authorDavid Lönnhager <david.l@mullvad.net>2024-10-02 11:25:04 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-10-04 09:54:18 +0200
commitee849a47cd5bda0db5cafef15e4679d1ddd173d2 (patch)
treefaeecfe212216380d4b859fb62c49e0371da7647 /talpid-core/src
parentb71ec360998a29f08c1220de627d078fac575b7c (diff)
Remove setting to leak traffic to apple networks
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/firewall/macos.rs51
-rw-r--r--talpid-core/src/firewall/mod.rs9
-rw-r--r--talpid-core/src/tunnel_state_machine/connected_state.rs21
-rw-r--r--talpid-core/src/tunnel_state_machine/connecting_state.rs13
-rw-r--r--talpid-core/src/tunnel_state_machine/disconnected_state.rs10
-rw-r--r--talpid-core/src/tunnel_state_machine/disconnecting_state.rs18
-rw-r--r--talpid-core/src/tunnel_state_machine/error_state.rs14
-rw-r--r--talpid-core/src/tunnel_state_machine/mod.rs21
8 files changed, 0 insertions, 157 deletions
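--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -159,7 +159,6 @@ impl Firewall {
 new_filter_rules.append(&mut self.get_allow_loopback_rules()?);
 new_filter_rules.append(&mut self.get_allow_dhcp_client_rules()?);
 new_filter_rules.append(&mut self.get_allow_ndp_rules()?);
-
 new_filter_rules.append(&mut self.get_policy_specific_rules(policy)?);
 let return_out_rule = self
@@ -300,7 +299,6 @@ impl Firewall {
 allowed_endpoint,
 allowed_tunnel_traffic,
 redirect_interface,
-apple_services_bypass,
 dns_redirect_port: _,
 } => {
 let mut rules = vec![self.get_allow_relay_rule(peer_endpoint)?];
@@ -338,10 +336,6 @@ impl Firewall {
 rules.append(&mut self.get_allow_lan_rules()?);
 }
-if *apple_services_bypass {
-rules.append(&mut self.get_apple_services_bypass_rules()?);
-}
-
 Ok(rules)
 }
 FirewallPolicy::Connected {
@@ -350,7 +344,6 @@ impl Firewall {
 allow_lan,
 dns_config,
 redirect_interface,
-apple_services_bypass,
 dns_redirect_port: _,
 } => {
 let mut rules = vec![];
@@ -395,7 +388,6 @@ impl Firewall {
 FirewallPolicy::Blocked {
 allow_lan,
 allowed_endpoint,
-apple_services_bypass,
 ..
 } => {
 let mut rules = Vec::new();
@@ -409,10 +401,6 @@ impl Firewall {
 rules.append(&mut self.get_allow_lan_rules()?);
 }
-if *apple_services_bypass {
-rules.append(&mut self.get_apple_services_bypass_rules()?);
-}
-
 Ok(rules)
 }
 }
@@ -692,45 +680,6 @@ impl Firewall {
 Ok(rules)
 }
-/// Generate rules that allow traffic to the networks required for Apple push notification
-/// services to work. This is a hack to get around the fact that apple services in MacOS 15 has
-/// a bug where they don't respect the routing table.
-///
-/// All allowed networks are part of apple-owned IP subnets.
-fn get_apple_services_bypass_rules(&self) -> Result<Vec<pfctl::FilterRule>> {
-// https://support.apple.com/en-us/102266
-let apple_networks: &[IpNetwork] = &[
-"17.249.0.0/16".parse().unwrap(),
-"17.252.0.0/16".parse().unwrap(),
-"17.57.144.0/22".parse().unwrap(),
-"17.188.128.0/18".parse().unwrap(),
-"17.188.20.0/23".parse().unwrap(),
-"2620:149:a44::/48".parse().unwrap(),
-"2403:300:a42::/48".parse().unwrap(),
-"2403:300:a51::/48".parse().unwrap(),
-"2a01:b740:a42::/48".parse().unwrap(),
-];
-
-let apple_ports: &[u16] = &[443, 2197, 5223];
-
-let mut rules = vec![];
-for &net in apple_networks {
-for &port in apple_ports {
-let mut rule_builder = self.create_rule_builder(FilterRuleAction::Pass);
-rule_builder.quick(true);
-let allow_out = rule_builder
-.quick(true)
-.direction(pfctl::Direction::Out)
-.from(pfctl::Ip::Any)
-.to(Endpoint::new(pfctl::Ip::from(net), port))
-.keep_state(pfctl::StatePolicy::Keep)
-.build()?;
-rules.push(allow_out);
-}
-}
-Ok(rules)
-}
-
 fn get_split_tunnel_rules(
 &self,
 from_interface: &str,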
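--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -94,9 +94,6 @@ pub enum FirewallPolicy {
 /// Interface to redirect (VPN tunnel) traffic to
 #[cfg(target_os = "macos")]
 redirect_interface: Option<String>,
-/// Flag setting if we should leak traffic to apple services.
-#[cfg(target_os = "macos")]
-apple_services_bypass: bool,
 /// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
 /// be redirected to `127.0.0.1:$dns_redirect_port`.
 #[cfg(target_os = "macos")]
@@ -117,9 +114,6 @@ pub enum FirewallPolicy {
 /// Interface to redirect (VPN tunnel) traffic to
 #[cfg(target_os = "macos")]
 redirect_interface: Option<String>,
-/// Flag setting if we should leak traffic to apple services.
-#[cfg(target_os = "macos")]
-apple_services_bypass: bool,
 /// Destination port for DNS traffic redirection. Traffic destined to `127.0.0.1:53` will
 /// be redirected to `127.0.0.1:$dns_redirect_port`.
 #[cfg(target_os = "macos")]
@@ -136,9 +130,6 @@ pub enum FirewallPolicy {
 /// be redirected to `127.0.0.1:$dns_redirect_port`.
 #[cfg(target_os = "macos")]
 dns_redirect_port: u16,
-/// Flag setting if we should leak traffic to apple services.
-#[cfg(target_os = "macos")]
-apple_services_bypass: bool,
 },
 }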
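--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
@@ -143,8 +143,6 @@ impl ConnectedState {
 #[cfg(target_os = "macos")]
 redirect_interface,
 #[cfg(target_os = "macos")]
-apple_services_bypass: shared_values.apple_services_bypass,
-#[cfg(target_os = "macos")]
 dns_redirect_port: shared_values.filtering_resolver.listening_port(),
 }
 }
@@ -391,25 +389,6 @@ impl ConnectedState {
 }
 SameState(self)
 }
-
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-let consequence = if shared_values.set_apple_services_bypass(apple_services_bypass)
-{
-match self.set_firewall_policy(shared_values) {
-Ok(()) => SameState(self),
-Err(error) => self.disconnect(
-shared_values,
-AfterDisconnect::Block(ErrorStateCause::SetFirewallPolicyError(error)),
-),
-}
-} else {
-SameState(self)
-};
-
-let _ = complete_tx.send(());
-consequence
-}
 }
 }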
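--- a/talpid-core/src/tunnel_state_machine/connecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connecting_state.rs
@@ -184,8 +184,6 @@ impl ConnectingState {
 #[cfg(target_os = "macos")]
 redirect_interface,
 #[cfg(target_os = "macos")]
-apple_services_bypass: shared_values.apple_services_bypass,
-#[cfg(target_os = "macos")]
 dns_redirect_port: shared_values.filtering_resolver.listening_port(),
 };
 shared_values
@@ -559,17 +557,6 @@ impl ConnectingState {
 }
 SameState(self)
 }
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-let consequence = if shared_values.set_apple_services_bypass(apple_services_bypass)
-{
-self.reset_firewall(shared_values)
-} else {
-SameState(self)
-};
-let _ = complete_tx.send(());
-consequence
-}
 }
 }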
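--- a/talpid-core/src/tunnel_state_machine/disconnected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/disconnected_state.rs
@@ -78,8 +78,6 @@ impl DisconnectedState {
 allowed_endpoint: Some(shared_values.allowed_endpoint.clone()),
 #[cfg(target_os = "macos")]
 dns_redirect_port: shared_values.filtering_resolver.listening_port(),
-#[cfg(target_os = "macos")]
-apple_services_bypass: shared_values.apple_services_bypass,
 };
 shared_values.firewall.apply_policy(policy).map_err(|e| {
@@ -236,14 +234,6 @@ impl TunnelState for DisconnectedState {
 let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
 SameState(self)
 }
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-if shared_values.set_apple_services_bypass(apple_services_bypass) {
-Self::set_firewall_policy(shared_values, false);
-}
-let _ = complete_tx.send(());
-SameState(self)
-}
 None => {
 Self::reset_dns(shared_values);
 Finished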
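--- a/talpid-core/src/tunnel_state_machine/disconnecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/disconnecting_state.rs
@@ -92,12 +92,6 @@ impl DisconnectingState {
 let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
 AfterDisconnect::Nothing
 }
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-let _ = shared_values.set_apple_services_bypass(apple_services_bypass);
-let _ = complete_tx.send(());
-AfterDisconnect::Nothing
-}
 },
 AfterDisconnect::Block(reason) => match command {
 Some(TunnelCommand::AllowLan(allow_lan, complete_tx)) => {
@@ -155,12 +149,6 @@ impl DisconnectingState {
 let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
 AfterDisconnect::Block(reason)
 }
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-let _ = shared_values.set_apple_services_bypass(apple_services_bypass);
-let _ = complete_tx.send(());
-AfterDisconnect::Block(reason)
-}
 None => AfterDisconnect::Block(reason),
 },
 AfterDisconnect::Reconnect(retry_attempt) => match command {
@@ -219,12 +207,6 @@ impl DisconnectingState {
 let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
 AfterDisconnect::Reconnect(retry_attempt)
 }
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-let _ = shared_values.set_apple_services_bypass(apple_services_bypass);
-let _ = complete_tx.send(());
-AfterDisconnect::Reconnect(retry_attempt)
-}
 },
 };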
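--- a/talpid-core/src/tunnel_state_machine/error_state.rs
+++ b/talpid-core/src/tunnel_state_machine/error_state.rs
@@ -78,8 +78,6 @@ impl ErrorState {
 allowed_endpoint: Some(shared_values.allowed_endpoint.clone()),
 #[cfg(target_os = "macos")]
 dns_redirect_port: shared_values.filtering_resolver.listening_port(),
-#[cfg(target_os = "macos")]
-apple_services_bypass: shared_values.apple_services_bypass,
 };
 #[cfg(target_os = "linux")]
@@ -237,18 +235,6 @@ impl TunnelState for ErrorState {
 let _ = result_tx.send(shared_values.set_exclude_paths(paths).map(|_| ()));
 SameState(self)
 }
-#[cfg(target_os = "macos")]
-Some(TunnelCommand::AppleServicesBypass(complete_tx, apple_services_bypass)) => {
-let consequence = if shared_values.set_apple_services_bypass(apple_services_bypass)
-{
-let _ = Self::set_firewall_policy(shared_values);
-SameState(self)
-} else {
-SameState(self)
-};
-let _ = complete_tx.send(());
-consequence
-}
 }
 }
 }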
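--- a/talpid-core/src/tunnel_state_machine/mod.rs
+++ b/talpid-core/src/tunnel_state_machine/mod.rs
@@ -104,9 +104,6 @@ pub struct InitialTunnelState {
 /// Apps to exclude from the tunnel.
 #[cfg(target_os = "android")]
 pub exclude_paths: Vec<String>,
-/// Whether we should leak traffic to Apple services.
-#[cfg(target_os = "macos")]
-pub apple_services_bypass: bool,
 }
 /// Identifiers for various network resources that should be unique to a given instance of a tunnel
@@ -217,9 +214,6 @@ pub enum TunnelCommand {
 oneshot::Sender<Result<(), split_tunnel::Error>>,
 Vec<String>,
 ),
-/// Set if we should leak traffic to Apple services.
-#[cfg(target_os = "macos")]
-AppleServicesBypass(oneshot::Sender<()>, bool),
 }
 type TunnelCommandReceiver = stream::Fuse<mpsc::UnboundedReceiver<TunnelCommand>>;
@@ -389,8 +383,6 @@ impl TunnelStateMachine {
 connectivity_check_was_enabled: None,
 #[cfg(target_os = "macos")]
 filtering_resolver,
-#[cfg(target_os = "macos")]
-apple_services_bypass: args.settings.apple_services_bypass,
 };
 tokio::task::spawn_blocking(move || {
@@ -494,9 +486,6 @@ struct SharedTunnelStateValues {
 /// Filtering resolver handle
 #[cfg(target_os = "macos")]
 filtering_resolver: crate::resolver::ResolverHandle,
-
-#[cfg(target_os = "macos")]
-apple_services_bypass: bool,
 }
 impl SharedTunnelStateValues {
@@ -663,16 +652,6 @@ impl SharedTunnelStateValues {
 }
 }
 }
-
-#[cfg(target_os = "macos")]
-pub fn set_apple_services_bypass(&mut self, apple_services_bypass: bool) -> bool {
-if self.apple_services_bypass != apple_services_bypass {
-self.apple_services_bypass = apple_services_bypass;
-true
-} else {
-false
-}
-}
 }
 /// Asynchronous result of an attempt to progress a state.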