You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

548 lines
13 KiB

package sgfw
9 years ago
import (
9 years ago
9 years ago
nfqueue ""
// ""
9 years ago
const matchAny = 0
//const noAddress = uint32(0xffffffff)
var anyAddress net.IP = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
var noAddress net.IP = net.IP{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
9 years ago
type Rule struct {
id uint
policy *Policy
mode RuleMode
8 years ago
rtype RuleAction
proto string
pid int
hostname string
network *net.IPNet
addr net.IP
saddr net.IP
port uint16
uid int
gid int
uname string
gname string
sandbox string
9 years ago
func (r *Rule) String() string {
return r.getString(false)
func (r *Rule) getString(redact bool) string {
8 years ago
rtype := RuleActionString[RULE_ACTION_DENY]
if r.rtype == RULE_ACTION_ALLOW {
rtype = RuleActionString[RULE_ACTION_ALLOW]
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY]
rmode := ""
if r.mode == RULE_MODE_SYSTEM {
8 years ago
rmode = "|" + RuleModeString[RULE_MODE_SYSTEM]
if r.mode == RULE_MODE_PERMANENT {
rmode = "|" + RuleModeString[RULE_MODE_PERMANENT]
9 years ago
protostr := ""
if r.proto != "tcp" {
protostr = r.proto + ":"
rpriv := fmt.Sprintf("|%d:%d", r.uid, r.gid)
sbox := "|"
if r.sandbox != "" {
sbox = "|" + sbox
} else {
log.Notice("sandbox is ", r.sandbox)
return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
func (r *Rule) AddrString(redact bool) string {
addr := "*"
port := "*"
9 years ago
if r.hostname != "" {
addr = r.hostname
} else if != nil {
addr =
} else if !addrMatchesAny(r.addr) && !addrMatchesNone(r.addr) {
// bs := make([]byte, 4)
// binary.BigEndian.PutUint32(bs, r.addr)
// addr = fmt.Sprintf("%d.%d.%d.%d", bs[0], bs[1], bs[2], bs[3])
addr = r.addr.String()
9 years ago
if r.port != matchAny || r.proto == "icmp" {
9 years ago
port = fmt.Sprintf("%d", r.port)
if redact && addr != "*" {
8 years ago
return fmt.Sprintf("%s:%s", addr, port)
9 years ago
type RuleList []*Rule
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string) bool {
if r.proto != proto {
return false
if r.uid != -1 && r.uid != uid {
return false
} else if r.gid != -1 && r.gid != gid {
return false
} else if r.uname != "" && r.uname != uname {
return false
} else if r.gname != "" && r.gname != gname {
return false
log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
if r.port != matchAny && r.port != dstPort {
9 years ago
return false
if addrMatchesAny(r.addr) {
9 years ago
return true
if r.hostname != "" {
log.Notice("comparing hostname")
if strings.ContainsAny(r.hostname, "*") {
regstr := strings.Replace(r.hostname, "*", ".?", -1)
match, err := regexp.MatchString(regstr, hostname)
if err != nil {
log.Errorf("Error comparing hostname against mask %s: %v", regstr, err)
} else {
return match
return r.hostname == hostname
9 years ago
if != nil && {
return true
if proto == "icmp" {
fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n",, src, r.addr, binary.BigEndian.Uint32(src.To4()))
if ( != nil && || (r.addr.Equal(src)) {
return true
return r.addr.Equal(dst)
9 years ago
func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname, optstr string) FilterResult {
_, dstip := getPacketIPAddrs(p)
_, dstp := getPacketPorts(p)
return rl.filter(p, srcip, dstip, dstp, hostname, pinfo, optstr)
func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info, optstr string) FilterResult {
9 years ago
if rl == nil {
sandboxed := false
if pinfo.Sandbox != "" {
sandboxed = true
// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
9 years ago
for _, r := range *rl {
7 years ago
