tpws systemd unit fix comment

nfqws: add support for systemd readiness notifications

Makefile

@@ -15,6 +15,19 @@ all:	clean
 		done \
 	done
 
+systemd: clean
+	@mkdir -p "$(TGT)"; \
+	for dir in $(DIRS); do \
+		find "$$dir" -type f  \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
+		$(MAKE) -C "$$dir" systemd || exit; \
+		for exe in "$$dir/"*; do \
+			if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
+				mv -f "$$exe" "${TGT}" ; \
+				ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
+			fi \
+		done \
+	done
+
 android: clean
 	@mkdir -p "$(TGT)"; \
 	for dir in $(DIRS); do \

docs/changes.txt

@@ -462,3 +462,5 @@ nfqws,tpws: --version
 v70.4
 
 nfqws,tpws: ^ prefix in hostlist to disable subdomain matches
+nfqws,tpws: optional systemd notify support. compile using 'make systemd'
+nfqws,tpws: systemd instance templates for nfqws and tpws

docs/readme.en.md

@@ -703,9 +703,9 @@ tpws is transparent proxy.
  --ipset-exclude=<filename>              ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
  --ipset-exclude-ip=<ip_list>            ; comma separated fixed subnet list
 
- --hostlist=<filename>                   ; only act on hosts in the list (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
+ --hostlist=<filename>                   ; only act on hosts in the list (one host per line, subdomains auto apply if not prefixed with '^', gzip supported, multiple hostlists allowed)
  --hostlist-domains=<domain_list>        ; comma separated fixed domain list
- --hostlist-exclude=<filename>           ; do not act on hosts in the list (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)
+ --hostlist-exclude=<filename>           ; do not act on hosts in the list (one host per line, subdomains auto apply if not prefixed with '^', gzip supported, multiple hostlists allowed)
  --hostlist-exclude-domains=<domain_list> ; comma separated fixed domain list
  --hostlist-auto=<filename>              ; detect DPI blocks and build hostlist automatically
  --hostlist-auto-fail-threshold=<int>    ; how many failed attempts cause hostname to be added to auto hostlist (default : 3)

docs/readme.md

@@ -57,6 +57,7 @@ zapret является свободным и open source.
   - [Прикручивание к системе управления фаерволом или своей системе запуска](#прикручивание-к-системе-управления-фаерволом-или-своей-системе-запуска)
   - [Вариант custom](#вариант-custom)
   - [Простая установка](#простая-установка)
+  - [Установка под systemd](#установка-под-systemd)
   - [Простая установка на openwrt](#простая-установка-на-openwrt)
   - [Установка на openwrt в режиме острой нехватки места на диске](#установка-на-openwrt-в-режиме-острой-нехватки-места-на-диске)
   - [Android](#android)
@@ -2002,6 +2003,15 @@ zapret_custom_firewall_nft поднимает правила nftables.
 
 Деинсталляция выполняется через `uninstall_easy.sh`. После выполнения деинсталляции можно удалить каталог `/opt/zapret`.
 
+## Установка под systemd
+
+Если вам нравится systemd и хочется максимально под него заточиться, можно отказаться от скриптов запуска zapret
+и поднимать инстансы `tpws` и `nfqws` как отдельные юниты systemd. При этом вам придется вручную написать правила iptables/nftables
+и каким-то образом их поднимать. Например, написать дополнительный systemd unit для этого.
+Так же требуется собрать бинарники особым образом через `make systemd`.
+
+В комплекте zapret есть шаблоны `init.d/systemd/{nfqws@.service,tpws@.service}`.
+Краткий перечень команд для их использования приведен в комментариях в этих файлах.
 
