authorDavid Lönnhager <david.l@mullvad.net>2025-05-13 18:48:35 +0200
committerJoakim Hulthe <joakim.hulthe@mullvad.net>2025-05-14 18:00:35 +0200
commit49f0eea29f68f01dd52b7b783a1dabd88fc964c8 (patch)
tree388d04d931e5706adaa35614a7347299f249718b
parent4cdeede053eee4429d835f59f9d2d6a3aa7f1070 (diff)
Make sure that deprecated rule types are emptied in PF
Otherwise, these may be left over after an upgrade
-rw-r--r--talpid-core/src/firewall/macos.rs14
-rw-r--r--talpid-core/src/resolver.rs3
2 files changed, 10 insertions, 7 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 77042dd43f..0f22641967 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -243,7 +243,13 @@ impl Firewall {
anchor_change.set_filter_rules(new_filter_rules);
if *NAT_WORKAROUND {
anchor_change.set_nat_rules(self.get_nat_rules(policy)?);
+ } else {
+ // Make sure NAT ruleset is empty
+ anchor_change.set_nat_rules(vec![]);
}
+ // Make sure redirect ruleset is empty
+ anchor_change.set_redirect_rules(vec![]);
+
self.pf.set_rules(ANCHOR_NAME, anchor_change)?;
Ok(())
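Review bot: The two added comments say what is cleared but not why, and the reason is the part a later maintainer needs. According to the commit message, rules loaded by an older version can remain in the anchor after an upgrade, so removing these "redundant" empty assignments would presumably let stale NAT or redirect rules stay in effect. I would state that in place, e.g. `// Overwrite rdr rules a previous version may have left in this anchor; they can survive an upgrade.`, with the same wording in the `else` branch for NAT. The third hunk stops adding the Redirect anchor while this code still writes its ruleset, so a short remark that `set_rules` is expected to succeed in that state would help; that behaviour is not visible here. The enclosing function starts outside the hunk.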
@@ -906,9 +912,9 @@ impl Firewall {
// remove_anchor() does not deactivate active rules
self.pf
.flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Filter)?;
- if *NAT_WORKAROUND {
- self.pf.flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Nat)?;
- }
+ self.pf.flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Nat)?;
+ self.pf
+ .flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Redirect)?;
self.pf
.flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Scrub)?;
Ok(())
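Review bot: Each `flush_rules` call in this teardown sequence returns early through `?`, so a failure on the Filter flush skips the Nat, Redirect and Scrub flushes the commit is trying to guarantee. Because the stated goal is that no deprecated ruleset is left behind, I would attempt all four flushes and return the first error afterwards. Whether callers depend on the early return is not visible, and the function body starts outside the hunk. The `.into()` below assumes the same error conversion that `?` already performs here.

```rust
// … unchanged: anchor removal before the flushes …
// Attempt every flush so that one failure does not leave the other rulesets loaded.
let mut first_error = None;
for kind in [
    pfctl::RulesetKind::Filter,
    pfctl::RulesetKind::Nat,
    pfctl::RulesetKind::Redirect,
    pfctl::RulesetKind::Scrub,
] {
    if let Err(error) = self.pf.flush_rules(ANCHOR_NAME, kind) {
        first_error.get_or_insert(error);
    }
}
if let Some(error) = first_error {
    return Err(error.into());
}
Ok(())
```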
@@ -947,8 +953,6 @@ impl Firewall {
}
self.pf
.try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Filter)?;
- self.pf
- .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Redirect)?;
Ok(())
}
diff --git a/talpid-core/src/resolver.rs b/talpid-core/src/resolver.rs
index 7449b7ed8d..0f51e5023e 100644
--- a/talpid-core/src/resolver.rs
+++ b/talpid-core/src/resolver.rs
@@ -170,7 +170,7 @@ impl Resolver {
query: LowerQuery,
tx: oneshot::Sender<std::result::Result<Box<dyn LookupObject>, ResolveError>>,
) {
- match self {
+ match self {
Resolver::Blocking => {
let _ = tx.send(Self::resolve_blocked(query));
}
@@ -182,7 +182,6 @@ impl Resolver {
});
}
};
-
}
/// Resolution in blocked state will return spoofed records for captive portal domains.