v2.10.8

Windscribe · Apr 8, 2024 · a001a6f · a001a6f
1 parent 65d9b8a
commit a001a6f
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 37 deletions.
diff --git a/backend/linux/helper/firewallcontroller.cpp b/backend/linux/helper/firewallcontroller.cpp
@@ -88,8 +88,8 @@ void FirewallController::setSplitTunnelingEnabled(bool isConnected, bool isEnabl
 void FirewallController::removeExclusiveIpRules()
 {
     for (auto ip : splitTunnelIps_) {
-        Utils::executeCommand("iptables", {"-D", "windscribe_input", "-s", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
-        Utils::executeCommand("iptables", {"-D", "windscribe_output", "-d", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
+        Utils::executeCommand("iptables", {"-D", "windscribe_input", "-s", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
+        Utils::executeCommand("iptables", {"-D", "windscribe_output", "-d", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
     }
 }
 
@@ -167,15 +167,15 @@ void FirewallController::setSplitTunnelIpExceptions(const std::vector<std::strin
         // For exclusive, remove rules for addresses no longer in "ips"
         for (auto ip : splitTunnelIps_) {
             if (std::find(ips.begin(), ips.end(), ip) == ips.end()) {
-                Utils::executeCommand("iptables", {"-D", "windscribe_input", "-s", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
-                Utils::executeCommand("iptables", {"-D", "windscribe_output", "-d", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
+                Utils::executeCommand("iptables", {"-D", "windscribe_input", "-s", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
+                Utils::executeCommand("iptables", {"-D", "windscribe_output", "-d", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
             }
         }
 
         // Add rules for new IPs
         for (auto ip : ips) {
-            addRule({"windscribe_input", "-s", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
-            addRule({"windscribe_output", "-d", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
+            addRule({"windscribe_input", "-s", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
+            addRule({"windscribe_output", "-d", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag});
         }
     } else {
         removeExclusiveIpRules();

diff --git a/backend/linux/helper/split_tunneling/hostnames_manager/ip_routes.cpp b/backend/linux/helper/split_tunneling/hostnames_manager/ip_routes.cpp
@@ -58,15 +58,15 @@ void IpRoutes::clear()
 
 void IpRoutes::addRoute(const RouteDescr &rd)
 {
-    std::string cmd = "ip route add " + rd.ip + "/32" + " via " + rd.defaultRouteIp;
+    std::string cmd = "ip route add " + rd.ip + " via " + rd.defaultRouteIp;
     Logger::instance().out("cmd: %s", cmd.c_str());
 
     Utils::executeCommand(cmd);
 }
 
 void IpRoutes::deleteRoute(const RouteDescr &rd)
 {
-    std::string cmd = "ip route del " + rd.ip + "/32" + " via " + rd.defaultRouteIp;
+    std::string cmd = "ip route del " + rd.ip + " via " + rd.defaultRouteIp;
     Logger::instance().out("cmd: %s", cmd.c_str());
     Utils::executeCommand(cmd);
 }
diff --git a/client/common/changelog.txt b/client/common/changelog.txt
@@ -1,3 +1,9 @@
+2.10.8 (04/04/2024)
+Linux:
+   * Fixed split tunnel for IP assumes /32 subnet. #964
+   * Fixed split tunneling for distributions which mount cgroups v2 by default. #967
+
+
 2.10.7 (01/04/2024)
 All:
    * Fixed anti-censorship flag (TLS stuffing) does not work for server API. #951

diff --git a/client/common/version/windscribe_version.h b/client/common/version/windscribe_version.h
@@ -2,7 +2,7 @@
 
 #define WINDSCRIBE_MAJOR_VERSION 2
 #define WINDSCRIBE_MINOR_VERSION 10
-#define WINDSCRIBE_BUILD_VERSION 7
+#define WINDSCRIBE_BUILD_VERSION 8
 
