matth
/
fw-daemon
mirror of https://github.com/subgraph/fw-daemon
1
1
Fork 0
Code Releases Activity

Settings: adding sandbox and allow tls to rule edit...

Browse Source
shw-merge
xSmurf 7 years ago
parent ef9a0a22c2
commit 119344dbfc
7 changed files with 135 additions and 43 deletions
Show Stats Download Patch File Download Diff File

31
fw-settings/definitions/RuleEdit.ui
Unescape View File

@ -98,6 +98,7 @@
<property name="active">0</property> <property name="active">0</property>
<items> <items>
<item id="allow" translatable="yes">Allow</item> <item id="allow" translatable="yes">Allow</item>
<item id="allow_tls" translatable="yes">Allow TLS Only</item>
<item id="deny" translatable="yes">Deny</item> <item id="deny" translatable="yes">Deny</item>
</items> </items>
</object> </object>
@ -162,7 +163,7 @@
</object> </object>
<packing> <packing>
<property name="left_attach">0</property> <property name="left_attach">0</property>
<property name="top_attach">2</property> <property name="top_attach">3</property>
<property name="width">2</property> <property name="width">2</property>
</packing> </packing>
</child> </child>
@ -184,6 +185,34 @@
<property name="top_attach">1</property> <property name="top_attach">1</property>
</packing> </packing>
</child> </child>
<child>
<object class="GtkLabel" id="sandbox_title">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="halign">start</property>
<property name="hexpand">False</property>
<property name="label" translatable="yes">Sandbox:</property>
<attributes>
<attribute name="weight" value="bold"/>
</attributes>
</object>
<packing>
<property name="left_attach">0</property>
<property name="top_attach">2</property>
</packing>
</child>
<child>
<object class="GtkLabel" id="sandbox_label">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="halign">start</property>
<property name="hexpand">True</property>
</object>
<packing>
<property name="left_attach">1</property>
<property name="top_attach">2</property>
</packing>
</child>
</object> </object>
<packing> <packing>
<property name="expand">False</property> <property name="expand">False</property>

31
fw-settings/definitions/rule_edit.go
Unescape View File

@ -108,6 +108,7 @@ func (*defRuleEdit) String() string {
<property name="active">0</property> <property name="active">0</property>
<items> <items>
<item id="allow" translatable="yes">Allow</item> <item id="allow" translatable="yes">Allow</item>
<item id="allow_tls" translatable="yes">Allow TLS Only</item>
<item id="deny" translatable="yes">Deny</item> <item id="deny" translatable="yes">Deny</item>
</items> </items>
</object> </object>
@ -172,7 +173,7 @@ func (*defRuleEdit) String() string {
</object> </object>
<packing> <packing>
<property name="left_attach">0</property> <property name="left_attach">0</property>
<property name="top_attach">2</property> <property name="top_attach">3</property>
<property name="width">2</property> <property name="width">2</property>
</packing> </packing>
</child> </child>
@ -194,6 +195,34 @@ func (*defRuleEdit) String() string {
<property name="top_attach">1</property> <property name="top_attach">1</property>
</packing> </packing>
</child> </child>
<child>
<object class="GtkLabel" id="sandbox_title">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="halign">start</property>
<property name="hexpand">False</property>
<property name="label" translatable="yes">Sandbox:</property>
<attributes>
<attribute name="weight" value="bold"/>
</attributes>
</object>
<packing>
<property name="left_attach">0</property>
<property name="top_attach">2</property>
</packing>
</child>
<child>
<object class="GtkLabel" id="sandbox_label">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="halign">start</property>
<property name="hexpand">True</property>
</object>
<packing>
<property name="left_attach">1</property>
<property name="top_attach">2</property>
</packing>
</child>
</object> </object>
<packing> <packing>
<property name="expand">False</property> <property name="expand">False</property>

