flush conntrack at start

evilsocket · Feb 28, 2021 · 616681e · 616681e
1 parent 0b978c0
commit 616681e
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/daemon/firewall/rules.go b/daemon/firewall/rules.go
@@ -10,6 +10,7 @@ import (
 	"github.com/evilsocket/opensnitch/daemon/core"
 	"github.com/evilsocket/opensnitch/daemon/log"
 	"github.com/fsnotify/fsnotify"
+	"github.com/vishvananda/netlink"
 )
 
 // Action is the modifier we apply to a rule.
@@ -90,8 +91,8 @@ func QueueDNSResponses(enable bool, logError bool, qNum int) (err4, err6 error)
 // QueueConnections inserts the firewall rule which redirects connections to us.
 // They are queued until the user denies/accept them, or reaches a timeout.
 // OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass
-func QueueConnections(enable bool, logError bool, qNum int) (err4, err6 error) {
-	return RunRule(INSERT, enable, logError, []string{
+func QueueConnections(enable bool, logError bool, qNum int) (error, error) {
+	err4, err6 := RunRule(INSERT, enable, logError, []string{
 		"OUTPUT",
 		"-t", "mangle",
 		"-m", "conntrack",
@@ -100,6 +101,12 @@ func QueueConnections(enable bool, logError bool, qNum int) (err4, err6 error) {
 		"--queue-num", fmt.Sprintf("%d", qNum),
 		"--queue-bypass",
 	})
+	// flush conntrack as soon as netfilter rule is set. This ensures that already-established
+	// connections will go to netfilter queue.
+	if err := netlink.ConntrackTableFlush(netlink.ConntrackTable); err != nil {
+		log.Error("error in ConntrackTableFlush %s", err)
+	}
+	return err4, err6
 }
 
 // CreateSystemRule create the custom firewall chains and adds them to system.