Work on portmaster restructuring

firewall/firewall.go

@@ -1,14 +1,12 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package firewall
 
 import (
+	"fmt"
 	"net"
 	"os"
 	"sync/atomic"
 	"time"
 
-	"github.com/Safing/portbase/config"
 	"github.com/Safing/portbase/log"
 	"github.com/Safing/portbase/modules"
 	"github.com/Safing/portmaster/firewall/inspection"
@@ -20,7 +18,6 @@ import (
 )
 
 var (
-	firewallModule *modules.Module
 	// localNet        net.IPNet
 	localhost       net.IP
 	dnsServer       net.IPNet
@@ -154,11 +151,22 @@ func initialHandler(pkt packet.Packet, link *network.Link) {
 	// get Connection
 	connection, err := network.GetConnectionByFirstPacket(pkt)
 	if err != nil {
+		link.Lock()
 		if err != process.ErrConnectionNotFound {
 			log.Warningf("firewall: could not find process of packet (dropping link %s): %s", pkt.String(), err)
+			link.AddReason(fmt.Sprintf("could not find process or it does not exist (unsolicited packet): %s", err))
+		} else {
+			log.Warningf("firewall: internal error finding process of packet (dropping link %s): %s", pkt.String(), err)
+			link.AddReason(fmt.Sprintf("internal error finding process: %s", err))
 		}
-		link.UpdateVerdict(network.DROP)
-		verdict(pkt, network.DROP)
+		link.Unlock()
+
+		if pkt.IsInbound() {
+			network.UnknownIncomingConnection.AddLink(link)
+		} else {
+			network.UnknownDirectConnection.AddLink(link)
+		}
+		verdict(pkt, link.Verdict)
 		return
 	}
 

firewall/inspection/tls/const.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package tls
 
 var (

firewall/inspection/tls/tls.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package tls
 
 import (
@@ -12,14 +10,13 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/tcpassembly"
 
-	"github.com/Safing/safing-core/configuration"
-	"github.com/Safing/safing-core/crypto/verify"
-	"github.com/Safing/safing-core/firewall/inspection"
-	"github.com/Safing/safing-core/firewall/inspection/tls/tlslib"
-	"github.com/Safing/safing-core/log"
-	"github.com/Safing/safing-core/network"
-	"github.com/Safing/safing-core/network/netutils"
-	"github.com/Safing/safing-core/network/packet"
+	"github.com/Safing/portbase/log"
+	"github.com/Safing/portmaster/firewall/inspection"
+	"github.com/Safing/portmaster/firewall/inspection/tls/tlslib"
+	"github.com/Safing/portmaster/firewall/inspection/tls/verify"
+	"github.com/Safing/portmaster/network"
+	"github.com/Safing/portmaster/network/netutils"
+	"github.com/Safing/portmaster/network/packet"
 )
 
 // TODO:
@@ -31,8 +28,6 @@ var (
 	tlsInspectorIndex int
 	assemblerManager  *netutils.SimpleStreamAssemblerManager
 	assembler         *tcpassembly.Assembler
-
-	config = configuration.Get()
 )
 
 const (

firewall/inspection/tls/tls_test.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/Safing/safing-core/firewall/inspection/tls/tlslib"
+	"github.com/Safing/portmaster/firewall/inspection/tls/tlslib"
 )
 
 var clientHelloSample = []byte{

firewall/inspection/tls/verify/cert.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package verify
 
 import (
@@ -14,15 +12,15 @@ import (
 	"strings"
 
 	"github.com/cloudflare/cfssl/crypto/pkcs7"
-	datastore "github.com/ipfs/go-datastore"
 
-	"github.com/Safing/safing-core/crypto/hash"
-	"github.com/Safing/safing-core/database"
+	"github.com/Safing/portbase/crypto/hash"
+	"github.com/Safing/portbase/database"
+	"github.com/Safing/portbase/database/record"
 )
 
 // Cert saves a certificate.
 type Cert struct {
-	database.Base
+	record.Record
 
 	cert *x509.Certificate
 	Raw  []byte
@@ -120,7 +118,7 @@ func (m *Cert) CreateRevokedCert(caID string, serialNumber *big.Int) error {
 }
 
 // CreateInNamespace saves Cert with the provided name in the provided namespace.
-func (m *Cert) CreateInNamespace(namespace *datastore.Key, name string) error {
+func (m *Cert) CreateInNamespace(namespace string, name string) error {
 	return m.CreateObject(namespace, name, m)
 }
 
