Add custom routing for DNS server connections

2025-09-04 11:39:29 +00:00 · 2021-10-12 16:18:36 +02:00 · 2021-10-12 16:18:36 +02:00 · 960101d3a9
commit 960101d3a9
parent 0f48d32ac2
5 changed files with 46 additions and 111 deletions
--- a/firewall/interception.go
+++ b/firewall/interception.go
@ -328,6 +328,8 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 		conn.Accept("connection by Portmaster", noReasonOptionKey)
 		conn.Internal = true
 		// Set tunnel options.
 		setCustomTunnelOptionsForPortmaster(conn)
 	case pkt.IsOutbound() &&
 		pkt.Info().DstPort == 53 &&
--- a/firewall/master.go
+++ b/firewall/master.go
@ -141,6 +141,10 @@ func checkPortmasterConnection(ctx context.Context, conn *network.Connection, _
 		log.Tracer(ctx).Infof("filter: granting own connection %s", conn)
 		conn.Accept("connection by Portmaster", noReasonOptionKey)
 		conn.Internal = true
 		// Set tunnel options.
 		setCustomTunnelOptionsForPortmaster(conn)
 		return true
 	}
--- a/firewall/tunnel.go
+++ b/firewall/tunnel.go
@ -1,111 +1,23 @@
 package firewall
-// var (
+import (
-// 	TunnelNet4   *net.IPNet
+	"github.com/safing/portmaster/network"
-// 	TunnelNet6   *net.IPNet
+	"github.com/safing/portmaster/resolver"
-// 	TunnelEntry4 = net.IPv4(127, 0, 0, 17)
+	"github.com/safing/spn/navigator"
-// 	TunnelEntry6 = net.ParseIP("fd17::17")
+)
-//
+
-// 	ipToDomainMap     = make(map[string]*TunnelInfo)
+func setCustomTunnelOptionsForPortmaster(conn *network.Connection) {
-// 	ipToDomainMapLock sync.RWMutex
+	switch {
-// )
+	case !tunnelEnabled():
-//
+		// Ignore when tunneling is not enabled.
-// func init() {
+		return
-// 	var err error
+	case !conn.Entity.IPScope.IsGlobal():
-// 	_, TunnelNet4, err = net.ParseCIDR("127.17.0.0/16")
+		// Ignore if destination is not in global address space.
-// 	if err != nil {
+		return
-// 		log.Fatalf("portmaster: could not parse 127.17.0.0/16: %s", err)
+	case resolver.IsResolverAddress(conn.Entity.IP, conn.Entity.Port):
-// 	}
+		// Set custom tunnel options for DNS servers.
-// 	_, TunnelNet6, err = net.ParseCIDR("fd17::/64")
+		conn.TunnelOpts = &navigator.Options{
-// 	if err != nil {
+			RoutingProfile: navigator.RoutingProfileHomeName,
-// 		log.Fatalf("portmaster: could not parse fd17::/64: %s", err)
+		}
-// 	}
+	}
-//
+}
 // 	go tunnelInfoCleaner()
 // }
 //
 // type TunnelInfo struct {
 // 	IP      net.IP
 // 	Domain  string
 // 	RRCache *intel.RRCache
 // 	Expires int64
 // }
 //
 // func (ti *TunnelInfo) ExportTunnelIP() *intel.RRCache {
 // 	return &intel.RRCache{
 // 		Answer: []dns.RR{
 // 			&dns.A{
 // 				Hdr: dns.RR_Header{
 // 					Name:     ti.Domain,
 // 					Rrtype:   1,
 // 					Class:    1,
 // 					Ttl:      17,
 // 					Rdlength: 8,
 // 				},
 // 				A: ti.IP,
 // 			},
 // 		},
 // 	}
 // }
 //
 // func AssignTunnelIP(domain string) (*TunnelInfo, error) {
 // 	ipToDomainMapLock.Lock()
 // 	defer ipToDomainMapLock.Unlock()
 //
 // 	for i := 0; i < 100; i++ {
 // 		// get random IP
