diff --git a/firewall/bypassing.go b/firewall/bypassing.go
index 6554643a..a7af6ee1 100644
--- a/firewall/bypassing.go
+++ b/firewall/bypassing.go
@@ -23,10 +23,6 @@ func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.
 nsutil.NxDomain()
 }
 
- if !conn.Entity.LoadLists(ctx) {
- return endpoints.Undeterminable, "", nil
- }
-
 if conn.Entity.MatchLists(resolverFilterLists) {
 return endpoints.Denied,
 "blocked rogue connection to DNS resolver",
diff --git a/firewall/master.go b/firewall/master.go
index 58007799..d2fe21bb 100644
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -94,6 +94,11 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
 }
 }
 
+ // prepare the entity and resolve all filterlist matches
+ conn.Entity.ResolveSubDomainLists(ctx, layeredProfile.FilterSubDomains())
+ conn.Entity.EnableCNAMECheck(ctx, layeredProfile.FilterCNAMEs())
+ conn.Entity.LoadLists(ctx)
+
 // DNS request from the system resolver require a special decision process,
 // because the original requesting process is not known. Here, we only check
 // global-only and the most important per-app aspects. The resulting
diff --git a/intel/entity.go b/intel/entity.go
index d03cc3b6..a15a4af3 100644
--- a/intel/entity.go
+++ b/intel/entity.go
@@ -149,7 +149,7 @@ func (e *Entity) ResetLists() {
 // ResolveSubDomainLists enables or disables list lookups for
 // sub-domains.
 func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
- if e.domainListLoaded {
+ if e.domainListLoaded && enabled != e.resolveSubDomainLists {
 log.Tracer(ctx).Warningf("intel/filterlists: tried to change sub-domain resolving for %s but lists are already fetched", e.Domain)
 }
 e.resolveSubDomainLists = enabled
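Review bot: The rogue-resolver check in PreventBypassing now depends on the caller having run `conn.Entity.LoadLists` first; an entity whose lists were never fetched presumably has no occurrences, so `conn.Entity.MatchLists(resolverFilterLists)` reports no match and the connection falls through unblocked, where the removed guard at least made that state explicit. That is acceptable as long as every path into PreventBypassing goes through DecideOnConnection, but nothing in this hunk enforces it. If LoadLists is a no-op once lists are fetched (the domainListLoaded flag in entity.go suggests so), keeping a `conn.Entity.LoadLists(ctx)` call here keeps the check self-sufficient at no cost; otherwise state the precondition in the function doc, e.g. `// PreventBypassing expects conn.Entity.LoadLists to have run; an entity with unloaded lists never matches and is not blocked here.` PreventBypassing's signature and the remainder of its body lie outside the hunk.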
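Review bot: The order of the three new calls is load-bearing — the sub-domain and CNAME settings only take effect if applied before `LoadLists`, and entity.go now merely logs a warning when they change afterwards — but the one-line comment does not say so, and a later reordering would silently weaken list matching without any error. Suggest `// Configure sub-domain and CNAME lookups before LoadLists; the entity ignores (and only warns about) changes made after its lists are fetched.` It is also unclear from here whether the entity can already have loaded lists at this point (for example from an earlier DNS-request decision on the same entity); if it can, the profile's FilterSubDomains/FilterCNAMEs settings would not be applied for this connection and only a warning would be logged. DecideOnConnection's body continues outside the hunk.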
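Review bot: After the warning, `e.resolveSubDomainLists = enabled` still overwrites the flag even though the lists already fetched reflect the old setting, so the entity now reports a lookup mode it did not actually use; the new condition only makes the log quieter, it does not resolve the inconsistency. Since `ResetLists` exists on Entity (visible in the hunk header), a safer shape is to drop the stale results so the next LoadLists honours the new setting, assuming ResetLists clears domainListLoaded: `if e.domainListLoaded && enabled != e.resolveSubDomainLists { log.Tracer(ctx).Warningf(...); e.ResetLists() }` — or, if re-fetching is not wanted, return without changing the flag. The same applies to EnableCNAMECheck in the following hunk. The function's closing brace is outside the hunk.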
@@ -158,7 +158,7 @@ func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
 // EnableCNAMECheck enalbes or disables list lookups for
 // entity CNAMEs.
 func (e *Entity) EnableCNAMECheck(ctx context.Context, enabled bool) {
- if e.domainListLoaded {
+ if e.domainListLoaded && enabled != e.checkCNAMEs {
 log.Tracer(ctx).Warningf("intel/filterlists: tried to change CNAME resolving for %s but lists are already fetched", e.Domain)
 }
 e.checkCNAMEs = enabled
@@ -455,10 +455,8 @@ func (e *Entity) getIPLists(ctx context.Context) {
 
 // LoadLists searches all filterlists for all occurrences of
 // this entity.
-func (e *Entity) LoadLists(ctx context.Context) bool {
+func (e *Entity) LoadLists(ctx context.Context) {
 e.getLists(ctx)
-
- return e.ListOccurences != nil
 }
 
 // MatchLists matches the entities lists against a slice
diff --git a/profile/endpoints/endpoint-lists.go b/profile/endpoints/endpoint-lists.go
index 618c66d9..58e48be7 100644
--- a/profile/endpoints/endpoint-lists.go
+++ b/profile/endpoints/endpoint-lists.go
@@ -17,10 +17,6 @@ type EndpointLists struct {
 
 // Matches checks whether the given entity matches this endpoint definition.
 func (ep *EndpointLists) Matches(ctx context.Context, entity *intel.Entity) (EPResult, Reason) {
- if !entity.LoadLists(ctx) {
- return Undeterminable, nil
- }
-
 if entity.MatchLists(ep.ListSet) {
 return ep.match(ep, entity, ep.Lists, "filterlist contains", "filterlist", entity.ListBlockReason())
 }
diff --git a/profile/profile-layered.go b/profile/profile-layered.go
index 27b33843..60948b28 100644
--- a/profile/profile-layered.go
+++ b/profile/profile-layered.go
@@ -326,8 +326,6 @@ func (lp *LayeredProfile) MatchFilterLists(ctx context.Context, entity *intel.En
 for _, layer := range lp.layers {
 // Search for the first layer that has filter lists set.
 if layer.filterListsSet {
- entity.LoadLists(ctx)
-
 if entity.MatchLists(layer.filterListIDs) {
 return endpoints.Denied, entity.ListBlockReason()
 }
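Review bot: With the boolean result gone, callers of LoadLists can no longer tell "entity is on no list" from "lists were never loaded or are unavailable", and `MatchLists` on an unloaded entity presumably just reports no match, so every consumer in this diff now fails open silently if the LoadLists call in DecideOnConnection is skipped or the list source is unavailable. The old return value conflated those two cases as well, so dropping it is reasonable, but the contract should be written down on the function: `// LoadLists searches all filterlists for all occurrences of this entity. It must run after ResolveSubDomainLists/EnableCNAMECheck and before any MatchLists call; an entity whose lists were not loaded never matches.` If getLists can fail (for instance when the filterlist database is not ready), consider surfacing that as an error so callers can fail closed instead of treating the entity as unlisted. MatchLists itself starts after the end of the hunk.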
@@ -339,8 +337,6 @@ func (lp *LayeredProfile) MatchFilterLists(ctx context.Context, entity *intel.En
 cfgLock.RLock()
 defer cfgLock.RUnlock()
 if len(cfgFilterLists) > 0 {
- entity.LoadLists(ctx)
-
 if entity.MatchLists(cfgFilterLists) {
 return endpoints.Denied, entity.ListBlockReason()
 }