diff --git a/firewall/interception.go b/firewall/interception.go index 0e3fc9d1..c87a8c57 100644 --- a/firewall/interception.go +++ b/firewall/interception.go @@ -230,7 +230,7 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) { } log.Tracer(pkt.Ctx()).Trace("filter: starting decision process") - DecideOnConnection(conn, pkt) + DecideOnConnection(pkt.Ctx(), conn, pkt) conn.Inspecting = false // TODO: enable inspecting again switch { diff --git a/firewall/master.go b/firewall/master.go index 84389ab6..7f194960 100644 --- a/firewall/master.go +++ b/firewall/master.go @@ -1,6 +1,7 @@ package firewall import ( + "context" "fmt" "os" "path/filepath" @@ -33,10 +34,10 @@ import ( // DecideOnConnection makes a decision about a connection. // When called, the connection and profile is already locked. -func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { +func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) { // update profiles and check if communication needs reevaluation if conn.UpdateAndCheck() { - log.Tracer(pkt.Ctx()).Infof("filter: re-evaluating verdict on %s", conn) + log.Tracer(ctx).Infof("filter: re-evaluating verdict on %s", conn) conn.Verdict = network.VerdictUndecided if conn.Entity != nil { @@ -44,7 +45,7 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { } } - var deciders = []func(*network.Connection, packet.Packet) bool{ + var deciders = []func(context.Context, *network.Connection, packet.Packet) bool{ checkPortmasterConnection, checkSelfCommunication, checkProfileExists, @@ -60,7 +61,7 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { } for _, decider := range deciders { - if decider(conn, pkt) { + if decider(ctx, conn, pkt) { return } } @@ -71,10 +72,10 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { // checkPortmasterConnection allows all connection that originate from // portmaster itself. -func checkPortmasterConnection(conn *network.Connection, pkt packet.Packet) bool { +func checkPortmasterConnection(ctx context.Context, conn *network.Connection, pkt packet.Packet) bool { // grant self if conn.Process().Pid == os.Getpid() { - log.Tracer(pkt.Ctx()).Infof("filter: granting own connection %s", conn) + log.Tracer(ctx).Infof("filter: granting own connection %s", conn) conn.Verdict = network.VerdictAccept conn.Internal = true return true @@ -84,7 +85,7 @@ func checkPortmasterConnection(conn *network.Connection, pkt packet.Packet) bool } // checkSelfCommunication checks if the process is communicating with itself. -func checkSelfCommunication(conn *network.Connection, pkt packet.Packet) bool { +func checkSelfCommunication(ctx context.Context, conn *network.Connection, pkt packet.Packet) bool { // check if process is communicating with itself if pkt != nil { // TODO: evaluate the case where different IPs in the 127/8 net are used. @@ -101,12 +102,12 @@ func checkSelfCommunication(conn *network.Connection, pkt packet.Packet) bool { DstPort: pktInfo.DstPort, }) if err != nil { - log.Tracer(pkt.Ctx()).Warningf("filter: failed to find local peer process PID: %s", err) + log.Tracer(ctx).Warningf("filter: failed to find local peer process PID: %s", err) } else { // get primary process - otherProcess, err := process.GetOrFindPrimaryProcess(pkt.Ctx(), otherPid) + otherProcess, err := process.GetOrFindPrimaryProcess(ctx, otherPid) if err != nil { - log.Tracer(pkt.Ctx()).Warningf("filter: failed to find load local peer process with PID %d: %s", otherPid, err) + log.Tracer(ctx).Warningf("filter: failed to find load local peer process with PID %d: %s", otherPid, err) } else if otherProcess.Pid == conn.Process().Pid { conn.Accept("connection to self") conn.Internal = true @@ -119,7 +120,7 @@ func checkSelfCommunication(conn *network.Connection, pkt packet.Packet) bool { return false } -func checkProfileExists(conn *network.Connection, _ packet.Packet) bool { +func checkProfileExists(_ context.Context, conn *network.Connection, _ packet.Packet) bool { if conn.Process().Profile() == nil { conn.Block("unknown process or profile") return true @@ -127,7 +128,7 @@ func checkProfileExists(conn *network.Connection, _ packet.Packet) bool { return false } -func checkEndpointLists(conn *network.Connection, _ packet.Packet) bool { +func checkEndpointLists(_ context.Context, conn *network.Connection, _ packet.Packet) bool { var result endpoints.EPResult var reason endpoints.Reason @@ -152,7 +153,7 @@ func checkEndpointLists(conn *network.Connection, _ packet.Packet) bool { return false } -func checkConnectionType(conn *network.Connection, _ packet.Packet) bool { +func checkConnectionType(ctx context.Context, conn *network.Connection, _ packet.Packet) bool { p := conn.Process().Profile() // check conn type @@ -177,7 +178,7 @@ func checkConnectionType(conn *network.Connection, _ packet.Packet) bool { return false } -func checkConnectionScope(conn *network.Connection, _ packet.Packet) bool { +func checkConnectionScope(_ context.Context, conn *network.Connection, _ packet.Packet) bool { p := conn.Process().Profile() // check scopes @@ -216,7 +217,7 @@ func checkConnectionScope(conn *network.Connection, _ packet.Packet) bool { return false } -func checkBypassPrevention(conn *network.Connection, _ packet.Packet) bool { +func checkBypassPrevention(_ context.Context, conn *network.Connection, _ packet.Packet) bool { if conn.Process().Profile().PreventBypassing() { // check for bypass protection result, reason, reasonCtx := PreventBypassing(conn) @@ -233,7 +234,7 @@ func checkBypassPrevention(conn *network.Connection, _ packet.Packet) bool { return false } -func checkFilterLists(conn *network.Connection, pkt packet.Packet) bool { +func checkFilterLists(ctx context.Context, conn *network.Connection, pkt packet.Packet) bool { // apply privacy filter lists p := conn.Process().Profile() @@ -245,12 +246,12 @@ func checkFilterLists(conn *network.Connection, pkt packet.Packet) bool { case endpoints.NoMatch: // nothing to do default: - log.Tracer(pkt.Ctx()).Debugf("filter: filter lists returned unsupported verdict: %s", result) + log.Tracer(ctx).Debugf("filter: filter lists returned unsupported verdict: %s", result) } return false } -func checkInbound(conn *network.Connection, _ packet.Packet) bool { +func checkInbound(_ context.Context, conn *network.Connection, _ packet.Packet) bool { // implicit default=block for inbound if conn.Inbound { conn.Drop("endpoint is not whitelisted (incoming is always default=block)") @@ -259,7 +260,7 @@ func checkInbound(conn *network.Connection, _ packet.Packet) bool { return false } -func checkDefaultPermit(conn *network.Connection, _ packet.Packet) bool { +func checkDefaultPermit(_ context.Context, conn *network.Connection, _ packet.Packet) bool { // check default action p := conn.Process().Profile() if p.DefaultAction() == profile.DefaultActionPermit { @@ -269,7 +270,7 @@ func checkDefaultPermit(conn *network.Connection, _ packet.Packet) bool { return false } -func checkAutoPermitRelated(conn *network.Connection, _ packet.Packet) bool { +func checkAutoPermitRelated(_ context.Context, conn *network.Connection, _ packet.Packet) bool { p := conn.Process().Profile() if !p.DisableAutoPermit() { related, reason := checkRelation(conn) @@ -281,7 +282,7 @@ func checkAutoPermitRelated(conn *network.Connection, _ packet.Packet) bool { return false } -func checkDefaultAction(conn *network.Connection, pkt packet.Packet) bool { +func checkDefaultAction(_ context.Context, conn *network.Connection, pkt packet.Packet) bool { p := conn.Process().Profile() if p.DefaultAction() == profile.DefaultActionAsk { prompt(conn, pkt) diff --git a/intel/block_reason.go b/intel/block_reason.go index 52ad159f..ad140f4f 100644 --- a/intel/block_reason.go +++ b/intel/block_reason.go @@ -71,9 +71,9 @@ func (br ListBlockReason) GetExtraRR(_ *dns.Msg, _ string, _ interface{}) []dns. for _, lm := range br { blockedBy, err := dns.NewRR(fmt.Sprintf( - `%s 0 IN TXT "was blocked by filter lists %s"`, + `%s 0 IN TXT "blocked by filter lists %s"`, lm.Entity, - strings.Join(lm.ActiveLists, ","), + strings.Join(lm.ActiveLists, ", "), )) if err == nil { rrs = append(rrs, blockedBy) @@ -85,7 +85,7 @@ func (br ListBlockReason) GetExtraRR(_ *dns.Msg, _ string, _ interface{}) []dns. wouldBeBlockedBy, err := dns.NewRR(fmt.Sprintf( `%s 0 IN TXT "would be blocked by filter lists %s"`, lm.Entity, - strings.Join(lm.InactiveLists, ","), + strings.Join(lm.InactiveLists, ", "), )) if err == nil { rrs = append(rrs, wouldBeBlockedBy) diff --git a/nameserver/nameserver.go b/nameserver/nameserver.go index 578d4450..97d51e8f 100644 --- a/nameserver/nameserver.go +++ b/nameserver/nameserver.go @@ -222,7 +222,7 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, query *dns.Msg) er } // check profile before we even get intel and rr - firewall.DecideOnConnection(conn, nil) + firewall.DecideOnConnection(ctx, conn, nil) switch conn.Verdict { case network.VerdictBlock: