| author | David Lönnhager <david.l@mullvad.net> | 2024-04-17 11:04:04 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2024-04-19 09:25:08 +0200 |
| commit | a38d103f5e901ce1da2fde4278c2cad03cd92194 (patch) | |
| tree | 412aa07566a70a9e7954827c57531c0b1cb2200d | |
| parent | f7050a927b5062ce24a4071a78c894963f1408fe (diff) | |
| download | mullvadvpn-a38d103f5e901ce1da2fde4278c2cad03cd92194.tar.xz mullvadvpn-a38d103f5e901ce1da2fde4278c2cad03cd92194.zip | |
Flush PF states using pfctl-rs
This fixes a leak where already-existing connections survived entering secured
states, e.g. when internet sharing was enabled.
| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 07e74f45ff..b3502a8441 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -49,7 +49,15 @@ impl Firewall {
 pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> {
 self.enable()?;
 self.add_anchor()?;
- self.set_rules(policy)
+ self.set_rules(policy)?;
+
+ // When entering a secured state, clear connection states
+ // Otherwise, an existing connection may be approved by some other anchor, and leak
+ if let Err(error) = self.pf.clear_interface_states(pfctl::Interface::Any) {
+ log::error!("Failed to clear source state tracking nodes: {error}");
+ }
+
+ Ok(())
 }
 
 pub fn reset_policy(&mut self) -> Result<()> { |
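Review bot: The log message on the `log::error!` line does not match what the call does: `clear_interface_states` flushes the connection state entries, while "source state tracking nodes" is pf's term for the separate source-tracking table, so an operator reading the log would look at the wrong thing; `log::error!("Failed to clear PF states: {error}");` matches the comment above it. More importantly, the failure is only logged and `apply_policy` still returns `Ok(())`, so a failed flush leaves exactly the pre-existing connections this commit is meant to cut off alive while the caller believes the secured policy is fully in effect; if the function's error type has a variant for pf failures (not visible in this hunk), propagating with `self.pf.clear_interface_states(pfctl::Interface::Any)?` (wrapped in that variant) would make the leak visible instead of silent, and if best-effort is intentional the comment should say so. The comment also says "when entering a secured state" but the flush runs for every policy passed to `apply_policy`; if unsecured policies also go through here, state the intended behaviour, e.g. `// Flush existing states on every policy change so connections admitted under the previous rule set are re-evaluated against the new one`. `apply_policy` is fully contained in the hunk; `reset_policy` begins on the last hunk line and continues outside it.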
