From 6fdc6c0a4f1c81650b4d6384008cd4f7a03afd87 Mon Sep 17 00:00:00 2001
From: Vladimir Stoilov
Date: Thu, 8 Sep 2022 10:02:40 +0200
Subject: [PATCH] Refactoring

---
 firewall/interception.go | 7 +++++--
 firewall/master.go | 1 -
 firewall/tunnel.go | 8 ++++----
 network/connection.go | 6 +++---
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/firewall/interception.go b/firewall/interception.go
index a30d28be..67021e64 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -52,7 +52,7 @@ const (
 func init() {
 // TODO: Move interception module to own package (dir).
- interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base", "updates", "network", "notifications", "profiles")
+ interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base", "updates", "network", "notifications", "profiles", "captain")
 network.SetDefaultFirewallHandler(defaultHandler)
 }
@@ -88,7 +88,7 @@ func interceptionPrep() error {
 }
 // Reset connections when spn is connected
- // disconnecting is triggered on config change event because disconnection happens instantly
+ // connect and disconnecting is triggered on config change event but connecting takеs more time
 err = interceptionModule.RegisterEventHook(
 "captain",
 onSPNConnectEvent,
@@ -117,6 +117,8 @@ func resetAllConnections() {
 if err != nil {
 log.Errorf("failed to reset all connections: %q", err)
 }
+
+ // reset all connection firewall handlers. This will tell the master to rerun the firewall checks
 for _, id := range network.GetAllIDs() {
 conn, err := getConnectionByID(id)
 if err != nil {
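Review bot: The new `"captain"` entry appended to the `modules.Register` call in `init()` is undocumented, and in a nine-element dependency list the reason is easy to lose. From the next hunk it looks like the dependency exists so that `interceptionModule.RegisterEventHook("captain", onSPNConnectEvent, …)` in interceptionPrep can resolve the captain module at prep time; it is worth confirming that the module system tolerates this hard dependency when the SPN client is disabled, since the interception module is the one enforcing verdicts. I would add `// "captain" is required so the SPN connect event hook registered in interceptionPrep can be resolved.` above the call.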
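Review bot: The rewritten comment on the `+` line in interceptionPrep is hard to parse ("connect and disconnecting is triggered on config change event but connecting takеs more time"), and the `е` in `takеs` appears to be a non-ASCII look-alike rather than a plain `e`; even though it sits in a comment, a mixed-script character in source is worth catching with a unicode/homoglyph lint before it spreads. I would replace the two comment lines with `// Reset connections when the SPN connects. Disconnecting is handled on the config change` / `// event because it is instant; connecting takes longer, so hook the captain event instead.` The rest of the RegisterEventHook call is outside the hunk.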
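Review bot: The comment added before the `for _, id := range network.GetAllIDs()` loop in resetAllConnections is not a full sentence and its capitalization differs from the other comments in this function; `// Reset the firewall handler of every connection so the master re-runs the firewall checks.` says the same thing in the file's style. Note that the error from the call above is only logged and the loop still runs, which reads as deliberate best-effort but is worth a word in that comment if so. The loop body, including the `getConnectionByID` error branch, continues outside the hunk.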
@@ -573,6 +575,7 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 }
 func updateVerdictBasedOnPreviousState(conn *network.Connection, pkt packet.Packet) {
+ // previously accepted or tunneled connections may need to be blocked
 if conn.Verdict.Current == network.VerdictAccept {
 if conn.Verdict.Previous == network.VerdictRerouteToTunnel && !conn.Tunneled {
 conn.SetVerdictDirectly(network.VerdictBlock)
diff --git a/firewall/master.go b/firewall/master.go
index 20da6cc5..d53a50ba 100644
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -76,7 +76,6 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
 // Reset verdict for connection.
 log.Tracer(ctx).Infof("filter: re-evaluating verdict on %s", conn)
- // conn.SetVerdictDirectly(network.VerdictUndecided)
 // Reset entity if it exists.
 if conn.Entity != nil {
diff --git a/firewall/tunnel.go b/firewall/tunnel.go
index 6c4c878f..77908723 100644
--- a/firewall/tunnel.go
+++ b/firewall/tunnel.go
@@ -101,7 +101,7 @@ func checkTunneling(ctx context.Context, conn *network.Connection, pkt packet.Pa
 // Check if ready.
 if !captain.ClientReady() {
 // Block connection as SPN is not ready yet.
- //log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
+ log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
 conn.Failed("SPN not ready for tunneling", "")
 return
 }
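Review bot: The comment added at the top of `updateVerdictBasedOnPreviousState` says accepted or tunneled connections "may need to be blocked" without stating the rule, while the condition right below is the rule: an Accept whose previous verdict was RerouteToTunnel but whose `conn.Tunneled` is still false is forced to Block. That fail-closed intent is what a reader needs, e.g. `// Fail closed: a connection that was supposed to be rerouted into the tunnel but never got a tunnel request (Tunneled == false) must not fall through as a plain Accept.` connection.go's own doc for `Verdict` (in this same patch) says any access must be guarded by the connection lock, and nothing in this hunk shows the lock being held, so confirm the caller holds it before reading `conn.Verdict`. The function body continues past the hunk.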
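Review bot: The newly enabled trace in `checkTunneling` uses `log.Tracer(pkt.Ctx())` although the function receives a `ctx context.Context` parameter (visible in the hunk header), whereas master.go in this same commit traces with `log.Tracer(ctx)`; unless `pkt.Ctx()` is deliberately a different context, `log.Tracer(ctx).Trace("SPN not ready for tunneling")` keeps the two files consistent. The same string literal is passed to `conn.Failed` on the next line, so a local constant would keep the log message and the recorded failure reason from drifting apart. The function body continues outside the hunk.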
@@ -152,11 +152,11 @@ func checkTunneling(ctx context.Context, conn *network.Connection, pkt packet.Pa
 // Queue request in sluice.
 err = sluice.AwaitRequest(conn, crew.HandleSluiceRequest)
 if err != nil {
- //log.Tracer(pkt.Ctx()).Warningf("failed to request tunneling: %s", err)
+ log.Tracer(pkt.Ctx()).Warningf("failed to request tunneling: %s", err)
 conn.Failed("failed to request tunneling", "")
 } else {
- //log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
- //conn.SetVerdictDirectly(network.VerdictRerouteToTunnel)
+ log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
+ // set the flag so the verdict can be updated
 conn.Tunneled = true
 }
 }
diff --git a/network/connection.go b/network/connection.go
index 3dd2e1ac..4f12e056 100644
--- a/network/connection.go
+++ b/network/connection.go
@@ -107,15 +107,15 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 // Resolver holds information about the resolver used to resolve
 // Entity.Domain.
 Resolver *resolver.ResolverInfo
- // Verdict holds decisions that are made for a connection
+ // Verdict holds the decisions that are made for a connection
 // The verdict may change so any access to it must be guarded by the
 // connection lock.
 Verdict struct {
 // Current is the current decision that has been made for a connection.
 Current Verdict
- // PreviousVerdict holds the previous verdict value, if there wasn't previous it will hold VerdictUndecided
+ // Previous holds the previous verdict value, if there wasn't previous it will VerdictUndecided
 Previous Verdict
- // UserVerdict holds the verdict that should be displayed in the user interface
+ // User holds the verdict that should be displayed in the user interface
 User Verdict
 }
 // Reason holds information justifying the verdict, as well as additional
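Review bot: On the error branch the re-enabled `Warningf` is now the only place the sluice error survives: `conn.Failed("failed to request tunneling", "")` passes an empty second argument, so the failure reason stored on the connection carries no detail about why tunneling was refused; if that argument is the details field, `conn.Failed("failed to request tunneling", err.Error())` preserves it (the parameter's meaning is not visible here, so confirm). The comment `// set the flag so the verdict can be updated` should name the consumer, which from interception.go in this same patch is `updateVerdictBasedOnPreviousState` forcing Block when a previous RerouteToTunnel verdict has `Tunneled == false`; `// Mark the connection as tunneled; updateVerdictBasedOnPreviousState blocks a rerouted connection that never reaches this point.` makes the fail-closed link explicit. As in the previous hunk, `log.Tracer(pkt.Ctx())` is used where the enclosing function has a `ctx` parameter and master.go uses `log.Tracer(ctx)`.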
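Review bot: The new doc comment for `Previous` drops a word ("if there wasn't previous it will VerdictUndecided"), and the reworded `Verdict` field comment still runs into the next sentence without a period; `// Previous holds the previous verdict; if there was none it is VerdictUndecided.` and `// Verdict holds the decisions that are made for a connection.` read correctly. Since this patch makes `Previous` together with `Tunneled` part of the blocking rule in firewall/interception.go, it may be worth saying so on the struct comment, but that is a judgment call.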