func (p *Policy) processPacket(pkt *nfqueue.Packet, proc *ProcInfo) {
p.lock.Lock()
defer p.lock.Unlock()
name := p.fw.dns.Lookup(pkt.Dst)
log.Info("Lookup(%s): %s", pkt.Dst.String(), name)
result := p.rules.filter(pkt, proc, name)
switch result {
case FILTER_DENY:
pkt.Mark = 1
pkt.Accept()
case FILTER_ALLOW:
pkt.Accept()
case FILTER_PROMPT:
p.processPromptResult(&pendingPkt{policy: p, hostname: name, pkt: pkt, proc: proc})
default:
log.Warning("Unexpected filter result: %d", result)
}
}
func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
if pkt.Protocol == nfqueue.UDP && pkt.SrcPort == 53 {
pkt.Accept()
fw.dns.processDNS(pkt)
return
}
proc := findProcessForPacket(pkt)
if proc == nil {
log.Warning("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst)))
pkt.Accept()
return
}
log.Debug("filterPacket [%s] %s", proc.exePath, printPacket(pkt, fw.dns.Lookup(pkt.Dst)))
if basicAllowPacket(pkt) {
pkt.Accept()
return
}
fw.lock.Lock()
policy := fw.policyForPath(proc.exePath)
fw.lock.Unlock()
policy.processPacket(pkt, proc)
}