use mullvad_daemon::settings::{self, SettingsPersister};
use talpid_core::firewall::{self, Firewall, FirewallPolicy};

/// Errors that can occur while bringing up the early-boot firewall.
///
/// Every variant wraps the underlying error via `#[from]`, so `?` in this
/// module converts the firewall, path and settings errors directly.
#[derive(thiserror::Error, Debug)]
pub enum Error {
    /// `Firewall::new` or `apply_policy` failed.
    #[error("Failed to initialize firewall")]
    Firewall(#[from] firewall::Error),

    /// The settings directory could not be resolved.
    #[error("Failed to get settings path")]
    Path(#[from] mullvad_paths::Error),

    /// Reading the persisted settings failed.
    #[error("Failed to get settings")]
    Settings(#[from] settings::Error),
}

/// Applies a blocking firewall policy as early as possible during boot.
///
/// The policy is `FirewallPolicy::Blocked` with no allowed endpoint; the only
/// knob taken from persisted settings is `allow_lan`. If the settings cannot be
/// read, the function fails closed: LAN traffic is blocked and the failure is
/// only logged, never propagated.
///
/// # Errors
///
/// Returns [`Error::Firewall`] if the firewall cannot be created or the policy
/// cannot be applied.
pub async fn initialize_firewall() -> Result<(), Error> {
    // Create the firewall first so a broken firewall backend is reported
    // before any settings are touched.
    let mut fw = Firewall::new(mullvad_types::TUNNEL_FWMARK)?;

    // Fail closed: an unreadable settings file means no LAN exemption.
    let allow_lan = match get_allow_lan().await {
        Ok(value) => value,
        Err(err) => {
            log::info!(
                "Not allowing LAN traffic due to failing to read settings: {}",
                err
            );
            false
        }
    };

    let blocked = FirewallPolicy::Blocked {
        allow_lan,
        allowed_endpoint: None,
    };
    log::info!("Applying firewall policy {blocked}");
    fw.apply_policy(blocked)?;
    Ok(())
}

/// Reads the persisted `allow_lan` setting from the settings directory.
///
/// # Errors
///
/// Returns [`Error::Path`] if the settings directory cannot be resolved.
async fn get_allow_lan() -> Result<bool, Error> {
    let settings_dir = mullvad_paths::settings_dir()?;
    // NOTE: This may fail if the daemon has not been restarted after an upgrade.
    //       In that case `allow_lan` ends up disabled during early boot, which
    //       is the more restrictive outcome and is probably acceptable.
    let allow_lan = SettingsPersister::read_only(&settings_dir).await.allow_lan;
    Ok(allow_lan)
}