|
|
@ -1,7 +1,7 @@
|
|
|
|
package sgfw
|
|
|
|
package sgfw
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
import (
|
|
|
|
"encoding/binary"
|
|
|
|
// "encoding/binary"
|
|
|
|
"fmt"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"io/ioutil"
|
|
|
|
"net"
|
|
|
|
"net"
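Review bot: The `"encoding/binary"` import is commented out rather than deleted; `goimports`/`gofmt` would simply drop an unused import, and a commented-out line tends to be re-enabled later without checking whether the code that needed it still exists. The same pattern — silencing diagnostics by commenting them out instead of deleting them or moving them behind a debug-level call, if the logger offers one — recurs in the `match` hunks at -119 and -144, the `filter` hunks at -169, -187, -202, -219 and -242 (the latter leaves a `/** ... */` block), and the `parse` hunk at -281. Deleting the lines keeps the file honest; version control already preserves them.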
|
|
|
@ -71,8 +71,6 @@ func (r *Rule) getString(redact bool) string {
|
|
|
|
sbox := "|"
|
|
|
|
sbox := "|"
|
|
|
|
if r.sandbox != "" {
|
|
|
|
if r.sandbox != "" {
|
|
|
|
sbox = "|" + sbox
|
|
|
|
sbox = "|" + sbox
|
|
|
|
} else {
|
|
|
|
|
|
|
|
log.Notice("sandbox is ", r.sandbox)
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
|
|
|
|
return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
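Review bot: The sandbox name never reaches the serialized rule: `sbox` is `"|"` and becomes `"||"` when `r.sandbox` is set, but `r.sandbox` itself is not appended before the `fmt.Sprintf` on the last line, so the emitted string only signals that a sandbox exists. If the format is meant to carry the name, something like `sbox = "|" + r.sandbox` (or whatever field layout `parse` expects) is needed; if the marker-only form is intended, a comment on `sbox` saying so would stop the next reader from "fixing" it. `getString` begins above this hunk, so I cannot see how `rtype`, `rmode` and `rpriv` are built.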
|
|
|
@ -119,7 +117,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
|
|
|
|
return false
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
|
|
|
|
// log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
|
|
|
|
if r.port != matchAny && r.port != dstPort {
|
|
|
|
if r.port != matchAny && r.port != dstPort {
|
|
|
|
return false
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
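Review bot: The disabled `log.Notice("comparison: ", ...)` prints `hostname`, `dst` and the rule's `r.addr`/`r.hostname` without consulting the redaction setting that `filter` applies to its own output (`FirewallConfig.LogRedact`, visible in the -202 hunk). If this line is ever re-enabled it should go through the same redaction path, e.g. log `r.AddrString(FirewallConfig.LogRedact)` instead of the raw fields; a one-line comment to that effect would be worth more than the commented-out call. `match` starts and ends outside this hunk.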
|
|
|
@ -127,7 +125,6 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
|
|
|
|
return true
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if r.hostname != "" {
|
|
|
|
if r.hostname != "" {
|
|
|
|
log.Notice("comparing hostname")
|
|
|
|
|
|
|
|
if strings.ContainsAny(r.hostname, "*") {
|
|
|
|
if strings.ContainsAny(r.hostname, "*") {
|
|
|
|
regstr := strings.Replace(r.hostname, "*", ".?", -1)
|
|
|
|
regstr := strings.Replace(r.hostname, "*", ".?", -1)
|
|
|
|
match, err := regexp.MatchString(regstr, hostname)
|
|
|
|
match, err := regexp.MatchString(regstr, hostname)
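Review bot: The wildcard translation on the `regstr := strings.Replace(r.hostname, "*", ".?", -1)` line produces an over-broad pattern: `.?` matches zero or one arbitrary character rather than an arbitrary run, the literal dots of the hostname are left unescaped so they match any character, and the pattern is unanchored so `regexp.MatchString` accepts it as a substring anywhere in `hostname`. For a firewall rule that decides whether a connection is allowed, this means a hostname rule can match names it was not written for. I would build the pattern as `regstr := "^" + strings.Replace(regexp.QuoteMeta(r.hostname), "\\*", ".*", -1) + "$"` (QuoteMeta escapes `*` as `\*`, which the Replace then turns into `.*`); consider `(?i)` if hostnames should compare case-insensitively. `match` continues below this hunk, so I cannot see how `err` from `MatchString` is handled.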
|
|
|
@ -144,7 +141,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
|
|
|
|
return true
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if proto == "icmp" {
|
|
|
|
if proto == "icmp" {
|
|
|
|
fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
|
|
|
|
//fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
|
|
|
|
if (r.network != nil && r.network.Contains(src)) || (r.addr.Equal(src)) {
|
|
|
|
if (r.network != nil && r.network.Contains(src)) || (r.addr.Equal(src)) {
|
|
|
|
return true
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
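Review bot: The commented-out `fmt.Printf` in the `icmp` branch still contains `binary.BigEndian.Uint32(src.To4())`, which panics with an index-out-of-range when `src` is not an IPv4 address because `To4()` returns nil; keeping it around as a re-enable candidate is a trap, so delete it rather than comment it. Separately, this branch compares the rule's `r.network`/`r.addr` against `src` while the surrounding code matches against `dst`; if that is deliberate, a comment such as `// ICMP rules are matched against the packet source` above the `if (r.network != nil ...` line would explain it. `match` starts and ends outside this hunk.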
|
|
|
@ -169,10 +166,9 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
|
|
|
|
// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
|
|
|
|
for _, r := range *rl {
|
|
|
|
for _, r := range *rl {
|
|
|
|
log.Notice("fuck ", r)
|
|
|
|
|
|
|
|
nfqproto := ""
|
|
|
|
nfqproto := ""
|
|
|
|
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
|
|
|
|
//log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
|
|
|
|
log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
|
|
|
|
//log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
|
|
|
|
if r.saddr == nil && src != nil && sandboxed {
|
|
|
|
if r.saddr == nil && src != nil && sandboxed {
|
|
|
|
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
|
|
|
|
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
|
|
|
|
// continue
|
|
|
|
// continue
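Review bot: The log line says "Skipping comparison against incompatible rule types" but the following `// continue` is commented out, so the loop does not skip anything and goes on to evaluate this rule against the packet. Either the `continue` should be restored or the message should be reworded to describe what actually happens; as written, anyone reading the log will believe the rule was not considered. I cannot tell from the hunk which behaviour is intended, so this needs the author's decision. `filter` begins above this hunk.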
|
|
|
@ -187,9 +183,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
if pkt != nil {
|
|
|
|
if pkt != nil {
|
|
|
|
nfqproto = getNFQProto(pkt)
|
|
|
|
nfqproto = getNFQProto(pkt)
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
|
|
|
|
|
|
|
|
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
|
|
|
|
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
|
|
|
|
log.Notice("+ Socks5 MATCH SUCCEEDED")
|
|
|
|
// log.Notice("+ Socks5 MATCH SUCCEEDED")
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
return FILTER_DENY
|
|
|
|
return FILTER_DENY
|
|
|
|
} else if r.rtype == RULE_ACTION_ALLOW {
|
|
|
|
} else if r.rtype == RULE_ACTION_ALLOW {
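Review bot: The SOCKS5 condition compares `r.hostname == hostname` literally, whereas `match` (hunk at -127) expands `*` in `r.hostname` into a regular expression, so a wildcard hostname rule matches in one path but not the other; if both paths are meant to accept the same rules, the hostname comparison should be shared. Note also that the `r.hostname == ""` clause satisfies the whole parenthesised group regardless of `r.addr`, so a rule with a specific address and no hostname matches every destination here — worth a comment if intended. Minor style: write `!sandboxed` rather than `sandboxed == false`. `filter` starts and ends outside this hunk.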
|
|
|
@ -202,13 +197,13 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
|
|
|
|
// log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
|
|
|
|
if r.pid >= 0 && r.pid != pinfo.Pid {
|
|
|
|
if r.pid >= 0 && r.pid != pinfo.Pid {
|
|
|
|
//log.Notice("! Skipping comparison of mismatching PIDs")
|
|
|
|
//log.Notice("! Skipping comparison of mismatching PIDs")
|
|
|
|
continue
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
|
|
|
|
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
|
|
|
|
log.Notice("+ MATCH SUCCEEDED")
|
|
|
|
// log.Notice("+ MATCH SUCCEEDED")
|
|
|
|
dstStr := dst.String()
|
|
|
|
dstStr := dst.String()
|
|
|
|
if FirewallConfig.LogRedact {
|
|
|
|
if FirewallConfig.LogRedact {
|
|
|
|
dstStr = STR_REDACTED
|
|
|
|
dstStr = STR_REDACTED
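Review bot: `uidToUser(pinfo.UID)` and `gidToGroup(pinfo.GID)` are evaluated on the `r.match(...)` line for every rule in the list although `pinfo` does not change between iterations; hoisting them into two locals before the `for _, r := range *rl` loop (the -169 hunk) avoids repeating what are likely account lookups per rule. Something like `uname, gname := uidToUser(pinfo.UID), gidToGroup(pinfo.GID)` above the loop and `r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uname, gname)` here. `filter` begins and ends outside this hunk.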
|
|
|
@ -219,12 +214,10 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
srcp, _ := getPacketPorts(pkt)
|
|
|
|
srcp, _ := getPacketPorts(pkt)
|
|
|
|
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
|
|
|
|
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Noticef("%s > %s %s %s -> %s:%d",
|
|
|
|
// log.Noticef("%s > %s %s %s -> %s:%d",
|
|
|
|
r.getString(FirewallConfig.LogRedact),
|
|
|
|
//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
|
|
|
|
pinfo.ExePath, r.proto,
|
|
|
|
|
|
|
|
srcStr,
|
|
|
|
|
|
|
|
dstStr, dstPort)
|
|
|
|
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
|
|
|
|
//TODO: Optionally redact below log entry
|
|
|
|
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
|
|
|
|
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
|
|
|
|
pinfo.ExePath, r.proto,
|
|
|
|
pinfo.ExePath, r.proto,
|
|
|
|
srcStr,
|
|
|
|
srcStr,
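Review bot: The `//TODO: Optionally redact below log entry` is removed, but nothing in the hunk redacts `srcStr` before the `log.Warningf("DENIED ...")` call: `srcStr` is built from `srcip` and `srcp` a few lines up with no check of `FirewallConfig.LogRedact`, while `dstStr` is redacted in the -202 hunk. Unless `srcip` is already redacted where it is assigned (outside this hunk), the DENIED warning still logs the source address when redaction is on; either keep the TODO or apply the same `STR_REDACTED` substitution to `srcStr`. `filter` continues below this hunk.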
|
|
|
@ -242,11 +235,12 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
result = FILTER_ALLOW_TLSONLY
|
|
|
|
result = FILTER_ALLOW_TLSONLY
|
|
|
|
return result
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
|
|
|
|
log.Notice("+ MATCH FAILED")
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**else {
|
|
|
|
|
|
|
|
log.Notice("+ MATCH FAILED")
|
|
|
|
|
|
|
|
} */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Notice("--- RESULT = ", result)
|
|
|
|
// log.Notice("--- RESULT = ", result)
|
|
|
|
return result
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
}
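Review bot: `result = FILTER_ALLOW_TLSONLY` immediately followed by `return result` can be written as `return FILTER_ALLOW_TLSONLY`; since `result` is declared above this hunk I cannot see whether it is a named return, but the assignment is redundant either way. The `/**else { ... } */` block is dead code and should simply be deleted; the trailing `return result` after the loop is the only live path left. `filter` begins above this hunk.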
|
|
|
|
|
|
|
|
|
|
|
@ -281,7 +275,7 @@ func (r *Rule) parse(s string) bool {
|
|
|
|
return false
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
|
|
|
|
// fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
|
|
|
|
|
|
|
|
|
|
|
|
if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
|
|
|
|
if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
|
|
|
|
r.saddr = net.ParseIP(parts[5])
|
|
|
|
r.saddr = net.ParseIP(parts[5])
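Review bot: `net.ParseIP(parts[5])` returns nil on any malformed value, and the guard only checks that the trimmed field is non-empty, so a typo in a rule's source address silently yields a rule with `r.saddr == nil` — which `filter` treats as a non-sandbox rule (see the `r.saddr == nil` checks in the -169 and -187 hunks) instead of rejecting the rule. Since `parse` already returns `false` for other bad input in this hunk, I would fail here too: `if r.saddr = net.ParseIP(strings.TrimSpace(parts[5])); r.saddr == nil { return false }`. Trimming before parsing also matches the whitespace-tolerant check on the line above. `parse` starts and ends outside this hunk.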
|
|
|
|