diff --git a/fw-settings/definitions/RuleEdit.ui b/fw-settings/definitions/RuleEdit.ui
index cb34054..4b11b9d 100644
--- a/fw-settings/definitions/RuleEdit.ui
+++ b/fw-settings/definitions/RuleEdit.ui
@@ -98,6 +98,7 @@
0
- Allow
+ - Allow TLS Only
- Deny
@@ -162,7 +163,7 @@
0
- 2
+ 3
2
@@ -184,6 +185,34 @@
1
+
+
+
+ 0
+ 2
+
+
+
+
+
+ 1
+ 2
+
+
False
diff --git a/fw-settings/definitions/rule_edit.go b/fw-settings/definitions/rule_edit.go
index 1ec46ab..325c071 100644
--- a/fw-settings/definitions/rule_edit.go
+++ b/fw-settings/definitions/rule_edit.go
@@ -108,6 +108,7 @@ func (*defRuleEdit) String() string {
0
- Allow
+ - Allow TLS Only
- Deny
@@ -172,7 +173,7 @@ func (*defRuleEdit) String() string {
0
- 2
+ 3
2
@@ -194,6 +195,34 @@ func (*defRuleEdit) String() string {
1
+
+
+
+ 0
+ 2
+
+
+
+
+
+ 1
+ 2
+
+
False
diff --git a/fw-settings/rule_edit.go b/fw-settings/rule_edit.go
index d3c2263..6269950 100644
--- a/fw-settings/rule_edit.go
+++ b/fw-settings/rule_edit.go
@@ -18,13 +18,15 @@ const (
)
type ruleEdit struct {
- row *ruleRow
- dialog *gtk.Dialog
- pathLabel *gtk.Label
- verbCombo *gtk.ComboBoxText
- hostEntry *gtk.Entry
- portEntry *gtk.Entry
- ok *gtk.Button
+ row *ruleRow
+ dialog *gtk.Dialog
+ pathLabel *gtk.Label
+ sandboxLabel *gtk.Label
+ sandboxTitle *gtk.Label
+ verbCombo *gtk.ComboBoxText
+ hostEntry *gtk.Entry
+ portEntry *gtk.Entry
+ ok *gtk.Button
}
func newRuleEdit(rr *ruleRow, saveasnew bool) *ruleEdit {
@@ -33,6 +35,8 @@ func newRuleEdit(rr *ruleRow, saveasnew bool) *ruleEdit {
b.getItems(
"dialog", &redit.dialog,
"path_label", &redit.pathLabel,
+ "sandbox_label", &redit.sandboxLabel,
+ "sandbox_title", &redit.sandboxTitle,
"verb_combo", &redit.verbCombo,
"host_entry", &redit.hostEntry,
"port_entry", &redit.portEntry,
@@ -54,9 +58,17 @@ func (re *ruleEdit) updateDialogFields() {
re.pathLabel.SetText(r.Path)
if sgfw.RuleAction(r.Verb) == sgfw.RULE_ACTION_ALLOW {
re.verbCombo.SetActiveID("allow")
+ } else if sgfw.RuleAction(r.Verb) == sgfw.RULE_ACTION_ALLOW_TLSONLY {
+ re.verbCombo.SetActiveID("allow_tls")
} else {
re.verbCombo.SetActiveID("deny")
}
+ if r.Sandbox != "" {
+ re.sandboxLabel.SetText(r.Sandbox)
+ } else {
+ re.sandboxLabel.SetVisible(false)
+ re.sandboxTitle.SetVisible(false)
+ }
target := strings.Split(r.Target, ":")
if len(target) != 2 {
return
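Review bot: The new verb branch re-evaluates `sgfw.RuleAction(r.Verb)` in every condition; a `switch sgfw.RuleAction(r.Verb)` with `case sgfw.RULE_ACTION_ALLOW`, `case sgfw.RULE_ACTION_ALLOW_TLSONLY` and a `default` that selects "deny" would mirror the switch in updateRow further down and keep the safe fallback explicit. The "allow"/"allow_tls"/"deny" combo ID set now appears here, in validateFields and in updateRow; a single package-level table mapping combo IDs to RuleAction values would keep the three in step when another action is added. The sandbox labels are only ever hidden when Sandbox is empty and never re-shown, which is fine as long as every edit builds a fresh dialog from the builder (newRuleEdit appears to, but worth confirming). updateDialogFields starts before this hunk and continues past the trailing `return`.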
@@ -67,7 +79,7 @@ func (re *ruleEdit) updateDialogFields() {
func (re *ruleEdit) validateFields() bool {
id := re.verbCombo.GetActiveID()
- if id != "allow" && id != "deny" {
+ if id != "allow" && id != "allow_tls" && id != "deny" {
return false
}
host, _ := re.hostEntry.GetText()
@@ -121,6 +133,8 @@ func (re *ruleEdit) updateRow() {
switch re.verbCombo.GetActiveID() {
case "allow":
r.Verb = uint16(sgfw.RULE_ACTION_ALLOW)
+ case "allow_tls":
+ r.Verb = uint16(sgfw.RULE_ACTION_ALLOW_TLSONLY)
case "deny":
r.Verb = uint16(sgfw.RULE_ACTION_DENY)
}
diff --git a/fw-settings/rules.go b/fw-settings/rules.go
index c184a4a..bb3d9f1 100644
--- a/fw-settings/rules.go
+++ b/fw-settings/rules.go
@@ -135,6 +135,9 @@ func getVerbText(rule *sgfw.DbusRule) string {
if sgfw.RuleAction(rule.Verb) == sgfw.RULE_ACTION_ALLOW {
return sgfw.RuleActionString[sgfw.RULE_ACTION_ALLOW] + ":"
}
+ if sgfw.RuleAction(rule.Verb) == sgfw.RULE_ACTION_ALLOW_TLSONLY {
+ return sgfw.RuleActionString[sgfw.RULE_ACTION_ALLOW_TLSONLY] + ":"
+ }
return sgfw.RuleActionString[sgfw.RULE_ACTION_DENY] + ":"
}
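Review bot: getVerbText is now a chain of three `if` statements that each convert `rule.Verb` again; a `switch sgfw.RuleAction(rule.Verb)` with the two allow cases and a `default` returning the deny string would read more directly and make the "anything unknown renders as deny" behaviour visible at a glance. Behaviour is unchanged either way, since the deny string is still the fallback for every other verb value.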
@@ -180,11 +183,24 @@ func (rr *ruleRow) onEdit() {
}
func (rr *ruleRow) onDelete() {
- body := fmt.Sprintf(`Are you sure you want to delete this rule:
+ var body string
+ if rr.rule.Sandbox != "" {
+ ss := `Are you sure you want to delete this rule:
Path: %s
- Rule: %s %s`, rr.rule.Path, getVerbText(rr.rule), getTargetText(rr.rule))
+ Sandbox: %s
+
+ Rule: %s %s`
+ body = fmt.Sprintf(ss, rr.rule.Path, rr.rule.Sandbox, getVerbText(rr.rule), getTargetText(rr.rule))
+ } else {
+ ss := `Are you sure you want to delete this rule:
+
+ Path: %s
+
+ Rule: %s %s`
+ body = fmt.Sprintf(ss, rr.rule.Path, getVerbText(rr.rule), getTargetText(rr.rule))
+ }
d := gtk.MessageDialogNewWithMarkup(
rr.rl.win,
gtk.DIALOG_DESTROY_WITH_PARENT,
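Review bot: The new sandbox branch interpolates rr.rule.Sandbox, and both branches rr.rule.Path plus the verb/target text, into a string that goes to gtk.MessageDialogNewWithMarkup, which interprets Pango markup; a path or hostname containing `<` or `&` will render incorrectly or be rejected by the markup parser (the call's remaining arguments lie past the hunk, so how body is passed cannot be confirmed here). Escaping each interpolated value, e.g. `html.EscapeString(rr.rule.Path)`, before the Sprintf keeps the dialog showing the literal text whatever the rule contains. The two templates also drift in layout: the sandbox version has no blank line after the heading while the other does, and since the `Path:` and `Rule:` lines are shared, one template with an optional `Sandbox: %s` segment would avoid the duplication. onDelete continues past the hunk.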
diff --git a/sgfw/const.go b/sgfw/const.go
index 21a68b1..f0f8bd1 100644
--- a/sgfw/const.go
+++ b/sgfw/const.go
@@ -130,17 +130,18 @@ var FilterResultValue = map[string]FilterResult{
// DbusRule struct of the rule passed to the dbus interface
type DbusRule struct {
- ID uint32
- Net string
- Origin string
- Proto string
- Pid uint32
- Privs string
- App string
- Path string
- Verb uint16
- Target string
- Mode uint16
+ ID uint32
+ Net string
+ Origin string
+ Proto string
+ Pid uint32
+ Privs string
+ App string
+ Path string
+ Verb uint16
+ Target string
+ Mode uint16
+ Sandbox string
}
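Review bot: Appending `Sandbox string` to DbusRule changes the wire signature of every D-Bus method that takes or returns this struct if it is marshalled as a D-Bus struct (the comment above says it is the rule passed to the dbus interface), so a fw-settings client and an sgfw daemon from different versions will fail to decode each other's rules rather than ignore the field; that is acceptable when both ship together, but it deserves a line in the struct comment. A field comment such as `// Sandbox names the sandbox the rule is scoped to; empty for rules outside any sandbox` would also document the empty-string convention that fw-settings/rule_edit.go and fw-settings/rules.go now rely on.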
/*const (
diff --git a/sgfw/dbus.go b/sgfw/dbus.go
index 6736715..14547ce 100644
--- a/sgfw/dbus.go
+++ b/sgfw/dbus.go
@@ -153,18 +153,20 @@ func createDbusRule(r *Rule) DbusRule {
} else if r.gid >= 0 {
pstr += ":" + strconv.Itoa(r.gid)
}
+ log.Debugf("SANDBOX SANDBOX SANDBOX: %s", r.sandbox)
return DbusRule{
- ID: uint32(r.id),
- Net: netstr,
- Origin: ostr,
- Proto: r.proto,
- Pid: uint32(r.pid),
- Privs: pstr,
- App: path.Base(r.policy.path),
- Path: r.policy.path,
- Verb: uint16(r.rtype),
- Target: r.AddrString(false),
- Mode: uint16(r.mode),
+ ID: uint32(r.id),
+ Net: netstr,
+ Origin: ostr,
+ Proto: r.proto,
+ Pid: uint32(r.pid),
+ Privs: pstr,
+ App: path.Base(r.policy.path),
+ Path: r.policy.path,
+ Verb: uint16(r.rtype),
+ Target: r.AddrString(false),
+ Mode: uint16(r.mode),
+ Sandbox: r.sandbox,
}
}
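Review bot: `log.Debugf("SANDBOX SANDBOX SANDBOX: %s", r.sandbox)` reads as a leftover debugging probe; it fires for every rule exported over D-Bus and adds nothing the returned struct does not already carry. Drop it, or if a trace is wanted keep a conventional message such as `log.Debugf("createDbusRule: id=%d sandbox=%q", r.id, r.sandbox)`. createDbusRule starts before this hunk.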
@@ -223,6 +225,7 @@ func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error {
r.addr = tmp.addr
r.port = tmp.port
r.mode = RuleMode(rule.Mode)
+ r.sandbox = rule.Sandbox
r.policy.lock.Unlock()
if r.mode != RULE_MODE_SESSION {
ds.fw.saveRules()
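Review bot: `r.sandbox = rule.Sandbox` takes the sandbox name straight from the D-Bus caller, while the settings UI in this commit only displays the value (rule_edit.go shows it in a label with no entry), so the one legitimate client never changes it; any other caller can re-scope an existing rule to a different sandbox, or clear it, through this single field. If that is not intended, leave r.sandbox untouched here (or reject a mismatch with a dbus error), and at minimum log at notice level when the incoming value differs from the stored one so the change is visible in the daemon log. UpdateRule starts before the hunk and continues past it; whether access to this method is already restricted by D-Bus policy cannot be seen here.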
diff --git a/sgfw/rules.go b/sgfw/rules.go
index abed5f9..1f891b7 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@@ -187,16 +187,16 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
if pkt != nil {
nfqproto = getNFQProto(pkt)
} else {
- log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname)
- if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) {
+ log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
+ if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
log.Notice("+ Socks5 MATCH SUCCEEDED")
- if r.rtype == RULE_ACTION_DENY {
- return FILTER_DENY
- } else if r.rtype == RULE_ACTION_ALLOW {
- return FILTER_ALLOW
- } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
- return FILTER_ALLOW_TLSONLY
- }
+ if r.rtype == RULE_ACTION_DENY {
+ return FILTER_DENY
+ } else if r.rtype == RULE_ACTION_ALLOW {
+ return FILTER_ALLOW
+ } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
+ return FILTER_ALLOW_TLSONLY
+ }
} else {
return FILTER_PROMPT
}