vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-04-23 04:19:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions1

Clean up and adapt firewall package to recent changes

Browse source
This commit is contained in:
Daniel 2019-10-25 13:35:25 +02:00
parent 25b1d59663
commit 4348caa258
8 changed files with 24 additions and 13 deletions

12
firewall/config.go
View file

@ -20,8 +20,9 @@ func registerConfig() error {
Name: "Permanent Verdicts", Name: "Permanent Verdicts",
Key: "firewall/permanentVerdicts", Key: "firewall/permanentVerdicts",
Description: "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.", Description: "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.",
ExpertiseLevel: config.ExpertiseLevelExpert,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: true, DefaultValue: true,
}) })
if err != nil { if err != nil {
@ -33,8 +34,9 @@ func registerConfig() error {
Name: "Filter DNS Responses by Server Scope", Name: "Filter DNS Responses by Server Scope",
Key: "firewall/filterDNSByScope", Key: "firewall/filterDNSByScope",
Description: "This option will filter out DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.", Description: "This option will filter out DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
ExpertiseLevel: config.ExpertiseLevelExpert,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelBeta,
ExternalOptType: "security level", ExternalOptType: "security level",
DefaultValue: 7, DefaultValue: 7,
ValidationRegex: "^(7|6|4)$", ValidationRegex: "^(7|6|4)$",
@ -48,8 +50,9 @@ func registerConfig() error {
Name: "Filter DNS Responses by Application Profile", Name: "Filter DNS Responses by Application Profile",
Key: "firewall/filterDNSByProfile", Key: "firewall/filterDNSByProfile",
Description: "This option will filter out DNS answers that an application would not be allowed to connect, based on its profile.", Description: "This option will filter out DNS answers that an application would not be allowed to connect, based on its profile.",
ExpertiseLevel: config.ExpertiseLevelExpert,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelBeta,
ExternalOptType: "security level", ExternalOptType: "security level",
DefaultValue: 7, DefaultValue: 7,
ValidationRegex: "^(7|6|4)$", ValidationRegex: "^(7|6|4)$",
@ -63,8 +66,9 @@ func registerConfig() error {
Name: "Timeout for prompt notifications", Name: "Timeout for prompt notifications",
Key: "firewall/promptTimeout", Key: "firewall/promptTimeout",
Description: "Amount of time how long Portmaster will wait for a response when prompting about a connection via a notification. In seconds.", Description: "Amount of time how long Portmaster will wait for a response when prompting about a connection via a notification. In seconds.",
ExpertiseLevel: config.ExpertiseLevelUser,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelBeta,
DefaultValue: 60, DefaultValue: 60,
}) })
if err != nil { if err != nil {

2
firewall/dialer.go
View file

@ -5,10 +5,12 @@ import (
"net" "net"
"github.com/safing/portmaster/intel" "github.com/safing/portmaster/intel"
"github.com/safing/portmaster/network/environment"
) )
func init() { func init() {
intel.SetLocalAddrFactory(PermittedAddr) intel.SetLocalAddrFactory(PermittedAddr)
environment.SetLocalAddrFactory(PermittedAddr)
} }
// PermittedAddr returns an already permitted local address for the given network for reliable connectivity. // PermittedAddr returns an already permitted local address for the given network for reliable connectivity.

9
firewall/firewall.go
View file

@ -167,8 +167,11 @@ func handlePacket(pkt packet.Packet) {
// } // }
// } // }
pkt.SetCtx(log.AddTracer(context.Background())) traceCtx, tracer := log.AddTracer(context.Background())
log.Tracer(pkt.Ctx()).Tracef("firewall: handling packet: %s", pkt) if tracer != nil {
pkt.SetCtx(traceCtx)
tracer.Tracef("firewall: handling packet: %s", pkt)
}
// associate packet to link and handle // associate packet to link and handle
link, created := network.GetOrCreateLinkByPacket(pkt) link, created := network.GetOrCreateLinkByPacket(pkt)
@ -340,7 +343,7 @@ func issueVerdict(pkt packet.Packet, link *network.Link, verdict network.Verdict
link.Unlock() link.Unlock()
log.InfoTracef(pkt.Ctx(), "firewall: %s %s", link.Verdict, link) log.Tracer(pkt.Ctx()).Infof("firewall: %s %s", link.Verdict, link)
} }
// func tunnelHandler(pkt packet.Packet) { // func tunnelHandler(pkt packet.Packet) {

