diff --git a/sgfw/policy.go b/sgfw/policy.go
index de4254f..35c1bd1 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -273,8 +273,7 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
 
 func (p *Policy) processPromptResult(pc pendingConnection) {
 p.pendingQueue = append(p.pendingQueue, pc)
- fmt.Println("im here now.. processing prompt result..")
- fmt.Println("processPromptResult(): p.promptInProgress = ", p.promptInProgress)
+ //fmt.Println("processPromptResult(): p.promptInProgress = ", p.promptInProgress)
 if DoMultiPrompt || (!DoMultiPrompt && !p.promptInProgress) {
 p.promptInProgress = true
 go p.fw.dbus.prompt(p)
@@ -337,7 +336,7 @@ func (p *Policy) processNewRule(r *Rule, scope FilterScope) bool {
 }
 
 func (p *Policy) parseRule(s string, add bool) (*Rule, error) {
- log.Noticef("XXX: attempt to parse rule: |%s|\n", s)
+ //log.Noticef("XXX: attempt to parse rule: |%s|\n", s)
 r := new(Rule)
 r.pid = -1
 r.mode = RULE_MODE_PERMANENT
@@ -372,7 +371,7 @@ func (p *Policy) filterPending(rule *Rule) {
 for _, pc := range p.pendingQueue {
 if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) {
 log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
- log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
+// log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
 if rule.rtype == RULE_ACTION_ALLOW {
 pc.accept()
 } else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY {
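Review bot: The debug call is commented out rather than deleted (`+ //fmt.Println(...)` here, and the same pattern in the remaining hunks of policy.go and rules.go, including the `/*else {` … `} */` blocks and the `// "encoding/binary"` import); git history already preserves the old statements, and commented-out code is invisible to gofmt, vet and staticcheck, so the muted lines will silently rot. Prefer deleting them outright. The condition on the following line also simplifies: `if DoMultiPrompt || !p.promptInProgress {` is equivalent to the current expression, since `!DoMultiPrompt` is implied whenever the first operand is false. processPromptResult's body continues past the end of the hunk.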
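Review bot: The three-line construction of the rule would read better as a single composite literal, `r := &Rule{pid: -1, mode: RULE_MODE_PERMANENT}`, which keeps the non-zero defaults in one place and presents them as the rule's initial state rather than a sequence of assignments. parseRule continues outside the hunk, so whether further fields are initialised later cannot be seen here.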
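Review bot: `pc.procInfo()` is evaluated four times inside the `rule.match(...)` condition; hoisting it once per iteration with `pi := pc.procInfo()` and passing `pi.UID`, `pi.GID`, `uidToUser(pi.UID)`, `gidToGroup(pi.GID)` is easier to read and avoids repeating whatever work procInfo does (its body is not visible here). The new `+// log.Noticef` line sits at column 0, which gofmt would normally re-indent to the surrounding block — a sign the file was not formatted after the edit. filterPending's loop body continues past the hunk.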
@@ -650,7 +649,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
 rlines = append(rlines, strings.Join(ssplit, ":"))
 }
 
- log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
+ // log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
 
 if proto == "tcp" {
 res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
@@ -667,9 +666,9 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
 res.Sandbox = OzInitPids[i].Name
 res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid)
 break
- } else {
+ } /*else {
 log.Warningf("*****\nCouldn't find proc for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
- }
+ } */
 }
 }
 
@@ -710,7 +709,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
 return nil, optstr
 }
 
- log.Noticef("XXX proto = %s, from %v : %v -> %v : %v\n", proto, srcip, srcp, dstip, dstp)
+ // log.Noticef("XXX proto = %s, from %v : %v -> %v : %v\n", proto, srcip, srcp, dstip, dstp)
 
 var res *procsnitch.Info = nil
 
diff --git a/sgfw/rules.go b/sgfw/rules.go
index 1f891b7..33ae34f 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@@ -1,7 +1,7 @@
 package sgfw
 
 import (
- "encoding/binary"
+// "encoding/binary"
 "fmt"
 "io/ioutil"
 "net"
@@ -71,8 +71,6 @@ func (r *Rule) getString(redact bool) string {
 sbox := "|"
 if r.sandbox != "" {
 sbox = "|" + sbox
- } else {
- log.Notice("sandbox is ", r.sandbox)
 }
 
 return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
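Review bot: `var res *procsnitch.Info = nil` spells out the zero value explicitly; the idiomatic form is `var res *procsnitch.Info`, which declares the same nil pointer without the redundant initialiser. findProcessForPacket continues outside the hunk.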
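Review bot: The commented-out `// "encoding/binary"` import should be removed from the import block rather than kept; goimports will add the package back the moment a use reappears, and a comment inside the import group is noise for every later reader. If the module targets Go 1.16 or later, `io/ioutil` two lines below is deprecated and `os.ReadFile`/`io.ReadAll` are the replacements — worth checking against the go.mod version, which is not part of this diff.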
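Review bot: With the else branch gone, the `sbox` computation stands out: `sbox = "|" + sbox` only ever produces `"||"`, so the sandbox name never reaches the formatted string even though the branch is keyed on `r.sandbox != ""`. If getString is meant to serialise the sandbox field (the removed `"sandbox is "` debug line suggests exactly that was being investigated), `sbox = "|" + r.sandbox` looks like the intent — confirm against Rule.parse and whatever consumes this string before changing it. getString begins outside the hunk.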
@@ -119,7 +117,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
 return false
 }
 
- log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
+ // log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
 if r.port != matchAny && r.port != dstPort {
 return false
 }
@@ -127,7 +125,6 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
 return true
 }
 if r.hostname != "" {
- log.Notice("comparing hostname")
 if strings.ContainsAny(r.hostname, "*") {
 regstr := strings.Replace(r.hostname, "*", ".?", -1)
 match, err := regexp.MatchString(regstr, hostname)
@@ -144,7 +141,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
 return true
 }
 if proto == "icmp" {
- fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
+ //fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
 if (r.network != nil && r.network.Contains(src)) || (r.addr.Equal(src)) {
 return true
 }
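Review bot: The wildcard-to-regex conversion on the `regstr := strings.Replace(r.hostname, "*", ".?", -1)` line leaves the pattern unanchored and does not escape the literal dots, so `regexp.MatchString` performs a substring search in which every `.` of the rule hostname matches any character; a rule written for `*.example.com` therefore also matches a hostname such as `evilexample.com` (constructed example), which widens allow rules in a firewall. Replacing `*` with `.?` also permits only zero or one character, which is unlikely to be the glob semantics a rule author expects. Building the pattern as `regstr := "^" + strings.Replace(regexp.QuoteMeta(r.hostname), "\\*", ".*", -1) + "$"` escapes the literal parts, restores the usual glob meaning and anchors both ends. Rule.match starts and ends outside this hunk, so whether the pattern is additionally validated at parse time cannot be seen here.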
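Review bot: `(r.addr.Equal(src))` carries redundant parentheses; `r.addr.Equal(src)` reads the same. The ICMP branch is also the only place in the visible parts of match that compares the rule against `src` rather than `dst`; that may well be deliberate, but a one-line comment stating why, e.g. `// icmp rules are matched on the packet source, not dst`, would save the next reader from wondering whether it is a typo — confirm the intent before wording it.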
@@ -169,10 +166,9 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 }
 // sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
 for _, r := range *rl {
- log.Notice("fuck ", r)
 nfqproto := ""
- log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
- log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
+ //log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
+ //log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
 if r.saddr == nil && src != nil && sandboxed {
 log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
 // continue
@@ -187,9 +183,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 if pkt != nil {
 nfqproto = getNFQProto(pkt)
 } else {
- log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
 if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
- log.Notice("+ Socks5 MATCH SUCCEEDED")
+ // log.Notice("+ Socks5 MATCH SUCCEEDED")
 if r.rtype == RULE_ACTION_DENY {
 return FILTER_DENY
 } else if r.rtype == RULE_ACTION_ALLOW {
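Review bot: The surviving `log.Notice("! Skipping comparison against incompatible rule types: ...` line is followed by `// continue`, so nothing is skipped — the iteration presumably falls through to the matching below — and the message now misstates the control flow; either restore `continue` or reword the message to describe what actually happens. It is also the one Notice in this loop left unmuted, and it prints the packet source address without consulting `FirewallConfig.LogRedact`, which the DENIED path later in filter honours for `dstStr`; gate it the same way or lower its level. The remaining `+ //log.Notice` lines still carry `optstr` and PIDs in their text; deleting rather than commenting keeps that out of the source. filter's loop body continues outside the hunk.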
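Review bot: `sandboxed == false` in the SOCKS5 condition is better written `!sandboxed`. More importantly, the last conjunct `(r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)` never looks at `dst`, so a rule carrying a specific address but no hostname satisfies it for every destination on that port in this branch; if that is not intended, the middle arm presumably should be `(r.hostname == "" && r.addr.Equal(dst))` — confirm against how SOCKS5 rules are written before changing it. With the "Weird state" Noticef gone, nothing documents when `pkt == nil` occurs; a short comment on the `} else {` line, e.g. `// pkt == nil: connection came through the SOCKS5 path` (adjusted to the actual invariant), would help.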
@@ -202,13 +197,13 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 }
 }
 }
- log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
+ // log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
 if r.pid >= 0 && r.pid != pinfo.Pid {
 //log.Notice("! Skipping comparison of mismatching PIDs")
 continue
 }
 if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
- log.Notice("+ MATCH SUCCEEDED")
+ // log.Notice("+ MATCH SUCCEEDED")
 dstStr := dst.String()
 if FirewallConfig.LogRedact {
 dstStr = STR_REDACTED
@@ -219,13 +214,11 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 srcp, _ := getPacketPorts(pkt)
 srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
 }
- log.Noticef("%s > %s %s %s -> %s:%d",
- r.getString(FirewallConfig.LogRedact),
- pinfo.ExePath, r.proto,
- srcStr,
- dstStr, dstPort)
+ // log.Noticef("%s > %s %s %s -> %s:%d",
+ //r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
 if r.rtype == RULE_ACTION_DENY {
- log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
+ //TODO: Optionally redact below log entry
+ log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
 pinfo.ExePath, r.proto,
 srcStr,
 dstStr, dstPort)
@@ -242,11 +235,12 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 result = FILTER_ALLOW_TLSONLY
 return result
 }
- } else {
+ }
+/**else {
 log.Notice("+ MATCH FAILED")
- }
+ } */
 }
- log.Notice("--- RESULT = ", result)
+ // log.Notice("--- RESULT = ", result)
 return result
 }
 
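Review bot: The new `//TODO: Optionally redact below log entry` sits above a Warningf that already receives a redacted `dstStr` (set to `STR_REDACTED` under `FirewallConfig.LogRedact` in the preceding hunk), but `srcStr` — built from `srcip` and `srcp` on the lines just above — and `pinfo.ExePath` are logged unredacted, so the redaction setting is only half applied to the DENIED line. Applying the same rule to the source, `if FirewallConfig.LogRedact { srcStr = STR_REDACTED }` right after it is formatted, closes that gap; whether ExePath should be redacted too is the policy question the TODO should settle. The `+ //r.getString(...)` line also folds five removed lines into one comment that no longer looks related to the line above it; deleting the muted Noticef entirely would be cleaner. filter continues outside the hunk.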
@@ -281,7 +275,7 @@ func (r *Rule) parse(s string) bool {
 return false
 }
 
- fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
+ // fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
 
 if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
 r.saddr = net.ParseIP(parts[5])
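Review bot: The source-address field is tested with `strings.TrimSpace(parts[5])` but parsed from the untrimmed `parts[5]`, and ParseIP's nil result is never checked, so a rule whose sixth field has surrounding whitespace or a typo silently ends up with `r.saddr == nil` — a value RuleList.filter treats as a different rule class, so the rule quietly loses its source-address constraint instead of being rejected. Parse the trimmed value and fail on a bad address: `if r.saddr = net.ParseIP(strings.TrimSpace(parts[5])); r.saddr == nil { return false }`. Rule.parse starts and ends outside the hunk, so whether a later check already covers this cannot be seen here.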