nfqws: works without root now

init.d/sysv/functions

@@ -8,20 +8,21 @@ PIDDIR=/var/run
 
 IPSET_CR=$ZAPRET_BASE/ipset/create_ipset.sh
 
+WS_USER=tpws
+
 QNUM=200
 NFQWS=$ZAPRET_BASE/nfq/nfqws
-NFQWS_OPT_BASE="--qnum=$QNUM"
+NFQWS_OPT_BASE="--qnum=$QNUM --user=$WS_USER"
 
-TPWS_USER=tpws
 TPPORT_HTTP=1188
 TPPORT_HTTPS=1189
 TPWS=$ZAPRET_BASE/tpws/tpws
 TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt.gz
 [ -f "$TPWS_HOSTLIST" ] || TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts-user.txt
-TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
-TPWS_OPT_BASE6="--user=$TPWS_USER --bind-addr=::1"
+TPWS_OPT_BASE="--user=$WS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE6="--user=$WS_USER --bind-addr=::1"
 # first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
-TPWS_OPT_BASE6_PRE="--user=$TPWS_USER --bind-linklocal=prefer --bind-wait-ifup=30 --bind-wait-ip=30 --bind-wait-ip-linklocal=3"
+TPWS_OPT_BASE6_PRE="--user=$WS_USER --bind-linklocal=prefer --bind-wait-ifup=30 --bind-wait-ip=30 --bind-wait-ip-linklocal=3"
 TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP"
 TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS"
 
@@ -169,7 +170,7 @@ fw_tpws()
 		[ -n "$IFACE_LAN" ] && {
 			ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to 127.0.0.1:$4
 	 	}
-		ipt_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to 127.0.0.1:$4
+		ipt_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $WS_USER -p tcp $2 -j DNAT --to 127.0.0.1:$4
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
 		print_op $1 "$3" "tpws" 6
@@ -177,7 +178,7 @@ fw_tpws()
 			dnat6_target
 			[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $3 -j DNAT --to [$DNAT6_TARGET]:$4
 	 	}
-		ipt6_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $3 -j DNAT --to [::1]:$4
+		ipt6_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $WS_USER -p tcp $3 -j DNAT --to [::1]:$4
 	}
 }
 fw_nfqws_pre()
@@ -266,16 +267,25 @@ do_daemon()
 }
 
 
-prepare_tpws()
+prepare_user()
 {
-	# $TPWS_USER is required to prevent redirection of the traffic originating from TPWS itself
+	# $WS_USER is required to prevent redirection of the traffic originating from TPWS itself
 	# otherwise infinite loop will occur
 	# also its good idea not to run tpws as root
-	id -u $TPWS_USER >/dev/null 2>/dev/null || useradd --no-create-home --system --shell /bin/false $TPWS_USER
+	id -u $WS_USER >/dev/null 2>/dev/null || useradd --no-create-home --system --shell /bin/false $WS_USER
+}
+prepare_tpws()
+{
+	prepare_user
+
 	# otherwise linux kernel will treat 127.0.0.1 as "martian" ip and refuse routing to it
 	# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.1
 	[ -n "$IFACE_LAN" ] && sysctl -qw net.ipv4.conf.$IFACE_LAN.route_localnet=1
 }
+prepare_nfqws()
+{
+	prepare_user
+}
 do_tpws()
 {
 	# $1 : 1 - run, 0 - stop
@@ -289,6 +299,15 @@ do_tpws()
 		[ -n "$IFACE_LAN" ] && do_daemon $1 $((660+$2)) $TPWS "$TPWS_OPT_BASE6_PRE --bind-iface6=$IFACE_LAN $3"
 	}
 }
+do_nfqws()
+{
+	# $1 : 1 - run, 0 - stop
+	# $2 : daemon number
+	# $3 : daemon args
+
+	[ "$1" = "1" ] && prepare_nfqws
+	do_daemon $1 $2 $NFQWS "$NFQWS_OPT_BASE $3"
+}
 
 
 create_ipset()
@@ -385,7 +404,7 @@ zapret_do_daemons()
 			do_tpws $1 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 			;;
 	    nfqws_ipset|nfqws_ipset_https|nfqws_all|nfqws_all_https)
-			do_daemon $1 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
+			do_nfqws $1 1 "$NFQWS_OPT"
 			;;
 	    custom)
 			# PLACEHOLDER