Add luci builder for apk

The key used primarily for OpenWRT apk

.github/workflows/build-ci.yml

@@ -168,6 +168,13 @@ jobs:
       matrix:
         branch:
           - openwrt-23.05
+          - SNAPSHOT
+        include:
+          - branch: SNAPSHOT
+            package_extension: apk
+          - branch: openwrt-23.05
+            package_extension: ipk
+
         arch:
           - aarch64_cortex-a53
           - aarch64_cortex-a72
@@ -195,6 +202,9 @@ jobs:
           - mipsel_74kc
           - mipsel_mips32
           - x86_64
+        exclude:
+          - branch: SNAPSHOT
+            arch: arm_mpcore
     container:
       image: openwrt/sdk:${{ matrix.arch }}-${{ matrix.branch }}
       options: --user root
@@ -210,7 +220,8 @@ jobs:
           RELEASE: ${{ needs.prepare.outputs.release }}
           SHA: ${{ needs.prepare.outputs.sha }}
         run: |
-          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION-$RELEASE-$SHA/" youtubeUnblock/Makefile
+          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION/;s/PKG_RELEASE:=.*$/PKG_RELEASE:=$RELEASE/;" youtubeUnblock/Makefile
+
 
       - name: Initilalize SDK
         id: init_sdk
@@ -222,6 +233,15 @@ jobs:
         run: |
           HOME=/builder ./setup.sh
 
+      - name: Add signing key
+        if: matrix.package_extension == 'apk'
+        id: signing_key
+        env:
+          SIGNING_KEY: ${{ secrets.EC_PRIVATE_KEY }}
+        working-directory: /builder
+        run: |
+          ([ -n "$SIGNING_KEY" ] && echo "$SIGNING_KEY" > private-key.pem) || true
+
       - name: Build packages
         id: build
         env:
@@ -236,21 +256,33 @@ jobs:
           ./scripts/feeds install -a -p youtubeUnblock
           make defconfig
           make package/youtubeUnblock/compile V=s
-          mv $(find ./bin -type f -name 'youtubeUnblock*.ipk') ./youtubeUnblock-$VERSION-$RELEASE-$SHA-${{ matrix.arch }}-${{ matrix.branch }}.ipk
+          mv $(find ./bin -type f -name "youtubeUnblock*.${{ matrix.package_extension }}") ./youtubeUnblock-$VERSION-$RELEASE-$SHA-${{ matrix.arch }}-${{ matrix.branch }}.${{ matrix.package_extension }}
 
       - name: Upload packages
         if: steps.build.outcome == 'success'
         uses: actions/upload-artifact@v4
         with:
           name: youtubeUnblock-${{ matrix.branch }}-${{ matrix.arch }}
-          path: /builder/youtubeUnblock*.ipk
+          path: /builder/youtubeUnblock*.${{ matrix.package_extension }}
           if-no-files-found: error
 
   build-openwrt-luci:
     needs: prepare
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        branch:
+          - openwrt-23.05
+          - SNAPSHOT
+        arch:
+          - x86_64
+        include:
+          - branch: SNAPSHOT
+            package_extension: apk
+          - branch: openwrt-23.05
+            package_extension: ipk
     container:
-      image: openwrt/sdk:x86_64-openwrt-23.05
+      image: openwrt/sdk:${{ matrix.arch }}-${{ matrix.branch }}
       options: --user root
     steps:
       - name: Checkout
@@ -258,14 +290,6 @@ jobs:
         with:
           ref: 'openwrt'
 
-      - name: Prepare build
-        env:
-          VERSION: ${{ needs.prepare.outputs.version }}
-          RELEASE: ${{ needs.prepare.outputs.release }}
-          SHA: ${{ needs.prepare.outputs.sha }}
-        run: |
-          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION-$RELEASE-$SHA/" youtubeUnblock/Makefile
-
       - name: Initilalize SDK
         id: init_sdk
         env:
@@ -276,6 +300,15 @@ jobs:
         run: |
           HOME=/builder ./setup.sh
 
