Merge branch 'develop' into feature/ui-revamp
This commit is contained in:
Patrick Pacher
@@ -121,9 +121,9 @@ func filterDNSResponse(conn *network.Connection, rrCache *resolver.RRCache) *res
|
||||
err,
|
||||
)
|
||||
}
|
||||
} else if rrCache.TTL > time.Now().Add(10*time.Second).Unix() {
|
||||
} else if rrCache.Expires > time.Now().Add(10*time.Second).Unix() {
|
||||
// Set a low TTL of 10 seconds if TTL is higher than that.
|
||||
rrCache.TTL = time.Now().Add(10 * time.Second).Unix()
|
||||
rrCache.Expires = time.Now().Add(10 * time.Second).Unix()
|
||||
err := rrCache.Save()
|
||||
if err != nil {
|
||||
log.Debugf(
|
||||
@@ -170,31 +170,28 @@ func DecideOnResolvedDNS(
|
||||
|
||||
updateIPsAndCNAMEs(q, rrCache, conn)
|
||||
|
||||
if mayBlockCNAMEs(conn) {
|
||||
if mayBlockCNAMEs(ctx, conn) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// TODO: Gate17 integration
|
||||
// tunnelInfo, err := AssignTunnelIP(fqdn)
|
||||
|
||||
return updatedRR
|
||||
}
|
||||
|
||||
func mayBlockCNAMEs(conn *network.Connection) bool {
|
||||
func mayBlockCNAMEs(ctx context.Context, conn *network.Connection) bool {
|
||||
// if we have CNAMEs and the profile is configured to filter them
|
||||
// we need to re-check the lists and endpoints here
|
||||
if conn.Process().Profile().FilterCNAMEs() {
|
||||
conn.Entity.ResetLists()
|
||||
conn.Entity.EnableCNAMECheck(true)
|
||||
conn.Entity.EnableCNAMECheck(ctx, true)
|
||||
|
||||
result, reason := conn.Process().Profile().MatchEndpoint(conn.Entity)
|
||||
result, reason := conn.Process().Profile().MatchEndpoint(ctx, conn.Entity)
|
||||
if result == endpoints.Denied {
|
||||
conn.BlockWithContext(reason.String(), reason.Context())
|
||||
return true
|
||||
}
|
||||
|
||||
if result == endpoints.NoMatch {
|
||||
result, reason = conn.Process().Profile().MatchFilterLists(conn.Entity)
|
||||
result, reason = conn.Process().Profile().MatchFilterLists(ctx, conn.Entity)
|
||||
if result == endpoints.Denied {
|
||||
conn.BlockWithContext(reason.String(), reason.Context())
|
||||
return true
|
||||
@@ -205,10 +202,19 @@ func mayBlockCNAMEs(conn *network.Connection) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// updateIPsAndCNAMEs saves all the IP->Name mappings to the cache database and
|
||||
// updates the CNAMEs in the Connection's Entity.
|
||||
func updateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *network.Connection) {
|
||||
// save IP addresses to IPInfo
|
||||
// Get profileID for scoping IPInfo.
|
||||
var profileID string
|
||||
proc := conn.Process()
|
||||
if proc != nil {
|
||||
profileID = proc.LocalProfileKey
|
||||
}
|
||||
|
||||
// Collect IPs and CNAMEs.
|
||||
cnames := make(map[string]string)
|
||||
ips := make(map[string]struct{})
|
||||
ips := make([]net.IP, 0, len(rrCache.Answer))
|
||||
|
||||
for _, rr := range append(rrCache.Answer, rrCache.Extra...) {
|
||||
switch v := rr.(type) {
|
||||
@@ -216,19 +222,27 @@ func updateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
|
||||
cnames[v.Hdr.Name] = v.Target
|
||||
|
||||
case *dns.A:
|
||||
ips[v.A.String()] = struct{}{}
|
||||
ips = append(ips, v.A)
|
||||
|
||||
case *dns.AAAA:
|
||||
ips[v.AAAA.String()] = struct{}{}
|
||||
ips = append(ips, v.AAAA)
|
||||
}
|
||||
}
|
||||
|
||||
for ip := range ips {
|
||||
record := resolver.ResolvedDomain{
|
||||
Domain: q.FQDN,
|
||||
// Package IPs and CNAMEs into IPInfo structs.
|
||||
for _, ip := range ips {
|
||||
// Never save domain attributions for localhost IPs.
|
||||
if netutils.ClassifyIP(ip) == netutils.HostLocal {
|
||||
continue
|
||||
}
|
||||
|
||||
// resolve all CNAMEs in the correct order.
|
||||
// Create new record for this IP.
|
||||
record := resolver.ResolvedDomain{
|
||||
Domain: q.FQDN,
|
||||
Expires: rrCache.Expires,
|
||||
}
|
||||
|
||||
// Resolve all CNAMEs in the correct order and add the to the record.
|
||||
var domain = q.FQDN
|
||||
for {
|
||||
nextDomain, isCNAME := cnames[domain]
|
||||
@@ -240,31 +254,30 @@ func updateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
|
||||
domain = nextDomain
|
||||
}
|
||||
|
||||
// update the entity to include the cnames
|
||||
// Update the entity to include the CNAMEs of the query response.
|
||||
conn.Entity.CNAME = record.CNAMEs
|
||||
|
||||
// get the existing IP info or create a new one
|
||||
var save bool
|
||||
info, err := resolver.GetIPInfo(ip)
|
||||
// Check if there is an existing record for this DNS response.
|
||||
// Else create a new one.