@@ -140,7 +138,7 @@ func GetCertWithSPKI(spki []byte) (*Cert, error) {
 }
 
 // GetCertFromNamespace gets Cert with the provided name from the provided namespace.
-func GetCertFromNamespace(namespace *datastore.Key, name string) (*Cert, error) {
+func GetCertFromNamespace(namespace string, name string) (*Cert, error) {
 	object, err := database.GetAndEnsureModel(namespace, name, certModel)
 	if err != nil {
 		return nil, err

firewall/inspection/tls/verify/cert_test.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package verify
 
 import (

firewall/inspection/tls/verify/crl.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package verify
 
 import (
@@ -14,16 +12,15 @@ import (
 	"sync"
 	"time"
 
-	datastore "github.com/ipfs/go-datastore"
-
-	"github.com/Safing/safing-core/crypto/hash"
-	"github.com/Safing/safing-core/database"
-	"github.com/Safing/safing-core/log"
+	"github.com/Safing/portbase/crypto/hash"
+	"github.com/Safing/portbase/database"
+	"github.com/Safing/portbase/database/record"
+	"github.com/Safing/portbase/log"
 )
 
 // CARevocationInfo saves Information on revokation of Certificates of a Certificate Authority.
 type CARevocationInfo struct {
-	database.Base
+	record.Record
 
 	CRLDistributionPoints []string
 	OCSPServers           []string
@@ -39,23 +36,17 @@ type CARevocationInfo struct {
 }
 
 var (
-	caRevocationInfoModel *CARevocationInfo // only use this as parameter for database.EnsureModel-like functions
-
 	dupCrlReqMap  = make(map[string]*sync.Mutex)
 	dupCrlReqLock sync.Mutex
 )
 
-func init() {
-	database.RegisterModel(caRevocationInfoModel, func() database.Model { return new(CARevocationInfo) })
-}
-
 // Create saves CARevocationInfo with the provided name in the default namespace.
 func (m *CARevocationInfo) Create(name string) error {
 	return m.CreateObject(&database.CARevocationInfoCache, name, m)
 }
 
 // CreateInNamespace saves CARevocationInfo with the provided name in the provided namespace.
-func (m *CARevocationInfo) CreateInNamespace(namespace *datastore.Key, name string) error {
+func (m *CARevocationInfo) CreateInNamespace(namespace string, name string) error {
 	return m.CreateObject(namespace, name, m)
 }
 
@@ -78,7 +69,7 @@ func GetCARevocationInfo(name string) (*CARevocationInfo, error) {
 }
 
 // GetCARevocationInfoFromNamespace fetches CARevocationInfo with the provided name from the provided namespace.
-func GetCARevocationInfoFromNamespace(namespace *datastore.Key, name string) (*CARevocationInfo, error) {
+func GetCARevocationInfoFromNamespace(namespace string, name string) (*CARevocationInfo, error) {
 	object, err := database.GetAndEnsureModel(namespace, name, caRevocationInfoModel)
 	if err != nil {
 		return nil, err

firewall/inspection/tls/verify/ocsp.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package verify
 
 import (
@@ -16,8 +14,8 @@ import (
 
 	"golang.org/x/crypto/ocsp"
 
-	"github.com/Safing/safing-core/crypto/hash"
-	"github.com/Safing/safing-core/log"
+	"github.com/Safing/portbase/crypto/hash"
+	"github.com/Safing/portbase/log"
 )
 
 var (

firewall/inspection/tls/verify/verify.go

@@ -1,5 +1,3 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package verify
 
 import (
@@ -8,9 +6,8 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/Safing/safing-core/configuration"
-	"github.com/Safing/safing-core/crypto/hash"
-	"github.com/Safing/safing-core/database"
+	"github.com/Safing/portbase/crypto/hash"
+	"github.com/Safing/portbase/database"
 )
 
 // useful references:
@@ -24,10 +21,6 @@ import (
 // RE: https://www.grc.com/revocation/crlsets.htm
 // RE: RE: https://www.imperialviolet.org/2014/04/29/revocationagain.html
 
