Merge branch 'develop' into fix/verdict-cache-update

README.md

@@ -30,7 +30,7 @@ With great defaults your privacy improves without any effort. And if you want to
 
 [![It's FOSS](https://safing.io/assets/img//external/itsfoss.png)](https://news.itsfoss.com/portmaster-1-release/)
        
-[![ghacks.net](https://safing.io/assets/img//external/ghacks.png)](https://www.ghacks.net/2022/05/16/first-look-at-portmaster-an-open-source-cross-platform-network-monitor/)
+[![ghacks.net](https://safing.io/assets/img//external/ghacks.png)](https://www.ghacks.net/2022/11/08/portmaster-1-0-released-open-source-application-firewall/)
    
 [![Techlore](https://safing.io/assets/img//external/techlore.png)](https://www.youtube.com/watch?v=E8cTRhGtmcM)
 

firewall/tunnel.go

@@ -137,12 +137,23 @@ func requestTunneling(ctx context.Context, conn *network.Connection) error {
 		conn.TunnelOpts.RequireVerifiedOwners = captain.NonCommunityVerifiedOwners
 	}
 
-	// If we have any exit hub policies, we need to raise the routing algorithm at least to single-hop.
+	// Get routing profile for checking for upgrades.
-	if conn.TunnelOpts.RoutingProfile == navigator.RoutingProfileHomeID &&
+	routingProfile := navigator.GetRoutingProfile(conn.TunnelOpts.RoutingProfile)
-		conn.TunnelOpts.HubPoliciesAreSet() {
+
+	// If we have any exit hub policies, we must be able to hop in order to follow the policy.
+	// Switch to single-hop routing to allow for routing with hub selection.
+	if routingProfile.MaxHops <= 1 && conn.TunnelOpts.HubPoliciesAreSet() {
 		conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileSingleHopID
 	}
 
+	// If the current home node is not trusted, then upgrade at least to two hops.
+	if routingProfile.MinHops < 2 {
+		homeNode, _ := navigator.Main.GetHome()
+		if homeNode != nil && !homeNode.State.Has(navigator.StateTrusted) {
+			conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileDoubleHopID
+		}
+	}
+
 	// Special handling for the internal DNS resolver.
 	if conn.Process().Pid == ownPID && resolver.IsResolverAddress(conn.Entity.IP, conn.Entity.Port) {
 		dnsExitHubPolicy, err := captain.GetDNSExitHubPolicy()

go.mod

@@ -17,8 +17,8 @@ require (
 	github.com/miekg/dns v1.1.50
 	github.com/oschwald/maxminddb-golang v1.10.0
 	github.com/safing/jess v0.3.1
-	github.com/safing/portbase v0.16.2
+	github.com/safing/portbase v0.16.3
-	github.com/safing/spn v0.5.4
+	github.com/safing/spn v0.5.5
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/spf13/cobra v1.5.0
 	github.com/spkg/zipfs v0.7.1

go.sum

@@ -192,10 +192,14 @@ github.com/safing/jess v0.3.1/go.mod h1:aj73Eot1zm2ETkJuw9hJlIO8bRom52uBbsCHemvl
 github.com/safing/portbase v0.15.2/go.mod h1:5bHi99fz7Hh/wOsZUOI631WF9ePSHk57c4fdlOMS91Y=
 github.com/safing/portbase v0.16.2 h1:ZlCZBZkKmgJDR+sHSRbFc9mM8m9qYtu8agE1xCirvQU=
 github.com/safing/portbase v0.16.2/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
+github.com/safing/portbase v0.16.3 h1:9P8h5KWg7zaeW66pYaW1RN+5jUUwhFo1ruKa80aX/do=
+github.com/safing/portbase v0.16.3/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
 github.com/safing/spn v0.5.3 h1:aebwD3RI7OqtbBDK9HoqhKHcEH/i021Klrkl+dOq1Dc=
 github.com/safing/spn v0.5.3/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
 github.com/safing/spn v0.5.4 h1:9xM4a9kBSg0dV6eR7mEYLjVT5vvNX2PRO9cIP5l9F5A=
 github.com/safing/spn v0.5.4/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
+github.com/safing/spn v0.5.5 h1:OpBOJCPLbx+1B5aMd0EQzP/0IgZGp/PFsso7ybUPuhs=
+github.com/safing/spn v0.5.5/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/seehuhn/fortuna v1.0.1 h1:lu9+CHsmR0bZnx5Ay646XvCSRJ8PJTi5UYJwDBX68H0=

profile/config.go

@@ -6,6 +6,7 @@ import (
 	"github.com/safing/portbase/config"
 	"github.com/safing/portmaster/profile/endpoints"
 	"github.com/safing/portmaster/status"
+	"github.com/safing/spn/navigator"
 )
 
 // Configuration Keys.
@@ -680,13 +681,12 @@ By default, the Portmaster tries to choose the node closest to the destination a
 	cfgStringArrayOptions[CfgOptionExitHubPolicyKey] = cfgOptionExitHubPolicy
 
 	// Select SPN Routing Algorithm
-	defaultRoutingAlg := "double-hop"
 	err = config.Register(&config.Option{
 		Name:         "Select SPN Routing Algorithm",
 		Key:          CfgOptionRoutingAlgorithmKey,
-		Description:  "Select the routing algorithm for your connections through the SPN. Configure your preferred balance between speed and privacy.",
+		Description:  "Select the routing algorithm for your connections through the SPN. Configure your preferred balance between speed and privacy. Portmaster may automatically upgrade the routing algorithm if necessary to protect your privacy.",
 		OptType:      config.OptTypeString,
-		DefaultValue: defaultRoutingAlg,
+		DefaultValue: navigator.DefaultRoutingProfileID,
 		Annotations: config.Annotations{
 			config.DisplayHintAnnotation:  config.DisplayHintOneOf,
 			config.DisplayOrderAnnotation: cfgOptionRoutingAlgorithmOrder,
@@ -718,7 +718,7 @@ By default, the Portmaster tries to choose the node closest to the destination a
 	if err != nil {
 		return err
 	}
-	cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, defaultRoutingAlg)
+	cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, navigator.DefaultRoutingProfileID)
 	cfgStringOptions[CfgOptionRoutingAlgorithmKey] = cfgOptionRoutingAlgorithm
 
 	return nil