Complete first alpha version

2018-12-12 19:18:23 +01:00
parent 8c11a35590
commit f35872ec51
36 changed files with 624 additions and 293 deletions
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
@@ -38,7 +38,7 @@ var (
 )

 func init() {
-	modules.Register("firewall", prep, start, stop, "global", "network", "nameserver")
+	modules.Register("firewall", prep, start, stop, "global", "network", "nameserver", "profile")
 }

 func prep() (err error) {
@@ -112,12 +112,6 @@ func handlePacket(pkt packet.Packet) {
 		return
 	}

-	// allow anything that goes to a tunnel entrypoint
-	if pkt.IsOutbound() && (pkt.GetIPHeader().Dst.Equal(tunnelEntry4) || pkt.GetIPHeader().Dst.Equal(tunnelEntry6)) {
-		pkt.PermanentAccept()
-		return
-	}
-
 	// log.Debugf("firewall: pkt %s has ID %s", pkt, pkt.GetConnectionID())

 	// use this to time how long it takes process packet
@@ -147,7 +141,7 @@ func handlePacket(pkt packet.Packet) {
 		link.HandlePacket(pkt)
 		return
 	}
-	verdict(pkt, link.Verdict)
+	verdict(pkt, link.GetVerdict())

 }

@@ -156,42 +150,45 @@ func initialHandler(pkt packet.Packet, link *network.Link) {
 	// get Connection
 	connection, err := network.GetConnectionByFirstPacket(pkt)
 	if err != nil {
-		link.Lock()
 		if err != process.ErrConnectionNotFound {
 			log.Warningf("firewall: could not find process of packet (dropping link %s): %s", pkt.String(), err)
-			link.AddReason(fmt.Sprintf("could not find process or it does not exist (unsolicited packet): %s", err))
+			link.Deny(fmt.Sprintf("could not find process or it does not exist (unsolicited packet): %s", err))
 		} else {
 			log.Warningf("firewall: internal error finding process of packet (dropping link %s): %s", pkt.String(), err)
-			link.AddReason(fmt.Sprintf("internal error finding process: %s", err))
+			link.Deny(fmt.Sprintf("internal error finding process: %s", err))
 		}
-		link.Unlock()

 		if pkt.IsInbound() {
 			network.UnknownIncomingConnection.AddLink(link)
 		} else {
 			network.UnknownDirectConnection.AddLink(link)
 		}
-		verdict(pkt, link.Verdict)
-		return
-	}

-	// reroute dns requests to nameserver
-	if connection.Process().Pid != os.Getpid() && pkt.IsOutbound() && pkt.GetTCPUDPHeader() != nil && !pkt.GetIPHeader().Dst.Equal(localhost) && pkt.GetTCPUDPHeader().DstPort == 53 {
-		pkt.RerouteToNameserver()
+		verdict(pkt, link.GetVerdict())
+		link.StopFirewallHandler()
+
 		return
 	}

 	// add new Link to Connection (and save both)
 	connection.AddLink(link)

+	// reroute dns requests to nameserver
+	if connection.Process().Pid != os.Getpid() && pkt.IsOutbound() && pkt.GetTCPUDPHeader() != nil && !pkt.GetIPHeader().Dst.Equal(localhost) && pkt.GetTCPUDPHeader().DstPort == 53 {
+		link.RerouteToNameserver()
+		verdict(pkt, link.GetVerdict())
+		link.StopFirewallHandler()
+		return
+	}
+
 	// make a decision if not made already
-	if connection.Verdict == network.UNDECIDED {
+	if connection.GetVerdict() == network.UNDECIDED {
 		DecideOnConnection(connection, pkt)
 	}
-	if connection.Verdict != network.CANTSAY {
-		link.UpdateVerdict(connection.Verdict)
-	} else {
+	if connection.GetVerdict() == network.ACCEPT {
 		DecideOnLink(connection, link, pkt)
+	} else {
+		link.UpdateVerdict(connection.GetVerdict())
 	}

 	// log decision
@@ -205,7 +202,7 @@ func initialHandler(pkt packet.Packet, link *network.Link) {
 	// 	// tunnel link, but also inspect (after reroute)
 	// 	link.Tunneled = true
 	// 	link.SetFirewallHandler(inspectThenVerdict)
-	// 	verdict(pkt, link.Verdict)
+	// 	verdict(pkt, link.GetVerdict())
 	// case port17Active:
 	// 	// tunnel link, don't inspect
 	// 	link.Tunneled = true
@@ -216,7 +213,7 @@ func initialHandler(pkt packet.Packet, link *network.Link) {
 		inspectThenVerdict(pkt, link)
 	default:
 		link.StopFirewallHandler()
-		verdict(pkt, link.Verdict)
+		verdict(pkt, link.GetVerdict())
 	}

