Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Apple services workarounds for unaffected macOS versions #7256

Merged
merged 3 commits into from
Dec 2, 2024
Merged

Remove Apple services workarounds for unaffected macOS versions #7256

merged 3 commits into from
Dec 2, 2024

Conversation

MarkusPettersson98
Copy link
Contributor

@MarkusPettersson98 MarkusPettersson98 commented Nov 28, 2024
edited by faern
Loading

This PR gates the NAT filter rules that we introduced in #6911 to only the affected macOS versions, since we don't need them otherwise. They were added to mitigate the problem of Apple services not working properly together with the Mullvad VPN app as reported in #6521.

This PR additionally disables our local DNS resolver by default for the same macOS versions, which has been enabled since #6890. We found an issue with some services such as Orbstack setting the pf flag skip on loopback, which would mess with our redirect of DNS to our local DNS resolver. Hopefully this can help fix #7058 (at least partially).

This change is Reviewable

@linear Linear
Copy link

linear bot commented Nov 28, 2024

DES-1359 Remove macOS Apple app fix (NAT firewall rules) for macOS >=15.1

@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch from a2966d2 to a06f5a7 Compare November 28, 2024 13:12
dlon
dlon reviewed Nov 28, 2024
View reviewed changes
Copy link
Member

@dlon dlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 3 of 6 files at r1, 5 of 6 files at r3, all commit messages.
Reviewable status: 5 of 6 files reviewed, 2 unresolved discussions (waiting on @MarkusPettersson98)

talpid-core/src/resolver.rs line 48 at r1 (raw file):

Not

Nit: note

It could probably be rephrased to clarify that the setting doesn't affect the error/blocked state.

talpid-core/src/dns/macos.rs line 81 at r1 (raw file):

    }

    /// Construct a [DnsConfig] from the arguments and apply the desired addresses to all network services.

Is DnsConfig supposed to be DnsSettings?

dlon
dlon previously approved these changes Nov 28, 2024
View reviewed changes
Copy link
Member

@dlon dlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 6 files at r3.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @MarkusPettersson98)

@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch from a06f5a7 to 2d31832 Compare November 28, 2024 13:33
MarkusPettersson98
MarkusPettersson98 commented Nov 28, 2024
View reviewed changes
Copy link
Contributor Author

@MarkusPettersson98 MarkusPettersson98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 0 of 6 files reviewed, all discussions resolved (waiting on @dlon)

talpid-core/src/resolver.rs line 48 at r1 (raw file):

Previously, dlon (David Lönnhager) wrote…

Not

Nit: note

It could probably be rephrased to clarify that the setting doesn't affect the error/blocked state.

Done

talpid-core/src/dns/macos.rs line 81 at r1 (raw file):

Previously, dlon (David Lönnhager) wrote…

Is DnsConfig supposed to be DnsSettings?

Done

dlon
dlon previously approved these changes Nov 28, 2024
View reviewed changes
Copy link
Member

@dlon dlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 6 of 6 files at r5, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

dlon
dlon previously approved these changes Nov 28, 2024
View reviewed changes
Copy link
Member

@dlon dlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 2 of 2 files at r6, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@hulthe hulthe added the Daemon Issues related to mullvad-daemon label Nov 28, 2024
@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch 3 times, most recently from a8d8998 to f0680f0 Compare December 2, 2024 09:41
@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch 5 times, most recently from 8038cba to 6d7161d Compare December 2, 2024 12:47
hulthe
hulthe requested changes Dec 2, 2024
View reviewed changes
Copy link
Contributor

@hulthe hulthe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 3 of 6 files at r5, 1 of 2 files at r6.
Reviewable status: 2 of 6 files reviewed, 5 unresolved discussions (waiting on @dlon and @MarkusPettersson98)

talpid-core/src/tunnel_state_machine/connected_state.rs line 173 at r7 (raw file):

        // On macOS, configure only the local DNS resolver
        #[cfg(target_os = "macos")]
        // We do not want to forward DNS queries to *our* local resolver the DNS config

"if the DNS config is a loopback address"?

talpid-core/src/tunnel_state_machine/connected_state.rs line 182 at r7 (raw file):

                .map_err(BoxedError::new)?;
        } else {
            log::debug!("Enabling DNS forwarding");

🪒🐂 IMO the log statements shouldn't say "Enabling DNS forwarding", but instead "Enabling local DNS resolver", as forwarding queries isn't the point, it's an implementation detail.

talpid-core/src/tunnel_state_machine/connected_state.rs line 184 at r7 (raw file):

            log::debug!("Enabling DNS forwarding");
            let local_resolver_config = dns_config.addresses().collect();
            // Forward all DNS requests to our local DNS resolver

I think this comment is incorrect

AFAICT, enable_forward tells the local resolver to start forwarding queries to some external DNS resolver, i.e. nothing is forwarded to the local resolver.

talpid-core/src/tunnel_state_machine/connecting_state.rs line 56 at r7 (raw file):

    ) -> (Box<dyn TunnelState>, TunnelStateTransition) {
        #[cfg(target_os = "macos")]
        if *LOCAL_DNS_RESOLVER {

Do we not want to check dns_config.is_loopback() here as well?

talpid-core/src/firewall/macos.rs line 981 at r7 (raw file):

        let _ = self
            .pf
            .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat);

Have you considered ignoring only some error kinds?

        self.pf
            .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat)
            .or_else(|e| match e.kind() {
                pfctl::ErrorKind::AnchorDoesNotExist => Ok(()),
                _ => Err(e),
            })?;

@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch from 6d7161d to caefe8e Compare December 2, 2024 13:39
MarkusPettersson98
MarkusPettersson98 commented Dec 2, 2024
View reviewed changes
Copy link
Contributor Author

@MarkusPettersson98 MarkusPettersson98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 2 of 6 files reviewed, 3 unresolved discussions (waiting on @dlon, @hulthe, and @MarkusPettersson98)

talpid-core/src/tunnel_state_machine/connected_state.rs line 173 at r7 (raw file):

Previously, hulthe (Joakim Hulthe) wrote…

"if the DNS config is a loopback address"?

