Fix module dependencies, split filter into interception and filter modules

2020-04-24 10:17:15 +02:00
parent 5c7739e28a
commit 95041d217c
8 changed files with 89 additions and 40 deletions
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -0,0 +1,365 @@
+package firewall
+
+import (
+	"context"
+	"net"
+	"os"
+	"sync/atomic"
+	"time"
+
+	"github.com/safing/portbase/log"
+	"github.com/safing/portbase/modules"
+	"github.com/safing/portmaster/firewall/inspection"
+	"github.com/safing/portmaster/firewall/interception"
+	"github.com/safing/portmaster/network"
+	"github.com/safing/portmaster/network/packet"
+
+	// module dependencies
+	_ "github.com/safing/portmaster/core"
+	_ "github.com/safing/portmaster/profile"
+)
+
+var (
+	interceptionModule *modules.Module
+
+	// localNet        net.IPNet
+	// localhost net.IP
+	// dnsServer       net.IPNet
+	packetsAccepted *uint64
+	packetsBlocked  *uint64
+	packetsDropped  *uint64
+	packetsFailed   *uint64
+
+	// localNet4 *net.IPNet
+
+	localhost4 = net.IPv4(127, 0, 0, 1)
+	// localhost6 = net.IPv6loopback
+
+	// tunnelNet4 *net.IPNet
+	// tunnelNet6 *net.IPNet
+	// tunnelEntry4 = net.IPv4(127, 0, 0, 17)
+	// tunnelEntry6 = net.ParseIP("fd17::17")
+)
+
+func init() {
+	interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base")
+
+	network.SetDefaultFirewallHandler(defaultHandler)
+}
+
+func interceptionPrep() (err error) {
+	err = prepAPIAuth()
+	if err != nil {
+		return err
+	}
+
+	// _, localNet4, err = net.ParseCIDR("127.0.0.0/24")
+	// // Yes, this would normally be 127.0.0.0/8
+	// // TODO: figure out any side effects
+	// if err != nil {
+	// 	return fmt.Errorf("filter: failed to parse cidr 127.0.0.0/24: %s", err)
+	// }
+
+	// _, tunnelNet4, err = net.ParseCIDR("127.17.0.0/16")
+	// if err != nil {
+	// 	return fmt.Errorf("filter: failed to parse cidr 127.17.0.0/16: %s", err)
+	// }
+	// _, tunnelNet6, err = net.ParseCIDR("fd17::/64")
+	// if err != nil {
+	// 	return fmt.Errorf("filter: failed to parse cidr fd17::/64: %s", err)
+	// }
+
+	packetsAccepted = new(uint64)
+	packetsBlocked = new(uint64)
+	packetsDropped = new(uint64)
+	packetsFailed = new(uint64)
+
+	return nil
+}
+
+func interceptionStart() error {
+	startAPIAuth()
+
+	interceptionModule.StartWorker("stat logger", func(ctx context.Context) error {
+		statLogger()
+		return nil
+	})
+
+	interceptionModule.StartWorker("packet handler", func(ctx context.Context) error {
+		run()
+		return nil
+	})
+
+	interceptionModule.StartWorker("ports state cleaner", func(ctx context.Context) error {
+		portsInUseCleaner()
+		return nil
+	})
+
+	return interception.Start()
+}
+
+func interceptionStop() error {
+	return interception.Stop()
+}
+
+func handlePacket(pkt packet.Packet) {
+
+	// allow localhost, for now
+	// if pkt.Info().Src.Equal(pkt.Info().Dst) {
+	// 	log.Debugf("accepting localhost communication: %s", pkt)
+	// 	pkt.PermanentAccept()
+	// 	return
+	// }
+
+	// for UX and performance
+	meta := pkt.Info()
+
+	// allow local dns
+	if (meta.DstPort == 53 || meta.SrcPort == 53) &&
+		(meta.Src.Equal(meta.Dst) || // Windows redirects back to same interface
+			meta.Src.Equal(localhost4) || // Linux sometimes does 127.0.0.1->127.0.0.53
+			meta.Dst.Equal(localhost4)) {
+		log.Debugf("accepting local dns: %s", pkt)
