Support strict mode for system tethering

TODO: Set up rules when upstream interface not found.
2018-09-03 16:37:54 +08:00
parent 0342d97fb0
commit 89c26fe384
6 changed files with 13 additions and 6 deletions
--- a/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
@@ -49,8 +49,9 @@ class App : Application() {
        val result = pref.getString(KEY_OPERATING_CHANNEL, null)?.toIntOrNull() ?: 0
        return if (result in 1..165) result else 0
    }
-    val masquerade: Boolean get() = pref.getBoolean("service.masquerade", true)
-    val dhcpWorkaround: Boolean get() = pref.getBoolean("service.dhcpWorkaround", false)
+    val masquerade get() = pref.getBoolean("service.masquerade", true)
+    val strict get() = app.pref.getBoolean("service.repeater.strict", false)
+    val dhcpWorkaround get() = pref.getBoolean("service.dhcpWorkaround", false)

    val cleanRoutings = Event0()
 }
--- a/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
@@ -42,7 +42,7 @@ class LocalOnlyInterfaceManager(val downstream: String) : UpstreamMonitor.Callba
        try {
            this.dns = dns
            this.routing = Routing(upstream, downstream, owner).apply {
-                val strict = app.pref.getBoolean("service.repeater.strict", false)
+                val strict = app.strict
                if (strict && upstream == null) return@apply    // in this case, nothing to be done
                if (app.dhcpWorkaround) dhcpWorkaround()
                ipForward()                                     // local only interfaces need to enable ip_forward
--- a/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
@@ -55,7 +55,9 @@ class TetheringService : IpNeighbourMonitoringService(), UpstreamMonitor.Callbac
                            // system tethering already has working forwarding rules
                            // so it doesn't make sense to add additional forwarding rules
                            rule()
+                            // here we always enforce strict mode as fallback is handled by system which we disable
                            forward()
+                            if (app.strict) overrideSystemRules()
                            if (app.masquerade) masquerade()
                            dnsRedirect(dns)
                            if (app.pref.getBoolean("service.disableIpv6", false)) disableIpv6()
--- a/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
@@ -84,6 +84,11 @@ class Routing(val upstream: String?, private val downstream: String, ownerAddres
        stopScript.addFirst("$IPTABLES -D FORWARD -j vpnhotspot_fwd")
    }

+    fun overrideSystemRules() {
+        startScript.add("$IPTABLES -A vpnhotspot_fwd -i $downstream -j DROP")
+        stopScript.addFirst("$IPTABLES -D vpnhotspot_fwd -i $downstream -j DROP")
+    }
+
    fun masquerade(strict: Boolean = true) {
        val hostSubnet = "${hostAddress.address.hostAddress}/${hostAddress.networkPrefixLength}"
        startScript.add("quiet $IPTABLES -t nat -N vpnhotspot_masquerade 2>/dev/null")
--- a/mobile/src/main/res/values-zh-rCN/strings.xml
+++ b/mobile/src/main/res/values-zh-rCN/strings.xml
@@ -64,7 +64,7 @@
    <string name="settings_service_repeater_oc">Wi\u2011Fi 运行频段 (不稳定)</string>
    <string name="settings_service_repeater_oc_summary">"自动 (1\u201114 = 2.4GHz, 15\u2011165 = 5GHz)"</string>
    <string name="settings_service_repeater_strict">严格模式</string>
-    <string name="settings_service_repeater_strict_summary">只允许通过 VPN 隧道的包通过，不适用于系统共享</string>
+    <string name="settings_service_repeater_strict_summary">只允许通过 VPN 隧道的包通过</string>
    <string name="settings_service_disable_ipv6">禁用 IPv6 共享</string>
    <string name="settings_service_disable_ipv6_summary">防止 IPv6 VPN 泄漏。</string>
    <string name="settings_service_repeater_start_on_boot">开机自启动中继</string>
--- a/mobile/src/main/res/values/strings.xml
+++ b/mobile/src/main/res/values/strings.xml
@@ -69,8 +69,7 @@
    <string name="settings_service_repeater_oc">Operating Wi\u2011Fi channel (unstable)</string>
    <string name="settings_service_repeater_oc_summary">Auto (1\u201114 = 2.4GHz, 15\u2011165 = 5GHz)</string>
    <string name="settings_service_repeater_strict">Strict mode</string>
-    <string name="settings_service_repeater_strict_summary">Only allow packets that goes through VPN tunnel. Does not
-        apply to system tethering.</string>
+    <string name="settings_service_repeater_strict_summary">Only allow packets that goes through VPN tunnel.</string>
    <string name="settings_service_disable_ipv6">Disable IPv6 tethering</string>
    <string name="settings_service_disable_ipv6_summary">Enabling this option will prevent VPN leaks via IPv6.</string>
    <string name="settings_service_repeater_start_on_boot">Start repeater on boot</string>