From f8b331a9873cc4360fd1a5a704c29244c1ab7c67 Mon Sep 17 00:00:00 2001
From: brl
Date: Mon, 14 Dec 2015 19:43:23 +0000
Subject: [PATCH] Don't Drop() denied packets, just set a Mark on them

---
 policy.go | 6 ++++--
 prompt.go | 8 ++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/policy.go b/policy.go
index d576803..054dd9d 100644
--- a/policy.go
+++ b/policy.go
@@ -50,7 +50,8 @@ func (p *Policy) processPacket(pkt *nfqueue.Packet, proc *ProcInfo) {
 result := p.rules.filter(pkt, proc, name)
 switch result {
 case FILTER_DENY:
-pkt.Drop()
+pkt.Mark = 1
+pkt.Accept()
 case FILTER_ALLOW:
 pkt.Accept()
 case FILTER_PROMPT:
@@ -116,7 +117,8 @@ func (p *Policy) filterPending(rule *Rule) {
 if rule.rtype == RULE_ALLOW {
 pp.pkt.Accept()
 } else {
-pp.pkt.Drop()
+pp.pkt.Mark = 1
+pp.pkt.Accept()
 }
 } else {
 remaining = append(remaining, pp)
diff --git a/prompt.go b/prompt.go
index 14df65e..71f7f96 100644
--- a/prompt.go
+++ b/prompt.go
@@ -98,7 +98,9 @@ func (p *prompter) processPacket(pp *pendingPkt) {
 if err != nil {
 log.Warning("Error sending dbus RequestPrompt message: %v", err)
 pp.policy.removePending(pp)
-pp.pkt.Drop()
+pp.pkt.Mark = 1
+pp.pkt.Accept()
+//pp.pkt.Drop()
 return
 }
 log.Debug("Received prompt response: %s [%s]", printScope(scope), rule)
@@ -107,7 +109,9 @@ func (p *prompter) processPacket(pp *pendingPkt) {
 if err != nil {
 log.Warning("Error parsing rule string returned from dbus RequestPrompt: %v", err)
 pp.policy.removePending(pp)
-pp.pkt.Drop()
+pp.pkt.Mark = 1
+pp.pkt.Accept()
+//pp.pkt.Drop()
 return
 }
 if scope == APPLY_SESSION {
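Review bot: In the FILTER_DENY case of policy.go processPacket the deny verdict is now `pkt.Mark = 1` followed by `pkt.Accept()`, so whether a denied packet is actually blocked depends on a netfilter rule matching that mark which this patch neither adds nor references; the same applies to the filterPending hunk and to both error paths in prompt.go processPacket. The literal `1` is repeated at all four sites — declare it once, e.g. `const markDenied = 1 // fwmark that the external drop rule must match; without that rule a deny becomes an allow`, and use it everywhere so the value is documented and cannot drift. It also appears to assume that Accept() transmits the mark together with the verdict; that should be confirmed against the nfqueue package and stated in the commit message, because a mismatch fails open silently. The `//pp.pkt.Drop()` lines left in prompt.go are dead code and should be removed rather than commented out. All four enclosing functions continue outside the hunks.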