Merge pull request #444 from amnezia-vpn/feature/killswitch
Kill Switch for desktop client
This commit is contained in:
commit
b45517bafd
31 changed files with 1299 additions and 115 deletions
518
client/platforms/linux/daemon/linuxfirewall.cpp
Normal file
518
client/platforms/linux/daemon/linuxfirewall.cpp
Normal file
|
@ -0,0 +1,518 @@
|
|||
// Copyright (c) 2023 Private Internet Access, Inc.
|
||||
//
|
||||
// This file is part of the Private Internet Access Desktop Client.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is free software: you can
|
||||
// redistribute it and/or modify it under the terms of the GNU General Public
|
||||
// License as published by the Free Software Foundation, either version 3 of
|
||||
// the License, or (at your option) any later version.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is distributed in the hope that
|
||||
// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with the Private Internet Access Desktop Client. If not, see
|
||||
// <https://www.gnu.org/licenses/>.
|
||||
|
||||
// Copyright (c) 2024 AmneziaVPN
|
||||
// This file has been modified for AmneziaVPN
|
||||
//
|
||||
// This file is based on the work of the Private Internet Access Desktop Client.
|
||||
// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
|
||||
//
|
||||
// The modified version of this file is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this file. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
#include "linuxfirewall.h"
|
||||
#include "logger.h"
|
||||
#include <QProcess>
|
||||
|
||||
#define BRAND_CODE "amn"
|
||||
|
||||
namespace {
|
||||
Logger logger("LinuxFirewall");
|
||||
} // namespace
|
||||
|
||||
namespace
|
||||
{
|
||||
const QString kAnchorName{BRAND_CODE "vpn"};
|
||||
const QString kPacketTag{"0x3211"};
|
||||
const QString kCGroupId{"0x567"};
|
||||
const QString enabledKeyTemplate = "enabled:%1:%2";
|
||||
const QString disabledKeyTemplate = "disabled:%1:%2";
|
||||
const QString kVpnGroupName = BRAND_CODE "vpn";
|
||||
QHash<QString, LinuxFirewall::FilterCallbackFunc> anchorCallbacks;
|
||||
}
|
||||
|
||||
QString LinuxFirewall::kRtableName = QStringLiteral("%1rt").arg(kAnchorName);
|
||||
QString LinuxFirewall::kOutputChain = QStringLiteral("OUTPUT");
|
||||
QString LinuxFirewall::kPostRoutingChain = QStringLiteral("POSTROUTING");
|
||||
QString LinuxFirewall::kPreRoutingChain = QStringLiteral("PREROUTING");
|
||||
QString LinuxFirewall::kRootChain = QStringLiteral("%1.anchors").arg(kAnchorName);
|
||||
QString LinuxFirewall::kFilterTable = QStringLiteral("filter");
|
||||
QString LinuxFirewall::kNatTable = QStringLiteral("nat");
|
||||
QString LinuxFirewall::kRawTable = QStringLiteral("raw");
|
||||
QString LinuxFirewall::kMangleTable = QStringLiteral("mangle");
|
||||
|
||||
static QString getCommand(LinuxFirewall::IPVersion ip)
|
||||
{
|
||||
return ip == LinuxFirewall::IPv6 ? QStringLiteral("ip6tables") : QStringLiteral("iptables");
|
||||
}
|
||||
|
||||
int LinuxFirewall::createChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
int result4 = createChain(IPv4, chain, tableName);
|
||||
int result6 = createChain(IPv6, chain, tableName);
|
||||
return result4 ? result4 : result6;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
return execute(QStringLiteral("%1 -N %2 -t %3 || %1 -F %2 -t %3").arg(cmd, chain, tableName));
|
||||
}
|
||||
|
||||
int LinuxFirewall::deleteChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
int result4 = deleteChain(IPv4, chain, tableName);
|
||||
int result6 = deleteChain(IPv6, chain, tableName);
|
||||
return result4 ? result4 : result6;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
return execute(QStringLiteral("if %1 -L %2 -n -t %3 > /dev/null 2> /dev/null ; then %1 -F %2 -t %3 && %1 -X %2 -t %3; fi").arg(cmd, chain, tableName));
|
||||
}
|
||||
|
||||
int LinuxFirewall::linkChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& parent, bool mustBeFirst, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
int result4 = linkChain(IPv4, chain, parent, mustBeFirst, tableName);
|
||||
int result6 = linkChain(IPv6, chain, parent, mustBeFirst, tableName);
|
||||
return result4 ? result4 : result6;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
if (mustBeFirst)
|
||||
{
|
||||
// This monster shell script does the following:
|
||||
// 1. Check if a rule with the appropriate target exists at the top of the parent chain
|
||||
// 2. If not, insert a jump rule at the top of the parent chain
|
||||
// 3. Look for and delete a single rule with the designated target at an index > 1
|
||||
// (we can't safely delete all rules at once since rule numbers change)
|
||||
// TODO: occasionally this script results in warnings in logs "Bad rule (does a matching rule exist in the chain?)" - this happens when
|
||||
// the e.g OUTPUT chain is empty but this script attempts to delete things from it anyway. It doesn't cause any problems, but we should still fix at some point..
|
||||
return execute(QStringLiteral("if ! %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) == 1 && $2 == \"%3\" { found=1 } END { if(found==1) { exit 0 } else { exit 1 } }' ; then %1 -I %2 -j %3 -t %4 && %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) > 1 && $2 == \"%3\" { print $1; exit }' | xargs %1 -t %4 -D %2 ; fi").arg(cmd, parent, chain, tableName));
|
||||
}
|
||||
else
|
||||
return execute(QStringLiteral("if ! %1 -C %2 -j %3 -t %4 2> /dev/null ; then %1 -A %2 -j %3 -t %4; fi").arg(cmd, parent, chain, tableName));
|
||||
}
|
||||
|
||||
int LinuxFirewall::unlinkChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& parent, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
int result4 = unlinkChain(IPv4, chain, parent, tableName);
|
||||
int result6 = unlinkChain(IPv6, chain, parent, tableName);
|
||||
return result4 ? result4 : result6;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
return execute(QStringLiteral("if %1 -C %2 -j %3 -t %4 2> /dev/null ; then %1 -D %2 -j %3 -t %4; fi").arg(cmd, parent, chain, tableName));
|
||||
}
|
||||
|
||||
void LinuxFirewall::ensureRootAnchorPriority(LinuxFirewall::IPVersion ip)
|
||||
{
|
||||
linkChain(ip, kRootChain, kOutputChain, true);
|
||||
}
|
||||
|
||||
void LinuxFirewall::installAnchor(LinuxFirewall::IPVersion ip, const QString& anchor, const QStringList& rules, const QString& tableName,
|
||||
const FilterCallbackFunc& enableFunc, const FilterCallbackFunc& disableFunc)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
installAnchor(IPv4, anchor, rules, tableName, enableFunc, disableFunc);
|
||||
installAnchor(IPv6, anchor, rules, tableName, enableFunc, disableFunc);
|
||||
return;
|
||||
}
|
||||
|
||||
const QString cmd = getCommand(ip);
|
||||
const QString anchorChain = QStringLiteral("%1.a.%2").arg(kAnchorName, anchor);
|
||||
const QString actualChain = QStringLiteral("%1.%2").arg(kAnchorName, anchor);
|
||||
|
||||
// Start by defining a placeholder chain, which stays locked into place
|
||||
// in the root chain without being removed or recreated, ensuring the
|
||||
// intended precedence order.
