Publicly define constants for LAN IPs
dlon committed Aug 9, 2024
1 parent aedf04c commit f69125b
Showing 7 changed files with 63 additions and 66 deletions.
11 changes: 7 additions & 4 deletions talpid-core/src/firewall/linux.rs
Expand Up @@ -12,7 +12,10 @@ use std::{
fs, io,
net::{IpAddr, Ipv4Addr},
};
use talpid_types::net::{AllowedEndpoint, AllowedTunnelTraffic, Endpoint, TransportProtocol};
use talpid_types::net::{
AllowedEndpoint, AllowedTunnelTraffic, Endpoint, TransportProtocol, ALLOWED_LAN_MULTICAST_NETS,
ALLOWED_LAN_NETS,
};

/// Priority for rules that tag split tunneling packets. Equals NF_IP_PRI_MANGLE.
const MANGLE_CHAIN_PRIORITY: i32 = libc::NF_IP_PRI_MANGLE;
Expand Down Expand Up @@ -840,15 +843,15 @@ impl<'a> PolicyBatch<'a> {
// Output and forward chains
for chain in &[&self.out_chain, &self.forward_chain] {
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
for net in &*ALLOWED_LAN_NETS {
let mut out_rule = Rule::new(chain);
check_net(&mut out_rule, End::Dst, *net);
add_verdict(&mut out_rule, &Verdict::Accept);
self.batch.add(&out_rule, nftnl::MsgType::Add);
}

// LAN -> Multicast
for net in &*super::ALLOWED_LAN_MULTICAST_NETS {
for net in &*ALLOWED_LAN_MULTICAST_NETS {
let mut rule = Rule::new(chain);
check_net(&mut rule, End::Dst, *net);
add_verdict(&mut rule, &Verdict::Accept);
Expand All @@ -858,7 +861,7 @@ impl<'a> PolicyBatch<'a> {

// Input chain
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
for net in &*ALLOWED_LAN_NETS {
let mut in_rule = Rule::new(&self.in_chain);
check_net(&mut in_rule, End::Src, *net);
add_verdict(&mut in_rule, &Verdict::Accept);
8 changes: 5 additions & 3 deletions talpid-core/src/firewall/macos.rs
Expand Up @@ -8,7 +8,9 @@ use std::{
ptr,
};
use subslice::SubsliceExt;
use talpid_types::net::{self, AllowedEndpoint, AllowedTunnelTraffic};
use talpid_types::net::{
self, AllowedEndpoint, AllowedTunnelTraffic, ALLOWED_LAN_MULTICAST_NETS, ALLOWED_LAN_NETS,
};

pub use pfctl::Error;

Expand Down Expand Up @@ -494,7 +496,7 @@ impl Firewall {

fn get_allow_lan_rules(&self) -> Result<Vec<pfctl::FilterRule>> {
let mut rules = vec![];
for net in &*super::ALLOWED_LAN_NETS {
for net in &*ALLOWED_LAN_NETS {
let mut rule_builder = self.create_rule_builder(FilterRuleAction::Pass);
rule_builder.quick(true);
let allow_out = rule_builder
Expand All @@ -510,7 +512,7 @@ impl Firewall {
rules.push(allow_out);
rules.push(allow_in);
}
for multicast_net in &*super::ALLOWED_LAN_MULTICAST_NETS {
for multicast_net in &*ALLOWED_LAN_MULTICAST_NETS {
let allow_multicast_out = self
.create_rule_builder(FilterRuleAction::Pass)
.quick(true)
41 changes: 3 additions & 38 deletions talpid-core/src/firewall/mod.rs
Expand Up @@ -4,7 +4,7 @@ use std::{
fmt,
net::{IpAddr, Ipv4Addr, Ipv6Addr},
};
use talpid_types::net::{AllowedEndpoint, AllowedTunnelTraffic};
use talpid_types::net::{AllowedEndpoint, AllowedTunnelTraffic, ALLOWED_LAN_NETS};

#[cfg(target_os = "macos")]
#[path = "macos.rs"]
Expand All @@ -24,39 +24,6 @@ mod imp;

pub use self::imp::Error;

/// When "allow local network" is enabled the app will allow traffic to and from these networks.
pub(crate) static ALLOWED_LAN_NETS: Lazy<[IpNetwork; 6]> = Lazy::new(|| {
[
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()),
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()),
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()),
]
});
/// When "allow local network" is enabled the app will allow traffic to these networks.
#[cfg(any(target_os = "linux", target_os = "macos", target_os = "android"))]
pub(crate) static ALLOWED_LAN_MULTICAST_NETS: Lazy<[IpNetwork; 8]> = Lazy::new(|| {
[
// Local network broadcast. Not routable
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(255, 255, 255, 255), 32).unwrap()),
// Local subnetwork multicast. Not routable
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap()),
// Admin-local IPv4 multicast.
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(239, 0, 0, 0), 8).unwrap()),
// Interface-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Link-local IPv6 multicast. IPv6 equivalent of 224.0.0.0/24
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Realm-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Admin-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Site-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
]
});
#[cfg(any(target_os = "linux", target_os = "macos"))]
static IPV6_LINK_LOCAL: Lazy<Ipv6Network> =
Lazy::new(|| Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap());
Expand All @@ -76,10 +43,8 @@ static SOLICITED_NODE_MULTICAST: Lazy<Ipv6Network> =
Lazy::new(|| Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 1, 0xFF00, 0), 104).unwrap());
static LOOPBACK_NETS: Lazy<[IpNetwork; 2]> = Lazy::new(|| {
[
IpNetwork::V4(ipnetwork::Ipv4Network::new(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap()),
IpNetwork::V6(
ipnetwork::Ipv6Network::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1), 128).unwrap(),
),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap()),
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1), 128).unwrap()),
]
});
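Review bot: The statics that stay in this file (`IPV6_LINK_LOCAL`, `SOLICITED_NODE_MULTICAST`, `LOOPBACK_NETS`) still use `Lazy`, while the two tables moved to talpid-types switch to `std::sync::LazyLock`, so the same pattern is now spelled two ways across the workspace. Since talpid-types builds with `LazyLock`, the toolchain evidently allows it, and migrating the remaining statics too — e.g. `static LOOPBACK_NETS: LazyLock<[IpNetwork; 2]> = LazyLock::new(|| {` — would keep the crates consistent and may let the `Lazy` import (presumably once_cell) go. Dropping the `ipnetwork::` path prefix inside `LOOPBACK_NETS` reads fine and keeps the existing `Ipv4Network` import in use now that the LAN table is gone.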

6 changes: 0 additions & 6 deletions talpid-core/src/tunnel_state_machine/mod.rs
Expand Up @@ -141,12 +141,6 @@ pub async fn spawn(
#[cfg(target_os = "android")]
initial_settings.dns_servers.clone(),
#[cfg(target_os = "android")]
crate::firewall::ALLOWED_LAN_NETS
.iter()
.chain(crate::firewall::ALLOWED_LAN_MULTICAST_NETS.iter())
.cloned()
.collect(),
#[cfg(target_os = "android")]
initial_settings.exclude_paths.clone(),
);

23 changes: 10 additions & 13 deletions talpid-tunnel/src/tun_provider/android/mod.rs
Expand Up @@ -16,6 +16,7 @@ use std::{
os::unix::io::{AsRawFd, RawFd},
sync::Arc,
};
use talpid_types::net::{ALLOWED_LAN_MULTICAST_NETS, ALLOWED_LAN_NETS};
use talpid_types::{android::AndroidContext, ErrorExt};

/// Errors that occur while setting up VpnService tunnel.
Expand Down Expand Up @@ -57,7 +58,6 @@ pub struct AndroidTunProvider {
last_tun_config: Option<(TunConfig, bool)>,
allow_lan: bool,
custom_dns_servers: Option<Vec<IpAddr>>,
allowed_lan_networks: Vec<IpNetwork>,
excluded_packages: Vec<String>,
}

Expand All @@ -67,7 +67,6 @@ impl AndroidTunProvider {
context: AndroidContext,
allow_lan: bool,
custom_dns_servers: Option<Vec<IpAddr>>,
allowed_lan_networks: Vec<IpNetwork>,
excluded_packages: Vec<String>,
) -> Self {
let env = JnixEnv::from(
Expand All @@ -85,7 +84,6 @@ impl AndroidTunProvider {
last_tun_config: None,
allow_lan,
custom_dns_servers,
allowed_lan_networks,
excluded_packages,
}
}
Expand Down Expand Up @@ -129,7 +127,6 @@ impl AndroidTunProvider {
fn get_tun_inner(&mut self, config: TunConfig, blocking: bool) -> Result<VpnServiceTun, Error> {
let service_config = VpnServiceConfig::new(
config.clone(),
&self.allowed_lan_networks,
self.allow_lan,
if !blocking {
self.custom_dns_servers.clone()
Expand Down Expand Up @@ -293,13 +290,12 @@ struct VpnServiceConfig {
impl VpnServiceConfig {
pub fn new(
tun_config: TunConfig,
allowed_lan_networks: &[IpNetwork],
allow_lan: bool,
dns_servers: Option<Vec<IpAddr>>,
excluded_packages: Vec<String>,
) -> VpnServiceConfig {
let dns_servers = Self::resolve_dns_servers(&tun_config, dns_servers);
let routes = Self::resolve_routes(&tun_config, allowed_lan_networks, allow_lan);
let routes = Self::resolve_routes(&tun_config, allow_lan);

VpnServiceConfig {
addresses: tun_config.addresses,
Expand All @@ -318,11 +314,7 @@ impl VpnServiceConfig {

/// Potentially subtract LAN nets from the VPN service routes, excepting gateways.
/// This prevents LAN traffic from going in the tunnel.
fn resolve_routes(
config: &TunConfig,
allowed_lan_networks: &[IpNetwork],
allow_lan: bool,
) -> Vec<InetNetwork> {
fn resolve_routes(config: &TunConfig, allow_lan: bool) -> Vec<InetNetwork> {
if !allow_lan {
return config
.routes
Expand All @@ -339,8 +331,7 @@ impl VpnServiceConfig {
.into_iter()
.collect::<Vec<IpNetwork>>();

let (original_lan_ipv4_networks, original_lan_ipv6_networks) = allowed_lan_networks
.iter()
let (original_lan_ipv4_networks, original_lan_ipv6_networks) = Self::allowed_lan_networks()
.cloned()
.partition::<Vec<_>, _>(|network| network.is_ipv4());

Expand All @@ -367,6 +358,12 @@ impl VpnServiceConfig {
.map(InetNetwork::from)
.collect()
}

fn allowed_lan_networks() -> impl Iterator<Item = &'static IpNetwork> {
ALLOWED_LAN_NETS
.iter()
.chain(ALLOWED_LAN_MULTICAST_NETS.iter())
}
}

#[derive(Clone, Debug, Eq, PartialEq, IntoJava)]
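Review bot: The `allowed_lan_networks()` helper added at the end of `impl VpnServiceConfig` has no doc comment even though it now decides which destinations are carved out of the VPN routes; a one-liner such as `/// Every LAN destination excluded from the tunnel routes when allow-LAN is on: the unicast LAN nets followed by the LAN multicast/broadcast nets.` would state that intent at the definition rather than only in the comment above `resolve_routes`. The helper yields `&'static IpNetwork` and `resolve_routes` immediately calls `.cloned()` on it; if `IpNetwork` is `Copy`, `.copied()` expresses the cost more precisely. `resolve_routes` itself continues past the end of this hunk.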
38 changes: 37 additions & 1 deletion talpid-types/src/net/mod.rs
@@ -1,11 +1,13 @@
use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network};
use obfuscation::ObfuscatorConfig;
use serde::{Deserialize, Serialize};
#[cfg(windows)]
use std::path::PathBuf;
use std::{
fmt,
net::{IpAddr, SocketAddr},
net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
str::FromStr,
sync::LazyLock,
};

use self::proxy::{CustomProxy, Socks5Local};
Expand All @@ -15,6 +17,40 @@ pub mod openvpn;
pub mod proxy;
pub mod wireguard;

/// When "allow local network" is enabled the app will allow traffic to and from these networks.
pub static ALLOWED_LAN_NETS: LazyLock<[IpNetwork; 6]> = LazyLock::new(|| {
[
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()),
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()),
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()),
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()),
]
});

/// When "allow local network" is enabled the app will allow traffic to these networks.
pub static ALLOWED_LAN_MULTICAST_NETS: LazyLock<[IpNetwork; 8]> = LazyLock::new(|| {
[
// Local network broadcast. Not routable
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(255, 255, 255, 255), 32).unwrap()),
// Local subnetwork multicast. Not routable
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap()),
// Admin-local IPv4 multicast.
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(239, 0, 0, 0), 8).unwrap()),
// Interface-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Link-local IPv6 multicast. IPv6 equivalent of 224.0.0.0/24
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Realm-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Admin-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Site-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
]
});

/// TunnelParameters are used to encapsulate all the data needed to start a tunnel. This is enum
/// should be generated by implementations of the trait
/// `talpid-core::tunnel_state_machine::TunnelParametersGenerator`
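Review bot: `ALLOWED_LAN_NETS` and `ALLOWED_LAN_MULTICAST_NETS` become public API of a shared crate here, yet their doc comments are carried over unchanged from the crate-private originals and do not say what adding an entry means: every network listed is accepted by the Linux/macOS allow-LAN firewall rules, subtracted from the Android VPN routes, and mirrored by hand in `g_privateIpRanges` in `windows/winfw/src/winfw/winfw.cpp`. Suggest extending both docs with something like `/// Security-sensitive: anything listed here bypasses the tunnel when allow-LAN is enabled; keep in sync with g_privateIpRanges in windows/winfw/src/winfw/winfw.cpp.` Both tables are built with `.unwrap()` inside `LazyLock`, so a malformed entry would surface only as a panic at first use; a small `#[test]` that forces both statics (`let _ = (&*ALLOWED_LAN_NETS, &*ALLOWED_LAN_MULTICAST_NETS);`) would catch that in CI and is a natural place to also pin the expected entry counts. The old `#[cfg(any(linux, macos, android))]` gate on the multicast table is dropped in the move, which looks intentional since it is plain data, but is worth a word in the commit message.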
2 changes: 1 addition & 1 deletion windows/winfw/src/winfw/winfw.cpp
Expand Up @@ -50,7 +50,7 @@ std::optional<T> MakeOptional(T* object)
//
// Networks for which DNS requests can be made on all network adapters.
//
// This should be synchronized with `ALLOWED_LAN_NETS` in talpid-core,
// This should be synchronized with `ALLOWED_LAN_NETS` in talpid-types,
// but it also includes loopback addresses.
//
wfp::IpNetwork g_privateIpRanges[] = {
