From e46b51a833cbc67c8d8fdd6793e6128947e0e6f5 Mon Sep 17 00:00:00 2001 From: aiamnezia Date: Thu, 24 Apr 2025 01:53:12 +0400 Subject: [PATCH] Add method to killswitch for expanding strickt mode exceptions list and fix allowTrafficTo() for Windows. Also Added cache in KillSwitch class for exceptions --- .../platforms/linux/daemon/linuxfirewall.cpp | 3 -- ipc/ipc_interface.rep | 1 + ipc/ipcserver.cpp | 5 ++++ ipc/ipcserver.h | 1 + service/server/killswitch.cpp | 28 +++++++++++++++++-- service/server/killswitch.h | 2 ++ 6 files changed, 34 insertions(+), 6 deletions(-) diff --git a/client/platforms/linux/daemon/linuxfirewall.cpp b/client/platforms/linux/daemon/linuxfirewall.cpp index 96194bc7..de88c962 100644 --- a/client/platforms/linux/daemon/linuxfirewall.cpp +++ b/client/platforms/linux/daemon/linuxfirewall.cpp @@ -455,9 +455,6 @@ void LinuxFirewall::updateDNSServers(const QStringList& servers) void LinuxFirewall::updateAllowNets(const QStringList& servers) { - static QStringList existingServers {}; - - existingServers = servers; execute(QStringLiteral("iptables -F %1.110.allowNets").arg(kAnchorName)); for (const QString& rule : getAllowRule(servers)) execute(QStringLiteral("iptables -A %1.110.allowNets %2").arg(kAnchorName, rule)); diff --git a/ipc/ipc_interface.rep b/ipc/ipc_interface.rep index c692817d..489f860f 100644 --- a/ipc/ipc_interface.rep +++ b/ipc/ipc_interface.rep @@ -32,6 +32,7 @@ class IpcInterface SLOT( bool disableAllTraffic() ); SLOT( bool refreshKillSwitch( bool enabled ) ); SLOT( bool allowTrafficTo( const QStringList ranges ) ); + SLOT( bool addKillSwitchExceptions( const QStringList ranges ) ); SLOT( bool enablePeerTraffic( const QJsonObject &configStr) ); SLOT( bool enableKillSwitch( const QJsonObject &excludeAddr, int vpnAdapterIndex) ); SLOT( bool updateResolvers(const QString& ifname, const QList& resolvers) ); diff --git a/ipc/ipcserver.cpp b/ipc/ipcserver.cpp index ced2987e..445ee954 100644 --- a/ipc/ipcserver.cpp 
+++ b/ipc/ipcserver.cpp @@ -184,6 +184,11 @@ bool IpcServer::allowTrafficTo(QStringList ranges) return KillSwitch::instance()->allowTrafficTo(ranges); } +bool IpcServer::addKillSwitchExceptions(QStringList ranges) +{ + return KillSwitch::instance()->addAllowedRange(ranges); +} + bool IpcServer::disableAllTraffic() { return KillSwitch::instance()->disableAllTraffic(); diff --git a/ipc/ipcserver.h b/ipc/ipcserver.h index 31cd007f..bbd11830 100644 --- a/ipc/ipcserver.h +++ b/ipc/ipcserver.h @@ -41,6 +41,7 @@ public: virtual bool disableKillSwitch() override; virtual bool refreshKillSwitch( bool enabled ) override; virtual bool updateResolvers(const QString& ifname, const QList& resolvers) override; + virtual bool addKillSwitchExceptions(QStringList ranges) override; private: int m_localpid = 0; diff --git a/service/server/killswitch.cpp b/service/server/killswitch.cpp index 9559e299..70bfeb4d 100644 --- a/service/server/killswitch.cpp +++ b/service/server/killswitch.cpp @@ -125,6 +125,7 @@ bool KillSwitch::disableKillSwitch() { return WindowsFirewall::create(this)->allowAllTraffic(); #endif + m_allowedRanges.clear(); return true; } 
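Review bot: `IpcServer::addKillSwitchExceptions` forwards to `KillSwitch::addAllowedRange`, but nothing at the IPC boundary says that this call widens the existing exception list while the neighbouring `allowTrafficTo` replaces it; a caller that confuses the two can leave holes open in strict mode that it believes it has closed. Suggest the comment `// Appends to the cached exception list (allowTrafficTo() replaces it); entries stay until disableKillSwitch()/disableAllTraffic() clears them.` above the definition. The parameter is taken by value like the existing `allowTrafficTo(QStringList ranges)` above it, so that matches file style, though `const QStringList &` would avoid a copy on a path that only forwards.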
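Review bot: `m_allowedRanges.clear()` is placed after the `#endif`, but the line just above it, `return WindowsFirewall::create(this)->allowAllTraffic();`, returns from inside what appears to be the Windows block (its `#ifdef` is above the hunk), so on Windows the cached exception list is never cleared when the kill switch is disabled. The same placement appears in the `disableAllTraffic` hunk below; whether that function's Windows branch also returns early is outside the hunk. Moving `m_allowedRanges.clear();` to the first statement of each function, before the platform-specific blocks, makes the reset unconditional on every platform. The body of `disableKillSwitch` starts outside the hunk.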
@@ -150,28 +151,49 @@ bool KillSwitch::disableAllTraffic() { MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true); MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true); #endif + m_allowedRanges.clear(); return true; } bool KillSwitch::allowTrafficTo(const QStringList &ranges) { + m_allowedRanges = ranges; + #ifdef Q_OS_LINUX LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), true); - LinuxFirewall::updateAllowNets(ranges); + LinuxFirewall::updateAllowNets(m_allowedRanges); #endif #ifdef Q_OS_MACOS MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), true); - MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), true, QStringLiteral("allownets"), ranges); + MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), true, QStringLiteral("allownets"), m_allowedRanges); #endif #ifdef Q_OS_WIN - WindowsFirewall::create(this)->allowTrafficRange(ranges); + if (isStrictKillSwitchEnabled()) { + WindowsFirewall::create(this)->enableInterface(-1); + } + WindowsFirewall::create(this)->allowTrafficRange(m_allowedRanges); #endif return true; } +bool KillSwitch::addAllowedRange(const QStringList &ranges) { + for (const QString &range : ranges) { + if (!range.isEmpty() && !m_allowedRanges.contains(range)) { + m_allowedRanges.append(range); + } + } + +#ifdef Q_OS_WIN + WindowsFirewall::create(this)->allowTrafficRange(ranges); + return true; +#else + return allowTrafficTo(m_allowedRanges); +#endif +} + bool KillSwitch::enablePeerTraffic(const QJsonObject &configStr) { #ifdef Q_OS_WIN InterfaceConfig config; diff --git a/service/server/killswitch.h b/service/server/killswitch.h index 56ffbca5..12343df3 100644 --- a/service/server/killswitch.h +++ b/service/server/killswitch.h 
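Review bot: In `addAllowedRange`, the Windows branch passes the caller's raw `ranges` to `allowTrafficRange`, so the empty-string and duplicate filtering done by the loop above it is bypassed on that platform, and the `enableInterface(-1)` step that `allowTrafficTo` performs under `isStrictKillSwitchEnabled()` is not taken either, whereas the non-Windows branch gets both by going through `allowTrafficTo(m_allowedRanges)`. Collecting the accepted entries, `QStringList added;` before the loop and `added.append(range);` beside the existing `m_allowedRanges.append(range);`, then calling `allowTrafficRange(added)`, keeps the firewall in step with the cache. Neither branch checks that a range is a well-formed address or prefix before it is cached and, on Linux, handed to `getAllowRule()` and the `iptables` command shown in the linuxfirewall.cpp hunk; a check such as `if (QHostAddress::parseSubnet(range).first.isNull()) continue;` before the append would reject malformed entries at this single choke point (confirm parseSubnet accepts every form callers send, e.g. plain host addresses). The result of `allowTrafficRange` is discarded in both functions while `true` is returned; if it can report failure, that should be propagated. `enablePeerTraffic` at the end of the hunk continues outside it.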
@@ -18,10 +18,12 @@ public: bool enablePeerTraffic(const QJsonObject &configStr); bool enableKillSwitch(const QJsonObject &configStr, int vpnAdapterIndex); bool allowTrafficTo(const QStringList &ranges); + bool addAllowedRange(const QStringList &ranges); bool isStrictKillSwitchEnabled(); private: KillSwitch(QObject* parent) {}; + QStringList m_allowedRanges; QSharedPointer m_appSettigns; };
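Review bot: The new member `m_allowedRanges` and the new `addAllowedRange` carry no comment, and the header is where the append-versus-replace contract and the lifetime of the cache need to be stated for callers. Suggest `// Cached kill-switch exception list: replaced by allowTrafficTo(), extended by addAllowedRange(), cleared when the kill switch or all traffic is disabled.` on the member, and `// Appends new, non-empty ranges to the cached list and re-applies it; unlike allowTrafficTo() it keeps existing entries.` on the method. Since the method takes a list, `addAllowedRanges` would name it more accurately and sit closer to the IPC slot `addKillSwitchExceptions` that calls it. The class declaration begins outside the hunk.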