| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 3bf6bc8db6..d23a48fd49 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -71,6 +71,7 @@ impl PacketFilter {
             .quick(true)
             .to(pfctl::Port::One(53, pfctl::PortUnaryModifier::Equal))
             .keep_state(pfctl::StatePolicy::Keep)
+            .tcp_flags(Self::get_tcp_flags())
             .build()?;
 
         let mut new_rules = self.get_loopback_rules()?;
@@ -97,6 +98,7 @@ impl PacketFilter {
             .to(relay_endpoint)
             .proto(relay_endpoint)
             .keep_state(pfctl::StatePolicy::Keep)
+            .tcp_flags(Self::get_tcp_flags())
             .quick(true)
             .build()
     }
@@ -106,6 +108,7 @@ impl PacketFilter {
             .action(pfctl::RuleAction::Pass)
             .interface(tunnel_interface)
             .keep_state(pfctl::StatePolicy::Keep)
+            .tcp_flags(Self::get_tcp_flags())
             .quick(true)
             .build()
     }
@@ -115,11 +118,19 @@ impl PacketFilter {
             .action(pfctl::RuleAction::Pass)
             .interface("lo0")
             .keep_state(pfctl::StatePolicy::Keep)
+            .tcp_flags(Self::get_tcp_flags())
             .quick(true)
             .build()?;
         Ok(vec![lo0_rule])
     }
 
+    fn get_tcp_flags() -> pfctl::TcpFlags {
+        pfctl::TcpFlags::new(
+            &[pfctl::TcpFlag::Syn],
+            &[pfctl::TcpFlag::Syn, pfctl::TcpFlag::Ack],
+        )
+    }
+
     fn remove_rules(&mut self) -> Result<()> {
         // remove_anchor() does not deactivate active rules
         self.pf.flush_rules(ANCHOR_NAME, pfctl::RulesetKind::Filter) |
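Review bot: `get_tcp_flags` in the last hunk carries no comment explaining why the check set is `Syn` against a mask of `Syn, Ack`, and the intent is not obvious from the four call sites; a doc comment such as `/// pf's 'flags S/SA': only an initial SYN (SYN set, ACK clear) may create state, so a stray mid-stream segment cannot establish a new state entry on its own.` would record it. The same restriction now applies to the port-53 rule in the first hunk, whose `proto` is set outside the hunk; pf evaluates `flags` only against TCP segments, so UDP DNS should be unaffected, but that is worth confirming against the full rule. A consequence worth noting next to the helper is that a TCP connection already established before these rules were loaded has no state entry, so its non-SYN segments will no longer match these pass rules and it stalls until the peer reconnects, unless another rule passes them. Rust convention drops the `get_` prefix for a plain accessor, so `fn tcp_flags() -> pfctl::TcpFlags` would read more idiomatically.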
