| author | David Lönnhager <david.l@mullvad.net> | 2021-04-12 13:18:20 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2021-04-16 17:41:46 +0200 |
| commit | baf8e862426ef16c5c94a4498569ff1f28272678 (patch) | |
| tree | f5d9211f1dc8f79aefe6a41a3cc9e0ece183e555 | |
| parent | 5da8724dabde03ee94ab03d48cb95cd1ad480c3a (diff) | |
| download | mullvadvpn-baf8e862426ef16c5c94a4498569ff1f28272678.tar.xz mullvadvpn-baf8e862426ef16c5c94a4498569ff1f28272678.zip | |
Add nftables forward chain
| -rw-r--r-- | talpid-core/src/firewall/linux.rs | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 19aa94a54c..5e73ea12b0 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -61,6 +61,7 @@ lazy_static! {
 static ref TABLE_NAME: CString = CString::new("mullvad").unwrap();
 static ref IN_CHAIN_NAME: CString = CString::new("input").unwrap();
 static ref OUT_CHAIN_NAME: CString = CString::new("output").unwrap();
+ static ref FORWARD_CHAIN_NAME: CString = CString::new("forward").unwrap();
 static ref PREROUTING_CHAIN_NAME: CString = CString::new("prerouting").unwrap();
 
 /// We need two separate tables for compatibility with older kernels (holds true for kernel
@@ -229,6 +230,7 @@ struct PolicyBatch<'a> {
 batch: Batch,
 in_chain: Chain<'a>,
 out_chain: Chain<'a>,
+ forward_chain: Chain<'a>,
 prerouting_chain: Chain<'a>,
 mangle_chain_v4: Chain<'a>,
 mangle_chain_v6: Chain<'a>,
@@ -246,16 +248,22 @@ impl<'a> PolicyBatch<'a> {
 prerouting_chain.set_type(nftnl::ChainType::Filter);
 
 let mut out_chain = Chain::new(&*OUT_CHAIN_NAME, &tables.main);
- let mut in_chain = Chain::new(&*IN_CHAIN_NAME, &tables.main);
 out_chain.set_hook(nftnl::Hook::Out, 0);
- in_chain.set_hook(nftnl::Hook::In, 0);
 out_chain.set_policy(nftnl::Policy::Drop);
+
+ let mut in_chain = Chain::new(&*IN_CHAIN_NAME, &tables.main);
+ in_chain.set_hook(nftnl::Hook::In, 0);
 in_chain.set_policy(nftnl::Policy::Drop);
 
+ let mut forward_chain = Chain::new(&*FORWARD_CHAIN_NAME, &tables.main);
+ forward_chain.set_hook(nftnl::Hook::Forward, 0);
+ forward_chain.set_policy(nftnl::Policy::Drop);
+
 Self::flush_table(&mut batch, &tables.main);
 batch.add(&prerouting_chain, nftnl::MsgType::Add);
 batch.add(&out_chain, nftnl::MsgType::Add);
 batch.add(&in_chain, nftnl::MsgType::Add);
+ batch.add(&forward_chain, nftnl::MsgType::Add);
 
 Self::flush_table(&mut batch, &tables.mangle_v4);
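Review bot: The new `forward_chain` field added to `PolicyBatch` carries no doc comment, and nothing in this commit adds a rule to that chain, so with the `Policy::Drop` set on it in the constructor every packet traversing the forward hook is dropped. If an unconditional drop of forwarded traffic is the intended default, it is worth stating on the field, e.g. `/// Chain on the nftables forward hook with a default drop policy; packets routed through this host are dropped unless a rule added here accepts them.` Whether rules are later attached to it (for tunnel traffic or similar) cannot be confirmed from this diff, since the rule-building code and the tail of the constructor hunk lie outside the shown lines.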
@@ -289,6 +297,7 @@ impl<'a> PolicyBatch<'a> {
 batch,
 in_chain,
 out_chain,
+ forward_chain,
 prerouting_chain,
 mangle_chain_v4,
 mangle_chain_v6,
