Reduce log noise + honor log redact config option

dma 7 years ago
parent 139c4a08b8
commit a3e38de6e5

@ -69,7 +69,9 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST) pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
if pinfo == nil { if pinfo == nil {
log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer) if !FirewallConfig.LogRedact {
log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
}
return return
} }
} }
@ -77,7 +79,11 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid) dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
return return
} }
log.Infof("Unhandled DNS message: %v", dns) if !FirewallConfig.LogRedact {
log.Infof("Unhandled DNS message: %v", dns)
} else {
log.Infof("Unhandled DNS message [redacted]")
}
} }
@ -118,7 +124,11 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
case *dnsRR_CNAME: case *dnsRR_CNAME:
// Not that exotic; just ignore it // Not that exotic; just ignore it
default: default:
log.Warningf("Unexpected RR type in answer section of A response: %v", rec) if !FirewallConfig.LogRedact {
log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
} else {
log.Warningf("Unexpected RR type in answer section of A response: [redacted]")
}
} }
if aBytes == nil { if aBytes == nil {
@ -134,7 +144,8 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
if pid < 0 { if pid < 0 {
pid = 0 pid = 0
} }
log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
// log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
_, ok := dc.ipMap[pid] _, ok := dc.ipMap[pid]
if !ok { if !ok {
@ -169,8 +180,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp) // log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name return entry.name
} else { } else {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n", if !FirewallConfig.LogRedact {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
pid, ip.String(), entry.name, entry.exp, entry.ttl) pid, ip.String(), entry.name, entry.exp, entry.ttl)
}
} }
} }
} }
@ -182,8 +195,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
str = entry.name str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp) // log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else { } else {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n", if !FirewallConfig.LogRedact {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl) ip.String(), entry.name, entry.exp, entry.ttl)
}
} }
} }
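Review bot: The redaction handling in this section is inconsistent: when LogRedact is set, the `if pinfo == nil` hunk in processDNS and both expired-entry warnings in Lookup drop the log line entirely, whereas the unhandled-message and unexpected-RR hunks still emit a `[redacted]` line. Silencing the event loses the count of cache misses and expirations that an operator would still want to see in the log; keep the event and strip only the identifiers, e.g. `} else { log.Warningf("Skipping attempted DNS cache entry for process that can't be found: [redacted]\n") }`, and the same for the two Lookup warnings. A small style point: `log.Infof("Unhandled DNS message [redacted]")` has no format verbs and can be `log.Info("Unhandled DNS message [redacted]")`, matching the non-f `log.Notice` call used in the socks session file. processDNS, processRecordAddress and Lookup all start outside their hunks.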

@ -230,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
r.mode = RULE_MODE_PERMANENT r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules() policy.fw.saveRules()
} }
log.Warningf("Prompt returning rule: %v", tempRule) //log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule") dbusp.alertRule("sgfw prompt added new rule")
} }
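Review bot: Commenting out the `Prompt returning rule` warning leaves dead code in processConnection instead of applying the LogRedact gate this commit introduces elsewhere. If the rule contents are the sensitive part, `if !FirewallConfig.LogRedact { log.Warningf("Prompt returning rule: %v", tempRule) }` keeps the diagnostic for non-redacted deployments; if the line is simply noise, delete it rather than keeping it as a comment. processConnection starts outside the hunk.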

@ -404,16 +404,20 @@ func (c *socksChainSession) handleConnect(tls bool) {
func (c *socksChainSession) forwardTraffic(tls bool) { func (c *socksChainSession) forwardTraffic(tls bool) {
if tls == true { if tls == true {
err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr) err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr)
dest := STR_REDACTED
if !FirewallConfig.LogRedact {
dest = c.req.Addr.addrStr
}
if err != nil { if err != nil {
if c.pinfo.Sandbox != "" { if c.pinfo.Sandbox != "" {
log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, c.req.Addr.addrStr, err) log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, dest, err)
} else { } else {
log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, c.req.Addr.addrStr, err) log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, dest, err)
} }
return return
} else { } else {
log.Notice("TLSGuard approved certificate presented for connection to: ", c.req.Addr.addrStr) log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
} }
} }
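Review bot: With LogRedact set, `dest` is redacted but `c.pinfo.ExePath` and `c.pinfo.Sandbox` are still written in both Errorf calls, so the TLSGuard violation log still names which program in which sandbox contacted the hidden destination. If the option is meant to keep process identity out of the logs as well (presumably the intent, but the config's scope is not visible here), the same `STR_REDACTED` substitution should be applied to those two fields before the `if err != nil` check. A small style point: `if tls == true {` is the same as `if tls {`. forwardTraffic continues past the end of the hunk.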

@ -125,7 +125,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
*/ */
if (ss.local.port == srcPort && (ss.local.ip.Equal(net.IPv4(0,0,0,0)) && ss.remote.ip.Equal(net.IPv4(0,0,0,0)))) { if (ss.local.port == srcPort && (ss.local.ip.Equal(net.IPv4(0,0,0,0)) && ss.remote.ip.Equal(net.IPv4(0,0,0,0)))) {
fmt.Printf("Matching for UDP socket bound to *:%d\n",ss.local.port) // fmt.Printf("Matching for UDP socket bound to *:%d\n",ss.local.port)
return true return true
} else if (ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr)) { } else if (ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr)) {
return true return true
