errno.h>
+#define lgerror(msg, ret, ...) __extension__ ({			\
+	errno = -(ret);						\
+	printf(msg ": %s\n", ##__VA_ARGS__, strerror(errno));	\
+})
+#endif /* PROGRAM_SPACE */
+
+
+#define lgdebugmsg(msg, ...) \
+(LOG_LEVEL >= VERBOSE_DEBUG ? printf(msg "\n", ##__VA_ARGS__) : 0)
+
+#define lgtracemsg(msg, ...) \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg "\n", ##__VA_ARGS__) : 0)
+
+#define lgtrace_start(msg, ...) \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf("[TRACE] " msg " ( ", ##__VA_ARGS__) : 0)
+
+#define lgtrace_addp(msg, ...) \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg", ", ##__VA_ARGS__) : 0)
+
+#define lgtrace_end() \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf(") \n") : 0)
+
+#endif /* LOGGING_H */

mangle.c

@@ -0,0 +1,768 @@
+#define _GNU_SOURCE
+#include "types.h" // IWYU pragma: keep
+#include "mangle.h"
+#include "config.h"
+#include "utils.h"
+#include "quic.h"
+#include "logging.h"
+
+#ifndef KERNEL_SCOPE
+#include <stdlib.h>
+#endif
+
+int process_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
+	if (raw_payload_len > MAX_PACKET_SIZE) {
+		return PKT_ACCEPT;
+	}
+
+	const struct iphdr *iph;
+	uint32_t iph_len;
+	const uint8_t *ip_payload;
+	uint32_t ip_payload_len;
+
+	int ret;
+
+	ret = ip4_payload_split((uint8_t *)raw_payload, raw_payload_len,
+			 (struct iphdr **)&iph, &iph_len, 
+			 (uint8_t **)&ip_payload, &ip_payload_len);
+
+
+	if (ret < 0) 
+		goto accept;
+	
+	switch (iph->protocol) {
+	case IPPROTO_TCP:
+		return process_tcp4_packet(raw_payload, raw_payload_len);
+	case IPPROTO_UDP:
+		return process_udp4_packet(raw_payload, raw_payload_len);
+	default:
+		goto accept;
+	}
+	
+accept:
+	return PKT_ACCEPT;
+drop:
+	return PKT_DROP;
+}
+
+int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
+	const struct iphdr *iph;
+	uint32_t iph_len;
+	const struct tcphdr *tcph;
+	uint32_t tcph_len;
+	const uint8_t *data;
+	uint32_t dlen;
+
+	int ret = tcp4_payload_split((uint8_t *)raw_payload, raw_payload_len,
+			      (struct iphdr **)&iph, &iph_len, (struct tcphdr **)&tcph, &tcph_len,
+			      (uint8_t **)&data, &dlen);
+
+	if (ret < 0) {
+		goto accept;
+	}
+
+	struct tls_verdict vrd = analyze_tls_data(data, dlen);
+
+	if (vrd.target_sni) {
+		lgdebugmsg("Target SNI detected: %.*s", vrd.sni_len, data + vrd.sni_offset);
+
+		uint8_t payload[MAX_PACKET_SIZE];
+		uint32_t payload_len = raw_payload_len;
+		memcpy(payload, raw_payload, raw_payload_len);
+
+		struct iphdr *iph;
+		uint32_t iph_len;
+		struct tcphdr *tcph;
+		uint32_t tcph_len;
+		uint8_t *data;
+		uint32_t dlen;
+
+		int ret = tcp4_payload_split(payload, payload_len,
+				      &iph, &iph_len, &tcph, &tcph_len,
+				      &data, &dlen);
+
+		if (config.fk_winsize) {
+			tcph->window = htons(config.fk_winsize);
+		}
+
+		ip4_set_checksum(iph);
+		tcp4_set_checksum(tcph, iph);
+
+		
+		if (dlen > 1480 && config.verbose) {
+			lgdebugmsg("WARNING! Client Hello packet is too big and may cause issues!");
+		}
+
+		if (config.fake_sni) {
+			post_fake_sni(iph, iph_len, tcph, tcph_len, 
+				config.fake_sni_seq_len);	
+		}
+
+		size_t ipd_offset;
+		size_t mid_offset;
+
+		switch (config.fragmentation_strategy) {
+			case FRAG_STRAT_TCP: {
+				ipd_offset = vrd.sni_offset;
+				mid_offset = ipd_offset + vrd.sni_len / 2;
+
+				uint32_t poses[2];
+				int cnt = 0;
+
+				if (config.frag_sni_pos && dlen > config.frag_sni_pos) {
+					poses[cnt++] = config.frag_sni_pos;
+				}
+
+				if (config.frag_middle_sni) {
+					poses[cnt++] = mid_offset;
+				}
+
+				if (cnt > 1 && poses[0] > poses[1]) {
+					uint32_t tmp = poses[0];
+					poses[0] = poses[1];
+					poses[1] = tmp;
+				}
+
+				ret = send_tcp4_frags(payload, payload_len, poses, cnt, 0);
+				if (ret < 0) {
+					lgerror("tcp4 send frags", ret);
+					goto accept;
+				}
+
+				goto drop;
+			}
+			break;
+			case FRAG_STRAT_IP: {
+				ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_offset;
+				mid_offset = ipd_offset + vrd.sni_len / 2;
+				mid_offset += 8 - mid_offset % 8;
+
+				uint32_t poses[2];
+				int cnt = 0;
+
+				if (config.frag_sni_pos && dlen > config.frag_sni_pos) {
+					poses[cnt] = config.frag_sni_pos + ((char *)data - (char *)tcph);
+					poses[cnt] += 8 - poses[cnt] % 8;
+					cnt++;
+				}
+
+				if (config.frag_middle_sni) {
+					poses[cnt++] = mid_offset;
+				}
+
+				if (cnt > 1 && poses[0] > poses[1]) {
+					uint32_t tmp = poses[0];
+					poses[0] = poses[1];
+					poses[1] = tmp;
+				}
+
+				ret = send_ip4_frags(payload, payload_len, poses, cnt, 0);
+				if (ret < 0) {
+					lgerror("ip4 send frags", ret);
+					goto accept;
+				}
+
+				goto drop;
+			}
+			break;
+			default:
+				ret = instance_config.send_raw_packet(payload, payload_len);
+				if (ret < 0) {
+					lgerror("raw pack send", ret);
+					goto accept;
+				}
+
+				goto drop;
+		}
+
+
+
+		goto drop;
+	}
+
+accept:
+	return PKT_ACCEPT;
+drop:
+	return PKT_DROP;
+}
+
+int process_udp4_packet(const uint8_t *pkt, uint32_t pktlen) {
+	const struct iphdr *iph;
+	uint32_t iph_len;
+	const struct udphdr *udph;
+	const uint8_t *data;
+	uint32_t dlen;
+
+	int ret = udp4_payload_split((uint8_t *)pkt, pktlen,
+			      (struct iphdr **)&iph, &iph_len, 
+			      (struct udphdr **)&udph,
+			      (uint8_t **)&data, &dlen);
+
+	lgtrace_start("Got udp packet");
+
+	if (ret < 0) {
+		lgtrace_addp("undefined");
+		goto accept;
+	}
+
+	if (dlen > 10 && config.verbose >= VERBOSE_TRACE) {
+		printf("UDP payload start: [ ");
+		for (int i = 0; i < 10; i++) {
+			printf("%02x ", data[i]);
+		}
+		printf("], ");
+	}
+
+	lgtrace_addp("QUIC probe");
+	const struct quic_lhdr *qch;
+	uint32_t qch_len;
+	struct quic_cids qci;
+	uint8_t *quic_raw_payload;
+	uint32_t quic_raw_plen;
+	ret = quic_parse_data((uint8_t *)data, dlen, 
+		 (struct quic_lhdr **)&qch, &qch_len, &qci, 
+		 &quic_raw_payload, &quic_raw_plen);
+
+	if (ret < 0) {
+		lgtrace_addp("undefined type");
+		goto accept;
+	}
+
+	lgtrace_addp("QUIC detected");
+	uint8_t qtype = qch->type;
+
+	if (config.quic_drop) {
+		goto drop;
+	}
+
+	if (qch->version == QUIC_V1)
+		qtype = quic_convtype_v1(qtype);
+	else if (qch->version == QUIC_V2) 
+		qtype = quic_convtype_v2(qtype);
+