+      - name: Add signing key
+        if: matrix.package_extension == 'apk'
+        id: signing_key
+        env:
+          SIGNING_KEY: ${{ secrets.EC_PRIVATE_KEY }}
+        working-directory: /builder
+        run: |
+          ([ -n "$SIGNING_KEY" ] && echo "$SIGNING_KEY" > private-key.pem) || true
+
       - name: Build packages
         id: build
         env:
@@ -290,14 +323,14 @@ jobs:
           ./scripts/feeds install -a -p youtubeUnblock
           make defconfig
           make package/luci-app-youtubeUnblock/compile V=s
-          mv $(find ./bin -type f -name 'luci-app-youtubeUnblock*.ipk') ./luci-app-youtubeUnblock-$VERSION-$RELEASE-$SHA.ipk
+          mv $(find ./bin -type f -name 'luci-app-youtubeUnblock*.${{ matrix.package_extension }}') ./luci-app-youtubeUnblock-$VERSION-$RELEASE-$SHA.${{ matrix.package_extension }}
 
       - name: Upload packages
         if: steps.build.outcome == 'success'
         uses: actions/upload-artifact@v4
         with:
-          name: luci-app-youtubeUnblock
+          name: luci-app-youtubeUnblock-${{ matrix.branch }}
-          path: /builder/luci-app-youtubeUnblock*.ipk
+          path: /builder/luci-app-youtubeUnblock*.${{ matrix.package_extension }}
           if-no-files-found: error
 
   build-entware:
@@ -328,7 +361,7 @@ jobs:
           RELEASE: ${{ needs.prepare.outputs.release }}
           SHA: ${{ needs.prepare.outputs.sha }}
         run: |
-          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION-$RELEASE-$SHA/" youtubeUnblockEntware/Makefile
+          sed -i "s/PKG_REV:=.*$/PKG_REV:=$SHA/;s/PKG_VERSION:=.*$/PKG_VERSION:=$VERSION/;s/PKG_RELEASE:=.*$/PKG_RELEASE:=$RELEASE/;" youtubeUnblockEntware/Makefile
 
       - name: Build packages
         id: build
@@ -375,5 +408,7 @@ jobs:
           title: 'Development build'
           files: |
             ./**/youtubeUnblock*.ipk
+            ./**/youtubeUnblock*.apk
             ./**/youtubeUnblock*.tar.gz
             ./**/luci-app-youtubeUnblock*.ipk
+            ./**/luci-app-youtubeUnblock*.apk

Makefile

@@ -1,8 +1,8 @@
 USPACE_TARGETS := default all install uninstall dev run_dev
 KMAKE_TARGETS := kmake kload kunload kreload xmod xtclean
 
-PKG_VERSION := 1.0.0
+PKG_VERSION := 1.1.1
-PKG_RELEASE := 10
+PKG_RELEASE := 1
 
 PKG_FULLVERSION := $(PKG_VERSION)-$(PKG_RELEASE)
 

README.md

@@ -9,7 +9,7 @@
     - [IPv6](#ipv6)
   - [Check it](#check-it)
   - [Flags](#flags)
-  - [UDP/QUIC/Voice Chats](#udpquicvoice-chats)
+  - [UDP/QUIC](#udpquic)
   - [Troubleshooting](#troubleshooting)
     - [TV](#tv)
     - [Troubleshooting EPERMS (Operation not permitted)](#troubleshooting-eperms-operation-not-permitted)
@@ -29,10 +29,22 @@
 
 # youtubeUnblock
 
-Bypasses Deep Packet Inspection (DPI) systems that relies on SNI. The package is for Linux only. It is also fully compatible with routers running [OpenWRT](https://github.com/openwrt). 
+Bypasses YouTube detection systems that rely on SNI. 
 
 The program was primarily developed to bypass YouTube Outage in Russia.
 
