Commit Graph

2888 Commits

Author SHA1 Message Date
Alexandr Stelnykovych 6d03debc91 Bump version 2.2.0
+ npm audit fix
v2.2.0
2026-05-18 18:00:33 +03:00
Alexandr Stelnykovych 2d4d5bc0e6 Merge branch 'feature/split-tunneling' into release/v2.2.0 2026-05-18 17:52:10 +03:00
Alexandr Stelnykovych 2e3b0e4ede Merge branch 'fix/1997-correct-update-app-fingerprints' into release/v2.2.0 2026-05-18 17:51:44 +03:00
Alexandr Stelnykovych b193aab625 ui: clarify Split Tunnel config tooltips and messaging
https://github.com/safing/portmaster-shadow/issues/45
2026-05-18 17:48:29 +03:00
Alexandr Stelnykovych b5153a3a84 Merge pull request #2168 from safing/fix/s43_LPE_CWE-428
Fix: CWE 428
2026-05-18 14:36:21 +03:00
Alexandr Stelnykovych 353fda0855 feat(profile): re-key profiles when fingerprints change
- Detect fingerprint changes and re-derive the profile ID
- Migrate profile to new ID while preserving all settings and creation time
- Update UI to handle profile navigation after fingerprint-triggered re-keying
- Emit EventMigrated for history DB and connection re-attribution

https://github.com/safing/portmaster/issues/1997
2026-05-14 17:25:33 +03:00
Alexandr Stelnykovych e0507ca85b feat(profile): validate fingerprints on save
Reject saves with unparseable fingerprints (e.g., invalid regex patterns)
to prevent profiles from being saved in an unusable state.

https://github.com/safing/portmaster/issues/1997
2026-05-14 17:22:22 +03:00
Alexandr Stelnykovych 8927874d69 firewall: always fetch entity location in FilterConnection
Proxy split tunnel connections bypassed both filter and tunnel checks,
leaving no code path to trigger the GeoIP lookup, so Country, ASN and
AS Org showed as N/A in the UI.

Add Entity.FetchLocation (GeoIP only, no filter lists) and call it
unconditionally at the start of FilterConnection.
2026-05-14 12:12:20 +03:00
Alexandr Stelnykovych 15e5401734 fix(firewall): skip SPN tunnel check for proxied split-tunnel connections
Proxied egress connections from ownPID were still running through
checkTunneling(), causing them to be routed via SPN if Portmaster's
own profile had SPN enabled. Add a checkTunnel flag that is set to
false for isOwnSplitTunnelProxyConnection to preserve the original
app's routing decision.
2026-05-13 23:56:10 +03:00
Alexandr Stelnykovych d0141c468a feat(service/profile): Add validation and documentation for Split Tunnel options
- Add validation to Network Interface config to reject whitespace-only values
- Improve "Use Split Tunnel" description to clarify default physical interface detection behavior
2026-05-13 15:28:04 +03:00
Alexandr Stelnykovych b51e59a1c1 feat(UI): add Split Tunnel quick-setting to app profile view
Adds a "Split Tunnel" toggle to the app profile quick-settings bar,
mirroring the splittun/use per-app setting.

Shows an interference dot when:
- splittun/usagePolicy has Exclude rules (yellow)
- SPN is active and routes all traffic, fully bypassing Split Tunnel (red)
- SPN is active and partially bypasses Split Tunnel (yellow)