+	if (qtype != QUIC_INITIAL_TYPE) {
+		lgtrace_addp("quic message type: %d", qtype);
+		goto accept;
+	}
+	
+	lgtrace_addp("quic initial message");
+
+accept:
+	lgtrace_addp("accepted");
+	lgtrace_end();
+
+	return PKT_ACCEPT;
+drop:
+	lgtrace_addp("dropped");
+	lgtrace_end();
+
+	return PKT_DROP;
+}
+
+int send_ip4_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *poses, uint32_t poses_sz, uint32_t dvs) {
+	if (poses_sz == 0) {
+		if (config.seg2_delay && ((dvs > 0) ^ config.frag_sni_reverse)) {
+			if (!instance_config.send_delayed_packet) {
+				return -EINVAL;
+			}
+
+			instance_config.send_delayed_packet(
+				packet, pktlen, config.seg2_delay);
+
+			return 0;
+		} else {
+			return instance_config.send_raw_packet(
+				packet, pktlen);
+		}
+	} else {
+		uint8_t frag1[MAX_PACKET_SIZE];
+		uint8_t frag2[MAX_PACKET_SIZE];
+		uint32_t f1len = MAX_PACKET_SIZE;
+		uint32_t f2len = MAX_PACKET_SIZE;
+
+		int ret;
+
+		if (dvs > poses[0]) {
+			lgerror("send_frags: Recursive dvs(%d) is more than poses0(%d)", -EINVAL, dvs, poses[0]);
+			return -EINVAL;
+		}
+
+		ret = ip4_frag(packet, pktlen, poses[0] - dvs, 
+			frag1, &f1len, frag2, &f2len);
+
+		if (ret < 0) {
+			lgerror("send_frags: frag: with context packet with size %d, position: %d, recursive dvs: %d", ret, pktlen, poses[0], dvs);
+			return ret;
+		}
+
+		if (config.frag_sni_reverse)
+			goto send_frag2;
+send_frag1:
+		ret = send_ip4_frags(frag1, f1len, NULL, 0, 0);
+		if (ret < 0) {
+			return ret;
+		}
+
+		if (config.frag_sni_reverse)
+			goto out;
+
+send_frag2:
+		dvs += poses[0];
+		ret = send_ip4_frags(frag2, f2len, poses + 1, poses_sz - 1, dvs);
+		if (ret < 0) {
+			return ret;
+		}
+
+		if (config.frag_sni_reverse)
+			goto send_frag1;
+	}
+
+out:
+	return 0;
+}
+
+int send_tcp4_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *poses, uint32_t poses_sz, uint32_t dvs) {
+	if (poses_sz == 0) {
+		if (config.seg2_delay && ((dvs > 0) ^ config.frag_sni_reverse)) {
+			if (!instance_config.send_delayed_packet) {
+				return -EINVAL;
+			}
+
+			instance_config.send_delayed_packet(
+				packet, pktlen, config.seg2_delay);
+
+			return 0;
+		} else {
+			return instance_config.send_raw_packet(
+				packet, pktlen);
+		}
+	} else {
+		uint8_t frag1[MAX_PACKET_SIZE];
+		uint8_t frag2[MAX_PACKET_SIZE];
+		uint8_t fake_pad[MAX_PACKET_SIZE];
+		uint32_t f1len = MAX_PACKET_SIZE;
+		uint32_t f2len = MAX_PACKET_SIZE;
+
+		int ret;
+
+		if (dvs > poses[0]) {
+			lgerror("send_frags: Recursive dvs(%d) is more than poses0(%d)", -EINVAL, dvs, poses[0]);
+			return -EINVAL;
+		}
+
+		ret = tcp4_frag(packet, pktlen, poses[0] - dvs, 
+			frag1, &f1len, frag2, &f2len);
+
+		if (ret < 0) {
+			lgerror("send_frags: frag: with context packet with size %d, position: %d, recursive dvs: %d", ret, pktlen, poses[0], dvs);
+			return ret;
+		}
+
+		if (config.frag_sni_reverse)
+			goto send_frag2;
+		
+send_frag1:
+		{
+			ret = send_tcp4_frags(frag1, f1len, NULL, 0, 0);
+			if (ret < 0) {
+				return ret;
+			}
+
+			if (config.frag_sni_reverse) 
+				goto out;
+		}
+
+send_fake:
+		if (config.frag_sni_faked) {
+			uint32_t iphfl, tcphfl;
+			ret = tcp4_payload_split(frag2, f2len, NULL, &iphfl, NULL, &tcphfl, NULL, NULL);
+			if (ret < 0) {
+				lgerror("Invalid frag2", ret);
+				return ret;
+			}
+			memcpy(fake_pad, frag2, iphfl + tcphfl);
+			memset(fake_pad + iphfl + tcphfl, 0, f2len - iphfl - tcphfl);
+			ret = fail4_packet(fake_pad, f2len);
+			if (ret < 0) {
+				lgerror("Failed to fail packet", ret);
+				return ret;
+			}
+			ret = send_tcp4_frags(fake_pad, f2len, NULL, 0, 0);
+			if (ret < 0) {
+				return ret;
+			}
+
+		}
+
+		if (config.frag_sni_reverse)
+			goto send_frag1;
+
+send_frag2:
+		{
+			dvs += poses[0];
+			ret = send_tcp4_frags(frag2, f2len, poses + 1, poses_sz - 1, dvs);
+			if (ret < 0) {
+				return ret;
+			}
+
+			if (config.frag_sni_reverse)
+				goto send_fake;
+		}
+	}
+out:
+	return 0;
+}
+
+int post_fake_sni(const struct iphdr *iph, unsigned int iph_len, 
+		     const struct tcphdr *tcph, unsigned int tcph_len,
+		     unsigned char sequence_len) {
+	uint8_t rfsiph[60];
+	uint8_t rfstcph[60];
+	int ret;
+
+	memcpy(rfsiph, iph, iph_len);
+	memcpy(rfstcph, tcph, tcph_len);
+
+	struct iphdr *fsiph = (void *)rfsiph;
+	struct tcphdr *fstcph = (void *)rfstcph;
+
+	for (int i = 0; i < sequence_len; i++) {
+		uint8_t fake_sni[MAX_PACKET_SIZE];
+		uint32_t fsn_len = MAX_PACKET_SIZE;
+		ret = gen_fake_sni(fsiph, fstcph, fake_sni, &fsn_len);
+		if (ret < 0) {
+			lgerror("gen_fake_sni", ret);
+			return ret;
+		}
+
+		ret = instance_config.send_raw_packet(fake_sni, fsn_len);
+		if (ret < 0) {
+			lgerror("send fake sni", ret);
+			return ret;
+		}
+
+		uint32_t iph_len;
+		uint32_t tcph_len;
+		uint32_t plen;
+		tcp4_payload_split(
+			fake_sni, fsn_len, 
+			&fsiph, &iph_len, &fstcph, &tcph_len,
+			NULL, &plen);
+
+
+		fstcph->seq = htonl(ntohl(fstcph->seq) + plen);
+		memcpy(rfsiph, fsiph, iph_len);
+		memcpy(rfstcph, fstcph, tcph_len);
+		fsiph = (void *)rfsiph;
+		fstcph = (void *)rfstcph;
+
+	}
+
+	return 0;
+}
+
+void z_function(const char *str, int *zbuf, size_t len) {
+	zbuf[0] = len;
+
+	ssize_t lh = 0, rh = 1;
+	for (ssize_t i = 1; i < len; i++) {
+		zbuf[i] = 0;
+		if (i < rh) {
+			zbuf[i] = min(zbuf[i - lh], rh - i);
+		}
+
+		while (i + zbuf[i] < len && str[zbuf[i]] == str[i + zbuf[i]])
+			zbuf[i]++;
+
+		if (i + zbuf[i] > rh) {
+			lh = i;
+			rh = i + zbuf[i];
+		}
+	}
+}
+
+#define TLS_CONTENT_TYPE_HANDSHAKE 0x16
+#define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01
+#define TLS_EXTENSION_SNI 0x0000
+#define TLS_EXTENSION_CLIENT_HELLO_ENCRYPTED 0xfe0d
+
+typedef uint8_t uint8_t;
+typedef uint32_t uint32_t;
+typedef uint16_t uint16_t;
+
+/**
+ * Processes tls payload of the tcp request.
+ * 
+ * data Payload data of TCP.
+ * dlen Length of `data`.
+ */
+struct tls_verdict analyze_tls_data(
+	const uint8_t *data, 
+	uint32_t dlen) 
+{
+	struct tls_verdict vrd = {0};
+
+	size_t i = 0;
+	const uint8_t *data_end = data + dlen;
+
+	while (i + 4 < dlen) {
+		const uint8_t *msgData = data + i;
+
+		uint8_t tls_content_type = *msgData;
+		uint8_t tls_vmajor = *(msgData + 1);
+		uint8_t tls_vminor = *(msgData + 2);
