authorDavid Lönnhager <david.l@mullvad.net>2024-04-17 11:04:04 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-04-19 09:25:08 +0200
commita38d103f5e901ce1da2fde4278c2cad03cd92194 (patch)
tree412aa07566a70a9e7954827c57531c0b1cb2200d
parentf7050a927b5062ce24a4071a78c894963f1408fe (diff)
downloadmullvadvpn-a38d103f5e901ce1da2fde4278c2cad03cd92194.tar.xz
mullvadvpn-a38d103f5e901ce1da2fde4278c2cad03cd92194.zip
Flush PF states using pfctl-rs
This fixes a leak of already-existing connections when entering secured states, e.g. when internet sharing was enabled
-rw-r--r--talpid-core/src/firewall/macos.rs10
1 files changed, 9 insertions, 1 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 07e74f45ff..b3502a8441 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -49,7 +49,15 @@ impl Firewall {
pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> {
self.enable()?;
self.add_anchor()?;
- self.set_rules(policy)
+ self.set_rules(policy)?;
+
+ // When entering a secured state, clear connection states
+ // Otherwise, an existing connection may be approved by some other anchor, and leak
+ if let Err(error) = self.pf.clear_interface_states(pfctl::Interface::Any) {
+ log::error!("Failed to clear source state tracking nodes: {error}");
+ }
+
+ Ok(())
}
pub fn reset_policy(&mut self) -> Result<()> {
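Review bot: A failure of `clear_interface_states` is only logged and `apply_policy` still returns `Ok(())`, so the caller is told the secured policy is fully in place while the pre-existing states this commit is meant to flush may still be allowed through by another anchor. Since the flush is the leak fix itself, a fail-closed approach would propagate the error, e.g. `self.pf.clear_interface_states(pfctl::Interface::Any)?;` or an explicit `map_err` into the firewall error type (the `Result` alias and its `From` impls are outside the hunk, so the exact conversion is not visible here); if best-effort is intended, the comment should say so and why. The log text `"Failed to clear source state tracking nodes"` also appears to describe something other than what is called: `clear_interface_states` flushes state-table entries for an interface, so `"Failed to clear PF states: {error}"` would match the operation. Finally, the comment says the flush happens "when entering a secured state", but the call runs on every `apply_policy` invocation regardless of the `policy` value, which presumably also drops established states on policy transitions that are not entering a secured state; either gate it on the policy kind or reword the comment to `// Flush all PF states on every policy change: an existing connection may otherwise be approved by some other anchor and leak`.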