Fixed bug so that system-wide firewall settings match all traffic except sandboxed traffic.

shw_dev
shw 7 years ago
parent b567e5ce54
commit e895f204a7

@ -192,7 +192,7 @@ if name == "" {
}
//log.Notice("XXX: Attempting to filter packet on rules -> ", fwo, " / rev lookup = ", name)
result := p.rules.filterPacket(pkt, pinfo, srcip, name)
result := p.rules.filterPacket(pkt, pinfo, srcip, name, optstr)
switch result {
case FILTER_DENY:
pkt.SetMark(1)

@ -88,22 +88,21 @@ log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, "
return r.addr == binary.BigEndian.Uint32(dst.To4())
}
func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname string) FilterResult {
func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname, optstr string) FilterResult {
_, dstip := getPacketIP4Addrs(p)
_, dstp := getPacketPorts(p)
return rl.filter(p, srcip, dstip, dstp, hostname, pinfo)
return rl.filter(p, srcip, dstip, dstp, hostname, pinfo, optstr)
}
func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info, optstr string) FilterResult {
if rl == nil {
return FILTER_PROMPT
}
result := FILTER_PROMPT
// saddr_ip := make(net.IP, 4)
// binary.BigEndian.PutUint32(saddr_ip, r.saddr)
sandboxed := strings.HasPrefix(optstr, "Sandbox")
for _, r := range *rl {
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr)
if r.saddr == nil && src != nil {
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr)
if r.saddr == nil && src != nil && sandboxed {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
continue
} else if r.saddr != nil && !r.saddr.Equal(src) {
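Review bot: The `sandboxed := strings.HasPrefix(optstr, "Sandbox")` line turns a free-form string into the security classifier: any optstr beginning with "Sandbox" is treated as sandboxed, while an empty, missing or differently spelled value silently lands in the non-sandboxed path where system-wide (nil saddr) rules now apply, and the literal `"SOCKS"` passed in the third hunk shows callers already spelling this contract by hand. Consider naming the contract, e.g. `const OriginSandbox = "Sandbox"` beside the RuleList type and `sandboxed := strings.HasPrefix(optstr, OriginSandbox)`, or replacing optstr with a typed origin or a bool parameter so a mismatch fails to compile instead of changing policy. The `log.Notice` added at the top of the loop also prints optstr once per rule per packet, which is noisy on this path and, if kept, belongs at debug level. The body of filter continues past the end of this hunk.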

@ -197,7 +197,7 @@ func (c *socksChainSession) filterConnect() bool {
if ip == nil && hostname == "" {
return false
}
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo)
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, "SOCKS")
switch result {
case FILTER_DENY:
return false
