Add compatibility assistant module

firewall/bypassing.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"strings"
 
+	"github.com/safing/portmaster/compat"
+
 	"github.com/safing/portmaster/nameserver/nsutil"
 	"github.com/safing/portmaster/network"
 	"github.com/safing/portmaster/network/packet"
@@ -30,6 +32,7 @@ func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.
 		// Make an exception for ICMP, as these IPs are also often used for debugging.
 	default:
 		if conn.Entity.MatchLists(resolverFilterLists) {
+			compat.ReportSecureDNSBypassIssue(conn.Process())
 			return endpoints.Denied,
 				"blocked rogue connection to DNS resolver",
 				nsutil.BlockIP()

firewall/dns.go

@@ -170,6 +170,11 @@ func FilterResolvedDNS(
 		return nil
 	}
 
+	// Don't filter env responses.
+	if rrCache.Resolver.Type == resolver.ServerTypeEnv {
+		return rrCache
+	}
+
 	// special grant for connectivity domains
 	if checkConnectivityDomain(ctx, conn, layeredProfile, nil) {
 		// returns true if check triggered

firewall/interception.go

@@ -9,6 +9,8 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/safing/portmaster/compat"
+
 	"github.com/safing/spn/captain"
 
 	"github.com/google/gopacket/layers"
@@ -314,6 +316,13 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 			_ = pkt.PermanentAccept()
 			return true
 		}
+
+	case compat.SystemIntegrationCheckProtocol:
+		if pkt.Info().Dst.Equal(compat.SystemIntegrationCheckDstIP) {
+			compat.SubmitSystemIntegrationCheckPacket(pkt)
+			_ = pkt.Drop()
+		}
+		return true
 	}
 
 	return false