NetworkExtension: use excludedRoutes instead of binding on iOS
authorJason A. Donenfeld <Jason@zx2c4.com>
Sat, 25 May 2019 11:48:51 +0000 (13:48 +0200)
committerRoopesh Chander <roop@roopc.net>
Sat, 25 May 2019 18:42:47 +0000 (00:12 +0530)
The networking stack there is too flaky and the notifier doesn't always
fire correctly. Hopefully excludedRoutes works well with XLAT; otherwise
we're in trouble.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
WireGuard/WireGuardNetworkExtension/PacketTunnelProvider.swift
WireGuard/WireGuardNetworkExtension/PacketTunnelSettingsGenerator.swift

index c4fefd4217d32fcd30746680b4bb592c93debba2..9aa466ff6a029d8c6888ca4509eabed20af42a58 100644 (file)
@@ -147,7 +147,7 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
         if let packetTunnelSettingsGenerator = packetTunnelSettingsGenerator {
             _ = packetTunnelSettingsGenerator.endpointUapiConfiguration().withGoString { return wgSetConfig(handle, $0) }
         }
-        #endif
+        #elseif os(macOS)
         var interfaces = path.availableInterfaces
         if let ifname = ifname {
             interfaces = interfaces.filter { $0.name != ifname }
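Review bot: With the interface binding now macOS-only, the iOS path relies entirely on the `excludedRoutes` that PacketTunnelSettingsGenerator derives from `resolvedEndpoints`, and those are fixed at the moment the network settings are applied. If the `endpointUapiConfiguration()` re-sent through `wgSetConfig` just above this change can carry a freshly re-resolved address, that address has no exclusion until the tunnel settings are re-applied; whether that can happen is not visible in this hunk. A comment at the new `#elseif` would make the dependency explicit: `// iOS: no per-interface socket binding; endpoint traffic stays outside the tunnel only via excludedRoutes (PacketTunnelSettingsGenerator).` The enclosing function begins before this hunk.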
@@ -155,6 +155,7 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
         if let ifscope = interfaces.first?.index {
             wgBindInterfaceScope(handle, Int32(ifscope))
         }
+        #endif
     }
 }
 
index a4ff7dd2505bf05482bfe2bbaaf2227e98fd169a..cc491af4d2cda4ae41654ec6f742ca9423d2a2f1 100644 (file)
@@ -97,13 +97,16 @@ class PacketTunnelSettingsGenerator {
 
         let (ipv4Routes, ipv6Routes) = routes()
         let (ipv4IncludedRoutes, ipv6IncludedRoutes) = includedRoutes()
+        let (ipv4ExcludedRoutes, ipv6ExcludedRoutes) = excludedRoutes()
 
         let ipv4Settings = NEIPv4Settings(addresses: ipv4Routes.map { $0.destinationAddress }, subnetMasks: ipv4Routes.map { $0.destinationSubnetMask })
         ipv4Settings.includedRoutes = ipv4IncludedRoutes
+        ipv4Settings.excludedRoutes = ipv4ExcludedRoutes
         networkSettings.ipv4Settings = ipv4Settings
 
         let ipv6Settings = NEIPv6Settings(addresses: ipv6Routes.map { $0.destinationAddress }, networkPrefixLengths: ipv6Routes.map { $0.destinationNetworkPrefixLength })
         ipv6Settings.includedRoutes = ipv6IncludedRoutes
+        ipv6Settings.excludedRoutes = ipv6ExcludedRoutes
         networkSettings.ipv6Settings = ipv6Settings
 
         return networkSettings
@@ -153,4 +156,24 @@ class PacketTunnelSettingsGenerator {
         }
         return (ipv4IncludedRoutes, ipv6IncludedRoutes)
     }
+    private func excludedRoutes() -> ([NEIPv4Route]?, [NEIPv6Route]?) {
+        #if os(macOS)
+        return (nil, nil)
+        #elseif os(iOS)
+        var ipv4ExcludedRoutes = [NEIPv4Route]()
+        var ipv6ExcludedRoutes = [NEIPv6Route]()
+        for endpoint in resolvedEndpoints {
+            guard let host = endpoint?.host else { continue }
+            switch host {
+            case .ipv4(let v4):
+                ipv4ExcludedRoutes.append(NEIPv4Route(destinationAddress: "\(v4)", subnetMask: "255.255.255.255"))
+            case .ipv6(let v6):
+                ipv6ExcludedRoutes.append(NEIPv6Route(destinationAddress: "\(v6)", networkPrefixLength: 128))
+            default:
+                continue
+            }
+        }
+        return (ipv4ExcludedRoutes, ipv6ExcludedRoutes)
+        #endif
+    }
 }
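Review bot: The `default: continue` closing the `switch host` in `excludedRoutes()` silently skips any endpoint whose host is not an IP literal; if `host` is `NWEndpoint.Host`, that covers `.name`, so an endpoint that did not resolve gets no exclusion and its traffic falls back to whatever the tunnel routes say. Naming the case keeps that intent visible and reserves the catch-all for future library cases: `case .name: continue // unresolved; nothing to exclude` followed by `@unknown default: continue`. The method also deserves a header comment stating what it is and is not: `/// Host routes for each peer endpoint kept outside the tunnel so WireGuard's own UDP traffic does not loop back into it; excludedRoutes is a system-wide routing exception, not a socket bind, so any app's traffic to these addresses also bypasses the tunnel.`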