30
fw-settings/rule_edit.go
Unescape View File

@ -18,13 +18,15 @@ const (
) )
type ruleEdit struct { type ruleEdit struct {
row *ruleRow row *ruleRow
dialog *gtk.Dialog dialog *gtk.Dialog
pathLabel *gtk.Label pathLabel *gtk.Label
verbCombo *gtk.ComboBoxText sandboxLabel *gtk.Label
hostEntry *gtk.Entry sandboxTitle *gtk.Label
portEntry *gtk.Entry verbCombo *gtk.ComboBoxText
ok *gtk.Button hostEntry *gtk.Entry
portEntry *gtk.Entry
ok *gtk.Button
} }
func newRuleEdit(rr *ruleRow, saveasnew bool) *ruleEdit { func newRuleEdit(rr *ruleRow, saveasnew bool) *ruleEdit {
@ -33,6 +35,8 @@ func newRuleEdit(rr *ruleRow, saveasnew bool) *ruleEdit {
b.getItems( b.getItems(
"dialog", &redit.dialog, "dialog", &redit.dialog,
"path_label", &redit.pathLabel, "path_label", &redit.pathLabel,
"sandbox_label", &redit.sandboxLabel,
"sandbox_title", &redit.sandboxTitle,
"verb_combo", &redit.verbCombo, "verb_combo", &redit.verbCombo,
"host_entry", &redit.hostEntry, "host_entry", &redit.hostEntry,
"port_entry", &redit.portEntry, "port_entry", &redit.portEntry,
@ -54,9 +58,17 @@ func (re *ruleEdit) updateDialogFields() {
re.pathLabel.SetText(r.Path) re.pathLabel.SetText(r.Path)
if sgfw.RuleAction(r.Verb) == sgfw.RULE_ACTION_ALLOW { if sgfw.RuleAction(r.Verb) == sgfw.RULE_ACTION_ALLOW {
re.verbCombo.SetActiveID("allow") re.verbCombo.SetActiveID("allow")
} else if sgfw.RuleAction(r.Verb) == sgfw.RULE_ACTION_ALLOW_TLSONLY {
re.verbCombo.SetActiveID("allow_tls")
} else { } else {
re.verbCombo.SetActiveID("deny") re.verbCombo.SetActiveID("deny")
} }
if r.Sandbox != "" {
re.sandboxLabel.SetText(r.Sandbox)
} else {
re.sandboxLabel.SetVisible(false)
re.sandboxTitle.SetVisible(false)
}
target := strings.Split(r.Target, ":") target := strings.Split(r.Target, ":")
if len(target) != 2 { if len(target) != 2 {
return return
@ -67,7 +79,7 @@ func (re *ruleEdit) updateDialogFields() {
func (re *ruleEdit) validateFields() bool { func (re *ruleEdit) validateFields() bool {
id := re.verbCombo.GetActiveID() id := re.verbCombo.GetActiveID()
if id != "allow" && id != "deny" { if id != "allow" && id != "allow_tls" && id != "deny" {
return false return false
} }
host, _ := re.hostEntry.GetText() host, _ := re.hostEntry.GetText()
@ -121,6 +133,8 @@ func (re *ruleEdit) updateRow() {
switch re.verbCombo.GetActiveID() { switch re.verbCombo.GetActiveID() {
case "allow": case "allow":
r.Verb = uint16(sgfw.RULE_ACTION_ALLOW) r.Verb = uint16(sgfw.RULE_ACTION_ALLOW)
case "allow_tls":
r.Verb = uint16(sgfw.RULE_ACTION_ALLOW_TLSONLY)
case "deny": case "deny":
r.Verb = uint16(sgfw.RULE_ACTION_DENY) r.Verb = uint16(sgfw.RULE_ACTION_DENY)
} }

