Add TLSGuard to SOCKS5 filter clients not coming from oz-daemon

shw-merge
dma 7 years ago
parent e7a803f84f
commit ed8c254404

@ -458,7 +458,7 @@ const PromptDialog = new Lang.Class({
Name: 'PromptDialog',
Extends: ModalDialog.ModalDialog,
_init: function(invocation, pid_known, sandboxed) {
_init: function(invocation, pid_known, sandboxed, tlsguard) {
this.parent({ styleClass: 'fw-prompt-dialog' });
this._invocation = invocation;
this.header = new PromptDialogHeader();
@ -471,7 +471,7 @@ const PromptDialog = new Lang.Class({
this.info = new DetailSection(sandboxed);
box.add_child(this.info.actor);
this.optionList = new OptionList(pid_known, sandboxed);
this.optionList = new OptionList(pid_known, tlsguard);
box.add_child(this.optionList.actor);
this.optionList.addOptions([
"Only PORT AND ADDRESS",
@ -479,7 +479,7 @@ const PromptDialog = new Lang.Class({
"Only PORT",
"Any Connection"]);
if (sandboxed) {
if (tlsguard) {
this.optionList.addTLSOption(true);
}
@ -548,12 +548,12 @@ const PromptDialog = new Lang.Class({
return this.optionList.tlsGuard;
},
update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action) {
update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
this._address = address;
this._port = port;
this._proto = proto;
this._sandbox = sandbox;
this._tlsGuard;
this._tlsGuard = tlsguard;
let port_str = (proto+"").toUpperCase() + " Port "+ port;

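Review bot: The second positional argument of `OptionList` changes meaning on the new line `this.optionList = new OptionList(pid_known, tlsguard);` — it previously received `sandboxed`, and the `OptionList` constructor is outside this diff, so whether it treats that parameter as "sandboxed" or "tlsguard" cannot be confirmed here; its parameter name and any label it drives should be checked and renamed to match. The value arriving as `tlsguard` is `pc.socks()` on the daemon side, i.e. "this is a SOCKS connection", so a one-line comment on `update` such as `// tlsguard: true for SOCKS5 connections, where the TLSGuard option can be offered` would stop the next reader from assuming it means TLSGuard is already active. `_init` and `update` both start or end outside their hunks.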
@ -58,6 +58,7 @@ const FirewallPromptInterface = '<node> \
<arg type="s" direction="in" name="group" /> \
<arg type="i" direction="in" name="pid" /> \
<arg type="s" direction="in" name="sandbox" /> \
<arg type="b" direction="in" name="tlsguard" /> \
<arg type="s" direction="in" name="optstring" /> \
<arg type="b" direction="in" name="expanded" /> \
<arg type="b" direction="in" name="expert" /> \
@ -93,11 +94,11 @@ const FirewallPromptHandler = new Lang.Class({
},
RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, optstring, expanded, expert, action] = params;
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
// this._closeDialog();
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""));
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
this._invocation = invocation;
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action);
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
this._dialog.open();
},
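Review bot: Adding `<arg type="b" direction="in" name="tlsguard" />` to `FirewallPromptInterface` changes the D-Bus method signature of RequestPrompt, so a daemon built before this commit calling with the old 18-argument shape will presumably fail to match the method rather than degrade gracefully; if daemon and shell extension can be deployed separately, that should be stated near the interface, e.g. `// NOTE: argument list must match sgfw's processConnection call order exactly; adding tlsguard is a breaking change for older daemons`. The new argument sits after `sandbox` in the D-Bus signature and in the destructuring on the new `let [...]` line, but after `proto` in the `update(...)` call below it; both orders are internally consistent here, but with nineteen positional parameters a comment naming the two orders would make the next insertion safer. The `RequestPromptAsync` body is fully visible; the interface string starts outside the hunk.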

@ -46,6 +46,7 @@ type pendingConnection interface {
dst() net.IP
dstPort() uint16
sandbox() string
socks() bool
accept()
acceptTLSOnly()
drop()
@ -78,6 +79,10 @@ func (pp *pendingPkt) sandbox() string {
return pp.pinfo.Sandbox
}
func (pp *pendingPkt) socks() bool {
return false
}
func (pp *pendingPkt) policy() *Policy {
return pp.pol
}

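Review bot: The new `socks() bool` method on `pendingConnection` has no doc comment, and its value is forwarded over D-Bus under the name `tlsguard` (see the prompter change in this commit), so the two names will drift apart without a note; suggest `// socks reports whether this connection arrived via the SOCKS5 proxy path rather than the netfilter queue; the prompt uses it to decide whether to offer the TLSGuard option.` on the interface, and `// pendingPkt is always a netfilter-queued packet, never a SOCKS connection.` above the new `pendingPkt` method. The interface and the `pendingPkt` methods around it start outside these hunks.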
@ -162,6 +162,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
gidToGroup(pc.procInfo().GID),
int32(pc.procInfo().Pid),
pc.sandbox(),
pc.socks(),
pc.getOptString(),
FirewallConfig.PromptExpanded,
FirewallConfig.PromptExpert,
@ -229,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules()
}
log.Warningf("Prompt returning rule: %v", rule)
log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule")
}
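Review bot: The new `pc.socks(),` argument is passed in the D-Bus slot that the JavaScript side names `tlsguard`, so "is a SOCKS connection" is silently being read as "TLSGuard applies" on the other end; a comment at the call site, `// sent as the prompt's "tlsguard" flag: TLSGuard is only offered for SOCKS5 connections`, would document that equivalence where it is decided. The corrected log line `log.Warningf("Prompt returning rule: %v", tempRule)` fixes the variable but still logs every prompt-created rule at warning severity; `log.Infof` seems more appropriate for a normal event. `processConnection` starts and ends outside these hunks.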

@ -187,7 +187,19 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
if pkt != nil {
nfqproto = getNFQProto(pkt)
} else {
log.Notice("Weird state.")
log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname)
if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) {
log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW {
return FILTER_ALLOW
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
return FILTER_ALLOW_TLSONLY
}
} else {
return FILTER_PROMPT
}
}
}
log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
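Review bot: The `else { return FILTER_PROMPT }` branch on the new lines returns as soon as one rule fails the SOCKS5 match; if this sits inside the per-rule loop, as the use of `r` suggests, only the first rule in the list is ever consulted for SOCKS connections and a later DENY rule is never reached. The match condition also never compares `r.addr` with `dst`: the clause `r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname` lets a rule written for one specific IP with no hostname match any destination on that port, and `dst` is the resolved IP here (`filter(nil, nil, ip, port, ...)` in the SOCKS caller). I would drop the early-return else so non-matching rules fall through to the next iteration and prompt only after the loop, and tighten the address clause as below; whether `FILTER_PROMPT` is already the post-loop default cannot be seen from this hunk. The `log.Noticef("Weird state: ...")` line also prints the requested hostname at notice level on every SOCKS connection, which is noisy and leaks browsing destinations into the log; `log.Debugf` would be safer. `filter` starts and ends outside the hunk.
```go
} else {
	log.Debugf("SOCKS5 match state: %v %v %v %v", r.port, dstPort, hostname, r.hostname)
	addrOK := r.addr.Equal(anyAddress) ||
		(r.hostname == "" && r.addr.Equal(dst)) ||
		(r.hostname != "" && r.hostname == hostname)
	if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && addrOK {
		// … unchanged: DENY / ALLOW / ALLOW_TLSONLY dispatch …
	}
	// no early return here: a non-matching rule must not stop evaluation of later rules
}
```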

@ -63,6 +63,10 @@ func (sc *pendingSocksConnection) sandbox() string {
return sc.pinfo.Sandbox
}
func (sc *pendingSocksConnection) socks() bool {
return true
}
func (sc *pendingSocksConnection) policy() *Policy {
return sc.pol
}
@ -312,7 +316,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
return false, false
}
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
log.Errorf("result %v", result)
log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))
switch result {
case FILTER_DENY:
return false, false

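Review bot: The changed line `log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))` logs every SOCKS filter outcome at error severity, which will flood error-level monitoring with routine decisions; this is debug output and should be `log.Debugf`. The new `socks()` method deserves a one-line doc comment, e.g. `// socks reports that this connection came through the SOCKS5 proxy, so the prompt can offer TLSGuard.` `filterConnect` starts and ends outside the hunk.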