Switch to FilterConnection as main decision function

2025-09-01 18:19:12 +00:00 · 2022-10-13 11:23:08 +02:00 · 2022-10-13 11:23:08 +02:00 · 75f4d43347
commit 75f4d43347
parent 028986ed74
3 changed files with 24 additions and 15 deletions
--- a/firewall/interception.go
+++ b/firewall/interception.go
@ -137,7 +137,7 @@ func resetAllConnectionVerdicts() {
 			previousVerdict := conn.Verdict.Firewall

 			// Apply privacy filter and check tunneling.
-			filterConnection(ctx, conn, nil)
+			FilterConnection(ctx, conn, nil, true, true)

 			// Stop existing SPN tunnel if not needed anymore.
 			if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil {
@ -437,14 +437,17 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 }

 func initialHandler(conn *network.Connection, pkt packet.Packet) {
-	log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler")
+	filterConnection := true

+	log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler")
 	// Check for special (internal) connection cases.
 	switch {
 	case !conn.Inbound && localPortIsPreAuthenticated(conn.Entity.Protocol, conn.LocalPort):
 		// Approve connection.
 		conn.Accept("connection by Portmaster", noReasonOptionKey)
 		conn.Internal = true
+		filterConnection = false
+		log.Tracer(pkt.Ctx()).Infof("filter: granting own pre-authenticated connection %s", conn)

 		// Redirect outbound DNS packets if enabled,
 	case dnsQueryInterception() &&
@ -461,9 +464,9 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 			conn.Entity.IPScope == netutils.LocalMulticast):

 		// Reroute rogue dns queries back to Portmaster.
-		conn.SetVerdictDirectly(network.VerdictRerouteToNameserver)
-		conn.Reason.Msg = "redirecting rogue dns query"
+		conn.SetVerdict(network.VerdictRerouteToNameserver, "redirecting rogue dns query", "", nil)
 		conn.Internal = true
+		log.Tracer(pkt.Ctx()).Infof("filter: redirecting dns query %s to Portmaster", conn)
 		// End directly, as no other processing is necessary.
 		conn.StopFirewallHandler()
 		finalizeVerdict(conn)
@ -472,7 +475,7 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 	}

 	// Apply privacy filter and check tunneling.
-	filterConnection(pkt.Ctx(), conn, pkt)
+	FilterConnection(pkt.Ctx(), conn, pkt, filterConnection, true)

 	// Decide how to continue handling connection.
 	switch {
@ -486,12 +489,16 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 	}
 }

-func filterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) {
-	if filterEnabled() {
-		log.Tracer(ctx).Trace("filter: starting decision process")
-		DecideOnConnection(ctx, conn, pkt)
-	} else {
-		conn.Accept("privacy filter disabled", noReasonOptionKey)
+// FilterConnection runs all the filtering (and tunneling) procedures.
+func FilterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet, checkFilter, checkTunnel bool) {
+	if checkFilter {
+		if filterEnabled() {
+			log.Tracer(ctx).Trace("filter: starting decision process")
+			decideOnConnection(ctx, conn, pkt)
+			// FIXME: nameserver calls this directly without finalizeVerdict.
+		} else {
+			conn.Accept("privacy filter disabled", noReasonOptionKey)
+		}
 	}

 	// TODO: Enable inspection framework again.
@ -511,7 +518,9 @@ func filterConnection(ctx context.Context, conn *network.Connection, pkt packet.
 	}

 	// Check if connection should be tunneled.
-	checkTunneling(ctx, conn)
+	if checkTunnel {
+		checkTunneling(ctx, conn)
+	}

 	// Handle verdict records and transitions.
 	finalizeVerdict(conn)
--- a/firewall/master.go
+++ b/firewall/master.go
@ -58,9 +58,9 @@ var defaultDeciders = []deciderFn{
 	checkAutoPermitRelated,
 }

-// DecideOnConnection makes a decision about a connection.
+// decideOnConnection makes a decision about a connection.
 // When called, the connection and profile is already locked.
-func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) {
+func decideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) {
 	// Check if we have a process and profile.
 	layeredProfile := conn.Process().Profile()
 	if layeredProfile == nil {
--- a/nameserver/nameserver.go
+++ b/nameserver/nameserver.go
@ -222,7 +222,7 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
 	}()

 	// Check request with the privacy filter before resolving.
-	firewall.DecideOnConnection(ctx, conn, nil)
+	firewall.FilterConnection(ctx, conn, nil, true, false)

 	// Check if there is a responder from the firewall.
 	// In special cases, the firewall might want to respond the query itself.