From 026dc274f475a619ddb453d8658da5869a84cc36 Mon Sep 17 00:00:00 2001
From: Patrick Pacher
Date: Tue, 17 Aug 2021 14:25:55 +0200
Subject: [PATCH] Fix bypass prevention not working as expected due to filterlists not matched for the entity

---
 firewall/bypassing.go | 7 ++++++-
 firewall/master.go    | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/firewall/bypassing.go b/firewall/bypassing.go
index bfe76adf..6554643a 100644
--- a/firewall/bypassing.go
+++ b/firewall/bypassing.go
@@ -1,6 +1,7 @@
 package firewall
 
 import (
+	"context"
 	"strings"
 
 	"github.com/safing/portmaster/nameserver/nsutil"
@@ -14,7 +15,7 @@ var (
 
 // PreventBypassing checks if the connection should be denied or permitted
 // based on some bypass protection checks.
-func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
+func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
 	// Block firefox canary domain to disable DoH
 	if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
 		return endpoints.Denied,
@@ -22,6 +23,10 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
 			nsutil.NxDomain()
 	}
 
+	if !conn.Entity.LoadLists(ctx) {
+		return endpoints.Undeterminable, "", nil
+	}
+
 	if conn.Entity.MatchLists(resolverFilterLists) {
 		return endpoints.Denied,
 			"blocked rogue connection to DNS resolver",
diff --git a/firewall/master.go b/firewall/master.go
index 96292ff0..95ce467d 100644
--- a/firewall/master.go
+++ b/firewall/master.go
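Review bot: The new guard in the third hunk of firewall/bypassing.go fails open silently: when `conn.Entity.LoadLists(ctx)` returns false, PreventBypassing returns `endpoints.Undeterminable` with an empty reason, so the `MatchLists(resolverFilterLists)` check below it is never evaluated and nothing records why the resolver-bypass check was skipped. A reason such as `return endpoints.Undeterminable, "filter lists could not be loaded", nil` would let the caller surface this in the connection's verdict context, and the doc comment above the signature should state the new contract, e.g. `// It returns Undeterminable when the entity's filter lists cannot be loaded; the resolver-list check is then skipped.` The caller `checkBypassPrevention` in firewall/master.go only shows the `endpoints.Denied` arm of its switch, so whether Undeterminable is logged or treated as a pass lies outside this patch; confirm it does not fall through to a branch that prints the empty reason. This is presumably the intended behaviour while lists are still loading, but given that the function exists to block DNS-resolver bypass it is worth making the skip visible.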
@@ -335,10 +335,10 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 	return false
 }
 
-func checkBypassPrevention(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
+func checkBypassPrevention(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 	if p.PreventBypassing() {
 		// check for bypass protection
-		result, reason, reasonCtx := PreventBypassing(conn)
+		result, reason, reasonCtx := PreventBypassing(ctx, conn)
 		switch result {
 		case endpoints.Denied:
 			conn.BlockWithContext("bypass prevention: "+reason, profile.CfgOptionPreventBypassingKey, reasonCtx)