 // 		r, err := random.Bytes(2)
 // 		if err != nil {
 // 			return nil, err
 // 		}
 // 		randomIP := net.IPv4(127, 17, r[0], r[1])
 //
 // 		// clean after every 20 tries
 // 		if i > 0 && i%20 == 0 {
 // 			cleanExpiredTunnelInfos()
 // 		}
 //
 // 		// if it does not exist yet, set and return
 // 		_, ok := ipToDomainMap[randomIP.String()]
 // 		if !ok {
 // 			tunnelInfo := &TunnelInfo{
 // 				IP:      randomIP,
 // 				Domain:  domain,
 // 				Expires: time.Now().Add(5 * time.Minute).Unix(),
 // 			}
 // 			ipToDomainMap[randomIP.String()] = tunnelInfo
 // 			return tunnelInfo, nil
 // 		}
 // 	}
 //
 // 	return nil, errors.New("could not find available tunnel IP, please retry later")
 // }
 //
 // func GetTunnelInfo(tunnelIP net.IP) (tunnelInfo *TunnelInfo) {
 // 	ipToDomainMapLock.RLock()
 // 	defer ipToDomainMapLock.RUnlock()
 // 	var ok bool
 // 	tunnelInfo, ok = ipToDomainMap[tunnelIP.String()]
 // 	if ok && tunnelInfo.Expires >= time.Now().Unix() {
 // 		return tunnelInfo
 // 	}
 // 	return nil
 // }
 //
 // func tunnelInfoCleaner() {
 // 	for {
 // 		time.Sleep(5 * time.Minute)
 // 		ipToDomainMapLock.Lock()
 // 		cleanExpiredTunnelInfos()
 // 		ipToDomainMapLock.Unlock()
 // 	}
 // }
 //
 // func cleanExpiredTunnelInfos() {
 // 	now := time.Now().Unix()
 // 	for domain, tunnelInfo := range ipToDomainMap {
 // 		if tunnelInfo.Expires < now {
 // 			delete(ipToDomainMap, domain)
 // 		}
 // 	}
 // }
--- a/network/connection.go
+++ b/network/connection.go
@ -7,15 +7,15 @@ import (
 	"sync"
 	"time"
 	"github.com/safing/portmaster/netenv"
 	"github.com/safing/portbase/database/record"
 	"github.com/safing/portbase/log"
 	"github.com/safing/portmaster/intel"
 	"github.com/safing/portmaster/netenv"
 	"github.com/safing/portmaster/network/netutils"
 	"github.com/safing/portmaster/network/packet"
 	"github.com/safing/portmaster/process"
 	"github.com/safing/portmaster/resolver"
 	"github.com/safing/spn/navigator"
 )
 // FirewallHandler defines the function signature for a firewall
@ -137,6 +137,8 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	Tunneled bool
 	// Encrypted is currently unused and MUST be ignored.
 	Encrypted bool
 	// TunnelOpts holds options for tunneling the connection.
 	TunnelOpts *navigator.Options
 	// ProcessContext holds additional information about the process
 	// that iniated the connection. It is set once when the connection
 	// object is created and is considered immutable afterwards.
--- a/resolver/resolvers.go
+++ b/resolver/resolvers.go
@ -395,3 +395,18 @@ func checkSearchScope(searchDomain string) (ok bool) {
 	return true
 }
 // IsResolverAddress returns whether the given ip and port match a configured resolver.
 func IsResolverAddress(ip net.IP, port uint16) bool {
 	resolversLock.RLock()
 	defer resolversLock.RUnlock()
 	// Check if the given IP and port matches a resolver.
 	for _, r := range globalResolvers {
 		if port == r.Info.Port && r.Info.IP.Equal(ip) {
 			return true
 		}
 	}
 	return false
 }