nfqws,tpws: add support for systemd readiness notifications

3 weeks ago · 756603338b
8 changed files with 104 additions and 0 deletions
--- a/13
+++ b/13
@ -15,6 +15,19 @@ all:	clean
 		done \
 	done

+systemd: clean
+	@mkdir -p "$(TGT)"; \
+	for dir in $(DIRS); do \
+		find "$$dir" -type f  \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
+		$(MAKE) -C "$$dir" systemd || exit; \
+		for exe in "$$dir/"*; do \
+			if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
+				mv -f "$$exe" "${TGT}" ; \
+				ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
+			fi \
+		done \
+	done
+
 android: clean
 	@mkdir -p "$(TGT)"; \
 	for dir in $(DIRS); do \
--- a/init.d/systemd/nfqws.service
+++ b/init.d/systemd/nfqws.service
@ -0,0 +1,48 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_FILE}
+Environment=CONFIG_FILE=/etc/zapret/nfqws.config
+
+StateDirectory=nfqws
+StateDirectoryMode=0700
+WorkingDirectory=%S/nfqws
+
+DynamicUser=true
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/ip2net/Makefile
+++ b/ip2net/Makefile
@ -11,6 +11,8 @@ all: ip2net
 ip2net: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)

+systemd: ip2net
+
 android: ip2net

 bsd: $(SRC_FILES)
--- a/mdig/Makefile
+++ b/mdig/Makefile
@ -12,6 +12,8 @@ all: mdig
 mdig: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)

+systemd: mdig
+
 android: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)

--- a/nfq/Makefile
+++ b/nfq/Makefile
@ -1,8 +1,10 @@
 CC ?= gcc
 CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
 LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
+LIBS_SYSTEMD = -lsystemd
 LIBS_BSD = -lz
 LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
 LIBS_CYGWIN32 = -lwindivert32
@ -16,6 +18,9 @@ all: nfqws
 nfqws: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)

+systemd: $(SRC_FILES)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
+
 android: nfqws

 bsd: $(SRC_FILES)
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -35,6 +35,10 @@
 #include "win.h"
 #endif

+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
 #ifdef __linux__
 #include <libnetfilter_queue/libnetfilter_queue.h>
 #define NF_DROP 0
@ -271,6 +275,15 @@ exiterr:
 	return false;
 }

+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+	int r = sd_notify(0, "READY=1");
+	if (r < 0)
+		DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
 static int nfq_main(void)
 {
 	uint8_t buf[16384] __attribute__((aligned));
@ -291,6 +304,8 @@ static int nfq_main(void)
 	if (!nfq_init(&h,&qh))
 		return 1;

+	notify_ready();
+
 	fd = nfq_fd(h);
 	do
 	{
--- a/tpws/Makefile
+++ b/tpws/Makefile
@ -1,7 +1,9 @@
 CC ?= gcc
 CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 LIBS = -lz -lpthread
+LIBS_SYSTEMD = -lz -lsystemd
 LIBS_ANDROID = -lz
 SRC_FILES = *.c
 SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@ -11,6 +13,9 @@ all: tpws
 tpws: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)

+systemd: $(SRC_FILES)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
+
 android: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)

--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@ -30,6 +30,10 @@
 #include <ifaddrs.h>
 #endif

+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
 #include "tpws.h"

 #ifdef BSD
@ -1688,6 +1692,15 @@ static const char *bindll_s[] = { "unwanted","no","prefer","force" };
 #define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
 #endif

+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+	int r = sd_notify(0, "READY=1");
+	if (r < 0)
+		DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
 int main(int argc, char *argv[])
 {
 	int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE;
@ -1964,6 +1977,7 @@ int main(int argc, char *argv[])
 	signal(SIGHUP, onhup); 
 	signal(SIGUSR2, onusr2);

+	notify_ready();
 	retval = event_loop(listen_fd,params.binds_last+1);
 	exit_v = retval < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
 	DLOG_CONDUP("Exiting\n");