safing
diff --git a/‎cmds/portmaster-core/main.go‎
Lines changed: 3 additions & 0 deletions b/‎cmds/portmaster-core/main.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎firewall/dpi/assembler.go‎
Lines changed: 168 additions & 0 deletions b/‎firewall/dpi/assembler.go‎
Lines changed: 168 additions & 0 deletions
diff --git a/‎firewall/dpi/manager.go‎
Lines changed: 186 additions & 0 deletions b/‎firewall/dpi/manager.go‎
Lines changed: 186 additions & 0 deletions
@@ -13,6 +13,9 @@ import (
 	_ "github.com/safing/portmaster/core"
 	_ "github.com/safing/portmaster/firewall"
 	_ "github.com/safing/portmaster/firewall/inspection/encryption"
+	_ "github.com/safing/portmaster/firewall/inspection/http"
+	_ "github.com/safing/portmaster/firewall/inspection/tls"
+	_ "github.com/safing/portmaster/firewall/inspection/upnpigd"
 	_ "github.com/safing/portmaster/nameserver"
 	_ "github.com/safing/portmaster/ui"
 	_ "github.com/safing/spn/captain"
 
@@ -0,0 +1,168 @@
+package dpi
+
+import (
+	"fmt"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/google/gopacket/reassembly"
+	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/network"
+)
+
+// Context implements reassembly.AssemblerContext.
+type Context struct {
+	CaptureInfo     gopacket.CaptureInfo
+	Connection      *network.Connection
+	Verdict         *network.Verdict
+	Reason          network.VerdictReason
+	Tracer          *log.ContextTracer
+	HandlerExecuted bool
+}
+
+func (c *Context) GetCaptureInfo() gopacket.CaptureInfo {
+	return c.CaptureInfo
+}
+
+type tcpStreamFactory struct {
+	manager *Manager
+}
+
+func (factory *tcpStreamFactory) New(net, transport gopacket.Flow, tcp *layers.TCP, ac reassembly.AssemblerContext) reassembly.Stream {
+	log.Infof("tcp-stream-factory: new stream for %s %s", net, transport)
+	fsmOptions := reassembly.TCPSimpleFSMOptions{
+		SupportMissingEstablishment: true,
+	}
+	stream := &tcpStream{
+		net:        net,
+		transport:  transport,
+		tcpstate:   reassembly.NewTCPSimpleFSM(fsmOptions),
+		ident:      fmt.Sprintf("%s:%s", net, transport),
+		optchecker: reassembly.NewTCPOptionCheck(),
+		manager:    factory.manager,
+	}
+	return stream
+}
+
+type tcpStream struct {
+	conn    *network.Connection
+	manager *Manager
+
+	tcpstate       *reassembly.TCPSimpleFSM
+	optchecker     reassembly.TCPOptionCheck
+	net, transport gopacket.Flow
+	ident          string
+}
+
+func (t *tcpStream) Accept(
+	tcp *layers.TCP,
+	ci gopacket.CaptureInfo,
+	dir reassembly.TCPFlowDirection,
+	nextSeq reassembly.Sequence,
+	start *bool,
+	ac reassembly.AssemblerContext) bool {
+
+	conn := ac.(*Context).Connection
+	if t.conn != nil && t.conn.ID != conn.ID {
+		// TODO(ppacher): for localhost to localhost connections this stream-reassembler will be called for both
+		// connections because gopacket's flow IDs collide with it's reverse tuple. That's on purpose so
+		// client->server and server->client packets are attributed correctly but it may cause errors if the
+		// portmaster sees both, the client and server side of a connection
+		if t.conn.LocalPort != conn.Entity.Port {
+			panic(fmt.Sprintf("TCPStream already has a connection object assigned: %s != %s", t.conn.ID, conn.ID))
+		}
+	}
+	t.conn = conn
+
+	if !t.tcpstate.CheckState(tcp, dir) {
+		log.Errorf("tcp-stream %s: fsm: packet rejected by FSM (state: %s)", t.ident, t.tcpstate.String())
+		return false
+	}
+
+	err := t.optchecker.Accept(tcp, ci, dir, nextSeq, start)
+	if err != nil {
+		log.Errorf("tcp-stream %s: option-checker: packet rejected: %s", t.ident, err)
+		return false
+	}
+
+	return true
+}
+
+func (t *tcpStream) ReassembledSG(sg reassembly.ScatterGather, ac reassembly.AssemblerContext) {
+	c := ac.(*Context)
+	conn := c.Connection