+		uint16_t message_length = ntohs(*(uint16_t *)(msgData + 3));
+		const uint8_t *message_length_ptr = msgData + 3;
+
+		if (tls_vmajor != 0x03) goto nextMessage;
+
+		if (i + 5 > dlen) break;
+
+		if (tls_content_type != TLS_CONTENT_TYPE_HANDSHAKE) 
+			goto nextMessage;
+
+		if (config.sni_detection == SNI_DETECTION_BRUTE) {
+			goto brute;
+		}
+
+		const uint8_t *handshakeProto = msgData + 5;
+
+		if (handshakeProto + 1 >= data_end) break;
+
+		uint8_t handshakeType = *handshakeProto;
+
+		if (handshakeType != TLS_HANDSHAKE_TYPE_CLIENT_HELLO)
+			goto nextMessage;
+
+		const uint8_t *msgPtr = handshakeProto;
+		msgPtr += 1; 
+		const uint8_t *handshakeProto_length_ptr = msgPtr + 1;
+		msgPtr += 3 + 2 + 32;
+
+		if (msgPtr + 1 >= data_end) break;
+		uint8_t sessionIdLength = *msgPtr;
+		msgPtr++;
+		msgPtr += sessionIdLength;
+
+		if (msgPtr + 2 >= data_end) break;
+		uint16_t ciphersLength = ntohs(*(uint16_t *)msgPtr);
+		msgPtr += 2;
+		msgPtr += ciphersLength;
+
+		if (msgPtr + 1 >= data_end) break;
+		uint8_t compMethodsLen = *msgPtr;
+		msgPtr++;
+		msgPtr += compMethodsLen;
+
+		if (msgPtr + 2 >= data_end) break;
+		uint16_t extensionsLen = ntohs(*(uint16_t *)msgPtr);
+		const uint8_t *extensionsLen_ptr = msgPtr;
+		msgPtr += 2;
+
+		const uint8_t *extensionsPtr = msgPtr;
+		const uint8_t *extensions_end = extensionsPtr + extensionsLen;
+		if (extensions_end > data_end) extensions_end = data_end;
+
+		while (extensionsPtr < extensions_end) {
+			const uint8_t *extensionPtr = extensionsPtr;
+			if (extensionPtr + 4 >= extensions_end) break;
+
+			uint16_t extensionType = 
+				ntohs(*(uint16_t *)extensionPtr);
+			extensionPtr += 2;
+
+			uint16_t extensionLen = 
+				ntohs(*(uint16_t *)extensionPtr);
+			const uint8_t *extensionLen_ptr = extensionPtr;
+			extensionPtr += 2;
+
+
+			if (extensionPtr + extensionLen > extensions_end) 
+				break;
+
+			if (extensionType != TLS_EXTENSION_SNI) 
+				goto nextExtension;
+
+			const uint8_t *sni_ext_ptr = extensionPtr;
+
+			if (sni_ext_ptr + 2 >= extensions_end) break;
+			uint16_t sni_ext_dlen = ntohs(*(uint16_t *)sni_ext_ptr);
+
+			const uint8_t *sni_ext_dlen_ptr = sni_ext_ptr;
+			sni_ext_ptr += 2;
+
+			const uint8_t *sni_ext_end = sni_ext_ptr + sni_ext_dlen;
+			if (sni_ext_end >= extensions_end) break;
+			
+			if (sni_ext_ptr + 3 >= sni_ext_end) break;
+			uint8_t sni_type = *sni_ext_ptr++;
+			uint16_t sni_len = ntohs(*(uint16_t *)sni_ext_ptr);
+			sni_ext_ptr += 2;
+
+			if (sni_ext_ptr + sni_len > sni_ext_end) break;
+
+			char *sni_name = (char *)sni_ext_ptr;
+
+			vrd.sni_offset = (uint8_t *)sni_name - data;
+			vrd.sni_len = sni_len;
+
+			if (config.all_domains) {
+				vrd.target_sni = 1;
+				goto out;
+			}
+
+
+			unsigned int j = 0;
+			for (unsigned int i = 0; i <= config.domains_strlen; i++) {
+				if (	i > j &&
+					(i == config.domains_strlen	||	
+					config.domains_str[i] == '\0'	||
+					config.domains_str[i] == ','	|| 
+					config.domains_str[i] == '\n'	)) {
+
+					unsigned int domain_len = (i - j);
+					const char *sni_startp = sni_name + sni_len - domain_len;
+					const char *domain_startp = config.domains_str + j;
+
+					if (sni_len >= domain_len &&
+						sni_len < 128 && 
+						!strncmp(sni_startp, 
+						domain_startp, 
+						domain_len)) {
+							vrd.target_sni = 1;
+					}
+
+					j = i + 1;
+				}
+			}
+
+nextExtension:
+			extensionsPtr += 2 + 2 + extensionLen;
+		}
+nextMessage:
+		i += 5 + message_length;
+	}
+
+out:
+	return vrd;
+
+brute:
+	if (config.all_domains) {
+		vrd.target_sni = 1;
+		vrd.sni_len = 0;
+		vrd.sni_offset = dlen / 2;
+		goto out;
+	}
+
+	unsigned int j = 0;
+	for (unsigned int i = 0; i <= config.domains_strlen; i++) {
+		if (	i > j &&
+			(i == config.domains_strlen	||	
+			config.domains_str[i] == '\0'	||
+			config.domains_str[i] == ','	|| 
+			config.domains_str[i] == '\n'	)) {
+
+			uint8_t buf[MAX_PACKET_SIZE]; 
+			int zbuf[MAX_PACKET_SIZE]; 
+			unsigned int domain_len = (i - j);
+			const char *domain_startp = config.domains_str + j;
+
+			if (domain_len + dlen + 1> MAX_PACKET_SIZE) continue;
+
+			memcpy(buf, domain_startp, domain_len);
+			memcpy(buf + domain_len, "#", 1);
+			memcpy(buf + domain_len + 1, data, dlen);
+
+			z_function((char *)buf, zbuf, domain_len + 1 + dlen);
+
+			for (unsigned int k = 0; k < dlen; k++) {
+				if (zbuf[k] == domain_len) {
+					vrd.target_sni = 1;
+					vrd.sni_len = domain_len;
+					vrd.sni_offset = (k - domain_len - 1);
+					goto out;
+				}
+			}
+
+
+			j = i + 1;
+		}
+	}
+
+	goto out;
+}
+
+
+int gen_fake_sni(const struct iphdr *iph, const struct tcphdr *tcph, 
+		 uint8_t *buf, uint32_t *buflen) {
+
+	if (!iph || !tcph || !buf || !buflen)
+		return -EINVAL;
+
+	int ip_len = iph->ihl * 4;
+	int tcph_len = tcph->doff * 4;
+
+	const char *data = config.fake_sni_pkt;
+	size_t data_len = config.fake_sni_pkt_sz;
+
+	size_t dlen = ip_len + tcph_len + data_len;
+
+	if (*buflen < dlen) 
+		return -ENOMEM;
+
+	memcpy(buf, iph, ip_len);
+	memcpy(buf + ip_len, tcph, tcph_len);
+	memcpy(buf + ip_len + tcph_len, data, data_len);
+
+	struct iphdr *niph = (struct iphdr *)buf;
+	struct tcphdr *ntcph = (struct tcphdr *)(buf + ip_len);
+
+	niph->protocol = IPPROTO_TCP;
+	niph->tot_len = htons(dlen);
+
+	fail4_packet(buf, *buflen);
+
+	*buflen = dlen;
+	return 0;
+}
+
+int fail4_packet(uint8_t *payload, uint32_t plen) {
+	struct iphdr *iph;
+	uint32_t iph_len;
+	struct tcphdr *tcph;
+	uint32_t tcph_len;
+	uint8_t *data;
+	uint32_t dlen;
+	int ret;
+
+	ret = tcp4_payload_split(payload, plen, 
+			&iph, &iph_len, &tcph, &tcph_len,
+			&data, &dlen);
+
+	if (ret < 0) {
+		return ret;
+	}
+
+	if (config.faking_strategy == FAKE_STRAT_RAND_SEQ) {
+#ifdef KERNEL_SCOPE
+		tcph->seq = 124;
+		tcph->ack_seq = 124;
+#else
+		tcph->seq = random();
+		tcph->ack_seq = random();
+#endif
+	} else if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+		tcph->seq = htonl(ntohl(tcph->seq) - dlen);
+	} else if (config.faking_strategy == FAKE_STRAT_TTL) {
+		iph->ttl = config.faking_ttl;
+	}
+
+	ip4_set_checksum(iph);
+	tcp4_set_checksum(tcph, iph);
+
+	if (config.faking_strategy == FAKE_STRAT_TCP_CHECK) {
+		tcph->check += 1;
+	}
+
+	return 0;
+}

