Merge branch 'android-refactor-tun-config'

Author: dlon

CHANGELOG.md

@@ -40,6 +40,9 @@ Line wrap the file at 100 chars.                                              Th
 #### macOS
 - Fix intermittent failures to connect with PQ enabled.
 
+#### Android
+- Fix VPN service being recreated multiple times when toggling certain options.
+
 
 ## [2024.4] - 2024-07-23
 This release is identical to 2024.4-beta1.

Cargo.lock

@@ -26,10 +26,7 @@ open class TalpidVpnService : LifecycleVpnService() {
             }
         }
 
-    private val tunIsOpen
-        get() = activeTunStatus?.isOpen ?: false
-
-    private var currentTunConfig = defaultTunConfig()
+    private var currentTunConfig: TunConfig? = null
 
     // Used by JNI
     val connectivityListener = ConnectivityListener()
@@ -46,36 +43,33 @@ open class TalpidVpnService : LifecycleVpnService() {
         connectivityListener.unregister()
     }
 
-    fun getTun(config: TunConfig): CreateTunResult {
+    fun openTun(config: TunConfig): CreateTunResult {
         synchronized(this) {
             val tunStatus = activeTunStatus
 
-            if (config == currentTunConfig && tunIsOpen) {
-                return tunStatus!!
+            if (config == currentTunConfig && tunStatus != null && tunStatus.isOpen) {
+                return tunStatus
             } else {
-                val newTunStatus = createTun(config)
-
-                currentTunConfig = config
-                activeTunStatus = newTunStatus
-
-                return newTunStatus
+                return openTunImpl(config)
             }
         }
     }
 
-    fun createTun() {
-        synchronized(this) { activeTunStatus = createTun(currentTunConfig) }
-    }
-
-    fun recreateTunIfOpen(config: TunConfig) {
+    fun openTunForced(config: TunConfig): CreateTunResult {
         synchronized(this) {
-            if (tunIsOpen) {
-                currentTunConfig = config
-                activeTunStatus = createTun(config)
-            }
+            return openTunImpl(config)
         }
     }
 
+    private fun openTunImpl(config: TunConfig): CreateTunResult {
+        val newTunStatus = createTun(config)
+
+        currentTunConfig = config
+        activeTunStatus = newTunStatus
+
+        return newTunStatus
+    }
+
     fun closeTun() {
         synchronized(this) { activeTunStatus = null }
     }
@@ -151,8 +145,6 @@ open class TalpidVpnService : LifecycleVpnService() {
         }
     }
 
-    private external fun defaultTunConfig(): TunConfig
-
     private external fun waitForTunnelUp(tunFd: Int, isIpv6Enabled: Boolean)
 
     companion object {

android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt

@@ -1,11 +1,8 @@
 use ipnetwork::IpNetwork;
-use jnix::{
-    jni::{
-        objects::JObject,
-        sys::{jboolean, jint, JNI_FALSE},
-        JNIEnv,
-    },
-    IntoJava, JnixEnv,
+use jnix::jni::{
+    objects::JObject,
+    sys::{jboolean, jint, JNI_FALSE},
+    JNIEnv,
 };
 use nix::sys::{
     select::{pselect, FdSet},
@@ -18,7 +15,6 @@ use std::{
     os::unix::io::RawFd,
     time::{Duration, Instant},
 };
-use talpid_tunnel::tun_provider::TunConfig;
 use talpid_types::ErrorExt;
 
 #[derive(Debug, thiserror::Error)]
@@ -33,17 +29,6 @@ enum Error {
     TunnelDeviceTimeout,
 }
 
-#[no_mangle]
-#[allow(non_snake_case)]
-pub extern "system" fn Java_net_mullvad_talpid_TalpidVpnService_defaultTunConfig<'env>(
-    env: JNIEnv<'env>,
-    _this: JObject<'_>,
-) -> JObject<'env> {
-    let env = JnixEnv::from(env);
-
-    TunConfig::default().into_java(&env).forget()
-}
-
 #[no_mangle]
 #[allow(non_snake_case)]
 pub extern "system" fn Java_net_mullvad_talpid_TalpidVpnService_waitForTunnelUp(

mullvad-jni/src/talpid_vpn_service.rs

@@ -12,7 +12,10 @@ use std::{
     fs, io,
     net::{IpAddr, Ipv4Addr},
 };
-use talpid_types::net::{AllowedEndpoint, AllowedTunnelTraffic, Endpoint, TransportProtocol};
+use talpid_types::net::{
+    AllowedEndpoint, AllowedTunnelTraffic, Endpoint, TransportProtocol, ALLOWED_LAN_MULTICAST_NETS,
+    ALLOWED_LAN_NETS,
+};
 
 /// Priority for rules that tag split tunneling packets. Equals NF_IP_PRI_MANGLE.
 const MANGLE_CHAIN_PRIORITY: i32 = libc::NF_IP_PRI_MANGLE;
@@ -840,15 +843,15 @@ impl<'a> PolicyBatch<'a> {
         // Output and forward chains
         for chain in &[&self.out_chain, &self.forward_chain] {
             // LAN -> LAN
-            for net in &*super::ALLOWED_LAN_NETS {
+            for net in &*ALLOWED_LAN_NETS {
                 let mut out_rule = Rule::new(chain);
                 check_net(&mut out_rule, End::Dst, *net);
                 add_verdict(&mut out_rule, &Verdict::Accept);
                 self.batch.add(&out_rule, nftnl::MsgType::Add);
             }
 
