github: delete windivert filters from embedded build

Fix the annoying typo that got me confused on my attempt to set up

.gitattributes

@@ -2,3 +2,4 @@
 *.cmd eol=crlf
 *.bat eol=crlf
 init.d/windivert.filter.examples/** eol=crlf
+files/** binary

.github/workflows/build.yml

@@ -468,7 +468,7 @@ jobs:
           (
             cd ${{ env.repo_dir }}
             rm -rf binaries/{android*,freebsd*,mac*,win*,x86_64/tpws_wsl.tgz} \
-                   init.d/{openrc,macos,pfsense,runit,s6,systemd} \
+                   init.d/{openrc,macos,pfsense,runit,s6,systemd,windivert.filter.examples} \
                    tpws nfq ip2net mdig docs files/huawei Makefile
           )
           tar --owner=0 --group=0 -czf ${{ env.repo_dir }}-openwrt-embedded.tar.gz ${{ env.repo_dir }}

blockcheck.sh

@@ -56,7 +56,7 @@ HDRTEMP=/tmp/zapret-hdr
 NFT_TABLE=blockcheck
 
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
-DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com}
+DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ej.ru rutracker.org www.torproject.org bbc.com}
 DOH_SERVERS=${DOH_SERVERS:-"https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query"}
 DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
@@ -219,7 +219,7 @@ doh_resolve()
 	# $1 - ip version 4/6
 	# $2 - hostname
 	# $3 - doh server URL. use $DOH_SERVER if empty
-	$MDIG --family=$1 --dns-make-query=$2 | $CURL --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+	"$MDIG" --family=$1 --dns-make-query=$2 | "$CURL" --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | "$MDIG" --dns-parse-query
 }
 doh_find_working()
 {
@@ -247,7 +247,7 @@ mdig_vars()
 	# $1 - ip version 4/6
 	# $2 - hostname
 
-	hostvar=$(echo $2 | sed -e 's/[\.-]/_/g')
+	hostvar=$(echo $2 | sed -e 's/[\./?&#@%*$^:~=!()+-]/_/g')
 	cachevar=DNSCACHE_${hostvar}_$1
 	countvar=${cachevar}_COUNT
 	eval count=\$${countvar}
@@ -278,17 +278,18 @@ mdig_cache()
 mdig_resolve()
 {
 	# $1 - ip version 4/6
-	# $2 - hostname
+	# $2 - hostname, possibly with uri : rutracker.org/xxx/xxxx
+	local hostvar cachevar countvar count ip n sdom
 
-	local hostvar cachevar countvar count ip n
-	mdig_vars "$@"
+	split_by_separator "$2" / sdom
+	mdig_vars "$1" "$sdom"
 	if [ -n "$count" ]; then
 		n=$(random 0 $(($count-1)))
 		eval ip=\$${cachevar}_$n
 		echo $ip
 		return 0
 	else
-		mdig_cache "$@" && mdig_resolve "$@"
+		mdig_cache "$1" "$sdom" && mdig_resolve "$1" "$sdom"
 	fi
 }
 mdig_resolve_all()
@@ -296,8 +297,10 @@ mdig_resolve_all()
 	# $1 - ip version 4/6
 	# $2 - hostname
 
-	local hostvar cachevar countvar count ip ips n
-	mdig_vars "$@"
+	local hostvar cachevar countvar count ip ips n sdom
+
+	split_by_separator "$2" / sdom
+	mdig_vars "$1" "$sdom"
 	if [ -n "$count" ]; then
 		n=0
 		while [ "$n" -le $count ]; do
@@ -312,7 +315,7 @@ mdig_resolve_all()
 		echo "$ips"
 		return 0
 	else
-		mdig_cache "$@" && mdig_resolve_all "$@"
+		mdig_cache "$1" "$sdom" && mdig_resolve_all "$1" "$sdom"
 	fi
 }
 
