Implement review changes

firewall/bypassing.go

@@ -0,0 +1,19 @@
+package firewall
+
+import (
+	"strings"
+
+	"github.com/safing/portmaster/network"
+	"github.com/safing/portmaster/profile/endpoints"
+)
+
+// PreventBypassing checks if the connection should be denied or permitted
+// based on some bypass protection checks.
+func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string) {
+	// Block firefox canary domain to disable DoH
+	if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
+		return endpoints.Denied, "blocked canary domain to prevent enabling DNS-over-HTTPs"
+	}
+
+	return endpoints.NoMatch, ""
+}

firewall/master.go

@@ -141,16 +141,21 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { //nolint:
 		}
 	}
 
-	// check for bypass protection
-	result, reason := p.MatchBypassProtection(conn.Entity)
-	switch result {
-	case endpoints.Denied:
-		conn.Block("bypass prevention: " + reason)
-		return
-	case endpoints.Permitted:
-		conn.Accept("bypass prevention: " + reason)
-		return
-	case endpoints.NoMatch:
+	var result endpoints.EPResult
+	var reason string
+
+	if p.PreventBypassing() {
+		// check for bypass protection
+		result, reason := PreventBypassing(conn)
+		switch result {
+		case endpoints.Denied:
+			conn.Block("bypass prevention: " + reason)
+			return
+		case endpoints.Permitted:
+			conn.Accept("bypass prevention: " + reason)
+			return
+		case endpoints.NoMatch:
+		}
 	}
 
 	// check endpoints list