diff --git a/firewall/config.go b/firewall/config.go
index 702b6c95..b2f23486 100644
--- a/firewall/config.go
+++ b/firewall/config.go
@@ -1,10 +1,9 @@
 package firewall
 
 import (
-	"github.com/safing/portbase/api"
 	"github.com/safing/portbase/config"
 	"github.com/safing/portbase/notifications"
-	"github.com/safing/portmaster/core"
+	"github.com/safing/spn/captain"
 )
 
 // Configuration Keys.
@@ -26,9 +25,6 @@ var (
 	CfgOptionDNSQueryInterceptionKey = "filter/dnsQueryInterception"
 	cfgOptionDNSQueryInterceptionOrder = 97
 	dnsQueryInterception config.BoolOption
-
-	devMode config.BoolOption
-	apiListenAddress config.StringOption
 )
 
 func registerConfig() error {
@@ -108,8 +104,17 @@ func registerConfig() error {
 	}
 	askTimeout = config.Concurrent.GetAsInt(CfgOptionAskTimeoutKey, 60)
 
-	devMode = config.Concurrent.GetAsBool(core.CfgDevModeKey, false)
-	apiListenAddress = config.GetAsString(api.CfgDefaultListenAddressKey, "")
-
 	return nil
 }
+
+var (
+	filterEnabled config.BoolOption
+	tunnelEnabled config.BoolOption
+	useCommunityNodes config.BoolOption
+)
+
+func getConfig() {
+	filterEnabled = config.Concurrent.GetAsBool(CfgOptionEnableFilterKey, true)
+	tunnelEnabled = config.Concurrent.GetAsBool(captain.CfgOptionEnableSPNKey, false)
+	useCommunityNodes = config.Concurrent.GetAsBool(captain.CfgOptionUseCommunityNodesKey, true)
+}
diff --git a/firewall/filter.go b/firewall/filter.go
index 390ef3f3..7fd5afba 100644
--- a/firewall/filter.go
+++ b/firewall/filter.go
@@ -7,13 +7,10 @@ import (
 	"github.com/safing/portbase/modules/subsystems"
 	_ "github.com/safing/portmaster/core"
 	"github.com/safing/portmaster/intel/filterlists"
-	"github.com/safing/spn/captain"
 )
 
 var (
-	filterModule *modules.Module
-	filterEnabled config.BoolOption
-	tunnelEnabled config.BoolOption
+	filterModule *modules.Module
 
 	unbreakFilterListIDs = []string{"UNBREAK"}
 	resolvedUnbreakFilterListIDs []string
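Review bot: The new getConfig() at the end of config.go has no doc comment and its name reads like a getter, although it only assigns the package-level options; a comment such as `// loadConfig resolves the filter module's config options; it must run before filterEnabled, tunnelEnabled or useCommunityNodes are called.` on a function renamed to loadConfig would state what it actually guarantees. The larger concern is timing: the same assignments are removed from filterPrep in the filter.go hunk that follows and now happen in filterStart, so these options stay nil for longer than before, and the tunnel.go hunk calls useCommunityNodes() unconditionally inside checkTunneling. If any connection can reach checkTunneling, or any other reader of filterEnabled/tunnelEnabled, before filterStart has run — I cannot confirm the module ordering from this diff — the nil BoolOption panics the handling goroutine, which is worth ruling out in a packet filter; either keep the assignments in the prep phase or guard the reads with a nil check.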
@@ -48,12 +45,12 @@ func filterPrep() (err error) {
 		return err
 	}
 
-	filterEnabled = config.Concurrent.GetAsBool(CfgOptionEnableFilterKey, true)
-	tunnelEnabled = config.Concurrent.GetAsBool(captain.CfgOptionEnableSPNKey, false)
 	return nil
 }
 
 func filterStart() error {
+	getConfig()
+
 	// TODO: Re-resolve IDs when filterlist index changes.
 	resolvedIDs, err := filterlists.ResolveListIDs(unbreakFilterListIDs)
 	if err != nil {
diff --git a/firewall/interception.go b/firewall/interception.go
index ed582ba1..3ef6a62b 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -13,9 +13,12 @@ import (
 	"github.com/tevino/abool"
 	"golang.org/x/sync/singleflight"
 
+	"github.com/safing/portbase/api"
+	"github.com/safing/portbase/config"
 	"github.com/safing/portbase/log"
 	"github.com/safing/portbase/modules"
 	"github.com/safing/portmaster/compat"
+	"github.com/safing/portmaster/core"
 	_ "github.com/safing/portmaster/core/base"
 	"github.com/safing/portmaster/firewall/inspection"
 	"github.com/safing/portmaster/firewall/interception"
@@ -43,7 +46,14 @@ var (
 	ownPID = os.Getpid()
 )
 
+// Config variables for interception module.
+var (
+	devMode config.BoolOption
+	apiListenAddress config.StringOption
+)
+
 func init() {
+	// TODO: Move interception module to own package (dir).
 	interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base", "updates", "network", "notifications")
 
 	network.SetDefaultFirewallHandler(defaultHandler)
@@ -54,6 +64,9 @@ func interceptionPrep() error {
 }
 
 func interceptionStart() error {
+	devMode = config.Concurrent.GetAsBool(core.CfgDevModeKey, false)
+	apiListenAddress = config.GetAsString(api.CfgDefaultListenAddressKey, "")
+
 	if err := registerMetrics(); err != nil {
 		return err
 	}
diff --git a/firewall/tunnel.go b/firewall/tunnel.go
index 28f0e37d..f335bca4 100644
--- a/firewall/tunnel.go
+++ b/firewall/tunnel.go
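Review bot: In interceptionStart, apiListenAddress is read through the plain `config.GetAsString` while devMode on the preceding added line uses `config.Concurrent.GetAsBool`; both are presumably consulted from the connection-handling path, so they should come from the same accessor family, e.g. `apiListenAddress = config.Concurrent.GetAsString(api.CfgDefaultListenAddressKey, "")` if portbase provides that variant (the lines removed from config.go carried the same mix, so the move only makes the inconsistency more visible). The new `// Config variables for interception module.` comment in the preceding hunk would be more useful if it also recorded when the values become valid, e.g. `// Config variables for the interception module; assigned in interceptionStart and nil before that.` The body of interceptionStart continues past the hunk.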
@@ -114,6 +114,11 @@ func checkTunneling(ctx context.Context, conn *network.Connection, pkt packet.Pa
 		RoutingProfile: layeredProfile.SPNRoutingAlgorithm(),
 	}
 
+	// Add required verified owners if community nodes should not be used.
+	if !useCommunityNodes() {
+		conn.TunnelOpts.RequireVerifiedOwners = captain.NonCommunityVerifiedOwners
+	}
+
 	// If we have any exit hub policies, we need to raise the routing algorithm at least to single-hop.
 	if conn.TunnelOpts.RoutingProfile == navigator.RoutingProfileHomeID && conn.TunnelOpts.HubPoliciesAreSet() {