Initial commit

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2016-2024 bol-van
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

luci-app-zapret/Makefile

@@ -0,0 +1,4 @@
+#
+# Copyright (с) 2024 remittor
+#
+

zapret/Makefile

@@ -0,0 +1,125 @@
+#
+# Copyright (<28>) 2024 remittor
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=zapret
+PKG_VERSION:=1.63
+PKG_RELEASE:=20241008
+
+PKG_MAINTAINER:=bol-van
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=opt/zapret/docs/LICENSE.txt
+
+PKG_SOURCE_URL:=https://github.com/bol-van/zapret.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=2cd6db3ba5ac2fa1494bed1c1903bc3531c76bc5
+PKG_SOURCE_DATE:=2024-10-08
+
+#PKG_SOURCE:=zapret-master.tar.gz
+#PKG_HASH:=skip
+
+#PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
+
+include $(INCLUDE_DIR)/package.mk
+
+#TAR_OPTIONS:=--strip-components 1 $(TAR_OPTIONS)
+#TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS)
+
+MAKE_PATH:=nfq
+
+define Package/$(PKG_NAME)
+	SECTION:=net
+	CATEGORY:=Network
+	TITLE:=$(PKG_NAME)
+	SUBMENU:=Zapret
+	URL:=https://github.com/bol-van/zapret
+	DEPENDS:= +nftables +curl +gzip +coreutils +coreutils-sort +coreutils-sleep
+	DEPENDS+= +kmod-nft-nat +kmod-nft-offload +kmod-nft-queue
+	DEPENDS+= +libnetfilter-queue +libcap +zlib
+	#DEPENDS+= +zapret-nfqws
+	#DEPENDS+= +zapret-ip2set
+	#DEPENDS+= +zapret-mdig
+	#DEPENDS+= +zapret-tpws
+endef
+
+define Build/Prepare
+	$(Build/Prepare/Default)
+	rm -f $(PKG_BUILD_DIR)/$(MAKE_PATH)/nfqws
+endef
+
+define Package/$(PKG_NAME)/conffiles
+/etc/config/zapret
+/opt/zapret/config
+/opt/zapret/youtube.txt
+endef
+
+#define Build/Configure
+#endef
+
+#define Build/Compile
+#endef
+
+define Package/$(PKG_NAME)/install
+	$(INSTALL_DIR) $(1)/opt/zapret
+	$(INSTALL_DIR) $(1)/opt/zapret/$(MAKE_PATH)
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/$(MAKE_PATH)/nfqws $(1)/opt/zapret/$(MAKE_PATH)/	
+	$(INSTALL_DIR) $(1)/opt/zapret/common
+	$(CP) $(PKG_BUILD_DIR)/common/* $(1)/opt/zapret/common/
+	$(INSTALL_DIR) $(1)/opt/zapret/docs
+	$(CP) $(PKG_BUILD_DIR)/docs/* $(1)/opt/zapret/docs/
+	$(INSTALL_DIR) $(1)/opt/zapret/files
+	$(CP) $(PKG_BUILD_DIR)/files/* $(1)/opt/zapret/files/
+	$(INSTALL_DIR) $(1)/opt/zapret/ipset
+	$(CP) $(PKG_BUILD_DIR)/ipset/* $(1)/opt/zapret/ipset/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/blockcheck.sh  $(1)/opt/zapret/blockcheck.sh
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/config.default $(1)/opt/zapret/config.default
+	$(INSTALL_DIR) $(1)/opt/zapret/tmp
+	$(INSTALL_DIR) $(1)/opt/zapret/init.d/openwrt
+	$(CP) $(PKG_BUILD_DIR)/init.d/openwrt/* $(1)/opt/zapret/init.d/openwrt/
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/init.d/openwrt/90-zapret $(1)/etc/hotplug.d/iface/90-zapret
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/init.d/openwrt/zapret $(1)/etc/init.d/zapret
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./zapret.config $(1)/etc/config/zapret
+	$(INSTALL_CONF) ./config        $(1)/opt/zapret/config
+	$(INSTALL_CONF) ./youtube.txt   $(1)/opt/zapret/youtube.txt
+endef
+
+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+# check if we are on real system
+if [ -z "$${IPKG_INSTROOT}" ]; then
+	/etc/init.d/zapret enable
+	/etc/init.d/zapret stop_fw
+	/etc/init.d/zapret stop_daemons
+	/etc/init.d/zapret start
+	[ -x /sbin/fw4 ] && fw4 -q restart || fw3 -q restart
+fi
+exit 0
+endef
+
+define Package/$(PKG_NAME)/prerm
+#!/bin/sh
+# check if we are on real system
+if [ -n "$${IPKG_INSTROOT}" ]; then
+	EXEDIR=/opt/zapret
+	ZAPRET_BASE=/opt/zapret
+	ZAPRET_CONFIG=/opt/zapret/config
+	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
+	. "$ZAPRET_CONFIG"
+	. "$ZAPRET_BASE/common/base.sh"
+	. "$ZAPRET_BASE/common/fwtype.sh"
+	. "$ZAPRET_BASE/common/installer.sh"
+	/etc/init.d/zapret disable
+	/etc/init.d/zapret stop
+	remove_openwrt_firewall
+	nft_del_table
+	restart_openwrt_firewall
+fi
+exit 0
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))