|
||||
createChain(ip, anchorChain, tableName);
|
||||
linkChain(ip, anchorChain, kRootChain, false, tableName);
|
||||
|
||||
if(enableFunc)
|
||||
{
|
||||
const QString key = enabledKeyTemplate.arg(tableName, anchor);
|
||||
if(!anchorCallbacks.contains(key)) anchorCallbacks[key] = enableFunc;
|
||||
}
|
||||
if(disableFunc)
|
||||
{
|
||||
const QString key = disabledKeyTemplate.arg(tableName, anchor);
|
||||
if(!anchorCallbacks.contains(key)) anchorCallbacks[key] = disableFunc;
|
||||
}
|
||||
|
||||
// Create the actual rule chain, which we'll insert or remove from the
|
||||
// placeholder anchor when needed.
|
||||
createChain(ip, actualChain, tableName);
|
||||
for (const QString& rule : rules)
|
||||
execute(QStringLiteral("%1 -A %2 %3 -t %4").arg(cmd, actualChain, rule, tableName));
|
||||
}
|
||||
|
||||
void LinuxFirewall::uninstallAnchor(LinuxFirewall::IPVersion ip, const QString& anchor, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
uninstallAnchor(IPv4, anchor, tableName);
|
||||
uninstallAnchor(IPv6, anchor, tableName);
|
||||
return;
|
||||
}
|
||||
|
||||
const QString cmd = getCommand(ip);
|
||||
const QString anchorChain = QStringLiteral("%1.a.%2").arg(kAnchorName, anchor);
|
||||
const QString actualChain = QStringLiteral("%1.%2").arg(kAnchorName, anchor);
|
||||
|
||||
unlinkChain(ip, anchorChain, kRootChain, tableName);
|
||||
deleteChain(ip, anchorChain, tableName);
|
||||
deleteChain(ip, actualChain, tableName);
|
||||
}
|
||||
|
||||
QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
|
||||
{
|
||||
QStringList result;
|
||||
for (const QString& server : servers)
|
||||
{
|
||||
result << QStringLiteral("-o amn0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
|
||||
result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
|
||||
result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
|
||||
result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
QStringList LinuxFirewall::getAllowRule(const QStringList& servers)
|
||||
{
|
||||
QStringList result;
|
||||
for (const QString& server : servers)
|
||||
{
|
||||
result << QStringLiteral("-d %1 -j ACCEPT").arg(server);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
QStringList LinuxFirewall::getBlockRule(const QStringList& servers)
|
||||
{
|
||||
QStringList result;
|
||||
for (const QString& server : servers)
|
||||
{
|
||||
result << QStringLiteral("-d %1 -j REJECT").arg(server);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
void LinuxFirewall::install()
|
||||
{
|
||||
// Clean up any existing rules if they exist.
|
||||
uninstall();
|
||||
|
||||
// Create a root filter chain to hold all our other anchors in order.
|
||||
createChain(Both, kRootChain, kFilterTable);
|
||||
|
||||
// Create a root raw chain
|
||||
createChain(Both, kRootChain, kRawTable);
|
||||
|
||||
// Create a root NAT chain
|
||||
createChain(Both, kRootChain, kNatTable);
|
||||
|
||||
// Create a root Mangle chain
|
||||
createChain(Both, kRootChain, kMangleTable);
|
||||
|
||||
// Install our filter rulesets in each corresponding anchor chain.
|
||||
installAnchor(Both, QStringLiteral("000.allowLoopback"), {
|
||||
QStringLiteral("-o lo+ -j ACCEPT"),
|
||||
});
|
||||
|
||||
installAnchor(IPv4, QStringLiteral("320.allowDNS"), {});
|
||||
|
||||
installAnchor(Both, QStringLiteral("310.blockDNS"), {
|
||||
QStringLiteral("-p udp --dport 53 -j REJECT"),
|
||||
QStringLiteral("-p tcp --dport 53 -j REJECT"),
|
||||
});
|
||||
installAnchor(IPv4, QStringLiteral("300.allowLAN"), {
|
||||
QStringLiteral("-d 10.0.0.0/8 -j ACCEPT"),
|
||||
QStringLiteral("-d 169.254.0.0/16 -j ACCEPT"),
|
||||
QStringLiteral("-d 172.16.0.0/12 -j ACCEPT"),
|
||||
QStringLiteral("-d 192.168.0.0/16 -j ACCEPT"),
|
||||
QStringLiteral("-d 224.0.0.0/4 -j ACCEPT"),
|
||||
QStringLiteral("-d 255.255.255.255/32 -j ACCEPT"),
|
||||
});
|
||||
installAnchor(IPv6, QStringLiteral("300.allowLAN"), {
|
||||
QStringLiteral("-d fc00::/7 -j ACCEPT"),
|
||||
QStringLiteral("-d fe80::/10 -j ACCEPT"),
|
||||
QStringLiteral("-d ff00::/8 -j ACCEPT"),
|
||||
});
|
||||
|
||||
|
||||
installAnchor(IPv4, QStringLiteral("290.allowDHCP"), {
|
||||
QStringLiteral("-p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT"),
|
||||
});
|
||||
installAnchor(IPv6, QStringLiteral("290.allowDHCP"), {
|
||||
QStringLiteral("-p udp -d ff00::/8 --sport 546 --dport 547 -j ACCEPT"),
|
||||
});
|
||||
installAnchor(IPv6, QStringLiteral("250.blockIPv6"), {
|
||||
QStringLiteral("! -o lo+ -j REJECT"),
|
||||
});
|
||||
|
||||
installAnchor(Both, QStringLiteral("200.allowVPN"), {
|
||||
QStringLiteral("-o amn0+ -j ACCEPT"),
|
||||
QStringLiteral("-o tun0+ -j ACCEPT"),
|
||||
});
|
||||
|
||||
installAnchor(IPv4, QStringLiteral("120.blockNets"), {});
|
||||
|
||||
installAnchor(IPv4, QStringLiteral("110.allowNets"), {});
|
||||
|
||||
installAnchor(Both, QStringLiteral("100.blockAll"), {
|
||||
QStringLiteral("-j REJECT"),
|
||||
});
|
||||
// NAT rules
|
||||
installAnchor(Both, QStringLiteral("100.transIp"), {
|
||||
|
||||
// Only need the original interface, not the IP.
