authorLinus Färnstrand <linus@mullvad.net>2019-01-14 13:41:28 +0100
committerLinus Färnstrand <linus@mullvad.net>2019-01-14 13:41:28 +0100
commitb08e79578b43f523baecba5d0a189faaa20a23fa (patch)
tree59b8e0a36f6ba184f7b6d0f5e2079e954b6f2cb9
parent64a86007db6b015069a12dcb920735b86d22f457 (diff)
parent4a9a125c9453ab904e3f2816315271f69b04c3ed (diff)
Merge branch 'allow-169-254-private-net'
-rw-r--r--CHANGELOG.md2
-rw-r--r--talpid-core/src/security/mod.rs3
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp28
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h2
-rw-r--r--windows/winfw/src/winfw/rules/permitlan.cpp21
-rw-r--r--windows/winfw/src/winfw/rules/permitlanservice.cpp18
6 files changed, 72 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d83a18fd5c..9e9d2afc13 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,8 @@ Line wrap the file at 100 chars. Th
state as blocked when appropriate and also having a toggle switch for the setting in the Advanced
Settings screen.
- Add a drop-down warning to notify the user when the account credits are running low.
+- Allow the 169.254.0.0/16 private network in addition to the other networks allowed when local
+ network sharing is enabled.
#### macOS
- Add a monochromatic tray icon option for the GUI.
diff --git a/talpid-core/src/security/mod.rs b/talpid-core/src/security/mod.rs
index ff59c0507e..8a51155c97 100644
--- a/talpid-core/src/security/mod.rs
+++ b/talpid-core/src/security/mod.rs
@@ -25,10 +25,11 @@ pub use self::imp::{DnsError, Error};
#[cfg(unix)]
lazy_static! {
- static ref PRIVATE_NETS: [IpNetwork; 3] = [
+ static ref PRIVATE_NETS: [IpNetwork; 4] = [
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()),
+ IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()),
];
static ref LOCAL_INET6_NET: IpNetwork =
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap());
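Review bot: The new fourth entry of `PRIVATE_NETS` is 169.254.0.0/16, which is the IPv4 link-local range (RFC 3927) rather than one of the RFC 1918 private ranges the name suggests, and nothing in the hunk says so. I would add a comment above the entry, e.g. `// 169.254.0.0/16: IPv4 link-local (RFC 3927), self-assigned when no DHCP lease is available`, so that someone auditing which networks are allowed with local network sharing enabled can see why it is listed. How `PRIVATE_NETS` is consumed by the unix firewall code is outside this hunk, so it is worth confirming that it is matched the same way as the Windows rules in this commit, which require both the local and the remote address to be inside the range. The `lazy_static!` block continues past the end of the hunk.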
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 0988e68814..8f717d329b 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -142,6 +142,20 @@ const GUID &MullvadGuids::FilterPermitLan_192_168_16()
}
//static
+const GUID &MullvadGuids::FilterPermitLan_169_254_16()
+{
+ static const GUID g =
+ {
+ 0x58718a9e,
+ 0x7ec1,
+ 0x4dee,
+ { 0x8d, 0x3f, 0x16, 0x5b, 0x95, 0x5d, 0xb5, 0x42 }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::FilterPermitLan_Multicast()
{
static const GUID g =
@@ -226,6 +240,20 @@ const GUID &MullvadGuids::FilterPermitLanService_192_168_16()
}
//static
+const GUID &MullvadGuids::FilterPermitLanService_169_254_16()
+{
+ static const GUID g =
+ {
+ 0x39d9b695,
+ 0x5c27,
+ 0x42a6,
+ { 0xba, 0xea, 0x8c, 0x4b, 0xe0, 0x7e, 0x66, 0x3e }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::FilterPermitLanService_Ipv6_fe80_10()
{
static const GUID g =
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 53bebaba13..3b9e9bbecf 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -19,6 +19,7 @@ public:
static const GUID &FilterPermitLan_10_8();
static const GUID &FilterPermitLan_172_16_12();
static const GUID &FilterPermitLan_192_168_16();
+ static const GUID &FilterPermitLan_169_254_16();
static const GUID &FilterPermitLan_Multicast();
static const GUID &FilterPermitLan_Ipv6_fe80_10();
static const GUID &FilterPermitLan_Ipv6_Multicast();
@@ -26,6 +27,7 @@ public:
static const GUID &FilterPermitLanService_10_8();
static const GUID &FilterPermitLanService_172_16_12();
static const GUID &FilterPermitLanService_192_168_16();
+ static const GUID &FilterPermitLanService_169_254_16();
static const GUID &FilterPermitLanService_Ipv6_fe80_10();
static const GUID &FilterPermitLoopback_Outbound_Ipv4();
diff --git a/windows/winfw/src/winfw/rules/permitlan.cpp b/windows/winfw/src/winfw/rules/permitlan.cpp
index 00e06aa2bf..4adc882163 100644
--- a/windows/winfw/src/winfw/rules/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/permitlan.cpp
@@ -81,7 +81,25 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const
}
//
- // #4 LAN to multicast
+ // #4 locally-initiated on 169.254/16
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitLan_169_254_16())
+ .name(L"Permit locally-initiated traffic on 169.254/16");
+
+ conditionBuilder.reset();
+
+ conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16)));
+ conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16)));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+
+ //
+ // #5 LAN to multicast
//
filterBuilder
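Review bot: The `{ 169, 254, 0, 0 }` / `uint8_t(16)` pair is written out by hand in both conditions of the new filter #4, again in the multicast filter in the next hunk of this file, and twice more in permitlanservice.cpp, alongside the separate Rust list in talpid-core/src/security/mod.rs. These literals together define which traffic the firewall permits, so a typo in one copy would silently widen or narrow a single rule. A shared named constant for the network and prefix length, used by all the IPv4 LAN filters, would keep the copies in step. The section comment could also say what the range is, e.g. `// #4 locally-initiated on 169.254/16 (IPv4 link-local)`. `applyIpv4` starts and ends outside this hunk.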
@@ -93,6 +111,7 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const
conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), uint8_t(8)));
conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), uint8_t(12)));
conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16)));
+ conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16)));
conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 224, 0, 0, 0 }), uint8_t(24)));
// Special multicast for SSDP.
diff --git a/windows/winfw/src/winfw/rules/permitlanservice.cpp b/windows/winfw/src/winfw/rules/permitlanservice.cpp
index 8a9db00913..8f23270b94 100644
--- a/windows/winfw/src/winfw/rules/permitlanservice.cpp
+++ b/windows/winfw/src/winfw/rules/permitlanservice.cpp
@@ -75,6 +75,24 @@ bool PermitLanService::applyIpv4(IObjectInstaller &objectInstaller) const
conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16)));
conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16)));
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+
+ //
+ // #4 incoming request on 169.254/16
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitLanService_169_254_16())
+ .name(L"Permit incoming requests on 169.254/16");
+
+ conditionBuilder.reset();
+
+ conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16)));
+ conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16)));
+
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
}
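Review bot: The new filter #4 permits incoming requests whenever both the local and the remote address fall in 169.254.0.0/16, and that range is self-assigned by hosts rather than handed out by a DHCP server or router, so a remote address inside it says less about the peer than it does for the three ranges above. Nothing in the visible conditions narrows the rule further by interface, port or protocol. Whether the filter setup earlier in `applyIpv4` does so is outside this hunk. If treating link-local peers exactly like other LAN peers is intended, a comment on the block would record that decision, e.g. `// Link-local (169.254/16) peers are treated like any other LAN peer when LAN sharing is enabled`.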