| author | David Lönnhager <david.l@mullvad.net> | 2020-01-31 15:09:21 +0100 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2020-03-16 09:47:52 +0100 |
| commit | 55d4f158fed0dee5febdcb8e9c92fd969a66d331 (patch) | |
| tree | b1718559a997ccdc8f4ac0f270e490b144869b4c | |
| parent | b7727d18bce4060403252a673e0ed4c93a844db6 (diff) | |
More permissive IPv6 multicasting
| -rw-r--r-- | talpid-core/src/firewall/mod.rs | 8 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/baseline/permitlan.cpp | 6 |
2 files changed, 13 insertions, 1 deletions
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 7ab2e30e43..1ac58070f8 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -40,15 +40,21 @@ lazy_static! {
 IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0), 8).unwrap()),
 ];
 /// When "allow local network" is enabled the app will allow traffic to these networks.
- pub(crate) static ref ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 5] = [
+ pub(crate) static ref ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 8] = [
 // Local network broadcast. Not routable
 IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(255, 255, 255, 255), 32).unwrap()),
 // Local subnetwork multicast. Not routable
 IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap()),
 // Local scope (mDNS and SSDP) address
 IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(239, 255, 0, 0), 16).unwrap()),
+ // Interface-local IPv6 multicast.
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
 // Link-local IPv6 multicast. IPv6 equivalent of 224.0.0.0/24
 IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
+ // Realm-local IPv6 multicast.
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
+ // Admin-local IPv6 multicast.
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
 // Site-local IPv6 multicast.
 IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
 ];
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
index 21f082ce78..e655020287 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
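Review bot: The new realm-local and admin-local entries in ALLOWED_LAN_MULTICAST_NETS are documented by scope name only, while the IPv4 entries above them state whether the range is routable. Scopes 3, 4 and 5 are not confined to a single link, so with "allow local network" enabled, traffic to these groups leaves outside the tunnel and how far it travels depends on the local network's multicast routing. I would record that next to the entries, for example `// Admin-local IPv6 multicast. May span several links; reach is decided by the site's multicast configuration.`, with a matching line for ff03 and the existing ff05 entry. A short sentence on which LAN protocols need ff03/ff04 would also help a later reader judge whether the allowance can be narrowed. The lazy_static! block starts before the hunk.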
@@ -110,10 +110,16 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
 conditionBuilder.reset();
+ const wfp::IpNetwork interfaceLocalMulticast(wfp::IpAddress::Literal6({ 0xFF01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
 const wfp::IpNetwork linkLocalMulticast(wfp::IpAddress::Literal6({ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
+ const wfp::IpNetwork realmLocalMulticast(wfp::IpAddress::Literal6({ 0xFF03, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
+ const wfp::IpNetwork adminLocalMulticast(wfp::IpAddress::Literal6({ 0xFF04, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
 const wfp::IpNetwork siteLocalMulticast(wfp::IpAddress::Literal6({ 0xFF05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
+ conditionBuilder.add_condition(ConditionIp::Remote(interfaceLocalMulticast));
 conditionBuilder.add_condition(ConditionIp::Remote(linkLocalMulticast));
+ conditionBuilder.add_condition(ConditionIp::Remote(realmLocalMulticast));
+ conditionBuilder.add_condition(ConditionIp::Remote(adminLocalMulticast));
 conditionBuilder.add_condition(ConditionIp::Remote(siteLocalMulticast));
 return objectInstaller.addFilter(filterBuilder, conditionBuilder); |
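Review bot: The five multicast prefixes declared in applyIpv6 duplicate the IPv6 entries of ALLOWED_LAN_MULTICAST_NETS in talpid-core/src/firewall/mod.rs, and nothing in the code ties the two lists together, so a later edit to one platform can silently leave the other with a different allow-list. A comment above the declarations such as `// Keep in sync with ALLOWED_LAN_MULTICAST_NETS in talpid-core/src/firewall/mod.rs.` would make the coupling visible. It is also worth stating there that the /16 prefix length matches only groups whose flag bits are zero, so transient groups such as `ff12::/16` stay blocked; that looks intentional, but the hunk does not say so. applyIpv6 starts before the hunk and its closing lines are outside it.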
