Merge pull request #132 from Waujito/custom_fakes

Custom fakes
Mention #148 in README Troubleshooting
2026-01-27 12:40:36 +03:00 · 2024-10-14 00:25:45 +03:00 · 2024-10-14 00:22:50 +03:00 · 2024-10-14 00:15:37 +03:00 · 2024-10-13 23:31:26 +03:00 · 2024-10-12 19:08:49 +03:00
25 changed files with 2953 additions and 1323 deletions
--- a/.github/workflows/build-ci.yml
+++ b/.github/workflows/build-ci.yml
@@ -43,8 +43,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        # arch: [x86_64, x86, aarch64, armhf, armv7, ppc64le, s390x]
+        arch: [x86_64, x86, aarch64, armhf, armv7]
        arch: [x86_64, x86, aarch64, armhf]
        branch: [latest-stable]
    steps:
      - name: Checkout
@@ -77,7 +76,7 @@ jobs:
        shell: alpine.sh {0}
        run: |
          case $ARCH in
-            x86_64)  PLATFORM=x86_64 ;;
+            x86_64)  PLATFORM=x86-64 ;;
            x86)     PLATFORM=x86 ;;
            aarch64) PLATFORM=arm64 ;;
            armhf)   PLATFORM=arm ;;
@@ -85,14 +84,70 @@ jobs:
          esac
          make -j$(nproc) CC="ccache gcc -static-libgcc -static" || exit 1
          strip -s build/youtubeUnblock
-          rm -rf youtubeUnblock || true
+          cp -va build/youtubeUnblock .
-          mkdir youtubeUnblock
+          tar -czvf youtubeUnblock-$VERSION-$SHA-$PLATFORM-static.tar.gz youtubeUnblock youtubeUnblock.service README.md
          cp build/youtubeUnblock youtubeUnblock
          cp youtubeUnblock.service youtubeUnblock
          cp README.md youtubeUnblock
          tar -czvf youtubeUnblock-$VERSION-$SHA-$PLATFORM-static.tar.gz youtubeUnblock
          ccache --show-stats
      - name: Upload artifacts
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
          name: youtubeUnblock-static-${{ matrix.arch }}
          path: ./**/youtubeUnblock*.tar.gz
  build-static-cross:
    needs: prepare
    name: build ${{ matrix.arch }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - arch: mips64el
            tool: mips64el-unknown-linux-musl
          - arch: mips64
            tool: mips64-unknown-linux-musl
          - arch: mipsel
            tool: mipsel-unknown-linux-musl
          - arch: mipselsf
            tool: mipsel-unknown-linux-muslsf
          - arch: mips
            tool: mips-unknown-linux-musl
          - arch: mipssf
            tool: mips-unknown-linux-muslsf
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up build tools
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: 'musl-cross/musl-cross'
          TOOL: ${{ matrix.tool }}
        run: |
          mkdir -p $HOME/tools
          gh api repos/$REPO/releases/latest --jq '.tag_name' |\
            xargs -I{} wget -qO- https://github.com/$REPO/releases/download/{}/$TOOL.tgz | tar -C $HOME/tools -xz || exit 1
          [ -d "$HOME/tools/$TOOL/bin" ] && echo "$HOME/tools/$TOOL/bin" >> $GITHUB_PATH
      - name: Build
        id: build
        env:
          ARCH: ${{ matrix.arch }}
          TOOL: ${{ matrix.tool }}
          VERSION: ${{ needs.prepare.outputs.version }}
          SHA: ${{ needs.prepare.outputs.sha }}
        run: |
          make -j$(nproc) \
            CC="$TOOL-gcc -static-libgcc -static" \
            LD=$TOOL-ld \
            AR=$TOOL-ar \
            NM=$TOOL-nm \
            STRIP=$TOOL-strip \
            CROSS_COMPILE_PLATFORM=$TOOL || exit 1
          $TOOL-strip -s build/youtubeUnblock
          cp -va build/youtubeUnblock .
          tar -czvf youtubeUnblock-$VERSION-$SHA-$ARCH-static.tar.gz youtubeUnblock youtubeUnblock.service README.md
      - name: Upload artifacts
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
@@ -169,10 +224,52 @@ jobs:
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
-          name: ${{ matrix.branch }}-${{ matrix.arch }}
+          name: youtubeUnblock-${{ matrix.branch }}-${{ matrix.arch }}
          path: /builder/youtubeUnblock*.ipk
          if-no-files-found: error
  build-openwrt-luci:
    needs: prepare
    runs-on: ubuntu-latest
    container:
      image: openwrt/sdk:x86_64-openwrt-23.05
      options: --user root
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: 'openwrt'
      - name: Prepare build
        env:
          VERSION: ${{ needs.prepare.outputs.version }}
          SHA: ${{ needs.prepare.outputs.sha }}
        run: |
          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION-$SHA/" youtubeUnblock/Makefile
      - name: Build packages
        id: build
        env:
          VERSION: ${{ needs.prepare.outputs.version }}
          SHA: ${{ needs.prepare.outputs.sha }}
        working-directory: /builder
        run: |
          echo "src-link youtubeUnblock $GITHUB_WORKSPACE" >> feeds.conf
          cat feeds.conf
          ./scripts/feeds update youtubeUnblock
          ./scripts/feeds install -a -p youtubeUnblock
          make defconfig
          make package/luci-app-youtubeUnblock/compile V=s
          mv $(find ./bin -type f -name 'luci-app-youtubeUnblock*.ipk') ./luci-app-youtubeUnblock-$VERSION-$SHA.ipk
      - name: Upload packages
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
          name: luci-app-youtubeUnblock
          path: /builder/luci-app-youtubeUnblock*.ipk
          if-no-files-found: error
  build-entware:
    needs: prepare
    runs-on: ubuntu-latest
@@ -261,13 +358,13 @@ jobs:
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
-          name: entware-${{ matrix.arch }}
+          name: youtubeUnblock-entware-${{ matrix.arch }}
          path: ./**/youtubeUnblock*-entware.tar.gz
          if-no-files-found: error
  pre-release:
    if: github.event_name != 'pull_request' && github.ref_name == 'main'
-    needs: [build-static, build-openwrt, build-entware]
+    needs: [build-static, build-static-cross, build-openwrt, build-entware]
    permissions:
      contents: write
    runs-on: ubuntu-latest
@@ -281,7 +378,9 @@ jobs:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          automatic_release_tag: 'continuous'
          prerelease: true
          draft: true
          title: 'Development build'
          files: |
            ./**/youtubeUnblock*.ipk
            ./**/youtubeUnblock*.tar.gz
            ./**/luci-app-youtubeUnblock*.ipk
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,202 @@
 # Tests whether the youtubeUnblock builds properly
 name: "youtubeUnblock build test"
 on:
  push:
    branches: [ "main" ]
    paths-ignore:
      - '.editorconfig'
      - '.gitignore'
      - 'LICENSE'
      - 'README.md'
  pull_request:
    branches: [ "main" ]
    paths-ignore:
      - '.editorconfig'
      - '.gitignore'
      - 'LICENSE'
      - 'README.md'
  workflow_dispatch:
 jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.gh.outputs.version }}
      sha: ${{ steps.gh.outputs.sha }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: 'openwrt'
      - name: GH
        id: gh
        env:
          REPO: ${{ github.repository }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        run: |
          echo "version=$(cat youtubeUnblock/Makefile | grep PKG_VERSION | sed 's/PKG_VERSION:=//')" >> $GITHUB_OUTPUT
          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
            echo "sha=$(echo ${GITHUB_SHA::7})" >> $GITHUB_OUTPUT
          else
            echo "sha=$(gh api repos/$REPO/commits/main --jq '.sha[:7]')" >> $GITHUB_OUTPUT
          fi
  build-static:
    needs: prepare
    name: build-static ${{ matrix.arch }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [x86_64]
        branch: [latest-stable]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build 
        id: build
        env:
          ARCH: ${{ matrix.arch }}
          VERSION: ${{ needs.prepare.outputs.version }}
          SHA: ${{ needs.prepare.outputs.sha }}
        shell: bash
        run: |
          make -j$(nproc)
          strip -s build/youtubeUnblock
          cp -va build/youtubeUnblock .
          tar -czvf static-youtubeUnblock-$VERSION-$SHA-$PLATFORM.tar.gz youtubeUnblock youtubeUnblock.service README.md
      - name: Upload artifacts
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
          name: static-youtubeUnblock-${{ matrix.arch }}
          path: ./**/static-youtubeUnblock*.tar.gz
  build-kmod:
    needs: prepare
    name: build-kmod ${{ matrix.kernel_version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - kernel_version: "6.6.52"
            source: "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.6.52.tar.xz"
            container_version: "24.04"
          - kernel_version: "5.15.167"
            source: "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.167.tar.xz"
            container_version: "24.04"
          - kernel_version: "5.4.284"
            source: "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.284.tar.xz"
            container_version: "24.04"
          - kernel_version: "4.19.322"
            source: "https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.19.322.tar.xz"
            container_version: "24.04"
          - kernel_version: "4.4.302"
            source: "https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.4.302.tar.xz"
            container_version: "24.04"
          - kernel_version: "3.10.108"
            source: "https://cdn.kernel.org/pub/linux/kernel/v3.x/linux-3.10.108.tar.xz"
            container_version: "16.04"
          - kernel_version: "3.0.101"
            source: "https://cdn.kernel.org/pub/linux/kernel/v3.x/linux-3.0.101.tar.xz"
            container_version: "14.04"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Restore builder from cache
        id: cache-restore
        uses: actions/cache/restore@v4
        with:
          path: ~/builder.tar
          key: builder-${{ matrix.kernel_version }}
      - name: Load builder from cache
        if: steps.cache-restore.outputs.cache-hit == 'true'
        run: |
          docker import - builder < ~/builder.tar
      - name: Prepare build env
        if: steps.cache-restore.outputs.cache-hit != 'true'
        run: |
          mkdir ~/linux
          pwd
          ls /
          ls ~
      - name: Obtain kernel
        if: steps.cache-restore.outputs.cache-hit != 'true'
        run: |
          cd ~/linux
          wget ${{ matrix.source }} -O kernel.tar.xz -q
          tar -xf kernel.tar.xz
          rm -f kernel.tar.xz
          /bin/bash -c "mv linux-* linux"
          ls
          ls linux
      - name: Install docker
        if: steps.cache-restore.outputs.cache-hit != 'true'
        run: |
          cd ~/linux
          docker pull ubuntu:${{ matrix.container_version }}
          docker container create --name ubu_builder -w / ubuntu:${{ matrix.container_version }} tail -f /dev/null
          docker container start ubu_builder
          docker container exec ubu_builder bash -c "apt update && apt install -y build-essential flex bc bison libelf-dev elfutils libssl-dev"
          docker cp ./linux ubu_builder:/linux
      - name: Build kernel
        if: steps.cache-restore.outputs.cache-hit != 'true'
        run: |
          cd ~/linux
          docker container exec -w /linux ubu_builder bash -c 'make defconfig'
          docker container exec -w /linux ubu_builder bash -c 'make -j $(nproc)'
      - name: Export container
        if: steps.cache-restore.outputs.cache-hit != 'true'
        run: |
          cd ~/linux
          docker container kill ubu_builder
          docker container export ubu_builder > ubu_builder.tar
          docker container rm ubu_builder
          mv ./ubu_builder.tar ~/builder.tar
          docker import - builder < ~/builder.tar
      - name: Save kernel image to cache
        if: steps.cache-restore.outputs.cache-hit != 'true'
        id: cache-save
        uses: actions/cache/save@v4
        with:
          path: ~/builder.tar
          key: builder-${{ matrix.kernel_version }}
      - name: Build kernel module
        id: build
        env:
          VERSION: ${{ needs.prepare.outputs.version }}
          SHA: ${{ needs.prepare.outputs.sha }}
        shell: bash
        run: |
          docker run --rm -v ./:/youtubeUnblock -w /youtubeUnblock builder make kmake KERNEL_BUILDER_MAKEDIR:=/linux
          tar -czvf kmod-youtubeUnblock-$VERSION-$SHA-linux-${{ matrix.kernel_version }}.tar.gz kyoutubeUnblock.ko
      - name: Upload artifacts
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@v4
        with:
          name: kmod-youtubeUnblock-linux-${{ matrix.kernel_version }}
          path: ./**/kmod-youtubeUnblock*.tar.gz
--- a/6
+++ b/6
@@ -1,3 +1,3 @@
-obj-m := ipt_YTUNBLOCK.o
+obj-m := kyoutubeUnblock.o
-ipt_YTUNBLOCK-objs := iptk_YTUNBLOCK.o mangle.o
+kyoutubeUnblock-objs := kytunblock.o mangle.o quic.o utils.o kargs.o tls.o
-ccflags-y := -std=gnu11 -Wno-unused-variable -DKERNEL_SPACE -DDEBUG
+ccflags-y := -std=gnu99 -DKERNEL_SPACE -Wno-error -Wno-declaration-after-statement
--- a/README.md
+++ b/README.md
@@ -12,12 +12,15 @@
  - [Troubleshooting](#troubleshooting)
    - [TV](#tv)
    - [Troubleshooting EPERMS (Operation not permitted)](#troubleshooting-eperms-operation-not-permitted)
  - [How it works:](#how-it-works)
  - [How it processes packets](#how-it-processes-packets)
  - [Compilation](#compilation)
  - [OpenWRT case](#openwrt-case)
    - [Building OpenWRT .ipk package](#building-openwrt-ipk-package)
    - [Building with toolchain](#building-with-toolchain)
  - [Kernel module](#kernel-module)
    - [Building kernel module](#building-kernel-module)
      - [Building on host system](#building-on-host-system)
      - [Building on any kernel](#building-on-any-kernel)
      - [Building with openwrt SDK](#building-with-openwrt-sdk)
 # youtubeUnblock
@@ -26,7 +29,22 @@ Bypasses Deep Packet Inspection (DPI) systems that relies on SNI. The package is
 The program was primarily developed to bypass YouTube Outage in Russia.
-The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via Github Actions. The binaries of main branch are published in the [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous). Check out [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml) if you want to see all the binaries compiled ever. You should know the arcitecture of your hardware to use binaries. On OpenWRT you can check it with command `grep ARCH /etc/openwrt_release`.
+```
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 ```
 The program is distributed in two version:
 - A userspace application works on top of nfnetlink queue which requires nfnetlink modules in the kernel and firewall rules. This approach is default and normally should be used but it has some limitations on embedded devices which may have no nfnetlink support. Also this solution may break down the internet speed and CPU load on your device because of jumps between userspace and kernelspace for each packet (this behavior may be fixed with connbytes but it also requires conntrack kernel module).
 - A kernel module which integrates deeply within the netfilter stack and does not interact with the userspace firewall. The module requires only netfilter kernel support but it definetly present on every device connected to the Internet. The only difficulity is how to build it. I cannot provide modules within Github Actions for each single one kernel, even if we talk only about OpenWRT versions. If you want to learn more about the module, jump on [its section in the README](#kernel-module). Whats the benefits of the kernel module? The benefits come for some specific cases: the kernel module is the fastest thing that allows us to process every single packet sent to the linux network stack, while the normal youtubeUnblock requires connbytes to keep the internet speed. Speaking about connbytes, it also requires conntrack to operate, which may be a limitation on some transit-traffic machines. Also userspace youtubeUnblock requires modules for netlink queue, userspace firewall application and modules for it. The kernel module is much simpler and requires only the linux kernel with netfilter built in.
 The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via Github Actions. The binaries are also available via [github releases](https://github.com/Waujito/youtubeUnblock/releases). Use the latest pre-release for the most up to date build. Check out [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml) if you want to see all the binaries compiled ever. You should know the arcitecture of your hardware to use binaries. On OpenWRT you can check it with command `grep ARCH /etc/openwrt_release`.
 On both OpenWRT and Entware install the program with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o <destdir>`.
@@ -36,9 +54,9 @@ For Windows use [GoodbyeDPI by ValdikSS](https://github.com/ValdikSS/GoodbyeDPI)
 ### OpenWRT pre configuration
-When you got the release package, you should install it. Go to your router interface and put it in via *System-Software-install_package* menu. Go to *System-Startup* menu, restart firewall and start **youtubeUnblock**. 
+When you got the release package, you should install it. Go to your router interface, to *System->Software*, do *Update lists* and install youtubeUnblock via *install_package* button. Then, you should go to *System-Startup* menu and reload the firewall (You may also do it within *Services->youtubeUnblock* menu). 
-To make it work you should register an iptables rule and install required kernel modules. The list of modules depends on the version of OpenWRT and which firewall do you use (iptables or nftables). 
+To make it work you should register an iptables rule and install required kernel modules. The list of modules depends on the version of OpenWRT and which firewall do you use (iptables or nftables). For most modern versions of OpenWRT (v23.x, v22.x) you should use nftables rules, for older ones it depends, but typically iptables.
 The common dependency is
 ```text
@@ -65,12 +83,25 @@ Next step is to add required firewall rules.
 For nftables on OpenWRT rules comes out-of-the-box and stored under `/usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft`. All you need is install requirements and do `/etc/init.d/firewall reload`. If no, go to [Firewall configuration](#firewall-configuration).
-Now we are ready to demonize the application.
+Now we go to the configuration. For OpenWRT here is configuration via [UCI](https://openwrt.org/docs/guide-user/base-system/uci) and [LuCI](https://openwrt.org/docs/guide-user/luci/start) available (CLI and GUI respectively).
-If you installed package from Github Actions or built it yourself with OpenWRT SDK, rc scripts are preinstalled. All you need is to do `/etc/init.d/youtubeUnblock start`.
+For **LuCI** aka **GUI** aka **web-interface of router** you should install **luci-app-youtubeUnblock** package like you did it with the normal youtubeUnblock package. Note, that lists of official opkg feeds should be loaded (**Do it with Update lists option**).
 Elsewhere copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock` and put the program's binary into /usr/bin/. (Don't forget to `chmod +x` both). Now run `/etc/init.d/youtubeUnblock start`. 
-You can also run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart on boot, but I don't recommend this since if the package has bugs you may lose access to the router (I think you will be able to reset it with reset settings tricks documented for your router). 
+LuCI configuration lives in **Services->youtubeUnblock** section. It is self descriptive, with description for each flag. Note, that after you push `Save & Apply` button, the configuration is applied automatically and the service is restarted.
 UCI configuration is available in /etc/config/youtubeUnblock file, in section `youtubeUnblock.youtubeUnblock`. The configuration is done with [flags](#flags). Note, that names of flags are not the same: you should replace `-` with `_`, you shouldn't use leading `--` for flag. Also you will enable toggle flags (without parameters) with `1`. 
 For example, to enable trace logs you should do
 ```sh
 uci set youtubeUnblock.youtubeUnblock.trace=1
 ```
 You can check the logs in CLI mode with `logread -l 200 | grep youtubeUnblock` command. 
 For uci, to save the configs you should do `uci commit` and then `reload_config` to restart the youtubeUnblock
 In CLI mode you will use youtubeUnblock as a normal init.d service:
 for example, you can enable it with `/etc/init.d/youtubeUnblock enable`.
