From 756603338b9783e603acb3c7d89048f5f539a8b4 Mon Sep 17 00:00:00 2001
From: Ivan Trubach <mr.trubach@icloud.com>
Date: Tue, 11 Mar 2025 06:57:02 +0300
Subject: [PATCH] nfqws,tpws: add support for systemd readiness notifications
---
Makefile | 13 ++++++++++
init.d/systemd/nfqws.service | 48 ++++++++++++++++++++++++++++++++++++
ip2net/Makefile | 2 ++
mdig/Makefile | 2 ++
nfq/Makefile | 5 ++++
nfq/nfqws.c | 15 +++++++++++
tpws/Makefile | 5 ++++
tpws/tpws.c | 14 +++++++++++
8 files changed, 104 insertions(+)
create mode 100644 init.d/systemd/nfqws.service
diff --git a/Makefile b/Makefile
index 00e6c20..5f6cfc0 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,19 @@ all: clean
done \
done
+systemd: clean
+ @mkdir -p "$(TGT)"; \
+ for dir in $(DIRS); do \
+ find "$$dir" -type f \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
+ $(MAKE) -C "$$dir" systemd || exit; \
+ for exe in "$$dir/"*; do \
+ if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
+ mv -f "$$exe" "${TGT}" ; \
+ ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
+ fi \
+ done \
+ done
+
android: clean
@mkdir -p "$(TGT)"; \
for dir in $(DIRS); do \
diff --git a/init.d/systemd/nfqws.service b/init.d/systemd/nfqws.service
new file mode 100644
index 0000000..c4a3f5d
--- /dev/null
+++ b/init.d/systemd/nfqws.service
@@ -0,0 +1,48 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_FILE}
+Environment=CONFIG_FILE=/etc/zapret/nfqws.config
+
+StateDirectory=nfqws
+StateDirectoryMode=0700
+WorkingDirectory=%S/nfqws
+
+DynamicUser=true
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ip2net/Makefile b/ip2net/Makefile
index 43c44ea..484f3d7 100644
--- a/ip2net/Makefile
+++ b/ip2net/Makefile
@@ -11,6 +11,8 @@ all: ip2net
ip2net: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
+systemd: ip2net
+
android: ip2net
bsd: $(SRC_FILES)
diff --git a/mdig/Makefile b/mdig/Makefile
index 556fd83..21b6c84 100644
--- a/mdig/Makefile
+++ b/mdig/Makefile
@@ -12,6 +12,8 @@ all: mdig
mdig: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
+systemd: mdig
+
android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)
diff --git a/nfq/Makefile b/nfq/Makefile
index 52f95ba..85a29e4 100644
--- a/nfq/Makefile
+++ b/nfq/Makefile
@@ -1,8 +1,10 @@
CC ?= gcc
CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
CFLAGS_BSD = -Wno-address-of-packed-member
CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
+LIBS_SYSTEMD = -lsystemd
LIBS_BSD = -lz
LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
LIBS_CYGWIN32 = -lwindivert32
@@ -16,6 +18,9 @@ all: nfqws
nfqws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
+systemd: $(SRC_FILES)
+ $(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
+
android: nfqws
bsd: $(SRC_FILES)
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index 4963481..717cdbb 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -35,6 +35,10 @@
#include "win.h"
#endif
+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#ifdef __linux__
#include <libnetfilter_queue/libnetfilter_queue.h>
#define NF_DROP 0
@@ -271,6 +275,15 @@ exiterr:
return false;
}
+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+ int r = sd_notify(0, "READY=1");
+ if (r < 0)
+ DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
static int nfq_main(void)
{
uint8_t buf[16384] __attribute__((aligned));
@@ -291,6 +304,8 @@ static int nfq_main(void)
if (!nfq_init(&h,&qh))
return 1;
+ notify_ready();
+
fd = nfq_fd(h);
do
{
diff --git a/tpws/Makefile b/tpws/Makefile
index 9210a63..a50bb5f 100644
--- a/tpws/Makefile
+++ b/tpws/Makefile
@@ -1,7 +1,9 @@
CC ?= gcc
CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
CFLAGS_BSD = -Wno-address-of-packed-member
LIBS = -lz -lpthread
+LIBS_SYSTEMD = -lz -lsystemd
LIBS_ANDROID = -lz
SRC_FILES = *.c
SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@@ -11,6 +13,9 @@ all: tpws
tpws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
+systemd: $(SRC_FILES)
+ $(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
+
android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)
diff --git a/tpws/tpws.c b/tpws/tpws.c
index 30f6703..fb794eb 100644
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@@ -30,6 +30,10 @@
#include <ifaddrs.h>
#endif
+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "tpws.h"
#ifdef BSD
@@ -1688,6 +1692,15 @@ static const char *bindll_s[] = { "unwanted","no","prefer","force" };
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
#endif
+static void notify_ready(void)
+{
+#ifdef USE_SYSTEMD
+ int r = sd_notify(0, "READY=1");
+ if (r < 0)
+ DLOG_ERR("sd_notify: %s\n", strerror(-r));
+#endif
+}
+
int main(int argc, char *argv[])
{
int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE;
@@ -1964,6 +1977,7 @@ int main(int argc, char *argv[])
signal(SIGHUP, onhup);
signal(SIGUSR2, onusr2);
+ notify_ready();
retval = event_loop(listen_fd,params.binds_last+1);
exit_v = retval < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
DLOG_CONDUP("Exiting\n");