Set tunneling options for (not) using community nodes

firewall/config.go

@@ -1,10 +1,9 @@
 package firewall
 
 import (
-	"github.com/safing/portbase/api"
 	"github.com/safing/portbase/config"
 	"github.com/safing/portbase/notifications"
-	"github.com/safing/portmaster/core"
+	"github.com/safing/spn/captain"
 )
 
 // Configuration Keys.
@@ -26,9 +25,6 @@ var (
 	CfgOptionDNSQueryInterceptionKey   = "filter/dnsQueryInterception"
 	cfgOptionDNSQueryInterceptionOrder = 97
 	dnsQueryInterception               config.BoolOption
-
-	devMode          config.BoolOption
-	apiListenAddress config.StringOption
 )
 
 func registerConfig() error {
@@ -108,8 +104,17 @@ func registerConfig() error {
 	}
 	askTimeout = config.Concurrent.GetAsInt(CfgOptionAskTimeoutKey, 60)
 
-	devMode = config.Concurrent.GetAsBool(core.CfgDevModeKey, false)
-	apiListenAddress = config.GetAsString(api.CfgDefaultListenAddressKey, "")
-
 	return nil
 }
+
+var (
+	filterEnabled     config.BoolOption
+	tunnelEnabled     config.BoolOption
+	useCommunityNodes config.BoolOption
+)
+
+func getConfig() {
+	filterEnabled = config.Concurrent.GetAsBool(CfgOptionEnableFilterKey, true)
+	tunnelEnabled = config.Concurrent.GetAsBool(captain.CfgOptionEnableSPNKey, false)
+	useCommunityNodes = config.Concurrent.GetAsBool(captain.CfgOptionUseCommunityNodesKey, true)
+}

firewall/filter.go

@@ -7,13 +7,10 @@ import (
 	"github.com/safing/portbase/modules/subsystems"
 	_ "github.com/safing/portmaster/core"
 	"github.com/safing/portmaster/intel/filterlists"
-	"github.com/safing/spn/captain"
 )
 
 var (
 	filterModule *modules.Module
-	filterEnabled config.BoolOption
-	tunnelEnabled config.BoolOption
 
 	unbreakFilterListIDs         = []string{"UNBREAK"}
 	resolvedUnbreakFilterListIDs []string
@@ -48,12 +45,12 @@ func filterPrep() (err error) {
 		return err
 	}
 
-	filterEnabled = config.Concurrent.GetAsBool(CfgOptionEnableFilterKey, true)
-	tunnelEnabled = config.Concurrent.GetAsBool(captain.CfgOptionEnableSPNKey, false)
 	return nil
 }
 
 func filterStart() error {
+	getConfig()
+
 	// TODO: Re-resolve IDs when filterlist index changes.
 	resolvedIDs, err := filterlists.ResolveListIDs(unbreakFilterListIDs)
 	if err != nil {

firewall/interception.go

@@ -13,9 +13,12 @@ import (
 	"github.com/tevino/abool"
 	"golang.org/x/sync/singleflight"
 
+	"github.com/safing/portbase/api"
+	"github.com/safing/portbase/config"
 	"github.com/safing/portbase/log"
 	"github.com/safing/portbase/modules"
 	"github.com/safing/portmaster/compat"
+	"github.com/safing/portmaster/core"
 	_ "github.com/safing/portmaster/core/base"
 	"github.com/safing/portmaster/firewall/inspection"
 	"github.com/safing/portmaster/firewall/interception"
@@ -43,7 +46,14 @@ var (
 	ownPID = os.Getpid()
 )
 
+// Config variables for interception module.
+var (
+	devMode          config.BoolOption
+	apiListenAddress config.StringOption
+)
+
 func init() {
+	// TODO: Move interception module to own package (dir).
 	interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base", "updates", "network", "notifications")
 
 	network.SetDefaultFirewallHandler(defaultHandler)
@@ -54,6 +64,9 @@ func interceptionPrep() error {
 }
 
 func interceptionStart() error {
+	devMode = config.Concurrent.GetAsBool(core.CfgDevModeKey, false)
+	apiListenAddress = config.GetAsString(api.CfgDefaultListenAddressKey, "")
+
 	if err := registerMetrics(); err != nil {
 		return err
 	}

firewall/tunnel.go

@@ -114,6 +114,11 @@ func checkTunneling(ctx context.Context, conn *network.Connection, pkt packet.Pa
 		RoutingProfile:                layeredProfile.SPNRoutingAlgorithm(),
 	}
 
+	// Add required verified owners if community nodes should not be used.
+	if !useCommunityNodes() {
+		conn.TunnelOpts.RequireVerifiedOwners = captain.NonCommunityVerifiedOwners
+	}
+
 	// If we have any exit hub policies, we need to raise the routing algorithm at least to single-hop.
 	if conn.TunnelOpts.RoutingProfile == navigator.RoutingProfileHomeID &&
 		conn.TunnelOpts.HubPoliciesAreSet() {