Fix bypass prevention not working as expected due to filterlists not matched for the entity

firewall/bypassing.go

@@ -1,6 +1,7 @@
 package firewall
 
 import (
+	"context"
 	"strings"
 
 	"github.com/safing/portmaster/nameserver/nsutil"
@@ -14,7 +15,7 @@ var (
 
 // PreventBypassing checks if the connection should be denied or permitted
 // based on some bypass protection checks.
-func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
+func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
 	// Block firefox canary domain to disable DoH
 	if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
 		return endpoints.Denied,
@@ -22,6 +23,10 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
 			nsutil.NxDomain()
 	}
 
+	if !conn.Entity.LoadLists(ctx) {
+		return endpoints.Undeterminable, "", nil
+	}
+
 	if conn.Entity.MatchLists(resolverFilterLists) {
 		return endpoints.Denied,
 			"blocked rogue connection to DNS resolver",

firewall/master.go

@@ -335,10 +335,10 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 	return false
 }
 
-func checkBypassPrevention(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
+func checkBypassPrevention(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 	if p.PreventBypassing() {
 		// check for bypass protection
-		result, reason, reasonCtx := PreventBypassing(conn)
+		result, reason, reasonCtx := PreventBypassing(ctx, conn)
 		switch result {
 		case endpoints.Denied:
 			conn.BlockWithContext("bypass prevention: "+reason, profile.CfgOptionPreventBypassingKey, reasonCtx)