summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorDavid Lönnhager <david.l@mullvad.net>2024-10-04 09:57:36 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-10-04 09:57:36 +0200
commit20da5d4d090b2790165ee9e5438bb94788d45d2a (patch)
treef255601ceea2d558bf51d77f743e30b38a808b40
parentb6bb6b5ba7a1c6172b2f7cf5a98841a19c5cd092 (diff)
parent8b83ed21cbe0b320ad5141f4b751f72b077871a9 (diff)
downloadmullvadvpn-20da5d4d090b2790165ee9e5438bb94788d45d2a.tar.xz
mullvadvpn-20da5d4d090b2790165ee9e5438bb94788d45d2a.zip
Merge branch 'macos-add-stray-nat'
Diffstat
-rw-r--r--CHANGELOG.md4
-rw-r--r--Cargo.lock4
-rw-r--r--gui/locales/messages.pot20
-rw-r--r--gui/src/main/daemon-rpc.ts4
-rw-r--r--gui/src/main/default-settings.ts1
-rw-r--r--gui/src/main/index.ts3
-rw-r--r--gui/src/main/platform-version.ts15
-rw-r--r--gui/src/main/settings.ts6
-rw-r--r--gui/src/renderer/app.tsx4
-rw-r--r--gui/src/renderer/components/Settings.tsx68
-rw-r--r--gui/src/renderer/redux/settings/actions.ts14
-rw-r--r--gui/src/renderer/redux/settings/reducers.ts8
-rw-r--r--gui/src/renderer/redux/userinterface/actions.ts16
-rw-r--r--gui/src/renderer/redux/userinterface/reducers.ts8
-rw-r--r--gui/src/shared/daemon-rpc-types.ts1
-rw-r--r--gui/src/shared/ipc-schema.ts2
-rw-r--r--gui/test/e2e/setup/main.ts1
-rw-r--r--mullvad-daemon/src/lib.rs46
-rw-r--r--mullvad-daemon/src/management_interface.rs20
-rw-r--r--mullvad-management-interface/proto/management_interface.proto4
-rw-r--r--mullvad-management-interface/src/types/conversions/settings.rs7
-rw-r--r--mullvad-types/src/settings/mod.rs5
-rw-r--r--talpid-core/Cargo.toml2
-rw-r--r--talpid-core/src/firewall/macos.rs175
-rw-r--r--talpid-core/src/firewall/mod.rs21
-rw-r--r--talpid-core/src/tunnel_state_machine/connected_state.rs21
-rw-r--r--talpid-core/src/tunnel_state_machine/connecting_state.rs13
-rw-r--r--talpid-core/src/tunnel_state_machine/disconnected_state.rs10
-rw-r--r--talpid-core/src/tunnel_state_machine/disconnecting_state.rs18
-rw-r--r--talpid-core/src/tunnel_state_machine/error_state.rs14
-rw-r--r--talpid-core/src/tunnel_state_machine/mod.rs21
31 files changed, 126 insertions, 430 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1234d9fc12..d548a36ba6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,8 +41,8 @@ Line wrap the file at 100 chars. Th
### Fixed
#### macOS
-- Fix Apple leak toggle not working. The issue was that DNS queries to the tunnel resolver were
- being sent on the physical interface.
+- Fix Apple services not working by forcing stray connections out through the VPN tunnel. The
+ "bypass" toggle has been removed.
## [2024.6-beta1] - 2024-09-26
diff --git a/Cargo.lock b/Cargo.lock
index c34a60d2fb..79cdfc518f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3015,9 +3015,9 @@ dependencies = [
[[package]]
name = "pfctl"
-version = "0.6.0"
+version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10824597de43012ff83ed8b044fd3aeeb3b93107e80303a86649c86742e27c5a"
+checksum = "a44e65c0d3523afa79a600a3964c3ac0fabdabe2d7c68da624b2bb0b441b9d61"
dependencies = [
"derive_builder",
"ioctl-sys 0.8.0",
diff --git a/gui/locales/messages.pot b/gui/locales/messages.pot
index 72e70ee4f1..e9ef237a3a 100644
--- a/gui/locales/messages.pot
+++ b/gui/locales/messages.pot
@@ -1527,34 +1527,14 @@ msgid "App version"
msgstr ""
msgctxt "settings-view"
-msgid "Apple services bypass"
-msgstr ""
-
-msgctxt "settings-view"
-msgid "Attention: this traffic will go outside of the VPN tunnel. Any application that tries to can bypass the VPN tunnel and send traffic to these Apple networks."
-msgstr ""
-
-msgctxt "settings-view"
-msgid "Enabling this setting allows traffic to specific Apple-owned networks to go outside of the VPN tunnel, allowing services like iMessage and FaceTime to work whilst using Mullvad."
-msgstr ""
-
-msgctxt "settings-view"
msgid "Multihop"
msgstr ""
msgctxt "settings-view"
-msgid "Some Apple services have an issue where the network settings set by Mullvad get ignored, this in turn blocks certain apps."
-msgstr ""
-
-msgctxt "settings-view"
msgid "Support"
msgstr ""
msgctxt "settings-view"
-msgid "This a temporary fix and we are currently working on a long-term solution."
-msgstr ""
-
-msgctxt "settings-view"
msgid "Update available. Install the latest app version to stay up to date."