20
fw-settings/rules.go
Unescape View File

@ -135,6 +135,9 @@ func getVerbText(rule *sgfw.DbusRule) string {
if sgfw.RuleAction(rule.Verb) == sgfw.RULE_ACTION_ALLOW { if sgfw.RuleAction(rule.Verb) == sgfw.RULE_ACTION_ALLOW {
return sgfw.RuleActionString[sgfw.RULE_ACTION_ALLOW] + ":" return sgfw.RuleActionString[sgfw.RULE_ACTION_ALLOW] + ":"
} }
if sgfw.RuleAction(rule.Verb) == sgfw.RULE_ACTION_ALLOW_TLSONLY {
return sgfw.RuleActionString[sgfw.RULE_ACTION_ALLOW_TLSONLY] + ":"
}
return sgfw.RuleActionString[sgfw.RULE_ACTION_DENY] + ":" return sgfw.RuleActionString[sgfw.RULE_ACTION_DENY] + ":"
} }
@ -180,11 +183,24 @@ func (rr *ruleRow) onEdit() {
} }
func (rr *ruleRow) onDelete() { func (rr *ruleRow) onDelete() {
body := fmt.Sprintf(`Are you sure you want to delete this rule: var body string
if rr.rule.Sandbox != "" {
ss := `Are you sure you want to delete this rule:
<b>Path:</b> %s <b>Path:</b> %s
<b>Rule:</b> %s %s`, rr.rule.Path, getVerbText(rr.rule), getTargetText(rr.rule)) <b>Sandbox:</b> %s
<b>Rule:</b> %s %s`
body = fmt.Sprintf(ss, rr.rule.Path, rr.rule.Sandbox, getVerbText(rr.rule), getTargetText(rr.rule))
} else {
ss := `Are you sure you want to delete this rule:
<b>Path:</b> %s
<b>Rule:</b> %s %s`
body = fmt.Sprintf(ss, rr.rule.Path, getVerbText(rr.rule), getTargetText(rr.rule))
}
d := gtk.MessageDialogNewWithMarkup( d := gtk.MessageDialogNewWithMarkup(
rr.rl.win, rr.rl.win,
gtk.DIALOG_DESTROY_WITH_PARENT, gtk.DIALOG_DESTROY_WITH_PARENT,

23
sgfw/const.go
Unescape View File

@ -130,17 +130,18 @@ var FilterResultValue = map[string]FilterResult{
// DbusRule struct of the rule passed to the dbus interface // DbusRule struct of the rule passed to the dbus interface
type DbusRule struct { type DbusRule struct {
ID uint32 ID uint32
Net string Net string
Origin string Origin string
Proto string Proto string
Pid uint32 Pid uint32
Privs string Privs string
App string App string
Path string Path string
Verb uint16 Verb uint16
Target string Target string
Mode uint16 Mode uint16
Sandbox string
} }
/*const ( /*const (

25
sgfw/dbus.go
Unescape View File

@ -153,18 +153,20 @@ func createDbusRule(r *Rule) DbusRule {
} else if r.gid >= 0 { } else if r.gid >= 0 {
pstr += ":" + strconv.Itoa(r.gid) pstr += ":" + strconv.Itoa(r.gid)
} }
log.Debugf("SANDBOX SANDBOX SANDBOX: %s", r.sandbox)
return DbusRule{ return DbusRule{
ID: uint32(r.id), ID: uint32(r.id),
Net: netstr, Net: netstr,
Origin: ostr, Origin: ostr,
Proto: r.proto, Proto: r.proto,
Pid: uint32(r.pid), Pid: uint32(r.pid),
Privs: pstr, Privs: pstr,
App: path.Base(r.policy.path), App: path.Base(r.policy.path),
Path: r.policy.path, Path: r.policy.path,
Verb: uint16(r.rtype), Verb: uint16(r.rtype),
Target: r.AddrString(false), Target: r.AddrString(false),
Mode: uint16(r.mode), Mode: uint16(r.mode),
Sandbox: r.sandbox,
} }
} }
@ -223,6 +225,7 @@ func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error {
r.addr = tmp.addr r.addr = tmp.addr
r.port = tmp.port r.port = tmp.port
r.mode = RuleMode(rule.Mode) r.mode = RuleMode(rule.Mode)
r.sandbox = rule.Sandbox
r.policy.lock.Unlock() r.policy.lock.Unlock()
if r.mode != RULE_MODE_SESSION { if r.mode != RULE_MODE_SESSION {
ds.fw.saveRules() ds.fw.saveRules()

18
sgfw/rules.go
Unescape View File

@ -187,16 +187,16 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
if pkt != nil { if pkt != nil {
nfqproto = getNFQProto(pkt) nfqproto = getNFQProto(pkt)
} else { } else {
log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname) log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) { if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
log.Notice("+ Socks5 MATCH SUCCEEDED") log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY { if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW { } else if r.rtype == RULE_ACTION_ALLOW {
return FILTER_ALLOW return FILTER_ALLOW
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY { } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
return FILTER_ALLOW_TLSONLY return FILTER_ALLOW_TLSONLY
} }
} else { } else {
return FILTER_PROMPT return FILTER_PROMPT
} }

Write Preview
Loading…
Cancel
Save