mangle.h

@@ -0,0 +1,81 @@
+#ifndef YU_MANGLE_H
+#define YU_MANGLE_H
+
+#include "types.h"
+
+/**
+ * Result of analyze_tls_data function
+ */
+struct tls_verdict {
+	int target_sni; /* google video hello packet */
+	int sni_offset; /* offset from start of tcp _payload_ */
+	int sni_len;
+};
+
+/**
+ * Processes the packet and finds TLS Client Hello information inside it.
+ * data pointer points to start of TLS Message (TCP Payload)
+ */
+struct tls_verdict analyze_tls_data(const uint8_t *data, uint32_t dlen);
+
+
+/**
+ * Generates fake client hello message
+ */
+int gen_fake_sni(const struct iphdr *iph, const struct tcphdr *tcph, 
+		 uint8_t *buf, uint32_t *buflen);
+
+/**
+ * Invalidates the raw packet. The function aims to invalid the packet
+ * in such way as it will be accepted by DPI, but dropped by target server
+ */
+int fail4_packet(uint8_t *payload, uint32_t plen);
+
+#define PKT_ACCEPT	0
+#define PKT_DROP	1
+
+/**
+ * Processes the packet and returns verdict.
+ * This is the primary function that traverses the packet.
+ */
+int process_packet(const uint8_t *packet, uint32_t packet_len);
+
+
+/**
+ * Processe the TCP packet.
+ * Returns verdict.
+ */
+int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len);
+
+
+/**
+ * Processes the UDP packet.
+ * Returns verdict.
+ */
+int process_udp4_packet(const uint8_t *pkt, uint32_t pktlen);
+
+/**
+ * Sends fake client hello.
+ */
+int post_fake_sni(const struct iphdr *iph, unsigned int iph_len, 
+		     const struct tcphdr *tcph, unsigned int tcph_len,
+		     unsigned char sequence_len);
+
+/**
+ * Splits packet by poses and posts.
+ * Poses are relative to start of TCP payload.
+ * dvs used internally and should be zero.
+ */
+int send_tcp4_frags(
+	const uint8_t *packet, uint32_t pktlen, 
+	const uint32_t *poses, uint32_t poses_len, uint32_t dvs);
+
+/**
+ * Splits packet by poses and posts.
+ * Poses are relative to start of TCP payload.
+ * dvs used internally and should be zero.
+ */
+int send_ip4_frags(
+	const uint8_t *packet, uint32_t pktlen, 
+	const uint32_t *poses, uint32_t poses_len, uint32_t dvs);
+#endif /* YU_MANGLE_H */

owrt/537-youtubeUnblock.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
-# This file 
+# This file install nftables rules for openwrt
 
-insert rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
+add rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
 insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept

owrt/youtubeUnblock.owrt

@@ -1,13 +1,17 @@
 #!/bin/sh /etc/rc.common
 USE_PROCD=1
 
+START=50
+STOP=50
+
+
 # Openwrt procd script: https://openwrt.org/docs/guide-developer/procd-init-script-example
 # The program should be put into /usr/bin/
 # This file should be put into /etc/init.d/
 
 start_service() {
 	procd_open_instance
-	procd_set_param command /usr/bin/youtubeUnblock 537
+	procd_set_param command /usr/bin/youtubeUnblock
 
 	procd_set_param nice -20
 

quic.c

@@ -0,0 +1,140 @@
+#include "quic.h"
+#include "logging.h"
+
+
+/**
+ * Packet number.
+ */
+struct quic_pnumber {
+	uint8_t d1;
+	uint8_t d2;
+	uint8_t d3;
+	uint8_t d4;
+};
+
+uint64_t quic_parse_varlength(uint8_t *variable, uint64_t *mlen) {
+	if (mlen && *mlen == 0) return 0;
+	uint64_t vr = (*variable & 0x3F);
+	uint8_t len = 1 << (*variable >> 6);
+
+	if (mlen) {
+		if (*mlen < len) return 0;
+		*mlen = len;
+	}
+
+	++variable;
+	for (uint8_t i = 1; i < len; i++) {
+		vr = (vr << 8) + *variable;
+		++variable;
+	}
+
+	return vr;
+}
+
+int quic_parse_data(uint8_t *raw_payload, uint32_t raw_payload_len,
+		struct quic_lhdr **qch, uint32_t *qch_len,
+		struct quic_cids *qci,
+		uint8_t **payload, uint32_t *plen) {
+	if (	raw_payload == NULL || 
+		raw_payload_len < sizeof(struct quic_lhdr)) 
+		goto invalid_packet;
+
+	struct quic_lhdr *nqch = (struct quic_lhdr *)raw_payload;
+	uint32_t left_len = raw_payload_len - sizeof(struct quic_lhdr);
+	uint8_t *cur_rawptr = raw_payload + sizeof(struct quic_lhdr);
+	if (!nqch->fixed) {
+		lgtrace_addp("quic fixed uset");
+		return -EPROTO;
+	}
+
+	uint8_t found = 0;
+	for (uint8_t i = 0; i < sizeof(supported_versions); i++) {
+		if (ntohl(nqch->version) == supported_versions[i]) {
+			found = 1;
+		}
+	}
+
+	if (!found) {
+		lgtrace_addp("quic version undefined %d", ntohl(nqch->version));
+		return -EPROTO;
+	}
+
+	lgtrace_addp("quic version valid %d", ntohl(nqch->version));
+
+	if (left_len < 2) goto invalid_packet;
+	struct quic_cids nqci = {0};
+
+	nqci.dst_len = *cur_rawptr++;
+	left_len--;
+	if (left_len < nqci.dst_len) goto invalid_packet;
+	nqci.dst_id = cur_rawptr;
+	cur_rawptr += nqci.dst_len;
+	left_len -= nqci.dst_len;
+
+	nqci.src_len = *cur_rawptr++;
+	left_len--;
+	if (left_len < nqci.src_len) goto invalid_packet;
+	nqci.src_id = cur_rawptr;
+	cur_rawptr += nqci.src_len;
+	left_len -= nqci.src_len;
+
+	if (qch) *qch = nqch;
+	if (qch_len) {
+		*qch_len = sizeof(struct quic_lhdr) + 
+			nqci.src_len + nqci.dst_len;
+	}
+	if (qci) *qci = nqci;
+	if (payload) *payload = cur_rawptr;
+	if (plen) *plen = left_len;
+
+	return 0;
+
+invalid_packet:
+	return -EINVAL;
+}
+
+int quic_parse_initial_message(uint8_t *inpayload, uint32_t inplen,
+			const struct quic_lhdr *qch, 
+			struct quici_hdr *qhdr,
+			uint8_t **payload, uint32_t *plen) {
+	if (inplen < 3) goto invalid_packet;
+	struct quici_hdr nqhdr;
+
+	uint8_t *cur_ptr = inpayload;
+	uint32_t left_len = inplen;
+	uint64_t tlen = left_len;
+
+	nqhdr.token_len = quic_parse_varlength(cur_ptr, &tlen);
+	nqhdr.token = cur_ptr + tlen;
+	
+	if (left_len < nqhdr.token_len + tlen) 
+		goto invalid_packet;
+	cur_ptr += tlen + nqhdr.token_len;
+	left_len -= tlen + nqhdr.token_len;
+
+	tlen = left_len;
+	nqhdr.length = quic_parse_varlength(cur_ptr, &tlen);
+
+	if (left_len != nqhdr.length + tlen && 
+		left_len <= qch->number_length + 1)
+		goto invalid_packet;
+
+	uint32_t packet_number = 0;
+
+	for (uint8_t i = 0; i <= qch->number_length; i++) {
+		packet_number = (packet_number << 8) + *cur_ptr++;
+		left_len--;
+	}
+
+	nqhdr.packet_number = packet_number;
+
+	if (qhdr) *qhdr = nqhdr;
+	if (payload) *payload = cur_ptr;
+	if (plen) *plen = left_len;
+
+	return 0;
+
+invalid_packet:
+	lgerror("QUIC invalid Initial packet", -EINVAL);
+	return -EINVAL;
+}

