Fixed bug so that system-wide firewall settings match all traffic except sandboxed traffic.

shw_dev
shw 8 years ago
parent b567e5ce54
commit e895f204a7

@ -192,7 +192,7 @@ if name == "" {
} }
//log.Notice("XXX: Attempting to filter packet on rules -> ", fwo, " / rev lookup = ", name) //log.Notice("XXX: Attempting to filter packet on rules -> ", fwo, " / rev lookup = ", name)
result := p.rules.filterPacket(pkt, pinfo, srcip, name) result := p.rules.filterPacket(pkt, pinfo, srcip, name, optstr)
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
pkt.SetMark(1) pkt.SetMark(1)

@ -88,22 +88,21 @@ log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, "
return r.addr == binary.BigEndian.Uint32(dst.To4()) return r.addr == binary.BigEndian.Uint32(dst.To4())
} }
func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname string) FilterResult { func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname, optstr string) FilterResult {
_, dstip := getPacketIP4Addrs(p) _, dstip := getPacketIP4Addrs(p)
_, dstp := getPacketPorts(p) _, dstp := getPacketPorts(p)
return rl.filter(p, srcip, dstip, dstp, hostname, pinfo) return rl.filter(p, srcip, dstip, dstp, hostname, pinfo, optstr)
} }
func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult { func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info, optstr string) FilterResult {
if rl == nil { if rl == nil {
return FILTER_PROMPT return FILTER_PROMPT
} }
result := FILTER_PROMPT result := FILTER_PROMPT
// saddr_ip := make(net.IP, 4) sandboxed := strings.HasPrefix(optstr, "Sandbox")
// binary.BigEndian.PutUint32(saddr_ip, r.saddr)
for _, r := range *rl { for _, r := range *rl {
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr) log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr)
if r.saddr == nil && src != nil { if r.saddr == nil && src != nil && sandboxed {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src) log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
continue continue
} else if r.saddr != nil && !r.saddr.Equal(src) { } else if r.saddr != nil && !r.saddr.Equal(src) {
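Review bot: The line `sandboxed := strings.HasPrefix(optstr, "Sandbox")` makes a free-form string prefix the sole switch that decides whether rules with no source address (the system-wide ones, `r.saddr == nil`) are applied or skipped, so any caller that hands in an option string beginning with "Sandbox" has every system-wide rule bypassed for that packet. The filterPacket hunk at @ -192 forwards `optstr` from a caller outside this view, and the socksChainSession hunk at @ -197 passes the literal "SOCKS", whose only effect here is that it does not carry the prefix; a typed flag or enum for the sandbox classification, or at least named constants for the "Sandbox" prefix and the "SOCKS" value kept side by side, would make that contract explicit rather than string-shaped. The skip branch is the only place `sandboxed` is consulted, so a comment on it such as `// rules without a source address are system-wide and apply to all traffic except sandboxed packets, which match only rules that carry a source address` would record the intent the commit title states. If this file does not already import `strings`, the new call also needs that import. filter's body continues past the end of the hunk.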

@ -197,7 +197,7 @@ func (c *socksChainSession) filterConnect() bool {
if ip == nil && hostname == "" { if ip == nil && hostname == "" {
return false return false
} }
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo) result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, "SOCKS")
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
return false return false