+The program should be used **only for the YouTube platform**. It is legal since access to YouTube **is not officially restricted in Russia**. You **MUST NOT** use the program for any other purpose. I respect all Russian laws and do not wish to break any.
+
+Starting with a YouTube speedup for my laptop, this project grew into a standalone tool that unblocks YouTube on a wide variety of devices. This project has fulfilled my dream of creating a massive, highly reliable, open-source GitHub project that helps people. I value all your feedback, and that is the reason I continue to maintain it. I learned many things while developing it, such as aspects of the Linux kernel networking stack. It is truly rewarding to explore new technologies while developing a project for people. This experience is incomparable to that of working on a mere pet project.
+
+**So, please use it only for YouTube and only in accordance with the laws of your country.**
+
+If you have any questions, suggestions, or problems, feel free to open an [issue](https://github.com/Waujito/youtubeUnblock/issues).
+
+You are also welcome to contact me directly using the links provided in my GitHub profile description; however, please contact me only if you have a special offer. For help with the program, it is preferable to make our conversation public by posting on [GitHub Discussions](https://github.com/Waujito/youtubeUnblock/discussions).
+
+The program is distributed under the GNU GPL v3 open-source license.
+
 ```
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -44,6 +56,8 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 ```
 
+The program is for Linux only. It is also fully compatible with routers running [OpenWRT](https://github.com/openwrt). 
+
 The program is distributed in two version:
 - A userspace application works on top of nfnetlink queue which requires nfnetlink modules in the kernel and firewall rules. This approach is default and normally should be used but it has some limitations on embedded devices which may have no nfnetlink support. Also this solution may break down the internet speed and CPU load on your device because of jumps between userspace and kernelspace for each packet (this behavior may be fixed with connbytes but it also requires conntrack kernel module).
 - A kernel module which integrates deeply within the netfilter stack and does not interact with the userspace firewall. The module requires only netfilter kernel support but it definetly present on every device connected to the Internet. The only difficulity is how to build it. I cannot provide modules within Github Actions for each single one kernel, even if we talk only about OpenWRT versions. If you want to learn more about the module, jump on [its section in the README](#kernel-module). Whats the benefits of the kernel module? The benefits come for some specific cases: the kernel module is the fastest thing that allows us to process every single packet sent to the linux network stack, while the normal youtubeUnblock requires connbytes to keep the internet speed. Speaking about connbytes, it also requires conntrack to operate, which may be a limitation on some transit-traffic machines. Also userspace youtubeUnblock requires modules for netlink queue, userspace firewall application and modules for it. The kernel module is much simpler and requires only the linux kernel with netfilter built in.
@@ -52,15 +66,13 @@ The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS)
 
 On both OpenWRT and Entware install the program with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o <destdir>`.
 
-For Windows use [GoodbyeDPI by ValdikSS](https://github.com/ValdikSS/GoodbyeDPI) (you can find how to use it for YouTube [here](https://github.com/ValdikSS/GoodbyeDPI/issues/378)) The same behavior is also implemented in [zapret package for linux](https://github.com/bol-van/zapret).
-
 ## Configuration
 
 ### OpenWRT pre configuration
 
 When you got the release package, you should install it. Go to your router interface, to *System->Software*, do *Update lists* and install youtubeUnblock via *install_package* button. Then, you should go to *System-Startup* menu and reload the firewall (You may also do it within *Services->youtubeUnblock* menu). 
 
-Since OpenWRT **main** branch switched to apk instead of opkg, but this is not released yet, here is not deploys for apk in **Releases**. But **apk is supported** in PR #196.
+Since OpenWRT **main** branch switched to apk instead of opkg, but this is not released yet, here is not deploys for apk in **Releases**. But **apk is supported** in PR #196. Note, that if you are on **24.10** you will get **UNTRUSTED SIGNATURE** error. Put youtubeUnblock.pem to `/etc/apk/keys/` or install youtubeUnblock with `--allow-untrusted` flag `apk add youtubeUnblock*.apk --allow-untrusted`.
 
 To make it work you should register an iptables rule and install required kernel modules. The list of modules depends on the version of OpenWRT and which firewall do you use (iptables or nftables). For most modern versions of OpenWRT (v23.x, v22.x) you should use nftables rules, for older ones it depends, but typically iptables.
 
@@ -281,19 +293,21 @@ Flags that do not scoped to a specific section, used over all the youtubeUnblock
 
 - `--udp-fake-len=<size of udp fake>` Size of udp fake payload (typically payload is zeroes). Defaults to 64.
 
