Support strict mode for system tethering

TODO: Set up rules when upstream interface not found.
Mygod
2018-09-03 16:37:54 +08:00
parent 0342d97fb0
commit 89c26fe384
6 changed files with 13 additions and 6 deletions


@@ -49,8 +49,9 @@ class App : Application() {
val result = pref.getString(KEY_OPERATING_CHANNEL, null)?.toIntOrNull() ?: 0
return if (result in 1..165) result else 0
}
val masquerade: Boolean get() = pref.getBoolean("service.masquerade", true)
val dhcpWorkaround: Boolean get() = pref.getBoolean("service.dhcpWorkaround", false)
val masquerade get() = pref.getBoolean("service.masquerade", true)
val strict get() = app.pref.getBoolean("service.repeater.strict", false)
val dhcpWorkaround get() = pref.getBoolean("service.dhcpWorkaround", false)
val cleanRoutings = Event0()
}
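Review bot: The `strict` getter reads `app.pref` while `masquerade` and `dhcpWorkaround` beside it read `pref` directly. Inside `App` the detour through the global looks unnecessary, so it could be `val strict get() = pref.getBoolean("service.repeater.strict", false)`. The key still says `repeater`, although the other hunks in this commit use the flag for local-only interfaces and system tethering as well. A one-line comment such as `// despite the "repeater" key, also applies to local-only hotspot and system tethering` would keep a later reader from scoping this traffic-blocking switch too narrowly. The class body starts and ends outside the hunk.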


@@ -42,7 +42,7 @@ class LocalOnlyInterfaceManager(val downstream: String) : UpstreamMonitor.Callba
try {
this.dns = dns
this.routing = Routing(upstream, downstream, owner).apply {
val strict = app.pref.getBoolean("service.repeater.strict", false)
val strict = app.strict
if (strict && upstream == null) return@apply // in this case, nothing to be done
if (app.dhcpWorkaround) dhcpWorkaround()
ipForward() // local only interfaces need to enable ip_forward


@@ -55,7 +55,9 @@ class TetheringService : IpNeighbourMonitoringService(), UpstreamMonitor.Callbac
// system tethering already has working forwarding rules
// so it doesn't make sense to add additional forwarding rules
rule()
// here we always enforce strict mode as fallback is handled by system which we disable
forward()
if (app.strict) overrideSystemRules()
if (app.masquerade) masquerade()
dnsRedirect(dns)
if (app.pref.getBoolean("service.disableIpv6", false)) disableIpv6()
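Review bot: The comment `// here we always enforce strict mode as fallback is handled by system which we disable` above `forward()` contradicts the code if it remains on the new side, because the drop rule is now installed only under `if (app.strict) overrideSystemRules()`. With the flag off, whatever forwarding the system tethering rules provide stays in effect. Reword it to cover both cases, e.g. `// non-strict: system rules remain as fallback; strict: drop whatever our chain did not accept`. The commit message leaves the no-upstream case as a TODO, so until that lands a comment next to `overrideSystemRules()` should state whether downstream traffic is blocked or passed while no upstream exists. The enclosing block starts and ends outside the hunk.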


@@ -84,6 +84,11 @@ class Routing(val upstream: String?, private val downstream: String, ownerAddres
stopScript.addFirst("$IPTABLES -D FORWARD -j vpnhotspot_fwd")
}
fun overrideSystemRules() {
startScript.add("$IPTABLES -A vpnhotspot_fwd -i $downstream -j DROP")
stopScript.addFirst("$IPTABLES -D vpnhotspot_fwd -i $downstream -j DROP")
}
fun masquerade(strict: Boolean = true) {
val hostSubnet = "${hostAddress.address.hostAddress}/${hostAddress.networkPrefixLength}"
startScript.add("quiet $IPTABLES -t nat -N vpnhotspot_masquerade 2>/dev/null")
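Review bot: `overrideSystemRules()` appends its DROP with `-A vpnhotspot_fwd`, so it is only correct once the chain exists and every ACCEPT rule has already been added to it; nothing in the function states or checks that ordering. Add a KDoc saying it must be called after the rules that populate `vpnhotspot_fwd` (presumably `forward()`, as `TetheringService` does) and that it drops all remaining traffic entering from `downstream`, so the system's own tethering rules are never reached. The rule is issued through `$IPTABLES` only. If that is the IPv4 tool, IPv6 forwarding from the downstream is not covered unless `service.disableIpv6` is also set, which deserves a line in the same comment. `masquerade` continues past the end of the hunk.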