mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-26 12:10:53 +03:00
blockcheck: do not require root if SKIP_PKTWS=1. preserve vars during elevation
This commit is contained in:
parent
f22dcb2487
commit
149a7ed927
112
blockcheck.sh
112
blockcheck.sh
@ -441,58 +441,62 @@ check_prerequisites()
|
||||
}
|
||||
|
||||
local prog progs='curl'
|
||||
case "$UNAME" in
|
||||
Linux)
|
||||
case "$FWTYPE" in
|
||||
iptables)
|
||||
progs="$progs iptables ip6tables"
|
||||
ipt_has_nfq || {
|
||||
echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
|
||||
[ "$SKIP_PKTWS" = 1 ] || {
|
||||
case "$UNAME" in
|
||||
Linux)
|
||||
case "$FWTYPE" in
|
||||
iptables)
|
||||
ipt_has_nfq || {
|
||||
echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
|
||||
exitp 6
|
||||
}
|
||||
progs="$progs iptables ip6tables"
|
||||
;;
|
||||
nftables)
|
||||
nft_has_nfq || {
|
||||
echo nftables queue support is not available. pls install modules.
|
||||
exitp 6
|
||||
}
|
||||
progs="$progs nft"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
FreeBSD)
|
||||
freebsd_modules_loaded ipfw ipdivert || {
|
||||
echo ipfw or ipdivert kernel module not loaded
|
||||
exitp 6
|
||||
}
|
||||
;;
|
||||
nftables)
|
||||
nft_has_nfq || {
|
||||
echo nftables queue support is not available. pls install modules.
|
||||
exitp 6
|
||||
}
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
FreeBSD)
|
||||
progs="$progs ipfw"
|
||||
freebsd_modules_loaded ipfw ipdivert || {
|
||||
echo ipfw or ipdivert kernel module not loaded
|
||||
exitp 6
|
||||
}
|
||||
[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
|
||||
echo ipfw is disabled. use : ipfw enable firewall
|
||||
exitp 6
|
||||
}
|
||||
pf_is_avail && {
|
||||
pf_save
|
||||
[ "$SUBSYS" = "pfSense" ] && {
|
||||
# pfsense's ipfw may not work without these workarounds
|
||||
sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
|
||||
sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
|
||||
sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
|
||||
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
|
||||
pfctl -qd
|
||||
pfctl -qe
|
||||
pf_restore
|
||||
}
|
||||
}
|
||||
;;
|
||||
OpenBSD|Darwin)
|
||||
progs="$progs pfctl"
|
||||
pf_is_avail || {
|
||||
echo pf is not available
|
||||
exitp 6
|
||||
}
|
||||
# no divert sockets in MacOS
|
||||
[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
|
||||
pf_save
|
||||
;;
|
||||
[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
|
||||
echo ipfw is disabled. use : ipfw enable firewall
|
||||
exitp 6
|
||||
}
|
||||
pf_is_avail && {
|
||||
pf_save
|
||||
[ "$SUBSYS" = "pfSense" ] && {
|
||||
# pfsense's ipfw may not work without these workarounds
|
||||
sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
|
||||
sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
|
||||
sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
|
||||
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
|
||||
pfctl -qd
|
||||
pfctl -qe
|
||||
pf_restore
|
||||
}
|
||||
}
|
||||
progs="$progs ipfw"
|
||||
;;
|
||||
OpenBSD|Darwin)
|
||||
pf_is_avail || {
|
||||
echo pf is not available
|
||||
exitp 6
|
||||
}
|
||||
pf_save
|
||||
progs="$progs pfctl"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
case "$UNAME" in
|
||||
CYGWIN)
|
||||
SKIP_TPWS=1
|
||||
;;
|
||||
@ -915,7 +919,9 @@ pktws_start()
|
||||
}
|
||||
tpws_start()
|
||||
{
|
||||
"$TPWS" --uid $TPWS_UID:$TPWS_GID --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
|
||||
local uid
|
||||
[ -n "$HAVE_ROOT" ] && uid="--uid $TPWS_UID:$TPWS_GID"
|
||||
"$TPWS" $uid --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
|
||||
PID=$!
|
||||
# give some time to initialize
|
||||
minsleep
|
||||
@ -1942,7 +1948,9 @@ fsleep_setup
|
||||
fix_sbin_path
|
||||
check_system
|
||||
check_already
|
||||
[ "$UNAME" = CYGWIN ] || require_root
|
||||
# no divert sockets in MacOS
|
||||
[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
|
||||
[ "$UNAME" != CYGWIN -a "$SKIP_PKTWS" != 1 ] && require_root
|
||||
check_prerequisites
|
||||
trap sigint_cleanup INT
|
||||
check_dns
|
||||
|
@ -1,13 +1,28 @@
|
||||
require_root()
|
||||
{
|
||||
local exe
|
||||
local exe preserve_env
|
||||
echo \* checking privileges
|
||||
[ $(id -u) -ne "0" ] && {
|
||||
echo root is required
|
||||
exe="$EXEDIR/$(basename "$0")"
|
||||
exists sudo && exec sudo sh "$exe"
|
||||
exists su && exec su root -c "sh \"$exe\""
|
||||
exists sudo && {
|
||||
echo elevating with sudo
|
||||
exec sudo -E sh "$exe"
|
||||
}
|
||||
exists su && {
|
||||
echo elevating with su
|
||||
case "$UNAME" in
|
||||
Linux)
|
||||
preserve_env="--preserve-environment"
|
||||
;;
|
||||
FreeBSD|OpenBSD|Darwin)
|
||||
preserve_env="-m"
|
||||
;;
|
||||
esac
|
||||
exec su $preserve_env root -c "sh \"$exe\""
|
||||
}
|
||||
echo su or sudo not found
|
||||
exitp 2
|
||||
}
|
||||
HAVE_ROOT=1
|
||||
}
|
||||
|
@ -352,3 +352,5 @@ nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP.
|
||||
nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
|
||||
config: <HOSTLIST_NOAUTO> marker
|
||||
binaries: remove zapret-winws. add win32.
|
||||
blockcheck, install_easy.sh: preserve user environment variables during elevation
|
||||
blockcheck: do not require root if SKIP_PKTWS=1
|
||||
|
@ -935,7 +935,7 @@ To use standard updatable hostlists from the `ipset` dir use `<HOSTLIST>` placeh
|
||||
with hostlist parameters if `MODE_FILTER` variable enables hostlists and is removed otherwise.
|
||||
Standard hostlists are expected in final (fallback) strategies closing groups of filter parameters.
|
||||
Don't use `<HOSTLIST>` in highly specialized profiles. Use your own filter or hostlist(s).
|
||||
`<HOSTLIST_NOAUTO>` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile.
|
||||
`<HOSTLIST_AUTO>` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile.
|
||||
If any other profile adds something this profile accepts the change automatically.
|
||||
|
||||
|
||||
|
@ -1282,7 +1282,7 @@ standard дает возможность провести исследовани
|
||||
force дает максимум проверок даже в случаях, когда ресурс работает без обхода или с более простыми стратегиями.
|
||||
|
||||
Есть ряд других параметров, которые не будут спрашиваться в диалоге, но которые можно переопределить через
|
||||
переменные. Переопределение работает только из рутового шелла. При повышении привилегий через su/sudo переменные теряются.
|
||||
переменные.
|
||||
|
||||
DOMAINS - список тестируемых доменов через пробел
|
||||
CURL_MAX_TIME - время таймаута curl в секундах
|
||||
|
Loading…
Reference in New Issue
Block a user