 ### Entware
@@ -89,15 +120,19 @@ Copy `youtubeUnblock.service` to `/usr/lib/systemd/system` (you should change th
 On nftables you should put next nftables rules:
 ```sh
-nft add rule inet fw4 mangle_forward tcp dport 443 ct original "packets < 20" counter queue num 537 bypass
+nft add chain inet fw4 youtubeUnblock '{ type filter hook postrouting priority mangle - 1; policy accept; }'
-nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept
+nft add rule inet fw4 youtubeUnblock 'meta l4proto { tcp, udp } th dport 443 ct original packets < 20 counter queue num 537 bypass'
 nft insert rule inet fw4 output 'mark and 0x8000 == 0x8000 counter accept'
 ```
 #### Iptables rules
 On iptables you should put next iptables rules:
 ```sh
-iptables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
+iptables -t mangle -N YOUTUBEUNBLOCK
 iptables -t mangle -A YOUTUBEUNBLOCK -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
 iptables -t mangle -A YOUTUBEUNBLOCK -p udp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
 iptables -t mangle -A POSTROUTING -j YOUTUBEUNBLOCK
 iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
 ```
@@ -105,12 +140,13 @@ iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
 For IPv6 on iptables you need to duplicate rules above for ip6tables:
 ```sh
-ip6tables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
+ip6tables -t mangle -N YOUTUBEUNBLOCK
 ip6tables -t mangle -A YOUTUBEUNBLOCK -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
 ip6tables -t mangle -A YOUTUBEUNBLOCK -p udp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
 ip6tables -t mangle -A POSTROUTING -j YOUTUBEUNBLOCK
 ip6tables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
 ```
 Note that above rules use *conntrack* to route only first 20 packets from the connection to **youtubeUnblock**. 
 If you got some troubles with it, for example **youtubeUnblock** doesn't detect YouTube, try to delete *connbytes* from the rules. But it is an unlikely behavior and you should probably check your ruleset.
@@ -137,7 +173,9 @@ Put flags to the **BINARY**, not an init script. If you are on OpenWRT you shoul
 Available flags:
- `--sni-domains=<comma separated domain list>|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults to `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled.
+- `--sni-domains=<comma separated domain list>|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults to `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled. You can exclude some domains with `--exclude-domains` flag.
 - `--exclude-domains=<comma separated domain list>` List of domains to be excluded from targetting.
 - `--queue-num=<number of netfilter queue>` The number of netfilter queue **youtubeUnblock** will be linked to. Defaults to **537**.
@@ -145,11 +183,15 @@ Available flags:
 - `--fake-sni-seq-len=<length>` This flag specifies **youtubeUnblock** to build a complicated construction of fake client hello packets. length determines how much fakes will be sent. Defaults to **1**.
- `--faking-strategy={randseq|ttl|tcp_check|pastseq}` This flag determines the strategy of fake packets invalidation. Defaults to `randseq`
+- `--fake-sni-type={default|custom|random}` This flag specifies which faking message type should be used for fake packets. For `random`, the message of random length and with random payload will be sent. For `default` the default payload (sni=www.google.com) is used. And for the `custom` option, the payload from `--fake-custom-payload` section utilized. Defaults to `default`.
 - `--fake-custom-payload=<payload>` Useful with `--fake-sni-type=custom`. You should specify the payload for fake message manually. Use hex format: `--fake-custom-payload=0001020304` mean that 5 bytes sequence: `0x00`, `0x01`, `0x02`, `0x03`, `0x04` used as fake.
 - `--faking-strategy={randseq|ttl|tcp_check|pastseq|md5sum}` This flag determines the strategy of fake packets invalidation. Defaults to `randseq`
  - `randseq` specifies that random sequence/acknowledgemend random will be set. This option may be handled by provider which uses *conntrack* with drop on invalid *conntrack* state firewall rule enabled. 
  - `ttl` specifies that packet will be invalidated after `--faking-ttl=n` hops. `ttl` is better but may cause issues if unconfigured. 
  - `pastseq` is like `randseq` but sequence number is not random but references the packet sent in the past (before current).
  - `tcp_check` will invalidate faking packet with invalid checksum. May be handled and dropped by some providers/TSPUs.
  - `md5sum` will invalidate faking packet with invalid TCP md5sum. md5sum is a TCP option which is handled by the destination server but may be skipped by TSPU.
 - `--faking-ttl=<ttl>` Tunes the time to live (TTL) of fake SNI messages. TTL is specified like that the packet will go through the DPI system and captured by it, but will not reach the destination server. Defaults to **8**.
@@ -189,8 +231,12 @@ Available flags:
 - `--packet-mark=<mark>` Use this option if youtubeUnblock conflicts with other systems rely on packet mark. Note that you may want to change accept rule for iptables to follow the mark.
 - `--fbegin` and `--fend` flags: youtubeUnblock supports multiple sets of strategies for specific filters. You may want to initiate a new set after the default one, like: `--sni-domains=googlevideo.com --faking-strategy=md5sum --fbegin --sni-domains=youtube.com --faking-strategy=tcp_check --fend --fbegin --sni-domains=l.google.com --faking-strategy=pastseq --fend`. Note, that the priority of these sets goes backwards: last is first, default (one that does not start with --fbegin) is last. If you start the new section, the default settings are implemented just like youtubeUnblock without any parameters. Note that the config above is just an example and won't work for you.
 ## Troubleshooting
 Check up [this issue](https://github.com/Waujito/youtubeUnblock/issues/148) for useful configs.
 If you got troubles with some sites and you sure that they are blocked by SNI (youtube for example), use may play around with [flags](#flags) and their combinations. At first it is recommended to try `--faking-strategy` flag and `--frag-sni-faked=1`.
 If you have troubles with some sites being proxied, you can play with flags values. For example, for someone `--faking-strategy=ttl` works. You should specify proper `--fake-sni-ttl=<ttl value>` where ttl is the amount of hops between you and DPI.
@@ -198,13 +244,13 @@ If you are on Chromium you may have to disable *kyber* (the feature that makes t
 If your browser is using QUIC it may not work properly. Disable it in Chrome in `chrome://flags` and in Firefox `network.http.http{2,3}.enable(d)` in `about:config` option.
 It seems like some TSPUs started to block wrongseq packets, so you should play around with faking strategies. I personally recommend to start with `md5sum` faking strategy.
 ### TV
 Televisions are the biggest headache. 
-In [this issue](https://github.com/Waujito/youtubeUnblock/issues/59) the problem has been resolved. 
+In [this issue](https://github.com/Waujito/youtubeUnblock/issues/59) the problem has been resolved. And now youtubeUnblock should work with default flags. If not, play around with faking strategies and other flags. Also you might be have to disable QUIC. To do it you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration:
 If you have troubles with televisions try `--faking-strategy=ttl` flag and play around with `--faking-ttl=n`. See [#flags](#flags) for more details. Also you might be have to disable QUIC. To do it you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration:
 For **nftables** do
 ```
@@ -229,28 +275,6 @@ Where you have to replace 192.168.. with ip of your television.
    * send fake sni EPERM: Fake SNI is out-of-state thing and will likely corrupt the connection (the behavior is expected). conntrack considers it as an invalid packet. By default OpenWRT set up to drop outgoing packets like this one. You may delete nftables/iptables rule that drops packets with invalid conntrack state, but I don't recommend to do this. The step 3 is better solution.
    * Step 3, ultimate solution. Use mark (don't confuse with connmark). The youtubeUnblock uses mark internally to avoid infinity packet loops (when the packet is sent by youtubeUnblock but on next step handled by itself). Currently it uses mark (1 << 15) = 32768. You should put iptables/nftables that ultimately accepts such marks at the very start of the filter OUTPUT chain: `iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT` or `nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept`.
 ## How it works:
 Let's look from the DPI systems side of view: All of they have an ip and tcp information, higher-level data is encrypted. So from the IP header only IP address might be helpful for them to limit user traffic. In TCP here is basically nothing. So they may handle IP addresses and process it. 
 What's wrong? Google servers are on the way: It is very hard to handle all that infrastructure. One server may host multiple websites and it is very bad if them blocks, for example, Google Search while trying to block YouTube (googlevideo). But even if YouTube servers have their own IP for only googlevideo purposes, here is a problem about how large is Google infrastracture and how much servers in it. The DPI systems can't even parse normally all the servers, because each video may live on its cache server [GGC](https://support.google.com/interconnect/answer/9058809?hl=en).
 So what's else? Let's take a look at a TLS level. All information here is encrypted. All... Except *ClientHello* messages! They are used to initialize handshake connections and hold tons of helpful information. If we talk about TLS version 1.3, it is optimized to transfer as less information as possible unencrypted. But here is only one thing that may point us which domain the user wants to connect, the SNI extension. It transfers all domain names unencrypted in plain text. Exactly what we need! And DPI systems may use this text to detect YouTube connections and slow down or reject them (In fact they are corrupting a TCP connection with bad packets).
 So we aim to somehow hide the SNI from them. How?
 - We can alter the SNI name in the tls packet to something else. But what's wrong with this? The server also uses SNI name for certificates (CN=). And if we change it, the server will return an invalid certificate which browser can't normally process, which may turn out to the MITM problem.
 - We can encrypt it. Here are a lot of investigations about SNI, but the server should support this technique. Also ISPs may block [encrypted SNI](https://en.wikipedia.org/wiki/Server_Name_Indication).
 - So what else can we do with the SNI info? If we can't hide it, let's rely on DPI systems weak spots. The DPI is an extremely high loaded infrastructure that analyzes every single packet sent to the Internet. And every performance-impacted feature should be avoided for them. One of this features is IP packet fragmentation. We can split the packet in the middle of SNI message and post it. For DPI fragmentation involves too much overhead: they should store a very big mapping table which maps IP id, Source ip and Destination ip. Also note that some packets may be lost and DPI should support auto-clean of that table. So just imagine how much memory and CPU time will this cost for DPI. But fragments are ok for clients and hosts. And that's the base idea behind this package. I have to mention here that the idea isn't mine, I get in here after some research for this side. Here already was a solution for Windows, GoodbyeDPI. I just made an alternative for Linux.
 You may read further in an [yt-dlp issue page](https://github.com/yt-dlp/yt-dlp/issues/10443) and in [ntc party forum](https://ntc.party/t/%D0%BE%D0%B1%D1%81%D1%83%D0%B6%D0%B4%D0%B5%D0%BD%D0%B8%D0%B5-%D0%B7%D0%B0%D0%BC%D0%B5%D0%B4%D0%BB%D0%B5%D0%BD%D0%B8%D0%B5-youtube-%D0%B2-%D1%80%D0%BE%D1%81%D1%81%D0%B8%D0%B8/8074).
 ## How it processes packets
 When the packet is joining the queue, the application checks SNI payload to be YouTube(googlevideo) (right how the DPI systems do), segmentate/fragmentates (both TCP and IP fragmentation techniques are supported) and posts the packet. Note that it is impossible to post two fragmented packets from one netfilter queue verdict. Instead, the application drops an original packet and makes another linux raw socket to post the packets in the network. To escape infinity loops the socket marks outgoing packets and the application automatically accepts it.
 ## Compilation
 Before compilation make sure `gcc`, `make`, `autoconf`, `automake`, `pkg-config` and `libtool` is installed. For Fedora `glibc-static` should be installed as well.
@@ -295,5 +319,66 @@ Take a look at `CROSS_COMPILE_PLATFORM` It is required by autotools but I think
 When compilation is done, the binary file will be in build directory. Copy it to your router. Note that a ssh access is likely to be required to proceed. *sshfs* don't work on my model so I injected the application to the router via *Software Upload Package* page. It has given me an error, but also a `/tmp/upload.ipk` file which I copied in root directory, `chmod +x` it and run.
 ## Kernel module
 This section describes the kernel module version of youtubeUnblock. The kernel module operates as a normal module inside the kernel and integrates within the netfilter stack to statelessly mangle the packets sent over the Internet.
 You can configure the module with its flags in insmod:
 ```
 insmod kyoutubeUnblock.ko fake_sni=1 exclude_domains=.ru quic_drop=1
 ```
 Note that the flags names are different from ones used for the regular youtubeUnblock(right like in UCI configuration for OpenWRT): replace `-` with `_` and no leading `--`. Also to configure togglers you should set them to `1` (`quic_drop=1`)
 Also a good thig to mention is verbosity. The kernel module combines --trace and --silent option to the one parameter `verbosity`. This parameter accepts 3 arguments: `trace`, `debug` and `silent`. I highly don't recommend to enable `trace` mod on router because it may cause huge problems with performance and even freeze your device. 
 Also a drop in replacement is supported for all the parameters excluding packet mark. A drop in replacement does not require module restart if you want to change the parameters. You can specify and check the parameters within module's directory inside the sysfs: `/sys/module/kyoutubeUnblock/parameters/`. For example, to set quic_drop to true you may use next command:
 ```sh
 echo 1 | sudo tee /sys/module/kyoutubeUnblock/parameters/quic_drop
 ```
 and 
 ```sh
 cat /sys/module/kyoutubeUnblock/parameters/quic_drop
 ```
 to check the parameter.
 ### Building kernel module
 #### Building on host system
 To build the kernel module on your host system you should install `linux-headers` which will provide build essential tools and `gcc` compiler suite. On host system you may build the module with 
 ```sh
 make kmake
 ```
 #### Building on any kernel
 To build the module for external kernel you should build that kernel locally and point make to it. Use `KERNEL_BUILDER_MAKEDIR=~/linux` flag for make, for example:
 ```
 make kmake KERNEL_BUILDER_MAKEDIR=~/linux
 ```
 Note, that the kernel should be already configured and built. See linux kernel building manuals for more information about your specific case.
 #### Building with openwrt SDK
 Building with openwrt SDK is not such a hard thing. The only thing you should do is to obtain the sdk. You can find it by looking to your architecture and version of the openwrt currently used. You should use the exactly your version of openwrt since kernels there change often. You can find the sdk in two ways: by downloading it from their site or by using the openwrt sdk docker container (recommended).
 If you decide to download the tar archive, follow next steps:
 For me the archive lives in https://downloads.openwrt.org/releases/23.05.3/targets/ramips/mt76x8/ and called `openwrt-sdk-23.05.3-ramips-mt76x8_gcc-12.3.0_musl.Linux-x86_64`. You will need to [install sdk requirements on your system](https://openwrt.org/docs/guide-developer/toolchain/install-buildsystem) If you have any problems, use docker ubuntu:24.04 image. Make sure to be a non-root user since some makesystem fails with it. Next, untar the SDK and cd into it. 
 Or you can obtain the docker image with sdk built-in: [https://hub.docker.com/u/openwrt/sdk](https://hub.docker.com/u/openwrt/sdk). In my case the image has tag `ramips-mt76x8-23.05.3`. A good thing here is that you don't need to install any dependencies inside the docker container. Also docker hub has a perfect search around tags if you don't sure which one corresponds to your device.
 When you unpacked/installed the sdk, you is ready to start with building the kernel module.
 Do
 ```sh
 echo "src-git youtubeUnblock https://github.com/Waujito/youtubeUnblock.git;openwrt" >> feeds.conf
 ./scripts/feeds update youtubeUnblock
 ./scripts/feeds install -a -p youtubeUnblock
 make defconfig
 make package/kyoutubeUnblock/compile V=s
 ```
 When the commands finish, the module is ready. Find it with `find bin -name "kmod-youtubeUnblock*.ipk"`, copy to your host and install to the router via gui software interface. The module should start immediately. If not, do `modprobe kyoutubeUnblock`.
 >If you have any questions/suggestions/problems feel free to open an [issue](https://github.com/Waujito/youtubeUnblock/issues).
