Merge 92ba6b439e6aed8557a315ebfcd350016159be52 into bd67b41f329702465d1d548ca2144b609e82927a

docs/changes.txt

@@ -456,3 +456,4 @@ nfqws,blockcheck: --dpi-desync-fake-tls-mod
 v70.1
 
 nfqws: --dpi-desync-fake-tls-mod=dupsid
+nfqws,tpws: test accessibility of list files after privs drop

ipset/get_antifilter_domains.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+IPSET_DIR="$(dirname "$0")"
+IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+
+. "$IPSET_DIR/def.sh"
+
+TMPLIST="$TMPDIR/list.txt"
+
+URL="https://antifilter.download/list/domains.lst"
+
+dl()
+{
+  # $1 - url
+  # $2 - file
+  # $3 - minsize
+  # $4 - maxsize
+  curl -L -H "Accept-Encoding: gzip" -k --fail --max-time 60 --connect-timeout 10 --retry 4 --max-filesize 251658240 -o "$TMPLIST" "$1" ||
+  {
+   echo list download failed : $1
+   exit 2
+  }
+  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  if test $dlsize -lt $3; then
+   echo list is too small : $dlsize bytes. can be bad.
+   exit 2
+  fi
+  zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
+  rm -f "$TMPLIST"
+}
+
+# useful in case ipban set is used in custom scripts
+FAIL=
+getipban || FAIL=1
+"$IPSET_DIR/create_ipset.sh"
+[ -n "$FAIL" ] && exit
+
+dl "$URL" "$ZHOSTLIST" 32768 4194304
+
+exit 0

nfq/nfqws.c

@@ -120,6 +120,29 @@ static uint8_t processPacketData(uint32_t *mark, const char *ifout, uint8_t *dat
 }
 
 
+static bool test_list_files()
+{
+	struct hostlist_file *hfile;
+	struct ipset_file *ifile;
+
+	LIST_FOREACH(hfile, &params.hostlists, next)
+		if (!file_mod_time(hfile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
+			return false;
+		}
+	LIST_FOREACH(ifile, &params.ipsets, next)
+		if (!file_mod_time(ifile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
+			return false;
+		}
+	return true;
+}
+
+
 #ifdef __linux__
 static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie)
 {
@@ -260,6 +283,8 @@ static int nfq_main(void)
 	if (params.droproot && !droproot(params.uid, params.gid))
 		return 1;
 	print_id();
+	if (params.droproot && !test_list_files())
+		return 1;
 
 	pre_desync();
 
@@ -357,6 +382,8 @@ static int dvt_main(void)
 	if (params.droproot && !droproot(params.uid, params.gid))
 		goto exiterr;
 	print_id();
+	if (params.droproot && !test_list_files())
+		goto exiterr;
 
 	pre_desync();
 

tpws/tpws.c

@@ -116,6 +116,27 @@ static int8_t block_sigpipe(void)
 	return 0;
 }
 
+static bool test_list_files()
+{
+	struct hostlist_file *hfile;
+	struct ipset_file *ifile;
+
+	LIST_FOREACH(hfile, &params.hostlists, next)
+		if (!file_mod_time(hfile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access hostlist file '%s'\n",hfile->filename);
+			return false;
+		}
+	LIST_FOREACH(ifile, &params.ipsets, next)
+		if (!file_mod_time(ifile->filename))
+		{
+			DLOG_PERROR("file_mod_time");
+			DLOG_ERR("cannot access ipset file '%s'\n",ifile->filename);
+			return false;
+		}
+	return true;
+}
 
 static bool is_interface_online(const char *ifname)
 {
@@ -1918,10 +1939,12 @@ int main(int argc, char *argv[])
 
 	set_ulimit();
 	sec_harden();
-
 	if (params.droproot && !droproot(params.uid,params.gid))
 		goto exiterr;
 	print_id();
+	if (params.droproot && !test_list_files())
+		goto exiterr;
+
 	//splice() causes the process to receive the SIGPIPE-signal if one part (for
 	//example a socket) is closed during splice(). I would rather have splice()
 	//fail and return -1, so blocking SIGPIPE.