feature: fillswitch strict mode (#1333)

* Add allowed DNS list for killswitch * Windows killswitch strict mode backend part * Killswitch strict mode for Linux and MacOS * Windows fixes * feature: Add Kill Switch settings page with strict mode option * fix windows build after merge * Refresh killswitch mode when it toggled * Use HLM to store strictMode flag * Some Linux updates * feat: Enhance VerticalRadioButton with improved styling and disabled states * Refresh killSwitch state update * Fix build * refactor: Modularize header components * Change kill switch radio button styling * Fix strict kill switch mode handling * Refactor: Replace HeaderType with new Types for headers in QML pages * Remove deprecated HeaderType QML component * Refresh strict mode killswitch after global toggle change * Implement model, controller and UI for killswitch dns exceptions * Connect backend part and UI * Change label text to DNS exceptions * Remove HeaderType from PageSettingsApiDevices * Some pretty fixes * Fix problem with definition sequence of PageSettingsKillSwitchExceptions.pml elements * Add exclusion method for Windows firewall * Change ubuntu version in deploy script * Update ubuntu version in GH actions * Add confirmation popup for strict killswitch mode * Add qt standard path for build script * Add method to killswitch for expanding strickt mode exceptions list and fix allowTrafficTo() for Windows. Also Added cache in KillSwitch class for exceptions * Add insertion of gateway address to strict killswitch exceptions * Review fixes * buildfix and naming --------- Co-authored-by: aiamnezia <ai@amnezia.org>
2025-05-02 23:54:36 -07:00 · 2025-05-02 23:54:36 -07:00 · f6d7552b58
commit f6d7552b58
parent 5bd88ac2e9
88 changed files with 1718 additions and 418 deletions
--- a/ipc/ipc_interface.rep
+++ b/ipc/ipc_interface.rep
@ -29,6 +29,10 @@ class IpcInterface
    SLOT( void StopRoutingIpv6() );

    SLOT( bool disableKillSwitch() );
+    SLOT( bool disableAllTraffic() );
+    SLOT( bool refreshKillSwitch( bool enabled ) );
+    SLOT( bool addKillSwitchAllowedRange( const QStringList ranges ) );
+    SLOT( bool resetKillSwitchAllowedRange( const QStringList ranges ) );
    SLOT( bool enablePeerTraffic( const QJsonObject &configStr) );
    SLOT( bool enableKillSwitch( const QJsonObject &excludeAddr, int vpnAdapterIndex) );
    SLOT( bool updateResolvers(const QString& ifname, const QList<QHostAddress>& resolvers) );
--- a/ipc/ipcserver.cpp
+++ b/ipc/ipcserver.cpp
@ -8,21 +8,12 @@
 #include "logger.h"
 #include "router.h"

-#include "../core/networkUtilities.h"
-#include "../client/protocols/protocols_defs.h"
+#include "killswitch.h"
+
 #ifdef Q_OS_WIN
-    #include "../client/platforms/windows/daemon/windowsdaemon.h"
-    #include "../client/platforms/windows/daemon/windowsfirewall.h"
    #include "tapcontroller_win.h"
 #endif

-#ifdef Q_OS_LINUX
-    #include "../client/platforms/linux/daemon/linuxfirewall.h"
-#endif
-
-#ifdef Q_OS_MACOS
-    #include "../client/platforms/macos/daemon/macosfirewall.h"
-#endif

 IpcServer::IpcServer(QObject *parent) : IpcInterfaceSource(parent)

@ -188,174 +179,37 @@ void IpcServer::setLogsEnabled(bool enabled)
    }
 }

+bool IpcServer::resetKillSwitchAllowedRange(QStringList ranges)
+{
+    return KillSwitch::instance()->resetAllowedRange(ranges);
+}
+
+bool IpcServer::addKillSwitchAllowedRange(QStringList ranges)
+{
+    return KillSwitch::instance()->addAllowedRange(ranges);
+}
+
+bool IpcServer::disableAllTraffic()
+{
+    return KillSwitch::instance()->disableAllTraffic();
+}
+
 bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterIndex)
 {
-#ifdef Q_OS_WIN
-    auto firewallManager = WindowsFirewall::create(this);
-    Q_ASSERT(firewallManager != nullptr);
-    return firewallManager->enableInterface(vpnAdapterIndex);
-#endif
-
-#if defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
-    int splitTunnelType = configStr.value("splitTunnelType").toInt();
-    QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
-    bool blockAll = 0;
-    bool allowNets = 0;
-    bool blockNets = 0;
-    QStringList allownets;
-    QStringList blocknets;
-
-    if (splitTunnelType == 0) {
-        blockAll = true;
-        allowNets = true;
-        allownets.append(configStr.value("vpnServer").toString());
-    } else if (splitTunnelType == 1) {
-        blockNets = true;
-        for (auto v : splitTunnelSites) {
-            blocknets.append(v.toString());
-        }
-    } else if (splitTunnelType == 2) {
-        blockAll = true;
-        allowNets = true;
-        allownets.append(configStr.value("vpnServer").toString());
-        for (auto v : splitTunnelSites) {
-            allownets.append(v.toString());
-        }
-    }
-#endif
-
-#ifdef Q_OS_LINUX
-    // double-check + ensure our firewall is installed and enabled
-    if (!LinuxFirewall::isInstalled())
-        LinuxFirewall::install();
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);
-    LinuxFirewall::updateAllowNets(allownets);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), blockAll);
-    LinuxFirewall::updateBlockNets(blocknets);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
-    QStringList dnsServers;
-    dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
-    dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
-    dnsServers.append("127.0.0.1");
-    dnsServers.append("127.0.0.53");
-    LinuxFirewall::updateDNSServers(dnsServers);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
-#endif
-
-#ifdef Q_OS_MACOS
-
-    // double-check + ensure our firewall is installed and enabled. This is necessary as
-    // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
-    if (!MacOSFirewall::isInstalled())
-        MacOSFirewall::install();
-
-    MacOSFirewall::ensureRootAnchorPriority();
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), blockAll);
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), allowNets);
-    MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), allowNets, QStringLiteral("allownets"), allownets);
-
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), blockNets);
-    MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), blockNets, QStringLiteral("blocknets"), blocknets);
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
-
-    QStringList dnsServers;
-    dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
-    dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
-    MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
-    MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), dnsServers);
-#endif
-
-    return true;
+    return KillSwitch::instance()->enableKillSwitch(configStr, vpnAdapterIndex);
 }

