-rw-r--r--talpid-types/src/net/mod.rs11
-rw-r--r--talpid-wireguard/src/wireguard_go/mod.rs6
-rw-r--r--wireguard-go-rs/libwg/libwg_android.go82
-rw-r--r--wireguard-go-rs/src/lib.rs9
4 files changed, 21 insertions, 87 deletions
diff --git a/talpid-types/src/net/mod.rs b/talpid-types/src/net/mod.rs
index 1ec8ba46c5..e53b3fa54a 100644
--- a/talpid-types/src/net/mod.rs
+++ b/talpid-types/src/net/mod.rs
@@ -435,15 +435,26 @@ impl AllowedClients {
}
}
+/// What [`Endpoint`]s to allow the client to send traffic to and receive from.
+///
+/// In some cases we want to restrict what IP addresses the client may communicate with even
+/// inside of the tunnel, for example while negotiating a PQ-safe PSK with an ephemeral peer.
#[derive(Debug, Clone, Eq, PartialEq, Hash)]
pub enum AllowedTunnelTraffic {
+ /// Block all traffic inside the tunnel.
None,
+ /// Allow all traffic inside the tunnel. This is the normal mode of operation.
All,
+ /// Only allow communication with this specific endpoint. This will usually be a relay during a
+ /// short amount of time.
One(Endpoint),
+ /// Only allow communication with these two specific endpoints. The intended use case for this
+ /// is while negotiating for example a PSK with both the entry & exit relays in a multihop setup.
Two(Endpoint, Endpoint),
}
impl AllowedTunnelTraffic {
+ /// Do we currently allow traffic to all endpoints?
pub fn all(&self) -> bool {
matches!(self, AllowedTunnelTraffic::All)
}
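Review bot: The new doc on `Two` does not say whether the pair is ordered, which is what a caller building a multihop restriction needs to know, since the variant carries two positional `Endpoint`s with no field names. If the firewall treats them symmetrically, state it: `/// Only allow communication with these two specific endpoints (the order is not significant).`; if the first is meant to be the entry and the second the exit relay, say that instead, or consider named fields so the type documents it. The type-level doc also says "restrict what IP addresses", while the variants hold `Endpoint`s, which presumably carry port and protocol as well; "endpoints" would be the accurate word. The enum's `impl` continues past the end of this hunk.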
diff --git a/talpid-wireguard/src/wireguard_go/mod.rs b/talpid-wireguard/src/wireguard_go/mod.rs
index e94f786fd1..97e88ba7af 100644
--- a/talpid-wireguard/src/wireguard_go/mod.rs
+++ b/talpid-wireguard/src/wireguard_go/mod.rs
@@ -121,9 +121,9 @@ impl WgGoTunnel {
let private_ip = private_ip(config);
let handle = wireguard_go_rs::Tunnel::turn_on_multihop(
- exit_config_str,
- entry_config_str,
- private_ip,
+ &exit_config_str,
+ &entry_config_str,
+ &private_ip,
tunnel_fd,
Some(logging::wg_go_logging_callback),
logging_context.0,
diff --git a/wireguard-go-rs/libwg/libwg_android.go b/wireguard-go-rs/libwg/libwg_android.go
index a439bce3fb..9f488230a9 100644
--- a/wireguard-go-rs/libwg/libwg_android.go
+++ b/wireguard-go-rs/libwg/libwg_android.go
@@ -167,9 +167,9 @@ func wgTurnOnMultihop(cExitSettings *C.char, cEntrySettings *C.char, privateIp *
// Create the stuff that needs
context := tunnelcontainer.Context{
- Device: exitDevice,
+ Device: exitDevice,
EntryDevice: entryDevice,
- Logger: logger,
+ Logger: logger,
}
handle, err := tunnels.Insert(context)
@@ -184,82 +184,6 @@ func wgTurnOnMultihop(cExitSettings *C.char, cEntrySettings *C.char, privateIp *
}
-//export wgTurnOnMultihop
-/*func wgTurnOnMultihop(mtu int, exitSettings *C.char, entrySettings *C.char, privateIp *C.char, fd int32, logSink LogSink, logContext LogContext) C.int32_t {
- logger := logging.NewLogger(logSink, logging.LogContext(logContext))
-
- if exitSettings == nil {
- logger.Errorf("exitSettings is null\n")
- return ERROR_INVALID_ARGUMENT
- }
-
- if entrySettings == nil {
- logger.Errorf("exitSettings is null\n")
- return ERROR_INVALID_ARGUMENT
- }
-
- // OLD
- // settings := goStringFixed(cSettings)
- // NEW
- exitConfigString := goStringFixed(exitSettings)
- entryConfigString := goStringFixed(entrySettings)
- exitEndpoint := parseEndpointFromConfig(exitConfigString)
- if exitEndpoint == nil {
- return -10 // TODO: Define this error, previously '' errNoEndpointInConfig
- }
-
- ip, err := netip.ParseAddr(goStringFixed(privateIp))
- if err != nil {
- logger.Errorf("Failed to parse private IP: %v", err)
- return -10 // TODO: Define this error, previously '' errBadIPString
- }
-
- // OLD
- // device := device.NewDevice(tunDevice, conn.NewStdNetBind(), logger)
- // NEW
- // ip: First hop
- // exitEndpoint: Last hop
- // TODO: Is this mtu the correct one?
- singleTunMtu := mtu - 80
- singletun := multihoptun.NewMultihopTun(ip, exitEndpoint.Addr(), exitEndpoint.Port(), singleTunMtu)
- entryDev := device.NewDevice(&singletun, conn.NewStdNetBind(), logger)
-
- tunDevice, _, err := tun.CreateUnmonitoredTUNFromFD(fd)
- if err != nil {
- logger.Errorf("%s\n", err)
- unix.Close(fd)
- if err.Error() == "bad file descriptor" {
- return ERROR_INTERMITTENT_FAILURE
- }
- return ERROR_GENERAL_FAILURE
- }
- exitDev := device.NewDevice(tunDevice, singletun.Binder(), logger)
-
- setErr := device.IpcSetOperation(bufio.NewReader(strings.NewReader(settings)))
- if setErr != nil {
- logger.Errorf("%s\n", setErr)
- device.Close()
- return ERROR_INTERMITTENT_FAILURE
- }
-
- device.DisableSomeRoamingForBrokenMobileSemantics()
- device.Up()
-
- // context := tunnelcontainer.Context{
- // Device: device,
- // Logger: logger,
- // }
-
- handle, err := addTunnelFromDevice(exitDev, entryDev, exitSettings, entrySettings, logger)
- if err != nil {
- logger.Errorf("%s\n", err)
- device.Close()
- return ERROR_GENERAL_FAILURE
- }
-
- return C.int32_t(handle)
-}*/
-
func addTunnelFromDevice(exitDev *device.Device, entryDev *device.Device, exitSettings string, entrySettings string, logger *device.Logger) (*tunnelHandle, error) {
err := bringUpDevice(exitDev, exitSettings, logger)
if err != nil {
@@ -321,7 +245,7 @@ func wgGetSocketV4(tunnelHandle int32) C.int32_t {
device := tunnel.EntryDevice
if device == nil {
device = tunnel.Device
- }
+ }
peek := device.Bind().(conn.PeekLookAtSocketFd)
fd, err := peek.PeekLookAtSocketFd4()
if err != nil {
diff --git a/wireguard-go-rs/src/lib.rs b/wireguard-go-rs/src/lib.rs
index 321189ff5c..8049498107 100644
--- a/wireguard-go-rs/src/lib.rs
+++ b/wireguard-go-rs/src/lib.rs
@@ -6,8 +6,6 @@
//!
//! The [`Tunnel`] type provides a safe Rust wrapper around the C FFI.
-// TODO: Add a new function wgTurnOnMultihop for android.
-
#![cfg(unix)]
use core::{
@@ -212,12 +210,14 @@ impl Tunnel {
/// Get the file descriptor of the tunnel IPv4 socket.
#[cfg(target_os = "android")]
pub fn get_socket_v4(&self) -> Fd {
+ // SAFETY: self.handle is a valid pointer to an active wireguard-go tunnel.
unsafe { ffi::wgGetSocketV4(self.handle) }
}
/// Get the file descriptor of the tunnel IPv6 socket.
#[cfg(target_os = "android")]
pub fn get_socket_v6(&self) -> Fd {
+ // SAFETY: self.handle is a valid pointer to an active wireguard-go tunnel.
unsafe { ffi::wgGetSocketV6(self.handle) }
}
}
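Review bot: The added SAFETY comments say `self.handle` is "a valid pointer", but the FFI doc later in this diff describes tunnel handles as positive `i32` return values, and the Go side resolves them through `tunnels.Insert`, so the handle is an index into a Go-side table rather than a pointer Rust could dereference. A comment that states the real invariant is more useful: `// SAFETY: self.handle is a live tunnel handle returned by wgTurnOn*; the Go side only uses it as a lookup key and never dereferences it.` Separately, `wgGetSocketV4` on the Go side has an error path (`if err != nil` is visible in the libwg hunk) and returns a signed value, yet both wrappers return the raw result as `Fd` without checking for a negative error; if that is how libwg signals failure, callers should get a `Result` rather than a negative fd they may pass to a socket-protect call. The enclosing `impl Tunnel` starts before this hunk.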
@@ -290,11 +290,11 @@ mod ffi {
) -> i32;
/// Creates a new wireguard tunnel, uses the specific interface name, and file descriptors
- /// for the tunnel device and logging. For targets other than android, this also takes an
- /// MTU value.
+ /// for the tunnel device and logging.
///
/// Positive return values are tunnel handles for this specific wireguard tunnel instance.
/// Negative return values signify errors.
+ #[cfg(target_os = "android")]
pub fn wgTurnOnMultihop(
exit_settings: *const c_char,
entry_settings: *const c_char,
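Review bot: The doc comment kept on `wgTurnOnMultihop` still reads as the `wgTurnOn` doc ("uses the specific interface name, and file descriptors for the tunnel device and logging"), but the parameters visible here are exit and entry settings plus a private IP, none of which it mentions; suggest `/// Creates a multihop wireguard tunnel from an exit and an entry peer configuration (IPC format), the client's private tunnel IP, and the tunnel device fd; logs through the given callback.` and keep the lines about handle/error return values. The new `#[cfg(target_os = "android")]` gate on the declaration means `Tunnel::turn_on_multihop`, which the talpid-wireguard hunk calls, must be gated the same way or non-android targets will fail to compile; the wrapper's definition is not in this diff, so that should be confirmed. The declaration continues past the end of this hunk.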
@@ -304,7 +304,6 @@ mod ffi {
logging_context: LoggingContext,
) -> i32;
-
/// Pass a handle that was created by wgTurnOn to stop a wireguard tunnel.
///
/// Negative return values signify errors.