| author | Andrej Mihajlov <and@mullvad.net> | 2020-03-06 13:47:58 +0100 |
|---|---|---|
| committer | Andrej Mihajlov <and@mullvad.net> | 2020-03-06 13:47:58 +0100 |
| commit | 672d9e3d105cc0e1af91f412292683cc068db676 (patch) | |
| tree | ff91116ddd3f1b0f6ffe23acb1432e39d8b3cd34 | |
| parent | 95f421f2178eaefd2ea46cc94c98628d3ff69cfd (diff) | |
| parent | 3c375dcfd8a37ad7d1b49510f90e4359f9478ff9 (diff) | |
| download | mullvadvpn-672d9e3d105cc0e1af91f412292683cc068db676.tar.xz mullvadvpn-672d9e3d105cc0e1af91f412292683cc068db676.zip | |
Merge branch 'fix-dns-over-tcp-when-lan-sharing-enabled-macos'
| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 26 |
2 files changed, 26 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8719297c50..d08c6c0574 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,10 @@ Line wrap the file at 100 chars. Th
 ### Fixed
 - Fix bug that could lead to Javascript error dialog to appear upon the desktop app termination.
+#### macOS
+- Fix firewall rules to properly handle DNS requests over TCP when "Local network sharing" is
+ disabled. Previously DNS requests over TCP would timeout.
+
 #### Android
 - Make sure the settings screen is scrollable so that devices with small screens can access the quit button.
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 41898f36cd..462a2b4fc7 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -116,6 +116,15 @@ impl Firewall {
 .to(pfctl::Endpoint::new(tunnel.ipv4_gateway, 53))
 .build()?;
 rules.push(allow_tcp_dns_to_relay_rule);
+ let allow_tcp_dns_from_relay_rule = self
+ .create_rule_builder(FilterRuleAction::Pass)
+ .direction(pfctl::Direction::In)
+ .quick(true)
+ .interface(&tunnel.interface)
+ .proto(pfctl::Proto::Tcp)
+ .from(pfctl::Endpoint::new(tunnel.ipv4_gateway, 53))
+ .build()?;
+ rules.push(allow_tcp_dns_from_relay_rule);
 let allow_udp_dns_to_relay_rule = self
 .create_rule_builder(FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
@@ -127,7 +136,7 @@ impl Firewall {
 rules.push(allow_udp_dns_to_relay_rule);
 if let Some(ipv6_gateway) = tunnel.ipv6_gateway {
- let v6_dns_rule_tcp = self
+ let allow_tcp_dns6_to_relay_rule = self
 .create_rule_builder(FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
 .quick(true)
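Review bot: The new `allow_tcp_dns_from_relay_rule` in the `@@ -116,6 +116,15 @@` hunk is a stateless inbound pass: it accepts any TCP segment arriving on `tunnel.interface` whose source is `tunnel.ipv4_gateway:53`, with no `to` endpoint, no TCP-flag restriction and no state tracking, so it is wider than "return traffic for DNS queries the client opened". The tighter fix for the timeout would be to keep state on the existing outbound `allow_tcp_dns_to_relay_rule` (and its UDP sibling), if the pfctl builder used here exposes a keep-state policy, rather than adding an unconditional inbound rule; the same applies to `allow_tcp_dns6_from_relay_rule` in the `@@ -135,8 +144,17 @@` hunk. If the stateless rule is kept deliberately, document that scope at the `let` with `// Stateless return path: passes any TCP segment from the gateway's port 53 on the tunnel interface, not only replies to our queries.` The enclosing function of `impl Firewall` starts before this hunk.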
@@ -135,8 +144,17 @@ impl Firewall {
 .proto(pfctl::Proto::Tcp)
 .to(pfctl::Endpoint::new(ipv6_gateway, 53))
 .build()?;
- rules.push(v6_dns_rule_tcp);
- let v6_dns_rule_udp = self
+ rules.push(allow_tcp_dns6_to_relay_rule);
+ let allow_tcp_dns6_from_relay_rule = self
+ .create_rule_builder(FilterRuleAction::Pass)
+ .direction(pfctl::Direction::In)
+ .quick(true)
+ .interface(&tunnel.interface)
+ .proto(pfctl::Proto::Tcp)
+ .from(pfctl::Endpoint::new(ipv6_gateway, 53))
+ .build()?;
+ rules.push(allow_tcp_dns6_from_relay_rule);
+ let allow_udp_dns6_to_relay_rule = self
 .create_rule_builder(FilterRuleAction::Pass)
 .direction(pfctl::Direction::Out)
 .quick(true)
@@ -144,7 +162,7 @@ impl Firewall {
 .proto(pfctl::Proto::Udp)
 .to(pfctl::Endpoint::new(ipv6_gateway, 53))
 .build()?;
- rules.push(v6_dns_rule_udp);
+ rules.push(allow_udp_dns6_to_relay_rule);
 }
 rules.push(self.get_allow_relay_rule(peer_endpoint)?); |
