authorAndrej Mihajlov <and@mullvad.net>2017-08-28 18:29:38 +0100
committerAndrej Mihajlov <and@mullvad.net>2017-08-28 18:29:38 +0100
commitf829305fc06daeebd4fe6a595eecdc1ddf8c419e (patch)
treed05dac5576d7035326071cbf85ea441a57251842
parentd8c1fc6e5584ce98360fe9c979f543afa8d17346 (diff)
parent10b4882d6c4f7a7b080e1fc145c83873602439bb (diff)
Merge branch 'add-tcp-flags'
-rw-r--r--talpid-core/src/firewall/macos.rs11
1 files changed, 11 insertions, 0 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 3bf6bc8db6..d23a48fd49 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -71,6 +71,7 @@ impl PacketFilter {
.quick(true)
.to(pfctl::Port::One(53, pfctl::PortUnaryModifier::Equal))
.keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
.build()?;
let mut new_rules = self.get_loopback_rules()?;
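Review bot: `.tcp_flags(Self::get_tcp_flags())` is attached to the port-53 rule here without a visible `.proto(...)` restricting the rule to TCP, and the same unconditional call is repeated on the relay rule (which takes its protocol from `relay_endpoint`), the tunnel-interface rule and the lo0 rule in the three following hunks. pf documents the `flags` option as applying only to TCP rules, so for any of these rules that also carries UDP (DNS on port 53 commonly does) the flag mask is at best a no-op and, depending on how pfctl-rs and the kernel treat a flag mask on a non-TCP rule, may keep the rule from matching or loading; this is inferred, since the proto of each rule is set outside the hunks. A safer shape is to apply the flags only when the rule's protocol is TCP, e.g. `if matches!(proto, pfctl::Proto::Tcp) { builder.tcp_flags(Self::get_tcp_flags()); }`, or to document in a comment why the unconditional call is acceptable. The builder chain for this rule begins above the hunk.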
@@ -97,6 +98,7 @@ impl PacketFilter {
.to(relay_endpoint)
.proto(relay_endpoint)
.keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
.quick(true)
.build()
}
@@ -106,6 +108,7 @@ impl PacketFilter {
.action(pfctl::RuleAction::Pass)
.interface(tunnel_interface)
.keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
.quick(true)
.build()
}
@@ -115,11 +118,19 @@ impl PacketFilter {
.action(pfctl::RuleAction::Pass)
.interface("lo0")
.keep_state(pfctl::StatePolicy::Keep)
+ .tcp_flags(Self::get_tcp_flags())
.quick(true)
.build()?;
Ok(vec![lo0_rule])
}
+ fn get_tcp_flags() -> pfctl::TcpFlags {
+ pfctl::TcpFlags::new(
+ &[pfctl::TcpFlag::Syn],
+ &[pfctl::TcpFlag::Syn, pfctl::TcpFlag::Ack],
+ )
+ }
+
fn remove_rules(&mut self) -> Result<()> {
// remove_anchor() does not deactivate active rules
self.pf.flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Filter)
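Review bot: `get_tcp_flags` has no doc comment explaining what the two slices mean or why this particular combination was chosen, and the security intent of the change is otherwise invisible at the call sites. Assuming `pfctl::TcpFlags::new(check, mask)` takes the flags to test first and the mask second, this is the equivalent of pf's `flags S/SA`; I would add above the function `/// TCP flag filter equivalent to pf's \`flags S/SA\`: of the SYN and ACK bits only SYN may be set,` and `/// so only the initial handshake segment matches and creates state; mid-stream segments fall through.` — please confirm the argument order against the pfctl-rs docs before committing the wording. `remove_rules` continues past the end of the hunk.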