-- `--udp-dport-filter=<5,6,200-500>` Filter the UDP destination ports. Defaults to no ports. Specifie the ports you want to be handled by youtubeUnblock.
+- `--udp-dport-filter=<5,6,200-500>` Filter the UDP destination ports. Defaults to no ports. Specifie the ports you want to be handled by youtubeUnblock. Please note, it may conflict with `--quic-drop` since `--quic-drop` setts `--udp-mode` to drop globally. So, make sure to handle it in a different config section.
+
+- `--udp-stun-filter` Filter all the UDP STUN request packets. Very useful for voice chats. Please note, it may conflict with `--quic-drop` since `--quic-drop` setts `--udp-mode` to drop globally. So, make sure to handle it in a different config section.
 
 - `--udp-faking-strategy={checksum|ttl|none}` Faking strategy for udp. `checksum` will fake UDP checksum, `ttl` won't fake but will make UDP content relatively small, `none` is no faking. Defaults to none.
 
 - `--udp-filter-quic={disabled|all|parse}` Enables QUIC filtering for UDP handler. If disabled, quic won't be processed, if all, all quic initial packets will be handled. `parse` will decrypt and parse QUIC initial message and match it with `--sni-domains`. Defaults to disabled.
 
-- `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Just an alias for `--udp-filter-quic=all --udp-mode=drop`.
+- `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Just an alias for `--udp-filter-quic=all --udp-mode=drop`. Please note, because of `--udp-mode=drop` it may conflict with other filter options. Make sure to use multiple sections.
 
 - `--no-dport-filter` By default, youtubeUnblock will filter for TLS and QUIC 443. If you want to disable it, pass this flag. (this does not affect `--udp-dport-filter`)
 
-## UDP/QUIC/Voice Chats
+## UDP/QUIC
 
-UDP is another communication protocol. Well-known technologies that use it are DNS, QUIC, voice chats. UDP does not provide reliable connection and its header is much simpler than TCP thus fragmentation is limited. The support provided primarily by faking. 
+UDP is another communication protocol. Well-known technologies that use it are DNS, QUIC. UDP does not provide reliable connection and its header is much simpler than TCP thus fragmentation is limited. The support provided primarily by faking. 
 
 **For UDP faking in kernel module** Make sure to decrease `--connbytes-limit` up to 5. This will allow not to process additional packets and prevent network flood.
 
@@ -303,7 +317,7 @@ QUIC is enabled with `--udp-filter-quic` flag. The flag supports two modes: `all
 
 **I recommend to use** `--udp-mode=drop --udp-filter-quic=parse`.
 
-For **other UDP protocols** I recommend to configure UDP support in the separate section from TCP, like `--fbegin --udp-dport-filter=50000-50099 --tls=disabled`. See more in flags related to udp and [tickets tagged with udp label](https://github.com/Waujito/youtubeUnblock/issues?q=label%3Audp+). 
+For **other UDP protocols** I recommend to configure UDP support in the separate section from TCP, like `--fbegin --udp-dport-filter=50000-50099 --tls=disabled`. **You should not pass `--quic-drop` here unless you are sure what you are doing**
 
 ## Troubleshooting
 
@@ -346,7 +360,7 @@ Where you have to replace 192.168.. with ip of your television.
 
 *EPERM* may occur in a lot of places but generally here are two: *mnl_cb_run* and when sending the packet via *rawsocket* (raw_frags_send and send fake sni).
 
-- **mnl_cb_run** *Operation not permitted* indicates that another instance of youtubeUnblock is running on the specified queue-num.
+- **mnl_cb_run** *Operation not permitted* indicates a problem in establishing a netfilter queue. This may occur due to various reasons, but the two most common are: issues with the nfqueue kernel modules and another instance of youtubeUnblock running with the same queue number. For the first issue, check that the kernel modules are installed and running. On OpenWRT, you might have forgotten to install the necessary dependencies [#openwrt-pre-configuration](#openwrt-pre-configuration). For the second issue, check for running youtubeUnblock instances by using the command `ps -e | grep youtubeUnblock`. If you find any, you can terminate them all with the command `killall youtubeUnblock`.
 
 - **rawsocket** *Operation not permitted* indicates that the packet is being dropped by nefilter rules. In fact this is a hint from the kernel that something wrong is going on and we should check the firewall rules. Before dive into the problem let's make it clean how the mangled packets are being sent. Nefilter queue provides us with the ability to mangle the packet on fly but that is not suitable for this program because we need to split the packet to at least two independent packets. So we are using [linux raw sockets](https://man7.org/linux/man-pages/man7/raw.7.html) which allows us to send any ipv4 packet. **The packet goes from the OUTPUT chain even when NFQUEUE is set up on FORWARD (suitable for OpenWRT).** So we need to escape packet rejects here.
     * raw_frags_send EPERM: just make sure outgoing traffic is allowed (RELATED,ESTABLISHED should work, if not, go to step 3)
@@ -462,6 +476,12 @@ make kmake KERNEL_BUILDER_MAKEDIR=~/linux
 ```
 Note, that the kernel should be already configured and built. See linux kernel building manuals for more information about your specific case.
 
