summaryrefslogtreecommitdiffhomepage
path: root/talpid-core/src
diff options
context:
space:
mode:
authorLinus Färnstrand <linus@mullvad.net>2017-12-19 14:20:56 +0100
committerLinus Färnstrand <linus@mullvad.net>2017-12-20 15:19:24 +0100
commit56eb76284126ea6e058c944cff84fee41cf099d1 (patch)
tree77c269953c9a0fe4dbceeac50e716789de057e91 /talpid-core/src
parent094f5b155032d8b937d2bf265791f7d00b23e29e (diff)
downloadmullvadvpn-56eb76284126ea6e058c944cff84fee41cf099d1.tar.xz
mullvadvpn-56eb76284126ea6e058c944cff84fee41cf099d1.zip
Add allow_lan to SecurityPolicy
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/firewall/macos/mod.rs47
-rw-r--r--talpid-core/src/firewall/mod.rs5
2 files changed, 44 insertions, 8 deletions
diff --git a/talpid-core/src/firewall/macos/mod.rs b/talpid-core/src/firewall/macos/mod.rs
index 0ceab3fc34..f9f45338fa 100644
--- a/talpid-core/src/firewall/macos/mod.rs
+++ b/talpid-core/src/firewall/macos/mod.rs
@@ -1,6 +1,7 @@
extern crate pfctl;
extern crate tokio_core;
+use self::pfctl::ipnetwork::{IpNetwork, Ipv4Network};
use super::{Firewall, SecurityPolicy};
use std::net::Ipv4Addr;
@@ -64,9 +65,7 @@ impl PacketFilter {
new_filter_rules.append(&mut Self::get_allow_loopback_rules()?);
new_filter_rules.append(&mut Self::get_allow_dhcp_rules()?);
-
- let mut policy_filter_rules = self.get_policy_specific_rules(policy)?;
- new_filter_rules.append(&mut policy_filter_rules);
+ new_filter_rules.append(&mut self.get_policy_specific_rules(policy)?);
let drop_all_rule = pfctl::FilterRuleBuilder::default()
.action(pfctl::FilterRuleAction::Drop)
@@ -84,12 +83,20 @@ impl PacketFilter {
policy: SecurityPolicy,
) -> Result<Vec<pfctl::FilterRule>> {
match policy {
- SecurityPolicy::Connecting { relay_endpoint } => {
- Ok(vec![Self::get_allow_relay_rule(relay_endpoint)?])
+ SecurityPolicy::Connecting {
+ relay_endpoint,
+ allow_lan,
+ } => {
+ let mut rules = vec![Self::get_allow_relay_rule(relay_endpoint)?];
+ if allow_lan {
+ rules.append(&mut Self::get_allow_lan_rules()?);
+ }
+ Ok(rules)
}
SecurityPolicy::Connected {
relay_endpoint,
tunnel,
+ allow_lan,
} => {
self.dns_monitor.set_dns(vec![tunnel.gateway.to_string()])?;
@@ -124,14 +131,19 @@ impl PacketFilter {
.to(pfctl::Port::from(53))
.build()?;
- Ok(vec![
+ let mut rules = vec![
allow_tcp_dns_to_relay_rule,
allow_udp_dns_to_relay_rule,
block_tcp_dns_rule,
block_udp_dns_rule,
Self::get_allow_relay_rule(relay_endpoint)?,
Self::get_allow_tunnel_rule(tunnel.interface.as_str())?,
- ])
+ ];
+
+ if allow_lan {
+ rules.append(&mut Self::get_allow_lan_rules()?);
+ }
+ Ok(rules)
}
}
}
@@ -170,6 +182,27 @@ impl PacketFilter {
Ok(vec![lo0_rule])
}
+ fn get_allow_lan_rules() -> Result<Vec<pfctl::FilterRule>> {
+ let private_nets = [
+ Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap(),
+ Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap(),
+ Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap(),
+ ];
+ let mut rules = vec![];
+ for net in &private_nets {
+ let rule = pfctl::FilterRuleBuilder::default()
+ .action(pfctl::FilterRuleAction::Pass)
+ .keep_state(pfctl::StatePolicy::Keep)
+ .quick(true)
+ .af(pfctl::AddrFamily::Ipv4)
+ .from(pfctl::Ip::from(IpNetwork::V4(*net)))
+ .to(pfctl::Ip::from(IpNetwork::V4(*net)))
+ .build()?;
+ rules.push(rule);
+ }
+ Ok(rules)
+ }
+
fn get_allow_dhcp_rules() -> Result<Vec<pfctl::FilterRule>> {
let broadcast_address = Ipv4Addr::new(255, 255, 255, 255);
let server_port = pfctl::Port::from(67);
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 98fe1f3e9c..c0f839817d 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -18,7 +18,6 @@ pub mod windows;
#[cfg(windows)]
use self::windows as imp;
-
error_chain!{
errors {
/// Initialization error
@@ -39,6 +38,8 @@ pub enum SecurityPolicy {
Connecting {
/// The relay endpoint that should be allowed.
relay_endpoint: Endpoint,
+ /// Flag setting if communication with LAN networks should be possible.
+ allow_lan: bool,
},
/// Allow traffic only to relay server and over tunnel interface
@@ -47,6 +48,8 @@ pub enum SecurityPolicy {
relay_endpoint: Endpoint,
/// Metadata about the tunnel and tunnel interface.
tunnel: ::tunnel::TunnelMetadata,
+ /// Flag setting if communication with LAN networks should be possible.
+ allow_lan: bool,
},
}