Let decision reasons decide on the DNS reply

This commit is contained in:
Patrick Pacher
2020-04-30 13:44:10 +02:00
parent f89d0672b3
commit 2dda3813fa
7 changed files with 173 additions and 47 deletions


@@ -3,17 +3,18 @@ package firewall
import (
"strings"
"github.com/safing/portmaster/nameserver/nsutil"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/profile/endpoints"
)
// PreventBypassing checks if the connection should be denied or permitted
// based on some bypass protection checks.
func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string) {
func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
// Block firefox canary domain to disable DoH
if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
return endpoints.Denied, "blocked canary domain to prevent enabling DNS-over-HTTPs"
return endpoints.Denied, "blocked canary domain to prevent enabling DNS-over-HTTPs", nsutil.NxDomain()
}
return endpoints.NoMatch, ""
return endpoints.NoMatch, "", nil
}
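Review bot: The doc comment on PreventBypassing still describes only the (EPResult, string) pair, while the signature now also returns an nsutil.Responder that is nil on NoMatch and nsutil.NxDomain() for the canary domain. Extend the comment so callers know what the third value means, e.g. `// The third result, when non-nil, is the nsutil.Responder that should answer` / `// the DNS query behind this decision; it is nil when no match was made.` It is also worth recording at the `return endpoints.Denied` line why NXDOMAIN is the chosen reply: an NXDOMAIN answer for use-application-dns.net. is, as far as I know, the signal Firefox honours to keep DoH disabled, so a later switch to another responder would quietly weaken this protection; a one-liner such as `// NXDOMAIN is the canary answer that keeps Firefox from enabling DoH` pins that down.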


@@ -216,13 +216,13 @@ func checkConnectionScope(conn *network.Connection, _ packet.Packet) bool {
func checkBypassPrevention(conn *network.Connection, _ packet.Packet) bool {
if conn.Process().Profile().PreventBypassing() {
// check for bypass protection
result, reason := PreventBypassing(conn)
result, reason, reasonCtx := PreventBypassing(conn)
switch result {
case endpoints.Denied:
conn.Block("bypass prevention: " + reason)
conn.BlockWithContext("bypass prevention: "+reason, reasonCtx)
return true
case endpoints.Permitted:
conn.Accept("bypass prevention: " + reason)
conn.AcceptWithContext("bypass prevention: "+reason, reasonCtx)
return true
case endpoints.NoMatch:
}
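Review bot: `reasonCtx` in the new `result, reason, reasonCtx := PreventBypassing(conn)` line hides that the value is an nsutil.Responder that will shape the DNS reply, not a generic context, and since BlockWithContext/AcceptWithContext presumably take it as an untyped context argument the local name is the only hint a reader gets. Renaming it to `responder` in that line and in the two `WithContext` calls, or adding `// responder decides how the DNS reply for this lookup is formed` above the switch, would make the intent visible at the call site. The Permitted branch now forwards a responder too, although the only current Permitted path in PreventBypassing is not visible on this page, so whether that branch can ever carry a non-nil responder cannot be confirmed here. checkBypassPrevention's body continues past the end of the hunk.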