 ## Простая установка на openwrt
 

init.d/systemd/nfqws@.service

@@ -0,0 +1,65 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile nfqws using `make systemd`
+# WARNING ! This makefile target enabled special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp nfqws@service /lib/systemd/system
+# systemctl daemon-reload
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/nfqws1.conf with nfqws parameters
+# systemctl start nfqws@nfqws1
+# systemctl status nfqws@nfqws1
+# systemctl restart nfqws@nfqws1
+# systemctl enable nfqws@nfqws1
+# systemctl disable nfqws@nfqws1
+# systemctl stop nfqws@nfqws1
+
+# DELETE
+# rm /lib/systemd/system/nfqws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

init.d/systemd/tpws@.service

@@ -0,0 +1,63 @@
+# Example systemd service unit for tpws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile tpws using `make systemd`
+# WARNING ! This makefile target enabled special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp tpws@service /lib/systemd/system
+# systemctl daemon-reload
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/tpws1.conf with tpws parameters
+# systemctl start tpws@tpws1
+# systemctl status tpws@tpws1
+# systemctl restart tpws@tpws1
+# systemctl enable tpws@tpws1
+# systemctl disable tpws@tpws1
+# systemctl stop tpws@tpws1
+
+# DELETE
+# rm /lib/systemd/system/tpws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=tpws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

install_easy.sh

@@ -69,7 +69,14 @@ check_bins()
 		echo found architecture "\"$arch\""
 	elif [ -f "$EXEDIR/Makefile" ] && exists make; then
 		echo trying to compile
-		[ "$SYSTEM" = "macos" ] && make_target=mac
+		case $SYSTEM in
+			macos)
+				make_target=mac
+				;;
+			systemd)
+				make_target=systemd
+				;;
+		esac
 		CFLAGS="-march=native ${CFLAGS}" make -C "$EXEDIR" $make_target || {
 			echo could not compile
 			make -C "$EXEDIR" clean

ip2net/Makefile

@@ -11,6 +11,8 @@ all: ip2net
 ip2net: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
+systemd: ip2net
+
 android: ip2net
 
 bsd: $(SRC_FILES)

mdig/Makefile

@@ -12,6 +12,8 @@ all: mdig
 mdig: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
+systemd: mdig
+
 android: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)
 

nfq/Makefile

@@ -1,8 +1,10 @@
 CC ?= gcc
 CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
 LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
+LIBS_SYSTEMD = -lsystemd
 LIBS_BSD = -lz
 LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
 LIBS_CYGWIN32 = -lwindivert32
@@ -16,6 +18,9 @@ all: nfqws
 nfqws: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
 
+systemd: $(SRC_FILES)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
+
 android: nfqws
 
 bsd: $(SRC_FILES)

nfq/helpers.c

@@ -391,6 +391,12 @@ void fill_random_az09(uint8_t *p,size_t sz)
 	}
 }
 
+void set_console_io_buffering(void)
+{
+	setvbuf(stdout, NULL, _IOLBF, 0);
+	setvbuf(stderr, NULL, _IOLBF, 0);
+}
+
 bool set_env_exedir(const char *argv0)
 {
 	char *s,*d;

nfq/helpers.h

@@ -92,6 +92,7 @@ void fill_random_bytes(uint8_t *p,size_t sz);
 void fill_random_az(uint8_t *p,size_t sz);
 void fill_random_az09(uint8_t *p,size_t sz);
 
+void set_console_io_buffering(void);
 bool set_env_exedir(const char *argv0);
 
 

nfq/nfqws.c

@@ -35,6 +35,10 @@
 #include "win.h"
 #endif
 
+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
 #ifdef __linux__
 #include <libnetfilter_queue/libnetfilter_queue.h>
 #define NF_DROP 0
@@ -271,6 +275,15 @@ exiterr:
 	return false;
 }
 
+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+	int r = sd_notify(0, "READY=1");
+	if (r < 0)
+		DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
 static int nfq_main(void)
 {
 	uint8_t buf[16384] __attribute__((aligned));
@@ -291,6 +304,8 @@ static int nfq_main(void)
 	if (!nfq_init(&h,&qh))
 		return 1;
 
