From c395ad85f8a5e6585132cffb2dc87b338ea7e911 Mon Sep 17 00:00:00 2001
From: dma
Date: Sun, 24 Sep 2017 16:53:55 +0000
Subject: [PATCH] Fix dumb bug where sgfw accepting DNS packet before passing to DNS processor

---
 sgfw/policy.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/sgfw/policy.go b/sgfw/policy.go
index cd82843..55336ef 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -252,6 +252,8 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
 dstip := net.IP(dstb)
 srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
 name := p.fw.dns.Lookup(dstip, pinfo.Pid)
+ log.Infof("Lookup(%s): %s", dstip.String(), name)
+
 if !FirewallConfig.LogRedact {
 log.Infof("Lookup(%s): %s", dstip.String(), name)
 }
@@ -441,13 +443,22 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
 }
 
 func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
+ isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
+
 if basicAllowPacket(pkt) {
+ if isudp {
+ srcport, _ := getPacketUDPPorts(pkt)
+
+ if srcport == 53 {
+ fw.dns.processDNS(pkt)
+ }
+ }
+
 pkt.Accept()
 return
 }
 
- isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
- if isudp {
+ /* if isudp {
 srcport, _ := getPacketUDPPorts(pkt)
 
 if srcport == 53 {
@@ -457,6 +468,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 }
 }
 
+ */
 _, dstip := getPacketIPAddrs(pkt)
 /* _, dstp := getPacketPorts(pkt)
 fwo := eatchAgainstOzRules(srcip, dstip, dstp)
@@ -786,6 +798,7 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
 if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
 _, dport := getPacketUDPPorts(pkt)
 if dport == 53 {
+ // fw.dns.processDNS(pkt)
 return true
 }
 }
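Review bot: The added `log.Infof("Lookup(%s): %s", dstip.String(), name)` in processPacket runs unconditionally, immediately before the identical message that is already emitted under the `if !FirewallConfig.LogRedact` guard, so the destination IP and resolved hostname now reach the log even when redaction is configured, and twice when it is not. This reads as leftover debugging rather than part of the fix described in the subject; the two added lines (the call and the blank line) should be dropped so the guarded call stays the only one. processPacket begins and continues outside the hunk.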
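Review bot: In filterPacket, DNS replies are now handed to `fw.dns.processDNS` only on the basicAllowPacket branch, while the old source-port-53 block on the deny path is wrapped in a `/* … */` comment (closed by the `*/` in the following hunk) instead of being deleted; if basicAllowPacket can return false for a UDP packet from port 53, such a reply now never reaches the DNS processor, which is the same gap the subject line describes, seen from the other side. Unless every port-53 reply is known to be basic-allowed, the hand-off should happen before the accept decision, e.g. `if isudp { if srcport, _ := getPacketUDPPorts(pkt); srcport == 53 { fw.dns.processDNS(pkt) } }` placed ahead of `if basicAllowPacket(pkt) {`, with the commented-out block removed (the hunk does not show the rest of its body, so whatever else it did should be checked before it goes). The discarded second value of getPacketUDPPorts is the destination port, not an error, so the `_` is fine. filterPacket continues past this hunk and the next.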
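Review bot: The comment `// fw.dns.processDNS(pkt)` added in basicAllowPacket refers to `fw`, which this free function does not receive, so the line could never be re-enabled here as written and only leaves dead code next to the `return true`. It should be removed, with the DNS hand-off living in filterPacket where a receiver exists; if the intent is to explain the rule, a why-comment such as `// outbound DNS (dport 53) is always allowed; replies are handed to the resolver in filterPacket` says more than a disabled call. basicAllowPacket starts and ends outside the hunk.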