Reset blocked TLS connections
parent
78a0feb5a6
commit
c54e00a3a5
@ -293,13 +293,14 @@ void handle_ip(const struct arguments *args,
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get server name
|
// Get server name
|
||||||
|
char server_name[TLS_SNI_LENGTH + 1];
|
||||||
|
*server_name = 0;
|
||||||
if (protocol == IPPROTO_TCP) {
|
if (protocol == IPPROTO_TCP) {
|
||||||
const struct tcphdr *tcphdr = (struct tcphdr *) payload;
|
const struct tcphdr *tcphdr = (struct tcphdr *) payload;
|
||||||
const uint8_t tcpoptlen = (uint8_t) ((tcphdr->doff - 5) * 4);
|
const uint8_t tcpoptlen = (uint8_t) ((tcphdr->doff - 5) * 4);
|
||||||
const uint8_t *data = payload + sizeof(struct tcphdr) + tcpoptlen;
|
const uint8_t *data = payload + sizeof(struct tcphdr) + tcpoptlen;
|
||||||
const uint16_t datalen = (const uint16_t) (length - (data - pkt));
|
const uint16_t datalen = (const uint16_t) (length - (data - pkt));
|
||||||
|
|
||||||
char server_name[TLS_SNI_LENGTH + 1];
|
|
||||||
if (get_sni(data, datalen, server_name)) {
|
if (get_sni(data, datalen, server_name)) {
|
||||||
log_android(ANDROID_LOG_INFO, "TLS server name: %s", server_name);
|
log_android(ANDROID_LOG_INFO, "TLS server name: %s", server_name);
|
||||||
dns_resolved(args, server_name, server_name, dest, -1);
|
dns_resolved(args, server_name, server_name, dest, -1);
|
||||||
|
@ -307,15 +308,15 @@ void handle_ip(const struct arguments *args,
|
||||||
}
|
}
|
||||||
|
|
||||||
log_android(ANDROID_LOG_DEBUG,
|
log_android(ANDROID_LOG_DEBUG,
|
||||||
"Packet v%d %s/%u > %s/%u proto %d flags %s uid %d",
|
"Packet v%d %s/%u > %s/%u proto %d flags %s uid %d sni %s",
|
||||||
version, source, sport, dest, dport, protocol, flags, uid);
|
version, source, sport, dest, dport, protocol, flags, uid, server_name);
|
||||||
|
|
||||||
// Check if allowed
|
// Check if allowed
|
||||||
int allowed = 0;
|
int allowed = 0;
|
||||||
struct allowed *redirect = NULL;
|
struct allowed *redirect = NULL;
|
||||||
if (protocol == IPPROTO_UDP && has_udp_session(args, pkt, payload))
|
if (protocol == IPPROTO_UDP && has_udp_session(args, pkt, payload))
|
||||||
allowed = 1; // could be a lingering/blocked session
|
allowed = 1; // could be a lingering/blocked session
|
||||||
else if (protocol == IPPROTO_TCP && (!syn || (uid == 0 && dport == 53)))
|
else if (protocol == IPPROTO_TCP && (!syn || (uid == 0 && dport == 53)) && *server_name == 0)
|
||||||
allowed = 1; // assume existing session
|
allowed = 1; // assume existing session
|
||||||
else {
|
else {
|
||||||
jobject objPacket = create_packet(
|
jobject objPacket = create_packet(
|
||||||
|
@ -337,6 +338,8 @@ void handle_ip(const struct arguments *args,
|
||||||
} else {
|
} else {
|
||||||
if (protocol == IPPROTO_UDP)
|
if (protocol == IPPROTO_UDP)
|
||||||
block_udp(args, pkt, length, payload, uid);
|
block_udp(args, pkt, length, payload, uid);
|
||||||
|
else if (protocol == IPPROTO_TCP && *server_name != 0 && !allowed)
|
||||||
|
handle_tcp(args, pkt, length, payload, uid, allowed, redirect, epoll_fd); // RST
|
||||||
|
|
||||||
log_android(ANDROID_LOG_WARN, "Address v%d p%d %s/%u syn %d not allowed",
|
log_android(ANDROID_LOG_WARN, "Address v%d p%d %s/%u syn %d not allowed",
|
||||||
version, protocol, dest, dport, syn);
|
version, protocol, dest, dport, syn);
|
||||||
|
|
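Review bot: The new `&& *server_name == 0` term on the "assume existing session" line in the second hunk and the new `else if (protocol == IPPROTO_TCP && *server_name != 0 && !allowed)` RST branch in the third hunk depend on each other, but neither says so; a reader of the second hunk cannot tell why an existing TCP session is suddenly re-evaluated, so a comment there would help: `// a segment carrying a TLS client hello is re-checked against the filter by SNI; a blocked name is answered with a RST below`. The `!allowed` test in the third hunk looks redundant if that `} else {` belongs to an `if (allowed ...)` whose head is outside the hunk; if so, drop it or document why it is kept. The `*server_name = 0;` added in the first hunk covers the non-TCP path, but the `%s sni %s` log line and `dns_resolved()` call rely on `get_sni()` NUL-terminating `server_name` on success, which this page does not show — worth confirming at the definition, since the name is attacker-supplied packet data. handle_ip() begins before the first hunk and continues after the last.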