nfqws,tpws: do most checks before daemonize

2025-05-09 23:32:57 +03:00 · 2025-05-09 10:32:11 +03:00 · 2025-05-09 10:32:11 +03:00 · 691a501b0d
commit 691a501b0d
parent e62fb2f0f4
5 changed files with 95 additions and 28 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -492,5 +492,6 @@ nfqws: ipcache of hop count and host names
 nfqws: --ctrack-disable
 tpws: ipcache of host names
 nfqws,tpws: set 1024 repeat limit to fakes and dups
+nfqws,tpws: do more before daemonize
 init.d: remove --ipset parameter prohibition
 init.d, blockcheck: drop time exceeded icmp for nfqws-related connections
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -288,19 +288,40 @@ static int nfq_main(void)
 	struct nfq_q_handle *qh = NULL;
 	int fd,e;
 	ssize_t rd;
+	FILE *Fpid = NULL;

-	sec_harden();
-	if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
+	if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
+	{
+		DLOG_PERROR("create pidfile");
 		return 1;
+	}
+
+	if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
+		goto err;
 	print_id();
 	if (params.droproot && !test_list_files())
-		return 1;
-
-	pre_desync();
+		goto err;

 	if (!nfq_init(&h,&qh))
-		return 1;
+		goto err;

+	if (params.daemon) daemonize();
+
+	// do it only after daemonize because daemonize needs fork
+	sec_harden();
+
+	if (Fpid)
+	{
+		if (fprintf(Fpid, "%d", getpid())<=0)
+		{
+			DLOG_PERROR("write pidfile");
+			goto err;
+		}
+		fclose(Fpid);
+		Fpid=NULL;
+	}
+
+	pre_desync();
 	notify_ready();

 	fd = nfq_fd(h);
@ -326,6 +347,9 @@ static int nfq_main(void)

 	nfq_deinit(&h,&qh);
 	return 0;
+err:
+	if (Fpid) fclose(Fpid);
+	return 1;
 }

 #elif defined(BSD)
@ -340,6 +364,13 @@ static int dvt_main(void)
 	socklen_t socklen;
 	ssize_t rd,wr;
 	fd_set fdset;
+	FILE *Fpid = NULL;
+
+	if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
+	{
+		DLOG_PERROR("create pidfile");
+		return 1;
+	}

 	{
 		struct sockaddr_in bp4;
@ -391,12 +422,26 @@ static int dvt_main(void)
 	if (!rawsend_preinit(false,false))
 		goto exiterr;

+
 	if (params.droproot && !droproot(params.uid, params.gid))
 		goto exiterr;
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto exiterr;

+	if (params.daemon) daemonize();
+
+	if (Fpid)
+	{
+		if (fprintf(Fpid, "%d", getpid())<=0)
+		{
+			DLOG_PERROR("write pidfile");
+			goto exiterr;
+		}
+		fclose(Fpid);
+		Fpid=NULL;
+	}
+
 	pre_desync();

 	for(;;)
@ -464,6 +509,7 @@ static int dvt_main(void)

 	res=0;
 exiterr:
+	if (Fpid) fclose(Fpid);
 	if (fd[0]!=-1) close(fd[0]);
 	if (fd[1]!=-1) close(fd[1]);
 	return res;
@ -483,7 +529,19 @@ static int win_main(const char *windivert_filter)
 	WINDIVERT_ADDRESS wa;
 	char ifname[IFNAMSIZ];

-	pre_desync();
+	if (params.daemon)
+	{
+		// cygwin loses current dir
+		char *cwd = get_current_dir_name();
+		daemonize();
+		chdir(cwd);
+	}
+
+	if (*params.pidfile && !writepid(params.pidfile))
+	{
+		DLOG_ERR("could not write pidfile");
+		return ERROR_TOO_MANY_OPEN_FILES; // code 4 = The system cannot open the file
+	}

 	if (!win_dark_init(&params.ssid_filter, &params.nlm_filter))
 	{
@ -491,6 +549,8 @@ static int win_main(const char *windivert_filter)
 		return w_win32_error;
 	}