+**If you got a very large module, you can strip it and significiantly decrese the size:**
+
+```sh
+strip --strip-debug kyoutubeUnblock.ko
+```
+
 #### Building with openwrt SDK
 
 Building with openwrt SDK is not such a hard thing. The only thing you should do is to obtain the sdk. You can find it by looking to your architecture and version of the openwrt currently used. You should use the exactly your version of openwrt since kernels there change often. You can find the sdk in two ways: by downloading it from their site or by using the openwrt sdk docker container (recommended).
@@ -487,8 +507,3 @@ When the commands finish, the module is ready. Find it with `find bin -name "kmo
 
 ## Padavan
 YoutubeUnblock may also run on Padavan. [Check the manual here\[rus\]](Padavan.md)
-
-
- >If you have any questions/suggestions/problems feel free to open an [issue](https://github.com/Waujito/youtubeUnblock/issues).
-
-

src/args.c

@@ -333,6 +333,7 @@ enum {
 	OPT_UDP_FAKE_PAYLOAD_LEN,
 	OPT_UDP_FAKING_STRATEGY,
 	OPT_UDP_DPORT_FILTER,
+	OPT_UDP_STUN_FILTER,
 	OPT_UDP_FILTER_QUIC,
 	OPT_TLS_ENABLED,
 	OPT_CLS,
@@ -373,6 +374,7 @@ static struct option long_opt[] = {
 	{"udp-fake-len",	1, 0, OPT_UDP_FAKE_PAYLOAD_LEN},
 	{"udp-faking-strategy",	1, 0, OPT_UDP_FAKING_STRATEGY},
 	{"udp-dport-filter",	1, 0, OPT_UDP_DPORT_FILTER},
+	{"udp-stun-filter",	0, 0, OPT_UDP_STUN_FILTER},
 	{"udp-filter-quic",	1, 0, OPT_UDP_FILTER_QUIC},
 	{"no-dport-filter",	0, 0, OPT_NO_DPORT_FILTER},
 	{"threads",		1, 0, OPT_THREADS},
@@ -440,6 +442,7 @@ void print_usage(const char *argv0) {
 	printf("\t--udp-fake-len=<size of upd fake>\n");
 	printf("\t--udp-faking-strategy={checksum|ttl|none}\n");
 	printf("\t--udp-dport-filter=<5,6,200-500>\n");
+	printf("\t--udp-stun-filter\n");
 	printf("\t--udp-filter-quic={disabled|all|parse}\n");
 	printf("\t--no-dport-filter\n");
 	printf("\t--threads=<threads number>\n");
@@ -927,6 +930,9 @@ int yparse_args(struct config_t *config, int argc, char *argv[]) {
 			}
 			break;
 		}
+		case OPT_UDP_STUN_FILTER:
+			sect_config->udp_stun_filter = 1;
+			break;
 		case OPT_UDP_FILTER_QUIC:
 			if (strcmp(optarg, "disabled") == 0) {
 				sect_config->udp_filter_quic = UDP_FILTER_QUIC_DISABLED;
@@ -1051,6 +1057,8 @@ static size_t print_config_section(const struct section_config_t *section, char
 			}	
 
 			print_cnf_buf("--seg2delay=%d", section->seg2_delay);
+		} else {
+			print_cnf_buf("--fake-sni=0");
 		}
 	} else {
 		print_cnf_buf("--tls=disabled");
@@ -1099,6 +1107,10 @@ static size_t print_config_section(const struct section_config_t *section, char
 		break;
 	}
 
+	if (section->udp_stun_filter) {
+		print_cnf_buf("--udp-stun-filter");
+	}
+
 	if (section->udp_dport_range_len != 0) {
 
 		print_cnf_raw("--udp-dport-filter=");

src/config.h

@@ -107,6 +107,7 @@ struct section_config_t {
 
 	struct udp_dport_range *udp_dport_range;
 	int udp_dport_range_len;
+	int udp_stun_filter;
 	int udp_filter_quic;
 };
 
