Reduce log noise + honor log redact config option

8 years ago · a3e38de6e5
parent 139c4a08b8
commit a3e38de6e5
4 changed files with 30 additions and 11 deletions
--- a/sgfw/dns.go
+++ b/sgfw/dns.go
@ -69,7 +69,9 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 			pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)

 			if pinfo == nil {
-				log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
+				if !FirewallConfig.LogRedact {
+					log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
+				}
 				return
 			}
 		}
@ -77,7 +79,11 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 		dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
 		return
 	}
-	log.Infof("Unhandled DNS message: %v", dns)
+	if !FirewallConfig.LogRedact {
+		log.Infof("Unhandled DNS message: %v", dns)
+	} else {
+		log.Infof("Unhandled DNS message [redacted]")
+	}

 }

@ -118,7 +124,11 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
 		case *dnsRR_CNAME:
 			// Not that exotic; just ignore it
 		default:
-			log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
+			if !FirewallConfig.LogRedact {
+				log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
+			} else {
+				log.Warningf("Unexpected RR type in answer section of A response: [redacted]")
+			}
 		}

 		if aBytes == nil {
@ -134,7 +144,8 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
 		if pid < 0 {
 			pid = 0
 		}
-		log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
+
+//		log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)

 		_, ok := dc.ipMap[pid]
 		if !ok {
@ -169,8 +180,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 				// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
 				return entry.name
 			} else {
-				log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
+				if !FirewallConfig.LogRedact {
+					log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
 					pid, ip.String(), entry.name, entry.exp, entry.ttl)
+				}
 			}
 		}
 	}
@ -182,8 +195,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 			str = entry.name
 			// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
 		} else {
-			log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
+			if !FirewallConfig.LogRedact {
+				log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
 				ip.String(), entry.name, entry.exp, entry.ttl)
+			}
 		}
 	}

--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@ -230,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		r.mode = RULE_MODE_PERMANENT
 		policy.fw.saveRules()
 	}
-	log.Warningf("Prompt returning rule: %v", tempRule)
+	//log.Warningf("Prompt returning rule: %v", tempRule)
 	dbusp.alertRule("sgfw prompt added new rule")
 }

--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
@ -404,16 +404,20 @@ func (c *socksChainSession) handleConnect(tls bool) {
 func (c *socksChainSession) forwardTraffic(tls bool) {
 	if tls == true {
 		err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr)
+		dest := STR_REDACTED
+	        if !FirewallConfig.LogRedact {
+			dest = c.req.Addr.addrStr
+        	}

 		if err != nil {
 			if c.pinfo.Sandbox != "" {
-				log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, c.req.Addr.addrStr, err)
+				log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, dest, err)
 			} else {
-				log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, c.req.Addr.addrStr, err)
+				log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, dest, err)
 			}
 			return
 		} else {
-			log.Notice("TLSGuard approved certificate presented for connection to: ", c.req.Addr.addrStr)
+			log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
 		}
 	}

--- a/vendor/github.com/subgraph/go-procsnitch/socket.go
+++ b/vendor/github.com/subgraph/go-procsnitch/socket.go
@ -125,7 +125,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
 				*/

 				if (ss.local.port == srcPort && (ss.local.ip.Equal(net.IPv4(0,0,0,0)) && ss.remote.ip.Equal(net.IPv4(0,0,0,0)))) {
-					fmt.Printf("Matching for UDP socket bound to *:%d\n",ss.local.port)
+					// fmt.Printf("Matching for UDP socket bound to *:%d\n",ss.local.port)
 					return true
 				} else if (ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr)) {
 					return true