msgstr ""
diff --git a/gui/src/main/daemon-rpc.ts b/gui/src/main/daemon-rpc.ts
index 76b7dcb3f6..c504efe2b9 100644
--- a/gui/src/main/daemon-rpc.ts
+++ b/gui/src/main/daemon-rpc.ts
@@ -421,10 +421,6 @@ export class DaemonRpc extends GrpcClient {
await this.call<grpcTypes.DnsOptions, Empty>(this.client.setDnsOptions, dnsOptions);
}
- public async setAppleServicesBypass(enabled: boolean): Promise<void> {
- await this.callBool<Empty>(this.client.setAppleServicesBypass, enabled);
- }
-
public async getVersionInfo(): Promise<IAppVersionInfo> {
const response = await this.callEmpty<grpcTypes.AppVersionInfo>(this.client.getVersionInfo);
return response.toObject();
diff --git a/gui/src/main/default-settings.ts b/gui/src/main/default-settings.ts
index 62f60cf65b..e11a7434e1 100644
--- a/gui/src/main/default-settings.ts
+++ b/gui/src/main/default-settings.ts
@@ -81,7 +81,6 @@ export function getDefaultSettings(): ISettings {
customLists: [],
apiAccessMethods: getDefaultApiAccessMethods(),
relayOverrides: [],
- appleServicesBypass: false,
};
}
diff --git a/gui/src/main/index.ts b/gui/src/main/index.ts
index 3eb0117ffa..400fe39d2a 100644
--- a/gui/src/main/index.ts
+++ b/gui/src/main/index.ts
@@ -56,7 +56,7 @@ import NotificationController, {
NotificationControllerDelegate,
NotificationSender,
} from './notification-controller';
-import { isMacOs13OrNewer, isMacOs14p6OrNewer } from './platform-version';
+import { isMacOs13OrNewer } from './platform-version';
import * as problemReport from './problem-report';
import { resolveBin } from './proc';
import ReconnectionBackoff from './reconnection-backoff';
@@ -775,7 +775,6 @@ class ApplicationMain
navigationHistory: this.navigationHistory,
currentApiAccessMethod: this.currentApiAccessMethod,
isMacOs13OrNewer: isMacOs13OrNewer(),
- isMacOs14p6OrNewer: isMacOs14p6OrNewer(),
}));
IpcMainEventChannel.map.handleGetData(async () => ({
diff --git a/gui/src/main/platform-version.ts b/gui/src/main/platform-version.ts
index 9b483fed65..027434d8d9 100644
--- a/gui/src/main/platform-version.ts
+++ b/gui/src/main/platform-version.ts
@@ -1,31 +1,24 @@
import os from 'os';
-export function isMacOs11OrNewer(): boolean {
+export function isMacOs11OrNewer() {
const [major] = parseVersion();
return process.platform === 'darwin' && major >= 20;
}
-export function isMacOs13OrNewer(): boolean {
+export function isMacOs13OrNewer() {
const [major] = parseVersion();
return process.platform === 'darwin' && major >= 22;
}
-export function isMacOs14p6OrNewer(): boolean {
- const [major, minor] = parseVersion();
- const darwin24 = major >= 24;
- const darwin236 = major == 23 && minor >= 6; // 23.6 is used by macOS 14.6
- return process.platform === 'darwin' && (darwin236 || darwin24);
-}
-
// Windows 11 has the internal version 10.0.22000+.
-export function isWindows11OrNewer(): boolean {
+export function isWindows11OrNewer() {
const [major, minor, patch] = parseVersion();
return (
process.platform === 'win32' && (major > 10 || (major === 10 && (minor > 0 || patch >= 22000)))
);
}
-function parseVersion(): number[] {
+function parseVersion() {
return os
.release()
.split('.')
diff --git a/gui/src/main/settings.ts b/gui/src/main/settings.ts
index d53219ec6d..03537ba581 100644
--- a/gui/src/main/settings.ts
+++ b/gui/src/main/settings.ts
@@ -72,9 +72,6 @@ export default class Settings implements Readonly<ISettings> {
IpcMainEventChannel.settings.handleSetDnsOptions((dns) => {
return this.daemonRpc.setDnsOptions(dns);
});
- IpcMainEventChannel.settings.handleSetAppleServicesBypass((enabled) => {
- return this.daemonRpc.setAppleServicesBypass(enabled);
- });
IpcMainEventChannel.autoStart.handleSet((autoStart: boolean) => {
return this.setAutoStart(autoStart);
});
@@ -190,9 +187,6 @@ export default class Settings implements Readonly<ISettings> {
public get relayOverrides() {
return this.settingsValue.relayOverrides;
}
- public get appleServicesBypass() {
- return this.settingsValue.appleServicesBypass;
- }
public get gui() {
return this.guiSettings;
diff --git a/gui/src/renderer/app.tsx b/gui/src/renderer/app.tsx
index 09c84ea673..6c40b0e908 100644
--- a/gui/src/renderer/app.tsx
+++ b/gui/src/renderer/app.tsx
@@ -246,7 +246,6 @@ export default class AppRenderer {
this.setChangelog(initialState.changelog, initialState.forceShowChanges);
this.setCurrentApiAccessMethod(initialState.currentApiAccessMethod);
this.reduxActions.userInterface.setIsMacOs13OrNewer(initialState.isMacOs13OrNewer);
- this.reduxActions.userInterface.setIsMacOs14p6OrNewer(initialState.isMacOs14p6OrNewer);
if (initialState.macOsScrollbarVisibility !== undefined) {
this.reduxActions.userInterface.setMacOsScrollbarVisibility(
@@ -325,8 +324,6 @@ export default class AppRenderer {
IpcRendererEventChannel.settings.updateBridgeSettings(bridgeSettings);
public setDnsOptions = (dnsOptions: IDnsOptions) =>
IpcRendererEventChannel.settings.setDnsOptions(dnsOptions);
- public setAppleServicesBypass = (enabled: boolean) =>
- IpcRendererEventChannel.settings.setAppleServicesBypass(enabled);
public clearAccountHistory = () => IpcRendererEventChannel.accountHistory.clear();
public setAutoConnect = (value: boolean) =>
IpcRendererEventChannel.guiSettings.setAutoConnect(value);
@@ -832,7 +829,6 @@ export default class AppRenderer {
reduxSettings.updateWireguardDaita(newSettings.tunnelOptions.wireguard.daita);
reduxSettings.updateBridgeState(newSettings.bridgeState);
reduxSettings.updateDnsOptions(newSettings.tunnelOptions.dns);
- reduxSettings.updateAppleServicesBypass(newSettings.appleServicesBypass);
reduxSettings.updateSplitTunnelingState(newSettings.splitTunnel.enableExclusions);
reduxSettings.updateObfuscationSettings(newSettings.obfuscationSettings);
reduxSettings.updateCustomLists(newSettings.customLists);
diff --git a/gui/src/renderer/components/Settings.tsx b/gui/src/renderer/components/Settings.tsx
index d76ebb242e..0a691d340f 100644
--- a/gui/src/renderer/components/Settings.tsx
+++ b/gui/src/renderer/components/Settings.tsx
@@ -7,20 +7,10 @@ import { useAppContext } from '../context';
