nfqws,tpws: do most checks before daemonize

This commit is contained in:
bol-van 2025-05-09 10:32:11 +03:00
parent e62fb2f0f4
commit 691a501b0d
5 changed files with 95 additions and 28 deletions


@ -492,5 +492,6 @@ nfqws: ipcache of hop count and host names
nfqws: --ctrack-disable nfqws: --ctrack-disable
tpws: ipcache of host names tpws: ipcache of host names
nfqws,tpws: set 1024 repeat limit to fakes and dups nfqws,tpws: set 1024 repeat limit to fakes and dups
nfqws,tpws: do more before daemonize
init.d: remove --ipset parameter prohibition init.d: remove --ipset parameter prohibition
init.d, blockcheck: drop time exceeded icmp for nfqws-related connections init.d, blockcheck: drop time exceeded icmp for nfqws-related connections


@ -288,19 +288,40 @@ static int nfq_main(void)
struct nfq_q_handle *qh = NULL; struct nfq_q_handle *qh = NULL;
int fd,e; int fd,e;
ssize_t rd; ssize_t rd;
FILE *Fpid = NULL;
sec_harden(); if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) {
DLOG_PERROR("create pidfile");
return 1; return 1;
}
if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
goto err;
print_id(); print_id();
if (params.droproot && !test_list_files()) if (params.droproot && !test_list_files())
return 1; goto err;
pre_desync();
if (!nfq_init(&h,&qh)) if (!nfq_init(&h,&qh))
return 1; goto err;
if (params.daemon) daemonize();
// do it only after daemonize because daemonize needs fork
sec_harden();
if (Fpid)
{
if (fprintf(Fpid, "%d", getpid())<=0)
{
DLOG_PERROR("write pidfile");
goto err;
}
fclose(Fpid);
Fpid=NULL;
}
pre_desync();
notify_ready(); notify_ready();
fd = nfq_fd(h); fd = nfq_fd(h);
@ -326,6 +347,9 @@ static int nfq_main(void)
nfq_deinit(&h,&qh); nfq_deinit(&h,&qh);
return 0; return 0;
err:
if (Fpid) fclose(Fpid);
return 1;
} }
#elif defined(BSD) #elif defined(BSD)
@ -340,6 +364,13 @@ static int dvt_main(void)
socklen_t socklen; socklen_t socklen;
ssize_t rd,wr; ssize_t rd,wr;
fd_set fdset; fd_set fdset;
FILE *Fpid = NULL;
if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
{
DLOG_PERROR("create pidfile");
return 1;
}
{ {
struct sockaddr_in bp4; struct sockaddr_in bp4;
@ -391,12 +422,26 @@ static int dvt_main(void)
if (!rawsend_preinit(false,false)) if (!rawsend_preinit(false,false))
goto exiterr; goto exiterr;
if (params.droproot && !droproot(params.uid, params.gid)) if (params.droproot && !droproot(params.uid, params.gid))
goto exiterr; goto exiterr;
print_id(); print_id();
if (params.droproot && !test_list_files()) if (params.droproot && !test_list_files())
goto exiterr; goto exiterr;
if (params.daemon) daemonize();
if (Fpid)
{
if (fprintf(Fpid, "%d", getpid())<=0)
{
DLOG_PERROR("write pidfile");
goto exiterr;
}
fclose(Fpid);
Fpid=NULL;
}
pre_desync(); pre_desync();
for(;;) for(;;)
@ -464,6 +509,7 @@ static int dvt_main(void)
res=0; res=0;
exiterr: exiterr:
if (Fpid) fclose(Fpid);
if (fd[0]!=-1) close(fd[0]); if (fd[0]!=-1) close(fd[0]);
if (fd[1]!=-1) close(fd[1]); if (fd[1]!=-1) close(fd[1]);
return res; return res;
@ -483,7 +529,19 @@ static int win_main(const char *windivert_filter)
WINDIVERT_ADDRESS wa; WINDIVERT_ADDRESS wa;
char ifname[IFNAMSIZ]; char ifname[IFNAMSIZ];
pre_desync(); if (params.daemon)
{
// cygwin loses current dir
char *cwd = get_current_dir_name();
daemonize();
chdir(cwd);
}
if (*params.pidfile && !writepid(params.pidfile))
{
DLOG_ERR("could not write pidfile");
return ERROR_TOO_MANY_OPEN_FILES; // code 4 = The system cannot open the file
}
if (!win_dark_init(&params.ssid_filter, &params.nlm_filter)) if (!win_dark_init(&params.ssid_filter, &params.nlm_filter))
{ {
@ -491,6 +549,8 @@ static int win_main(const char *windivert_filter)
return w_win32_error; return w_win32_error;
} }
pre_desync();
for(;;) for(;;)
{ {
if (!logical_net_filter_match()) if (!logical_net_filter_match())
@ -1855,8 +1915,7 @@ int main(int argc, char **argv)
#endif #endif
int result, v; int result, v;
int option_index = 0; int option_index = 0;
bool daemon = false, bSkip = false, bDry = false; bool bSkip = false, bDry = false;
char pidfile[256];
struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL; struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL; struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
#ifdef __CYGWIN__ #ifdef __CYGWIN__
@ -1873,7 +1932,6 @@ int main(int argc, char **argv)
PRINT_VER; PRINT_VER;
memset(&params, 0, sizeof(params)); memset(&params, 0, sizeof(params));
*pidfile = 0;
struct desync_profile_list *dpl; struct desync_profile_list *dpl;
struct desync_profile *dp; struct desync_profile *dp;
@ -1999,11 +2057,10 @@ int main(int argc, char **argv)
break; break;
#endif #endif
case IDX_DAEMON: case IDX_DAEMON:
daemon = true; params.daemon = true;
break; break;
case IDX_PIDFILE: case IDX_PIDFILE:
strncpy(pidfile, optarg, sizeof(pidfile)); snprintf(params.pidfile,sizeof(params.pidfile),"%s",optarg);
pidfile[sizeof(pidfile) - 1] = '\0';
break; break;
#ifndef __CYGWIN__ #ifndef __CYGWIN__
case IDX_USER: case IDX_USER:
@ -2964,14 +3021,6 @@ int main(int argc, char **argv)
exit_clean(0); exit_clean(0);
} }
if (daemon) daemonize();
if (*pidfile && !writepid(pidfile))
{
DLOG_ERR("could not write pidfile\n");
goto exiterr;
}
if (params.ctrack_disable) if (params.ctrack_disable)
DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n"); DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n");
else else
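Review bot: The pidfile write check added to nfq_main (and repeated verbatim in dvt_main) only tests fprintf, which for a freshly opened stream just fills the stdio buffer; the real write(2) happens in the unchecked `fclose(Fpid)` that follows, so ENOSPC or EIO on the pidfile is never reported and the daemon carries on with an empty pidfile. Fold the fclose result into the check, as below, and set `Fpid=NULL` before `goto err` so the err path does not close the stream a second time. Separately, win_main's `chdir(cwd)` passes whatever `get_current_dir_name()` returned without a NULL check, ignores chdir's result and never frees the buffer; `if (cwd) { chdir(cwd); free(cwd); }` covers the first and last of those. The nfq_main and dvt_main hunks cut through their bodies and main() starts before its hunks.
```c
	if (Fpid)
	{
		bool bad = fprintf(Fpid, "%d", getpid())<=0;
		// fprintf only buffers; the actual write happens at fclose, so its result counts too
		if (fclose(Fpid)!=0) bad = true;
		Fpid=NULL;
		if (bad)
		{
			DLOG_PERROR("write pidfile");
			goto err;
		}
	}
	/* … unchanged: pre_desync(), notify_ready(), nfq_fd() … */
```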


@ -170,6 +170,8 @@ struct params_s
char debug_logfile[PATH_MAX]; char debug_logfile[PATH_MAX];
bool debug; bool debug;
bool daemon;
#ifdef __linux__ #ifdef __linux__
int qnum; int qnum;
#elif defined(BSD) #elif defined(BSD)
@ -187,6 +189,7 @@ struct params_s
uid_t uid; uid_t uid;
gid_t gid; gid_t gid;
#endif #endif
char pidfile[PATH_MAX];
char hostlist_auto_debuglog[PATH_MAX]; char hostlist_auto_debuglog[PATH_MAX];


@ -192,20 +192,21 @@ static bool set_seccomp(void)
bool sec_harden(void) bool sec_harden(void)
{ {
bool bRes = true;
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
{ {
DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)"); DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)");
return false; bRes = false;
} }
#if ARCH_NR!=0 #if ARCH_NR!=0
if (!set_seccomp()) if (!set_seccomp())
{ {
DLOG_PERROR("seccomp"); DLOG_PERROR("seccomp");
if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n"); if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n");
return false; bRes = false;
} }
#endif #endif
return true; return bRes;
} }
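Review bot: sec_harden now continues after PR_SET_NO_NEW_PRIVS fails and reports the combined outcome in bRes, but the only visible caller, the bare `sec_harden();` in nfq_main, discards that result, so a process whose seccomp filter failed to install keeps running unsandboxed with nothing but a log line to show for it. Either the caller should act on `false` (at minimum a DLOG_ERR stating that the process is running without the sandbox, or a fatal exit for the non-EINVAL case) or the function should document the contract, e.g. `// Best-effort hardening: sets NO_NEW_PRIVS and installs the seccomp filter; returns false if either step failed, and a caller that ignores that keeps running unhardened.` Note also that after a NO_NEW_PRIVS failure the seccomp attempt that now follows will presumably fail too if it needs NO_NEW_PRIVS or a capability that nfq_main has already dropped by this point, so the second error in the log is a consequence of the first rather than an independent problem.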


@ -1832,6 +1832,7 @@ int main(int argc, char *argv[])
int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE; int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE;
struct salisten_s list[MAX_BINDS]; struct salisten_s list[MAX_BINDS];
char ip_port[48]; char ip_port[48];
FILE *Fpid = NULL;
set_console_io_buffering(); set_console_io_buffering();
set_env_exedir(argv[0]); set_env_exedir(argv[0]);
@ -2078,11 +2079,9 @@ int main(int argc, char *argv[])
DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n"); DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n");
if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n"); if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n");
if (params.daemon) daemonize(); if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
if (*params.pidfile && !writepid(params.pidfile))
{ {
DLOG_ERR("could not write pidfile\n"); DLOG_PERROR("create pidfile");
goto exiterr; goto exiterr;
} }
@ -2098,6 +2097,19 @@ int main(int argc, char *argv[])
if (params.droproot && !test_list_files()) if (params.droproot && !test_list_files())
goto exiterr; goto exiterr;
if (params.daemon) daemonize();
if (Fpid)
{
if (fprintf(Fpid, "%d", getpid())<=0)
{
DLOG_PERROR("write pidfile");
goto exiterr;
}
fclose(Fpid);
Fpid=NULL;
}
//splice() causes the process to receive the SIGPIPE-signal if one part (for //splice() causes the process to receive the SIGPIPE-signal if one part (for
//example a socket) is closed during splice(). I would rather have splice() //example a socket) is closed during splice(). I would rather have splice()
//fail and return -1, so blocking SIGPIPE. //fail and return -1, so blocking SIGPIPE.
@ -2114,6 +2126,7 @@ int main(int argc, char *argv[])
DLOG_CONDUP("Exiting\n"); DLOG_CONDUP("Exiting\n");
exiterr: exiterr:
if (Fpid) fclose(Fpid);
redir_close(); redir_close();
for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]); for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]);
cleanup_params(); cleanup_params();
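Review bot: If anything between the fopen in the `create pidfile` block and the write after daemonize() fails (droproot, test_list_files, or whatever lies in the unseen lines between the two hunks), exiterr only does `if (Fpid) fclose(Fpid);`, so a freshly created or truncated but empty pidfile is left on disk for the init script to find; the previous writepid() path at least wrote a pid. Since a still-open Fpid at exiterr means the pid was never written, remove it there: `if (Fpid) { fclose(Fpid); unlink(params.pidfile); }`. Note too that the fopen runs while the process is still privileged (droproot comes later) and `"w"` follows symlinks, which is unchanged from before but worth keeping in mind for where the pidfile is allowed to live. main() starts before these hunks and continues past the last one.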