Merge pull request #456 from safing/fix/patch-set-12

Fix SPN bootstrapping and other minor things

compat/module.go

@@ -7,6 +7,7 @@ import (
 	"github.com/safing/portbase/log"
 	"github.com/safing/portbase/modules"
 	"github.com/safing/portmaster/netenv"
+	"github.com/safing/portmaster/resolver"
 	"github.com/tevino/abool"
 )
 
@@ -15,11 +16,25 @@ var (
 
 	selfcheckTask           *modules.Task
 	selfcheckTaskRetryAfter = 10 * time.Second
+
+	// selfCheckIsFailing holds whether or not the self-check is currently
+	// failing. This helps other failure systems to not make noise when there is
+	// an underlying failure.
 	selfCheckIsFailing = abool.New()
+
+	// selfcheckFails counts how often the self check failed successively.
+	// selfcheckFails is not locked as it is only accessed by the self-check task.
+	selfcheckFails int
 )
 
 func init() {
 	module = modules.Register("compat", prep, start, stop, "base", "network", "interception", "netenv", "notifications")
+
+	// Workaround resolver integration.
+	// See resolver/compat.go for details.
+	resolver.CompatDNSCheckInternalDomainScope = DNSCheckInternalDomainScope
+	resolver.CompatSelfCheckIsFailing = SelfCheckIsFailing
+	resolver.CompatSubmitDNSCheckDomain = SubmitDNSCheckDomain
 }
 
 func prep() error {
@@ -55,6 +70,7 @@ func selfcheckTaskFunc(ctx context.Context, task *modules.Task) error {
 	issue, err := selfcheck(ctx)
 	if err == nil {
 		selfCheckIsFailing.UnSet()
+		selfcheckFails = 0
 		resetSystemIssue()
 		return nil
 	}
@@ -62,14 +78,18 @@ func selfcheckTaskFunc(ctx context.Context, task *modules.Task) error {
 	// Log result.
 	if issue != nil {
 		selfCheckIsFailing.Set()
+		selfcheckFails++
 
 		log.Errorf("compat: %s", err)
+		if selfcheckFails >= 3 {
 			issue.notify(err)
+		}
 
 		// Retry quicker when failed.
 		task.Schedule(time.Now().Add(selfcheckTaskRetryAfter))
 	} else {
 		selfCheckIsFailing.UnSet()
+		selfcheckFails = 0
 
 		// Only log internal errors, but don't notify.
 		log.Warningf("compat: %s", err)

compat/selfcheck.go

@@ -12,6 +12,7 @@ import (
 	"github.com/safing/portbase/log"
 	"github.com/safing/portbase/rng"
 	"github.com/safing/portmaster/network/packet"
+	"github.com/safing/portmaster/resolver"
 )
 
 var (
@@ -25,7 +26,7 @@ var (
 	systemIntegrationCheckPackets      = make(chan packet.Packet, 1)
 	systemIntegrationCheckWaitDuration = 3 * time.Second
 
-	DNSCheckInternalDomainScope string
+	DNSCheckInternalDomainScope = ".self-check." + resolver.InternalSpecialUseDomain
 	dnsCheckReceivedDomain      = make(chan string, 1)
 	dnsCheckWaitDuration        = 3 * time.Second
 	dnsCheckAnswerLock          sync.Mutex

firewall/interception.go

@@ -376,12 +376,16 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 		conn.Process().Profile() != nil &&
 		conn.Process().Profile().UseSPN() {
 
-		// Exclude requests of the SPN itself.
+		switch {
-		if !captain.IsExcepted(conn.Entity.IP) {
+		case captain.ClientBootstrapping() &&
-			conn.Tunneled = true
+			conn.Process().Pid == ownPID:
+			// Exclude the Portmaster during SPN bootstrapping.
 
-			// Check if client is ready.
+		case captain.IsExcepted(conn.Entity.IP) &&
-			if captain.ClientReady() {
+			conn.Process().Pid == ownPID:
+			// Exclude requests of the SPN itself.
+
+		case captain.ClientReady():
 			// Queue request in sluice.
 			err := sluice.AwaitRequest(conn, crew.HandleSluiceRequest)
 			if err != nil {
@@ -390,12 +394,14 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 			} else {
 				log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
 				conn.Verdict = network.VerdictRerouteToTunnel
+				conn.Tunneled = true
 			}
-			} else {
+
+		default:
 			// Block connection as SPN is not ready yet.
 			log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
 			conn.Failed("SPN not ready for tunneling", "")
-			}
+
 		}
 	}
 

netenv/online-status.go

@@ -404,6 +404,7 @@ func checkOnlineStatus(ctx context.Context) {
 
 	if ConnectedToSPN.IsSet() {
 		updateOnlineStatus(StatusOnline, nil, "connected to SPN")
+		return
 	}
 
