authorLinus Färnstrand <linus@mullvad.net>2018-08-27 22:07:40 +0200
committerLinus Färnstrand <linus@mullvad.net>2018-08-27 22:07:40 +0200
commit34ec7e5d40da9a9fb3ef9c0858a27db18fca8682 (patch)
treeb0a8f85ff7de2d9718493cfddc954228ae5435eb
parentefbf7c5f060b1a91ef260b76af4a3bbdf21d0278 (diff)
parent90b04e8d6ea85e95d174a416c70017581be166e7 (diff)
Merge branch 'rename-firewall-concept'
-rw-r--r--mullvad-daemon/src/tunnel_state_machine/connected_state.rs4
-rw-r--r--mullvad-daemon/src/tunnel_state_machine/connecting_state.rs4
-rw-r--r--mullvad-daemon/src/tunnel_state_machine/disconnected_state.rs4
-rw-r--r--mullvad-daemon/src/tunnel_state_machine/mod.rs13
-rw-r--r--mullvad-problem-report/src/main.rs4
-rw-r--r--talpid-core/src/lib.rs4
-rw-r--r--talpid-core/src/security/linux/dns.rs (renamed from talpid-core/src/firewall/linux/dns.rs)0
-rw-r--r--talpid-core/src/security/linux/mod.rs (renamed from talpid-core/src/firewall/linux/mod.rs)14
-rw-r--r--talpid-core/src/security/macos/dns.rs (renamed from talpid-core/src/firewall/macos/dns.rs)0
-rw-r--r--talpid-core/src/security/macos/mod.rs (renamed from talpid-core/src/firewall/macos/mod.rs)15
-rw-r--r--talpid-core/src/security/mod.rs (renamed from talpid-core/src/firewall/mod.rs)22
-rw-r--r--talpid-core/src/security/windows/dns.rs (renamed from talpid-core/src/firewall/windows/dns.rs)0
-rw-r--r--talpid-core/src/security/windows/ffi.rs (renamed from talpid-core/src/firewall/windows/ffi.rs)0
-rw-r--r--talpid-core/src/security/windows/mod.rs (renamed from talpid-core/src/firewall/windows/mod.rs)16
-rw-r--r--talpid-core/src/security/windows/route.rs (renamed from talpid-core/src/firewall/windows/route.rs)0
-rw-r--r--talpid-core/src/security/windows/system_state.rs (renamed from talpid-core/src/firewall/windows/system_state.rs)0
16 files changed, 49 insertions, 51 deletions
diff --git a/mullvad-daemon/src/tunnel_state_machine/connected_state.rs b/mullvad-daemon/src/tunnel_state_machine/connected_state.rs
index dda19befb7..88b12e3ec8 100644
--- a/mullvad-daemon/src/tunnel_state_machine/connected_state.rs
+++ b/mullvad-daemon/src/tunnel_state_machine/connected_state.rs
@@ -1,7 +1,7 @@
use futures::sync::{mpsc, oneshot};
use futures::{Async, Future, Stream};
-use talpid_core::firewall::{Firewall, SecurityPolicy};
+use talpid_core::security::{NetworkSecurity, SecurityPolicy};
use talpid_core::tunnel::{CloseHandle, TunnelEvent, TunnelMetadata};
use talpid_types::net::TunnelEndpoint;
@@ -51,7 +51,7 @@ impl ConnectedState {
debug!("Setting security policy: {:?}", policy);
shared_values
- .firewall
+ .security
.apply_policy(policy)
.chain_err(|| "Failed to apply security policy for connected state")
}
diff --git a/mullvad-daemon/src/tunnel_state_machine/connecting_state.rs b/mullvad-daemon/src/tunnel_state_machine/connecting_state.rs
index 7138bfece9..c05d85d217 100644
--- a/mullvad-daemon/src/tunnel_state_machine/connecting_state.rs
+++ b/mullvad-daemon/src/tunnel_state_machine/connecting_state.rs
@@ -8,7 +8,7 @@ use futures::sink::Wait;
use futures::sync::{mpsc, oneshot};
use futures::{Async, Future, Sink, Stream};
-use talpid_core::firewall::{Firewall, SecurityPolicy};
+use talpid_core::security::{NetworkSecurity, SecurityPolicy};
use talpid_core::tunnel::{CloseHandle, TunnelEvent, TunnelMetadata, TunnelMonitor};
use talpid_types::net::{TunnelEndpoint, TunnelEndpointData};
@@ -69,7 +69,7 @@ impl ConnectingState {
debug!("Setting security policy: {:?}", policy);
shared_values
- .firewall
+ .security
.apply_policy(policy)
.chain_err(|| "Failed to apply security policy for connecting state")
}
diff --git a/mullvad-daemon/src/tunnel_state_machine/disconnected_state.rs b/mullvad-daemon/src/tunnel_state_machine/disconnected_state.rs
index 702d6aefe6..a64f2ca543 100644
--- a/mullvad-daemon/src/tunnel_state_machine/disconnected_state.rs
+++ b/mullvad-daemon/src/tunnel_state_machine/disconnected_state.rs
@@ -2,7 +2,7 @@ use error_chain::ChainedError;
use futures::sync::mpsc;
use futures::Stream;
-use talpid_core::firewall::Firewall;
+use talpid_core::security::NetworkSecurity;
use super::{
ConnectingState, Error, EventConsequence, SharedTunnelStateValues, StateEntryResult,
@@ -15,7 +15,7 @@ pub struct DisconnectedState;
impl DisconnectedState {
fn reset_security_policy(shared_values: &mut SharedTunnelStateValues) {
debug!("Resetting security policy");
- if let Err(error) = shared_values.firewall.reset_policy() {
+ if let Err(error) = shared_values.security.reset_policy() {
let chained_error = Error::with_chain(error, "Failed to reset security policy");
error!("{}", chained_error.display_chain());
}
diff --git a/mullvad-daemon/src/tunnel_state_machine/mod.rs b/mullvad-daemon/src/tunnel_state_machine/mod.rs
index f328af6663..29e1e5869a 100644
--- a/mullvad-daemon/src/tunnel_state_machine/mod.rs
+++ b/mullvad-daemon/src/tunnel_state_machine/mod.rs
@@ -17,8 +17,8 @@ use futures::{Async, Future, Poll, Stream};
use tokio_core::reactor::Core;
use mullvad_types::account::AccountToken;
-use talpid_core::firewall::{Firewall, FirewallProxy};
use talpid_core::mpsc::IntoSender;
+use talpid_core::security::{NetworkSecurity, NetworkSecurityImpl};
use talpid_types::net::{TunnelEndpoint, TunnelOptions};
use self::connected_state::{ConnectedState, ConnectedStateBootstrap};
@@ -28,8 +28,8 @@ use self::disconnecting_state::{AfterDisconnect, DisconnectingState};
error_chain! {
errors {
- FirewallError {
- description("Firewall error")
+ NetworkSecurityError {
+ description("Network security error")
}
ReactorError {
description("Failed to initialize tunnel state machine event loop executor")
@@ -144,8 +144,9 @@ impl TunnelStateMachine {
cache_dir: P,
commands: mpsc::UnboundedReceiver<TunnelCommand>,
) -> Result<Self> {
- let firewall = FirewallProxy::new(cache_dir).chain_err(|| ErrorKind::FirewallError)?;
- let mut shared_values = SharedTunnelStateValues { firewall };
+ let security =
+ NetworkSecurityImpl::new(cache_dir).chain_err(|| ErrorKind::NetworkSecurityError)?;
+ let mut shared_values = SharedTunnelStateValues { security };
let initial_state = TunnelStateWrapper::new(&mut shared_values, ())
.expect("Failed to create initial tunnel state");
@@ -211,7 +212,7 @@ impl<T: TunnelState> From<EventConsequence<T>> for TunnelStateMachineAction {
/// Values that are common to all tunnel states.
struct SharedTunnelStateValues {
- firewall: FirewallProxy,
+ security: NetworkSecurityImpl,
}
/// Asynchronous result of an attempt to progress a state.
diff --git a/mullvad-problem-report/src/main.rs b/mullvad-problem-report/src/main.rs
index d43cfc8a4b..de98bec2c1 100644
--- a/mullvad-problem-report/src/main.rs
+++ b/mullvad-problem-report/src/main.rs
@@ -628,8 +628,8 @@ mod tests {
#[test]
fn doesnt_redact_not_ipv6() {
let report = ProblemReport::new(vec![]);
- let actual = report.redact("[talpid_core::firewall]");
- assert_eq!("[talpid_core::firewall]", actual);
+ let actual = report.redact("[talpid_core::security]");
+ assert_eq!("[talpid_core::security]", actual);
}
fn assert_redacts_ipv6(input: &str) {
diff --git a/talpid-core/src/lib.rs b/talpid-core/src/lib.rs
index de3bd84ea6..1ee4d3b6ad 100644
--- a/talpid-core/src/lib.rs
+++ b/talpid-core/src/lib.rs
@@ -50,7 +50,7 @@ pub mod tunnel;
/// Abstractions and extra features on `std::mpsc`
pub mod mpsc;
-/// Abstractions over different firewalls
-pub mod firewall;
+/// Abstractions over operating system network security settings.
+pub mod security;
mod mktemp;
diff --git a/talpid-core/src/firewall/linux/dns.rs b/talpid-core/src/security/linux/dns.rs
index a85e45cbfb..a85e45cbfb 100644
--- a/talpid-core/src/firewall/linux/dns.rs
+++ b/talpid-core/src/security/linux/dns.rs
diff --git a/talpid-core/src/firewall/linux/mod.rs b/talpid-core/src/security/linux/mod.rs
index eab081396a..e904f03966 100644
--- a/talpid-core/src/firewall/linux/mod.rs
+++ b/talpid-core/src/security/linux/mod.rs
@@ -18,7 +18,7 @@ use std::io;
use std::net::{IpAddr, Ipv4Addr};
use std::path::Path;
-use super::{Firewall, SecurityPolicy};
+use super::{NetworkSecurity, SecurityPolicy};
mod dns;
use self::dns::DnsSettings;
@@ -71,17 +71,17 @@ enum End {
Dst,
}
-/// The Linux implementation for the `Firewall` trait.
-pub struct Netfilter {
+/// The Linux implementation for the `NetworkSecurity` trait.
+pub struct LinuxNetworkSecurity {
dns_settings: DnsSettings,
table_name: CString,
}
-impl Firewall for Netfilter {
+impl NetworkSecurity for LinuxNetworkSecurity {
type Error = Error;
- fn new<P: AsRef<Path>>(_cache_dir: P) -> Result<Self> {
- Ok(Netfilter {
+ fn new(_cache_dir: impl AsRef<Path>) -> Result<Self> {
+ Ok(LinuxNetworkSecurity {
dns_settings: DnsSettings::new()?,
table_name: TABLE_NAME.clone(),
})
@@ -117,7 +117,7 @@ impl Firewall for Netfilter {
}
}
-impl Netfilter {
+impl LinuxNetworkSecurity {
fn send_and_process(&self, batch: &FinalizedBatch) -> Result<()> {
let socket =
mnl::Socket::new(mnl::Bus::Netfilter).chain_err(|| ErrorKind::NetlinkOpenError)?;
diff --git a/talpid-core/src/firewall/macos/dns.rs b/talpid-core/src/security/macos/dns.rs
index 5cadf3f58d..5cadf3f58d 100644
--- a/talpid-core/src/firewall/macos/dns.rs
+++ b/talpid-core/src/security/macos/dns.rs
diff --git a/talpid-core/src/firewall/macos/mod.rs b/talpid-core/src/security/macos/mod.rs
index 0e6301c618..b7477f81e8 100644
--- a/talpid-core/src/firewall/macos/mod.rs
+++ b/talpid-core/src/security/macos/mod.rs
@@ -1,7 +1,7 @@
extern crate pfctl;
extern crate tokio_core;
-use super::{Firewall, SecurityPolicy};
+use super::{NetworkSecurity, SecurityPolicy};
use ipnetwork::IpNetwork;
@@ -25,19 +25,18 @@ error_chain! {
/// replaced by allowing the anchor name to be configured from the public API of this crate.
const ANCHOR_NAME: &'static str = "mullvad";
-/// The macOS firewall implementation. Acting as converter between the `Firewall` trait API
-/// and actual PF firewall rules and other protective measures to keep the `SecurityPolicy`.
-pub struct PacketFilter {
+/// The macOS firewall and DNS implementation.
+pub struct MacosNetworkSecurity {
pf: pfctl::PfCtl,
pf_was_enabled: Option<bool>,
dns_monitor: DnsMonitor,
}
-impl Firewall for PacketFilter {
+impl NetworkSecurity for MacosNetworkSecurity {
type Error = Error;
- fn new<P: AsRef<Path>>(_cache_dir: P) -> Result<Self> {
- Ok(PacketFilter {
+ fn new(_cache_dir: impl AsRef<Path>) -> Result<Self> {
+ Ok(MacosNetworkSecurity {
pf: pfctl::PfCtl::new()?,
pf_was_enabled: None,
dns_monitor: DnsMonitor::new()?,
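Review bot: The rewritten struct doc `/// The macOS firewall and DNS implementation.` drops the explanation the old comment carried, that the type translates the trait API into PF rules and other measures that keep the `SecurityPolicy`. The renamed Linux and Windows structs in this commit still name the trait they implement, so for consistency I would write `/// The macOS implementation for the `NetworkSecurity` trait, translating a `SecurityPolicy` into PF firewall rules and DNS settings.` The `impl NetworkSecurity for MacosNetworkSecurity` block continues past the end of this hunk.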
@@ -62,7 +61,7 @@ impl Firewall for PacketFilter {
}
}
-impl PacketFilter {
+impl MacosNetworkSecurity {
fn set_rules(&mut self, policy: SecurityPolicy) -> Result<()> {
let mut new_filter_rules = vec![];
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/security/mod.rs
index 3b5aa04703..a37bb23253 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/security/mod.rs
@@ -16,7 +16,7 @@ lazy_static! {
Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap();
}
-/// A enum that describes firewall rules strategy
+/// A enum that describes network security strategy
#[derive(Debug, Clone, Eq, PartialEq)]
pub enum SecurityPolicy {
/// Allow traffic only to relay server
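Review bot: The new doc line `/// A enum that describes network security strategy` carries a grammar slip over from the old text; `/// An enum describing the network security strategy to apply` reads correctly. The `SecurityPolicy` variants continue past the end of this hunk.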
@@ -39,20 +39,18 @@ pub enum SecurityPolicy {
}
/// Abstract firewall interaction trait
-pub trait Firewall {
+pub trait NetworkSecurity: Sized {
/// The error type thrown by the implementer of this trait
type Error: ::std::error::Error;
- /// Create new instance of Firewall
- fn new<P: AsRef<Path>>(cache_dir: P) -> ::std::result::Result<Self, Self::Error>
- where
- Self: Sized;
+ /// Create new instance
+ fn new(cache_dir: impl AsRef<Path>) -> ::std::result::Result<Self, Self::Error>;
- /// Enable firewall and set firewall rules based on SecurityPolicy
+ /// Enable the given SecurityPolicy
fn apply_policy(&mut self, policy: SecurityPolicy) -> ::std::result::Result<(), Self::Error>;
- /// Remove firewall rules applied by active SecurityPolicy and
- /// revert firewall to its original state
+ /// Revert the system network security state to what it was before this instance started
+ /// modifying the system.
fn reset_policy(&mut self) -> ::std::result::Result<(), Self::Error>;
}
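Review bot: Moving the `Sized` bound from a `where Self: Sized` clause on `new` to a supertrait (`pub trait NetworkSecurity: Sized`) makes the whole trait non-object-safe, whereas the old shape kept `apply_policy` and `reset_policy` callable through a trait object. The cfg-selected `NetworkSecurityImpl` re-exports below suggest callers use the concrete type, so this is probably harmless, but the narrowing deserves a sentence in the commit message or the trait doc. The summary line `/// Abstract firewall interaction trait` is left untouched by the rename and now disagrees with the trait's new name and the reworded method docs; I would change it to `/// Abstract interface for applying and reverting a `SecurityPolicy` on the host`.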
@@ -60,14 +58,14 @@ pub trait Firewall {
#[cfg(target_os = "macos")]
mod macos;
#[cfg(target_os = "macos")]
-pub use self::macos::{Error, ErrorKind, PacketFilter as FirewallProxy, Result};
+pub use self::macos::{Error, ErrorKind, MacosNetworkSecurity as NetworkSecurityImpl, Result};
#[cfg(target_os = "linux")]
mod linux;
#[cfg(target_os = "linux")]
-pub use self::linux::{Error, ErrorKind, Netfilter as FirewallProxy, Result};
+pub use self::linux::{Error, ErrorKind, LinuxNetworkSecurity as NetworkSecurityImpl, Result};
#[cfg(windows)]
mod windows;
#[cfg(windows)]
-pub use self::windows::{Error, ErrorKind, Result, WindowsFirewall as FirewallProxy};
+pub use self::windows::{Error, ErrorKind, Result, WindowsNetworkSecurity as NetworkSecurityImpl};
diff --git a/talpid-core/src/firewall/windows/dns.rs b/talpid-core/src/security/windows/dns.rs
index 73593e7ccb..73593e7ccb 100644
--- a/talpid-core/src/firewall/windows/dns.rs
+++ b/talpid-core/src/security/windows/dns.rs
diff --git a/talpid-core/src/firewall/windows/ffi.rs b/talpid-core/src/security/windows/ffi.rs
index 029989359e..029989359e 100644
--- a/talpid-core/src/firewall/windows/ffi.rs
+++ b/talpid-core/src/security/windows/ffi.rs
diff --git a/talpid-core/src/firewall/windows/mod.rs b/talpid-core/src/security/windows/mod.rs
index 4068cd0970..6789674971 100644
--- a/talpid-core/src/firewall/windows/mod.rs
+++ b/talpid-core/src/security/windows/mod.rs
@@ -1,6 +1,6 @@
extern crate widestring;
-use super::{Firewall, SecurityPolicy};
+use super::{NetworkSecurity, SecurityPolicy};
use std::net::IpAddr;
use std::path::Path;
use std::ptr;
@@ -55,15 +55,15 @@ error_chain!{
const WINFW_TIMEOUT_SECONDS: u32 = 2;
-/// The Windows implementation for the `Firewall` trait.
-pub struct WindowsFirewall {
+/// The Windows implementation for the `NetworkSecurity` trait.
+pub struct WindowsNetworkSecurity {
dns: WinDns,
}
-impl Firewall for WindowsFirewall {
+impl NetworkSecurity for WindowsNetworkSecurity {
type Error = Error;
- fn new<P: AsRef<Path>>(cache_dir: P) -> Result<Self> {
+ fn new(cache_dir: impl AsRef<Path>) -> Result<Self> {
let windns = WinDns::new(cache_dir)?;
unsafe {
WinFw_Initialize(
@@ -73,7 +73,7 @@ impl Firewall for WindowsFirewall {
).into_result()?
};
trace!("Successfully initialized windows firewall module");
- Ok(WindowsFirewall { dns: windns })
+ Ok(WindowsNetworkSecurity { dns: windns })
}
fn apply_policy(&mut self, policy: SecurityPolicy) -> Result<()> {
@@ -104,7 +104,7 @@ impl Firewall for WindowsFirewall {
}
}
-impl Drop for WindowsFirewall {
+impl Drop for WindowsNetworkSecurity {
fn drop(&mut self) {
if unsafe { WinFw_Deinitialize().into_result().is_ok() } {
trace!("Successfully deinitialized windows firewall module");
@@ -114,7 +114,7 @@ impl Drop for WindowsFirewall {
}
}
-impl WindowsFirewall {
+impl WindowsNetworkSecurity {
fn set_connecting_state(
&mut self,
endpoint: &Endpoint,
diff --git a/talpid-core/src/firewall/windows/route.rs b/talpid-core/src/security/windows/route.rs
index 6ecf336956..6ecf336956 100644
--- a/talpid-core/src/firewall/windows/route.rs
+++ b/talpid-core/src/security/windows/route.rs
diff --git a/talpid-core/src/firewall/windows/system_state.rs b/talpid-core/src/security/windows/system_state.rs
index cdc36f4e36..cdc36f4e36 100644
--- a/talpid-core/src/firewall/windows/system_state.rs
+++ b/talpid-core/src/security/windows/system_state.rs