From 5f454f2c6bfd020fd6a5c1e18f2c1612fb45fce9 Mon Sep 17 00:00:00 2001
From: dma <dma@subgraph.com>
Date: Wed, 20 Sep 2017 04:02:29 +0000
Subject: [PATCH] Remove debug output

---
 sgfw/policy.go | 15 +++++++--------
 sgfw/rules.go  | 40 +++++++++++++++++-----------------------
 2 files changed, 24 insertions(+), 31 deletions(-)

diff --git a/sgfw/policy.go b/sgfw/policy.go
index de4254f..35c1bd1 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -273,8 +273,7 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
 
 func (p *Policy) processPromptResult(pc pendingConnection) {
 	p.pendingQueue = append(p.pendingQueue, pc)
-	fmt.Println("im here now.. processing prompt result..")
-	fmt.Println("processPromptResult(): p.promptInProgress = ", p.promptInProgress)
+	//fmt.Println("processPromptResult(): p.promptInProgress = ", p.promptInProgress)
 	if DoMultiPrompt || (!DoMultiPrompt && !p.promptInProgress) {
 		p.promptInProgress = true
 		go p.fw.dbus.prompt(p)
@@ -337,7 +336,7 @@ func (p *Policy) processNewRule(r *Rule, scope FilterScope) bool {
 }
 
 func (p *Policy) parseRule(s string, add bool) (*Rule, error) {
-	log.Noticef("XXX: attempt to parse rule: |%s|\n", s)
+	//log.Noticef("XXX: attempt to parse rule: |%s|\n", s)
 	r := new(Rule)
 	r.pid = -1
 	r.mode = RULE_MODE_PERMANENT
@@ -372,7 +371,7 @@ func (p *Policy) filterPending(rule *Rule) {
 	for _, pc := range p.pendingQueue {
 		if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) {
 			log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
-			log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
+//			log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
 			if rule.rtype == RULE_ACTION_ALLOW {
 				pc.accept()
 			} else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY {
@@ -650,7 +649,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
 				rlines = append(rlines, strings.Join(ssplit, ":"))
 			}
 
-			log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) 
+		//	log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) 
 
 			if proto == "tcp" {
 				res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
@@ -667,9 +666,9 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
 				res.Sandbox = OzInitPids[i].Name
 				res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid)
 				break
-			} else {
+			} /*else {
 				log.Warningf("*****\nCouldn't find proc for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
-			}
+			} */
 		}
 
 	}
@@ -710,7 +709,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
 		return nil, optstr
 	}
 
-	log.Noticef("XXX proto = %s, from %v : %v -> %v : %v\n", proto, srcip, srcp, dstip, dstp)
+	// log.Noticef("XXX proto = %s, from %v : %v -> %v : %v\n", proto, srcip, srcp, dstip, dstp)
 
 	var res *procsnitch.Info = nil
 
diff --git a/sgfw/rules.go b/sgfw/rules.go
index 1f891b7..33ae34f 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@@ -1,7 +1,7 @@
 package sgfw
 
 import (
-	"encoding/binary"
+//	"encoding/binary"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -71,8 +71,6 @@ func (r *Rule) getString(redact bool) string {
 	sbox := "|"
 	if r.sandbox != "" {
 		sbox = "|" + sbox
-	} else {
-		log.Notice("sandbox is ", r.sandbox)
 	}
 
 	return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
@@ -119,7 +117,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
 		return false
 	}
 
-	log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
+	// log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
 	if r.port != matchAny && r.port != dstPort {
 		return false
 	}
@@ -127,7 +125,6 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
 		return true
 	}
 	if r.hostname != "" {
-		log.Notice("comparing hostname")
 		if strings.ContainsAny(r.hostname, "*") {
 			regstr := strings.Replace(r.hostname, "*", ".?", -1)
 			match, err := regexp.MatchString(regstr, hostname)
@@ -144,7 +141,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
 		return true
 	}
 	if proto == "icmp" {
-		fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
+		//fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
 		if (r.network != nil && r.network.Contains(src)) || (r.addr.Equal(src)) {
 			return true
 		}
@@ -169,10 +166,9 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 	}
 	// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
 	for _, r := range *rl {
-		log.Notice("fuck ", r)
 		nfqproto := ""
-		log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
-		log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
+		//log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
+		//log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
 		if r.saddr == nil && src != nil && sandboxed {
 			log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
 			// continue
@@ -187,9 +183,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 			if pkt != nil {
 				nfqproto = getNFQProto(pkt)
 			} else {
-				log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
 				if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
-					log.Notice("+ Socks5 MATCH SUCCEEDED")
+				//	log.Notice("+ Socks5 MATCH SUCCEEDED")
 					if r.rtype == RULE_ACTION_DENY {
 						return FILTER_DENY
 					} else if r.rtype == RULE_ACTION_ALLOW {
@@ -202,13 +197,13 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 				}
 			}
 		}
-		log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
+		// log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
 		if r.pid >= 0 && r.pid != pinfo.Pid {
 			//log.Notice("! Skipping comparison of mismatching PIDs")
 			continue
 		}
 		if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
-			log.Notice("+ MATCH SUCCEEDED")
+		//	log.Notice("+ MATCH SUCCEEDED")
 			dstStr := dst.String()
 			if FirewallConfig.LogRedact {
 				dstStr = STR_REDACTED
@@ -219,13 +214,11 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 				srcp, _ := getPacketPorts(pkt)
 				srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
 			}
-			log.Noticef("%s > %s %s %s -> %s:%d",
-				r.getString(FirewallConfig.LogRedact),
-				pinfo.ExePath, r.proto,
-				srcStr,
-				dstStr, dstPort)
+		//	log.Noticef("%s > %s %s %s -> %s:%d",
+			//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
 			if r.rtype == RULE_ACTION_DENY {
-				log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
+					//TODO: Optionally redact below log entry
+					log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
 					pinfo.ExePath, r.proto,
 					srcStr,
 					dstStr, dstPort)
@@ -242,11 +235,12 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 				result = FILTER_ALLOW_TLSONLY
 				return result
 			}
-		} else {
+		} 
+/**else {
 			log.Notice("+ MATCH FAILED")
-		}
+		} */
 	}
-	log.Notice("--- RESULT = ", result)
+	// log.Notice("--- RESULT = ", result)
 	return result
 }
 
@@ -281,7 +275,7 @@ func (r *Rule) parse(s string) bool {
 		return false
 	}
 
-	fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
+	// fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
 
 	if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
 		r.saddr = net.ParseIP(parts[5])