vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-14 16:59:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix connection blocking on Linux

Browse source
This commit is contained in:
Daniel 2020-11-06 08:53:07 +01:00
parent 224ae219da
commit 28bb8ec6ca
2 changed files with 20 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
firewall/interception/nfq/packet.go
View file

@ -122,6 +122,12 @@ func (pkt *packet) Accept() error {
} }
func (pkt *packet) Block() error { func (pkt *packet) Block() error {
if pkt.Info().Protocol == pmpacket.ICMP {
// ICMP packets attributed to a blocked connection are always allowed, as
// rejection ICMP packets will have the same mark as the blocked
// connection. This is why we need to drop blocked ICMP packets instead.
return pkt.mark(MarkDrop)
}
return pkt.mark(MarkBlock) return pkt.mark(MarkBlock)
} }
@ -134,6 +140,12 @@ func (pkt *packet) PermanentAccept() error {
} }
func (pkt *packet) PermanentBlock() error { func (pkt *packet) PermanentBlock() error {
if pkt.Info().Protocol == pmpacket.ICMP {
// ICMP packets attributed to a blocked connection are always allowed, as
// rejection ICMP packets will have the same mark as the blocked
// connection. This is why we need to drop blocked ICMP packets instead.
return pkt.mark(MarkDropAlways)
}
return pkt.mark(MarkBlockAlways) return pkt.mark(MarkBlockAlways)
} }

8
firewall/interception/nfqueue_linux.go
View file

@ -60,10 +60,18 @@ func init() {
"filter C17 -m mark --mark 0 -j DROP", "filter C17 -m mark --mark 0 -j DROP",
"filter C17 -m mark --mark 1700 -j RETURN", "filter C17 -m mark --mark 1700 -j RETURN",
// Accepting ICMP packets with mark 1701 is required for rejecting to work,
// as the rejection ICMP packet will have the same mark. Blocked ICMP
// packets will always result in a drop within the Portmaster.
"filter C17 -m mark --mark 1701 -p icmp -j RETURN",
"filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp-host-prohibited", "filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp-host-prohibited",
"filter C17 -m mark --mark 1702 -j DROP", "filter C17 -m mark --mark 1702 -j DROP",
"filter C17 -j CONNMARK --save-mark", "filter C17 -j CONNMARK --save-mark",
"filter C17 -m mark --mark 1710 -j RETURN", "filter C17 -m mark --mark 1710 -j RETURN",
// Accepting ICMP packets with mark 1711 is required for rejecting to work,
// as the rejection ICMP packet will have the same mark. Blocked ICMP
// packets will always result in a drop within the Portmaster.
"filter C17 -m mark --mark 1711 -p icmp -j RETURN",
"filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp-host-prohibited", "filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp-host-prohibited",
"filter C17 -m mark --mark 1712 -j DROP", "filter C17 -m mark --mark 1712 -j DROP",
"filter C17 -m mark --mark 1717 -j RETURN", "filter C17 -m mark --mark 1717 -j RETURN",