import { useHistory } from '../lib/history';
import { RoutePath } from '../lib/routes';
import { useSelector } from '../redux/store';
-import {
- AriaDescribed,
- AriaDescription,
- AriaDescriptionGroup,
- AriaDetails,
- AriaInput,
- AriaInputGroup,
- AriaLabel,
-} from './AriaGroup';
+import { AriaDescribed, AriaDescription, AriaDescriptionGroup } from './AriaGroup';
import * as Cell from './cell';
-import InfoButton from './InfoButton';
import { BackAction } from './KeyboardNavigation';
import { Layout, SettingsContainer } from './Layout';
-import { ModalMessage } from './Modal';
import { NavigationBar, NavigationContainer, NavigationItems, TitleBarItem } from './NavigationBar';
import SettingsHeader, { HeaderTitle } from './SettingsHeader';
import {
@@ -38,8 +28,6 @@ export default function Support() {
const connectedToDaemon = useSelector((state) => state.userInterface.connectedToDaemon);
const isMacOs13OrNewer = useSelector((state) => state.userInterface.isMacOs13OrNewer);
- const isMacOs14p6OrNewer = useSelector((state) => state.userInterface.isMacOs14p6OrNewer);
-
const showSubSettings = loginState.type === 'ok' && connectedToDaemon;
const showSplitTunneling = window.env.platform !== 'darwin' || isMacOs13OrNewer;
@@ -91,12 +79,6 @@ export default function Support() {
<ApiAccessMethodsButton />
</Cell.Group>
- {isMacOs14p6OrNewer ? (
- <Cell.Group>
- <AppleServicesBypass />
- </Cell.Group>
- ) : null}
-
<Cell.Group>
<SupportButton />
<AppVersionButton />
@@ -283,54 +265,6 @@ function SupportButton() {
);
}
-function AppleServicesBypass() {
- const { setAppleServicesBypass } = useAppContext();
- const appleServicesBypass = useSelector((state) => state.settings.appleServicesBypass);
-
- return (
- <AriaInputGroup>
- <Cell.Container>
- <AriaLabel>
- <Cell.InputLabel>
- {messages.pgettext('settings-view', 'Apple services bypass')}
- </Cell.InputLabel>
- </AriaLabel>
- <AriaDetails>
- <InfoButton>
- <ModalMessage>
- {messages.pgettext(
- 'settings-view',
- 'Some Apple services have an issue where the network settings set by Mullvad get ignored, this in turn blocks certain apps.',
- )}
- </ModalMessage>
- <ModalMessage>
- {messages.pgettext(
- 'settings-view',
- 'Enabling this setting allows traffic to specific Apple-owned networks to go outside of the VPN tunnel, allowing services like iMessage and FaceTime to work whilst using Mullvad.',
- )}
- </ModalMessage>
- <ModalMessage>
- {messages.pgettext(
- 'settings-view',
- 'Attention: this traffic will go outside of the VPN tunnel. Any application that tries to can bypass the VPN tunnel and send traffic to these Apple networks.',
- )}
- </ModalMessage>
- <ModalMessage>
- {messages.pgettext(
- 'settings-view',
- 'This a temporary fix and we are currently working on a long-term solution.',
- )}
- </ModalMessage>
- </InfoButton>
- </AriaDetails>
- <AriaInput>
- <Cell.Switch isOn={appleServicesBypass} onChange={setAppleServicesBypass} />
- </AriaInput>
- </Cell.Container>
- </AriaInputGroup>
- );
-}
-
function DebugButton() {
const history = useHistory();
const navigate = useCallback(() => history.push(RoutePath.debug), [history]);
diff --git a/gui/src/renderer/redux/settings/actions.ts b/gui/src/renderer/redux/settings/actions.ts
index 80ac3707c1..d2a3fb1c4a 100644
--- a/gui/src/renderer/redux/settings/actions.ts
+++ b/gui/src/renderer/redux/settings/actions.ts
@@ -93,11 +93,6 @@ export interface IUpdateDnsOptionsAction {
dns: IDnsOptions;
}
-export interface ISetAppleServicesBypass {
- type: 'SET_APPLE_SERVICES_BYPASS';
- enabled: boolean;
-}
-
export interface IUpdateSplitTunnelingStateAction {
type: 'UPDATE_SPLIT_TUNNELING_STATE';
enabled: boolean;
@@ -150,7 +145,6 @@ export type SettingsAction =
| IUpdateWireguardDaitaAction
| IUpdateAutoStartAction
| IUpdateDnsOptionsAction
- | ISetAppleServicesBypass
| IUpdateSplitTunnelingStateAction
| ISetSplitTunnelingApplicationsAction
| ISetObfuscationSettings
@@ -279,13 +273,6 @@ function updateDnsOptions(dns: IDnsOptions): IUpdateDnsOptionsAction {
};
}
-function updateAppleServicesBypass(enabled: boolean): ISetAppleServicesBypass {
- return {
- type: 'SET_APPLE_SERVICES_BYPASS',
- enabled,
- };
-}
-
function updateSplitTunnelingState(enabled: boolean): IUpdateSplitTunnelingStateAction {
return {
type: 'UPDATE_SPLIT_TUNNELING_STATE',
@@ -356,7 +343,6 @@ export default {
updateWireguardDaita,
updateAutoStart,
updateDnsOptions,
- updateAppleServicesBypass,
updateSplitTunnelingState,
setSplitTunnelingApplications,
updateObfuscationSettings,
diff --git a/gui/src/renderer/redux/settings/reducers.ts b/gui/src/renderer/redux/settings/reducers.ts
index 7f806c248c..6eb595467b 100644
--- a/gui/src/renderer/redux/settings/reducers.ts
+++ b/gui/src/renderer/redux/settings/reducers.ts
@@ -114,7 +114,6 @@ export interface ISettingsReduxState {
daita?: IDaitaSettings;
};
dns: IDnsOptions;
- appleServicesBypass: boolean;
splitTunneling: boolean;
splitTunnelingApplications: ISplitTunnelingApplication[];
obfuscationSettings: ObfuscationSettings;
@@ -182,7 +181,6 @@ const initialState: ISettingsReduxState = {
addresses: [],
},
},
- appleServicesBypass: false,
splitTunneling: false,
splitTunnelingApplications: [],
obfuscationSettings: {
@@ -312,12 +310,6 @@ export default function (
dns: action.dns,
};
- case 'SET_APPLE_SERVICES_BYPASS':
- return {
- ...state,
- appleServicesBypass: action.enabled,
- };
-
case 'UPDATE_SPLIT_TUNNELING_STATE':
return {
...state,
diff --git a/gui/src/renderer/redux/userinterface/actions.ts b/gui/src/renderer/redux/userinterface/actions.ts
index a5ee138464..238835318e 100644
--- a/gui/src/renderer/redux/userinterface/actions.ts
+++ b/gui/src/renderer/redux/userinterface/actions.ts
@@ -61,11 +61,6 @@ export interface ISetIsMacOs13OrNewer {
isMacOs13OrNewer: boolean;
}
-export interface ISetIsMacOs14p6OrNewer {
- type: 'SET_IS_MACOS14_6_OR_NEWER';
- isMacOs14p6OrNewer: boolean;
-}
-
export type UserInterfaceAction =
| IUpdateLocaleAction
| IUpdateWindowArrowPositionAction
@@ -78,8 +73,7 @@ export type UserInterfaceAction =
| ISetForceShowChanges
| ISetIsPerformingPostUpgrade