 bool IpcServer::disableKillSwitch()
 {
-#ifdef Q_OS_WIN
-    auto firewallManager = WindowsFirewall::create(this);
-    Q_ASSERT(firewallManager != nullptr);
-    return firewallManager->disableKillSwitch();
-#endif
-
-#ifdef Q_OS_LINUX
-    LinuxFirewall::uninstall();
-#endif
-
-#ifdef Q_OS_MACOS
-    MacOSFirewall::uninstall();
-#endif
-
-    return true;
+    return KillSwitch::instance()->disableKillSwitch();
 }

 bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
 {
-#ifdef Q_OS_WIN
-    InterfaceConfig config;
-    config.m_dnsServer = configStr.value(amnezia::config_key::dns1).toString();
-    config.m_serverPublicKey = "openvpn";
-    config.m_serverIpv4Gateway = configStr.value("vpnGateway").toString();
-    config.m_serverIpv4AddrIn = configStr.value("vpnServer").toString();
-    int vpnAdapterIndex = configStr.value("vpnAdapterIndex").toInt();
-    int inetAdapterIndex = configStr.value("inetAdapterIndex").toInt();
-
-    int splitTunnelType = configStr.value("splitTunnelType").toInt();
-    QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
-
-    QStringList AllowedIPAddesses;
-
-    // Use APP split tunnel
-    if (splitTunnelType == 0 || splitTunnelType == 2) {
-        config.m_allowedIPAddressRanges.append(IPAddress(QHostAddress("0.0.0.0"), 0));
-        config.m_allowedIPAddressRanges.append(IPAddress(QHostAddress("::"), 0));
-    }
-
-    if (splitTunnelType == 1) {
-        for (auto v : splitTunnelSites) {
-            QString ipRange = v.toString();
-            if (ipRange.split('/').size() > 1) {
-                config.m_allowedIPAddressRanges.append(
-                        IPAddress(QHostAddress(ipRange.split('/')[0]), atoi(ipRange.split('/')[1].toLocal8Bit())));
-            } else {
-                config.m_allowedIPAddressRanges.append(IPAddress(QHostAddress(ipRange), 32));
-            }
-        }
-    }
-
-    config.m_excludedAddresses.append(configStr.value("vpnServer").toString());
-    if (splitTunnelType == 2) {
-        for (auto v : splitTunnelSites) {
-            QString ipRange = v.toString();
-            config.m_excludedAddresses.append(ipRange);
-        }
-    }
-
-    for (const QJsonValue &i : configStr.value(amnezia::config_key::splitTunnelApps).toArray()) {
-        if (!i.isString()) {
-            break;
-        }
-        config.m_vpnDisabledApps.append(i.toString());
-    }
-
-    // killSwitch toggle
-    if (QVariant(configStr.value(amnezia::config_key::killSwitchOption).toString()).toBool()) {
-        auto firewallManager = WindowsFirewall::create(this);
-        Q_ASSERT(firewallManager != nullptr);
-        firewallManager->enablePeerTraffic(config);
-    }
-
-    WindowsDaemon::instance()->prepareActivation(config, inetAdapterIndex);
-    WindowsDaemon::instance()->activateSplitTunnel(config, vpnAdapterIndex);
-#endif
-    return true;
+    return KillSwitch::instance()->enablePeerTraffic(configStr);
+}
+
+bool IpcServer::refreshKillSwitch(bool enabled)
+{
+    return KillSwitch::instance()->refresh(enabled);
 }
--- a/ipc/ipcserver.h
+++ b/ipc/ipcserver.h
@ -34,9 +34,13 @@ public:
    virtual bool deleteTun(const QString &dev) override;
    virtual void StartRoutingIpv6() override;
    virtual void StopRoutingIpv6() override;
+    virtual bool disableAllTraffic() override;
+    virtual bool addKillSwitchAllowedRange(QStringList ranges) override;
+    virtual bool resetKillSwitchAllowedRange(QStringList ranges) override;
    virtual bool enablePeerTraffic(const QJsonObject &configStr) override;
    virtual bool enableKillSwitch(const QJsonObject &excludeAddr, int vpnAdapterIndex) override;
    virtual bool disableKillSwitch() override;
+    virtual bool refreshKillSwitch( bool enabled ) override;
    virtual bool updateResolvers(const QString& ifname, const QList<QHostAddress>& resolvers) override;

 private: