fix(darwin): correct pf rules tests

Cuong Manh Le
2026-03-03 15:39:57 +07:00
committed by Cuong Manh Le
parent 2aaa78ef48
commit ca8d07d3f5
2 changed files with 36 additions and 42 deletions
-22
@@ -1123,28 +1123,6 @@ func stringSlicesEqual(a, b []string) bool {
return true
}
// pfAnchorIsWiped checks if our pf anchor references have been removed from the
// running ruleset. This is a read-only check — it does NOT attempt to restore.
// Used to distinguish VPNs that wipe pf (Windscribe) from those that don't (Tailscale).
func (p *prog) pfAnchorIsWiped() bool {
rdrAnchorRef := fmt.Sprintf("rdr-anchor \"%s\"", pfAnchorName)
anchorRef := fmt.Sprintf("anchor \"%s\"", pfAnchorName)
natOut, err := exec.Command("pfctl", "-sn").CombinedOutput()
if err != nil {
return true // Can't check — assume wiped (safer)
}
if !strings.Contains(string(natOut), rdrAnchorRef) {
return true
}
filterOut, err := exec.Command("pfctl", "-sr").CombinedOutput()
if err != nil {
return true
}
return !strings.Contains(string(filterOut), anchorRef)
}
// pfStartStabilization enters stabilization mode, suppressing all pf restores
// until the VPN's ruleset stops changing. This prevents a death spiral where
// ctrld and the VPN repeatedly overwrite each other's pf rules.