authorJoakim Hulthe <joakim@hulthe.net>2025-05-08 12:00:43 +0200
committerJoakim Hulthe <joakim.hulthe@mullvad.net>2025-05-14 18:00:29 +0200
commit507c5201239d8d95216aa6b2980d15b031960964 (patch)
tree0fd9e3cd2e9675a38b4ccd9c2b37e9a1d5048d49
parent29455637cbb4a11133dbb3d9afb99403081a07a1 (diff)
downloadmullvadvpn-507c5201239d8d95216aa6b2980d15b031960964.tar.xz
mullvadvpn-507c5201239d8d95216aa6b2980d15b031960964.zip
Remove DNS route-to hack
Since we no longer run the local DNS resolver on a non-standard port, we don't need the PF rules that rewrite the destination port.
-rw-r--r--talpid-core/src/firewall/macos.rs52
-rw-r--r--talpid-core/src/firewall/mod.rs12
-rw-r--r--talpid-core/src/tunnel_state_machine/connected_state.rs2
-rw-r--r--talpid-core/src/tunnel_state_machine/connecting_state.rs2
-rw-r--r--talpid-core/src/tunnel_state_machine/disconnected_state.rs2
-rw-r--r--talpid-core/src/tunnel_state_machine/error_state.rs2
6 files changed, 1 insertions, 71 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index da22008db5..86cd8b6ef2 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -6,7 +6,7 @@ use std::sync::LazyLock;
use ipnetwork::IpNetwork;
use libc::{c_int, sysctlbyname};
-use pfctl::{DropAction, FilterRuleAction, Ip, RedirectRule, Uid};
+use pfctl::{DropAction, FilterRuleAction, Ip, Uid};
use talpid_types::net::{
AllowedEndpoint, AllowedTunnelTraffic, TransportProtocol, ALLOWED_LAN_MULTICAST_NETS,
ALLOWED_LAN_NETS,
@@ -211,7 +211,6 @@ impl Firewall {
let mut anchor_change = pfctl::AnchorChange::new();
anchor_change.set_scrub_rules(Self::get_scrub_rules()?);
anchor_change.set_filter_rules(new_filter_rules);
- anchor_change.set_redirect_rules(self.get_dns_redirect_rules(policy)?);
if *NAT_WORKAROUND {
anchor_change.set_nat_rules(self.get_nat_rules(policy)?);
}
@@ -229,53 +228,6 @@ impl Firewall {
Ok(vec![scrub_rule])
}
- fn get_dns_redirect_rules(
- &mut self,
- policy: &FirewallPolicy,
- ) -> Result<Vec<pfctl::RedirectRule>> {
- /// Redirect DNS requests to `port`. Technically this redirects UDP on port 53 to `port`.
- ///
- /// For this to work as expected, please make sure a DNS resolver is running on `port`.
- fn redirect_dns_to(port: u16) -> Result<Vec<RedirectRule>> {
- let redirect_dns = pfctl::RedirectRuleBuilder::default()
- .action(pfctl::RedirectRuleAction::Redirect)
- .interface("lo0")
- .proto(pfctl::Proto::Udp)
- .to(pfctl::Port::from(53))
- .redirect_to(pfctl::Port::from(port))
- .build()?;
- Ok(vec![redirect_dns])
- }
-
- let redirect_rules = if *crate::resolver::LOCAL_DNS_RESOLVER {
- match policy {
- FirewallPolicy::Connected { dns_config, .. } if dns_config.is_loopback() => {
- vec![]
- }
- FirewallPolicy::Blocked {
- dns_redirect_port, ..
- }
- | FirewallPolicy::Connecting {
- dns_redirect_port, ..
- }
- | FirewallPolicy::Connected {
- dns_redirect_port, ..
- } => redirect_dns_to(*dns_redirect_port)?,
- }
- } else {
- // Only apply redirect rules in the blocked state if we should *not* use our local DNS
- // resolver, since it will be running in the blocked state to work with Apple's captive
- // portal check.
- match policy {
- FirewallPolicy::Blocked {
- dns_redirect_port, ..
- } => redirect_dns_to(*dns_redirect_port)?,
- FirewallPolicy::Connecting { .. } | FirewallPolicy::Connected { .. } => vec![],
- }
- };
- Ok(redirect_rules)
- }
-
/// Force all traffic out on the VPN interface (except LAN and some other exceptions).
///
/// Some programs have been shown to bind their sockets directly to the physical network
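Review bot: With `get_dns_redirect_rules` gone, the Blocked state no longer steers `127.0.0.1:53` to the filtering resolver, so DNS filtering in that state now rests entirely on the resolver actually binding port 53 — something only the commit message asserts, since the `filtering_resolver.listening_addr().port()` reads are dropped in the four state files and nothing in the remaining rules checks it. A one-line guard where the resolver's listening address is known, e.g. `debug_assert_eq!(listening_addr.port(), 53, "macOS firewall assumes the local resolver listens on :53");`, or a doc note on `FirewallPolicy::Blocked` stating that assumption, would keep a later port change from silently breaking blocked-state DNS. The removed `else` branch also applied the redirect in the Blocked state when `LOCAL_DNS_RESOLVER` was false (the captive-portal case); I cannot tell from the hunk whether the resolver still runs on :53 in that configuration, so that path is worth confirming. If `crate::resolver::LOCAL_DNS_RESOLVER` was only referenced here, it may now be unused in this file. `impl Firewall` continues outside the hunk.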
@@ -370,7 +322,6 @@ impl Firewall {
allowed_endpoint,
allowed_tunnel_traffic,
redirect_interface,
- dns_redirect_port: _,
} => {
let mut rules = vec![self.get_allow_relay_rule(peer_endpoint)?];
rules.push(self.get_allowed_endpoint_rule(allowed_endpoint)?);
@@ -415,7 +366,6 @@ impl Firewall {
allow_lan,
dns_config,
redirect_interface,
- dns_redirect_port: _,
} => {
let mut rules = vec![];
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 0bcbf3191e..eb400ae7fb 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -94,10 +94,6 @@ pub enum FirewallPolicy {
/// Interface to redirect (VPN tunnel) traffic to
#[cfg(target_os = "macos")]
redirect_interface: Option<String>,
- /// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
- /// be redirected to `127.0.0.1:$dns_redirect_port`.
- #[cfg(target_os = "macos")]
- dns_redirect_port: u16,
},
/// Allow traffic only to server and over tunnel interface
@@ -114,10 +110,6 @@ pub enum FirewallPolicy {
/// Interface to redirect (VPN tunnel) traffic to
#[cfg(target_os = "macos")]
redirect_interface: Option<String>,
- /// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
- /// be redirected to `127.0.0.1:$dns_redirect_port`.
- #[cfg(target_os = "macos")]
- dns_redirect_port: u16,
},
/// Block all network traffic in and out from the computer.
@@ -126,10 +118,6 @@ pub enum FirewallPolicy {
allow_lan: bool,
/// Host that should be reachable while in the blocked state.
allowed_endpoint: Option<AllowedEndpoint>,
- /// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
- /// be redirected to `127.0.0.1:$dns_redirect_port`.
- #[cfg(target_os = "macos")]
- dns_redirect_port: u16,
},
}
diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs
index d64d5033e3..9055194f9b 100644
--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
@@ -141,8 +141,6 @@ impl ConnectedState {
dns_config: Self::resolve_dns(&self.metadata, shared_values),
#[cfg(target_os = "macos")]
redirect_interface,
- #[cfg(target_os = "macos")]
- dns_redirect_port: shared_values.filtering_resolver.listening_addr().port(),
}
}
diff --git a/talpid-core/src/tunnel_state_machine/connecting_state.rs b/talpid-core/src/tunnel_state_machine/connecting_state.rs
index 92f19ca956..cdf324b5b1 100644
--- a/talpid-core/src/tunnel_state_machine/connecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connecting_state.rs
@@ -200,8 +200,6 @@ impl ConnectingState {
allowed_tunnel_traffic,
#[cfg(target_os = "macos")]
redirect_interface,
- #[cfg(target_os = "macos")]
- dns_redirect_port: shared_values.filtering_resolver.listening_addr().port(),
};
shared_values
.firewall
diff --git a/talpid-core/src/tunnel_state_machine/disconnected_state.rs b/talpid-core/src/tunnel_state_machine/disconnected_state.rs
index 7f6e6e79ec..8f96ff7b90 100644
--- a/talpid-core/src/tunnel_state_machine/disconnected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/disconnected_state.rs
@@ -78,8 +78,6 @@ impl DisconnectedState {
let policy = FirewallPolicy::Blocked {
allow_lan: shared_values.allow_lan,
allowed_endpoint: Some(shared_values.allowed_endpoint.clone()),
- #[cfg(target_os = "macos")]
- dns_redirect_port: shared_values.filtering_resolver.listening_addr().port(),
};
shared_values.firewall.apply_policy(policy).map_err(|e| {
diff --git a/talpid-core/src/tunnel_state_machine/error_state.rs b/talpid-core/src/tunnel_state_machine/error_state.rs
index c525f1398a..75afad4478 100644
--- a/talpid-core/src/tunnel_state_machine/error_state.rs
+++ b/talpid-core/src/tunnel_state_machine/error_state.rs
@@ -78,8 +78,6 @@ impl ErrorState {
let policy = FirewallPolicy::Blocked {
allow_lan: shared_values.allow_lan,
allowed_endpoint: Some(shared_values.allowed_endpoint.clone()),
- #[cfg(target_os = "macos")]
- dns_redirect_port: shared_values.filtering_resolver.listening_addr().port(),
};
#[cfg(target_os = "linux")]