authorLinus Färnstrand <linus@mullvad.net>2018-05-23 13:42:37 +0200
committerLinus Färnstrand <linus@mullvad.net>2018-07-02 12:16:33 +0200
commite66971febc35da8e867c85d206eebeca205aff17 (patch)
treeb296229fa6cdfcb560688c0d0c2bba34401bfa09
parentf65edff37fc2ca3f14c2e8e9cb840c9fa57e4752 (diff)
downloadmullvadvpn-e66971febc35da8e867c85d206eebeca205aff17.tar.xz
mullvadvpn-e66971febc35da8e867c85d206eebeca205aff17.zip
Move the private and multicast nets up to generic firewall module
-rw-r--r--talpid-core/Cargo.toml3
-rw-r--r--talpid-core/src/firewall/macos/mod.rs25
-rw-r--r--talpid-core/src/firewall/mod.rs12
-rw-r--r--talpid-core/src/lib.rs4
4 files changed, 33 insertions, 11 deletions
diff --git a/talpid-core/Cargo.toml b/talpid-core/Cargo.toml
index 16de588b31..cf0c8b6ea8 100644
--- a/talpid-core/Cargo.toml
+++ b/talpid-core/Cargo.toml
@@ -9,8 +9,11 @@ license = "GPL-3.0"
atty = "0.2"
duct = "0.10"
error-chain = "0.12"
+ipnetwork = "0.13"
jsonrpc-core = { git = "https://github.com/paritytech/jsonrpc", tag = "v8.0.1" }
jsonrpc-macros = { git = "https://github.com/paritytech/jsonrpc", tag = "v8.0.1" }
+lazy_static = "1.0"
+libc = "0.2.20"
log = "0.4"
os_pipe = "0.6"
uuid = { version = "0.6", features = ["v4"] }
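Review bot: `libc = "0.2.20"` is added here and declared with `extern crate libc;` in the lib.rs hunk, but no code in this commit uses it, so it only widens the build graph and the set of crates that need auditing. If a follow-up change needs it, landing it with that change (or a one-line comment saying which code will use it) makes the intent reviewable; otherwise drop it from both Cargo.toml and lib.rs. Separately, `ipnetwork = "0.13"` is a distinct copy of the crate that pfctl re-exports, which is what forces the `ipnetwork_compat` shim in macos/mod.rs; if pfctl's version can be matched, the shim and its panic path go away.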
diff --git a/talpid-core/src/firewall/macos/mod.rs b/talpid-core/src/firewall/macos/mod.rs
index 394fd916d3..3ee77a22ac 100644
--- a/talpid-core/src/firewall/macos/mod.rs
+++ b/talpid-core/src/firewall/macos/mod.rs
@@ -1,9 +1,10 @@
extern crate pfctl;
extern crate tokio_core;
-use self::pfctl::ipnetwork::{IpNetwork, Ipv4Network};
use super::{Firewall, SecurityPolicy};
+use ipnetwork::IpNetwork;
+
use std::net::Ipv4Addr;
use std::path::Path;
@@ -183,25 +184,21 @@ impl PacketFilter {
}
fn get_allow_lan_rules() -> Result<Vec<pfctl::FilterRule>> {
- let private_nets = [
- Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap(),
- Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap(),
- Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap(),
- ];
- let multicast_net = Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap();
let mut rules = vec![];
- for net in &private_nets {
+ for net in &*super::PRIVATE_NETS {
let mut rule_builder = pfctl::FilterRuleBuilder::default();
rule_builder
.action(pfctl::FilterRuleAction::Pass)
.quick(true)
.af(pfctl::AddrFamily::Ipv4)
- .from(pfctl::Ip::from(IpNetwork::V4(*net)));
+ .from(pfctl::Ip::from(ipnetwork_compat(IpNetwork::V4(*net))));
let allow_net = rule_builder
- .to(pfctl::Ip::from(IpNetwork::V4(*net)))
+ .to(pfctl::Ip::from(ipnetwork_compat(IpNetwork::V4(*net))))
.build()?;
let allow_multicast = rule_builder
- .to(pfctl::Ip::from(IpNetwork::V4(multicast_net)))
+ .to(pfctl::Ip::from(ipnetwork_compat(IpNetwork::V4(
+ *super::MULTICAST_NET,
+ ))))
.build()?;
rules.push(allow_net);
rules.push(allow_multicast);
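Review bot: The `ipnetwork_compat(IpNetwork::V4(*net))` conversion is written out twice per iteration, once in the `.from(` line and once in the `.to(` line, which hides the fact that both sides of the rule are the same network. Converting once at the top of the loop, `let pf_net = ipnetwork_compat(IpNetwork::V4(*net));`, and passing `pfctl::Ip::from(pf_net)` to both builders keeps the rule definition readable and leaves a single place where the version shim can fail. Whether `pfctl::Ip` is `Copy` is not visible here, so build the `Ip` from `pf_net` at each call site rather than reusing one `Ip` value. The body of `get_allow_lan_rules` continues past the end of the hunk.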
@@ -288,3 +285,9 @@ fn as_pfctl_proto(protocol: net::TransportProtocol) -> pfctl::Proto {
net::TransportProtocol::Tcp => pfctl::Proto::Tcp,
}
}
+
+/// Converts a network from the struct version that talpid-core uses to the version pfctl uses.
+fn ipnetwork_compat(net: ::ipnetwork::IpNetwork) -> pfctl::ipnetwork::IpNetwork {
+ pfctl::ipnetwork::IpNetwork::new(net.ip(), net.prefix())
+ .expect("IpNetwork versions not compatible")
+}
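Review bot: `ipnetwork_compat` panics through `expect` even though its only caller, `get_allow_lan_rules`, returns a `Result`, so a mismatch between the two `ipnetwork` versions would abort the process during firewall setup instead of surfacing as an error. The invariant that is supposed to make the panic unreachable is not stated; add `// Cannot fail: net.prefix() was already validated for this address family by the` / `// talpid-core ipnetwork type, so only a semantic mismatch between crate versions trips this.` above the `expect`, or change the function to return a `Result` and propagate it with `?` from the two call sites. The message "IpNetwork versions not compatible" is accurate but would be more useful with the offending `net` included, e.g. via `unwrap_or_else(|e| panic!("IpNetwork versions not compatible for {}: {}", net, e))`.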
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 2902e24ccd..78befd68af 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -1,6 +1,18 @@
use std::path::Path;
+use ipnetwork::Ipv4Network;
+use std::net::Ipv4Addr;
use talpid_types::net::Endpoint;
+#[cfg(unix)]
+lazy_static! {
+ static ref PRIVATE_NETS: [Ipv4Network; 3] = [
+ Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap(),
+ Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap(),
+ Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap(),
+ ];
+ static ref MULTICAST_NET: Ipv4Network =
+ Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap();
+}
/// A enum that describes firewall rules strategy
#[derive(Debug, Clone, Eq, PartialEq)]
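Review bot: `use ipnetwork::Ipv4Network;` and `use std::net::Ipv4Addr;` are unconditional, but their only consumers are the statics inside the `#[cfg(unix)] lazy_static!` block, so any non-unix build of this crate would warn about unused imports; gating the two `use` lines with `#[cfg(unix)]` as well avoids that (whether a non-unix target is actually built is not visible from this hunk). The two statics also have no doc comments, and since they define exactly which destinations the allow-LAN firewall rules exempt, a reader should not have to decode the literals: e.g. `/// RFC 1918 private IPv4 ranges that the "allow LAN" firewall rules permit.` on `PRIVATE_NETS` and `/// The 224.0.0.0/24 local network control multicast block, permitted alongside them.` on `MULTICAST_NET`. The `unwrap()` calls are fine here because the inputs are constants and a failure would be a programming error.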
diff --git a/talpid-core/src/lib.rs b/talpid-core/src/lib.rs
index ea8e9dd890..be46de881b 100644
--- a/talpid-core/src/lib.rs
+++ b/talpid-core/src/lib.rs
@@ -17,9 +17,13 @@ extern crate log;
#[macro_use]
extern crate error_chain;
+extern crate ipnetwork;
extern crate jsonrpc_core;
#[macro_use]
extern crate jsonrpc_macros;
+#[macro_use]
+extern crate lazy_static;
+extern crate libc;
extern crate shell_escape;
extern crate uuid;