Cleanup deny log some...

socks-filter
xSmurf 8 years ago
parent 0cd66aa0d9
commit 7506c980ef

@ -63,7 +63,7 @@ func (pp *pendingPkt) drop() {
}
func (pp *pendingPkt) print() string {
return printPacket(pp.pkt, pp.name)
return printPacket(pp.pkt, pp.name, pp.pinfo)
}
type Policy struct {
@ -203,7 +203,8 @@ func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{}
for _, pc := range p.pendingQueue {
if rule.match(pc.dst(), pc.dstPort(), pc.hostname()) {
log.Infof("Also applying %s to %s", rule.getString(FirewallConfig.LogRedact), pc.print())
log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ALLOW {
pc.accept()
} else {
@ -227,7 +228,7 @@ func (p *Policy) hasPersistentRules() bool {
return false
}
func printPacket(pkt *nfqueue.Packet, hostname string) string {
func printPacket(pkt *nfqueue.Packet, hostname string, pinfo *procsnitch.Info) string {
proto := func() string {
switch pkt.Protocol {
case nfqueue.TCP:
@ -246,7 +247,11 @@ func printPacket(pkt *nfqueue.Packet, hostname string) string {
if name == "" {
name = pkt.Dst.String()
}
return fmt.Sprintf("(%s %s:%d --> %s:%d)", proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort)
if (pinfo == nil) {
return fmt.Sprintf("(%s %s:%d -> %s:%d)", proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort)
} else {
return fmt.Sprintf("%s %s %s:%d -> %s:%d", pinfo.ExePath, proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort)
}
}
func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
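Review bot: The two return branches added to printPacket produce differently shaped strings — the nil case keeps the parentheses, the pinfo case drops them and prepends pinfo.ExePath — so the same packet is logged in two layouts depending on which caller reached it, and `if (pinfo == nil)` followed by an `else` after a return is not gofmt-idiomatic. Building the endpoint string once and decorating it per case keeps the two layouts aligned. Separately, FirewallConfig.LogRedact is honoured for dstStr in RuleList.filter but not here, where `name` (the looked-up hostname or pkt.Dst) is always printed in clear; if redaction is meant to cover destinations in the Noticef allow/deny lines that now go through pc.print(), printPacket needs the same treatment. The start of printPacket is outside this hunk.
```go
	if name == "" {
		name = pkt.Dst.String()
	}
	endpoints := fmt.Sprintf("%s %s:%d -> %s:%d", proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort)
	if pinfo == nil {
		return "(" + endpoints + ")"
	}
	return pinfo.ExePath + " " + endpoints
}
```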
@ -257,7 +262,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
}
pinfo := findProcessForPacket(pkt)
if pinfo == nil {
log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst)))
log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst), nil))
pkt.Accept()
return
}
@ -271,8 +276,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
}
}
}
//log.Debugf("pinfo: [%d] %s > %s", pinfo.ParentPid, pinfo.CmdLine, pinfo.ParentExePath)
log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(pkt.Dst)))
log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(pkt.Dst), nil))
if basicAllowPacket(pkt) {
pkt.Accept()
return

@ -104,10 +104,10 @@ const (
)
func (rl *RuleList) filterPacket(p *nfqueue.Packet, pinfo *procsnitch.Info, hostname string) FilterResult {
return rl.filter(p.Dst, p.DstPort, hostname, pinfo)
return rl.filter(p, p.Dst, p.DstPort, hostname, pinfo)
}
func (rl *RuleList) filter(dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
func (rl *RuleList) filter(pkt *nfqueue.Packet, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
if rl == nil {
return FILTER_PROMPT
}
@ -118,7 +118,15 @@ func (rl *RuleList) filter(dst net.IP, dstPort uint16, hostname string, pinfo *p
if FirewallConfig.LogRedact {
dstStr = "[redacted]"
}
log.Infof("%s (%s -> %s:%d)", r.getString(FirewallConfig.LogRedact), pinfo.ExePath, dstStr, dstPort)
srcStr := "[uknown]"
if pkt != nil {
srcStr = fmt.Sprintf("%s:%d", pkt.Src, pkt.SrcPort)
}
log.Noticef("%s > %s %s %s -> %s:%d",
r.getString(FirewallConfig.LogRedact),
pinfo.ExePath, "TCP",
srcStr,
dstStr, dstPort)
if r.rtype == RULE_DENY {
return FILTER_DENY
} else if r.rtype == RULE_ALLOW {
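Review bot: The new source placeholder `srcStr := "[uknown]"` is misspelled and ends up verbatim in the notice log; it should read `srcStr := "[unknown]"`. The protocol is also hard-coded as the literal "TCP" in the Noticef call, whereas printPacket in the same commit derives it from pkt.Protocol, so a non-TCP packet reaching this path via nfqueue would be logged as TCP here; when pkt is non-nil the protocol string should be taken from the packet, with the literal only as the fallback for the nil (SOCKS) case. The enclosing filter method starts outside this hunk.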

@ -189,7 +189,7 @@ func (c *socksChainSession) filterConnect() bool {
if ip == nil && hostname == "" {
return false
}
result := policy.rules.filter(ip, port, hostname, pinfo)
result := policy.rules.filter(nil, ip, port, hostname, pinfo)
switch result {
case FILTER_DENY:
return false
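Review bot: Passing nil as the packet on the changed line means RuleList.filter logs every SOCKS decision with the source shown as the "[uknown]" placeholder and the protocol as "TCP", so the deny log for the SOCKS path carries less than it could. If the session holds the client address, passing it through explicitly (for instance as a source string rather than a nil *nfqueue.Packet the callee has to guard) would keep those notices useful. filterConnect starts and ends outside this hunk.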