+	pre_desync();
+
 	for(;;)
 	{
 		if (!logical_net_filter_match())
@ -1855,8 +1915,7 @@ int main(int argc, char **argv)
 #endif
 	int result, v;
 	int option_index = 0;
-	bool daemon = false, bSkip = false, bDry = false;
-	char pidfile[256];
+	bool bSkip = false, bDry = false;
 	struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
 	struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
 #ifdef __CYGWIN__
@ -1873,7 +1932,6 @@ int main(int argc, char **argv)
 	PRINT_VER;

 	memset(&params, 0, sizeof(params));
-	*pidfile = 0;

 	struct desync_profile_list *dpl;
 	struct desync_profile *dp;
@ -1999,11 +2057,10 @@ int main(int argc, char **argv)
 			break;
 #endif
 		case IDX_DAEMON:
-			daemon = true;
+			params.daemon = true;
 			break;
 		case IDX_PIDFILE:
-			strncpy(pidfile, optarg, sizeof(pidfile));
-			pidfile[sizeof(pidfile) - 1] = '\0';
+			snprintf(params.pidfile,sizeof(params.pidfile),"%s",optarg);
 			break;
 #ifndef __CYGWIN__
 		case IDX_USER:
@ -2964,14 +3021,6 @@ int main(int argc, char **argv)
 		exit_clean(0);
 	}

-	if (daemon) daemonize();
-
-	if (*pidfile && !writepid(pidfile))
-	{
-		DLOG_ERR("could not write pidfile\n");
-		goto exiterr;
-	}
-
 	if (params.ctrack_disable)
 		DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n");
 	else
--- a/nfq/params.h
+++ b/nfq/params.h
@ -170,6 +170,8 @@ struct params_s
 	char debug_logfile[PATH_MAX];
 	bool debug;

+	bool daemon;
+
 #ifdef __linux__
 	int qnum;
 #elif defined(BSD)
@ -187,6 +189,7 @@ struct params_s
 	uid_t uid;
 	gid_t gid;
 #endif
+	char pidfile[PATH_MAX];

 	char hostlist_auto_debuglog[PATH_MAX];

--- a/nfq/sec.c
+++ b/nfq/sec.c
@ -192,20 +192,21 @@ static bool set_seccomp(void)

 bool sec_harden(void)
 {
+	bool bRes = true;
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
 	{
 		DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)");
-		return false;
+		bRes = false;
 	}
 #if ARCH_NR!=0
 	if (!set_seccomp())
 	{
 		DLOG_PERROR("seccomp");
 		if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n");
-		return false;
+		bRes = false;
 	}
 #endif
-	return true;
+	return bRes;
 }


--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@ -1832,6 +1832,7 @@ int main(int argc, char *argv[])
 	int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE;
 	struct salisten_s list[MAX_BINDS];
 	char ip_port[48];
+	FILE *Fpid = NULL;

 	set_console_io_buffering();
 	set_env_exedir(argv[0]);
@ -2078,11 +2079,9 @@ int main(int argc, char *argv[])
 	DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n");
 	if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n");

-	if (params.daemon) daemonize();
-
-	if (*params.pidfile && !writepid(params.pidfile))
+	if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
 	{
-		DLOG_ERR("could not write pidfile\n");
+		DLOG_PERROR("create pidfile");
 		goto exiterr;
 	}

@ -2098,6 +2097,19 @@ int main(int argc, char *argv[])
 	if (params.droproot && !test_list_files())
 		goto exiterr;

+	if (params.daemon) daemonize();
+
+	if (Fpid)
+	{
+		if (fprintf(Fpid, "%d", getpid())<=0)
+		{
+			DLOG_PERROR("write pidfile");
+			goto exiterr;
+		}
+		fclose(Fpid);
+		Fpid=NULL;
+	}
+
 	//splice() causes the process to receive the SIGPIPE-signal if one part (for
 	//example a socket) is closed during splice(). I would rather have splice()
 	//fail and return -1, so blocking SIGPIPE.
@ -2114,6 +2126,7 @@ int main(int argc, char *argv[])
 	DLOG_CONDUP("Exiting\n");
 	
 exiterr:
+	if (Fpid) fclose(Fpid);
 	redir_close();
 	for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]);
 	cleanup_params();