|
||||
// The interface should remain much more stable/unchangeable than the IP
|
||||
// (IP can change when changing networks, but interface only changes if adding/removing NICs)
|
||||
// this is just a stub rule - the real rule is set at run-time
|
||||
// and updates dynamically (via replaceAnchor) when our interface changes
|
||||
// it'll take this form: "-o <interface name> -j MASQUERADE"
|
||||
QStringLiteral("-j MASQUERADE")
|
||||
}, kNatTable);
|
||||
|
||||
// Mangle rules
|
||||
installAnchor(Both, QStringLiteral("100.tagPkts"), {
|
||||
QStringLiteral("-m cgroup --cgroup %1 -j MARK --set-mark %2").arg(kCGroupId, kPacketTag)
|
||||
}, kMangleTable, setupTrafficSplitting, teardownTrafficSplitting);
|
||||
|
||||
// A rule to mitigate CVE-2019-14899 - drop packets addressed to the local
|
||||
// VPN IP but that are not actually received on the VPN interface.
|
||||
// See here: https://seclists.org/oss-sec/2019/q4/122
|
||||
installAnchor(Both, QStringLiteral("100.vpnTunOnly"), {
|
||||
// To be replaced at runtime
|
||||
QStringLiteral("-j ACCEPT")
|
||||
}, kRawTable);
|
||||
|
||||
|
||||
// Insert our fitler root chain at the top of the OUTPUT chain.
|
||||
linkChain(Both, kRootChain, kOutputChain, true, kFilterTable);
|
||||
|
||||
// Insert our NAT root chain at the top of the POSTROUTING chain.
|
||||
linkChain(Both, kRootChain, kPostRoutingChain, true, kNatTable);
|
||||
|
||||
// Insert our Mangle root chain at the top of the OUTPUT chain.
|
||||
linkChain(Both, kRootChain, kOutputChain, true, kMangleTable);
|
||||
|
||||
// Insert our Raw root chain at the top of the PREROUTING chain.
|
||||
linkChain(Both, kRootChain, kPreRoutingChain, true, kRawTable);
|
||||
|
||||
setupTrafficSplitting();
|
||||
}
|
||||
|
||||
void LinuxFirewall::uninstall()
|
||||
{
|
||||
// Filter chain
|
||||
unlinkChain(Both, kRootChain, kOutputChain, kFilterTable);
|
||||
deleteChain(Both, kRootChain, kFilterTable);
|
||||
|
||||
// Raw chain
|
||||
unlinkChain(Both, kRootChain, kPreRoutingChain, kRawTable);
|
||||
deleteChain(Both, kRootChain, kRawTable);
|
||||
|
||||
// NAT chain
|
||||
unlinkChain(Both, kRootChain, kPostRoutingChain, kNatTable);
|
||||
deleteChain(Both, kRootChain, kNatTable);
|
||||
|
||||
// Mangle chain
|
||||
unlinkChain(Both, kRootChain, kOutputChain, kMangleTable);
|
||||
deleteChain(Both, kRootChain, kMangleTable);
|
||||
|
||||
// Remove filter anchors
|
||||
uninstallAnchor(Both, QStringLiteral("000.allowLoopback"));
|
||||
uninstallAnchor(Both, QStringLiteral("400.allowPIA"));
|
||||
uninstallAnchor(IPv4, QStringLiteral("320.allowDNS"));
|
||||
uninstallAnchor(Both, QStringLiteral("310.blockDNS"));
|
||||
uninstallAnchor(Both, QStringLiteral("300.allowLAN"));
|
||||
uninstallAnchor(Both, QStringLiteral("290.allowDHCP"));
|
||||
uninstallAnchor(IPv6, QStringLiteral("250.blockIPv6"));
|
||||
uninstallAnchor(Both, QStringLiteral("200.allowVPN"));
|
||||
uninstallAnchor(IPv4, QStringLiteral("120.blockNets"));
|
||||
uninstallAnchor(IPv4, QStringLiteral("110.allowNets"));
|
||||
uninstallAnchor(Both, QStringLiteral("100.blockAll"));
|
||||
|
||||
// Remove Nat anchors
|
||||
uninstallAnchor(Both, QStringLiteral("100.transIp"), kNatTable);
|
||||
|
||||
// Remove Mangle anchors
|
||||
uninstallAnchor(Both, QStringLiteral("100.tagPkts"), kMangleTable);
|
||||
|
||||
// Remove Raw anchors
|
||||
uninstallAnchor(Both, QStringLiteral("100.vpnTunOnly"), kRawTable);
|
||||
|
||||
teardownTrafficSplitting();
|
||||
|
||||
logger.debug() << "LinuxFirewall::uninstall() complete";
|
||||
}
|
||||
|
||||
bool LinuxFirewall::isInstalled()
|
||||
{
|
||||
return execute(QStringLiteral("iptables -C %1 -j %2 2> /dev/null").arg(kOutputChain, kRootChain)) == 0;
|
||||
}
|
||||
|
||||
void LinuxFirewall::enableAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
enableAnchor(IPv4, anchor, tableName);
|
||||
enableAnchor(IPv6, anchor, tableName);
|
||||
return;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
const QString ipStr = ip == IPv6 ? QStringLiteral("(IPv6)") : QStringLiteral("(IPv4)");
|
||||
|
||||
execute(QStringLiteral("if %1 -C %5.a.%2 -j %5.%2 -t %4 2> /dev/null ; then echo '%2%3: ON' ; else echo '%2%3: OFF -> ON' ; %1 -A %5.a.%2 -j %5.%2 -t %4; fi").arg(cmd, anchor, ipStr, tableName, kAnchorName));
|
||||
}
|
||||
|
||||
void LinuxFirewall::replaceAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString &newRule, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
replaceAnchor(IPv4, anchor, newRule, tableName);
|
||||
replaceAnchor(IPv6, anchor, newRule, tableName);
|
||||
return;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
const QString ipStr = ip == IPv6 ? QStringLiteral("(IPv6)") : QStringLiteral("(IPv4)");
|
||||
|
||||
execute(QStringLiteral("%1 -R %7.%2 1 %3 -t %4 ; echo 'Replaced rule %7.%2 %5 with %6'").arg(cmd, anchor, newRule, tableName, ipStr, newRule, kAnchorName));
|
||||
}
|
||||
|
||||
void LinuxFirewall::disableAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString& tableName)