             // LAN -> Multicast
-            for net in &*super::ALLOWED_LAN_MULTICAST_NETS {
+            for net in &*ALLOWED_LAN_MULTICAST_NETS {
                 let mut rule = Rule::new(chain);
                 check_net(&mut rule, End::Dst, *net);
                 add_verdict(&mut rule, &Verdict::Accept);
@@ -858,7 +861,7 @@ impl<'a> PolicyBatch<'a> {
 
         // Input chain
         // LAN -> LAN
-        for net in &*super::ALLOWED_LAN_NETS {
+        for net in &*ALLOWED_LAN_NETS {
             let mut in_rule = Rule::new(&self.in_chain);
             check_net(&mut in_rule, End::Src, *net);
             add_verdict(&mut in_rule, &Verdict::Accept);

talpid-core/src/firewall/linux.rs

@@ -8,7 +8,9 @@ use std::{
     ptr,
 };
 use subslice::SubsliceExt;
-use talpid_types::net::{self, AllowedEndpoint, AllowedTunnelTraffic};
+use talpid_types::net::{
+    self, AllowedEndpoint, AllowedTunnelTraffic, ALLOWED_LAN_MULTICAST_NETS, ALLOWED_LAN_NETS,
+};
 
 pub use pfctl::Error;
 
@@ -494,7 +496,7 @@ impl Firewall {
 
     fn get_allow_lan_rules(&self) -> Result<Vec<pfctl::FilterRule>> {
         let mut rules = vec![];
-        for net in &*super::ALLOWED_LAN_NETS {
+        for net in &*ALLOWED_LAN_NETS {
             let mut rule_builder = self.create_rule_builder(FilterRuleAction::Pass);
             rule_builder.quick(true);
             let allow_out = rule_builder
@@ -510,7 +512,7 @@ impl Firewall {
             rules.push(allow_out);
             rules.push(allow_in);
         }
-        for multicast_net in &*super::ALLOWED_LAN_MULTICAST_NETS {
+        for multicast_net in &*ALLOWED_LAN_MULTICAST_NETS {
             let allow_multicast_out = self
                 .create_rule_builder(FilterRuleAction::Pass)
                 .quick(true)

talpid-core/src/firewall/macos.rs

@@ -4,7 +4,7 @@ use std::{
     fmt,
     net::{IpAddr, Ipv4Addr, Ipv6Addr},
 };
-use talpid_types::net::{AllowedEndpoint, AllowedTunnelTraffic};
+use talpid_types::net::{AllowedEndpoint, AllowedTunnelTraffic, ALLOWED_LAN_NETS};
 
 #[cfg(target_os = "macos")]
 #[path = "macos.rs"]
@@ -24,39 +24,6 @@ mod imp;
 
 pub use self::imp::Error;
 
-/// When "allow local network" is enabled the app will allow traffic to and from these networks.
-pub(crate) static ALLOWED_LAN_NETS: Lazy<[IpNetwork; 6]> = Lazy::new(|| {
-    [
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 8).unwrap()),
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(172, 16, 0, 0), 12).unwrap()),
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()),
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()),
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()),
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()),
-    ]
-});
-/// When "allow local network" is enabled the app will allow traffic to these networks.
-#[cfg(any(target_os = "linux", target_os = "macos", target_os = "android"))]
-pub(crate) static ALLOWED_LAN_MULTICAST_NETS: Lazy<[IpNetwork; 8]> = Lazy::new(|| {
-    [
-        // Local network broadcast. Not routable
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(255, 255, 255, 255), 32).unwrap()),
-        // Local subnetwork multicast. Not routable
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap()),
-        // Admin-local IPv4 multicast.
-        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(239, 0, 0, 0), 8).unwrap()),
-        // Interface-local IPv6 multicast.
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
-        // Link-local IPv6 multicast. IPv6 equivalent of 224.0.0.0/24
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
-        // Realm-local IPv6 multicast.
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
-        // Admin-local IPv6 multicast.
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
-        // Site-local IPv6 multicast.
-        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
-    ]
-});
 #[cfg(any(target_os = "linux", target_os = "macos"))]
 static IPV6_LINK_LOCAL: Lazy<Ipv6Network> =
     Lazy::new(|| Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap());
@@ -76,10 +43,8 @@ static SOLICITED_NODE_MULTICAST: Lazy<Ipv6Network> =
     Lazy::new(|| Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 1, 0xFF00, 0), 104).unwrap());
 static LOOPBACK_NETS: Lazy<[IpNetwork; 2]> = Lazy::new(|| {
     [
-        IpNetwork::V4(ipnetwork::Ipv4Network::new(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap()),
-        IpNetwork::V6(
-            ipnetwork::Ipv6Network::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1), 128).unwrap(),
-        ),
+        IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap()),
+        IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1), 128).unwrap()),
     ]
 });