issue new verdict on configuration change

2022-09-05 17:14:45 +02:00
parent 0423dfbbbf
commit fdc8ef5698
18 changed files with 298 additions and 83 deletions
--- a/network/api.go
+++ b/network/api.go
@@ -152,7 +152,7 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {

 		// Count.
 		total++
-		switch conn.Verdict { //nolint:exhaustive
+		switch conn.Verdict.Current { //nolint:exhaustive
 		case VerdictAccept,
 			VerdictRerouteToNameserver,
 			VerdictRerouteToTunnel:
@@ -232,7 +232,7 @@ func (conn *Connection) debugInfoLine() string {

 	return fmt.Sprintf(
 		"% 14s %s%- 25s %s-%s P#%d [%s] %s - by %s @ %s",
-		conn.Verdict.Verb(),
+		conn.Verdict.Current.Verb(),
 		connectionData,
 		conn.fmtDomainComponent(),
 		time.Unix(conn.Started, 0).Format("15:04:05"),
--- a/network/api_test.go
+++ b/network/api_test.go
@@ -40,7 +40,15 @@ var connectionTestData = []*Connection{
 			Country:       "",
 			ASN:           0,
 		},
-		Verdict: 4,
+		Verdict: struct {
+			Current  Verdict
+			Previous Verdict
+			User     Verdict
+		}{
+			Current:  2,
+			Previous: 2,
+			User:     2,
+		},
 		Reason: Reason{
 			Msg:       "incoming connection blocked by default",
 			OptionKey: "filter/serviceEndpoints",
@@ -80,7 +88,15 @@ var connectionTestData = []*Connection{
 			Country:       "DE",
 			ASN:           16509,
 		},
-		Verdict: 2,
+		Verdict: struct {
+			Current  Verdict
+			Previous Verdict
+			User     Verdict
+		}{
+			Current:  2,
+			Previous: 2,
+			User:     2,
+		},
 		Reason: Reason{
 			Msg:       "default permit",
 			OptionKey: "filter/defaultAction",
@@ -123,7 +139,15 @@ var connectionTestData = []*Connection{
 			Country: "US",
 			ASN:     15169,
 		},
-		Verdict: 2,
+		Verdict: struct {
+			Current  Verdict
+			Previous Verdict
+			User     Verdict
+		}{
+			Current:  2,
+			Previous: 2,
+			User:     2,
+		},
 		Reason: Reason{
 			Msg:       "default permit",
 			OptionKey: "filter/defaultAction",
--- a/network/connection.go
+++ b/network/connection.go
@@ -107,16 +107,23 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// Resolver holds information about the resolver used to resolve
 	// Entity.Domain.
 	Resolver *resolver.ResolverInfo
-	// Verdict is the final decision that has been made for a connection.
+	// Verdict holds decisions that are made for a connection
 	// The verdict may change so any access to it must be guarded by the
 	// connection lock.
-	Verdict Verdict
+	Verdict struct {
+		// Current is the current decision that has been made for a connection.
+		Current Verdict
+		// PreviousVerdict holds the previous verdict value, if there wasn't previous it will hold VerdictUndecided
+		Previous Verdict
+		// UserVerdict holds the verdict that should be displayed in the user interface
+		User Verdict
+	}
 	// Reason holds information justifying the verdict, as well as additional
 	// information about the reason.
 	// Access to Reason must be guarded by the connection lock.
 	Reason Reason
 	// Started holds the number of seconds in UNIX epoch time at which
-	// the connection has been initated and first seen by the portmaster.
+	// the connection has been initiated and first seen by the portmaster.
 	// Started is only ever set when creating a new connection object
 	// and is considered immutable afterwards.
 	Started int64
@@ -142,7 +149,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// TunnelOpts holds options for tunneling the connection.
 	TunnelOpts *navigator.Options
 	// ProcessContext holds additional information about the process
-	// that iniated the connection. It is set once when the connection
+	// that initiated the connection. It is set once when the connection
 	// object is created and is considered immutable afterwards.
 	ProcessContext ProcessContext
 	// DNSContext holds additional information about the DNS request that was
@@ -159,7 +166,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// points and access to it must be guarded by the connection lock.
 	Internal bool
 	// process holds a reference to the actor process. That is, the
-	// process instance that initated the connection.
+	// process instance that initiated the connection.
 	process *process.Process
 	// pkgQueue is used to serialize packet handling for a single
 	// connection and is served by the connections packetHandler.
@@ -167,7 +174,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// firewallHandler is the firewall handler that is called for
 	// each packet sent to pktQueue.
 	firewallHandler FirewallHandler
-	// saveWhenFinished can be set to drue during the life-time of
+	// saveWhenFinished can be set to true during the life-time of
 	// a connection and signals the firewallHandler that a Save()
 	// should be issued after processing the connection.
 	saveWhenFinished bool
@@ -519,8 +526,11 @@ func (conn *Connection) Failed(reason, reasonOptionKey string) {
 	conn.FailedWithContext(reason, reasonOptionKey, nil)
 }

+// Reset resets all values of the connection.
 func (conn *Connection) Reset(reason, reasonOptionKey string) {
-	conn.Verdict = VerdictUndecided
+	conn.Verdict.Current = VerdictUndecided
+	conn.Verdict.Previous = VerdictUndecided
+	conn.Verdict.User = VerdictUndecided
 	conn.Reason.Msg = reason
 	conn.Reason.Context = nil

