github/portmaster
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Add SPN integration

Browse Source
This commit is contained in:
Daniel
2020-08-06 21:22:14 +02:00
parent 1ce9049ca0
commit cdec623033
9 changed files with 116 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
firewall/interception.go
View File

@@ -12,7 +12,10 @@ import (
"github.com/safing/portmaster/firewall/inspection"
"github.com/safing/portmaster/firewall/interception"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/network/netutils"
"github.com/safing/portmaster/network/packet"
"github.com/safing/spn/captain"
"github.com/safing/spn/sluice"
// module dependencies
_ "github.com/safing/portmaster/core/base"
@@ -222,6 +225,22 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
DecideOnConnection(pkt.Ctx(), conn, pkt)
conn.Inspecting = false // TODO: enable inspecting again
// tunneling
// TODO: add implementation for forced tunneling
if pkt.IsOutbound() &&
captain.ClientReady() &&
netutils.IPIsGlobal(conn.Entity.IP) &&
conn.Verdict == network.VerdictAccept {
// try to tunnel
err := sluice.AwaitRequest(pkt.Info(), conn.Entity.Domain)
if err != nil {
log.Tracer(pkt.Ctx()).Tracef("filter: not tunneling: %s", err)
} else {
log.Tracer(pkt.Ctx()).Trace("filter: tunneling request")
conn.Verdict = network.VerdictRerouteToTunnel
}
}
switch {
case conn.Inspecting:
log.Tracer(pkt.Ctx()).Trace("filter: start inspecting")

8
firewall/interception/nfqueue_linux.go
View File

@@ -81,8 +81,8 @@ func init() {
"filter OUTPUT -j C17",
"filter INPUT -j C17",
"nat OUTPUT -m mark --mark 1799 -p udp -j DNAT --to 127.0.0.1:53",
"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to 127.0.0.17:1117",
"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to 127.0.0.17:1117",
"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to 127.0.0.17:717",
"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to 127.0.0.17:717",
// "nat OUTPUT -m mark --mark 1717 ! -p tcp ! -p udp -j DNAT --to 127.0.0.17",
}
@@ -116,8 +116,8 @@ func init() {
"filter OUTPUT -j C17",
"filter INPUT -j C17",
"nat OUTPUT -m mark --mark 1799 -p udp -j DNAT --to [::1]:53",
"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to [fd17::17]:1117",
"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to [fd17::17]:1117",
"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to [fd17::17]:717",
"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to [fd17::17]:717",
// "nat OUTPUT -m mark --mark 1717 ! -p tcp ! -p udp -j DNAT --to [fd17::17]",
}