| author | David Lönnhager <david.l@mullvad.net> | 2024-04-19 09:25:36 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2024-04-19 09:25:36 +0200 |
| commit | d54dcc638062b61ad9b650a366d14b16e3f52d4c (patch) | |
| tree | aa70975bcf39f8978ab200ef32e136bf82b069fe | |
| parent | 774b760b7bbdc14c27b21fc986e6bbd8a26db269 (diff) | |
| parent | 511a6e534e4f9b080ecf717c9a5fb9331d3b8e61 (diff) | |
| download | mullvadvpn-d54dcc638062b61ad9b650a366d14b16e3f52d4c.tar.xz mullvadvpn-d54dcc638062b61ad9b650a366d14b16e3f52d4c.zip | |
Merge branch 'macos-flush-states-for-transitions'
| -rw-r--r-- | CHANGELOG.md | 5 | ||||
| -rw-r--r-- | Cargo.lock | 4 | ||||
| -rw-r--r-- | talpid-core/Cargo.toml | 2 | ||||
| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 10 |
4 files changed, 17 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d37ca3025a..76dd17e16c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,11 @@ Line wrap the file at 100 chars. Th
 #### macOS
 - DNS was not properly restored in some cases when using custom DNS.
+### Security
+#### macOS
+- Flush states on tunnel state changes. Previously, pre-existing connections could leak when
+ internet sharing was enabled on a device.
+
 ## [2024.2-beta1] - 2024-04-15
 ### Added
diff --git a/Cargo.lock b/Cargo.lock
index eedb5dd480..fb0d7780c6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2665,9 +2665,9 @@ dependencies = [
 [[package]]
 name = "pfctl"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5e0c1e1bc65fb241166b7ec8278d89cc2432d41adcbe57ffe1095c81e1d7b44"
+checksum = "27590368dee28aa01e3024b639818a6bf0ad31635d9eca000aad63021a59284d"
 dependencies = [
 "derive_builder",
 "errno 0.2.8",
diff --git a/talpid-core/Cargo.toml b/talpid-core/Cargo.toml
index da10c68513..923ce42a11 100644
--- a/talpid-core/Cargo.toml
+++ b/talpid-core/Cargo.toml
@@ -48,7 +48,7 @@ duct = "0.13"
 [target.'cfg(target_os = "macos")'.dependencies]
 async-trait = "0.1"
 duct = "0.13"
-pfctl = "0.4.4"
+pfctl = "0.4.6"
 subslice = "0.2"
 system-configuration = "0.5.1"
 hickory-proto = { git = "https://github.com/mullvad/hickory-dns", rev = "9e8f8c67fbcb6d2985503027362a3fb022529802" }
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 07e74f45ff..b3502a8441 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -49,7 +49,15 @@ impl Firewall {
 pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> {
 self.enable()?;
 self.add_anchor()?;
- self.set_rules(policy)
+ self.set_rules(policy)?;
+
+ // When entering a secured state, clear connection states
+ // Otherwise, an existing connection may be approved by some other anchor, and leak
+ if let Err(error) = self.pf.clear_interface_states(pfctl::Interface::Any) {
+ log::error!("Failed to clear source state tracking nodes: {error}");
+ }
+
+ Ok(())
 }
 pub fn reset_policy(&mut self) -> Result<()> {
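Review bot: A failed state flush is only logged and `apply_policy` still returns `Ok(())`, so the caller sees a successfully applied policy even when the step that closes pre-existing connections did not take effect; unless best-effort is deliberate, propagate the error through the crate's `Result` alias the same way `set_rules` failures already are, and if it is deliberate, say so in the comment above the `if let`. The log text also does not match the call: `clear_interface_states(pfctl::Interface::Any)` flushes interface states, while the message speaks of "source state tracking nodes", so `log::error!("Failed to clear interface states: {error}");` would read correctly. The comment's "When entering a secured state" is narrower than what the code does, since `apply_policy` appears to run for every policy it is given; rewording it to "on every policy transition" would match the branch's intent. The enclosing `impl Firewall` and the body of `reset_policy` continue outside the hunk.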
