authorLinus Färnstrand <linus@mullvad.net>2020-04-03 10:00:58 +0200
committerLinus Färnstrand <linus@mullvad.net>2020-04-03 11:50:11 +0200
commitba31bee6e84bea28ee0e01cf4da414b15826f985 (patch)
treecc27028abdfa69b9b99406c16661bd492d8bac0b
parentd3dae68c25035c24292c849c222e73a57318484d (diff)
Allow fc00::/7 instead of fd00::/8 for unique local addresses
-rw-r--r--CHANGELOG.md3
-rw-r--r--docs/security.md2
-rw-r--r--talpid-core/src/firewall/mod.rs2
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitlan.cpp2
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp2
5 files changed, 7 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a4022d8d9..b77ae029fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,9 @@ Line wrap the file at 100 chars. Th
- Add WireGuard MTU setting.
### Changed
+- Allow `fc00::/7` instead of `fd00::/8` in the firewall when local network sharing is enabled.
+ Should unblock all unique local addresses.
+
#### Windows
- Windows 7 only: Address packet loss issues with OpenVPN on some systems by reverting the TAP
adapter driver to an older NDIS 5 driver.
diff --git a/docs/security.md b/docs/security.md
index bcd1723177..6ec2547bba 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -76,7 +76,7 @@ The following network traffic is allowed or blocked independent of state:
* `192.168.0.0/16`
* `169.254.0.0/16` (Link-local IPv4 range)
* `fe80::/10` (Link-local IPv6 range)
- * `fd00::/8` (Unique-local range)
+ * `fc00::/7` (Unique local address (ULA) range)
* Outgoing to any IP in a local, unroutable, multicast network, meaning these:
* `224.0.0.0/24` (Local subnet IPv4 multicast)
* `239.255.0.0/16` (IPv4 local scope. eg. SSDP and mDNS)
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 1ac58070f8..110b0bb2a1 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -37,7 +37,7 @@ lazy_static! {
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()),
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()),
- IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0), 8).unwrap()),
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()),
];
/// When "allow local network" is enabled the app will allow traffic to these networks.
pub(crate) static ref ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 8] = [
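Review bot: The widened entry on the `0xfc00 … 7` line also admits fc00::/8, the half of the ULA block that RFC 4193 leaves undefined (L bit = 0); only fd00::/8 is assigned today, so the allow rule now covers a range no host should currently be using. If the intent, as the commit title suggests, is to track the whole fc00::/7 allocation for forward compatibility, that trade-off deserves a comment next to the entry, e.g. `// fc00::/7 is the full ULA allocation (RFC 4193); only fd00::/8 is assigned today, the fc00::/8 half is included for forward compatibility.` The same widening is made in permitlan.cpp and permitlanservice.cpp and the same comment applies to both `uniqueLocal` definitions. The `lazy_static!` array this entry belongs to starts and ends outside the hunk.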
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
index e655020287..2397c78cdd 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
@@ -90,7 +90,7 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10);
- const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFD00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 8);
+ const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFC00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 7);
conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
conditionBuilder.add_condition(ConditionIp::Remote(uniqueLocal));
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
index 041afd5492..d729b4ad52 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
@@ -66,7 +66,7 @@ bool PermitLanService::applyIpv6(IObjectInstaller &objectInstaller) const
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }, 10);
- const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFD00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 8);
+ const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFC00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 7);
conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
conditionBuilder.add_condition(ConditionIp::Remote(uniqueLocal));