|
||||
{
|
||||
if (ip == Both)
|
||||
{
|
||||
disableAnchor(IPv4, anchor, tableName);
|
||||
disableAnchor(IPv6, anchor, tableName);
|
||||
return;
|
||||
}
|
||||
const QString cmd = getCommand(ip);
|
||||
const QString ipStr = ip == IPv6 ? QStringLiteral("(IPv6)") : QStringLiteral("(IPv4)");
|
||||
execute(QStringLiteral("if ! %1 -C %5.a.%2 -j %5.%2 -t %4 2> /dev/null ; then echo '%2%3: OFF' ; else echo '%2%3: ON -> OFF' ; %1 -F %5.a.%2 -t %4; fi").arg(cmd, anchor, ipStr, tableName, kAnchorName));
|
||||
}
|
||||
|
||||
bool LinuxFirewall::isAnchorEnabled(LinuxFirewall::IPVersion ip, const QString &anchor, const QString& tableName)
|
||||
{
|
||||
const QString cmd = getCommand(ip);
|
||||
return execute(QStringLiteral("%1 -C %4.a.%2 -j %4.%2 -t %3 2> /dev/null").arg(cmd, anchor, tableName, kAnchorName)) == 0;
|
||||
}
|
||||
|
||||
void LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPVersion ip, const QString &anchor, bool enabled, const QString &tableName)
|
||||
{
|
||||
if (enabled)
|
||||
{
|
||||
enableAnchor(ip, anchor, tableName);
|
||||
const QString key = enabledKeyTemplate.arg(tableName, anchor);
|
||||
if(anchorCallbacks.contains(key)) anchorCallbacks[key]();
|
||||
}
|
||||
else
|
||||
{
|
||||
disableAnchor(ip, anchor, tableName);
|
||||
const QString key = disabledKeyTemplate.arg(tableName, anchor);
|
||||
if(anchorCallbacks.contains(key)) anchorCallbacks[key]();
|
||||
}
|
||||
}
|
||||
|
||||
void LinuxFirewall::updateDNSServers(const QStringList& servers)
|
||||
{
|
||||
static QStringList existingServers {};
|
||||
|
||||
existingServers = servers;
|
||||
execute(QStringLiteral("iptables -F %1.320.allowDNS").arg(kAnchorName));
|
||||
for (const QString& rule : getDNSRules(servers))
|
||||
execute(QStringLiteral("iptables -A %1.320.allowDNS %2").arg(kAnchorName, rule));
|
||||
}
|
||||
|
||||
void LinuxFirewall::updateAllowNets(const QStringList& servers)
|
||||
{
|
||||
static QStringList existingServers {};
|
||||
|
||||
existingServers = servers;
|
||||
execute(QStringLiteral("iptables -F %1.110.allowNets").arg(kAnchorName));
|
||||
for (const QString& rule : getAllowRule(servers))
|
||||
execute(QStringLiteral("iptables -A %1.110.allowNets %2").arg(kAnchorName, rule));
|
||||
}
|
||||
|
||||
void LinuxFirewall::updateBlockNets(const QStringList& servers)
|
||||
{
|
||||
static QStringList existingServers {};
|
||||
|
||||
existingServers = servers;
|
||||
execute(QStringLiteral("iptables -F %1.120.blockNets").arg(kAnchorName));
|
||||
for (const QString& rule : getBlockRule(servers))
|
||||
execute(QStringLiteral("iptables -A %1.120.blockNets %2").arg(kAnchorName, rule));
|
||||
}
|
||||
|
||||
int waitForExitCode(QProcess& process)
|
||||
{
|
||||
if (!process.waitForFinished() || process.error() == QProcess::FailedToStart)
|
||||
return -2;
|
||||
else if (process.exitStatus() != QProcess::NormalExit)
|
||||
return -1;
|
||||
else
|
||||
return process.exitCode();
|
||||
}
|
||||
|
||||
int LinuxFirewall::execute(const QString &command, bool ignoreErrors)
|
||||
{
|
||||
QProcess p;
|
||||
p.start(QStringLiteral("/bin/bash"), {QStringLiteral("-c"), command}, QProcess::ReadOnly);
|
||||
p.closeWriteChannel();
|
||||
|
||||
int exitCode = waitForExitCode(p);
|
||||
auto out = p.readAllStandardOutput().trimmed();
|
||||
auto err = p.readAllStandardError().trimmed();
|
||||
if ((exitCode != 0 || !err.isEmpty()) && !ignoreErrors)
|
||||
logger.warning() << "(" << exitCode << ") $ " << command;
|
||||
else if (false)
|
||||
logger.debug() << "(" << exitCode << ") $ " << command;
|
||||
if (!out.isEmpty())
|
||||
logger.info() << out;
|
||||
if (!err.isEmpty())
|
||||
logger.warning() << err;
|
||||
return exitCode;
|
||||
}
|
||||
|
||||
void LinuxFirewall::setupTrafficSplitting()
|
||||
{
|
||||
auto cGroupDir = "/sys/fs/cgroup/net_cls/" BRAND_CODE "vpnexclusions/";
|
||||
logger.info() << "Should be setting up cgroup in" << cGroupDir << "for traffic splitting";
|
||||
execute(QStringLiteral("if [ ! -d %1 ] ; then mkdir %1 ; sleep 0.1 ; echo %2 > %1/net_cls.classid ; fi").arg(cGroupDir).arg(kCGroupId));
|
||||
// Set a rule with priority 100 (lower priority than local but higher than main/default, 0 is highest priority)
|
||||
execute(QStringLiteral("if ! ip rule list | grep -q %1 ; then ip rule add from all fwmark %1 lookup %2 pri 100 ; fi").arg(kPacketTag, kRtableName));
|
||||
}
|
||||
|
||||
void LinuxFirewall::teardownTrafficSplitting()
|
||||
{
|
||||
logger.info() << "Tearing down cgroup and routing rules";
|
||||
execute(QStringLiteral("if ip rule list | grep -q %1; then ip rule del from all fwmark %1 lookup %2 2> /dev/null ; fi").arg(kPacketTag, kRtableName));
|
||||
execute(QStringLiteral("ip route flush table %1").arg(kRtableName));
|
||||
execute(QStringLiteral("ip route flush cache"));
|
||||
}
|
107
client/platforms/linux/daemon/linuxfirewall.h
Normal file
107
client/platforms/linux/daemon/linuxfirewall.h
Normal file
|
@ -0,0 +1,107 @@
|
|||
// Copyright (c) 2023 Private Internet Access, Inc.
