diff options
| author | Linus Färnstrand <linus@mullvad.net> | 2019-02-01 12:41:23 +0100 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2019-02-01 12:41:23 +0100 |
| commit | 825a02ad1db2dd9cfa7d0f3798de90d23ddd78a1 (patch) | |
| tree | bff97a9406991888c62246ed44839a68c01a2578 | |
| parent | 86ea31a4a3a9d6f4c23043abd993a42170eb2ed2 (diff) | |
| download | mullvadvpn-825a02ad1db2dd9cfa7d0f3798de90d23ddd78a1.tar.xz mullvadvpn-825a02ad1db2dd9cfa7d0f3798de90d23ddd78a1.zip | |
Rename security module to firewall
14 files changed, 72 insertions, 72 deletions
diff --git a/mullvad-problem-report/src/main.rs b/mullvad-problem-report/src/main.rs index 8146b3e769..64e0b3c085 100644 --- a/mullvad-problem-report/src/main.rs +++ b/mullvad-problem-report/src/main.rs @@ -525,7 +525,7 @@ mod tests { #[test] fn doesnt_redact_not_ipv6() { - assert_does_not_redact("[talpid_core::security]"); + assert_does_not_redact("[talpid_core::firewall]"); } fn assert_redacts_ipv6(input: &str) { diff --git a/talpid-core/src/security/linux.rs b/talpid-core/src/firewall/linux.rs index 7f25e8c9f8..a60644ee7f 100644 --- a/talpid-core/src/security/linux.rs +++ b/talpid-core/src/firewall/linux.rs @@ -1,4 +1,4 @@ -use super::{NetworkSecurityT, SecurityPolicy}; +use super::{FirewallT, FirewallPolicy}; use crate::tunnel; use ipnetwork::IpNetwork; use lazy_static::lazy_static; @@ -64,20 +64,20 @@ enum End { } /// The Linux implementation for the firewall and DNS. -pub struct NetworkSecurity { +pub struct Firewall { table_name: CString, } -impl NetworkSecurityT for NetworkSecurity { +impl FirewallT for Firewall { type Error = Error; fn new() -> Result<Self> { - Ok(NetworkSecurity { + Ok(Firewall { table_name: TABLE_NAME.clone(), }) } - fn apply_policy(&mut self, policy: SecurityPolicy) -> Result<()> { + fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> { let table = Table::new(&self.table_name, ProtoFamily::Inet)?; let batch = PolicyBatch::new(&table)?.finalize(&policy)?; self.send_and_process(&batch)?; @@ -100,7 +100,7 @@ impl NetworkSecurityT for NetworkSecurity { } } -impl NetworkSecurity { +impl Firewall { fn send_and_process(&self, batch: &FinalizedBatch) -> Result<()> { let socket = mnl::Socket::new(mnl::Bus::Netfilter).chain_err(|| ErrorKind::NetlinkOpenError)?; @@ -206,7 +206,7 @@ impl<'a> PolicyBatch<'a> { /// Finalize the nftnl message batch by adding every firewall rule needed to satisfy the given /// policy. - pub fn finalize(mut self, policy: &SecurityPolicy) -> Result<FinalizedBatch> { + pub fn finalize(mut self, policy: &FirewallPolicy) -> Result<FinalizedBatch> { self.add_loopback_rules()?; self.add_dhcp_rules()?; self.add_policy_specific_rules(policy)?; @@ -269,16 +269,16 @@ impl<'a> PolicyBatch<'a> { Ok(()) } - fn add_policy_specific_rules(&mut self, policy: &SecurityPolicy) -> Result<()> { + fn add_policy_specific_rules(&mut self, policy: &FirewallPolicy) -> Result<()> { let allow_lan = match policy { - SecurityPolicy::Connecting { + FirewallPolicy::Connecting { peer_endpoint, allow_lan, } => { self.add_allow_endpoint_rules(peer_endpoint)?; *allow_lan } - SecurityPolicy::Connected { + FirewallPolicy::Connected { peer_endpoint, tunnel, allow_lan, @@ -289,7 +289,7 @@ impl<'a> PolicyBatch<'a> { self.add_allow_tunnel_rules(tunnel)?; *allow_lan } - SecurityPolicy::Blocked { allow_lan } => *allow_lan, + FirewallPolicy::Blocked { allow_lan } => *allow_lan, }; if allow_lan { diff --git a/talpid-core/src/security/macos.rs b/talpid-core/src/firewall/macos.rs index 4e6f5e2325..6ffdd28df0 100644 --- a/talpid-core/src/security/macos.rs +++ b/talpid-core/src/firewall/macos.rs @@ -1,4 +1,4 @@ -use super::{NetworkSecurityT, SecurityPolicy}; +use super::{FirewallT, FirewallPolicy}; use pfctl::FilterRuleAction; use std::{ env, @@ -15,13 +15,13 @@ type Result<T> = ::std::result::Result<T, Error>; const ANCHOR_NAME: &'static str = "mullvad"; /// The macOS firewall and DNS implementation. -pub struct NetworkSecurity { +pub struct Firewall { pf: pfctl::PfCtl, pf_was_enabled: Option<bool>, rule_logging: RuleLogging, } -impl NetworkSecurityT for NetworkSecurity { +impl FirewallT for Firewall { type Error = Error; fn new() -> Result<Self> { @@ -36,14 +36,14 @@ impl NetworkSecurityT for NetworkSecurity { }; log::trace!