drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-05-24 22:32:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: drygdryg:2db1ebafe3542e0ad5c9b245137667266ec35a19
Branches Tags
drygdryg:master
drygdryg:v71
drygdryg:v70.6
drygdryg:v70.5
drygdryg:v70.4
drygdryg:v70.3
drygdryg:v70
drygdryg:v69.9
drygdryg:v69.8
drygdryg:v69.7
drygdryg:v69.6
drygdryg:v69.5
drygdryg:v69.4
drygdryg:v69.3
drygdryg:v69.2
drygdryg:v69.1
drygdryg:v69
drygdryg:v68
drygdryg:v67
drygdryg:v66
drygdryg:v65
drygdryg:v64
..
compare: drygdryg:8b73e2ea8e6882b191dca700f8c6ff8588bcb749
Branches Tags
drygdryg:master
drygdryg:v71
drygdryg:v70.6
drygdryg:v70.5
drygdryg:v70.4
drygdryg:v70.3
drygdryg:v70
drygdryg:v69.9
drygdryg:v69.8
drygdryg:v69.7
drygdryg:v69.6
drygdryg:v69.5
drygdryg:v69.4
drygdryg:v69.3
drygdryg:v69.2
drygdryg:v69.1
drygdryg:v69
drygdryg:v68
drygdryg:v67
drygdryg:v66
drygdryg:v65
drygdryg:v64

No commits in common. "2db1ebafe3542e0ad5c9b245137667266ec35a19" and "8b73e2ea8e6882b191dca700f8c6ff8588bcb749" have entirely different histories.
2db1ebafe3 ... 8b73e2ea8e

20 changed files with 15 additions and 222 deletions
Show Stats Expand all files Collapse all files

13
Makefile
View File

@ -15,19 +15,6 @@ all: clean
done \ done \
done done
systemd: clean
@mkdir -p "$(TGT)"; \
for dir in $(DIRS); do \
find "$$dir" -type f \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
$(MAKE) -C "$$dir" systemd || exit; \
for exe in "$$dir/"*; do \
if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
mv -f "$$exe" "${TGT}" ; \
ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
fi \
done \
done
android: clean android: clean
@mkdir -p "$(TGT)"; \ @mkdir -p "$(TGT)"; \
for dir in $(DIRS); do \ for dir in $(DIRS); do \

2
docs/changes.txt
View File

@ -462,5 +462,3 @@ nfqws,tpws: --version
v70.4 v70.4
nfqws,tpws: ^ prefix in hostlist to disable subdomain matches nfqws,tpws: ^ prefix in hostlist to disable subdomain matches
nfqws,tpws: optional systemd notify support. compile using 'make systemd'
nfqws,tpws: systemd instance templates for nfqws and tpws

4
docs/readme.en.md
View File

@ -703,9 +703,9 @@ tpws is transparent proxy.
--ipset-exclude=<filename> ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed) --ipset-exclude=<filename> ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
--ipset-exclude-ip=<ip_list> ; comma separated fixed subnet list --ipset-exclude-ip=<ip_list> ; comma separated fixed subnet list
--hostlist=<filename> ; only act on hosts in the list (one host per line, subdomains auto apply if not prefixed with '^', gzip supported, multiple hostlists allowed) --hostlist=<filename> ; only act on hosts in the list (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
--hostlist-domains=<domain_list> ; comma separated fixed domain list --hostlist-domains=<domain_list> ; comma separated fixed domain list
--hostlist-exclude=<filename> ; do not act on hosts in the list (one host per line, subdomains auto apply if not prefixed with '^', gzip supported, multiple hostlists allowed) --hostlist-exclude=<filename> ; do not act on hosts in the list (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
--hostlist-exclude-domains=<domain_list> ; comma separated fixed domain list --hostlist-exclude-domains=<domain_list> ; comma separated fixed domain list
--hostlist-auto=<filename> ; detect DPI blocks and build hostlist automatically --hostlist-auto=<filename> ; detect DPI blocks and build hostlist automatically
--hostlist-auto-fail-threshold=<int> ; how many failed attempts cause hostname to be added to auto hostlist (default : 3) --hostlist-auto-fail-threshold=<int> ; how many failed attempts cause hostname to be added to auto hostlist (default : 3)

