| author | Linus Färnstrand <linus@mullvad.net> | 2017-11-29 16:55:08 +0100 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2017-12-04 10:26:49 +0100 |
| commit | 2650f1cf272da4b1802704b34a12264dcf1009ea (patch) | |
| tree | eb3c8c392a5ca2a57011127fc19178b6fc9c045f | |
| parent | aa40241f8f92d9fd28575102f78391c1e80a52fa (diff) | |
| download | mullvadvpn-2650f1cf272da4b1802704b34a12264dcf1009ea.tar.xz mullvadvpn-2650f1cf272da4b1802704b34a12264dcf1009ea.zip | |
Remove redirect rule code bloat
| -rw-r--r-- | talpid-core/src/firewall/macos/mod.rs | 47 |
1 files changed, 24 insertions, 23 deletions
diff --git a/talpid-core/src/firewall/macos/mod.rs b/talpid-core/src/firewall/macos/mod.rs
index 08e38a09c4..c4fbc6a76c 100644
--- a/talpid-core/src/firewall/macos/mod.rs
+++ b/talpid-core/src/firewall/macos/mod.rs
@@ -58,15 +58,12 @@ impl Firewall<Error> for PacketFilter {
 impl PacketFilter {
 fn set_rules(&mut self, policy: SecurityPolicy) -> Result<()> {
 let mut new_filter_rules = vec![];
- let mut new_redirect_rules = vec![];
 new_filter_rules.append(&mut Self::get_allow_loopback_rules()?);
 new_filter_rules.append(&mut Self::get_allow_dhcp_rules()?);
- let (mut policy_filter_rules, mut policy_redirect_rules) =
- self.get_policy_specific_rules(policy)?;
+ let mut policy_filter_rules = self.get_policy_specific_rules(policy)?;
 new_filter_rules.append(&mut policy_filter_rules);
- new_redirect_rules.append(&mut policy_redirect_rules);
 let drop_all_rule = pfctl::FilterRuleBuilder::default()
 .action(pfctl::FilterRuleAction::Drop)
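Review bot: `policy_filter_rules` in `set_rules` is bound mutably only to be drained by `append` on the very next line; `new_filter_rules.extend(self.get_policy_specific_rules(policy)?);` expresses the same thing without the temporary, and the two `append(&mut Self::get_allow_…()?)` calls above it can use `extend` the same way. The rule order and contents are unchanged by that rewrite. `set_rules` continues past the end of this hunk.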
@@ -76,53 +73,57 @@ impl PacketFilter {
 let mut anchor_change = pfctl::AnchorChange::new();
 anchor_change.set_filter_rules(new_filter_rules);
- anchor_change.set_redirect_rules(new_redirect_rules);
 Ok(self.pf.set_rules(ANCHOR_NAME, anchor_change)?)
 }
 fn get_policy_specific_rules(
 &mut self,
 policy: SecurityPolicy,
- ) -> Result<(Vec<pfctl::FilterRule>, Vec<pfctl::RedirectRule>)> {
+ ) -> Result<Vec<pfctl::FilterRule>> {
 match policy {
 SecurityPolicy::Connecting(relay_endpoint) => {
- Ok((vec![Self::get_allow_relay_rule(relay_endpoint)?], vec![]))
+ Ok(vec![Self::get_allow_relay_rule(relay_endpoint)?])
 }
 SecurityPolicy::Connected(relay_endpoint, tunnel) => {
- let allow_dns_to_relay_rule = pfctl::FilterRuleBuilder::default()
+ let allow_tcp_dns_to_relay_rule = pfctl::FilterRuleBuilder::default()
 .action(pfctl::FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
 .quick(true)
 .interface(&tunnel.interface)
- .proto(pfctl::Proto::Udp)
+ .proto(pfctl::Proto::Tcp)
 .to(pfctl::Endpoint::new(tunnel.gateway, 53))
 .build()?;
- let reroute_dns_rule = pfctl::FilterRuleBuilder::default()
+ let allow_udp_dns_to_relay_rule = pfctl::FilterRuleBuilder::default()
 .action(pfctl::FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
 .quick(true)
- .route(pfctl::Route::route_to(pfctl::Interface::from("lo0")))
+ .interface(&tunnel.interface)
 .proto(pfctl::Proto::Udp)
- .to(pfctl::Port::from(53))
+ .to(pfctl::Endpoint::new(tunnel.gateway, 53))
 .build()?;
- let block_all_other_dns_rule = pfctl::FilterRuleBuilder::default()
+ let block_tcp_dns_rule = pfctl::FilterRuleBuilder::default()
 .action(pfctl::FilterRuleAction::Drop)
 .direction(pfctl::Direction::Out)
 .quick(true)
 .proto(pfctl::Proto::Tcp)
 .to(pfctl::Port::from(53))
 .build()?;
+ let block_udp_dns_rule = pfctl::FilterRuleBuilder::default()
+ .action(pfctl::FilterRuleAction::Drop)
+ .direction(pfctl::Direction::Out)
+ .quick(true)
+ .proto(pfctl::Proto::Udp)
+ .to(pfctl::Port::from(53))
+ .build()?;
- Ok((
- vec![
- allow_dns_to_relay_rule,
- reroute_dns_rule,
- block_all_other_dns_rule,
- Self::get_allow_relay_rule(relay_endpoint)?,
- Self::get_allow_tunnel_rule(tunnel.interface.as_str())?,
- ],
- vec![],
- ))
+ Ok(vec![
+ allow_tcp_dns_to_relay_rule,
+ allow_udp_dns_to_relay_rule,
+ block_tcp_dns_rule,
+ block_udp_dns_rule,
+ Self::get_allow_relay_rule(relay_endpoint)?,
+ Self::get_allow_tunnel_rule(tunnel.interface.as_str())?,
+ ])
 }
 }
 } |
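Review bot: The DNS-leak guarantee in the `SecurityPolicy::Connected` arm rests on an ordering the code never states: every rule is `quick`, so the two port-53 drops must stay ahead of `get_allow_tunnel_rule` in the returned vector, otherwise DNS to any host would be passed through the tunnel before the drops are consulted. I would put `// All rules are quick: the DNS drops must precede the general tunnel allow` above the `Ok(vec![`, and since the four builder chains differ only in action, protocol and destination, collapse them into two closures parameterised by protocol as below, which keeps the rule order byte-identical (it relies on `tunnel.gateway` being `Copy`, which the hunk's two existing `Endpoint::new(tunnel.gateway, 53)` calls already imply). `get_policy_specific_rules` is fully visible within this hunk.
```rust
SecurityPolicy::Connected(relay_endpoint, tunnel) => {
    // Allow DNS only to the tunnel gateway, and only over the tunnel interface.
    let allow_dns_to_gateway = |proto: pfctl::Proto| {
        pfctl::FilterRuleBuilder::default()
            .action(pfctl::FilterRuleAction::Pass)
            .direction(pfctl::Direction::Out)
            .quick(true)
            .interface(&tunnel.interface)
            .proto(proto)
            .to(pfctl::Endpoint::new(tunnel.gateway, 53))
            .build()
    };
    // Drop DNS to any other destination, on every interface.
    let block_dns = |proto: pfctl::Proto| {
        pfctl::FilterRuleBuilder::default()
            .action(pfctl::FilterRuleAction::Drop)
            .direction(pfctl::Direction::Out)
            .quick(true)
            .proto(proto)
            .to(pfctl::Port::from(53))
            .build()
    };
    // All rules are quick: the DNS drops must precede the general tunnel allow.
    Ok(vec![
        allow_dns_to_gateway(pfctl::Proto::Tcp)?,
        allow_dns_to_gateway(pfctl::Proto::Udp)?,
        block_dns(pfctl::Proto::Tcp)?,
        block_dns(pfctl::Proto::Udp)?,
        Self::get_allow_relay_rule(relay_endpoint)?,
        Self::get_allow_tunnel_rule(tunnel.interface.as_str())?,
    ])
}
```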