@@ -423,7 +426,7 @@ check_system()
 	}
 	echo firewall type is $FWTYPE
 	echo CURL=$CURL
-	$CURL --version
+	"$CURL" --version
 }
 
 zp_already_running()
@@ -595,12 +598,12 @@ curl_translate_code()
 curl_supports_tls13()
 {
 	local r
-	$CURL --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	# return code 2 = init failed. likely bad command line options
 	[ $? = 2 ] && return 1
 	# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
 	# this is online test because there's no other way to trigger library incompatibility case
-	$CURL --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
+	"$CURL" --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
 	r=$?
 	[ $r != 4 -a $r != 35 ]
 }
@@ -608,16 +611,16 @@ curl_supports_tls13()
 curl_supports_tlsmax()
 {
 	# supported only in OpenSSL and LibreSSL
-	$CURL --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
+	"$CURL" --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
 	# supported since curl 7.54
-	$CURL --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	# return code 2 = init failed. likely bad command line options
 	[ $? != 2 ]
 }
 
 curl_supports_connect_to()
 {
-	$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	[ "$?" != 2 ]
 }
 
@@ -625,7 +628,7 @@ curl_supports_http3()
 {
 	# if it has http3 : curl: (3) HTTP/3 requested for non-HTTPS URL
 	# otherwise : curl: (2) option --http3-only: is unknown
-	$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
 	[ "$?" != 2 ]
 }
 
@@ -653,10 +656,10 @@ curl_with_subst_ip()
 		*:*) ip="[$ip]" ;;
 	esac
 	local connect_to="--connect-to $1::$ip${2:+:$2}" arg
-	shift ; shift ; shift
+	shift ; shift ; shift;
 	[ "$CURL_VERBOSE" = 1 ] && arg="-v"
 	[ "$CURL_CMD" = 1 ] && echo $CURL ${arg:+$arg }$connect_to "$@"
-	ALL_PROXY="$ALL_PROXY" $CURL ${arg:+$arg }$connect_to "$@"
+	ALL_PROXY="$ALL_PROXY" "$CURL" ${arg:+$arg }$connect_to "$@"
 }
 curl_with_dig()
 {
@@ -665,10 +668,13 @@ curl_with_dig()
 	# $3 - port
 	# $4+ - curl params
 	local dom=$2 port=$3
-	local ip=$(mdig_resolve $1 $dom)
+	local sdom suri ip
+
+	split_by_separator "$dom" / sdom suri
+	ip=$(mdig_resolve $1 $sdom)
 	shift ; shift ; shift
 	if [ -n "$ip" ]; then
-		curl_with_subst_ip $dom $port $ip "$@"
+		curl_with_subst_ip "$sdom" "$port" "$ip" "$@"
 	else
 		return 6
 	fi
@@ -731,7 +737,7 @@ curl_test_https_tls12()
 	# $3 - subst ip
 
 	# do not use tls 1.3 to make sure server certificate is not encrypted
-	curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
+	curl_probe $1 $2 $HTTPS_PORT "$3" $HTTPS_HEAD -Ss -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
 }
 curl_test_https_tls13()
 {
@@ -740,7 +746,7 @@ curl_test_https_tls13()
 	# $3 - subst ip
 
 	# force TLS1.3 mode
-	curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
+	curl_probe $1 $2 $HTTPS_PORT "$3" $HTTPS_HEAD -Ss -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
 }
 
 curl_test_http3()
@@ -749,7 +755,7 @@ curl_test_http3()
 	# $2 - domain name
 
 	# force QUIC only mode without tcp
-	curl_with_dig $1 $2 $QUIC_PORT -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT "https://$2" -o /dev/null 2>&1
+	curl_with_dig $1 $2 $QUIC_PORT $HTTPS_HEAD -Ss -A "$USER_AGENT" --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT "https://$2" -o /dev/null 2>&1
 }
 
 ipt_aux_scheme()
@@ -1857,6 +1863,9 @@ configure_curl_opt()
 	curl_supports_tls13 && TLS13=1
 	HTTP3=
 	curl_supports_http3 && HTTP3=1
+
+	HTTPS_HEAD=-I
+	[ "$CURL_HTTPS_GET" = 1 ] && HTTPS_HEAD=
 }
 
 linux_ipv6_defrag_can_be_disabled()
@@ -1917,7 +1926,7 @@ ask_params()
 	curl_supports_connect_to || {
 		echo "installed curl does not support --connect-to option. pls install at least curl 7.49"
 		echo "current curl version:"
-		$CURL --version
+		"$CURL" --version
 		exitp 1
 	}
 
