Implement redact addresses feature

8 years ago · d16b539bad
parent c3a0e4de6c
commit d16b539bad
6 changed files with 31 additions and 12 deletions
--- a/dbus.go
+++ b/dbus.go
@ -137,7 +137,7 @@ func createDbusRule(r *Rule) DbusRule {
 		App:    path.Base(r.policy.path),
 		Path:   r.policy.path,
 		Verb:   uint32(r.rtype),
-		Target: r.AddrString(),
+		Target: r.AddrString(false),
 	}
 }

@ -196,7 +196,7 @@ func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error {
 func (ds *dbusServer) GetConfig() (map[string]dbus.Variant, *dbus.Error) {
 	conf := make(map[string]dbus.Variant)
 	conf["loglevel"] = dbus.MakeVariant(int32(ds.fw.logBackend.GetLevel("sgfw")))
-	conf["logredact"] = dbus.MakeVariant(ds.fw.logRedact)
+	conf["logredact"] = dbus.MakeVariant(logRedact)
 	return conf, nil
 }

@ -208,7 +208,7 @@ func (ds *dbusServer) SetConfig(key string, val dbus.Variant) *dbus.Error {
 		ds.fw.logBackend.SetLevel(lvl, "sgfw")
 	case "logredact":
 		flag := val.Value().(bool)
-		ds.fw.logRedact = flag
+		logRedact = flag
 	}
 	return nil
 }
--- a/dns.go
+++ b/dns.go
@ -54,7 +54,9 @@ func (dc *dnsCache) processRecordA(name string, answers []dnsRR) {
 				name = name[:len(name)-1]
 			}
 			dc.ipMap[ip] = name
-			log.Info("Adding %s: %s", name, ip)
+			if !logRedact {
+				log.Info("Adding %s: %s", name, ip)
+			}
 		default:
 			log.Warning("Unexpected RR type in answer section of A response: %v", rec)
 		}
--- a/main.go
+++ b/main.go
@ -42,13 +42,14 @@ func setupLoggerBackend() logging.LeveledBackend {
 	return leveler
 }

+var logRedact bool
+
 type Firewall struct {
 	dbus *dbusServer
 	dns  *dnsCache

 	enabled bool

-	logRedact  bool
 	logBackend logging.LeveledBackend

 	lock      sync.Mutex
@ -148,7 +149,6 @@ func main() {
 		dbus:       ds,
 		dns:        NewDnsCache(),
 		enabled:    true,
-		logRedact:  false,
 		logBackend: logBackend,
 		policyMap:  make(map[string]*Policy),
 	}
--- a/policy.go
+++ b/policy.go
@ -47,7 +47,9 @@ func (p *Policy) processPacket(pkt *nfqueue.Packet, pinfo *proc.ProcInfo) {
 	p.lock.Lock()
 	defer p.lock.Unlock()
 	name := p.fw.dns.Lookup(pkt.Dst)
-	log.Info("Lookup(%s): %s", pkt.Dst.String(), name)
+	if !logRedact {
+		log.Info("Lookup(%s): %s", pkt.Dst.String(), name)
+	}
 	result := p.rules.filter(pkt, pinfo, name)
 	switch result {
 	case FILTER_DENY:
@ -142,7 +144,7 @@ func (p *Policy) filterPending(rule *Rule) {
 	remaining := []*pendingPkt{}
 	for _, pp := range p.pendingQueue {
 		if rule.match(pp.pkt, pp.hostname) {
-			log.Info("Also applying %s to %s", rule, printPacket(pp.pkt, pp.hostname))
+			log.Info("Also applying %s to %s", rule.getString(logRedact), printPacket(pp.pkt, pp.hostname))
 			if rule.rtype == RULE_ALLOW {
 				pp.pkt.Accept()
 			} else {
@ -178,6 +180,10 @@ func printPacket(pkt *nfqueue.Packet, hostname string) string {
 			return "???"
 		}
 	}()
+
+	if logRedact {
+		hostname = "[redacted]"
+	}
 	name := hostname
 	if name == "" {
 		name = pkt.Dst.String()
--- a/prompt.go
+++ b/prompt.go
@ -102,7 +102,6 @@ func (p *prompter) processPacket(pp *pendingPkt) {
 		pp.pkt.Accept()
 		return
 	}
-	log.Debug("Received prompt response: %s [%s]", printScope(scope), rule)

 	r, err := pp.policy.parseRule(rule, false)
 	if err != nil {
--- a/rules.go
+++ b/rules.go
@ -34,15 +34,19 @@ type Rule struct {
 }

 func (r *Rule) String() string {
+	return r.getString(false)
+}
+
+func (r *Rule) getString(redact bool) string {
 	rtype := "DENY"
 	if r.rtype == RULE_ALLOW {
 		rtype = "ALLOW"
 	}

-	return fmt.Sprintf("%s|%s", rtype, r.AddrString())
+	return fmt.Sprintf("%s|%s", rtype, r.AddrString(redact))
 }

-func (r *Rule) AddrString() string {
+func (r *Rule) AddrString(redact bool) string {
 	addr := "*"
 	port := "*"
 	if r.hostname != "" {
@ -57,6 +61,10 @@ func (r *Rule) AddrString() string {
 		port = fmt.Sprintf("%d", r.port)
 	}

+	if redact && addr != "*" {
+		addr = "[redacted]"
+	}
+
 	return fmt.Sprintf("%s:%s", addr, port)
 }

@ -90,7 +98,11 @@ func (rl *RuleList) filter(p *nfqueue.Packet, pinfo *proc.ProcInfo, hostname str
 	result := FILTER_PROMPT
 	for _, r := range *rl {
 		if r.match(p, hostname) {
-			log.Info("%s (%s -> %s:%d)", r, pinfo.ExePath, p.Dst.String(), p.DstPort)
+			dst := p.Dst.String()
+			if logRedact {
+				dst = "[redacted]"
+			}
+			log.Info("%s (%s -> %s:%d)", r.getString(logRedact), pinfo.ExePath, dst, p.DstPort)
 			if r.rtype == RULE_DENY {
 				return FILTER_DENY
 			} else if r.rtype == RULE_ALLOW {