From 75f4d43347b97508d74e43ec4933b8263d15113c Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 13 Oct 2022 11:23:08 +0200 Subject: [PATCH] Switch to FilterConnection as main decision function --- firewall/interception.go | 33 +++++++++++++++++++++------------ firewall/master.go | 4 ++-- nameserver/nameserver.go | 2 +- 3 files changed, 24 insertions(+), 15 deletions(-) diff --git a/firewall/interception.go b/firewall/interception.go index 85ffa01e..8d4e1e52 100644 --- a/firewall/interception.go +++ b/firewall/interception.go @@ -137,7 +137,7 @@ func resetAllConnectionVerdicts() { previousVerdict := conn.Verdict.Firewall // Apply privacy filter and check tunneling. - filterConnection(ctx, conn, nil) + FilterConnection(ctx, conn, nil, true, true) // Stop existing SPN tunnel if not needed anymore. if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil { @@ -437,14 +437,17 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) { } func initialHandler(conn *network.Connection, pkt packet.Packet) { - log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler") + filterConnection := true + log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler") // Check for special (internal) connection cases. switch { case !conn.Inbound && localPortIsPreAuthenticated(conn.Entity.Protocol, conn.LocalPort): // Approve connection. conn.Accept("connection by Portmaster", noReasonOptionKey) conn.Internal = true + filterConnection = false + log.Tracer(pkt.Ctx()).Infof("filter: granting own pre-authenticated connection %s", conn) // Redirect outbound DNS packets if enabled, case dnsQueryInterception() && @@ -461,9 +464,9 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) { conn.Entity.IPScope == netutils.LocalMulticast): // Reroute rogue dns queries back to Portmaster. - conn.SetVerdictDirectly(network.VerdictRerouteToNameserver) - conn.Reason.Msg = "redirecting rogue dns query" + conn.SetVerdict(network.VerdictRerouteToNameserver, "redirecting rogue dns query", "", nil) conn.Internal = true + log.Tracer(pkt.Ctx()).Infof("filter: redirecting dns query %s to Portmaster", conn) // End directly, as no other processing is necessary. conn.StopFirewallHandler() finalizeVerdict(conn) @@ -472,7 +475,7 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) { } // Apply privacy filter and check tunneling. - filterConnection(pkt.Ctx(), conn, pkt) + FilterConnection(pkt.Ctx(), conn, pkt, filterConnection, true) // Decide how to continue handling connection. switch { @@ -486,12 +489,16 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) { } } -func filterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) { - if filterEnabled() { - log.Tracer(ctx).Trace("filter: starting decision process") - DecideOnConnection(ctx, conn, pkt) - } else { - conn.Accept("privacy filter disabled", noReasonOptionKey) +// FilterConnection runs all the filtering (and tunneling) procedures. +func FilterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet, checkFilter, checkTunnel bool) { + if checkFilter { + if filterEnabled() { + log.Tracer(ctx).Trace("filter: starting decision process") + decideOnConnection(ctx, conn, pkt) + // FIXME: nameserver calls this directly without finalizeVerdict. + } else { + conn.Accept("privacy filter disabled", noReasonOptionKey) + } } // TODO: Enable inspection framework again. @@ -511,7 +518,9 @@ func filterConnection(ctx context.Context, conn *network.Connection, pkt packet. } // Check if connection should be tunneled. - checkTunneling(ctx, conn) + if checkTunnel { + checkTunneling(ctx, conn) + } // Handle verdict records and transitions. finalizeVerdict(conn) diff --git a/firewall/master.go b/firewall/master.go index bd7a9c7d..4e2aa9db 100644 --- a/firewall/master.go +++ b/firewall/master.go @@ -58,9 +58,9 @@ var defaultDeciders = []deciderFn{ checkAutoPermitRelated, } -// DecideOnConnection makes a decision about a connection. +// decideOnConnection makes a decision about a connection. // When called, the connection and profile is already locked. -func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) { +func decideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) { // Check if we have a process and profile. layeredProfile := conn.Process().Profile() if layeredProfile == nil { diff --git a/nameserver/nameserver.go b/nameserver/nameserver.go index 0d000a1e..a13e98cd 100644 --- a/nameserver/nameserver.go +++ b/nameserver/nameserver.go @@ -222,7 +222,7 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg) }() // Check request with the privacy filter before resolving. - firewall.DecideOnConnection(ctx, conn, nil) + firewall.FilterConnection(ctx, conn, nil, true, false) // Check if there is a responder from the firewall. // In special cases, the firewall might want to respond the query itself.