--- a/args.c
+++ b/args.c
@@ -1,5 +1,4 @@
 #include "config.h"
 #include "raw_replacements.h"
 #include <stdbool.h>
 #include <errno.h>
 #include <stdio.h>
@@ -7,58 +6,34 @@
 #include <getopt.h>
 #include <stdlib.h>
 #include <string.h>
 #include "types.h"
 #include "args.h"
 static char custom_fake_buf[MAX_FAKE_SIZE];
 struct config_t config = {
 	.threads = THREADS_NUM,
 	.frag_sni_reverse = 1,
 	.frag_sni_faked = 0,
 	.fragmentation_strategy = FRAGMENTATION_STRATEGY,
 	.faking_strategy = FAKING_STRATEGY,
 	.faking_ttl = FAKE_TTL,
 	.fake_sni = 1,
 	.fake_sni_seq_len = 1,
 	.frag_middle_sni = 1,
 	.frag_sni_pos = 1,
 	.use_ipv6 = 1,
 	.fakeseq_offset = 10000,
 	.mark = DEFAULT_RAWSOCKET_MARK,
 	.synfake = 0,
 	.synfake_len = 0,
 	.sni_detection = SNI_DETECTION_PARSE,
 #ifdef SEG2_DELAY
 	.seg2_delay = SEG2_DELAY,
 #else
 	.seg2_delay = 0,
 #endif
 #ifdef USE_GSO
 	.use_gso = true,
 #else
 	.use_gso = false,
 #endif
 #ifdef DEBUG
 	.verbose = 1,
 #else
 	.verbose = 0,
 #endif
 	.domains_str = defaul_snistr,
 	.domains_strlen = sizeof(defaul_snistr),
 	.queue_start_num = DEFAULT_QUEUE_NUM,
-	.fake_sni_pkt = fake_sni_old,
+	.mark = DEFAULT_RAWSOCKET_MARK,
-	.fake_sni_pkt_sz = sizeof(fake_sni_old) - 1, // - 1 for null-terminator
+	.use_ipv6 = 1,
 	.verbose = VERBOSE_DEBUG,
 	.use_gso = true,
 	.default_config = default_section_config,
 	.custom_configs_len = 0
 };
 #define OPT_SNI_DOMAINS		1
 #define OPT_EXCLUDE_DOMAINS	25
 #define OPT_FAKE_SNI 		2
 #define OPT_FAKING_TTL		3
 #define OPT_FAKING_STRATEGY	10
 #define OPT_FAKE_SNI_SEQ_LEN	11
 #define OPT_FAKE_SNI_TYPE	27
 #define OPT_FAKE_CUSTOM_PAYLOAD	28
 #define OPT_START_SECTION	29
 #define OPT_END_SECTION		30
 #define OPT_FRAG    		4
 #define OPT_FRAG_SNI_REVERSE	12
 #define OPT_FRAG_SNI_FAKED	13
@@ -79,16 +54,19 @@ struct config_t config = {
 #define OPT_NO_GSO 		8
 #define OPT_QUEUE_NUM		9
-#define OPT_MAX OPT_SYNFAKE_LEN
+#define OPT_MAX OPT_END_SECTION
 static struct option long_opt[] = {
 	{"help",		0, 0, 'h'},
 	{"version",		0, 0, 'v'},
 	{"sni-domains",		1, 0, OPT_SNI_DOMAINS},
 	{"exclude-domains",	1, 0, OPT_EXCLUDE_DOMAINS},
 	{"fake-sni",		1, 0, OPT_FAKE_SNI},
 	{"synfake",		1, 0, OPT_SYNFAKE},
 	{"synfake-len",		1, 0, OPT_SYNFAKE_LEN},
 	{"fake-sni-seq-len",	1, 0, OPT_FAKE_SNI_SEQ_LEN},
 	{"fake-sni-type",	1, 0, OPT_FAKE_SNI_TYPE},
 	{"fake-custom-payload", 1, 0, OPT_FAKE_CUSTOM_PAYLOAD},
 	{"faking-strategy",	1, 0, OPT_FAKING_STRATEGY},
 	{"fake-seq-offset",	1, 0, OPT_FAKE_SEQ_OFFSET},
 	{"faking-ttl",		1, 0, OPT_FAKING_TTL},
@@ -108,6 +86,8 @@ static struct option long_opt[] = {
 	{"no-ipv6",		0, 0, OPT_NO_IPV6},
 	{"queue-num",		1, 0, OPT_QUEUE_NUM},
 	{"packet-mark",		1, 0, OPT_PACKET_MARK},
 	{"fbegin",		0, 0, OPT_START_SECTION},
 	{"fend",		0, 0, OPT_END_SECTION},
 	{0,0,0,0}
 };
@@ -142,11 +122,14 @@ void print_usage(const char *argv0) {
 	printf("Options:\n");
 	printf("\t--queue-num=<number of netfilter queue>\n");
 	printf("\t--sni-domains=<comma separated domain list>|all\n");
 	printf("\t--exclude-domains=<comma separated domain list>\n");
 	printf("\t--fake-sni={1|0}\n");
 	printf("\t--fake-sni-seq-len=<length>\n");
 	printf("\t--fake-sni-type={default|random|custom}\n");
 	printf("\t--fake-custom-payload=<hex payload>\n");
 	printf("\t--fake-seq-offset=<offset>\n");
 	printf("\t--faking-ttl=<ttl>\n");
-	printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq}\n");
+	printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq|md5sum}\n");
 	printf("\t--synfake={1|0}\n");
 	printf("\t--synfake-len=<len>\n");
 	printf("\t--frag={tcp,ip,none}\n");
@@ -164,16 +147,27 @@ void print_usage(const char *argv0) {
 	printf("\t--trace\n");
 	printf("\t--no-gso\n");
 	printf("\t--no-ipv6\n");
 	printf("\t--fbegin\n");
 	printf("\t--fend\n");
 	printf("\n");
 }
 int parse_args(int argc, char *argv[]) {
  	int opt;
-	int optIdx;
+	int optIdx = 0;
 	long num;
 	struct section_config_t *sect_config = &config.default_config;
 #define SECT_ITER_DEFAULT	1
 #define SECT_ITER_INSIDE	2
 #define SECT_ITER_OUTSIDE	3
 	int section_iter = SECT_ITER_DEFAULT;
 	while ((opt = getopt_long(argc, argv, "hv", long_opt, &optIdx)) != -1) {
 		switch (opt) {
 /* config_t scoped configs */
 		case 'h':
 			print_usage(argv[0]);
 			goto stop_exec;
@@ -181,45 +175,98 @@ int parse_args(int argc, char *argv[]) {
 			print_version();
 			goto stop_exec;
 		case OPT_TRACE:
 			if (section_iter != SECT_ITER_DEFAULT)
 				goto invalid_opt;
 			config.verbose = 2;
 			break;
 		case OPT_SILENT:
 			if (section_iter != SECT_ITER_DEFAULT)
 				goto invalid_opt;
 			config.verbose = 0;
 			break;
 		case OPT_NO_GSO:
 			if (section_iter != SECT_ITER_DEFAULT)
 				goto invalid_opt;
 			config.use_gso = 0;
 			break;
 		case OPT_NO_IPV6:
 			if (section_iter != SECT_ITER_DEFAULT)
 				goto invalid_opt;
 			config.use_ipv6 = 0;
 			break;
-		case OPT_QUIC_DROP:
+		case OPT_THREADS:
-			config.quic_drop = 1;
+			if (section_iter != SECT_ITER_DEFAULT)
-			break;
+				goto invalid_opt;
 		case OPT_SNI_DOMAINS:
 			if (!strcmp(optarg, "all")) {
 				config.all_domains = 1;
 			}
-			config.domains_str = optarg;
+			num = parse_numeric_option(optarg);
-			config.domains_strlen = strlen(config.domains_str);
+			if (errno != 0 || num < 0 || num > MAX_THREADS) {
 			break;
 		case OPT_SNI_DETECTION:
 			if (strcmp(optarg, "parse") == 0) {
 				config.sni_detection = SNI_DETECTION_PARSE;
 			} else if (strcmp(optarg, "brute") == 0) {
 				config.sni_detection = SNI_DETECTION_BRUTE;
 			} else {
 				goto invalid_opt;
 			}
 			config.threads = num;
 			break;
 		case OPT_QUEUE_NUM:
 			if (section_iter != SECT_ITER_DEFAULT)
 				goto invalid_opt;
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
 				goto invalid_opt;
 			}
 			config.queue_start_num = num;
 			break;
 		case OPT_PACKET_MARK:
 			if (section_iter != SECT_ITER_DEFAULT)
 				goto invalid_opt;
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
 				goto invalid_opt;
 			}
 			config.mark = num;
 			break;
 		case OPT_START_SECTION:
 			if (section_iter != SECT_ITER_DEFAULT && section_iter != SECT_ITER_OUTSIDE)
 				goto invalid_opt;
 			sect_config = &config.custom_configs[config.custom_configs_len++];
 			*sect_config = (struct section_config_t)default_section_config;
 			section_iter = SECT_ITER_INSIDE;
 			break;
 		case OPT_END_SECTION:
 			if (section_iter != SECT_ITER_INSIDE)
 				goto invalid_opt;
 			section_iter = SECT_ITER_OUTSIDE;
 			sect_config = &config.default_config;
 			break;
 /* section_config_t scoped configs */
 		case OPT_SNI_DOMAINS:
 			if (!strcmp(optarg, "all")) {
 				sect_config->all_domains = 1;
 			}
 			sect_config->domains_str = optarg;
 			sect_config->domains_strlen = strlen(sect_config->domains_str);
 			break;
 		case OPT_EXCLUDE_DOMAINS:
 			sect_config->exclude_domains_str = optarg;
 			sect_config->exclude_domains_strlen = strlen(sect_config->exclude_domains_str);
 			break;
 		case OPT_FRAG:
 			if (strcmp(optarg, "tcp") == 0) {
-				config.fragmentation_strategy = FRAG_STRAT_TCP;
+				sect_config->fragmentation_strategy = FRAG_STRAT_TCP;
 			} else if (strcmp(optarg, "ip") == 0) {
-				config.fragmentation_strategy = FRAG_STRAT_IP;
+				sect_config->fragmentation_strategy = FRAG_STRAT_IP;
 			} else if (strcmp(optarg, "none") == 0) {
-				config.fragmentation_strategy = FRAG_STRAT_NONE;
+				sect_config->fragmentation_strategy = FRAG_STRAT_NONE;
 			} else {
 				goto invalid_opt;
 			}
@@ -227,9 +274,9 @@ int parse_args(int argc, char *argv[]) {
 			break;
 		case OPT_FRAG_SNI_FAKED:
 			if (strcmp(optarg, "1") == 0) {
-				config.frag_sni_faked = 1;
+				sect_config->frag_sni_faked = 1;
 			} else if (strcmp(optarg, "0") == 0) {
-				config.frag_sni_faked = 0;
+				sect_config->frag_sni_faked = 0;
 			} else {
 				goto invalid_opt;
 			}
@@ -237,9 +284,9 @@ int parse_args(int argc, char *argv[]) {
 			break;
 		case OPT_FRAG_SNI_REVERSE:
 			if (strcmp(optarg, "1") == 0) {
-				config.frag_sni_reverse = 1;
+				sect_config->frag_sni_reverse = 1;
 			} else if (strcmp(optarg, "0") == 0) {
-				config.frag_sni_reverse = 0;
+				sect_config->frag_sni_reverse = 0;
 			} else {
 				goto invalid_opt;
 			}
@@ -247,9 +294,9 @@ int parse_args(int argc, char *argv[]) {
 			break;
 		case OPT_FRAG_MIDDLE_SNI:
 			if (strcmp(optarg, "1") == 0) {
-				config.frag_middle_sni = 1;
+				sect_config->frag_middle_sni = 1;
 			} else if (strcmp(optarg, "0") == 0) {
-				config.frag_middle_sni = 0;
+				sect_config->frag_middle_sni = 0;
 			} else {
 				goto invalid_opt;
 			}
@@ -261,17 +308,19 @@ int parse_args(int argc, char *argv[]) {
 				goto invalid_opt;
 			}
-			config.frag_sni_pos = num;
+			sect_config->frag_sni_pos = num;
 			break;
 		case OPT_FAKING_STRATEGY:
 			if (strcmp(optarg, "randseq") == 0) {
-				config.faking_strategy = FAKE_STRAT_RAND_SEQ;
+				sect_config->faking_strategy = FAKE_STRAT_RAND_SEQ;
 			} else if (strcmp(optarg, "ttl") == 0) {
-				config.faking_strategy = FAKE_STRAT_TTL;
+				sect_config->faking_strategy = FAKE_STRAT_TTL;
 			} else if (strcmp(optarg, "tcp_check") == 0) {
-				config.faking_strategy = FAKE_STRAT_TCP_CHECK;
+				sect_config->faking_strategy = FAKE_STRAT_TCP_CHECK;
 			} else if (strcmp(optarg, "pastseq") == 0) {
-				config.faking_strategy = FAKE_STRAT_PAST_SEQ;
+				sect_config->faking_strategy = FAKE_STRAT_PAST_SEQ;
 			} else if (strcmp(optarg, "md5sum") == 0) {
 				sect_config->faking_strategy = FAKE_STRAT_TCP_MD5SUM;
 			} else {
 				goto invalid_opt;
 			}
@@ -283,21 +332,21 @@ int parse_args(int argc, char *argv[]) {
 				goto invalid_opt;
 			}
-			config.faking_ttl = num;
+			sect_config->faking_ttl = num;
 			break;
 		case OPT_FAKE_SEQ_OFFSET:
 			num = parse_numeric_option(optarg);
-			if (errno != 0 || num < 0) {
+			if (errno != 0) {
 				goto invalid_opt;
 			}
-			config.fakeseq_offset = num;
+			sect_config->fakeseq_offset = num;
 			break;
 		case OPT_FAKE_SNI:
 			if (strcmp(optarg, "1") == 0) {
-				config.fake_sni = 1;				
+				sect_config->fake_sni = 1;				
 			} else if (strcmp(optarg, "0") == 0) {
-				config.fake_sni = 0;
+				sect_config->fake_sni = 0;
 			} else {
 				goto invalid_opt;
 			}
@@ -309,7 +358,44 @@ int parse_args(int argc, char *argv[]) {
 				goto invalid_opt;
 			}
-			config.fake_sni_seq_len = num;
+			sect_config->fake_sni_seq_len = num;
 			break;
 		case OPT_FAKE_SNI_TYPE:
 			if (strcmp(optarg, "default") == 0) {
 				sect_config->fake_sni_type = FAKE_PAYLOAD_DEFAULT;
 			} else if (strcmp(optarg, "random") == 0) {
 				sect_config->fake_sni_type = FAKE_PAYLOAD_RANDOM;
 			} else if (strcmp(optarg, "custom") == 0) {
 				sect_config->fake_sni_type = FAKE_PAYLOAD_CUSTOM;
 			} else {
 				goto invalid_opt;
 			}
 			break;
 		case OPT_FAKE_CUSTOM_PAYLOAD: {
 				uint8_t *const custom_buf = (uint8_t *)custom_fake_buf;
 				const char *custom_hex_fake = optarg;
 				size_t custom_hlen = strlen(custom_hex_fake);
 				if ((custom_hlen & 1) == 1) {
 					printf("Custom fake hex should be divisible by two\n");
 					goto invalid_opt;
 				}
 				size_t custom_len = custom_hlen >> 1;
 				if (custom_len > MAX_FAKE_SIZE) {
 					printf("Custom fake is too large\n");
 					goto invalid_opt;
 				}
 				for (int i = 0; i < custom_len; i++) {
 					sscanf(custom_hex_fake + (i << 1), "%2hhx", custom_buf + i);
 				}
 				sect_config->fake_custom_pkt_sz = custom_len;
 				sect_config->fake_custom_pkt = (char *)custom_buf;
 			}
 			break;
 		case OPT_FK_WINSIZE:
 			num = parse_numeric_option(optarg);
@@ -317,66 +403,37 @@ int parse_args(int argc, char *argv[]) {
 				goto invalid_opt;
 			}
-			config.fk_winsize = num;
+			sect_config->fk_winsize = num;
 			break;
 		case OPT_SYNFAKE:
 			if (strcmp(optarg, "1") == 0) {
 				config.synfake = 1;
 			} else if (strcmp(optarg, "0") == 0) {
 				config.synfake = 0;
 			} else {
 				goto invalid_opt;
 			}
 			break;
 		case OPT_SYNFAKE_LEN:
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
 				goto invalid_opt;
 			}
 			config.synfake_len = num;
 			break;
 		case OPT_SEG2DELAY:
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
 				goto invalid_opt;
 			}
-			config.seg2_delay = num;
+			sect_config->seg2_delay = num;
 			break;
-		case OPT_THREADS:
+		case OPT_QUIC_DROP:
-			num = parse_numeric_option(optarg);
+			sect_config->quic_drop = 1;
-			if (errno != 0 || num < 0 || num > MAX_THREADS) {
+			break;
 		case OPT_SNI_DETECTION:
 			if (strcmp(optarg, "parse") == 0) {
 				sect_config->sni_detection = SNI_DETECTION_PARSE;
 			} else if (strcmp(optarg, "brute") == 0) {
 				sect_config->sni_detection = SNI_DETECTION_BRUTE;
 			} else {
 				goto invalid_opt;
 			}
 			config.threads = num;
 			break;
 		case OPT_QUEUE_NUM:
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
 				goto invalid_opt;
 			}
 			config.queue_start_num = num;
 			break;
 		case OPT_PACKET_MARK:
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
 				goto invalid_opt;
 			}
 			config.mark = num;
 			break;
 		default:
 			goto error;
 		}
 	}
 // out:
 	errno = 0;
 	return 0;
 stop_exec:
@@ -392,65 +449,6 @@ error:
 }
 void print_welcome() {
 	switch (config.fragmentation_strategy) {
 		case FRAG_STRAT_TCP:
 			printf("Using TCP segmentation\n");
 			break;
 		case FRAG_STRAT_IP:
 			printf("Using IP fragmentation\n");
 			break;
 		default:
 			printf("SNI fragmentation is disabled\n");
 			break;
 	}
 	if (config.seg2_delay) {
 		printf("Some outgoing googlevideo request segments will be delayed for %d ms as of seg2_delay define\n", config.seg2_delay);
 	}
 	if (config.fake_sni) {
 		printf("Fake SNI will be sent before each target client hello\n");
 	} else {
 		printf("Fake SNI is disabled\n");
 	}
 	if (config.frag_sni_reverse) {
 		printf("Fragmentation Client Hello will be reversed\n");
 	}
 	if (config.frag_sni_faked) {
 		printf("Fooling packets will be sent near the original Client Hello\n");
 	}
 	if (config.fake_sni_seq_len > 1) {
 		printf("Faking sequence of length %d will be built as fake sni\n", config.fake_sni_seq_len);
 	}
 	switch (config.faking_strategy) {
 		case FAKE_STRAT_TTL:
 			printf("TTL faking strategy will be used with TTL %d\n", config.faking_ttl);
 			break;
 		case FAKE_STRAT_RAND_SEQ:
 			printf("Random seq faking strategy will be used\n");
 			printf("Fake seq offset set to %u\n", config.fakeseq_offset);
 			break;
 		case FAKE_STRAT_TCP_CHECK:
 			printf("TCP checksum faking strategy will be used\n");
 			break;
 		case FAKE_STRAT_PAST_SEQ:
 			printf("Past seq faking strategy will be used\n");
 			break;
 	}
 	if (config.fk_winsize) {
 		printf("Response TCP window will be set to %d with the appropriate scale\n", config.fk_winsize);
 	}
 	if (config.synfake) {
 		printf("Fake SYN payload will be sent with each TCP request SYN packet\n");
 	}
 	if (config.use_gso) {
 		printf("GSO is enabled\n");
 	}
@@ -460,17 +458,88 @@ void print_welcome() {
 	} else {
 		printf("IPv6 is disabled\n");
 	}
 	printf("Detected %d config sections\n", config.custom_configs_len + 1);
 	printf("The sections will be processed in ordred they goes in this output");
-	if (config.quic_drop) {
+	ITER_CONFIG_SECTIONS(section) {
-		printf("All QUIC packets will be dropped\n");
+		int section_number = CONFIG_SECTION_NUMBER(section);
 		printf("Section #%d\n", section_number);
 		switch (section->fragmentation_strategy) {
 			case FRAG_STRAT_TCP:
 				printf("Using TCP segmentation\n");
 				break;
 			case FRAG_STRAT_IP:
 				printf("Using IP fragmentation\n");
 				break;
 			default:
 				printf("SNI fragmentation is disabled\n");
 				break;
 		}
 		if (section->seg2_delay) {
 			printf("Some outgoing googlevideo request segments will be delayed for %d ms as of seg2_delay define\n", section->seg2_delay);
 		}
 		if (section->fake_sni) {
 			printf("Fake SNI will be sent before each target client hello\n");
 		} else {
 			printf("Fake SNI is disabled\n");
 		}
 		if (section->frag_sni_reverse) {
 			printf("Fragmentation Client Hello will be reversed\n");
 		}
 		if (section->frag_sni_faked) {
 			printf("Fooling packets will be sent near the original Client Hello\n");
 		}
 		if (section->fake_sni_seq_len > 1) {
 			printf("Faking sequence of length %d will be built as fake sni\n", section->fake_sni_seq_len);
 		}
 		switch (section->faking_strategy) {
 			case FAKE_STRAT_TTL:
 				printf("TTL faking strategy will be used with TTL %d\n", section->faking_ttl);
 				break;
 			case FAKE_STRAT_RAND_SEQ:
 				printf("Random seq faking strategy will be used\n");
 				printf("Fake seq offset set to %u\n", section->fakeseq_offset);
 				break;
 			case FAKE_STRAT_TCP_CHECK:
 				printf("TCP checksum faking strategy will be used\n");
 				break;
 			case FAKE_STRAT_PAST_SEQ:
 				printf("Past seq faking strategy will be used\n");
 				break;
 			case FAKE_STRAT_TCP_MD5SUM:
 				printf("md5sum faking strategy will be used\n");
 				break;
 		}
 		if (section->fk_winsize) {
 			printf("Response TCP window will be set to %d with the appropriate scale\n", section->fk_winsize);
 		}
 		if (section->synfake) {
 			printf("Fake SYN payload will be sent with each TCP request SYN packet\n");
 		}
 		if (section->quic_drop) {
 			printf("All QUIC packets will be dropped\n");
 		}
 		if (section->sni_detection == SNI_DETECTION_BRUTE) {
 			printf("Server Name Extension will be parsed in the bruteforce mode\n");
 		}
 		if (section->all_domains) {
 			printf("All Client Hello will be targetted by youtubeUnblock!\n");
 		} else {
 			printf("Target sni domains: %s\n", section->domains_str);
 		}
 	}
 	if (config.sni_detection == SNI_DETECTION_BRUTE) {
 		printf("Server Name Extension will be parsed in the bruteforce mode\n");
 	}
 	if (config.all_domains) {
 		printf("All Client Hello will be targetted by youtubeUnblock!\n");
 	}
 }
--- a/config.h
+++ b/config.h
@@ -1,12 +1,18 @@
 #ifndef YTB_CONFIG_H
 #define YTB_CONFIG_H
 #ifndef KERNEL_SPACE
 #define USER_SPACE
 #endif
 #include "raw_replacements.h"
 typedef int (*raw_send_t)(const unsigned char *data, unsigned int data_len);
 /**
 * Sends the packet after delay_ms. The function should schedule send and return immediately
 * (for example, open daemon thread)
 */
-typedef void (*delayed_send_t)(const unsigned char *data, unsigned int data_len, unsigned int delay_ms);
+typedef int (*delayed_send_t)(const unsigned char *data, unsigned int data_len, unsigned int delay_ms);
 struct instance_config_t {
 	raw_send_t send_raw_packet;
@@ -14,11 +20,10 @@ struct instance_config_t {
 };
 extern struct instance_config_t instance_config;
-struct config_t {
+struct section_config_t {
-	unsigned int queue_start_num;
+	const char *domains_str;
-	int threads;
+	unsigned int domains_strlen;
-	int use_gso;
+
 	int use_ipv6;
 	int fragmentation_strategy;
 	int frag_sni_reverse;
 	int frag_sni_faked;
@@ -28,30 +33,97 @@ struct config_t {
 	unsigned char faking_ttl;
 	int fake_sni;
 	unsigned int fake_sni_seq_len;
 #define FAKE_PAYLOAD_RANDOM	0
 #define FAKE_PAYLOAD_CUSTOM	1
 // In default mode all other options will be skipped.