 // only one of these should be enabled; neither -> stable
 //#define WINDSCRIBE_IS_BETA

diff --git a/installer/linux/common/etc/windscribe/cgroups-up b/installer/linux/common/etc/windscribe/cgroups-up
@@ -10,19 +10,30 @@ netclass=$7
 allow_lan=$8
 mode=$9
 
-net_cls_root="`mount -l -t cgroup | grep net_cls | cut -d ' ' -f 3 | head -n 1`"
+net_cls_root="`mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1`"
 if [ ! -f "$net_cls_root/windscribe/net_cls.classid" ]; then
     modprobe cls_cgroup
     if [ $? -ne 0 ]; then
         echo "Could not load cls_cgroup module"
         exit 1
     fi
 
-    net_cls_root="`mount -l -t cgroup | grep net_cls | cut -d ' ' -f 3 | head -n 1`"
+    net_cls_root="`mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1`"
     if [ -z "$net_cls_root" ]; then
+        if [ -d /sys/fs/cgroup/net_cls ]; then
+            # on some distros, cgroups v2 net_cls is mounted and it may be a symlink.  If so, unmount it and mount v1
+            mount -o remount,rw /sys/fs/cgroup
+
+            link="`readlink /sys/fs/cgroup/net_cls`"
+            if [ -n "$link" ]; then
+                umount /sys/fs/cgroup/${link}
+            fi
+            rm -f /sys/fs/cgroup/net_cls
+        fi
         mkdir -p /sys/fs/cgroup/net_cls
         mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls
-        net_cls_root="`mount -l -t cgroup | grep net_cls | cut -d ' ' -f 3 | head -n 1`"
+
+        net_cls_root="`mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1`"
         if [ -z "$net_cls_root" ]; then
             echo "Could not find cgroup root"
             exit 1
@@ -54,31 +65,17 @@ if [ ! -f "$net_cls_root/windscribe/net_cls.classid" ]; then
     echo "$netclass" > "$net_cls_root/windscribe/net_cls.classid"
 fi
 
-if [ "$allow_lan" = "allow" ]; then
-    if [ "$mode" == "inclusive" ]; then
-        # Allow IP rules to consult main routing table first, ignoring /0 or /1 routes
-        ip rule add priority 16383 table main suppress_prefixlength 1
-        priority="`ip rule show | grep 51820 | cut -d ":" -f1`" # priority of WireGuard rule, if it exists
-        if [ -n "$priority" ]; then
-            # WG uses the same ip rule mechanism, just adjust the WG rule
-            ip rule add priority $((priority - 1)) table main suppress_prefixlength 0
-        else
-            # For non-WG protocols, remove rule forcing other traffic into the tunnel
-            ip rule del priority 16385 table windscribe_include
-        fi
-    fi
-else
-    if [ "$mode" == "inclusive" ]; then
-        ip rule del priority 16383 table main suppress_prefixlength 1
-        priority="`ip rule show | grep 51820 | cut -d ":" -f1`" # priority of WireGuard rule, if it exists
-        if [ -n "$priority" ]; then
-            # WG uses the same ip rule mechanism, just adjust the WG rule
-            ip rule del priority $((priority - 1)) table main suppress_prefixlength 0
-        else
-            # For non-WG protocols, add rule forcing other traffic into the tunnel
-            ip rule add priority 16385 table windscribe_include
-        fi
-    fi
+if [ "$mode" == "inclusive" ]; then
+	# Allow IP rules to consult main routing table first, ignoring /0 or /1 routes
+	ip rule add priority 16383 table main suppress_prefixlength 1
+	priority="`ip rule show | grep 51820 | cut -d ":" -f1`" # priority of WireGuard rule, if it exists
+	if [ -n "$priority" ]; then
+		# WG uses the same ip rule mechanism, just adjust the WG rule
+		ip rule add priority $((priority - 1)) table main suppress_prefixlength 0
+	else
+		# For non-WG protocols, remove rule forcing other traffic into the tunnel
+		ip rule del priority 16385 table windscribe_include
+	fi
 fi
 
 # make sure to exit with code 0 since an above command may fail if we are adding a duplicate rule or