| author | Linus Färnstrand <linus@mullvad.net> | 2018-09-04 12:34:37 +0200 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2018-09-05 15:20:07 +0200 |
| commit | 7ddbb9598bec5b25713a2e159d539b286f172898 (patch) | |
| tree | 72b16ff07691369f9918134beac2141ed42b2443 /talpid-core | |
| parent | e1e8b371ab146916ee5074102800c197f2232302 (diff) | |
Add "blocked" security policy and implement in firewalls
Diffstat (limited to 'talpid-core')
| -rw-r--r-- | talpid-core/src/security/linux/mod.rs | 22 | ||||
| -rw-r--r-- | talpid-core/src/security/macos/mod.rs | 7 | ||||
| -rw-r--r-- | talpid-core/src/security/mod.rs | 6 | ||||
| -rw-r--r-- | talpid-core/src/security/windows/mod.rs | 46 |
4 files changed, 59 insertions, 22 deletions
diff --git a/talpid-core/src/security/linux/mod.rs b/talpid-core/src/security/linux/mod.rs
index e904f03966..de29219298 100644
--- a/talpid-core/src/security/linux/mod.rs
+++ b/talpid-core/src/security/linux/mod.rs
@@ -220,24 +220,28 @@ impl<'a> PolicyBatch<'a> {
 }
 fn add_policy_specific_rules(&mut self, policy: &SecurityPolicy) -> Result<()> {
- let (relay_endpoint, allow_lan, tunnel) = match policy {
+ let allow_lan = match policy {
 SecurityPolicy::Connecting {
 relay_endpoint,
 allow_lan,
- } => (relay_endpoint, *allow_lan, None),
+ } => {
+ self.add_allow_endpoint_rules(relay_endpoint)?;
+ *allow_lan
+ }
 SecurityPolicy::Connected {
 relay_endpoint,
 tunnel,
 allow_lan,
- } => (relay_endpoint, *allow_lan, Some(tunnel)),
+ } => {
+ self.add_allow_endpoint_rules(relay_endpoint)?;
+ self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
+ self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
+ self.add_allow_tunnel_rules(tunnel)?;
+ *allow_lan
+ }
+ SecurityPolicy::Blocked { allow_lan } => *allow_lan,
 };
- self.add_allow_endpoint_rules(relay_endpoint)?;
- if let Some(tunnel) = tunnel {
- self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
- self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
- self.add_allow_tunnel_rules(tunnel)?;
- }
 if allow_lan {
 self.add_allow_lan_rules()?;
 }
diff --git a/talpid-core/src/security/macos/mod.rs b/talpid-core/src/security/macos/mod.rs
index b7477f81e8..331f2f29ec 100644
--- a/talpid-core/src/security/macos/mod.rs
+++ b/talpid-core/src/security/macos/mod.rs
@@ -147,6 +147,13 @@ impl MacosNetworkSecurity {
 }
 Ok(rules)
 }
+ SecurityPolicy::Blocked { allow_lan } => {
+ let mut rules = Vec::new();
+ if allow_lan {
+ rules.append(&mut Self::get_allow_lan_rules()?);
+ }
+ Ok(rules)
+ }
 }
 }
diff --git a/talpid-core/src/security/mod.rs b/talpid-core/src/security/mod.rs
index a37bb23253..5dcbc87dd3 100644
--- a/talpid-core/src/security/mod.rs
+++ b/talpid-core/src/security/mod.rs
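Review bot: The new `SecurityPolicy::Blocked { allow_lan } => *allow_lan` arm in `add_policy_specific_rules` adds no rule of its own, so on Linux the "blocked" state is only as strong as the base rules that `PolicyBatch` installs elsewhere, which are outside this hunk and not visible here; a comment on that arm would keep the next reader from taking it for an unfinished stub. Something like `// Blocked: no endpoint, DNS or tunnel allow rules are added; only the optional LAN exception below goes on top of the base rules (TODO confirm the base chains default to drop).` states the intent and the dependency explicitly. It is also worth saying there that, unlike the Connected arm, nothing exempts DNS in the blocked state, if that is deliberate. The enclosing function continues past the end of the hunk.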
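Review bot: In the macOS `Blocked` arm, building an empty `Vec` and then `append`ing into it is roundabout when the only content is the optional LAN rules; the whole arm reduces to `SecurityPolicy::Blocked { allow_lan } => if allow_lan { Self::get_allow_lan_rules() } else { Ok(Vec::new()) },`. If the other arms of this match (which start above the hunk) build `rules` incrementally in the same `append` style, keeping the shape for consistency is a fair choice, but then a one-line comment `// Blocked: only the LAN exception, everything else falls to the block-all rules` would document why the arm is otherwise empty. The enclosing function begins before the hunk, so the base rules it relies on cannot be checked from here.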
@@ -36,6 +36,12 @@ pub enum SecurityPolicy {
 /// Flag setting if communication with LAN networks should be possible.
 allow_lan: bool,
 },
+
+ /// Block all network traffic in and out from the computer.
+ Blocked {
+ /// Flag setting if communication with LAN networks should be possible.
+ allow_lan: bool,
+ },
 }
 /// Abstract firewall interaction trait
diff --git a/talpid-core/src/security/windows/mod.rs b/talpid-core/src/security/windows/mod.rs
index 6789674971..75f712ee50 100644
--- a/talpid-core/src/security/windows/mod.rs
+++ b/talpid-core/src/security/windows/mod.rs
@@ -19,30 +19,35 @@ mod system_state;
 use self::dns::WinDns;
-error_chain!{
- errors{
+error_chain! {
+ errors {
 /// Failure to initialize windows firewall module
- Initialization{
+ Initialization {
 description("Failed to initialise windows firewall module")
 }
 /// Failure to deinitialize windows firewall module
- Deinitialization{
+ Deinitialization {
 description("Failed to deinitialize windows firewall module")
 }
- /// Failure to apply a firewall _connected_ policy
- ApplyingConnectedPolicy{
+ /// Failure to apply a firewall _connecting_ policy
+ ApplyingConnectingPolicy {
 description("Failed to apply firewall policy for when the daemon is connecting to a tunnel")
 }
- /// Failure to apply a firewall _connecting_ policy
- ApplyingConnectingPolicy{
+ /// Failure to apply a firewall _connected_ policy
+ ApplyingConnectedPolicy {
 description("Failed to apply firewall policy for when the daemon is connected to a tunnel")
 }
+ /// Failure to apply firewall _blocked_ policy
+ ApplyingBlockedPolicy {
+ description("Failed to apply blocked security policy")
+ }
+
 /// Failure to reset firewall policies
- ResettingPolicy{
+ ResettingPolicy {
 description("Failed to reset firewall policies")
 }
 }
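Review bot: The doc comment on the new `Blocked` variant, `/// Block all network traffic in and out from the computer.`, is contradicted by the `allow_lan` field directly beneath it, and since each platform backend in this commit does let LAN traffic through in that state, the doc should carry the exception: `/// Block all network traffic in and out from the computer, except traffic to and from LAN networks when `allow_lan` is set.` This is the variant operators will read when deciding whether "blocked" means fail-closed, so the one caveat it has belongs on the type rather than in three backends.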
@@ -93,6 +98,10 @@ impl NetworkSecurity for WindowsNetworkSecurity {
 let cfg = &WinFwSettings::new(allow_lan);
 self.set_connected_state(&relay_endpoint, &cfg, &tunnel)
 }
+ SecurityPolicy::Blocked { allow_lan } => {
+ let cfg = &WinFwSettings::new(allow_lan);
+ self.set_blocked_state(&cfg)
+ }
 }
 }
@@ -177,6 +186,11 @@ impl WindowsNetworkSecurity {
 ).into_result()
 }
 }
+
+ fn set_blocked_state(&mut self, winfw_settings: &WinFwSettings) -> Result<()> {
+ trace!("Applying 'blocked' firewall policy");
+ unsafe { WinFw_ApplyPolicyBlocked(winfw_settings).into_result() }
+ }
 }
@@ -227,13 +241,14 @@ mod winfw {
 ffi_error!(InitializationResult, ErrorKind::Initialization.into());
 ffi_error!(DeinitializationResult, ErrorKind::Deinitialization.into());
 ffi_error!(
- ApplyConnectedResult,
- ErrorKind::ApplyingConnectedPolicy.into()
- );
- ffi_error!(
 ApplyConnectingResult,
 ErrorKind::ApplyingConnectingPolicy.into()
 );
+ ffi_error!(
+ ApplyConnectedResult,
+ ErrorKind::ApplyingConnectedPolicy.into()
+ );
+ ffi_error!(ApplyBlockedResult, ErrorKind::ApplyingBlockedPolicy.into());
 ffi_error!(ResettingPolicyResult, ErrorKind::ResettingPolicy.into());
 extern "system" {
@@ -261,6 +276,11 @@ mod winfw {
 primaryDns: *const libc::wchar_t,
 ) -> ApplyConnectedResult;
+ #[link_name(WinFw_ApplyPolicyBlocked)]
+ pub fn WinFw_ApplyPolicyBlocked(
+ settings: &WinFwSettings,
+ ) -> ApplyBlockedResult;
+
 #[link_name(WinFw_Reset)]
 pub fn WinFw_Reset() -> ResettingPolicyResult;
 } |
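Review bot: The `unsafe { WinFw_ApplyPolicyBlocked(winfw_settings).into_result() }` block in the new `set_blocked_state` has no `// SAFETY:` comment stating what makes the call sound, and the extern declaration added in the last hunk passes `&WinFwSettings` straight across the FFI boundary, which is only well-defined if that struct has a C-compatible layout; its definition is not in this diff, so that cannot be checked here. A comment such as `// SAFETY: winfw_settings is a live reference for the whole call and the WinFw library must already be initialised (cf. ErrorKind::Initialization) — TODO confirm WinFwSettings is #[repr(C)].` records the invariant and the open question in one place. The same note applies to the sibling `set_connected_state`/`set_connecting_state` calls if they lack it, though their bodies are outside the hunk. The rest of the section (the `error_chain!` reorder and the `ffi_error!` shuffle) is bookkeeping and raises nothing further.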
