authorLinus Färnstrand <linus@mullvad.net>2018-10-31 17:30:44 +0100
committerLinus Färnstrand <linus@mullvad.net>2018-10-31 18:09:32 +0100
commit95b3076cb5baf66212e228eef70dae4d9a91c5f6 (patch)
tree7a1d01725e1e57b48cee53d7528deb2f15993dec /talpid-core/src
parente1e05b3ff3d40a5084c0020446e651b4e053d521 (diff)
Check server IP on incoming DHCPv6
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/security/linux/mod.rs9
-rw-r--r--talpid-core/src/security/macos/mod.rs5
2 files changed, 9 insertions, 5 deletions
diff --git a/talpid-core/src/security/linux/mod.rs b/talpid-core/src/security/linux/mod.rs
index ea1a8d4447..e57db996e7 100644
--- a/talpid-core/src/security/linux/mod.rs
+++ b/talpid-core/src/security/linux/mod.rs
@@ -221,8 +221,8 @@ impl<'a> PolicyBatch<'a> {
{
let mut out_v4 = Rule::new(&self.out_chain)?;
check_port(&mut out_v4, Udp, End::Src, CLIENT_PORT_V4)?;
- check_port(&mut out_v4, Udp, End::Dst, SERVER_PORT_V4)?;
check_ip(&mut out_v4, End::Dst, IpAddr::V4(Ipv4Addr::BROADCAST))?;
+ check_port(&mut out_v4, Udp, End::Dst, SERVER_PORT_V4)?;
add_verdict(&mut out_v4, &Verdict::Accept)?;
self.batch.add(&out_v4, nftnl::MsgType::Add)?;
}
@@ -235,18 +235,19 @@ impl<'a> PolicyBatch<'a> {
}
for dhcpv6_server in &*super::DHCPV6_SERVER_ADDRS {
let mut out_v6 = Rule::new(&self.out_chain)?;
- check_port(&mut out_v6, Udp, End::Src, CLIENT_PORT_V6)?;
check_net(&mut out_v6, End::Src, *super::LOCAL_INET6_NET)?;
- check_port(&mut out_v6, Udp, End::Dst, SERVER_PORT_V6)?;
+ check_port(&mut out_v6, Udp, End::Src, CLIENT_PORT_V6)?;
check_ip(&mut out_v6, End::Dst, *dhcpv6_server)?;
+ check_port(&mut out_v6, Udp, End::Dst, SERVER_PORT_V6)?;
add_verdict(&mut out_v6, &Verdict::Accept)?;
self.batch.add(&out_v6, nftnl::MsgType::Add)?;
}
{
let mut in_v6 = Rule::new(&self.in_chain)?;
+ check_net(&mut in_v6, End::Src, *super::LOCAL_INET6_NET)?;
check_port(&mut in_v6, Udp, End::Src, SERVER_PORT_V6)?;
- check_port(&mut in_v6, Udp, End::Dst, CLIENT_PORT_V6)?;
check_net(&mut in_v6, End::Dst, *super::LOCAL_INET6_NET)?;
+ check_port(&mut in_v6, Udp, End::Dst, CLIENT_PORT_V6)?;
add_verdict(&mut in_v6, &Verdict::Accept)?;
self.batch.add(&in_v6, nftnl::MsgType::Add)?;
}
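Review bot: The new `check_net(&mut in_v6, End::Src, *super::LOCAL_INET6_NET)?` in the `in_v6` rule matches any source inside `LOCAL_INET6_NET`, whereas the `out_v6` loop above pins the destination to each entry of `DHCPV6_SERVER_ADDRS`, so the inbound "server IP" check is a network match, not an address match, and nothing in the hunk says why. A one-line comment above the new `check_net` call would save the next reader the question, e.g. `// Replies arrive from the server's own address in LOCAL_INET6_NET, not from the DHCPV6_SERVER_ADDRS we send to, so only the source net can be pinned here.` — assuming that is the reason, since the contents of `DHCPV6_SERVER_ADDRS` are not visible in this diff. The same asymmetry applies to the macOS rule in `talpid-core/src/security/macos/mod.rs`, where `.from(pfctl::Endpoint::new(*super::LOCAL_INET6_NET, server_port_v6))` is the equivalent change and would benefit from the same comment; that builder chain continues past the end of its hunk. The relocated `check_port(..., End::Dst, ...)` calls in both Linux hunks only reorder matches within a rule and appear to be behaviour-neutral, but a word in the commit message on why the order was changed would help.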
diff --git a/talpid-core/src/security/macos/mod.rs b/talpid-core/src/security/macos/mod.rs
index 4fb711e4da..4fae5368ec 100644
--- a/talpid-core/src/security/macos/mod.rs
+++ b/talpid-core/src/security/macos/mod.rs
@@ -268,7 +268,10 @@ impl NetworkSecurity {
let allow_incoming_dhcp_v6 = dhcp_rule_builder
.af(pfctl::AddrFamily::Ipv6)
.direction(pfctl::Direction::In)
- .from(server_port_v6)
+ .from(pfctl::Endpoint::new(
+ *super::LOCAL_INET6_NET,
+ server_port_v6,
+ ))
.to(pfctl::Endpoint::new(
*super::LOCAL_INET6_NET,
client_port_v6,