Mirror/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2026-02-01 07:10:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

nfqws: multi strategy

Browse Source
This commit is contained in:
bol-van
2024-09-17 19:57:21 +03:00
parent 8c94e3230e
commit c532ec4f75
30 changed files with 919 additions and 461 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
docs/readme.eng.md
View File

@@ -206,6 +206,10 @@ nfqws takes the following parameters:
--hostlist-auto-fail-time=<int> ; all failed attemps must be within these seconds (default : 60)
--hostlist-auto-retrans-threshold=<int> ; how many request retransmissions cause attempt to fail (default : 3)
--hostlist-auto-debug=<logfile> ; debug auto hostlist positives
--new ; begin new strategy
--filter-l3=ipv4|ipv6 ; L3 protocol filter. multiple comma separated values allowed.
--filter-tcp=[~]port1[-port2] ; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp.
--filter-udp=[~]port1[-port2] ; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp.
```
The manipulation parameters can be combined in any way.
@@ -565,6 +569,29 @@ nfqws sees packets with internal network source address. If fragmented NAT does
This results in attempt to send packets to internet with internal IP address.
You need to use nftables instead with hook priority 101 or higher.
### multiple strategies
`nfqws` can apply different strategies to different requests. It's done with multiple desync profiles.
Profiles are delimited by the `--new` parameter. First profile is created automatically and does not require `--new`.
Each profile has a filter. By default it's empty and profile matches any packet.
Filter can have hard parameters : ip version and tcp/udp port range.
Hard parameters are always identified unambiguously even on zero-phase when hostname is unknown yet.
Hostlist can also act as a filter. They can be combined with hard parameters.
When a packet comes profiles are matched from the first to the last until first filter condition match.
Hard filter is matched first. If it does not match verification goes to the next profile.
If a profile matches hard filter and has autohostlist it's selected immediately.
If a profile matches hard filter and has normal hostlist(s) and hostname is unknown yet verification goes to the next profile.
Otherwise profile hostlist(s) are checked for the hostname. If it matches profile is selected.
Otherwise verification goes to the next profile.
It's possible that before getting hostname connection is served by one profile and after
hostname is revealed it's switched to another profile.
If you use 0-phase desync methods think carefully what can happen during strategy switch.
Use `--debug` logging to understand better what `nfqws` does.
IMPORTANT : multiple strategies exist only for the case when it's not possible to combine all to one strategy.
Copy-pasting blockcheck results of different websites to multiple strategies lead to the mess.
This way you may never unblock all resources and only confuse yourself.
## tpws