feat: split daemon activation into bare bring-up and setPrimary

2026-06-23 02:00:20 +07:00 · 2026-05-18 16:44:42 +00:00
parent 82a18bd48b
commit b47f9e8c85
21 changed files with 295 additions and 427 deletions
@@ -39,8 +39,12 @@ bool IPUtilsMacos::addInterfaceIPs(const InterfaceConfig& config) {
 }

 bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
-  Q_UNUSED(config);
-  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
+  WireguardUtils* wg = MacOSDaemon::instance()->wgutilsFor(config.m_ifname);
+  if (!wg) {
+    logger.error() << "No wireguard interface for" << config.m_ifname;
+    return false;
+  }
+  QString ifname = wg->interfaceName();
  struct ifreq ifr;

  // Create socket file descriptor to perform the ioctl operations on
@@ -80,8 +84,12 @@ bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
 }

 bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
-  Q_UNUSED(config);
-  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
+  WireguardUtils* wg = MacOSDaemon::instance()->wgutilsFor(config.m_ifname);
+  if (!wg) {
+    logger.error() << "No wireguard interface for" << config.m_ifname;
+    return false;
+  }
+  QString ifname = wg->interfaceName();
  struct ifaliasreq ifr;
  struct sockaddr_in* ifrAddr = (struct sockaddr_in*)&ifr.ifra_addr;
  struct sockaddr_in* ifrMask = (struct sockaddr_in*)&ifr.ifra_mask;
@@ -130,8 +138,12 @@ bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
 }

 bool IPUtilsMacos::addIP6AddressToDevice(const InterfaceConfig& config) {
-  Q_UNUSED(config);
-  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
+  WireguardUtils* wg = MacOSDaemon::instance()->wgutilsFor(config.m_ifname);
+  if (!wg) {
+    logger.error() << "No wireguard interface for" << config.m_ifname;
+    return false;
+  }
+  QString ifname = wg->interfaceName();
  struct in6_aliasreq ifr6;

  // Name the interface and set family
@@ -29,7 +29,6 @@ MacOSDaemon::MacOSDaemon() : Daemon(nullptr) {

  logger.debug() << "Daemon created";

-  m_wgutils = new WireguardUtilsMacos(this);
  m_dnsutils = new DnsUtilsMacos(this);
  m_iputils = new IPUtilsMacos(this);

@@ -11,8 +11,6 @@
 #include "wireguardutilsmacos.h"

 class MacOSDaemon final : public Daemon {
-  friend class IPUtilsMacos;
-
 public:
  MacOSDaemon();
  ~MacOSDaemon();
@@ -22,7 +20,6 @@ class MacOSDaemon final : public Daemon {
  bool deactivate(bool emitSignals = true) override;

 protected:
-  WireguardUtils* wgutils() const override { return m_wgutils; }
  DnsUtils* dnsutils() override { return m_dnsutils; }
  bool supportIPUtils() const override { return true; }
  IPUtils* iputils() override { return m_iputils; }
@@ -31,13 +28,7 @@ class MacOSDaemon final : public Daemon {
    return new WireguardUtilsMacos(this);
  }

-  void replaceActiveWgUtils(WireguardUtils* newUtils) override {
-    delete m_wgutils;
-    m_wgutils = static_cast<WireguardUtilsMacos*>(newUtils);
-  }
-
 private:
-  WireguardUtilsMacos* m_wgutils = nullptr;
  DnsUtilsMacos* m_dnsutils = nullptr;
  IPUtilsMacos* m_iputils = nullptr;
 };
@@ -36,35 +36,6 @@
 #include <QString>
 #include <QStringList>

-// Descriptor for a set of firewall rules to be appled.
-//
-struct FirewallParams
-{
-    QStringList dnsServers;
-    QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
-
-    QStringList allowAddrs;
-    QStringList blockAddrs;
-
-    // The follow flags indicate which general rulesets are needed. Note that
-    // this is after some sanity filtering, i.e. an allow rule may be listed
-    // as not needed if there were no block rules preceding it. The rulesets
-    // should be thought of as in last-match order.
-
-    bool blockAll;      // Block all traffic by default
-    bool blockNets;
-    bool allowNets;
-    bool allowVPN;      // Exempt traffic through VPN tunnel
-    bool allowDHCP;     // Exempt DHCP traffic
-    bool blockIPv6;     // Block all IPv6 traffic
-    bool allowLAN;      // Exempt LAN traffic, including IPv6 LAN traffic
-    bool blockDNS;      // Block all DNS traffic except specified DNS servers
-    bool allowPIA;      // Exempt PIA executables
-    bool allowLoopback; // Exempt loopback traffic
-    bool allowHnsd;     // Exempt Handshake DNS traffic
-    bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
-};
-
 class MacOSFirewall
 {

@@ -62,7 +62,7 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
    return false;
  }

-  const QString ifname = config.m_ifname.isEmpty() ? QString(WG_INTERFACE) : config.m_ifname;
+  const QString ifname = config.m_ifname;

  QDir wgRuntimeDir(WG_RUNTIME_DIR);
  if (!wgRuntimeDir.exists()) {
@@ -146,30 +146,6 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
  int err = uapiErrno(uapiCommand(message));
  if (err != 0) {
    logger.error() << "Interface configuration failed:" << strerror(err);
-  } else {
-    if (config.m_killSwitchEnabled) {
-      FirewallParams params { };
-      params.dnsServers.append(config.m_primaryDnsServer);
-      if (!config.m_secondaryDnsServer.isEmpty()) {
-          params.dnsServers.append(config.m_secondaryDnsServer);
-      }
-
-      if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
-          params.blockAll = true;
-          if (config.m_excludedAddresses.size()) {
-              params.allowNets = true;
-              foreach (auto net, config.m_excludedAddresses) {
-                  params.allowAddrs.append(net.toUtf8());
-              }
-          }
-      } else {
-          params.blockNets = true;
-          foreach (auto net, config.m_allowedIPAddressRanges) {
-              params.blockAddrs.append(net.toString());
-          }
-      }
-      applyFirewallRules(params);
-    }
  }
  return (err == 0);
 }
@@ -455,28 +431,3 @@ QString WireguardUtilsMacos::waitForTunnelName(const QString& filename) {

  return QString();
 }
-
-void WireguardUtilsMacos::applyFirewallRules(FirewallParams& params)
-{
-  // double-check + ensure our firewall is installed and enabled. This is necessary as
-  // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
-  if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
-
-  MacOSFirewall::ensureRootAnchorPriority();
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), params.blockAll);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), params.allowNets);
-  MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), params.allowNets,
-                                QStringLiteral("allownets"), params.allowAddrs);
-
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), params.blockNets);
-  MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), params.blockNets,
-                                QStringLiteral("blocknets"), params.blockAddrs);
-
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
-  MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), params.dnsServers);
-}
@@ -10,7 +10,6 @@

 #include "daemon/wireguardutils.h"
 #include "macosroutemonitor.h"
-#include "macosfirewall.h"

 class WireguardUtilsMacos final : public WireguardUtils {
  Q_OBJECT
@@ -38,8 +37,6 @@ class WireguardUtilsMacos final : public WireguardUtils {

  bool excludeLocalNetworks(const QList<IPAddress>& lanAddressRanges) override;

-  void applyFirewallRules(FirewallParams& params);
-
 signals:
  void backendFailure();