-var (
-	config = configuration.Get()
-)
-
 // FullCheckBytes does a full certificate check, certificates are provided as raw bytes.
 // It parses the raw certificates and calls FullCheck.
 func FullCheckBytes(name string, certBytes [][]byte) (bool, error) {

firewall/interception/interception_windows.go

@@ -1,12 +1,10 @@
-// Copyright Safing ICS Technologies GmbH. Use of this source code is governed by the AGPL license that can be found in the LICENSE file.
-
 package interception
 
 import (
-	"github.com/Safing/safing-core/firewall/interception/windivert"
-	"github.com/Safing/safing-core/log"
-	"github.com/Safing/safing-core/modules"
-	"github.com/Safing/safing-core/network/packet"
+	"github.com/Safing/portbase/log"
+	"github.com/Safing/portbase/modules"
+	"github.com/Safing/portmaster/firewall/interception/windivert"
+	"github.com/Safing/portmaster/network/packet"
 )
 
 var Packets chan packet.Packet

firewall/master.go

@@ -0,0 +1,391 @@
+package firewall
+
+import (
+	"net"
+	"os"
+	"strings"
+
+	"github.com/Safing/portbase/log"
+	"github.com/Safing/portmaster/intel"
+	"github.com/Safing/portmaster/network"
+	"github.com/Safing/portmaster/network/netutils"
+	"github.com/Safing/portmaster/network/packet"
+	"github.com/Safing/portmaster/port17/mode"
+	"github.com/Safing/portmaster/profiles"
+
+	"github.com/agext/levenshtein"
+)
+
+// Call order:
+//
+// 1. DecideOnConnectionBeforeIntel (if connecting to domain)
+//    is called when a DNS query is made, before the query is resolved
+// 2. DecideOnConnectionAfterIntel (if connecting to domain)
+//    is called when a DNS query is made, after the query is resolved
+// 3. DecideOnConnection
+//    is called when the first packet of the first link of the connection arrives
+// 4. DecideOnLink
+//		is called when when the first packet of a link arrives only if connection has verdict UNDECIDED or CANTSAY
+
+func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string) {
+	// check:
+	// Profile.DomainWhitelist
+	// Profile.Flags
+	// - process specific: System, Admin, User
+	// - network specific: Internet, LocalNet
+
+	// grant self
+	if connection.Process().Pid == os.Getpid() {
+		log.Infof("sheriff: granting own connection %s", connection)
+		connection.Accept()
+		return
+	}
+
+	// check if there is a profile
+	profile := connection.Process().Profile
+	if profile == nil {
+		log.Infof("sheriff: no profile, denying connection %s", connection)
+		connection.AddReason("no profile")
+		connection.Block()
+		return
+	}
+
+	// check user class
+	if profile.Flags.Has(profiles.System) {
+		if !connection.Process().IsSystem() {
+			log.Infof("sheriff: denying connection %s, profile has System flag set, but process is not executed by System", connection)
+			connection.AddReason("must be executed by system")
+			connection.Block()
+			return
+		}
+	}
+	if profile.Flags.Has(profiles.Admin) {
+		if !connection.Process().IsAdmin() {
+			log.Infof("sheriff: denying connection %s, profile has Admin flag set, but process is not executed by Admin", connection)
+			connection.AddReason("must be executed by admin")
+			connection.Block()
+			return
+		}
+	}
+	if profile.Flags.Has(profiles.User) {
+		if !connection.Process().IsUser() {
+			log.Infof("sheriff: denying connection %s, profile has User flag set, but process is not executed by a User", connection)
+			connection.AddReason("must be executed by user")
+			connection.Block()
+			return
+		}
+	}
+
+	// check for any network access
+	if !profile.Flags.Has(profiles.Internet) && !profile.Flags.Has(profiles.LocalNet) {
+		log.Infof("sheriff: denying connection %s, profile denies Internet and local network access", connection)
+		connection.Block()
+		return
+	}
+
+	// check domain whitelist/blacklist
+	if len(profile.DomainWhitelist) > 0 {
+		matched := false
+		for _, entry := range profile.DomainWhitelist {
+			if !strings.HasSuffix(entry, ".") {
+				entry += "."
+			}
+			if strings.HasPrefix(entry, "*") {
+				if strings.HasSuffix(fqdn, strings.Trim(entry, "*")) {
+					matched = true
+					break
+				}
+			} else {
+				if entry == fqdn {
+					matched = true
+					break
+				}
+			}
+		}
+		if matched {
+			if profile.DomainWhitelistIsBlacklist {
+				log.Infof("sheriff: denying connection %s, profile has %s in domain blacklist", connection, fqdn)
+				connection.AddReason("domain blacklisted")