| ISetSelectLocationView
- | ISetIsMacOs13OrNewer
- | ISetIsMacOs14p6OrNewer;
+ | ISetIsMacOs13OrNewer;
function updateLocale(locale: string): IUpdateLocaleAction {
return {
@@ -166,13 +160,6 @@ function setIsMacOs13OrNewer(isMacOs13OrNewer: boolean): ISetIsMacOs13OrNewer {
};
}
-function setIsMacOs14p6OrNewer(isMacOs14p6OrNewer: boolean): ISetIsMacOs14p6OrNewer {
- return {
- type: 'SET_IS_MACOS14_6_OR_NEWER',
- isMacOs14p6OrNewer,
- };
-}
-
export default {
updateLocale,
updateWindowArrowPosition,
@@ -186,5 +173,4 @@ export default {
setIsPerformingPostUpgrade,
setSelectLocationView,
setIsMacOs13OrNewer,
- setIsMacOs14p6OrNewer,
};
diff --git a/gui/src/renderer/redux/userinterface/reducers.ts b/gui/src/renderer/redux/userinterface/reducers.ts
index b245522cec..89427e9b06 100644
--- a/gui/src/renderer/redux/userinterface/reducers.ts
+++ b/gui/src/renderer/redux/userinterface/reducers.ts
@@ -16,7 +16,6 @@ export interface IUserInterfaceReduxState {
isPerformingPostUpgrade: boolean;
selectLocationView: LocationType;
isMacOs13OrNewer: boolean;
- isMacOs14p6OrNewer: boolean;
}
const initialState: IUserInterfaceReduxState = {
@@ -31,7 +30,6 @@ const initialState: IUserInterfaceReduxState = {
isPerformingPostUpgrade: false,
selectLocationView: LocationType.exit,
isMacOs13OrNewer: true,
- isMacOs14p6OrNewer: true,
};
export default function (
@@ -90,12 +88,6 @@ export default function (
isMacOs13OrNewer: action.isMacOs13OrNewer,
};
- case 'SET_IS_MACOS14_6_OR_NEWER':
- return {
- ...state,
- isMacOs14p6OrNewer: action.isMacOs14p6OrNewer,
- };
-
default:
return state;
}
diff --git a/gui/src/shared/daemon-rpc-types.ts b/gui/src/shared/daemon-rpc-types.ts
index dcd12d8ccb..a22021a1d0 100644
--- a/gui/src/shared/daemon-rpc-types.ts
+++ b/gui/src/shared/daemon-rpc-types.ts
@@ -439,7 +439,6 @@ export interface ISettings {
customLists: CustomLists;
apiAccessMethods: ApiAccessMethodSettings;
relayOverrides: Array<RelayOverride>;
- appleServicesBypass: boolean;
}
export type BridgeState = 'auto' | 'on' | 'off';
diff --git a/gui/src/shared/ipc-schema.ts b/gui/src/shared/ipc-schema.ts
index ef3bb44c7b..b10c79623e 100644
--- a/gui/src/shared/ipc-schema.ts
+++ b/gui/src/shared/ipc-schema.ts
@@ -77,7 +77,6 @@ export interface IAppStateSnapshot {
navigationHistory?: IHistoryObject;
currentApiAccessMethod?: AccessMethodSetting;
isMacOs13OrNewer: boolean;
- isMacOs14p6OrNewer: boolean;
}
// The different types of requests are:
@@ -187,7 +186,6 @@ export const ipcSchema = {
setRelaySettings: invoke<RelaySettings, void>(),
updateBridgeSettings: invoke<BridgeSettings, void>(),
setDnsOptions: invoke<IDnsOptions, void>(),
- setAppleServicesBypass: invoke<boolean, void>(),
setObfuscationSettings: invoke<ObfuscationSettings, void>(),
addApiAccessMethod: invoke<NewAccessMethodSetting, string>(),
updateApiAccessMethod: invoke<AccessMethodSetting, void>(),
diff --git a/gui/test/e2e/setup/main.ts b/gui/test/e2e/setup/main.ts
index e344a53b90..d8f3ceee48 100644
--- a/gui/test/e2e/setup/main.ts
+++ b/gui/test/e2e/setup/main.ts
@@ -175,7 +175,6 @@ class ApplicationMain {
navigationHistory: undefined,
scrollPositions: {},
isMacOs13OrNewer: true,
- isMacOs14p6OrNewer: true,
}));
IpcMainEventChannel.guiSettings.handleSetPreferredLocale((locale) => {
diff --git a/mullvad-daemon/src/lib.rs b/mullvad-daemon/src/lib.rs
index 94df78682b..e833f1b82c 100644
--- a/mullvad-daemon/src/lib.rs
+++ b/mullvad-daemon/src/lib.rs
@@ -380,9 +380,6 @@ pub enum DaemonCommand {
ExportJsonSettings(ResponseTx<String, settings::patch::Error>),
/// Request the current feature indicators.
GetFeatureIndicators(oneshot::Sender<FeatureIndicators>),
- /// Set if we should leak traffic to Apple services.
- #[cfg(target_os = "macos")]
- SetAppleServicesBypass(ResponseTx<(), settings::Error>, bool),
}
/// All events that can happen in the daemon. Sent from various threads and exposed interfaces.
@@ -770,8 +767,6 @@ impl Daemon {
reset_firewall: *target_state != TargetState::Secured,
#[cfg(any(windows, target_os = "android", target_os = "macos"))]
exclude_paths,
- #[cfg(target_os = "macos")]
- apple_services_bypass: settings.apple_services_bypass,
},
parameters_generator.clone(),
log_dir,
@@ -1339,10 +1334,6 @@ impl Daemon {
ApplyJsonSettings(tx, blob) => self.on_apply_json_settings(tx, blob).await,
ExportJsonSettings(tx) => self.on_export_json_settings(tx),
GetFeatureIndicators(tx) => self.on_get_feature_indicators(tx),
- #[cfg(target_os = "macos")]
- SetAppleServicesBypass(tx, enabled) => {
- self.on_set_apple_services_bypass(tx, enabled).await
- }
}
}
@@ -2812,12 +2803,6 @@ impl Daemon {
let (tx, _rx) = oneshot::channel();
self.send_tunnel_command(TunnelCommand::AllowLan(self.settings.allow_lan, tx));
- #[cfg(target_os = "macos")]
- self.send_tunnel_command(TunnelCommand::AppleServicesBypass(
- oneshot::channel().0,
- self.settings.apple_services_bypass,
- ));
-
let (tx, _rx) = oneshot::channel();
let dns = dns::addresses_from_options(&self.settings.tunnel_options.dns_options);
self.send_tunnel_command(TunnelCommand::Dns(dns, tx));
@@ -2962,37 +2947,6 @@ impl Daemon {
Self::oneshot_send(tx, feature_indicators, "get_feature_indicators response");
}
- #[cfg(target_os = "macos")]
- async fn on_set_apple_services_bypass(
- &mut self,
- tx: ResponseTx<(), settings::Error>,
- enabled: bool,
- ) {
- let result = self
- .settings
- .update(|settings| settings.apple_services_bypass = enabled)
- .await;
-
- match result {
- Ok(settings_changed) => {
- if settings_changed {
- self.send_tunnel_command(TunnelCommand::AppleServicesBypass(
- oneshot_map(tx, |tx, ()| {
- Self::oneshot_send(tx, Ok(()), "set_apple_services_bypass response");
- }),
- enabled,
- ));
- } else {
- Self::oneshot_send(tx, Ok(()), "set_apple_services_bypass response");
- }
- }
- Err(e) => {
- log::error!("{}", e.display_chain_with_msg("Unable to save settings"));
- Self::oneshot_send(tx, Err(e), "set_apple_services_bypass response");
- }
- }
- }
-
/// Set the target state of the client. If it changed trigger the operations needed to
/// progress towards that state.
