From 4784799541052a406651fe705b8e56a090a3e802 Mon Sep 17 00:00:00 2001
From: Vladimir Stoilov
Date: Fri, 14 Apr 2023 11:09:20 +0200
Subject: [PATCH] Add check for special android ip in online status check
---
 netenv/network-change.go | 2 +-
 netenv/online-status.go | 35 ++++++++++++++++++++++++++++++-----
 resolver/main.go | 4 ++++
 resolver/resolve.go | 8 ++------
 4 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/netenv/network-change.go b/netenv/network-change.go
index 503b2fe9..42fadae6 100644
--- a/netenv/network-change.go
+++ b/netenv/network-change.go
@@ -92,7 +92,7 @@ serviceLoop:
 lastNetworkChecksum = newChecksum
 if trigger {
- triggerOnlineStatusInvestigation()
+ TriggerOnlineStatusInvestigation()
 }
 notifyOfNetworkChange()
 }
diff --git a/netenv/online-status.go b/netenv/online-status.go
index ce782724..a6c267d0 100644
--- a/netenv/online-status.go
+++ b/netenv/online-status.go
@@ -37,6 +37,9 @@ var (
 PortalTestIP = net.IPv4(192, 0, 2, 1)
 PortalTestURL = fmt.Sprintf("http://%s/", PortalTestIP)
+ // IP address -> 100.127.247.245 is a special ip used by the android VPN service. Must be ignored during online check.
+ IgnoreIPsOnlineStatusCheck = []net.IP{net.IPv4(100, 127, 247, 245)}
+
 DNSTestDomain = "online-check.safing.io."
 DNSTestExpectedIP = net.IPv4(0, 65, 67, 75) // Ascii: \0ACK
 DNSTestQueryFunc func(ctx context.Context, fdqn string) (ips []net.IP, ok bool, err error)
@@ -178,7 +181,7 @@ func GetOnlineStatus() OnlineStatus {
 // CheckAndGetOnlineStatus triggers a new online status check and returns the result.
 func CheckAndGetOnlineStatus() OnlineStatus {
 // trigger new investigation
- triggerOnlineStatusInvestigation()
+ TriggerOnlineStatusInvestigation()
 // wait for completion
 onlineStatusInvestigationWg.Wait()
 // return current status
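Review bot: `IgnoreIPsOnlineStatusCheck`, added to the `var (` block of netenv/online-status.go, is an exported and mutable slice that is consulted on every platform, although its comment ties the address to the Android VPN service only. Any importing package can append to it or clear it at runtime, which changes what the online status check looks at. Since 100.127.247.245 lies inside the shared address space 100.64.0.0/10, a non-Android host that is assigned this address would presumably have it skipped as well. Consider keeping the list unexported or filling it only in an Android build, and rewording the comment to follow Go doc style: `// IgnoreIPsOnlineStatusCheck holds addresses that the online status check skips; 100.127.247.245 is a special IP used by the Android VPN service.`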
@@ -328,18 +331,19 @@ func GetCaptivePortal() *CaptivePortal {
 // ReportSuccessfulConnection hints the online status monitoring system that a connection attempt was successful.
 func ReportSuccessfulConnection() {
 if !onlineStatusQuickCheck.IsSet() {
- triggerOnlineStatusInvestigation()
+ TriggerOnlineStatusInvestigation()
 }
 }
 // ReportFailedConnection hints the online status monitoring system that a connection attempt has failed. This function has extremely low overhead and may be called as much as wanted.
 func ReportFailedConnection() {
 if onlineStatusQuickCheck.IsSet() {
- triggerOnlineStatusInvestigation()
+ TriggerOnlineStatusInvestigation()
 }
 }
-func triggerOnlineStatusInvestigation() {
+// TriggerOnlineStatusInvestigation manually trigger online status check.
+func TriggerOnlineStatusInvestigation() {
 if onlineStatusInvestigationInProgress.SetToIf(false, true) {
 onlineStatusInvestigationWg.Add(1)
 }
@@ -351,7 +355,7 @@ func triggerOnlineStatusInvestigation() {
 }
 func monitorOnlineStatus(ctx context.Context) error {
- triggerOnlineStatusInvestigation()
+ TriggerOnlineStatusInvestigation()
 for {
 // wait for trigger
 select {
@@ -395,6 +399,15 @@ func getDynamicStatusTrigger() <-chan time.Time {
 }
 }
+func isIPPartOfList(list []net.IP, ip net.IP) bool {
+ for _, ignoreIP := range list {
+ if ignoreIP.Equal(ip) {
+ return true
+ }
+ }
+ return false
+}
+
 func checkOnlineStatus(ctx context.Context) {
 // TODO: implement more methods
 /*status, err := getConnectivityStateFromDbus()
@@ -423,7 +436,13 @@ func checkOnlineStatus(ctx context.Context) {
 log.Warningf("network: failed to get assigned network addresses: %s", err)
 } else {
 var lan bool
+
 for _, ip := range ipv4 {
+ // Filter special IP list
+ if isIPPartOfList(IgnoreIPsOnlineStatusCheck, ip) {
+ continue
+ }
+
 switch netutils.GetIPScope(ip) { //nolint:exhaustive // Checking to specific values only.
 case netutils.SiteLocal:
 lan = true
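Review bot: The doc comment added for the newly exported `TriggerOnlineStatusInvestigation` is ungrammatical and does not tell callers outside the package what they may rely on. From the visible lines the function only flags an investigation (the `SetToIf(false, true)` guard suggests overlapping calls are coalesced), while `CheckAndGetOnlineStatus` is the one that waits on `onlineStatusInvestigationWg`. I would write `// TriggerOnlineStatusInvestigation manually triggers an online status check without waiting for its result.` The function body continues past the end of the hunk, so the non-blocking part should be confirmed against the rest of it.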
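Review bot: `isIPPartOfList` has no doc comment, and its loop variable `ignoreIP` bakes one caller's purpose into an otherwise generic helper. A comment such as `// isIPPartOfList reports whether ip equals any entry of list; net.IP.Equal treats an IPv4 address and its IPv6 form as equal.` would make the matching rule explicit for the two call sites in `checkOnlineStatus` (the `ipv4` loop here and the `ipv6` loop in the next hunk). Renaming the variable to `entry` keeps the helper neutral. Note that the match is by exact address only, so the skip in both loops applies to nothing beyond the listed entries.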
@@ -433,7 +452,13 @@ func checkOnlineStatus(ctx context.Context) {
 return
 }
 }
+
 for _, ip := range ipv6 {
+ // Filter special IP list
+ if isIPPartOfList(IgnoreIPsOnlineStatusCheck, ip) {
+ continue
+ }
+
 switch netutils.GetIPScope(ip) { //nolint:exhaustive // Checking to specific values only.
 case netutils.SiteLocal, netutils.Global:
 // IPv6 global addresses are also used in local networks
diff --git a/resolver/main.go b/resolver/main.go
index 672073e5..9170e6e3 100644
--- a/resolver/main.go
+++ b/resolver/main.go
@@ -16,6 +16,7 @@ import (
 "github.com/safing/portbase/utils/debug"
 _ "github.com/safing/portmaster/core/base"
 "github.com/safing/portmaster/intel"
+ "github.com/safing/portmaster/netenv"
 )
 var module *modules.Module
@@ -25,6 +26,9 @@ func init() {
 }
 func prep() error {
+ // Set DNS test connectivity function for the online status check
+ netenv.DNSTestQueryFunc = testConnectivity
+
 intel.SetReverseResolver(ResolveIPAndValidate)
 if err := registerAPI(); err != nil {
diff --git a/resolver/resolve.go b/resolver/resolve.go
index e72c3e46..e23dfe51 100644
--- a/resolver/resolve.go
+++ b/resolver/resolve.go
@@ -523,10 +523,6 @@ func shouldResetCache(q *Query) (reset bool) {
 return false
 }
-func init() {
- netenv.DNSTestQueryFunc = testConnectivity
-}
-
 // testConnectivity test if resolving a query succeeds and returns whether the
 // query itself succeeded, separate from interpreting the result.
 func testConnectivity(ctx context.Context, fdqn string) (ips []net.IP, ok bool, err error) {
@@ -556,10 +552,10 @@ func testConnectivity(ctx context.Context, fdqn string) (ips []net.IP, ok bool,
 }
 case errors.Is(err, ErrNotFound):
 return nil, true, err
- case errors.Is(err, ErrBlocked):
- return nil, true, err
 case errors.Is(err, ErrNoCompliance):
 return nil, true, err
+ case errors.Is(err, ErrBlocked):
+ return nil, true, err
 default:
 return nil, false, err
 }
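Review bot: Assigning `netenv.DNSTestQueryFunc` in `prep()` instead of a package `init()` opens a window in which the variable is still nil, and the write is unsynchronised while netenv may already be reading it. Whether that can happen depends on module start order, which is not visible in this patch. If `monitorOnlineStatus` can run before the resolver module is prepared, the online check has to treat a nil `DNSTestQueryFunc` as "DNS test unavailable" rather than call it. A comment at the assignment such as `// Must be set before netenv starts its online status monitor; netenv has to tolerate nil until then.` would record the ordering requirement. `prep` continues beyond the hunk.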
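Review bot: The three `errors.Is` cases in `testConnectivity` that return `nil, true, err` have identical bodies, so swapping `ErrBlocked` and `ErrNoCompliance` changes nothing observable unless one error matches both. Folding them into a single case, `case errors.Is(err, ErrNotFound), errors.Is(err, ErrNoCompliance), errors.Is(err, ErrBlocked):`, removes the ordering question altogether. A short comment like `// the resolver answered, so the query itself worked` would also state why a blocked query still counts as ok for the connectivity test. The switch starts above the hunk.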