 	// 1) check for addresses

network/state/lookup.go

@@ -125,7 +125,7 @@ func (table *tcpTable) findSocket(pktInfo *packet.Info) (
 	for _, socketInfo := range table.listeners {
 		if localPort == socketInfo.Local.Port &&
 			(socketInfo.ListensAny || localIP.Equal(socketInfo.Local.IP)) {
-			return socketInfo, false
+			return socketInfo, true
 		}
 	}
 

resolver/compat.go

@@ -0,0 +1,12 @@
+package resolver
+
+import "net"
+
+// This is a workaround for enabling the resolver to work with the compat
+// module without importing it. Long-term, the network module should not import
+// the resolver package, as this breaks the SPN hub.
+var (
+	CompatDNSCheckInternalDomainScope string
+	CompatSelfCheckIsFailing          func() bool
+	CompatSubmitDNSCheckDomain        func(subdomain string) (respondWith net.IP)
+)

resolver/resolve.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/safing/portbase/database"
 	"github.com/safing/portbase/log"
-	"github.com/safing/portmaster/compat"
 	"github.com/safing/portmaster/netenv"
 )
 
@@ -407,7 +406,7 @@ resolveLoop:
 			err = fmt.Errorf("all %d query-compliant resolvers failed, last error: %s", len(resolvers), err)
 
 			if primarySource == ServerSourceConfigured &&
-				netenv.Online() && compat.SelfCheckIsFailing() {
+				netenv.Online() && CompatSelfCheckIsFailing() {
 				notifyAboutFailingResolvers(err)
 			} else {
 				resetFailingResolversNotification()

resolver/resolver-env.go

@@ -8,16 +8,15 @@ import (
 
 	"github.com/miekg/dns"
 	"github.com/safing/portbase/log"
-	"github.com/safing/portmaster/compat"
 	"github.com/safing/portmaster/netenv"
 	"github.com/safing/portmaster/network/netutils"
 )
 
 const (
-	internalSpecialUseDomain = "portmaster.home.arpa."
+	InternalSpecialUseDomain = "portmaster.home.arpa."
 
-	routerDomain        = "router.local." + internalSpecialUseDomain
+	routerDomain        = "router.local." + InternalSpecialUseDomain
-	captivePortalDomain = "captiveportal.local." + internalSpecialUseDomain
+	captivePortalDomain = "captiveportal.local." + InternalSpecialUseDomain
 )
 
 var (
@@ -38,11 +37,10 @@ var (
 
 func prepEnvResolver() (err error) {
 	netenv.SpecialCaptivePortalDomain = captivePortalDomain
-	compat.DNSCheckInternalDomainScope = ".self-check." + internalSpecialUseDomain
 
 	internalSpecialUseSOA, err = dns.NewRR(fmt.Sprintf(
 		"%s 17 IN SOA localhost. none.localhost. 0 0 0 0 0",
-		internalSpecialUseDomain,
+		InternalSpecialUseDomain,
 	))
 	if err != nil {
 		return err
@@ -50,7 +48,7 @@ func prepEnvResolver() (err error) {
 
 	internalSpecialUseComment, err = dns.NewRR(fmt.Sprintf(
 		`%s 17 IN TXT "This is a special use TLD of the Portmaster."`,
-		internalSpecialUseDomain,
+		InternalSpecialUseDomain,
 	))
 	return err
 }
@@ -94,9 +92,9 @@ func (er *envResolverConn) Query(ctx context.Context, q *Query) (*RRCache, error
 
 		// Check for suffix matches.
 		switch {
-		case strings.HasSuffix(q.FQDN, compat.DNSCheckInternalDomainScope):
+		case strings.HasSuffix(q.FQDN, CompatDNSCheckInternalDomainScope):
-			subdomain := strings.TrimSuffix(q.FQDN, compat.DNSCheckInternalDomainScope)
+			subdomain := strings.TrimSuffix(q.FQDN, CompatDNSCheckInternalDomainScope)
-			respondWith := compat.SubmitDNSCheckDomain(subdomain)
+			respondWith := CompatSubmitDNSCheckDomain(subdomain)
 
 			// We'll get an A record. Only respond if it's an A question.
 			if respondWith != nil && uint16(q.QType) == dns.TypeA {
@@ -110,7 +108,7 @@ func (er *envResolverConn) Query(ctx context.Context, q *Query) (*RRCache, error
 		}
 	case dns.TypeSOA:
 		// Direct query for the SOA record.
-		if q.FQDN == internalSpecialUseDomain {
+		if q.FQDN == InternalSpecialUseDomain {
 			return er.makeRRCache(q, []dns.RR{internalSpecialUseSOA}), nil
 		}
 	}

resolver/scopes.go

@@ -26,7 +26,7 @@ var (
 	// Internal Special-Use Domain
 	// Used by Portmaster for special addressing.
 	internalSpecialUseDomains = []string{
-		"." + internalSpecialUseDomain,
+		"." + InternalSpecialUseDomain,
 	}
 
 	// Multicast DNS