|
||||
//
|
||||
// This file is part of the Private Internet Access Desktop Client.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is free software: you can
|
||||
// redistribute it and/or modify it under the terms of the GNU General Public
|
||||
// License as published by the Free Software Foundation, either version 3 of
|
||||
// the License, or (at your option) any later version.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is distributed in the hope that
|
||||
// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with the Private Internet Access Desktop Client. If not, see
|
||||
// <https://www.gnu.org/licenses/>.
|
||||
|
||||
// Copyright (c) 2024 AmneziaVPN
|
||||
// This file has been modified for AmneziaVPN
|
||||
//
|
||||
// This file is based on the work of the Private Internet Access Desktop Client.
|
||||
// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
|
||||
//
|
||||
// The modified version of this file is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this file. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
#ifndef LINUXFIREWALL_H
|
||||
#define LINUXFIREWALL_H
|
||||
|
||||
|
||||
#include <QString>
|
||||
#include <QStringList>
|
||||
|
||||
// Descriptor for a set of firewall rules to be appled.
|
||||
//
|
||||
struct FirewallParams
|
||||
{
|
||||
QStringList dnsServers;
|
||||
QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
|
||||
QStringList allowAddrs;
|
||||
QStringList blockAddrs;
|
||||
// The follow flags indicate which general rulesets are needed. Note that
|
||||
// this is after some sanity filtering, i.e. an allow rule may be listed
|
||||
// as not needed if there were no block rules preceding it. The rulesets
|
||||
// should be thought of as in last-match order.
|
||||
|
||||
bool blockAll; // Block all traffic by default
|
||||
bool allowVPN; // Exempt traffic through VPN tunnel
|
||||
bool allowDHCP; // Exempt DHCP traffic
|
||||
bool blockIPv6; // Block all IPv6 traffic
|
||||
bool allowLAN; // Exempt LAN traffic, including IPv6 LAN traffic
|
||||
bool blockDNS; // Block all DNS traffic except specified DNS servers
|
||||
bool allowPIA; // Exempt PIA executables
|
||||
bool allowLoopback; // Exempt loopback traffic
|
||||
bool allowHnsd; // Exempt Handshake DNS traffic
|
||||
bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
|
||||
bool allowNets;
|
||||
bool blockNets;
|
||||
};
|
||||
|
||||
class LinuxFirewall
|
||||
{
|
||||
public:
|
||||
enum IPVersion { IPv4, IPv6, Both };
|
||||
// Table names
|
||||
static QString kFilterTable, kNatTable, kMangleTable, kRtableName, kRawTable;
|
||||
public:
|
||||
using FilterCallbackFunc = std::function<void()>;
|
||||
private:
|
||||
static int createChain(IPVersion ip, const QString& chain, const QString& tableName = kFilterTable);
|
||||
static int deleteChain(IPVersion ip, const QString& chain, const QString& tableName = kFilterTable);
|
||||
static int linkChain(IPVersion ip, const QString& chain, const QString& parent, bool mustBeFirst = false, const QString& tableName = kFilterTable);
|
||||
static int unlinkChain(IPVersion ip, const QString& chain, const QString& parent, const QString& tableName = kFilterTable);
|
||||
static void installAnchor(IPVersion ip, const QString& anchor, const QStringList& rules, const QString& tableName = kFilterTable, const FilterCallbackFunc& enableFunc = {}, const FilterCallbackFunc& disableFunc = {});
|
||||
static void uninstallAnchor(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
|
||||
static QStringList getDNSRules(const QStringList& servers);
|
||||
static QStringList getAllowRule(const QStringList& servers);
|
||||
static QStringList getBlockRule(const QStringList& servers);
|
||||
static void setupTrafficSplitting();
|
||||
static void teardownTrafficSplitting();
|
||||
static int execute(const QString& command, bool ignoreErrors = false);
|
||||
private:
|
||||
// Chain names
|
||||
static QString kOutputChain, kRootChain, kPostRoutingChain, kPreRoutingChain;
|
||||
|
||||
public:
|
||||
static void install();
|
||||
static void uninstall();
|
||||
static bool isInstalled();
|
||||
static void ensureRootAnchorPriority(IPVersion ip = Both);
|
||||
static void enableAnchor(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
|
||||
static void disableAnchor(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
|
||||
static bool isAnchorEnabled(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
|
||||
static void setAnchorEnabled(IPVersion ip, const QString& anchor, bool enabled, const QString& tableName = kFilterTable);
|
||||
static void replaceAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString &newRule, const QString& tableName);
|
||||
static void updateDNSServers(const QStringList& servers);
|
||||
static void updateAllowNets(const QStringList& servers);
|
||||
static void updateBlockNets(const QStringList& servers);
|
||||
};
|
||||
|
||||
#endif // LINUXFIREWALL_H
|
|
@ -11,7 +11,9 @@
|
|||
#include <QFile>
|
||||
#include <QLocalSocket>
|
||||
#include <QTimer>
|
||||
#include <QThread>
|
||||
|
||||
#include "linuxfirewall.h"
|
||||
#include "leakdetector.h"
|
||||
#include "logger.h"
|
||||
|
||||
|
@ -116,7 +118,27 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
|
|||
int err = uapiErrno(uapiCommand(message));
|
||||
if (err != 0) {
|
||||
logger.error() << "Interface configuration failed:" << strerror(err);
|
||||
} else {
|
||||
FirewallParams params { };
|
||||
params.dnsServers.append(config.m_dnsServer);
|
||||
if (config.m_allowedIPAddressRanges.at(0).toString() == "0.0.0.0/0"){
|
||||
params.blockAll = true;
|
||||
if (config.m_excludedAddresses.size()) {
|
||||
params.allowNets = true;
|
||||
foreach (auto net, config.m_excludedAddresses) {
|
||||
params.allowAddrs.append(net.toUtf8());
|
||||
}
|
||||
}
|
||||
} else {
|
||||
params.blockNets = true;
|
||||
foreach (auto net, config.m_allowedIPAddressRanges) {
|
||||
params.blockAddrs.append(net.toString());
|
||||
}
|
||||
}
|
||||
|
||||
applyFirewallRules(params);
|
||||
}
|
||||
|
||||
return (err == 0);
|
||||
}
|
||||
|
||||
|
@ -140,6 +162,9 @@ bool WireguardUtilsLinux::deleteInterface() {
|
|||
// Garbage collect.