Dot and interference checks are suppressed when the Split Tunneling
or SPN module is globally disabled.
2026-05-13 14:50:52 +03:00
Alexandr Stelnykovych 2d5628a309 feat(UI): add Split Tunneling feature card
- Replace "Safing Support" feature with Split Tunneling in features.go,
  using a dedicated config key/scope and free package tier
- Fix feature-card component to prioritize ConfigKey over ConfigScope
  when resolving the config lookup key
2026-05-12 18:00:06 +03:00
Alexandr Stelnykovych ee2e3ef357 UI: Do not show "SPN Tunnel: connection has not been routed through the SPN"
The SPN Tunnel information is visible only when the connection has been routed through it.
2026-05-12 16:35:57 +03:00
Alexandr Stelnykovych dea008886d UI: Do not show username in the main application view
https://github.com/safing/portmaster/issues/2123
2026-05-12 16:27:15 +03:00
Alexandr Stelnykovych 2e4b3e938e Bump version 2.1.19 v2.1.19 2026-05-11 15:13:21 +03:00
Alexandr Stelnykovych f93e5a7d38 fix(windows): mitigate CWE-428 unquoted service path for PortmasterCore
- Update NSIS installer to register service with properly quoted executable path
- Add runtime self-heal in portmaster-core on Windows service startup to protect users who update via in-app updater without re-running the installer

https://github.com/safing/portmaster-shadow/issues/43
2026-05-11 15:09:47 +03:00
Alexandr Stelnykovych 0fd3665ac0 kext: fast-track split-tunnel proxy packets on loopback
Add PM_SPLIT_TUN_PORT (719) to fast_track_pm_packets so that redirected
packets arriving at the local split-tunnel proxy are permitted immediately
by the kext, matching the existing behaviour for the SPN port (717) and
the DNS port (53). This prevents internal proxy connections from being
reported to Portmaster and appearing in the connection monitor UI.

Also simplify fast_track_pm_packets by removing the redundant
match-on-direction branches, which were identical for Outbound and
Inbound.

Bump kext interface patch version to 2.1.1.0.
2026-05-07 13:46:16 +03:00
Alexandr Stelnykovych 485b19f241 firewall: identify and auto-approve own egress split-tunnel connections
Add isOwnSplitTunnelProxyConnection to detect outbound connections
from Portmaster's own split-tunnel proxies. Replace the slice-returning
FindProxiedEgressConnection with a boolean HasProxiedEgressConnection
to avoid unnecessary allocations on each lookup.
2026-05-06 19:06:55 +03:00
Alexandr Stelnykovych 3dd55529bf feat(firewall; Linux): Add split-tunneling support to firewall mark handling 2026-05-06 14:42:22 +03:00
Alexandr Stelnykovych 315fc254a5 fix(firewall; Linux): delete unmarked conntrack entries on firewall activation
Add DeleteUnmarkedConnections() to purge conntrack entries with mark=0
when the firewall is activated. This forces applications with existing
connections to reconnect, allowing DNAT rules (like SPN) to apply.

Without this, connections established while Portmaster was paused or
stopped would bypass DNAT because netfilter's nat table is only
traversed for new connections.

Loopback connections are excluded from deletion to avoid disconnecting
local services.

