Block LAN when redirect-gateway block-local

Fixes #81
This commit is contained in:
Davide De Rosa 2019-05-01 17:15:41 +02:00
parent 13cae06a49
commit a693075e90
3 changed files with 43 additions and 0 deletions

View File

@ -648,6 +648,43 @@ extension TunnelKitProvider: SessionProxyDelegate {
// only set if there is a proxy (proxySettings set to non-nil above) // only set if there is a proxy (proxySettings set to non-nil above)
proxySettings?.exceptionList = cfg.sessionConfiguration.proxyBypassDomains ?? reply.options.proxyBypassDomains proxySettings?.exceptionList = cfg.sessionConfiguration.proxyBypassDomains ?? reply.options.proxyBypassDomains
// block LAN if desired
if routingPolicies?.contains(.blockLocal) ?? false {
let table = RoutingTable()
if isIPv4Gateway,
let gateway = table.defaultGateway4()?.gateway(),
let route = table.broadestRoute4(matchingDestination: gateway) {
route.partitioned().forEach {
let destination = $0.network()
guard let netmask = $0.networkMask() else {
return
}
log.info("Block local: Suppressing IPv4 route \(destination)/\($0.prefix())")
let included = NEIPv4Route(destinationAddress: destination, subnetMask: netmask)
included.gatewayAddress = reply.options.ipv4?.defaultGateway
ipv4Settings?.includedRoutes?.append(included)
}
}
if isIPv6Gateway,
let gateway = table.defaultGateway6()?.gateway(),
let route = table.broadestRoute6(matchingDestination: gateway) {
route.partitioned().forEach {
let destination = $0.network()
let prefix = $0.prefix()
log.info("Block local: Suppressing IPv6 route \(destination)/\($0.prefix())")
let included = NEIPv6Route(destinationAddress: destination, networkPrefixLength: prefix as NSNumber)
included.gatewayAddress = reply.options.ipv6?.defaultGateway
ipv6Settings?.includedRoutes?.append(included)
}
}
}
let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress) let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)
newSettings.ipv4Settings = ipv4Settings newSettings.ipv4Settings = ipv4Settings
newSettings.ipv6Settings = ipv6Settings newSettings.ipv6Settings = ipv6Settings

View File

@ -723,6 +723,9 @@ public class ConfigurationParser {
case .ipv6: case .ipv6:
policies.insert(.IPv6) policies.insert(.IPv6)
case .blockLocal:
policies.insert(.blockLocal)
default: default:
// TODO: handle [auto]local and block-* // TODO: handle [auto]local and block-*

View File

@ -154,6 +154,9 @@ extension SessionProxy {
/// All IPv6 traffic goes through the VPN. /// All IPv6 traffic goes through the VPN.
case IPv6 case IPv6
/// Block LAN while connected.
case blockLocal
} }
/// :nodoc: /// :nodoc: