gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

nfqws,tpws: do most checks before daemonize

pull/1464/head
bol-van 3 months ago
parent
e62fb2f0f4
commit
691a501b0d
5 changed files with 95 additions and 28 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      docs/changes.txt
  2. 91
      nfq/nfqws.c
  3. 3
      nfq/params.h
  4. 7
      nfq/sec.c
  5. 21
      tpws/tpws.c

1
docs/changes.txt
View File

@ -492,5 +492,6 @@ nfqws: ipcache of hop count and host names
nfqws: --ctrack-disable nfqws: --ctrack-disable
tpws: ipcache of host names tpws: ipcache of host names
nfqws,tpws: set 1024 repeat limit to fakes and dups nfqws,tpws: set 1024 repeat limit to fakes and dups
nfqws,tpws: do more before daemonize
init.d: remove --ipset parameter prohibition init.d: remove --ipset parameter prohibition
init.d, blockcheck: drop time exceeded icmp for nfqws-related connections init.d, blockcheck: drop time exceeded icmp for nfqws-related connections

91
nfq/nfqws.c
View File

@ -288,19 +288,40 @@ static int nfq_main(void)
struct nfq_q_handle *qh = NULL; struct nfq_q_handle *qh = NULL;
int fd,e; int fd,e;
ssize_t rd; ssize_t rd;
FILE *Fpid = NULL;
sec_harden(); if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) {
DLOG_PERROR("create pidfile");
return 1; return 1;
}
if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
goto err;
print_id(); print_id();
if (params.droproot && !test_list_files()) if (params.droproot && !test_list_files())
return 1; goto err;
pre_desync();
if (!nfq_init(&h,&qh)) if (!nfq_init(&h,&qh))
return 1; goto err;
if (params.daemon) daemonize();
// do it only after daemonize because daemonize needs fork
sec_harden();
if (Fpid)
{
if (fprintf(Fpid, "%d", getpid())<=0)
{
DLOG_PERROR("write pidfile");
goto err;
}
fclose(Fpid);
Fpid=NULL;
}
pre_desync();
notify_ready(); notify_ready();
fd = nfq_fd(h); fd = nfq_fd(h);
@ -326,6 +347,9 @@ static int nfq_main(void)
nfq_deinit(&h,&qh); nfq_deinit(&h,&qh);
return 0; return 0;
err:
if (Fpid) fclose(Fpid);
return 1;
} }
#elif defined(BSD) #elif defined(BSD)
@ -340,6 +364,13 @@ static int dvt_main(void)
socklen_t socklen; socklen_t socklen;
ssize_t rd,wr; ssize_t rd,wr;
fd_set fdset; fd_set fdset;
FILE *Fpid = NULL;
if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
{
DLOG_PERROR("create pidfile");
return 1;
}
{ {
struct sockaddr_in bp4; struct sockaddr_in bp4;
@ -391,12 +422,26 @@ static int dvt_main(void)
if (!rawsend_preinit(false,false)) if (!rawsend_preinit(false,false))
goto exiterr; goto exiterr;
if (params.droproot && !droproot(params.uid, params.gid)) if (params.droproot && !droproot(params.uid, params.gid))
goto exiterr; goto exiterr;
print_id(); print_id();
if (params.droproot && !test_list_files()) if (params.droproot && !test_list_files())
goto exiterr; goto exiterr;
if (params.daemon) daemonize();
if (Fpid)
{
if (fprintf(Fpid, "%d", getpid())<=0)
{
DLOG_PERROR("write pidfile");
goto exiterr;
}
fclose(Fpid);
Fpid=NULL;
}
pre_desync(); pre_desync();
for(;;) for(;;)
@ -464,6 +509,7 @@ static int dvt_main(void)
res=0; res=0;
exiterr: exiterr:
if (Fpid) fclose(Fpid);
if (fd[0]!=-1) close(fd[0]); if (fd[0]!=-1) close(fd[0]);
if (fd[1]!=-1) close(fd[1]); if (fd[1]!=-1) close(fd[1]);
return res; return res;
@ -483,7 +529,19 @@ static int win_main(const char *windivert_filter)
WINDIVERT_ADDRESS wa; WINDIVERT_ADDRESS wa;
char ifname[IFNAMSIZ]; char ifname[IFNAMSIZ];
pre_desync(); if (params.daemon)
{
// cygwin loses current dir
char *cwd = get_current_dir_name();
daemonize();
chdir(cwd);
}
if (*params.pidfile && !writepid(params.pidfile))
{
DLOG_ERR("could not write pidfile");
return ERROR_TOO_MANY_OPEN_FILES; // code 4 = The system cannot open the file
}
if (!win_dark_init(&params.ssid_filter, &params.nlm_filter)) if (!win_dark_init(&params.ssid_filter, &params.nlm_filter))
{ {
@ -491,6 +549,8 @@ static int win_main(const char *windivert_filter)
return w_win32_error; return w_win32_error;
} }
pre_desync();
for(;;) for(;;)
{ {
if (!logical_net_filter_match()) if (!logical_net_filter_match())
@ -1855,8 +1915,7 @@ int main(int argc, char **argv)
#endif #endif
int result, v; int result, v;
int option_index = 0; int option_index = 0;
bool daemon = false, bSkip = false, bDry = false; bool bSkip = false, bDry = false;
char pidfile[256];
struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL; struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL; struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
#ifdef __CYGWIN__ #ifdef __CYGWIN__
@ -1873,7 +1932,6 @@ int main(int argc, char **argv)
PRINT_VER; PRINT_VER;
memset(&params, 0, sizeof(params)); memset(&params, 0, sizeof(params));
*pidfile = 0;
struct desync_profile_list *dpl; struct desync_profile_list *dpl;
struct desync_profile *dp; struct desync_profile *dp;
@ -1999,11 +2057,10 @@ int main(int argc, char **argv)
break; break;
#endif #endif
case IDX_DAEMON: case IDX_DAEMON:
daemon = true; params.daemon = true;
break; break;
case IDX_PIDFILE: case IDX_PIDFILE:
strncpy(pidfile, optarg, sizeof(pidfile)); snprintf(params.pidfile,sizeof(params.pidfile),"%s",optarg);
pidfile[sizeof(pidfile) - 1] = '\0';
break; break;
#ifndef __CYGWIN__ #ifndef __CYGWIN__
case IDX_USER: case IDX_USER:
@ -2964,14 +3021,6 @@ int main(int argc, char **argv)
exit_clean(0); exit_clean(0);
} }
if (daemon) daemonize();
if (*pidfile && !writepid(pidfile))
{
DLOG_ERR("could not write pidfile\n");
goto exiterr;
}
if (params.ctrack_disable) if (params.ctrack_disable)
DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n"); DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n");
else else