https://github.com/safing/portmaster-shadow/issues/42
2026-05-06 14:33:23 +03:00
Alexandr Stelnykovych 8d627bc1bc fix(linux/nfq): use correct protocol family for deleting conntrack elements
Use the selected conntrack family for delete operations
so IPv6 entries are removed correctly too.
2026-05-05 15:09:57 +03:00
Alexandr Stelnykovych 89ee86890a refactor: simplify IVPN compatibility state reconciliation
Rename ensureSPNCompatibility to reconcileCompatibilityState and extract the
implementation logic to improve code clarity and maintainability across all
platform implementations.
2026-05-05 14:00:26 +03:00
Alexandr Stelnykovych 4e67768927 splittun on Linux: generalize WireGuard compatibility rule for SPN and Split Tunnel
- Rename ensureWgSpnCompatRule to ensureWgCompatRule to reflect that it now
  handles both SPN and Split Tunnel compatibility with WireGuard
- Add split tunnel configuration check alongside SPN check
- Update comments to clarify the rule applies to both SPN and Split Tunnel
- Ensure compatibility rule remains active when either SPN or split tunneling
  is enabled
2026-04-30 18:26:34 +03:00
Alexandr Stelnykovych 192980b757 splittun: add splittun/enable config option with dynamic enable/disable
- New config.go registers the "splittun/enable" boolean option
- subsystems.ts: change ToggleOptionKey from splittun/use to splittun/enable
- Module Start/Stop replaced with enable()/disable() helpers driven by
  the config option; a callback on EventConfigChange toggles state at runtime
2026-04-30 18:18:53 +03:00
Alexandr Stelnykovych 594ab52bc6 splittun/proxy: migrate Logger to structured API and add logPrefix parameter
- Logger interface changes from Debugf/Infof/Warnf/Errorf to
  Debug/Info/Warn/Error with key-value args (slog-compatible)
- NewTCPProxy, NewTCPProxyWithConfig, NewUDPProxy, NewUDPProxyWithConfig
  all gain a logPrefix string parameter
- noopLogger updated; resolveLogPrefix helper added
- README, tests, and benchmarks updated accordingly
- proxies.go: remove proxyLogger wrapper now that mgr.Manager satisfies
  the new structured Logger interface directly
2026-04-30 18:17:16 +03:00
Alexandr Stelnykovych 74d4138c8e log: emit message on log level change and make slog handler level dynamic
- SetLogLevel now writes a log line via writeLogLevelChange() so level
  transitions are always visible regardless of old/new level
- slogLevel is now a shared *slog.LevelVar; all derived loggers pick up
  changes instantly without recreating the handler
- slog.SetDefault is called only once (sync.Once) so handlers are stable
2026-04-30 18:07:26 +03:00
Alexandr Stelnykovych f7e6ea0eb3 splittun/proxy: add LocalBinding with SO_BINDTODEVICE support
Introduces LocalBinding{IP, Interface} to carry both source-address
and device binding in a single DeciderFunc return value. On Linux,
SO_BINDTODEVICE is applied via net.Dialer.Control before connect(2),
forcing traffic through the specified interface regardless of the
routing table. Non-Linux platforms get a no-op stub.

Wires LocalBinding through TCPProxy, UDPProxy, and splittun's
proxyDecider/AwaitRequest so split-tunnelled connections are bound
to the correct physical interface.
2026-04-29 17:37:57 +03:00
Alexandr Stelnykovych 194d903675 netenv: restrict interface address selection to routable unicast IPs
Replaces scattered link-local exclusion checks with the new
isRoutableUnicastIP predicate (site-local or global scope only),
consistently applied in refreshIfaceCache, buildInterfaceInfoDirect,
hasRoutableIPv4, and hasRoutableIPv6. Updates tests accordingly.
2026-04-29 17:37:51 +03:00
Alexandr Stelnykovych 39e523d18e firewall(linux): add MarkRerouteSplitTun (0x6b7) and iptables rules
Introduces mark 1719 for split-tunnel rerouting, mirroring the existing SPN mark (1717).
Adds FILTER RETURN and NAT DNAT rules for both IPv4 and IPv6 targeting port 719.
2026-04-29 17:37:43 +03:00
Alexandr Stelnykovych 64475f94d0 build(linux): add build_angular.sh dev helper script
Adds a standalone bash script to build the Angular UI project and package it into a distributable zip. Supports --development and --interactive flags.
2026-04-29 17:37:11 +03:00
Alexandr Stelnykovych 7a61a06881 Merge branch 'development' into feature/split-tunneling 2026-04-28 12:53:38 +03:00
Alexandr Stelnykovych c036e41987 Bump version 2.1.18
+ npm audit fix
v2.1.18
2026-04-28 00:01:35 +03:00
Alexandr Stelnykovych f09fd9cc3c fix(interop/ivpn/Linux): improve error handling in spnConnectingHook function
Ignore IVPN compatibility warnings during SPN connection.
2026-04-27 23:51:49 +03:00
Alexandr Stelnykovych afc4a9117b fix(interop/ivpn/Linux): fix SPN hub bypass gateway handling and connect hook flow 2026-04-27 18:28:33 +03:00
Alexandr Stelnykovych 895f102f31 splittun: fix proxy startup leak, pending request memory leak, and nil-manager panic
- proxies: shut down partially-started proxies on startup failure via
  deferred cleanup; avoid nil-manager panic in stopProxies by falling
  back to context.Background(); start UDP4 unconditionally and gate
  TCP6/UDP6 on IPv6Enabled()