("Firewall debug log policy: {:?}", rule_logging); - Ok(NetworkSecurity { + Ok(Firewall { pf: pfctl::PfCtl::new()?, pf_was_enabled: None, rule_logging, }) } - fn apply_policy(&mut self, policy: SecurityPolicy) -> Result<()> { + fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> { self.enable()?; self.add_anchor()?; self.set_rules(policy) @@ -61,8 +61,8 @@ impl NetworkSecurityT for NetworkSecurity { } } -impl NetworkSecurity { - fn set_rules(&mut self, policy: SecurityPolicy) -> Result<()> { +impl Firewall { + fn set_rules(&mut self, policy: FirewallPolicy) -> Result<()> { let mut new_filter_rules = vec![]; new_filter_rules.append(&mut self.get_allow_loopback_rules()?); @@ -82,10 +82,10 @@ impl NetworkSecurity { fn get_policy_specific_rules( &mut self, - policy: SecurityPolicy, + policy: FirewallPolicy, ) -> Result<Vec<pfctl::FilterRule>> { match policy { - SecurityPolicy::Connecting { + FirewallPolicy::Connecting { peer_endpoint, allow_lan, } => { @@ -95,7 +95,7 @@ impl NetworkSecurity { } Ok(rules) } - SecurityPolicy::Connected { + FirewallPolicy::Connected { peer_endpoint, tunnel, allow_lan, @@ -145,7 +145,7 @@ impl NetworkSecurity { } Ok(rules) } - SecurityPolicy::Blocked { allow_lan } => { + FirewallPolicy::Blocked { allow_lan } => { let mut rules = Vec::new(); if allow_lan { rules.append(&mut self.get_allow_lan_rules()?); diff --git a/talpid-core/src/security/mod.rs b/talpid-core/src/firewall/mod.rs index 75bb4cef87..5163d4ed26 100644 --- a/talpid-core/src/security/mod.rs +++ b/talpid-core/src/firewall/mod.rs @@ -46,7 +46,7 @@ lazy_static! { /// A enum that describes network security strategy #[derive(Debug, Clone, Eq, PartialEq)] -pub enum SecurityPolicy { +pub enum FirewallPolicy { /// Allow traffic only to server Connecting { /// The peer endpoint that should be allowed. @@ -72,10 +72,10 @@ pub enum SecurityPolicy { }, } -impl fmt::Display for SecurityPolicy { +impl fmt::Display for FirewallPolicy { fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> { match self { - SecurityPolicy::Connecting { + FirewallPolicy::Connecting { peer_endpoint, allow_lan, } => write!( @@ -84,7 +84,7 @@ impl fmt::Display for SecurityPolicy { peer_endpoint, if *allow_lan { "Allowing" } else { "Blocking" } ), - SecurityPolicy::Connected { + FirewallPolicy::Connected { peer_endpoint, tunnel, allow_lan, @@ -102,7 +102,7 @@ impl fmt::Display for SecurityPolicy { tunnel.gateway, if *allow_lan { "Allowing" } else { "Blocking" } ), - SecurityPolicy::Blocked { allow_lan } => write!( + FirewallPolicy::Blocked { allow_lan } => write!( f, "Blocked, {} LAN", if *allow_lan { "Allowing" } else { "Blocking" } @@ -113,27 +113,27 @@ impl fmt::Display for SecurityPolicy { /// Manages network security of the computer/device. Can apply and enforce security policies /// by manipulating the OS firewall and DNS settings. -pub struct NetworkSecurity { - inner: imp::NetworkSecurity, +pub struct Firewall { + inner: imp::Firewall, } -impl NetworkSecurity { - /// Returns a new `NetworkSecurity`, ready to apply policies. +impl Firewall { + /// Returns a new `Firewall`, ready to apply policies. pub fn new() -> Result<Self, Error> { - Ok(NetworkSecurity { - inner: imp::NetworkSecurity::new()?, + Ok(Firewall { + inner: imp::Firewall::new()?, }) } - /// Applies and starts enforcing the given `SecurityPolicy` Makes sure it is being kept in place + /// Applies and starts enforcing the given `FirewallPolicy` Makes sure it is being kept in place /// until this method is called again with another policy, or until `reset_policy` is called. - pub fn apply_policy(&mut self, policy: SecurityPolicy) -> Result<(), Error> { + pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<(), Error> { log::info!