2
firewall/interception/nfqueue/doc.go Normal file
View file

@ -0,0 +1,2 @@
// Package nfqueue provides network interception capabilites on linux via iptables nfqueue.
package nfqueue

2
firewall/interception/nfqueue/nfqueue.go
View file

@ -64,7 +64,7 @@ func NewNFQueue(qid uint16) (nfq *NFQueue, err error) {
func (this *NFQueue) init() error { func (this *NFQueue) init() error {
var err error var err error
if this.h, err = C.nfq_open(); err != nil || this.h == nil { if this.h, err = C.nfq_open(); err != nil || this.h == nil {
fmt.Errorf("could not open nfqueue: %s", err) return fmt.Errorf("could not open nfqueue: %s", err)
} }
//if this.qh, err = C.nfq_create_queue(this.h, qid, C.get_cb(), unsafe.Pointer(nfq)); err != nil || this.qh == nil { //if this.qh, err = C.nfq_create_queue(this.h, qid, C.get_cb(), unsafe.Pointer(nfq)); err != nil || this.qh == nil {

4
firewall/master.go
View file

@ -139,7 +139,7 @@ func DecideOnCommunicationAfterIntel(comm *network.Communication, fqdn string, r
} }
// FilterDNSResponse filters a dns response according to the application profile and settings. // FilterDNSResponse filters a dns response according to the application profile and settings.
func FilterDNSResponse(comm *network.Communication, fqdn string, rrCache *intel.RRCache) *intel.RRCache { func FilterDNSResponse(comm *network.Communication, q *intel.Query, rrCache *intel.RRCache) *intel.RRCache {
// do not modify own queries - this should not happen anyway // do not modify own queries - this should not happen anyway
if comm.Process().Pid == os.Getpid() { if comm.Process().Pid == os.Getpid() {
return rrCache return rrCache
@ -228,7 +228,7 @@ func FilterDNSResponse(comm *network.Communication, fqdn string, rrCache *intel.
} }
// filter by endpoints // filter by endpoints
result, _ = profileSet.CheckEndpointIP(fqdn, ip, 0, 0, false) result, _ = profileSet.CheckEndpointIP(q.FQDN, ip, 0, 0, false)
if result == profile.Denied { if result == profile.Denied {
addressesRemoved++ addressesRemoved++
rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String()) rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())

4
firewall/ports.go
View file

@ -4,8 +4,8 @@ import (
"sync" "sync"
"time" "time"
"github.com/safing/portbase/crypto/random"
"github.com/safing/portbase/log" "github.com/safing/portbase/log"
"github.com/safing/portbase/rng"
) )
type portStatus struct { type portStatus struct {
@ -48,7 +48,7 @@ func GetPermittedPort() uint16 {
for i := 0; i < 1000; i++ { for i := 0; i < 1000; i++ {
// generate port between 10000 and 65535 // generate port between 10000 and 65535
rN, err := random.Number(55535) rN, err := rng.Number(55535)
if err != nil { if err != nil {
log.Warningf("firewall: failed to generate random port: %s", err) log.Warningf("firewall: failed to generate random port: %s", err)
return 0 return 0

2
firewall/prompt.go
View file

@ -41,7 +41,7 @@ func prompt(comm *network.Communication, link *network.Link, pkt packet.Packet,
} }
return return
} }
nID = fmt.Sprintf("firewall-prompt-%d-%s-%s", comm.Process().Pid, comm.Domain, pkt.Info().RemoteIP) nID = fmt.Sprintf("firewall-prompt-%d-%s-%s", comm.Process().Pid, comm.Domain, pkt.Info().RemoteIP())
default: // connection to domain default: // connection to domain
nID = fmt.Sprintf("firewall-prompt-%d-%s", comm.Process().Pid, comm.Domain) nID = fmt.Sprintf("firewall-prompt-%d-%s", comm.Process().Pid, comm.Domain)
} }