/// Returns a bool representing whether a state change was initiated.
diff --git a/mullvad-daemon/src/management_interface.rs b/mullvad-daemon/src/management_interface.rs
index 0d73354d93..b52c214a01 100644
--- a/mullvad-daemon/src/management_interface.rs
+++ b/mullvad-daemon/src/management_interface.rs
@@ -1070,26 +1070,6 @@ impl ManagementService for ManagementServiceImpl {
Ok(Response::new(feature_indicators))
}
-
- #[cfg(not(daita))]
- async fn set_enable_daita(&self, _: Request<bool>) -> ServiceResult<()> {
- Ok(Response::new(()))
- }
-
- #[cfg(not(target_os = "macos"))]
- async fn set_apple_services_bypass(&self, _: Request<bool>) -> ServiceResult<()> {
- Ok(Response::new(()))
- }
-
- #[cfg(target_os = "macos")]
- async fn set_apple_services_bypass(&self, request: Request<bool>) -> ServiceResult<()> {
- log::debug!("set_apple_services_bypass");
- let enabled = request.into_inner();
- let (tx, rx) = oneshot::channel();
- self.send_command_to_daemon(DaemonCommand::SetAppleServicesBypass(tx, enabled))?;
- self.wait_for_result(rx).await??;
- Ok(Response::new(()))
- }
}
impl ManagementServiceImpl {
diff --git a/mullvad-management-interface/proto/management_interface.proto b/mullvad-management-interface/proto/management_interface.proto
index 4e04bcf3c1..70d9e1ad2b 100644
--- a/mullvad-management-interface/proto/management_interface.proto
+++ b/mullvad-management-interface/proto/management_interface.proto
@@ -124,9 +124,6 @@ service ManagementService {
// Get current feature indicators
rpc GetFeatureIndicators(google.protobuf.Empty) returns (FeatureIndicators) {}
-
- // Set if we should leak traffic to Apple services.
- rpc SetAppleServicesBypass(google.protobuf.BoolValue) returns (google.protobuf.Empty) {}
}
message UUID { string value = 1; }
@@ -455,7 +452,6 @@ message Settings {
CustomListSettings custom_lists = 11;
ApiAccessMethodSettings api_access_methods = 12;
repeated RelayOverride relay_overrides = 13;
- bool apple_services_bypass = 14;
}
message RelayOverride {
diff --git a/mullvad-management-interface/src/types/conversions/settings.rs b/mullvad-management-interface/src/types/conversions/settings.rs
index 262e9f4233..d3be7f75a2 100644
--- a/mullvad-management-interface/src/types/conversions/settings.rs
+++ b/mullvad-management-interface/src/types/conversions/settings.rs
@@ -54,11 +54,6 @@ impl From<&mullvad_types::settings::Settings> for proto::Settings {
.cloned()
.map(proto::RelayOverride::from)
.collect(),
-
- #[cfg(target_os = "macos")]
- apple_services_bypass: settings.apple_services_bypass,
- #[cfg(not(target_os = "macos"))]
- apple_services_bypass: false,
}
}
}
@@ -203,8 +198,6 @@ impl TryFrom<proto::Settings> for mullvad_types::settings::Settings {
api_access_methods: mullvad_types::access_method::Settings::try_from(
api_access_methods_settings,
)?,
- #[cfg(target_os = "macos")]
- apple_services_bypass: settings.apple_services_bypass,
})
}
}
diff --git a/mullvad-types/src/settings/mod.rs b/mullvad-types/src/settings/mod.rs
index e3be50bf59..aeff904236 100644
--- a/mullvad-types/src/settings/mod.rs
+++ b/mullvad-types/src/settings/mod.rs
@@ -81,9 +81,6 @@ pub struct Settings {
pub api_access_methods: access_method::Settings,
/// If the daemon should allow communication with private (LAN) networks.
pub allow_lan: bool,
- /// If the daemon should allow communication with apple push notification services.
- #[cfg(target_os = "macos")]
- pub apple_services_bypass: bool,
/// Extra level of kill switch. When this setting is on, the disconnected state will block
/// the firewall to not allow any traffic in or out.