quic.h

@@ -0,0 +1,128 @@
+#ifndef QUIC_H
+#define QUIC_H
+#include "types.h"
+
+
+/**
+* @macro
+*
+* :macro:`NGTCP2_INITIAL_SALT_V1` is a salt value which is used to
+* derive initial secret.  It is used for QUIC v1.
+*/
+#define QUIC_INITIAL_SALT_V1 \
+ "\x38\x76\x2c\xf7\xf5\x59\x34\xb3\x4d\x17\x9a\xe6\xa4\xc8\x0c\xad" \
+ "\xcc\xbb\x7f\x0a"
+
+/**
+* @macro
+*
+* :macro:`NGTCP2_INITIAL_SALT_V2` is a salt value which is used to
+* derive initial secret.  It is used for QUIC v2.
+*/
+#define QUIC_INITIAL_SALT_V2 \
+ "\x0d\xed\xe3\xde\xf7\x00\xa6\xdb\x81\x93\x81\xbe\x6e\x26\x9d\xcb" \
+ "\xf9\xbd\x2e\xd9"
+
+#define QUIC_INITIAL_TYPE	0
+#define QUIC_0_RTT_TYPE		1
+#define QUIC_HANDSHAKE_TYPE	2
+#define QUIC_RETRY_TYPE		3
+
+#define QUIC_INITIAL_TYPE_V1	0b00
+#define QUIC_0_RTT_TYPE_V1	0b01
+#define QUIC_HANDSHAKE_TYPE_V1	0b10
+#define QUIC_RETRY_TYPE_V1	0b11
+#define quic_convtype_v1(type) (type)
+
+#define QUIC_INITIAL_TYPE_V2	0b01
+#define QUIC_0_RTT_TYPE_V2	0b10
+#define QUIC_HANDSHAKE_TYPE_V2	0b11
+#define QUIC_RETRY_TYPE_V2	0b00
+#define quic_convtype_v2(type) (((type) + 1) & 0b11)
+
+#define QUIC_V1	1		// RFC 9000
+#define QUIC_V2	0x6b3343cf	// RFC 9369
+
+static const uint32_t supported_versions[] = {
+	QUIC_V1,
+	QUIC_V2,
+};
+
+/**
+ * Quic Large Header
+ */
+struct quic_lhdr {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+	uint8_t number_length:2;
+	uint8_t reserved:2;
+	uint8_t type:2;
+	uint8_t fixed:1;
+	uint8_t form:1;
+#elif __BYTE_ORDER == __BIG_ENDIAN
+	uint8_t form:1;
+	uint8_t fixed:1;
+	uint8_t type:2;
+	uint8_t reserved:2;
+	uint8_t number_length:2;
+#else
+#error "Undefined endian"
+#endif
+	uint32_t version;
+}__attribute__((packed));
+
+/**
+ * Quic Large Header Ids 
+ * (separated from the original header because of varying dst 
+ */
+struct quic_cids {
+	uint8_t dst_len;
+	uint8_t *dst_id;
+	uint8_t src_len;
+	uint8_t *src_id;
+};
+
+/**
+ * Parses QUIС raw data (UDP payload) to quic large header and 
+ * quic payload.
+ *
+ * \qch_len is sizeof(qch) + qci->dst_len + qci->src_id
+ * \payload is Type-Specific payload (#17.2).
+ */
+int quic_parse_data(uint8_t *raw_payload, uint32_t raw_payload_len,
+		struct quic_lhdr **qch, uint32_t *qch_len,
+		struct quic_cids *qci,
+		uint8_t **payload, uint32_t *plen);
+		
+
+/**
+ * Parses QUIC variable-length integer. (#16)
+ * \variable is a pointer to the sequence to be parsed
+ * (varlen integer in big endian format)
+ *
+ * \mlen Used to signal about variable length and validate left length
+ * in the buffer.
+ */
+uint64_t quic_parse_varlength(uint8_t *variable, uint64_t *mlen);
+
+// quici stands for QUIC Initial
+
+/**
+ * This structure should be parsed
+ */
+struct quici_hdr {
+	uint64_t token_len;
+	uint8_t *token;
+	uint64_t length;
+	uint32_t packet_number;
+};
+
+/**
+ * Parses QUIC initial payload.
+ * \inpayload is a raw QUIC payload (payload after quic large header)
+ */
+int quic_parse_initial_message(uint8_t *inpayload, uint32_t inplen,
+			const struct quic_lhdr *qch,
+			struct quici_hdr *qhdr,
+			uint8_t **payload, uint32_t *plen);
+
+#endif /* QUIC_H */

raw_replacements.h

@@ -1,6 +1,10 @@
 #ifndef RAW_REPLACEMENTS_H
 #define RAW_REPLACEMENTS_H
 
-const char fake_sni[] = "\276(\001\273\366\234|\335\213\222\023\330\200\030\001\366\350e\000\000\001\001\b\n}\355\267Hm/\217\347\026\003\001\004\316\001\000\004\312\003\003K+\272\314\340\306\374>dw%\f\223\346\225\270\270~\335\027\f\264\341H\267\357\303\216T\322[\371 \245\320\212V6\374\3706\232\0216B\325\273P\b\300>\0332>\362\323\033\322\301\204\022f8\223\214\000\"\023\001\023\003\023\002\300+\300/\314\251\314\250\300,\3000\300\n\300\t\300\023\300\024\000\234\000\235\000/\0005\001\000\004_\000\000\000\023\000\021\000\000\016www.google.com\000\027\000\000\377\001\000\001\000\000\n\000\016\000\f\000\035\000\027\000\030\000\031\001\000\001\001\000\v\000\002\001\000\000\020\000\v\000\t\bhttp/1.1\000\005\000\005\001\000\000\000\000\000\"\000\n\000\b\004\003\005\003\006\003\002\003\0003\000k\000i\000\035\000 \333C\212\234-\t\237#\202\\\231\311\022]\333\341t(\t\276U\373u\234\316J~,^|*Z\000\027\000A\004k\n\255\254\376X\226t\001;n~\033\034.\245\027\024\3762_\352$\374\346^f\fF,\201\275\263\336O\231\001\032\200\357dI\266y\031\323\311vR\232\004\r\366FT\004\335\326\356\256\230B\t\313\000*\000\000\000+\000\005\004\003\004\003\003\000\r\000\030\000\026\004\003\005\003\006\003\b\004\b\005\b\006\004\001\005\001\006\001\002\003\002\001\000-\000\002\001\001\000\034\000\002@\001\376\r\0029\000\000\001\000\003\344\000 \337\306\243\332Y\033\a\252\352\025\365Z\035\223\226\304\255\363\215G\356g\344%}7\217\033n\211^\201\002\017g\267\334\326OD}\336\341ZC\230\226'\225\313\357\211\\\242\273\030k\216\377U\315\206\2410\200\203\332Z\223\005\370\b\304\370f\017\200\023\241\223~?\270{\037b\312\001\270\227\366\356\352\002\314\351\006\237\241q\226\300\314\321o\247{\201\317\230}B\005T\3660\335\320\332r?S\217\tq\036\031\326I|\237]\311 c\f\024r\031\310W\373\257\314q)q\030\237\261\227\217Kd?\257'G\320\020\340\256ND\247\005\341\324\024OP>\370\350\270b\311wAj\t\311\213\365i\203\230x\207\354\245<\274\202\230c\v0Y\263\364\022\303a\200\022\031\314\271rl=\327\336\001\327\264\267\342\353\352=\354[u\224\260\257\034\004\232\023\226}\227\030e\221\"\350\207\027dId\324\305\362N:\035\307`\204\337\201;\221\320\266b\362hrH\345e\206\246%\006\020a4\3430\036\225\215\274\275\360Q&\271\237)\222uK\362\017o\220\226W\357\267#\357\v\023\354\213\2629\331\ad\005/~6k\000[\247\301\270\310qJ\004\303|m5\363\376Y\002\243}6\251x\024\331)GH\335\205rI\032\f\210\a\212\347]\271\030\347.\021\213\365\026\030\340/Ny\r\332\3577\3203\026iX}>\2507\327&XRXU!\017\270I\313\352\350^?\352Uss\017\266pF\222NI\245\307_\305#\361\352\243+-\266\317Q\036s\243\277\355{S&\023>\275\360\215\032V\237XOY\345u>\002\305\252T\354\035\327v{P\352M\233\366\221\270\377\251\261f+rF\201wL2W\266X\252\242X\2536I\337c\205uZ\254Fe\305h\t\371\376\216r\336Y\327h\347*\331\257-ZQ{(\336\226\206\017\037\036\021\341\027z\033\254\235\252\227\224\004?p\243\351\\\263\352\205\327#W\345\255\256\375\267bP\3047\363!*K\003t\212(\306\214P\215\3506j\025\375\213e\254s\000)\001\034\000\367\000\361\002\276W%\232?\326\223\277\211v\017\a\361\347\312N\226\024L\260v\210\271j\324[|\270\344\3773\321-\313b>~\310\253XIR\324)&;\033{g;)\344\255\226\370\347I\\y\020\324\360\211vC\310\226s\267|\273$\341\332\2045qh\245w\2255\214\316\030\255\301\326C\343\304=\245\231h`yd\000#s\002\370\374Z\0336\245\361\226\222\306\032k\2457\016h\314(R;\326T~EHH\352\307\023^\247\363\321`V\340\253Z\233\357\227I\373\337z\177\nv\261\252\371\017\226\223\345\005\315y4\b\236N0\2630\017\215c\305&L\260\346J\237\203Q(\335W\027|>\3553\275j\307?W5\3463kc\350\262C\361 \037w!\371}\214\"I\377|\331@a;\342\3566\312\272Z\327u7\204'\215YBLL\235\236\242\345\215\245T\211a\312\263\342\000! \221\202X$\302\317\203\246\207c{\231\330\264\324\\k\271\272\336\356\002|\261O\207\030+\367P\317\356";
+#define FAKE_SNI_MAXLEN 1500
+
+static const char fake_sni[] = "\026\003\001\002\000\001\000\001\374\003\003\323[\345\201f\362\200:B\356Uq\355X\315i\235*\021\367\331\272\a>\233\254\355\307/\342\372\265 \275\2459l&r\222\313\361\3729`\376\256\233\333O\001\373\33050\r\260f,\231\035  \324^\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/\000\236\300$\300(\000k\300#\300'\000g\300\n\300\024\0009\300\t\300\023\0003\000\235\000\234\000=\000<\0005\000/\000\377\001\000\001u\000\000\000\023\000\021\000\000\016www.google.com\000\v\000\004\003\000\001\002\000\n\000\026\000\024\000\035\000\027\000\036\000\031\000\030\001\000\001\001\001\002\001\003\001\004\000\020\000\016\000\f\002h2\bhttp/1.1\000\026\000\000\000\027\000\000\0001\000\000\000\r\0000\000.\004\003\005\003\006\003\b\a\b\b\b\032\b\033\b\034\b\t\b\n\b\v\b\004\b\005\b\006\004\001\005\001\006\001\003\003\003\001\003\002\004\002\005\002\006\002\000+\000\005\004\003\004\003\003\000-\000\002\001\001\0003\000&\000$\000\035\000 \004\224\206\021\256\f\222\266\3435\216\202\342\2573\341\3503\2107\341\023\016\240r|6\000^K\310s\000\025\000\255\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000";
+
+static const char fake_sni_old[] = "\026\003\001\004\316\001\000\004\312\003\003K+\272\314\340\306\374>dw%\f\223\346\225\270\270~\335\027\f\264\341H\267\357\303\216T\322[\371 \245\320\212V6\374\3706\232\0216B\325\273P\b\300>\0332>\362\323\033\322\301\204\022f8\223\214\000\"\023\001\023\003\023\002\300+\300/\314\251\314\250\300,\3000\300\n\300\t\300\023\300\024\000\234\000\235\000/\0005\001\000\004_\000\000\000\023\000\021\000\000\016www.google.com\000\027\000\000\377\001\000\001\000\000\n\000\016\000\f\000\035\000\027\000\030\000\031\001\000\001\001\000\v\000\002\001\000\000\020\000\v\000\t\bhttp/1.1\000\005\000\005\001\000\000\000\000\000\"\000\n\000\b\004\003\005\003\006\003\002\003\0003\000k\000i\000\035\000 \333C\212\234-\t\237#\202\\\231\311\022]\333\341t(\t\276U\373u\234\316J~,^|*Z\000\027\000A\004k\n\255\254\376X\226t\001;n~\033\034.\245\027\024\3762_\352$\374\346^f\fF,\201\275\263\336O\231\001\032\200\357dI\266y\031\323\311vR\232\004\r\366FT\004\335\326\356\256\230B\t\313\000*\000\000\000+\000\005\004\003\004\003\003\000\r\000\030\000\026\004\003\005\003\006\003\b\004\b\005\b\006\004\001\005\001\006\001\002\003\002\001\000-\000\002\001\001\000\034\000\002@\001\376\r\0029\000\000\001\000\003\344\000 \337\306\243\332Y\033\a\252\352\025\365Z\035\223\226\304\255\363\215G\356g\344%}7\217\033n\211^\201\002\017g\267\334\326OD}\336\341ZC\230\226'\225\313\357\211\\\242\273\030k\216\377U\315\206\2410\200\203\332Z\223\005\370\b\304\370f\017\200\023\241\223~?\270{\037b\312\001\270\227\366\356\352\002\314\351\006\237\241q\226\300\314\321o\247{\201\317\230}B\005T\3660\335\320\332r?S\217\tq\036\031\326I|\237]\311 c\f\024r\031\310W\373\257\314q)q\030\237\261\227\217Kd?\257'G\320\020\340\256ND\247\005\341\324\024OP>\370\350\270b\311wAj\t\311\213\365i\203\230x\207\354\245<\274\202\230c\v0Y\263\364\022\303a\200\022\031\314\271rl=\327\336\001\327\264\267\342\353\352=\354[u\224\260\257\034\004\232\023\226}\227\030e\221\"\350\207\027dId\324\305\362N:\035\307`\204\337\201;\221\320\266b\362hrH\345e\206\246%\006\020a4\3430\036\225\215\274\275\360Q&\271\237)\222uK\362\017o\220\226W\357\267#\357\v\023\354\213\2629\331\ad\005/~6k\000[\247\301\270\310qJ\004\303|m5\363\376Y\002\243}6\251x\024\331)GH\335\205rI\032\f\210\a\212\347]\271\030\347.\021\213\365\026\030\340/Ny\r\332\3577\3203\026iX}>\2507\327&XRXU!\017\270I\313\352\350^?\352Uss\017\266pF\222NI\245\307_\305#\361\352\243+-\266\317Q\036s\243\277\355{S&\023>\275\360\215\032V\237XOY\345u>\002\305\252T\354\035\327v{P\352M\233\366\221\270\377\251\261f+rF\201wL2W\266X\252\242X\2536I\337c\205uZ\254Fe\305h\t\371\376\216r\336Y\327h\347*\331\257-ZQ{(\336\226\206\017\037\036\021\341\027z\033\254\235\252\227\224\004?p\243\351\\\263\352\205\327#W\345\255\256\375\267bP\3047\363!*K\003t\212(\306\214P\215\3506j\025\375\213e\254s\000)\001\034\000\367\000\361\002\276W%\232?\326\223\277\211v\017\a\361\347\312N\226\024L\260v\210\271j\324[|\270\344\3773\321-\313b>~\310\253XIR\324)&;\033{g;)\344\255\226\370\347I\\y\020\324\360\211vC\310\226s\267|\273$\341\332\2045qh\245w\2255\214\316\030\255\301\326C\343\304=\245\231h`yd\000#s\002\370\374Z\0336\245\361\226\222\306\032k\2457\016h\314(R;\326T~EHH\352\307\023^\247\363\321`V\340\253Z\233\357\227I\373\337z\177\nv\261\252\371\017\226\223\345\005\315y4\b\236N0\2630\017\215c\305&L\260\346J\237\203Q(\335W\027|>\3553\275j\307?W5\3463kc\350\262C\361 \037w!\371}\214\"I\377|\331@a;\342\3566\312\272Z\327u7\204'\215YBLL\235\236\242\345\215\245T\211a\312\263\342\000! \221\202X$\302\317\203\246\207c{\231\330\264\324\\k\271\272\336\356\002|\261O\207\030+\367P\317\356";
 