 #define FAKE_PAYLOAD_DEFAULT	2
 	int fake_sni_type;
 	int quic_drop;
 	/* In milliseconds */
 	unsigned int seg2_delay;
 	int synfake;
 	unsigned int synfake_len;
 	const char *exclude_domains_str;
 	unsigned int exclude_domains_strlen;
 	unsigned int all_domains;
 	const char *fake_sni_pkt;
 	unsigned int fake_sni_pkt_sz;
 	const char *fake_custom_pkt;
 	unsigned int fake_custom_pkt_sz;
 	unsigned int fk_winsize;
 	int fakeseq_offset;
 #define SNI_DETECTION_PARSE 0
 #define SNI_DETECTION_BRUTE 1
 	int sni_detection;
 };
 #define MAX_CONFIGLIST_LEN 64
 struct config_t {
 	unsigned int queue_start_num;
 	int threads;
 	int use_gso;
 	int use_ipv6;
 	unsigned int mark;
 #define VERBOSE_INFO	0
 #define VERBOSE_DEBUG	1
 #define VERBOSE_TRACE	2
 	int verbose;
-	int quic_drop;
+
-#define SNI_DETECTION_PARSE 0
+	struct section_config_t default_config;
-#define SNI_DETECTION_BRUTE 1
+	struct section_config_t custom_configs[MAX_CONFIGLIST_LEN];
-	int sni_detection;
+	int custom_configs_len;
 	/* In milliseconds */
 	unsigned int seg2_delay;
 	const char *domains_str;
 	unsigned int domains_strlen;
 	unsigned int all_domains;
 	const char *fake_sni_pkt;
 	unsigned int fake_sni_pkt_sz;
 	unsigned int fk_winsize;
 	unsigned int fakeseq_offset;
 	unsigned int mark;
 	int synfake;
 	unsigned int synfake_len;
 };
 extern struct config_t config;
 #define ITER_CONFIG_SECTIONS(section) \
 for (struct section_config_t *section = &config.default_config + config.custom_configs_len; section >= &config.default_config; section--)
 #define CONFIG_SECTION_NUMBER(section) (int)((section) - &config.default_config)
 #define default_section_config {				\
 	.frag_sni_reverse = 1,                                  \
 	.frag_sni_faked = 0,                                    \
 	.fragmentation_strategy = FRAGMENTATION_STRATEGY,       \
 	.faking_strategy = FAKING_STRATEGY,                     \
 	.faking_ttl = FAKE_TTL,                                 \
 	.fake_sni = 1,                                          \
 	.fake_sni_seq_len = 1,                                  \
 	.fake_sni_type = FAKE_PAYLOAD_DEFAULT,                  \
 	.frag_middle_sni = 1,                                   \
 	.frag_sni_pos = 1,                                      \
 	.fakeseq_offset = 10000,                                \
 	.synfake = 0,                                           \
 	.synfake_len = 0,                                       \
 	.quic_drop = 0,                                         \
                                                                \
 	.seg2_delay = 0,                                        \
                                                                \
 	.domains_str = defaul_snistr,                           \
 	.domains_strlen = sizeof(defaul_snistr),                \
                                                                \
 	.exclude_domains_str = "",                              \
 	.exclude_domains_strlen = 0,                            \
                                                                \
 	.fake_sni_pkt = fake_sni_old,                           \
 	.fake_sni_pkt_sz = sizeof(fake_sni_old) - 1,		\
 	.fake_custom_pkt = custom_fake_buf,                     \
 	.fake_custom_pkt_sz = 0,                                \
 	.sni_detection = SNI_DETECTION_PARSE,                   \
 }
 #define MAX_THREADS 16
 #ifndef THREADS_NUM
@@ -83,18 +155,30 @@ extern struct config_t config;
 #define FAKE_TTL 8
 // Will invalidate fake packets by out-of-ack_seq out-of-seq request
-#define FAKE_STRAT_RAND_SEQ	1
+#define FAKE_STRAT_RAND_SEQ	(1 << 0)
 // Will assume that GGC server is located further than FAKE_TTL
 // Thus, Fake packet will be eliminated automatically.
-#define FAKE_STRAT_TTL		2
+#define FAKE_STRAT_TTL		(1 << 1)
-#define FAKE_STRAT_PAST_SEQ	3
+#define FAKE_STRAT_PAST_SEQ	(1 << 2)
-#define FAKE_STRAT_TCP_CHECK	4
+#define FAKE_STRAT_TCP_CHECK	(1 << 3)
 #define FAKE_STRAT_TCP_MD5SUM	(1 << 4)
 #define FAKE_STRAT_COUNT	5
 /**
 * This macros iterates through all faking strategies and executes code under it.
 * destination strategy will be available under name of `strategy` variable.
 */
 #define ITER_FAKE_STRAT(fake_bitmask, strategy) \
 for (int strategy = 1; strategy <= (1 << FAKE_STRAT_COUNT); strategy <<= 1) \
 if ((fake_bitmask) & strategy) 
 #ifndef FAKING_STRATEGY
 #define FAKING_STRATEGY FAKE_STRAT_PAST_SEQ
 #endif
 #define MAX_FAKE_SIZE 1300
 #if !defined(SILENT) && !defined(KERNEL_SPACE)
 #define DEBUG
 #endif
@@ -107,6 +191,8 @@ extern struct config_t config;
 #define MAX_PACKET_SIZE 8192
-static const char defaul_snistr[] = "googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com";
+#define DEFAULT_SNISTR "googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com"
 static const char defaul_snistr[] = DEFAULT_SNISTR;
 #endif /* YTB_CONFIG_H */
--- a/ipt_YTUNBLOCK.h
+++ b/ipt_YTUNBLOCK.h
@@ -1,6 +0,0 @@
 #ifndef IPT_YTUNBLOCK_H
 #define IPT_YTUNBLOCK_H
 struct xt_ytunblock_tginfo {};
 #endif /* IPT_YTUNBLOCK_H */
--- a/iptk_YTUNBLOCK.c
+++ b/iptk_YTUNBLOCK.c
@@ -1,341 +0,0 @@
 #define _GNU_SOURCE
 // Kernel module for youtubeUnblock.
 // Make with make kmake && sudo iptables -t mangle -D OUTPUT 1 && sudo make kreload && sudo iptables -t mangle -I OUTPUT -p tcp -j YTUNBLOCK
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/printk.h>
 #include <linux/mutex.h>
 #include <linux/socket.h>
 #include <linux/net.h>
 #include <linux/netfilter/x_tables.h>
 #include "ipt_YTUNBLOCK.h"
 #include "mangle.h"
 #include "config.h"
 #include "raw_replacements.h"
 MODULE_LICENSE("GPL");
 MODULE_VERSION("0.1");
 MODULE_AUTHOR("Vadim Vetrov <vetrovvd@gmail.com>");
 MODULE_DESCRIPTION("Linux kernel module for youtube unblock");
 static int rsfd;
 static struct socket *rawsocket;
 DEFINE_MUTEX(rslock);
 static int open_raw_socket(void) {
 	int ret = 0;
 	ret = sock_create(AF_INET, SOCK_RAW, IPPROTO_RAW, &rawsocket);
 	if (ret < 0) {
 		pr_alert("Unable to create raw socket\n");
 		goto err;
 	}
 	sockptr_t optval = {
 		.kernel = NULL,
 		.is_kernel = 1
 	};
 	int mark = RAWSOCKET_MARK;
 	optval.kernel = &mark;
 	ret = sock_setsockopt(rawsocket, SOL_SOCKET, SO_MARK, optval, sizeof(mark));
 	if (ret < 0)
 	{
 		pr_alert("setsockopt(SO_MARK, %d) failed\n", mark);
 		goto sr_err;
 	}
 	int one = 1;
 	optval.kernel = &one;
 	return 0;
 sr_err:
 	sock_release(rawsocket);
 err:
 	return ret;
 }
 static void close_raw_socket(void) {
 	sock_release(rawsocket);
 }
 #define AVAILABLE_MTU 1384
 static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 	if (pktlen > AVAILABLE_MTU) {
 		pr_warn("The packet is too big and may cause issues!");
 		__u32 buff1_size = pktlen;
 		__u32 buff2_size = pktlen;
 		__u8 *buff1 = kmalloc(pktlen, GFP_ATOMIC);
 		if (buff1 == NULL) return -1;
 		__u8 *buff2 = kmalloc(pktlen, GFP_ATOMIC);
 		if (buff2 == NULL) {
 			kfree(buff1);
 			return -1;
 		}
 		int ret;
 #if defined(USE_TCP_SEGMENTATION) || defined(RAWSOCK_TCP_FSTRAT)
 		if ((ret = tcp4_frag(pkt, pktlen, AVAILABLE_MTU-128, 
 			buff1, &buff1_size, buff2, &buff2_size)) < 0)
 			return ret;
 #elif defined(USE_IP_FRAGMENTATION) || defined(RAWSOCK_IP_FSTRAT)
 		if ((ret = ip4_frag(pkt, pktlen, AVAILABLE_MTU-128, 
 			buff1, &buff1_size, buff2, &buff2_size)) < 0)
 			return ret;
 #else
 		pr_warn("send_raw_socket: Packet is too big but fragmentation is disabled! "
 			"Pass -DRAWSOCK_TCP_FSTRAT or -DRAWSOCK_IP_FSTRAT as CFLAGS "
 			"To enable it only for raw socket\n");
 		return -EINVAL;
 #endif
 		int sent = 0;
 		ret = send_raw_socket(buff1, buff1_size);
 		if (ret >= 0) sent += ret;
 		else {
 			kfree(buff1);
 			kfree(buff2);
 			return ret;
 		}
 		kfree(buff1);
 		ret = send_raw_socket(buff2, buff2_size);
 		if (ret >= 0) sent += ret;
 		else {
 			kfree(buff2);
 			return ret;
 		}
 		kfree(buff2);
 		return sent;
 	}
 	struct iphdr *iph;
 	int ret;
 	if ((ret = ip4_payload_split(
 	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
 		return ret;
 	}
 	struct sockaddr_in daddr = {
 		.sin_family = AF_INET,
 		.sin_port = 0,
 		.sin_addr = {
 			.s_addr = iph->daddr
 		}
 	};
 	struct msghdr msg;
 	struct kvec iov;
 	iov.iov_base = (__u8 *)pkt;
 	iov.iov_len = pktlen;
 	iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, 1);
 	msg.msg_flags = 0;
 	msg.msg_name = &daddr;
 	msg.msg_namelen = sizeof(struct sockaddr_in);
 	msg.msg_control = NULL;
 	msg.msg_controllen = 0;
 	mutex_lock(&rslock);
 	ret = kernel_sendmsg(rawsocket, &msg, &iov, 1, pktlen);
 	mutex_unlock(&rslock);
 	return ret;
 }
 static unsigned int ykb_tg(struct sk_buff *skb, const struct xt_action_param *par) 
 {
 	if ((skb->mark & RAWSOCKET_MARK) == RAWSOCKET_MARK) 
 		return XT_CONTINUE;
 	if (skb->head == NULL) return XT_CONTINUE;
 	// TODO: Mallocs are bad!
 	uint32_t buflen = skb->len;
 	__u8 *buf = kmalloc(skb->len, GFP_ATOMIC);
 	if (buf == NULL) {
 		pr_err("Cannot alloc enough buffer space");
 		goto accept;
 	}
 	if (skb_copy_bits(skb, 0, buf, skb->len) < 0) {
 		pr_err("Unable copy bits\n");
 		goto ac_fkb;
 	}
 	struct iphdr *iph;
 	uint32_t iph_len;
 	struct tcphdr *tcph;
 	uint32_t tcph_len;
 	__u8 *payload;
 	uint32_t plen;
 	int ret = tcp4_payload_split(buf, buflen, &iph, &iph_len, 
 		    &tcph, &tcph_len, &payload, &plen);
 	if (ret < 0) 
 		goto ac_fkb;
 	struct verdict vrd = analyze_tls_data(payload, plen);
 	if (vrd.gvideo_hello) {
 		int ret;
 		pr_info("Googlevideo detected\n");
 		ip4_set_checksum(iph);
 		tcp4_set_checksum(tcph, iph);
 		uint32_t f1len = skb->len;
 		uint32_t f2len = skb->len;
 		__u8 *frag1 = kmalloc(f1len, GFP_ATOMIC);
 		if (!frag1) {
 			pr_err("Cannot alloc enough gv frag1 buffer space");
 			goto ac_fkb;
 		}
 		__u8 *frag2 = kmalloc(f2len, GFP_ATOMIC);
 		if (!frag2) {
 			pr_err("Cannot alloc enough gv frag1 buffer space");
 			kfree(frag1);
 			goto ac_fkb;
 		}
 #ifdef FAKE_SNI
 		uint32_t fksn_len = FAKE_SNI_MAXLEN;
 		__u8 *fksn_buf = kmalloc(fksn_len, GFP_ATOMIC);
 		if (!fksn_buf) {
 			pr_err("Cannot alloc enough gksn buffer space");
 			goto fallback;
 		}
 		ret = gen_fake_sni(iph, tcph, fksn_buf, &fksn_len);
 		if (ret < 0) {
 			pr_err("Cannot alloc enough gksn buffer space");
 			goto fksn_fb;
 		}
 #endif
 #if defined(USE_TCP_SEGMENTATION)
 		size_t ipd_offset = vrd.sni_offset;
 		size_t mid_offset = ipd_offset + vrd.sni_len / 2;
 		if ((ret = tcp4_frag(buf, skb->len, 
 			 mid_offset, frag1, &f1len, frag2, &f2len)) < 0) {
 			pr_err("tcp4_frag: %d", ret);
 			goto fksn_fb;
 		}
 #elif defined(USE_IP_FRAGMENTATION)
 		size_t ipd_offset = tcph_len + vrd.sni_offset;
 		size_t mid_offset = ipd_offset + vrd.sni_len / 2;
 		mid_offset += 8 - mid_offset % 8;
 		if ((ret = ip4_frag(buf, skb->len, 
 			 mid_offset, frag1, &f1len, frag2, &f2len)) < 0) {
 			pr_err("ip4_frag: %d", ret);
 			goto fksn_fb;
 		}
 #endif
 #ifdef FAKE_SNI
 		ret = send_raw_socket(fksn_buf, fksn_len);
 		if (ret < 0) {
 			pr_err("fksn_send: %d", ret);
 			goto fksn_fb;
 		}
 #endif
 #if defined(USE_NO_FRAGMENTATION)
 #ifdef SEG2_DELAY
 #error "SEG2_DELAY is incompatible with NO FRAGMENTATION"
 #endif
 		ret = send_raw_socket(buf, buflen);
 		if (ret < 0) {
 			pr_err("nofrag_send: %d", ret);
 		}
 		goto fksn_fb;
 #endif
 		ret = send_raw_socket(frag2, f2len);
 		if (ret < 0) {
 			pr_err("raw frag2 send: %d", ret);
 			goto fksn_fb;
 		}
 #ifdef SEG2_DELAY
 #error "Seg2 delay is unsupported yet for kmod"
 #else
 		ret = send_raw_socket(frag1, f1len);
 		if (ret < 0) {
 			pr_err("raw frag1 send: %d", ret);
 			goto fksn_fb;
 		}
 #endif
 fksn_fb:
 #ifdef FAKE_SNI
 		kfree(fksn_buf);
 #endif 
 fallback:
 #ifndef SEG2_DELAY
 		kfree(frag1);
 #endif
 		kfree(frag2);
 		kfree(buf);
 		kfree_skb(skb);
 		return NF_STOLEN;
 	}
 ac_fkb:
 	kfree(buf);
 accept:
 	return XT_CONTINUE;
 }
 static int ykb_chk(const struct xt_tgchk_param *par) {
 	return 0;
 }
 static struct xt_target ykb_tg_reg __read_mostly = {
 	.name		= "YTUNBLOCK",
 	.target		= ykb_tg,
 	.table		= "mangle",
 	.hooks		= (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD), 
 	.targetsize	= sizeof(struct xt_ytunblock_tginfo),
 	.proto		= IPPROTO_TCP,
 	.family		= NFPROTO_IPV4,
 	.checkentry	= ykb_chk,
 	.me		= THIS_MODULE,
 };
 static int __init ykb_init(void) {
 	int ret = 0;
 	ret = open_raw_socket();
 	if (ret < 0) goto err;
 	ret = xt_register_target(&ykb_tg_reg);
 	if (ret < 0) goto close_rawsocket;
 	pr_info("youtubeUnblock kernel module started.\n");
 	return 0;
 close_rawsocket:
 	close_raw_socket();
 err:
 	return ret;
 }
 static void __exit ykb_destroy(void) {
 	xt_unregister_target(&ykb_tg_reg);
 	close_raw_socket();
 	pr_info("youtubeUnblock kernel module destroyed.\n");
 }
 module_init(ykb_init);
 module_exit(ykb_destroy);
--- a/kargs.c
+++ b/kargs.c
@@ -0,0 +1,481 @@
 #include "config.h"
 #include "types.h"
 #include <linux/moduleparam.h>
 #include "types.h"
 #define STR_MAXLEN 2048
 static char custom_fake_buf[MAX_FAKE_SIZE];
 struct config_t config = {
 	.threads = THREADS_NUM,
 	.queue_start_num = DEFAULT_QUEUE_NUM,
 	.mark = DEFAULT_RAWSOCKET_MARK,
 	.use_ipv6 = 1,
 	.verbose = VERBOSE_DEBUG,
 	.use_gso = 1,
 	.default_config = default_section_config,
 	.custom_configs_len = 0
 };
 #define def_section (&config.default_config)
 static int unumeric_set(const char *val, const struct kernel_param *kp) {
 	int n = 0, ret;
 	ret = kstrtoint(val, 10, &n);
 	if (ret != 0 || n < 0)
 		return -EINVAL;
 	return param_set_int(val, kp);
 }
 static int boolean_set(const char *val, const struct kernel_param *kp) {
 	int n = 0, ret;
 	ret = kstrtoint(val, 10, &n);
 	if (ret != 0 || (n != 0 && n != 1))
 		return -EINVAL;
 	return param_set_int(val, kp);
 }
 static int inverse_boolean_set(const char *val, const struct kernel_param *kp) {
 	int n = 0, ret;
 	ret = kstrtoint(val, 10, &n);
 	if (ret != 0 || (n != 0 && n != 1))
 		return -EINVAL;
 	n = !n;
 	if (kp->arg == NULL) 
 		return -EINVAL;
 	*(int *)kp->arg = n;
 	return 0;
 }
 static int inverse_boolean_get(char *buffer, const struct kernel_param *kp) {
 	if (*(int *)kp->arg == 0) {
 		buffer[0] = '1';
 	} else {
 		buffer[0] = '0';
 	}
 	buffer[1] = '\0';
 	return strlen(buffer);
 }
 static const struct kernel_param_ops unumeric_parameter_ops = {
 	.set = unumeric_set,
 	.get = param_get_int
 };
 static const struct kernel_param_ops boolean_parameter_ops = {
 	.set = boolean_set,
 	.get = param_get_int
 };
 static const struct kernel_param_ops inverse_boolean_ops = {
 	.set = inverse_boolean_set,
 	.get = inverse_boolean_get,
 };
 module_param_cb(fake_sni, &boolean_parameter_ops, &def_section->fake_sni, 0664);
 module_param_cb(fake_sni_seq_len, &unumeric_parameter_ops, &def_section->fake_sni_seq_len, 0664);
 module_param_cb(faking_ttl, &unumeric_parameter_ops, &def_section->faking_ttl, 0664);
 module_param_cb(fake_seq_offset, &unumeric_parameter_ops, &def_section->fakeseq_offset, 0664);
 module_param_cb(frag_sni_reverse, &unumeric_parameter_ops, &def_section->frag_sni_reverse, 0664);
 module_param_cb(frag_sni_faked, &boolean_parameter_ops, &def_section->frag_sni_faked, 0664);