+
+	dir, start, end, skip := sg.Info()
+	length, saved := sg.Lengths()
+	sgStats := sg.Stats()
+
+	data := sg.Fetch(length)
+	var ident string
+	if dir == reassembly.TCPDirClientToServer {
+		ident = fmt.Sprintf("%v %v(%s): ", t.net, t.transport, dir)
+		conn.OutgoingStream.Append(data)
+	} else {
+		ident = fmt.Sprintf("%v %v(%s): ", t.net.Reverse(), t.transport.Reverse(), dir)
+		conn.IncomingStream.Append(data)
+	}
+
+	c.Tracer.Debugf("tcp-stream %s: reassembled packet with %d bytes (start:%v,end:%v,skip:%d,saved:%d,nb:%d,%d,overlap:%d,%d)", ident, length, start, end, skip, saved, sgStats.Packets, sgStats.Chunks, sgStats.OverlapBytes, sgStats.OverlapPackets)
+
+	var (
+		verdict    network.Verdict
+		reason     network.VerdictReason
+		hasHandler bool
+	)
+	c.HandlerExecuted = true
+
+	all := conn.StreamHandlers()
+	for idx, sh := range all {
+		if sh == nil {
+			continue
+		}
+		name := fmt.Sprintf("%T", sh)
+		if n, ok := sh.(named); ok {
+			name = n.Name()
+		}
+
+		hasHandler = true
+		c.Tracer.Infof("inspector(%s, %d/%d): running stream inspector", name, idx+1, len(all))
+		v, r, err := sh.HandleStream(conn, network.FlowDirection(dir), data)
+		if err != nil {
+			c.Tracer.Errorf("inspector(%s): failed to run stream handler: %s", name, err)
+		}
+		if v == network.VerdictUndeterminable {
+			// not applicable anymore
+			c.Tracer.Debugf("inspector(%s): stream inspector is not applicable anymore", name)
+			conn.RemoveHandler(idx, sh)
+			continue
+		}
+		if err != nil {
+			continue
+		}
+
+		if v > network.VerdictUndecided {
+			c.Tracer.Infof("inspector(%s): stream inspector found a conclusion: %s", name, v.String())
+		}
+		if v > verdict {
+			verdict = v
+			reason = r
+		}
+	}
+	if hasHandler {
+		c.Verdict = &verdict
+		c.Reason = reason
+	}
+}
+
+func (t *tcpStream) ReassemblyComplete(ac reassembly.AssemblerContext) bool {
+	log.Infof("tcp-stream %s: connection closed", t.ident)
+
+	if t.conn == nil {
+		return true
+	}
+
+	log.Infof("tcp-stream: connection %s sent %d bytes and received %d bytes", t.conn.OutgoingStream.Length(), t.conn.IncomingStream.Length())
+
+	return true
+}
@@ -0,0 +1,186 @@
+package dpi
+
+import (
+	"fmt"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/ip4defrag"
+	"github.com/google/gopacket/layers"
+	"github.com/google/gopacket/reassembly"
+	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/network"
+	"github.com/safing/portmaster/network/packet"
+)
+
+type Manager struct {
+	defragv4  *ip4defrag.IPv4Defragmenter
+	pool      *reassembly.StreamPool
+	assembler *reassembly.Assembler
+}
+
+func NewManager() *Manager {
+	streamFactory := new(tcpStreamFactory)
+	streamPool := reassembly.NewStreamPool(streamFactory)
+	assembler := reassembly.NewAssembler(streamPool)
+
+	mng := &Manager{
+		defragv4:  ip4defrag.NewIPv4Defragmenter(),
+		pool:      streamPool,
+		assembler: assembler,
+	}
+
+	// make sure the streamFactory has a reference to the
+	// manager for dispatching reassembled streams.
+	streamFactory.manager = mng
+
+	return mng
+}
+
+type named interface{ Name() string }
+
+func (mng *Manager) HandlePacket(conn *network.Connection, p packet.Packet) (network.Verdict, network.VerdictReason, error) {
+	trace := log.Tracer(p.Ctx())
+
+	gp := p.Layers()
+
+	// if this is a IPv4 packet make sure we defrag it.
+	ipv4Layer := gp.Layer(layers.LayerTypeIPv4)
+	if ipv4Layer != nil {
+		ipv4 := ipv4Layer.(*layers.IPv4)
+		l := ipv4.Length
+
+		newip4, err := mng.defragv4.DefragIPv4(ipv4)
+		if err != nil {
+			return 0, nil, fmt.Errorf("failed to de-fragment: %w", err)
+		}
+		if newip4 == nil {
+			// this is a fragmented packet
+			// wait for the next one
+			trace.Debugf("tcp-stream-manager: fragmented IPv4 packet ...")
