From e895f204a70f5080438c37c2acf221b9c90a14d9 Mon Sep 17 00:00:00 2001
From: shw
Date: Wed, 10 May 2017 18:25:34 +0000
Subject: [PATCH] Fixed bug so that system-wide firewall settings match all traffic except sandboxed traffic.
---
 sgfw/policy.go | 2 +-
 sgfw/rules.go | 13 ++++++-------
 sgfw/socks_server_chain.go | 2 +-
 3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/sgfw/policy.go b/sgfw/policy.go
index 04de998..7288705 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -192,7 +192,7 @@ if name == "" {
 }
 //log.Notice("XXX: Attempting to filter packet on rules -> ", fwo, " / rev lookup = ", name)
- result := p.rules.filterPacket(pkt, pinfo, srcip, name)
+ result := p.rules.filterPacket(pkt, pinfo, srcip, name, optstr)
 switch result {
 case FILTER_DENY:
 pkt.SetMark(1)
diff --git a/sgfw/rules.go b/sgfw/rules.go
index 2375e69..4ec45c1 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
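Review bot: The new `optstr` argument on the `filterPacket` call now decides whether system-wide rules are compared against this packet at all (rules.go prefix-matches it against "Sandbox"), but nothing at the call site says what the value carries, and its assignment lies earlier in the function, outside the hunk. A one-line comment before the call would make the dependency visible: `// optstr classifies the originating process; a "Sandbox" prefix limits this packet to sandbox-specific rules (see RuleList.filter).` If optstr can be empty when the process lookup fails, that packet is evaluated as non-sandboxed traffic; confirm that is the intended default rather than prompting.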
@@ -88,22 +88,21 @@ log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, "
 return r.addr == binary.BigEndian.Uint32(dst.To4())
 }
-func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname string) FilterResult {
+func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname, optstr string) FilterResult {
 _, dstip := getPacketIP4Addrs(p)
 _, dstp := getPacketPorts(p)
- return rl.filter(p, srcip, dstip, dstp, hostname, pinfo)
+ return rl.filter(p, srcip, dstip, dstp, hostname, pinfo, optstr)
 }
-func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
+func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info, optstr string) FilterResult {
 if rl == nil {
 return FILTER_PROMPT
 }
 result := FILTER_PROMPT
-// saddr_ip := make(net.IP, 4)
-// binary.BigEndian.PutUint32(saddr_ip, r.saddr)
+ sandboxed := strings.HasPrefix(optstr, "Sandbox")
 for _, r := range *rl {
-log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr)
+log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr)
- if r.saddr == nil && src != nil {
+ if r.saddr == nil && src != nil && sandboxed {
 log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
 continue
 } else if r.saddr != nil && !r.saddr.Equal(src) {
diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go
index 1c97b48..f9e8daf 100644
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
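Review bot: The sandbox decision on the added `sandboxed := strings.HasPrefix(optstr, "Sandbox")` line hinges on a bare string literal and a case-sensitive prefix match, so any value beginning with "Sandbox" selects the sandbox path while an empty or unexpected optstr silently falls through to the system-wide rules. Since this flag now decides which rules are even compared, give the value a name shared with the callers and make the match explicit, e.g. `const sandboxOptPrefix = "Sandbox"` beside the type declarations and `sandboxed := strings.HasPrefix(optstr, sandboxOptPrefix)` here; if optstr can be influenced by the process being filtered (its origin is outside this hunk), an exact comparison against the values the caller actually emits is safer than a prefix test. The hunk does not show rules.go's import block, so confirm `strings` is already imported there or the file will not build. The modified column-0 `log.Notice` line now records optstr for every rule on every packet; it reads as leftover debugging and gofmt will re-indent it, so consider dropping or demoting it before merge. filter's body continues past the end of the hunk.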
@@ -197,7 +197,7 @@ func (c *socksChainSession) filterConnect() bool {
 if ip == nil && hostname == "" {
 return false
 }
- result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo)
+ result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, "SOCKS")
 switch result {
 case FILTER_DENY:
 return false
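Review bot: The literal `"SOCKS"` passed as the new optstr argument cannot affect rule selection on this path: the call passes `nil` as src, so the `r.saddr == nil && src != nil && sandboxed` guard in RuleList.filter is false whatever optstr holds, and within the visible hunks the value only reaches the debug log. SOCKS-proxied connections from a sandboxed process are therefore always evaluated as non-sandboxed traffic; if pinfo can identify the sandbox, that classification should be passed instead, otherwise a comment should record the decision, e.g. `// src is nil for proxied connections, so optstr cannot narrow rule selection here.` Either way the magic string should become a named constant alongside the "Sandbox" prefix that rules.go tests. filterConnect continues outside the hunk.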