 module_param_cb(frag_middle_sni, &boolean_parameter_ops, &def_section->frag_middle_sni, 0664);
 module_param_cb(frag_sni_pos, &unumeric_parameter_ops, &def_section->frag_sni_pos, 0664);
 module_param_cb(fk_winsize, &unumeric_parameter_ops, &def_section->fk_winsize, 0664);
 module_param_cb(synfake, &boolean_parameter_ops, &def_section->synfake, 0664);
 module_param_cb(synfake_len, &unumeric_parameter_ops, &def_section->synfake_len, 0664);
 module_param_cb(packet_mark, &unumeric_parameter_ops, &config.mark, 0664);
 // module_param_cb(seg2delay, &unumeric_parameter_ops, &def_section->seg2_delay, 0664);
 static int sni_domains_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	int ret;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	ret = param_set_charp(val, kp);
 	if (ret < 0) {
 		def_section->domains_strlen = 0;
 	} else {
 		def_section->domains_strlen = len;
 		if (len == 3 && !strncmp(val, "all", len)) {
 			def_section->all_domains = 1;
 		} else {
 			def_section->all_domains = 0;
 		}
 	}
 	return ret;
 }
 static const struct kernel_param_ops sni_domains_ops = {
 	.set = sni_domains_set,
 	.get = param_get_charp,
 };
 module_param_cb(sni_domains, &sni_domains_ops, &def_section->domains_str, 0664);
 static int exclude_domains_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	int ret;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	ret = param_set_charp(val, kp);
 	if (ret < 0) {
 		def_section->exclude_domains_strlen = 0;
 	} else {
 		def_section->exclude_domains_strlen = len;
 	}
 	return ret;
 }
 static const struct kernel_param_ops exclude_domains_ops = {
 	.set = exclude_domains_set,
 	.get = param_get_charp,
 };
 module_param_cb(exclude_domains, &exclude_domains_ops, &def_section->exclude_domains_str, 0664);
 module_param_cb(no_ipv6, &inverse_boolean_ops, &config.use_ipv6, 0664);
 module_param_cb(quic_drop, &boolean_parameter_ops, &def_section->quic_drop, 0664);
 static int verbosity_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	if (strncmp(val, "trace", len) == 0) {
 		*(int *)kp->arg = VERBOSE_TRACE;
 	} else if (strncmp(val, "debug", len) == 0) {
 		*(int *)kp->arg = VERBOSE_DEBUG;
 	} else if (strncmp(val, "silent", len) == 0) {
 		*(int *)kp->arg = VERBOSE_INFO;
 	} else {
 		return -EINVAL;
 	}
 	return 0;
 }
 static int verbosity_get(char *buffer, const struct kernel_param *kp) {
 	switch (*(int *)kp->arg) {
 		case VERBOSE_TRACE:
 			strcpy(buffer, "trace\n");
 			break;
 		case VERBOSE_DEBUG:
 			strcpy(buffer, "debug\n");
 			break;
 		case VERBOSE_INFO:
 			strcpy(buffer, "silent\n");
 			break;
 		default:
 			strcpy(buffer, "unknown\n");
 	}
 	return strlen(buffer);
 }
 static const struct kernel_param_ops verbosity_ops = {
 	.set = verbosity_set,
 	.get = verbosity_get,
 };
 module_param_cb(verbosity, &verbosity_ops, &config.verbose, 0664);
 static int frag_strat_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	if (strncmp(val, "tcp", len) == 0) {
 		*(int *)kp->arg = FRAG_STRAT_TCP;
 	} else if (strncmp(val, "ip", len) == 0) {
 		*(int *)kp->arg = FRAG_STRAT_IP;
 	} else if (strncmp(val, "none", len) == 0) {
 		*(int *)kp->arg = FRAG_STRAT_NONE;
 	} else {
 		return -EINVAL;
 	}
 	return 0;
 }
 static int frag_strat_get(char *buffer, const struct kernel_param *kp) {
 	switch (*(int *)kp->arg) {
 		case FRAG_STRAT_TCP:
 			strcpy(buffer, "tcp\n");
 			break;
 		case FRAG_STRAT_IP:
 			strcpy(buffer, "ip\n");
 			break;
 		case FRAG_STRAT_NONE:
 			strcpy(buffer, "none\n");
 			break;
 		default:
 			strcpy(buffer, "unknown\n");
 	}
 	return strlen(buffer);
 }
 static const struct kernel_param_ops frag_strat_ops = {
 	.set = frag_strat_set,
 	.get = frag_strat_get,
 };
 module_param_cb(fragmentation_strategy, &frag_strat_ops, &def_section->fragmentation_strategy, 0664);
 static int fake_strat_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	if (strncmp(val, "randseq", len) == 0) {
 		*(int *)kp->arg = FAKE_STRAT_RAND_SEQ;
 	} else if (strncmp(val, "ttl", len) == 0) {
 		*(int *)kp->arg = FAKE_STRAT_TTL;
 	} else if (strncmp(val, "tcp_check", len) == 0) {
 		*(int *)kp->arg = FAKE_STRAT_TCP_CHECK;
 	} else if (strncmp(val, "pastseq", len) == 0) {
 		*(int *)kp->arg = FAKE_STRAT_PAST_SEQ;
 	} else if (strncmp(val, "md5sum", len) == 0) {
 		*(int *)kp->arg = FAKE_STRAT_TCP_MD5SUM;
 	} else {
 		return -EINVAL;
 	}
 	return 0;
 }
 static int fake_strat_get(char *buffer, const struct kernel_param *kp) {
 	switch (*(int *)kp->arg) {
 		case FAKE_STRAT_RAND_SEQ:
 			strcpy(buffer, "randseq\n");
 			break;
 		case FAKE_STRAT_TTL:
 			strcpy(buffer, "ttl\n");
 			break;
 		case FAKE_STRAT_TCP_CHECK:
 			strcpy(buffer, "tcp_check\n");
 			break;
 		case FAKE_STRAT_PAST_SEQ:
 			strcpy(buffer, "pastseq\n");
 			break;
 		case FAKE_STRAT_TCP_MD5SUM:
 			strcpy(buffer, "md5sum\n");
 			break;
 		default:
 			strcpy(buffer, "unknown\n");
 	}
 	return strlen(buffer);
 }
 static const struct kernel_param_ops fake_strat_ops = {
 	.set = fake_strat_set,
 	.get = fake_strat_get,
 };
 module_param_cb(faking_strategy, &fake_strat_ops, &def_section->faking_strategy, 0664);
 static int sni_detection_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	if (strncmp(val, "parse", len) == 0) {
 		*(int *)kp->arg = SNI_DETECTION_PARSE;
 	} else if (strncmp(val, "brute", len) == 0) {
 		*(int *)kp->arg = SNI_DETECTION_BRUTE;
 	} else {
 		return -EINVAL;
 	}
 	return 0;
 }
 static int sni_detection_get(char *buffer, const struct kernel_param *kp) {
 	switch (*(int *)kp->arg) {
 		case SNI_DETECTION_PARSE:
 			strcpy(buffer, "parse\n");
 			break;
 		case SNI_DETECTION_BRUTE:
 			strcpy(buffer, "brute\n");
 			break;
 		default:
 			strcpy(buffer, "unknown\n");
 	}
 	return strlen(buffer);
 }
 static const struct kernel_param_ops sni_detection_ops = {
 	.set = sni_detection_set,
 	.get = sni_detection_get,
 };
 module_param_cb(sni_detection, &sni_detection_ops, &def_section->sni_detection, 0664);
 static int fake_type_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	if (strncmp(val, "default", len) == 0) {
 		*(int *)kp->arg = FAKE_PAYLOAD_DEFAULT;
 	} else if (strncmp(val, "custom", len) == 0) {
 		*(int *)kp->arg = FAKE_PAYLOAD_CUSTOM;
 	} else if (strncmp(val, "random", len) == 0) {
 		*(int *)kp->arg = FAKE_PAYLOAD_RANDOM;
 	} else {
 		return -EINVAL;
 	}
 	return 0;
 }
 static int fake_type_get(char *buffer, const struct kernel_param *kp) {
 	switch (*(int *)kp->arg) {
 		case FAKE_PAYLOAD_DEFAULT:
 			strcpy(buffer, "default\n");
 			break;
 		case FAKE_PAYLOAD_RANDOM:
 			strcpy(buffer, "random\n");
 			break;
 		case FAKE_PAYLOAD_CUSTOM:
 			strcpy(buffer, "custom\n");
 			break;
 		default:
 			strcpy(buffer, "unknown\n");
 	}
 	return strlen(buffer);
 }
 static const struct kernel_param_ops fake_type_ops = {
 	.set = fake_type_set,
 	.get = fake_type_get,
 };
 module_param_cb(fake_sni_type, &fake_type_ops, &def_section->fake_sni_type, 0664);
 static int fake_custom_pl_set(const char *val, const struct kernel_param *kp) {
 	size_t len;
 	len = strnlen(val, STR_MAXLEN + 1);
 	if (len == STR_MAXLEN + 1) {
 		pr_err("%s: string parameter too long\n", kp->name);
 		return -ENOSPC;
 	}
 	if (len >= 1 && val[len - 1] == '\n') {
 		len--;
 	}
 	uint8_t *const custom_buf = (uint8_t *)custom_fake_buf;
 	const char *custom_hex_fake = val;
 	size_t custom_hlen = len;
 	if ((custom_hlen & 1) == 1) {
 		return -EINVAL;
 	}
 	size_t custom_len = custom_hlen >> 1;
 	if (custom_len > MAX_FAKE_SIZE) {
 		return -EINVAL;
 	}
 	for (int i = 0; i < custom_len; i++) {
 		sscanf(custom_hex_fake + (i << 1), "%2hhx", custom_buf + i);
 	}
 	def_section->fake_custom_pkt_sz = custom_len;
 	def_section->fake_custom_pkt = (char *)custom_buf;
 	return 0;
 }
 static int fake_custom_pl_get(char *buffer, const struct kernel_param *kp) {
 	int cflen = def_section->fake_custom_pkt_sz;
 	const uint8_t *cbf_data = def_section->fake_custom_pkt;
 	int bflen = def_section->fake_custom_pkt_sz << 1;
 	for (int i = 0; i < cflen; i++) {
 		sprintf(buffer + (i << 1), "%02x", *((unsigned char *)cbf_data + i));
 	}
 	return bflen;
 }
 static const struct kernel_param_ops fake_custom_pl_ops = {
 	.set = fake_custom_pl_set,
 	.get = fake_custom_pl_get,
 };
 module_param_cb(fake_custom_payload, &fake_custom_pl_ops, &def_section->fake_custom_pkt, 0664);
--- a/kmake.mk
+++ b/kmake.mk
@@ -7,36 +7,23 @@ LD	:= ld
 CFLAGS	:=
 LDFLAGS	:=
-IPT_CFLAGS := -Wall -Wpedantic -O2
+KERNEL_BUILDER_MAKEDIR:=/lib/modules/$(shell uname -r)/build
 .PHONY: kmake kload kunload kreload kclean kmclean xclean
-kmake: kmod xmod
+kmake: kmod
 kmod:
-	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+	$(MAKE) -C $(KERNEL_BUILDER_MAKEDIR) M=$(PWD) modules
 xmod: libipt_YTUNBLOCK.so
 libipt_YTUNBLOCK.so: libipt_YTUNBLOCK.o
 	$(CCLD) -shared -fPIC ${IPT_CFLAGS} -o $@ $^;
 libipt_YTUNBLOCK.o: libipt_YTUNBLOCK.c
 	$(CC) ${IPT_CFLAGS} -D_INIT=lib$*_init -fPIC -c -o $@ $<;
 kload:
-	insmod ipt_YTUNBLOCK.ko
+	insmod kyoutubeUnblock.ko
 	cp ./libipt_YTUNBLOCK.so /usr/lib/xtables/
 kunload:
-	-rmmod ipt_YTUNBLOCK
+	-rmmod kyoutubeUnblock
 	-/bin/rm /usr/lib/xtables/libipt_YTUNBLOCK.so
 kreload: kunload kload
-kclean: xtclean kmclean
+kclean: kmclean
 kmclean:
-	-$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+	-$(MAKE) -C $(KERNEL_BUILDER_MAKEDIR) M=$(PWD) clean
 xtclean:
 	-/bin/rm -f libipt_YTUNBLOCK.so libipt_YTUNBLOCK.o
--- a/kytunblock.c
+++ b/kytunblock.c
@@ -0,0 +1,414 @@
 #ifndef KERNEL_SPACE
 #error "You are trying to compile the kernel module not in the kernel space"
 #endif
 // Kernel module for youtubeUnblock.
 // Build with make kmake 
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/mutex.h>
 #include <linux/socket.h>
 #include <linux/net.h>
 #include <linux/kernel.h>
 #include <linux/version.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include "mangle.h"
 #include "config.h"
 #include "utils.h"
 #include "logging.h"
 MODULE_LICENSE("GPL");
 MODULE_VERSION("0.3.2");
 MODULE_AUTHOR("Vadim Vetrov <vetrovvd@gmail.com>");
 MODULE_DESCRIPTION("Linux kernel module for youtubeUnblock");
 static struct socket *rawsocket;
 static struct socket *raw6socket;
 static int open_raw_socket(void) {
 	int ret = 0;
 	ret = sock_create(AF_INET, SOCK_RAW, IPPROTO_RAW, &rawsocket);
 	if (ret < 0) {
 		pr_alert("Unable to create raw socket\n");
 		goto err;
 	}
 	// That's funny, but this is how it is done in the kernel
 	// https://elixir.bootlin.com/linux/v3.17.7/source/net/core/sock.c#L916
 	rawsocket->sk->sk_mark=config.mark;
 	return 0;
 err:
 	return ret;
 }
 static void close_raw_socket(void) {
 	sock_release(rawsocket);
 }
 static int send_raw_ipv4(const uint8_t *pkt, uint32_t pktlen) {
 	int ret = 0;
 	if (pktlen > AVAILABLE_MTU) return -ENOMEM;
 	struct iphdr *iph;
 	if ((ret = ip4_payload_split(
 	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
 		return ret;
 	}
 	struct sockaddr_in daddr = {
 		.sin_family = AF_INET,
 		.sin_port = 0,
 		.sin_addr = {
 			.s_addr = iph->daddr
 		}
 	};
 	struct msghdr msg;
 	struct kvec iov;
 	memset(&msg, 0, sizeof(msg));
 	iov.iov_base = (__u8 *)pkt;
 	iov.iov_len = pktlen;
 	msg.msg_flags = 0;
 	msg.msg_name = &daddr;
 	msg.msg_namelen = sizeof(struct sockaddr_in);
 	msg.msg_control = NULL;
 	msg.msg_controllen = 0;
 	ret = kernel_sendmsg(rawsocket, &msg, &iov, 1, pktlen);
 	return ret;
 }
 static int open_raw6_socket(void) {
 	int ret = 0;
 	ret = sock_create(AF_INET6, SOCK_RAW, IPPROTO_RAW, &raw6socket);
 	if (ret < 0) {
 		pr_alert("Unable to create raw socket\n");
 		goto err;
 	}
 	// That's funny, but this is how it is done in the kernel
 	// https://elixir.bootlin.com/linux/v3.17.7/source/net/core/sock.c#L916
 	raw6socket->sk->sk_mark=config.mark;
 	return 0;
 err:
 	return ret;
 }
 static void close_raw6_socket(void) {
 	sock_release(raw6socket);
 }
 static int send_raw_ipv6(const uint8_t *pkt, uint32_t pktlen) {
 	int ret = 0;
 	if (pktlen > AVAILABLE_MTU) return -ENOMEM;
 	struct ip6_hdr *iph;
 	if ((ret = ip6_payload_split(
 	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
 		return ret;
 	}
 	struct sockaddr_in6 daddr = {
 		.sin6_family = AF_INET6,
 		/* Always 0 for raw socket */
 		.sin6_port = 0,
 		.sin6_addr = iph->ip6_dst
 	};
 	struct kvec iov;
 	struct msghdr msg;
 	memset(&msg, 0, sizeof(msg));
 	iov.iov_base = (__u8 *)pkt;
 	iov.iov_len = pktlen;
 	msg.msg_flags = 0;
 	msg.msg_name = &daddr;
 	msg.msg_namelen = sizeof(struct sockaddr_in6);
 	msg.msg_control = NULL;
 	msg.msg_controllen = 0;
 	ret = kernel_sendmsg(raw6socket, &msg, &iov, 1, pktlen);
 	return ret;
 }
 static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 	int ret;
 	if (pktlen > AVAILABLE_MTU) {
 		lgdebug("The packet is too big and may cause issues!");
 		NETBUF_ALLOC(buff1, MAX_PACKET_SIZE);
 		if (!NETBUF_CHECK(buff1)) {
 			lgerror("Allocation error", -ENOMEM);
 			return -ENOMEM;
 		}
 		NETBUF_ALLOC(buff2, MAX_PACKET_SIZE);
 		if (!NETBUF_CHECK(buff2)) {
 			lgerror("Allocation error", -ENOMEM);
 			NETBUF_FREE(buff2);
 			return -ENOMEM;
 		}
 		uint32_t buff1_size = MAX_PACKET_SIZE;
 		uint32_t buff2_size = MAX_PACKET_SIZE;
 		if ((ret = tcp_frag(pkt, pktlen, AVAILABLE_MTU-128,
 			buff1, &buff1_size, buff2, &buff2_size)) < 0) {
 			goto erret_lc;
 		}
 		int sent = 0;
 		ret = send_raw_socket(buff1, buff1_size);
 		if (ret >= 0) sent += ret;
 		else {
 			goto erret_lc;
 		}
 		ret = send_raw_socket(buff2, buff2_size);
 		if (ret >= 0) sent += ret;
 		else {
 			goto erret_lc;
 		}
 		NETBUF_FREE(buff1);
 		NETBUF_FREE(buff2);
 		return sent;
 erret_lc:
 		NETBUF_FREE(buff1);
 		NETBUF_FREE(buff2);
 		return ret;
 	}
 	int ipvx = netproto_version(pkt, pktlen);
 	if (ipvx == IP4VERSION) {
 		return send_raw_ipv4(pkt, pktlen);
 	} else if (ipvx == IP6VERSION) {
 		return send_raw_ipv6(pkt, pktlen);
 	} else {
 		printf("proto version %d is unsupported\n", ipvx);
 		return -EINVAL;
 	}
 	lgtrace_addp("raw_sock_send: %d", ret);
 	return ret;
 }
 static int delay_packet_send(const unsigned char *data, unsigned int data_len, unsigned int delay_ms) {
 	pr_info("delay_packet_send won't work on current youtubeUnblock version");
 	return send_raw_socket(data, data_len);
 }
 struct instance_config_t instance_config = {
 	.send_raw_packet = send_raw_socket,
 	.send_delayed_packet = delay_packet_send,
 };
 /* If this is a Red Hat-based kernel (Red Hat, CentOS, Fedora, etc)... */
 #ifdef RHEL_RELEASE_CODE
 #if RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(7, 2)
 #define NF_CALLBACK(name, skb) unsigned int name( \
 		const struct nf_hook_ops *ops, \
 		struct sk_buff *skb, \
 		const struct net_device *in, \
 		const struct net_device *out, \
 		const struct nf_hook_state *state) \
 #elif RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(7, 0)
 #define NF_CALLBACK(name, skb) unsigned int name( \
 		const struct nf_hook_ops *ops, \
 		struct sk_buff *skb, \
 		const struct net_device *in, \
 		const struct net_device *out, \
 		int (*okfn)(struct sk_buff *))
 #else
 #error "Sorry; this version of RHEL is not supported because it's kind of old."
