Properly abort blocked connections

app/src/main/jni/netguard/ip.c

@@ -319,11 +319,14 @@ void handle_ip(const struct arguments *args,
         else if (protocol == IPPROTO_UDP)
             handle_udp(args, pkt, length, payload, uid, redirect, epoll_fd);
         else if (protocol == IPPROTO_TCP)
-            handle_tcp(args, pkt, length, payload, uid, redirect, epoll_fd);
+            handle_tcp(args, pkt, length, payload, uid, allowed, redirect, epoll_fd);
     }
     else {
         if (protocol == IPPROTO_UDP)
             block_udp(args, pkt, length, payload, uid);
+        if (protocol == IPPROTO_TCP)
+            handle_tcp(args, pkt, length, payload, uid, allowed, redirect, epoll_fd);
+
         log_android(ANDROID_LOG_WARN, "Address v%d p%d %s/%u syn %d not allowed",
                     version, protocol, dest, dport, syn);
     }

app/src/main/jni/netguard/netguard.h

@@ -407,7 +407,7 @@ void clear_tcp_data(struct tcp_session *cur);
 jboolean handle_tcp(const struct arguments *args,
                     const uint8_t *pkt, size_t length,
                     const uint8_t *payload,
-                    int uid, struct allowed *redirect,
+                    int uid, int allowed, struct allowed *redirect,
                     const int epoll_fd);
 
 void queue_tcp(const struct arguments *args,
@@ -436,6 +436,8 @@ int write_fin_ack(const struct arguments *args, struct tcp_session *cur);
 
 void write_rst(const struct arguments *args, struct tcp_session *cur);
 
+void write_rst_ack(const struct arguments *args, struct tcp_session *cur);
+
 ssize_t write_icmp(const struct arguments *args, const struct icmp_session *cur,
                    uint8_t *data, size_t datalen);
 

app/src/main/jni/netguard/tcp.c

@@ -621,7 +621,7 @@ void check_tcp_socket(const struct arguments *args,
 jboolean handle_tcp(const struct arguments *args,
                     const uint8_t *pkt, size_t length,
                     const uint8_t *payload,
-                    int uid, struct allowed *redirect,
+                    int uid, int allowed, struct allowed *redirect,
                     const int epoll_fd) {
     // Get headers
     const uint8_t version = (*pkt) >> 4;
@@ -793,6 +793,11 @@ jboolean handle_tcp(const struct arguments *args,
 
             s->next = ng_session;
             ng_session = s;
+
+            if (!allowed) {
+                log_android(ANDROID_LOG_WARN, "%s resetting blocked session", packet);
+                write_rst(args, &s->tcp);
+            }
         }
         else {
             log_android(ANDROID_LOG_WARN, "%s unknown session", packet);
@@ -1177,7 +1182,12 @@ int write_fin_ack(const struct arguments *args, struct tcp_session *cur) {
 }
 
 void write_rst(const struct arguments *args, struct tcp_session *cur) {
-    write_tcp(args, cur, NULL, 0, 0, 0, 0, 1);
+    int ack = 0;
+    if (cur->state == TCP_LISTEN) {
+        ack = 1;
+        cur->remote_seq++; // SYN
+    }
+    write_tcp(args, cur, NULL, 0, 0, ack, 0, 1);
     if (cur->state != TCP_CLOSE)
         cur->state = TCP_CLOSING;
 }