mirror of
https://github.com/safing/portmaster
synced 2025-04-22 03:49:09 +00:00
385 lines
9.4 KiB
Go
385 lines
9.4 KiB
Go
package firewall
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"sync/atomic"
|
|
"time"
|
|
|
|
"github.com/safing/portbase/log"
|
|
"github.com/safing/portbase/modules"
|
|
"github.com/safing/portmaster/firewall/inspection"
|
|
"github.com/safing/portmaster/firewall/interception"
|
|
"github.com/safing/portmaster/network"
|
|
"github.com/safing/portmaster/network/packet"
|
|
|
|
// module dependencies
|
|
_ "github.com/safing/portmaster/core"
|
|
_ "github.com/safing/portmaster/profile"
|
|
)
|
|
|
|
var (
|
|
// localNet net.IPNet
|
|
localhost net.IP
|
|
dnsServer net.IPNet
|
|
packetsAccepted *uint64
|
|
packetsBlocked *uint64
|
|
packetsDropped *uint64
|
|
|
|
localNet4 *net.IPNet
|
|
|
|
localhost4 = net.IPv4(127, 0, 0, 1)
|
|
localhost6 = net.IPv6loopback
|
|
|
|
tunnelNet4 *net.IPNet
|
|
tunnelNet6 *net.IPNet
|
|
tunnelEntry4 = net.IPv4(127, 0, 0, 17)
|
|
tunnelEntry6 = net.ParseIP("fd17::17")
|
|
)
|
|
|
|
func init() {
|
|
modules.Register("firewall", prep, start, stop, "core", "network", "nameserver", "profile", "updates")
|
|
}
|
|
|
|
func prep() (err error) {
|
|
|
|
err = registerConfig()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = prepAPIAuth()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, localNet4, err = net.ParseCIDR("127.0.0.0/24")
|
|
// Yes, this would normally be 127.0.0.0/8
|
|
// TODO: figure out any side effects
|
|
if err != nil {
|
|
return fmt.Errorf("firewall: failed to parse cidr 127.0.0.0/24: %s", err)
|
|
}
|
|
|
|
_, tunnelNet4, err = net.ParseCIDR("127.17.0.0/16")
|
|
if err != nil {
|
|
return fmt.Errorf("firewall: failed to parse cidr 127.17.0.0/16: %s", err)
|
|
}
|
|
_, tunnelNet6, err = net.ParseCIDR("fd17::/64")
|
|
if err != nil {
|
|
return fmt.Errorf("firewall: failed to parse cidr fd17::/64: %s", err)
|
|
}
|
|
|
|
var pA uint64
|
|
packetsAccepted = &pA
|
|
var pB uint64
|
|
packetsBlocked = &pB
|
|
var pD uint64
|
|
packetsDropped = &pD
|
|
|
|
return nil
|
|
}
|
|
|
|
func start() error {
|
|
startAPIAuth()
|
|
go statLogger()
|
|
go run()
|
|
go portsInUseCleaner()
|
|
|
|
return interception.Start()
|
|
}
|
|
|
|
func stop() error {
|
|
return interception.Stop()
|
|
}
|
|
|
|
func handlePacket(pkt packet.Packet) {
|
|
|
|
// allow localhost, for now
|
|
// if pkt.Info().Src.Equal(pkt.Info().Dst) {
|
|
// log.Debugf("accepting localhost communication: %s", pkt)
|
|
// pkt.PermanentAccept()
|
|
// return
|
|
// }
|
|
|
|
// allow local dns
|
|
if (pkt.Info().DstPort == 53 || pkt.Info().SrcPort == 53) && pkt.Info().Src.Equal(pkt.Info().Dst) {
|
|
log.Debugf("accepting local dns: %s", pkt)
|
|
pkt.PermanentAccept()
|
|
return
|
|
}
|
|
|
|
// allow api access, if address was parsed successfully
|
|
if apiPortSet {
|
|
if (pkt.Info().DstPort == apiPort || pkt.Info().SrcPort == apiPort) && pkt.Info().Src.Equal(pkt.Info().Dst) {
|
|
log.Debugf("accepting api connection: %s", pkt)
|
|
pkt.PermanentAccept()
|
|
return
|
|
}
|
|
}
|
|
|
|
// // redirect dns (if we know that it's not our own request)
|
|
// if pkt.IsOutbound() && intel.RemoteIsActiveNameserver(pkt) {
|
|
// log.Debugf("redirecting dns: %s", pkt)
|
|
// pkt.RedirToNameserver()
|
|
// }
|
|
|
|
// allow ICMP, IGMP and DHCP
|
|
// TODO: actually handle these
|
|
switch pkt.Info().Protocol {
|
|
case packet.ICMP:
|
|
log.Debugf("accepting ICMP: %s", pkt)
|
|
pkt.PermanentAccept()
|
|
return
|
|
case packet.ICMPv6:
|
|
log.Debugf("accepting ICMPv6: %s", pkt)
|
|
pkt.PermanentAccept()
|
|
return
|
|
case packet.IGMP:
|
|
log.Debugf("accepting IGMP: %s", pkt)
|
|
pkt.PermanentAccept()
|
|
return
|
|
case packet.UDP:
|
|
if pkt.Info().DstPort == 67 || pkt.Info().DstPort == 68 {
|
|
log.Debugf("accepting DHCP: %s", pkt)
|
|
pkt.PermanentAccept()
|
|
return
|
|
}
|
|
// TODO: Howto handle NetBios?