log.Notice("fuck ", r)
nfqproto := ""
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ",
log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
if r.saddr == nil && src != nil && sandboxed {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
// continue
} else if r.saddr == nil && src == nil && sandboxed {
// continue
// r.match(src, dst, dstPort, hostname, nil, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID))
nfqproto = "tcp"
} else if r.saddr != nil && !r.saddr.Equal(src) && r.proto != "icmp" {
log.Notice("! Skipping comparison of mismatching source ips")
} else {
if pkt != nil {
nfqproto = getNFQProto(pkt)
} else {
log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY {
} else if r.rtype == RULE_ACTION_ALLOW {
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
} else {
log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
if >= 0 && != pinfo.Pid {
//log.Notice("! Skipping comparison of mismatching PIDs")
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String()
if FirewallConfig.LogRedact {
8 years ago
8 years ago
if pkt != nil {
srcip, _ := getPacketIPAddrs(pkt)
srcp, _ := getPacketPorts(pkt)
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
log.Noticef("%s > %s %s %s -> %s:%d",
pinfo.ExePath, r.proto,
dstStr, dstPort)
8 years ago
if r.rtype == RULE_ACTION_DENY {
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
pinfo.ExePath, r.proto,
dstStr, dstPort)
9 years ago
8 years ago
} else if r.rtype == RULE_ACTION_ALLOW {
9 years ago
return result
7 years ago
if r.saddr != nil {
return result
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
return result
7 years ago
} else {
log.Notice("+ MATCH FAILED")
9 years ago
log.Notice("--- RESULT = ", result)
9 years ago
return result
func parseError(s string) error {
return fmt.Errorf("unable to parse rule string: %s", s)
func (r *Rule) parse(s string) bool {
r.addr = noAddress
r.saddr = nil
9 years ago
parts := strings.Split(s, "|")
if len(parts) < 4 || len(parts) > 6 {
log.Notice("invalid number ", len(parts), " of rule parts in line ", s)
9 years ago
return false
if parts[2] == "SYSTEM" {
} else if parts[2] == "PERMANENT" {
} else if parts[2] != "" {
log.Notice("invalid rule mode ", parts[2], " in line ", s)
return false
if !r.parsePrivs(parts[3]) {
log.Notice("invalid privs ", parts[3], " in line ", s)
return false
if !r.parseSandbox(parts[4]) {
log.Notice("invalid sandbox ", parts[4], "in line ", s)
return false
fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
r.saddr = net.ParseIP(parts[5])
if r.saddr == nil {
log.Notice("invalid source IP ", parts[5], " in line ", s)
return false
9 years ago
return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
func (r *Rule) parseSandbox(p string) bool {
r.sandbox = p
return true
func (r *Rule) parsePrivs(p string) bool {
toks := strings.Split(p, ":")
if len(toks) > 2 {
return false
r.uid, r.gid = -1, -1
r.uname, r.gname = "", ""
ustr := toks[0]
uid, err := strconv.Atoi(ustr)
if err != nil {
r.uname = ustr
} else {
r.uid = uid
if len(toks) > 1 {
gstr := toks[1]
gid, err := strconv.Atoi(gstr)
if err != nil {
r.gname = gstr
} else {
r.gid = gid
return true
9 years ago
func (r *Rule) parseVerb(v string) bool {
switch v {
8 years ago
case RuleActionString[RULE_ACTION_ALLOW]:
9 years ago
return true
return true
8 years ago
case RuleActionString[RULE_ACTION_DENY]:
9 years ago
return true
return false
func (r *Rule) parseTarget(t string) bool {
addrPort := strings.Split(t, ":")
if len(addrPort) < 2 {
9 years ago
return false
sind := 0
lind := len(addrPort) - 1
if addrPort[0] == "udp" || addrPort[0] == "icmp" || addrPort[0] == "tcp" {
