Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter only on reassembled packets in PF #6738

Merged
merged 2 commits into from
Sep 4, 2024
Merged

Filter only on reassembled packets in PF #6738

merged 2 commits into from
Sep 4, 2024

Conversation

dlon
Copy link
Member

@dlon dlon commented Sep 4, 2024
edited
Loading

This fixes an issue of fragments being blocked by PF. This was primarily noticed when using Shadowsocks and PQ but it fixes other issues as well.

Fix DES-1212.

This change is Reviewable

@dlon dlon requested a review from faern September 4, 2024 12:46
@linear Linear
Copy link

linear bot commented Sep 4, 2024

DES-1211 Add support for scrubbing/reassembly to pfctl-rs

@linear Linear
Copy link

linear bot commented Sep 4, 2024

DES-1212 Reassemble fragments in macOS firewall

faern
faern previously approved these changes Sep 4, 2024
View reviewed changes
Copy link
Member

@faern faern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 4 of 4 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @dlon)

talpid-core/src/firewall/macos.rs line 164 at r1 (raw file):

    fn get_scrub_rules() -> Result<Vec<pfctl::ScrubRule>> {
        let scrub_rule = pfctl::ScrubRuleBuilder::default()

If we just add a small comment about this rule I'm happy with the PR! The rule itself is not very self explanatory. Just a quick note about this rule being required to make PF process reassembled packets, not fragments.

@dlon dlon force-pushed the reassemble-before-pf-filter branch 3 times, most recently from e49e68b to a71423e Compare September 4, 2024 14:15
@dlon dlon requested a review from faern September 4, 2024 14:21
faern
faern approved these changes Sep 4, 2024
View reviewed changes
Copy link
Member

@faern faern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

dlon added 2 commits September 4, 2024 17:00
@dlon
Filter only on reassembled packets in PF
bb90f48 
This fixes an issue of fragments being blocked by PF, causing
instability and timeouts
@dlon
Update changelog
5740b9f
@dlon dlon force-pushed the reassemble-before-pf-filter branch from a71423e to 5740b9f Compare September 4, 2024 15:00
@dlon dlon merged commit 4491033 into main Sep 4, 2024
53 checks passed
@dlon dlon deleted the reassemble-before-pf-filter branch September 4, 2024 15:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@faern faern faern approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dlon @faern