+	notify_ready();
+
 	fd = nfq_fd(h);
 	do
 	{
@@ -484,7 +499,6 @@ static int win_main(const char *windivert_filter)
 		if (!logical_net_filter_match())
 		{
 			DLOG_CONDUP("logical network is not present. waiting it to appear.\n");
-			fflush(stdout);
 			do
 			{
 				if (bQuit)
@@ -497,7 +511,6 @@ static int win_main(const char *windivert_filter)
 			}
 			while (!logical_net_filter_match());
 			DLOG_CONDUP("logical network now present\n");
-			fflush(stdout);
 		}
 
 		if (!windivert_init(windivert_filter))
@@ -508,10 +521,6 @@ static int win_main(const char *windivert_filter)
 
 		DLOG_CONDUP("windivert initialized. capture is started.\n");
 
-		// cygwin auto flush fails when piping
-		fflush(stdout);
-		fflush(stderr);
-
 		for (id=0;;id++)
 		{
 			len = sizeof(packet);
@@ -574,10 +583,6 @@ static int win_main(const char *windivert_filter)
 				default:
 					DLOG("packet: id=%u drop\n", id);
 			}
-	
-			// cygwin auto flush fails when piping
-			fflush(stdout);
-			fflush(stderr);
 		}
 	}
 	win_dark_deinit();
@@ -1409,6 +1414,7 @@ void check_dp(const struct desync_profile *dp)
 
 int main(int argc, char **argv)
 {
+	set_console_io_buffering();
 	set_env_exedir(argv[0]);
 
 #ifdef __CYGWIN__

tpws/Makefile

@@ -1,7 +1,9 @@
 CC ?= gcc
 CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 LIBS = -lz -lpthread
+LIBS_SYSTEMD = -lz -lsystemd
 LIBS_ANDROID = -lz
 SRC_FILES = *.c
 SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@@ -11,6 +13,9 @@ all: tpws
 tpws: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
 
+systemd: $(SRC_FILES)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
+
 android: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
 

tpws/helpers.c

@@ -383,6 +383,11 @@ bool pf_is_empty(const port_filter *pf)
 	return !pf->neg && !pf->from && !pf->to;
 }
 
+void set_console_io_buffering(void)
+{
+	setvbuf(stdout, NULL, _IOLBF, 0);
+	setvbuf(stderr, NULL, _IOLBF, 0);
+}
 
 bool set_env_exedir(const char *argv0)
 {

tpws/helpers.h

@@ -82,6 +82,7 @@ bool pf_in_range(uint16_t port, const port_filter *pf);
 bool pf_parse(const char *s, port_filter *pf);
 bool pf_is_empty(const port_filter *pf);
 
+void set_console_io_buffering(void);
 bool set_env_exedir(const char *argv0);
 
 #ifndef IN_LOOPBACK

tpws/tpws.c

@@ -1694,6 +1694,7 @@ int main(int argc, char *argv[])
 	struct salisten_s list[MAX_BINDS];
 	char ip_port[48];
 
+	set_console_io_buffering();
 	set_env_exedir(argv[0]);
 	srand(time(NULL));
 	mask_from_preflen6_prepare();

tpws/tpws_conn.c

@@ -16,6 +16,10 @@
 #include <fcntl.h>
 #include <netdb.h>
 
+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
 #include "tpws.h"
 #include "tpws_conn.h"
 #include "redirect.h"
@@ -25,6 +29,15 @@
 #include "hostlist.h"
 #include "linux_compat.h"
 
+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+	int r = sd_notify(0, "READY=1");
+	if (r < 0)
+		DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
 // keep separate legs counter. counting every time thousands of legs can consume cpu
 static int legs_local, legs_remote;
 /*
@@ -1542,6 +1555,8 @@ int event_loop(const int *listen_fd, size_t listen_fd_ct)
 		VPRINT("initialized multi threaded resolver with %d threads\n",resolver_thread_count());
 	}
 
+	notify_ready();
+
 	for(;;)
 	{
 		ReloadCheck();
@@ -1755,8 +1770,6 @@ int event_loop(const int *listen_fd, size_t listen_fd_ct)
 			// at least one leg was removed. recount legs
 			print_legs();
 		}
-
-		fflush(stderr); fflush(stdout); // for console messages
 	}
 
 ex: