shw-merge v0.0.11
dma 7 years ago
parent 5f454f2c6b
commit 92276eed47

@ -371,7 +371,7 @@ func (p *Policy) filterPending(rule *Rule) {
for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) {
log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
// log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
// log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ACTION_ALLOW {
pc.accept()
} else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY {
@ -528,33 +528,33 @@ func readFileDirect(filename string) ([]byte, error) {
fd := int(res)
data := make([]byte, 65535)
i := 0
val := 0
for i = 0; i < 65535; {
val, err = syscall.Read(fd, data[i:])
i += val
if err != nil && val != 0 {
return nil, err
}
if val == 0 {
break
}
}
data = data[0:i]
/*
val, err := syscall.Read(fd, data)
if err != nil {
return nil, err
i := 0
val := 0
for i = 0; i < 65535; {
val, err = syscall.Read(fd, data[i:])
i += val
if err != nil && val != 0 {
return nil, err
}
if val == 0 {
break
}
}
*/
data = data[0:i]
/*
val, err := syscall.Read(fd, data)
if err != nil {
return nil, err
}
*/
syscall.Close(fd)
/*
if val < 65535 {
data = data[0:val]
}
*/
/*
if val < 65535 {
data = data[0:val]
}
*/
return data, nil
}
@ -645,11 +645,11 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
if len(ssplit) != 6 {
continue
}
rlines = append(rlines, strings.Join(ssplit, ":"))
}
// log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
// log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
if proto == "tcp" {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
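Review bot: In the readFileDirect hunk, every `return nil, err` inside the read loop leaves the descriptor open, because `syscall.Close(fd)` is only reached on the success path; replacing that trailing call with `defer syscall.Close(fd)` placed right after `fd := int(res)` closes it on all paths. The loop also stops at the fixed 65535-byte buffer, so a longer file is silently truncated rather than reported — if that bound is intended, a comment such as `// NOTE: reads at most 65535 bytes; anything beyond is dropped` would make it explicit. The commented-out blocks left around the loop and after it are dead code and could simply be removed. readFileDirect's opening, including how fd is obtained from res, lies outside the hunk.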

@ -1,7 +1,7 @@
package sgfw
import (
// "encoding/binary"
// "encoding/binary"
"fmt"
"io/ioutil"
"net"
@ -184,7 +184,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
nfqproto = getNFQProto(pkt)
} else {
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
// log.Notice("+ Socks5 MATCH SUCCEEDED")
// log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW {
@ -203,7 +203,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
continue
}
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
// log.Notice("+ MATCH SUCCEEDED")
// log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String()
if FirewallConfig.LogRedact {
dstStr = STR_REDACTED
@ -214,11 +214,11 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
srcp, _ := getPacketPorts(pkt)
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
}
// log.Noticef("%s > %s %s %s -> %s:%d",
// log.Noticef("%s > %s %s %s -> %s:%d",
//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
if r.rtype == RULE_ACTION_DENY {
//TODO: Optionally redact below log entry
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
//TODO: Optionally redact below log entry
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
pinfo.ExePath, r.proto,
srcStr,
dstStr, dstPort)
@ -235,8 +235,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
result = FILTER_ALLOW_TLSONLY
return result
}
}
/**else {
}
/**else {
log.Notice("+ MATCH FAILED")
} */
}
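Review bot: In the RuleList.filter hunk at -214, the DENIED log entry still emits `pinfo.ExePath` and `srcStr` unredacted, while `dstStr` is replaced with STR_REDACTED when FirewallConfig.LogRedact is set in the preceding hunk; the TODO above the Warningf call acknowledges this gap. Applying the same switch to the source string — `if FirewallConfig.LogRedact { srcStr = STR_REDACTED }` just before the Warningf — would make the redaction setting apply consistently to the whole entry. The block that builds srcStr from srcip and srcp begins outside the hunk, so where that check belongs depends on how srcStr is initialised there. The duplicated commented-out `log.Noticef` lines in the same hunk are dead and could be dropped.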