 #endif /* RHEL_RELEASE_CODE >= x */
 /* If this NOT a RedHat-based kernel (Ubuntu, Debian, SuSE, etc)... */
 #else
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 #define NF_CALLBACK(name, skb) unsigned int name( \
 		void *priv, \
 		struct sk_buff *skb, \
 		const struct nf_hook_state *state)
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 #define NF_CALLBACK(name, skb) unsigned int name( \
 		const struct nf_hook_ops *ops, \
 		struct sk_buff *skb, \
 		const struct nf_hook_state *state)
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0)
 #define NF_CALLBACK(name, skb) unsigned int name( \
 		const struct nf_hook_ops *ops, \
 		struct sk_buff *skb, \
 		const struct net_device *in, \
 		const struct net_device *out, \
 		int (*okfn)(struct sk_buff *))
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 0, 0)
 #define NF_CALLBACK(name, skb) unsigned int name( \
 		unsigned int hooknum, \
 		struct sk_buff *skb, \
 		const struct net_device *in, \
 		const struct net_device *out, \
 		int (*okfn)(struct sk_buff *))
 #else
 #error "Linux < 3.0 isn't supported at all."
 #endif /* LINUX_VERSION_CODE > n */
 #endif /* RHEL or not RHEL */
 static NF_CALLBACK(ykb_nf_hook, skb) {
 	int ret;
 	if ((skb->mark & config.mark) == config.mark) 
 		goto accept;
 	if (skb->head == NULL) 
 		goto accept;
 	if (skb->len > MAX_PACKET_SIZE)
 		goto accept;
 	ret = skb_linearize(skb);
 	if (ret < 0) {
 		lgerror("Cannot linearize", ret);
 		goto accept;
 	}
 	int vrd = process_packet(skb->data, skb->len);
 	switch(vrd) {
 		case PKT_ACCEPT:
 			goto accept;
 		case PKT_DROP:
 			goto drop;
 	}
 accept:
 	return NF_ACCEPT;
 drop:
 	kfree_skb(skb);
 	return NF_STOLEN;
 }
 static struct nf_hook_ops ykb_nf_reg __read_mostly = {
 	.hook		= ykb_nf_hook,
 	.pf		= NFPROTO_IPV4,
 	.hooknum	= NF_INET_POST_ROUTING,
 	.priority	= NF_IP_PRI_MANGLE,
 };
 static struct nf_hook_ops ykb6_nf_reg __read_mostly = {
 	.hook		= ykb_nf_hook,
 	.pf		= NFPROTO_IPV6,
 	.hooknum	= NF_INET_POST_ROUTING,
 	.priority	= NF_IP6_PRI_MANGLE,
 };
 static int __init ykb_init(void) {
 	int ret = 0;
 	ret = open_raw_socket();
 	if (ret < 0) goto err;
 	if (config.use_ipv6) {
 		ret = open_raw6_socket();
 		if (ret < 0) goto close_rawsocket;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
 		struct net *n;
 		for_each_net(n) {
 			ret = nf_register_net_hook(n, &ykb6_nf_reg);
 			if (ret < 0) 
 				lgerror("bad rat",ret);
 		}
 #else
 		nf_register_hook(&ykb6_nf_reg);
 #endif
 	}
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
 	struct net *n;
 	for_each_net(n) {
 		ret = nf_register_net_hook(n, &ykb_nf_reg);
 		if (ret < 0) 
 			lgerror("bad rat",ret);
 	}
 #else
 	nf_register_hook(&ykb_nf_reg);
 #endif
 	pr_info("youtubeUnblock kernel module started.\n");
 	return 0;
 close_rawsocket:
 	close_raw_socket();
 err:
 	return ret;
 }
 static void __exit ykb_destroy(void) {
 	if (config.use_ipv6) {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
 		struct net *n;
 		for_each_net(n)
 			nf_unregister_net_hook(n, &ykb6_nf_reg);
 #else
 		nf_unregister_hook(&ykb6_nf_reg);
 #endif
 		close_raw6_socket();
 	}
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,13,0)
 	struct net *n;
 	for_each_net(n)
 		nf_unregister_net_hook(n, &ykb_nf_reg);
 #else
 	nf_unregister_hook(&ykb_nf_reg);
 #endif
 	close_raw_socket();
 	pr_info("youtubeUnblock kernel module destroyed.\n");
 }
 module_init(ykb_init);
 module_exit(ykb_destroy);
--- a/libipt_YTUNBLOCK.c
+++ b/libipt_YTUNBLOCK.c
@@ -1,26 +0,0 @@
 // Used to register target in iptables
 #include <stdio.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include "ipt_YTUNBLOCK.h"
 #define _init __attribute__((constructor)) _INIT
 #define __maybe_unused __attribute__((__unused__))
 static void YTKB_help(void) {
 	printf("Youtube Unblock - bypass youtube slowdown DPI in Russia\n");
 }
 static struct xtables_target ykb_tg_reg = {
 	.name           = "YTUNBLOCK",
 	.version        = XTABLES_VERSION,
 	.family         = NFPROTO_IPV4,
 	.size           = XT_ALIGN(sizeof(struct xt_ytunblock_tginfo)),
 	.userspacesize  = XT_ALIGN(sizeof(struct xt_ytunblock_tginfo)),
 	.help           = YTKB_help,
 };
 void _init(void) {
    xtables_register_target(&ykb_tg_reg);
 }
--- a/logging.h
+++ b/logging.h
@@ -5,11 +5,12 @@
 #define LOG_LEVEL (config.verbose)
 #ifdef KERNEL_SPACE
-#include <linux/printk.h>
+#include <linux/kernel.h>
 #include <linux/module.h>
 #define printf pr_info
 #define perror pr_err
 #define lgerror(msg, ret, ...) __extension__ ({		\
-	printf(msg ": %d\n", ##__VA_ARGS__, ret);	\
+	pr_err(msg ": %d\n", ##__VA_ARGS__, ret);	\
 })
 #else
 #include <stdio.h> // IWYU pragma: export
--- a/mangle.c
+++ b/mangle.c
--- a/mangle.h
+++ b/mangle.h
@@ -2,38 +2,12 @@
 #define YU_MANGLE_H
 #include "types.h"
-
+#include "tls.h"
 /**
 * Result of analyze_tls_data function
 */
 struct tls_verdict {
 	int target_sni; /* google video hello packet */
 	int sni_offset; /* offset from start of tcp _payload_ */
 	int sni_len;
 };
 /**
 * Processes the packet and finds TLS Client Hello information inside it.
 * data pointer points to start of TLS Message (TCP Payload)
 */
 struct tls_verdict analyze_tls_data(const uint8_t *data, uint32_t dlen);
 /**
 * Generates fake client hello message
 */
 int gen_fake_sni(const void *iph, uint32_t iph_len, 
 		 const struct tcphdr *tcph, uint32_t tcph_len, 
 		 uint8_t *buf, uint32_t *buflen);
 /**
 * Invalidates the raw packet. The function aims to invalid the packet
 * in such way as it will be accepted by DPI, but dropped by target server
 */
 int fail_packet(uint8_t *payload, uint32_t plen);
 #define PKT_ACCEPT	0
 #define PKT_DROP	1
 // Used for section config
 #define PKT_CONTINUE	2
 /**
 * Processes the packet and returns verdict.
@@ -46,28 +20,30 @@ int process_packet(const uint8_t *packet, uint32_t packet_len);
 * Processe the TCP packet.
 * Returns verdict.
 */
-int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len);
+int process_tcp_packet(const struct section_config_t *section, const uint8_t *raw_payload, uint32_t raw_payload_len);
 /**
 * Processes the UDP packet.
 * Returns verdict.
 */
-int process_udp4_packet(const uint8_t *pkt, uint32_t pktlen);
+int process_udp_packet(const struct section_config_t *section, const uint8_t *pkt, uint32_t pktlen);
 /**
 * Sends fake client hello.
 */
-int post_fake_sni(const void *iph, unsigned int iph_len, 
+int post_fake_sni(struct fake_type f_type, 
-		     const struct tcphdr *tcph, unsigned int tcph_len,
+		const void *iph, unsigned int iph_len, 
-		     unsigned char sequence_len);
+		const struct tcphdr *tcph, unsigned int tcph_len);
 /**
 * Splits packet by poses and posts.
 * Poses are relative to start of TCP payload.
 * dvs used internally and should be zero.
 */
-int send_tcp_frags(
+int send_tcp_frags(const struct section_config_t *section,
 	const uint8_t *packet, uint32_t pktlen, 
 	const uint32_t *poses, uint32_t poses_len, uint32_t dvs);
@@ -76,7 +52,7 @@ int send_tcp_frags(
 * Poses are relative to start of TCP payload.
 * dvs used internally and should be zero.
 */
-int send_ip4_frags(
+int send_ip4_frags(const struct section_config_t *section,
 	const uint8_t *packet, uint32_t pktlen, 
 	const uint32_t *poses, uint32_t poses_len, uint32_t dvs);
 #endif /* YU_MANGLE_H */
--- a/owrt/537-youtubeUnblock.nft
+++ b/owrt/537-youtubeUnblock.nft
@@ -1,5 +0,0 @@
 #!/usr/sbin/nft -f
 # This file install nftables rules for openwrt
 add rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
 insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept
--- a/owrt/youtubeUnblock.owrt
+++ b/owrt/youtubeUnblock.owrt
@@ -1,22 +0,0 @@
 #!/bin/sh /etc/rc.common
 USE_PROCD=1
 START=50
 STOP=50
 # Openwrt procd script: https://openwrt.org/docs/guide-developer/procd-init-script-example
 # The program should be put into /usr/bin/
 # This file should be put into /etc/init.d/
 start_service() {
 	procd_open_instance
 	procd_set_param command /usr/bin/youtubeUnblock
 	procd_set_param nice -20
 	procd_set_param stdout 1
 	procd_set_param stderr 1
 	procd_close_instance
 }
--- a/quic.c
+++ b/quic.c
@@ -48,7 +48,7 @@ int quic_parse_data(uint8_t *raw_payload, uint32_t raw_payload_len,
 	}
 	uint8_t found = 0;
-	for (uint8_t i = 0; i < sizeof(supported_versions); i++) {
+	for (uint8_t i = 0; i < 2; i++) {
 		if (ntohl(nqch->version) == supported_versions[i]) {
 			found = 1;
 		}
--- a/tls.c
+++ b/tls.c
@@ -0,0 +1,354 @@
 #include "types.h"
 #include "tls.h"
 #include "config.h"
 #include "logging.h"
 #include "utils.h"
 #ifndef KERNEL_SPACE
 #include <fcntl.h>
 #include <unistd.h>
 #endif
 #define TLS_CONTENT_TYPE_HANDSHAKE 0x16
 #define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01
 #define TLS_EXTENSION_SNI 0x0000
 #define TLS_EXTENSION_CLIENT_HELLO_ENCRYPTED 0xfe0d
 /**
 * Processes tls payload of the tcp request.
 * 
 * data Payload data of TCP.
 * dlen Length of `data`.
 */
 struct tls_verdict analyze_tls_data(
 	const struct section_config_t *section,
 	const uint8_t *data, 
 	uint32_t dlen) 
 {
 	struct tls_verdict vrd = {0};
 	size_t i = 0;
 	const uint8_t *data_end = data + dlen;
 	while (i + 4 < dlen) {
 		const uint8_t *msgData = data + i;
 		uint8_t tls_content_type = *msgData;
 		uint8_t tls_vmajor = *(msgData + 1);
 		uint16_t message_length = ntohs(*(uint16_t *)(msgData + 3));
 		if (tls_vmajor != 0x03) goto nextMessage;
 		if (i + 5 > dlen) break;
 		if (tls_content_type != TLS_CONTENT_TYPE_HANDSHAKE) 
 			goto nextMessage;
 		if (section->sni_detection == SNI_DETECTION_BRUTE) {
 			goto brute;
 		}
 		const uint8_t *handshakeProto = msgData + 5;
 		if (handshakeProto + 1 >= data_end) break;
 		uint8_t handshakeType = *handshakeProto;
 		if (handshakeType != TLS_HANDSHAKE_TYPE_CLIENT_HELLO)
 			goto nextMessage;
 		const uint8_t *msgPtr = handshakeProto;
 		msgPtr += 1; 
 		msgPtr += 3 + 2 + 32;
 		if (msgPtr + 1 >= data_end) break;
 		uint8_t sessionIdLength = *msgPtr;
 		msgPtr++;
 		msgPtr += sessionIdLength;
 		if (msgPtr + 2 >= data_end) break;
 		uint16_t ciphersLength = ntohs(*(uint16_t *)msgPtr);
 		msgPtr += 2;
 		msgPtr += ciphersLength;
 		if (msgPtr + 1 >= data_end) break;
 		uint8_t compMethodsLen = *msgPtr;
 		msgPtr++;
 		msgPtr += compMethodsLen;
 		if (msgPtr + 2 >= data_end) break;
 		uint16_t extensionsLen = ntohs(*(uint16_t *)msgPtr);
 		msgPtr += 2;
 		const uint8_t *extensionsPtr = msgPtr;
 		const uint8_t *extensions_end = extensionsPtr + extensionsLen;
 		if (extensions_end > data_end) extensions_end = data_end;
 		while (extensionsPtr < extensions_end) {
 			const uint8_t *extensionPtr = extensionsPtr;
 			if (extensionPtr + 4 >= extensions_end) break;
 			uint16_t extensionType = 
 				ntohs(*(uint16_t *)extensionPtr);
 			extensionPtr += 2;
 			uint16_t extensionLen = 
 				ntohs(*(uint16_t *)extensionPtr);
 			extensionPtr += 2;
 			if (extensionPtr + extensionLen > extensions_end) 
 				break;
 			if (extensionType != TLS_EXTENSION_SNI) 
 				goto nextExtension;
 			const uint8_t *sni_ext_ptr = extensionPtr;
 			if (sni_ext_ptr + 2 >= extensions_end) break;
 			uint16_t sni_ext_dlen = ntohs(*(uint16_t *)sni_ext_ptr);
 			sni_ext_ptr += 2;
 			const uint8_t *sni_ext_end = sni_ext_ptr + sni_ext_dlen;
 			if (sni_ext_end >= extensions_end) break;
 			if (sni_ext_ptr + 3 >= sni_ext_end) break;
 			sni_ext_ptr++;
 			uint16_t sni_len = ntohs(*(uint16_t *)sni_ext_ptr);
 			sni_ext_ptr += 2;
 			if (sni_ext_ptr + sni_len > sni_ext_end) break;
 			char *sni_name = (char *)sni_ext_ptr;
 			vrd.sni_offset = (uint8_t *)sni_name - data;
 			vrd.sni_target_offset = vrd.sni_offset;
 			vrd.sni_len = sni_len;
 			vrd.sni_target_len = vrd.sni_len;
 			if (section->all_domains) {
 				vrd.target_sni = 1;
 				goto check_domain;
 			}
 			unsigned int j = 0;
 			for (unsigned int i = 0; i <= section->domains_strlen; i++) {
 				if (	i > j &&
 					(i == section->domains_strlen	||	
 					section->domains_str[i] == '\0'	||
 					section->domains_str[i] == ','	|| 
 					section->domains_str[i] == '\n'	)) {
 					unsigned int domain_len = (i - j);
 					const char *sni_startp = sni_name + sni_len - domain_len;
 					const char *domain_startp = section->domains_str + j;
 					if (sni_len >= domain_len &&
 						sni_len < 128 && 
 						!strncmp(sni_startp, 
 						domain_startp, 
 						domain_len)) {
 							vrd.target_sni = 1;
 							vrd.sni_target_offset = (const uint8_t *)sni_startp - data;
 							vrd.sni_target_len = domain_len;
 							goto check_domain;
 					}
 					j = i + 1;
 				}
 			}
 check_domain:
 			if (vrd.target_sni == 1 && section->exclude_domains_strlen != 0) {
 				unsigned int j = 0;
 				for (unsigned int i = 0; i <= section->exclude_domains_strlen; i++) {
 					if (	i > j &&
 						(i == section->exclude_domains_strlen	||	
 						section->exclude_domains_str[i] == '\0'	||
 						section->exclude_domains_str[i] == ','	|| 
 						section->exclude_domains_str[i] == '\n'	)) {
 						unsigned int domain_len = (i - j);
 						const char *sni_startp = sni_name + sni_len - domain_len;
 						const char *domain_startp = section->exclude_domains_str + j;
 						if (sni_len >= domain_len &&
 							sni_len < 128 && 
 							!strncmp(sni_startp, 
 							domain_startp, 
 							domain_len)) {
 							vrd.target_sni = 0;
 							lgdebugmsg("Excluded SNI: %.*s", 
 								vrd.sni_len, data + vrd.sni_offset);
 							goto out;
 						}
 						j = i + 1;
 					}
 				}
 			}
 			goto out;
 nextExtension:
 			extensionsPtr += 2 + 2 + extensionLen;
 		}
 nextMessage:
 		i += 5 + message_length;
 	}
 out:
 	return vrd;
 brute:
 	if (section->all_domains) {
 		vrd.target_sni = 1;
 		vrd.sni_len = 0;
 		vrd.sni_offset = dlen / 2;
 		goto out;
 	}
 	unsigned int j = 0;
 	for (unsigned int i = 0; i <= section->domains_strlen; i++) {
 		if (	i > j &&
 			(i == section->domains_strlen	||	
 			section->domains_str[i] == '\0'	||
 			section->domains_str[i] == ','	|| 
 			section->domains_str[i] == '\n'	)) {
 			unsigned int domain_len = (i - j);
 			const char *domain_startp = section->domains_str + j;
 			if (domain_len + dlen + 1> MAX_PACKET_SIZE) { 
 				continue;
 			}
 			NETBUF_ALLOC(buf, MAX_PACKET_SIZE);
 			if (!NETBUF_CHECK(buf)) {
 				lgerror("Allocation error", -ENOMEM);
 				goto out;
 			}
 			NETBUF_ALLOC(nzbuf, MAX_PACKET_SIZE * sizeof(int));
 			if (!NETBUF_CHECK(nzbuf)) {
 				lgerror("Allocation error", -ENOMEM);
 				NETBUF_FREE(buf);
 				goto out;
 			}
 			int *zbuf = (void *)nzbuf;
 			memcpy(buf, domain_startp, domain_len);
 			memcpy(buf + domain_len, "#", 1);
 			memcpy(buf + domain_len + 1, data, dlen);
 			z_function((char *)buf, zbuf, domain_len + 1 + dlen);
 			for (unsigned int k = 0; k < dlen; k++) {
 				if (zbuf[k] == domain_len) {
 					vrd.target_sni = 1;
 					vrd.sni_len = domain_len;
 					vrd.sni_offset = (k - domain_len - 1);
 					vrd.sni_target_offset = vrd.sni_offset;
 					vrd.sni_target_len = vrd.sni_len;
 					NETBUF_FREE(buf);
 					NETBUF_FREE(nzbuf);
 					goto out;
 				}
 			}
 			j = i + 1;
 			NETBUF_FREE(buf);
 			NETBUF_FREE(nzbuf);
 		}
 	}
 	goto out;
 }
 int gen_fake_sni(struct fake_type type,
 		const void *ipxh, uint32_t iph_len, 
 		const struct tcphdr *tcph, uint32_t tcph_len,
 		uint8_t *buf, uint32_t *buflen) {
 	uint32_t data_len = type.fake_len;
 	int ret;
 	if (type.type == FAKE_PAYLOAD_RANDOM && data_len == 0) {
 		data_len = (uint32_t)randint() % 1200;
 	}
 	if (!ipxh || !tcph || !buf || !buflen)
 		return -EINVAL;
 	int ipxv = netproto_version(ipxh, iph_len);
 	if (ipxv == IP4VERSION) {
 		const struct iphdr *iph = ipxh;
 		memcpy(buf, iph, iph_len);
 		struct iphdr *niph = (struct iphdr *)buf;
 		niph->protocol = IPPROTO_TCP;
 	} else if (ipxv == IP6VERSION) {
 		const struct ip6_hdr *iph = ipxh;
 		iph_len = sizeof(struct ip6_hdr);
 		memcpy(buf, iph, iph_len);
 		struct ip6_hdr *niph = (struct ip6_hdr *)buf;
 		niph->ip6_nxt = IPPROTO_TCP;
 	} else {
 		return -EINVAL;
 	}
 	uint32_t dlen = iph_len + tcph_len + data_len;
 	if (*buflen < dlen) 
 		return -ENOMEM;
 	memcpy(buf + iph_len, tcph, tcph_len);
 	uint8_t *bfdptr = buf + iph_len + tcph_len;
 	switch (type.type) {
 		case FAKE_PAYLOAD_DATA:
 			memcpy(bfdptr, type.fake_data, data_len);
 			break;
 		default: // FAKE_PAYLOAD_RANDOM
 #ifdef KERNEL_SPACE
 			get_random_bytes(bfdptr, data_len);
 #else /* KERNEL_SPACE */
 #if _NO_GETRANDOM
 			ret = open("/dev/urandom", O_RDONLY);
 			if (ret < 0) {
 				lgerror("Unable to open /dev/urandom", ret);
 				return ret;
 			}
 			read(ret, bfdptr, data_len);
 			close(ret);
 #else /* _NO_GETRANDOM */
 			getrandom(bfdptr, data_len, 0);
 #endif /* _NO_GETRANDOM */
 #endif /* KERNEL_SPACE */
 	}
 	if (ipxv == IP4VERSION) {
 		struct iphdr *niph = (struct iphdr *)buf;
 		niph->tot_len = htons(dlen);
 	} else if (ipxv == IP6VERSION) {
 		struct ip6_hdr *niph = (struct ip6_hdr *)buf;
 		niph->ip6_plen = htons(dlen - iph_len);
 	}
 	fail_packet(type.strategy, buf, &dlen, *buflen);
 	*buflen = dlen;
 	return 0;
 }
--- a/tls.h
+++ b/tls.h
@@ -0,0 +1,34 @@
 #ifndef TLS_H
 #define TLS_H
 #include "types.h"
 #include "utils.h"
 /**
 * Result of analyze_tls_data function
 */
 struct tls_verdict {
 	int target_sni; /* google video hello packet */
 	int sni_offset; /* offset from start of tcp _payload_ */
 	int sni_target_offset; /* offset of target domain instead of entire sni */
 	int sni_target_len; /* offset of target domain instead of entire sni */
 	int sni_len;
 };
 /**
 * Processes the packet and finds TLS Client Hello information inside it.
