Garbage dump commit of current progress.

shw_dev
shw 8 years ago
parent 08266cca76
commit 9069c91606

@ -55,6 +55,7 @@ func (dc *dnsCache) processRecordA(name string, answers []dnsRR) {
if strings.HasSuffix(name, ".") { if strings.HasSuffix(name, ".") {
name = name[:len(name)-1] name = name[:len(name)-1]
} }
log.Notice("______ Adding to dns map: %s: %s", name, ip)
dc.ipMap[ip] = name dc.ipMap[ip] = name
if !FirewallConfig.LogRedact { if !FirewallConfig.LogRedact {
log.Infof("Adding %s: %s", name, ip) log.Infof("Adding %s: %s", name, ip)

@ -38,7 +38,23 @@ func ruleExists(rule sandboxRule) int {
return -1 return -1
} }
func ReceiverLoop(c net.Conn) { func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error {
policy := fw.PolicyForPath("*")
rulestr := ""
if whitelist {
rulestr += "ALLOW"
} else {
rulestr += "DENY"
}
rulestr += "|" + dsthost + ":" + strconv.Itoa(int(dstport)) + "|SESSION|" + srchost
_, err := policy.parseRule(rulestr, true)
return err
}
func ReceiverLoop(fw *Firewall, c net.Conn) {
defer c.Close() defer c.Close()
bio := bufio.NewReader(c) bio := bufio.NewReader(c)
@ -104,21 +120,16 @@ func ReceiverLoop(c net.Conn) {
w = false w = false
} }
srcip := net.ParseIP(tokens[2]) srchost := tokens[2]
dsthost := tokens[3]
srcip := net.ParseIP(srchost)
if srcip == nil { if srcip == nil {
log.Notice("IPC received invalid source host: ", tokens[2]) log.Notice("IP conversion failed: ", srchost)
c.Write([]byte("Bad command: source host address was invalid")) srcip = net.IP{0,0,0,0}
return
} }
dstip := net.ParseIP(tokens[3]) dstip := net.IP{0,0,0,0}
if dstip == nil {
log.Notice("IPC received invalid destination host: ", tokens[3])
c.Write([]byte("Bad command: dst host address was invalid"))
return
}
dstport, err := strconv.Atoi(tokens[4]) dstport, err := strconv.Atoi(tokens[4])
@ -151,6 +162,12 @@ func ReceiverLoop(c net.Conn) {
if add { if add {
log.Notice("Adding new rule to oz sandbox/fw: ", rule) log.Notice("Adding new rule to oz sandbox/fw: ", rule)
sandboxRules = append(sandboxRules, rule) sandboxRules = append(sandboxRules, rule)
err := addFWRule(fw, w, srchost, dsthost, uint16(dstport))
if err != nil {
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
} else {
log.Notice("XXX: rule also successfully added to fw-daemon")
}
} else { } else {
log.Notice("Removing new rule from oz sandbox/fw: ", rule) log.Notice("Removing new rule from oz sandbox/fw: ", rule)
sandboxRules = append(sandboxRules[:exists], sandboxRules[exists+1:]...) sandboxRules = append(sandboxRules[:exists], sandboxRules[exists+1:]...)
@ -167,7 +184,7 @@ func ReceiverLoop(c net.Conn) {
} }
func OzReceiver() { func OzReceiver(fw *Firewall) {
log.Notice("XXX: dispatching oz receiver...") log.Notice("XXX: dispatching oz receiver...")
os.Remove(ReceiverSocketPath) os.Remove(ReceiverSocketPath)
lfd, err := net.Listen("unix", ReceiverSocketPath) lfd, err := net.Listen("unix", ReceiverSocketPath)
@ -181,7 +198,7 @@ func OzReceiver() {
log.Fatal("Could not accept receiver client:", err) log.Fatal("Could not accept receiver client:", err)
} }
go ReceiverLoop(fd) go ReceiverLoop(fw, fd)
} }
} }

