diff --git a/firewall/firewall.go b/firewall/firewall.go
index 6468ee3f..1dfafa03 100644
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
@@ -28,8 +28,6 @@ var (
 	packetsDropped *uint64
 	localNet4 *net.IPNet
-	// Yes, this would normally be 127.0.0.0/8
-	// TODO: figure out any side effects
 	localhost4 = net.IPv4(127, 0, 0, 1)
 	localhost6 = net.IPv6loopback
diff --git a/firewall/master.go b/firewall/master.go
index 506e7ebb..117368c2 100644
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -36,6 +36,7 @@ func DecideOnCommunicationBeforeIntel(comm *network.Communication, fqdn string)
 	// check if communication needs reevaluation
 	if comm.NeedsReevaluation() {
+		log.Infof("firewall: re-evaluating verdict on %s", comm)
 		comm.ResetVerdict()
 	}
@@ -89,6 +90,7 @@ func DecideOnCommunicationBeforeIntel(comm *network.Communication, fqdn string)
 // DecideOnCommunicationAfterIntel makes a decision about a communication after the dns query is resolved and intel is gathered.
 func DecideOnCommunicationAfterIntel(comm *network.Communication, fqdn string, rrCache *intel.RRCache) {
+	// rrCache may be nil, when function is called for re-evaluation by DecideOnCommunication
 	// check if need to run
 	if comm.GetVerdict() != network.VerdictUndecided {
@@ -353,9 +355,16 @@ func FilterDNSResponse(comm *network.Communication, fqdn string, rrCache *intel.
 // DecideOnCommunication makes a decision about a communication with its first packet.
 func DecideOnCommunication(comm *network.Communication, pkt packet.Packet) {
-	// check if communication needs reevaluation
+	// check if communication needs reevaluation, if it's not with a domain
 	if comm.NeedsReevaluation() {
+		log.Infof("firewall: re-evaluating verdict on %s", comm)
 		comm.ResetVerdict()
+
+		// if communicating with a domain entity, re-evaluate with Before/AfterIntel
+		if strings.HasSuffix(comm.Domain, ".") {
+			DecideOnCommunicationBeforeIntel(comm, comm.Domain)
+			DecideOnCommunicationAfterIntel(comm, comm.Domain, nil)
+		}
 	}
 	// check if need to run
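Review bot: The domain re-evaluation calls `DecideOnCommunicationAfterIntel(comm, comm.Domain, nil)` with no RRCache, so every check in that function that consults resolved records is either skipped or has to tolerate a nil pointer; the comment added in the other master.go hunk documents the nil, but the function body is outside this diff, so it should be confirmed that each rrCache use is guarded and that a record-less pass cannot land on a more permissive verdict than the original DNS-time decision — fetching the cached records for comm.Domain instead of passing nil would settle both. DecideOnCommunicationBeforeIntel also carries its own NeedsReevaluation/ResetVerdict block (the +36 hunk), so if ResetVerdict does not clear the re-evaluation flag this path resets the verdict and logs the re-evaluation twice. The rewritten comment `// check if communication needs reevaluation, if it's not with a domain` reads as if domain communications are excluded, while both kinds are re-evaluated; `// re-evaluate: domain communications go through Before/AfterIntel, all others fall through to the packet checks below` matches the code. DecideOnCommunication's body continues past the end of the hunk.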