3
nfq/params.h
View File

@ -170,6 +170,8 @@ struct params_s
char debug_logfile[PATH_MAX]; char debug_logfile[PATH_MAX];
bool debug; bool debug;
bool daemon;
#ifdef __linux__ #ifdef __linux__
int qnum; int qnum;
#elif defined(BSD) #elif defined(BSD)
@ -187,6 +189,7 @@ struct params_s
uid_t uid; uid_t uid;
gid_t gid; gid_t gid;
#endif #endif
char pidfile[PATH_MAX];
char hostlist_auto_debuglog[PATH_MAX]; char hostlist_auto_debuglog[PATH_MAX];

7
nfq/sec.c
View File

@ -192,20 +192,21 @@ static bool set_seccomp(void)
bool sec_harden(void) bool sec_harden(void)
{ {
bool bRes = true;
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
{ {
DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)"); DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)");
return false; bRes = false;
} }
#if ARCH_NR!=0 #if ARCH_NR!=0
if (!set_seccomp()) if (!set_seccomp())
{ {
DLOG_PERROR("seccomp"); DLOG_PERROR("seccomp");
if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n"); if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n");
return false; bRes = false;
} }
#endif #endif
return true; return bRes;
} }

21
tpws/tpws.c
View File

@ -1832,6 +1832,7 @@ int main(int argc, char *argv[])
int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE; int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE;
struct salisten_s list[MAX_BINDS]; struct salisten_s list[MAX_BINDS];
char ip_port[48]; char ip_port[48];
FILE *Fpid = NULL;
set_console_io_buffering(); set_console_io_buffering();
set_env_exedir(argv[0]); set_env_exedir(argv[0]);
@ -2078,11 +2079,9 @@ int main(int argc, char *argv[])
DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n"); DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n");
if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n"); if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n");
if (params.daemon) daemonize(); if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w")))
if (*params.pidfile && !writepid(params.pidfile))
{ {
DLOG_ERR("could not write pidfile\n"); DLOG_PERROR("create pidfile");
goto exiterr; goto exiterr;
} }
@ -2098,6 +2097,19 @@ int main(int argc, char *argv[])
if (params.droproot && !test_list_files()) if (params.droproot && !test_list_files())
goto exiterr; goto exiterr;
if (params.daemon) daemonize();
if (Fpid)
{
if (fprintf(Fpid, "%d", getpid())<=0)
{
DLOG_PERROR("write pidfile");
goto exiterr;
}
fclose(Fpid);
Fpid=NULL;
}
//splice() causes the process to receive the SIGPIPE-signal if one part (for //splice() causes the process to receive the SIGPIPE-signal if one part (for
//example a socket) is closed during splice(). I would rather have splice() //example a socket) is closed during splice(). I would rather have splice()
//fail and return -1, so blocking SIGPIPE. //fail and return -1, so blocking SIGPIPE.
@ -2114,6 +2126,7 @@ int main(int argc, char *argv[])
DLOG_CONDUP("Exiting\n"); DLOG_CONDUP("Exiting\n");
exiterr: exiterr:
if (Fpid) fclose(Fpid);
redir_close(); redir_close();
for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]); for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]);
cleanup_params(); cleanup_params();

Write Preview
Loading…
Cancel
Save