authorEmīls <emils@mullvad.net>2021-03-05 14:22:21 +0000
committerEmīls <emils@mullvad.net>2021-03-08 17:08:45 +0000
commit48c790cfd50526955bf8d87a72007ef681c25368 (patch)
treef52817bda6c0bd6e0d9c301a0d1df61e0ac36866
parent81d931b2ea75bec54f5878b216985a1610003a4d (diff)
downloadmullvadvpn-48c790cfd50526955bf8d87a72007ef681c25368.tar.xz
mullvadvpn-48c790cfd50526955bf8d87a72007ef681c25368.zip
Always set src_valid_mark when connecting
-rw-r--r--CHANGELOG.md3
-rw-r--r--README.md6
-rw-r--r--talpid-core/src/firewall/linux.rs18
-rw-r--r--talpid-core/src/linux/mod.rs8
4 files changed, 34 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5aeb8a66e2..6ffd8d025d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,9 @@ Line wrap the file at 100 chars. Th
- Add TV banner for better user experience and requirements.
- Style StatucBar and NavigationBar to make our app a bit more beautiful.
+#### Linux
+- Always enable `src_valid_mark` config option when connecting to allow policty based routing.
+
### Changed
- Update Electron from 11.0.2 to 11.2.1 which includes a newer Chromium version and
security patches.
diff --git a/README.md b/README.md
index f9d8181385..7a1c82af09 100644
--- a/README.md
+++ b/README.md
@@ -411,6 +411,12 @@ echo "org.gradle.jvmargs=-Xmx4608M" >> ~/.gradle/gradle.properties
* Set to `"pass"` to add logging to rules allowing packets.
* Set to `"drop"` to add logging to rules blocking packets.
+* `TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK` - Forces the daemon to not set `src_valid_mark` config
+ on Linux. The kernel config option is set because otherwise strict reverse path filtering may
+ prevent relay traffic from reaching the daemon. If `rp_filter` is set to `1` on the interface
+ that will be receiving relay traffic, and `src_valid_mark` is not set to `1`, the daemon will
+ not be able to receive relay traffic.
+
* `TALPID_DNS_MODULE` - Allows changing the method that will be used for DNS configuration on Linux.
By default this is automatically detected, but you can set it to one of the options below to
choose a specific method:
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 86007b5843..eb57ea0de6 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -76,6 +76,10 @@ lazy_static! {
static ref ADD_COUNTERS: bool = env::var("TALPID_FIREWALL_DEBUG")
.map(|v| v != "0")
.unwrap_or(false);
+
+ static ref DONT_SET_SRC_VALID_MARK: bool = env::var("TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK")
+ .map(|v| v != "0")
+ .unwrap_or(false);
}
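Review bot: The new `DONT_SET_SRC_VALID_MARK` static is true for any value of `TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK` other than the literal `"0"`, so exporting `false` or an empty string also disables the sysctl write, and the README entry added in this commit does not say which values count as "set". This mirrors `ADD_COUNTERS` above it, so the behaviour is at least consistent, but the contract should be visible at the definition: `// Treated as set for any value other than "0"; "false" or an empty string also disable the sysctl write.` The `lazy_static!` block opens before this hunk.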
#[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)]
@@ -114,6 +118,7 @@ impl FirewallT for Firewall {
};
let batch = PolicyBatch::new(&tables).finalize(&policy)?;
self.send_and_process(&batch)?;
+ Self::apply_kernel_config(&policy);
self.verify_tables(&[&TABLE_NAME, &MANGLE_TABLE_NAME_V4, &MANGLE_TABLE_NAME_V6])
}
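Review bot: A failed sysctl write on the new `Self::apply_kernel_config(&policy);` line has no effect on the `Result` this function returns, because `apply_kernel_config` (third hunk of this file) only logs the error, so the policy is reported as applied even though, per the README text in this commit, relay traffic may then be dropped by strict reverse-path filtering with no error surfaced to the caller. If that is intended as best effort, say so on the call line, e.g. `// Best effort: a failed src_valid_mark write is logged, not propagated.`; otherwise have `apply_kernel_config` return `Result<()>` (wrapping the `io::Error` in a variant of this module's error type, which is not visible here) and use `?`. The enclosing function begins before this hunk.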
@@ -139,6 +144,19 @@ impl FirewallT for Firewall {
}
impl Firewall {
+ fn apply_kernel_config(policy: &FirewallPolicy) {
+ if *DONT_SET_SRC_VALID_MARK {
+ log::debug!("Not setting src_valid_mark");
+ return;
+ }
+
+ if let FirewallPolicy::Connecting { .. } = policy {
+ if let Err(err) = crate::linux::set_src_valid_mark_sysctl() {
+ log::error!("Failed to apply src_valid_mark: {}", err);
+ }
+ }
+ }
+
fn send_and_process(&self, batch: &FinalizedBatch) -> Result<()> {
let socket = mnl::Socket::new(mnl::Bus::Netfilter).map_err(Error::NetlinkOpenError)?;
socket.send_all(batch).map_err(Error::NetlinkSendError)?;
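Review bot: `apply_kernel_config` has no doc comment, and its effect deserves one: when the `Connecting` policy is applied it writes `1` to the `conf/all` `src_valid_mark` sysctl, a host-wide setting; nothing in this commit records the previous value or reverts it on disconnect, and a failed write is logged at error level rather than returned. I would add above the `fn`: `/// Enables the src_valid_mark sysctl when the Connecting policy is applied, unless TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK is set; the setting is host-wide, is not reverted on disconnect, and a failed write is logged rather than propagated.` The `FirewallPolicy::Connecting { .. }` match also means the value is not re-applied for other policy variants, which presumably relies on the sysctl persisting — worth stating in the same comment.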
diff --git a/talpid-core/src/linux/mod.rs b/talpid-core/src/linux/mod.rs
index 69328ff28a..6c070c1985 100644
--- a/talpid-core/src/linux/mod.rs
+++ b/talpid-core/src/linux/mod.rs
@@ -1,8 +1,10 @@
use std::{
ffi::{self, CString},
- io,
+ fs, io,
};
+const PROC_SYS_NET_IPV4_CONF_SRC_VALID_MARK: &str = "/proc/sys/net/ipv4/conf/all/src_valid_mark";
+
/// Converts an interface name into the corresponding index.
pub fn iface_index(name: &str) -> Result<libc::c_uint, IfaceIndexLookupError> {
let c_name = CString::new(name)
@@ -29,3 +31,7 @@ pub enum IfaceIndexLookupError {
// b"mole" is [ 0x6d, 0x6f 0x6c, 0x65 ]
pub const TUNNEL_FW_MARK: u32 = 0x6d6f6c65;
pub const TUNNEL_TABLE_ID: u32 = 0x6d6f6c65;
+
+pub fn set_src_valid_mark_sysctl() -> io::Result<()> {
+ fs::write(PROC_SYS_NET_IPV4_CONF_SRC_VALID_MARK, b"1")
+}
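Review bot: `set_src_valid_mark_sysctl` is `pub` but undocumented, and the path it writes is the `conf/all` entry rather than a per-interface one, so the change is not scoped to the tunnel interface and the previous value is neither read nor restored. I would add `/// Enables src_valid_mark via the /proc/sys/net/ipv4/conf/all entry (not a single interface); the previous value is not saved or restored.` plus an `# Errors` line stating that the `io::Error` from `fs::write` is returned unchanged — presumably a permission error when the daemon cannot write sysctls and not-found where the entry is absent, which callers can only tell apart via `err.kind()` (worth confirming). The write sends `b"1"` without a trailing newline, which the proc interface accepts, but a short comment noting that is deliberate would help the next reader.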