 }
@@ -225,10 +222,11 @@ func inspectThenVerdict(pkt packet.Packet, link *network.Link) {
 	pktVerdict, continueInspection := inspection.RunInspectors(pkt, link)
 	if continueInspection {
 		// do not allow to circumvent link decision: e.g. to ACCEPT packets from a DROP-ed link
-		if pktVerdict > link.Verdict {
+		linkVerdict := link.GetVerdict()
+		if pktVerdict > linkVerdict {
 			verdict(pkt, pktVerdict)
 		} else {
-			verdict(pkt, link.Verdict)
+			verdict(pkt, linkVerdict)
 		}
 		return
 	}
@@ -236,9 +234,11 @@ func inspectThenVerdict(pkt packet.Packet, link *network.Link) {
 	// we are done with inspecting
 	link.StopFirewallHandler()

+	link.Lock()
+	defer link.Unlock()
 	link.VerdictPermanent = permanentVerdicts()
 	if link.VerdictPermanent {
-		link.Save()
+		go link.Save()
 		permanentVerdict(pkt, link.Verdict)
 	} else {
 		verdict(pkt, link.Verdict)
@@ -259,6 +259,12 @@ func permanentVerdict(pkt packet.Packet, action network.Verdict) {
 		atomic.AddUint64(packetsDropped, 1)
 		pkt.PermanentDrop()
 		return
+	case network.RerouteToNameserver:
+		pkt.RerouteToNameserver()
+		return
+	case network.RerouteToTunnel:
+		pkt.RerouteToTunnel()
+		return
 	}
 	pkt.Drop()
 }
@@ -277,6 +283,12 @@ func verdict(pkt packet.Packet, action network.Verdict) {
 		atomic.AddUint64(packetsDropped, 1)
 		pkt.Drop()
 		return
+	case network.RerouteToNameserver:
+		pkt.RerouteToNameserver()
+		return
+	case network.RerouteToTunnel:
+		pkt.RerouteToTunnel()
+		return
 	}
 	pkt.Drop()
 }
@@ -295,18 +307,22 @@ func verdict(pkt packet.Packet, action network.Verdict) {
 // }

 func logInitialVerdict(link *network.Link) {
-	// switch link.Verdict {
+	// switch link.GetVerdict() {
 	// case network.ACCEPT:
 	// 	log.Infof("firewall: accepting new link: %s", link.String())
 	// case network.BLOCK:
 	// 	log.Infof("firewall: blocking new link: %s", link.String())
 	// case network.DROP:
 	// 	log.Infof("firewall: dropping new link: %s", link.String())
+	// case network.RerouteToNameserver:
+	// 	log.Infof("firewall: rerouting new link to nameserver: %s", link.String())
+	// case network.RerouteToTunnel:
+	// 	log.Infof("firewall: rerouting new link to tunnel: %s", link.String())
 	// }
 }

 func logChangedVerdict(link *network.Link) {
-	// switch link.Verdict {
+	// switch link.GetVerdict() {
 	// case network.ACCEPT:
 	// 	log.Infof("firewall: change! - now accepting link: %s", link.String())
 	// case network.BLOCK:
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -8,6 +8,7 @@ import (
 	"github.com/Safing/portmaster/intel"
 	"github.com/Safing/portmaster/network"
 	"github.com/Safing/portmaster/network/packet"
+	"github.com/Safing/portmaster/profile"
 	"github.com/Safing/portmaster/status"

 	"github.com/agext/levenshtein"
@@ -59,10 +60,10 @@ func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string)
 	permitted, ok := profileSet.CheckDomain(fqdn)
 	if ok {
 		if permitted {
-			log.Infof("firewall: accepting connection %s, domain is whitelisted", connection, domainElement, processElement)
+			log.Infof("firewall: accepting connection %s, domain is whitelisted", connection)
 			connection.Accept("domain is whitelisted")
 		} else {
-			log.Infof("firewall: denying connection %s, domain is blacklisted", connection, domainElement, processElement)
+			log.Infof("firewall: denying connection %s, domain is blacklisted", connection)
 			connection.Deny("domain is blacklisted")
 		}
 		return
@@ -70,7 +71,7 @@ func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string)

 	switch profileSet.GetProfileMode() {
 	case profile.Whitelist:
-		log.Infof("firewall: denying connection %s, domain is not whitelisted", connection, domainElement, processElement)
+		log.Infof("firewall: denying connection %s, domain is not whitelisted", connection)
 		connection.Deny("domain is not whitelisted")
 	case profile.Prompt:

@@ -97,9 +98,9 @@ func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string)
 						break matchLoop
 					}
 				}
-				if levenshtein.Match(domainElement, profile.Name, nil) > 0.5 {
+				if levenshtein.Match(domainElement, profileSet.UserProfile().Name, nil) > 0.5 {
 					matched = true
-					processElement = profile.Name
+					processElement = profileSet.UserProfile().Name
 					break matchLoop
 				}
 				if levenshtein.Match(domainElement, connection.Process().Name, nil) > 0.5 {
@@ -107,6 +108,11 @@ func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string)
 					processElement = connection.Process().Name
 					break matchLoop
 				}
+				if levenshtein.Match(domainElement, connection.Process().ExecName, nil) > 0.5 {
+					matched = true
+					processElement = connection.Process().ExecName
+					break matchLoop
+				}
 			}

 			if matched {
@@ -115,15 +121,15 @@ func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string)
 			}
 		}

-		if connection.Verdict != network.ACCEPT {
+		if connection.GetVerdict() != network.ACCEPT {
 			// TODO
-			log.Infof("firewall: accepting connection %s, domain permitted (prompting is not yet implemented)", connection, domainElement, processElement)
+			log.Infof("firewall: accepting connection %s, domain permitted (prompting is not yet implemented)", connection)
 			connection.Accept("domain permitted (prompting is not yet implemented)")
 		}

 	case profile.Blacklist:
-		log.Infof("firewall: denying connection %s, domain is not blacklisted", connection, domainElement, processElement)
-		connection.Deny("domain is not blacklisted")
+		log.Infof("firewall: accepting connection %s, domain is not blacklisted", connection)
+		connection.Accept("domain is not blacklisted")
 	}

 }
@@ -175,8 +181,8 @@ func DecideOnConnection(connection *network.Connection, pkt packet.Packet) {
 	}

 	// check if there is a profile
-	profileSet := connection.Process().ProfileSet
-	if profile == nil {
+	profileSet := connection.Process().ProfileSet()
+	if profileSet == nil {
 		log.Errorf("firewall: denying connection %s, no profile set", connection)
 		connection.Deny("no profile")
 		return
@@ -185,17 +191,17 @@ func DecideOnConnection(connection *network.Connection, pkt packet.Packet) {

 	// check connection type
 	switch connection.Domain {
-	case IncomingHost, IncomingLAN, IncomingInternet, IncomingInvalid:
+	case network.IncomingHost, network.IncomingLAN, network.IncomingInternet, network.IncomingInvalid:
 		if !profileSet.CheckFlag(profile.Service) {
 			log.Infof("firewall: denying connection %s, not a service", connection)
-			if connection.Domain == IncomingHost {
+			if connection.Domain == network.IncomingHost {
 				connection.Block("not a service")
 			} else {
 				connection.Drop("not a service")
 			}
 			return
 		}
-	case PeerLAN, PeerInternet, PeerInvalid: // Important: PeerHost is and should be missing!
+	case network.PeerLAN, network.PeerInternet, network.PeerInvalid: // Important: PeerHost is and should be missing!
 		if !profileSet.CheckFlag(profile.PeerToPeer) {
 			log.Infof("firewall: denying connection %s, peer to peer connections (to an IP) not allowed", connection)
 			connection.Deny("peer to peer connections (to an IP) not allowed")
@@ -205,54 +211,54 @@ func DecideOnConnection(connection *network.Connection, pkt packet.Packet) {