+			return 0, nil, nil
+		}
+		if newip4.Length != l {
+			pb, ok := gp.(gopacket.PacketBuilder)
+			if !ok {
+				return 0, nil, fmt.Errorf("expected a PacketBuilder, got %T", p)
+			}
+			trace.Debugf("decoding re-assembled packet ...")
+			nextDecoder := newip4.NextLayerType()
+			nextDecoder.Decode(newip4.Payload, pb)
+		}
+	}
+
+	var (
+		verdict          network.Verdict
+		reason           network.VerdictReason
+		hasActiveHandler bool
+	)
+	for idx, pk := range conn.PacketHandlers() {
+		if pk == nil {
+			continue
+		}
+		name := fmt.Sprintf("%T", pk)
+		if n, ok := pk.(named); ok {
+			name = n.Name()
+		}
+
+		hasActiveHandler = true
+
+		trace.Infof("%s: running packet inspector", name)
+		v, r, err := pk.HandlePacket(conn, gp)
+		if err != nil {
+			trace.Errorf("inspector(%s): failed to call packet handler: %s", name, err)
+		}
+		if v == network.VerdictUndeterminable {
+			// this handler is not applicable for conn anymore
+			trace.Debugf("inspector(%s): packet inspector is not applicable for this connection anymore ...", name)
+			conn.RemoveHandler(idx, pk)
+			continue
+		}
+		if err != nil {
+			continue
+		}
+
+		if v > network.VerdictUndecided {
+			trace.Infof("inspector(%s): packet inspector found a conclusion: %s", name, v.String())
+		}
+		if v > verdict {
+			verdict = v
+			reason = r
+		}
+	}
+
+	// handle TCP stream reassembling
+	tcp := gp.Layer(layers.LayerTypeTCP)
+	if tcp != nil {
+		tcp := tcp.(*layers.TCP)
+		c := &Context{
+			CaptureInfo: gp.Metadata().CaptureInfo,
+			Connection:  conn,
+			Tracer:      trace,
+		}
+
+		// reassemble the stream and call any stream handlers of the connection
+		mng.assembler.AssembleWithContext(gp.NetworkLayer().NetworkFlow(), tcp, c)
+		if !c.HandlerExecuted {
+			// if we did not even try to execute the handler
+			// we need to assume there are still active ones.
+			// This may happen we we are still waiting for
+			// an IP frame ...
+			hasActiveHandler = true
+		} else {
+			if c.Verdict != nil {
+				hasActiveHandler = true
+				if *c.Verdict > verdict {
+					verdict = *c.Verdict
+				}
+			}
+		}
+	}
+
+	udp := gp.Layer(layers.LayerTypeUDP)
+	if udp != nil {
+		payload := gp.ApplicationLayer().Payload()
+		for idx, uh := range conn.DgramHandlers() {
+			if uh == nil {
+				continue
+			}
+			name := fmt.Sprintf("%T", uh)
+			if n, ok := uh.(named); ok {
+				name = n.Name()
+			}
+
+			hasActiveHandler = true
+			trace.Infof("inspector(%s): running dgram inspector", name)
+			v, r, err := uh.HandleDGRAM(conn, network.FlowDirection(!conn.Inbound), payload)
+			if err != nil {
+				trace.Errorf("inspector(%s): failed to run dgram handler: %s", name, err)
+			}
+			if v == network.VerdictUndeterminable {
+				trace.Debugf("inspector(%s): dgram inspector is not applicable for this connection anymore ...", name)
+				conn.RemoveHandler(idx, uh)
+				continue
+			}
+			if err != nil {
+				continue
+			}
+
+			if v > network.VerdictUndecided {
+				trace.Infof("inspector(%s): dgram inspector found a conclusion: %s", name, v.String())
+			}
+			if v > verdict {
+				verdict = v
+				reason = r
+			}
+		}
+	}
+
+	if !hasActiveHandler || verdict > network.VerdictUndeterminable {
+		trace.Infof("stopping inspection %s: hasActiveHandler=%v verdict=%s", conn.ID, hasActiveHandler, verdict.String())
+		// we don't have any active handlers anymore so
+		// there's no need to continue inspection
+		conn.Inspecting = false
+	}
+
+	return verdict, reason, nil
+}