| author | David Lönnhager <david.l@mullvad.net> | 2020-02-28 14:26:50 +0100 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2020-06-02 10:05:01 +0200 |
| commit | fded606538075006e744db27bcf8cc5709988a0b (patch) | |
| tree | 632066138ad73e0f34851ce47b4cd0c564d74aec | |
| parent | 65a64170a40cfff3fb4720ab23d2ce3bae4e363c (diff) | |
| download | mullvadvpn-fded606538075006e744db27bcf8cc5709988a0b.tar.xz mullvadvpn-fded606538075006e744db27bcf8cc5709988a0b.zip | |
Set routing table for marked packets
| -rw-r--r-- | talpid-core/src/firewall/linux.rs | 7 | ||||
| -rw-r--r-- | talpid-core/src/split.rs | 23 |
2 files changed, 24 insertions, 6 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 52327091ec..1005bac337 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -18,7 +18,6 @@ use talpid_types::net::{Endpoint, TransportProtocol};
 /// Priority for rules that tag split tunneling packets. Equals NF_IP_PRI_MANGLE.
 const MANGLE_CHAIN_PRIORITY: i32 = libc::NF_IP_PRI_MANGLE;
-const SPLIT_TUNNEL_MARK: i32 = 0xf41;
 pub type Result<T> = std::result::Result<T, Error>;
@@ -243,20 +242,20 @@ impl<'a> PolicyBatch<'a> {
 let mut rule = Rule::new(&self.mangle_chain);
 rule.add_expr(&nft_expr!(meta cgroup));
 rule.add_expr(&nft_expr!(cmp == split::NETCLS_CLASSID));
- rule.add_expr(&nft_expr!(immediate data SPLIT_TUNNEL_MARK));
+ rule.add_expr(&nft_expr!(immediate data split::MARK));
 rule.add_expr(&nft_expr!(ct mark set));
 rule.add_expr(&nft_expr!(meta mark set));
 self.batch.add(&rule, nftnl::MsgType::Add);
 let mut rule = Rule::new(&self.in_chain);
 rule.add_expr(&nft_expr!(ct mark));
- rule.add_expr(&nft_expr!(cmp == SPLIT_TUNNEL_MARK));
+ rule.add_expr(&nft_expr!(cmp == split::MARK));
 add_verdict(&mut rule, &Verdict::Accept);
 self.batch.add(&rule, nftnl::MsgType::Add);
 let mut rule = Rule::new(&self.out_chain);
 rule.add_expr(&nft_expr!(meta mark));
- rule.add_expr(&nft_expr!(cmp == SPLIT_TUNNEL_MARK));
+ rule.add_expr(&nft_expr!(cmp == split::MARK));
 add_verdict(&mut rule, &Verdict::Accept);
 self.batch.add(&rule, nftnl::MsgType::Add);
 }
diff --git a/talpid-core/src/split.rs b/talpid-core/src/split.rs
index 28d916c11a..18b43a15b2 100644
--- a/talpid-core/src/split.rs
+++ b/talpid-core/src/split.rs
@@ -3,11 +3,16 @@ use std::{
 fs,
 io::{self, BufRead, BufReader, Write},
 path::Path,
+ process::Command,
 };
 const NETCLS_DIR: &str = "/sys/fs/cgroup/net_cls/";
+
 /// Identifies packets coming from the cgroup.
 pub const NETCLS_CLASSID: u32 = 0x4d9f41;
+/// Value used to mark packets and associated connections.
+pub const MARK: i32 = 0xf41;
+
 const CGROUP_NAME: &str = "mullvad-exclusions";
 static mut ROUTING_TABLE_ID: i32 = 19;
 const ROUTING_TABLE_NAME: &str = "mullvad_exclusions";
@@ -43,8 +48,22 @@ pub enum Error {
 }
 fn route_marked_packets() -> Result<(), Error> {
- // TODO: route fwmark'd packets using this table (if they aren't already)
- Ok(())
+ // TODO: IPv6
+ let mut cmd = Command::new("ip");
+ cmd.args(&[
+ "-4",
+ "rule",
+ "add",
+ "from",
+ "all",
+ "fwmark",
+ &MARK.to_string(),
+ "lookup",
+ ROUTING_TABLE_NAME,
+ ]);
+
+ log::trace!("running cmd - {:?}", &cmd);
+ cmd.output().map(|_| ()).map_err(Error::RoutingTableSetup)
 }
 /// Set up policy-based routing for marked packets.
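Review bot: `cmd.output().map(|_| ())` at the end of route_marked_packets discards the exit status of `ip`, so only a failure to spawn the binary is reported; a non-zero exit (for instance when the `mullvad_exclusions` table name is not known to `ip`, or the process lacks the privilege to add a rule) returns Ok and the caller cannot tell that marked traffic is not being steered into the exclusion table. The rule's effect is therefore unverified even though the firewall rules in linux.rs already accept packets carrying `split::MARK`. Check `output.status.success()` and surface stderr through the existing `Error::RoutingTableSetup(io::Error)` variant, as below. Separately, the removed TODO's "(if they aren't already)" qualification is dropped while `ip rule add` does not deduplicate, so repeated calls presumably stack identical rules unless the teardown path removes each one; a comment on the function stating that expectation would help, e.g. `// Adds one rule per call (ip rule add does not deduplicate); teardown must remove it.`
```rust
fn route_marked_packets() -> Result<(), Error> {
    // … unchanged: building `cmd` …
    log::trace!("running cmd - {:?}", &cmd);
    let output = cmd.output().map_err(Error::RoutingTableSetup)?;
    if !output.status.success() {
        // `ip` ran but rejected the rule; report its diagnostics instead of swallowing them.
        return Err(Error::RoutingTableSetup(io::Error::new(
            io::ErrorKind::Other,
            String::from_utf8_lossy(&output.stderr).into_owned(),
        )));
    }
    Ok(())
}
```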
