Remove debug output

shw-merge
dma 7 years ago
parent 2869f15ba1
commit 5f454f2c6b

@ -273,8 +273,7 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
func (p *Policy) processPromptResult(pc pendingConnection) { func (p *Policy) processPromptResult(pc pendingConnection) {
p.pendingQueue = append(p.pendingQueue, pc) p.pendingQueue = append(p.pendingQueue, pc)
fmt.Println("im here now.. processing prompt result..") //fmt.Println("processPromptResult(): p.promptInProgress = ", p.promptInProgress)
fmt.Println("processPromptResult(): p.promptInProgress = ", p.promptInProgress)
if DoMultiPrompt || (!DoMultiPrompt && !p.promptInProgress) { if DoMultiPrompt || (!DoMultiPrompt && !p.promptInProgress) {
p.promptInProgress = true p.promptInProgress = true
go p.fw.dbus.prompt(p) go p.fw.dbus.prompt(p)
@ -337,7 +336,7 @@ func (p *Policy) processNewRule(r *Rule, scope FilterScope) bool {
} }
func (p *Policy) parseRule(s string, add bool) (*Rule, error) { func (p *Policy) parseRule(s string, add bool) (*Rule, error) {
log.Noticef("XXX: attempt to parse rule: |%s|\n", s) //log.Noticef("XXX: attempt to parse rule: |%s|\n", s)
r := new(Rule) r := new(Rule)
r.pid = -1 r.pid = -1
r.mode = RULE_MODE_PERMANENT r.mode = RULE_MODE_PERMANENT
@ -372,7 +371,7 @@ func (p *Policy) filterPending(rule *Rule) {
for _, pc := range p.pendingQueue { for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) { if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) {
log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact)) log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print()) // log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ACTION_ALLOW { if rule.rtype == RULE_ACTION_ALLOW {
pc.accept() pc.accept()
} else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY { } else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY {
@ -650,7 +649,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
rlines = append(rlines, strings.Join(ssplit, ":")) rlines = append(rlines, strings.Join(ssplit, ":"))
} }
log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) // log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
if proto == "tcp" { if proto == "tcp" {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines) res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
@ -667,9 +666,9 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
res.Sandbox = OzInitPids[i].Name res.Sandbox = OzInitPids[i].Name
res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid) res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid)
break break
} else { } /*else {
log.Warningf("*****\nCouldn't find proc for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) log.Warningf("*****\nCouldn't find proc for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
} } */
} }
} }
@ -710,7 +709,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
return nil, optstr return nil, optstr
} }
log.Noticef("XXX proto = %s, from %v : %v -> %v : %v\n", proto, srcip, srcp, dstip, dstp) // log.Noticef("XXX proto = %s, from %v : %v -> %v : %v\n", proto, srcip, srcp, dstip, dstp)
var res *procsnitch.Info = nil var res *procsnitch.Info = nil

@ -1,7 +1,7 @@
package sgfw package sgfw
import ( import (
"encoding/binary" // "encoding/binary"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net" "net"
@ -71,8 +71,6 @@ func (r *Rule) getString(redact bool) string {
sbox := "|" sbox := "|"
if r.sandbox != "" { if r.sandbox != "" {
sbox = "|" + sbox sbox = "|" + sbox
} else {
log.Notice("sandbox is ", r.sandbox)
} }
return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox) return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
@ -119,7 +117,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
return false return false
} }
log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port) // log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", r.addr, " / ", r.hostname, " : ", r.port)
if r.port != matchAny && r.port != dstPort { if r.port != matchAny && r.port != dstPort {
return false return false
} }
@ -127,7 +125,6 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
return true return true
} }
if r.hostname != "" { if r.hostname != "" {
log.Notice("comparing hostname")
if strings.ContainsAny(r.hostname, "*") { if strings.ContainsAny(r.hostname, "*") {
regstr := strings.Replace(r.hostname, "*", ".?", -1) regstr := strings.Replace(r.hostname, "*", ".?", -1)
match, err := regexp.MatchString(regstr, hostname) match, err := regexp.MatchString(regstr, hostname)
@ -144,7 +141,7 @@ func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, pr
return true return true
} }
if proto == "icmp" { if proto == "icmp" {
fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4())) //fmt.Printf("network = %v, src = %v, r.addr = %x, src to4 = %x\n", r.network, src, r.addr, binary.BigEndian.Uint32(src.To4()))
if (r.network != nil && r.network.Contains(src)) || (r.addr.Equal(src)) { if (r.network != nil && r.network.Contains(src)) || (r.addr.Equal(src)) {
return true return true
} }
@ -169,10 +166,9 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
} }
// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox") // sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
for _, r := range *rl { for _, r := range *rl {
log.Notice("fuck ", r)
nfqproto := "" nfqproto := ""
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid) //log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr) //log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
if r.saddr == nil && src != nil && sandboxed { if r.saddr == nil && src != nil && sandboxed {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src) log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
// continue // continue
@ -187,9 +183,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
if pkt != nil { if pkt != nil {
nfqproto = getNFQProto(pkt) nfqproto = getNFQProto(pkt)
} else { } else {
log.Noticef("Weird state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) { if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
log.Notice("+ Socks5 MATCH SUCCEEDED") // log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY { if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW { } else if r.rtype == RULE_ACTION_ALLOW {
@ -202,13 +197,13 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
} }
} }
} }
log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n") // log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
if r.pid >= 0 && r.pid != pinfo.Pid { if r.pid >= 0 && r.pid != pinfo.Pid {
//log.Notice("! Skipping comparison of mismatching PIDs") //log.Notice("! Skipping comparison of mismatching PIDs")
continue continue
} }
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) { if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
log.Notice("+ MATCH SUCCEEDED") // log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String() dstStr := dst.String()
if FirewallConfig.LogRedact { if FirewallConfig.LogRedact {
dstStr = STR_REDACTED dstStr = STR_REDACTED
@ -219,13 +214,11 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
srcp, _ := getPacketPorts(pkt) srcp, _ := getPacketPorts(pkt)
srcStr = fmt.Sprintf("%s:%d", srcip, srcp) srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
} }
log.Noticef("%s > %s %s %s -> %s:%d", // log.Noticef("%s > %s %s %s -> %s:%d",
r.getString(FirewallConfig.LogRedact), //r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
pinfo.ExePath, r.proto,
srcStr,
dstStr, dstPort)
if r.rtype == RULE_ACTION_DENY { if r.rtype == RULE_ACTION_DENY {
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d", //TODO: Optionally redact below log entry
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
pinfo.ExePath, r.proto, pinfo.ExePath, r.proto,
srcStr, srcStr,
dstStr, dstPort) dstStr, dstPort)
@ -242,11 +235,12 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
result = FILTER_ALLOW_TLSONLY result = FILTER_ALLOW_TLSONLY
return result return result
} }
} else { }
/**else {
log.Notice("+ MATCH FAILED") log.Notice("+ MATCH FAILED")
} } */
} }
log.Notice("--- RESULT = ", result) // log.Notice("--- RESULT = ", result)
return result return result
} }
@ -281,7 +275,7 @@ func (r *Rule) parse(s string) bool {
return false return false
} }
fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox) // fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v, sandbox = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname, r.sandbox)
if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 { if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
r.saddr = net.ParseIP(parts[5]) r.saddr = net.ParseIP(parts[5])

Loading…
Cancel
Save