+				connection.Block()
+				return
+			}
+		} else {
+			if !profile.DomainWhitelistIsBlacklist {
+				log.Infof("sheriff: denying connection %s, profile does not have %s in domain whitelist", connection, fqdn)
+				connection.AddReason("domain not in whitelist")
+				connection.Block()
+				return
+			}
+		}
+	}
+
+}
+
+func DecideOnConnectionAfterIntel(connection *network.Connection, fqdn string, rrCache *intel.RRCache) *intel.RRCache {
+	// check:
+	// TODO: Profile.ClassificationBlacklist
+	// TODO: Profile.ClassificationWhitelist
+	// Profile.Flags
+	// - network specific: Strict
+
+	// check if there is a profile
+	profile := connection.Process().Profile
+	if profile == nil {
+		log.Infof("sheriff: no profile, denying connection %s", connection)
+		connection.AddReason("no profile")
+		connection.Block()
+		return rrCache
+	}
+
+	// check Strict flag
+	// TODO: drastically improve this!
+	if profile.Flags.Has(profiles.Strict) {
+		matched := false
+		pathElements := strings.Split(connection.Process().Path, "/")
+		if len(pathElements) > 2 {
+			pathElements = pathElements[len(pathElements)-2:]
+		}
+		domainElements := strings.Split(fqdn, ".")
+	matchLoop:
+		for _, domainElement := range domainElements {
+			for _, pathElement := range pathElements {
+				if levenshtein.Match(domainElement, pathElement, nil) > 0.5 {
+					matched = true
+					break matchLoop
+				}
+			}
+			if levenshtein.Match(domainElement, profile.Name, nil) > 0.5 {
+				matched = true
+				break matchLoop
+			}
+			if levenshtein.Match(domainElement, connection.Process().Name, nil) > 0.5 {
+				matched = true
+				break matchLoop
+			}
+		}
+		if !matched {
+			log.Infof("sheriff: denying connection %s, profile has declared Strict flag and no match to domain was found", connection)
+			connection.AddReason("domain does not relate to process")
+			connection.Block()
+			return rrCache
+		}
+	}
+
+	// tunneling
+	// TODO: link this to real status
+	port17Active := mode.Client()
+	if port17Active {
+		tunnelInfo, err := AssignTunnelIP(fqdn)
+		if err != nil {
+			log.Errorf("portmaster: could not get tunnel IP for routing %s: %s", connection, err)
+			return nil // return nxDomain
+		}
+		// save original reply
+		tunnelInfo.RRCache = rrCache
+		// return tunnel IP
+		return tunnelInfo.ExportTunnelIP()
+	}
+
+	return rrCache
+}
+
+func DecideOnConnection(connection *network.Connection, pkt packet.Packet) {
+	// check:
+	// Profile.Flags
+	// - process specific: System, Admin, User
+	// - network specific: Internet, LocalNet, Service, Directconnect
+
+	// grant self
+	if connection.Process().Pid == os.Getpid() {
+		log.Infof("sheriff: granting own connection %s", connection)
+		connection.Accept()
+		return
+	}
+
+	// check if there is a profile
+	profile := connection.Process().Profile
+	if profile == nil {
+		log.Infof("sheriff: no profile, denying connection %s", connection)
+		connection.AddReason("no profile")
+		connection.Block()
+		return
+	}
+
+	// check user class
+	if profile.Flags.Has(profiles.System) {
+		if !connection.Process().IsSystem() {
+			log.Infof("sheriff: denying connection %s, profile has System flag set, but process is not executed by System", connection)
+			connection.AddReason("must be executed by system")
+			connection.Block()
+			return
+		}
+	}
+	if profile.Flags.Has(profiles.Admin) {
+		if !connection.Process().IsAdmin() {
+			log.Infof("sheriff: denying connection %s, profile has Admin flag set, but process is not executed by Admin", connection)
+			connection.AddReason("must be executed by admin")
+			connection.Block()
+			return
+		}
+	}
+	if profile.Flags.Has(profiles.User) {
+		if !connection.Process().IsUser() {
+			log.Infof("sheriff: denying connection %s, profile has User flag set, but process is not executed by a User", connection)
+			connection.AddReason("must be executed by user")
+			connection.Block()
+			return
+		}
+	}
+
+	// check for any network access
+	if !profile.Flags.Has(profiles.Internet) && !profile.Flags.Has(profiles.LocalNet) {
+		log.Infof("sheriff: denying connection %s, profile denies Internet and local network access", connection)
+		connection.AddReason("no network access allowed")
+		connection.Block()
+		return
+	}
+
+	switch connection.Domain {
+	case "I":
+		// check Service flag
+		if !profile.Flags.Has(profiles.Service) {