|
||||
QDir wgRuntimeDir(WG_RUNTIME_DIR);
|
||||
QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
|
||||
|
||||
// double-check + ensure our firewall is installed and enabled
|
||||
LinuxFirewall::uninstall();
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -252,6 +277,31 @@ QList<WireguardUtils::PeerStatus> WireguardUtilsLinux::getPeerStatus() {
|
|||
return peerList;
|
||||
}
|
||||
|
||||
|
||||
void WireguardUtilsLinux::applyFirewallRules(FirewallParams& params)
|
||||
{
|
||||
// double-check + ensure our firewall is installed and enabled
|
||||
if (!LinuxFirewall::isInstalled()) LinuxFirewall::install();
|
||||
|
||||
// Note: rule precedence is handled inside IpTablesFirewall
|
||||
LinuxFirewall::ensureRootAnchorPriority();
|
||||
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), params.blockAll);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), params.allowNets);
|
||||
LinuxFirewall::updateAllowNets(params.allowAddrs);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), params.blockNets);
|
||||
LinuxFirewall::updateBlockNets(params.blockAddrs);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
|
||||
LinuxFirewall::updateDNSServers(params.dnsServers);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
|
||||
LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
|
||||
}
|
||||
|
||||
bool WireguardUtilsLinux::updateRoutePrefix(const IPAddress& prefix) {
|
||||
if (!m_rtmonitor) {
|
||||
return false;
|
||||
|
|
|
@ -8,8 +8,11 @@
|
|||
#include <QObject>
|
||||
#include <QProcess>
|
||||
|
||||
|
||||
#include "daemon/wireguardutils.h"
|
||||
#include "linuxroutemonitor.h"
|
||||
#include "linuxfirewall.h"
|
||||
|
||||
|
||||
class WireguardUtilsLinux final : public WireguardUtils {
|
||||
Q_OBJECT
|
||||
|
@ -34,7 +37,7 @@ public:
|
|||
|
||||
bool addExclusionRoute(const IPAddress& prefix) override;
|
||||
bool deleteExclusionRoute(const IPAddress& prefix) override;
|
||||
|
||||
void applyFirewallRules(FirewallParams& params);
|
||||
signals:
|
||||
void backendFailure();
|
||||
|
||||
|
|
199
client/platforms/macos/daemon/macosfirewall.cpp
Normal file
199
client/platforms/macos/daemon/macosfirewall.cpp
Normal file
|
@ -0,0 +1,199 @@
|
|||
// Copyright (c) 2023 Private Internet Access, Inc.
|
||||
//
|
||||
// This file is part of the Private Internet Access Desktop Client.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is free software: you can
|
||||
// redistribute it and/or modify it under the terms of the GNU General Public
|
||||
// License as published by the Free Software Foundation, either version 3 of
|
||||
// the License, or (at your option) any later version.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is distributed in the hope that
|
||||
// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with the Private Internet Access Desktop Client. If not, see
|
||||
// <https://www.gnu.org/licenses/>.
|
||||
|
||||
// Copyright (c) 2024 AmneziaVPN
|
||||
// This file has been modified for AmneziaVPN
|
||||
//
|
||||
// This file is based on the work of the Private Internet Access Desktop Client.
|
||||
// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
|
||||
//
|
||||
// The modified version of this file is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this file. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
#include "macosfirewall.h"
|
||||
#include "logger.h"
|
||||
#include <QProcess>
|
||||
#include <QCoreApplication>
|
||||
|
||||
#define BRAND_IDENTIFIER "amn"
|
||||
|
||||
namespace {
|
||||
Logger logger("MacOSFirewall");
|
||||
} // namespace
|
||||
|
||||
#include "macosfirewall.h"
|
||||
|
||||
#define ResourceDir qApp->applicationDirPath() + "/pf"
|
||||
#define DaemonDataDir qApp->applicationDirPath() + "/pf"
|
||||
|
||||
#include <QProcess>
|
||||
|
||||
static QString kRootAnchor = QStringLiteral(BRAND_IDENTIFIER);
|
||||
static QByteArray kPfWarning = "pfctl: Use of -f option, could result in flushing of rules\npresent in the main ruleset added by the system at startup.\nSee /etc/pf.conf for further details.\n";
|
||||
|
||||
int waitForExitCode(QProcess& process)
|
||||
{
|
||||
if (!process.waitForFinished() || process.error() == QProcess::FailedToStart)
|
||||
return -2;
|
||||
else if (process.exitStatus() != QProcess::NormalExit)
|
||||
return -1;
|
||||
else
|
||||
return process.exitCode();
|
||||
}
|
||||
|
||||
int MacOSFirewall::execute(const QString& command, bool ignoreErrors)
|
||||
{
|
||||
QProcess p;
|
||||
|
||||
p.start(QStringLiteral("/bin/bash"), { QStringLiteral("-c"), command }, QProcess::ReadOnly);
|
||||
p.closeWriteChannel();
|
||||
int exitCode = waitForExitCode(p);
|
||||
auto out = p.readAllStandardOutput().trimmed();
|
||||
|
||||
auto err = p.readAllStandardError().replace(kPfWarning, "").trimmed();
|
||||
if ((exitCode != 0 || !err.isEmpty()) && !ignoreErrors)
|
||||
logger.info() << "(" << exitCode << ") $ " << command;
|
||||
else if (false)
|
||||
logger.info() << "(" << exitCode << ") $ " << command;
|
||||
if (!out.isEmpty()) logger.info() << out;
|
||||
if (!err.isEmpty()) logger.info() << err;
|
||||
return exitCode;
|
||||
}
|
||||
|
||||
void MacOSFirewall::installRootAnchors()
|
||||
{
|
||||
logger.info() << "Installing PF root anchors";
|
||||
|
||||
// Append our NAT anchors by reading back and re-applying NAT rules only
|
||||
auto insertNatAnchors = QStringLiteral(
|
||||
"( "
|
||||
R"(pfctl -sn | grep -v '%1/*'; )" // Translation rules (includes both nat and rdr, despite the modifier being 'nat')
|
||||
R"(echo 'nat-anchor "%2/*"'; )" // PIA's translation anchors
|
||||
R"(echo 'rdr-anchor "%3/*"'; )"
|
||||
R"(echo 'load anchor "%4" from "%5/%6.conf"'; )" // Load the PIA anchors from file
|
||||
") | pfctl -N -f -").arg(kRootAnchor, kRootAnchor, kRootAnchor, kRootAnchor, ResourceDir, kRootAnchor);
|
||||
|
||||
execute(insertNatAnchors);
|
||||
|
||||
// Append our filter anchor by reading back and re-applying filter rules
|
||||
// only. pfctl -sr also includes scrub rules, but these will be ignored
|
||||
// due to -R.