("Applying security policy: {}", policy); self.inner.apply_policy(policy) } - /// Resets/removes any currently enforced `SecurityPolicy`. Returns the system to the same state - /// it had before any policy was applied through this `NetworkSecurity` instance. + /// Resets/removes any currently enforced `FirewallPolicy`. Returns the system to the same state + /// it had before any policy was applied through this `Firewall` instance. pub fn reset_policy(&mut self) -> Result<(), Error> { log::info!("Resetting security policy"); self.inner.reset_policy() @@ -141,15 +141,15 @@ impl NetworkSecurity { } /// Abstract firewall interaction trait. Used by the OS specific implementations. -trait NetworkSecurityT: Sized { +trait FirewallT: Sized { /// The error type thrown by the implementer of this trait type Error: ::std::error::Error; /// Create new instance fn new() -> ::std::result::Result<Self, Self::Error>; - /// Enable the given SecurityPolicy - fn apply_policy(&mut self, policy: SecurityPolicy) -> ::std::result::Result<(), Self::Error>; + /// Enable the given FirewallPolicy + fn apply_policy(&mut self, policy: FirewallPolicy) -> ::std::result::Result<(), Self::Error>; /// Revert the system network security state to what it was before this instance started /// modifying the system. diff --git a/talpid-core/src/security/windows/ffi.rs b/talpid-core/src/firewall/windows/ffi.rs index 6c4d8381d4..6c4d8381d4 100644 --- a/talpid-core/src/security/windows/ffi.rs +++ b/talpid-core/src/firewall/windows/ffi.rs diff --git a/talpid-core/src/security/windows/mod.rs b/talpid-core/src/firewall/windows/mod.rs index afe8dbc472..398297cd59 100644 --- a/talpid-core/src/security/windows/mod.rs +++ b/talpid-core/src/firewall/windows/mod.rs @@ -1,7 +1,7 @@ use std::{net::IpAddr, ptr}; use self::winfw::*; -use super::{NetworkSecurityT, SecurityPolicy}; +use super::{FirewallT, FirewallPolicy}; use crate::winnet; use log::{debug, error, trace}; use talpid_types::net::Endpoint; @@ -54,9 +54,9 @@ error_chain! { const WINFW_TIMEOUT_SECONDS: u32 = 2; /// The Windows implementation for the firewall and DNS. -pub struct NetworkSecurity(()); +pub struct Firewall(()); -impl NetworkSecurityT for NetworkSecurity { +impl FirewallT for Firewall { type Error = Error; fn new() -> Result<Self> { @@ -69,19 +69,19 @@ impl NetworkSecurityT for NetworkSecurity { .into_result()? }; trace!("Successfully initialized windows firewall module"); - Ok(NetworkSecurity(())) + Ok(Firewall(())) } - fn apply_policy(&mut self, policy: SecurityPolicy) -> Result<()> { + fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> { match policy { - SecurityPolicy::Connecting { + FirewallPolicy::Connecting { peer_endpoint, allow_lan, } => { let cfg = &WinFwSettings::new(allow_lan); self.set_connecting_state(&peer_endpoint, &cfg) } - SecurityPolicy::Connected { + FirewallPolicy::Connected { peer_endpoint, tunnel, allow_lan, @@ -89,7 +89,7 @@ impl NetworkSecurityT for NetworkSecurity { let cfg = &WinFwSettings::new(allow_lan); self.set_connected_state(&peer_endpoint, &cfg, &tunnel) } - SecurityPolicy::Blocked { allow_lan } => { + FirewallPolicy::Blocked { allow_lan } => { let cfg = &WinFwSettings::new(allow_lan); self.set_blocked_state(&cfg) } @@ -102,7 +102,7 @@ impl NetworkSecurityT for NetworkSecurity { } } -impl Drop for NetworkSecurity { +impl Drop for Firewall { fn drop(&mut self) { if unsafe { WinFw_Deinitialize().into_result().is_ok() } { trace!("Successfully deinitialized windows firewall module"); @@ -112,7 +112,7 @@ impl Drop for NetworkSecurity { } } -impl NetworkSecurity { +impl Firewall { fn set_connecting_state( &mut self, endpoint: &Endpoint, diff --git a/talpid-core/src/security/windows/system_state.rs b/talpid-core/src/firewall/windows/system_state.rs index f5e1d073dd..f5e1d073dd 100644 --- a/talpid-core/src/security/windows/system_state.rs +++ b/talpid-core/src/firewall/windows/system_state.rs diff --git a/talpid-core/src/lib.rs b/talpid-core/src/lib.rs index f0337970c5..d997d90c76 100644 --- a/talpid-core/src/lib.rs +++ b/talpid-core/src/lib.rs @@ -37,8 +37,8 @@ pub mod logging; /// Abstractions and extra features on `std::mpsc` pub mod mpsc; -/// Abstractions over operating system network security settings. -pub mod security; +/// Abstractions over operating system firewalls. +pub mod firewall; /// Abstractions over operating system DNS settings. pub mod dns; diff --git a/talpid-core/src/tunnel_state_machine/blocked_state.rs b/talpid-core/src/tunnel_state_machine/blocked_state.rs index abc782cd24..6fc25654a7 100644 --- a/talpid-core/src/tunnel_state_machine/blocked_state.rs +++ b/talpid-core/src/tunnel_state_machine/blocked_state.rs @@ -6,7 +6,7 @@ use super::{ ConnectingState, DisconnectedState, EventConsequence, ResultExt, SharedTunnelStateValues, TunnelCommand, TunnelState, TunnelStateTransition, TunnelStateWrapper, }; -use crate::security::SecurityPolicy; +use crate::firewall::FirewallPolicy; /// No tunnel is running and all network connections are blocked. pub struct BlockedState { @@ -15,7 +15,7 @@ pub struct BlockedState { impl BlockedState { fn set_security_policy(shared_values: &mut SharedTunnelStateValues) -> Option<BlockReason> { - let policy = SecurityPolicy::Blocked { + let policy = FirewallPolicy::Blocked { allow_lan: shared_values.allow_lan, }; @@ -27,7 +27,7 @@ impl BlockedState { Ok(()) => None, Err(error) => { log::error!("{}", error.display_chain()); - Some(BlockReason::SetSecurityPolicyError) + Some(BlockReason::SetFirewallPolicyError) } } } diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs index b5a88c7181..c6e575ce04 100644 --- a/talpid-core/src/tunnel_state_machine/connected_state.rs +++ b/talpid-core/src/tunnel_state_machine/connected_state.rs @@ -14,7 +14,7 @@ use super::{ TunnelStateWrapper, }; use crate::{ - security::SecurityPolicy, + firewall::FirewallPolicy, tunnel::{CloseHandle, TunnelEvent, TunnelMetadata}, }; @@ -50,7 +50,7 @@ impl ConnectedState { // If a proxy is specified we need to pass it on as the peer endpoint. let peer_endpoint = self.get_endpoint_from_params(); - let policy = SecurityPolicy::Connected { + let policy = FirewallPolicy::Connected { peer_endpoint, tunnel: self.metadata.clone(), allow_lan: shared_values.allow_lan, @@ -117,7 +117,7 @@ impl ConnectedState { log::error!("{}", error.display_chain()); self.disconnect( shared_values, - AfterDisconnect::Block(BlockReason::SetSecurityPolicyError), + AfterDisconnect::Block(BlockReason::SetFirewallPolicyError), ) } } @@ -202,7 +202,7 @@ impl TunnelState for ConnectedState { ( connected_state.close_handle, connected_state.tunnel_close_event, - AfterDisconnect::Block(BlockReason::SetSecurityPolicyError), + AfterDisconnect::Block(BlockReason::SetFirewallPolicyError), ), ) } else if let Err(error) = connected_state.set_dns(shared_values) { diff --git a/talpid-core/src/tunnel_state_machine/connecting_state.rs b/talpid-core/src/tunnel_state_machine/connecting_state.rs index ad3712144a..06547e6446 100644 --- a/talpid-core/src/tunnel_state_machine/connecting_state.rs +++ b/talpid-core/src/tunnel_state_machine/connecting_state.rs @@ -23,7 +23,7 @@ use super::{ }; use crate::{ logging, - security::SecurityPolicy, + firewall::FirewallPolicy, tunnel::{self, CloseHandle, TunnelEvent, TunnelMetadata, TunnelMonitor}, }; @@ -71,7 +71,7 @@ impl ConnectingState { None => endpoint, }; - let