10
docs/readme.md
View File

@ -57,7 +57,6 @@ zapret является свободным и open source.
- [Прикручивание к системе управления фаерволом или своей системе запуска](#прикручивание-к-системе-управления-фаерволом-или-своей-системе-запуска) - [Прикручивание к системе управления фаерволом или своей системе запуска](#прикручивание-к-системе-управления-фаерволом-или-своей-системе-запуска)
- [Вариант custom](#вариант-custom) - [Вариант custom](#вариант-custom)
- [Простая установка](#простая-установка) - [Простая установка](#простая-установка)
- [Установка под systemd](#установка-под-systemd)
- [Простая установка на openwrt](#простая-установка-на-openwrt) - [Простая установка на openwrt](#простая-установка-на-openwrt)
- [Установка на openwrt в режиме острой нехватки места на диске](#установка-на-openwrt-в-режиме-острой-нехватки-места-на-диске) - [Установка на openwrt в режиме острой нехватки места на диске](#установка-на-openwrt-в-режиме-острой-нехватки-места-на-диске)
- [Android](#android) - [Android](#android)
@ -2003,15 +2002,6 @@ zapret_custom_firewall_nft поднимает правила nftables.
Деинсталляция выполняется через `uninstall_easy.sh`. После выполнения деинсталляции можно удалить каталог `/opt/zapret`. Деинсталляция выполняется через `uninstall_easy.sh`. После выполнения деинсталляции можно удалить каталог `/opt/zapret`.
## Установка под systemd
Если вам нравится systemd и хочется максимально под него заточиться, можно отказаться от скриптов запуска zapret
и поднимать инстансы `tpws` и `nfqws` как отдельные юниты systemd. При этом вам придется вручную написать правила iptables/nftables
и каким-то образом их поднимать. Например, написать дополнительный systemd unit для этого.
Так же требуется собрать бинарники особым образом через `make systemd`.
В комплекте zapret есть шаблоны `init.d/systemd/{nfqws@.service,tpws@.service}`.
Краткий перечень команд для их использования приведен в комментариях в этих файлах.
## Простая установка на openwrt ## Простая установка на openwrt

65
init.d/systemd/nfqws@.service
View File

@ -1,65 +0,0 @@
# Example systemd service unit for nfqws. Adjust for your installation.
# WARNING ! This unit requires to compile nfqws using `make systemd`
# WARNING ! This makefile target enabled special systemd notify support.
# PREPARE
# install build depends
# make -C /opt/zapret systemd
# cp nfqws@service /lib/systemd/system
# systemctl daemon-reload
# MANAGE INSTANCE
# prepare /etc/zapret/nfqws1.conf with nfqws parameters
# systemctl start nfqws@nfqws1
# systemctl status nfqws@nfqws1
# systemctl restart nfqws@nfqws1
# systemctl enable nfqws@nfqws1
# systemctl disable nfqws@nfqws1
# systemctl stop nfqws@nfqws1
# DELETE
# rm /lib/systemd/system/nfqws@.service
# systemctl daemon-reload
[Unit]
After=network.target
[Service]
Type=notify
Restart=on-failure
ExecSearchPath=/opt/zapret/binaries/my
ExecStart=nfqws @${CONFIG_DIR}/${INSTANCE}.conf
Environment=CONFIG_DIR=/etc/zapret
Environment=INSTANCE=%i
RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=full
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources
UMask=0077
[Install]
WantedBy=multi-user.target

63
init.d/systemd/tpws@.service
View File

@ -1,63 +0,0 @@
# Example systemd service unit for tpws. Adjust for your installation.
# WARNING ! This unit requires to compile tpws using `make systemd`
# WARNING ! This makefile target enabled special systemd notify support.
# PREPARE
# install build depends
# make -C /opt/zapret systemd
# cp tpws@service /lib/systemd/system
# systemctl daemon-reload
# MANAGE INSTANCE
# prepare /etc/zapret/tpws1.conf with tpws parameters
# systemctl start tpws@tpws1
# systemctl status tpws@tpws1
# systemctl restart tpws@tpws1
# systemctl enable tpws@tpws1
# systemctl disable tpws@tpws1
# systemctl stop tpws@tpws1
# DELETE
# rm /lib/systemd/system/tpws@.service
# systemctl daemon-reload
[Unit]
After=network.target
[Service]
Type=notify
Restart=on-failure
ExecSearchPath=/opt/zapret/binaries/my
ExecStart=tpws @${CONFIG_DIR}/${INSTANCE}.conf
Environment=CONFIG_DIR=/etc/zapret
Environment=INSTANCE=%i
RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectProc=invisible
ProtectSystem=full
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077
[Install]
WantedBy=multi-user.target

9
install_easy.sh
View File

@ -69,14 +69,7 @@ check_bins()
echo found architecture "\"$arch\"" echo found architecture "\"$arch\""
elif [ -f "$EXEDIR/Makefile" ] && exists make; then elif [ -f "$EXEDIR/Makefile" ] && exists make; then
echo trying to compile echo trying to compile
case $SYSTEM in [ "$SYSTEM" = "macos" ] && make_target=mac
macos)
make_target=mac
;;
systemd)
make_target=systemd
;;
esac
CFLAGS="-march=native ${CFLAGS}" make -C "$EXEDIR" $make_target || { CFLAGS="-march=native ${CFLAGS}" make -C "$EXEDIR" $make_target || {
echo could not compile echo could not compile
make -C "$EXEDIR" clean make -C "$EXEDIR" clean

2
ip2net/Makefile
View File

@ -11,8 +11,6 @@ all: ip2net
ip2net: $(SRC_FILES) ip2net: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS) $(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
systemd: ip2net
android: ip2net android: ip2net
bsd: $(SRC_FILES) bsd: $(SRC_FILES)

2
mdig/Makefile
View File

@ -12,8 +12,6 @@ all: mdig
mdig: $(SRC_FILES) mdig: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS) $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
systemd: mdig
android: $(SRC_FILES) android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS) $(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)

5
nfq/Makefile
View File

@ -1,10 +1,8 @@
CC ?= gcc CC ?= gcc
CFLAGS += -std=gnu99 -Os -flto=auto CFLAGS += -std=gnu99 -Os -flto=auto
CFLAGS_SYSTEMD = -DUSE_SYSTEMD
CFLAGS_BSD = -Wno-address-of-packed-member CFLAGS_BSD = -Wno-address-of-packed-member
CFLAGS_CYGWIN = -Wno-address-of-packed-member -static CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
LIBS_SYSTEMD = -lsystemd
LIBS_BSD = -lz LIBS_BSD = -lz
LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32 LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
LIBS_CYGWIN32 = -lwindivert32 LIBS_CYGWIN32 = -lwindivert32
@ -18,9 +16,6 @@ all: nfqws
nfqws: $(SRC_FILES) nfqws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS) $(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
systemd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
android: nfqws android: nfqws
bsd: $(SRC_FILES) bsd: $(SRC_FILES)

BIN
nfq/WinDivert.dll
View File

Binary file not shown.

BIN
nfq/WinDivert64.sys
View File

Binary file not shown.