|
||||
auto insertFilterAnchor = QStringLiteral(
|
||||
"( "
|
||||
R"(pfctl -sr | grep -v '%1/*'; )" // Filter rules (everything from pfctl -sr except 'scrub')
|
||||
R"(echo 'anchor "%2/*"'; )" // PIA's filter anchors
|
||||
R"(echo 'load anchor "%3" from "%4/%5.conf"'; )" // Load the PIA anchors from file
|
||||
" ) | pfctl -R -f -").arg(kRootAnchor, kRootAnchor, kRootAnchor, ResourceDir, kRootAnchor);
|
||||
execute(insertFilterAnchor);
|
||||
}
|
||||
|
||||
void MacOSFirewall::install()
|
||||
{
|
||||
// remove hard-coded (legacy) pia anchor from /etc/pf.conf if it exists
|
||||
execute(QStringLiteral("if grep -Fq '%1' /etc/pf.conf ; then echo \"`cat /etc/pf.conf | grep -vF '%1'`\" > /etc/pf.conf ; fi").arg(kRootAnchor));
|
||||
|
||||
// Clean up any existing rules if they exist.
|
||||
uninstall();
|
||||
|
||||
timespec waitTime{0, 10'000'000};
|
||||
::nanosleep(&waitTime, nullptr);
|
||||
|
||||
logger.info() << "Installing PF root anchor";
|
||||
|
||||
installRootAnchors();
|
||||
execute(QStringLiteral("pfctl -E 2>&1 | grep -F 'Token : ' | cut -c9- > '%1/pf.token'").arg(DaemonDataDir));
|
||||
}
|
||||
|
||||
|
||||
void MacOSFirewall::uninstall()
|
||||
{
|
||||
logger.info() << "Uninstalling PF root anchor";
|
||||
|
||||
execute(QStringLiteral("pfctl -q -a '%1' -F all").arg(kRootAnchor));
|
||||
execute(QStringLiteral("test -f '%1/pf.token' && pfctl -X `cat '%1/pf.token'` && rm '%1/pf.token'").arg(DaemonDataDir));
|
||||
execute(QStringLiteral("test -f /etc/pf.conf && pfctl -F all -f /etc/pf.conf"));
|
||||
}
|
||||
|
||||
bool MacOSFirewall::isInstalled()
|
||||
{
|
||||
return isPFEnabled() && isRootAnchorLoaded();
|
||||
}
|
||||
|
||||
bool MacOSFirewall::isPFEnabled()
|
||||
{
|
||||
return 0 == execute(QStringLiteral("test -s '%1/pf.token' && pfctl -s References | grep -qFf '%1/pf.token'").arg(DaemonDataDir), true);
|
||||
}
|
||||
|
||||
void MacOSFirewall::ensureRootAnchorPriority()
|
||||
{
|
||||
// We check whether our anchor appears last in the ruleset. If it does not, then remove it and re-add it last (this happens atomically).
|
||||
// Appearing last ensures priority.
|
||||
execute(QStringLiteral("if ! pfctl -sr | tail -1 | grep -qF '%1'; then echo -e \"$(pfctl -sr | grep -vF '%1')\\n\"'anchor \"%1\"' | pfctl -f - ; fi").arg(kRootAnchor));
|
||||
}
|
||||
|
||||
bool MacOSFirewall::isRootAnchorLoaded()
|
||||
{
|
||||
// Our Root anchor is loaded if:
|
||||
// 1. It is is included among the top-level anchors
|
||||
// 2. It is not empty (i.e it contains sub-anchors)
|
||||
return 0 == execute(QStringLiteral("pfctl -sr | grep -q '%1' && pfctl -q -a '%1' -s rules 2> /dev/null | grep -q .").arg(kRootAnchor), true);
|
||||
}
|
||||
|
||||
void MacOSFirewall::enableAnchor(const QString& anchor)
|
||||
{
|
||||
execute(QStringLiteral("if pfctl -q -a '%1/%2' -s rules 2> /dev/null | grep -q . ; then echo '%2: ON' ; else echo '%2: OFF -> ON' ; pfctl -q -a '%1/%2' -F all -f '%3/%1.%2.conf' ; fi").arg(kRootAnchor, anchor, ResourceDir));
|
||||
}
|
||||
|
||||
void MacOSFirewall::disableAnchor(const QString& anchor)
|
||||
{
|
||||
execute(QStringLiteral("if ! pfctl -q -a '%1/%2' -s rules 2> /dev/null | grep -q . ; then echo '%2: OFF' ; else echo '%2: ON -> OFF' ; pfctl -q -a '%1/%2' -F all ; fi").arg(kRootAnchor, anchor));
|
||||
}
|
||||
|
||||
bool MacOSFirewall::isAnchorEnabled(const QString& anchor)
|
||||
{
|
||||
return 0 == execute(QStringLiteral("pfctl -q -a '%1/%2' -s rules 2> /dev/null | grep -q .").arg(kRootAnchor, anchor), true);
|
||||
}
|
||||
|
||||
void MacOSFirewall::setAnchorEnabled(const QString& anchor, bool enabled)
|
||||
{
|
||||
if (enabled)
|
||||
enableAnchor(anchor);
|
||||
else
|
||||
disableAnchor(anchor);
|
||||
}
|
||||
|
||||
void MacOSFirewall::setAnchorTable(const QString& anchor, bool enabled, const QString& table, const QStringList& items)
|
||||
{
|
||||
if (enabled)
|
||||
execute(QStringLiteral("pfctl -q -a '%1/%2' -t '%3' -T replace %4").arg(kRootAnchor, anchor, table, items.join(' ')));
|
||||
else
|
||||
execute(QStringLiteral("pfctl -q -a '%1/%2' -t '%3' -T kill").arg(kRootAnchor, anchor, table), true);
|
||||
}
|
||||
|
||||
void MacOSFirewall::setAnchorWithRules(const QString& anchor, bool enabled, const QStringList &ruleList)
|
||||
{
|
||||
if (!enabled)
|
||||
return (void)execute(QStringLiteral("pfctl -q -a '%1/%2' -F rules").arg(kRootAnchor, anchor), true);
|
||||
else
|
||||
return (void)execute(QStringLiteral("echo -e \"%1\" | pfctl -q -a '%2/%3' -f -").arg(ruleList.join('\n'), kRootAnchor, anchor), true);
|
||||
}
|
90
client/platforms/macos/daemon/macosfirewall.h
Normal file
90
client/platforms/macos/daemon/macosfirewall.h
Normal file
|
@ -0,0 +1,90 @@
|
|||
// Copyright (c) 2023 Private Internet Access, Inc.
