| author | Linus Färnstrand <linus@mullvad.net> | 2018-10-31 17:30:44 +0100 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2018-10-31 18:09:32 +0100 |
| commit | 95b3076cb5baf66212e228eef70dae4d9a91c5f6 (patch) | |
| tree | 7a1d01725e1e57b48cee53d7528deb2f15993dec | |
| parent | e1e05b3ff3d40a5084c0020446e651b4e053d521 (diff) | |
| download | mullvadvpn-95b3076cb5baf66212e228eef70dae4d9a91c5f6.tar.xz mullvadvpn-95b3076cb5baf66212e228eef70dae4d9a91c5f6.zip | |
Check server IP on incoming DHCPv6
| -rw-r--r-- | talpid-core/src/security/linux/mod.rs | 9 | ||||
| -rw-r--r-- | talpid-core/src/security/macos/mod.rs | 5 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/permitdhcp.cpp | 1 |
3 files changed, 10 insertions, 5 deletions
diff --git a/talpid-core/src/security/linux/mod.rs b/talpid-core/src/security/linux/mod.rs
index ea1a8d4447..e57db996e7 100644
--- a/talpid-core/src/security/linux/mod.rs
+++ b/talpid-core/src/security/linux/mod.rs
@@ -221,8 +221,8 @@ impl<'a> PolicyBatch<'a> {
         {
             let mut out_v4 = Rule::new(&self.out_chain)?;
             check_port(&mut out_v4, Udp, End::Src, CLIENT_PORT_V4)?;
-            check_port(&mut out_v4, Udp, End::Dst, SERVER_PORT_V4)?;
             check_ip(&mut out_v4, End::Dst, IpAddr::V4(Ipv4Addr::BROADCAST))?;
+            check_port(&mut out_v4, Udp, End::Dst, SERVER_PORT_V4)?;
             add_verdict(&mut out_v4, &Verdict::Accept)?;
             self.batch.add(&out_v4, nftnl::MsgType::Add)?;
         }
@@ -235,18 +235,19 @@ impl<'a> PolicyBatch<'a> {
         }
         for dhcpv6_server in &*super::DHCPV6_SERVER_ADDRS {
             let mut out_v6 = Rule::new(&self.out_chain)?;
-            check_port(&mut out_v6, Udp, End::Src, CLIENT_PORT_V6)?;
             check_net(&mut out_v6, End::Src, *super::LOCAL_INET6_NET)?;
-            check_port(&mut out_v6, Udp, End::Dst, SERVER_PORT_V6)?;
+            check_port(&mut out_v6, Udp, End::Src, CLIENT_PORT_V6)?;
             check_ip(&mut out_v6, End::Dst, *dhcpv6_server)?;
+            check_port(&mut out_v6, Udp, End::Dst, SERVER_PORT_V6)?;
             add_verdict(&mut out_v6, &Verdict::Accept)?;
             self.batch.add(&out_v6, nftnl::MsgType::Add)?;
         }
         {
             let mut in_v6 = Rule::new(&self.in_chain)?;
+            check_net(&mut in_v6, End::Src, *super::LOCAL_INET6_NET)?;
             check_port(&mut in_v6, Udp, End::Src, SERVER_PORT_V6)?;
-            check_port(&mut in_v6, Udp, End::Dst, CLIENT_PORT_V6)?;
             check_net(&mut in_v6, End::Dst, *super::LOCAL_INET6_NET)?;
+            check_port(&mut in_v6, Udp, End::Dst, CLIENT_PORT_V6)?;
             add_verdict(&mut in_v6, &Verdict::Accept)?;
             self.batch.add(&in_v6, nftnl::MsgType::Add)?;
         }
diff --git a/talpid-core/src/security/macos/mod.rs b/talpid-core/src/security/macos/mod.rs
index 4fb711e4da..4fae5368ec 100644
--- a/talpid-core/src/security/macos/mod.rs
+++ b/talpid-core/src/security/macos/mod.rs
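Review bot: The new `check_net(&mut in_v6, End::Src, *super::LOCAL_INET6_NET)?;` pins the sender of incoming DHCPv6 only to a prefix (judging from the Windows counterpart in this commit, the link-local range), so any on-link host sourcing from UDP SERVER_PORT_V6 still matches, whereas the outgoing rule pins the destination to each entry of `DHCPV6_SERVER_ADDRS`. That asymmetry is inherent to the protocol — servers and relays answer from their own link-local unicast address, which the client cannot know in advance — so the rule is about as tight as a stateless filter allows, but nothing in the code records why the two directions differ. Suggest a comment above `let mut in_v6`, e.g. `// Replies come from the server's/relay's own link-local address, which is not known up front, so only the prefix can be pinned here.` The same point applies to the macOS `.from(pfctl::Endpoint::new(*super::LOCAL_INET6_NET, server_port_v6))` hunk and the Windows `ConditionIp::Remote(fe80, uint8_t(10))` hunk below. The enclosing method begins before this hunk and its body continues past it.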
@@ -268,7 +268,10 @@ impl NetworkSecurity {
         let allow_incoming_dhcp_v6 = dhcp_rule_builder
             .af(pfctl::AddrFamily::Ipv6)
             .direction(pfctl::Direction::In)
-            .from(server_port_v6)
+            .from(pfctl::Endpoint::new(
+                *super::LOCAL_INET6_NET,
+                server_port_v6,
+            ))
             .to(pfctl::Endpoint::new(
                 *super::LOCAL_INET6_NET,
                 client_port_v6,
diff --git a/windows/winfw/src/winfw/rules/permitdhcp.cpp b/windows/winfw/src/winfw/rules/permitdhcp.cpp
index 86bafbb71d..4650a3586f 100644
--- a/windows/winfw/src/winfw/rules/permitdhcp.cpp
+++ b/windows/winfw/src/winfw/rules/permitdhcp.cpp
@@ -117,6 +117,7 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller)
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 	conditionBuilder.add_condition(ConditionProtocol::Udp());
+	conditionBuilder.add_condition(ConditionIp::Remote(fe80, uint8_t(10)));
 	conditionBuilder.add_condition(ConditionPort::Remote(547));
 	conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10)));
 	conditionBuilder.add_condition(ConditionPort::Local(546));
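Review bot: The added `conditionBuilder.add_condition(ConditionIp::Remote(fe80, uint8_t(10)));` repeats the `fe80, uint8_t(10)` pair that `ConditionIp::Local(fe80, uint8_t(10))` two lines below already carries, and the port literals 547 and 546 are bare numbers where the Rust side of this commit uses SERVER_PORT_V6 and CLIENT_PORT_V6. Naming them once, e.g. `const uint8_t LINK_LOCAL_PREFIX_LEN = 10;` (constructed name) next to wherever `fe80` is defined, plus named server/client port constants, would keep the remote and local conditions from drifting apart on a future edit. `fe80` itself is defined outside the hunk, and `PermitDhcp::apply` begins before and continues after it.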
