authorDavid Lönnhager <david.l@mullvad.net>2020-10-14 15:23:55 +0200
committerDavid Lönnhager <david.l@mullvad.net>2020-10-22 09:33:58 +0200
commit846e1c35246b8e72cfadfb95e3b80bbafe03bac4 (patch)
tree1831acceabb09273082639a7222b069761b1a518
parentf84ac368b9b993ff1511c2a8ce180369bfba2165 (diff)
downloadmullvadvpn-846e1c35246b8e72cfadfb95e3b80bbafe03bac4.tar.xz
mullvadvpn-846e1c35246b8e72cfadfb95e3b80bbafe03bac4.zip
Pass DNS servers to the firewall
-rw-r--r--talpid-core/src/firewall/mod.rs2
-rw-r--r--talpid-core/src/firewall/windows.rs4
-rw-r--r--talpid-core/src/tunnel_state_machine/connected_state.rs32
3 files changed, 24 insertions, 14 deletions
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 658fba72ae..9c7cff22b1 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -111,6 +111,8 @@ pub enum FirewallPolicy {
tunnel: crate::tunnel::TunnelMetadata,
/// Flag setting if communication with LAN networks should be possible.
allow_lan: bool,
+ /// Servers that are allowed to respond to DNS requests.
+ dns_servers: Vec<IpAddr>,
/// A process that is allowed to send packets to the relay.
#[cfg(windows)]
relay_client: PathBuf,
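Review bot: The doc comment on the new `dns_servers` field leaves its contract underspecified: it says neither where the addresses come from nor what an empty list means. The caller in connected_state.rs fills it with the tunnel gateway(s) or, when configured, user-specified custom servers that may lie outside the tunnel, so I would write `/// DNS servers the firewall should allow DNS traffic to: the tunnel gateway(s) by default, or the user's custom DNS servers, which may be addresses outside the tunnel.` Whether an empty vector can occur (e.g. `custom_dns` set to an empty list) and whether it means "block all DNS" is worth stating too, since each platform backend would otherwise decide that independently. The `FirewallPolicy` enum starts before this hunk.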
diff --git a/talpid-core/src/firewall/windows.rs b/talpid-core/src/firewall/windows.rs
index 52062c3494..70af82942e 100644
--- a/talpid-core/src/firewall/windows.rs
+++ b/talpid-core/src/firewall/windows.rs
@@ -99,10 +99,11 @@ impl FirewallT for Firewall {
peer_endpoint,
tunnel,
allow_lan,
+ dns_servers,
relay_client,
} => {
let cfg = &WinFwSettings::new(allow_lan);
- self.set_connected_state(&peer_endpoint, &cfg, &tunnel, &relay_client)
+ self.set_connected_state(&peer_endpoint, &cfg, &tunnel, &dns_servers, &relay_client)
}
FirewallPolicy::Blocked { allow_lan } => {
let cfg = &WinFwSettings::new(allow_lan);
@@ -192,6 +193,7 @@ impl Firewall {
endpoint: &Endpoint,
winfw_settings: &WinFwSettings,
tunnel_metadata: &crate::tunnel::TunnelMetadata,
+ dns_servers: &[IpAddr],
relay_client: &Path,
) -> Result<(), Error> {
trace!("Applying 'connected' firewall policy");
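Review bot: The new `dns_servers: &[IpAddr]` parameter of `set_connected_state` is not consumed anywhere in the visible part of this hunk, and the function body continues outside it; if the remainder of the function does not feed the list into the WinFw rules, the connected policy still does not restrict DNS and rustc will warn about an unused parameter. The review of this change should confirm the list actually reaches the rule set, and a short comment on the parameter would make the intent explicit: `// DNS servers the connected policy permits DNS traffic to (see FirewallPolicy::Connected).` Note also that no `use std::net::IpAddr` is added to windows.rs in this commit, unlike connected_state.rs, so presumably the type is already in scope here.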
diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs
index 87068783e1..b561fc7a83 100644
--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
@@ -8,6 +8,7 @@ use crate::{
tunnel::{CloseHandle, TunnelEvent, TunnelMetadata},
};
use futures::{channel::mpsc, stream::Fuse, StreamExt};
+use std::net::IpAddr;
use talpid_types::{
net::TunnelParameters,
tunnel::{ErrorStateCause, FirewallPolicyError},
@@ -75,11 +76,25 @@ impl ConnectedState {
})
}
+ fn get_dns_servers(&self, shared_values: &SharedTunnelStateValues) -> Vec<IpAddr> {
+ if let Some(ref servers) = shared_values.custom_dns {
+ servers.clone()
+ } else {
+ let mut dns_ips = vec![];
+ dns_ips.push(self.metadata.ipv4_gateway.into());
+ if let Some(ipv6_gateway) = self.metadata.ipv6_gateway {
+ dns_ips.push(ipv6_gateway.into());
+ };
+ dns_ips
+ }
+ }
+
fn get_firewall_policy(&self, shared_values: &SharedTunnelStateValues) -> FirewallPolicy {
FirewallPolicy::Connected {
peer_endpoint: self.tunnel_parameters.get_next_hop_endpoint(),
tunnel: self.metadata.clone(),
allow_lan: shared_values.allow_lan,
+ dns_servers: self.get_dns_servers(shared_values),
#[cfg(windows)]
relay_client: TunnelMonitor::get_relay_client(
&shared_values.resource_dir,
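Review bot: `get_dns_servers` is undocumented although it now drives both the system DNS configuration and the firewall's DNS allow-list, and the `};` closing the `if let` on the IPv6 branch is a stray semicolon. A doc comment such as `/// DNS servers to configure on the tunnel interface and to allow in the firewall: the user's custom servers when set, otherwise the tunnel gateway(s).` states the contract, and the body can be a single expression instead of a mutable Vec with pushes, assuming the gateways are `Ipv4Addr`/`Ipv6Addr` as the existing `.into()` conversions suggest. When custom servers are configured they may be addresses outside the tunnel, so how `set_connected_state` treats this list (outside this diff) decides whether DNS to them is allowed only through the tunnel.
```rust
    fn get_dns_servers(&self, shared_values: &SharedTunnelStateValues) -> Vec<IpAddr> {
        shared_values.custom_dns.clone().unwrap_or_else(|| {
            std::iter::once(IpAddr::from(self.metadata.ipv4_gateway))
                .chain(self.metadata.ipv6_gateway.map(IpAddr::from))
                .collect()
        })
    }
```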
@@ -91,21 +106,12 @@ impl ConnectedState {
}
fn set_dns(&self, shared_values: &mut SharedTunnelStateValues) -> Result<(), BoxedError> {
- let mut default_dns = vec![];
-
- let dns_ips = if let Some(ref servers) = shared_values.custom_dns {
- servers
- } else {
- default_dns.push(self.metadata.ipv4_gateway.into());
- if let Some(ipv6_gateway) = self.metadata.ipv6_gateway {
- default_dns.push(ipv6_gateway.into());
- };
- &default_dns
- };
-
shared_values
.dns_monitor
- .set(&self.metadata.interface, &dns_ips)
+ .set(
+ &self.metadata.interface,
+ &self.get_dns_servers(shared_values),
+ )
.map_err(BoxedError::new)?;
#[cfg(target_os = "linux")]