github: delete windivert filters from embedded build

.gitattributes

@@ -2,3 +2,4 @@
 *.cmd eol=crlf
 *.bat eol=crlf
 init.d/windivert.filter.examples/** eol=crlf
+files/** binary

.github/workflows/build.yml

@@ -468,7 +468,7 @@ jobs:
           (
             cd ${{ env.repo_dir }}
             rm -rf binaries/{android*,freebsd*,mac*,win*,x86_64/tpws_wsl.tgz} \
-                   init.d/{openrc,macos,pfsense,runit,s6,systemd} \
+                   init.d/{openrc,macos,pfsense,runit,s6,systemd,windivert.filter.examples} \
                    tpws nfq ip2net mdig docs files/huawei Makefile
           )
           tar --owner=0 --group=0 -czf ${{ env.repo_dir }}-openwrt-embedded.tar.gz ${{ env.repo_dir }}

blockcheck.sh

@@ -56,7 +56,7 @@ HDRTEMP=/tmp/zapret-hdr
 NFT_TABLE=blockcheck
 
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
-DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com}
+DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ej.ru rutracker.org www.torproject.org bbc.com}
 DOH_SERVERS=${DOH_SERVERS:-"https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query"}
 DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
@@ -219,7 +219,7 @@ doh_resolve()
 	# $1 - ip version 4/6
 	# $2 - hostname
 	# $3 - doh server URL. use $DOH_SERVER if empty
-	$MDIG --family=$1 --dns-make-query=$2 | $CURL --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+	"$MDIG" --family=$1 --dns-make-query=$2 | "$CURL" --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | "$MDIG" --dns-parse-query
 }
 doh_find_working()
 {
@@ -247,7 +247,7 @@ mdig_vars()
 	# $1 - ip version 4/6
 	# $2 - hostname
 
-	hostvar=$(echo $2 | sed -e 's/[\.-/?&#@%*$^:~=!()]/_/g')
+	hostvar=$(echo $2 | sed -e 's/[\./?&#@%*$^:~=!()+-]/_/g')
 	cachevar=DNSCACHE_${hostvar}_$1
 	countvar=${cachevar}_COUNT
 	eval count=\$${countvar}
@@ -297,7 +297,7 @@ mdig_resolve_all()
 	# $1 - ip version 4/6
 	# $2 - hostname
 
-	local hostvar cachevar countvar count ip ips n
+	local hostvar cachevar countvar count ip ips n sdom
 
 	split_by_separator "$2" / sdom
 	mdig_vars "$1" "$sdom"
@@ -426,7 +426,7 @@ check_system()
 	}
 	echo firewall type is $FWTYPE
 	echo CURL=$CURL
-	$CURL --version
+	"$CURL" --version
 }
 
 zp_already_running()
@@ -598,12 +598,12 @@ curl_translate_code()
 curl_supports_tls13()
 {
 	local r
-	$CURL --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	# return code 2 = init failed. likely bad command line options
 	[ $? = 2 ] && return 1
 	# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
 	# this is online test because there's no other way to trigger library incompatibility case
-	$CURL --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
+	"$CURL" --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
 	r=$?
 	[ $r != 4 -a $r != 35 ]
 }
@@ -611,16 +611,16 @@ curl_supports_tls13()
 curl_supports_tlsmax()
 {
 	# supported only in OpenSSL and LibreSSL
-	$CURL --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
+	"$CURL" --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1
 	# supported since curl 7.54
-	$CURL --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --tls-max 1.2 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	# return code 2 = init failed. likely bad command line options
 	[ $? != 2 ]
 }
 
 curl_supports_connect_to()
 {
-	$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null
 	[ "$?" != 2 ]
 }
 
@@ -628,7 +628,7 @@ curl_supports_http3()
 {
 	# if it has http3 : curl: (3) HTTP/3 requested for non-HTTPS URL
 	# otherwise : curl: (2) option --http3-only: is unknown
-	$CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
+	"$CURL" --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null
 	[ "$?" != 2 ]
 }
 
@@ -648,19 +648,18 @@ hdrfile_location()
 curl_with_subst_ip()
 {
 	# $1 - domain
-	# $2 - uri
-	# $3 - port
-	# $4 - ip
-	# $5+ - curl params
-	local ip="$4"
+	# $2 - port
+	# $3 - ip
+	# $4+ - curl params
+	local ip="$3"
 	case "$ip" in
 		*:*) ip="[$ip]" ;;
 	esac
-	local connect_to="--connect-to $1::$ip${3:+:$3}" arg
-	shift ; shift ; shift; shift
+	local connect_to="--connect-to $1::$ip${2:+:$2}" arg
+	shift ; shift ; shift;
 	[ "$CURL_VERBOSE" = 1 ] && arg="-v"
 	[ "$CURL_CMD" = 1 ] && echo $CURL ${arg:+$arg }$connect_to "$@"
-	ALL_PROXY="$ALL_PROXY" $CURL ${arg:+$arg }$connect_to "$@"
+	ALL_PROXY="$ALL_PROXY" "$CURL" ${arg:+$arg }$connect_to "$@"
 }
 curl_with_dig()
 {
@@ -675,7 +674,7 @@ curl_with_dig()
 	ip=$(mdig_resolve $1 $sdom)
 	shift ; shift ; shift
 	if [ -n "$ip" ]; then
-		curl_with_subst_ip "$sdom" "$suri" $port $ip "$@"
+		curl_with_subst_ip "$sdom" "$port" "$ip" "$@"
 	else
 		return 6
 	fi
@@ -1927,7 +1926,7 @@ ask_params()
 	curl_supports_connect_to || {
 		echo "installed curl does not support --connect-to option. pls install at least curl 7.49"
 		echo "current curl version:"
-		$CURL --version
+		"$CURL" --version
 		exitp 1
 	}
 

