extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-02-23 05:31:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix rule order to solve DNS resolver issue

Browse Source
This commit is contained in:
Pascal Fischer 2023-07-11 19:58:21 +02:00
parent e074c24487
commit 6e264d9de7
1 changed files with 28 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
client/firewall/uspfilter/uspfilter.go
View File

@ -241,20 +241,32 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco
} }
} }
if len(rules["0.0.0.0"]) > 0 || len(rules["::"]) > 0 { filter, ok := validateRule(ip, packetData, rules[ip.String()], d)
return false if ok {
return filter
}
filter, ok = validateRule(ip, packetData, rules["0.0.0.0"], d)
if ok {
return filter
}
filter, ok = validateRule(ip, packetData, rules["::"], d)
if ok {
return filter
} }
payloadLayer := d.decoded[1] // default policy is DROP ALL
return true
}
// check if IP address match by IP func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decoder) (bool, bool) {
for _, rule := range rules[ip.String()] { payloadLayer := d.decoded[1]
for _, rule := range rules {
if rule.matchByIP && !ip.Equal(rule.ip) { if rule.matchByIP && !ip.Equal(rule.ip) {
continue continue
} }
if rule.protoLayer == layerTypeAll { if rule.protoLayer == layerTypeAll {
return rule.drop return rule.drop, true
} }
if payloadLayer != rule.protoLayer { if payloadLayer != rule.protoLayer {
@ -264,38 +276,36 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco
switch payloadLayer { switch payloadLayer {
case layers.LayerTypeTCP: case layers.LayerTypeTCP:
if rule.sPort == 0 && rule.dPort == 0 { if rule.sPort == 0 && rule.dPort == 0 {
return rule.drop return rule.drop, true
} }
if rule.sPort != 0 && rule.sPort == uint16(d.tcp.SrcPort) { if rule.sPort != 0 && rule.sPort == uint16(d.tcp.SrcPort) {
return rule.drop return rule.drop, true
} }
if rule.dPort != 0 && rule.dPort == uint16(d.tcp.DstPort) { if rule.dPort != 0 && rule.dPort == uint16(d.tcp.DstPort) {
return rule.drop return rule.drop, true
} }
case layers.LayerTypeUDP: case layers.LayerTypeUDP:
// if rule has UDP hook (and if we are here we match this rule) // if rule has UDP hook (and if we are here we match this rule)
// we ignore rule.drop and call this hook // we ignore rule.drop and call this hook
if rule.udpHook != nil { if rule.udpHook != nil {
return rule.udpHook(packetData) return rule.udpHook(packetData), true
} }
if rule.sPort == 0 && rule.dPort == 0 { if rule.sPort == 0 && rule.dPort == 0 {
return rule.drop return rule.drop, true
} }
if rule.sPort != 0 && rule.sPort == uint16(d.udp.SrcPort) { if rule.sPort != 0 && rule.sPort == uint16(d.udp.SrcPort) {
return rule.drop return rule.drop, true
} }
if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) { if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
return rule.drop return rule.drop, true
} }
return rule.drop return rule.drop, true
case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6: case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
return rule.drop return rule.drop, true
} }
} }
return false, false
// default policy is DROP ALL
return true
} }
// SetNetwork of the wireguard interface to which filtering applied // SetNetwork of the wireguard interface to which filtering applied