| author | Linus Färnstrand <linus@mullvad.net> | 2019-05-07 15:58:48 +0200 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2019-05-08 14:12:32 +0200 |
| commit | 6e19d1be2d1154dbcf523a3102c6ea549750b93c (patch) | |
| tree | 685a7dddc1360cedd4baec19209f843252e94fbb | |
| parent | 9efcd31574d18c34d9baff593c6364c314237ef5 (diff) | |
Also allow NDP Redirect packets
| -rw-r--r-- | talpid-core/src/firewall/linux.rs | 22 | ||||
| -rw-r--r-- | talpid-core/src/firewall/mod.rs | 6 |
2 files changed, 23 insertions, 5 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index a1bb4cc635..1b9e8538b2 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -278,7 +278,6 @@ impl<'a> PolicyBatch<'a> {
         // Outgoing Router solicitation (part of NDP)
         {
             let mut rule = Rule::new(&self.out_chain);
-
             check_ip(
                 &mut rule,
                 End::Dst,
@@ -303,7 +302,6 @@ impl<'a> PolicyBatch<'a> {
         // Incoming Router advertisement (part of NDP)
         {
             let mut rule = Rule::new(&self.in_chain);
-
             check_net(&mut rule, End::Src, *super::ROUTER_ADVERTISEMENT_IN_SRC_NET);

             rule.add_expr(&nft_expr!(meta l4proto));
@@ -321,6 +319,26 @@ impl<'a> PolicyBatch<'a> {
             add_verdict(&mut rule, &Verdict::Accept);
             self.batch.add(&rule, nftnl::MsgType::Add);
         }
+        // Incoming Redirect (part of NDP)
+        {
+            let mut rule = Rule::new(&self.in_chain);
+            check_net(&mut rule, End::Src, *super::ROUTER_ADVERTISEMENT_IN_SRC_NET);
+
+            rule.add_expr(&nft_expr!(meta l4proto));
+            rule.add_expr(&nft_expr!(cmp == libc::IPPROTO_ICMPV6 as u8));
+
+            rule.add_expr(&Payload::Transport(
+                nftnl::expr::TransportHeaderField::Icmpv6(nftnl::expr::Icmpv6HeaderField::Type),
+            ));
+            rule.add_expr(&nft_expr!(cmp == 137u8));
+            rule.add_expr(&nftnl::expr::Payload::Transport(
+                nftnl::expr::TransportHeaderField::Icmpv6(nftnl::expr::Icmpv6HeaderField::Code),
+            ));
+            rule.add_expr(&nft_expr!(cmp == 0u8));
+
+            add_verdict(&mut rule, &Verdict::Accept);
+            self.batch.add(&rule, nftnl::MsgType::Add);
+        }
     }

     fn add_policy_specific_rules(&mut self, policy: &FirewallPolicy) -> Result<()> {
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 2315c6ccc3..a2fe5dea65 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
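Review bot: The new Redirect rule accepts ICMPv6 type 137 from any fe80::/10 source but matches neither the IPv6 hop limit, which RFC 4861 §8.1 requires to be 255 for a valid Redirect (the same applies to the type-134 Router Advertisement rule above it), nor anything tying the packet to the host's current first-hop router — so any on-link peer can send one and only the kernel's own ndisc validation and `accept_redirects` setting stand between it and a rerouted path to the VPN endpoint. The kernel does, as far as I know, drop NDP with hop limit != 255, so adding the match here is defence in depth rather than a fix, but it is one extra pair of expressions — `Payload::Network(NetworkHeaderField::Ipv6(Ipv6HeaderField::HopLimit))` then `nft_expr!(cmp == 255u8)` — provided this nftnl version exposes that field. Whatever is decided, the comment should record why Redirects must pass the always-on rules and what is relied on elsewhere, e.g. `// Incoming Redirect (part of NDP): lets the kernel learn a better on-link first hop. Source restricted to link-local and type/code checked here; hop-limit 255 and accept_redirects are enforced by the kernel's ndisc validation.` Minor style point: the block mixes `&Payload::Transport(` and `&nftnl::expr::Payload::Transport(` for the same type, and is the third near-verbatim copy of the NDP rule body, so a small private helper taking the chain and ICMPv6 type would keep the three in step. The enclosing method begins before this hunk.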
@@ -58,10 +58,10 @@ lazy_static! {
         Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 1, 2),
         Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 1, 3),
     ];
-    // The firewall needs to always allow Router Solicitation/Advertisement (part of NDP)
+    // The firewall needs to always allow Router Solicitation/Advertisement/Redirect (part of NDP)
     // It should only allow ICMPv6 packets on these addresses. If the platform supports it
-    // it should check that the solicitation packet has ICMP type 133, code 0 for solicitation
-    // and type 134, code 0 for advertisement.
+    // it should check that the solicitation packet has ICMP type 133 and code 0.
+    // Advertisement packet type 134, code 0. And Redirect type 137, code 0.
     static ref ROUTER_SOLICITATION_OUT_DST_ADDR: Ipv6Addr = Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 2);
     static ref ROUTER_ADVERTISEMENT_IN_SRC_NET: Ipv6Network = Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap();
 }
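Review bot: The updated comment now lists Redirect alongside Solicitation and Advertisement, but the only constant it documents for incoming traffic is still named `ROUTER_ADVERTISEMENT_IN_SRC_NET`, which the Linux Redirect rule in this same commit also reuses — a reader of this file has no way to tell that the fe80::/10 source restriction is meant for Redirects too. Either rename it to something like `NDP_IN_SRC_NET` (a crate-internal change, the one Linux use site is in this commit) or spell it out in the comment, e.g. `// Both incoming Router Advertisements and Redirects must come from a link-local source (fe80::/10).` The rewritten type/code sentence would also read more cleanly as a single list: `// it should check ICMP type/code: 133/0 for solicitation, 134/0 for advertisement, 137/0 for redirect.` The `lazy_static!` block starts before this hunk.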