pub block_when_disconnected: bool,
@@ -211,8 +208,6 @@ impl Default for Settings {
#[cfg(any(windows, target_os = "android", target_os = "macos"))]
split_tunnel: SplitTunnelSettings::default(),
settings_version: CURRENT_SETTINGS_VERSION,
- #[cfg(target_os = "macos")]
- apple_services_bypass: false,
}
}
}
diff --git a/talpid-core/Cargo.toml b/talpid-core/Cargo.toml
index a0ddb45825..3207d485cb 100644
--- a/talpid-core/Cargo.toml
+++ b/talpid-core/Cargo.toml
@@ -47,7 +47,7 @@ duct = "0.13"
[target.'cfg(target_os = "macos")'.dependencies]
async-trait = "0.1"
duct = "0.13"
-pfctl = "0.6.0"
+pfctl = "0.6.1"
subslice = "0.2"
system-configuration = "0.5.1"
hickory-proto = "0.24.1"
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 2dddc2381e..5f674f2935 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -1,7 +1,7 @@
use super::{FirewallArguments, FirewallPolicy};
use ipnetwork::IpNetwork;
use libc::{c_int, sysctlbyname};
-use pfctl::{DropAction, Endpoint, FilterRuleAction, Uid};
+use pfctl::{DropAction, FilterRuleAction, Ip, Uid};
use std::{
env, io,
net::{IpAddr, Ipv4Addr},
@@ -109,6 +109,16 @@ impl Firewall {
return Ok(false);
}
+ if policy.allow_lan() {
+ let net_is_lan = ALLOWED_LAN_NETS
+ .iter()
+ .chain(ALLOWED_LAN_MULTICAST_NETS.iter())
+ .any(|net| net.contains(remote_address.ip()));
+ if net_is_lan {
+ return Ok(false);
+ }
+ }
+
let Some(peer) = policy.peer_endpoint().map(|endpoint| endpoint.endpoint) else {
// If there's no peer, there's also no tunnel. We have no states to preserve
return Ok(true);
@@ -149,7 +159,6 @@ impl Firewall {
new_filter_rules.append(&mut self.get_allow_loopback_rules()?);
new_filter_rules.append(&mut self.get_allow_dhcp_client_rules()?);
new_filter_rules.append(&mut self.get_allow_ndp_rules()?);
-
new_filter_rules.append(&mut self.get_policy_specific_rules(policy)?);
let return_out_rule = self
@@ -169,7 +178,10 @@ impl Firewall {
anchor_change.set_scrub_rules(Self::get_scrub_rules()?);
anchor_change.set_filter_rules(new_filter_rules);
anchor_change.set_redirect_rules(self.get_dns_redirect_rules(policy)?);
- self.pf.set_rules(ANCHOR_NAME, anchor_change)
+ anchor_change.set_nat_rules(self.get_nat_rules(policy)?);
+ self.pf.set_rules(ANCHOR_NAME, anchor_change)?;
+
+ Ok(())
}
fn get_scrub_rules() -> Result<Vec<pfctl::ScrubRule>> {
@@ -207,6 +219,74 @@ impl Firewall {
Ok(redirect_rules)
}
+ fn get_nat_rules(&mut self, policy: &FirewallPolicy) -> Result<Vec<pfctl::NatRule>> {
+ let (FirewallPolicy::Connected {
+ peer_endpoint,
+ tunnel,
+ ..
+ }
+ | FirewallPolicy::Connecting {
+ peer_endpoint,
+ tunnel: Some(tunnel),
+ ..
+ }) = policy
+ else {
+ return Ok(vec![]);
+ };
+
+ let mut rules = vec![];
+
+ // no nat from/to localhost
+ let no_nat_localhost = pfctl::NatRuleBuilder::default()
+ .interface("lo0")
+ .action(pfctl::NatRuleAction::NoNat)
+ .build()?;
+ rules.push(no_nat_localhost);
+
+ // no nat to LAN nets
+ for net in ALLOWED_LAN_NETS
+ .iter()
+ .chain(ALLOWED_LAN_MULTICAST_NETS.iter())
+ {
+ let rule = pfctl::NatRuleBuilder::default()
+ .action(pfctl::NatRuleAction::NoNat)
+ .to(pfctl::Ip::from(*net))
+ .build()?;
+ rules.push(rule);
+ }
+
+ // no nat to [vpn ip]
+ let no_nat_to_vpn_server = pfctl::NatRuleBuilder::default()
+ .action(pfctl::NatRuleAction::NoNat)
+ .to(peer_endpoint.endpoint.address.ip())
+ .build()?;
+ rules.push(no_nat_to_vpn_server);
+
+ // no nat on [tun interface]
+ let no_nat_on_tun = pfctl::NatRuleBuilder::default()
+ .action(pfctl::NatRuleAction::NoNat)
+ .interface(&tunnel.interface)
+ .build()?;
+ rules.push(no_nat_on_tun);
+
+ // Masquerade other traffic via VPN utun
+ for ip in &tunnel.ips {
+ // nat from {inet,inet6} any to any -> [tun ip]
+ let nat_primary_to_tun = pfctl::NatRuleBuilder::default()
+ .action(pfctl::NatRuleAction::Nat {
+ nat_to: pfctl::NatEndpoint::from(pfctl::Ip::from(*ip)),
+ })
+ .from(Ip::Net(match ip {
+ IpAddr::V4(_) => "0.0.0.0/0".parse().unwrap(),
+ IpAddr::V6(_) => "::/0".parse().unwrap(),
+ }))
+ .build()?;
+ rules.push(nat_primary_to_tun);
+ }
+
+ Ok(rules)
+ }
+
fn get_policy_specific_rules(
&mut self,
policy: &FirewallPolicy,
@@ -219,7 +299,6 @@ impl Firewall {
allowed_endpoint,
allowed_tunnel_traffic,
redirect_interface,
- apple_services_bypass,
dns_redirect_port: _,
} => {
let mut rules = vec![self.get_allow_relay_rule(peer_endpoint)?];
@@ -257,10 +336,6 @@ impl Firewall {
rules.append(&mut self.get_allow_lan_rules()?);
}
- if *apple_services_bypass {
- rules.append(&mut self.get_apple_services_bypass_rules()?);
- }
-
Ok(rules)
}
FirewallPolicy::Connected {
@@ -269,7 +344,6 @@ impl Firewall {
allow_lan,
dns_config,
redirect_interface,
- apple_services_bypass,
dns_redirect_port: _,
} => {
let mut rules = vec![];
@@ -295,10 +369,6 @@ impl Firewall {
rules.append(&mut self.get_allow_lan_rules()?);
}
- if *apple_services_bypass {
- rules.append(&mut self.get_apple_services_bypass_rules()?);
- }
-
if let Some(redirect_interface) = redirect_interface {
enable_forwarding();
@@ -306,6 +376,7 @@ impl Firewall {
&mut self.get_split_tunnel_rules(&tunnel.interface, redirect_interface)?,
);
} else {
+ rules.push(self.route_everything_to(&tunnel.interface)?);
rules.extend(self.get_allow_tunnel_rules(
tunnel.interface.as_str(),
&AllowedTunnelTraffic::All,
@@ -317,7 +388,6 @@ impl Firewall {
FirewallPolicy::Blocked {
allow_lan,
allowed_endpoint,
- apple_services_bypass,
..
} => {
let mut rules = Vec::new();
@@ -331,15 +401,24 @@ impl Firewall {
rules.append(&mut self.get_allow_lan_rules()?);
}
- if *apple_services_bypass {
- rules.append(&mut self.get_apple_services_bypass_rules()?);
- }
-
Ok(rules)
}
}
}
+ /// Route outbound traffic to the selected interface
+ fn route_everything_to(&self, interface: &str) -> Result<pfctl::FilterRule> {
+ self.create_rule_builder(FilterRuleAction::Pass)
+ .quick(true)
+ .direction(pfctl::Direction::Out)
+ .route(pfctl::Route::RouteTo(pfctl::PoolAddr::from(
+ pfctl::Interface::from(&interface),
+ )))
+ .keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
+ .build()
+ }
+
fn get_allow_local_dns_rules_when_connected(
&self,
tunnel: &crate::tunnel::TunnelMetadata,
@@ -554,6 +633,7 @@ impl Firewall {
let allow_out = rule_builder
.direction(pfctl::Direction::Out)
.from(pfctl::Ip::Any)
+ .keep_state(pfctl::StatePolicy::Keep)
.to(pfctl::Ip::from(*net))
.build()?;
let allow_in = rule_builder
@@ -600,45 +680,6 @@ impl Firewall {
Ok(rules)
}
- /// Generate rules that allow traffic to the networks required for Apple push notification
- /// services to work. This is a hack to get around the fact that apple services in MacOS 15 has
- /// a bug where they don't respect the routing table.
