Cleanup deny log some...

socks-filter
xSmurf 8 years ago
parent 0cd66aa0d9
commit 7506c980ef

@ -63,7 +63,7 @@ func (pp *pendingPkt) drop() {
} }
func (pp *pendingPkt) print() string { func (pp *pendingPkt) print() string {
return printPacket(pp.pkt, pp.name) return printPacket(pp.pkt, pp.name, pp.pinfo)
} }
type Policy struct { type Policy struct {
@ -203,7 +203,8 @@ func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{} remaining := []pendingConnection{}
for _, pc := range p.pendingQueue { for _, pc := range p.pendingQueue {
if rule.match(pc.dst(), pc.dstPort(), pc.hostname()) { if rule.match(pc.dst(), pc.dstPort(), pc.hostname()) {
log.Infof("Also applying %s to %s", rule.getString(FirewallConfig.LogRedact), pc.print()) log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ALLOW { if rule.rtype == RULE_ALLOW {
pc.accept() pc.accept()
} else { } else {
@ -227,7 +228,7 @@ func (p *Policy) hasPersistentRules() bool {
return false return false
} }
func printPacket(pkt *nfqueue.Packet, hostname string) string { func printPacket(pkt *nfqueue.Packet, hostname string, pinfo *procsnitch.Info) string {
proto := func() string { proto := func() string {
switch pkt.Protocol { switch pkt.Protocol {
case nfqueue.TCP: case nfqueue.TCP:
@ -246,7 +247,11 @@ func printPacket(pkt *nfqueue.Packet, hostname string) string {
if name == "" { if name == "" {
name = pkt.Dst.String() name = pkt.Dst.String()
} }
return fmt.Sprintf("(%s %s:%d --> %s:%d)", proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort) if (pinfo == nil) {
return fmt.Sprintf("(%s %s:%d -> %s:%d)", proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort)
} else {
return fmt.Sprintf("%s %s %s:%d -> %s:%d", pinfo.ExePath, proto, pkt.Src, pkt.SrcPort, name, pkt.DstPort)
}
} }
func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) { func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
@ -257,7 +262,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
} }
pinfo := findProcessForPacket(pkt) pinfo := findProcessForPacket(pkt)
if pinfo == nil { if pinfo == nil {
log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst))) log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst), nil))
pkt.Accept() pkt.Accept()
return return
} }
@ -271,8 +276,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
} }
} }
} }
//log.Debugf("pinfo: [%d] %s > %s", pinfo.ParentPid, pinfo.CmdLine, pinfo.ParentExePath) log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(pkt.Dst), nil))
log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(pkt.Dst)))
if basicAllowPacket(pkt) { if basicAllowPacket(pkt) {
pkt.Accept() pkt.Accept()
return return
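Review bot: printPacket still prints the resolved destination name (or pkt.Dst) unredacted in both of its new branches, while RuleList.filter in the same commit substitutes "[redacted]" for the destination when FirewallConfig.LogRedact is set, and filterPending now emits pc.print() at Notice level, so the redaction setting appears to be bypassed on that path. A guard after the empty-name fallback would align the two: `if FirewallConfig.LogRedact {` / `name = "[redacted]"` / `}`. As a matter of style, the new branch is written `if (pinfo == nil) {` with an `else` after a return; gofmt drops the parentheses and the non-nil case reads better as the fall-through after an early `return`. The debug line at the end of filterPacket passes nil for pinfo although pinfo has already been checked non-nil a few lines above, so passing it would give that log the same exe-path form as the others. printPacket's signature and proto switch sit in the preceding hunk, so its body is only partly visible here, and filterPacket continues past the last hunk.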

@ -104,10 +104,10 @@ const (
) )
func (rl *RuleList) filterPacket(p *nfqueue.Packet, pinfo *procsnitch.Info, hostname string) FilterResult { func (rl *RuleList) filterPacket(p *nfqueue.Packet, pinfo *procsnitch.Info, hostname string) FilterResult {
return rl.filter(p.Dst, p.DstPort, hostname, pinfo) return rl.filter(p, p.Dst, p.DstPort, hostname, pinfo)
} }
func (rl *RuleList) filter(dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult { func (rl *RuleList) filter(pkt *nfqueue.Packet, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
if rl == nil { if rl == nil {
return FILTER_PROMPT return FILTER_PROMPT
} }
@ -118,7 +118,15 @@ func (rl *RuleList) filter(dst net.IP, dstPort uint16, hostname string, pinfo *p
if FirewallConfig.LogRedact { if FirewallConfig.LogRedact {
dstStr = "[redacted]" dstStr = "[redacted]"
} }
log.Infof("%s (%s -> %s:%d)", r.getString(FirewallConfig.LogRedact), pinfo.ExePath, dstStr, dstPort) srcStr := "[uknown]"
if pkt != nil {
srcStr = fmt.Sprintf("%s:%d", pkt.Src, pkt.SrcPort)
}
log.Noticef("%s > %s %s %s -> %s:%d",
r.getString(FirewallConfig.LogRedact),
pinfo.ExePath, "TCP",
srcStr,
dstStr, dstPort)
if r.rtype == RULE_DENY { if r.rtype == RULE_DENY {
return FILTER_DENY return FILTER_DENY
} else if r.rtype == RULE_ALLOW { } else if r.rtype == RULE_ALLOW {
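Review bot: The new source placeholder in RuleList.filter is misspelled — `srcStr := "[unknown]"` — and the protocol label is hard-coded as "TCP" even when a packet is supplied, so a non-TCP nfqueue packet reaching this path would be logged as TCP; printPacket in the same commit already derives the label from pkt.Protocol, so the same switch (or a small shared helper) should be used here when pkt != nil. The Noticef call also dereferences pinfo.ExePath without a nil check; the replaced line did the same, but the contract that callers always pass a non-nil pinfo is not visible in this hunk, so a one-line doc comment on filter such as `// filter requires pinfo to be non-nil; callers resolve the process first.` or a guard that logs the path as unknown would make it explicit. The new fmt.Sprintf call requires this file to import fmt, which the hunk does not show. filter's loop over the rules begins and continues outside this hunk.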

@ -189,7 +189,7 @@ func (c *socksChainSession) filterConnect() bool {
if ip == nil && hostname == "" { if ip == nil && hostname == "" {
return false return false
} }
result := policy.rules.filter(ip, port, hostname, pinfo) result := policy.rules.filter(nil, ip, port, hostname, pinfo)
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
return false return false