6
nfq/helpers.c
View File

@ -391,12 +391,6 @@ void fill_random_az09(uint8_t *p,size_t sz)
} }
} }
void set_console_io_buffering(void)
{
setvbuf(stdout, NULL, _IOLBF, 0);
setvbuf(stderr, NULL, _IOLBF, 0);
}
bool set_env_exedir(const char *argv0) bool set_env_exedir(const char *argv0)
{ {
char *s,*d; char *s,*d;

1
nfq/helpers.h
View File

@ -92,7 +92,6 @@ void fill_random_bytes(uint8_t *p,size_t sz);
void fill_random_az(uint8_t *p,size_t sz); void fill_random_az(uint8_t *p,size_t sz);
void fill_random_az09(uint8_t *p,size_t sz); void fill_random_az09(uint8_t *p,size_t sz);
void set_console_io_buffering(void);
bool set_env_exedir(const char *argv0); bool set_env_exedir(const char *argv0);

26
nfq/nfqws.c
View File

@ -35,10 +35,6 @@
#include "win.h" #include "win.h"
#endif #endif
#ifdef USE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#ifdef __linux__ #ifdef __linux__
#include <libnetfilter_queue/libnetfilter_queue.h> #include <libnetfilter_queue/libnetfilter_queue.h>
#define NF_DROP 0 #define NF_DROP 0
@ -275,15 +271,6 @@ exiterr:
return false; return false;
} }
static void notify_ready(void)
{
#ifdef USE_SYSTEMD
int r = sd_notify(0, "READY=1");
if (r < 0)
DLOG_ERR("sd_notify: %s\n", strerror(-r));
#endif
}
static int nfq_main(void) static int nfq_main(void)
{ {
uint8_t buf[16384] __attribute__((aligned)); uint8_t buf[16384] __attribute__((aligned));
@ -304,8 +291,6 @@ static int nfq_main(void)
if (!nfq_init(&h,&qh)) if (!nfq_init(&h,&qh))
return 1; return 1;
notify_ready();
fd = nfq_fd(h); fd = nfq_fd(h);
do do
{ {
@ -499,6 +484,7 @@ static int win_main(const char *windivert_filter)
if (!logical_net_filter_match()) if (!logical_net_filter_match())
{ {
DLOG_CONDUP("logical network is not present. waiting it to appear.\n"); DLOG_CONDUP("logical network is not present. waiting it to appear.\n");
fflush(stdout);
do do
{ {
if (bQuit) if (bQuit)
@ -511,6 +497,7 @@ static int win_main(const char *windivert_filter)
} }
while (!logical_net_filter_match()); while (!logical_net_filter_match());
DLOG_CONDUP("logical network now present\n"); DLOG_CONDUP("logical network now present\n");
fflush(stdout);
} }
if (!windivert_init(windivert_filter)) if (!windivert_init(windivert_filter))
@ -521,6 +508,10 @@ static int win_main(const char *windivert_filter)
DLOG_CONDUP("windivert initialized. capture is started.\n"); DLOG_CONDUP("windivert initialized. capture is started.\n");
// cygwin auto flush fails when piping
fflush(stdout);
fflush(stderr);
for (id=0;;id++) for (id=0;;id++)
{ {
len = sizeof(packet); len = sizeof(packet);
@ -583,6 +574,10 @@ static int win_main(const char *windivert_filter)
default: default:
DLOG("packet: id=%u drop\n", id); DLOG("packet: id=%u drop\n", id);
} }
// cygwin auto flush fails when piping
fflush(stdout);
fflush(stderr);
} }
} }
win_dark_deinit(); win_dark_deinit();
@ -1414,7 +1409,6 @@ void check_dp(const struct desync_profile *dp)
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
set_console_io_buffering();
set_env_exedir(argv[0]); set_env_exedir(argv[0]);
#ifdef __CYGWIN__ #ifdef __CYGWIN__

