Don't Drop() denied packets, just set a Mark on them

9 years ago · f8b331a987
parent a90827e88d
commit f8b331a987
2 changed files with 10 additions and 4 deletions
--- a/policy.go
+++ b/policy.go
@ -50,7 +50,8 @@ func (p *Policy) processPacket(pkt *nfqueue.Packet, proc *ProcInfo) {
 	result := p.rules.filter(pkt, proc, name)
 	switch result {
 	case FILTER_DENY:
-		pkt.Drop()
+		pkt.Mark = 1
+		pkt.Accept()
 	case FILTER_ALLOW:
 		pkt.Accept()
 	case FILTER_PROMPT:
@ -116,7 +117,8 @@ func (p *Policy) filterPending(rule *Rule) {
 			if rule.rtype == RULE_ALLOW {
 				pp.pkt.Accept()
 			} else {
-				pp.pkt.Drop()
+				pp.pkt.Mark = 1
+				pp.pkt.Accept()
 			}
 		} else {
 			remaining = append(remaining, pp)
--- a/prompt.go
+++ b/prompt.go
@ -98,7 +98,9 @@ func (p *prompter) processPacket(pp *pendingPkt) {
 	if err != nil {
 		log.Warning("Error sending dbus RequestPrompt message: %v", err)
 		pp.policy.removePending(pp)
-		pp.pkt.Drop()
+		pp.pkt.Mark = 1
+		pp.pkt.Accept()
+		//pp.pkt.Drop()
 		return
 	}
 	log.Debug("Received prompt response: %s [%s]", printScope(scope), rule)
@ -107,7 +109,9 @@ func (p *prompter) processPacket(pp *pendingPkt) {
 	if err != nil {
 		log.Warning("Error parsing rule string returned from dbus RequestPrompt: %v", err)
 		pp.policy.removePending(pp)
-		pp.pkt.Drop()
+		pp.pkt.Mark = 1
+		pp.pkt.Accept()
+		//pp.pkt.Drop()
 		return
 	}
 	if scope == APPLY_SESSION {