Merge pull request #122 from safing/feature/spn-integration

Add SPN integration
safing · Aug 6, 2020 · 7ccd0d1 · 7ccd0d1
2 parents 1ce9049 + cdec623
commit 7ccd0d1
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 28 deletions.
diff --git a/.ci-inject-internal-deps.sh b/.ci-inject-internal-deps.sh
@@ -15,4 +15,8 @@ echo "
 [[constraint]]
   name = \"github.com/safing/portbase\"
   branch = \"${PORTBASE_BRANCH}\"
+
+[[constraint]]
+  name = \"github.com/safing/spn\"
+  branch = \"${PORTBASE_BRANCH}\"
 " >> $DEP_FILE
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -24,7 +24,7 @@
 #   go-tests = true
 #   unused-packages = true
 
-ignored = ["github.com/safing/portbase/*"]
+ignored = ["github.com/safing/portbase/*", "github.com/safing/spn/*"]
 
 [[constraint]]
   name = "github.com/miekg/dns"

diff --git a/cmds/portmaster-core/main.go b/cmds/portmaster-core/main.go
@@ -5,16 +5,24 @@ import (
 
 	"github.com/safing/portbase/info"
 	"github.com/safing/portbase/run"
+	"github.com/safing/spn/conf"
 
 	// include packages here
 	_ "github.com/safing/portbase/modules/subsystems"
 	_ "github.com/safing/portmaster/core"
 	_ "github.com/safing/portmaster/firewall"
 	_ "github.com/safing/portmaster/nameserver"
 	_ "github.com/safing/portmaster/ui"
+	_ "github.com/safing/spn/captain"
 )
 
 func main() {
-	info.Set("Portmaster", "0.4.18", "AGPLv3", true)
+	// set information
+	info.Set("Portmaster", "0.5.0", "AGPLv3", true)
+
+	// enable SPN client mode
+	conf.EnableClient(true)
+
+	// start
 	os.Exit(run.Run())
 }
diff --git a/firewall/interception.go b/firewall/interception.go
@@ -12,7 +12,10 @@ import (
 	"github.com/safing/portmaster/firewall/inspection"
 	"github.com/safing/portmaster/firewall/interception"
 	"github.com/safing/portmaster/network"
+	"github.com/safing/portmaster/network/netutils"
 	"github.com/safing/portmaster/network/packet"
+	"github.com/safing/spn/captain"
+	"github.com/safing/spn/sluice"
 
 	// module dependencies
 	_ "github.com/safing/portmaster/core/base"
@@ -222,6 +225,22 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 	DecideOnConnection(pkt.Ctx(), conn, pkt)
 	conn.Inspecting = false // TODO: enable inspecting again
 
+	// tunneling
+	// TODO: add implementation for forced tunneling
+	if pkt.IsOutbound() &&
+		captain.ClientReady() &&
+		netutils.IPIsGlobal(conn.Entity.IP) &&
+		conn.Verdict == network.VerdictAccept {
+		// try to tunnel
+		err := sluice.AwaitRequest(pkt.Info(), conn.Entity.Domain)
+		if err != nil {
+			log.Tracer(pkt.Ctx()).Tracef("filter: not tunneling: %s", err)
+		} else {
+			log.Tracer(pkt.Ctx()).Trace("filter: tunneling request")
+			conn.Verdict = network.VerdictRerouteToTunnel
+		}
+	}
+
 	switch {
 	case conn.Inspecting:
 		log.Tracer(pkt.Ctx()).Trace("filter: start inspecting")

diff --git a/firewall/interception/nfqueue_linux.go b/firewall/interception/nfqueue_linux.go
@@ -81,8 +81,8 @@ func init() {
 		"filter OUTPUT -j C17",
 		"filter INPUT -j C17",
 		"nat OUTPUT -m mark --mark 1799 -p udp -j DNAT --to 127.0.0.1:53",
-		"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to 127.0.0.17:1117",
-		"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to 127.0.0.17:1117",
+		"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to 127.0.0.17:717",
+		"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to 127.0.0.17:717",
 		// "nat OUTPUT -m mark --mark 1717 ! -p tcp ! -p udp -j DNAT --to 127.0.0.17",
 	}
 
