authorDavid Lönnhager <david.l@mullvad.net>2021-05-18 13:42:38 +0200
committerDavid Lönnhager <david.l@mullvad.net>2021-06-07 11:17:16 +0200
commitef117bb95bac58838c1d063afcc83d53f7577fa6 (patch)
tree0536717236c4a0d8e07a3eafde4139a3c4e51db8 /talpid-core/src
parent7c6b8b514e428f29dcf27483597e39e48402516f (diff)
Remove pingable hosts
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/firewall/linux.rs25
-rw-r--r--talpid-core/src/firewall/macos.rs36
-rw-r--r--talpid-core/src/firewall/mod.rs10
-rw-r--r--talpid-core/src/firewall/windows.rs32
-rw-r--r--talpid-core/src/tunnel_state_machine/connecting_state.rs15
5 files changed, 1 insertions, 117 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 755111a31b..773e8e4e3c 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -578,11 +578,9 @@ impl<'a> PolicyBatch<'a> {
FirewallPolicy::Connecting {
peer_endpoint,
tunnel_interface,
- pingable_hosts,
allow_lan,
allowed_endpoint,
} => {
- self.add_allow_icmp_pingable_hosts(&pingable_hosts);
self.add_allow_tunnel_endpoint_rules(peer_endpoint);
self.add_allow_endpoint_rules(allowed_endpoint);
@@ -688,29 +686,6 @@ impl<'a> PolicyBatch<'a> {
self.batch.add(&out_rule, nftnl::MsgType::Add);
}
- fn add_allow_icmp_pingable_hosts(&mut self, pingable_hosts: &[IpAddr]) {
- for host in pingable_hosts {
- let icmp_proto = match &host {
- IpAddr::V4(_) => libc::IPPROTO_ICMP as u8,
- IpAddr::V6(_) => libc::IPPROTO_ICMPV6 as u8,
- };
-
- let mut out_rule = Rule::new(&self.out_chain);
- check_ip(&mut out_rule, End::Dst, *host);
- out_rule.add_expr(&nft_expr!(meta l4proto));
- out_rule.add_expr(&nft_expr!(cmp == icmp_proto));
- add_verdict(&mut out_rule, &Verdict::Accept);
- self.batch.add(&out_rule, nftnl::MsgType::Add);
-
- let mut in_rule = Rule::new(&self.in_chain);
- check_ip(&mut in_rule, End::Src, *host);
- in_rule.add_expr(&nft_expr!(meta l4proto));
- in_rule.add_expr(&nft_expr!(cmp == icmp_proto));
- add_verdict(&mut in_rule, &Verdict::Accept);
- self.batch.add(&in_rule, nftnl::MsgType::Add);
- }
- }
-
fn add_allow_dns_rules(
&mut self,
tunnel: &tunnel::TunnelMetadata,
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index f3048d61a8..38c7ff5b99 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -100,11 +100,9 @@ impl Firewall {
tunnel_interface,
allow_lan,
allowed_endpoint,
- pingable_hosts,
} => {
let mut rules = vec![self.get_allow_relay_rule(peer_endpoint)?];
rules.push(self.get_allowed_endpoint_rule(allowed_endpoint)?);
- rules.extend(self.get_allow_pingable_hosts(&pingable_hosts)?);
// Important to block DNS after allow relay rule (so the relay can operate
// over port 53) but before allow LAN (so DNS does not leak to the LAN)
@@ -295,40 +293,6 @@ impl Firewall {
Ok(vec![block_tcp_dns_rule, block_udp_dns_rule])
}
- fn get_allow_pingable_hosts(
- &self,
- pingable_hosts: &[IpAddr],
- ) -> Result<Vec<pfctl::FilterRule>> {
- let mut rules = vec![];
- for host in pingable_hosts.iter() {
- let icmp_proto = match &host {
- IpAddr::V4(_) => pfctl::Proto::Icmp,
- IpAddr::V6(_) => pfctl::Proto::IcmpV6,
- };
-
- let out_rule = self
- .create_rule_builder(FilterRuleAction::Pass)
- .quick(true)
- .direction(pfctl::Direction::Out)
- .proto(icmp_proto)
- .to(pfctl::Endpoint::new(*host, 0))
- .keep_state(pfctl::StatePolicy::Keep)
- .build()?;
- rules.push(out_rule);
-
- let in_rule = self
- .create_rule_builder(FilterRuleAction::Pass)
- .quick(true)
- .direction(pfctl::Direction::In)
- .proto(icmp_proto)
- .from(pfctl::Endpoint::new(*host, 0))
- .keep_state(pfctl::StatePolicy::Keep)
- .build()?;
- rules.push(in_rule);
- }
- Ok(rules)
- }
-
fn get_allow_tunnel_rule(&self, tunnel_interface: &str) -> Result<pfctl::FilterRule> {
Ok(self
.create_rule_builder(FilterRuleAction::Pass)
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 558b2b6040..1720cd2e25 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -105,8 +105,6 @@ pub enum FirewallPolicy {
peer_endpoint: Endpoint,
/// Tunnel interface alias.
tunnel_interface: Option<String>,
- /// Hosts that should be pingable whilst connecting.
- pingable_hosts: Vec<IpAddr>,
/// Flag setting if communication with LAN networks should be possible.
allow_lan: bool,
/// Host that should be reachable by the tunnel client while connecting.
@@ -147,18 +145,12 @@ impl fmt::Display for FirewallPolicy {
FirewallPolicy::Connecting {
peer_endpoint,
tunnel_interface,
- pingable_hosts,
allow_lan,
..
} => write!(
f,
- "Connecting to {} with gateways {}, {} LAN, interface: {}",
+ "Connecting to {}, {} LAN, interface: {}",
peer_endpoint,
- pingable_hosts
- .iter()
- .map(ToString::to_string)
- .collect::<Vec<String>>()
- .join(","),
if *allow_lan { "Allowing" } else { "Blocking" },
if let Some(alias) = tunnel_interface {
alias
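Review bot: The rewritten format string on the `+` line still leaves `allowed_endpoint` out of the `Connecting` policy's Display output even though the variant carries it (the `..` in the pattern discards it), so once the gateway list is gone the logged policy names only the relay, not every host the connecting firewall admits. `Endpoint` evidently implements `Display`, since `peer_endpoint` is printed with `{}`, so this could be `"Connecting to {}, allowed endpoint {}, {} LAN, interface: {}"` with `allowed_endpoint,` bound ahead of the `..` (the `..` must stay because of the cfg-gated `relay_client` field) and passed right after `peer_endpoint`. That would let a firewall-policy log line be checked against the full allow-list when investigating a suspected leak. It may be a deliberate omission; if so, a one-line comment saying why the allowed endpoint is not logged would help. The `fmt` body continues past the hunk.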
diff --git a/talpid-core/src/firewall/windows.rs b/talpid-core/src/firewall/windows.rs
index 6a4fdad186..bfdec696aa 100644
--- a/talpid-core/src/firewall/windows.rs
+++ b/talpid-core/src/firewall/windows.rs
@@ -94,7 +94,6 @@ impl FirewallT for Firewall {
FirewallPolicy::Connecting {
peer_endpoint,
tunnel_interface,
- pingable_hosts,
allow_lan,
allowed_endpoint,
relay_client,
@@ -105,7 +104,6 @@ impl FirewallT for Firewall {
&cfg,
&tunnel_interface,
&allowed_endpoint,
- &pingable_hosts,
&relay_client,
)
}
@@ -156,7 +154,6 @@ impl Firewall {
winfw_settings: &WinFwSettings,
tunnel_interface: &Option<String>,
allowed_endpoint: &Endpoint,
- pingable_hosts: &Vec<IpAddr>,
relay_client: &Path,
) -> Result<(), Error> {
trace!("Applying 'connecting' firewall policy");
@@ -170,25 +167,6 @@ impl Firewall {
let mut relay_client: Vec<u16> = relay_client.as_os_str().encode_wide().collect();
relay_client.push(0u16);
- let pingable_addresses = pingable_hosts
- .iter()
- .map(|ip| widestring_ip(*ip))
- .collect::<Vec<_>>();
- let pingable_address_ptrs = pingable_addresses
- .iter()
- .map(|ip| ip.as_ptr())
- .collect::<Vec<_>>();
-
- let pingable_hosts = if !pingable_address_ptrs.is_empty() {
- Some(WinFwPingableHosts {
- interfaceAlias: ptr::null(),
- addresses: pingable_address_ptrs.as_ptr(),
- num_addresses: pingable_addresses.len(),
- })
- } else {
- None
- };
-
let allowed_endpoint_ip = widestring_ip(allowed_endpoint.address.ip());
let winfw_allowed_endpoint = Some(WinFwEndpoint {
ip: allowed_endpoint_ip.as_ptr(),
@@ -211,7 +189,6 @@ impl Firewall {
&winfw_relay,
relay_client.as_ptr(),
interface_wstr_ptr,
- pingable_hosts.as_ptr(),
winfw_allowed_endpoint.as_ptr(),
)
.into_result()
@@ -374,14 +351,6 @@ mod winfw {
}
}
- #[repr(C)]
- pub struct WinFwPingableHosts {
- // a null pointer implies that all interfaces will be able to ping the supplied addresses
- pub interfaceAlias: *const libc::wchar_t,
- pub addresses: *const *const libc::wchar_t,
- pub num_addresses: usize,
- }
-
#[allow(dead_code)]
#[repr(u32)]
#[derive(Clone, Copy)]
@@ -447,7 +416,6 @@ mod winfw {
relay: &WinFwEndpoint,
relayClient: *const libc::wchar_t,
tunnelIfaceAlias: *const libc::wchar_t,
- pingable_hosts: *const WinFwPingableHosts,
allowed_endpoint: *const WinFwEndpoint,
) -> WinFwPolicyStatus;
diff --git a/talpid-core/src/tunnel_state_machine/connecting_state.rs b/talpid-core/src/tunnel_state_machine/connecting_state.rs
index fe87d00f0f..b46fe8e518 100644
--- a/talpid-core/src/tunnel_state_machine/connecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connecting_state.rs
@@ -67,7 +67,6 @@ impl ConnectingState {
let policy = FirewallPolicy::Connecting {
peer_endpoint,
tunnel_interface: tunnel_interface.clone(),
- pingable_hosts: gateway_list_from_params(params),
allow_lan: shared_values.allow_lan,
allowed_endpoint: shared_values.allowed_endpoint.clone(),
#[cfg(windows)]
@@ -549,17 +548,3 @@ impl TunnelState for ConnectingState {
}
}
}
-
-fn gateway_list_from_params(params: &TunnelParameters) -> Vec<IpAddr> {
- match params {
- TunnelParameters::Wireguard(params) => {
- let mut gateways = vec![params.connection.ipv4_gateway.into()];
- if let Some(ipv6_gateway) = params.connection.ipv6_gateway {
- gateways.push(ipv6_gateway.into())
- };
- gateways
- }
- // No gateway list required when connecting to openvpn
- TunnelParameters::OpenVpn(_) => vec![],
- }
-}