| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | talpid-core/src/firewall/linux.rs | 14 |
2 files changed, 16 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6b11b1526..a527310da8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -48,6 +48,10 @@ Line wrap the file at 100 chars. Th
 - Fix inconsistent behavior of the quick-settings tile when logged out. It would sometimes enter the blocking state and sometimes open the UI for the user to login. Now it always opens the UI.
+#### Linux
+- Fix split tunneling rules preventing `systemd-resolved` from performing DNS lookups for excluded
+ processes.
+
 ## [2020.6-beta2] - 2020-08-27
 This release is for Android only.
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index f4a3e07378..fff660f960 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -280,14 +280,14 @@ impl<'a> PolicyBatch<'a> {
     /// policy.
     pub fn finalize(mut self, policy: &FirewallPolicy) -> Result<FinalizedBatch> {
         self.add_loopback_rules()?;
-        self.add_split_tunneling_rules();
+        self.add_split_tunneling_rules()?;
         self.add_dhcp_client_rules();
         self.add_policy_specific_rules(policy)?;
         Ok(self.batch.finalize())
     }
-    fn add_split_tunneling_rules(&mut self) {
+    fn add_split_tunneling_rules(&mut self) -> Result<()> {
         let mangle_chains = [&self.mangle_chain_v4, &self.mangle_chain_v6];
         for chain in &mangle_chains {
             let mut rule = Rule::new(chain);
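Review bot: `add_split_tunneling_rules` becomes fallible in this hunk but gains no doc comment, so a reader of `finalize` cannot tell from the signature which rule can fail or what happens to the policy when it does. From the second hunk, the only `?` inside the function is the loopback interface lookup used by the NAT masquerade rules, so I would add above the new signature: `/// Adds the split-tunnel mangle and NAT rules. Fails only if the index of the loopback interface cannot be resolved; `finalize` then propagates the error before the batch is finalized.` The last clause is my reading of `finalize` returning early on `?`, so please confirm that not applying any policy is the intended fail-closed behaviour. `finalize`'s own doc comment (ending in `/// policy.`) starts outside the hunk and may want the same caveat.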
@@ -314,12 +314,22 @@ impl<'a> PolicyBatch<'a> {
         let nat_chains = [&self.nat_chain_v4, &self.nat_chain_v6];
         for chain in &nat_chains {
             let mut rule = Rule::new(chain);
+
+            // Don't masquerade packets on the loopback device.
+            let iface_index = crate::linux::iface_index("lo") .map_err(|e| Error::LookupIfaceIndexError("lo".to_string(), e))?;
+            rule.add_expr(&nft_expr!(meta oif));
+            rule.add_expr(&nft_expr!(cmp != iface_index));
+
             rule.add_expr(&nft_expr!(ct mark));
             rule.add_expr(&nft_expr!(cmp == split_tunnel::MARK));
+
             rule.add_expr(&nft_expr!(masquerade));
             add_verdict(&mut rule, &Verdict::Accept);
             self.batch.add(&rule, nftnl::MsgType::Add);
         }
+
+        Ok(())
     }
     fn add_loopback_rules(&mut self) -> Result<()> {
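Review bot: The `iface_index("lo")` lookup is placed inside `for chain in &nat_chains`, so the same constant name is resolved once per NAT chain (v4 and v6) and each iteration is a separate failure point; hoisting it above the loop does the work once and makes the single `?` that can abort the whole batch obvious. Move `let iface_index = crate::linux::iface_index("lo").map_err(|e| Error::LookupIfaceIndexError("lo".to_string(), e))?;` to just before `for chain in &nat_chains {` and keep only the two `add_expr` calls for `meta oif` / `cmp != iface_index` in the loop. The comment `// Don't masquerade packets on the loopback device.` states what the rule does but not why; the changelog hunk gives the reason, so I would extend it to `// Don't masquerade packets on the loopback device: excluded processes must still reach the local stub resolver (systemd-resolved) with their own source address.` That wording is my reading of the changelog entry rather than of this code, so adjust it if the actual cause differs.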