@@ -1925,7 +1934,7 @@ ask_params()
 	[ -n "$DOMAINS" ] || {
 		DOMAINS="$DOMAINS_DEFAULT"
 		[ "$BATCH" = 1 ] || {
-			echo "specify domain(s) to test. multiple domains are space separated."
+			echo "specify domain(s) to test. multiple domains are space separated. URIs are supported (rutracker.org/forum/index.php)"
 			printf "domain(s) (default: $DOMAINS) : "
 			read dom
 			[ -n "$dom" ] && DOMAINS="$dom"
@@ -2268,7 +2277,6 @@ sigsilent()
 	exit 1
 }
 
-
 fsleep_setup
 fix_sbin_path
 check_system

common/base.sh

@@ -93,6 +93,18 @@ trim()
 {
 	awk '{gsub(/^ +| +$/,"")}1'
 }
+split_by_separator()
+{
+	# $1 - string
+	# $2 - separator
+	# $3 - var name to get "before" part
+	# $4 - var name to get "after" part
+	local before="${1%%$2*}"
+	local after="${1#*$2}"
+	[ "$after" = "$1" ] && after=
+	[ -n "$3" ] && eval $3="\$before"
+	[ -n "$4" ] && eval $4="\$after"
+}
 
 dir_is_not_empty()
 {

docs/changes.txt

@@ -568,3 +568,7 @@ nfqws: --wssize-forced-cutoff
 nfqws: --orig-tcp-flags, --dup-tcp-flags, --dpi-desync-tcp-flags
 nfqws: --dup-ip-id
 
+73.3
+
+blockcheck: support URIs
+blockcheck: CURL_HTTPS_GET=1 suppresses -I curl option for https (HEAD -> GET)

docs/readme.md

@@ -1,4 +1,4 @@
-# zapret v72.2
+# zapret v72.3
 
 # ВНИМАНИЕ, остерегайтесь мошенников
 
@@ -1665,7 +1665,7 @@ LISTS_RELOAD=-  отключает перезагрузку листов.
 
 В системе запуска это обыграно следующим образом.
 Присутствуют 2 include списка :
-`ipset/zapret-hosts-users.txt.gz` или `ipset/zapret-hosts-users.txt`,
+`ipset/zapret-hosts-user.txt.gz` или `ipset/zapret-hosts-user.txt`,
 `ipset/zapret-hosts.txt.gz` или `ipset/zapret-hosts.txt`
 и 1 exclude список
 `ipset/zapret-hosts-user-exclude.txt.gz` или `ipset/zapret-hosts-user-exclude.txt`
@@ -1816,6 +1816,7 @@ CURL_MAX_TIME_QUIC - время таймаута curl для quic. если не
 CURL_MAX_TIME_DOH - время таймаута curl для DoH серверов
 CURL_CMD=1 - показывать команды curl
 CURL_OPT - дополнительные параметры curl. `-k` - игнор сертификатов. `-v` - подробный вывод протокола
+CURL_HTTPS_GET=1 - использовать метод GET вместо HEAD для https
 DOMAINS - список тестируемых доменов через пробел
 IPVS=4|6|46 - тестируемые версии ip протокола
 ENABLE_HTTP=0|1 - включить тест plain http

docs/windows.en.md

@@ -7,7 +7,7 @@ tpws is static binary. It doesn't need a distribution.
 
 Install `WSL` : `dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all`
 
-Copy `binaries/x86_64/tpws_wsl.tgz` to the target system.
+From release copy `binaries/linux-x86_64/tpws_wsl.tgz` to the target system.
 Run : `wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz`
 
 Run tpws : `wsl -d tpws --exec /tpws --uid=1 --no-resolve --socks --bind-addr=127.0.0.1 --port=1080 <fooling_options>`
@@ -16,7 +16,7 @@ Configure socks as `127.0.0.1:1080` in a browser or another program.
 