docs/windows.en.md

@@ -7,7 +7,7 @@ tpws is static binary. It doesn't need a distribution.
 
 Install `WSL` : `dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all`
 
-Copy `binaries/x86_64/tpws_wsl.tgz` to the target system.
+From release copy `binaries/linux-x86_64/tpws_wsl.tgz` to the target system.
 Run : `wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz`
 
 Run tpws : `wsl -d tpws --exec /tpws --uid=1 --no-resolve --socks --bind-addr=127.0.0.1 --port=1080 <fooling_options>`
@@ -16,7 +16,7 @@ Configure socks as `127.0.0.1:1080` in a browser or another program.
 
 Cleanup : `wsl --unregister tpws`
 
-Tested in windows 10 build 19041 (20.04).
+Tested in windows 10 build 19041 (20.04) with WSL1.
 
 `--oob` , `--mss` and `--disorder` do not work.
 RST detection in autohostlist scheme may not work.

docs/windows.md

@@ -12,7 +12,7 @@ tpws в режиме socks можно запускать под более-ме
 Установить WSL : 
  `dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all`
 
-Скопировать на целевую систему `binaries/x86_64/tpws_wsl.tgz`.
+Из релиза скопировать на целевую систему `binaries/linux-x86_64/tpws_wsl.tgz`.
 
 Выполнить :
  `wsl --import tpws "%USERPROFILE%\tpws" tpws_wsl.tgz`
@@ -24,8 +24,12 @@ tpws в режиме socks можно запускать под более-ме
 
 Удаление : `wsl --unregister tpws`
 
+
 > [!NOTE]
-> Проверено на windows 10 build 19041 (20.04).
+> Проверено на windows 10 build 19041 (20.04) под WSL1. На WSL2 эти команды могут не сработать.
+Если у вас есть WSL2, значит у вас есть работающая виртуалка с linux.
+Если вы умеете с ней обращаться, tpws на ней запустить возможно без всяких проблем.
+
 
 Возможные проблемы: 
 - Не работают функции `--oob` и `--mss` из-за ограничений реализации WSL.

ipset/zapret-hosts-user-exclude.txt.default

@@ -3,6 +3,7 @@
 172.16.0.0/12
 192.168.0.0/16
 169.254.0.0/16
+100.64.0.0/10
 ::1
 fc00::/7
 fe80::/10

nfq/crypto/aes-gcm.c

@@ -5,9 +5,11 @@ int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_
 	int ret = 0;
 	gcm_context ctx;
 
-	gcm_setkey(&ctx, key, (const uint)key_len);
-	ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);
-	gcm_zero_ctx(&ctx);
+	if (!(ret = gcm_setkey(&ctx, key, (const uint)key_len)))
+	{
+		ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);
+		gcm_zero_ctx(&ctx);
+	}
 
 	return ret;
 }

nfq/crypto/aes.c

@@ -367,7 +367,7 @@ int aes_setkey(aes_context *ctx,   // AES context provided by our caller
 	}
 
 #if AES_DECRYPTION
-	if (mode == DECRYPT)   // expand our key for encryption or decryption
+	if (mode == AES_DECRYPT)   // expand our key for encryption or decryption
 		return(aes_set_decryption_key(ctx, key, keysize));
 	else     /* ENCRYPT */
 #endif /* AES_DECRYPTION */
@@ -399,7 +399,7 @@ int aes_cipher(aes_context *ctx,
 
 #if AES_DECRYPTION  // whether AES decryption is supported
 
-	if (ctx->mode == DECRYPT)
+	if (ctx->mode == AES_DECRYPT)
 	{
 		for (i = (ctx->rounds >> 1) - 1; i > 0; i--)
 		{

nfq/crypto/gcm.c

@@ -246,7 +246,7 @@ int gcm_setkey(gcm_context *ctx,   // pointer to caller-provided gcm context
  *
  ******************************************************************************/
 int gcm_start(gcm_context *ctx,    // pointer to user-provided GCM context
-	int mode,            // GCM_ENCRYPT or GCM_DECRYPT
+	int mode,            // AES_ENCRYPT or AES_DECRYPT
 	const uchar *iv,     // pointer to initialization vector
 	size_t iv_len,       // IV length in bytes (should == 12)
 	const uchar *add,    // ptr to additional AEAD data (NULL if none)
@@ -288,6 +288,7 @@ int gcm_start(gcm_context *ctx,    // pointer to user-provided GCM context
 		for (i = 0; i < 16; i++) ctx->y[i] ^= work_buf[i];
 		gcm_mult(ctx, ctx->y, ctx->y);
 	}
+
 	if ((ret = aes_cipher(&ctx->aes_ctx, ctx->y, ctx->base_ectr)) != 0)
 		return(ret);
 
@@ -427,7 +428,7 @@ int gcm_finish(gcm_context *ctx,   // pointer to user-provided GCM context
  ******************************************************************************/
 int gcm_crypt_and_tag(
 	gcm_context *ctx,       // gcm context with key already setup
-	int mode,               // cipher direction: GCM_ENCRYPT or GCM_DECRYPT
+	int mode,               // cipher direction: AES_ENCRYPT or AES_DECRYPT
 	const uchar *iv,        // pointer to the 12-byte initialization vector
 	size_t iv_len,          // byte length if the IV. should always be 12
 	const uchar *add,       // pointer to the non-ciphered additional data

nfq/darkmagic.c

@@ -936,7 +936,6 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
 		{
 		case 0: // Hop-by-Hop Options
 		case 43: // routing
-		case 51: // authentication
 		case 60: // Destination Options
 		case 135: // mobility
 		case 139: // Host Identity Protocol Version v2
@@ -947,6 +946,11 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
 		case 44: // fragment. length fixed to 8, hdrlen field defined as reserved
 			hdrlen = 8;
 			break;
+		case 51: // authentication
+			// special case. length in ah header is in 32-bit words minus 2
+			if (*len < 2) return; // error
+			hdrlen = 8 + ((*data)[1] << 2);
+			break;
 		case 59: // no next header
 			return; // error
 		default:

nfq/desync.c

@@ -1205,12 +1205,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("using cached desync profile %d\n", dp->n);
 		else if (!ctrack_replay->dp_search_complete)
 		{
-			if (!ctrack_replay->hostname && !bReverse)
-			{
-				if (ipcache_get_hostname(dis->ip ? &dis->ip->ip_dst : NULL, dis->ip6 ? &dis->ip6->ip6_dst : NULL, host, sizeof(host), &ctrack_replay->hostname_is_ip) && *host)
-					if (!(ctrack_replay->hostname = strdup(host)))
-						DLOG_ERR("strdup(host): out of memory\n");
-			}
 			dp = ctrack_replay->dp = dp_find(&params.desync_profiles, IPPROTO_TCP, (struct sockaddr *)&dst, ctrack_replay->hostname, ctrack_replay->hostname_is_ip, ctrack_replay->l7proto, ssid, NULL, NULL, NULL);
 			ctrack_replay->dp_search_complete = true;
 		}
@@ -2811,12 +2805,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("using cached desync profile %d\n", dp->n);
 		else if (!ctrack_replay->dp_search_complete)
 		{
-			if (!ctrack_replay->hostname && !bReverse)
-			{
-				if (ipcache_get_hostname(dis->ip ? &dis->ip->ip_dst : NULL, dis->ip6 ? &dis->ip6->ip6_dst : NULL, host, sizeof(host), &ctrack_replay->hostname_is_ip) && *host)
-					if (!(ctrack_replay->hostname = strdup(host)))
-						DLOG_ERR("strdup(host): out of memory\n");
-			}
 			dp = ctrack_replay->dp = dp_find(&params.desync_profiles, IPPROTO_UDP, (struct sockaddr *)&dst, ctrack_replay->hostname, ctrack_replay->hostname_is_ip, ctrack_replay->l7proto, ssid, NULL, NULL, NULL);
 			ctrack_replay->dp_search_complete = true;
 		}
@@ -3198,7 +3186,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 					if (ctrack_replay->hostname_ah_check)
 					{
 						// first request is not retrans
-						if (!bDiscoveredHostname)
+						if (!bDiscoveredHostname && !reasm_offset)
 							process_retrans_fail(ctrack_replay, IPPROTO_UDP, (struct sockaddr*)&src);
 					}
 				}

nfq/protocol.c

@@ -52,14 +52,6 @@ bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
 		(l7proto==STUN && (filter_l7 & L7_PROTO_STUN));
 }
 
-#define PM_ABS		0
-#define PM_HOST		1
-#define PM_HOST_END	2
-#define PM_HOST_SLD	3
-#define PM_HOST_MIDSLD	4
-#define PM_HOST_ENDSLD	5
-#define PM_HTTP_METHOD	6
-#define PM_SNI_EXT	7
 bool IsHostMarker(uint8_t posmarker)
 {
 	switch(posmarker)