diff options
| author | Linus Färnstrand <linus@mullvad.net> | 2017-12-19 14:20:56 +0100 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2017-12-20 15:19:24 +0100 |
| commit | 56eb76284126ea6e058c944cff84fee41cf099d1 (patch) | |
| tree | 77c269953c9a0fe4dbceeac50e716789de057e91 /talpid-core/src | |
| parent | 094f5b155032d8b937d2bf265791f7d00b23e29e (diff) | |
| download | mullvadvpn-56eb76284126ea6e058c944cff84fee41cf099d1.tar.xz mullvadvpn-56eb76284126ea6e058c944cff84fee41cf099d1.zip | |
Add allow_lan to SecurityPolicy
Diffstat (limited to 'talpid-core/src')
| -rw-r--r-- | talpid-core/src/firewall/macos/mod.rs | 47 | ||||
| -rw-r--r-- | talpid-core/src/firewall/mod.rs | 5 |
2 files changed, 44 insertions, 8 deletions
diff --git a/talpid-core/src/firewall/macos/mod.rs b/talpid-core/src/firewall/macos/mod.rs index 0ceab3fc34..f9f45338fa 100644 --- a/talpid-core/src/firewall/macos/mod.rs +++ b/talpid-core/src/firewall/macos/mod.rs @@ -1,6 +1,7 @@ extern crate pfctl; extern crate tokio_core; +use self::pfctl::ipnetwork::{IpNetwork, Ipv4Network}; use super::{Firewall, SecurityPolicy}; use std::net::Ipv4Addr; @@ -64,9 +65,7 @@ impl PacketFilter { new_filter_rules.append(&mut Self::get_allow_loopback_rules()?); new_filter_rules.append(&mut Self::get_allow_dhcp_rules()?); - - let mut policy_filter_rules = self.get_policy_specific_rules(policy)?; - new_filter_rules.append(&mut policy_filter_rules); + new_filter_rules.append(&mut self.get_policy_specific_rules(policy)?); let drop_all_rule = pfctl::FilterRuleBuilder::default() .action(pfctl::FilterRuleAction::Drop) @@ -84,12 +83,20 @@ impl PacketFilter { policy: SecurityPolicy, ) -> Result<Vec<pfctl::FilterRule>> { match policy { - SecurityPolicy::Connecting { relay_endpoint } => { - Ok(vec![Self::get_allow_relay_rule(relay_endpoint)?]) + SecurityPolicy::Connecting { + relay_endpoint, + allow_lan, + } => { + let mut rules = vec![Self::get_allow_relay_rule(relay_endpoint)?]; + if allow_lan { + rules.append(&mut Self::get_allow_lan_rules()?); + } + Ok(rules) } SecurityPolicy::Connected { relay_endpoint, tunnel, + allow_lan, } => { self.dns_monitor.set_dns(vec![tunnel.gateway.to_string()])?; @@ -124,14 +131,19 @@ impl PacketFilter { .to(pfctl::Port::from(53)) .build()?; - Ok(vec![ + let mut rules = vec![ allow_tcp_dns_to_relay_rule, allow_udp_dns_to_relay_rule, block_tcp_dns_rule, block_udp_dns_rule, Self::get_allow_relay_rule(relay_endpoint)?, Self::get_allow_tunnel_rule(tunnel.interface.as_str())?, - ]) + ]; + + if allow_lan { + rules.append(&mut Self::get_allow_lan_rules()?); + } + Ok(rules) } } } @@ -170,6 +182,27 @@ impl PacketFilter { Ok(vec![lo0_rule]) } + fn get_allow_lan_rules() -> Result<Vec<pfctl::FilterRule>> { + let private_nets = [ + Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap(), + Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap(), + Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap(), + ]; + let mut rules = vec![]; + for net in &private_nets { + let rule = pfctl::FilterRuleBuilder::default() + .action(pfctl::FilterRuleAction::Pass) + .keep_state(pfctl::StatePolicy::Keep) + .quick(true) + .af(pfctl::AddrFamily::Ipv4) + .from(pfctl::Ip::from(IpNetwork::V4(*net))) + .to(pfctl::Ip::from(IpNetwork::V4(*net))) + .build()?; + rules.push(rule); + } + Ok(rules) + } + fn get_allow_dhcp_rules() -> Result<Vec<pfctl::FilterRule>> { let broadcast_address = Ipv4Addr::new(255, 255, 255, 255); let server_port = pfctl::Port::from(67); diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs index 98fe1f3e9c..c0f839817d 100644 --- a/talpid-core/src/firewall/mod.rs +++ b/talpid-core/src/firewall/mod.rs @@ -18,7 +18,6 @@ pub mod windows; #[cfg(windows)] use self::windows as imp; - error_chain!{ errors { /// Initialization error @@ -39,6 +38,8 @@ pub enum SecurityPolicy { Connecting { /// The relay endpoint that should be allowed. relay_endpoint: Endpoint, + /// Flag setting if communication with LAN networks should be possible. + allow_lan: bool, }, /// Allow traffic only to relay server and over tunnel interface @@ -47,6 +48,8 @@ pub enum SecurityPolicy { relay_endpoint: Endpoint, /// Metadata about the tunnel and tunnel interface. tunnel: ::tunnel::TunnelMetadata, + /// Flag setting if communication with LAN networks should be possible. + allow_lan: bool, }, } |
