Merge pull request #377 from safing/fix/cname-subdomain-checks

Fix CNAME and sub-domain matching for filterlists

firewall/bypassing.go

@@ -23,10 +23,6 @@ func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.
 			nsutil.NxDomain()
 	}
 
-	if !conn.Entity.LoadLists(ctx) {
-		return endpoints.Undeterminable, "", nil
-	}
-
 	if conn.Entity.MatchLists(resolverFilterLists) {
 		return endpoints.Denied,
 			"blocked rogue connection to DNS resolver",

firewall/master.go

@@ -94,6 +94,11 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
 		}
 	}
 
+	// prepare the entity and resolve all filterlist matches
+	conn.Entity.ResolveSubDomainLists(ctx, layeredProfile.FilterSubDomains())
+	conn.Entity.EnableCNAMECheck(ctx, layeredProfile.FilterCNAMEs())
+	conn.Entity.LoadLists(ctx)
+
 	// DNS request from the system resolver require a special decision process,
 	// because the original requesting process is not known. Here, we only check
 	// global-only and the most important per-app aspects. The resulting

intel/entity.go

@@ -149,7 +149,7 @@ func (e *Entity) ResetLists() {
 // ResolveSubDomainLists enables or disables list lookups for
 // sub-domains.
 func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
-	if e.domainListLoaded {
+	if e.domainListLoaded && enabled != e.resolveSubDomainLists {
 		log.Tracer(ctx).Warningf("intel/filterlists: tried to change sub-domain resolving for %s but lists are already fetched", e.Domain)
 	}
 	e.resolveSubDomainLists = enabled
@@ -158,7 +158,7 @@ func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
 // EnableCNAMECheck enalbes or disables list lookups for
 // entity CNAMEs.
 func (e *Entity) EnableCNAMECheck(ctx context.Context, enabled bool) {
-	if e.domainListLoaded {
+	if e.domainListLoaded && enabled != e.checkCNAMEs {
 		log.Tracer(ctx).Warningf("intel/filterlists: tried to change CNAME resolving for %s but lists are already fetched", e.Domain)
 	}
 	e.checkCNAMEs = enabled
@@ -455,10 +455,8 @@ func (e *Entity) getIPLists(ctx context.Context) {
 
 // LoadLists searches all filterlists for all occurrences of
 // this entity.
-func (e *Entity) LoadLists(ctx context.Context) bool {
+func (e *Entity) LoadLists(ctx context.Context) {
 	e.getLists(ctx)
-
-	return e.ListOccurences != nil
 }
 
 // MatchLists matches the entities lists against a slice

profile/endpoints/endpoint-lists.go

@@ -17,10 +17,6 @@ type EndpointLists struct {
 
 // Matches checks whether the given entity matches this endpoint definition.
 func (ep *EndpointLists) Matches(ctx context.Context, entity *intel.Entity) (EPResult, Reason) {
-	if !entity.LoadLists(ctx) {
-		return Undeterminable, nil
-	}
-
 	if entity.MatchLists(ep.ListSet) {
 		return ep.match(ep, entity, ep.Lists, "filterlist contains", "filterlist", entity.ListBlockReason())
 	}

profile/profile-layered.go

@@ -326,8 +326,6 @@ func (lp *LayeredProfile) MatchFilterLists(ctx context.Context, entity *intel.En
 	for _, layer := range lp.layers {
 		// Search for the first layer that has filter lists set.
 		if layer.filterListsSet {
-			entity.LoadLists(ctx)
-
 			if entity.MatchLists(layer.filterListIDs) {
 				return endpoints.Denied, entity.ListBlockReason()
 			}
@@ -339,8 +337,6 @@ func (lp *LayeredProfile) MatchFilterLists(ctx context.Context, entity *intel.En
 	cfgLock.RLock()
 	defer cfgLock.RUnlock()
 	if len(cfgFilterLists) > 0 {
-		entity.LoadLists(ctx)
-
 		if entity.MatchLists(cfgFilterLists) {
 			return endpoints.Denied, entity.ListBlockReason()
 		}