- ///
- /// All allowed networks are part of apple-owned IP subnets.
- fn get_apple_services_bypass_rules(&self) -> Result<Vec<pfctl::FilterRule>> {
- // https://support.apple.com/en-us/102266
- let apple_networks: &[IpNetwork] = &[
- "17.249.0.0/16".parse().unwrap(),
- "17.252.0.0/16".parse().unwrap(),
- "17.57.144.0/22".parse().unwrap(),
- "17.188.128.0/18".parse().unwrap(),
- "17.188.20.0/23".parse().unwrap(),
- "2620:149:a44::/48".parse().unwrap(),
- "2403:300:a42::/48".parse().unwrap(),
- "2403:300:a51::/48".parse().unwrap(),
- "2a01:b740:a42::/48".parse().unwrap(),
- ];
-
- let apple_ports: &[u16] = &[443, 2197, 5223];
-
- let mut rules = vec![];
- for &net in apple_networks {
- for &port in apple_ports {
- let mut rule_builder = self.create_rule_builder(FilterRuleAction::Pass);
- rule_builder.quick(true);
- let allow_out = rule_builder
- .quick(true)
- .direction(pfctl::Direction::Out)
- .from(pfctl::Ip::Any)
- .to(Endpoint::new(pfctl::Ip::from(net), port))
- .keep_state(pfctl::StatePolicy::Keep)
- .build()?;
- rules.push(allow_out);
- }
- }
- Ok(rules)
- }
-
fn get_split_tunnel_rules(
&self,
from_interface: &str,
@@ -658,17 +699,7 @@ impl Firewall {
.keep_state(pfctl::StatePolicy::Keep)
.interface(to_interface)
.build()?;
- let redir_rule = self
- .create_rule_builder(FilterRuleAction::Pass)
- .quick(true)
- .direction(pfctl::Direction::Out)
- .route(pfctl::Route::RouteTo(pfctl::PoolAddr::from(
- pfctl::Interface::from(to_interface),
- )))
- .keep_state(pfctl::StatePolicy::Keep)
- .tcp_flags(Self::get_tcp_flags())
- .interface(from_interface)
- .build()?;
+ let redir_rule = self.route_everything_to(to_interface)?;
Ok(vec![tunnel_rule, allow_rule, redir_rule])
}
@@ -861,11 +892,13 @@ impl Firewall {
fn add_anchor(&mut self) -> Result<()> {
self.pf
+ .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Scrub)?;
+ self.pf
+ .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat)?;
+ self.pf
.try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Filter)?;
self.pf
.try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Redirect)?;
- self.pf
- .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Scrub)?;
Ok(())
}
@@ -873,6 +906,8 @@ impl Firewall {
self.pf
.try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Scrub)?;
self.pf
+ .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat)?;
+ self.pf
.try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Redirect)?;
self.pf
.try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Filter)?;
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index af3db8dcb3..17f74b17ee 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -94,10 +94,6 @@ pub enum FirewallPolicy {
/// Interface to redirect (VPN tunnel) traffic to
#[cfg(target_os = "macos")]
redirect_interface: Option<String>,
-
- /// Flag setting if we should leak traffic to apple services.
- #[cfg(target_os = "macos")]
- apple_services_bypass: bool,
/// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
/// be redirected to `127.0.0.1:$dns_redirect_port`.
#[cfg(target_os = "macos")]
@@ -118,10 +114,6 @@ pub enum FirewallPolicy {
/// Interface to redirect (VPN tunnel) traffic to
#[cfg(target_os = "macos")]
redirect_interface: Option<String>,
-
- /// Flag setting if we should leak traffic to apple services.
- #[cfg(target_os = "macos")]
- apple_services_bypass: bool,
/// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
/// be redirected to `127.0.0.1:$dns_redirect_port`.
#[cfg(target_os = "macos")]
@@ -138,10 +130,6 @@ pub enum FirewallPolicy {
/// be redirected to `127.0.0.1:$dns_redirect_port`.
#[cfg(target_os = "macos")]
dns_redirect_port: u16,
-
- /// Flag setting if we should leak traffic to apple services.
