Merge pull request #187 from safing/feature/config-wording-update

Config wording update
Patrick Pacher 2020-11-04 15:31:05 +01:00 committed by GitHub
commit 24d21341fd
9 changed files with 147 additions and 114 deletions


@ -35,7 +35,7 @@ func registerConfig() error {
ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: defaultDevMode,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 127,
config.DisplayOrderAnnotation: 512,
config.CategoryAnnotation: "Development",
},
})
@ -52,8 +52,8 @@ func registerConfig() error {
ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: true, // TODO: turn off by default on unsupported systems
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 32,
config.CategoryAnnotation: "General",
config.DisplayOrderAnnotation: -15,
config.CategoryAnnotation: "User Interface",
},
})
if err != nil {


@ -18,7 +18,7 @@ var (
askTimeout config.IntOption
CfgOptionPermanentVerdictsKey = "filter/permanentVerdicts"
cfgOptionPermanentVerdictsOrder = 128
cfgOptionPermanentVerdictsOrder = 96
permanentVerdicts config.BoolOption
devMode config.BoolOption
@ -29,7 +29,7 @@ func registerConfig() error {
err := config.Register(&config.Option{
Name: "Permanent Verdicts",
Key: CfgOptionPermanentVerdictsKey,
Description: "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.",
Description: "The Portmaster's system integration intercepts every single packet. Usually the first packet is enough for the Portmaster to set the verdict for a connection - ie. to allow or deny it. Making these verdicts permanent means that the Portmaster will tell the system integration that is does not want to see any more packets of that single connection. This brings a major performance increase.",
OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelDeveloper,
ReleaseLevel: config.ReleaseLevelExperimental,
@ -50,7 +50,6 @@ func registerConfig() error {
Description: `In addition to showing prompt notifications in the Portmaster App, also send them to the Desktop. This requires the Portmaster Notifier to be running. Requires Desktop Notifications to be enabled.`,
OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionAskWithSystemNotificationsOrder,
@ -68,11 +67,10 @@ func registerConfig() error {
err = config.Register(&config.Option{
Name: "Prompt Timeout",
Key: CfgOptionAskTimeoutKey,
Description: "How long the Portmaster will wait for a reply to a prompt notification. Please note that Desktop Notifications might not respect this or have it's own limits.",
Description: "How long the Portmaster will wait for a reply to a prompt notification. Please note that Desktop Notifications might not respect this or have their own limits.",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: 60,
DefaultValue: 20,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionAskTimeoutOrder,
config.UnitAnnotation: "seconds",
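Review bot: The new Permanent Verdicts description carries a typo in a user-facing string: `tell the system integration that is does not want to see any more packets` should read `that it does not want to see any more packets`. In the same file the Prompt Timeout default drops from 60 to 20 seconds, which is a behaviour change rather than wording; a one-line comment next to `DefaultValue: 20,` stating why the shorter wait was chosen would save the next reader from guessing. Both registerConfig bodies in this section continue outside the hunks.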


@ -115,7 +115,18 @@ func filterDNSResponse(conn *network.Connection, rrCache *resolver.RRCache) *res
if len(rrCache.FilteredEntries) > 0 {
rrCache.Filtered = true
if validIPs == 0 {
conn.Block("no addresses returned for this domain are permitted", interveningOptionKey)
switch interveningOptionKey {
case profile.CfgOptionBlockScopeInternetKey:
conn.Block("Internet access blocked", interveningOptionKey)
case profile.CfgOptionBlockScopeLANKey:
conn.Block("LAN access blocked", interveningOptionKey)
case profile.CfgOptionBlockScopeLocalKey:
conn.Block("Localhost access blocked", interveningOptionKey)
case profile.CfgOptionRemoveOutOfScopeDNSKey:
conn.Block("DNS global/private split-view violation", interveningOptionKey)
default:
conn.Block("DNS response only contained to-be-blocked IPs", interveningOptionKey)
}
// If all entries are filtered, this could mean that these are broken/bogus resource records.
if rrCache.Expired() {
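Review bot: The mapping from the intervening option key to the verdict text is a lookup, and inlining it in filterDNSResponse makes it hard to test and easy to fork when another call site needs the same wording; extracting it as `func blockReasonForOption(key string) string` that returns the string and calling `conn.Block(blockReasonForOption(interveningOptionKey), interveningOptionKey)` keeps this function focused on the DNS decision. The `default` branch is presumably how `profile.CfgOptionRemoveBlockedDNSKey` is handled; if so, naming it as an explicit `case` would keep a key added later from silently inheriting the "only contained to-be-blocked IPs" text. filterDNSResponse continues outside the hunk.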


@ -16,12 +16,12 @@ func registerConfiguration() error {
err := config.Register(&config.Option{
Name: "Process Detection",
Key: CfgOptionEnableProcessDetectionKey,
Description: "This option enables the attribution of network traffic to processes. This should be always enabled, and effectively disables app profiles if disabled.",
Description: "This option enables the attribution of network traffic to processes. This should always be enabled, and effectively disables app profiles if disabled.",
OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelDeveloper,
DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 144,
config.DisplayOrderAnnotation: 528,
config.CategoryAnnotation: "Development",
},
})


@ -13,13 +13,18 @@ var (
cfgIntOptions = make(map[string]config.IntOption)
cfgBoolOptions = make(map[string]config.BoolOption)
// General
// Enable Filter Order = 0
CfgOptionDefaultActionKey = "filter/defaultAction"
cfgOptionDefaultAction config.StringOption
cfgOptionDefaultActionOrder = 1
// Prompt Timeout Order = 2
// Prompt Desktop Notifications Order = 2
// Prompt Timeout Order = 3
// Network Scopes
CfgOptionBlockScopeInternetKey = "filter/blockInternet"
cfgOptionBlockScopeInternet config.IntOption // security level option
@ -33,6 +38,8 @@ var (
cfgOptionBlockScopeLocal config.IntOption // security level option
cfgOptionBlockScopeLocalOrder = 18
// Connection Types
CfgOptionBlockP2PKey = "filter/blockP2P"
cfgOptionBlockP2P config.IntOption // security level option
cfgOptionBlockP2POrder = 19
@ -41,6 +48,8 @@ var (
cfgOptionBlockInbound config.IntOption // security level option
cfgOptionBlockInboundOrder = 20
// Rules
CfgOptionEndpointsKey = "filter/endpoints"
cfgOptionEndpoints config.StringArrayOption
cfgOptionEndpointsOrder = 32
@ -49,43 +58,47 @@ var (
cfgOptionServiceEndpoints config.StringArrayOption
cfgOptionServiceEndpointsOrder = 33
CfgOptionPreventBypassingKey = "filter/preventBypassing"
cfgOptionPreventBypassing config.IntOption // security level option
cfgOptionPreventBypassingOrder = 48
CfgOptionFilterListsKey = "filter/lists"
cfgOptionFilterLists config.StringArrayOption
cfgOptionFilterListsOrder = 64
cfgOptionFilterListsOrder = 34
CfgOptionFilterSubDomainsKey = "filter/includeSubdomains"
cfgOptionFilterSubDomains config.IntOption // security level option
cfgOptionFilterSubDomainsOrder = 65
cfgOptionFilterSubDomainsOrder = 35
// DNS Filtering
CfgOptionFilterCNAMEKey = "filter/includeCNAMEs"
cfgOptionFilterCNAME config.IntOption // security level option
cfgOptionFilterCNAMEOrder = 66
CfgOptionDisableAutoPermitKey = "filter/disableAutoPermit"
cfgOptionDisableAutoPermit config.IntOption // security level option
cfgOptionDisableAutoPermitOrder = 80
cfgOptionFilterCNAMEOrder = 48
CfgOptionRemoveOutOfScopeDNSKey = "filter/removeOutOfScopeDNS"
cfgOptionRemoveOutOfScopeDNS config.IntOption // security level option
cfgOptionRemoveOutOfScopeDNSOrder = 112
cfgOptionRemoveOutOfScopeDNSOrder = 49
CfgOptionRemoveBlockedDNSKey = "filter/removeBlockedDNS"
cfgOptionRemoveBlockedDNS config.IntOption // security level option
cfgOptionRemoveBlockedDNSOrder = 113
cfgOptionRemoveBlockedDNSOrder = 50
CfgOptionDomainHeuristicsKey = "filter/domainHeuristics"
cfgOptionDomainHeuristics config.IntOption // security level option
cfgOptionDomainHeuristicsOrder = 114
cfgOptionDomainHeuristicsOrder = 51
// Permanent Verdicts Order = 128
// Advanced
CfgOptionPreventBypassingKey = "filter/preventBypassing"
cfgOptionPreventBypassing config.IntOption // security level option
cfgOptionPreventBypassingOrder = 64
CfgOptionDisableAutoPermitKey = "filter/disableAutoPermit"
cfgOptionDisableAutoPermit config.IntOption // security level option
cfgOptionDisableAutoPermitOrder = 65
// Permanent Verdicts Order = 96
CfgOptionUseSPNKey = "spn/useSPN"
cfgOptionUseSPN config.BoolOption
cfgOptionUseSPNOrder = 128
cfgOptionUseSPNOrder = 129
)
func registerConfiguration() error {
@ -94,10 +107,9 @@ func registerConfiguration() error {
// ask - ask mode: if not verdict is found, the user is consulted
// block - allowlist mode: everything is blocked unless permitted
err := config.Register(&config.Option{
Name: "Default Action",
Key: CfgOptionDefaultActionKey,
// TODO: Discuss "when nothing else"
Description: `The default action when nothing else permits or blocks an outgoing connection. Inbound connections are always blocked by default.`,
Name: "Default Action",
Key: CfgOptionDefaultActionKey,
Description: `The default action when nothing else permits or blocks an outgoing connection. Incoming connections are always blocked by default.`,
OptType: config.OptTypeString,
DefaultValue: "permit",
Annotations: config.Annotations{
@ -111,16 +123,16 @@ func registerConfiguration() error {
Value: "permit",
Description: "Permit all connections",
},
{
Name: "Prompt",
Value: "ask",
Description: "Always ask for a decision",
},
{
Name: "Block",
Value: "block",
Description: "Block all connections",
},
{
Name: "Prompt",
Value: "ask",
Description: "Prompt for decisions",
},
},
})
if err != nil {
@ -131,10 +143,10 @@ func registerConfiguration() error {
// Disable Auto Permit
err = config.Register(&config.Option{
// TODO: Discuss
// TODO: Check how to best handle negation here.
Name: "Disable Auto Permit",
Key: CfgOptionDisableAutoPermitKey,
Description: `Auto Permit searches for a relation between an app and the destination of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where "higher settings" provide more protection.`,
Description: `Auto Permit searches for a relation between an app and the destination of a connection - if there is a correlation, the connection will be permitted.`,
OptType: config.OptTypeInt,
ReleaseLevel: config.ReleaseLevelBeta,
DefaultValue: status.SecurityLevelsAll,
@ -181,7 +193,7 @@ Examples:
err = config.Register(&config.Option{
Name: "Outgoing Rules",
Key: CfgOptionEndpointsKey,
Description: "Rules that apply to outgoing network connections. Network Scope restrictions still apply.",
Description: "Rules that apply to outgoing network connections. Cannot overrule Network Scopes and Connection Types (see above).",
Help: filterListHelp,
OptType: config.OptTypeStringArray,
DefaultValue: []string{},
@ -201,12 +213,13 @@ Examples:
// Service Endpoint Filter List
err = config.Register(&config.Option{
Name: "Incoming Rules",
Key: CfgOptionServiceEndpointsKey,
Description: "Rules that apply to incoming network connections. Network Scope restrictions and the incoming permission still apply. Also note that the default action for incoming connections is to always block.",
Help: filterListHelp,
OptType: config.OptTypeStringArray,
DefaultValue: []string{"+ Localhost"},
Name: "Incoming Rules",
Key: CfgOptionServiceEndpointsKey,
Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above). Also note that the default action for incoming connections is to always block.",
Help: filterListHelp,
OptType: config.OptTypeStringArray,
DefaultValue: []string{"+ Localhost"},
ExpertiseLevel: config.ExpertiseLevelExpert,
Annotations: config.Annotations{
config.StackableAnnotation: true,
config.DisplayHintAnnotation: endpoints.DisplayHintEndpointList,
@ -260,16 +273,16 @@ Examples:
// Include CNAMEs
err = config.Register(&config.Option{
Name: "Check Domain Aliases",
Name: "Block Domain Aliases",
Key: CfgOptionFilterCNAMEKey,
Description: "In addition to checking a domain against rules and filter lists, also check it's resolved CNAMEs.",
Description: "Block a domain if a resolved CNAME (alias) is blocked by a rule or filter list.",
OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelsAll,
ExpertiseLevel: config.ExpertiseLevelExpert,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionFilterCNAMEOrder,
config.CategoryAnnotation: "DNS",
config.CategoryAnnotation: "DNS Filtering",
},
PossibleValues: status.SecurityLevelValues,
})
@ -281,16 +294,16 @@ Examples:
// Include subdomains
err = config.Register(&config.Option{
Name: "Check Subdomains",
Name: "Block Subdomains of Filter List Entries",
Key: CfgOptionFilterSubDomainsKey,
Description: "Also block a domain if any parent domain is blocked by a filter list",
Description: "Additionally block all subdomains of entries in selected filter lists.",
OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelsAll,
PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionFilterSubDomainsOrder,
config.CategoryAnnotation: "DNS",
config.CategoryAnnotation: "Rules",
},
})
if err != nil {
@ -303,7 +316,7 @@ Examples:
err = config.Register(&config.Option{
Name: "Block Device-Local Connections",
Key: CfgOptionBlockScopeLocalKey,
Description: "Block all internal connections on your own device, ie. localhost.",
Description: "Block all internal connections on your own device, ie. localhost. Is stronger than Rules (see below).",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
DefaultValue: status.SecurityLevelOff,
@ -311,7 +324,7 @@ Examples:
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockScopeLocalOrder,
config.CategoryAnnotation: "Scopes & Types",
config.CategoryAnnotation: "Network Scope",
},
})
if err != nil {
@ -324,14 +337,14 @@ Examples:
err = config.Register(&config.Option{
Name: "Block LAN",
Key: CfgOptionBlockScopeLANKey,
Description: "Block all connections from and to the Local Area Network.",
Description: "Block all connections from and to the Local Area Network. Is stronger than Rules (see below).",
OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelsHighAndExtreme,
PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockScopeLANOrder,
config.CategoryAnnotation: "Scopes & Types",
config.CategoryAnnotation: "Network Scope",
},
})
if err != nil {
@ -342,16 +355,16 @@ Examples:
// Block Scope Internet
err = config.Register(&config.Option{
Name: "Block Internet",
Name: "Block Internet Access",
Key: CfgOptionBlockScopeInternetKey,
Description: "Block connections from and to the Internet.",
Description: "Block connections from and to the Internet. Is stronger than Rules (see below).",
OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelOff,
PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockScopeInternetOrder,
config.CategoryAnnotation: "Scopes & Types",
config.CategoryAnnotation: "Network Scope",
},
})
if err != nil {
@ -364,14 +377,14 @@ Examples:
err = config.Register(&config.Option{
Name: "Block P2P/Direct Connections",
Key: CfgOptionBlockP2PKey,
Description: "These are connections that are established directly to an IP address or peer on the Internet without resolving a domain name via DNS first.",
Description: "These are connections that are established directly to an IP address or peer on the Internet without resolving a domain name via DNS first. Is stronger than Rules (see below).",
OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelExtreme,
PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockP2POrder,
config.CategoryAnnotation: "Scopes & Types",
config.CategoryAnnotation: "Connection Types",
},
})
if err != nil {
@ -384,14 +397,14 @@ Examples:
err = config.Register(&config.Option{
Name: "Block Incoming Connections",
Key: CfgOptionBlockInboundKey,
Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.",
Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software. Is stronger than Rules (see below).",
OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelsHighAndExtreme,
PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockInboundOrder,
config.CategoryAnnotation: "Scopes & Types",
config.CategoryAnnotation: "Connection Types",
},
})
if err != nil {
@ -402,17 +415,17 @@ Examples:
// Filter Out-of-Scope DNS Records
err = config.Register(&config.Option{
Name: "Enforce global/private split-view",
Name: "Enforce Global/Private Split-View",
Key: CfgOptionRemoveOutOfScopeDNSKey,
Description: "Remove private IP addresses from public DNS responses.",
Description: "Reject private IP addresses (RFC1918 et al.) from public DNS responses.",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ExpertiseLevel: config.ExpertiseLevelDeveloper,
DefaultValue: status.SecurityLevelsAll,
PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionRemoveOutOfScopeDNSOrder,
config.CategoryAnnotation: "DNS",
config.CategoryAnnotation: "DNS Filtering",
},
})
if err != nil {
@ -423,17 +436,17 @@ Examples:
// Filter DNS Records that would be blocked
err = config.Register(&config.Option{
Name: "Remove blocked records",
Name: "Reject Blocked IPs",
Key: CfgOptionRemoveBlockedDNSKey,
Description: "Remove blocked IP addresses from DNS responses.",
Description: "Reject blocked IP addresses directly from the DNS response instead of handing them over to the app and blocking a resulting connection.",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ExpertiseLevel: config.ExpertiseLevelDeveloper,
DefaultValue: status.SecurityLevelsAll,
PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionRemoveBlockedDNSOrder,
config.CategoryAnnotation: "DNS",
config.CategoryAnnotation: "DNS Filtering",
},
})
if err != nil {
@ -444,9 +457,9 @@ Examples:
// Domain heuristics
err = config.Register(&config.Option{
Name: "Domain Heuristics",
Name: "Enable Domain Heuristics",
Key: CfgOptionDomainHeuristicsKey,
Description: "Domain Heuristics checks for suspicious domain names and blocks them. This option currently targets domain names generated by malware and DNS data exfiltration channels.",
Description: "Checks for suspicious domain names and blocks them. This option currently targets domain names generated by malware and DNS data exfiltration channels.",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
DefaultValue: status.SecurityLevelsAll,
@ -454,7 +467,7 @@ Examples:
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionDomainHeuristicsOrder,
config.CategoryAnnotation: "DNS",
config.CategoryAnnotation: "DNS Filtering",
},
})
if err != nil {
@ -464,9 +477,10 @@ Examples:
// Bypass prevention
err = config.Register(&config.Option{
Name: "Prevent Bypassing",
Name: "Block Bypassing",
Key: CfgOptionPreventBypassingKey,
Description: `Prevent apps from bypassing the privacy filter:
Description: `Prevent apps from bypassing the privacy filter.
Current Features:
- Disable Firefox' internal DNS-over-HTTPs resolver`,
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser,
@ -489,9 +503,8 @@ Examples:
err = config.Register(&config.Option{
Name: "Use SPN",
Key: CfgOptionUseSPNKey,
Description: "Route connection through the Safing Privacy Network. If it is unavailable for any reason, connections will be blocked.",
Description: "Route connections through the Safing Privacy Network. If it is disabled or unavailable for any reason, connections will be blocked.",
OptType: config.OptTypeBool,
ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionUseSPNOrder,
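Review bot: The split-view enforcement and blocked-IP rejection options move from `config.ExpertiseLevelExpert` to `config.ExpertiseLevelDeveloper` (the two `ExpertiseLevel:` changes in the "Enforce Global/Private Split-View" and "Reject Blocked IPs" hunks), which hides two security-relevant DNS filters from expert users in a commit described as a wording update. If that is intended, a short comment beside each, such as `// Developer-only: changing this is rarely useful and the DNS filter already enforces the safe default`, would record the reasoning; otherwise keeping them at Expert seems the safer choice. The rest of the hunks (display orders, categories, descriptions) read consistently with the reordered comments at the top of the `var` block. registerConfiguration continues outside the hunks.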


@ -82,8 +82,12 @@ func prepConfig() error {
Name: "DNS Servers",
Key: CfgOptionNameServersKey,
Description: "DNS Servers to use for resolving DNS requests.",
Help: strings.ReplaceAll(`DNS Servers are configured in a URL format. This allows you to specify special settings for a resolver. If you just want to use a resolver at IP 10.2.3.4, please enter: "dns://10.2.3.4"
The format is: "protocol://ip:port?parameter=value&parameter=value"
Help: strings.ReplaceAll(`DNS Servers are used in the order as entered. The first one will be used as the primary DNS Server. Only if it fails, will the other servers be used as a fallback - in their respective order. If all fail, or if no DNS Server is configured here, the Portmaster will use the one configured in your system or network.
Additionally, if it is more likely that the DNS Server of your system or network has a (better) answer to a request, they will be asked first. This will be the case for special local domains and domain spaces announced on the current network.
DNS Servers are configured in a URL format. This allows you to specify special settings for a resolver. If you just want to use a resolver at IP 10.2.3.4, please enter: "dns://10.2.3.4"
The format is: "protocol://ip:port?parameter=value&parameter=value"
- Protocol
- "dot": DNS-over-TLS (recommended)
@ -152,7 +156,7 @@ The format is: "protocol://ip:port?parameter=value&parameter=value"
err = config.Register(&config.Option{
Name: "Retry Timeout",
Key: CfgOptionNameserverRetryRateKey,
Description: "Timeout between retries when a resolver fails.",
Description: "Timeout between retries when a DNS server fails.",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable,
@ -169,9 +173,9 @@ The format is: "protocol://ip:port?parameter=value&parameter=value"
nameserverRetryRate = config.Concurrent.GetAsInt(CfgOptionNameserverRetryRateKey, 600)
err = config.Register(&config.Option{
Name: "Ignore system resolvers",
Name: "Ignore System/Network Servers",
Key: CfgOptionNoAssignedNameserversKey,
Description: "Ignore resolvers that were acquired from the operating system.",
Description: "Ignore DNS servers configured in your system or network.",
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable,
@ -209,7 +213,7 @@ The format is: "protocol://ip:port?parameter=value&parameter=value"
noMulticastDNS = status.SecurityLevelOption(CfgOptionNoMulticastDNSKey)
err = config.Register(&config.Option{
Name: "Enforce secure DNS",
Name: "Enforce Secure DNS",
Key: CfgOptionNoInsecureProtocolsKey,
Description: "Never resolve using insecure protocols, ie. plain DNS.",
OptType: config.OptTypeInt,
@ -229,14 +233,17 @@ The format is: "protocol://ip:port?parameter=value&parameter=value"
noInsecureProtocols = status.SecurityLevelOption(CfgOptionNoInsecureProtocolsKey)
err = config.Register(&config.Option{
Name: "Block unofficial TLDs",
Key: CfgOptionDontResolveSpecialDomainsKey,
Description: fmt.Sprintf("Block %s.", formatScopeList(specialServiceDomains)),
Name: "Block Unofficial TLDs",
Key: CfgOptionDontResolveSpecialDomainsKey,
Description: fmt.Sprintf(
"Block %s. Unofficial domains may pose a security risk. This does not affect .onion domains in the Tor Browser.",
formatScopeList(specialServiceDomains),
),
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: status.SecurityLevelsAll,
PossibleValues: status.SecurityLevelValues,
PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionDontResolveSpecialDomainsOrder,
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
@ -254,7 +261,7 @@ The format is: "protocol://ip:port?parameter=value&parameter=value"
func formatScopeList(list []string) string {
formatted := make([]string, 0, len(list))
for _, domain := range list {
formatted = append(formatted, strings.Trim(domain, "."))
formatted = append(formatted, strings.TrimRight(domain, "."))
}
return strings.Join(formatted, ", ")
}
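Review bot: formatScopeList switches from `strings.Trim` to `strings.TrimRight`, so entries in specialServiceDomains that start with a dot now keep that leading dot in the rendered description; that looks deliberate, so the entries read as suffixes in the "Block Unofficial TLDs" text, but nothing says so and a later reader may "fix" it back. A doc comment on the function would pin the intent: `// formatScopeList joins the domains for display, dropping only trailing dots so suffix-style entries keep their leading dot.` The new Description also widens PossibleValues to `status.AllSecurityLevelValues`, which is a behaviour change worth a mention in the commit description.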


@ -204,28 +204,32 @@ func getSystemResolvers() (resolvers []*Resolver) {
return resolvers
}
const missingResolversErrorID = "missing-resolvers"
func loadResolvers() {
// TODO: what happens when a lot of processes want to reload at once? we do not need to run this multiple times in a short time frame.
resolversLock.Lock()
defer resolversLock.Unlock()
// Resolve module error about missing resolvers.
module.Resolve(missingResolversErrorID)
newResolvers := append(
getConfiguredResolvers(configuredNameServers()),
getSystemResolvers()...,
)
if len(newResolvers) == 0 {
msg := "no (valid) dns servers found in (user) configuration or system, falling back to defaults"
msg := "no (valid) dns servers found in configuration or system, falling back to defaults"
log.Warningf("resolver: %s", msg)
module.Warning("no-valid-user-resolvers", msg)
module.Warning(missingResolversErrorID, msg)
// load defaults directly, overriding config system
newResolvers = getConfiguredResolvers(defaultNameServers)
if len(newResolvers) == 0 {
msg = "no (valid) dns servers found in configuration or system"
log.Criticalf("resolver: %s", msg)
module.Error("no-valid-default-resolvers", msg)
return
module.Error(missingResolversErrorID, msg)
}
}
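Review bot: The early `return` after the default-resolver fallback fails appears to be dropped along with the old `module.Error("no-valid-default-resolvers", msg)` line, with only `module.Error(missingResolversErrorID, msg)` taking its place. If the code after the hunk installs newResolvers as the active set, loadResolvers now replaces a working resolver list with an empty one on that path instead of keeping the previous list, so either the `return` should stay or the assignment should be guarded. Note also that the warning and the error now share `missingResolversErrorID`, so the later Error overrides the Warning state for the same ID, which is fine if that is the intent. loadResolvers continues outside the hunk.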


@ -14,11 +14,11 @@ const (
var (
releaseChannel config.StringOption
devMode config.BoolOption
disableUpdates config.BoolOption
enableUpdates config.BoolOption
previousReleaseChannel string
updatesCurrentlyDisabled bool
previousDevMode bool
previousReleaseChannel string
updatesCurrentlyEnabled bool
previousDevMode bool
)
func registerConfig() error {
@ -42,9 +42,9 @@ func registerConfig() error {
},
},
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 1,
config.DisplayOrderAnnotation: -4,
config.DisplayHintAnnotation: config.DisplayHintOneOf,
config.CategoryAnnotation: "Expertise & Release",
config.CategoryAnnotation: "Updates",
},
})
if err != nil {
@ -52,17 +52,17 @@ func registerConfig() error {
}
err = config.Register(&config.Option{
Name: "Disable Updates",
Key: disableUpdatesKey,
Description: "Disable automatic updates. This affects all kinds of updates, including intelligence feeds and broadcast notifications.",
Name: "Automatic Updates",
Key: enableUpdatesKey,
Description: "Enable automatic checking, downloading and applying of updates. This affects all kinds of updates, including intelligence feeds and broadcast notifications.",
OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable,
RequiresRestart: false,
DefaultValue: false,
DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 64,
config.CategoryAnnotation: "General",
config.DisplayOrderAnnotation: -12,
config.CategoryAnnotation: "Updates",
},
})
if err != nil {
@ -76,8 +76,8 @@ func initConfig() {
releaseChannel = config.GetAsString(releaseChannelKey, releaseChannelStable)
previousReleaseChannel = releaseChannel()
disableUpdates = config.GetAsBool(disableUpdatesKey, false)
updatesCurrentlyDisabled = disableUpdates()
enableUpdates = config.GetAsBool(enableUpdatesKey, true)
updatesCurrentlyEnabled = enableUpdates()
devMode = config.GetAsBool(cfgDevModeKey, false)
previousDevMode = devMode()
@ -99,10 +99,10 @@ func updateRegistryConfig(_ context.Context, _ interface{}) error {
changed = true
}
if disableUpdates() != updatesCurrentlyDisabled {
updatesCurrentlyDisabled = disableUpdates()
if enableUpdates() != updatesCurrentlyEnabled {
updatesCurrentlyEnabled = enableUpdates()
changed = true
forceUpdate = !updatesCurrentlyDisabled
forceUpdate = updatesCurrentlyEnabled
}
if changed {
@ -113,7 +113,7 @@ func updateRegistryConfig(_ context.Context, _ interface{}) error {
module.Resolve(updateFailed)
_ = TriggerUpdate()
log.Infof("updates: automatic updates enabled again.")
} else if updatesCurrentlyDisabled {
} else if !updatesCurrentlyEnabled {
module.Warning(updateFailed, "Automatic updates are disabled! This also affects security updates and threat intelligence.")
log.Warningf("updates: automatic updates are now disabled.")
}
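Review bot: The option key changes from `"core/disableUpdates"` to `"core/automaticUpdates"` (the const hunk in the next file section) and the default flips to `DefaultValue: true`, so a user who had explicitly set the old key to disable updates keeps a stale setting and silently has automatic updates re-enabled after upgrade, unless a migration elsewhere reads the old key. A small one-time migration in initConfig that seeds the new key with the negation of an existing old value, or at minimum a changelog line, would make the change visible. The boolean inversions themselves read consistently: `forceUpdate = updatesCurrentlyEnabled`, `} else if !updatesCurrentlyEnabled {`, and `if !updatesCurrentlyEnabled {` in checkForUpdates. initConfig and updateRegistryConfig continue outside the hunks.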


@ -20,7 +20,7 @@ const (
releaseChannelStable = "stable"
releaseChannelBeta = "beta"
disableUpdatesKey = "core/disableUpdates"
enableUpdatesKey = "core/automaticUpdates"
// ModuleName is the name of the update module
// and can be used when declaring module dependencies.
@ -245,7 +245,7 @@ func DisableUpdateSchedule() error {
}
func checkForUpdates(ctx context.Context) (err error) {
if updatesCurrentlyDisabled {
if !updatesCurrentlyEnabled {
log.Debugf("updates: automatic updates are disabled")
return nil
}