- requests: add 30s TTL to pending requests to prevent memory leaks
  when OS drops a redirected connection before it reaches the proxy;
  schedule deferred cleanup via module.mgr.Go so the goroutine only
  runs when entries are registered and exits cleanly on module stop;
  add expiry check in consumeRequest as a safety net; clear map on Stop

- requests: guard against nil LocalIP on public AwaitRequest API
2026-04-24 22:57:31 +03:00
Alexandr Stelnykovych ee8cde31f6 feat: Add Split Tunnel feature (Windows PoC)
Implement initial proof-of-concept for split tunnel functionality on Windows,
allowing applications to route traffic through a designated network interface
while bypassing default system routing.

Features:
- Split tunnel module with TCP/UDP proxy infrastructure
- Firewall integration with split tunnel verdict handling
- SplitTunneling context attached to connections
- Configuration options: enable toggle, interface selection, and policy rules
- UI display of split tunnel connection details in connection info panel
- Subsystem configuration for user-level access

Windows-specific implementation:
- Uses proxy-based interface routing on Windows
- Automatic or manual interface detection and binding
- Support for IPv4 and IPv6 traffic

Note: The Linux implementation is under development. SPN takes precedence over
split tunnel when both are enabled, ensuring SPN connections bypass this feature.
2026-04-24 18:04:01 +03:00
Alexandr Stelnykovych 29cc58fecb refactor(proxy): simplify source address binding to use net.IP instead of strings 2026-04-24 17:58:21 +03:00
Alexandr Stelnykovych 52a3b9256a netenv: enhance interface detection with physical adapter selection
- Refactor GetInterface* functions to return InterfaceInfo with IPv4/IPv6
  addresses instead of just net.Interface
- Add pre-caching of first routable IPv4/IPv6 per interface to avoid repeated
  address list scans
- Skip loopback interfaces in cache refresh
- Add GetBestPhysicalDefaultInterfaces() to detect which physical adapters
  carry the default route per IP family, excluding VPNs/tunnels
- Implement platform-specific physical interface detection:
  * Linux: reads /proc/net/route and /proc/net/ipv6_route, uses
    /sys/class/net/*/device to identify real hardware
  * Windows: uses GetAdaptersAddresses with IfType filtering
  * Other platforms: returns not-supported error
- Add helper functions: buildInterfaceInfo, interfaceToInfo, buildInterfaceInfoDirect,
  hasRoutableIPv4, hasRoutableIPv6
- Update tests to work with new InterfaceInfo return type and add coverage
  for new features
2026-04-24 17:55:32 +03:00
Alexandr Stelnykovych fdd04e1dd0 netenv: add cached network interface lookup
Add interfaces.go with GetInterface, GetInterfaceByIP, GetInterfaceByMAC
and GetInterfaceByName for resolving local network interfaces by IP, MAC,
or name.

- Lazy init: no work until first call
- sync.RWMutex with double-checked locking for concurrent read throughput
- Refresh throttled to once per second to absorb rapid interface churn
  (same NetworkChangedFlag pattern used across netenv)
- Only live, routable interfaces cached: FlagUp required; link-local and
  address-less interfaces excluded as unsuitable for TCP/UDP tunneling
2026-04-23 17:32:31 +03:00
Alexandr Stelnykovych 933323d5f9 feat: add VerdictRerouteToSplitTun verdict type
Add a new verdict (value 8) for routing connections through the split
tunnel. This prepares the infrastructure for the upcoming split-tunneling
feature without implementing the full feature yet.