 * data pointer points to start of TLS Message (TCP Payload)
 */
 struct tls_verdict analyze_tls_data(const struct section_config_t *section, const uint8_t *data, uint32_t dlen);
 /**
 * Generates the fake client hello message
 */
 int gen_fake_sni(struct fake_type type,
 		const void *iph, uint32_t iph_len, 
 		const struct tcphdr *tcph, uint32_t tcph_len, 
 		uint8_t *buf, uint32_t *buflen);
 #endif /* TLS_H */
--- a/types.h
+++ b/types.h
@@ -3,26 +3,26 @@
 #define TYPES_H
 #include <asm/byteorder.h>
-#ifdef KERNEL_SCOPE
+#ifdef KERNEL_SPACE
 #include <linux/errno.h> // IWYU pragma: export
 #include <linux/string.h> // IWYU pragma: export
 #include <linux/types.h>
-typedef __u8	uint8_t;
+#else /* USER_SPACE */
 typedef __u16	uint16_t;
 typedef __u32 	uint32_t;
 typedef __u64 	uint64_t;
 typedef __i8	int8_t;
 typedef __i16	int16_t;
 typedef __i32	int32_t;
 typedef __i64	int64_t;
 #else /* USERSPACE_SCOPE */
 #include <errno.h>  // IWYU pragma: export
 #include <stdint.h> // IWYU pragma: export
 #include <string.h> // IWYU pragma: export
 #include <stdlib.h> // IWYU pragma: export
-#endif /* SCOPES */
+
 #define _NO_GETRANDOM ((__GLIBC__ <= 2 && __GLIBC_MINOR__ < 25))
 #if !_NO_GETRANDOM
 #include <sys/random.h> // IWYU pragma: export
 #endif
 #endif /* SPACES */
 // Network specific structures
 #ifdef KERNEL_SPACE
@@ -30,15 +30,36 @@ typedef __i64	int64_t;
 #include <linux/net.h> // IWYU pragma: export
 #include <linux/in.h> // IWYU pragma: export
 #include <linux/ip.h> // IWYU pragma: export
 #include <linux/ipv6.h> // IWYU pragma: export
 #include <linux/tcp.h> // IWYU pragma: export
 #include <linux/version.h>
 #define ip6_hdr ipv6hdr
 /* from <netinet/ip.h> */
 #define	IP_RF 0x8000			/* reserved fragment flag */
 #define	IP_DF 0x4000			/* dont fragment flag */
 #define	IP_MF 0x2000			/* more fragments flag */
 #define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
 #ifdef __LITTLE_ENDIAN
 #define __BIG_ENDIAN 4321
 #define __BYTE_ORDER __LITTLE_ENDIAN
 #elif defined(__BIG_ENDIAN)
 #define __LITTLE_ENDIAN 1234
 #define __BYTE_ORDER __BIG_ENDIAN
 #else
-#define USER_SPACE
+#error "Unsupported endian"
 #endif
 #define ip6_plen payload_len
 #define ip6_nxt nexthdr
 #define ip6_hops hop_limit
 #define ip6_hlim hop_limit
 #define ip6_src saddr
 #define ip6_dst daddr
 #else /* USER_SPACE */
 #include <arpa/inet.h>		// IWYU pragma: export
 #include <netinet/ip.h>		// IWYU pragma: export
 #include <netinet/ip6.h>	// IWYU pragma: export
@@ -46,6 +67,8 @@ typedef __i64	int64_t;
 #include <netinet/udp.h>	// IWYU pragma: export
 #endif
 #ifndef KERNEL_SPACE
 #define max(a,b)__extension__\
 ({                           \
    __typeof__ (a) _a = (a); \
@@ -60,4 +83,40 @@ typedef __i64	int64_t;
    _a < _b ? _a : _b;       \
 })
 #endif /* not a KERNEL_SPACE */
 /**
 * Use NETBUF_ALLOC and NETBUF_FREE as an abstraction of memory allocation.
 * Do not use it within expressions, consider these defines as separate statements.
 *
 * Use NETBUF_CHECK to check that buffer was properly allocated.
 */
 #ifdef KERNEL_SPACE
 #include <linux/gfp.h>
 #define NETBUF_ALLOC(buf, buf_len) __u8* buf = kmalloc(buf_len, GFP_KERNEL);
 #define NETBUF_CHECK(buf) ((buf) != NULL)
 #define NETBUF_FREE(buf) kfree(buf);
 #elif defined(ALLOC_MALLOC)
 #include <stdlib.h>
 #define NETBUF_ALLOC(buf, buf_len) __u8* buf = malloc(buf_len);
 #define NETBUF_CHECK(buf) ((buf) != NULL)
 #define NETBUF_FREE(buf) free(buf);
 #else
 #define NETBUF_ALLOC(buf, buf_len) __u8 buf[buf_len];
 #define NETBUF_CHECK(buf) (1)
 #define NETBUF_FREE(buf) ;
 #endif
 static inline int randint(void) {
 	int rnd;
 #ifdef KERNEL_SPACE
 		get_random_bytes(&rnd, sizeof(rnd));
 #else
 		rnd = random();
 #endif
 	return rnd;
 }
 #endif /* TYPES_H */
--- a/uspace.mk
+++ b/uspace.mk
@@ -31,7 +31,7 @@ export CC CCLD LD CFLAGS LDFLAGS LIBNFNETLINK_CFLAGS LIBNFNETLINK_LIBS LIBMNL_CF
 APP:=$(BUILD_DIR)/youtubeUnblock
-SRCS := youtubeUnblock.c mangle.c args.c utils.c quic.c
+SRCS := youtubeUnblock.c mangle.c args.c utils.c quic.c tls.c
 OBJS := $(SRCS:%.c=$(BUILD_DIR)/%.o)
 LIBNFNETLINK := $(DEPSDIR)/lib/libnfnetlink.la
--- a/utils.c
+++ b/utils.c
@@ -1,14 +1,19 @@
 #include "utils.h"
 #include "logging.h"
-#include <netinet/in.h>
+#include "types.h"
-#ifdef KERNEL_SPACE
+#ifndef KERNEL_SPACE 
 #include <linux/ip.h>
 #else 
 #include <stdlib.h>
 #include <libnetfilter_queue/libnetfilter_queue_ipv4.h>
 #include <libnetfilter_queue/libnetfilter_queue_ipv6.h>
 #include <libnetfilter_queue/libnetfilter_queue_tcp.h>
 #else
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24))
 	#include <net/ip6_checksum.h>
 	#include <net/checksum.h>
 #else
 	#include <net/checksum.h>
 #endif
 #endif
@@ -37,9 +42,14 @@ void ip4_set_checksum(struct iphdr *iph)
 }
 void tcp6_set_checksum(struct tcphdr *tcph, struct ip6_hdr *iph) {
-	uint16_t old_check = ntohs(tcph->check);
+#ifdef KERNEL_SPACE
-
+	tcph->check = 0;
 	tcph->check = csum_ipv6_magic(&iph->saddr, &iph->daddr, 
 		 ntohs(iph->ip6_plen), IPPROTO_TCP, 
 		 csum_partial(tcph, ntohs(iph->ip6_plen), 0));
 #else
 	nfq_tcp_compute_checksum_ipv6(tcph, iph);
 #endif
 }
 int set_ip_checksum(void *iph, uint32_t iphb_len) {
@@ -157,7 +167,7 @@ int ip6_payload_split(uint8_t *pkt, uint32_t buflen,
 	}
 	uint32_t hdr_len = sizeof(struct ip6_hdr);
-	uint32_t pktlen = ntohs(hdr->ip6_ctlun.ip6_un1.ip6_un1_plen);
+	uint32_t pktlen = ntohs(hdr->ip6_plen);
 	if (buflen < pktlen) {
 		lgerror("ip6_payload_split: buflen cmp pktlen: %d %d", -EINVAL, buflen, pktlen);
 		return -EINVAL;
@@ -194,7 +204,7 @@ int tcp6_payload_split(uint8_t *pkt, uint32_t buflen,
 	if (
-		hdr->ip6_ctlun.ip6_un1.ip6_un1_nxt != IPPROTO_TCP || 
+		hdr->ip6_nxt != IPPROTO_TCP || 
 		tcph_plen < sizeof(struct tcphdr)) {
 		return -EINVAL;
 	}
@@ -240,7 +250,6 @@ int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
 	struct iphdr *hdr;
 	uint32_t hdr_len;
 	struct udphdr *uhdr;
 	uint32_t uhdr_len;
 	uint8_t *ip_ph;
 	uint32_t ip_phlen;
@@ -272,6 +281,59 @@ int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
 	return 0;
 }
 int udp6_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct ip6_hdr **iph, uint32_t *iph_len,
 		       struct udphdr **udph,
 		       uint8_t **payload, uint32_t *plen) {
 	struct ip6_hdr *hdr;
 	uint32_t hdr_len;
 	struct udphdr *uhdr;
 	uint8_t *ip_ph;
 	uint32_t ip_phlen;
 	if (ip6_payload_split(pkt, buflen, &hdr, &hdr_len, 
 			&ip_ph, &ip_phlen)){
 		return -EINVAL;
 	}
 	if (
 		hdr->ip6_nxt != IPPROTO_UDP || 
 		ip_phlen < sizeof(struct udphdr)) {
 		return -EINVAL;
 	}
 	uhdr = (struct udphdr *)(ip_ph);
 	if (uhdr->len != 0 && ntohs(uhdr->len) != ip_phlen) {
 		return -EINVAL;
 	}
 	if (iph) *iph = hdr;
 	if (iph_len) *iph_len = hdr_len;
 	if (udph) *udph = uhdr;
 	if (payload) *payload = ip_ph + sizeof(struct udphdr);
 	if (plen) *plen = ip_phlen - sizeof(struct udphdr);
 	return 0;
 }
 int udp_payload_split(uint8_t *pkt, uint32_t buflen,
 		      void **iph, uint32_t *iph_len,
 		      struct udphdr **udph,
 		      uint8_t **payload, uint32_t *plen) {
 	int netvers = netproto_version(pkt, buflen);
 	if (netvers == IP4VERSION) {
 		return udp4_payload_split(pkt, buflen, (struct iphdr **)iph, iph_len, udph, payload, plen);
 	} else if (netvers == IP6VERSION) {
 		return udp6_payload_split(pkt, buflen, (struct ip6_hdr **)iph, iph_len, udph, payload, plen);
 	} else {
 		lgerror("Internet Protocol version is unsupported", -EINVAL);
 		return -EINVAL;
 	}
 }
 // split packet to two ipv4 fragments.
