Reset blocked TLS connections
This commit is contained in:
parent
78a0feb5a6
commit
c54e00a3a5
@ -293,13 +293,14 @@ void handle_ip(const struct arguments *args,
|
|||
}
|
||||
|
||||
// Get server name
|
||||
char server_name[TLS_SNI_LENGTH + 1];
|
||||
*server_name = 0;
|
||||
if (protocol == IPPROTO_TCP) {
|
||||
const struct tcphdr *tcphdr = (struct tcphdr *) payload;
|
||||
const uint8_t tcpoptlen = (uint8_t) ((tcphdr->doff - 5) * 4);
|
||||
const uint8_t *data = payload + sizeof(struct tcphdr) + tcpoptlen;
|
||||
const uint16_t datalen = (const uint16_t) (length - (data - pkt));
|
||||
|
||||
char server_name[TLS_SNI_LENGTH + 1];
|
||||
if (get_sni(data, datalen, server_name)) {
|
||||
log_android(ANDROID_LOG_INFO, "TLS server name: %s", server_name);
|
||||
dns_resolved(args, server_name, server_name, dest, -1);
|
||||
|
@ -307,15 +308,15 @@ void handle_ip(const struct arguments *args,
|
|||
}
|
||||
|
||||
log_android(ANDROID_LOG_DEBUG,
|
||||
"Packet v%d %s/%u > %s/%u proto %d flags %s uid %d",
|
||||
version, source, sport, dest, dport, protocol, flags, uid);
|
||||
"Packet v%d %s/%u > %s/%u proto %d flags %s uid %d sni %s",
|
||||
version, source, sport, dest, dport, protocol, flags, uid, server_name);
|
||||
|
||||
// Check if allowed
|
||||
int allowed = 0;
|
||||
struct allowed *redirect = NULL;
|
||||
if (protocol == IPPROTO_UDP && has_udp_session(args, pkt, payload))
|
||||
allowed = 1; // could be a lingering/blocked session
|
||||
else if (protocol == IPPROTO_TCP && (!syn || (uid == 0 && dport == 53)))
|
||||
else if (protocol == IPPROTO_TCP && (!syn || (uid == 0 && dport == 53)) && *server_name == 0)
|
||||
allowed = 1; // assume existing session
|
||||
else {
|
||||
jobject objPacket = create_packet(
|
||||
|
@ -337,6 +338,8 @@ void handle_ip(const struct arguments *args,
|
|||
} else {
|
||||
if (protocol == IPPROTO_UDP)
|
||||
block_udp(args, pkt, length, payload, uid);
|
||||
else if (protocol == IPPROTO_TCP && *server_name != 0 && !allowed)
|
||||
handle_tcp(args, pkt, length, payload, uid, allowed, redirect, epoll_fd); // RST
|
||||
|
||||
log_android(ANDROID_LOG_WARN, "Address v%d p%d %s/%u syn %d not allowed",
|
||||
version, protocol, dest, dport, syn);
|
||||
|
|
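Review bot: The new `else if` in the third hunk tests `!allowed` inside a branch that, judging by the "not allowed" log two lines below it, is only reached when `allowed` is already 0, so that term is redundant and the reset decision really rests on `*server_name != 0` alone. If the intent is that handle_tcp answers with an RST whenever it is called with allowed == 0, state that where the decision is made rather than in a two-word trailing comment, e.g. `// blocked TLS client hello: let handle_tcp answer with RST instead of dropping silently`. The same empty-string sentinel initialised by `*server_name = 0;` in the first hunk is what exempts a packet from the "assume existing session" shortcut in the second hunk, so it is worth confirming that get_sni never writes into server_name when it returns 0; otherwise a partially parsed hello would be treated as a complete SNI match. handle_ip starts and ends outside the shown hunks.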