diff --git a/README.md b/README.md index 08ef08d1..d28fedbc 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ With great defaults your privacy improves without any effort. And if you want to [![It's FOSS](https://safing.io/assets/img//external/itsfoss.png)](https://news.itsfoss.com/portmaster-1-release/)         -[![ghacks.net](https://safing.io/assets/img//external/ghacks.png)](https://www.ghacks.net/2022/05/16/first-look-at-portmaster-an-open-source-cross-platform-network-monitor/) +[![ghacks.net](https://safing.io/assets/img//external/ghacks.png)](https://www.ghacks.net/2022/11/08/portmaster-1-0-released-open-source-application-firewall/)     [![Techlore](https://safing.io/assets/img//external/techlore.png)](https://www.youtube.com/watch?v=E8cTRhGtmcM) diff --git a/firewall/tunnel.go b/firewall/tunnel.go index e062512c..ccaf81ff 100644 --- a/firewall/tunnel.go +++ b/firewall/tunnel.go 
@@ -137,12 +137,23 @@ func requestTunneling(ctx context.Context, conn *network.Connection) error {
 		conn.TunnelOpts.RequireVerifiedOwners = captain.NonCommunityVerifiedOwners
 	}
 
-	// If we have any exit hub policies, we need to raise the routing algorithm at least to single-hop.
-	if conn.TunnelOpts.RoutingProfile == navigator.RoutingProfileHomeID &&
-		conn.TunnelOpts.HubPoliciesAreSet() {
+	// Get routing profile for checking for upgrades.
+	routingProfile := navigator.GetRoutingProfile(conn.TunnelOpts.RoutingProfile)
+
+	// If we have any exit hub policies, we must be able to hop in order to follow the policy.
+	// Switch to single-hop routing to allow for routing with hub selection.
+	if routingProfile.MaxHops <= 1 && conn.TunnelOpts.HubPoliciesAreSet() {
 		conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileSingleHopID
 	}
 
+	// If the current home node is not trusted, then upgrade at least to two hops.
+	if routingProfile.MinHops < 2 {
+		homeNode, _ := navigator.Main.GetHome()
+		if homeNode != nil && !homeNode.State.Has(navigator.StateTrusted) {
+			conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileDoubleHopID
+		}
+	}
+
 	// Special handling for the internal DNS resolver.
 	if conn.Process().Pid == ownPID && resolver.IsResolverAddress(conn.Entity.IP, conn.Entity.Port) {
 		dnsExitHubPolicy, err := captain.GetDNSExitHubPolicy()
diff --git a/go.mod b/go.mod
index 37eea1e3..fdf93979 100644
--- a/go.mod
+++ b/go.mod
@@ -17,8 +17,8 @@ require (
 	github.com/miekg/dns v1.1.50
 	github.com/oschwald/maxminddb-golang v1.10.0
 	github.com/safing/jess v0.3.1
-	github.com/safing/portbase v0.16.2
-	github.com/safing/spn v0.5.4
+	github.com/safing/portbase v0.16.3
+	github.com/safing/spn v0.5.5
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/spf13/cobra v1.5.0
 	github.com/spkg/zipfs v0.7.1
diff --git a/go.sum b/go.sum
index c43c7a47..b954e337 100644
--- a/go.sum
+++ b/go.sum
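Review bot: `routingProfile.MaxHops` and `routingProfile.MinHops` dereference the result of `navigator.GetRoutingProfile` without a nil check; if that lookup can return nil for an unrecognized profile ID (for example a stale string persisted in the config), the tunneling path panics. Either confirm the lookup falls back to a default profile or guard it with `if routingProfile == nil { routingProfile = navigator.GetRoutingProfile(navigator.DefaultRoutingProfileID) }`. Both upgrades also happen silently; a debug log naming the old and new `conn.TunnelOpts.RoutingProfile` whenever it is changed would make the automatic privacy upgrade observable to the user and in support logs. The home-node check only upgrades when a home hub is currently connected (`homeNode != nil`), which is worth stating in the comment above it. requestTunneling continues past both ends of the hunk.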
@@ -192,10 +192,14 @@ github.com/safing/jess v0.3.1/go.mod h1:aj73Eot1zm2ETkJuw9hJlIO8bRom52uBbsCHemvl
 github.com/safing/portbase v0.15.2/go.mod h1:5bHi99fz7Hh/wOsZUOI631WF9ePSHk57c4fdlOMS91Y=
 github.com/safing/portbase v0.16.2 h1:ZlCZBZkKmgJDR+sHSRbFc9mM8m9qYtu8agE1xCirvQU=
 github.com/safing/portbase v0.16.2/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
+github.com/safing/portbase v0.16.3 h1:9P8h5KWg7zaeW66pYaW1RN+5jUUwhFo1ruKa80aX/do=
+github.com/safing/portbase v0.16.3/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
 github.com/safing/spn v0.5.3 h1:aebwD3RI7OqtbBDK9HoqhKHcEH/i021Klrkl+dOq1Dc=
 github.com/safing/spn v0.5.3/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
 github.com/safing/spn v0.5.4 h1:9xM4a9kBSg0dV6eR7mEYLjVT5vvNX2PRO9cIP5l9F5A=
 github.com/safing/spn v0.5.4/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
+github.com/safing/spn v0.5.5 h1:OpBOJCPLbx+1B5aMd0EQzP/0IgZGp/PFsso7ybUPuhs=
+github.com/safing/spn v0.5.5/go.mod h1:HYcGGze78wlwXZxF1UMqZ7GuA6ILqvNrO9v23EpFQvM=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/seehuhn/fortuna v1.0.1 h1:lu9+CHsmR0bZnx5Ay646XvCSRJ8PJTi5UYJwDBX68H0=
diff --git a/profile/config.go b/profile/config.go
index 9ca174ed..5635873c 100644
--- a/profile/config.go
+++ b/profile/config.go
@@ -6,6 +6,7 @@ import (
 	"github.com/safing/portbase/config"
 	"github.com/safing/portmaster/profile/endpoints"
 	"github.com/safing/portmaster/status"
+	"github.com/safing/spn/navigator"
 )
 
 // Configuration Keys.
@@ -680,13 +681,12 @@ By default, the Portmaster tries to choose the node closest to the destination a
 	cfgStringArrayOptions[CfgOptionExitHubPolicyKey] = cfgOptionExitHubPolicy
 
 	// Select SPN Routing Algorithm
-	defaultRoutingAlg := "double-hop"
 	err = config.Register(&config.Option{
 		Name: "Select SPN Routing Algorithm",
 		Key: CfgOptionRoutingAlgorithmKey,
-		Description: "Select the routing algorithm for your connections through the SPN. Configure your preferred balance between speed and privacy.",
+		Description: "Select the routing algorithm for your connections through the SPN. Configure your preferred balance between speed and privacy. Portmaster may automatically upgrade the routing algorithm if necessary to protect your privacy.",
 		OptType: config.OptTypeString,
-		DefaultValue: defaultRoutingAlg,
+		DefaultValue: navigator.DefaultRoutingProfileID,
 		Annotations: config.Annotations{
 			config.DisplayHintAnnotation: config.DisplayHintOneOf,
 			config.DisplayOrderAnnotation: cfgOptionRoutingAlgorithmOrder,
@@ -718,7 +718,7 @@ By default, the Portmaster tries to choose the node closest to the destination a
 	if err != nil {
 		return err
 	}
-	cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, defaultRoutingAlg)
+	cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, navigator.DefaultRoutingProfileID)
 	cfgStringOptions[CfgOptionRoutingAlgorithmKey] = cfgOptionRoutingAlgorithm
 
 	return nil
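Review bot: The option's `DefaultValue` and the fallback passed to `config.Concurrent.GetAsString` are now both `navigator.DefaultRoutingProfileID`, but the list of accepted values the UI offers for this option lies outside the hunk and presumably still spells the profile IDs out as string literals; if so, those should reference the navigator constants (`navigator.RoutingProfileSingleHopID`, `navigator.RoutingProfileDoubleHopID`, ...) as well, so the accepted values cannot drift from what `navigator.GetRoutingProfile` recognizes. The added Description sentence would be more useful if it named the two upgrades the firewall applies (exit hub policies force at least single-hop, an untrusted home hub forces at least double-hop), so a user can tell why their configured algorithm was not used. The enclosing registration function starts before and ends after this hunk.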