|
||||
//
|
||||
// This file is part of the Private Internet Access Desktop Client.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is free software: you can
|
||||
// redistribute it and/or modify it under the terms of the GNU General Public
|
||||
// License as published by the Free Software Foundation, either version 3 of
|
||||
// the License, or (at your option) any later version.
|
||||
//
|
||||
// The Private Internet Access Desktop Client is distributed in the hope that
|
||||
// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with the Private Internet Access Desktop Client. If not, see
|
||||
// <https://www.gnu.org/licenses/>.
|
||||
|
||||
// Copyright (c) 2024 AmneziaVPN
|
||||
// This file has been modified for AmneziaVPN
|
||||
//
|
||||
// This file is based on the work of the Private Internet Access Desktop Client.
|
||||
// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
|
||||
//
|
||||
// The modified version of this file is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this file. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
#ifndef MACOSFIREWALL_H
|
||||
#define MACOSFIREWALL_H
|
||||
|
||||
#include <QString>
|
||||
#include <QStringList>
|
||||
|
||||
// Descriptor for a set of firewall rules to be appled.
|
||||
//
|
||||
struct FirewallParams
|
||||
{
|
||||
QStringList dnsServers;
|
||||
QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
|
||||
|
||||
QStringList allowAddrs;
|
||||
QStringList blockAddrs;
|
||||
|
||||
// The follow flags indicate which general rulesets are needed. Note that
|
||||
// this is after some sanity filtering, i.e. an allow rule may be listed
|
||||
// as not needed if there were no block rules preceding it. The rulesets
|
||||
// should be thought of as in last-match order.
|
||||
|
||||
bool blockAll; // Block all traffic by default
|
||||
bool blockNets;
|
||||
bool allowNets;
|
||||
bool allowVPN; // Exempt traffic through VPN tunnel
|
||||
bool allowDHCP; // Exempt DHCP traffic
|
||||
bool blockIPv6; // Block all IPv6 traffic
|
||||
bool allowLAN; // Exempt LAN traffic, including IPv6 LAN traffic
|
||||
bool blockDNS; // Block all DNS traffic except specified DNS servers
|
||||
bool allowPIA; // Exempt PIA executables
|
||||
bool allowLoopback; // Exempt loopback traffic
|
||||
bool allowHnsd; // Exempt Handshake DNS traffic
|
||||
bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
|
||||
};
|
||||
|
||||
class MacOSFirewall
|
||||
{
|
||||
|
||||
private:
|
||||
static int execute(const QString &command, bool ignoreErrors = false);
|
||||
static bool isPFEnabled();
|
||||
static bool isRootAnchorLoaded();
|
||||
|
||||
public:
|
||||
static void install();
|
||||
static void uninstall();
|
||||
static bool isInstalled();
|
||||
static void enableAnchor(const QString &anchor);
|
||||
static void disableAnchor(const QString &anchor);
|
||||
static bool isAnchorEnabled(const QString &anchor);
|
||||
static void setAnchorEnabled(const QString &anchor, bool enable);
|
||||
static void setAnchorTable(const QString &anchor, bool enabled, const QString &table, const QStringList &items);
|
||||
static void setAnchorWithRules(const QString &anchor, bool enabled, const QStringList &rules);
|
||||
static void ensureRootAnchorPriority();
|
||||
static void installRootAnchors();
|
||||
};
|
||||
|
||||
#endif // MACOSFIREWALL_H
|
|
@ -114,9 +114,30 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
|
|||
}
|
||||
|
||||
int err = uapiErrno(uapiCommand(message));
|
||||
|
||||
if (err != 0) {
|
||||
logger.error() << "Interface configuration failed:" << strerror(err);
|
||||
} else {
|
||||
FirewallParams params { };
|
||||
params.dnsServers.append(config.m_dnsServer);
|
||||
if (config.m_allowedIPAddressRanges.at(0).toString() == "0.0.0.0/0"){
|
||||
params.blockAll = true;
|
||||
if (config.m_excludedAddresses.size()) {
|
||||
params.allowNets = true;
|
||||
foreach (auto net, config.m_excludedAddresses) {
|
||||
params.allowAddrs.append(net.toUtf8());
|
||||
}
|
||||
}
|
||||
} else {
|
||||
params.blockNets = true;
|
||||
foreach (auto net, config.m_allowedIPAddressRanges) {
|
||||
params.blockAddrs.append(net.toString());
|
||||
}
|
||||
}
|
||||
|
||||
applyFirewallRules(params);
|
||||
}
|
||||
|
||||
return (err == 0);
|
||||
}
|
||||
|
||||
|
@ -140,6 +161,10 @@ bool WireguardUtilsMacos::deleteInterface() {
|
|||
// Garbage collect.
|
||||
QDir wgRuntimeDir(WG_RUNTIME_DIR);
|
||||
QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
|
||||
|
||||
// double-check + ensure our firewall is installed and enabled
|
||||
MacOSFirewall::uninstall();
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -302,6 +327,31 @@ bool WireguardUtilsMacos::addExclusionRoute(const IPAddress& prefix) {
|
|||
return m_rtmonitor->addExclusionRoute(prefix);
|
||||
}
|
||||
|
||||
void WireguardUtilsMacos::applyFirewallRules(FirewallParams& params)
|
||||
{
|
||||
// double-check + ensure our firewall is installed and enabled. This is necessary as
|
||||
// other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
|
||||
if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
|
||||
|
||||
MacOSFirewall::ensureRootAnchorPriority();
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), params.blockAll);
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), params.allowNets);
|
||||
MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), params.allowNets,
|
||||
QStringLiteral("allownets"), params.allowAddrs);
|
||||
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), params.blockNets);
|
||||
MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), params.blockNets,
|
||||
QStringLiteral("blocknets"), params.blockAddrs);
|
||||
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
|
||||
MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
|
||||
MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), params.dnsServers);
|
||||
}
|
||||
|
||||
bool WireguardUtilsMacos::deleteExclusionRoute(const IPAddress& prefix) {
|
||||
if (!m_rtmonitor) {
|
||||
return false;
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
|
||||
#include "daemon/wireguardutils.h"
|
||||
#include "macosroutemonitor.h"
|
||||
#include "macosfirewall.h"
|
||||
|
||||
class WireguardUtilsMacos final : public WireguardUtils {
|
||||
Q_OBJECT
|
||||
|
@ -34,6 +35,7 @@ class WireguardUtilsMacos final : public WireguardUtils {
|
|||
|
||||
bool addExclusionRoute(const IPAddress& prefix) override;
|
||||
bool deleteExclusionRoute(const IPAddress& prefix) override;
|
||||
void applyFirewallRules(FirewallParams& params);
|
||||
|
||||
signals:
|
||||
void backendFailure();
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue