Refactoring

firewall/interception.go

@@ -52,7 +52,7 @@ const (
 
 func init() {
 	// TODO: Move interception module to own package (dir).
-	interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base", "updates", "network", "notifications", "profiles")
+	interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base", "updates", "network", "notifications", "profiles", "captain")
 
 	network.SetDefaultFirewallHandler(defaultHandler)
 }
@@ -88,7 +88,7 @@ func interceptionPrep() error {
 	}
 
 	// Reset connections when spn is connected
-	// disconnecting is triggered on config change event because disconnection happens instantly
+	// connect and disconnecting is triggered on config change event but connecting takеs more time
 	err = interceptionModule.RegisterEventHook(
 		"captain",
 		onSPNConnectEvent,
@@ -117,6 +117,8 @@ func resetAllConnections() {
 	if err != nil {
 		log.Errorf("failed to reset all connections: %q", err)
 	}
+
+	// reset all connection firewall handlers. This will tell the master to rerun the firewall checks
 	for _, id := range network.GetAllIDs() {
 		conn, err := getConnectionByID(id)
 		if err != nil {
@@ -573,6 +575,7 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 }
 
 func updateVerdictBasedOnPreviousState(conn *network.Connection, pkt packet.Packet) {
+	// previously accepted or tunneled connections may need to be blocked
 	if conn.Verdict.Current == network.VerdictAccept {
 		if conn.Verdict.Previous == network.VerdictRerouteToTunnel && !conn.Tunneled {
 			conn.SetVerdictDirectly(network.VerdictBlock)

firewall/master.go

@@ -76,7 +76,6 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
 
 		// Reset verdict for connection.
 		log.Tracer(ctx).Infof("filter: re-evaluating verdict on %s", conn)
-		// conn.SetVerdictDirectly(network.VerdictUndecided)
 
 		// Reset entity if it exists.
 		if conn.Entity != nil {

firewall/tunnel.go

@@ -101,7 +101,7 @@ func checkTunneling(ctx context.Context, conn *network.Connection, pkt packet.Pa
 	// Check if ready.
 	if !captain.ClientReady() {
 		// Block connection as SPN is not ready yet.
-		//log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
+		log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
 		conn.Failed("SPN not ready for tunneling", "")
 		return
 	}
@@ -152,11 +152,11 @@ func checkTunneling(ctx context.Context, conn *network.Connection, pkt packet.Pa
 	// Queue request in sluice.
 	err = sluice.AwaitRequest(conn, crew.HandleSluiceRequest)
 	if err != nil {
-		//log.Tracer(pkt.Ctx()).Warningf("failed to request tunneling: %s", err)
+		log.Tracer(pkt.Ctx()).Warningf("failed to request tunneling: %s", err)
 		conn.Failed("failed to request tunneling", "")
 	} else {
-		//log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
-		//conn.SetVerdictDirectly(network.VerdictRerouteToTunnel)
+		log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
+		// set the flag so the verdict can be updated
 		conn.Tunneled = true
 	}
 }

network/connection.go

@@ -107,15 +107,15 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// Resolver holds information about the resolver used to resolve
 	// Entity.Domain.
 	Resolver *resolver.ResolverInfo
-	// Verdict holds decisions that are made for a connection
+	// Verdict holds the decisions that are made for a connection
 	// The verdict may change so any access to it must be guarded by the
 	// connection lock.
 	Verdict struct {
 		// Current is the current decision that has been made for a connection.
 		Current Verdict
-		// PreviousVerdict holds the previous verdict value, if there wasn't previous it will hold VerdictUndecided
+		// Previous holds the previous verdict value, if there wasn't previous it will VerdictUndecided
 		Previous Verdict
-		// UserVerdict holds the verdict that should be displayed in the user interface
+		// User holds the verdict that should be displayed in the user interface
 		User Verdict
 	}
 	// Reason holds information justifying the verdict, as well as additional