 	// check network scope
 	switch connection.Domain {
-	case IncomingHost:
+	case network.IncomingHost:
 		if !profileSet.CheckFlag(profile.Localhost) {
 			log.Infof("firewall: denying connection %s, serving localhost not allowed", connection)
 			connection.Block("serving localhost not allowed")
 			return
 		}
-	case IncomingLAN:
+	case network.IncomingLAN:
 		if !profileSet.CheckFlag(profile.LAN) {
 			log.Infof("firewall: denying connection %s, serving LAN not allowed", connection)
 			connection.Deny("serving LAN not allowed")
 			return
 		}
-	case IncomingInternet:
+	case network.IncomingInternet:
 		if !profileSet.CheckFlag(profile.Internet) {
 			log.Infof("firewall: denying connection %s, serving Internet not allowed", connection)
 			connection.Deny("serving Internet not allowed")
 			return
 		}
-	case IncomingInvalid:
+	case network.IncomingInvalid:
 		log.Infof("firewall: denying connection %s, invalid IP address", connection)
 		connection.Drop("invalid IP address")
 		return
-	case PeerHost:
+	case network.PeerHost:
 		if !profileSet.CheckFlag(profile.Localhost) {
 			log.Infof("firewall: denying connection %s, accessing localhost not allowed", connection)
 			connection.Block("accessing localhost not allowed")
 			return
 		}
-	case PeerLAN:
+	case network.PeerLAN:
 		if !profileSet.CheckFlag(profile.LAN) {
 			log.Infof("firewall: denying connection %s, accessing the LAN not allowed", connection)
 			connection.Deny("accessing the LAN not allowed")
 			return
 		}
-	case PeerInternet:
+	case network.PeerInternet:
 		if !profileSet.CheckFlag(profile.Internet) {
 			log.Infof("firewall: denying connection %s, accessing the Internet not allowed", connection)
 			connection.Deny("accessing the Internet not allowed")
 			return
 		}
-	case PeerInvalid:
+	case network.PeerInvalid:
 		log.Infof("firewall: denying connection %s, invalid IP address", connection)
 		connection.Deny("invalid IP address")
 		return
 	}

 	log.Infof("firewall: accepting connection %s", connection)
-	connection.Accept()
+	connection.Accept("")
 }

 // DecideOnLink makes a decision about a link with the first packet.
@@ -264,8 +270,8 @@ func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet
 	// Profile.ListenPorts

 	// check if there is a profile
-	profileSet := connection.Process().ProfileSet
-	if profile == nil {
+	profileSet := connection.Process().ProfileSet()
+	if profileSet == nil {
 		log.Infof("firewall: no profile, denying %s", link)
 		link.Block("no profile")
 		return
@@ -274,20 +280,20 @@ func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet

 	// get remote Port
 	protocol := pkt.GetIPHeader().Protocol
-	var remotePort uint16
-	tcpUdpHeader := pkt.GetTCPUDPHeader()
-	if tcpUdpHeader != nil {
-		remotePort = tcpUdpHeader.DstPort
+	var dstPort uint16
+	tcpUDPHeader := pkt.GetTCPUDPHeader()
+	if tcpUDPHeader != nil {
+		dstPort = tcpUDPHeader.DstPort
 	}

 	// check port list
-	permitted, ok := profileSet.CheckPort(connection.Direction, protocol, remotePort)
+	permitted, ok := profileSet.CheckPort(connection.Direction, uint8(protocol), dstPort)
 	if ok {
 		if permitted {
 			log.Infof("firewall: accepting link %s", link)
 			link.Accept("port whitelisted")
 		} else {
-			log.Infof("firewall: denying link %s: port %d is blacklisted", link, remotePort)
+			log.Infof("firewall: denying link %s: port %d is blacklisted", link, dstPort)
 			link.Deny("port blacklisted")
 		}
 		return
@@ -295,14 +301,17 @@ func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet

 	switch profileSet.GetProfileMode() {
 	case profile.Whitelist:
-		log.Infof("firewall: denying link %s: port %d is not whitelisted", link, remotePort)
+		log.Infof("firewall: denying link %s: port %d is not whitelisted", link, dstPort)
 		link.Deny("port is not whitelisted")
+		return
 	case profile.Prompt:
-		log.Infof("firewall: denying link %s: port %d is blacklisted", link, remotePort)
+		log.Infof("firewall: accepting link %s: port %d is blacklisted", link, dstPort)
 		link.Accept("port permitted (prompting is not yet implemented)")
+		return
 	case profile.Blacklist:
-		log.Infof("firewall: denying link %s: port %d is blacklisted", link, remotePort)
-		link.Deny("port is not blacklisted")
+		log.Infof("firewall: accepting link %s: port %d is not blacklisted", link, dstPort)
+		link.Accept("port is not blacklisted")
+		return
 	}

 	log.Infof("firewall: accepting link %s", link)