r.proto = addrPort[0]
} else {
r.proto = "tcp"
newAddr := strings.Join(addrPort[sind:lind], ":")
return r.parseAddr(newAddr) && r.parsePort(addrPort[lind])
// return r.parseAddr(addrPort[sind]) && r.parsePort(addrPort[sind+1])
9 years ago
func (r *Rule) parseAddr(a string) bool {
if a == "*" {
r.hostname = ""
r.addr = anyAddress
9 years ago
return true
// if strings.IndexFunc(a, unicode.IsLetter) != -1 {
if net.ParseIP(a) == nil {
9 years ago
r.hostname = a
return true
// ip := net.ParseIP(a)
ip, ipnet, err := net.ParseCIDR(a)
if err != nil || ip == nil {
ip = net.ParseIP(a)
if ip == nil {
return false
} else { = ipnet
9 years ago
r.addr = ip
9 years ago
return true
func (r *Rule) parsePort(p string) bool {
if p == "*" {
r.port = matchAny
return true
var err error
port, err := strconv.ParseUint(p, 10, 16)
if err != nil || (port == 0 && r.proto != "icmp") || port > 0xFFFF {
9 years ago
return false
r.port = uint16(port)
return true
const ruleFile = "/var/lib/sgfw/sgfw_rules"
9 years ago
func maybeCreateDir(dir string) error {
_, err := os.Stat(dir)
if os.IsNotExist(err) {
return os.MkdirAll(dir, 0755)
9 years ago
return err
func rulesPath() (string, error) {
if err := maybeCreateDir(path.Dir(ruleFile)); err != nil {
return ruleFile, err
return ruleFile, nil
9 years ago
func (fw *Firewall) saveRules() {
defer fw.lock.Unlock()
p, err := rulesPath()
9 years ago
if err != nil {
log.Warningf("Failed to open %s for writing: %v", p, err)
f, err := os.Create(p)
if err != nil {
log.Warningf("Failed to open %s for writing: %v", p, err)
9 years ago
defer f.Close()
for _, p := range fw.policies {
savePolicy(f, p)
func savePolicy(f *os.File, p *Policy) {
defer p.lock.Unlock()
if !p.hasPersistentRules() {
7 years ago
log.Warningf("p.path: ", p.path)
if !writeLine(f, "["+p.sandbox+"|"+p.path+"]") {
9 years ago
for _, r := range p.rules {
if r.mode != RULE_MODE_SESSION {
9 years ago
if !writeLine(f, r.String()) {
func writeLine(f *os.File, line string) bool {
_, err := f.WriteString(line + "\n")
if err != nil {
log.Warningf("Error writing to rule file: %v", err)
9 years ago
return false
return true
func (fw *Firewall) loadRules() {
defer fw.lock.Unlock()
p, err := rulesPath()
if err != nil {
log.Warningf("Failed to open %s for reading: %v", p, err)
bs, err := ioutil.ReadFile(p)
9 years ago
if err != nil {
if !os.IsNotExist(err) {
log.Warningf("Failed to open %s for reading: %v", p, err)
9 years ago
var policy *Policy
for _, line := range strings.Split(string(bs), "\n") {
if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
policy = fw.processPathLine(line)
} else {
trimmed := strings.TrimSpace(line)
if len(trimmed) > 0 && trimmed[:1] != "#" {
processRuleLine(policy, trimmed)
9 years ago
func (fw *Firewall) processPathLine(line string) *Policy {
pathLine := line[1 : len(line)-1]
toks := strings.Split(pathLine, "|")
7 years ago
policy := fw.policyForPathAndSandbox(toks[1], toks[0])
9 years ago
defer policy.lock.Unlock()
policy.rules = nil
return policy
func processRuleLine(policy *Policy, line string) {
if policy == nil {
log.Warningf("Cannot process rule line without first seeing policy key line: %s", line)
9 years ago
_, err := policy.parseRule(line, true)
9 years ago
if err != nil {
log.Warningf("Error parsing rule (%s): %v", line, err)
9 years ago
func addrMatchesAny(addr net.IP) bool {
any := anyAddress
if addr.To4() != nil {
any = net.IP{0, 0, 0, 0}
return any.Equal(addr)
func addrMatchesNone(addr net.IP) bool {
none := noAddress
if addr.To4() != nil {
none = net.IP{0xff, 0xff, 0xff, 0xff}
return none.Equal(addr)