| author | David Lönnhager <david.l@mullvad.net> | 2020-11-23 16:51:59 +0100 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2020-11-24 12:30:10 +0100 |
| commit | 54d7272f8fe4784f4366f2d947f86a030d4ac55c (patch) | |
| tree | bc4985a9e40e1e23f7881ce381393d614a44639d | |
| parent | 78912f1b9aa1818f4adbb6cd02cd2fe8e9f0e89a (diff) | |
| download | mullvadvpn-54d7272f8fe4784f4366f2d947f86a030d4ac55c.tar.xz mullvadvpn-54d7272f8fe4784f4366f2d947f86a030d4ac55c.zip | |
Remove exclusions-specific routing rules
| -rw-r--r-- | talpid-core/src/firewall/linux.rs | 3 | ||||
| -rw-r--r-- | talpid-core/src/routing/linux.rs | 36 |
2 files changed, 5 insertions, 34 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 2a655c74ca..3c252313ce 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -295,6 +295,7 @@ impl<'a> PolicyBatch<'a> {
rule.add_expr(&nft_expr!(cmp == split_tunnel::NET_CLS_CLASSID));
rule.add_expr(&nft_expr!(immediate data split_tunnel::MARK));
rule.add_expr(&nft_expr!(ct mark set));
+ rule.add_expr(&nft_expr!(immediate data crate::linux::TUNNEL_FW_MARK));
rule.add_expr(&nft_expr!(meta mark set));
self.batch.add(&rule, nftnl::MsgType::Add);
}
@@ -307,7 +308,7 @@ impl<'a> PolicyBatch<'a> {
self.batch.add(&rule, nftnl::MsgType::Add);
let mut rule = Rule::new(&self.out_chain);
- rule.add_expr(&nft_expr!(meta mark));
+ rule.add_expr(&nft_expr!(ct mark));
rule.add_expr(&nft_expr!(cmp == split_tunnel::MARK));
add_verdict(&mut rule, &Verdict::Accept);
self.batch.add(&rule, nftnl::MsgType::Add);
diff --git a/talpid-core/src/routing/linux.rs b/talpid-core/src/routing/linux.rs
index 4c13bbc76d..4ad51fbf43 100644
--- a/talpid-core/src/routing/linux.rs
+++ b/talpid-core/src/routing/linux.rs
@@ -1,7 +1,4 @@
-use crate::{
- routing::{imp::RouteManagerCommand, NetNode, Node, RequiredRoute, Route},
- split_tunnel,
-};
+use crate::routing::{imp::RouteManagerCommand, NetNode, Node, RequiredRoute, Route};
use std::{
collections::{BTreeMap, HashSet},
io,
@@ -13,7 +10,7 @@ use futures::{channel::mpsc::UnboundedReceiver, future::FutureExt, StreamExt, Tr
use ipnetwork::IpNetwork;
use lazy_static::lazy_static;
use netlink_packet_route::{
- constants::{ARPHRD_LOOPBACK, FIB_RULE_INVERT, FR_ACT_TO_TBL, FR_ACT_UNREACHABLE},
+ constants::{ARPHRD_LOOPBACK, FIB_RULE_INVERT, FR_ACT_TO_TBL},
link::{nlas::Nla as LinkNla, LinkMessage},
route::{nlas::Nla as RouteNla, RouteHeader, RouteMessage},
rtnl::{
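Review bot: The split-tunnel rule now writes two different values into two different marks — `split_tunnel::MARK` into the conntrack mark and `crate::linux::TUNNEL_FW_MARK` into the packet mark — with no comment saying why, and the second hunk's switch of the out_chain accept rule from `meta mark` to `ct mark` is only understandable once that split is known. I would add above the new `immediate data crate::linux::TUNNEL_FW_MARK` line: `// Packet mark: TUNNEL_FW_MARK, so excluded traffic is steered by the same fwmark routing rules as the tunnel's own endpoint traffic (the dedicated exclusion rules are gone). Conntrack mark: split_tunnel::MARK, which is what the firewall accept rules match on.` It is also worth stating there that any other nft rule matching `meta mark == TUNNEL_FW_MARK` now matches excluded application traffic as well, so such rules should be checked for the chains they are attached to — I cannot see those rules from this hunk. The enclosing PolicyBatch method starts before the hunk and the rule building for the in-chain is outside it.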
@@ -69,38 +66,11 @@ lazy_static! {
v6_rule.header.family = AF_INET6 as u8;
v6_rule
};
- static ref PROHIBIT_NON_DEFAULT_V6: RuleMessage = RuleMessage {
- header: RuleHeader {
- family: AF_INET6 as u8,
- action: FR_ACT_UNREACHABLE,
- ..RuleHeader::default()
- },
- nlas: vec![RuleNla::FwMark(split_tunnel::MARK as u32),],
- };
- static ref EXCLUSIONS_RULE_V4: RuleMessage = RuleMessage {
- header: RuleHeader {
- family: AF_INET as u8,
- action: FR_ACT_TO_TBL,
- ..RuleHeader::default()
- },
- nlas: vec![
- RuleNla::FwMark(split_tunnel::MARK as u32),
- RuleNla::Table(RT_TABLE_MAIN as u32),
- ],
- };
- static ref EXCLUSIONS_RULE_V6: RuleMessage = {
- let mut v6_rule = EXCLUSIONS_RULE_V4.clone();
- v6_rule.header.family = AF_INET6 as u8;
- v6_rule
- };
- static ref ALL_RULES: [&'static RuleMessage; 7] = [
+ static ref ALL_RULES: [&'static RuleMessage; 4] = [
&*NO_FWMARK_RULE_V4,
&*NO_FWMARK_RULE_V6,
&*SUPPRESS_RULE_V4,
&*SUPPRESS_RULE_V6,
- &*PROHIBIT_NON_DEFAULT_V6,
- &*EXCLUSIONS_RULE_V4,
- &*EXCLUSIONS_RULE_V6,
];
}
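Review bot: `ALL_RULES` is left with four rules and no comment explaining why excluded traffic no longer needs a rule of its own; that now depends on the packet mark set in talpid-core/src/firewall/linux.rs (`TUNNEL_FW_MARK`), which is invisible from this file. I would add above `static ref ALL_RULES`: `// Excluded (split-tunnel) traffic has no dedicated rule: the firewall sets its packet mark to TUNNEL_FW_MARK, so the same fwmark rules that carry the tunnel's own endpoint traffic apply to it.` The removed PROHIBIT_NON_DEFAULT_V6 rule was the only place that made marked IPv6 traffic unreachable, so the comment should also state whether excluded IPv6 traffic is now intended to reach the main table — I cannot confirm the intended behaviour from the hunk. The lazy_static! block starts before the hunk, and the hunk's line counts (38/11) suggest a trailing blank context line was lost in rendering.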
