github/portmaster
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Add safe fallbacks for untrusted home nodes

Browse Source
This commit is contained in:
Daniel
2022-11-04 16:01:47 +01:00
parent 6868333425
commit 7e82d036c3
2 changed files with 17 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
firewall/tunnel.go
View File

@@ -137,12 +137,23 @@ func requestTunneling(ctx context.Context, conn *network.Connection) error {
conn.TunnelOpts.RequireVerifiedOwners = captain.NonCommunityVerifiedOwners
}
// If we have any exit hub policies, we need to raise the routing algorithm at least to single-hop.
if conn.TunnelOpts.RoutingProfile == navigator.RoutingProfileHomeID &&
conn.TunnelOpts.HubPoliciesAreSet() {
// Get routing profile for checking for upgrades.
routingProfile := navigator.GetRoutingProfile(conn.TunnelOpts.RoutingProfile)
// If we have any exit hub policies, we must be able to hop in order to follow the policy.
// Switch to single-hop routing to allow for routing with hub selection.
if routingProfile.MaxHops <= 1 && conn.TunnelOpts.HubPoliciesAreSet() {
conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileSingleHopID
}
// If the current home node is not trusted, then upgrade at least to two hops.
if routingProfile.MinHops < 2 {
homeNode, _ := navigator.Main.GetHome()
if homeNode != nil && !homeNode.State.Has(navigator.StateTrusted) {
conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileDoubleHopID
}
}
// Special handling for the internal DNS resolver.
if conn.Process().Pid == ownPID && resolver.IsResolverAddress(conn.Entity.IP, conn.Entity.Port) {
dnsExitHubPolicy, err := captain.GetDNSExitHubPolicy()