Block LAN when redirect-gateway block-local

Fixes #81
2019-05-01 17:15:41 +02:00 · 2019-05-01 17:15:41 +02:00 · a693075e90
parent 13cae06a49
commit a693075e90
3 changed files with 43 additions and 0 deletions
--- a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
+++ b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
@ -648,6 +648,43 @@ extension TunnelKitProvider: SessionProxyDelegate {
        // only set if there is a proxy (proxySettings set to non-nil above)
        proxySettings?.exceptionList = cfg.sessionConfiguration.proxyBypassDomains ?? reply.options.proxyBypassDomains
        
+        // block LAN if desired
+        if routingPolicies?.contains(.blockLocal) ?? false {
+            let table = RoutingTable()
+            if isIPv4Gateway,
+                let gateway = table.defaultGateway4()?.gateway(),
+                let route = table.broadestRoute4(matchingDestination: gateway) {
+
+                route.partitioned().forEach {
+                    let destination = $0.network()
+                    guard let netmask = $0.networkMask() else {
+                        return
+                    }
+                    
+                    log.info("Block local: Suppressing IPv4 route \(destination)/\($0.prefix())")
+                    
+                    let included = NEIPv4Route(destinationAddress: destination, subnetMask: netmask)
+                    included.gatewayAddress = reply.options.ipv4?.defaultGateway
+                    ipv4Settings?.includedRoutes?.append(included)
+                }
+            }
+            if isIPv6Gateway,
+                let gateway = table.defaultGateway6()?.gateway(),
+                let route = table.broadestRoute6(matchingDestination: gateway) {
+
+                route.partitioned().forEach {
+                    let destination = $0.network()
+                    let prefix = $0.prefix()
+                    
+                    log.info("Block local: Suppressing IPv6 route \(destination)/\($0.prefix())")
+
+                    let included = NEIPv6Route(destinationAddress: destination, networkPrefixLength: prefix as NSNumber)
+                    included.gatewayAddress = reply.options.ipv6?.defaultGateway
+                    ipv6Settings?.includedRoutes?.append(included)
+                }
+            }
+        }
+        
        let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)
        newSettings.ipv4Settings = ipv4Settings
        newSettings.ipv6Settings = ipv6Settings
--- a/TunnelKit/Sources/Core/ConfigurationParser.swift
+++ b/TunnelKit/Sources/Core/ConfigurationParser.swift
@ -723,6 +723,9 @@ public class ConfigurationParser {
                    
                case .ipv6:
                    policies.insert(.IPv6)
+                    
+                case .blockLocal:
+                    policies.insert(.blockLocal)

                default:
                    // TODO: handle [auto]local and block-*
--- a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
@ -154,6 +154,9 @@ extension SessionProxy {

        /// All IPv6 traffic goes through the VPN.
        case IPv6
+        
+        /// Block LAN while connected.
+        case blockLocal
    }
    
    /// :nodoc: