diff --git a/Makefile b/Makefile
index 00e6c20..5f6cfc0 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,19 @@ all: clean
 done \
 done
 
+systemd: clean
+ @mkdir -p "$(TGT)"; \
+ for dir in $(DIRS); do \
+ find "$$dir" -type f \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
+ $(MAKE) -C "$$dir" systemd || exit; \
+ for exe in "$$dir/"*; do \
+ if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
+ mv -f "$$exe" "${TGT}" ; \
+ ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
+ fi \
+ done \
+ done
+
 android: clean
 @mkdir -p "$(TGT)"; \
 for dir in $(DIRS); do \
diff --git a/init.d/systemd/nfqws.service b/init.d/systemd/nfqws.service
new file mode 100644
index 0000000..c4a3f5d
--- /dev/null
+++ b/init.d/systemd/nfqws.service
@@ -0,0 +1,48 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_FILE}
+Environment=CONFIG_FILE=/etc/zapret/nfqws.config
+
+StateDirectory=nfqws
+StateDirectoryMode=0700
+WorkingDirectory=%S/nfqws
+
+DynamicUser=true
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ip2net/Makefile b/ip2net/Makefile
index 43c44ea..484f3d7 100644
--- a/ip2net/Makefile
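Review bot: The new `systemd` recipe is a line-for-line copy of the `android` recipe in the trailing context (and, from the `done \`/`done` lines, apparently of `all` too), differing only in the sub-make target, so three copies of the find/chmod/mv/ln loop now have to be kept in step; the `"${TGT}"` on the `mv`/`ln` lines versus `"$(TGT)"` on `mkdir` shows they already are not. A `define build_dirs` template taking the target name and invoked as `$(call build_dirs,systemd)` would leave one copy. The bare `|| exit` after `$(MAKE)` relies on the shell's `exit` reusing the status of the failed make; `|| exit 1` states the intent.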
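Review bot: `Type=notify` ties this unit to a binary built with the new `make systemd` target: an nfqws from the plain `all` build never sends READY=1, so systemd kills it at the start timeout and `Restart=on-failure` then loops it, with nothing in the journal saying why. A comment beside it, `# needs a binary built with 'make systemd' (USE_SYSTEMD); otherwise change to Type=simple`, avoids that. The hardening also changes what the config file may contain: with `DynamicUser=true` and `SystemCallFilter=~@privileged` the process can no longer switch uid/gid or adjust capabilities itself, so any user-dropping or daemonizing option still present in `nfqws.config` (not visible here) would be killed by seccomp or would fork so that READY=1 arrives from a PID the default NotifyAccess=main ignores; that constraint belongs in the header comment as well. Note that `AF_UNIX` in `RestrictAddressFamilies` is what lets sd_notify reach its socket, so it must stay even though nothing in this diff shows nfqws itself using UNIX sockets.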
+++ b/ip2net/Makefile
@@ -11,6 +11,8 @@ all: ip2net
 ip2net: $(SRC_FILES)
 $(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
+systemd: ip2net
+
 android: ip2net
 
 bsd: $(SRC_FILES)
diff --git a/mdig/Makefile b/mdig/Makefile
index 556fd83..21b6c84 100644
--- a/mdig/Makefile
+++ b/mdig/Makefile
@@ -12,6 +12,8 @@ all: mdig
 mdig: $(SRC_FILES)
 $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
+systemd: mdig
+
 android: $(SRC_FILES)
 $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)
diff --git a/nfq/Makefile b/nfq/Makefile
index 52f95ba..85a29e4 100644
--- a/nfq/Makefile
+++ b/nfq/Makefile
@@ -1,8 +1,10 @@
 CC ?= gcc
 CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
 LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
+LIBS_SYSTEMD = -lsystemd
 LIBS_BSD = -lz
 LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
 LIBS_CYGWIN32 = -lwindivert32
@@ -16,6 +18,9 @@ all: nfqws
 nfqws: $(SRC_FILES)
 $(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
 
+systemd: $(SRC_FILES)
+ $(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
+
 android: nfqws
 
 bsd: $(SRC_FILES)
diff --git a/nfq/helpers.c b/nfq/helpers.c
index 00a0ce0..51188de 100644
--- a/nfq/helpers.c
+++ b/nfq/helpers.c
@@ -391,6 +391,12 @@ void fill_random_az09(uint8_t *p,size_t sz)
 }
 }
 
+void disable_console_io_buffering(void)
+{
+ setvbuf(stdout, NULL, _IOLBF, 0);
+ setvbuf(stderr, NULL, _IOLBF, 0);
+}
+
 bool set_env_exedir(const char *argv0)
 {
 char *s,*d;
diff --git a/nfq/helpers.h b/nfq/helpers.h
index 6f3e5a6..04ef521 100644
--- a/nfq/helpers.h
+++ b/nfq/helpers.h
@@ -92,6 +92,7 @@ void fill_random_bytes(uint8_t *p,size_t sz);
 void fill_random_az(uint8_t *p,size_t sz);
 void fill_random_az09(uint8_t *p,size_t sz);
+void disable_console_io_buffering(void);
 bool set_env_exedir(const char *argv0);
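Review bot: The `systemd:` recipe in the second nfq/Makefile hunk repeats the whole `nfqws` compile line with two variables appended, so every future change to flags or libraries has to be made twice; target-specific variables express the same build without a second command: `systemd: CFLAGS += $(CFLAGS_SYSTEMD)`, `systemd: LIBS_LINUX += $(LIBS_SYSTEMD)`, `systemd: nfqws`. That form reuses `nfqws`'s dependency on `$(SRC_FILES)`, so an already-built plain `nfqws` would need a `clean` first, which the top-level `systemd: clean` target appears to do. Both targets also produce the same file name, so nothing distinguishes a binary that will send READY=1 from one that will not; a one-line comment on the `systemd:` target saying the unit file requires this build is worth adding.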
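Review bot: `disable_console_io_buffering` adds buffering rather than removing it for stderr: stderr is unbuffered by default, and `setvbuf(stderr, NULL, _IOLBF, 0)` turns it into a line-buffered stream, so an error message without a trailing newline, or a partial line pending when the process dies from a signal, is delayed or lost. Line-buffering stdout alone gives the callers the pipe-flushing behaviour they want; if stderr must be included, the name should say so (`set_console_line_buffering`) and a comment should note that every message must end in '\n'. The function also silently assumes it runs before any output on either stream (setvbuf has no effect afterwards) and that a NULL buffer with size 0 makes the library allocate one, which glibc and Cygwin do but the standard leaves implementation-defined; both assumptions belong in a comment above it.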
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index 4963481..cd2e359 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -35,6 +35,10 @@
 #include "win.h"
 #endif
 
+#ifdef USE_SYSTEMD
+#include
+#endif
+
 #ifdef __linux__
 #include
 #define NF_DROP 0
@@ -271,6 +275,15 @@ exiterr:
 return false;
 }
 
+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+ int r = sd_notify(0, "READY=1");
+ if (r < 0)
+ DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
 static int nfq_main(void)
 {
 uint8_t buf[16384] __attribute__((aligned));
@@ -291,6 +304,8 @@ static int nfq_main(void)
 if (!nfq_init(&h,&qh))
 return 1;
 
+ notify_ready();
+
 fd = nfq_fd(h);
 do
 {
@@ -484,7 +499,6 @@ static int win_main(const char *windivert_filter)
 if (!logical_net_filter_match())
 {
 DLOG_CONDUP("logical network is not present. waiting it to appear.\n");
- fflush(stdout);
 do
 {
 if (bQuit)
@@ -497,7 +511,6 @@ static int win_main(const char *windivert_filter)
 } while (!logical_net_filter_match());
 DLOG_CONDUP("logical network now present\n");
- fflush(stdout);
 }
 
 if (!windivert_init(windivert_filter))
@@ -508,10 +521,6 @@ static int win_main(const char *windivert_filter)
 DLOG_CONDUP("windivert initialized. capture is started.\n");
 
- // cygwin auto flush fails when piping
- fflush(stdout);
- fflush(stderr);
-
 for (id=0;;id++)
 {
 len = sizeof(packet);
@@ -574,10 +583,6 @@ static int win_main(const char *windivert_filter)
 default: DLOG("packet: id=%u drop\n", id);
 }
-
- // cygwin auto flush fails when piping
- fflush(stdout);
- fflush(stderr);
 }
 }
 win_dark_deinit();
@@ -1409,6 +1414,7 @@ void check_dp(const struct desync_profile *dp)
 int main(int argc, char **argv)
 {
+ disable_console_io_buffering();
 set_env_exedir(argv[0]);
 
 #ifdef __CYGWIN__
diff --git a/tpws/Makefile b/tpws/Makefile
index 9210a63..a50bb5f 100644
--- a/tpws/Makefile
+++ b/tpws/Makefile
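Review bot: `sd_notify(0, "READY=1")` in `notify_ready` leaves NOTIFY_SOCKET in the environment although this is the only notification the code sends; `sd_notify(1, "READY=1")` unsets it, so nothing nfqws executes, and no process that reads its environment later, sees the notification socket path. The call in nfq_main is made by whichever process reaches nfq_main; with the unit's `Type=notify` and default NotifyAccess=main, a daemonizing fork earlier in main (outside this hunk) would make systemd discard the message, which deserves a comment on the `notify_ready();` line. `strerror(-r)` matches libsystemd's negative-errno return convention.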
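Review bot: In win_main's capture loop the removed `fflush(stdout); fflush(stderr);` made output visible once per packet regardless of content, whereas the replacement, `_IOLBF` set in main, only flushes at a newline; any `DLOG` that emits a partial line now stays buffered until the next '\n', which under piping is the very symptom the deleted "cygwin auto flush fails when piping" comment recorded. Either keep a single `fflush(stdout);` at the end of the loop body or document the new invariant where the loop starts: `// stdout/stderr are line-buffered (see main): every log line must end in '\n'`. The loop body continues beyond the hunk.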
@@ -1,7 +1,9 @@
 CC ?= gcc
 CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 LIBS = -lz -lpthread
+LIBS_SYSTEMD = -lz -lsystemd
 LIBS_ANDROID = -lz
 SRC_FILES = *.c
 SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@@ -11,6 +13,9 @@ all: tpws
 tpws: $(SRC_FILES)
 $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
+systemd: $(SRC_FILES)
+ $(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
+
 android: $(SRC_FILES)
 $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
diff --git a/tpws/helpers.c b/tpws/helpers.c
index 3724856..710b81a 100644
--- a/tpws/helpers.c
+++ b/tpws/helpers.c
@@ -383,6 +383,11 @@ bool pf_is_empty(const port_filter *pf)
 return !pf->neg && !pf->from && !pf->to;
 }
 
+void disable_console_io_buffering(void)
+{
+ setvbuf(stdout, NULL, _IOLBF, 0);
+ setvbuf(stderr, NULL, _IOLBF, 0);
+}
 bool set_env_exedir(const char *argv0)
 {
diff --git a/tpws/helpers.h b/tpws/helpers.h
index cda4dcf..4b36662 100644
--- a/tpws/helpers.h
+++ b/tpws/helpers.h
@@ -82,6 +82,7 @@ bool pf_in_range(uint16_t port, const port_filter *pf);
 bool pf_parse(const char *s, port_filter *pf);
 bool pf_is_empty(const port_filter *pf);
+void disable_console_io_buffering(void);
 bool set_env_exedir(const char *argv0);
 #ifndef IN_LOOPBACK
diff --git a/tpws/tpws.c b/tpws/tpws.c
index 30f6703..205dcb9 100644
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@@ -30,6 +30,10 @@
 #include
 #endif
 
+#ifdef USE_SYSTEMD
+#include
+#endif
+
 #include "tpws.h"
 
 #ifdef BSD
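Review bot: `LIBS_SYSTEMD = -lz -lsystemd` silently drops the `-lpthread` that `LIBS = -lz -lpthread` carries for the default build, so the `systemd` target links tpws without the pthread library its default build evidently needs; on glibc 2.34 and later this still links because pthreads live in libc, on older glibc it fails with unresolved `pthread_*` symbols, and the difference would only surface on the older distribution. Define it relative to the base set, `LIBS_SYSTEMD = $(LIBS) -lsystemd`, so future additions to `LIBS` are inherited. The duplicated compile line in the second hunk could likewise be target-specific variables (`systemd: CFLAGS += $(CFLAGS_SYSTEMD)`, `systemd: LIBS += -lsystemd`, `systemd: tpws`) instead of a second copy of the command.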
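Review bot: The new function in tpws/helpers.c runs straight into `bool set_env_exedir(const char *argv0)` with no blank line after `+}`, unlike the same addition in nfq/helpers.c which separates the two definitions; the hunk counts (five added lines here, six there) confirm the difference, and one `+` blank line fixes it. Beyond layout, stderr is unbuffered by default, so `setvbuf(stderr, NULL, _IOLBF, 0)` introduces buffering on the error stream rather than disabling it: a partial error line pending at a crash or SIGKILL is lost, so either restrict the call to stdout or state above the function that every error message must end in '\n'.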
@@ -1688,12 +1692,22 @@ static const char *bindll_s[] = { "unwanted","no","prefer","force" };
 #define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
 #endif
 
+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+ int r = sd_notify(0, "READY=1");
+ if (r < 0)
+ DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
 int main(int argc, char *argv[])
 {
 int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE;
 struct salisten_s list[MAX_BINDS];
 char ip_port[48];
 
+ disable_console_io_buffering();
 set_env_exedir(argv[0]);
 srand(time(NULL));
 mask_from_preflen6_prepare();
@@ -1964,6 +1978,7 @@ int main(int argc, char *argv[])
 signal(SIGHUP, onhup);
 signal(SIGUSR2, onusr2);
 
+ notify_ready();
 retval = event_loop(listen_fd,params.binds_last+1);
 exit_v = retval < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
 DLOG_CONDUP("Exiting\n");
diff --git a/tpws/tpws_conn.c b/tpws/tpws_conn.c
index 1294e74..de6eed9 100644
--- a/tpws/tpws_conn.c
+++ b/tpws/tpws_conn.c
@@ -1755,8 +1755,6 @@ int event_loop(const int *listen_fd, size_t listen_fd_ct)
 // at least one leg was removed. recount legs
 print_legs();
 }
-
- fflush(stderr); fflush(stdout); // for console messages
 }
 
 ex:
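Review bot: `notify_ready` here is byte-identical to the one added in nfq/nfqws.c, and both tools already keep their own helpers.c; defining it beside `disable_console_io_buffering` in each helpers.c would confine the `USE_SYSTEMD` include and the libsystemd coupling to one translation unit per tool instead of the main file. Since READY=1 is the only message sent, `sd_notify(1, "READY=1")` would additionally clear NOTIFY_SOCKET from the environment so the socket path is not inherited by anything tpws spawns afterwards. The call site in the second hunk, just before `event_loop` and after the signal handlers, looks like the right point provided the listen sockets set up earlier in main (outside the hunk) are already bound by then.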