| author | Andrej Mihajlov <and@mullvad.net> | 2020-03-10 16:55:19 +0100 |
|---|---|---|
| committer | Andrej Mihajlov <and@mullvad.net> | 2020-03-10 16:55:19 +0100 |
| commit | 548a2c025da264ab2d929f1ac1e255950a8e2cdf (patch) | |
| tree | b75023d5d5d7161eef82fdc7b286c914ec673744 | |
| parent | f4281a5a78a11230a166d4f17c36a568acfe59b4 (diff) | |
| parent | c4ac4cfa3f6671e2f62b224bc002e9f7b8c98292 (diff) | |
Merge branch 'change-back-to-stateful-dns-tcp'
| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 30 |
1 files changed, 8 insertions, 22 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 462a2b4fc7..111bc66bc8 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -113,18 +113,11 @@ impl Firewall {
 .quick(true)
 .interface(&tunnel.interface)
 .proto(pfctl::Proto::Tcp)
+ .keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
 .to(pfctl::Endpoint::new(tunnel.ipv4_gateway, 53))
 .build()?;
 rules.push(allow_tcp_dns_to_relay_rule);
- let allow_tcp_dns_from_relay_rule = self
- .create_rule_builder(FilterRuleAction::Pass)
- .direction(pfctl::Direction::In)
- .quick(true)
- .interface(&tunnel.interface)
- .proto(pfctl::Proto::Tcp)
- .from(pfctl::Endpoint::new(tunnel.ipv4_gateway, 53))
- .build()?;
- rules.push(allow_tcp_dns_from_relay_rule);
 let allow_udp_dns_to_relay_rule = self
 .create_rule_builder(FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
@@ -136,25 +129,18 @@ impl Firewall {
 rules.push(allow_udp_dns_to_relay_rule);
 if let Some(ipv6_gateway) = tunnel.ipv6_gateway {
- let allow_tcp_dns6_to_relay_rule = self
+ let v6_dns_rule_tcp = self
 .create_rule_builder(FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
 .quick(true)
 .interface(&tunnel.interface)
 .proto(pfctl::Proto::Tcp)
+ .keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
 .to(pfctl::Endpoint::new(ipv6_gateway, 53))
 .build()?;
- rules.push(allow_tcp_dns6_to_relay_rule);
- let allow_tcp_dns6_from_relay_rule = self
- .create_rule_builder(FilterRuleAction::Pass)
- .direction(pfctl::Direction::In)
- .quick(true)
- .interface(&tunnel.interface)
- .proto(pfctl::Proto::Tcp)
- .from(pfctl::Endpoint::new(ipv6_gateway, 53))
- .build()?;
- rules.push(allow_tcp_dns6_from_relay_rule);
- let allow_udp_dns6_to_relay_rule = self
+ rules.push(v6_dns_rule_tcp);
+ let v6_dns_rule_udp = self
 .create_rule_builder(FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
 .quick(true)
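Review bot: The new `.keep_state(pfctl::StatePolicy::Keep)` / `.tcp_flags(...)` pair on the outbound TCP DNS rule is what makes dropping the inbound `from gateway:53` rule safe, but nothing in the hunk records that, and a later reader who sees only an Out rule for DNS-over-TCP is likely to re-add the stateless inbound pass (which admitted any TCP segment from the gateway with source port 53, not just replies). A why-comment on the `keep_state` line would pin the intent: `// Stateful on purpose: replies from the relay resolver are admitted by the state entry created on the outgoing connection, so no inbound pass rule for gateway:53 is needed.` The flag mask comes from `Self::get_tcp_flags()`, which is outside the hunk; that comment only holds if it yields the usual flags/mask that creates state on the initial SYN only, so confirm that before relying on it. The enclosing method starts and ends outside this hunk.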
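Review bot: The v6 TCP rule now sets `.keep_state(pfctl::StatePolicy::Keep)`, but the sibling `v6_dns_rule_udp` builder directly below it (`.direction(Out)`, `.quick(true)`, continued with `.proto(Udp)` / `.to(ipv6_gateway, 53)` in the next hunk, with one line between them outside the diff) sets no state policy in anything visible. Since the TCP rule apparently needed the explicit call, the builder presumably does not default to keeping state, so UDP replies from `ipv6_gateway:53` are being admitted either by a broader rule elsewhere or by pf's own default — if that is intended, a one-line comment on the UDP rule should say so, otherwise add `.keep_state(pfctl::StatePolicy::Keep)` to the UDP builder as well so DNS handling is uniformly stateful. Separately, renaming to `v6_dns_rule_tcp` / `v6_dns_rule_udp` diverges from the v4 names the previous hunk leaves as `allow_tcp_dns_to_relay_rule` / `allow_udp_dns_to_relay_rule`; keeping `allow_tcp_dns6_to_relay_rule` (or renaming both families) would keep the pairs readable side by side. The `if let Some(ipv6_gateway)` block this hunk edits continues into the following hunk.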
@@ -162,7 +148,7 @@ impl Firewall {
 .proto(pfctl::Proto::Udp)
 .to(pfctl::Endpoint::new(ipv6_gateway, 53))
 .build()?;
- rules.push(allow_udp_dns6_to_relay_rule);
+ rules.push(v6_dns_rule_udp);
 }
 rules.push(self.get_allow_relay_rule(peer_endpoint)?); |