 Cleanup : `wsl --unregister tpws`
 
-Tested in windows 10 build 19041 (20.04).
+Tested in windows 10 build 19041 (20.04) with WSL1.
 
 `--oob` , `--mss` and `--disorder` do not work.
 RST detection in autohostlist scheme may not work.

docs/windows.md

@@ -12,7 +12,7 @@ tpws в режиме socks можно запускать под более-ме
 Установить WSL : 
  `dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all`
 
-Скопировать на целевую систему `binaries/x86_64/tpws_wsl.tgz`.
+Из релиза скопировать на целевую систему `binaries/linux-x86_64/tpws_wsl.tgz`.
 
 Выполнить :
  `wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz`
@@ -24,8 +24,12 @@ tpws в режиме socks можно запускать под более-ме
 
 Удаление : `wsl --unregister tpws`
 
+
 > [!NOTE]
-> Проверено на windows 10 build 19041 (20.04).
+> Проверено на windows 10 build 19041 (20.04) под WSL1. На WSL2 эти команды могут не сработать.
+Если у вас есть WSL2, значит у вас есть работающая виртуалка с linux.
+Если вы умеете с ней обращаться, tpws на ней запустить возможно без всяких проблем.
+
 
 Возможные проблемы: 
 - Не работают функции `--oob` и `--mss` из-за ограничений реализации WSL.

ipset/zapret-hosts-user-exclude.txt.default

@@ -3,6 +3,7 @@
 172.16.0.0/12
 192.168.0.0/16
 169.254.0.0/16
+100.64.0.0/10
 ::1
 fc00::/7
 fe80::/10

nfq/crypto/aes-gcm.c

@@ -5,9 +5,11 @@ int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_
 	int ret = 0;
 	gcm_context ctx;
 
-	gcm_setkey(&ctx, key, (const uint)key_len);
-	ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);
-	gcm_zero_ctx(&ctx);
+	if (!(ret = gcm_setkey(&ctx, key, (const uint)key_len)))
+	{
+		ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);
+		gcm_zero_ctx(&ctx);
+	}
 
 	return ret;
 }

nfq/crypto/aes.c

@@ -367,7 +367,7 @@ int aes_setkey(aes_context *ctx,   // AES context provided by our caller
 	}
 
 #if AES_DECRYPTION
-	if (mode == DECRYPT)   // expand our key for encryption or decryption
+	if (mode == AES_DECRYPT)   // expand our key for encryption or decryption
 		return(aes_set_decryption_key(ctx, key, keysize));
 	else     /* ENCRYPT */
 #endif /* AES_DECRYPTION */
@@ -399,7 +399,7 @@ int aes_cipher(aes_context *ctx,
 
 #if AES_DECRYPTION  // whether AES decryption is supported
 
-	if (ctx->mode == DECRYPT)
+	if (ctx->mode == AES_DECRYPT)
 	{
 		for (i = (ctx->rounds >> 1) - 1; i > 0; i--)
 		{

nfq/crypto/gcm.c

@@ -246,7 +246,7 @@ int gcm_setkey(gcm_context *ctx,   // pointer to caller-provided gcm context
  *
  ******************************************************************************/
 int gcm_start(gcm_context *ctx,    // pointer to user-provided GCM context
-	int mode,            // GCM_ENCRYPT or GCM_DECRYPT
+	int mode,            // AES_ENCRYPT or AES_DECRYPT
 	const uchar *iv,     // pointer to initialization vector
 	size_t iv_len,       // IV length in bytes (should == 12)
 	const uchar *add,    // ptr to additional AEAD data (NULL if none)
@@ -288,6 +288,7 @@ int gcm_start(gcm_context *ctx,    // pointer to user-provided GCM context
 		for (i = 0; i < 16; i++) ctx->y[i] ^= work_buf[i];
 		gcm_mult(ctx, ctx->y, ctx->y);
 	}
+
 	if ((ret = aes_cipher(&ctx->aes_ctx, ctx->y, ctx->base_ectr)) != 0)
 		return(ret);
 
