| -rw-r--r-- | CHANGELOG.md | 3 | ||||
| -rw-r--r-- | talpid-core/src/security/linux/mod.rs | 26 | ||||
| -rw-r--r-- | talpid-core/src/security/macos/mod.rs | 17 | ||||
| -rw-r--r-- | talpid-core/src/security/mod.rs | 8 |
4 files changed, 50 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bd82da208..aa34d0602a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,9 @@ Line wrap the file at 100 chars. Th
 ### Added
 - Replace repeated `Disconnecting` followed by `Connecting` notifications with a single `Reconnecting` notification.
+- Allow packets to the fe80::/10 and fe02::/16 IPv6 networks when local network sharing is enabled.
+ Should allow IPv6 over the LAN, and mDNS host discovery which in turn should allow Apple AirDrop
+ and Handover.
 #### Linux
 - Add support for DNS configuration using resolvconf.
diff --git a/talpid-core/src/security/linux/mod.rs b/talpid-core/src/security/linux/mod.rs
index ecf9e671b5..e336fe21bd 100644
--- a/talpid-core/src/security/linux/mod.rs
+++ b/talpid-core/src/security/linux/mod.rs
@@ -311,7 +311,13 @@ impl<'a> PolicyBatch<'a> {
 check_net(&mut rule, End::Src, IpNetwork::V4(*net))?;
 check_net(&mut rule, End::Dst, IpNetwork::V4(*net))?;
 add_verdict(&mut rule, Verdict::Accept)?;
-
+ self.batch.add(&rule, nftnl::MsgType::Add)?;
+ }
+ for net in &*super::LOCAL_INET6_NETS {
+ let mut rule = Rule::new(chain)?;
+ check_net(&mut rule, End::Src, IpNetwork::V6(*net))?;
+ check_net(&mut rule, End::Dst, IpNetwork::V6(*net))?;
+ add_verdict(&mut rule, Verdict::Accept)?;
 self.batch.add(&rule, nftnl::MsgType::Add)?;
 }
 }
@@ -332,6 +338,17 @@ impl<'a> PolicyBatch<'a> {
 self.batch.add(&rule, nftnl::MsgType::Add)?;
 }
+ for net in &*super::LOCAL_INET6_NETS {
+ let mut rule = Rule::new(&self.out_chain)?;
+ check_net(&mut rule, End::Src, IpNetwork::V6(*net))?;
+ check_net(
+ &mut rule,
+ End::Dst,
+ IpNetwork::V6(*super::MULTICAST_INET6_NET),
+ )?;
+ add_verdict(&mut rule, Verdict::Accept)?;
+ self.batch.add(&rule, nftnl::MsgType::Add)?;
+ }
 Ok(())
 }
 }
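Review bot: The IPv6 loop added in the first linux hunk is the IPv4 loop body repeated line for line, with only the `IpNetwork::V4`/`IpNetwork::V6` wrapper differing, so any future change to how a LAN accept rule is built has to be made twice. Since `check_net` already takes an `IpNetwork`, both loops could feed one chained iterator and share a single body, e.g. `let nets = v4_nets.iter().map(|n| IpNetwork::V4(*n)).chain(super::LOCAL_INET6_NETS.iter().map(|n| IpNetwork::V6(*n)));` followed by one `for net in nets { … check_net(&mut rule, End::Src, net)?; check_net(&mut rule, End::Dst, net)?; … }`, where `v4_nets` is whatever array the IPv4 loop iterates (its header is above the hunk, so the name is not visible here). Note also that neither rule is bound to an interface, so fe80::/10 traffic is accepted on the tunnel interface as well; link-local packets cannot be forwarded off-link, so the exposure is confined, but a comment stating that assumption would help. The enclosing method starts above the hunk.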
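Review bot: The multicast accept added in the second linux hunk is installed only on `self.out_chain`, so the packets a host must receive for mDNS discovery to work — queries and responses arriving from a LAN peer with a fe80::/10 source and a multicast destination — are not matched by anything visible in this diff, because the input-side rule from the first hunk only accepts destinations inside fe80::/10. Unless the input chain already accepts IPv6 multicast elsewhere (not shown), the same src/dst pair needs a mirror rule in the input chain; the IPv4 equivalent is above the hunk, so I cannot tell whether it has that asymmetry too. Separately, the destination this rule accepts is `MULTICAST_INET6_NET`, which this diff defines as fe02::/16 — that is not the IPv6 multicast range (link-scope groups such as mDNS's ff02::fb are in ff02::/16), so as committed the rule passes nothing useful. The enclosing method starts above the hunk.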
@@ -404,7 +421,12 @@ fn check_net(rule: &mut Rule, end: End, net: IpNetwork) -> Result<()> {
 (IpNetwork::V6(_), End::Src) => nft_expr!(payload ipv6 saddr),
 (IpNetwork::V6(_), End::Dst) => nft_expr!(payload ipv6 daddr),
 })?;
- rule.add_expr(&nft_expr!(bitwise mask net.mask(), xor 0))?;
+ match net {
+ IpNetwork::V4(_) => rule.add_expr(&nft_expr!(bitwise mask net.mask(), xor 0u32))?,
+ IpNetwork::V6(_) => {
+ rule.add_expr(&nft_expr!(bitwise mask net.mask(), xor &[0u16; 8][..]))?
+ }
+ };
 rule.add_expr(&nft_expr!(cmp == net.ip()))?;
 Ok(())
diff --git a/talpid-core/src/security/macos/mod.rs b/talpid-core/src/security/macos/mod.rs
index e5dd68b872..2d53ace804 100644
--- a/talpid-core/src/security/macos/mod.rs
+++ b/talpid-core/src/security/macos/mod.rs
@@ -212,6 +212,23 @@ impl NetworkSecurity {
 rules.push(allow_multicast);
 rules.push(allow_ssdp);
 }
+ for net in &*super::LOCAL_INET6_NETS {
+ let mut rule_builder = pfctl::FilterRuleBuilder::default();
+ rule_builder
+ .action(pfctl::FilterRuleAction::Pass)
+ .quick(true)
+ .af(pfctl::AddrFamily::Ipv6)
+ .from(pfctl::Ip::from(ipnetwork_compat(IpNetwork::V6(*net))));
+ let allow_net = rule_builder
+ .to(pfctl::Ip::from(ipnetwork_compat(IpNetwork::V6(*net))))
+ .build()?;
+ let allow_multicast = rule_builder
+ .to(pfctl::Ip::from(ipnetwork_compat(IpNetwork::V6(
+ *super::MULTICAST_INET6_NET,
+ )))).build()?;
+ rules.push(allow_net);
+ rules.push(allow_multicast);
+ }
 Ok(rules)
 }
diff --git a/talpid-core/src/security/mod.rs b/talpid-core/src/security/mod.rs
index 70da5edea5..36b058e5e1 100644
--- a/talpid-core/src/security/mod.rs
+++ b/talpid-core/src/security/mod.rs
@@ -1,8 +1,8 @@
 #[cfg(unix)]
-use ipnetwork::Ipv4Network;
+use ipnetwork::{Ipv4Network, Ipv6Network};
 use std::fmt;
 #[cfg(unix)]
-use std::net::{IpAddr, Ipv4Addr};
+use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 use std::path::Path;
 use talpid_types::net::Endpoint;
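Review bot: The two `xor` operands in the new `match` in `check_net` encode an invariant the reader has to reconstruct — the xor value has to be exactly as wide as the mask it is paired with (4 bytes for an IPv4 mask, 16 for an IPv6 mask), which is why `0u32` goes with `V4` and `&[0u16; 8][..]` with `V6` — and nothing in the hunk says so. A comment above the match, `// the xor operand must match the mask width: 4 bytes (u32) for v4, 16 bytes (8 x u16) for v6`, would make the pairing checkable at a glance. Spelling both as byte slices (`&[0u8; 4][..]` / `&[0u8; 16][..]`) would make the widths visible directly, if nftnl's bitwise expression accepts them the same way, which I cannot verify from here. `check_net` starts above the hunk.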
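Review bot: The macOS loop reuses one `rule_builder` for both rules and calls `.to()` twice on it; this is only correct because the second `.to()` replaces the destination set by the first before `build()`, and that should be stated: `// builder keeps from=<net>; the second .to() replaces the first before build()`. Neither rule sets a direction, so both pass inbound and outbound, whereas the Linux side of this diff adds its multicast accept to the out chain only; that is fine if the IPv4 pf rules above the hunk are direction-less too, but the hunk does not show them, so the two platforms may now differ on which direction of multicast is allowed. The second rule's destination is `MULTICAST_INET6_NET`, which this diff defines as fe02::/16 rather than the ff02::/16 link-scope multicast range, so as committed it will not pass mDNS. The enclosing method starts above the hunk.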
@@ -29,8 +29,12 @@ lazy_static! {
 Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap(),
 Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap(),
 ];
+ static ref LOCAL_INET6_NETS: [Ipv6Network; 1] =
+ [Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap(),];
 static ref MULTICAST_NET: Ipv4Network = Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap();
+ static ref MULTICAST_INET6_NET: Ipv6Network =
+ Ipv6Network::new(Ipv6Addr::new(0xfe02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap();
 static ref SSDP_IP: IpAddr = IpAddr::V4(Ipv4Addr::new(239, 255, 255, 250));
 }
|
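Review bot: `MULTICAST_INET6_NET` is defined as `fe02::/16`, which is not an IPv6 multicast range — IPv6 multicast is `ff00::/8`, and the link-scope groups mDNS uses (`ff02::fb`) live in `ff02::/16`, while `fe02::/16` falls in the reserved `fe00::/9` block — so every rule built from this constant accepts nothing useful and mDNS stays blocked, contradicting the changelog entry in this same diff. The fix is one hex digit, `Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap();`, with the changelog text corrected to `ff02::/16` alongside it. Allowing `ff02::/16` is link-scoped and cannot expose off-link traffic, which mirrors the intent of the `224.0.0.0/24` IPv4 constant next to it; a comment such as `// ff02::/16: link-local-scope multicast, including mDNS (ff02::fb)` would keep the two from drifting. The `,]` closing `LOCAL_INET6_NETS` also looks like it was not run through rustfmt.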
