Reevaluate and update firewall core logic
@@ -58,8 +58,8 @@ func prep() error {
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
OptType: config.OptTypeInt,
|
||||
ExternalOptType: "security level",
|
||||
DefaultValue: 3,
|
||||
ValidationRegex: "^(1|2|3)$",
|
||||
DefaultValue: 7,
|
||||
ValidationRegex: "^(7|6|4)$",
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -73,8 +73,8 @@ func prep() error {
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
OptType: config.OptTypeInt,
|
||||
ExternalOptType: "security level",
|
||||
DefaultValue: 3,
|
||||
ValidationRegex: "^(1|2|3)$",
|
||||
DefaultValue: 7,
|
||||
ValidationRegex: "^(7|6|4)$",
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -88,8 +88,8 @@ func prep() error {
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
OptType: config.OptTypeInt,
|
||||
ExternalOptType: "security level",
|
||||
DefaultValue: 3,
|
||||
ValidationRegex: "^(1|2|3)$",
|
||||
DefaultValue: 7,
|
||||
ValidationRegex: "^(7|6|4)$",
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
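Review bot: The new `DefaultValue: 7` and `ValidationRegex: "^(7|6|4)$"` in all three "security level" options (this hunk and the two identical ones above it) carry a meaning that neither the option definition nor a comment states; the accepted set 4, 6, 7 looks like a bitmask over three levels (4, 4|2, 4|2|1, i.e. "from this level upwards"), but that is an inference from the values alone. A one-line comment beside each definition, e.g. `// bitmask of security levels this option applies to: 4 = highest only, 6 = high and above, 7 = all levels`, would let the next reader and any UI that renders "security level" agree on the semantics; building the default and the regex from named level constants would also stop the three copies from drifting apart. The strict allowlist regex itself is the right shape for an operator-settable value. prep() begins and continues outside these hunks.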
@@ -7,11 +7,11 @@ import (
|
||||
"github.com/Safing/portbase/modules"
|
||||
|
||||
// module dependencies
|
||||
_ "github.com/Safing/portmaster/global"
|
||||
_ "github.com/Safing/portmaster/core"
|
||||
)
|
||||
|
||||
func init() {
|
||||
modules.Register("intel", prep, start, nil, "global")
|
||||
modules.Register("intel", prep, start, nil, "core")
|
||||
}
|
||||
|
||||
func start() error {
|
||||
|
||||
@@ -27,7 +27,9 @@ type NameRecord struct {
|
||||
Ns []string
|
||||
Extra []string
|
||||
TTL int64
|
||||
Filtered bool
|
||||
|
||||
Server string
|
||||
ServerScope int8
|
||||
}
|
||||
|
||||
func makeNameRecordKey(domain string, question string) string {
|
||||
|
||||
@@ -15,7 +15,6 @@ import (
|
||||
|
||||
"github.com/Safing/portbase/database"
|
||||
"github.com/Safing/portbase/log"
|
||||
"github.com/Safing/portmaster/network/netutils"
|
||||
"github.com/Safing/portmaster/status"
|
||||
)
|
||||
|
||||
@@ -304,13 +303,6 @@ func tryResolver(resolver *Resolver, lastFailBoundary int64, fqdn string, qtype
|
||||
}
|
||||
resolver.Initialized.SetToIf(false, true)
|
||||
|
||||
// remove localhost entries, remove LAN entries if server is in global IP space.
|
||||
if resolver.ServerIPScope == netutils.Global {
|
||||
rrCache.FilterEntries(true, false, false)
|
||||
} else {
|
||||
rrCache.FilterEntries(true, true, false)
|
||||
}
|
||||
|
||||
return rrCache, true
|
||||
}
|
||||
|
||||
@@ -357,11 +349,13 @@ func query(resolver *Resolver, fqdn string, qtype dns.Type) (*RRCache, error) {
|
||||
}
|
||||
|
||||
new := &RRCache{
|
||||
Domain: fqdn,
|
||||
Question: qtype,
|
||||
Answer: reply.Answer,
|
||||
Ns: reply.Ns,
|
||||
Extra: reply.Extra,
|
||||
Domain: fqdn,
|
||||
Question: qtype,
|
||||
Answer: reply.Answer,
|
||||
Ns: reply.Ns,
|
||||
Extra: reply.Extra,
|
||||
Server: resolver.Server,
|
||||
ServerScope: resolver.ServerIPScope,
|
||||
}
|
||||
|
||||
// TODO: check if reply.Answer is valid
|
||||
|
||||
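Review bot: tryResolver no longer strips loopback and LAN addresses from replies of global-scope resolvers (the `FilterEntries` calls removed in the -304 hunk above), so a public resolver can now answer with 127.0.0.1 or RFC 1918 addresses that are cached and handed to callers unmodified, which is the DNS-rebinding vector the removed code guarded against. The new `Server` and `ServerScope` fields on the RRCache literal keep enough information to make that decision later, but nothing in the visible hunks re-applies it and the `// TODO: check if reply.Answer is valid` after the literal is the only remaining hook. If enforcement moved to the firewall core as the commit title suggests, a comment at the literal saying so would stop the next reader from re-adding the filter here, e.g. `// Answers are stored unfiltered; loopback/LAN answers from global resolvers are filtered by the consumer using ServerScope.`; if it did not move, the filter should be reinstated before `return rrCache, true`. Both query() and tryResolver() start and end outside these hunks.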
104
intel/rrcache.go
104
intel/rrcache.go
@@ -5,11 +5,8 @@ package intel
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/Safing/portbase/log"
|
||||
"github.com/Safing/portmaster/network/netutils"
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
@@ -23,10 +20,14 @@ type RRCache struct {
|
||||
Extra []dns.RR
|
||||
TTL int64
|
||||
|
||||
Server string
|
||||
ServerScope int8
|
||||
|
||||
updated int64
|
||||
servedFromCache bool
|
||||
requestingNew bool
|
||||
Filtered bool
|
||||
FilteredEntries []string
|
||||
}
|
||||
|
||||
// Clean sets all TTLs to 17 and sets cache expiry with specified minimum.
|
||||
@@ -79,10 +80,11 @@ func (m *RRCache) ExportAllARecords() (ips []net.IP) {
|
||||
// ToNameRecord converts the RRCache to a NameRecord for cleaner persistence.
|
||||
func (m *RRCache) ToNameRecord() *NameRecord {
|
||||
new := &NameRecord{
|
||||
Domain: m.Domain,
|
||||
Question: m.Question.String(),
|
||||
TTL: m.TTL,
|
||||
Filtered: m.Filtered,
|
||||
Domain: m.Domain,
|
||||
Question: m.Question.String(),
|
||||
TTL: m.TTL,
|
||||
Server: m.Server,
|
||||
ServerScope: m.ServerScope,
|
||||
}
|
||||
|
||||
// stringify RR entries
|
||||
@@ -136,7 +138,8 @@ func GetRRCache(domain string, question dns.Type) (*RRCache, error) {
|
||||
}
|
||||
}
|
||||
|
||||
rrCache.Filtered = nameRecord.Filtered
|
||||
rrCache.Server = nameRecord.Server
|
||||
rrCache.ServerScope = nameRecord.ServerScope
|
||||
rrCache.servedFromCache = true
|
||||
return rrCache, nil
|
||||
}
|
||||
@@ -175,82 +178,23 @@ func (m *RRCache) IsNXDomain() bool {
|
||||
return len(m.Answer) == 0
|
||||
}
|
||||
|
||||
// Duplicate returns a duplicate of the cache. slices are not copied, but referenced.
|
||||
func (m *RRCache) Duplicate() *RRCache {
|
||||
// ShallowCopy returns a shallow copy of the cache. slices are not copied, but referenced.
|
||||
func (m *RRCache) ShallowCopy() *RRCache {
|
||||
return &RRCache{
|
||||
Domain: m.Domain,
|
||||
Question: m.Question,
|
||||
Answer: m.Answer,
|
||||
Ns: m.Ns,
|
||||
Extra: m.Extra,
|
||||
TTL: m.TTL,
|
||||
Domain: m.Domain,
|
||||
Question: m.Question,
|
||||
Answer: m.Answer,
|
||||
Ns: m.Ns,
|
||||
Extra: m.Extra,
|
||||
TTL: m.TTL,
|
||||
|
||||
Server: m.Server,
|
||||
ServerScope: m.ServerScope,
|
||||
|
||||
updated: m.updated,
|
||||
servedFromCache: m.servedFromCache,
|
||||
requestingNew: m.requestingNew,
|
||||
Filtered: m.Filtered,
|
||||
FilteredEntries: m.FilteredEntries,
|
||||
}
|
||||
}
|
||||
|
||||
// FilterEntries filters resource records according to the given permission scope.
|
||||
func (m *RRCache) FilterEntries(internet, lan, host bool) {
|
||||
var filtered bool
|
||||
|
||||
m.Answer, filtered = filterEntries(m, m.Answer, internet, lan, host)
|
||||
if filtered {
|
||||
m.Filtered = true
|
||||
}
|
||||
m.Extra, filtered = filterEntries(m, m.Extra, internet, lan, host)
|
||||
if filtered {
|
||||
m.Filtered = true
|
||||
}
|
||||
}
|
||||
|
||||
func filterEntries(m *RRCache, entries []dns.RR, internet, lan, host bool) (filteredEntries []dns.RR, filtered bool) {
|
||||
filteredEntries = make([]dns.RR, 0, len(entries))
|
||||
var classification int8
|
||||
var deletedEntries []string
|
||||
|
||||
entryLoop:
|
||||
for _, rr := range entries {
|
||||
|
||||
classification = -1
|
||||
switch v := rr.(type) {
|
||||
case *dns.A:
|
||||
classification = netutils.ClassifyIP(v.A)
|
||||
case *dns.AAAA:
|
||||
classification = netutils.ClassifyIP(v.AAAA)
|
||||
}
|
||||
|
||||
if classification >= 0 {
|
||||
switch {
|
||||
case !internet && classification == netutils.Global:
|
||||
filtered = true
|
||||
deletedEntries = append(deletedEntries, rr.String())
|
||||
continue entryLoop
|
||||
case !lan && (classification == netutils.SiteLocal || classification == netutils.LinkLocal):
|
||||
filtered = true
|
||||
deletedEntries = append(deletedEntries, rr.String())
|
||||
continue entryLoop
|
||||
case !host && classification == netutils.HostLocal:
|
||||
filtered = true
|
||||
deletedEntries = append(deletedEntries, rr.String())
|
||||
continue entryLoop
|
||||
}
|
||||
}
|
||||
|
||||
filteredEntries = append(filteredEntries, rr)
|
||||
}
|
||||
|
||||
if len(deletedEntries) > 0 {
|
||||
log.Infof("intel: filtered DNS replies for %s%s: %s (Settings: Int=%v LAN=%v Host=%v)",
|
||||
m.Domain,
|
||||
m.Question.String(),
|
||||
strings.Join(deletedEntries, ", "),
|
||||
internet,
|
||||
lan,
|
||||
host,
|
||||
)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||