Working on portmaster restructure
@@ -8,7 +8,7 @@ var (
|
||||
permanentVerdicts config.BoolOption
|
||||
)
|
||||
|
||||
func prep() error {
|
||||
func registerConfig() error {
|
||||
err := config.Register(&config.Option{
|
||||
Name: "Permanent Verdicts",
|
||||
Key: "firewall/permanentVerdicts",
|
||||
@@ -20,5 +20,7 @@ func prep() error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
configuredNameServers = config.Concurrent.GetAsBool("firewall/permanentVerdicts", true)
|
||||
permanentVerdicts = config.Concurrent.GetAsBool("firewall/permanentVerdicts", true)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
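Review bot: The option key `"firewall/permanentVerdicts"` is spelled out twice, once in the `config.Register` literal and again in `config.Concurrent.GetAsBool`; a single `const permanentVerdictsKey = "firewall/permanentVerdicts"` used in both places keeps the lookup from drifting from the registration. The `true` default passed to `GetAsBool` should agree with the default declared in the `config.Option` (not visible in this hunk), otherwise the value read before the option is persisted differs from the documented default. `registerConfig` starts in the previous hunk and its `config.Option` literal continues between the two hunks.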
@@ -24,8 +24,6 @@ var (
|
||||
packetsBlocked *uint64
|
||||
packetsDropped *uint64
|
||||
|
||||
config = configuration.Get()
|
||||
|
||||
localNet4 *net.IPNet
|
||||
// Yes, this would normally be 127.0.0.0/8
|
||||
// TODO: figure out any side effects
|
||||
@@ -40,11 +38,16 @@ var (
|
||||
)
|
||||
|
||||
func init() {
|
||||
modules.Register("firewall", prep, start, stop, "database", "nameserver")
|
||||
modules.Register("firewall", prep, start, stop, "global", "network", "nameserver")
|
||||
}
|
||||
|
||||
func prep() (err error) {
|
||||
|
||||
err = registerConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, localNet4, err = net.ParseCIDR("127.0.0.0/24")
|
||||
// Yes, this would normally be 127.0.0.0/8
|
||||
// TODO: figure out any side effects
|
||||
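Review bot: `localNet4` is parsed from `127.0.0.0/24`, so any loopback address outside that range (the loopback block is 127.0.0.0/8) will not be classified as local by whatever later consults `localNet4`; the comment acknowledges the deviation but the side effect it asks about is exactly this classification gap. Replace the TODO with the concrete reason the /8 was avoided, e.g. `// deliberately narrower than 127.0.0.0/8: <REASON-PLACEHOLDER>`, so the next reader does not widen it without knowing the trade-off. The `err` from `net.ParseCIDR` is assigned to the named result but not checked inside the hunk; if the check does not follow immediately, `prep` should return on it. `prep`'s body continues past the hunk.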
@@ -71,15 +74,18 @@ func prep() (err error) {
|
||||
return nil
|
||||
}
|
||||
|
||||
func start() {
|
||||
// start interceptor
|
||||
interception.Start()
|
||||
|
||||
func start() error {
|
||||
go statLogger()
|
||||
go run()
|
||||
// go run()
|
||||
// go run()
|
||||
// go run()
|
||||
|
||||
return interception.Start()
|
||||
}
|
||||
|
||||
func stop() error {
|
||||
return interception.Stop()
|
||||
}
|
||||
|
||||
func handlePacket(pkt packet.Packet) {
|
||||
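Review bot: `start` now launches `statLogger` as a goroutine, but `stop` only calls `interception.Stop()`, so nothing visible here stops `statLogger`; if it loops forever it outlives the module and a stop/start cycle would run two of them. The `go run()` call has been replaced by a commented-out line (repeated three times in this hunk), so if `run` is the consumer of `interception.Packets`, packets queued by the interceptor are no longer handled — worth confirming this is intentional for the restructure and, if so, deleting the dead lines rather than leaving them commented. A package-level `stopSignal := make(chan struct{})` closed in `stop` and selected on in `statLogger` would give the goroutine a defined lifetime.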
@@ -119,16 +125,16 @@ func handlePacket(pkt packet.Packet) {
|
||||
// defer log.Tracef("firewall: took %s to process packet %s", time.Now().Sub(timed).String(), pkt)
|
||||
|
||||
// check if packet is destined for tunnel
|
||||
switch pkt.IPVersion() {
|
||||
case packet.IPv4:
|
||||
if TunnelNet4 != nil && TunnelNet4.Contains(pkt.GetIPHeader().Dst) {
|
||||
tunnelHandler(pkt)
|
||||
}
|
||||
case packet.IPv6:
|
||||
if TunnelNet6 != nil && TunnelNet6.Contains(pkt.GetIPHeader().Dst) {
|
||||
tunnelHandler(pkt)
|
||||
}
|
||||
}
|
||||
// switch pkt.IPVersion() {
|
||||
// case packet.IPv4:
|
||||
// if TunnelNet4 != nil && TunnelNet4.Contains(pkt.GetIPHeader().Dst) {
|
||||
// tunnelHandler(pkt)
|
||||
// }
|
||||
// case packet.IPv6:
|
||||
// if TunnelNet6 != nil && TunnelNet6.Contains(pkt.GetIPHeader().Dst) {
|
||||
// tunnelHandler(pkt)
|
||||
// }
|
||||
// }
|
||||
|
||||
// associate packet to link and handle
|
||||
link, created := network.GetOrCreateLinkByPacket(pkt)
|
||||
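Review bot: The tunnel dispatch in `handlePacket` is now a commented-out copy rather than code, so packets destined for `TunnelNet4`/`TunnelNet6` fall through to `network.GetOrCreateLinkByPacket` like any other packet. If that is the intended new behavior, the dead block should be removed and the change recorded in one line, e.g. `// tunnel-destined packets now go through the regular link path`; if not, the switch should be restored. A commented copy of a security-relevant branch tends to silently diverge from the live code. `handlePacket` continues outside the hunk.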
@@ -175,11 +181,8 @@ func initialHandler(pkt packet.Packet, link *network.Link) {
|
||||
return
|
||||
}
|
||||
|
||||
// persist connection
|
||||
connection.CreateInProcessNamespace()
|
||||
|
||||
// add new Link to Connection
|
||||
connection.AddLink(link, pkt)
|
||||
// add new Link to Connection (and save both)
|
||||
connection.AddLink(link)
|
||||
|
||||
// make a decision if not made already
|
||||
if connection.Verdict == network.UNDECIDED {
|
||||
|
||||
@@ -41,24 +41,28 @@ func RunInspectors(pkt packet.Packet, link *network.Link) (network.Verdict, bool
|
||||
// inspectorsLock.Lock()
|
||||
// defer inspectorsLock.Unlock()
|
||||
|
||||
if link.ActiveInspectors == nil {
|
||||
link.ActiveInspectors = make([]bool, len(inspectors), len(inspectors))
|
||||
activeInspectors := link.GetActiveInspectors()
|
||||
if activeInspectors == nil {
|
||||
activeInspectors = make([]bool, len(inspectors), len(inspectors))
|
||||
link.SetActiveInspectors(activeInspectors)
|
||||
}
|
||||
|
||||
if link.InspectorData == nil {
|
||||
link.InspectorData = make(map[uint8]interface{})
|
||||
inspectorData := link.GetInspectorData()
|
||||
if inspectorData == nil {
|
||||
inspectorData = make(map[uint8]interface{})
|
||||
link.SetInspectorData(inspectorData)
|
||||
}
|
||||
|
||||
continueInspection := false
|
||||
verdict := network.UNDECIDED
|
||||
|
||||
for key, skip := range link.ActiveInspectors {
|
||||
for key, skip := range activeInspectors {
|
||||
|
||||
if skip {
|
||||
continue
|
||||
}
|
||||
if link.Verdict > inspectVerdicts[key] {
|
||||
link.ActiveInspectors[key] = true
|
||||
activeInspectors[key] = true
|
||||
continue
|
||||
}
|
||||
|
||||
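Review bot: `activeInspectors` and `inspectorData` are obtained through `GetActiveInspectors`/`GetInspectorData` and installed with the matching setters, but the slice is then written directly (`activeInspectors[key] = true` here and in the next hunk's BLOCK_LINK/DROP_LINK/STOP_INSPECTING cases); if the accessors exist to serialize access to the link — the commented-out `inspectorsLock` suggests concurrency is a concern — the direct writes bypass whatever they guard, so either a lock should be held across the loop or the writes should go through a setter. The nil check followed by `make` and `Set…` is also a check-then-act that two concurrent callers could both perform, each installing its own fresh slice. `make([]bool, len(inspectors), len(inspectors))` can simply be `make([]bool, len(inspectors))`. `RunInspectors` starts before and continues after the hunk.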
@@ -79,16 +83,16 @@ func RunInspectors(pkt packet.Packet, link *network.Link) (network.Verdict, bool
|
||||
continueInspection = true
|
||||
case BLOCK_LINK:
|
||||
link.UpdateVerdict(network.BLOCK)
|
||||
link.ActiveInspectors[key] = true
|
||||
activeInspectors[key] = true
|
||||
if verdict < network.BLOCK {
|
||||
verdict = network.BLOCK
|
||||
}
|
||||
case DROP_LINK:
|
||||
link.UpdateVerdict(network.DROP)
|
||||
link.ActiveInspectors[key] = true
|
||||
activeInspectors[key] = true
|
||||
verdict = network.DROP
|
||||
case STOP_INSPECTING:
|
||||
link.ActiveInspectors[key] = true
|
||||
activeInspectors[key] = true
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -5,5 +5,16 @@ package interception
|
||||
import "github.com/Safing/portmaster/network/packet"
|
||||
|
||||
var (
|
||||
// Packets channel for feeding the firewall.
|
||||
Packets = make(chan packet.Packet, 1000)
|
||||
)
|
||||
|
||||
// Start starts the interception.
|
||||
func Start() error {
|
||||
return StartNfqueueInterception()
|
||||
}
|
||||
|
||||
// Stop starts the interception.
|
||||
func Stop() error {
|
||||
return StopNfqueueInterception()
|
||||
}
|
||||
|
||||
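Review bot: The doc comment on `Stop` reads `// Stop starts the interception.` and should be `// Stop stops the interception.`; the same copy-paste comment appears on the windivert file's `Stop` in a later hunk. The `Packets` channel is created with a hard-coded depth of 1000 and no note on what happens when the consumer falls behind; a comment such as `// buffered so short bursts do not block the interceptor; behavior when full depends on the sender — confirm` would record the intent, since the senders are not visible here.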
@@ -1,8 +1,8 @@
|
||||
package interception
|
||||
|
||||
import (
|
||||
"github.com/Safing/portbase/log"
|
||||
"github.com/Safing/portbase/modules"
|
||||
"fmt"
|
||||
|
||||
"github.com/Safing/portmaster/firewall/interception/windivert"
|
||||
"github.com/Safing/portmaster/network/packet"
|
||||
)
|
||||
@@ -10,20 +10,22 @@ import (
|
||||
var Packets chan packet.Packet
|
||||
|
||||
func init() {
|
||||
// Packets channel for feeding the firewall.
|
||||
Packets = make(chan packet.Packet, 1000)
|
||||
}
|
||||
|
||||
func Start() {
|
||||
|
||||
windivertModule := modules.Register("Firewall:Interception:WinDivert", 192)
|
||||
// Start starts the interception.
|
||||
func Start() error {
|
||||
|
||||
wd, err := windivert.New("/WinDivert.dll", "")
|
||||
if err != nil {
|
||||
log.Criticalf("firewall/interception: could not init windivert: %s", err)
|
||||
} else {
|
||||
wd.Packets(Packets)
|
||||
return fmt.Errorf("firewall/interception: could not init windivert: %s", err)
|
||||
}
|
||||
|
||||
<-windivertModule.Stop
|
||||
windivertModule.StopComplete()
|
||||
return wd.Packets(Packets)
|
||||
}
|
||||
|
||||
// Stop starts the interception.
|
||||
func Stop() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
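Review bot: `Stop` returns nil without touching the windivert handle, because `wd` is local to `Start`, so stopping the module leaves the interception running; keep the handle in a package-level variable and release it in `Stop` (the handle's own close/stop method is not visible in this hunk, so I cannot name it). The error in `Start` is wrapped with `%s`; if the module builds with Go 1.13 or later, `fmt.Errorf("firewall/interception: could not init windivert: %w", err)` keeps the cause inspectable with `errors.Is`/`errors.As`. `windivert.New("/WinDivert.dll", "")` loads the native library from a drive-root path rather than from the install directory — worth confirming that this is the intended, trusted location, since the process executes whatever is found there. The `Stop` doc comment says "starts" and should say "stops".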
@@ -1,7 +1,3 @@
|
||||
// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
|
||||
|
||||
// +build linux
|
||||
|
||||
package interception
|
||||
|
||||
import (
|
||||
@@ -106,8 +102,8 @@ func init() {
|
||||
}
|
||||
|
||||
// Reverse because we'd like to insert in a loop
|
||||
sort.Reverse(sort.StringSlice(v4once))
|
||||
sort.Reverse(sort.StringSlice(v6once))
|
||||
_ = sort.Reverse(sort.StringSlice(v4once)) // silence vet (sort is used just like in the docs)
|
||||
_ = sort.Reverse(sort.StringSlice(v6once)) // silence vet (sort is used just like in the docs)
|
||||
|
||||
}
|
||||
|
||||
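Review bot: `_ = sort.Reverse(sort.StringSlice(v4once))` does not reverse anything: `sort.Reverse` only returns an `Interface` wrapper, and discarding it silences vet while leaving `v4once` and `v6once` in their original order, so the intent stated by `// Reverse because we'd like to insert in a loop` is still not met. Use `sort.Sort(sort.Reverse(sort.StringSlice(v4once)))` and `sort.Sort(sort.Reverse(sort.StringSlice(v6once)))`. If rule order is load-bearing for the resulting chain (rules inserted at the head one by one), this decides which rule matches first, so it is worth a test that checks the final order. The enclosing `init` starts outside the hunk.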
@@ -133,9 +129,10 @@ func activateNfqueueFirewall() error {
|
||||
}
|
||||
}
|
||||
|
||||
var ok bool
|
||||
for _, rule := range v4once {
|
||||
splittedRule := strings.Split(rule, " ")
|
||||
ok, err := ip4tables.Exists(splittedRule[0], splittedRule[1], splittedRule[2:]...)
|
||||
ok, err = ip4tables.Exists(splittedRule[0], splittedRule[1], splittedRule[2:]...)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -189,9 +186,10 @@ func deactivateNfqueueFirewall() error {
|
||||
return err
|
||||
}
|
||||
|
||||
var ok bool
|
||||
for _, rule := range v4once {
|
||||
splittedRule := strings.Split(rule, " ")
|
||||
ok, err := ip4tables.Exists(splittedRule[0], splittedRule[1], splittedRule[2:]...)
|
||||
ok, err = ip4tables.Exists(splittedRule[0], splittedRule[1], splittedRule[2:]...)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -204,10 +202,10 @@ func deactivateNfqueueFirewall() error {
|
||||
|
||||
for _, chain := range v4chains {
|
||||
splittedRule := strings.Split(chain, " ")
|
||||
if err := ip4tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil {
|
||||
if err = ip4tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := ip4tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil {
|
||||
if err = ip4tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
@@ -244,8 +242,8 @@ func deactivateNfqueueFirewall() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Start starts the nfqueue interception.
|
||||
func Start() (err error) {
|
||||
// StartNfqueueInterception starts the nfqueue interception.
|
||||
func StartNfqueueInterception() (err error) {
|
||||
|
||||
err = activateNfqueueFirewall()
|
||||
if err != nil {
|
||||
@@ -278,8 +276,8 @@ func Start() (err error) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Stop stops the nfqueue interception.
|
||||
func Stop() error {
|
||||
// StopNfqueueInterception stops the nfqueue interception.
|
||||
func StopNfqueueInterception() error {
|
||||
defer close(shutdownSignal)
|
||||
|
||||
if out4Queue != nil {
|
||||
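Review bot: `defer close(shutdownSignal)` makes `StopNfqueueInterception` non-idempotent: a second call panics on closing an already-closed channel, and a call before the channel has been created would close a nil channel and panic as well (where the channel is created is not visible in this hunk). Guard the close with a `sync.Once`, or check a stopped flag before closing, so repeated stop/start cycles of the module are safe. The function body continues past the hunk.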
@@ -1,19 +0,0 @@
|
||||
package firewall
|
||||
|
||||
import (
|
||||
"github.com/Safing/portbase/modules"
|
||||
|
||||
_ "github.com/Safing/portmaster/network"
|
||||
)
|
||||
|
||||
func init() {
|
||||
modules.Register("firewall", nil, start, stop, "network")
|
||||
}
|
||||
|
||||
func start() error {
|
||||
return registerAsDatabase()
|
||||
}
|
||||
|
||||
func stop() error {
|
||||
|
||||
}
|
||||