github/portmaster
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Allow verdict to change from initial non-allow state

Browse Source
This commit is contained in:
Daniel
2022-10-10 14:15:13 +02:00
parent 763b35322a
commit 57d515b344
1 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
firewall/interception.go
View File

@@ -635,12 +635,14 @@ var verdictRating = []network.Verdict{
}
func finalizeVerdict(conn *network.Connection) {
// Update worst verdict.
for _, worstVerdict := range verdictRating {
if conn.Verdict.Firewall == worstVerdict {
conn.Verdict.Worst = worstVerdict
// Update worst verdict at the end.
defer func() {
for _, worstVerdict := range verdictRating {
if conn.Verdict.Firewall == worstVerdict {
conn.Verdict.Worst = worstVerdict
}
}
}
}()
// Check for non-applicable verdicts.
// The earlier and clearer we do this, the better.
@@ -660,6 +662,14 @@ func finalizeVerdict(conn *network.Connection) {
// Apply first verdict without change.
conn.Verdict.Active = conn.Verdict.Firewall
case conn.Verdict.Worst == network.VerdictBlock ||
conn.Verdict.Worst == network.VerdictDrop ||
conn.Verdict.Worst == network.VerdictFailed ||
conn.Verdict.Worst == network.VerdictUndeterminable:
// Always allow to change verdict from any real initial/worst non-allowed state.
// Note: This check needs to happen before updating the Worst verdict.
conn.Verdict.Active = conn.Verdict.Firewall
case reference.IsPacketProtocol(conn.Entity.Protocol):
// For known packet protocols, apply firewall verdict unchanged.
conn.Verdict.Active = conn.Verdict.Firewall