 #endif /*RAW_REPLACEMENTS_H*/

types.h

@@ -0,0 +1,62 @@
+#define _GNU_SOURCE
+#ifndef TYPES_H
+#define TYPES_H
+#include <asm/byteorder.h>
+
+#ifdef KERNEL_SCOPE
+#include <linux/errno.h> // IWYU pragma: export
+#include <linux/string.h> // IWYU pragma: export
+
+#include <linux/types.h>
+typedef __u8	uint8_t;
+typedef __u16	uint16_t;
+typedef __u32 	uint32_t;
+typedef __u64 	uint64_t;
+typedef __i8	int8_t;
+typedef __i16	int16_t;
+typedef __i32	int32_t;
+typedef __i64	int64_t;
+#else /* USERSPACE_SCOPE */
+
+#include <errno.h>  // IWYU pragma: export
+#include <stdint.h> // IWYU pragma: export
+#include <string.h> // IWYU pragma: export
+
+#endif /* SCOPES */
+
+// Network specific structures
+#ifdef KERNEL_SPACE
+#include <linux/stddef.h> // IWYU pragma: export
+#include <linux/net.h> // IWYU pragma: export
+#include <linux/in.h> // IWYU pragma: export
+#include <linux/ip.h> // IWYU pragma: export
+#include <linux/tcp.h> // IWYU pragma: export
+
+/* from <netinet/ip.h> */
+#define	IP_RF 0x8000			/* reserved fragment flag */
+#define	IP_DF 0x4000			/* dont fragment flag */
+#define	IP_MF 0x2000			/* more fragments flag */
+#define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
+#else
+#define USER_SPACE
+#include <arpa/inet.h>		// IWYU pragma: export
+#include <netinet/ip.h>		// IWYU pragma: export
+#include <netinet/tcp.h>	// IWYU pragma: export
+#include <netinet/udp.h>	// IWYU pragma: export
+#endif
+
+#define max(a,b)__extension__\
+({                           \
+    __typeof__ (a) _a = (a); \
+    __typeof__ (b) _b = (b); \
+    _a > _b ? _a : _b;       \
+})
+
+#define min(a,b)__extension__\
+({                           \
+    __typeof__ (a) _a = (a); \
+    __typeof__ (b) _b = (b); \
+    _a < _b ? _a : _b;       \
+})
+
+#endif /* TYPES_H */

