vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-02 18:49:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Switch to FilterConnection as main decision function

Browse source
This commit is contained in:
Daniel 2022-10-13 11:23:08 +02:00
parent 028986ed74
commit 75f4d43347
3 changed files with 24 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
firewall/interception.go
View file

@ -137,7 +137,7 @@ func resetAllConnectionVerdicts() {
previousVerdict := conn.Verdict.Firewall previousVerdict := conn.Verdict.Firewall
// Apply privacy filter and check tunneling. // Apply privacy filter and check tunneling.
filterConnection(ctx, conn, nil) FilterConnection(ctx, conn, nil, true, true)
// Stop existing SPN tunnel if not needed anymore. // Stop existing SPN tunnel if not needed anymore.
if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil { if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil {
@ -437,14 +437,17 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
} }
func initialHandler(conn *network.Connection, pkt packet.Packet) { func initialHandler(conn *network.Connection, pkt packet.Packet) {
log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler") filterConnection := true
log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler")
// Check for special (internal) connection cases. // Check for special (internal) connection cases.
switch { switch {
case !conn.Inbound && localPortIsPreAuthenticated(conn.Entity.Protocol, conn.LocalPort): case !conn.Inbound && localPortIsPreAuthenticated(conn.Entity.Protocol, conn.LocalPort):
// Approve connection. // Approve connection.
conn.Accept("connection by Portmaster", noReasonOptionKey) conn.Accept("connection by Portmaster", noReasonOptionKey)
conn.Internal = true conn.Internal = true
filterConnection = false
log.Tracer(pkt.Ctx()).Infof("filter: granting own pre-authenticated connection %s", conn)
// Redirect outbound DNS packets if enabled, // Redirect outbound DNS packets if enabled,
case dnsQueryInterception() && case dnsQueryInterception() &&
@ -461,9 +464,9 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
conn.Entity.IPScope == netutils.LocalMulticast): conn.Entity.IPScope == netutils.LocalMulticast):
// Reroute rogue dns queries back to Portmaster. // Reroute rogue dns queries back to Portmaster.
conn.SetVerdictDirectly(network.VerdictRerouteToNameserver) conn.SetVerdict(network.VerdictRerouteToNameserver, "redirecting rogue dns query", "", nil)
conn.Reason.Msg = "redirecting rogue dns query"
conn.Internal = true conn.Internal = true
log.Tracer(pkt.Ctx()).Infof("filter: redirecting dns query %s to Portmaster", conn)
// End directly, as no other processing is necessary. // End directly, as no other processing is necessary.
conn.StopFirewallHandler() conn.StopFirewallHandler()
finalizeVerdict(conn) finalizeVerdict(conn)
@ -472,7 +475,7 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
} }
// Apply privacy filter and check tunneling. // Apply privacy filter and check tunneling.
filterConnection(pkt.Ctx(), conn, pkt) FilterConnection(pkt.Ctx(), conn, pkt, filterConnection, true)
// Decide how to continue handling connection. // Decide how to continue handling connection.
switch { switch {
@ -486,12 +489,16 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
} }
} }
func filterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) { // FilterConnection runs all the filtering (and tunneling) procedures.
if filterEnabled() { func FilterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet, checkFilter, checkTunnel bool) {
log.Tracer(ctx).Trace("filter: starting decision process") if checkFilter {
DecideOnConnection(ctx, conn, pkt) if filterEnabled() {
} else { log.Tracer(ctx).Trace("filter: starting decision process")
conn.Accept("privacy filter disabled", noReasonOptionKey) decideOnConnection(ctx, conn, pkt)
// FIXME: nameserver calls this directly without finalizeVerdict.
} else {
conn.Accept("privacy filter disabled", noReasonOptionKey)
}
} }
// TODO: Enable inspection framework again. // TODO: Enable inspection framework again.
@ -511,7 +518,9 @@ func filterConnection(ctx context.Context, conn *network.Connection, pkt packet.
} }
// Check if connection should be tunneled. // Check if connection should be tunneled.
checkTunneling(ctx, conn) if checkTunnel {
checkTunneling(ctx, conn)
}
// Handle verdict records and transitions. // Handle verdict records and transitions.
finalizeVerdict(conn) finalizeVerdict(conn)

4
firewall/master.go
View file

@ -58,9 +58,9 @@ var defaultDeciders = []deciderFn{
checkAutoPermitRelated, checkAutoPermitRelated,
} }
// DecideOnConnection makes a decision about a connection. // decideOnConnection makes a decision about a connection.
// When called, the connection and profile is already locked. // When called, the connection and profile is already locked.
func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) { func decideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) {
// Check if we have a process and profile. // Check if we have a process and profile.
layeredProfile := conn.Process().Profile() layeredProfile := conn.Process().Profile()
if layeredProfile == nil { if layeredProfile == nil {

2
nameserver/nameserver.go
View file

@ -222,7 +222,7 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
}() }()
// Check request with the privacy filter before resolving. // Check request with the privacy filter before resolving.
firewall.DecideOnConnection(ctx, conn, nil) firewall.FilterConnection(ctx, conn, nil, true, false)
// Check if there is a responder from the firewall. // Check if there is a responder from the firewall.
// In special cases, the firewall might want to respond the query itself. // In special cases, the firewall might want to respond the query itself.