Allow any own local connection

2025-09-02 02:29:12 +00:00 · 2022-10-13 14:21:06 +02:00 · 2022-10-13 14:21:06 +02:00 · 68b69dd896
commit 68b69dd896
parent 329f7b0f66
1 changed files with 26 additions and 7 deletions
--- a/firewall/master.go
+++ b/firewall/master.go
@ -141,15 +141,34 @@ func runDeciders(ctx context.Context, selectedDeciders []deciderFn, conn *networ
 // checkPortmasterConnection allows all connection that originate from
 // portmaster itself.
 func checkPortmasterConnection(ctx context.Context, conn *network.Connection, _ *profile.LayeredProfile, _ packet.Packet) bool {
-	// Grant own outgoing connections.
-	if conn.Process().Pid == ownPID && !conn.Inbound {
+	// Grant own outgoing or local connections.
+
+	// Blocking our own connections can lead to a very literal deadlock.
+	// This can currently happen, as fast-tracked connections are also
+	// reset in the OS integration and might show up in the connection
+	// handling if a packet in the other direction hits the firewall first.
+
+	// Ignore other processes.
+	if conn.Process().Pid != ownPID {
+		return false
+	}
+
+	// Ignore inbound connection if non-local.
+	if conn.Inbound {
+		myIP, err := netenv.IsMyIP(conn.Entity.IP)
+		if err != nil {
+			log.Tracer(ctx).Debugf("filter: failed to check if %s is own IP for granting own connection: %s", conn.Entity.IP, err)
+			return false
+		}
+		if !myIP {
+			return false
+		}
+	}
+
 	log.Tracer(ctx).Infof("filter: granting own connection %s", conn)
 	conn.Accept("connection by Portmaster", noReasonOptionKey)
 	conn.Internal = true
 	return true
-	}
-
-	return false
 }

 // checkSelfCommunication checks if the process is communicating with itself.