pf: potentially problematic order of route-to rule #7701

Open
2 tasks done
pronebird opened this issue Feb 20, 2025 · 0 comments
Labels
enhancement macOS Issues related to macOS

pronebird commented Feb 20, 2025

Is it a bug?

  • I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

It's probably worth reporting that pass out quick route-to (utun any) is applied before pass quick on utun in the macOS 14.7.4 firewall implementation:

pass out quick route-to (utun4 any) all flags S/SA keep state
pass quick on utun4 all flags S/SA keep state

The relevant code: https://github.com/mullvad/mullvadvpn-app/blob/main/talpid-core/src/firewall/macos.rs#L450-L456

PF seems to be smart enough to avoid a loop here; however, it could be more logical to invert the order of the firewall rules. This is not particularly a bug, so please adjust the GitHub label.

Expected Behavior

I'd expect all traffic on utun to be quickly passed through before using heavier machinery such as route-to rules.

Steps to Reproduce

  1. Connect
  2. Execute sudo pfctl -sa -a mullvad
  3. Inspect the rules

Failure Logs

Operating system version

No response

Mullvad VPN app version

No response

Additional Information

No response

@pronebird pronebird added the bug label Feb 20, 2025
@MarkusPettersson98 MarkusPettersson98 added enhancement macOS Issues related to macOS and removed bug labels Feb 20, 2025
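
A check for the rule order described in this issue, as an added example (not code from the issue or from the Mullvad project): it takes pf rule lines such as those printed by the pfctl command in the steps to reproduce and reports whether the first quick route-to rule is listed before the first pass quick rule on the same interface. The type and function names are hypothetical, and the sample input is constructed from the two rules quoted above.

```rust
/// Where the first quick route-to rule and the first `pass quick on <iface>`
/// rule for the same interface sit in a pf rule listing (0-based).
#[derive(Debug, PartialEq)]
pub struct RuleOrder {
    pub iface: String,
    pub route_to: usize,
    pub pass_on: Option<usize>,
}

impl RuleOrder {
    /// True when the route-to rule is listed before the plain pass rule.
    pub fn route_to_first(&self) -> bool {
        self.pass_on.map_or(false, |p| self.route_to < p)
    }
}

/// Interface named in `route-to (<iface> ...)`, only if the rule is `quick`.
fn route_to_iface(rule: &str) -> Option<&str> {
    let toks: Vec<&str> = rule.split_whitespace().collect();
    if !toks.contains(&"quick") {
        return None;
    }
    let i = toks.iter().position(|t| *t == "route-to")?;
    toks.get(i + 1).copied().map(|t| t.trim_start_matches('('))
}

/// Returns None when the listing has no quick route-to rule at all.
pub fn check_order(rules: &str) -> Option<RuleOrder> {
    let lines: Vec<&str> = rules.lines().map(str::trim).filter(|l| !l.is_empty()).collect();
    let (route_to, iface) = lines
        .iter()
        .enumerate()
        .find_map(|(i, l)| route_to_iface(l).map(|f| (i, f.to_string())))?;
    let pass_on = lines.iter().position(|l| {
        let t: Vec<&str> = l.split_whitespace().collect();
        t.first() == Some(&"pass") && t.contains(&"quick") && !t.contains(&"route-to")
            && t.windows(2).any(|w| w[0] == "on" && w[1] == iface)
    });
    Some(RuleOrder { iface, route_to, pass_on })
}

// Constructed sample: the two rules quoted in the issue, in the reported order.
const REPORTED: &str = "pass out quick route-to (utun4 any) all flags S/SA keep state\n\
pass quick on utun4 all flags S/SA keep state\n";

fn main() {
    let o = check_order(REPORTED).expect("no quick route-to rule found");
    println!("{}: route-to #{}, pass quick #{:?}, route-to first: {}",
        o.iface, o.route_to, o.pass_on, o.route_to_first());
}
```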