| author | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-10-07 09:41:36 +0200 |
|---|---|---|
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-10-07 09:41:36 +0200 |
| commit | 93c2133fe37d18a5114b0cb5fef60c6dc8a9465f (patch) | |
| tree | 69dd0d157680292983a8871318f890f05f5c490d | |
| parent | d45a7ce46f3da679362aac438bc8bd7af5ebd5bd (diff) | |
| parent | e888bc277dd724bd4ee285a5b673a5b449269e0f (diff) | |
Merge branch 'const-networks'
| -rw-r--r-- | mullvad-daemon/src/dns.rs | 3 | ||||
| -rw-r--r-- | mullvad-daemon/src/settings/mod.rs | 2 | ||||
| -rw-r--r-- | talpid-core/src/firewall/linux.rs | 40 | ||||
| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 34 | ||||
| -rw-r--r-- | talpid-core/src/firewall/mod.rs | 41 | ||||
| -rw-r--r-- | talpid-tunnel/src/tun_provider/mod.rs | 25 | ||||
| -rw-r--r-- | talpid-types/src/bin/generate-cpp-lannetworks.rs | 4 | ||||
| -rw-r--r-- | talpid-types/src/net/allowed_nets.rs | 72 |
8 files changed, 105 insertions, 116 deletions
diff --git a/mullvad-daemon/src/dns.rs b/mullvad-daemon/src/dns.rs index 9b0ae9163c..cf0c1e9084 100644 --- a/mullvad-daemon/src/dns.rs +++ b/mullvad-daemon/src/dns.rs @@ -54,8 +54,9 @@ pub fn addresses_from_options(options: &DnsOptions) -> DnsConfig { .custom_options .addresses .iter() + .copied() // Private IP ranges should not be tunneled - .partition(|&addr| is_local_address(addr)); + .partition(|addr| is_local_address(*addr)); DnsConfig::from_addresses(&tunnel_config, &non_tunnel_config) } } diff --git a/mullvad-daemon/src/settings/mod.rs b/mullvad-daemon/src/settings/mod.rs index 2fb0abcad0..a30d4f5400 100644 --- a/mullvad-daemon/src/settings/mod.rs +++ b/mullvad-daemon/src/settings/mod.rs @@ -512,6 +512,7 @@ impl Display for SettingsSummary<'_> { .custom_options .addresses .iter() + .copied() .any(is_local_address); let contains_public = self .settings @@ -520,6 +521,7 @@ impl Display for SettingsSummary<'_> { .custom_options .addresses .iter() + .copied() .any(|addr| !is_local_address(addr)); match (contains_public, contains_local) { diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs index f49733c9f2..d5978656e7 100644 --- a/talpid-core/src/firewall/linux.rs +++ b/talpid-core/src/firewall/linux.rs @@ -465,11 +465,11 @@ impl<'a> PolicyBatch<'a> { } for chain in &[&self.out_chain, &self.forward_chain] { - for dhcpv6_server in &*super::DHCPV6_SERVER_ADDRS { + for dhcpv6_server in super::DHCPV6_SERVER_ADDRS { let mut out_v6 = Rule::new(chain); - check_net(&mut out_v6, End::Src, *super::IPV6_LINK_LOCAL); + check_net(&mut out_v6, End::Src, super::IPV6_LINK_LOCAL); check_port(&mut out_v6, Udp, End::Src, super::DHCPV6_CLIENT_PORT); - check_ip(&mut out_v6, End::Dst, *dhcpv6_server); + check_ip(&mut out_v6, End::Dst, dhcpv6_server); check_port(&mut out_v6, Udp, End::Dst, super::DHCPV6_SERVER_PORT); add_verdict(&mut out_v6, &Verdict::Accept); self.batch.add(&out_v6, nftnl::MsgType::Add); 
@@ -477,9 +477,9 @@ impl<'a> PolicyBatch<'a> { } for chain in &[&self.in_chain, &self.forward_chain] { let mut in_v6 = Rule::new(chain); - check_net(&mut in_v6, End::Src, *super::IPV6_LINK_LOCAL); + check_net(&mut in_v6, End::Src, super::IPV6_LINK_LOCAL); check_port(&mut in_v6, Udp, End::Src, super::DHCPV6_SERVER_PORT); - check_net(&mut in_v6, End::Dst, *super::IPV6_LINK_LOCAL); + check_net(&mut in_v6, End::Dst, super::IPV6_LINK_LOCAL); check_port(&mut in_v6, Udp, End::Dst, super::DHCPV6_CLIENT_PORT); add_verdict(&mut in_v6, &Verdict::Accept); self.batch.add(&in_v6, nftnl::MsgType::Add); @@ -493,11 +493,7 @@ impl<'a> PolicyBatch<'a> { // Outgoing Router solicitation (part of NDP) for chain in &[&self.out_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_ip( - &mut rule, - End::Dst, - *super::ROUTER_SOLICITATION_OUT_DST_ADDR, - ); + check_ip(&mut rule, End::Dst, super::ROUTER_SOLICITATION_OUT_DST_ADDR); check_icmpv6(&mut rule, 133, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); @@ -505,7 +501,7 @@ impl<'a> PolicyBatch<'a> { // Incoming Router advertisement (part of NDP) for chain in &[&self.in_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Src, *super::IPV6_LINK_LOCAL); + check_net(&mut rule, End::Src, super::IPV6_LINK_LOCAL); check_icmpv6(&mut rule, 134, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); @@ -513,7 +509,7 @@ impl<'a> PolicyBatch<'a> { // Incoming Redirect (part of NDP) for chain in &[&self.in_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Src, *super::IPV6_LINK_LOCAL); + check_net(&mut rule, End::Src, super::IPV6_LINK_LOCAL); check_icmpv6(&mut rule, 137, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); 
@@ -521,14 +517,14 @@ impl<'a> PolicyBatch<'a> { // Outgoing Neighbor solicitation (part of NDP) for chain in &[&self.out_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Dst, *super::SOLICITED_NODE_MULTICAST); + check_net(&mut rule, End::Dst, super::SOLICITED_NODE_MULTICAST); check_icmpv6(&mut rule, 135, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); } for chain in &[&self.out_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Dst, *super::IPV6_LINK_LOCAL); + check_net(&mut rule, End::Dst, super::IPV6_LINK_LOCAL); check_icmpv6(&mut rule, 135, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); @@ -536,7 +532,7 @@ impl<'a> PolicyBatch<'a> { // Incoming Neighbor solicitation (part of NDP) for chain in &[&self.in_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Src, *super::IPV6_LINK_LOCAL); + check_net(&mut rule, End::Src, super::IPV6_LINK_LOCAL); check_icmpv6(&mut rule, 135, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); @@ -544,7 +540,7 @@ impl<'a> PolicyBatch<'a> { // Outgoing Neighbor advertisement (part of NDP) for chain in &[&self.out_chain, &self.forward_chain] { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Dst, *super::IPV6_LINK_LOCAL); + check_net(&mut rule, End::Dst, super::IPV6_LINK_LOCAL); check_icmpv6(&mut rule, 136, 0); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); 
@@ -888,17 +884,17 @@ impl<'a> PolicyBatch<'a> { // Output and forward chains for chain in &[&self.out_chain, &self.forward_chain] { // LAN -> LAN - for net in &*ALLOWED_LAN_NETS { + for net in ALLOWED_LAN_NETS { let mut out_rule = Rule::new(chain); - check_net(&mut out_rule, End::Dst, *net); + check_net(&mut out_rule, End::Dst, net); add_verdict(&mut out_rule, &Verdict::Accept); self.batch.add(&out_rule, nftnl::MsgType::Add); } // LAN -> Multicast - for net in &*ALLOWED_LAN_MULTICAST_NETS { + for net in ALLOWED_LAN_MULTICAST_NETS { let mut rule = Rule::new(chain); - check_net(&mut rule, End::Dst, *net); + check_net(&mut rule, End::Dst, net); add_verdict(&mut rule, &Verdict::Accept); self.batch.add(&rule, nftnl::MsgType::Add); } @@ -906,9 +902,9 @@ impl<'a> PolicyBatch<'a> { // Input chain // LAN -> LAN - for net in &*ALLOWED_LAN_NETS { + for net in ALLOWED_LAN_NETS { let mut in_rule = Rule::new(&self.in_chain); - check_net(&mut in_rule, End::Src, *net); + check_net(&mut in_rule, End::Src, net); add_verdict(&mut in_rule, &Verdict::Accept); self.batch.add(&in_rule, nftnl::MsgType::Add); } diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs index 020b8d713c..d6f86ec2e6 100644 --- a/talpid-core/src/firewall/macos.rs +++ b/talpid-core/src/firewall/macos.rs 
@@ -698,29 +698,29 @@ impl Firewall { fn get_allow_lan_rules(&self) -> Result<Vec<pfctl::FilterRule>> { let mut rules = vec![]; - for net in &*ALLOWED_LAN_NETS { + for net in ALLOWED_LAN_NETS { let mut rule_builder = self.create_rule_builder(FilterRuleAction::Pass); rule_builder.quick(true); let allow_out = rule_builder .direction(pfctl::Direction::Out) .from(pfctl::Ip::Any) .keep_state(pfctl::StatePolicy::Keep) - .to(pfctl::Ip::from(*net)) + .to(pfctl::Ip::from(net)) .build()?; let allow_in = rule_builder .direction(pfctl::Direction::In) - .from(pfctl::Ip::from(*net)) + .from(pfctl::Ip::from(net)) .to(pfctl::Ip::Any) .build()?; rules.push(allow_out); rules.push(allow_in); } - for multicast_net in &*ALLOWED_LAN_MULTICAST_NETS { + for multicast_net in ALLOWED_LAN_MULTICAST_NETS { let allow_multicast_out = self .create_rule_builder(FilterRuleAction::Pass) .quick(true) .direction(pfctl::Direction::Out) - .to(pfctl::Ip::from(*multicast_net)) + .to(pfctl::Ip::from(multicast_net)) .build()?; rules.push(allow_multicast_out); } @@ -800,15 +800,15 @@ impl Firewall { // DHCPv6 dhcp_rule_builder.af(pfctl::AddrFamily::Ipv6); - for dhcpv6_server in &*super::DHCPV6_SERVER_ADDRS { + for dhcpv6_server in super::DHCPV6_SERVER_ADDRS { let allow_outgoing_dhcp_v6 = dhcp_rule_builder .direction(pfctl::Direction::Out) .from(pfctl::Endpoint::new( - IpNetwork::V6(*super::IPV6_LINK_LOCAL), + IpNetwork::V6(super::IPV6_LINK_LOCAL), pfctl::Port::from(super::DHCPV6_CLIENT_PORT), )) .to(pfctl::Endpoint::new( - *dhcpv6_server, + dhcpv6_server, pfctl::Port::from(super::DHCPV6_SERVER_PORT), )) .build()?; 
@@ -817,11 +817,11 @@ impl Firewall { let allow_incoming_dhcp_v6 = dhcp_rule_builder .direction(pfctl::Direction::In) .from(pfctl::Endpoint::new( - pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL)), + pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL)), pfctl::Port::from(super::DHCPV6_SERVER_PORT), )) .to(pfctl::Endpoint::new( - pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL)), + pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL)), pfctl::Port::from(super::DHCPV6_CLIENT_PORT), )) .build()?; @@ -843,21 +843,21 @@ impl Firewall { .clone() .direction(pfctl::Direction::Out) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::RouterSol)) - .to(*super::ROUTER_SOLICITATION_OUT_DST_ADDR) + .to(super::ROUTER_SOLICITATION_OUT_DST_ADDR) .build()?, // Incoming router advertisement from `fe80::/10` ndp_rule_builder .clone() .direction(pfctl::Direction::In) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::RouterAdv)) - .from(pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL))) + .from(pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL))) .build()?, // Incoming Redirect from `fe80::/10` ndp_rule_builder .clone() .direction(pfctl::Direction::In) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::Redir)) - .from(pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL))) + .from(pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL))) .build()?, // Outgoing neighbor solicitation to `ff02::1:ff00:0/104` and `fe80::/10` ndp_rule_builder 
@@ -865,28 +865,28 @@ impl Firewall { .direction(pfctl::Direction::Out) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::NeighbrSol)) .to(pfctl::Ip::from(IpNetwork::V6( - *super::SOLICITED_NODE_MULTICAST, + super::SOLICITED_NODE_MULTICAST, ))) .build()?, ndp_rule_builder .clone() .direction(pfctl::Direction::Out) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::NeighbrSol)) - .to(pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL))) + .to(pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL))) .build()?, // Incoming neighbor solicitation from `fe80::/10` ndp_rule_builder .clone() .direction(pfctl::Direction::In) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::NeighbrSol)) - .from(pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL))) + .from(pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL))) .build()?, // Outgoing neighbor advertisement to fe80::/10` ndp_rule_builder .clone() .direction(pfctl::Direction::Out) .icmp_type(pfctl::IcmpType::Icmp6(pfctl::Icmp6Type::NeighbrAdv)) - .to(pfctl::Ip::from(IpNetwork::V6(*super::IPV6_LINK_LOCAL))) + .to(pfctl::Ip::from(IpNetwork::V6(super::IPV6_LINK_LOCAL))) .build()?, // Incoming neighbor advertisement from anywhere ndp_rule_builder diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs index a13a447aa1..bb5ab1a2c9 100644 --- a/talpid-core/src/firewall/mod.rs +++ b/talpid-core/src/firewall/mod.rs @@ -4,7 +4,6 @@ use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network}; use std::{ fmt, net::{IpAddr, Ipv4Addr, Ipv6Addr}, - sync::LazyLock, }; use talpid_types::net::{ALLOWED_LAN_NETS, AllowedEndpoint, AllowedTunnelTraffic}; 
@@ -27,29 +26,24 @@ mod imp; pub use self::imp::Error; #[cfg(any(target_os = "linux", target_os = "macos"))] -static IPV6_LINK_LOCAL: LazyLock<Ipv6Network> = - LazyLock::new(|| Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()); +const IPV6_LINK_LOCAL: Ipv6Network = + Ipv6Network::new_checked(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap(); /// The allowed target addresses of outbound DHCPv6 requests #[cfg(any(target_os = "linux", target_os = "macos"))] -static DHCPV6_SERVER_ADDRS: LazyLock<[Ipv6Addr; 2]> = LazyLock::new(|| { - [ - Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 1, 2), - Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 1, 3), - ] -}); +const DHCPV6_SERVER_ADDRS: [Ipv6Addr; 2] = [ + Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 1, 2), + Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 1, 3), +]; + #[cfg(any(target_os = "linux", target_os = "macos"))] -static ROUTER_SOLICITATION_OUT_DST_ADDR: LazyLock<Ipv6Addr> = - LazyLock::new(|| Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 2)); +const ROUTER_SOLICITATION_OUT_DST_ADDR: Ipv6Addr = Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 2); #[cfg(any(target_os = "linux", target_os = "macos"))] -static SOLICITED_NODE_MULTICAST: LazyLock<Ipv6Network> = LazyLock::new(|| { - Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 1, 0xFF00, 0), 104).unwrap() -}); -static LOOPBACK_NETS: LazyLock<[IpNetwork; 2]> = LazyLock::new(|| { - [ - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap()), - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1), 128).unwrap()), - ] -}); +const SOLICITED_NODE_MULTICAST: Ipv6Network = + Ipv6Network::new_checked(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 1, 0xFF00, 0), 104).unwrap(); +const LOOPBACK_NETS: [IpNetwork; 2] = [ + IpNetwork::V4(Ipv4Network::new_checked(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap()), + IpNetwork::V6(Ipv6Network::new_checked(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1), 128).unwrap()), +]; #[cfg(all(unix, not(target_os = "android")))] const DHCPV4_SERVER_PORT: u16 = 67; 
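Review bot: `IPV6_LINK_LOCAL`, `ROUTER_SOLICITATION_OUT_DST_ADDR`, `SOLICITED_NODE_MULTICAST` and `LOOPBACK_NETS` have no doc comments, although the Linux and macOS allow rules in this commit are matched against them; only `DHCPV6_SERVER_ADDRS` is documented. I would add one line to each, for example `/// fe80::/10, IPv6 link-local unicast.`, `/// ff02::2, the all-routers multicast address that router solicitations are sent to.` and `/// ff02::1:ff00:0/104, solicited-node multicast.` Since the `unwrap()` now runs in a const initializer, a bad prefix length fails the build rather than panicking on first use. A short comment saying so would stop a later edit from moving these values back behind a runtime constructor.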
@@ -63,11 +57,10 @@ const DHCPV6_CLIENT_PORT: u16 = 546; const ROOT_UID: u32 = 0; /// Returns whether an address belongs to a private subnet. -pub fn is_local_address(address: &IpAddr) -> bool { - let address = *address; - (*ALLOWED_LAN_NETS) +pub fn is_local_address(address: IpAddr) -> bool { + ALLOWED_LAN_NETS .iter() - .chain(&*LOOPBACK_NETS) + .chain(&LOOPBACK_NETS) .any(|net| net.contains(address)) } diff --git a/talpid-tunnel/src/tun_provider/mod.rs b/talpid-tunnel/src/tun_provider/mod.rs index 8942186e07..7174427df2 100644 --- a/talpid-tunnel/src/tun_provider/mod.rs +++ b/talpid-tunnel/src/tun_provider/mod.rs @@ -1,11 +1,8 @@ #[cfg(target_os = "android")] use crate::tun_provider::imp::VpnServiceConfig; use cfg_if::cfg_if; -use ipnetwork::IpNetwork; -use std::{ - net::{IpAddr, Ipv4Addr, Ipv6Addr}, - sync::LazyLock, -}; +use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network}; +use std::net::{IpAddr, Ipv4Addr, Ipv6Addr}; cfg_if! { if #[cfg(target_os = "android")] { 
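Review bot: The doc comment on `is_local_address` still says "private subnet", but the body also matches `LOOPBACK_NETS` and, through `ALLOWED_LAN_NETS`, the link-local ranges 169.254.0.0/16 and fe80::/10. The caller in mullvad-daemon/src/dns.rs uses the result to decide which custom DNS servers are kept out of the tunnel, so the wording should name what actually counts: `/// Returns whether an address is loopback or inside one of ALLOWED_LAN_NETS (private, link-local and unique-local ranges).` It is also worth stating how IPv4-mapped IPv6 addresses are treated. Presumably they are not matched against the IPv4 ranges, because `contains` is evaluated per network; that is inferred from the ipnetwork API, not shown in this diff, so a test case would settle it.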
@@ -113,20 +110,16 @@ pub fn blocking_config() -> TunConfig { mtu: 1380, ipv4_gateway: Ipv4Addr::new(10, 64, 0, 1), ipv6_gateway: None, - routes: DEFAULT_ROUTES.clone(), + routes: DEFAULT_ROUTES.to_vec(), allow_lan: false, dns_servers: None, excluded_packages: vec![], } } -static DEFAULT_ROUTES: LazyLock<Vec<IpNetwork>> = - LazyLock::new(|| vec![*IPV4_DEFAULT_ROUTE, *IPV6_DEFAULT_ROUTE]); -static IPV4_DEFAULT_ROUTE: LazyLock<IpNetwork> = LazyLock::new(|| { - IpNetwork::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 0) - .expect("Invalid IP network prefix for IPv4 address") -}); -static IPV6_DEFAULT_ROUTE: LazyLock<IpNetwork> = LazyLock::new(|| { - IpNetwork::new(IpAddr::V6(Ipv6Addr::UNSPECIFIED), 0) - .expect("Invalid IP network prefix for IPv6 address") -}); +const DEFAULT_ROUTES: [IpNetwork; 2] = [ + IpNetwork::V4(IPV4_DEFAULT_ROUTE), + IpNetwork::V6(IPV6_DEFAULT_ROUTE), +]; +const IPV4_DEFAULT_ROUTE: Ipv4Network = Ipv4Network::new_checked(Ipv4Addr::UNSPECIFIED, 0).unwrap(); +const IPV6_DEFAULT_ROUTE: Ipv6Network = Ipv6Network::new_checked(Ipv6Addr::UNSPECIFIED, 0).unwrap(); diff --git a/talpid-types/src/bin/generate-cpp-lannetworks.rs b/talpid-types/src/bin/generate-cpp-lannetworks.rs index 977b7ca541..18db692e90 100644 --- a/talpid-types/src/bin/generate-cpp-lannetworks.rs +++ b/talpid-types/src/bin/generate-cpp-lannetworks.rs 
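Review bot: `DEFAULT_ROUTES`, `IPV4_DEFAULT_ROUTE` and `IPV6_DEFAULT_ROUTE` are undocumented, and the rewrite drops the `expect` messages that were the only description of them. `blocking_config()` copies `DEFAULT_ROUTES` into the `routes` of the blocking tunnel config, so a reader should be able to see at the definition that both address families are meant to be covered. I would add `/// Both default routes (0.0.0.0/0 and ::/0); used as the routes of the blocking tunnel config.` above `DEFAULT_ROUTES`, and a one-line `///` on each of the two route constants.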
@@ -15,12 +15,12 @@ fn generate_allowed_nets_cpp_header(mut w: impl Write) -> io::Result<()> { writeln!(w)?; let (ipv4_nets, ipv6_nets): (Vec<IpNetwork>, _) = - (*ALLOWED_LAN_NETS).iter().partition(|net| net.is_ipv4()); + ALLOWED_LAN_NETS.iter().partition(|net| net.is_ipv4()); generate_ip_network_cpp_definitions(&mut w, "g_ipv4LanNets", &ipv4_nets)?; generate_ip_network_cpp_definitions(&mut w, "g_ipv6LanNets", &ipv6_nets)?; let (ipv4_multicast_nets, ipv6_multicast_nets): (Vec<IpNetwork>, _) = - (*ALLOWED_LAN_MULTICAST_NETS) + ALLOWED_LAN_MULTICAST_NETS .iter() .partition(|net| net.is_ipv4()); generate_ip_network_cpp_definitions(&mut w, "g_ipv4MulticastNets", &ipv4_multicast_nets)?; diff --git a/talpid-types/src/net/allowed_nets.rs b/talpid-types/src/net/allowed_nets.rs index 26d48b8f77..03776ad56c 100644 --- a/talpid-types/src/net/allowed_nets.rs +++ b/talpid-types/src/net/allowed_nets.rs 
@@ -1,38 +1,42 @@ use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network}; -use std::{ - net::{Ipv4Addr, Ipv6Addr}, - sync::LazyLock, -}; +use std::net::{Ipv4Addr, Ipv6Addr}; /// When "allow local network" is enabled the app will allow traffic to and from these networks. -pub static ALLOWED_LAN_NETS: LazyLock<[IpNetwork; 6]> = LazyLock::new(|| { - [ - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap()), - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap()), - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()), - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()), - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()), - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()), - ] -}); +pub const ALLOWED_LAN_NETS: [IpNetwork; 6] = [ + v4(Ipv4Addr::new(10, 0, 0, 0), 8), + v4(Ipv4Addr::new(172, 16, 0, 0), 12), + v4(Ipv4Addr::new(192, 168, 0, 0), 16), + v4(Ipv4Addr::new(169, 254, 0, 0), 16), + v6(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10), + v6(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7), +]; + /// When "allow local network" is enabled the app will allow traffic to these networks. -pub static ALLOWED_LAN_MULTICAST_NETS: LazyLock<[IpNetwork; 8]> = LazyLock::new(|| { - [ - // Local network broadcast. Not routable - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(255, 255, 255, 255), 32).unwrap()), - // Local subnetwork multicast. Not routable - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap()), - // Admin-local IPv4 multicast. - IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(239, 0, 0, 0), 8).unwrap()), - // Interface-local IPv6 multicast. - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()), - // Link-local IPv6 multicast. 
IPv6 equivalent of 224.0.0.0/24 - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()), - // Realm-local IPv6 multicast. - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()), - // Admin-local IPv6 multicast. - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()), - // Site-local IPv6 multicast. - IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()), - ] -}); +pub const ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 8] = [ + // Local network broadcast. Not routable + v4(Ipv4Addr::new(255, 255, 255, 255), 32), + // Local subnetwork multicast. Not routable + v4(Ipv4Addr::new(224, 0, 0, 0), 24), + // Admin-local IPv4 multicast. + v4(Ipv4Addr::new(239, 0, 0, 0), 8), + // Interface-local IPv6 multicast. + v6(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16), + // Link-local IPv6 multicast. IPv6 equivalent of 224.0.0.0/24 + v6(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16), + // Realm-local IPv6 multicast. + v6(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16), + // Admin-local IPv6 multicast. + v6(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16), + // Site-local IPv6 multicast. + v6(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16), +]; + +// Short-hand for `IpNetwork::V4(Ipv4Network::new_checked(address, prefix).unwrap())`. +const fn v4(address: Ipv4Addr, prefix: u8) -> IpNetwork { + IpNetwork::V4(Ipv4Network::new_checked(address, prefix).unwrap()) +} + +// Short-hand for `IpNetwork::V6(Ipv6Network::new_checked(address, prefix).unwrap())`. +const fn v6(address: Ipv6Addr, prefix: u8) -> IpNetwork { + IpNetwork::V6(Ipv6Network::new_checked(address, prefix).unwrap()) +} |
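Review bot: The `v4` and `v6` helpers unwrap `new_checked`, which as far as I know validates only the prefix length, so an entry with host bits set (a typo such as 10.0.0.1/8) would still compile. It would then flow into the firewall allow rules and the generated C++ header. A small unit test over `ALLOWED_LAN_NETS` and `ALLOWED_LAN_MULTICAST_NETS` that asserts `net.ip() == net.network()` for every entry would pin both lists to canonical network form. The helper comments could also become `///` and say that an out-of-range prefix is a compile-time error only because every call site is a const initializer.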