@@ -240,7 +241,7 @@ enum {
 	.fragmentation_strategy = FRAGMENTATION_STRATEGY,       \
 	.faking_strategy = FAKING_STRATEGY,                     \
 	.faking_ttl = FAKE_TTL,                                 \
-	.fake_sni = 1,                                          \
+	.fake_sni = 0,                                          \
 	.fake_sni_seq_len = 1,                                  \
 	.fake_sni_type = FAKE_PAYLOAD_DEFAULT,                  \
 	.fake_custom_pkt = NULL,				\

src/kytunblock.c

@@ -483,8 +483,8 @@ static NF_CALLBACK(ykb_nf_hook, skb) {
 	uint8_t *data_buf = NULL;
 	int nf_verdict = NF_ACCEPT;
 
+	kref_get(&cur_config->refcount);
 	struct config_t *config = cur_config;
-	kref_get(&config->refcount);
 
 	++global_stats.all_packet_counter;
 

src/mangle.c

@@ -345,6 +345,15 @@ int process_tcp_packet(const struct section_config_t *section, const uint8_t *ra
 			ipd_offset = target_sni_offset;
 			mid_offset = ipd_offset + vrd.target_sni_len / 2;
 
+			// hardcode googlevideo.com split
+			// googlevideo domains are very long, so
+			// it is possible for the entire domain to not be
+			// splitted (split goes for subdomain)
+			if (vrd.target_sni_len > 30) {
+				mid_offset = ipd_offset + 
+					vrd.target_sni_len - 12;
+			}
+
 			size_t poses[2];
 			int cnt = 0;
 

src/quic.c

@@ -426,6 +426,48 @@ out:
 	return 0;
 }
 
+int is_stun_message(const uint8_t *data, size_t dlen) {
+	size_t left_len = dlen;
+	const uint8_t *data_ptr = data;
+	uint16_t message_type;
+	uint16_t message_length;
+
+	if (left_len < 2 + 2 + 4 + 12) {
+		return 0;
+	}
+
+	message_type = *(uint16_t *)data_ptr;
+	data_ptr += 2;
+	left_len -= 2;
+
+	message_length = *(uint16_t *)data_ptr;
+	data_ptr += 2;
+	left_len -= 2;
+
+	data_ptr += 4;
+	left_len -= 4;
+	data_ptr += 12;
+	left_len -= 12;
+
+	message_type = ntohs(message_type);
+	message_length = ntohs(message_length);
+
+	if (left_len != message_length) {
+		return 0;
+	}
+
+	if ((message_type & (1 << 15)) || (message_type & (1 << 14))) {
+		return 0;
+	}
+
+	// Filter request only
+	if ((message_type & (1 << 4)) || (message_type & (1 << 8))) {
+		return 0;
+	}
+
+	return 1;
+}
+
 int detect_udp_filtered(const struct section_config_t *section,
 			const uint8_t *payload, size_t plen) {
 	const void *iph;
@@ -544,6 +586,11 @@ match_port:
 		}
 	}
 
+	if (section->udp_stun_filter && is_stun_message(data, dlen)) {
+		lgtrace_addp("STUN protocol detected");
+		goto approve;
+	}
+
 skip:
 	return 0;
 approve:

uspace.mk

@@ -109,7 +109,10 @@ $(BUILD_DIR)/test/%.o: test/%.c $(REQ) $(INCLUDE_DIR)/config.h
 	@echo 'CC $@'
 	$(CC) -c $(CFLAGS) $(LDFLAGS) $(TEST_CFLAGS) $< -o $@
 
-install: all
+install:
+ifeq (,$(wildcard $(APP)))
+	$(error Make the binary first)
+endif
 	install -d $(DESTDIR)$(PREFIX)/bin/
 	install -m 755 $(APP) $(DESTDIR)$(PREFIX)/bin/
 	install -d $(DESTDIR)$(PREFIX)/lib/systemd/system/

youtubeUnblock.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoeHyI7xqf2Y5weRscJxUy/BRoKqT
+2dE9xFsZ2HKBTd2UMMkOwca+/BDXRZlxWGvcVNhDyLY9VGnZniF2JaH+Fw==
+-----END PUBLIC KEY-----