@@ -116,8 +116,8 @@ func init() {
 		"filter OUTPUT -j C17",
 		"filter INPUT -j C17",
 		"nat OUTPUT -m mark --mark 1799 -p udp -j DNAT --to [::1]:53",
-		"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to [fd17::17]:1117",
-		"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to [fd17::17]:1117",
+		"nat OUTPUT -m mark --mark 1717 -p tcp -j DNAT --to [fd17::17]:717",
+		"nat OUTPUT -m mark --mark 1717 -p udp -j DNAT --to [fd17::17]:717",
 		// "nat OUTPUT -m mark --mark 1717 ! -p tcp ! -p udp -j DNAT --to [fd17::17]",
 	}
 

diff --git a/intel/geoip/location.go b/intel/geoip/location.go
@@ -105,6 +105,7 @@ func PrimitiveNetworkProximity(from net.IP, to net.IP, ipVersion uint8) int {
 
 	switch ipVersion {
 	case 4:
+		// TODO: use ip.To4() and :4
 		a := binary.BigEndian.Uint32(from[12:])
 		b := binary.BigEndian.Uint32(to[12:])
 		if a > b {

diff --git a/updates/main.go b/updates/main.go
@@ -54,6 +54,10 @@ var (
 	updateASAP          bool
 	disableTaskSchedule bool
 
+	// MandatoryUpdates is a list of full identifiers that
+	// should always be kept up to date.
+	MandatoryUpdates []string
+
 	// UserAgent is an HTTP User-Agent that is used to add
 	// more context to requests made by the registry when
 	// fetching resources from the update server.
@@ -72,6 +76,24 @@ func init() {
 	module.RegisterEvent(ResourceUpdateEvent)
 
 	flag.StringVar(&userAgentFromFlag, "update-agent", "", "Sets the user agent for requests to the update server")
+
+	// initialize mandatory updates
+	if onWindows {
+		MandatoryUpdates = []string{
+			platform("core/portmaster-core.exe"),
+			platform("start/portmaster-start.exe"),
+			platform("app/portmaster-app.exe"),
+			platform("notifier/portmaster-notifier.exe"),
+			platform("notifier/portmaster-snoretoast.exe"),
+		}
+	} else {
+		MandatoryUpdates = []string{
+			platform("core/portmaster-core"),
+			platform("start/portmaster-start"),
+			platform("app/portmaster-app"),
+			platform("notifier/portmaster-notifier"),
+		}
+	}
 }
 
 func prep() error {
@@ -107,32 +129,14 @@ func start() error {
 		return err
 	}
 
-	var mandatoryUpdates []string
-	if onWindows {
-		mandatoryUpdates = []string{
-			platform("core/portmaster-core.exe"),
-			platform("start/portmaster-start.exe"),
-			platform("app/portmaster-app.exe"),
-			platform("notifier/portmaster-notifier.exe"),
-			platform("notifier/portmaster-snoretoast.exe"),
-		}
-	} else {
-		mandatoryUpdates = []string{
-			platform("core/portmaster-core"),
-			platform("start/portmaster-start"),
-			platform("app/portmaster-app"),
-			platform("notifier/portmaster-notifier"),
-		}
-	}
-
 	// create registry
 	registry = &updater.ResourceRegistry{
 		Name: ModuleName,
 		UpdateURLs: []string{
 			"https://updates.safing.io",
 		},
 		UserAgent:        UserAgent,
-		MandatoryUpdates: mandatoryUpdates,
+		MandatoryUpdates: MandatoryUpdates,
 		Beta:             releaseChannel() == releaseChannelBeta,
 		DevMode:          devMode(),
 		Online:           true,

diff --git a/updates/upgrader.go b/updates/upgrader.go
@@ -29,6 +29,9 @@ const (
 )
 
 var (
+	// UpgradeCore specifies if portmaster-core should be upgraded.
+	UpgradeCore = true
+
 	upgraderActive = abool.NewBool(false)
 	pmCtrlUpdate   *updater.File
 	pmCoreUpdate   *updater.File
@@ -58,9 +61,11 @@ func upgrader(_ context.Context, _ interface{}) error {
 		log.Warningf("updates: failed to upgrade portmaster-start: %s", err)
 	}
 
-	err = upgradeCoreNotify()
-	if err != nil {
-		log.Warningf("updates: failed to notify about core upgrade: %s", err)
+	if UpgradeCore {
+		err = upgradeCoreNotify()
+		if err != nil {
+			log.Warningf("updates: failed to notify about core upgrade: %s", err)
+		}
 	}
 
 	return nil