Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block all traffic when device is connecting or reconnecting #5547

Closed
wants to merge 1 commit into from
Closed

Block all traffic when device is connecting or reconnecting #5547

wants to merge 1 commit into from

Conversation

buggmagnet
Copy link
Contributor

@buggmagnet buggmagnet commented Dec 4, 2023
edited by faern
Loading

This PR extend's @pinkisemils's fix for blocking traffic when in error state to the connecting and reconnecting states too.

This change is Reviewable

@buggmagnet buggmagnet added the iOS Issues related to iOS label Dec 4, 2023
@buggmagnet buggmagnet self-assigned this Dec 4, 2023
@linear Linear
Copy link

linear bot commented Dec 4, 2023

IOS-406 Stop leaking DNS traffic when connecting or reconnecting

buggmagnet
buggmagnet commented Dec 4, 2023
View reviewed changes
Copy link
Contributor Author

@buggmagnet buggmagnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 0 of 3 files reviewed, 1 unresolved discussion

ios/PacketTunnelCore/Actor/PacketTunnelActor+ErrorState.swift line 123 at r1 (raw file):

            config.interfaceAddresses = [IPAddressRange(from: "10.64.0.1/8")!]
            config.peer = TunnelPeer(
                endpoint: .ipv4(IPv4Endpoint(string: "127.0.0.1:9090")!),

What's the likelihood of someone having a socks5 proxy running at that same address @pinkisemils ?
Otherwise we could simply choose a random port instead here, and keep the localhost address.

buggmagnet
buggmagnet commented Dec 4, 2023
View reviewed changes
Copy link
Contributor Author

@buggmagnet buggmagnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 0 of 3 files reviewed, 1 unresolved discussion

ios/PacketTunnelCore/Actor/PacketTunnelActor+ErrorState.swift line 123 at r1 (raw file):

Previously, buggmagnet wrote…

What's the likelihood of someone having a socks5 proxy running at that same address @pinkisemils ?
Otherwise we could simply choose a random port instead here, and keep the localhost address.

I'm saying socks5 cause I saw a couple of examples for user ran services on localhost, I think 8080 is also a popular one.

pinkisemils
pinkisemils reviewed Dec 5, 2023
View reviewed changes
Copy link
Collaborator

@pinkisemils pinkisemils left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 0 of 3 files reviewed, 1 unresolved discussion (waiting on @buggmagnet)

ios/PacketTunnelCore/Actor/PacketTunnelActor+ErrorState.swift line 123 at r1 (raw file):

Previously, buggmagnet wrote…

I'm saying socks5 cause I saw a couple of examples for user ran services on localhost, I think 8080 is also a popular one.

Picking a random port would be better. You can also specify a random octet for the last part of the address - 127.0.0.123 is also a valid localhost address.

pinkisemils
pinkisemils requested changes Dec 5, 2023
View reviewed changes
Copy link
Collaborator

@pinkisemils pinkisemils left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 0 of 3 files reviewed, 2 unresolved discussions (waiting on @buggmagnet)

ios/PacketTunnelCore/Actor/PacketTunnelActor+NetworkReachability.swift line 59 at r1 (raw file):

                state = .connecting(connState)
                Task {
                    await blockAllTrafficUntilDeviceIsConnected()

Setting the tunnel config here is moot - the existing tunnel config should already be blocking traffic. And reconfiguring the tunnel to be blocking is moot too - the tunnel will be reconfigured to connect anyway.

rablador
rablador reviewed Dec 5, 2023
View reviewed changes
Copy link
Contributor

@rablador rablador left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @buggmagnet)

@buggmagnet buggmagnet force-pushed the stop-leaking-dns-traffic-when-connecting-or-reconnecting-ios-406 branch from 103068f to e6537d5 Compare December 5, 2023 13:43
buggmagnet
buggmagnet commented Dec 5, 2023
View reviewed changes
Copy link
Contributor Author

@buggmagnet buggmagnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @pinkisemils)

ios/PacketTunnelCore/Actor/PacketTunnelActor+ErrorState.swift line 123 at r1 (raw file):

Previously, pinkisemils (Emīls Piņķis) wrote…

Picking a random port would be better. You can also specify a random octet for the last part of the address - 127.0.0.123 is also a valid localhost address.

Done

ios/PacketTunnelCore/Actor/PacketTunnelActor+NetworkReachability.swift line 59 at r1 (raw file):

Previously, pinkisemils (Emīls Piņķis) wrote…

Setting the tunnel config here is moot - the existing tunnel config should already be blocking traffic. And reconfiguring the tunnel to be blocking is moot too - the tunnel will be reconfigured to connect anyway.

Done.

pinkisemils
pinkisemils requested changes Dec 5, 2023
View reviewed changes
Copy link
Collaborator

@pinkisemils pinkisemils left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 1 of 3 files reviewed, 2 unresolved discussions (waiting on @buggmagnet and @rablador)

ios/PacketTunnelCore/Actor/PacketTunnelActor+KeyPolicy.swift line 137 at r2 (raw file):

                state = .connecting(connState)
                Task {
                    await blockAllTrafficUntilDeviceIsConnected()

When in the connecting state, the app will end up calling adapter.start(realWireGuardConfiguration) soon after anyway - I don't think this matters much. The point of this change would be to change the DNS config to the config that's passed to WireGuard before we've received a ping back from the relay and then only set the DNS config.

@rablador rablador requested a review from pinkisemils December 5, 2023 13:54
rablador
rablador reviewed Dec 5, 2023
View reviewed changes
Copy link
Contributor

@rablador rablador left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 2 of 2 files at r2, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @buggmagnet and @pinkisemils)

@buggmagnet buggmagnet closed this Dec 5, 2023
@buggmagnet buggmagnet deleted the stop-leaking-dns-traffic-when-connecting-or-reconnecting-ios-406 branch June 27, 2024 11:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rablador rablador rablador left review comments

@pinkisemils pinkisemils Awaiting requested review from pinkisemils

Assignees

@buggmagnet buggmagnet

Labels
iOS Issues related to iOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@buggmagnet @rablador @pinkisemils