+		_ = pkt.PermanentAccept()
+		return
+	}
+
+	// allow api access, if address was parsed successfully
+	if apiPortSet {
+		if (meta.DstPort == apiPort || meta.SrcPort == apiPort) && meta.Src.Equal(meta.Dst) {
+			log.Debugf("accepting api connection: %s", pkt)
+			_ = pkt.PermanentAccept()
+			return
+		}
+	}
+
+	// // redirect dns (if we know that it's not our own request)
+	// if pkt.IsOutbound() && intel.RemoteIsActiveNameserver(pkt) {
+	// 	log.Debugf("redirecting dns: %s", pkt)
+	// 	pkt.RedirToNameserver()
+	// }
+
+	// allow ICMP, IGMP and DHCP
+	// TODO: actually handle these
+	switch meta.Protocol {
+	case packet.ICMP:
+		log.Debugf("accepting ICMP: %s", pkt)
+		_ = pkt.PermanentAccept()
+		return
+	case packet.ICMPv6:
+		log.Debugf("accepting ICMPv6: %s", pkt)
+		_ = pkt.PermanentAccept()
+		return
+	case packet.IGMP:
+		log.Debugf("accepting IGMP: %s", pkt)
+		_ = pkt.PermanentAccept()
+		return
+	case packet.UDP:
+		if meta.DstPort == 67 || meta.DstPort == 68 {
+			log.Debugf("accepting DHCP: %s", pkt)
+			_ = pkt.PermanentAccept()
+			return
+		}
+		// TODO: Howto handle NetBios?
+	}
+
+	// log.Debugf("filter: pkt %s has ID %s", pkt, pkt.GetLinkID())
+
+	// use this to time how long it takes process packet
+	// timed := time.Now()
+	// defer log.Tracef("filter: took %s to process packet %s", time.Now().Sub(timed).String(), pkt)
+
+	// check if packet is destined for tunnel
+	// switch pkt.IPVersion() {
+	// case packet.IPv4:
+	// 	if TunnelNet4 != nil && TunnelNet4.Contains(meta.Dst) {
+	// 		tunnelHandler(pkt)
+	// 	}
+	// case packet.IPv6:
+	// 	if TunnelNet6 != nil && TunnelNet6.Contains(meta.Dst) {
+	// 		tunnelHandler(pkt)
+	// 	}
+	// }
+
+	traceCtx, tracer := log.AddTracer(context.Background())
+	if tracer != nil {
+		pkt.SetCtx(traceCtx)
+		tracer.Tracef("filter: handling packet: %s", pkt)
+	}
+
+	// associate packet to link and handle
+	conn, ok := network.GetConnection(pkt.GetConnectionID())
+	if ok {
+		tracer.Tracef("filter: assigned to connection %s", conn.ID)
+	} else {
+		conn = network.NewConnectionFromFirstPacket(pkt)
+		tracer.Tracef("filter: created new connection %s", conn.ID)
+		conn.SetFirewallHandler(initialHandler)
+	}
+
+	// handle packet
+	conn.HandlePacket(pkt)
+}
+
+func initialHandler(conn *network.Connection, pkt packet.Packet) {
+	log.Tracer(pkt.Ctx()).Trace("filter: [initial handler]")
+
+	// check for internal firewall bypass
+	ps := getPortStatusAndMarkUsed(pkt.Info().LocalPort())
+	if ps.isMe {
+		// approve
+		conn.Accept("internally approved")
+		conn.Internal = true
+		// finish
+		conn.StopFirewallHandler()
+		issueVerdict(conn, pkt, 0, true)
+		return
+	}
+
+	// reroute dns requests to nameserver
+	if conn.Process().Pid != os.Getpid() && pkt.IsOutbound() && pkt.Info().DstPort == 53 && !pkt.Info().Src.Equal(pkt.Info().Dst) {
+		conn.Verdict = network.VerdictRerouteToNameserver
+		conn.StopFirewallHandler()
+		issueVerdict(conn, pkt, 0, true)
+		return
+	}
+
+	// check if filtering is enabled
+	if !filterEnabled() {
+		conn.Inspecting = false
+		conn.SetVerdict(network.VerdictAccept, "privacy filter disabled", nil)
+		conn.StopFirewallHandler()
+		issueVerdict(conn, pkt, 0, true)
+		return
+	}
+
+	log.Tracer(pkt.Ctx()).Trace("filter: starting decision process")