@@ -427,7 +428,7 @@ int gcm_finish(gcm_context *ctx,   // pointer to user-provided GCM context
  ******************************************************************************/
 int gcm_crypt_and_tag(
 	gcm_context *ctx,       // gcm context with key already setup
-	int mode,               // cipher direction: GCM_ENCRYPT or GCM_DECRYPT
+	int mode,               // cipher direction: AES_ENCRYPT or AES_DECRYPT
 	const uchar *iv,        // pointer to the 12-byte initialization vector
 	size_t iv_len,          // byte length if the IV. should always be 12
 	const uchar *add,       // pointer to the non-ciphered additional data

nfq/darkmagic.c

@@ -936,7 +936,6 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
 		{
 		case 0: // Hop-by-Hop Options
 		case 43: // routing
-		case 51: // authentication
 		case 60: // Destination Options
 		case 135: // mobility
 		case 139: // Host Identity Protocol Version v2
@@ -947,6 +946,11 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
 		case 44: // fragment. length fixed to 8, hdrlen field defined as reserved
 			hdrlen = 8;
 			break;
+		case 51: // authentication
+			// special case. length in ah header is in 32-bit words minus 2
+			if (*len < 2) return; // error
+			hdrlen = 8 + ((*data)[1] << 2);
+			break;
 		case 59: // no next header
 			return; // error
 		default:

nfq/desync.c

@@ -1205,12 +1205,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("using cached desync profile %d\n", dp->n);
 		else if (!ctrack_replay->dp_search_complete)
 		{
-			if (!ctrack_replay->hostname && !bReverse)
-			{
-				if (ipcache_get_hostname(dis->ip ? &dis->ip->ip_dst : NULL, dis->ip6 ? &dis->ip6->ip6_dst : NULL, host, sizeof(host), &ctrack_replay->hostname_is_ip) && *host)
-					if (!(ctrack_replay->hostname = strdup(host)))
-						DLOG_ERR("strdup(host): out of memory\n");
-			}
 			dp = ctrack_replay->dp = dp_find(&params.desync_profiles, IPPROTO_TCP, (struct sockaddr *)&dst, ctrack_replay->hostname, ctrack_replay->hostname_is_ip, ctrack_replay->l7proto, ssid, NULL, NULL, NULL);
 			ctrack_replay->dp_search_complete = true;
 		}
@@ -2811,12 +2805,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("using cached desync profile %d\n", dp->n);
 		else if (!ctrack_replay->dp_search_complete)
 		{
-			if (!ctrack_replay->hostname && !bReverse)
-			{
-				if (ipcache_get_hostname(dis->ip ? &dis->ip->ip_dst : NULL, dis->ip6 ? &dis->ip6->ip6_dst : NULL, host, sizeof(host), &ctrack_replay->hostname_is_ip) && *host)
-					if (!(ctrack_replay->hostname = strdup(host)))
-						DLOG_ERR("strdup(host): out of memory\n");
-			}
 			dp = ctrack_replay->dp = dp_find(&params.desync_profiles, IPPROTO_UDP, (struct sockaddr *)&dst, ctrack_replay->hostname, ctrack_replay->hostname_is_ip, ctrack_replay->l7proto, ssid, NULL, NULL, NULL);
 			ctrack_replay->dp_search_complete = true;
 		}
@@ -3198,7 +3186,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 					if (ctrack_replay->hostname_ah_check)
 					{
 						// first request is not retrans
-						if (!bDiscoveredHostname)
+						if (!bDiscoveredHostname && !reasm_offset)
 							process_retrans_fail(ctrack_replay, IPPROTO_UDP, (struct sockaddr*)&src);
 					}
 				}

nfq/protocol.c

@@ -52,14 +52,6 @@ bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
 		(l7proto==STUN && (filter_l7 & L7_PROTO_STUN));
 }
 
-#define PM_ABS		0
-#define PM_HOST		1
-#define PM_HOST_END	2
-#define PM_HOST_SLD	3
-#define PM_HOST_MIDSLD	4
-#define PM_HOST_ENDSLD	5
-#define PM_HTTP_METHOD	6
-#define PM_SNI_EXT	7
 bool IsHostMarker(uint8_t posmarker)
 {
 	switch(posmarker)