Prepare intel entity data earlier in the decision process
@@ -23,10 +23,6 @@ func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.
|
|||||||
nsutil.NxDomain()
|
nsutil.NxDomain()
|
||||||
}
|
}
|
||||||
|
|
||||||
if !conn.Entity.LoadLists(ctx) {
|
|
||||||
return endpoints.Undeterminable, "", nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if conn.Entity.MatchLists(resolverFilterLists) {
|
if conn.Entity.MatchLists(resolverFilterLists) {
|
||||||
return endpoints.Denied,
|
return endpoints.Denied,
|
||||||
"blocked rogue connection to DNS resolver",
|
"blocked rogue connection to DNS resolver",
|
||||||
|
|||||||
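Review bot: With the `LoadLists` guard gone, `PreventBypassing` matches `conn.Entity` against `resolverFilterLists` on the assumption that the caller has already loaded the entity's lists, and nothing in this hunk checks that; if `MatchLists` reports no match on an entity whose lists were never fetched, a connection to a listed resolver would quietly pass this check. The call site is not visible from here, so if the only path into this function is `DecideOnConnection` after its new preparation block, a precondition comment is enough: `// Precondition: conn.Entity.LoadLists has already run (done by DecideOnConnection).` Otherwise keep a defensive `conn.Entity.LoadLists(ctx)` here, assuming a repeated call is a no-op once the lists are loaded. Note that an entity with no list occurrences used to yield `Undeterminable` and now falls through to whatever follows the `if`; the function starts before and continues past this hunk, so please confirm the fall-through result is equivalent.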
@@ -94,6 +94,11 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// prepare the entity and resolve all filterlist matches
|
||||||
|
conn.Entity.ResolveSubDomainLists(ctx, layeredProfile.FilterSubDomains())
|
||||||
|
conn.Entity.EnableCNAMECheck(ctx, layeredProfile.FilterCNAMEs())
|
||||||
|
conn.Entity.LoadLists(ctx)
|
||||||
|
|
||||||
// DNS request from the system resolver require a special decision process,
|
// DNS request from the system resolver require a special decision process,
|
||||||
// because the original requesting process is not known. Here, we only check
|
// because the original requesting process is not known. Here, we only check
|
||||||
// global-only and the most important per-app aspects. The resulting
|
// global-only and the most important per-app aspects. The resulting
|
||||||
|
|||||||
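Review bot: The three new calls have an ordering dependency that the comment does not state: per the `ResolveSubDomainLists`/`EnableCNAMECheck` hunks below, both flag setters only warn and do not refetch once `domainListLoaded` is set, so they must precede `conn.Entity.LoadLists(ctx)`, and they also silently lose effect if some earlier path already loaded this entity's lists. Suggest extending the comment to `// prepare the entity and resolve all filterlist matches; the sub-domain and CNAME flags must be set before LoadLists, as they are ignored (with a warning) afterwards`. Since `LoadLists` no longer returns anything, a failed or empty list fetch is indistinguishable at this point from "entity is on no list" — if `getLists` can fail without surfacing an error, that is a fail-open path worth a comment or an explicit check. `DecideOnConnection` starts before and ends after this hunk.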
@@ -149,7 +149,7 @@ func (e *Entity) ResetLists() {
|
|||||||
// ResolveSubDomainLists enables or disables list lookups for
|
// ResolveSubDomainLists enables or disables list lookups for
|
||||||
// sub-domains.
|
// sub-domains.
|
||||||
func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
|
func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
|
||||||
if e.domainListLoaded {
|
if e.domainListLoaded && enabled != e.resolveSubDomainLists {
|
||||||
log.Tracer(ctx).Warningf("intel/filterlists: tried to change sub-domain resolving for %s but lists are already fetched", e.Domain)
|
log.Tracer(ctx).Warningf("intel/filterlists: tried to change sub-domain resolving for %s but lists are already fetched", e.Domain)
|
||||||
}
|
}
|
||||||
e.resolveSubDomainLists = enabled
|
e.resolveSubDomainLists = enabled
|
||||||
@@ -158,7 +158,7 @@ func (e *Entity) ResolveSubDomainLists(ctx context.Context, enabled bool) {
|
|||||||
// EnableCNAMECheck enalbes or disables list lookups for
|
// EnableCNAMECheck enalbes or disables list lookups for
|
||||||
// entity CNAMEs.
|
// entity CNAMEs.
|
||||||
func (e *Entity) EnableCNAMECheck(ctx context.Context, enabled bool) {
|
func (e *Entity) EnableCNAMECheck(ctx context.Context, enabled bool) {
|
||||||
if e.domainListLoaded {
|
if e.domainListLoaded && enabled != e.checkCNAMEs {
|
||||||
log.Tracer(ctx).Warningf("intel/filterlists: tried to change CNAME resolving for %s but lists are already fetched", e.Domain)
|
log.Tracer(ctx).Warningf("intel/filterlists: tried to change CNAME resolving for %s but lists are already fetched", e.Domain)
|
||||||
}
|
}
|
||||||
e.checkCNAMEs = enabled
|
e.checkCNAMEs = enabled
|
||||||
@@ -455,10 +455,8 @@ func (e *Entity) getIPLists(ctx context.Context) {
|
|||||||
|
|
||||||
// LoadLists searches all filterlists for all occurrences of
|
// LoadLists searches all filterlists for all occurrences of
|
||||||
// this entity.
|
// this entity.
|
||||||
func (e *Entity) LoadLists(ctx context.Context) bool {
|
func (e *Entity) LoadLists(ctx context.Context) {
|
||||||
e.getLists(ctx)
|
e.getLists(ctx)
|
||||||
|
|
||||||
return e.ListOccurences != nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// MatchLists matches the entities lists against a slice
|
// MatchLists matches the entities lists against a slice
|
||||||
|
|||||||
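Review bot: In the `ResolveSubDomainLists` and `EnableCNAMECheck` hunks, the method still assigns the new value to `e.resolveSubDomainLists` / `e.checkCNAMEs` right after warning that the lists are already fetched, so the flag no longer describes the data that was actually loaded. If the assignment is intended to take effect after a later `ResetLists()`, say so in each doc comment, e.g. `// If lists are already loaded, the new value only takes effect after ResetLists().`; otherwise add a `return` directly after the warning so the flag and the loaded lists stay consistent. Narrowing the condition to `enabled != e.resolveSubDomainLists` is the right call to stop spurious warnings on repeated identical calls. For `LoadLists`, dropping the bool means callers can no longer tell "not on any list" from "lists not loaded"; its doc comment should state that it is expected to run once before any `MatchLists` call and, if true, that repeated calls are harmless.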
@@ -17,10 +17,6 @@ type EndpointLists struct {
|
|||||||
|
|
||||||
// Matches checks whether the given entity matches this endpoint definition.
|
// Matches checks whether the given entity matches this endpoint definition.
|
||||||
func (ep *EndpointLists) Matches(ctx context.Context, entity *intel.Entity) (EPResult, Reason) {
|
func (ep *EndpointLists) Matches(ctx context.Context, entity *intel.Entity) (EPResult, Reason) {
|
||||||
if !entity.LoadLists(ctx) {
|
|
||||||
return Undeterminable, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if entity.MatchLists(ep.ListSet) {
|
if entity.MatchLists(ep.ListSet) {
|
||||||
return ep.match(ep, entity, ep.Lists, "filterlist contains", "filterlist", entity.ListBlockReason())
|
return ep.match(ep, entity, ep.Lists, "filterlist contains", "filterlist", entity.ListBlockReason())
|
||||||
}
|
}
|
||||||
|
|||||||
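Review bot: `Matches` now calls `entity.MatchLists` without ensuring the entity's lists are loaded, so its doc comment should carry the new contract, e.g. `// Matches checks whether the given entity matches this endpoint definition. The entity's filter lists must already be loaded via Entity.LoadLists; Matches does not load them.` Before this change an entity with no list occurrences returned `Undeterminable, nil`; now it falls through to whatever follows the `if`, which is outside the hunk — please confirm the fall-through produces the same result, since an endpoint rule that silently stops matching is a fail-open change. The function continues past the hunk.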
@@ -326,8 +326,6 @@ func (lp *LayeredProfile) MatchFilterLists(ctx context.Context, entity *intel.En
|
|||||||
for _, layer := range lp.layers {
|
for _, layer := range lp.layers {
|
||||||
// Search for the first layer that has filter lists set.
|
// Search for the first layer that has filter lists set.
|
||||||
if layer.filterListsSet {
|
if layer.filterListsSet {
|
||||||
entity.LoadLists(ctx)
|
|
||||||
|
|
||||||
if entity.MatchLists(layer.filterListIDs) {
|
if entity.MatchLists(layer.filterListIDs) {
|
||||||
return endpoints.Denied, entity.ListBlockReason()
|
return endpoints.Denied, entity.ListBlockReason()
|
||||||
}
|
}
|
||||||
@@ -339,8 +337,6 @@ func (lp *LayeredProfile) MatchFilterLists(ctx context.Context, entity *intel.En
|
|||||||
cfgLock.RLock()
|
cfgLock.RLock()
|
||||||
defer cfgLock.RUnlock()
|
defer cfgLock.RUnlock()
|
||||||
if len(cfgFilterLists) > 0 {
|
if len(cfgFilterLists) > 0 {
|
||||||
entity.LoadLists(ctx)
|
|
||||||
|
|
||||||
if entity.MatchLists(cfgFilterLists) {
|
if entity.MatchLists(cfgFilterLists) {
|
||||||
return endpoints.Denied, entity.ListBlockReason()
|
return endpoints.Denied, entity.ListBlockReason()
|
||||||
}
|
}
|
||||||
|
|||||||
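Review bot: Both hunks drop the only `entity.LoadLists(ctx)` calls inside `MatchFilterLists`, so correctness now depends on every caller having loaded the entity beforehand; if this method is reachable from a path other than `DecideOnConnection`'s new preparation block, a listed domain would evaluate as unmatched against empty lists. The method signature is outside the hunk, but its doc comment should state the precondition: `// MatchFilterLists expects the entity's filter lists to be loaded already (Entity.LoadLists); it does not load them itself.` The removal also means the `cfgLock.RLock()` section no longer does any list fetching, which is a reasonable tightening.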