Fix SPN bootstrapping

firewall/interception.go

@@ -376,26 +376,32 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 		conn.Process().Profile() != nil &&
 		conn.Process().Profile().UseSPN() {
 
-		// Exclude requests of the SPN itself.
+		switch {
-		if !captain.IsExcepted(conn.Entity.IP) {
+		case captain.ClientBootstrapping() &&
-			conn.Tunneled = true
+			conn.Process().Pid == ownPID:
+			// Exclude the Portmaster during SPN bootstrapping.
 
-			// Check if client is ready.
+		case captain.IsExcepted(conn.Entity.IP) &&
-			if captain.ClientReady() {
+			conn.Process().Pid == ownPID:
-				// Queue request in sluice.
+			// Exclude requests of the SPN itself.
-				err := sluice.AwaitRequest(conn, crew.HandleSluiceRequest)
+
-				if err != nil {
+		case captain.ClientReady():
-					log.Tracer(pkt.Ctx()).Warningf("failed to rqeuest tunneling: %s", err)
+			// Queue request in sluice.
-					conn.Failed("failed to request tunneling", "")
+			err := sluice.AwaitRequest(conn, crew.HandleSluiceRequest)
-				} else {
+			if err != nil {
-					log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
+				log.Tracer(pkt.Ctx()).Warningf("failed to rqeuest tunneling: %s", err)
-					conn.Verdict = network.VerdictRerouteToTunnel
+				conn.Failed("failed to request tunneling", "")
-				}
 			} else {
-				// Block connection as SPN is not ready yet.
+				log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
-				log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
+				conn.Verdict = network.VerdictRerouteToTunnel
-				conn.Failed("SPN not ready for tunneling", "")
+				conn.Tunneled = true
 			}
+
+		default:
+			// Block connection as SPN is not ready yet.
+			log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
+			conn.Failed("SPN not ready for tunneling", "")
+
 		}
 	}