- #[cfg(target_os = "macos")]
- apple_services_bypass: bool,
},
}
@@ -178,6 +166,15 @@ impl FirewallPolicy {
_ => &AllowedTunnelTraffic::None,
}
}
+
+ /// Return whether LAN traffic is allowed
+ pub fn allow_lan(&self) -> bool {
+ match self {
+ FirewallPolicy::Connecting { allow_lan, .. }
+ | FirewallPolicy::Connected { allow_lan, .. }
+ | FirewallPolicy::Blocked { allow_lan, .. } => *allow_lan,
+ }
+ }
}
impl fmt::Display for FirewallPolicy {
diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs
index f614b58267..d5eb5ac7b7 100644
--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
@@ -143,8 +143,6 @@ impl ConnectedState {
#[cfg(target_os = "macos")]
redirect_interface,
#[cfg(target_os = "macos")]
- apple_services_bypass: shared_values.apple_services_bypass,
- #[cfg(target_os = "macos")]
dns_redirect_port: shared_values.filtering_resolver.listening_port(),
}
}
@@ -391,25 +389,6 @@ impl ConnectedState {
}
SameState(self)
}
-
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- let consequence = if shared_values.set_apple_services_bypass(apple_services_bypass)
- {
- match self.set_firewall_policy(shared_values) {
- Ok(()) => SameState(self),
- Err(error) => self.disconnect(
- shared_values,
- AfterDisconnect::Block(ErrorStateCause::SetFirewallPolicyError(error)),
- ),
- }
- } else {
- SameState(self)
- };
-
- let _ = complete_tx.send(());
- consequence
- }
}
}
diff --git a/talpid-core/src/tunnel_state_machine/connecting_state.rs b/talpid-core/src/tunnel_state_machine/connecting_state.rs
index 783769251a..bc38401147 100644
--- a/talpid-core/src/tunnel_state_machine/connecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connecting_state.rs
@@ -184,8 +184,6 @@ impl ConnectingState {
#[cfg(target_os = "macos")]
redirect_interface,
#[cfg(target_os = "macos")]
- apple_services_bypass: shared_values.apple_services_bypass,
- #[cfg(target_os = "macos")]
dns_redirect_port: shared_values.filtering_resolver.listening_port(),
};
shared_values
@@ -559,17 +557,6 @@ impl ConnectingState {
}
SameState(self)
}
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- let consequence = if shared_values.set_apple_services_bypass(apple_services_bypass)
- {
- self.reset_firewall(shared_values)
- } else {
- SameState(self)
- };
- let _ = complete_tx.send(());
- consequence
- }
}
}
diff --git a/talpid-core/src/tunnel_state_machine/disconnected_state.rs b/talpid-core/src/tunnel_state_machine/disconnected_state.rs
index f66bac4e76..baf6012103 100644
--- a/talpid-core/src/tunnel_state_machine/disconnected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/disconnected_state.rs
@@ -78,8 +78,6 @@ impl DisconnectedState {
allowed_endpoint: Some(shared_values.allowed_endpoint.clone()),
#[cfg(target_os = "macos")]
dns_redirect_port: shared_values.filtering_resolver.listening_port(),
- #[cfg(target_os = "macos")]
- apple_services_bypass: shared_values.apple_services_bypass,
};
shared_values.firewall.apply_policy(policy).map_err(|e| {
@@ -236,14 +234,6 @@ impl TunnelState for DisconnectedState {
let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
SameState(self)
}
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- if shared_values.set_apple_services_bypass(apple_services_bypass) {
- Self::set_firewall_policy(shared_values, false);
- }
- let _ = complete_tx.send(());
- SameState(self)
- }
None => {
Self::reset_dns(shared_values);
Finished
diff --git a/talpid-core/src/tunnel_state_machine/disconnecting_state.rs b/talpid-core/src/tunnel_state_machine/disconnecting_state.rs
index 16bed626e1..4a108788e1 100644
--- a/talpid-core/src/tunnel_state_machine/disconnecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/disconnecting_state.rs
@@ -92,12 +92,6 @@ impl DisconnectingState {
let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
AfterDisconnect::Nothing
}
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- let _ = shared_values.set_apple_services_bypass(apple_services_bypass);
- let _ = complete_tx.send(());
- AfterDisconnect::Nothing
- }
},
AfterDisconnect::Block(reason) => match command {
Some(TunnelCommand::AllowLan(allow_lan, complete_tx)) => {
@@ -155,12 +149,6 @@ impl DisconnectingState {
let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
AfterDisconnect::Block(reason)
}
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- let _ = shared_values.set_apple_services_bypass(apple_services_bypass);
- let _ = complete_tx.send(());
- AfterDisconnect::Block(reason)
- }
None => AfterDisconnect::Block(reason),
},
AfterDisconnect::Reconnect(retry_attempt) => match command {
@@ -219,12 +207,6 @@ impl DisconnectingState {
let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
AfterDisconnect::Reconnect(retry_attempt)
}
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- let _ = shared_values.set_apple_services_bypass(apple_services_bypass);
- let _ = complete_tx.send(());
- AfterDisconnect::Reconnect(retry_attempt)
- }
},
};
diff --git a/talpid-core/src/tunnel_state_machine/error_state.rs b/talpid-core/src/tunnel_state_machine/error_state.rs
index 14885b0a60..eeaf48956b 100644
--- a/talpid-core/src/tunnel_state_machine/error_state.rs
+++ b/talpid-core/src/tunnel_state_machine/error_state.rs
@@ -78,8 +78,6 @@ impl ErrorState {
allowed_endpoint: Some(shared_values.allowed_endpoint.clone()),
#[cfg(target_os = "macos")]
dns_redirect_port: shared_values.filtering_resolver.listening_port(),
- #[cfg(target_os = "macos")]
- apple_services_bypass: shared_values.apple_services_bypass,
};
#[cfg(target_os = "linux")]
@@ -237,18 +235,6 @@ impl TunnelState for ErrorState {
let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
SameState(self)
}
- #[cfg(target_os = "macos")]
- Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
- let consequence = if shared_values.set_apple_services_bypass(apple_services_bypass)
- {
- let _ = Self::set_firewall_policy(shared_values);
- SameState(self)
- } else {
- SameState(self)
- };
- let _ = complete_tx.send(());
- consequence
- }
}
}
}
diff --git a/talpid-core/src/tunnel_state_machine/mod.rs b/talpid-core/src/tunnel_state_machine/mod.rs
index 052dd74a49..e0ef07850d 100644
--- a/talpid-core/src/tunnel_state_machine/mod.rs
+++ b/talpid-core/src/tunnel_state_machine/mod.rs
@@ -104,9 +104,6 @@ pub struct InitialTunnelState {
/// Apps to exclude from the tunnel.
#[cfg(target_os = "android")]
pub exclude_paths: Vec<String>,
- /// Whether we should leak traffic to Apple services.
- #[cfg(target_os = "macos")]
- pub apple_services_bypass: bool,
}
/// Identifiers for various network resources that should be unique to a given instance of a tunnel
@@ -217,9 +214,6 @@ pub enum TunnelCommand {
oneshot::Sender<Result<(), split_tunnel::Error>>,
Vec<String>,
),
- /// Set if we should leak traffic to Apple services.
- #[cfg(target_os = "macos")]
- AppleServicesBypass(oneshot::Sender<()>, bool),
}
type TunnelCommandReceiver = stream::Fuse<mpsc::UnboundedReceiver<TunnelCommand>>;
@@ -389,8 +383,6 @@ impl TunnelStateMachine {
connectivity_check_was_enabled: None,
#[cfg(target_os = "macos")]
filtering_resolver,
- #[cfg(target_os = "macos")]
- apple_services_bypass: args.settings.apple_services_bypass,
};
tokio::task::spawn_blocking(move || {
@@ -494,9 +486,6 @@ struct SharedTunnelStateValues {
/// Filtering resolver handle
#[cfg(target_os = "macos")]
filtering_resolver: crate::resolver::ResolverHandle,
-
- #[cfg(target_os = "macos")]
- apple_services_bypass: bool,
}
impl SharedTunnelStateValues {
@@ -663,16 +652,6 @@ impl SharedTunnelStateValues {
}
}
}
-
- #[cfg(target_os = "macos")]
- pub fn set_apple_services_bypass(&mut self, apple_services_bypass: bool) -> bool {
- if self.apple_services_bypass != apple_services_bypass {
- self.apple_services_bypass = apple_services_bypass;
- true
- } else {
- false
- }
- }
}
/// Asynchronous result of an attempt to progress a state.
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.