@ -29,7 +29,7 @@ type sandboxRule struct {
} }
var sandboxRules = []sandboxRule { var sandboxRules = []sandboxRule {
{ net.IP{172,16,1,42}, net.IP{140,211,166,134}, 21, false }, // { net.IP{172,16,1,42}, net.IP{140,211,166,134}, 21, false },
} }
type pendingConnection interface { type pendingConnection interface {
@ -168,14 +168,22 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info) {
dstb := pkt.Packet.NetworkLayer().NetworkFlow().Dst().Raw() dstb := pkt.Packet.NetworkLayer().NetworkFlow().Dst().Raw()
dstip := net.IP(dstb) dstip := net.IP(dstb)
srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw()) srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
_, dstp := getPacketPorts(pkt) // _, dstp := getPacketPorts(pkt)
name := p.fw.dns.Lookup(dstip) name := p.fw.dns.Lookup(dstip)
if !FirewallConfig.LogRedact { if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name) log.Infof("Lookup(%s): %s", dstip.String(), name)
} }
fwo := matchAgainstOzRules(srcip, dstip, dstp) // fwo := matchAgainstOzRules(srcip, dstip, dstp)
log.Notice("XXX: Attempting to filter packet on rules -> ", fwo)
result := p.rules.filterPacket(pkt, pinfo, name) if name == "" {
/* log.Notice("XXXXXXXXXXXXx trying better rev lookup:")
net.LookupAddr(dstip.String())
name = p.fw.dns.Lookup(dstip)
log.Notice("NOW ITS: ", name) */
}
//log.Notice("XXX: Attempting to filter packet on rules -> ", fwo, " / rev lookup = ", name)
result := p.rules.filterPacket(pkt, pinfo, srcip, name)
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
pkt.SetMark(1) pkt.SetMark(1)
@ -238,6 +246,7 @@ func (p *Policy) processNewRule(r *Rule, scope FilterScope) bool {
} }
func (p *Policy) parseRule(s string, add bool) (*Rule, error) { func (p *Policy) parseRule(s string, add bool) (*Rule, error) {
log.Noticef("XXX: attempt to parse rule: |%s|\n", s)
r := new(Rule) r := new(Rule)
r.mode = RULE_MODE_PERMANENT r.mode = RULE_MODE_PERMANENT
r.policy = p r.policy = p
@ -269,7 +278,7 @@ func (p *Policy) removeRule(r *Rule) {
func (p *Policy) filterPending(rule *Rule) { func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{} remaining := []pendingConnection{}
for _, pc := range p.pendingQueue { for _, pc := range p.pendingQueue {
if rule.match(pc.dst(), pc.dstPort(), pc.hostname()) { if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname()) {
log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact)) log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print()) log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ACTION_ALLOW { if rule.rtype == RULE_ACTION_ALLOW {
@ -340,8 +349,8 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
} }
} }
srcip, dstip := getPacketIP4Addrs(pkt) _, dstip := getPacketIP4Addrs(pkt)
_, dstp := getPacketPorts(pkt) /* _, dstp := getPacketPorts(pkt)
fwo := matchAgainstOzRules(srcip, dstip, dstp) fwo := matchAgainstOzRules(srcip, dstip, dstp)
log.Notice("XXX: Attempting [2] to filter packet on rules -> ", fwo) log.Notice("XXX: Attempting [2] to filter packet on rules -> ", fwo)
@ -354,7 +363,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
pkt.SetMark(1) pkt.SetMark(1)
pkt.Accept() pkt.Accept()
return return
} } */
ppath := "*" ppath := "*"
@ -380,9 +389,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip), nil)) log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip), nil))
if basicAllowPacket(pkt) { if basicAllowPacket(pkt) {
pkt.Accept() pkt.Accept()
//log.Notice("XXX: passed basicallowpacket")
return return
} }
policy := fw.PolicyForPath(ppath) policy := fw.PolicyForPath(ppath)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo) policy.processPacket(pkt, pinfo)
} }
@ -452,7 +463,7 @@ func getPacketPorts(pkt *nfqueue.NFQPacket) (uint16, uint16) {
return s, d return s, d
} }
func matchAgainstOzRules(srci, dsti net.IP, dstp uint16) int { /*func matchAgainstOzRules(srci, dsti net.IP, dstp uint16) int {
for i := 0; i < len(sandboxRules); i++ { for i := 0; i < len(sandboxRules); i++ {
@ -468,4 +479,4 @@ func matchAgainstOzRules(srci, dsti net.IP, dstp uint16) int {
} }
return OZ_FWRULE_NONE return OZ_FWRULE_NONE
} } */

@ -89,6 +89,10 @@ func (p *prompter) processConnection(pc pendingConnection) {
return return
} }
if pc.src() != nil {
rule += "|" + pc.src().String()
}
r, err := policy.parseRule(rule, false) r, err := policy.parseRule(rule, false)
if err != nil { if err != nil {
log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err) log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err)

