@ -1,7 +1,7 @@
|
|
|
|
package sgfw
|
|
|
|
package sgfw
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
import (
|
|
|
|
// "encoding/binary"
|
|
|
|
// "encoding/binary"
|
|
|
|
"fmt"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"io/ioutil"
|
|
|
|
"net"
|
|
|
|
"net"
|
|
|
@ -184,7 +184,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
nfqproto = getNFQProto(pkt)
|
|
|
|
nfqproto = getNFQProto(pkt)
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
|
|
|
|
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
|
|
|
|
// log.Notice("+ Socks5 MATCH SUCCEEDED")
|
|
|
|
// log.Notice("+ Socks5 MATCH SUCCEEDED")
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
return FILTER_DENY
|
|
|
|
return FILTER_DENY
|
|
|
|
} else if r.rtype == RULE_ACTION_ALLOW {
|
|
|
|
} else if r.rtype == RULE_ACTION_ALLOW {
|
|
|
@ -203,7 +203,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
continue
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
|
|
|
|
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
|
|
|
|
// log.Notice("+ MATCH SUCCEEDED")
|
|
|
|
// log.Notice("+ MATCH SUCCEEDED")
|
|
|
|
dstStr := dst.String()
|
|
|
|
dstStr := dst.String()
|
|
|
|
if FirewallConfig.LogRedact {
|
|
|
|
if FirewallConfig.LogRedact {
|
|
|
|
dstStr = STR_REDACTED
|
|
|
|
dstStr = STR_REDACTED
|
|
|
@ -214,11 +214,11 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
srcp, _ := getPacketPorts(pkt)
|
|
|
|
srcp, _ := getPacketPorts(pkt)
|
|
|
|
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
|
|
|
|
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// log.Noticef("%s > %s %s %s -> %s:%d",
|
|
|
|
// log.Noticef("%s > %s %s %s -> %s:%d",
|
|
|
|
//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
|
|
|
|
//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
if r.rtype == RULE_ACTION_DENY {
|
|
|
|
//TODO: Optionally redact below log entry
|
|
|
|
//TODO: Optionally redact below log entry
|
|
|
|
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
|
|
|
|
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d",
|
|
|
|
pinfo.ExePath, r.proto,
|
|
|
|
pinfo.ExePath, r.proto,
|
|
|
|
srcStr,
|
|
|
|
srcStr,
|
|
|
|
dstStr, dstPort)
|
|
|
|
dstStr, dstPort)
|
|
|
@ -235,8 +235,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
|
|
|
|
result = FILTER_ALLOW_TLSONLY
|
|
|
|
result = FILTER_ALLOW_TLSONLY
|
|
|
|
return result
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**else {
|
|
|
|
/**else {
|
|
|
|
log.Notice("+ MATCH FAILED")
|
|
|
|
log.Notice("+ MATCH FAILED")
|
|
|
|
} */
|
|
|
|
} */
|
|
|
|
}
|
|
|
|
}