|
|
}
|
|
|
|
// log.Debugf("firewall: pkt %s has ID %s", pkt, pkt.GetLinkID())
|
|
|
|
// use this to time how long it takes process packet
|
|
// timed := time.Now()
|
|
// defer log.Tracef("firewall: took %s to process packet %s", time.Now().Sub(timed).String(), pkt)
|
|
|
|
// check if packet is destined for tunnel
|
|
// switch pkt.IPVersion() {
|
|
// case packet.IPv4:
|
|
// if TunnelNet4 != nil && TunnelNet4.Contains(pkt.Info().Dst) {
|
|
// tunnelHandler(pkt)
|
|
// }
|
|
// case packet.IPv6:
|
|
// if TunnelNet6 != nil && TunnelNet6.Contains(pkt.Info().Dst) {
|
|
// tunnelHandler(pkt)
|
|
// }
|
|
// }
|
|
|
|
traceCtx, tracer := log.AddTracer(context.Background())
|
|
if tracer != nil {
|
|
pkt.SetCtx(traceCtx)
|
|
tracer.Tracef("firewall: handling packet: %s", pkt)
|
|
}
|
|
|
|
// associate packet to link and handle
|
|
link, created := network.GetOrCreateLinkByPacket(pkt)
|
|
defer func() {
|
|
go link.SaveIfNeeded()
|
|
}()
|
|
if created {
|
|
link.SetFirewallHandler(initialHandler)
|
|
link.HandlePacket(pkt)
|
|
return
|
|
}
|
|
if link.FirewallHandlerIsSet() {
|
|
link.HandlePacket(pkt)
|
|
return
|
|
}
|
|
issueVerdict(pkt, link, 0, true)
|
|
}
|
|
|
|
func initialHandler(pkt packet.Packet, link *network.Link) {
|
|
log.Tracer(pkt.Ctx()).Trace("firewall: [initial handler]")
|
|
|
|
// check for internal firewall bypass
|
|
ps := getPortStatusAndMarkUsed(pkt.Info().LocalPort())
|
|
if ps.isMe {
|
|
// connect to comms
|
|
comm, err := network.GetOwnComm(pkt)
|
|
if err != nil {
|
|
// log.Warningf("firewall: could not get own comm: %s", err)
|
|
log.Tracer(pkt.Ctx()).Warningf("firewall: could not get own comm: %s", err)
|
|
} else {
|
|
comm.AddLink(link)
|
|
}
|
|
defer func() {
|
|
go comm.SaveIfNeeded()
|
|
}()
|
|
|
|
// approve
|
|
link.Accept("internally approved")
|
|
log.Tracer(pkt.Ctx()).Tracef("firewall: internally approved link (via local port %d)", pkt.Info().LocalPort())
|
|
|
|
// finish
|
|
link.StopFirewallHandler()
|
|
issueVerdict(pkt, link, 0, true)
|
|
return
|
|
}
|
|
|
|
// get Communication
|
|
comm, err := network.GetCommunicationByFirstPacket(pkt)
|
|
if err != nil {
|
|
log.Tracer(pkt.Ctx()).Warningf("firewall: could not get process, denying link: %s", err)
|
|
|
|
// get "unknown" comm
|
|
link.Deny(fmt.Sprintf("could not get process: %s", err))
|
|
comm, err = network.GetUnknownCommunication(pkt)
|
|
|
|
if err != nil {
|
|
// all failed
|
|
log.Tracer(pkt.Ctx()).Errorf("firewall: could not get unknown comm: %s", err)
|
|
link.UpdateVerdict(network.VerdictDrop)
|
|
link.StopFirewallHandler()
|
|
issueVerdict(pkt, link, 0, true)
|
|
return
|
|
}
|
|
}
|
|
defer func() {
|
|
go comm.SaveIfNeeded()
|
|
}()
|
|
|
|
// add new Link to Communication (and save both)
|
|
comm.AddLink(link)
|
|
log.Tracer(pkt.Ctx()).Tracef("firewall: link attached to %s", comm)
|
|
|
|
// reroute dns requests to nameserver
|
|
if comm.Process().Pid != os.Getpid() && pkt.IsOutbound() && pkt.Info().DstPort == 53 && !pkt.Info().Src.Equal(pkt.Info().Dst) {
|
|
link.UpdateVerdict(network.VerdictRerouteToNameserver)
|
|
link.StopFirewallHandler()
|
|
issueVerdict(pkt, link, 0, true)
|
|
return
|
|
}
|
|
|
|
log.Tracer(pkt.Ctx()).Trace("firewall: starting decision process")
|
|
|
|
DecideOnCommunication(comm, pkt)
|
|
DecideOnLink(comm, link, pkt)
|
|
|
|
// TODO: link this to real status
|
|
// gate17Active := mode.Client()