+			log.Infof("sheriff: denying connection %s, profile does not declare service", connection)
+			connection.AddReason("not a service")
+			connection.Drop()
+			return
+		}
+		// check if incoming connections are allowed on any port, but only if there no other restrictions
+		if !!profile.Flags.Has(profiles.Internet) && !!profile.Flags.Has(profiles.LocalNet) && len(profile.ListenPorts) == 0 {
+			log.Infof("sheriff: granting connection %s, profile allows incoming connections from anywhere and on any port", connection)
+			connection.Accept()
+			return
+		}
+	case "D":
+		// check Directconnect flag
+		if !profile.Flags.Has(profiles.Directconnect) {
+			log.Infof("sheriff: denying connection %s, profile does not declare direct connections", connection)
+			connection.AddReason("direct connections (without DNS) not allowed")
+			connection.Drop()
+			return
+		}
+	}
+
+	log.Infof("sheriff: could not decide on connection %s, deciding on per-link basis", connection)
+	connection.CantSay()
+}
+
+func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet.Packet) {
+	// check:
+	// Profile.Flags
+	// - network specific: Internet, LocalNet
+	// Profile.ConnectPorts
+	// Profile.ListenPorts
+
+	// check if there is a profile
+	profile := connection.Process().Profile
+	if profile == nil {
+		log.Infof("sheriff: no profile, denying %s", link)
+		link.AddReason("no profile")
+		link.UpdateVerdict(network.BLOCK)
+		return
+	}
+
+	// check LocalNet and Internet flags
+	var remoteIP net.IP
+	if connection.Direction {
+		remoteIP = pkt.GetIPHeader().Src
+	} else {
+		remoteIP = pkt.GetIPHeader().Dst
+	}
+	if netutils.IPIsLocal(remoteIP) {
+		if !profile.Flags.Has(profiles.LocalNet) {
+			log.Infof("sheriff: dropping link %s, profile does not allow communication in the local network", link)
+			link.AddReason("profile does not allow access to local network")
+			link.UpdateVerdict(network.BLOCK)
+			return
+		}
+	} else {
+		if !profile.Flags.Has(profiles.Internet) {
+			log.Infof("sheriff: dropping link %s, profile does not allow communication with the Internet", link)
+			link.AddReason("profile does not allow access to the Internet")
+			link.UpdateVerdict(network.BLOCK)
+			return
+		}
+	}
+
+	// check connect ports
+	if connection.Domain != "I" && len(profile.ConnectPorts) > 0 {
+
+		tcpUdpHeader := pkt.GetTCPUDPHeader()
+		if tcpUdpHeader == nil {
+			log.Infof("sheriff: blocking link %s, profile has declared connect port whitelist, but link is not TCP/UDP", link)
+			link.AddReason("profile has declared connect port whitelist, but link is not TCP/UDP")
+			link.UpdateVerdict(network.BLOCK)
+			return
+		}
+
+		// packet *should* be outbound, but we could be deciding on an already active connection.
+		var remotePort uint16
+		if connection.Direction {
+			remotePort = tcpUdpHeader.SrcPort
+		} else {
+			remotePort = tcpUdpHeader.DstPort
+		}
+
+		matched := false
+		for _, port := range profile.ConnectPorts {
+			if remotePort == port {
+				matched = true
+				break
+			}
+		}
+
+		if !matched {
+			log.Infof("sheriff: blocking link %s, remote port %d not in profile connect port whitelist", link, remotePort)
+			link.AddReason("destination port not in whitelist")
+			link.UpdateVerdict(network.BLOCK)
+			return
+		}
+
+	}
+
+	// check listen ports
+	if connection.Domain == "I" && len(profile.ListenPorts) > 0 {
+
+		tcpUdpHeader := pkt.GetTCPUDPHeader()
+		if tcpUdpHeader == nil {
+			log.Infof("sheriff: dropping link %s, profile has declared listen port whitelist, but link is not TCP/UDP", link)
+			link.AddReason("profile has declared listen port whitelist, but link is not TCP/UDP")
+			link.UpdateVerdict(network.DROP)
+			return
+		}
+
+		// packet *should* be inbound, but we could be deciding on an already active connection.
+		var localPort uint16
+		if connection.Direction {
+			localPort = tcpUdpHeader.DstPort
+		} else {
+			localPort = tcpUdpHeader.SrcPort
+		}
+
+		matched := false
+		for _, port := range profile.ListenPorts {
+			if localPort == port {
+				matched = true
+				break
+			}
+		}
+
+		if !matched {
+			log.Infof("sheriff: blocking link %s, local port %d not in profile listen port whitelist", link, localPort)
+			link.AddReason("listen port not in whitelist")
+			link.UpdateVerdict(network.BLOCK)
+			return
+		}
+
+	}
+
+	log.Infof("sheriff: accepting link %s", link)
+	link.UpdateVerdict(network.ACCEPT)
+
+}

