fix(firewall): skip SPN tunnel check for proxied split-tunnel connections

Proxied egress connections from ownPID were still running through
checkTunneling(), causing them to be routed via SPN if Portmaster's
own profile had SPN enabled. Add a checkTunnel flag that is set to
false for connections matched by isOwnSplitTunnelProxyConnection, so the
original app's routing decision is preserved.
Alexandr Stelnykovych
2026-05-13 23:56:10 +03:00
parent d0141c468a
commit 15e5401734
+4 -2
@@ -465,6 +465,7 @@ func filterHandler(conn *network.Connection, pkt packet.Packet) {
}
filterConnection := true
checkTunnel := true
// Check for special (internal) connection cases.
switch {
@@ -476,10 +477,11 @@ func filterHandler(conn *network.Connection, pkt packet.Packet) {
log.Tracer(pkt.Ctx()).Infof("filter: granting own pre-authenticated connection %s", conn)
case !conn.Inbound && isOwnSplitTunnelProxyConnection(conn):
// Approve connection.
// Approve connection and skip tunnel check.
conn.Accept("split tunnel connection proxied by Portmaster", noReasonOptionKey)
conn.Internal = true
filterConnection = false
checkTunnel = false
log.Tracer(pkt.Ctx()).Infof("filter: granting own pre-authenticated proxied split tunnel connection %s", conn)
// Redirect outbound DNS packets if enabled,
@@ -513,7 +515,7 @@ func filterHandler(conn *network.Connection, pkt packet.Packet) {
}
// Apply privacy filter and check tunneling.
FilterConnection(pkt.Ctx(), conn, pkt, filterConnection, true)
FilterConnection(pkt.Ctx(), conn, pkt, filterConnection, checkTunnel)
// Decide how to continue handling connection.
switch {
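Review bot: The new `checkTunnel := true` declaration in the first hunk carries no comment, so a reader of filterHandler cannot tell from the code why it is a separate knob from `filterConnection` or why only the proxied split-tunnel case clears it; I would add `// checkTunnel controls whether FilterConnection runs the SPN tunnel check; proxied split-tunnel connections keep the original app's routing decision, so it is cleared for them.` above that line. The call `FilterConnection(pkt.Ctx(), conn, pkt, filterConnection, checkTunnel)` now passes two positional bools, which is easy to transpose at the call site; naming the arguments in a comment or keeping the two flags adjacent where they are set (as the second hunk does) helps. Since the tunnel decision for these connections now rests entirely on `isOwnSplitTunnelProxyConnection(conn)`, any false positive there would route traffic outside SPN without a filter pass — the existing Infof line at least records each skip, which is worth keeping. filterHandler begins before the first hunk and continues past the last, so the other `filterConnection = false` cases that still pass `checkTunnel` as true are not visible here and are presumably intentional.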