From c54e00a3a5fc67a167880a7331f796331f5bfa21 Mon Sep 17 00:00:00 2001
From: M66B
Date: Mon, 28 Aug 2023 12:29:59 +0200
Subject: [PATCH] Reset blocked TLS connections
---
 app/src/main/jni/netguard/ip.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/app/src/main/jni/netguard/ip.c b/app/src/main/jni/netguard/ip.c
index c319721f..aafaf11b 100644
--- a/app/src/main/jni/netguard/ip.c
+++ b/app/src/main/jni/netguard/ip.c
@@ -293,13 +293,14 @@ void handle_ip(const struct arguments *args,
 }
 // Get server name
+ char server_name[TLS_SNI_LENGTH + 1];
+ *server_name = 0;
 if (protocol == IPPROTO_TCP) {
 const struct tcphdr *tcphdr = (struct tcphdr *) payload;
 const uint8_t tcpoptlen = (uint8_t) ((tcphdr->doff - 5) * 4);
 const uint8_t *data = payload + sizeof(struct tcphdr) + tcpoptlen;
 const uint16_t datalen = (const uint16_t) (length - (data - pkt));
- char server_name[TLS_SNI_LENGTH + 1];
 if (get_sni(data, datalen, server_name)) {
 log_android(ANDROID_LOG_INFO, "TLS server name: %s", server_name);
 dns_resolved(args, server_name, server_name, dest, -1);
@@ -307,15 +308,15 @@ void handle_ip(const struct arguments *args,
 }
 log_android(ANDROID_LOG_DEBUG,
- "Packet v%d %s/%u > %s/%u proto %d flags %s uid %d",
- version, source, sport, dest, dport, protocol, flags, uid);
+ "Packet v%d %s/%u > %s/%u proto %d flags %s uid %d sni %s",
+ version, source, sport, dest, dport, protocol, flags, uid, server_name);
 // Check if allowed
 int allowed = 0;
 struct allowed *redirect = NULL;
 if (protocol == IPPROTO_UDP && has_udp_session(args, pkt, payload))
 allowed = 1; // could be a lingering/blocked session
- else if (protocol == IPPROTO_TCP && (!syn || (uid == 0 && dport == 53)))
+ else if (protocol == IPPROTO_TCP && (!syn || (uid == 0 && dport == 53)) && *server_name == 0)
 allowed = 1; // assume existing session
 else {
 jobject objPacket = create_packet(
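Review bot: The later decisions in handle_ip (the `*server_name == 0` test in the next hunk and `*server_name != 0` in the hunk at line 338) now read a non-empty server_name as "this segment carried a ClientHello with an SNI", but `*server_name = 0;` only clears the first byte, so the scheme depends on get_sni never writing a partial name when it returns 0 and always NUL-terminating within TLS_SNI_LENGTH + 1 when it returns non-zero; get_sni is not in this patch, so that contract is inferred rather than visible. A comment at the new declaration would pin it down for the next reader: `// Empty unless get_sni() succeeds; get_sni() must not write to it on failure`. If get_sni can leave a truncated or unterminated name behind, the `%s` in the DEBUG log below would also read past the buffer. handle_ip's body continues outside the hunk.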
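Review bot: The added `&& *server_name == 0` term makes the "assume existing session" shortcut depend on the SNI parse of one TCP segment, so a connection whose ClientHello is spread over several segments, or one that carries no SNI at all, still yields an empty server_name and takes the `allowed = 1` path; the new check is a best-effort match rather than a guarantee, and that is worth stating beside the condition, e.g. `// SNI-based blocking only sees a ClientHello carried in a single segment`. Separately, server_name holds bytes copied from the packet, and printing it with `%s` at DEBUG assumes get_sni limited it to printable hostname characters — hedged, since get_sni is not visible here. handle_ip continues outside the hunk.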
@@ -337,6 +338,8 @@ void handle_ip(const struct arguments *args,
 } else {
 if (protocol == IPPROTO_UDP)
 block_udp(args, pkt, length, payload, uid);
+ else if (protocol == IPPROTO_TCP && *server_name != 0 && !allowed)
+ handle_tcp(args, pkt, length, payload, uid, allowed, redirect, epoll_fd); // RST
 log_android(ANDROID_LOG_WARN, "Address v%d p%d %s/%u syn %d not allowed",
 version, protocol, dest, dport, syn);
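Review bot: The `!allowed` term in the added `else if` appears redundant if, as the `} else {` on the hunk's first line suggests, this block is the else-branch of an `if (allowed)` test just above the hunk — that test is outside the hunk, so this is inferred. The trailing `// RST` is the only statement of intent; since handle_tcp is now invoked with allowed == 0 on the blocked path, say what it is expected to do there, e.g. `// Existing session with a blocked SNI: let handle_tcp reset it instead of forwarding`. It would also be worth confirming (handle_tcp is not in the patch) that a packet with no matching session and allowed == 0 does not create one here, given that the WARN log right after still reports the packet as not allowed.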