Make packet generation more conformant to networks

NHAS · Oct 31, 2024 · 5715a54 · 5715a54
1 parent 1bfb08e
commit 5715a54
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 19 deletions.
diff --git a/internal/router/debug.go b/internal/router/debug.go
@@ -3,6 +3,7 @@ package router
 import (
 	"encoding/binary"
 	"fmt"
+	"log"
 	"net"
 
 	"github.com/NHAS/wag/internal/routetypes"
@@ -37,29 +38,35 @@ func createPacket(src, dst net.IP, proto, port int) []byte {
 		Protocol: proto,
 	}
 
+	if proto == routetypes.ANY {
+		iphdr.Protocol = routetypes.TCP
+	}
+
 	pkt := pkthdr{
 		src: 3884,
 		dst: uint16(port),
 	}
 
-	content := []byte{}
+	var content []byte
 	switch proto {
 	case routetypes.UDP:
 		content = pkt.Udp()
 	case routetypes.TCP:
 		content = pkt.Tcp()
-
 	case routetypes.ICMP:
 		content = pkt.Icmp()
-
 	default:
 		content = pkt.Any()
 	}
 
 	iphdr.TotalLen = ipv4.HeaderLen + len(content)
 
-	hdrbytes, _ := iphdr.Marshal()
+	hdrbytes, err := iphdr.Marshal()
+	if err != nil {
+		log.Fatal(err)
+	}
 	hdrbytes = append(hdrbytes, content...)
+
 	return hdrbytes
 }
 
@@ -123,9 +130,7 @@ func (p *pkthdr) UnpackAny(b []byte) {
 }
 
 func (p *pkthdr) Any() []byte {
-	r := make([]byte, 9) // 1 byte over as we need to fake some data
-
-	//icmp isnt parsed, other than proto and length
+	r := make([]byte, 21) // 1 byte over as we need to fake some data
 
 	binary.BigEndian.PutUint16(r, p.src)
 	binary.BigEndian.PutUint16(r[2:], p.dst)

diff --git a/internal/router/firewall.go b/internal/router/firewall.go
@@ -147,7 +147,6 @@ func (f *Firewall) Evaluate(src, dst netip.AddrPort, proto uint16) bool {
 		policies, ok = f.addressToPolicies[dst.Addr()]
 		if !ok || policies == nil {
 			f.RUnlock()
-			log.Println("src/dst not device")
 			return false
 		}
 
@@ -158,8 +157,6 @@ func (f *Firewall) Evaluate(src, dst netip.AddrPort, proto uint16) bool {
 	policy := policies.tableLookup(targetAddr.Addr())
 	if policy == nil {
 		f.RUnlock()
-		log.Println("no policy table")
-
 		return false
 	}
 
@@ -178,8 +175,6 @@ func (f *Firewall) Evaluate(src, dst netip.AddrPort, proto uint16) bool {
 	action := false
 	for _, decision := range *policy {
 
-		log.Println(src, "->", dst, decision, "dproto: ", decision.Proto, "proto:", proto, "eval: ", (decision.Proto == routetypes.ANY || decision.Proto == proto), (decision.Is(routetypes.SINGLE) && (decision.LowerPort == routetypes.ANY || decision.LowerPort == targetAddr.Port())), (decision.Is(routetypes.RANGE) && (decision.LowerPort <= targetAddr.Port() && decision.UpperPort >= targetAddr.Port())))
-
 		//      ANY = 0
 		//      If we match the protocol,
 		//      If type is SINGLE and the port is either any, or equal
@@ -190,17 +185,12 @@ func (f *Firewall) Evaluate(src, dst netip.AddrPort, proto uint16) bool {
 				(decision.Is(routetypes.RANGE) && (decision.LowerPort <= targetAddr.Port() && decision.UpperPort >= targetAddr.Port()))) {
 
 			if decision.Is(routetypes.DENY) {
-				log.Println("deny")
-
 				return false
 			} else if decision.Is(routetypes.PUBLIC) {
-
 				action = true
 			} else {
 				action = authorized
 				if !action {
-					log.Println("mfa deny and unauthorized")
-
 					return false
 				}
 			}

diff --git a/internal/router/firewall_test.go b/internal/router/firewall_test.go
@@ -851,7 +851,9 @@ func TestPortRestrictions(t *testing.T) {
 
 		packet := packets[i]
 
-		if testFw.Test(packet) != expectedResults[i] {
+		decision := testFw.Test(packet)
+
+		if decision != expectedResults[i] {
 
 			var iphdr ipv4.Header
 			err := iphdr.Parse(packet)
@@ -880,7 +882,7 @@ func TestPortRestrictions(t *testing.T) {
 
 			//m, _ := testFw.GetRules()
 			//t.Logf("%+v", m)
-			t.Fatalf("%s program did not %t packet instead did: %t", info, expectedResults[i], testFw.Test(packet))
+			t.Fatalf("%s program did not %t packet instead did: %t", info, expectedResults[i], decision)
 		}
 	}