uspace.mk

@@ -0,0 +1,100 @@
+#Userspace app makes here
+BUILD_DIR := $(CURDIR)/build
+DEPSDIR := $(BUILD_DIR)/deps
+
+CC:=gcc
+CCLD:=$(CC)
+LD:=ld
+override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
+override LDFLAGS += -L$(DEPSDIR)/lib
+
+LIBNFNETLINK_CFLAGS := -I$(DEPSDIR)/include
+LIBNFNETLINK_LIBS := -L$(DEPSDIR)/lib
+LIBMNL_CFLAGS := -I$(DEPSDIR)/include
+LIBMNL_LIBS := -L$(DEPSDIR)/lib
+
+# PREFIX is environment variable, if not set default to /usr/local
+ifeq ($(PREFIX),)
+	PREFIX := /usr/local
+endif
+
+export CC CCLD LD CFLAGS LDFLAGS LIBNFNETLINK_CFLAGS LIBNFNETLINK_LIBS LIBMNL_CFLAGS LIBMNL_LIBS
+
+APP:=$(BUILD_DIR)/youtubeUnblock
+
+SRCS := youtubeUnblock.c mangle.c args.c utils.c quic.c
+OBJS := $(SRCS:%.c=$(BUILD_DIR)/%.o)
+
+LIBNFNETLINK := $(DEPSDIR)/lib/libnfnetlink.la
+LIBMNL := $(DEPSDIR)/lib/libmnl.la
+LIBNETFILTER_QUEUE := $(DEPSDIR)/lib/libnetfilter_queue.la
+#LIBCRYPTO := $(DEPSDIR)/lib64/libcrypto.a
+
+.PHONY: default all dev dev_attrs prepare_dirs
+default: all
+
+run_dev: dev
+	bash -c "sudo $(APP)"
+
+dev: dev_attrs all
+
+dev_attrs:
+	$(eval CFLAGS := $(CFLAGS) -DDEBUG -ggdb -g3)
+
+all: prepare_dirs $(APP)
+
+prepare_dirs:
+	mkdir -p $(BUILD_DIR)
+	mkdir -p $(DEPSDIR)
+
+$(LIBCRYPTO):
+	cd deps/openssl && ./Configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--cross-compile-prefix=$(CROSS_COMPILE_PLATFORM)-,) --no-shared
+	$(MAKE) -C deps/openssl
+	$(MAKE) install_sw -C deps/openssl
+
+$(LIBNFNETLINK):
+	cd deps/libnfnetlink && ./autogen.sh && ./configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--host=$(CROSS_COMPILE_PLATFORM),) --enable-static --disable-shared
+	$(MAKE) -C deps/libnfnetlink
+	$(MAKE) install -C deps/libnfnetlink
+	
+$(LIBMNL):
+	cd deps/libmnl && ./autogen.sh && ./configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--host=$(CROSS_COMPILE_PLATFORM),) --enable-static --disable-shared
+	$(MAKE) -C deps/libmnl
+	$(MAKE) install -C deps/libmnl
+
+$(LIBNETFILTER_QUEUE): $(LIBNFNETLINK) $(LIBMNL) 
+	cd deps/libnetfilter_queue && ./autogen.sh && ./configure --prefix=$(DEPSDIR) $(if $(CROSS_COMPILE_PLATFORM),--host=$(CROSS_COMPILE_PLATFORM),) --enable-static --disable-shared
+	$(MAKE) -C deps/libnetfilter_queue
+	$(MAKE) install -C deps/libnetfilter_queue
+
+$(APP): $(OBJS) $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+	@echo 'CCLD $(APP)'
+	$(CCLD) $(OBJS) -o $(APP) $(LDFLAGS) -lmnl -lnetfilter_queue -lpthread
+
+$(BUILD_DIR)/%.o: %.c $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO) config.h
+	@echo 'CC $@'
+	$(CC) -c $(CFLAGS) $(LDFLAGS) $< -o $@
+
+install: all
+	install -d $(DESTDIR)$(PREFIX)/bin/
+	install -m 755 $(APP) $(DESTDIR)$(PREFIX)/bin/
+	install -d $(DESTDIR)$(PREFIX)/lib/systemd/system/
+	@cp youtubeUnblock.service $(BUILD_DIR)
+	@sed -i 's/$$(PREFIX)/$(subst /,\/,$(PREFIX))/g' $(BUILD_DIR)/youtubeUnblock.service
+	install -m 644 $(BUILD_DIR)/youtubeUnblock.service $(DESTDIR)$(PREFIX)/lib/systemd/system/
+
+uninstall:
+	rm $(DESTDIR)$(PREFIX)/bin/youtubeUnblock
+	rm $(DESTDIR)$(PREFIX)/lib/systemd/system/youtubeUnblock.service
+	-systemctl disable youtubeUnblock.service
+
+clean:
+	find $(BUILD_DIR) -maxdepth 1 -type f | xargs rm -rf
+
+distclean: clean
+	rm -rf $(BUILD_DIR)
+	$(MAKE) distclean -C deps/libnetfilter_queue || true
+	$(MAKE) distclean -C deps/libmnl || true
+	$(MAKE) distclean -C deps/libnfnetlink || true
+	#$(MAKE) distclean -C deps/openssl || true
+