+	DecideOnConnection(conn, pkt)
+	conn.Inspecting = false // TODO: enable inspecting again
+
+	switch {
+	case conn.Inspecting:
+		log.Tracer(pkt.Ctx()).Trace("filter: start inspecting")
+		conn.SetFirewallHandler(inspectThenVerdict)
+		inspectThenVerdict(conn, pkt)
+	default:
+		conn.StopFirewallHandler()
+		issueVerdict(conn, pkt, 0, true)
+	}
+
+}
+
+func defaultHandler(conn *network.Connection, pkt packet.Packet) {
+	issueVerdict(conn, pkt, 0, true)
+}
+
+func inspectThenVerdict(conn *network.Connection, pkt packet.Packet) {
+	pktVerdict, continueInspection := inspection.RunInspectors(conn, pkt)
+	if continueInspection {
+		issueVerdict(conn, pkt, pktVerdict, false)
+		return
+	}
+
+	// we are done with inspecting
+	conn.StopFirewallHandler()
+	issueVerdict(conn, pkt, 0, true)
+}
+
+func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.Verdict, allowPermanent bool) {
+	// enable permanent verdict
+	if allowPermanent && !conn.VerdictPermanent {
+		conn.VerdictPermanent = permanentVerdicts()
+		if conn.VerdictPermanent {
+			conn.SaveWhenFinished()
+		}
+	}
+
+	// do not allow to circumvent decision: e.g. to ACCEPT packets from a DROP-ed connection
+	if verdict < conn.Verdict {
+		verdict = conn.Verdict
+	}
+
+	var err error
+	switch verdict {
+	case network.VerdictAccept:
+		atomic.AddUint64(packetsAccepted, 1)
+		if conn.VerdictPermanent {
+			err = pkt.PermanentAccept()
+		} else {
+			err = pkt.Accept()
+		}
+	case network.VerdictBlock:
+		atomic.AddUint64(packetsBlocked, 1)
+		if conn.VerdictPermanent {
+			err = pkt.PermanentBlock()
+		} else {
+			err = pkt.Block()
+		}
+	case network.VerdictDrop:
+		atomic.AddUint64(packetsDropped, 1)
+		if conn.VerdictPermanent {
+			err = pkt.PermanentDrop()
+		} else {
+			err = pkt.Drop()
+		}
+	case network.VerdictRerouteToNameserver:
+		err = pkt.RerouteToNameserver()
+	case network.VerdictRerouteToTunnel:
+		err = pkt.RerouteToTunnel()
+	case network.VerdictFailed:
+		atomic.AddUint64(packetsFailed, 1)
+		fallthrough
+	default:
+		atomic.AddUint64(packetsDropped, 1)
+		err = pkt.Drop()
+	}
+
+	if err != nil {
+		log.Warningf("filter: failed to apply verdict to pkt %s: %s", pkt, err)
+	}
+}
+
+// func tunnelHandler(pkt packet.Packet) {
+// 	tunnelInfo := GetTunnelInfo(pkt.Info().Dst)
+// 	if tunnelInfo == nil {
+// 		pkt.Block()
+// 		return
+// 	}
+//
+// 	entry.CreateTunnel(pkt, tunnelInfo.Domain, tunnelInfo.RRCache.ExportAllARecords())
+// 	log.Tracef("filter: rerouting %s to tunnel entry point", pkt)
+// 	pkt.RerouteToTunnel()
+// 	return
+// }
+
+func run() {
+	for {
+		select {
+		case <-interceptionModule.Stopping():
+			return
+		case pkt := <-interception.Packets:
+			handlePacket(pkt)
+		}
+	}
+}
+
+func statLogger() {
+	for {
+		select {
+		case <-interceptionModule.Stopping():
+			return
+		case <-time.After(10 * time.Second):
+			log.Tracef(
+				"filter: packets accepted %d, blocked %d, dropped %d, failed %d",
+				atomic.LoadUint64(packetsAccepted),
+				atomic.LoadUint64(packetsBlocked),
+				atomic.LoadUint64(packetsDropped),
+				atomic.LoadUint64(packetsFailed),
+			)
+			atomic.StoreUint64(packetsAccepted, 0)
+			atomic.StoreUint64(packetsBlocked, 0)
+			atomic.StoreUint64(packetsDropped, 0)
+			atomic.StoreUint64(packetsFailed, 0)
+		}
+	}
+}