authorDavid Lönnhager <david.l@mullvad.net>2021-04-12 13:31:16 +0200
committerDavid Lönnhager <david.l@mullvad.net>2021-04-16 17:41:46 +0200
commit7f073e37df07a22b34aeb67c8ec30cfdd31e0ce6 (patch)
treeb276a5f5ac3814566317bd5042e34e53a7eae05c /talpid-core/src
parent0d7daca3cdf62a90d4133d579dfda6cd68292974 (diff)
Permit forwarding of LAN traffic
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/firewall/linux.rs32
1 files changed, 20 insertions, 12 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 7d696e3776..12b45a2d30 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -847,25 +847,33 @@ impl<'a> PolicyBatch<'a> {
}
fn add_allow_lan_rules(&mut self) {
+ // Output and forward chains
+ for chain in &[&self.out_chain, &self.forward_chain] {
+ // LAN -> LAN
+ for net in &*super::ALLOWED_LAN_NETS {
+ let mut out_rule = Rule::new(chain);
+ check_net(&mut out_rule, End::Dst, *net);
+ add_verdict(&mut out_rule, &Verdict::Accept);
+ self.batch.add(&out_rule, nftnl::MsgType::Add);
+ }
+
+ // LAN -> Multicast
+ for net in &*super::ALLOWED_LAN_MULTICAST_NETS {
+ let mut rule = Rule::new(chain);
+ check_net(&mut rule, End::Dst, *net);
+ add_verdict(&mut rule, &Verdict::Accept);
+ self.batch.add(&rule, nftnl::MsgType::Add);
+ }
+ }
+
+ // Input chain
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
- let mut out_rule = Rule::new(&self.out_chain);
- check_net(&mut out_rule, End::Dst, *net);
- add_verdict(&mut out_rule, &Verdict::Accept);
- self.batch.add(&out_rule, nftnl::MsgType::Add);
-
let mut in_rule = Rule::new(&self.in_chain);
check_net(&mut in_rule, End::Src, *net);
add_verdict(&mut in_rule, &Verdict::Accept);
self.batch.add(&in_rule, nftnl::MsgType::Add);
}
- // LAN -> Multicast
- for net in &*super::ALLOWED_LAN_MULTICAST_NETS {
- let mut rule = Rule::new(&self.out_chain);
- check_net(&mut rule, End::Dst, *net);
- add_verdict(&mut rule, &Verdict::Accept);
- self.batch.add(&rule, nftnl::MsgType::Add);
- }
self.add_dhcp_server_rules();
}
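Review bot: The rules added to `forward_chain` by the new `for chain in &[&self.out_chain, &self.forward_chain]` loop match only on `End::Dst`, so a forwarded packet from any source address or interface is accepted as long as its destination falls in `ALLOWED_LAN_NETS` or `ALLOWED_LAN_MULTICAST_NETS`. That is harmless on the output chain, where the packet originates locally, but on the forward chain the origin is unconstrained, unlike the input rules below, which check `End::Src`. If that breadth is intended, record it in a comment such as `// Forward: destination-only match; the source of forwarded packets is deliberately not restricted`; if it is not, the forward rules need a source or interface check as well (whether `check_net` can be applied twice to one rule is not visible in this hunk). The local `out_rule` is also now built for both chains and would read better as `rule`.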