firewall/module.go

@@ -0,0 +1,19 @@
+package firewall
+
+import (
+	"github.com/Safing/portbase/modules"
+
+	_ "github.com/Safing/portmaster/network"
+)
+
+func init() {
+	modules.Register("firewall", nil, start, stop, "network")
+}
+
+func start() error {
+	return registerAsDatabase()
+}
+
+func stop() error {
+
+}

firewall/tunnel.go

@@ -0,0 +1,123 @@
+package firewall
+
+import (
+	"errors"
+	"log"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/Safing/portbase/crypto/random"
+	"github.com/Safing/portmaster/intel"
+	"github.com/miekg/dns"
+)
+
+var (
+	TunnelNet4   *net.IPNet
+	TunnelNet6   *net.IPNet
+	TunnelEntry4 = net.IPv4(127, 0, 0, 17)
+	TunnelEntry6 = net.ParseIP("fd17::17")
+
+	ipToDomainMap     = make(map[string]*TunnelInfo)
+	ipToDomainMapLock sync.RWMutex
+)
+
+func init() {
+	var err error
+	_, TunnelNet4, err = net.ParseCIDR("127.17.0.0/16")
+	if err != nil {
+		log.Fatalf("portmaster: could not parse 127.17.0.0/16: %s", err)
+	}
+	_, TunnelNet6, err = net.ParseCIDR("fd17::/64")
+	if err != nil {
+		log.Fatalf("portmaster: could not parse fd17::/64: %s", err)
+	}
+
+	go tunnelInfoCleaner()
+}
+
+type TunnelInfo struct {
+	IP      net.IP
+	Domain  string
+	RRCache *intel.RRCache
+	Expires int64
+}
+
+func (ti *TunnelInfo) ExportTunnelIP() *intel.RRCache {
+	return &intel.RRCache{
+		Answer: []dns.RR{
+			&dns.A{
+				Hdr: dns.RR_Header{
+					Name:     ti.Domain,
+					Rrtype:   1,
+					Class:    1,
+					Ttl:      17,
+					Rdlength: 8,
+				},
+				A: ti.IP,
+			},
+		},
+	}
+}
+
+func AssignTunnelIP(domain string) (*TunnelInfo, error) {
+	ipToDomainMapLock.Lock()
+	defer ipToDomainMapLock.Unlock()
+
+	for i := 0; i < 100; i++ {
+		// get random IP
+		r, err := random.Bytes(2)
+		if err != nil {
+			return nil, err
+		}
+		randomIP := net.IPv4(127, 17, r[0], r[1])
+
+		// clean after every 20 tries
+		if i > 0 && i%20 == 0 {
+			cleanExpiredTunnelInfos()
+		}
+
+		// if it does not exist yet, set and return
+		_, ok := ipToDomainMap[randomIP.String()]
+		if !ok {
+			tunnelInfo := &TunnelInfo{
+				IP:      randomIP,
+				Domain:  domain,
+				Expires: time.Now().Add(5 * time.Minute).Unix(),
+			}
+			ipToDomainMap[randomIP.String()] = tunnelInfo
+			return tunnelInfo, nil
+		}
+	}
+
+	return nil, errors.New("could not find available tunnel IP, please retry later")
+}
+
+func GetTunnelInfo(tunnelIP net.IP) (tunnelInfo *TunnelInfo) {
+	ipToDomainMapLock.RLock()
+	defer ipToDomainMapLock.RUnlock()
+	var ok bool
+	tunnelInfo, ok = ipToDomainMap[tunnelIP.String()]
+	if ok && tunnelInfo.Expires >= time.Now().Unix() {
+		return tunnelInfo
+	}
+	return nil
+}
+
+func tunnelInfoCleaner() {
+	for {
+		time.Sleep(5 * time.Minute)
+		ipToDomainMapLock.Lock()
+		cleanExpiredTunnelInfos()
+		ipToDomainMapLock.Unlock()
+	}
+}
+
+func cleanExpiredTunnelInfos() {
+	now := time.Now().Unix()
+	for domain, tunnelInfo := range ipToDomainMap {
+		if tunnelInfo.Expires < now {
+			delete(ipToDomainMap, domain)
+		}
+	}
+}