@ -26,6 +26,7 @@ type Rule struct {
rtype RuleAction rtype RuleAction
hostname string hostname string
addr uint32 addr uint32
saddr net.IP
port uint16 port uint16
} }
@ -70,7 +71,11 @@ func (r *Rule) AddrString(redact bool) string {
type RuleList []*Rule type RuleList []*Rule
func (r *Rule) match(dst net.IP, dstPort uint16, hostname string) bool { func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string) bool {
xip := make(net.IP, 4)
binary.BigEndian.PutUint32(xip, r.addr)
log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, " : ", r.port)
if r.port != matchAny && r.port != dstPort { if r.port != matchAny && r.port != dstPort {
return false return false
} }
@ -83,19 +88,29 @@ func (r *Rule) match(dst net.IP, dstPort uint16, hostname string) bool {
return r.addr == binary.BigEndian.Uint32(dst.To4()) return r.addr == binary.BigEndian.Uint32(dst.To4())
} }
func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, hostname string) FilterResult { func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname string) FilterResult {
_, dstip := getPacketIP4Addrs(p) _, dstip := getPacketIP4Addrs(p)
_, dstp := getPacketPorts(p) _, dstp := getPacketPorts(p)
return rl.filter(p, dstip, dstp, hostname, pinfo) return rl.filter(p, srcip, dstip, dstp, hostname, pinfo)
} }
func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult { func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
if rl == nil { if rl == nil {
return FILTER_PROMPT return FILTER_PROMPT
} }
result := FILTER_PROMPT result := FILTER_PROMPT
// saddr_ip := make(net.IP, 4)
// binary.BigEndian.PutUint32(saddr_ip, r.saddr)
for _, r := range *rl { for _, r := range *rl {
if r.match(dst, dstPort, hostname) { log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr)
if r.saddr == nil && src != nil {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
continue
} else if r.saddr != nil && !r.saddr.Equal(src) {
log.Notice("! Skipping comparison of mismatching source ips")
}
if r.match(src, dst, dstPort, hostname) {
log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String() dstStr := dst.String()
if FirewallConfig.LogRedact { if FirewallConfig.LogRedact {
dstStr = STR_REDACTED dstStr = STR_REDACTED
@ -116,8 +131,9 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, dst net.IP, dstPort uint16, h
} else if r.rtype == RULE_ACTION_ALLOW { } else if r.rtype == RULE_ACTION_ALLOW {
result = FILTER_ALLOW result = FILTER_ALLOW
} }
} } else { log.Notice("+ MATCH FAILED") }
} }
log.Notice("--- RESULT = ", result)
return result return result
} }
@ -127,13 +143,24 @@ func parseError(s string) error {
func (r *Rule) parse(s string) bool { func (r *Rule) parse(s string) bool {
r.addr = noAddress r.addr = noAddress
r.saddr = nil
parts := strings.Split(s, "|") parts := strings.Split(s, "|")
if len(parts) < 2 { if len(parts) < 2 {
return false return false
} }
if len(parts) >= 3 && parts[2] == "SYSTEM" { if len(parts) >= 3 && parts[2] == "SYSTEM" {
r.mode = RULE_MODE_SYSTEM r.mode = RULE_MODE_SYSTEM
if len(parts) > 4 {
r.saddr = net.ParseIP(parts[3])
}
} else if len(parts) > 3 {
r.saddr = net.ParseIP(parts[3])
} else if len(parts) > 2 {
r.saddr = net.ParseIP(parts[2])
} }
fmt.Println("----- rule parser: srcip = ", r.saddr)
return r.parseVerb(parts[0]) && r.parseTarget(parts[1]) return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
} }

@ -223,7 +223,7 @@ func Main() {
log.Notice("Did not find SOCKS5 configuration file at", defaultSocksCfgPath, "; ignoring subsystem...") log.Notice("Did not find SOCKS5 configuration file at", defaultSocksCfgPath, "; ignoring subsystem...")
} }
go OzReceiver() go OzReceiver(fw)
fw.runFilter() fw.runFilter()

@ -193,7 +193,7 @@ func (c *socksChainSession) filterConnect() bool {
if ip == nil && hostname == "" { if ip == nil && hostname == "" {
return false return false
} }
result := policy.rules.filter(nil, ip, port, hostname, pinfo) result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo)
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
return false return false

Loading…
Cancel
Save