utils.c

@@ -0,0 +1,312 @@
+#include "utils.h"
+#include "logging.h"
+
+#ifdef KERNEL_SPACE
+#include <linux/ip.h>
+#else 
+#include <stdlib.h>
+#include <libnetfilter_queue/libnetfilter_queue_ipv4.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#endif
+
+
+void tcp4_set_checksum(struct tcphdr *tcph, struct iphdr *iph) 
+{
+#ifdef KERNEL_SPACE
+	uint32_t tcp_packet_len = ntohs(iph->tot_len) - (iph->ihl << 2);
+	tcph->check = 0;
+	tcph->check = csum_tcpudp_magic(
+		iph->saddr, iph->daddr, tcp_packet_len,
+		IPPROTO_TCP, 
+		csum_partial(tcph, tcp_packet_len, 0));
+#else
+	nfq_tcp_compute_checksum_ipv4(tcph, iph);
+#endif
+}
+
+void ip4_set_checksum(struct iphdr *iph) 
+{
+#ifdef KERNEL_SPACE
+	iph->check = 0;
+	iph->check = ip_fast_csum(iph, iph->ihl);
+#else
+	nfq_ip_set_checksum(iph);
+#endif
+}
+
+
+int ip4_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct iphdr **iph, uint32_t *iph_len, 
+		       uint8_t **payload, uint32_t *plen) {
+	if (pkt == NULL || buflen < sizeof(struct iphdr)) {
+		lgerror("ip4_payload_split: pkt|buflen", -EINVAL);
+		return -EINVAL;
+	}
+
+	struct iphdr *hdr = (struct iphdr *)pkt;
+	if (hdr->version != IPVERSION) {
+		lgerror("ip4_payload_split: ipversion", -EINVAL);
+		return -EINVAL;
+	}
+
+	uint32_t hdr_len = hdr->ihl * 4;
+	uint32_t pktlen = ntohs(hdr->tot_len);
+	if (buflen < pktlen || hdr_len > pktlen) {
+		lgerror("ip4_payload_split: buflen cmp pktlen", -EINVAL);
+		return -EINVAL;
+	}
+
+	if (iph) 
+		*iph = hdr;
+	if (iph_len)
+		*iph_len = hdr_len;
+	if (payload)
+		*payload = pkt + hdr_len;
+	if (plen)
+		*plen = pktlen - hdr_len;
+
+	return 0;
+}
+
+int tcp4_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct iphdr **iph, uint32_t *iph_len,
+		       struct tcphdr **tcph, uint32_t *tcph_len,
+		       uint8_t **payload, uint32_t *plen) {
+	struct iphdr *hdr;
+	uint32_t hdr_len;
+	struct tcphdr *thdr;
+	uint32_t thdr_len;
+	
+	uint8_t *tcph_pl;
+	uint32_t tcph_plen;
+
+	if (ip4_payload_split(pkt, buflen, &hdr, &hdr_len, 
+			&tcph_pl, &tcph_plen)){
+		return -EINVAL;
+	}
+
+
+	if (
+		hdr->protocol != IPPROTO_TCP || 
+		tcph_plen < sizeof(struct tcphdr)) {
+		return -EINVAL;
+	}
+
+
+	thdr = (struct tcphdr *)(tcph_pl);
+	thdr_len = thdr->doff * 4;
+
+	if (thdr_len > tcph_plen) {
+		return -EINVAL;
+	}
+
+	if (iph) *iph = hdr;
+	if (iph_len) *iph_len = hdr_len;
+	if (tcph) *tcph = thdr;
+	if (tcph_len) *tcph_len = thdr_len;
+	if (payload) *payload = tcph_pl + thdr_len;
+	if (plen) *plen = tcph_plen - thdr_len;
+
+	return 0;
+}
+
+int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct iphdr **iph, uint32_t *iph_len,
+		       struct udphdr **udph,
+		       uint8_t **payload, uint32_t *plen) {
+	struct iphdr *hdr;
+	uint32_t hdr_len;
+	struct udphdr *uhdr;
+	uint32_t uhdr_len;
+	
+	uint8_t *ip_ph;
+	uint32_t ip_phlen;
+
+	if (ip4_payload_split(pkt, buflen, &hdr, &hdr_len, 
+			&ip_ph, &ip_phlen)){
+		return -EINVAL;
+	}
+
+
+	if (
+		hdr->protocol != IPPROTO_UDP || 
+		ip_phlen < sizeof(struct udphdr)) {
+		return -EINVAL;
+	}
+
+
+	uhdr = (struct udphdr *)(ip_ph);
+	if (uhdr->len != 0 && ntohs(uhdr->len) != ip_phlen) {
+		return -EINVAL;
+	}
+
+	if (iph) *iph = hdr;
+	if (iph_len) *iph_len = hdr_len;
+	if (udph) *udph = uhdr;
+	if (payload) *payload = ip_ph + sizeof(struct udphdr);
+	if (plen) *plen = ip_phlen - sizeof(struct udphdr);
+
+	return 0;
+}
+
+// split packet to two ipv4 fragments.
+int ip4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset, 
+			uint8_t *frag1, uint32_t *f1len, 
+			uint8_t *frag2, uint32_t *f2len) {
+	
+	struct iphdr *hdr;
+	const uint8_t *payload;
+	uint32_t plen;
+	uint32_t hdr_len;
+	int ret;
+
+	if (!frag1 || !f1len || !frag2 || !f2len)
+		return -EINVAL;
+
+	if ((ret = ip4_payload_split(
+		(uint8_t *)pkt, buflen, 
+		&hdr, &hdr_len, (uint8_t **)&payload, &plen)) < 0) {
+		lgerror("ipv4_frag: TCP Header extract error", ret);
+		return -EINVAL;
+	}
+
+	if (plen <= payload_offset) {
+		return -EINVAL;
+	}
+
+	if (payload_offset & ((1 << 3) - 1)) {
+		lgerror("ipv4_frag: Payload offset MUST be a multiply of 8!", -EINVAL);
+
+		return -EINVAL;
+	}
+
+	uint32_t f1_plen = payload_offset;
+	uint32_t f1_dlen = f1_plen + hdr_len;
+
+	uint32_t f2_plen = plen - payload_offset;
+	uint32_t f2_dlen = f2_plen + hdr_len;
+
+	if (*f1len < f1_dlen || *f2len < f2_dlen) {
+		return -ENOMEM;
+	}
+	*f1len = f1_dlen;
+	*f2len = f2_dlen;
+
+	memcpy(frag1, hdr, hdr_len);
+	memcpy(frag2, hdr, hdr_len);
+
+	memcpy(frag1 + hdr_len, payload, f1_plen);
+	memcpy(frag2 + hdr_len, payload + payload_offset, f2_plen);
+
+	struct iphdr *f1_hdr = (void *)frag1;
+	struct iphdr *f2_hdr = (void *)frag2;
+
+	uint16_t f1_frag_off = ntohs(f1_hdr->frag_off);
+	uint16_t f2_frag_off = ntohs(f2_hdr->frag_off);
+
+	f1_frag_off &= IP_OFFMASK;
+	f1_frag_off |= IP_MF;
+	
+	if ((f2_frag_off & ~IP_OFFMASK) == IP_MF) {
+		f2_frag_off &= IP_OFFMASK;
+		f2_frag_off |= IP_MF;
+	} else {
+		f2_frag_off &= IP_OFFMASK;
+	}
+	
+	f2_frag_off += (uint16_t)payload_offset / 8;
+
+	f1_hdr->frag_off = htons(f1_frag_off);
+	f1_hdr->tot_len = htons(f1_dlen);
+
+	f2_hdr->frag_off = htons(f2_frag_off);
+	f2_hdr->tot_len = htons(f2_dlen);
+
+
+	lgdebugmsg("Packet split in portion %u %u", f1_plen, f2_plen);
+
+	ip4_set_checksum(f1_hdr);
+	ip4_set_checksum(f2_hdr);
+
+	return 0;
+}
+
+// split packet to two tcp-on-ipv4 segments.
+int tcp4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset, 
+			uint8_t *seg1, uint32_t *s1len, 
+			uint8_t *seg2, uint32_t *s2len) {
+
+	struct iphdr *hdr;
+	uint32_t hdr_len;
+	struct tcphdr *tcph;
+	uint32_t tcph_len;
+	uint32_t plen;
+	const uint8_t *payload;
+	int ret;
+
+	if (!seg1 || !s1len || !seg2 || !s2len)
+		return -EINVAL;
+
+	if ((ret = tcp4_payload_split((uint8_t *)pkt, buflen,
+				&hdr, &hdr_len,
+				&tcph, &tcph_len,
+				(uint8_t **)&payload, &plen)) < 0) {
+		lgerror("tcp4_frag: tcp4_payload_split", ret);
+
+		return -EINVAL;
+	}
+
+
+	if (
+		ntohs(hdr->frag_off) & IP_MF || 
+		ntohs(hdr->frag_off) & IP_OFFMASK) {
+		lgdebugmsg("tcp4_frag: frag value: %d",
+			ntohs(hdr->frag_off));
+		lgerror("tcp4_frag: ip fragmentation is set", -EINVAL);
+		return -EINVAL;
+	}
+
+
+	if (plen <= payload_offset) {
+		return -EINVAL;
+	}
+
+	uint32_t s1_plen = payload_offset;
+	uint32_t s1_dlen = s1_plen + hdr_len + tcph_len;
+
+	uint32_t s2_plen = plen - payload_offset;
+	uint32_t s2_dlen = s2_plen + hdr_len + tcph_len;
+
+	if (*s1len < s1_dlen || *s2len < s2_dlen) 
+		return -ENOMEM;
+
+	*s1len = s1_dlen;
+	*s2len = s2_dlen;
+
+	memcpy(seg1, hdr, hdr_len);
+	memcpy(seg2, hdr, hdr_len);
+
+	memcpy(seg1 + hdr_len, tcph, tcph_len);
+	memcpy(seg2 + hdr_len, tcph, tcph_len);
+
+	memcpy(seg1 + hdr_len + tcph_len, payload, s1_plen);
+	memcpy(seg2 + hdr_len + tcph_len, payload + payload_offset, s2_plen);
+
+	struct iphdr *s1_hdr = (void *)seg1;
+	struct iphdr *s2_hdr = (void *)seg2;
+
+	struct tcphdr *s1_tcph = (void *)(seg1 + hdr_len);
+	struct tcphdr *s2_tcph = (void *)(seg2 + hdr_len);
+
+	s1_hdr->tot_len = htons(s1_dlen);
+	s2_hdr->tot_len = htons(s2_dlen);
+
+	s2_tcph->seq = htonl(ntohl(s2_tcph->seq) + payload_offset);
+
+	lgdebugmsg("Packet split in portion %u %u", s1_plen, s2_plen);
+
+	tcp4_set_checksum(s1_tcph, s1_hdr);
+	tcp4_set_checksum(s2_tcph, s2_hdr);
+
+	return 0;
+}

utils.h

@@ -0,0 +1,51 @@
+#ifndef UTILS_H
+#define UTILS_H
+
+#include "types.h"
+
+/**
+ * Splits the packet to two IP fragments on position payload_offset.
+ * payload_offset indicates the position relatively to start of IP payload
+ * (start of transport header)
+ */
+int ip4_frag(const uint8_t *pkt, uint32_t pktlen, 
+			uint32_t payload_offset, 
+			uint8_t *frag1, uint32_t *f1len, 
+			uint8_t *frag2, uint32_t *f2len);
+
+/**
+ * Splits the packet to two TCP segments on position payload_offset
+ * payload_offset indicates the position relatively to start of TCP payload.
+ */
+int tcp4_frag(const uint8_t *pkt, uint32_t pktlen, 
+			uint32_t payload_offset, 
+			uint8_t *seg1, uint32_t *s1len, 
+			uint8_t *seg2, uint32_t *s2len);
+
+/**
+ * Splits the raw packet payload to ip header and ip payload.
+ */
+int ip4_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct iphdr **iph, uint32_t *iph_len, 
+		       uint8_t **payload, uint32_t *plen);
+
+/**
+ * Splits the raw packet payload to ip header, tcp header and tcp payload.
+ */
+int tcp4_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct iphdr **iph, uint32_t *iph_len,
+		       struct tcphdr **tcph, uint32_t *tcph_len,
+		       uint8_t **payload, uint32_t *plen);
+
+/**
+ * Splits the raw packet payload to ip header, udp header and udp payload.
+ */
+int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct iphdr **iph, uint32_t *iph_len,
+		       struct udphdr **udph,
+		       uint8_t **payload, uint32_t *plen);
+
+void tcp4_set_checksum(struct tcphdr *tcph, struct iphdr *iph);
+void ip4_set_checksum(struct iphdr *iph);
+
+#endif /* UTILS_H */

youtubeUnblock.service

@@ -5,9 +5,9 @@ Description=youtubeUnblock
 StandardError=journal
 StandardOutput=journal
 StandardInput=null
-ExecStartPre=iptables -t mangle -A OUTPUT -p tcp --dport 443 -j NFQUEUE --queue-num 537 --queue-bypass
+ExecStartPre=iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
-ExecStart=$(PREFIX)/bin/youtubeUnblock 537
+ExecStart=$(PREFIX)/bin/youtubeUnblock
-ExecStop=iptables -t mangle -D OUTPUT -p tcp --dport 443 -j NFQUEUE --queue-num 537 --queue-bypass
+ExecStop=iptables -t mangle -D OUTPUT -p tcp -m tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
 
 [Install]
 WantedBy=multi-user.target