Merge pull request #373 from safing/fix/intel-locking

Improve locking in intel/filterlists and intel/geoip

firewall/bypassing.go

@@ -1,6 +1,7 @@
 package firewall
 
 import (
+	"context"
 	"strings"
 
 	"github.com/safing/portmaster/nameserver/nsutil"
@@ -14,7 +15,7 @@ var (
 
 // PreventBypassing checks if the connection should be denied or permitted
 // based on some bypass protection checks.
-func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
+func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
 	// Block firefox canary domain to disable DoH
 	if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
 		return endpoints.Denied,
@@ -22,6 +23,10 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
 			nsutil.NxDomain()
 	}
 
+	if !conn.Entity.LoadLists(ctx) {
+		return endpoints.Undeterminable, "", nil
+	}
+
 	if conn.Entity.MatchLists(resolverFilterLists) {
 		return endpoints.Denied,
 			"blocked rogue connection to DNS resolver",

firewall/master.go

@@ -335,10 +335,10 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 	return false
 }
 
-func checkBypassPrevention(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
+func checkBypassPrevention(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 	if p.PreventBypassing() {
 		// check for bypass protection
-		result, reason, reasonCtx := PreventBypassing(conn)
+		result, reason, reasonCtx := PreventBypassing(ctx, conn)
 		switch result {
 		case endpoints.Denied:
 			conn.BlockWithContext("bypass prevention: "+reason, profile.CfgOptionPreventBypassingKey, reasonCtx)

intel/filterlists/bloom.go

@@ -6,9 +6,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/tannerryan/ring"
 	"github.com/safing/portbase/database/record"
 	"github.com/safing/portbase/log"
+	"github.com/tannerryan/ring"
 )
 
 var defaultFilter = newScopedBloom()
@@ -66,8 +66,8 @@ func (bf *scopedBloom) getBloomForType(entityType string) (*ring.Ring, error) {
 }
 
 func (bf *scopedBloom) add(scope, value string) {
-	bf.rw.RLock()
-	defer bf.rw.RUnlock()
+	bf.rw.Lock()
+	defer bf.rw.Unlock()
 
 	r, err := bf.getBloomForType(scope)
 	if err != nil {

intel/geoip/database.go

@@ -20,7 +20,7 @@ var (
 
 	geoDBv4Reader *maxminddb.Reader
 	geoDBv6Reader *maxminddb.Reader
-	dbLock        sync.Mutex
+	dbLock        sync.RWMutex
 
 	dbInUse    = abool.NewBool(false) // only activate if used for first time
 	dbDoReload = abool.NewBool(true)  // if database should be reloaded
@@ -35,6 +35,7 @@ func ReloadDatabases() error {
 
 	dbFileLock.Lock()
 	defer dbFileLock.Unlock()
+
 	dbLock.Lock()
 	defer dbLock.Unlock()
 

intel/geoip/lookup.go

@@ -15,8 +15,8 @@ func getReader(ip net.IP) *maxminddb.Reader {
 
 // GetLocation returns Location data of an IP address
 func GetLocation(ip net.IP) (record *Location, err error) {
-	dbLock.Lock()
-	defer dbLock.Unlock()
+	dbLock.RLock()
+	defer dbLock.RUnlock()
 
 	err = prepDatabaseForUse()
 	if err != nil {