MacOS OpenVPN/OpenVPN over Cloak killswitch

2023-12-23 16:04:17 +02:00 · 2023-12-23 16:04:17 +02:00 · a8f5e95fb1
commit a8f5e95fb1
parent a4f3d08c02
1 changed files with 47 additions and 25 deletions
--- a/ipc/ipcserver.cpp
+++ b/ipc/ipcserver.cpp
@ -214,33 +214,55 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
 #endif
 #ifdef Q_OS_MACOS
    int splitTunnelType = configStr.value("splitTunnelType").toInt();
    QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
    bool blockAll = 0;
    bool allowNets = 0;
    bool blockNets = 0;
    QStringList allownets;
    QStringList blocknets;
-    if (configStr.value(amnezia::config_key::splitTunnelType) == 0) {
+    if (splitTunnelType == 0)
-        // double-check + ensure our firewall is installed and enabled. This is necessary as
+    {
-        // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
+        blockAll = true;
-        if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
+    } else if (splitTunnelType == 1)
-
+    {
-        MacOSFirewall::ensureRootAnchorPriority();
+        blockNets = true;
-        MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
+        for (auto v : splitTunnelSites) {
-        MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), true);
+            blocknets.append(v.toString());
-        MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), false);
+        }
-        MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), false,
+    } else if (splitTunnelType == 2) {
-                                      QStringLiteral("allownets"), QStringList());
+        blockAll = true;
-
+        allowNets = true;
-        MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), false);
+        for (auto v : splitTunnelSites) {
-        MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), false,
+            allownets.append(v.toString());
-                                      QStringLiteral("blocknets"), QStringList());
+        }
        MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
        MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
        MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
        MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
        QStringList dnsServers;
        dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
        dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
        MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
        MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), dnsServers);
    }
    // double-check + ensure our firewall is installed and enabled. This is necessary as
    // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
    if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
    MacOSFirewall::ensureRootAnchorPriority();
    MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), blockAll);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), allowNets);
    MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), allowNets,
                                  QStringLiteral("allownets"), allownets);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), blockNets);
    MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), blockNets,
                                  QStringLiteral("blocknets"), blocknets);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
    MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
    QStringList dnsServers;
    dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
    dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
    MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
    MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), dnsServers);
 #endif
    return true;