From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Kuck <eric@bluelinelabs.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: "Exclude Private IPs" in Android App
Date: Thu, 5 Jul 2018 19:46:31 +0200
Message-ID: <CAHmME9pZZeQautpRT99R-gC9sxjsodgJK_1SLHd0mwU3hCsf_A@mail.gmail.com>
Hey Eric,
While you're iterating on the "Excluded Applications" feature, what
would you think of also taking a stab at the "Exclude Private IPs"
feature? It's kind of in the same ballpark and works over the same
code you're currently playing with.
First some background: Some people don't want packets intended for
their local network to go through a tunnel. On desktop linux's
wg-quick(8), this is the default with some very clever use of
ip-rule(8)'s suppress_prefixlength parameter. It works perfectly 100%
of the time, without any need for heuristics. I've written to the
folks I know working on Android's networking stack to allow for the
same kind of clever thing, but if that happens, it'd of course be
quite a ways off. So in the meantime, rather than introducing a switch
called "exclude local networks", which would have all sorts of races
with detecting local networks and making decisions about network types
and such, plus the need to toggle VpnService in a racy way, etc, I
have a much cleaner idea: "Exclude Private IPs".
"Exclude Private IPs" works in the most dumb and straightforward way
possible, that is guaranteed to not fail. We add a checkbox underneath
"AllowedIPs". The checkbox is visible if "0.0.0.0/0" or ${MAGICRANGE}
is included in the AllowedIPs; otherwise it is hidden. When the
checkbox is checked, it replaces 0.0.0.0/0 with ${MAGICRANGE}. When
the checkbox is unchecked, it replaces (after sorting) ${MAGICRANGE}
with "0.0.0.0/0". ${MAGICRANGE} is defined to be 0.0.0.0/0 modulo
RFC1918:
"0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4"
I think this approach will be simple and consistent, and implementing
this as a static modification of AllowedIPs rather than runtime set
subtraction makes it more obvious what's going on.
What do you think of that idea?
Jason
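Worked example, added to this archive page and not code from the WireGuard Android app or from the message above: it derives the ${MAGICRANGE} list by CIDR subtraction from 0.0.0.0/0 and implements the checkbox visibility and toggle rules the message describes as set operations on AllowedIPs. The app itself is Java/Kotlin; Python's standard ipaddress module is used here only because it has the prefix arithmetic built in. One detail worth knowing before copying the list: the quoted range ends at 208.0.0.0/4, so it covers 0.0.0.0 through 223.255.255.255 and additionally leaves out 224.0.0.0/3 (multicast and reserved space), not only the three RFC1918 blocks. The example subtracts 224.0.0.0/3 as well so that the computed list matches the quoted one exactly. The string MAGICRANGE below is the message's list joined back onto one line; everything else is constructed for this example.

```python
import ipaddress

# The ${MAGICRANGE} list from the message, joined back into one string.
MAGICRANGE = (
    "0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,"
    "64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,"
    "172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,"
    "176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,"
    "192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,"
    "193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4"
)

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# The quoted list stops at 223.255.255.255, so multicast/reserved space
# (224.0.0.0/3) has to be subtracted too to reproduce it exactly.
MULTICAST_AND_RESERVED = ["224.0.0.0/3"]


def subtract(networks, hole):
    """Remove one CIDR block from a list of CIDR blocks.

    Two prefixes either nest or are disjoint, so each input network is
    kept unchanged, dropped entirely, or split around the hole.
    """
    out = []
    for net in networks:
        if hole.subnet_of(net):
            out.extend(net.address_exclude(hole))  # split around the hole
        elif net.subnet_of(hole):
            continue                               # swallowed entirely
        else:
            out.append(net)                        # disjoint: keep as-is
    return out


def complement(start, holes):
    """start minus every block in holes, as a sorted minimal CIDR list."""
    nets = [ipaddress.ip_network(start)]
    for h in holes:
        nets = subtract(nets, ipaddress.ip_network(h))
    return sorted(ipaddress.collapse_addresses(nets))


def _order(n):
    # Sort IPv4 before IPv6; networks of different families cannot be
    # compared directly, and AllowedIPs routinely mixes 0.0.0.0/0 and ::/0.
    return (n.version, n)


def cidr_list(allowed_ips):
    """Parse a comma-separated AllowedIPs string into sorted networks."""
    return sorted((ipaddress.ip_network(x.strip())
                   for x in allowed_ips.split(",") if x.strip()), key=_order)


def to_string(nets):
    return ",".join(str(n) for n in nets)


DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
MAGIC = set(cidr_list(MAGICRANGE))


def checkbox_visible(allowed_ips):
    """Show the checkbox only if 0.0.0.0/0 or the full magic list is present."""
    nets = set(cidr_list(allowed_ips))
    return DEFAULT_ROUTE in nets or MAGIC <= nets


def checkbox_checked(allowed_ips):
    return MAGIC <= set(cidr_list(allowed_ips))


def toggle(allowed_ips, checked):
    """Static rewrite of AllowedIPs: swap 0.0.0.0/0 and the magic list.

    Anything else in the list (other IPv4 routes, ::/0) is left untouched,
    and a list containing neither form is returned unchanged.
    """
    nets = set(cidr_list(allowed_ips))
    if checked and DEFAULT_ROUTE in nets:
        nets.discard(DEFAULT_ROUTE)
        nets |= MAGIC
    elif not checked and MAGIC <= nets:
        nets -= MAGIC
        nets.add(DEFAULT_ROUTE)
    return to_string(sorted(nets, key=_order))


if __name__ == "__main__":
    derived = complement("0.0.0.0/0", RFC1918 + MULTICAST_AND_RESERVED)
    print("derived list matches message:", to_string(derived) == MAGICRANGE)
    print(toggle("0.0.0.0/0, ::/0", True))
```

Running the module prints whether the derived list equals the quoted one (it does) and shows the checked form of a typical dual-stack AllowedIPs. Because the toggle is a pure function of the AllowedIPs string, the checkbox state can be recovered from a saved config without any extra stored flag, which is the "static modification" property the message argues for.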
Thread overview: 4 messages
2018-07-05 17:46 Jason A. Donenfeld [this message]
2018-07-05 19:07 ` Denis Kisselev
2018-07-05 19:24 ` Jason A. Donenfeld
2018-07-05 19:37 ` Denis Kisselev