Merge branch 'macos-flush-states-for-transitions'

mullvad · Apr 19, 2024 · d54dcc6 · d54dcc6
2 parents 774b760 + 511a6e5
commit d54dcc6
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,11 @@ Line wrap the file at 100 chars.                                              Th
 #### macOS
 - DNS was not properly restored in some cases when using custom DNS.
 
+### Security
+#### macOS
+- Flush states on tunnel state changes. Previously, pre-existing connections could leak when
+  internet sharing was enabled on a device.
+
 
 ## [2024.2-beta1] - 2024-04-15
 ### Added

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/talpid-core/Cargo.toml b/talpid-core/Cargo.toml
@@ -48,7 +48,7 @@ duct = "0.13"
 [target.'cfg(target_os = "macos")'.dependencies]
 async-trait = "0.1"
 duct = "0.13"
-pfctl = "0.4.4"
+pfctl = "0.4.6"
 subslice = "0.2"
 system-configuration = "0.5.1"
 hickory-proto = { git = "https://github.com/mullvad/hickory-dns", rev = "9e8f8c67fbcb6d2985503027362a3fb022529802" }

diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
@@ -49,7 +49,15 @@ impl Firewall {
     pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<()> {
         self.enable()?;
         self.add_anchor()?;
-        self.set_rules(policy)
+        self.set_rules(policy)?;
+
+        // When entering a secured state, clear connection states
+        // Otherwise, an existing connection may be approved by some other anchor, and leak
+        if let Err(error) = self.pf.clear_interface_states(pfctl::Interface::Any) {
+            log::error!("Failed to clear source state tracking nodes: {error}");
+        }
+
+        Ok(())
     }
 
     pub fn reset_policy(&mut self) -> Result<()> {