|
|
|
|
switch {
|
|
// case gate17Active && link.Inspect:
|
|
// // tunnel link, but also inspect (after reroute)
|
|
// link.Tunneled = true
|
|
// link.SetFirewallHandler(inspectThenVerdict)
|
|
// verdict(pkt, link.GetVerdict())
|
|
// case gate17Active:
|
|
// // tunnel link, don't inspect
|
|
// link.Tunneled = true
|
|
// link.StopFirewallHandler()
|
|
// permanentVerdict(pkt, network.VerdictAccept)
|
|
case link.Inspect:
|
|
log.Tracer(pkt.Ctx()).Trace("firewall: start inspecting")
|
|
link.SetFirewallHandler(inspectThenVerdict)
|
|
inspectThenVerdict(pkt, link)
|
|
default:
|
|
link.StopFirewallHandler()
|
|
issueVerdict(pkt, link, 0, true)
|
|
}
|
|
|
|
}
|
|
|
|
func inspectThenVerdict(pkt packet.Packet, link *network.Link) {
|
|
pktVerdict, continueInspection := inspection.RunInspectors(pkt, link)
|
|
if continueInspection {
|
|
issueVerdict(pkt, link, pktVerdict, false)
|
|
return
|
|
}
|
|
|
|
// we are done with inspecting
|
|
link.StopFirewallHandler()
|
|
issueVerdict(pkt, link, 0, true)
|
|
}
|
|
|
|
func issueVerdict(pkt packet.Packet, link *network.Link, verdict network.Verdict, allowPermanent bool) {
|
|
link.Lock()
|
|
|
|
// enable permanent verdict
|
|
if allowPermanent && !link.VerdictPermanent {
|
|
link.VerdictPermanent = permanentVerdicts()
|
|
if link.VerdictPermanent {
|
|
link.SaveWhenFinished()
|
|
}
|
|
}
|
|
|
|
// do not allow to circumvent link decision: e.g. to ACCEPT packets from a DROP-ed link
|
|
if verdict < link.Verdict {
|
|
verdict = link.Verdict
|
|
}
|
|
|
|
switch verdict {
|
|
case network.VerdictAccept:
|
|
atomic.AddUint64(packetsAccepted, 1)
|
|
if link.VerdictPermanent {
|
|
pkt.PermanentAccept()
|
|
} else {
|
|
pkt.Accept()
|
|
}
|
|
case network.VerdictBlock:
|
|
atomic.AddUint64(packetsBlocked, 1)
|
|
if link.VerdictPermanent {
|
|
pkt.PermanentBlock()
|
|
} else {
|
|
pkt.Block()
|
|
}
|
|
case network.VerdictDrop:
|
|
atomic.AddUint64(packetsDropped, 1)
|
|
if link.VerdictPermanent {
|
|
pkt.PermanentDrop()
|
|
} else {
|
|
pkt.Drop()
|
|
}
|
|
case network.VerdictRerouteToNameserver:
|
|
pkt.RerouteToNameserver()
|
|
case network.VerdictRerouteToTunnel:
|
|
pkt.RerouteToTunnel()
|
|
default:
|
|
atomic.AddUint64(packetsDropped, 1)
|
|
pkt.Drop()
|
|
}
|
|
|
|
link.Unlock()
|
|
|
|
log.Tracer(pkt.Ctx()).Infof("firewall: %s %s", link.Verdict, link)
|
|
}
|
|
|
|
// func tunnelHandler(pkt packet.Packet) {
|
|
// tunnelInfo := GetTunnelInfo(pkt.Info().Dst)
|
|
// if tunnelInfo == nil {
|
|
// pkt.Block()
|
|
// return
|
|
// }
|
|
//
|
|
// entry.CreateTunnel(pkt, tunnelInfo.Domain, tunnelInfo.RRCache.ExportAllARecords())
|
|
// log.Tracef("firewall: rerouting %s to tunnel entry point", pkt)
|
|
// pkt.RerouteToTunnel()
|
|
// return
|
|
// }
|
|
|
|
func run() {
|
|
for {
|
|
select {
|
|
case <-modules.ShuttingDown():
|
|
return
|
|
case pkt := <-interception.Packets:
|
|
handlePacket(pkt)
|
|
}
|
|
}
|
|
}
|
|
|
|
func statLogger() {
|
|
for {
|
|
select {
|
|
case <-modules.ShuttingDown():
|
|
return
|
|
case <-time.After(10 * time.Second):
|
|
log.Tracef("firewall: packets accepted %d, blocked %d, dropped %d", atomic.LoadUint64(packetsAccepted), atomic.LoadUint64(packetsBlocked), atomic.LoadUint64(packetsDropped))
|
|
atomic.StoreUint64(packetsAccepted, 0)
|
|
atomic.StoreUint64(packetsBlocked, 0)
|
|
atomic.StoreUint64(packetsDropped, 0)
|
|
}
|
|
}
|
|
}
|