drop time exceeded icmp for nfqws-related connections

docs/changes.txt

@@ -489,4 +489,7 @@ nfqws: --dpi-desync-fake-tls=! means default tls fake
 nfqws: --dup*
 nfqws: --orig*
 nfqws: ipcache of hop count and host names
+tpws: ipcache of host names
+nfqws,tpws: set 1024 repeat limit to fakes and dups
 init.d: remove --ipset parameter prohibition
+init.d, blockcheck: drop time exceeded icmp for nfqws-related connections

docs/iptables.txt

@@ -13,7 +13,6 @@ iptables -t mangle -I POSTROUTING -p udp --dport 443 -m mark ! --mark 0x40000000
 sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 
 iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:12 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
 iptables -t mangle -I PREROUTING -p tcp -m multiport --sports 80,443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:3 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
-iptables -t mangle -I PREROUTING -p udp -m multiport --sports 443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:1 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
 
 
 For TPROXY :

docs/nftables.txt

@@ -26,7 +26,6 @@ nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct orig
 sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 
 nft add chain inet ztest pre "{type filter hook prerouting priority filter;}"
 nft add rule inet ztest pre tcp sport "{80,443}" ct reply packets 1-3 queue num 200 bypass
-nft add rule inet ztest pre udp sport 443 ct reply packets 1 queue num 200 bypass
 
 
 show rules   : nft list table inet ztest