Done.

talpid-core/src/tunnel_state_machine/connected_state.rs line 182 at r7 (raw file):

Previously, hulthe (Joakim Hulthe) wrote…

🪒🐂 IMO the log statements shouldn't say "Enabling DNS forwarding", but instead "Enabling local DNS resolver", as forwarding queries isn't the point, it's an implementation detail.

Done

talpid-core/src/tunnel_state_machine/connected_state.rs line 184 at r7 (raw file):

Previously, hulthe (Joakim Hulthe) wrote…

I think this comment is incorrect

AFAICT, enable_forward tells the local resolver to start forwarding queries to some external DNS resolver, i.e. nothing is forwarded to the local resolver.

Done

talpid-core/src/tunnel_state_machine/connecting_state.rs line 56 at r7 (raw file):

Previously, hulthe (Joakim Hulthe) wrote…

Do we not want to check dns_config.is_loopback() here as well?

No, this was the behaviour before 2024.6, so we just revert to that if LOCAL_DNS_RESOLVER is false:)

@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch from caefe8e to eb04b57 Compare December 2, 2024 13:45
MarkusPettersson98
MarkusPettersson98 commented Dec 2, 2024
View reviewed changes
Copy link
Contributor Author

@MarkusPettersson98 MarkusPettersson98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 2 of 6 files reviewed, 2 unresolved discussions (waiting on @dlon and @hulthe)

talpid-core/src/firewall/macos.rs line 981 at r7 (raw file):

Previously, hulthe (Joakim Hulthe) wrote…

Have you considered ignoring only some error kinds?

        self.pf
            .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat)
            .or_else(|e| match e.kind() {
                pfctl::ErrorKind::AnchorDoesNotExist => Ok(()),
                _ => Err(e),
            })?;

Turns out this was already the case with try_remove_anchor, it ignores pfctl::Error::AnchorDoesNotExist error! Added a comment to explain that we rely on this behaviour

hulthe
hulthe previously approved these changes Dec 2, 2024
View reviewed changes
Copy link
Contributor

@hulthe hulthe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 6 files at r5, 1 of 2 files at r6, 2 of 3 files at r10, 2 of 2 files at r11, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

talpid-core/src/firewall/macos.rs line 981 at r7 (raw file):

Previously, MarkusPettersson98 (Markus Pettersson) wrote…

Turns out this was already the case with try_remove_anchor, it ignores pfctl::Error::AnchorDoesNotExist error! Added a comment to explain that we rely on this behaviour

5/7 perfect code

talpid-core/src/tunnel_state_machine/connecting_state.rs line 56 at r7 (raw file):

Previously, MarkusPettersson98 (Markus Pettersson) wrote…

No, this was the behaviour before 2024.6, so we just revert to that if LOCAL_DNS_RESOLVER is false:)

coolio

@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch 2 times, most recently from 280d51a to f024120 Compare December 2, 2024 14:05
@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch 2 times, most recently from 4ccdf9f to f045fa1 Compare December 2, 2024 14:25
@MarkusPettersson98
Improve documentation on how to debug pf
7cd9973
@MarkusPettersson98
Disable Apple services workaroudns for unaffected macOS versions
3bae761 
Do not apply redirect rules for DNS requests to port 53 to loopback on
macOS versions that do not need the apple services NAT-redirect
workaround. This effectively reverts to the old behaviour were a local
DNS resolver is used only in the blocked and connecting states for macOS
versions *not* in the version range 14.6 <= version < 15.1.

Revert the nat redirect rules that were added to force traffic through
the tunnel interface. This hack is no longer needed since it was fixed
by apple in macOS 15.1.
@MarkusPettersson98 MarkusPettersson98 force-pushed the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch from f045fa1 to 3bae761 Compare December 2, 2024 14:27
hulthe
hulthe previously approved these changes Dec 2, 2024
View reviewed changes
Copy link
Contributor

@hulthe hulthe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 5 files at r12, 4 of 4 files at r13, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

hulthe
hulthe approved these changes Dec 2, 2024
View reviewed changes
Copy link
Contributor

@hulthe hulthe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 1 files at r14, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@MarkusPettersson98 MarkusPettersson98 merged commit 8bc1412 into main Dec 2, 2024
57 checks passed
@MarkusPettersson98 MarkusPettersson98 deleted the remove-macos-apple-app-fix-nat-firewall-rules-for-macos-151-des-1359 branch December 2, 2024 14:49
@MarkusPettersson98 MarkusPettersson98 mentioned this pull request Dec 2, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hulthe hulthe hulthe approved these changes

@dlon dlon dlon left review comments

Assignees
No one assigned
Labels
Daemon Issues related to mullvad-daemon
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Outgoing connections not working after 2024.6 update
3 participants
@MarkusPettersson98 @dlon @hulthe