Changes:
- Define VerdictRerouteToSplitTun in network/status.go with String() and Verb()
- Add RerouteToSplitTun() to the Packet interface and InfoPacket stub
- Implement RerouteToSplitTun() for windowskext (v1) and windowskext2 (v2) packets
- Map VerdictRerouteToSplitTun to KextVerdict 11 in kextinterface and kext2
- Handle the verdict in packet_handler.go dispatch, connection.go, api.go,
  metrics.go and nameserver.go
- Add VerdictRerouteToSplitTun = 8 to Angular Verdict enum and update
  stats counting, filter queries and verdict CSS class

(WIP) Note: The Linux (nfq) implementation is not updated yet. Therefore the Linux build will fail.
2026-04-17 20:48:48 +03:00
Alexandr Stelnykovych 52bfe1750f service/splittun/proxy: refactor DeciderFunc API and extract session cache
- Change DeciderFunc signature to return (remoteIP net.IP,
  remotePort uint16, localAddr string, extraInfo any, err error)
  instead of a single "host:port" dest string
- Extract ConnContext, Metrics, sessionCache, and idCounter into
  a new cache.go file
- Add a secondary destKey index to sessionCache for O(1)
  FindProxiedEgressConnection lookups by upstream destination
- Attach per-session extraInfo and atomic byte/packet counters
  to ConnContext
- Update TCP and UDP proxies, tests, and README accordingly
2026-04-17 20:30:36 +03:00
Alexandr Stelnykovych f5bad230fc Merge branch 'development' into feature/split-tunneling 2026-04-14 12:22:48 +03:00
Alexandr Stelnykovych 7fca633cd8 test(resolver): TestResolveIPAndValidate fix 2026-04-13 18:17:20 +03:00
Alexandr Stelnykovych 0c83c5c1b9 test(resolver): refresh public suffix expectations after x/net PSL update 2026-04-13 17:22:14 +03:00
Alexandr Stelnykovych e54f2a23fe Merge pull request #2155 from safing/feature/s40-restart_ui_on_upgrade
(feat) Restart the UI process after automatic update

The Tauri (UI) process now automatically restarts after a successful update.
2026-04-10 16:54:30 +03:00
Alexandr Stelnykovych ce67af81e3 fix(tauri): harden UI process restart path resolution and avoid exit on relaunch failure
This fixes a Linux-related issue where the UI process does not start automatically after an upgrade.

- replace direct current_exe relaunch usage with verified launch program resolution
- consider both current_exe and argv0, but only accept verified launchable file paths
- fail relaunch with explicit error when no safe executable path is available
- in reconnect flow, exit current UI only if relaunch spawn succeeds
- if relaunch request fails, keep current UI process running and continue normal startup

https://github.com/safing/portmaster-shadow/issues/40
2026-04-10 16:01:13 +03:00
Alexandr Stelnykovych fab4d3e68b fix: fix variable shadowing in copyAndCheckSHA256Sum
Separate variable declaration from assignment in the SHA256 validation
logic to prevent variable shadowing and ensure proper error handling
scope.
2026-04-10 13:30:22 +03:00
Alexandr Stelnykovych 14a8df4b11 Restart UI process (Tauri) after automatic update
https://github.com/safing/portmaster-shadow/issues/40
2026-04-10 13:12:04 +03:00
Alexandr Stelnykovych 67802f5cfb vscode config: Use consistent debug binary output path in VS Code launch configuration
- Add fixed output path for portmaster-core debug configurations
- Prevents creation of temporary debug binaries with random suffixes
- Reuses same binary across debug sessions
2026-04-08 15:30:04 +03:00
Alexandr Stelnykovych b298265c46 fix(updates): prevent downgrade due to CDN caching issues for recent index updates
https://github.com/safing/portmaster-shadow/issues/39
2026-04-03 13:26:51 +03:00