def punch_hole_in_firewall(ips):
    """Allow traffic to and from every address in ``ips`` through the host firewall.

    On macOS the addresses are written as a single pf address set and installed
    as stateless ``pass ... quick`` rules in both directions via ``PFCtl``.  On
    Windows the request is only logged and otherwise ignored.  Any other OS
    raises ``XVEx``.

    Args:
        ips: iterable of address strings; they are interpolated verbatim into
            the pf rule text, so callers are expected to pass already-validated
            addresses (TODO confirm where validation happens).

    Raises:
        XVEx: when ``current_os()`` is neither ``'macos'`` nor ``'windows'``.
    """
    if current_os() == 'macos':
        # pf accepts a brace-delimited, comma-separated list as one address set.
        address_set = '{ ' + ', '.join(ips) + ' }'
        inbound = f"pass in quick from {address_set} no state"
        outbound = f"pass out quick to {address_set} no state"
        PFCtl().set_rules([inbound, outbound])
    elif current_os() == 'windows':
        joined = ', '.join(ips)
        L.warning(
            "Ignoring option to open up firewall for {} on Windows".format(joined))
    else:
        raise XVEx('Editing the firewall is only supported for PF/macOS')
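class MacOSFirewall(Firewall):
    """Per-IP block list backed by the macOS pf firewall.

    Rules are kept in ``self._current_rules`` and the whole list is re-applied
    through ``PFCtl.set_rules`` on every change, so pf always reflects exactly
    the rules this object still considers active.
    """

    def __init__(self, device, config):
        super().__init__(device, config)
        # Created lazily (see _ensure_pfctl) rather than here.
        self._pfctl = None
        # Every pf rule this object has installed and not yet removed.
        self._current_rules = []

    @staticmethod
    def _block_ip_rules(ip):
        """Return the two stateless pf rules that block ``ip`` in both directions.

        ``ip`` is interpolated verbatim into the rule text; it is assumed to be a
        validated address or network that pf accepts (TODO confirm upstream
        validation).
        """
        return [
            "block in quick from {} no state".format(ip),
            "block out quick to {} no state".format(ip)
        ]

    def _ensure_pfctl(self):
        """Create the ``PFCtl`` handle on first use and return it.

        Initialization is delayed until a rule is actually needed: some VPN
        applications take full ownership of pf when they connect, which can
        leave the firewall disabled if our handle was created before that.
        """
        from xv_leak_tools.network.macos.pf_firewall import PFCtl
        if self._pfctl is None:
            self._pfctl = PFCtl()
        return self._pfctl

    def block_ip(self, ip):
        """Install block rules for ``ip`` and push the full rule list to pf."""
        L.info("Adding outgoing IP block for {}".format(ip))
        pfctl = self._ensure_pfctl()
        self._current_rules += self._block_ip_rules(ip)
        pfctl.set_rules(self._current_rules)

    def unblock_ip(self, ip):
        """Drop every block rule for ``ip`` and push the remaining rules to pf.

        A no-op when no ``PFCtl`` handle exists yet, since nothing can have been
        installed in that case.
        """
        if self._pfctl is None:
            return

        L.info("Removing outgoing IP block for {}".format(ip))

        # One pass over the list instead of one pass per rule; all copies of a
        # matching rule are removed, as before.
        obsolete = set(self._block_ip_rules(ip))
        self._current_rules = [
            rule for rule in self._current_rules if rule not in obsolete
        ]
        self._pfctl.set_rules(self._current_rules)

    def cleanup(self):
        '''This doesn't flush the whole set of rules. It just removes any lingering test suite rules
        '''
        self._ensure_pfctl().cleanup()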