authorLinus Färnstrand <linus@mullvad.net>2019-12-10 10:17:45 +0100
committerLinus Färnstrand <linus@mullvad.net>2019-12-10 10:17:45 +0100
commit1d30b36e9d798613cd1b308d9e3e86d2853dc3ca (patch)
treef6ddbe501581c9687d307b2d98fcfd69f693dd06
parent6d984ed2ab9f06e825de8c498d5a35dd3f5d8425 (diff)
parent7f88ac3b09ce78a5cff792d5a2390becc0c2c42c (diff)
Merge branch 'limit-dhcp-to-udp-macos'
-rw-r--r--CHANGELOG.md4
-rw-r--r--talpid-core/src/firewall/macos.rs2
2 files changed, 6 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 120811e626..d8bde10194 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,10 @@ Line wrap the file at 100 chars. Th
- Stop [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122) by dropping all packets destined
for the tunnel IP coming in on some other interface than the tunnel.
+#### macOS
+- Limit macOS firewall rules to only allow UDP packets in the rules meant to enable being a DHCPv4
+ *server* when local network sharing is enabled.
+
## [2019.10-beta2] - 2019-12-05
### Added
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 3d93e754e4..acf9b68cc6 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -281,6 +281,7 @@ impl Firewall {
.quick(true)
.direction(pfctl::Direction::Out)
.af(pfctl::AddrFamily::Ipv4)
+ .proto(pfctl::Proto::Udp)
.from(pfctl::Port::from(super::DHCPV4_SERVER_PORT))
.to(pfctl::Port::from(super::DHCPV4_CLIENT_PORT))
.build()?;
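Review bot: The outbound pass rule is still scoped by ports only — `.from(Port)` / `.to(Port)` with no address or interface constraint — so after this change any UDP datagram sourced from port 67 to port 68 at any destination is passed `quick`, ahead of the block rules, on every interface. Binding port 67 on macOS appears to need root, which limits who can abuse this, but that assumption is not recorded anywhere in the rule; consider adding `// Only UDP from the DHCPv4 server port; ports < 1024 require root, so this cannot be reached by an unprivileged local process` above the builder, or tightening `.to(...)` to the broadcast/LAN endpoints the sharing feature actually serves, as the inbound rule already does with `Ipv4Addr::BROADCAST`. The enclosing function begins before this hunk, so the rule's final `.build()` context and any surrounding comment are not visible here.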
@@ -288,6 +289,7 @@ impl Firewall {
.create_rule_builder(FilterRuleAction::Pass)
.quick(true)
.direction(pfctl::Direction::In)
+ .proto(pfctl::Proto::Udp)
.from(pfctl::Port::from(super::DHCPV4_CLIENT_PORT))
.to(pfctl::Endpoint::new(
Ipv4Addr::BROADCAST,
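Review bot: The inbound rule does not set `.af(pfctl::AddrFamily::Ipv4)` in the visible lines, whereas the sibling outbound rule at the previous hunk does; if the builder does not infer the family from the `Ipv4Addr::BROADCAST` endpoint or set it further down the chain (outside this hunk), add `.af(pfctl::AddrFamily::Ipv4)` next to the new `.proto(pfctl::Proto::Udp)` so the two DHCPv4 rules are constrained identically. A one-line comment tying the pair together would also help the next reader: `// DHCPv4 server <-> client exchange (UDP 67/68) when local network sharing is on`. The rule's `.to(...)` call and `.build()` continue past the end of this hunk.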