authorLinus Färnstrand <linus@mullvad.net>2019-05-08 09:50:12 +0200
committerLinus Färnstrand <linus@mullvad.net>2019-05-08 14:12:32 +0200
commit346b9a77beba94c85f05658869e70040f361ecb8 (patch)
treee159afdf0c4d44594304cd5a52423f856c52c91f
parent12f0aa81c5a06deec9d0d4fcee8735e4c356667e (diff)
downloadmullvadvpn-346b9a77beba94c85f05658869e70040f361ecb8.tar.xz
mullvadvpn-346b9a77beba94c85f05658869e70040f361ecb8.zip
Update Linux firewall impl to use extracted DHCP ports
-rw-r--r--talpid-core/src/firewall/linux.rs41
-rw-r--r--talpid-core/src/firewall/mod.rs4
2 files changed, 23 insertions, 22 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 1b9e8538b2..244b320098 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -200,6 +200,7 @@ impl<'a> PolicyBatch<'a> {
out_chain.set_policy(nftnl::Policy::Drop);
in_chain.set_policy(nftnl::Policy::Drop);
+ // A little dance that will make sure the table exists, but is cleared.
batch.add(table, nftnl::MsgType::Add);
batch.add(table, nftnl::MsgType::Del);
batch.add(table, nftnl::MsgType::Add);
@@ -238,40 +239,36 @@ impl<'a> PolicyBatch<'a> {
fn add_dhcp_rules(&mut self) {
use self::TransportProtocol::Udp;
- const SERVER_PORT_V4: u16 = 67;
- const CLIENT_PORT_V4: u16 = 68;
- const SERVER_PORT_V6: u16 = 547;
- const CLIENT_PORT_V6: u16 = 546;
{
let mut out_v4 = Rule::new(&self.out_chain);
- check_port(&mut out_v4, Udp, End::Src, CLIENT_PORT_V4);
+ check_port(&mut out_v4, Udp, End::Src, super::DHCPV4_CLIENT_PORT);
check_ip(&mut out_v4, End::Dst, IpAddr::V4(Ipv4Addr::BROADCAST));
- check_port(&mut out_v4, Udp, End::Dst, SERVER_PORT_V4);
+ check_port(&mut out_v4, Udp, End::Dst, super::DHCPV4_SERVER_PORT);
add_verdict(&mut out_v4, &Verdict::Accept);
self.batch.add(&out_v4, nftnl::MsgType::Add);
}
{
let mut in_v4 = Rule::new(&self.in_chain);
- check_port(&mut in_v4, Udp, End::Src, SERVER_PORT_V4);
- check_port(&mut in_v4, Udp, End::Dst, CLIENT_PORT_V4);
+ check_port(&mut in_v4, Udp, End::Src, super::DHCPV4_SERVER_PORT);
+ check_port(&mut in_v4, Udp, End::Dst, super::DHCPV4_CLIENT_PORT);
add_verdict(&mut in_v4, &Verdict::Accept);
self.batch.add(&in_v4, nftnl::MsgType::Add);
}
for dhcpv6_server in &*super::DHCPV6_SERVER_ADDRS {
let mut out_v6 = Rule::new(&self.out_chain);
- check_net(&mut out_v6, End::Src, *super::DHCPV6_SRC_ADDR);
- check_port(&mut out_v6, Udp, End::Src, CLIENT_PORT_V6);
+ check_net(&mut out_v6, End::Src, *super::IPV6_LINK_LOCAL);
+ check_port(&mut out_v6, Udp, End::Src, super::DHCPV6_CLIENT_PORT);
check_ip(&mut out_v6, End::Dst, *dhcpv6_server);
- check_port(&mut out_v6, Udp, End::Dst, SERVER_PORT_V6);
+ check_port(&mut out_v6, Udp, End::Dst, super::DHCPV6_SERVER_PORT);
add_verdict(&mut out_v6, &Verdict::Accept);
self.batch.add(&out_v6, nftnl::MsgType::Add);
}
{
let mut in_v6 = Rule::new(&self.in_chain);
- check_net(&mut in_v6, End::Src, *super::DHCPV6_SRC_ADDR);
- check_port(&mut in_v6, Udp, End::Src, SERVER_PORT_V6);
- check_net(&mut in_v6, End::Dst, *super::DHCPV6_SRC_ADDR);
- check_port(&mut in_v6, Udp, End::Dst, CLIENT_PORT_V6);
+ check_net(&mut in_v6, End::Src, *super::IPV6_LINK_LOCAL);
+ check_port(&mut in_v6, Udp, End::Src, super::DHCPV6_SERVER_PORT);
+ check_net(&mut in_v6, End::Dst, *super::IPV6_LINK_LOCAL);
+ check_port(&mut in_v6, Udp, End::Dst, super::DHCPV6_CLIENT_PORT);
add_verdict(&mut in_v6, &Verdict::Accept);
self.batch.add(&in_v6, nftnl::MsgType::Add);
}
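Review bot: `add_dhcp_rules` still carries no doc comment after this rewrite, and the rewritten inbound DHCPv4 rule (`in_v4`) now reads visibly differently from its v6 counterpart: the v6 rules constrain the source to `IPV6_LINK_LOCAL` (and `in_v6` the destination as well), while `in_v4` accepts any UDP packet with source port `DHCPV4_SERVER_PORT` and destination port `DHCPV4_CLIENT_PORT` regardless of address, so whether that is deliberate should be stated on the rule. Suggested doc comment for the function: `/// Accept the DHCPv4 exchange (client port 68 -> broadcast:67 out, 67 -> 68 in) and the DHCPv6 exchange between link-local addresses and the configured DHCPv6 server addresses.` plus a one-line comment on `in_v4` explaining why no address constraint is applied there. As a style point, the repeated `super::` prefixes could be dropped by extending the existing import block with `use super::{DHCPV4_CLIENT_PORT, DHCPV4_SERVER_PORT, DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT};` next to `use self::TransportProtocol::Udp;`. The function's closing brace lies outside the hunk.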
@@ -302,7 +299,7 @@ impl<'a> PolicyBatch<'a> {
// Incoming Router advertisement (part of NDP)
{
let mut rule = Rule::new(&self.in_chain);
- check_net(&mut rule, End::Src, *super::ROUTER_ADVERTISEMENT_IN_SRC_NET);
+ check_net(&mut rule, End::Src, *super::IPV6_LINK_LOCAL);
rule.add_expr(&nft_expr!(meta l4proto));
rule.add_expr(&nft_expr!(cmp == libc::IPPROTO_ICMPV6 as u8));
@@ -322,7 +319,7 @@ impl<'a> PolicyBatch<'a> {
// Incoming Redirect (part of NDP)
{
let mut rule = Rule::new(&self.in_chain);
- check_net(&mut rule, End::Src, *super::ROUTER_ADVERTISEMENT_IN_SRC_NET);
+ check_net(&mut rule, End::Src, *super::IPV6_LINK_LOCAL);
rule.add_expr(&nft_expr!(meta l4proto));
rule.add_expr(&nft_expr!(cmp == libc::IPPROTO_ICMPV6 as u8));
@@ -472,15 +469,15 @@ impl<'a> PolicyBatch<'a> {
fn add_allow_lan_rules(&mut self) {
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
- let mut in_rule = Rule::new(&self.in_chain);
- check_net(&mut in_rule, End::Src, *net);
- add_verdict(&mut in_rule, &Verdict::Accept);
- self.batch.add(&in_rule, nftnl::MsgType::Add);
-
let mut out_rule = Rule::new(&self.out_chain);
check_net(&mut out_rule, End::Dst, *net);
add_verdict(&mut out_rule, &Verdict::Accept);
self.batch.add(&out_rule, nftnl::MsgType::Add);
+
+ let mut in_rule = Rule::new(&self.in_chain);
+ check_net(&mut in_rule, End::Src, *net);
+ add_verdict(&mut in_rule, &Verdict::Accept);
+ self.batch.add(&in_rule, nftnl::MsgType::Add);
}
// LAN -> Multicast
for net in &*super::ALLOWED_LAN_MULTICAST_NETS {
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 2bfd782bfe..6561b3298b 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -57,9 +57,13 @@ lazy_static! {
];
static ref ROUTER_SOLICITATION_OUT_DST_ADDR: Ipv6Addr = Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 2);
}
+#[cfg(all(unix, not(target_os = "android")))]
const DHCPV4_SERVER_PORT: u16 = 67;
+#[cfg(all(unix, not(target_os = "android")))]
const DHCPV4_CLIENT_PORT: u16 = 68;
+#[cfg(all(unix, not(target_os = "android")))]
const DHCPV6_SERVER_PORT: u16 = 547;
+#[cfg(all(unix, not(target_os = "android")))]
const DHCPV6_CLIENT_PORT: u16 = 546;