Merge branch 'reassemble-before-pf-filter'

mullvad · Sep 4, 2024 · 4491033 · 4491033
2 parents a9ff9d5 + 5740b9f
commit 4491033
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -44,6 +44,8 @@ Line wrap the file at 100 chars.                                              Th
 #### macOS
 - Exclude programs when executed using a relative path from a shell.
 - Reduce packet loss when using split tunneling.
+- Don't block fragmented packets in the PF firewall. Fixes various issues relating to connecting
+  (and general instability) when IP fragmentation is present.
 
 
 ## [2024.5] - 2024-09-03

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/talpid-core/Cargo.toml b/talpid-core/Cargo.toml
@@ -47,7 +47,7 @@ duct = "0.13"
 [target.'cfg(target_os = "macos")'.dependencies]
 async-trait = "0.1"
 duct = "0.13"
-pfctl = "0.5.0"
+pfctl = "0.6.0"
 subslice = "0.2"
 system-configuration = "0.5.1"
 hickory-proto = "0.24.1"

diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
@@ -154,11 +154,21 @@ impl Firewall {
         new_filter_rules.push(drop_all_rule);
 
         let mut anchor_change = pfctl::AnchorChange::new();
+        anchor_change.set_scrub_rules(Self::get_scrub_rules()?);
         anchor_change.set_filter_rules(new_filter_rules);
         anchor_change.set_redirect_rules(self.get_dns_redirect_rules(policy)?);
         self.pf.set_rules(ANCHOR_NAME, anchor_change)
     }
 
+    fn get_scrub_rules() -> Result<Vec<pfctl::ScrubRule>> {
+        // Filter only reassembled packets. Without this, PF will filter based on individual
+        // fragments, which may not have complete transport-layer headers.
+        let scrub_rule = pfctl::ScrubRuleBuilder::default()
+            .action(pfctl::ScrubRuleAction::Scrub)
+            .build()?;
+        Ok(vec![scrub_rule])
+    }
+
     fn get_dns_redirect_rules(
         &mut self,
         policy: &FirewallPolicy,
@@ -773,14 +783,18 @@ impl Firewall {
             .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Filter)?;
         self.pf
             .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Redirect)?;
+        self.pf
+            .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Scrub)?;
         Ok(())
     }
 
     fn remove_anchor(&mut self) -> Result<()> {
         self.pf
-            .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Filter)?;
+            .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Scrub)?;
         self.pf
             .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Redirect)?;
+        self.pf
+            .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Filter)?;
         Ok(())
     }
 }