github/portmaster
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Switch from ACCEPT to RETURN when accepting a packet/connection with iptables

Browse Source 
This will ensure the Portmaster will not circumvent existing firewall rules.
This commit is contained in:
Daniel
2020-04-24 10:58:39 +02:00
parent 542577314b
commit fe7d146360
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
firewall/interception/nfqueue_linux.go
View File

@@ -45,14 +45,14 @@ func init() {
"mangle C171 -m mark --mark 0 -j NFQUEUE --queue-num 17140 --queue-bypass",
"filter C17 -m mark --mark 0 -j DROP",
"filter C17 -m mark --mark 1700 -j ACCEPT",
"filter C17 -m mark --mark 1700 -j RETURN",
"filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp-host-prohibited",
"filter C17 -m mark --mark 1702 -j DROP",
"filter C17 -j CONNMARK --save-mark",
"filter C17 -m mark --mark 1710 -j ACCEPT",
"filter C17 -m mark --mark 1710 -j RETURN",
"filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp-host-prohibited",
"filter C17 -m mark --mark 1712 -j DROP",
"filter C17 -m mark --mark 1717 -j ACCEPT",
"filter C17 -m mark --mark 1717 -j RETURN",
}
v4once = []string{
@@ -80,14 +80,14 @@ func init() {
"mangle C171 -m mark --mark 0 -j NFQUEUE --queue-num 17160 --queue-bypass",
"filter C17 -m mark --mark 0 -j DROP",
"filter C17 -m mark --mark 1700 -j ACCEPT",
"filter C17 -m mark --mark 1700 -j RETURN",
"filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp6-adm-prohibited",
"filter C17 -m mark --mark 1702 -j DROP",
"filter C17 -j CONNMARK --save-mark",
"filter C17 -m mark --mark 1710 -j ACCEPT",
"filter C17 -m mark --mark 1710 -j RETURN",
"filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp6-adm-prohibited",
"filter C17 -m mark --mark 1712 -j DROP",
"filter C17 -m mark --mark 1717 -j ACCEPT",
"filter C17 -m mark --mark 1717 -j RETURN",
}
v6once = []string{