-rw-r--r--CHANGELOG.md5
-rw-r--r--Cargo.lock4
-rw-r--r--talpid-core/Cargo.toml2
-rw-r--r--talpid-core/src/firewall/macos.rs10
4 files changed, 17 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d37ca3025a..76dd17e16c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,11 @@ Line wrap the file at 100 chars. Th
#### macOS
- DNS was not properly restored in some cases when using custom DNS.
+### Security
+#### macOS
+- Flush states on tunnel state changes. Previously, pre-existing connections could leak when
+ internet sharing was enabled on a device.
+
## [2024.2-beta1] - 2024-04-15
### Added
diff --git a/Cargo.lock b/Cargo.lock
index eedb5dd480..fb0d7780c6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2665,9 +2665,9 @@ dependencies = [
[[package]]
name = "pfctl"
-version = "0.4.5"
+version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5e0c1e1bc65fb241166b7ec8278d89cc2432d41adcbe57ffe1095c81e1d7b44"
+checksum = "27590368dee28aa01e3024b639818a6bf0ad31635d9eca000aad63021a59284d"
dependencies = [
"derive_builder",
"errno 0.2.8",
diff --git a/talpid-core/Cargo.toml b/talpid-core/Cargo.toml
index da10c68513..923ce42a11 100644
--- a/talpid-core/Cargo.toml
+++ b/talpid-core/Cargo.toml
@@ -48,7 +48,7 @@ duct = "0.13"
[target.'cfg(target_os = "macos")'.dependencies]
async-trait = "0.1"
duct = "0.13"
-pfctl = "0.4.4"
+pfctl = "0.4.6"
subslice = "0.2"
system-configuration = "0.5.1"
hickory-proto = { git = "https://github.com/mullvad/hickory-dns", rev = "9e8f8c67fbcb6d2985503027362a3fb022529802" }
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 07e74f45ff..b3502a8441 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -49,7 +49,15 @@ impl Firewall {
pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> {
self.enable()?;
self.add_anchor()?;
- self.set_rules(policy)
+ self.set_rules(policy)?;
+
+ // When entering a secured state, clear connection states
+ // Otherwise, an existing connection may be approved by some other anchor, and leak
+ if let Err(error) = self.pf.clear_interface_states(pfctl::Interface::Any) {
+ log::error!("Failed to clear source state tracking nodes: {error}");
+ }
+
+ Ok(())
}
pub fn reset_policy(&mut self) -> Result<()> {
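Review bot: The new `clear_interface_states` call in `apply_policy` fails open: a flush error is only logged and the function still returns `Ok(())`, so the caller treats the secured state as in force while pre-existing states (the leak the changelog entry describes) may still be live. Either propagate the failure through the function's `Result`, or, if best-effort is deliberate, say so in the comment, e.g. `// Best-effort: rules are already applied; a failed flush is logged but does not fail the policy change`. The log text also names a different operation than the call; `log::error!("Failed to clear interface states: {error}");` would match what was attempted and be easier to alert on. The comment says "when entering a secured state", but the flush runs on every `apply_policy` call with `pfctl::Interface::Any`, which presumably also drops states for connections the new policy allows; worth confirming that is intended.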