policy = SecurityPolicy::Connecting { + let policy = FirewallPolicy::Connecting { peer_endpoint, allow_lan: shared_values.allow_lan, }; @@ -231,7 +231,7 @@ impl ConnectingState { ( self.close_handle, self.tunnel_close_event, - AfterDisconnect::Block(BlockReason::SetSecurityPolicyError), + AfterDisconnect::Block(BlockReason::SetFirewallPolicyError), ), )) } diff --git a/talpid-core/src/tunnel_state_machine/disconnected_state.rs b/talpid-core/src/tunnel_state_machine/disconnected_state.rs index 0634c75da4..6a66be499f 100644 --- a/talpid-core/src/tunnel_state_machine/disconnected_state.rs +++ b/talpid-core/src/tunnel_state_machine/disconnected_state.rs @@ -2,7 +2,7 @@ use super::{ BlockedState, ConnectingState, EventConsequence, ResultExt, SharedTunnelStateValues, TunnelCommand, TunnelState, TunnelStateTransition, TunnelStateWrapper, }; -use crate::security::SecurityPolicy; +use crate::firewall::FirewallPolicy; use error_chain::ChainedError; use futures::{sync::mpsc, Stream}; @@ -12,7 +12,7 @@ pub struct DisconnectedState; impl DisconnectedState { fn set_security_policy(shared_values: &mut SharedTunnelStateValues) { let result = if shared_values.block_when_disconnected { - let policy = SecurityPolicy::Blocked { + let policy = FirewallPolicy::Blocked { allow_lan: shared_values.allow_lan, }; shared_values diff --git a/talpid-core/src/tunnel_state_machine/mod.rs b/talpid-core/src/tunnel_state_machine/mod.rs index 5226c315e8..cbb7303129 100644 --- a/talpid-core/src/tunnel_state_machine/mod.rs +++ b/talpid-core/src/tunnel_state_machine/mod.rs @@ -29,13 +29,13 @@ use self::{ disconnected_state::DisconnectedState, disconnecting_state::{AfterDisconnect, DisconnectingState}, }; -use crate::{dns::DnsMonitor, mpsc::IntoSender, offline, security::NetworkSecurity}; +use crate::{dns::DnsMonitor, mpsc::IntoSender, offline, firewall::Firewall}; error_chain! { errors { /// An error occurred while setting up the network security. - NetworkSecurityError { - description("Network security error") + FirewallError { + description("Firewall error") } /// Unable to start the DNS settings monitor and enforcer. DnsMonitorError { @@ -181,7 +181,7 @@ impl TunnelStateMachine { cache_dir: impl AsRef<Path>, commands: mpsc::UnboundedReceiver<TunnelCommand>, ) -> Result<Self> { - let security = NetworkSecurity::new().chain_err(|| ErrorKind::NetworkSecurityError)?; + let security = Firewall::new().chain_err(|| ErrorKind::FirewallError)?; let dns_monitor = DnsMonitor::new(cache_dir).chain_err(|| ErrorKind::DnsMonitorError)?; let mut shared_values = SharedTunnelStateValues { security, @@ -262,7 +262,7 @@ pub trait TunnelParametersGenerator: Send + 'static { /// Values that are common to all tunnel states. struct SharedTunnelStateValues { - security: NetworkSecurity, + security: Firewall, dns_monitor: DnsMonitor, /// Should LAN access be allowed outside the tunnel. allow_lan: bool, diff --git a/talpid-types/src/tunnel.rs b/talpid-types/src/tunnel.rs index 07d0675bde..7c27c7c4a6 100644 --- a/talpid-types/src/tunnel.rs +++ b/talpid-types/src/tunnel.rs @@ -47,7 +47,7 @@ pub enum BlockReason { /// Failed to configure IPv6 because it's disabled in the platform. Ipv6Unavailable, /// Failed to set security policy. - SetSecurityPolicyError, + SetFirewallPolicyError, /// Failed to set system DNS server. SetDnsError, /// Failed to start connection to remote server. @@ -75,7 +75,7 @@ impl fmt::Display for BlockReason { ); } Ipv6Unavailable => "Failed to configure IPv6 because it's disabled in the platform", - SetSecurityPolicyError => "Failed to set security policy", + SetFirewallPolicyError => "Failed to set security policy", SetDnsError => "Failed to set system DNS server", StartTunnelError => "Failed to start connection to remote server", NoMatchingRelay => "No relay server matches the current settings", |