authorDavid Lönnhager <david.l@mullvad.net>2024-10-01 10:02:57 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-10-03 15:53:55 +0200
commit732cd8ae60c0feaffd067419cd0857e3e794d295 (patch)
treed6301e8638ad95cc34b98f276688137c842e7bce
parenta83f25cb6ef2eeea26fa0baa2939bce928b25fb8 (diff)
Relax state flushing for PF
-rw-r--r--talpid-core/src/firewall/macos.rs11
1 files changed, 11 insertions, 0 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index c9549fa756..2dddc2381e 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -98,6 +98,17 @@ impl Firewall {
let remote_address = state.remote_address()?;
let proto = state.proto()?;
+ if local_address.ip().is_loopback() || remote_address.ip().is_loopback() {
+ // Ignore connections to localhost
+ return Ok(false);
+ }
+
+ if [5353, 53].contains(&remote_address.port()) {
+ // Ignore DNS states. The local resolver takes care of everything,
+ // and PQ seems to timeout if these states are flushed
+ return Ok(false);
+ }
+
let Some(peer) = policy.peer_endpoint().map(|endpoint| endpoint.endpoint) else {
// If there's no peer, there's also no tunnel. We have no states to preserve
return Ok(true);
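Review bot: The DNS exemption at `if [5353, 53].contains(&remote_address.port())` keys on the remote port alone, so a state to any remote host on port 53 or 5353, over any protocol, is kept when the policy changes, not only the states to the local resolver that the comment refers to. Because an established PF state is matched before the ruleset is evaluated, a connection opened before the new policy applied could presumably keep passing traffic on those ports; whether other rules prevent that is not visible in this hunk. `proto` is already read on the line above and could be part of the condition, and the check would be tighter if it also compared `remote_address.ip()` against the resolver address(es) the daemon actually uses. At minimum the scope should be documented next to the check, e.g. `// NOTE: matches any remote host and any protocol on these ports, not only the local resolver`. The enclosing function starts and ends outside the hunk.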