issue new verdict on configuration change

network/connection.go

@@ -107,16 +107,23 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// Resolver holds information about the resolver used to resolve
 	// Entity.Domain.
 	Resolver *resolver.ResolverInfo
-	// Verdict is the final decision that has been made for a connection.
+	// Verdict holds decisions that are made for a connection
 	// The verdict may change so any access to it must be guarded by the
 	// connection lock.
-	Verdict Verdict
+	Verdict struct {
+		// Current is the current decision that has been made for a connection.
+		Current Verdict
+		// PreviousVerdict holds the previous verdict value, if there wasn't previous it will hold VerdictUndecided
+		Previous Verdict
+		// UserVerdict holds the verdict that should be displayed in the user interface
+		User Verdict
+	}
 	// Reason holds information justifying the verdict, as well as additional
 	// information about the reason.
 	// Access to Reason must be guarded by the connection lock.
 	Reason Reason
 	// Started holds the number of seconds in UNIX epoch time at which
-	// the connection has been initated and first seen by the portmaster.
+	// the connection has been initiated and first seen by the portmaster.
 	// Started is only ever set when creating a new connection object
 	// and is considered immutable afterwards.
 	Started int64
@@ -142,7 +149,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// TunnelOpts holds options for tunneling the connection.
 	TunnelOpts *navigator.Options
 	// ProcessContext holds additional information about the process
-	// that iniated the connection. It is set once when the connection
+	// that initiated the connection. It is set once when the connection
 	// object is created and is considered immutable afterwards.
 	ProcessContext ProcessContext
 	// DNSContext holds additional information about the DNS request that was
@@ -159,7 +166,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// points and access to it must be guarded by the connection lock.
 	Internal bool
 	// process holds a reference to the actor process. That is, the
-	// process instance that initated the connection.
+	// process instance that initiated the connection.
 	process *process.Process
 	// pkgQueue is used to serialize packet handling for a single
 	// connection and is served by the connections packetHandler.
@@ -167,7 +174,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 	// firewallHandler is the firewall handler that is called for
 	// each packet sent to pktQueue.
 	firewallHandler FirewallHandler
-	// saveWhenFinished can be set to drue during the life-time of
+	// saveWhenFinished can be set to true during the life-time of
 	// a connection and signals the firewallHandler that a Save()
 	// should be issued after processing the connection.
 	saveWhenFinished bool
@@ -519,8 +526,11 @@ func (conn *Connection) Failed(reason, reasonOptionKey string) {
 	conn.FailedWithContext(reason, reasonOptionKey, nil)
 }
 
+// Reset resets all values of the connection.
 func (conn *Connection) Reset(reason, reasonOptionKey string) {
-	conn.Verdict = VerdictUndecided
+	conn.Verdict.Current = VerdictUndecided
+	conn.Verdict.Previous = VerdictUndecided
+	conn.Verdict.User = VerdictUndecided
 	conn.Reason.Msg = reason
 	conn.Reason.Context = nil
 
@@ -534,21 +544,37 @@ func (conn *Connection) Reset(reason, reasonOptionKey string) {
 
 // SetVerdict sets a new verdict for the connection, making sure it does not interfere with previous verdicts.
 func (conn *Connection) SetVerdict(newVerdict Verdict, reason, reasonOptionKey string, reasonCtx interface{}) (ok bool) {
-	if newVerdict >= conn.Verdict {
-		conn.Verdict = newVerdict
-		conn.Reason.Msg = reason
-		conn.Reason.Context = reasonCtx
+	// if newVerdict >= conn.Verdict.Current {
+	conn.SetVerdictDirectly(newVerdict)
 
-		conn.Reason.OptionKey = ""
-		conn.Reason.Profile = ""
-		if reasonOptionKey != "" && conn.Process() != nil {
-			conn.Reason.OptionKey = reasonOptionKey
-			conn.Reason.Profile = conn.Process().Profile().GetProfileSource(conn.Reason.OptionKey)
-		}
+	conn.Reason.Msg = reason
+	conn.Reason.Context = reasonCtx
 
-		return true
+	conn.Reason.OptionKey = ""
+	conn.Reason.Profile = ""
+	if reasonOptionKey != "" && conn.Process() != nil {
+		conn.Reason.OptionKey = reasonOptionKey
+		conn.Reason.Profile = conn.Process().Profile().GetProfileSource(conn.Reason.OptionKey)
+	}
+
+	return true
+	// }
+	// return false
+}
+
+// SetVerdictDirectly sets the new verdict and stores the previous value.
+func (conn *Connection) SetVerdictDirectly(newVerdict Verdict) {
+	if newVerdict == conn.Verdict.Current {
+		return
+	}
+	// Save previous verdict and set new one
+	conn.Verdict.Previous = conn.Verdict.Current
+	conn.Verdict.Current = newVerdict
+
+	// if a connection is accepted once it should always show as accepted
+	if conn.Verdict.User != VerdictAccept {
+		conn.Verdict.User = newVerdict
 	}
-	return false
 }
 
 // Process returns the connection's process.
@@ -675,7 +701,7 @@ func packetHandlerHandleConn(conn *Connection, pkt packet.Packet) {
 	}
 
 	// Log verdict.
-	log.Tracer(pkt.Ctx()).Infof("filter: connection %s %s: %s", conn, conn.Verdict.Verb(), conn.Reason.Msg)
+	log.Tracer(pkt.Ctx()).Infof("filter: connection %s %s: %s", conn, conn.Verdict.Current.Verb(), conn.Reason.Msg)
 	// Submit trace logs.
 	log.Tracer(pkt.Ctx()).Submit()