diff --git a/firewall/interception.go b/firewall/interception.go
index 706111b4..e5be02dc 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -177,9 +177,7 @@ func interceptionStart() error {
 	interceptionModule.StartWorker("stat logger", statLogger)
 	interceptionModule.StartWorker("packet handler", packetHandler)
 
-	err := interception.Start()
-
-	return err
+	return interception.Start()
 }
 
 func interceptionStop() error {
diff --git a/firewall/interception/interception_linux.go b/firewall/interception/interception_linux.go
index f0f1d99f..5ee31eb2 100644
--- a/firewall/interception/interception_linux.go
+++ b/firewall/interception/interception_linux.go
@@ -21,6 +21,7 @@ func ResetVerdictOfAllConnections() error {
 	return nfq.DeleteAllMarkedConnection()
 }
 
+// UpdateVerdictOfConnection deletes the verdict of specific connection so in can be initialized again with the next packet
 func UpdateVerdictOfConnection(conn *network.Connection) error {
 	return nfq.DeleteMarkedConnection(conn)
 }
diff --git a/firewall/interception/interception_windows.go b/firewall/interception/interception_windows.go
index d1931fb8..5a21f345 100644
--- a/firewall/interception/interception_windows.go
+++ b/firewall/interception/interception_windows.go
@@ -41,11 +41,13 @@ func ResetVerdictOfAllConnections() error {
 	return windowskext.ClearCache()
 }
 
+// UpdateVerdictOfConnection updates the verdict of specific connection in the kernel extension
 func UpdateVerdictOfConnection(conn *network.Connection) error {
 	return windowskext.UpdateVerdict(conn)
 }
 
-func GetVersion() (string, error) {
+// GetKextVersion returns the version of the kernel extension
+func GetKextVersion() (string, error) {
 	version, err := windowskext.GetVersion()
 	if err != nil {
 		return "", err
diff --git a/firewall/interception/nfq/conntrack.go b/firewall/interception/nfq/conntrack.go
index ce494792..bcb10101 100644
--- a/firewall/interception/nfq/conntrack.go
+++ b/firewall/interception/nfq/conntrack.go
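Review bot: The new doc comment on UpdateVerdictOfConnection in interception_linux.go has a typo, "so in can be initialized" should read "so it can be initialized". It would also help callers if the comment named the mechanism rather than the abstract "verdict", since on Linux the reset only takes effect once the conntrack entry is actually gone: `// UpdateVerdictOfConnection deletes the conntrack entry of the given connection so that its verdict is re-evaluated with the next packet.` The same wording issue ("of specific connection") appears in the Windows counterpart's comment in the next hunk.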
@@ -13,10 +13,9 @@ import (
 	"github.com/safing/portmaster/network"
 )
 
-var (
-	nfct *ct.Nfct // Conntrack handler. NFCT: Network Filter Connection Tracking
-)
+var nfct *ct.Nfct // Conntrack handler. NFCT: Network Filter Connection Tracking
 
+// InitNFCT initializes the network filter conntrack library
 func InitNFCT() error {
 	var err error
 	nfct, err = ct.Open(&ct.Config{})
@@ -26,6 +25,7 @@ func InitNFCT() error {
 	return nil
 }
 
+// DeinitNFCT deinitializes the network filter conntrack library
 func DeinitNFCT() {
 	_ = nfct.Close()
 }
@@ -82,6 +82,7 @@ func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) (deleted int) {
 	return deleted
 }
 
+// DeleteMarkedConnection removes a specific connection from the conntrack table
 func DeleteMarkedConnection(conn *network.Connection) error {
 	if nfct == nil {
 		return fmt.Errorf("nfq: nfct not initialized")
@@ -100,7 +101,7 @@ func DeleteMarkedConnection(conn *network.Connection) error {
 	}
 	connections, err := nfct.Get(ct.Conntrack, ct.IPv4, con)
 	if err != nil {
-		return fmt.Errorf("nfq: failed to find entry for connection %s: %s", conn.String(), err)
+		return fmt.Errorf("nfq: failed to find entry for connection %s: %w", conn.String(), err)
 	}
 
 	if len(connections) > 1 {
@@ -108,7 +109,14 @@ func DeleteMarkedConnection(conn *network.Connection) error {
 	}
 
 	for _, connection := range connections {
-		nfct.Delete(ct.Conntrack, ct.IPv4, connection)
+		deleteErr := nfct.Delete(ct.Conntrack, ct.IPv4, connection)
+		if err == nil {
+			err = deleteErr
+		}
+	}
+
+	if err != nil {
+		log.Warningf("nfq: error while deleting conntrack entries for connection %s: %s", conn.String(), err)
 	}
 
 	return nil
diff --git a/firewall/interception/nfqueue_linux.go b/firewall/interception/nfqueue_linux.go
index 54d7f91a..10de02b3 100644
--- a/firewall/interception/nfqueue_linux.go
+++ b/firewall/interception/nfqueue_linux.go
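Review bot: DeleteMarkedConnection still ends in `return nil` after the new loop has recorded a failed nfct.Delete, so the only trace of the failure is the log.Warningf line and the Linux UpdateVerdictOfConnection caller is told the reset succeeded. Because removing the conntrack entry is what makes the connection pick up its new verdict on the next packet (per the doc comment added in interception_linux.go), a silently failed delete presumably leaves the old mark in place, and a connection that was just re-verdicted to block may keep flowing under the stale decision. The function already returns an error, so propagate it instead of logging: replace the log.Warningf block with `return fmt.Errorf("nfq: failed to delete conntrack entries for connection %s: %w", conn.String(), err)` and keep `return nil` for the success path only. Reusing `err` from the earlier nfct.Get call as the first-error accumulator works (it is nil by this point) but reads as an accident; a `var deleteErr error` declared before the loop would make the intent explicit. The closing brace of DeleteMarkedConnection lies outside the hunk.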
@@ -150,7 +150,7 @@ func activateNfqueueFirewall() error {
 	if err := nfq.InitNFCT(); err != nil {
 		return err
 	}
-	nfq.DeleteAllMarkedConnection()
+	_ = nfq.DeleteAllMarkedConnection()
 
 	return nil
 }
@@ -171,7 +171,7 @@ func DeactivateNfqueueFirewall() error {
 		}
 	}
 
-	nfq.DeleteAllMarkedConnection()
+	_ = nfq.DeleteAllMarkedConnection()
 	nfq.DeinitNFCT()
 
 	return result.ErrorOrNil()
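Review bot: `_ = nfq.DeleteAllMarkedConnection()` in activateNfqueueFirewall makes the discard explicit but still throws away the only signal that marked conntrack entries left over from a previous run could not be flushed; entries that keep their mark would presumably retain an old verdict without being re-evaluated by the freshly activated queue. This is worth at least a log line rather than a blank discard: `if err := nfq.DeleteAllMarkedConnection(); err != nil { log.Warningf("nfq: failed to delete marked conntrack entries on activation: %s", err) }`. Whether this file already imports the log package is not visible in the hunk.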
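Review bot: In DeactivateNfqueueFirewall the same discarded error sits right next to a `result` that is already aggregated and returned through `result.ErrorOrNil()`, so the flush failure could be folded in instead of dropped: `if err := nfq.DeleteAllMarkedConnection(); err != nil { result = multierror.Append(result, err) }`, assuming `result` is a hashicorp multierror as ErrorOrNil suggests — the declaration is outside the hunk. Surfacing it matters on teardown because a leftover mark means the kernel keeps applying a verdict that Portmaster is no longer there to enforce or revise. The function's closing brace is outside the hunk.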