|
||||
ipString := ip.String()
|
||||
info, err := resolver.GetIPInfo(profileID, ipString)
|
||||
if err != nil {
|
||||
if err != database.ErrNotFound {
|
||||
log.Errorf("nameserver: failed to search for IP info record: %s", err)
|
||||
}
|
||||
|
||||
info = &resolver.IPInfo{
|
||||
IP: ip,
|
||||
IP: ipString,
|
||||
ProfileID: profileID,
|
||||
}
|
||||
save = true
|
||||
}
|
||||
|
||||
// and the new resolved domain record and save
|
||||
if new := info.AddDomain(record); new {
|
||||
save = true
|
||||
}
|
||||
if save {
|
||||
if err := info.Save(); err != nil {
|
||||
log.Errorf("nameserver: failed to save IP info record: %s", err)
|
||||
}
|
||||
// Add the new record to the resolved domains for this IP and scope.
|
||||
info.AddDomain(record)
|
||||
|
||||
// Save if the record is new or has been updated.
|
||||
if err := info.Save(); err != nil {
|
||||
log.Errorf("nameserver: failed to save IP info record: %s", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -87,13 +87,13 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
switch meta.Protocol {
|
||||
case packet.ICMP:
|
||||
// Always permit ICMP.
|
||||
log.Debugf("accepting ICMP: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting ICMP: %s", pkt)
|
||||
_ = pkt.PermanentAccept()
|
||||
return true
|
||||
|
||||
case packet.ICMPv6:
|
||||
// Always permit ICMPv6.
|
||||
log.Debugf("accepting ICMPv6: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting ICMPv6: %s", pkt)
|
||||
_ = pkt.PermanentAccept()
|
||||
return true
|
||||
|
||||
@@ -116,7 +116,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
}
|
||||
|
||||
// Log and permit.
|
||||
log.Debugf("accepting DHCP: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting DHCP: %s", pkt)
|
||||
_ = pkt.PermanentAccept()
|
||||
return true
|
||||
|
||||
@@ -141,7 +141,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
// Only allow to own IPs.
|
||||
dstIsMe, err := netenv.IsMyIP(meta.Dst)
|
||||
if err != nil {
|
||||
log.Warningf("filter: failed to check if IP is local: %s", err)
|
||||
log.Warningf("filter: failed to check if IP %s is local: %s", meta.Dst, err)
|
||||
}
|
||||
if !dstIsMe {
|
||||
return false
|
||||
@@ -150,9 +150,9 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
// Log and permit.
|
||||
switch meta.DstPort {
|
||||
case 53:
|
||||
log.Debugf("accepting local dns: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting local dns: %s", pkt)
|
||||
case apiPort:
|
||||
log.Debugf("accepting api connection: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting api connection: %s", pkt)
|
||||
default:
|
||||
return false
|
||||
}
|
||||
@@ -165,7 +165,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
}
|
||||
|
||||
func initialHandler(conn *network.Connection, pkt packet.Packet) {
|
||||
log.Tracer(pkt.Ctx()).Trace("filter: [initial handler]")
|
||||
log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler")
|
||||
|
||||
// check for internal firewall bypass
|
||||
ps := getPortStatusAndMarkUsed(pkt.Info().LocalPort())
|
||||
|
||||
@@ -4,6 +4,7 @@ package windowskext
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"net"
|
||||
|
||||
"github.com/tevino/abool"
|
||||
@@ -45,6 +46,11 @@ func Handler(packets chan packet.Packet) {
|
||||
|
||||
packetInfo, err := RecvVerdictRequest()
|
||||
if err != nil {
|
||||
// Check if we are done with processing.
|
||||
if errors.Is(err, ErrKextNotReady) {
|
||||
return
|
||||
}
|
||||
|
||||
log.Warningf("failed to get packet from windows kext: %s", err)
|
||||
continue
|
||||
}
|
||||
|
||||
@@ -134,7 +134,7 @@ func checkProfileExists(_ context.Context, conn *network.Connection, _ packet.Pa
|
||||
return false
|
||||
}
|
||||
|
||||
func checkEndpointLists(_ context.Context, conn *network.Connection, _ packet.Packet) bool {
|
||||
func checkEndpointLists(ctx context.Context, conn *network.Connection, _ packet.Packet) bool {
|
||||
var result endpoints.EPResult
|
||||
var reason endpoints.Reason
|
||||
|
||||
@@ -143,9 +143,9 @@ func checkEndpointLists(_ context.Context, conn *network.Connection, _ packet.Pa
|
||||
|
||||
// check endpoints list
|
||||
if conn.Inbound {
|
||||
result, reason = p.MatchServiceEndpoint(conn.Entity)
|
||||
result, reason = p.MatchServiceEndpoint(ctx, conn.Entity)
|
||||
} else {
|
||||
result, reason = p.MatchEndpoint(conn.Entity)
|
||||
result, reason = p.MatchEndpoint(ctx, conn.Entity)
|
||||
}
|
||||
switch result {
|
||||
case endpoints.Denied:
|
||||
@@ -271,7 +271,7 @@ func checkFilterLists(ctx context.Context, conn *network.Connection, pkt packet.
|
||||
// apply privacy filter lists
|
||||
p := conn.Process().Profile()
|
||||
|
||||
result, reason := p.MatchFilterLists(conn.Entity)
|
||||
result, reason := p.MatchFilterLists(ctx, conn.Entity)
|
||||
switch result {
|
||||
case endpoints.Denied:
|
||||
conn.DenyWithContext(reason.String(), reason.Context())
|
||||
|
||||
Reference in New Issue
Block a user