Improve trace logging
This commit is contained in:
Daniel
@@ -170,31 +170,28 @@ func DecideOnResolvedDNS(
|
||||
|
||||
updateIPsAndCNAMEs(q, rrCache, conn)
|
||||
|
||||
if mayBlockCNAMEs(conn) {
|
||||
if mayBlockCNAMEs(ctx, conn) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// TODO: Gate17 integration
|
||||
// tunnelInfo, err := AssignTunnelIP(fqdn)
|
||||
|
||||
return updatedRR
|
||||
}
|
||||
|
||||
func mayBlockCNAMEs(conn *network.Connection) bool {
|
||||
func mayBlockCNAMEs(ctx context.Context, conn *network.Connection) bool {
|
||||
// if we have CNAMEs and the profile is configured to filter them
|
||||
// we need to re-check the lists and endpoints here
|
||||
if conn.Process().Profile().FilterCNAMEs() {
|
||||
conn.Entity.ResetLists()
|
||||
conn.Entity.EnableCNAMECheck(true)
|
||||
conn.Entity.EnableCNAMECheck(ctx, true)
|
||||
|
||||
result, reason := conn.Process().Profile().MatchEndpoint(conn.Entity)
|
||||
result, reason := conn.Process().Profile().MatchEndpoint(ctx, conn.Entity)
|
||||
if result == endpoints.Denied {
|
||||
conn.BlockWithContext(reason.String(), reason.Context())
|
||||
return true
|
||||
}
|
||||
|
||||
if result == endpoints.NoMatch {
|
||||
result, reason = conn.Process().Profile().MatchFilterLists(conn.Entity)
|
||||
result, reason = conn.Process().Profile().MatchFilterLists(ctx, conn.Entity)
|
||||
if result == endpoints.Denied {
|
||||
conn.BlockWithContext(reason.String(), reason.Context())
|
||||
return true
|
||||
|
||||
@@ -87,13 +87,13 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
switch meta.Protocol {
|
||||
case packet.ICMP:
|
||||
// Always permit ICMP.
|
||||
log.Debugf("accepting ICMP: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting ICMP: %s", pkt)
|
||||
_ = pkt.PermanentAccept()
|
||||
return true
|
||||
|
||||
case packet.ICMPv6:
|
||||
// Always permit ICMPv6.
|
||||
log.Debugf("accepting ICMPv6: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting ICMPv6: %s", pkt)
|
||||
_ = pkt.PermanentAccept()
|
||||
return true
|
||||
|
||||
@@ -116,7 +116,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
}
|
||||
|
||||
// Log and permit.
|
||||
log.Debugf("accepting DHCP: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting DHCP: %s", pkt)
|
||||
_ = pkt.PermanentAccept()
|
||||
return true
|
||||
|
||||
@@ -141,7 +141,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
// Only allow to own IPs.
|
||||
dstIsMe, err := netenv.IsMyIP(meta.Dst)
|
||||
if err != nil {
|
||||
log.Warningf("filter: failed to check if IP is local: %s", err)
|
||||
log.Warningf("filter: failed to check if IP %s is local: %s", meta.Dst, err)
|
||||
}
|
||||
if !dstIsMe {
|
||||
return false
|
||||
@@ -150,9 +150,9 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
// Log and permit.
|
||||
switch meta.DstPort {
|
||||
case 53:
|
||||
log.Debugf("accepting local dns: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting local dns: %s", pkt)
|
||||
case apiPort:
|
||||
log.Debugf("accepting api connection: %s", pkt)
|
||||
log.Debugf("filter: fast-track accepting api connection: %s", pkt)
|
||||
default:
|
||||
return false
|
||||
}
|
||||
@@ -165,7 +165,7 @@ func fastTrackedPermit(pkt packet.Packet) (handled bool) {
|
||||
}
|
||||
|
||||
func initialHandler(conn *network.Connection, pkt packet.Packet) {
|
||||
log.Tracer(pkt.Ctx()).Trace("filter: [initial handler]")
|
||||
log.Tracer(pkt.Ctx()).Trace("filter: handing over to connection-based handler")
|
||||
|
||||
// check for internal firewall bypass
|
||||
ps := getPortStatusAndMarkUsed(pkt.Info().LocalPort())
|
||||
|
||||
@@ -134,7 +134,7 @@ func checkProfileExists(_ context.Context, conn *network.Connection, _ packet.Pa
|
||||
return false
|
||||
}
|
||||
|
||||
func checkEndpointLists(_ context.Context, conn *network.Connection, _ packet.Packet) bool {
|
||||
func checkEndpointLists(ctx context.Context, conn *network.Connection, _ packet.Packet) bool {
|
||||
var result endpoints.EPResult
|
||||
var reason endpoints.Reason
|
||||
|
||||
@@ -143,9 +143,9 @@ func checkEndpointLists(_ context.Context, conn *network.Connection, _ packet.Pa
|
||||
|
||||
// check endpoints list
|
||||
if conn.Inbound {
|
||||
result, reason = p.MatchServiceEndpoint(conn.Entity)
|
||||
result, reason = p.MatchServiceEndpoint(ctx, conn.Entity)
|
||||
} else {
|
||||
result, reason = p.MatchEndpoint(conn.Entity)
|
||||
result, reason = p.MatchEndpoint(ctx, conn.Entity)
|
||||
}
|
||||
switch result {
|
||||
case endpoints.Denied:
|
||||
@@ -271,7 +271,7 @@ func checkFilterLists(ctx context.Context, conn *network.Connection, pkt packet.
|
||||
// apply privacy filter lists
|
||||
p := conn.Process().Profile()
|
||||
|
||||
result, reason := p.MatchFilterLists(conn.Entity)
|
||||
result, reason := p.MatchFilterLists(ctx, conn.Entity)
|
||||
switch result {
|
||||
case endpoints.Denied:
|
||||
conn.DenyWithContext(reason.String(), reason.Context())
|
||||
|
||||
Reference in New Issue
Block a user