mirror of
https://github.com/remittor/zapret-openwrt.git
synced 2026-03-14 06:22:46 +03:00
config: luci: Adapt settings for Zapret v66 (new config format)
This commit is contained in:
remittor
@@ -7,6 +7,10 @@
|
||||
# override firewall type : iptables,nftables,ipfw
|
||||
FWTYPE=nftables
|
||||
|
||||
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
|
||||
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
|
||||
POSTNAT=1
|
||||
|
||||
# options for ipsets
|
||||
# maximum number of elements in sets. also used for nft sets
|
||||
SET_MAXELEM=522288
|
||||
@@ -41,66 +45,53 @@ GZIP_LISTS=0
|
||||
# set to "-" to disable reload
|
||||
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
|
||||
|
||||
# override ports
|
||||
HTTP_PORTS=80
|
||||
HTTPS_PORTS=443
|
||||
QUIC_PORTS=443
|
||||
|
||||
# CHOOSE OPERATION MODE
|
||||
# MODE : nfqws,tpws,tpws-socks,filter,custom
|
||||
# nfqws : nfqws for dpi desync
|
||||
# tpws : tpws transparent mode
|
||||
# tpws-socks : tpws socks mode
|
||||
# filter : no daemon, just create ipset or download hostlist
|
||||
# custom : custom mode. should modify custom init script and add your own code
|
||||
MODE=nfqws
|
||||
|
||||
MODE_HTTP=1
|
||||
MODE_HTTP_KEEPALIVE=0
|
||||
MODE_HTTPS=1
|
||||
MODE_QUIC=1
|
||||
|
||||
# none,ipset,hostlist,autohostlist
|
||||
MODE_FILTER=hostlist
|
||||
|
||||
# CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list
|
||||
# mark bit used by nfqws to prevent loop
|
||||
DESYNC_MARK=0x40000000
|
||||
DESYNC_MARK_POSTNAT=0x20000000
|
||||
|
||||
|
||||
NFQWS_OPT_DESYNC="--dpi-desync=fake,split2 --dpi-desync-ttl=7 --dpi-desync-ttl6=0 --dpi-desync-repeats=20 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin"
|
||||
TPWS_SOCKS_ENABLE=0
|
||||
# tpws socks listens on this port on localhost and LAN interfaces
|
||||
TPPORT_SOCKS=987
|
||||
# use <HOSTLIST> placeholders to engage standard hostlists and autohostlist in ipset dir
|
||||
# they are replaced to empty string if MODE_FILTER does not satisfy
|
||||
TPWS_SOCKS_OPT="--filter-tcp=80 --methodeol <HOSTLIST> --new --filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>"
|
||||
|
||||
NFQWS_OPT_DESYNC_SUFFIX=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTP=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTP_SUFFIX=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTPS=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTPS_SUFFIX=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTP6=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTP6_SUFFIX=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTPS6=""
|
||||
|
||||
NFQWS_OPT_DESYNC_HTTPS6_SUFFIX=""
|
||||
|
||||
NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake,split2 --dpi-desync-repeats=15 --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_initial_www_google_com.bin --new --dpi-desync=fake --dpi-desync-repeats=15"
|
||||
|
||||
NFQWS_OPT_DESYNC_QUIC_SUFFIX=""
|
||||
|
||||
NFQWS_OPT_DESYNC_QUIC6=""
|
||||
|
||||
NFQWS_OPT_DESYNC_QUIC6_SUFFIX=""
|
||||
TPWS_ENABLE=0
|
||||
TPWS_PORTS="80,443"
|
||||
# use <HOSTLIST> placeholders to engage standard hostlists and autohostlist in ipset dir
|
||||
# they are replaced to empty string if MODE_FILTER does not satisfy
|
||||
TPWS_OPT="--filter-tcp=80 --methodeol <HOSTLIST> --new --filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>"
|
||||
|
||||
|
||||
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
|
||||
# SUFFIX VARS define additional lower priority desync profile. it's required if MODE_FILTER=hostlist and strategy has hostlist-incompatible 0-phase desync methods (mss)
|
||||
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
|
||||
#TPWS_OPT_SUFFIX="--mss 88"
|
||||
NFQWS_ENABLE=1
|
||||
|
||||
# redirect outgoing traffic with connbytes limiter applied in both directions.
|
||||
NFQWS_PORTS_TCP="80,443"
|
||||
NFQWS_PORTS_UDP="443"
|
||||
|
||||
# PKT_OUT means connbytes dir original
|
||||
# PKT_IN means connbytes dir reply
|
||||
# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
|
||||
NFQWS_TCP_PKT_OUT="9"
|
||||
NFQWS_TCP_PKT_IN="3"
|
||||
NFQWS_UDP_PKT_OUT="9"
|
||||
NFQWS_UDP_PKT_IN="0"
|
||||
|
||||
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
|
||||
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
|
||||
# typical example are plain HTTP keep alives
|
||||
# this mode can be very CPU consuming. enable with care !
|
||||
NFQWS_PORTS_TCP_KEEPALIVE=0
|
||||
NFQWS_PORTS_UDP_KEEPALIVE=0
|
||||
|
||||
# use <HOSTLIST> placeholders to engage standard hostlists and autohostlist in ipset dir
|
||||
# they are replaced to empty string if MODE_FILTER does not satisfy
|
||||
NFQWS_OPT="--filter-tcp=80 <HOSTLIST> --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 <HOSTLIST> --dpi-desync=fake,split2 --dpi-desync-repeats=11 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --new --filter-udp=443 <HOSTLIST> --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-tls=/opt/zapret/files/fake/tls_clienthello_www_google_com.bin --new --filter-udp=443 <HOSTLIST> --dpi-desync=fake --dpi-desync-repeats=11 --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig"
|
||||
|
||||
|
||||
# FlowOffload mode : donttouch,none,software,hardware
|
||||
FLOWOFFLOAD=none
|
||||
|
||||
Reference in New Issue
Block a user