Fix tests and linters

This commit is contained in:
Daniel
2022-02-02 12:48:42 +01:00
parent f2fcad4d11
commit 60d8664e7b
171 changed files with 944 additions and 874 deletions


@@ -11,16 +11,14 @@ import (
"strings"
"time"
"github.com/safing/portmaster/netenv"
"github.com/safing/portmaster/updates"
"github.com/safing/portbase/api"
"github.com/safing/portbase/dataroot"
"github.com/safing/portbase/log"
"github.com/safing/portbase/utils"
"github.com/safing/portmaster/netenv"
"github.com/safing/portmaster/network/packet"
"github.com/safing/portmaster/process"
"github.com/safing/portmaster/updates"
)
const (
@@ -79,13 +77,13 @@ func apiAuthenticator(r *http.Request, s *http.Server) (token *api.AuthToken, er
// get local IP/Port
localIP, localPort, err := parseHostPort(s.Addr)
if err != nil {
return nil, fmt.Errorf("failed to get local IP/Port: %s", err)
return nil, fmt.Errorf("failed to get local IP/Port: %w", err)
}
// get remote IP/Port
remoteIP, remotePort, err := parseHostPort(r.RemoteAddr)
if err != nil {
return nil, fmt.Errorf("failed to get remote IP/Port: %s", err)
return nil, fmt.Errorf("failed to get remote IP/Port: %w", err)
}
// Check if the request is even local.
@@ -151,11 +149,12 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
// Go up up to two levels, if we don't match the path.
checkLevels := 2
checkLevelsLoop:
for i := 0; i < checkLevels+1; i++ {
// Check for eligible path.
switch proc.Pid {
case process.UnidentifiedProcessID, process.SystemProcessID:
break
break checkLevelsLoop
default: // normal process
// Check if the requesting process is in database root / updates dir.
if strings.HasPrefix(proc.Path, authenticatedPath) {
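Review bot: The labeled `break checkLevelsLoop` is a behavior change, not just a lint fix: the bare `break` only left the `switch`, so for `process.UnidentifiedProcessID`/`process.SystemProcessID` the loop went on to the next ancestor level, whereas now the path check stops at that process. Stopping is the safer direction (no authentication through an unidentifiable parent), but since the commit only mentions tests and linters, a comment should record that it is intentional, e.g. `// Unidentified and system processes cannot be authenticated; stop walking up the tree.` The `strings.HasPrefix(proc.Path, authenticatedPath)` check on the last line also matches a sibling path that merely shares the prefix unless `authenticatedPath` ends with a path separator; where it is built is outside this hunk and worth confirming. authenticateAPIRequest starts and ends outside the hunk.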


@@ -5,16 +5,13 @@ import (
"strings"
"github.com/safing/portmaster/compat"
"github.com/safing/portmaster/nameserver/nsutil"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/network/packet"
"github.com/safing/portmaster/profile/endpoints"
)
var (
resolverFilterLists = []string{"17-DNS"}
)
var resolverFilterLists = []string{"17-DNS"}
// PreventBypassing checks if the connection should be denied or permitted
// based on some bypass protection checks.
@@ -27,7 +24,7 @@ func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.
}
// Block direct connections to known DNS resolvers.
switch packet.IPProtocol(conn.Entity.Protocol) {
switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
case packet.ICMP, packet.ICMPv6:
// Make an exception for ICMP, as these IPs are also often used for debugging.
default:


@@ -2,10 +2,12 @@ package firewall
import (
"context"
"errors"
"net"
"strings"
"github.com/miekg/dns"
"github.com/safing/portbase/database"
"github.com/safing/portbase/log"
"github.com/safing/portmaster/network"
@@ -22,7 +24,6 @@ func filterDNSSection(
resolverScope netutils.IPScope,
sysResolver bool,
) ([]dns.RR, []string, int, string) {
// Will be filled 1:1 most of the time.
goodEntries := make([]dns.RR, 0, len(entries))
@@ -275,7 +276,7 @@ func UpdateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
}
// Resolve all CNAMEs in the correct order and add the to the record.
var domain = q.FQDN
domain := q.FQDN
for {
nextDomain, isCNAME := cnames[domain]
if !isCNAME {
@@ -294,7 +295,7 @@ func UpdateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
ipString := ip.String()
info, err := resolver.GetIPInfo(profileID, ipString)
if err != nil {
if err != database.ErrNotFound {
if !errors.Is(err, database.ErrNotFound) {
log.Errorf("nameserver: failed to search for IP info record: %s", err)
}


@@ -2,13 +2,12 @@ package firewall
import (
"github.com/safing/portbase/config"
"github.com/safing/portbase/modules/subsystems"
"github.com/safing/spn/captain"
"github.com/safing/portbase/modules"
"github.com/safing/portbase/modules/subsystems"
// module dependencies
// Dependency.
_ "github.com/safing/portmaster/core"
"github.com/safing/spn/captain"
)
var (


@@ -9,28 +9,25 @@ import (
"sync/atomic"
"time"
"github.com/safing/portmaster/compat"
"github.com/safing/spn/captain"
"github.com/google/gopacket/layers"
"github.com/safing/portmaster/netenv"
"golang.org/x/sync/singleflight"
"github.com/tevino/abool"
"golang.org/x/sync/singleflight"
"github.com/safing/portbase/log"
"github.com/safing/portbase/modules"
"github.com/safing/portmaster/compat"
// Dependency.
_ "github.com/safing/portmaster/core/base"
"github.com/safing/portmaster/firewall/inspection"
"github.com/safing/portmaster/firewall/interception"
"github.com/safing/portmaster/netenv"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/network/netutils"
"github.com/safing/portmaster/network/packet"
"github.com/safing/spn/captain"
"github.com/safing/spn/crew"
"github.com/safing/spn/sluice"
// module dependencies
_ "github.com/safing/portmaster/core/base"
)
var (
@@ -141,14 +138,14 @@ func getConnection(pkt packet.Packet) (*network.Connection, error) {
return conn, nil
})
if err != nil {
return nil, fmt.Errorf("failed to get connection: %s", err)
return nil, fmt.Errorf("failed to get connection: %w", err)
}
if newConn == nil {
return nil, errors.New("connection getter returned nil")
}
// Transform and log result.
conn := newConn.(*network.Connection)
conn := newConn.(*network.Connection) //nolint:forcetypeassert // Can only be a *network.Connection.
sharedIndicator := ""
if shared {
sharedIndicator = " (shared)"
@@ -188,7 +185,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
return true
}
switch meta.Protocol {
switch meta.Protocol { //nolint:exhaustive // Checking for specific values only.
case packet.ICMP, packet.ICMPv6:
// Load packet data.
err := pkt.LoadPacketData()
@@ -243,7 +240,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
}
// DHCP is only valid in local network scopes.
switch netutils.ClassifyIP(meta.Dst) {
switch netutils.ClassifyIP(meta.Dst) { //nolint:exhaustive // Checking for specific values only.
case netutils.HostLocal, netutils.LinkLocal, netutils.SiteLocal, netutils.LocalMulticast:
default:
return false
@@ -430,7 +427,6 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
conn.StopFirewallHandler()
issueVerdict(conn, pkt, 0, true)
}
}
func defaultHandler(conn *network.Connection, pkt packet.Packet) {
@@ -494,6 +490,9 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
case network.VerdictFailed:
atomic.AddUint64(packetsFailed, 1)
err = pkt.Drop()
case network.VerdictUndecided, network.VerdictUndeterminable:
log.Warningf("filter: tried to apply verdict %s to pkt %s: dropping instead", verdict, pkt)
fallthrough
default:
atomic.AddUint64(packetsDropped, 1)
err = pkt.Drop()
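Review bot: The `//nolint:forcetypeassert` on `conn := newConn.(*network.Connection)` hides a case the `newConn == nil` check above does not cover: if the singleflight callback ever returns a nil `*network.Connection` together with a nil error, the boxed interface is non-nil, the nil check passes, and `conn` is a nil pointer. A two-value assertion makes the invariant explicit at no cost: `conn, ok := newConn.(*network.Connection); if !ok || conn == nil { return nil, errors.New("connection getter returned an invalid connection") }`. Whether the callback can actually return a nil connection is not visible here; getConnection's body starts outside the hunk.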


@@ -25,7 +25,7 @@ func Start() error {
return nil
}
var inputPackets = Packets
inputPackets := Packets
if packetMetricsDestination != "" {
go metrics.writeMetrics()
inputPackets = make(chan packet.Packet)


@@ -58,7 +58,9 @@ func (pm *packetMetrics) writeMetrics() {
log.Errorf("Failed to create packet metrics file: %s", err)
return
}
defer f.Close()
defer func() {
_ = f.Close()
}()
for {
select {
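Review bot: `_ = f.Close()` discards the close error on a file this goroutine writes to, so data that fails to be flushed at close time is lost silently, while the function already reports file errors through `log.Errorf` two lines above. Log it rather than drop it: `defer func() { if err := f.Close(); err != nil { log.Errorf("Failed to close packet metrics file: %s", err) } }()`. How the writes to `f` are buffered is outside the hunk.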


@@ -1,4 +1,4 @@
// +build linux
// go:build linux
// Package nfq contains a nfqueue library experiment.
package nfq
@@ -10,15 +10,15 @@ import (
"sync/atomic"
"time"
"github.com/safing/portbase/log"
pmpacket "github.com/safing/portmaster/network/packet"
"github.com/florianl/go-nfqueue"
"github.com/tevino/abool"
"golang.org/x/sys/unix"
"github.com/florianl/go-nfqueue"
"github.com/safing/portbase/log"
pmpacket "github.com/safing/portmaster/network/packet"
)
// Queue wraps a nfqueue
// Queue wraps a nfqueue.
type Queue struct {
id uint16
afFamily uint8
@@ -32,7 +32,7 @@ type Queue struct {
}
func (q *Queue) getNfq() *nfqueue.Nfqueue {
return q.nf.Load().(*nfqueue.Nfqueue)
return q.nf.Load().(*nfqueue.Nfqueue) //nolint:forcetypeassert // TODO: Check.
}
// New opens a new nfQueue.
@@ -112,7 +112,7 @@ func (q *Queue) open(ctx context.Context) error {
}
if err := nf.RegisterWithErrorFunc(ctx, q.packetHandler(ctx), q.handleError); err != nil {
defer nf.Close()
_ = nf.Close()
return err
}
@@ -124,7 +124,7 @@ func (q *Queue) open(ctx context.Context) error {
func (q *Queue) handleError(e error) int {
// embedded interface is required to work-around some
// dep-vendoring weirdness
if opError, ok := e.(interface {
if opError, ok := e.(interface { //nolint:errorlint // TODO: Check if we can remove workaround.
Timeout() bool
Temporary() bool
}); ok {
@@ -153,7 +153,7 @@ func (q *Queue) handleError(e error) int {
// Close the existing socket
if nf := q.getNfq(); nf != nil {
nf.Close()
_ = nf.Close()
}
// Trigger a restart of the queue
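Review bot: `// go:build linux` with a space after `//` is an ordinary comment, not a build constraint, and the old `// +build linux` line is removed in the same hunk, so if the space is really in the source (and not an artifact of the rendering) this file no longer carries any platform constraint; the same replacement appears at the top of the next file section in this commit. The constraint must be written `//go:build linux`, with `// +build linux` kept beneath it if toolchains before Go 1.17 are still supported. Separately, `getNfq` keeps a single-value assertion on `q.nf.Load()` while the caller at the end of this hunk tests `nf != nil`: an unset `atomic.Value` makes `Load()` return nil and the assertion panics before that check can run, so `nf, _ := q.nf.Load().(*nfqueue.Nfqueue); return nf` would make the nil check reachable and resolve the `//nolint:forcetypeassert // TODO: Check.` instead of deferring it.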


@@ -1,4 +1,4 @@
// +build linux
// go:build linux
package nfq
@@ -8,9 +8,9 @@ import (
"sync/atomic"
"time"
"github.com/florianl/go-nfqueue"
"github.com/tevino/abool"
"github.com/florianl/go-nfqueue"
"github.com/safing/portbase/log"
pmpacket "github.com/safing/portmaster/network/packet"
)
@@ -104,7 +104,7 @@ func (pkt *packet) setMark(mark int) error {
if err := pkt.queue.getNfq().SetVerdictWithMark(pkt.pktID, nfqueue.NfAccept, mark); err != nil {
// embedded interface is required to work-around some
// dep-vendoring weirdness
if opErr, ok := err.(interface {
if opErr, ok := err.(interface { //nolint:errorlint // TODO: Check if we can remove workaround.
Timeout() bool
Temporary() bool
}); ok {


@@ -44,7 +44,6 @@ type nfQueue interface {
}
func init() {
v4chains = []string{
"mangle C170",
"mangle C171",
@@ -128,7 +127,6 @@ func init() {
// Reverse because we'd like to insert in a loop
_ = sort.Reverse(sort.StringSlice(v4once)) // silence vet (sort is used just like in the docs)
_ = sort.Reverse(sort.StringSlice(v6once)) // silence vet (sort is used just like in the docs)
}
func activateNfqueueFirewall() error {
@@ -241,7 +239,7 @@ func StartNfqueueInterception(packets chan<- packet.Packet) (err error) {
err = activateNfqueueFirewall()
if err != nil {
_ = Stop()
return fmt.Errorf("could not initialize nfqueue: %s", err)
return fmt.Errorf("could not initialize nfqueue: %w", err)
}
out4Queue, err = nfq.New(17040, false)
@@ -288,7 +286,7 @@ func StopNfqueueInterception() error {
err := DeactivateNfqueueFirewall()
if err != nil {
return fmt.Errorf("interception: error while deactivating nfqueue: %s", err)
return fmt.Errorf("interception: error while deactivating nfqueue: %w", err)
}
return nil


@@ -6,11 +6,12 @@ import (
"path/filepath"
"strings"
"github.com/safing/portmaster/detection/dga"
"github.com/safing/portmaster/netenv"
"github.com/agext/levenshtein"
"golang.org/x/net/publicsuffix"
"github.com/safing/portbase/log"
"github.com/safing/portmaster/detection/dga"
"github.com/safing/portmaster/netenv"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/network/netutils"
"github.com/safing/portmaster/network/packet"
@@ -18,8 +19,6 @@ import (
"github.com/safing/portmaster/process"
"github.com/safing/portmaster/profile"
"github.com/safing/portmaster/profile/endpoints"
"github.com/agext/levenshtein"
)
// Call order:
@@ -215,6 +214,8 @@ func checkEndpointLists(ctx context.Context, conn *network.Connection, p *profil
case endpoints.Permitted:
conn.AcceptWithContext(reason.String(), optionKey, reason.Context())
return true
case endpoints.NoMatch:
return false
}
return false
@@ -236,6 +237,8 @@ func checkEndpointListsForSystemResolverDNSRequests(ctx context.Context, conn *n
case endpoints.Permitted:
conn.AcceptWithContext(reason.String(), profile.CfgOptionEndpointsKey, reason.Context())
return true
case endpoints.NoMatch:
return false
}
}
}
@@ -345,7 +348,9 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
conn.Block("Localhost access blocked", profile.CfgOptionBlockScopeLocalKey) // Block Outbound / Drop Inbound
return true
}
default: // netutils.Unknown and netutils.Invalid
case netutils.Undefined, netutils.Invalid:
fallthrough
default:
conn.Deny("invalid IP", noReasonOptionKey) // Block Outbound / Drop Inbound
return true
}
@@ -358,14 +363,19 @@ func checkBypassPrevention(ctx context.Context, conn *network.Connection, p *pro
// check for bypass protection
result, reason, reasonCtx := PreventBypassing(ctx, conn)
switch result {
case endpoints.Denied:
case endpoints.Denied, endpoints.MatchError:
// Also block on MatchError to be on the safe side.
// PreventBypassing does not use any data that needs to be loaded, so it should not fail anyway.
conn.BlockWithContext("bypass prevention: "+reason, profile.CfgOptionPreventBypassingKey, reasonCtx)
return true
case endpoints.Permitted:
conn.AcceptWithContext("bypass prevention: "+reason, profile.CfgOptionPreventBypassingKey, reasonCtx)
return true
case endpoints.NoMatch:
return false
}
}
return false
}
@@ -378,6 +388,8 @@ func checkFilterLists(ctx context.Context, conn *network.Connection, p *profile.
return true
case endpoints.NoMatch:
// nothing to do
case endpoints.Permitted, endpoints.MatchError:
fallthrough
default:
log.Tracer(ctx).Debugf("filter: filter lists returned unsupported verdict: %s", result)
}
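Review bot: The new explicit `case endpoints.Permitted, endpoints.MatchError:` in checkFilterLists makes visible that a `MatchError` from the filter lists is only logged at Debug level as an "unsupported verdict" and the connection continues to the remaining checks, while checkBypassPrevention in the hunk above deliberately blocks on `MatchError` "to be on the safe side". If failing open here is intended, that decision deserves a comment on the case, such as `// MatchError: the lists could not be evaluated; do not block, let the remaining checks decide.`; otherwise the error should at least be logged at Warning level so it does not vanish from normal logs. The tail of checkFilterLists, including its return value after this switch, is outside the hunk.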


@@ -1,16 +1,14 @@
package firewall
import (
"fmt"
"net"
"strconv"
"sync"
"github.com/safing/portmaster/netenv"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/network/packet"
"fmt"
"net"
"github.com/safing/portmaster/netenv"
"github.com/safing/portmaster/resolver"
)


@@ -16,7 +16,7 @@ import (
)
const (
// notification action IDs
// notification action IDs.
allowDomainAll = "allow-domain-all"
allowDomainDistinct = "allow-domain-distinct"
blockDomainAll = "block-domain-all"