@@ -534,21 +544,37 @@ func (conn *Connection) Reset(reason, reasonOptionKey string) {

 // SetVerdict sets a new verdict for the connection, making sure it does not interfere with previous verdicts.
 func (conn *Connection) SetVerdict(newVerdict Verdict, reason, reasonOptionKey string, reasonCtx interface{}) (ok bool) {
-	if newVerdict >= conn.Verdict {
-		conn.Verdict = newVerdict
-		conn.Reason.Msg = reason
-		conn.Reason.Context = reasonCtx
+	// if newVerdict >= conn.Verdict.Current {
+	conn.SetVerdictDirectly(newVerdict)

-		conn.Reason.OptionKey = ""
-		conn.Reason.Profile = ""
-		if reasonOptionKey != "" && conn.Process() != nil {
-			conn.Reason.OptionKey = reasonOptionKey
-			conn.Reason.Profile = conn.Process().Profile().GetProfileSource(conn.Reason.OptionKey)
-		}
+	conn.Reason.Msg = reason
+	conn.Reason.Context = reasonCtx

-		return true
+	conn.Reason.OptionKey = ""
+	conn.Reason.Profile = ""
+	if reasonOptionKey != "" && conn.Process() != nil {
+		conn.Reason.OptionKey = reasonOptionKey
+		conn.Reason.Profile = conn.Process().Profile().GetProfileSource(conn.Reason.OptionKey)
+	}
+
+	return true
+	// }
+	// return false
+}
+
+// SetVerdictDirectly sets the new verdict and stores the previous value.
+func (conn *Connection) SetVerdictDirectly(newVerdict Verdict) {
+	if newVerdict == conn.Verdict.Current {
+		return
+	}
+	// Save previous verdict and set new one
+	conn.Verdict.Previous = conn.Verdict.Current
+	conn.Verdict.Current = newVerdict
+
+	// if a connection is accepted once it should always show as accepted
+	if conn.Verdict.User != VerdictAccept {
+		conn.Verdict.User = newVerdict
 	}
-	return false
 }

 // Process returns the connection's process.
@@ -675,7 +701,7 @@ func packetHandlerHandleConn(conn *Connection, pkt packet.Packet) {
 	}

 	// Log verdict.
-	log.Tracer(pkt.Ctx()).Infof("filter: connection %s %s: %s", conn, conn.Verdict.Verb(), conn.Reason.Msg)
+	log.Tracer(pkt.Ctx()).Infof("filter: connection %s %s: %s", conn, conn.Verdict.Current.Verb(), conn.Reason.Msg)
 	// Submit trace logs.
 	log.Tracer(pkt.Ctx()).Submit()

--- a/network/dns.go
+++ b/network/dns.go
@@ -115,7 +115,7 @@ func writeOpenDNSRequestsToDB() {
 // ReplyWithDNS creates a new reply to the given request with the data from the RRCache, and additional informational records.
 func (conn *Connection) ReplyWithDNS(ctx context.Context, request *dns.Msg) *dns.Msg {
 	// Select request responder.
-	switch conn.Verdict {
+	switch conn.Verdict.Current {
 	case VerdictBlock:
 		return nsutil.BlockIP().ReplyWithDNS(ctx, request)
 	case VerdictDrop:
@@ -136,7 +136,7 @@ func (conn *Connection) ReplyWithDNS(ctx context.Context, request *dns.Msg) *dns
 func (conn *Connection) GetExtraRRs(ctx context.Context, request *dns.Msg) []dns.RR {
 	// Select level to add the verdict record with.
 	var level log.Severity
-	switch conn.Verdict {
+	switch conn.Verdict.Current {
 	case VerdictFailed:
 		level = log.ErrorLevel
 	case VerdictUndecided, VerdictUndeterminable,
@@ -148,7 +148,7 @@ func (conn *Connection) GetExtraRRs(ctx context.Context, request *dns.Msg) []dns
 	}

 	// Create resource record with verdict and reason.
-	rr, err := nsutil.MakeMessageRecord(level, fmt.Sprintf("%s: %s", conn.Verdict.Verb(), conn.Reason.Msg))
+	rr, err := nsutil.MakeMessageRecord(level, fmt.Sprintf("%s: %s", conn.Verdict.Current.Verb(), conn.Reason.Msg))
 	if err != nil {
 		log.Tracer(ctx).Warningf("filter: failed to add informational record to reply: %s", err)
 		return nil
--- a/network/metrics.go
+++ b/network/metrics.go
@@ -119,7 +119,7 @@ func (conn *Connection) addToMetrics() {
 	}

 	// Check the verdict.
-	switch conn.Verdict { //nolint:exhaustive // Not critical.
+	switch conn.Verdict.Current { //nolint:exhaustive // Not critical.
 	case VerdictBlock, VerdictDrop:
 		blockedOutConnCounter.Inc()
 		conn.addedToMetrics = true
--- a/network/packet/packet.go
+++ b/network/packet/packet.go
@@ -224,7 +224,7 @@ func (pkt *Base) FmtRemoteAddress() string {
 	return fmt.Sprintf("%s:%s:%s", pkt.info.Protocol.String(), pkt.FmtRemoteIP(), pkt.FmtRemotePort())
 }

-// Packet is an interface to a network packet to provide object behaviour the same across all systems.
+// Packet is an interface to a network packet to provide object behavior the same across all systems.
 type Packet interface {
 	// Verdicts.
 	Accept() error