config: luci: Adapt settings for Zapret v66 (new config format)

remittor
2024-10-26 17:34:48 +03:00
parent c67ce19626
commit f17b00c107
5 changed files with 162 additions and 172 deletions


@@ -64,10 +64,10 @@ return view.extend({
//o.value('iptables', 'iptables');
//o.value('ipfw', 'ipfw');
o = s.taboption(tabname, form.ListValue, 'MODE', _('MODE'));
o.value('nfqws', 'nfqws');
//o.value('tpws', 'tpws');
o = s.taboption(tabname, form.Flag, 'POSTNAT', _('POSTNAT'));
o.rmempty = false;
o.default = 1;
o = s.taboption(tabname, form.ListValue, 'FLOWOFFLOAD', _('FLOWOFFLOAD'));
o.value('donttouch', 'donttouch');
o.value('none', 'none');
@@ -92,44 +92,6 @@ return view.extend({
o.value('hostlist', 'hostlist');
o.value('autohostlist', 'autohostlist');
o = s.taboption(tabname, form.Flag, 'MODE_HTTP', _('MODE_HTTP'));
o.rmempty = false;
o.default = 0;
o = s.taboption(tabname, form.Flag, 'MODE_HTTP_KEEPALIVE', _('MODE_HTTP_KEEPALIVE'));
o.rmempty = false;
o.default = 0;
o = s.taboption(tabname, form.Value, 'HTTP_PORTS', _('HTTP_PORTS'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Flag, 'MODE_HTTPS', _('MODE_HTTPS'));
o.rmempty = false;
o.default = 0;
o = s.taboption(tabname, form.Value, 'HTTPS_PORTS', _('HTTPS_PORTS'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Flag, 'MODE_QUIC', _('MODE_QUIC'));
o.rmempty = false;
o.default = 0;
o = s.taboption(tabname, form.Value, 'QUIC_PORTS', _('QUIC_PORTS'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'DESYNC_MARK', _('DESYNC_MARK'));
//o.description = _("nfqws option for DPI desync attack");
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'DESYNC_MARK_POSTNAT', _('DESYNC_MARK_POSTNAT'));
//o.description = _("nfqws option for DPI desync attack");
o.rmempty = false;
o.datatype = 'string';
/* NFQWS_OPT_DESYNC tab */
tabname = 'nfqws_params';
@@ -173,34 +135,54 @@ return view.extend({
btn.onclick = () => new tools.longstrEditDialog('config', param, param, locname, rows, multiline).show();
};
o = s.taboption(tabname, form.Flag, 'NFQWS_ENABLE', _('NFQWS_ENABLE'));
o.rmempty = false;
o.default = 1;
o = s.taboption(tabname, form.Value, 'DESYNC_MARK', _('DESYNC_MARK'));
//o.description = _("nfqws option for DPI desync attack");
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'DESYNC_MARK_POSTNAT', _('DESYNC_MARK_POSTNAT'));
//o.description = _("nfqws option for DPI desync attack");
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_PORTS_TCP', _('NFQWS_PORTS_TCP'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_PORTS_UDP', _('NFQWS_PORTS_UDP'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_TCP_PKT_OUT', _('NFQWS_TCP_PKT_OUT'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_TCP_PKT_IN', _('NFQWS_TCP_PKT_IN'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_UDP_PKT_OUT', _('NFQWS_UDP_PKT_OUT'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_UDP_PKT_IN', _('NFQWS_UDP_PKT_IN'));
o.rmempty = false;
o.datatype = 'string';
o = s.taboption(tabname, form.Value, 'NFQWS_PORTS_TCP_KEEPALIVE', _('NFQWS_PORTS_TCP_KEEPALIVE'));
o.rmempty = false;
o.datatype = 'uinteger';
o = s.taboption(tabname, form.Value, 'NFQWS_PORTS_UDP_KEEPALIVE', _('NFQWS_PORTS_UDP_KEEPALIVE'));
o.rmempty = false;
o.datatype = 'uinteger';
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_SUFFIX');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTP');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTP_SUFFIX');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTPS');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTPS_SUFFIX');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTP6');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTP6_SUFFIX');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTPS6');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_HTTPS6_SUFFIX');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_QUIC');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_QUIC_SUFFIX');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_QUIC6');
add_delim(s);
add_param(s, 'NFQWS_OPT_DESYNC_QUIC6_SUFFIX');
add_param(s, 'NFQWS_OPT', null, 18, 2);
/* AutoHostList settings */
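Review bot: `NFQWS_PORTS_TCP_KEEPALIVE` and `NFQWS_PORTS_UDP_KEEPALIVE` are given `datatype = 'uinteger'` while every other `NFQWS_PORTS_*` option in this hunk is `'string'`; the `PORTS` name and the comment above them in config.default ("redirect outgoing traffic without connbytes limiter ...") suggest they are port lists like `NFQWS_PORTS_TCP`, in which case the form would reject a value such as `80,443` — confirm against the init script and, if they are lists, use `o.datatype = 'string';` here too. None of the port fields checks that the saved text is actually a port list before it is synced into /opt/zapret/config, which the init scripts appear to consume as shell; an `o.validate` on the four `NFQWS_PORTS_*` fields accepting only digits, commas and dashes would reject bad input at the cheapest point. The `view.extend({...})` literal these lines belong to begins and ends outside the hunk.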


@@ -119,6 +119,18 @@ define Package/$(PKG_NAME)/postinst
if [ -z "$${IPKG_INSTROOT}" ]; then
ZAPRET_CONFIG=/opt/zapret/config
ZAPRET_CONFIG_DEF="/opt/zapret/config.default"
# creating main config if its not exists
if [ ! -f "$${ZAPRET_CONFIG}" ]; then
cp -f "$${ZAPRET_CONFIG_DEF}" "$${ZAPRET_CONFIG}"
fi
# check obsolete format for main config
if grep -qE "^NFQWS_OPT_DESYNC=|^MODE_HTTP=|^MODE_HTTPS=|^MODE_QUIC=|^MODE=" "$${ZAPRET_CONFIG}" ; then
echo "Detect obsolute format for main config!"
ZAPRET_CONFIG_BACKUP="$${ZAPRET_CONFIG}.backup"
cp -f "$${ZAPRET_CONFIG}" "$${ZAPRET_CONFIG_BACKUP}"
echo "Current file $${ZAPRET_CONFIG} backuped to $${ZAPRET_CONFIG_BACKUP}"
cp -f "$${ZAPRET_CONFIG_DEF}" "$${ZAPRET_CONFIG}"
fi
# check existing uci-config
[ -f "/etc/config/zapret" ] && ZAPRET_CFG_EXISTS=1 || ZAPRET_CFG_EXISTS=0
# create or merge uci-config
@@ -126,11 +138,8 @@ if [ -z "$${IPKG_INSTROOT}" ]; then
[ "$${ZAPRET_CFG_EXISTS}" = "1" ] && echo "Config /etc/config/zapret merged with default uci-config"
# remove uci-default script from system dir (used into /etc/init.d/boot)
rm -f /etc/uci-defaults/zapret-uci-def-cfg.sh
# creating main config if its not exists
if [ ! -f "$${ZAPRET_CONFIG}" ]; then
cp -f "$${ZAPRET_CONFIG_DEF}" "$${ZAPRET_CONFIG}"
/opt/zapret/sync_config.sh
fi
# copy (sync) all params from uci-config to main config
/opt/zapret/sync_config.sh
# enable main service
/etc/init.d/zapret enable
# stop all
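Review bot: The obsolete-format test treats any `^MODE=` line as the old format, yet `sync_param MODE` is still present in the sync_config.sh hunk and `set $cfgname.config.MODE='nfqws'` in the uci-defaults hunk; if those lines are on the new side and sync_config.sh writes `MODE=` back into /opt/zapret/config, every later upgrade will report an obsolete config and replace the file with config.default (uci-managed values are re-synced afterwards, but anything edited directly in the file is lost) — either drop `^MODE=` from the pattern or stop syncing MODE. The backup name is fixed, so a second trigger overwrites the previous backup; a suffix such as `$$(date +%s)` would keep each copy. The two user-facing messages also have typos: `echo "Detected obsolete format for main config!"` and `echo "Current file $${ZAPRET_CONFIG} backed up to $${ZAPRET_CONFIG_BACKUP}"`. The postinst recipe continues outside the hunk.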


@@ -7,6 +7,10 @@
# override firewall type : iptables,nftables,ipfw
FWTYPE=nftables
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
POSTNAT=1
# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
@@ -41,66 +45,53 @@ GZIP_LISTS=0
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
# override ports
HTTP_PORTS=80
HTTPS_PORTS=443
QUIC_PORTS=443
# CHOOSE OPERATION MODE
# MODE : nfqws,tpws,tpws-socks,filter,custom
# nfqws : nfqws for dpi desync
# tpws : tpws transparent mode
# tpws-socks : tpws socks mode
# filter : no daemon, just create ipset or download hostlist
# custom : custom mode. should modify custom init script and add your own code
MODE=nfqws
MODE_HTTP=1
MODE_HTTP_KEEPALIVE=0
MODE_HTTPS=1
MODE_QUIC=1
# none,ipset,hostlist,autohostlist
MODE_FILTER=hostlist
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
# mark bit used by nfqws to prevent loop
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000
NFQWS_OPT_DESYNC="--dpi-desync=fake,split2 --dpi-desync-ttl=7 --dpi-desync-ttl6=0 --dpi-desync-repeats=20 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
TPPORT_SOCKS=987
# use <HOSTLIST> placeholders to engage standard hostlists and autohostlist in ipset dir
# they are replaced to empty string if MODE_FILTER does not satisfy
TPWS_SOCKS_OPT="--filter-tcp=80 --methodeol <HOSTLIST> --new --filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>"
NFQWS_OPT_DESYNC_SUFFIX=""
NFQWS_OPT_DESYNC_HTTP=""
NFQWS_OPT_DESYNC_HTTP_SUFFIX=""
NFQWS_OPT_DESYNC_HTTPS=""
NFQWS_OPT_DESYNC_HTTPS_SUFFIX=""
NFQWS_OPT_DESYNC_HTTP6=""
NFQWS_OPT_DESYNC_HTTP6_SUFFIX=""
NFQWS_OPT_DESYNC_HTTPS6=""
NFQWS_OPT_DESYNC_HTTPS6_SUFFIX=""
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake,split2 --dpi-desync-repeats=15 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new --dpi-desync=fake --dpi-desync-repeats=15"
NFQWS_OPT_DESYNC_QUIC_SUFFIX=""
NFQWS_OPT_DESYNC_QUIC6=""
NFQWS_OPT_DESYNC_QUIC6_SUFFIX=""
TPWS_ENABLE=0
TPWS_PORTS="80,443"
# use <HOSTLIST> placeholders to engage standard hostlists and autohostlist in ipset dir
# they are replaced to empty string if MODE_FILTER does not satisfy
TPWS_OPT="--filter-tcp=80 --methodeol <HOSTLIST> --new --filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>"
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
# SUFFIX VARS define additional lower priority desync profile. it's required if MODE_FILTER=hostlist and strategy has hostlist-incompatible 0-phase desync methods (mss)
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
#TPWS_OPT_SUFFIX="--mss 88"
NFQWS_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS_PORTS_TCP="80,443"
NFQWS_PORTS_UDP="443"
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
NFQWS_TCP_PKT_OUT="9"
NFQWS_TCP_PKT_IN="3"
NFQWS_UDP_PKT_OUT="9"
NFQWS_UDP_PKT_IN="0"
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
NFQWS_PORTS_TCP_KEEPALIVE=0
NFQWS_PORTS_UDP_KEEPALIVE=0
# use <HOSTLIST> placeholders to engage standard hostlists and autohostlist in ipset dir
# they are replaced to empty string if MODE_FILTER does not satisfy
NFQWS_OPT="--filter-tcp=80 <HOSTLIST> --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 <HOSTLIST> --dpi-desync=fake,split2 --dpi-desync-repeats=11 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --new --filter-udp=443 <HOSTLIST> --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --new --filter-udp=443 <HOSTLIST> --dpi-desync=fake --dpi-desync-repeats=11 --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig"
# FlowOffload mode : donttouch,none,software,hardware
FLOWOFFLOAD=none
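Review bot: The new `NFQWS_OPT` default contains two consecutive profiles with the identical filter `--filter-udp=443 <HOSTLIST>`; as far as I know nfqws uses the first profile whose filter matches, so the second one (`--dpi-desync=fake --dpi-desync-repeats=11` with no fake payload) can never be selected and looks like a leftover. The first of them passes `--dpi-desync-fake-tls=...` where the removed `NFQWS_OPT_DESYNC_QUIC` default used `--dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin`, which may be a copy/paste slip — please confirm which was intended. The same string is repeated verbatim in the `set_default_values` uci-defaults hunk, so both copies need the same correction; generating one from the other would keep them from drifting.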


@@ -80,37 +80,28 @@ if [ ! -f "$ZAPRET_CONFIG" ]; then
fi
fi
sync_param MODE
sync_param FWTYPE
sync_param POSTNAT
sync_param FLOWOFFLOAD
sync_param INIT_APPLY_FW
sync_param DISABLE_IPV4
sync_param DISABLE_IPV6
sync_param MODE_FILTER
sync_param DESYNC_MARK
sync_param DESYNC_MARK_POSTNAT
sync_param NFQWS_OPT_DESYNC str
sync_param NFQWS_OPT_DESYNC_SUFFIX str
sync_param MODE_HTTP
sync_param MODE_HTTP_KEEPALIVE
sync_param HTTP_PORTS
sync_param NFQWS_OPT_DESYNC_HTTP str
sync_param NFQWS_OPT_DESYNC_HTTP_SUFFIX str
sync_param NFQWS_OPT_DESYNC_HTTP6 str
sync_param NFQWS_OPT_DESYNC_HTTP6_SUFFIX str
sync_param MODE_HTTPS
sync_param HTTPS_PORTS
sync_param NFQWS_OPT_DESYNC_HTTPS str
sync_param NFQWS_OPT_DESYNC_HTTPS_SUFFIX str
sync_param NFQWS_OPT_DESYNC_HTTPS6 str
sync_param NFQWS_OPT_DESYNC_HTTPS6_SUFFIX str
sync_param MODE_QUIC
sync_param QUIC_PORTS
sync_param NFQWS_OPT_DESYNC_QUIC str
sync_param NFQWS_OPT_DESYNC_QUIC_SUFFIX str
sync_param NFQWS_OPT_DESYNC_QUIC6 str
sync_param NFQWS_OPT_DESYNC_QUIC6_SUFFIX str
sync_param AUTOHOSTLIST_RETRANS_THRESHOLD
sync_param AUTOHOSTLIST_FAIL_THRESHOLD
sync_param AUTOHOSTLIST_FAIL_TIME
sync_param AUTOHOSTLIST_DEBUGLOG
sync_param NFQWS_ENABLE
sync_param DESYNC_MARK
sync_param DESYNC_MARK_POSTNAT
sync_param NFQWS_PORTS_TCP str
sync_param NFQWS_PORTS_UDP str
sync_param NFQWS_TCP_PKT_OUT str
sync_param NFQWS_TCP_PKT_IN str
sync_param NFQWS_UDP_PKT_OUT str
sync_param NFQWS_UDP_PKT_IN str
sync_param NFQWS_PORTS_TCP_KEEPALIVE
sync_param NFQWS_PORTS_UDP_KEEPALIVE
sync_param NFQWS_OPT str
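Review bot: `sync_param NFQWS_OPT str` now copies a free-form, web-editable string (its uci default spans many lines and values may contain quotes) into /opt/zapret/config, and how `sync_param` quotes it is outside this hunk; if that file is sourced by the init scripts, as its `NAME=value` layout suggests, an unescaped `"`, `$(` or backtick in the value would be evaluated as shell with the service's privileges. Please verify that `sync_param ... str` writes the value single-quoted with embedded `'` escaped as `'\''` and that embedded newlines survive the round trip, and add a check with a value containing `"` and `$`. The same concern applies to the `NFQWS_PORTS_*` and `NFQWS_*_PKT_*` lines above. The top-level script continues outside the hunk.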


@@ -22,40 +22,57 @@ function set_default_values
local TAB="$( echo -n -e '\t' )"
uci batch <<-EOF
set $cfgname.config.autostart='0'
# settings for zapret service
set $cfgname.config.FWTYPE='nftables'
set $cfgname.config.MODE='nfqws'
set $cfgname.config.POSTNAT='1'
set $cfgname.config.FLOWOFFLOAD='none'
set $cfgname.config.INIT_APPLY_FW='1'
set $cfgname.config.DISABLE_IPV4='0'
set $cfgname.config.DISABLE_IPV6='1'
set $cfgname.config.MODE_FILTER='hostlist'
set $cfgname.config.DESYNC_MARK='0x40000000'
set $cfgname.config.DESYNC_MARK_POSTNAT='0x20000000'
set $cfgname.config.NFQWS_OPT_DESYNC='--dpi-desync=fake,split2 --dpi-desync-ttl=7 --dpi-desync-ttl6=0 --dpi-desync-repeats=20 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin'
set $cfgname.config.NFQWS_OPT_DESYNC_SUFFIX="$TAB"
set $cfgname.config.MODE_HTTP='1'
set $cfgname.config.MODE_HTTP_KEEPALIVE='0'
set $cfgname.config.HTTP_PORTS='80'
set $cfgname.config.NFQWS_OPT_DESYNC_HTTP="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_HTTP_SUFFIX="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_HTTP6="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_HTTP6_SUFFIX="$TAB"
set $cfgname.config.MODE_HTTPS='1'
set $cfgname.config.HTTPS_PORTS='443'
set $cfgname.config.NFQWS_OPT_DESYNC_HTTPS="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_HTTPS_SUFFIX="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_HTTPS6="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_HTTPS6_SUFFIX="$TAB"
set $cfgname.config.MODE_QUIC='1'
set $cfgname.config.QUIC_PORTS='443'
set $cfgname.config.NFQWS_OPT_DESYNC_QUIC='--dpi-desync=fake,split2 --dpi-desync-repeats=15 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new --dpi-desync=fake --dpi-desync-repeats=15'
set $cfgname.config.NFQWS_OPT_DESYNC_QUIC_SUFFIX="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_QUIC6="$TAB"
set $cfgname.config.NFQWS_OPT_DESYNC_QUIC6_SUFFIX="$TAB"
# autohostlist options
set $cfgname.config.AUTOHOSTLIST_RETRANS_THRESHOLD='3'
set $cfgname.config.AUTOHOSTLIST_FAIL_THRESHOLD='3'
set $cfgname.config.AUTOHOSTLIST_FAIL_TIME='60'
set $cfgname.config.AUTOHOSTLIST_DEBUGLOG='0'
# nfqws options
set $cfgname.config.NFQWS_ENABLE='1'
set $cfgname.config.DESYNC_MARK='0x40000000'
set $cfgname.config.DESYNC_MARK_POSTNAT='0x20000000'
set $cfgname.config.NFQWS_PORTS_TCP='80,443'
set $cfgname.config.NFQWS_PORTS_UDP='443'
set $cfgname.config.NFQWS_TCP_PKT_OUT='9'
set $cfgname.config.NFQWS_TCP_PKT_IN='3'
set $cfgname.config.NFQWS_UDP_PKT_OUT='9'
set $cfgname.config.NFQWS_UDP_PKT_IN='0'
set $cfgname.config.NFQWS_PORTS_TCP_KEEPALIVE='0'
set $cfgname.config.NFQWS_PORTS_UDP_KEEPALIVE='0'
set $cfgname.config.NFQWS_OPT="
--filter-tcp=80 <HOSTLIST>
--dpi-desync=fake,split2
--dpi-desync-autottl=2
--dpi-desync-fooling=md5sig
--new
--filter-tcp=443 <HOSTLIST>
--dpi-desync=fake,split2
--dpi-desync-repeats=11
--dpi-desync-fooling=md5sig
--dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
--new
--filter-udp=443 <HOSTLIST>
--dpi-desync=fake
--dpi-desync-repeats=11
--dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin
--new
--filter-udp=443 <HOSTLIST>
--dpi-desync=fake
--dpi-desync-repeats=11
--new
--dpi-desync=fake,disorder2
--dpi-desync-autottl=2
--dpi-desync-fooling=md5sig
"
# save changes
commit $cfgname
EOF
return 0