5
tpws/Makefile
View File

@ -1,9 +1,7 @@
CC ?= gcc CC ?= gcc
CFLAGS += -std=gnu99 -Os -flto=auto CFLAGS += -std=gnu99 -Os -flto=auto
CFLAGS_SYSTEMD = -DUSE_SYSTEMD
CFLAGS_BSD = -Wno-address-of-packed-member CFLAGS_BSD = -Wno-address-of-packed-member
LIBS = -lz -lpthread LIBS = -lz -lpthread
LIBS_SYSTEMD = -lz -lsystemd
LIBS_ANDROID = -lz LIBS_ANDROID = -lz
SRC_FILES = *.c SRC_FILES = *.c
SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@ -13,9 +11,6 @@ all: tpws
tpws: $(SRC_FILES) tpws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS) $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
systemd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
android: $(SRC_FILES) android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS) $(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)

5
tpws/helpers.c
View File

@ -383,11 +383,6 @@ bool pf_is_empty(const port_filter *pf)
return !pf->neg && !pf->from && !pf->to; return !pf->neg && !pf->from && !pf->to;
} }
void set_console_io_buffering(void)
{
setvbuf(stdout, NULL, _IOLBF, 0);
setvbuf(stderr, NULL, _IOLBF, 0);
}
bool set_env_exedir(const char *argv0) bool set_env_exedir(const char *argv0)
{ {

1
tpws/helpers.h
View File

@ -82,7 +82,6 @@ bool pf_in_range(uint16_t port, const port_filter *pf);
bool pf_parse(const char *s, port_filter *pf); bool pf_parse(const char *s, port_filter *pf);
bool pf_is_empty(const port_filter *pf); bool pf_is_empty(const port_filter *pf);
void set_console_io_buffering(void);
bool set_env_exedir(const char *argv0); bool set_env_exedir(const char *argv0);
#ifndef IN_LOOPBACK #ifndef IN_LOOPBACK

1
tpws/tpws.c
View File

@ -1694,7 +1694,6 @@ int main(int argc, char *argv[])
struct salisten_s list[MAX_BINDS]; struct salisten_s list[MAX_BINDS];
char ip_port[48]; char ip_port[48];
set_console_io_buffering();
set_env_exedir(argv[0]); set_env_exedir(argv[0]);
srand(time(NULL)); srand(time(NULL));
mask_from_preflen6_prepare(); mask_from_preflen6_prepare();

17
tpws/tpws_conn.c
View File

@ -16,10 +16,6 @@
#include <fcntl.h> #include <fcntl.h>
#include <netdb.h> #include <netdb.h>
#ifdef USE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#include "tpws.h" #include "tpws.h"
#include "tpws_conn.h" #include "tpws_conn.h"
#include "redirect.h" #include "redirect.h"
@ -29,15 +25,6 @@
#include "hostlist.h" #include "hostlist.h"
#include "linux_compat.h" #include "linux_compat.h"
static void notify_ready(void)
{
#ifdef USE_SYSTEMD
int r = sd_notify(0, "READY=1");
if (r < 0)
DLOG_ERR("sd_notify: %s\n", strerror(-r));
#endif
}
// keep separate legs counter. counting every time thousands of legs can consume cpu // keep separate legs counter. counting every time thousands of legs can consume cpu
static int legs_local, legs_remote; static int legs_local, legs_remote;
/* /*
@ -1555,8 +1542,6 @@ int event_loop(const int *listen_fd, size_t listen_fd_ct)
VPRINT("initialized multi threaded resolver with %d threads\n",resolver_thread_count()); VPRINT("initialized multi threaded resolver with %d threads\n",resolver_thread_count());
} }
notify_ready();
for(;;) for(;;)
{ {
ReloadCheck(); ReloadCheck();
@ -1770,6 +1755,8 @@ int event_loop(const int *listen_fd, size_t listen_fd_ct)
// at least one leg was removed. recount legs // at least one leg was removed. recount legs
print_legs(); print_legs();
} }
fflush(stderr); fflush(stdout); // for console messages
} }
ex: ex: