added Reject to the list of DefaultActions(s)

We only offered two options for the DefaultAction option: allow/deny. Since a long time ago we support "reject"ing connections, but it was not configurable as the DefaultAction. (cherry picked from commit f5f30b1)
evilsocket · Jun 12, 2024 · 91190c8 · 91190c8
1 parent 8895d6f
commit 91190c8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/daemon/main.go b/daemon/main.go
@@ -344,7 +344,7 @@ func onPacket(packet netfilter.Packet) {
 	// Parse the connection state
 	con := conman.Parse(packet, uiClient.InterceptUnknown())
 	if con == nil {
-		applyDefaultAction(&packet)
+		applyDefaultAction(&packet, nil)
 		return
 	}
 	// accept our own connections
@@ -364,12 +364,15 @@ func onPacket(packet netfilter.Packet) {
 	stats.OnConnectionEvent(con, r, r == nil)
 }
 
-func applyDefaultAction(packet *netfilter.Packet) {
+func applyDefaultAction(packet *netfilter.Packet, con *conman.Connection) {
 	if uiClient.DefaultAction() == rule.Allow {
 		packet.SetVerdictAndMark(netfilter.NF_ACCEPT, packet.Mark)
-	} else {
-		packet.SetVerdict(netfilter.NF_DROP)
+		return
+	}
+	if uiClient.DefaultAction() == rule.Reject && con != nil {
+		netlink.KillSocket(con.Protocol, con.SrcIP, con.SrcPort, con.DstIP, con.DstPort)
 	}
+	packet.SetVerdict(netfilter.NF_DROP)
 }
 
 func acceptOrDeny(packet *netfilter.Packet, con *conman.Connection) *rule.Rule {
@@ -382,7 +385,7 @@ func acceptOrDeny(packet *netfilter.Packet, con *conman.Connection) *rule.Rule {
 		// send a request to the UI client if
 		// 1) connected and running and 2) we are not already asking
 		if uiClient.Connected() == false || uiClient.GetIsAsking() == true {
-			applyDefaultAction(packet)
+			applyDefaultAction(packet, con)
 			log.Debug("UI is not running or busy, connected: %v, running: %v", uiClient.Connected(), uiClient.GetIsAsking())
 			return nil
 		}
@@ -424,7 +427,7 @@ func acceptOrDeny(packet *netfilter.Packet, con *conman.Connection) *rule.Rule {
 		r = uiClient.Ask(con)
 		if r == nil {
 			log.Error("Invalid rule received, applying default action")
-			applyDefaultAction(packet)
+			applyDefaultAction(packet, con)
 			return nil
 		}
 		ok := false
@@ -466,7 +469,7 @@ func acceptOrDeny(packet *netfilter.Packet, con *conman.Connection) *rule.Rule {
 	}
 
 	if r.Enabled == false {
-		applyDefaultAction(packet)
+		applyDefaultAction(packet, con)
 		ruleName := log.Green(r.Name)
 		log.Info("DISABLED (%s) %s %s -> %s:%d (%s)", uiClient.DefaultAction(), log.Bold(log.Green("✔")), log.Bold(con.Process.Path), log.Bold(con.To()), con.DstPort, ruleName)
 

diff --git a/ui/opensnitch/res/preferences.ui b/ui/opensnitch/res/preferences.ui
@@ -1482,6 +1482,14 @@ Temporary rules will still be valid, and you can use them when prompted to allow
                 <normaloff>../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.designer/backup</normaloff>../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.designer/backup</iconset>
               </property>
              </item>
+             <item>
+              <property name="text">
+               <string>reject</string>
+              </property>
+              <property name="icon">
+               <iconset theme="window-close"/>
+              </property>
+             </item>
             </widget>
            </item>
            <item row="4" column="1">