Integrate SPN into interception
This commit is contained in:
@@ -3,6 +3,7 @@ package firewall
|
|||||||
import (
|
import (
|
||||||
"github.com/safing/portbase/config"
|
"github.com/safing/portbase/config"
|
||||||
"github.com/safing/portbase/modules/subsystems"
|
"github.com/safing/portbase/modules/subsystems"
|
||||||
|
"github.com/safing/spn/captain"
|
||||||
|
|
||||||
"github.com/safing/portbase/modules"
|
"github.com/safing/portbase/modules"
|
||||||
|
|
||||||
@@ -13,6 +14,7 @@ import (
|
|||||||
var (
|
var (
|
||||||
filterModule *modules.Module
|
filterModule *modules.Module
|
||||||
filterEnabled config.BoolOption
|
filterEnabled config.BoolOption
|
||||||
|
tunnelEnabled config.BoolOption
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
@@ -28,8 +30,8 @@ func init() {
|
|||||||
Key: CfgOptionEnableFilterKey,
|
Key: CfgOptionEnableFilterKey,
|
||||||
Description: "Start the Privacy Filter module. If turned off, all privacy filter protections are fully disabled on this device.",
|
Description: "Start the Privacy Filter module. If turned off, all privacy filter protections are fully disabled on this device.",
|
||||||
OptType: config.OptTypeBool,
|
OptType: config.OptTypeBool,
|
||||||
ExpertiseLevel: config.ExpertiseLevelUser,
|
ExpertiseLevel: config.ExpertiseLevelDeveloper,
|
||||||
ReleaseLevel: config.ReleaseLevelBeta,
|
ReleaseLevel: config.ReleaseLevelStable,
|
||||||
DefaultValue: true,
|
DefaultValue: true,
|
||||||
Annotations: config.Annotations{
|
Annotations: config.Annotations{
|
||||||
config.CategoryAnnotation: "General",
|
config.CategoryAnnotation: "General",
|
||||||
@@ -44,6 +46,7 @@ func filterPrep() (err error) {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
filterEnabled = config.GetAsBool(CfgOptionEnableFilterKey, true)
|
filterEnabled = config.Concurrent.GetAsBool(CfgOptionEnableFilterKey, true)
|
||||||
|
tunnelEnabled = config.Concurrent.GetAsBool(captain.CfgOptionEnableSPNKey, false)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -9,6 +9,8 @@ import (
|
|||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/safing/spn/captain"
|
||||||
|
|
||||||
"github.com/google/gopacket/layers"
|
"github.com/google/gopacket/layers"
|
||||||
"github.com/safing/portmaster/netenv"
|
"github.com/safing/portmaster/netenv"
|
||||||
"golang.org/x/sync/singleflight"
|
"golang.org/x/sync/singleflight"
|
||||||
@@ -22,7 +24,7 @@ import (
|
|||||||
"github.com/safing/portmaster/network"
|
"github.com/safing/portmaster/network"
|
||||||
"github.com/safing/portmaster/network/netutils"
|
"github.com/safing/portmaster/network/netutils"
|
||||||
"github.com/safing/portmaster/network/packet"
|
"github.com/safing/portmaster/network/packet"
|
||||||
"github.com/safing/spn/captain"
|
"github.com/safing/spn/crew"
|
||||||
"github.com/safing/spn/sluice"
|
"github.com/safing/spn/sluice"
|
||||||
|
|
||||||
// module dependencies
|
// module dependencies
|
||||||
@@ -346,32 +348,41 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if filtering is enabled
|
// TODO: enable inspecting again
|
||||||
if !filterEnabled() {
|
conn.Inspecting = false
|
||||||
conn.Inspecting = false
|
|
||||||
|
// Filter, if enabled.
|
||||||
|
if filterEnabled() {
|
||||||
|
log.Tracer(pkt.Ctx()).Trace("filter: starting decision process")
|
||||||
|
DecideOnConnection(pkt.Ctx(), conn, pkt)
|
||||||
|
} else {
|
||||||
conn.Accept("privacy filter disabled", noReasonOptionKey)
|
conn.Accept("privacy filter disabled", noReasonOptionKey)
|
||||||
conn.StopFirewallHandler()
|
|
||||||
issueVerdict(conn, pkt, 0, true)
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Tracer(pkt.Ctx()).Trace("filter: starting decision process")
|
// Tunnel, if enabled.
|
||||||
DecideOnConnection(pkt.Ctx(), conn, pkt)
|
if pkt.IsOutbound() && conn.Entity.IPScope.IsGlobal() &&
|
||||||
conn.Inspecting = false // TODO: enable inspecting again
|
tunnelEnabled() && conn.Verdict == network.VerdictAccept &&
|
||||||
|
conn.Process().Profile() != nil &&
|
||||||
|
conn.Process().Profile().UseSPN() {
|
||||||
|
|
||||||
// tunneling
|
// Exclude requests of the SPN itself.
|
||||||
// TODO: add implementation for forced tunneling
|
if !captain.IsExcepted(conn.Entity.IP) {
|
||||||
if pkt.IsOutbound() &&
|
// Check if client is ready.
|
||||||
captain.ClientReady() &&
|
if captain.ClientReady() {
|
||||||
conn.Entity.IPScope.IsGlobal() &&
|
// Queue request in sluice.
|
||||||
conn.Verdict == network.VerdictAccept {
|
err := sluice.AwaitRequest(conn, crew.HandleSluiceRequest)
|
||||||
// try to tunnel
|
if err != nil {
|
||||||
err := sluice.AwaitRequest(pkt.Info(), conn.Entity.Domain)
|
log.Tracer(pkt.Ctx()).Warningf("failed to rqeuest tunneling: %s", err)
|
||||||
if err != nil {
|
conn.Failed("failed to request tunneling", "")
|
||||||
log.Tracer(pkt.Ctx()).Tracef("filter: not tunneling: %s", err)
|
} else {
|
||||||
} else {
|
log.Tracer(pkt.Ctx()).Trace("filter: tunneling requested")
|
||||||
log.Tracer(pkt.Ctx()).Trace("filter: tunneling request")
|
conn.Verdict = network.VerdictRerouteToTunnel
|
||||||
conn.Verdict = network.VerdictRerouteToTunnel
|
}
|
||||||
|
} else {
|
||||||
|
// Block connection as SPN is not ready yet.
|
||||||
|
log.Tracer(pkt.Ctx()).Trace("SPN not ready for tunneling")
|
||||||
|
conn.Failed("SPN not ready for tunneling", "")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user