 int ip4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset, 
 			uint8_t *frag1, uint32_t *f1len, 
@@ -356,7 +418,6 @@ int tcp_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 			uint8_t *seg1, uint32_t *s1len, 
 			uint8_t *seg2, uint32_t *s2len) {
 	// struct ip6_hdr *hdr6;
 	void *hdr;
 	uint32_t hdr_len;
 	struct tcphdr *tcph;
@@ -423,11 +484,16 @@ int tcp_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 		struct iphdr *s2_hdr = (void *)seg2;
 		s1_hdr->tot_len = htons(s1_dlen);
 		s2_hdr->tot_len = htons(s2_dlen);
 		s1_hdr->id = randint();
 		s2_hdr->id = randint();
 		set_ip_checksum(s1_hdr, sizeof(struct iphdr));
 		set_ip_checksum(s2_hdr, sizeof(struct iphdr));
 	} else {
 		struct ip6_hdr *s1_hdr = (void *)seg1;
 		struct ip6_hdr *s2_hdr = (void *)seg2;
-		s1_hdr->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(s1_dlen - hdr_len);
+		s1_hdr->ip6_plen = htons(s1_dlen - hdr_len);
-		s2_hdr->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(s2_dlen - hdr_len);
+		s2_hdr->ip6_plen = htons(s2_dlen - hdr_len);
 	}
 	struct tcphdr *s1_tcph = (void *)(seg1 + hdr_len);
@@ -440,3 +506,183 @@ int tcp_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 	return 0;
 }
 void z_function(const char *str, int *zbuf, size_t len) {
 	zbuf[0] = len;
 	int lh = 0, rh = 1;
 	for (int i = 1; i < (int)len; i++) {
 		zbuf[i] = 0;
 		if (i < rh) {
 			zbuf[i] = min(zbuf[i - lh], rh - i);
 		}
 		while (i + zbuf[i] < len && str[zbuf[i]] == str[i + zbuf[i]])
 			zbuf[i]++;
 		if (i + zbuf[i] > rh) {
 			lh = i;
 			rh = i + zbuf[i];
 		}
 	}
 }
 void shift_data(uint8_t *data, uint32_t dlen, uint32_t delta) {
 	uint8_t *ndptr = data + delta + dlen;
 	uint8_t *dptr = data + dlen;
 	uint8_t *ndlptr = data;
 	for (size_t i = dlen + 1; i > 0; i--) {
 		*ndptr = *dptr;
 		--ndptr, --dptr;
 	}
 	for (size_t i = 0; i < delta; i++) {
 		*ndlptr++ = 0;
 	}
 }
 #define TCP_MD5SIG_LEN 16
 #define TCP_MD5SIG_KIND 19
 struct tcp_md5sig_opt {
 	uint8_t kind;
 	uint8_t len;
 	uint8_t sig[TCP_MD5SIG_LEN];
 };
 #define TCP_MD5SIG_OPT_LEN (sizeof(struct tcp_md5sig_opt))
 // Real length of the option, with NOOP fillers
 #define TCP_MD5SIG_OPT_RLEN 20
 int fail_packet(struct failing_strategy strategy, uint8_t *payload, uint32_t *plen, uint32_t avail_buflen) {
 	void *iph;
 	uint32_t iph_len;
 	struct tcphdr *tcph;
 	uint32_t tcph_len;
 	uint8_t *data;
 	uint32_t dlen;
 	int ret;
 	ret = tcp_payload_split(payload, *plen, 
 			&iph, &iph_len, &tcph, &tcph_len,
 			&data, &dlen);
 	uint32_t ipxv = netproto_version(payload, *plen);
 	if (ret < 0) {
 		return ret;
 	}
 	if (strategy.strategy == FAKE_STRAT_RAND_SEQ) {
 		lgtrace("fake seq: %u -> ", ntohl(tcph->seq));
 		tcph->seq = htonl(ntohl(tcph->seq) - (strategy.randseq_offset + dlen));
 		lgtrace_addp("%u", ntohl(tcph->seq));
 	} else if (strategy.strategy == FAKE_STRAT_PAST_SEQ) {
 		lgtrace("fake seq: %u -> ", ntohl(tcph->seq));
 		tcph->seq = htonl(ntohl(tcph->seq) - dlen);
 		lgtrace_addp("%u", ntohl(tcph->seq));
 	} else if (strategy.strategy == FAKE_STRAT_TTL) {
 		lgtrace_addp("set fake ttl to %d", strategy.faking_ttl);
 		if (ipxv == IP4VERSION) {
 			((struct iphdr *)iph)->ttl = strategy.faking_ttl;
 		} else if (ipxv == IP6VERSION) {
 			((struct ip6_hdr *)iph)->ip6_hops = strategy.faking_ttl;
 		} else {
 			lgerror("fail_packet: IP version is unsupported", -EINVAL);
 			return -EINVAL;
 		}
 	} else if (strategy.strategy == FAKE_STRAT_TCP_MD5SUM) {
 		int optp_len = tcph_len - sizeof(struct tcphdr);
 		int delta = TCP_MD5SIG_OPT_RLEN - optp_len;
 		lgtrace_addp("Incr delta %d: %d -> %d", delta, optp_len, optp_len + delta);
 		if (delta > 0) {
 			if (avail_buflen - *plen < delta) {
 				return -1;
 			}
 			shift_data(data, dlen, delta);
 			data += delta;
 			tcph_len = tcph_len + delta;
 			tcph->doff = tcph_len >> 2;
 			if (ipxv == IP4VERSION) {
 				((struct iphdr *)iph)->tot_len = htons(ntohs(((struct iphdr *)iph)->tot_len) + delta);
 			} else if (ipxv == IP6VERSION) {
 				((struct ip6_hdr *)iph)->ip6_plen = htons(ntohs(((struct ip6_hdr *)iph)->ip6_plen) + delta);
 			} else {
 				lgerror("fail_packet: IP version is unsupported", -EINVAL);
 				return -EINVAL;
 			}
 			optp_len += delta;
 			*plen += delta;
 		}
 		uint8_t *optplace = (uint8_t *)tcph + sizeof(struct tcphdr);
 		struct tcp_md5sig_opt *mdopt = (void *)optplace;
 		mdopt->kind = TCP_MD5SIG_KIND;
 		mdopt->len = TCP_MD5SIG_OPT_LEN;
 		optplace += sizeof(struct tcp_md5sig_opt);
 		optp_len -= sizeof(struct tcp_md5sig_opt);
 		while (optp_len-- > 0) {
 			*optplace++ = 0x01;
 		}
 	}
 	if (ipxv == IP4VERSION) {
 		((struct iphdr *)iph)->frag_off = 0;
 	}
 	set_ip_checksum(iph, iph_len);
 	set_tcp_checksum(tcph, iph, iph_len);
 	if (strategy.strategy == FAKE_STRAT_TCP_CHECK) {
 		lgtrace_addp("break fake tcp checksum");
 		tcph->check += 1;
 	}
 	return 0;
 }
 int seqovl_packet(uint8_t *payload, uint32_t *plen, uint32_t seq_delta) {
 	int ipxv = netproto_version(payload, *plen);
 	void *iph;
 	uint32_t iph_len;
 	struct tcphdr *tcph;
 	uint32_t tcph_len;
 	uint8_t *data;
 	uint32_t dlen;
 	int ret = tcp_payload_split(payload, *plen,
 			      &iph, &iph_len, &tcph, &tcph_len,
 			      &data, &dlen);
 	if (ret < 0) {
 		return -1;
 	}
 	if (ipxv == IP4VERSION) {
 		struct iphdr *ip4h = iph;
 		ip4h->tot_len = htons(ntohs(ip4h->tot_len) + seq_delta); 
 	} else if (ipxv == IP6VERSION) {
 		struct ip6_hdr *ip6h = iph;
 		ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) + seq_delta); 
 	} else {
 		return -1;
 	}
 	tcph->seq = htons(ntohs(tcph->seq) - seq_delta);
 	shift_data(data, dlen, seq_delta);
 	*plen += seq_delta;
 	set_ip_checksum(iph, iph_len);
 	set_tcp_checksum(tcph, iph, iph_len);
 	return 0;
 }
--- a/utils.h
+++ b/utils.h
@@ -2,6 +2,7 @@
 #define UTILS_H
 #include "types.h"
 #include "config.h"
 #define IP4VERSION 4
 #define IP6VERSION 6
@@ -81,6 +82,16 @@ int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct udphdr **udph,
 		       uint8_t **payload, uint32_t *plen);
 int udp6_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct ip6_hdr **iph, uint32_t *iph_len,
 		       struct udphdr **udph,
 		       uint8_t **payload, uint32_t *plen);
 int udp_payload_split(uint8_t *pkt, uint32_t buflen,
 		      void **iph, uint32_t *iph_len,
 		      struct udphdr **udph,
 		      uint8_t **payload, uint32_t *plen);
 void tcp4_set_checksum(struct tcphdr *tcph, struct iphdr *iph);
 void ip4_set_checksum(struct iphdr *iph);
 void ip6_set_checksum(struct ip6_hdr *iph);
@@ -89,4 +100,94 @@ void tcp6_set_checksum(struct tcphdr *tcph, struct ip6_hdr *iph);
 int  set_ip_checksum(void *iph, uint32_t iphb_len);
 int  set_tcp_checksum(struct tcphdr *tcph, void *iph, uint32_t iphb_len);
 void z_function(const char *str, int *zbuf, size_t len);
 /**
 * Shifts data left delta bytes. Fills delta buffer with zeroes.
 */
 void shift_data(uint8_t *data, uint32_t dlen, uint32_t delta);
 struct failing_strategy {
 	unsigned int strategy;
 	uint8_t faking_ttl;
 	uint32_t randseq_offset;
 };
 struct fake_type {
 #define FAKE_PAYLOAD_RANDOM	0
 #define FAKE_PAYLOAD_DATA	1
 // In default mode all other options will be skipped.
 #define FAKE_PAYLOAD_DEFAULT	2
 	int type;	
 	// Length of the final fake message. 
 	// Pass 0 in RANDOM mode to make it random
 	uint16_t fake_len;
 	// Payload of the fake message of fake_len length. 
 	// Will be omitted in RANDOM mode.
 	const char *fake_data;
 	unsigned int sequence_len;
 	// If non-0 the packet send will be delayed for n milliseconds
 	unsigned int seg2delay;
 	// faking strategy of the fake packet.
 	// Does not support bitmask, pass standalone strategy.
 	// Pass 0 if you don't want any faking procedures.
 	struct failing_strategy strategy;
 };
 /**
 * Invalidates the raw packet. The function aims to invalid the packet
 * in such way as it will be accepted by DPI, but dropped by target server
 *
 * Does not support bitmask, pass standalone strategy.
 */
 int fail_packet(struct failing_strategy strategy, uint8_t *payload, uint32_t *plen, uint32_t avail_buflen);
 /**
 * Shifts the payload right and pushes zeroes before it. Useful for TCP TLS faking.
 */
 int seqovl_packet(uint8_t *payload, uint32_t *plen, uint32_t seq_delta);
 static inline struct failing_strategy args_default_failing_strategy(const struct section_config_t *section) {
 	struct failing_strategy fl_strat = {
 		.strategy = (unsigned int)section->faking_strategy,
 		.faking_ttl = section->faking_ttl,
 		.randseq_offset = (uint32_t)section->fakeseq_offset
 	};
 	return fl_strat;
 }
 static inline struct fake_type args_default_fake_type(const struct section_config_t *section) {
 	struct fake_type f_type = {
 		.sequence_len = section->fake_sni_seq_len,
 		.strategy = args_default_failing_strategy(section),
 	};
 	switch (section->fake_sni_type) {
 		case FAKE_PAYLOAD_RANDOM:
 			f_type.type = FAKE_PAYLOAD_RANDOM;
 			break;
 		case FAKE_PAYLOAD_CUSTOM:
 			f_type.type = FAKE_PAYLOAD_CUSTOM;
 			f_type.fake_data = section->fake_custom_pkt;
 			f_type.fake_len = section->fake_custom_pkt_sz;
 			break;
 		default:
 			f_type.type = FAKE_PAYLOAD_CUSTOM;
 			f_type.fake_data = section->fake_sni_pkt;
 			f_type.fake_len = section->fake_sni_pkt_sz;
 	}
 	return f_type;
 }
 #endif /* UTILS_H */
--- a/youtubeUnblock.c
+++ b/youtubeUnblock.c
@@ -234,9 +234,6 @@ static int send_raw_ipv6(const uint8_t *pkt, uint32_t pktlen) {
 		.sin6_addr = iph->ip6_dst
 	};
 	tcp6_set_checksum((void *)(uint8_t *)pkt + sizeof(struct ip6_hdr), (void *)pkt);
 	if (config.threads != 1)
 		pthread_mutex_lock(&rawsocket_lock);
@@ -267,27 +264,11 @@ static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 		uint8_t buff2[MNL_SOCKET_BUFFER_SIZE];
 		uint32_t buff2_size = MNL_SOCKET_BUFFER_SIZE;
-		switch (config.fragmentation_strategy) {
+		if ((ret = tcp_frag(pkt, pktlen, AVAILABLE_MTU-128,
-			case FRAG_STRAT_TCP:
+			buff1, &buff1_size, buff2, &buff2_size)) < 0) {
 				if ((ret = tcp_frag(pkt, pktlen, AVAILABLE_MTU-128,
 					buff1, &buff1_size, buff2, &buff2_size)) < 0) {
-					errno = -ret;
+			errno = -ret;
-					return ret;
+			return ret;
 				}
 				break;
 			case FRAG_STRAT_IP:
 				if ((ret = ip4_frag(pkt, pktlen, AVAILABLE_MTU-128,
 					buff1, &buff1_size, buff2, &buff2_size)) < 0) {
 					errno = -ret;
 					return ret;
 				}
 				break;
 			default:
 				errno = EINVAL;
 				printf("send_raw_socket: Packet is too big but fragmentation is disabled!\n");
 				return -EINVAL;
 		}
 		int sent = 0;
@@ -309,17 +290,19 @@ static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 	int ipvx = netproto_version(pkt, pktlen);
-	if (ipvx == IP4VERSION) 
+	if (ipvx == IP4VERSION) {
-		return send_raw_ipv4(pkt, pktlen);
+		ret = send_raw_ipv4(pkt, pktlen);
-	else if (ipvx == IP6VERSION) 
+	} else if (ipvx == IP6VERSION) {
-		return send_raw_ipv6(pkt, pktlen);
+		ret = send_raw_ipv6(pkt, pktlen);
 	} else {
 		printf("proto version %d is unsupported\n", ipvx);
 		return -EINVAL;
 	}
-	printf("proto version %d is unsupported\n", ipvx);
+	lgtrace_addp("raw_sock_send: %d", ret);
-	return -EINVAL;
+	return ret;
 }
 struct packet_data {
 	uint32_t id;
 	uint16_t hw_proto;
@@ -378,7 +361,7 @@ void *delay_packet_send_fn(void *data) {
 	return NULL;
 }
-void delay_packet_send(const unsigned char *data, unsigned int data_len, unsigned int delay_ms) {
+int delay_packet_send(const unsigned char *data, unsigned int data_len, unsigned int delay_ms) {
 	struct dps_t *dpdt = malloc(sizeof(struct dps_t));
 	dpdt->pkt = malloc(data_len);
 	memcpy(dpdt->pkt, data, data_len);
@@ -387,6 +370,9 @@ void delay_packet_send(const unsigned char *data, unsigned int data_len, unsigne
 	pthread_t thr;
 	pthread_create(&thr, NULL, delay_packet_send_fn, dpdt);
 	pthread_detach(thr);
 	lgtrace_addp("Scheduled packet send after %d ms", delay_ms);
 	return 0;
 }
 static int queue_cb(const struct nlmsghdr *nlh, void *data) {
Author	SHA1	Message	Date
Vadim Vetrov	ee56b67d20	Merge pull request #132 from Waujito/custom_fakes Custom fakes	2024-10-14 00:25:45 +03:00
Vadim Vetrov	ed08feaf20	Mention #148 in README Troubleshooting	2024-10-14 00:22:50 +03:00
Vadim Vetrov	96cf0365ee	Fix possible errors on older compilers	2024-10-14 00:15:37 +03:00
Vadim Vetrov	4c7b63fa7f	Add multiple sections with config sets for various domains	2024-10-13 23:31:26 +03:00
Vadim Vetrov	58f4802f64	Update kernel module parameters	2024-10-12 19:08:49 +03:00
Vadim Vetrov	05cc0054d8	Fix getrandom on older versions	2024-10-12 16:55:27 +03:00
Vadim Vetrov	e9b033ccca	Update faking strategies Use random ip4 id for frags, use sequential ip4 id for fakes	2024-10-12 12:23:06 +03:00
Vadim Vetrov	30bc3a8d3f	Update workflow for separate luci-app-youtubeUnblock	2024-10-11 22:37:26 +03:00
Vadim Vetrov	c617f238af	Descibe benefits of kernel module As asked in #128	2024-09-29 13:23:16 +03:00
Vadim Vetrov	43ca3fe07e	Mention about opkg update Asked in #123	2024-09-29 13:02:38 +03:00
Vadim Vetrov	9dc40bbdf1	Fix split on preset domain list	2024-09-28 23:06:45 +03:00
Vadim Vetrov	666b3575fc	Fix kmod fake, update kmod verbosity settings	2024-09-28 22:45:35 +03:00
Vadim Vetrov	263a04bb95	Kernel module code cleanup	2024-09-28 22:17:11 +03:00
Vadim Vetrov	6b21e9b3b3	Add checker for kernel module	2024-09-28 21:29:54 +03:00
Vadim Vetrov	98a3fd5acd	Add workflow for test build	2024-09-28 14:02:55 +03:00
Vadim Vetrov	3ee979f7d1	Enhance middle sni split Instead of real middle sni we use targetted middle sni for explicit (not all) sni domain list	2024-09-28 11:31:46 +03:00
Vadim Vetrov	82c49119d3	Add more custom fake message, random fake message	2024-09-26 18:11:05 +03:00
Vadim Vetrov	0fe45ec33f	Delete owrt directory The scripts moved to the openwrt branch https://github.com/Waujito/youtubeUnblock/tree/openwrt	2024-09-21 21:16:19 +03:00
Vadim Vetrov	43d0118767	Describe the new release delivery system	2024-09-21 19:27:47 +03:00
Vadim Vetrov	79df04cb07	Update CI workflow	2024-09-21 19:20:29 +03:00
Vadim Vetrov	2d1b58bc6d	Delete workflow for kmod	2024-09-21 18:16:09 +03:00
Vadim Vetrov	cdb26833ba	Merge pull request #98 from Waujito/kmod Kernel module	2024-09-21 08:11:01 -07:00
Vadim Vetrov	c786a44dd5	Fix warnings	2024-09-20 23:06:59 +03:00
Vadim Vetrov	2fd3107401	Fix memcpy	2024-09-19 22:48:25 +03:00
Vadim Vetrov	5415bc37ec	Compatibility for kernel version 3	2024-09-19 21:55:15 +03:00
Vadim Vetrov	3187b3ca61	Delete mutexes from rawsocket The program works in sync way with kernel	2024-09-19 16:47:18 +03:00
Vadim Vetrov	1cacac7adc	Add notices about kernel module and openwrt sdk	2024-09-17 19:28:13 +03:00
Vadim Vetrov	6eaa0a67c8	Merge branch 'main' into kmod	2024-09-17 19:10:18 +03:00
Vadim Vetrov	edbfe120c5	Update README.md	2024-09-17 19:04:33 +03:00
Vadim Vetrov	7e71c5e9b8	Update README.md	2024-09-15 21:40:14 -07:00
Vadim Vetrov	1ade21aa22	Update README for kernel module	2024-09-16 00:28:10 +03:00
Vadim Vetrov	49a48c33cf	Update kernel module arguments	2024-09-15 22:21:24 +03:00
Vadim Vetrov	5e28fe83c2	Allow allocate in user-space with malloc	2024-09-14 20:37:19 +03:00
Vadim Vetrov	d93763ac44	Merge branch 'main' into kmod	2024-09-14 20:17:25 +03:00
Vadim Vetrov	85d3843273	Update README.md	2024-09-14 04:23:33 -07:00
Vadim Vetrov	f0826606e3	Delete development branches	2024-09-14 12:27:37 +03:00
Vadim Vetrov	c2158a7450	Merge pull request #113 from Waujito/luci_upd Openwrt LuCI support Part 2	2024-09-14 02:26:31 -07:00
Vadim Vetrov	740df8979f	Add sections about restart after settings apply	2024-09-14 12:24:20 +03:00
Vadim Vetrov	7e73fa2613	Add documentation for LuCI and UCI	2024-09-14 11:39:10 +03:00
Vadim Vetrov	8c405b81df	Log ip version for udp	2024-09-14 11:18:45 +03:00
Vadim Vetrov	2ff83c6030	Update firewall rules	2024-09-14 11:08:38 +03:00
Vadim Vetrov	9f5f194a37	Support for luci in actions	2024-09-13 21:14:01 +03:00
Vadim Vetrov	e38e0e7bd9	Add md5sum faking strategy	2024-09-13 19:11:17 +03:00
Vadim Vetrov	aef2b5b469	Merge pull request #108 from spvkgn/musl-cross CI: Add MIPS	2024-09-10 07:06:25 -07:00
spvkgn	bbd9f29a67	CI: add armv7 static build	2024-09-10 14:23:35 +05:00
spvkgn	ec9f5bb20c	CI: add job for MIPS arches	2024-09-10 14:23:35 +05:00
Vadim Vetrov	7919f82f4b	Delete kmod from workflow The systems and kernels are very various so we can't offer modules for all the systems. It is just easier to simply delete it.	2024-09-07 16:25:11 +03:00
Vadim Vetrov	ed6979cbcd	Merge branch 'main' into kmod	2024-09-07 15:52:31 +03:00
Vadim Vetrov	b3668f07ba	Add flags for kernel module	2024-09-07 15:51:25 +03:00
Vadim Vetrov	31aa309198	Fix #104 Infinity loop with default parameters Fixes infinity loop with default parameters for youtubeUnblock when trying to connect not handled website. The commit is also related to issue #100 where the support for --exclude-domains flag was added	2024-09-07 09:24:35 +03:00
Vadim Vetrov	7d01d0974d	Update README.md	2024-09-03 21:46:47 +03:00
Vadim Vetrov	5f2e423dfa	Add --exclude-domains flag. Fix #100	2024-09-03 21:23:29 +03:00
Vadim Vetrov	f96ac2252b	CI devices	2024-09-02 14:29:02 +03:00
Vadim Vetrov	1e6a9496f6	Fix compilationg errors for some kernels	2024-09-02 13:41:25 +03:00
Vadim Vetrov	c0dc5d2652	CI for kernel module	2024-09-02 02:06:35 +03:00
Vadim Vetrov	8bb5368b85	Fix setsockopt (deleted it)	2024-09-02 01:48:23 +03:00
Vadim Vetrov	b249903ead	CI for kmod	2024-09-02 01:29:09 +03:00
Vadim Vetrov	5870df44df	Linearize instead of kmalloc	2024-09-02 00:11:58 +03:00
Vadim Vetrov	b20f15086e	Kernel versions	2024-09-01 23:52:37 +03:00
Vadim Vetrov	5eeff9bc0d	Use netfilter hook instead of iptables target KISS principle is in action. No need to specify rules, just insmod youtubeUnblock and it works!	2024-09-01 20:58:50 +03:00
Vadim Vetrov	5e327497bb	Split raw socket logic from iptables kernel module, add udp over ipv6 support	2024-09-01 19:56:38 +03:00
Vadim Vetrov	731da0dd50	Delete redunant checksum setter	2024-09-01 16:53:11 +03:00
Vadim Vetrov	9c839a5094	IPv6 for kernel module	2024-09-01 16:52:41 +03:00
Vadim Vetrov	27629ba0cc	Kernel module basic ipv4 with debug settings	2024-09-01 16:07:47 +03:00