Loading docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -492,5 +492,6 @@ nfqws: ipcache of hop count and host names nfqws: --ctrack-disable tpws: ipcache of host names nfqws,tpws: set 1024 repeat limit to fakes and dups nfqws,tpws: do more before daemonize init.d: remove --ipset parameter prohibition init.d, blockcheck: drop time exceeded icmp for nfqws-related connections nfq/nfqws.c +70 −21 Original line number Diff line number Diff line Loading @@ -288,19 +288,40 @@ static int nfq_main(void) struct nfq_q_handle *qh = NULL; int fd,e; ssize_t rd; FILE *Fpid = NULL; sec_harden(); if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w"))) { DLOG_PERROR("create pidfile"); return 1; } if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) goto err; print_id(); if (params.droproot && !test_list_files()) return 1; pre_desync(); goto err; if (!nfq_init(&h,&qh)) return 1; goto err; if (params.daemon) daemonize(); // do it only after daemonize because daemonize needs fork sec_harden(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) { DLOG_PERROR("write pidfile"); goto err; } fclose(Fpid); Fpid=NULL; } pre_desync(); notify_ready(); fd = nfq_fd(h); Loading @@ -326,6 +347,9 @@ static int nfq_main(void) nfq_deinit(&h,&qh); return 0; err: if (Fpid) fclose(Fpid); return 1; } #elif defined(BSD) Loading @@ -340,6 +364,13 @@ static int dvt_main(void) socklen_t socklen; ssize_t rd,wr; fd_set fdset; FILE *Fpid = NULL; if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w"))) { DLOG_PERROR("create pidfile"); return 1; } { struct sockaddr_in bp4; Loading Loading 
@@ -391,12 +422,26 @@ static int dvt_main(void) if (!rawsend_preinit(false,false)) goto exiterr; if (params.droproot && !droproot(params.uid, params.gid)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) goto exiterr; if (params.daemon) daemonize(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) { DLOG_PERROR("write pidfile"); goto exiterr; } fclose(Fpid); Fpid=NULL; } pre_desync(); for(;;) Loading Loading @@ -464,6 +509,7 @@ static int dvt_main(void) res=0; exiterr: if (Fpid) fclose(Fpid); if (fd[0]!=-1) close(fd[0]); if (fd[1]!=-1) close(fd[1]); return res; Loading @@ -483,7 +529,19 @@ static int win_main(const char *windivert_filter) WINDIVERT_ADDRESS wa; char ifname[IFNAMSIZ]; pre_desync(); if (params.daemon) { // cygwin loses current dir char *cwd = get_current_dir_name(); daemonize(); chdir(cwd); } if (*params.pidfile && !writepid(params.pidfile)) { DLOG_ERR("could not write pidfile"); return ERROR_TOO_MANY_OPEN_FILES; // code 4 = The system cannot open the file } if (!win_dark_init(¶ms.ssid_filter, ¶ms.nlm_filter)) { Loading @@ -491,6 +549,8 @@ static int win_main(const char *windivert_filter) return w_win32_error; } pre_desync(); for(;;) { if (!logical_net_filter_match()) Loading Loading @@ -1855,8 +1915,7 @@ int main(int argc, char **argv) #endif int result, v; int option_index = 0; bool daemon = false, bSkip = false, bDry = false; char pidfile[256]; bool bSkip = false, bDry = false; struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL; struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL; #ifdef __CYGWIN__ Loading @@ -1873,7 +1932,6 @@ int main(int argc, char **argv) PRINT_VER; memset(¶ms, 0, sizeof(params)); *pidfile = 0; struct desync_profile_list *dpl; struct desync_profile *dp; Loading Loading 
@@ -1999,11 +2057,10 @@ int main(int argc, char **argv) break; #endif case IDX_DAEMON: daemon = true; params.daemon = true; break; case IDX_PIDFILE: strncpy(pidfile, optarg, sizeof(pidfile)); pidfile[sizeof(pidfile) - 1] = '\0'; snprintf(params.pidfile,sizeof(params.pidfile),"%s",optarg); break; #ifndef __CYGWIN__ case IDX_USER: Loading Loading @@ -2964,14 +3021,6 @@ int main(int argc, char **argv) exit_clean(0); } if (daemon) daemonize(); if (*pidfile && !writepid(pidfile)) { DLOG_ERR("could not write pidfile\n"); goto exiterr; } if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n"); else Loading nfq/params.h +3 −0 Original line number Diff line number Diff line Loading @@ -170,6 +170,8 @@ struct params_s char debug_logfile[PATH_MAX]; bool debug; bool daemon; #ifdef __linux__ int qnum; #elif defined(BSD) Loading @@ -187,6 +189,7 @@ struct params_s uid_t uid; gid_t gid; #endif char pidfile[PATH_MAX]; char hostlist_auto_debuglog[PATH_MAX]; Loading nfq/sec.c +4 −3 Original line number Diff line number Diff line Loading @@ -192,20 +192,21 @@ static bool set_seccomp(void) bool sec_harden(void) { bool bRes = true; if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)"); return false; bRes = false; } #if ARCH_NR!=0 if (!set_seccomp()) { DLOG_PERROR("seccomp"); if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n"); return false; bRes = false; } #endif return true; return bRes; } Loading tpws/tpws.c +17 −4 Original line number Diff line number Diff line Loading @@ -1832,6 +1832,7 @@ int main(int argc, char *argv[]) int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE; struct salisten_s list[MAX_BINDS]; char ip_port[48]; FILE *Fpid = NULL; set_console_io_buffering(); set_env_exedir(argv[0]); Loading Loading 
@@ -2078,11 +2079,9 @@ int main(int argc, char *argv[]) DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n"); if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n"); if (params.daemon) daemonize(); if (*params.pidfile && !writepid(params.pidfile)) if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w"))) { DLOG_ERR("could not write pidfile\n"); DLOG_PERROR("create pidfile"); goto exiterr; } Loading @@ -2098,6 +2097,19 @@ int main(int argc, char *argv[]) if (params.droproot && !test_list_files()) goto exiterr; if (params.daemon) daemonize(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) { DLOG_PERROR("write pidfile"); goto exiterr; } fclose(Fpid); Fpid=NULL; } //splice() causes the process to receive the SIGPIPE-signal if one part (for //example a socket) is closed during splice(). I would rather have splice() //fail and return -1, so blocking SIGPIPE. Loading @@ -2114,6 +2126,7 @@ int main(int argc, char *argv[]) DLOG_CONDUP("Exiting\n"); exiterr: if (Fpid) fclose(Fpid); redir_close(); for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]); cleanup_params(); Loading Loading
docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -492,5 +492,6 @@ nfqws: ipcache of hop count and host names nfqws: --ctrack-disable tpws: ipcache of host names nfqws,tpws: set 1024 repeat limit to fakes and dups nfqws,tpws: do more before daemonize init.d: remove --ipset parameter prohibition init.d, blockcheck: drop time exceeded icmp for nfqws-related connections
nfq/nfqws.c +70 −21 Original line number Diff line number Diff line Loading @@ -288,19 +288,40 @@ static int nfq_main(void) struct nfq_q_handle *qh = NULL; int fd,e; ssize_t rd; FILE *Fpid = NULL; sec_harden(); if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w"))) { DLOG_PERROR("create pidfile"); return 1; } if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) goto err; print_id(); if (params.droproot && !test_list_files()) return 1; pre_desync(); goto err; if (!nfq_init(&h,&qh)) return 1; goto err; if (params.daemon) daemonize(); // do it only after daemonize because daemonize needs fork sec_harden(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) { DLOG_PERROR("write pidfile"); goto err; } fclose(Fpid); Fpid=NULL; } pre_desync(); notify_ready(); fd = nfq_fd(h); Loading @@ -326,6 +347,9 @@ static int nfq_main(void) nfq_deinit(&h,&qh); return 0; err: if (Fpid) fclose(Fpid); return 1; } #elif defined(BSD) Loading @@ -340,6 +364,13 @@ static int dvt_main(void) socklen_t socklen; ssize_t rd,wr; fd_set fdset; FILE *Fpid = NULL; if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w"))) { DLOG_PERROR("create pidfile"); return 1; } { struct sockaddr_in bp4; Loading Loading @@ -391,12 +422,26 @@ static int dvt_main(void) if (!rawsend_preinit(false,false)) goto exiterr; if (params.droproot && !droproot(params.uid, params.gid)) goto exiterr; print_id(); if (params.droproot && !test_list_files()) goto exiterr; if (params.daemon) daemonize(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) { DLOG_PERROR("write pidfile"); goto exiterr; } fclose(Fpid); Fpid=NULL; } pre_desync(); for(;;) Loading Loading @@ -464,6 +509,7 @@ static int dvt_main(void) res=0; exiterr: if (Fpid) fclose(Fpid); if (fd[0]!=-1) close(fd[0]); if (fd[1]!=-1) close(fd[1]); return res; Loading 
@@ -483,7 +529,19 @@ static int win_main(const char *windivert_filter) WINDIVERT_ADDRESS wa; char ifname[IFNAMSIZ]; pre_desync(); if (params.daemon) { // cygwin loses current dir char *cwd = get_current_dir_name(); daemonize(); chdir(cwd); } if (*params.pidfile && !writepid(params.pidfile)) { DLOG_ERR("could not write pidfile"); return ERROR_TOO_MANY_OPEN_FILES; // code 4 = The system cannot open the file } if (!win_dark_init(¶ms.ssid_filter, ¶ms.nlm_filter)) { Loading @@ -491,6 +549,8 @@ static int win_main(const char *windivert_filter) return w_win32_error; } pre_desync(); for(;;) { if (!logical_net_filter_match()) Loading Loading @@ -1855,8 +1915,7 @@ int main(int argc, char **argv) #endif int result, v; int option_index = 0; bool daemon = false, bSkip = false, bDry = false; char pidfile[256]; bool bSkip = false, bDry = false; struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL; struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL; #ifdef __CYGWIN__ Loading @@ -1873,7 +1932,6 @@ int main(int argc, char **argv) PRINT_VER; memset(¶ms, 0, sizeof(params)); *pidfile = 0; struct desync_profile_list *dpl; struct desync_profile *dp; Loading Loading @@ -1999,11 +2057,10 @@ int main(int argc, char **argv) break; #endif case IDX_DAEMON: daemon = true; params.daemon = true; break; case IDX_PIDFILE: strncpy(pidfile, optarg, sizeof(pidfile)); pidfile[sizeof(pidfile) - 1] = '\0'; snprintf(params.pidfile,sizeof(params.pidfile),"%s",optarg); break; #ifndef __CYGWIN__ case IDX_USER: Loading Loading @@ -2964,14 +3021,6 @@ int main(int argc, char **argv) exit_clean(0); } if (daemon) daemonize(); if (*pidfile && !writepid(pidfile)) { DLOG_ERR("could not write pidfile\n"); goto exiterr; } if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n"); else Loading
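Review bot: In nfq_main the new pidfile write checks `fprintf(Fpid, "%d", getpid())<=0` but then calls `fclose(Fpid)` unchecked, so a failed flush of the buffered stdio write (the data typically only hits the file at fclose) is silently lost and the daemon keeps running with an empty or partial pidfile; the same pattern appears in dvt_main here and in tpws.c main. Suggested: `if (fclose(Fpid)) { Fpid=NULL; DLOG_PERROR("write pidfile"); goto err; } Fpid=NULL;` (Fpid must be cleared before the jump because the `err:` label would otherwise fclose the already-closed stream). In win_main, `get_current_dir_name()` returns allocated memory that is never freed and may return NULL, and the `chdir(cwd)` result is ignored; `if (cwd) { if (chdir(cwd)) DLOG_PERROR("chdir"); free(cwd); }` would cover both. win_main's `DLOG_ERR("could not write pidfile")` also lacks the trailing `\n` that the other DLOG_ERR messages in this commit carry. The bodies of nfq_main, dvt_main and win_main extend outside these hunks.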
nfq/params.h +3 −0 Original line number Diff line number Diff line Loading @@ -170,6 +170,8 @@ struct params_s char debug_logfile[PATH_MAX]; bool debug; bool daemon; #ifdef __linux__ int qnum; #elif defined(BSD) Loading @@ -187,6 +189,7 @@ struct params_s uid_t uid; gid_t gid; #endif char pidfile[PATH_MAX]; char hostlist_auto_debuglog[PATH_MAX]; Loading
nfq/sec.c +4 −3 Original line number Diff line number Diff line Loading @@ -192,20 +192,21 @@ static bool set_seccomp(void) bool sec_harden(void) { bool bRes = true; if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)"); return false; bRes = false; } #if ARCH_NR!=0 if (!set_seccomp()) { DLOG_PERROR("seccomp"); if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n"); return false; bRes = false; } #endif return true; return bRes; } Loading
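Review bot: sec_harden() now continues past a failed PR_SET_NO_NEW_PRIVS, still tries seccomp, and only reports the combined result through `bRes`, but the one caller visible in this commit (`sec_harden();` in nfq_main, nfq/nfqws.c) discards that return value, so a hardening failure is logged and otherwise ignored. If best-effort is the intent, say so above the definition, e.g. `// best effort: returns false if NO_NEW_PRIVS or the seccomp filter could not be applied; the caller decides whether that is fatal`; otherwise nfq_main should react, for instance `if (!sec_harden()) DLOG_ERR("security hardening failed\n");` or treat it as fatal when droproot is in effect. Worth noting, hedged because set_seccomp's body is outside the hunk: installing a seccomp filter without no_new_privs requires CAP_SYS_ADMIN, which dropcaps() has presumably already removed by this point, so when the prctl fails the seccomp step that follows is likely to fail as well and the process ends up with neither protection.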
tpws/tpws.c +17 −4 Original line number Diff line number Diff line Loading @@ -1832,6 +1832,7 @@ int main(int argc, char *argv[]) int i, listen_fd[MAX_BINDS], yes = 1, retval = 0, if_index, exit_v=EXIT_FAILURE; struct salisten_s list[MAX_BINDS]; char ip_port[48]; FILE *Fpid = NULL; set_console_io_buffering(); set_env_exedir(argv[0]); Loading Loading @@ -2078,11 +2079,9 @@ int main(int argc, char *argv[]) DLOG_CONDUP(params.proxy_type==CONN_TYPE_SOCKS ? "socks mode\n" : "transparent proxy mode\n"); if (!params.tamper) DLOG_CONDUP("TCP proxy mode (no tampering)\n"); if (params.daemon) daemonize(); if (*params.pidfile && !writepid(params.pidfile)) if (*params.pidfile && !(Fpid=fopen(params.pidfile,"w"))) { DLOG_ERR("could not write pidfile\n"); DLOG_PERROR("create pidfile"); goto exiterr; } Loading @@ -2098,6 +2097,19 @@ int main(int argc, char *argv[]) if (params.droproot && !test_list_files()) goto exiterr; if (params.daemon) daemonize(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) { DLOG_PERROR("write pidfile"); goto exiterr; } fclose(Fpid); Fpid=NULL; } //splice() causes the process to receive the SIGPIPE-signal if one part (for //example a socket) is closed during splice(). I would rather have splice() //fail and return -1, so blocking SIGPIPE. Loading @@ -2114,6 +2126,7 @@ int main(int argc, char *argv[]) DLOG_CONDUP("Exiting\n"); exiterr: if (Fpid) fclose(Fpid); redir_close(); for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]); cleanup_params(); Loading
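Review bot: With the pidfile now created by `fopen(params.pidfile,"w")` before droproot but written only after daemonize, any failure in between (droproot, test_list_files, whatever else the hunk cuts) jumps to `exiterr:`, which only does `if (Fpid) fclose(Fpid);` and so leaves an empty pidfile on disk; an init script that treats an existing pidfile as "running" may then misreport the service state. Consider removing it on that path: `if (Fpid) { fclose(Fpid); unlink(params.pidfile); }`. The same applies to the `err:` label in nfq_main and the `exiterr:` label in dvt_main in nfq/nfqws.c. The enclosing main() starts and ends outside these hunks.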