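// processPacket applies this Policy to one queued packet on behalf of the
// process that owns it. It resolves pkt.Dst to a hostname through the
// firewall's DNS tracker, runs the policy's rule set, and issues the
// verdict the rules produce:
//
//   - FILTER_ALLOW:  the packet is accepted as-is.
//   - FILTER_DENY:   the packet is marked (Mark = 1) and then accepted;
//     the mark is presumably acted on by a netfilter rule downstream —
//     verify against the firewall's iptables/nftables setup.
//   - FILTER_PROMPT: the decision is deferred to the user through
//     processPromptResult, which takes ownership of the packet.
//
// Any other result is treated as a deny. The previous implementation only
// logged a warning for an unexpected result and never issued a verdict,
// which leaves the packet sitting in the kernel queue without a decision;
// for a firewall the safe default is to fail closed.
//
// p.lock is held for the whole call, including the FILTER_PROMPT path.
func (p *Policy) processPacket(pkt *nfqueue.Packet, proc *ProcInfo) {
	p.lock.Lock()
	defer p.lock.Unlock()

	name := p.fw.dns.Lookup(pkt.Dst)
	log.Info("Lookup(%s): %s", pkt.Dst.String(), name)

	result := p.rules.filter(pkt, proc, name)
	switch result {
	case FILTER_ALLOW:
		pkt.Accept()
	case FILTER_DENY:
		pkt.Mark = 1
		pkt.Accept()
	case FILTER_PROMPT:
		p.processPromptResult(&pendingPkt{policy: p, hostname: name, pkt: pkt, proc: proc})
	default:
		// Fail closed: an unknown filter result must still yield a
		// verdict, and the same one FILTER_DENY uses, rather than
		// leaving the packet un-verdicted in the queue.
		log.Warning("Unexpected filter result: %d", result)
		pkt.Mark = 1
		pkt.Accept()
	}
}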
// filterPacket is the entry point for every packet taken off the netfilter
// queue. It either verdicts the packet immediately or hands it to the
// Policy for the executable that sent it.
//
// Decision order:
//  1. UDP with source port 53 is accepted unconditionally and then passed
//     to fw.dns.processDNS so later fw.dns.Lookup calls can map addresses
//     to hostnames.
//     NOTE(review): this test keys only on protocol and source port, so
//     any UDP traffic from port 53 bypasses policy entirely and is parsed
//     as DNS. Whether that is reachable from an unprivileged local process
//     depends on which directions the queue's iptables rules capture,
//     which is not visible here — confirm.
//  2. If no owning process can be found, the packet is accepted with a
//     warning. NOTE(review): this is fail-open; traffic whose sender
//     cannot be attributed passes with no policy check.
//  3. Packets that basicAllowPacket approves (criteria defined elsewhere)
//     are accepted without consulting a policy.
//  4. Everything else is dispatched to the per-executable Policy.
//
// fw.lock is held only around the policy lookup, not while the policy
// runs; Policy serialises itself with its own lock.
func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) {
	fromDNSPort := pkt.Protocol == nfqueue.UDP && pkt.SrcPort == 53
	if fromDNSPort {
		pkt.Accept()
		fw.dns.processDNS(pkt)
		return
	}

	owner := findProcessForPacket(pkt)
	if owner == nil {
		log.Warning("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst)))
		pkt.Accept()
		return
	}
	log.Debug("filterPacket [%s] %s", owner.exePath, printPacket(pkt, fw.dns.Lookup(pkt.Dst)))

	if basicAllowPacket(pkt) {
		pkt.Accept()
		return
	}

	// Take fw.lock only for the lookup; processPacket acquires the
	// policy's own lock and must not run under fw.lock.
	fw.lock.Lock()
	pol := fw.policyForPath(owner.exePath)
	fw.lock.Unlock()

	pol.processPacket(pkt, owner)
}