summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
Diffstat
-rw-r--r--talpid-core/src/security/linux/mod.rs22
1 files changed, 14 insertions, 8 deletions
diff --git a/talpid-core/src/security/linux/mod.rs b/talpid-core/src/security/linux/mod.rs
index 0fb5b394be..c892b24ee3 100644
--- a/talpid-core/src/security/linux/mod.rs
+++ b/talpid-core/src/security/linux/mod.rs
@@ -276,18 +276,24 @@ impl<'a> PolicyBatch<'a> {
tunnel: &tunnel::TunnelMetadata,
protocol: TransportProtocol,
) -> Result<()> {
- let mut rule = Rule::new(&self.out_chain)?;
+ // allow DNS traffic to the tunnel gateway
+ let mut allow_rule = Rule::new(&self.out_chain)?;
- check_iface(&mut rule, Direction::Out, &tunnel.interface[..])?;
- check_port(&mut rule, protocol, End::Dst, 53)?;
- check_l3proto(&mut rule, IpAddr::V4(tunnel.gateway))?;
+ check_iface(&mut allow_rule, Direction::Out, &tunnel.interface[..])?;
+ check_port(&mut allow_rule, protocol, End::Dst, 53)?;
+ check_l3proto(&mut allow_rule, IpAddr::V4(tunnel.gateway))?;
- rule.add_expr(&nft_expr!(payload ipv4 daddr))?;
- rule.add_expr(&nft_expr!(cmp != tunnel.gateway))?;
+ allow_rule.add_expr(&nft_expr!(payload ipv4 daddr))?;
+ allow_rule.add_expr(&nft_expr!(cmp == tunnel.gateway))?;
- add_verdict(&mut rule, &Verdict::Drop)?;
+ add_verdict(&mut allow_rule, &Verdict::Accept)?;
+ self.batch.add(&allow_rule, nftnl::MsgType::Add)?;
+
+ let mut block_rule = Rule::new(&self.out_chain)?;
+ check_port(&mut block_rule, protocol, End::Dst, 53)?;
+ add_verdict(&mut block_rule, &Verdict::Drop)?;
+ self.batch.add(&block_rule, nftnl::MsgType::Add)?;
- self.batch.add(&rule, nftnl::MsgType::Add)?;
Ok(())
}
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.