Fix routing for Portmaster connections

firewall/interception.go

@@ -322,39 +322,32 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 func initialHandler(conn *network.Connection, pkt packet.Packet) {
 	log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler")
 
-	// Check for pre-authenticated port.
-	if !conn.Inbound && localPortIsPreAuthenticated(conn.Entity.Protocol, conn.LocalPort) {
+	switch {
+	case !conn.Inbound && localPortIsPreAuthenticated(conn.Entity.Protocol, conn.LocalPort):
 		// Approve connection.
 		conn.Accept("connection by Portmaster", noReasonOptionKey)
 		conn.Internal = true
-		// Finalize connection.
-		conn.StopFirewallHandler()
-		issueVerdict(conn, pkt, 0, true)
-		return
-	}
 
-	// Redirect rogue dns requests to the Portmaster.
-	if pkt.IsOutbound() &&
+
+	case pkt.IsOutbound() &&
 		pkt.Info().DstPort == 53 &&
 		conn.Process().Pid != ownPID &&
 		nameserverIPMatcherReady.IsSet() &&
-		!nameserverIPMatcher(pkt.Info().Dst) {
+		!nameserverIPMatcher(pkt.Info().Dst):
+		// Reroute rogue dns queries back to Portmaster.
 		conn.Verdict = network.VerdictRerouteToNameserver
 		conn.Reason.Msg = "redirecting rogue dns query"
 		conn.Internal = true
+		// End directly, as no other processing is necessary.
 		conn.StopFirewallHandler()
 		issueVerdict(conn, pkt, 0, true)
 		return
-	}
 
-	// TODO: enable inspecting again
-	conn.Inspecting = false
-
-	// Filter, if enabled.
-	if filterEnabled() {
+	case filterEnabled():
 		log.Tracer(pkt.Ctx()).Trace("filter: starting decision process")
 		DecideOnConnection(pkt.Ctx(), conn, pkt)
-	} else {
+
+	default:
 		conn.Accept("privacy filter disabled", noReasonOptionKey)
 	}
 
@@ -366,6 +359,8 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 
 		// Exclude requests of the SPN itself.
 		if !captain.IsExcepted(conn.Entity.IP) {
+			conn.Tunneled = true
+
 			// Check if client is ready.
 			if captain.ClientReady() {
 				// Queue request in sluice.
@@ -385,6 +380,9 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 		}
 	}
 
+	// TODO: enable inspecting again
+	conn.Inspecting = false
+
 	switch {
 	case conn.Inspecting:
 		log.Tracer(pkt.Ctx()).Trace("filter: start inspecting")

go.sum

@@ -480,6 +480,7 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tannerryan/ring v1.1.2 h1:iXayOjqHQOLzuy9GwSKuG3nhWfzQkldMlQivcgIr7gQ=
@@ -1000,6 +1001,7 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=