zapret/config

@@ -0,0 +1,144 @@
+# this file is included from init scripts
+# change values here
+
+# can help in case /tmp has not enough space
+#TMPDIR=/opt/zapret/tmp
+
+# override firewall type : iptables,nftables,ipfw
+FWTYPE=nftables
+
+# options for ipsets
+# maximum number of elements in sets. also used for nft sets
+SET_MAXELEM=522288
+
+# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
+# too large hashsize will waste lots of RAM
+IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
+
+# dynamically generate additional ip. $1 = ipset/nfset/table name
+#IPSET_HOOK="/etc/zapret.ipset.hook"
+
+# options for ip2net. "-4" or "-6" auto added by ipset create script
+IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
+IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
+
+# options for auto hostlist
+AUTOHOSTLIST_RETRANS_THRESHOLD=3
+AUTOHOSTLIST_FAIL_THRESHOLD=3
+AUTOHOSTLIST_FAIL_TIME=60
+# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
+AUTOHOSTLIST_DEBUGLOG=0
+
+# number of parallel threads for domain list resolves
+MDIG_THREADS=30
+
+# ipset/*.sh can compress large lists
+GZIP_LISTS=0
+
+# command to reload ip/host lists after update
+# comment or leave empty for auto backend selection : ipset or ipfw if present
+# on BSD systems with PF no auto reloading happens. you must provide your own command
+# set to "-" to disable reload
+#LISTS_RELOAD="pfctl -f /etc/pf.conf"
+
+# override ports
+#HTTP_PORTS=80-81,85
+#HTTPS_PORTS=443,500-501
+#QUIC_PORTS=443,444
+
+# CHOOSE OPERATION MODE
+# MODE : nfqws,tpws,tpws-socks,filter,custom
+# nfqws : nfqws for dpi desync
+# tpws : tpws transparent mode
+# tpws-socks : tpws socks mode
+# filter : no daemon, just create ipset or download hostlist
+# custom : custom mode. should modify custom init script and add your own code
+MODE=nfqws
+
+MODE_HTTP=1
+MODE_HTTP_KEEPALIVE=0
+MODE_HTTPS=1
+MODE_QUIC=1
+
+# none,ipset,hostlist,autohostlist
+MODE_FILTER=autohostlist
+
+# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
+DESYNC_MARK=0x40000000
+DESYNC_MARK_POSTNAT=0x20000000
+
+
+NFQWS_OPT_DESYNC="--hostlist=/opt/zapret/youtube.txt --dpi-desync=fake,disorder2 --dpi-desync-split-pos=1 --dpi-desync-ttl=0 --dpi-desync-fooling=md5sig,badsum --dpi-desync-repeats=6 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
+
+NFQWS_OPT_DESYNC_SUFFIX=""
+
+NFQWS_OPT_DESYNC_HTTP=""
+
+NFQWS_OPT_DESYNC_HTTP_SUFFIX=""
+
+NFQWS_OPT_DESYNC_HTTPS=""
+
+NFQWS_OPT_DESYNC_HTTPS_SUFFIX=""
+
+NFQWS_OPT_DESYNC_HTTP6=""
+
+NFQWS_OPT_DESYNC_HTTP6_SUFFIX=""
+
+NFQWS_OPT_DESYNC_HTTPS6=""
+
+NFQWS_OPT_DESYNC_HTTPS6_SUFFIX=""
+
+NFQWS_OPT_DESYNC_QUIC="--hostlist=/opt/zapret/youtube.txt --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-ttl=0 --dpi-desync-any-protocol --dpi-desync-cutoff=d4 --dpi-desync-fooling=md5sig,badsum --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_google_com.bin"
+
+NFQWS_OPT_DESYNC_QUIC_SUFFIX=""
+
+NFQWS_OPT_DESYNC_QUIC6=""
+
+NFQWS_OPT_DESYNC_QUIC6_SUFFIX=""
+
+
+# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
+# SUFFIX VARS define additional lower priority desync profile. it's required if MODE_FILTER=hostlist and strategy has hostlist-incompatible 0-phase desync methods (mss)
+TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
+#TPWS_OPT_SUFFIX="--mss 88"
+
+# FlowOffload mode : donttouch,none,software,hardware
+FLOWOFFLOAD=none
+
+# openwrt: specify networks to be treated as LAN. default is "lan"
+#OPENWRT_LAN="lan lan2 lan3"
+
+# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
+#OPENWRT_WAN4="wan vpn"
+#OPENWRT_WAN6="wan6 vpn6"
+
+# for routers based on desktop linux and macos. has no effect in openwrt.
+# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
+# or leave them commented if its not router
+# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
+# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
+#IFACE_LAN=eth0
+#IFACE_WAN=eth1
+#IFACE_WAN6="ipsec0 wireguard0 he_net"
+
+# should start/stop command of init scripts apply firewall rules ?
+# not applicable to openwrt with firewall3+iptables
+INIT_APPLY_FW=1
+
+# firewall apply hooks
+#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
+
+# do not work with ipv4
+DISABLE_IPV4=0
+
+# do not work with ipv6
+DISABLE_IPV6=1
+
+# select which init script will be used to get ip or host list
+# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
+# comment if not required
+#GETLIST=get_antizapret_domains.sh
+#GETLIST=get_antifilter_ipsmart.sh

zapret/youtube.txt

@@ -0,0 +1 @@
+googlevideo.com

zapret/zapret.config

@@ -0,0 +1,2 @@
+config zapret
+	option startup '0'