v2.12.1

.gitlab-ci.yml

@@ -9,6 +9,7 @@ variables:
   BUILD_MAC: 'y'
   BUILD_LINUX: 'y'
   BUILD_LINUX_ARM64: 'y'
+  BUILD_LINUX_CLI: 'y'
   GIT_DEPTH: 5 # Only grab the last 5 commits when cloning
   NEXUS_PATH_ROOT: 'https://nexus.int.windscribe.com/repository/client-desktop/client-desktop'
   NEXUS_PATH_DEPS: '$NEXUS_PATH_ROOT/dependencies/current'
@@ -553,7 +554,7 @@ build:aarch64_ubuntu_cli:installer:
       --upload-file build-exe/windscribe-cli_${VERSION}_arm64.deb "${NEXUS_PATH_BRANCH_UPLOAD}/${OS_IDENTIFIER}/windscribe-cli_${VERSION}_arm64.deb"
     - !reference [.package_vcpkg_cache, script]
   rules:
-    - if: $BUILD_LINUX_ARM64 == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX_ARM64 == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != null && $NIGHTLY_TEST_BUILD != "y"
 
 # We don't upload artifacts for merge requests
 build:aarch64_ubuntu:installer:mr:
@@ -578,7 +579,7 @@ build:aarch64_ubuntu_cli:installer:mr:
     - !reference [.build_linux_installer_common, script]
     - tools/build_all --ci-mode --sign --build-cli-only
   rules:
-    - if: $BUILD_LINUX_ARM64 == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH == null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX_ARM64 == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH == null && $NIGHTLY_TEST_BUILD != "y"
 
 build:aarch64_ubuntu:installer:tagged:
   <<: *template_aarch64_ubuntu_build
@@ -610,7 +611,7 @@ build:aarch64_ubuntu_cli:installer:tagged:
     - curl --silent --show-error --fail -u "${NEXUS_USERNAME}:${NEXUS_PASSWORD}" --cacert tools/cacert.pem
       --upload-file build-exe/windscribe-cli_${VERSION}_arm64.deb "${NEXUS_PATH_TAGGED_UPLOAD}/${TAG}/windscribe-cli_${VERSION}_arm64.deb"
   rules:
-    - if: $BUILD_LINUX_ARM64 == "y" && $CI_COMMIT_TAG != null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX_ARM64 == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG != null && $NIGHTLY_TEST_BUILD != "y"
 
 build:rhel:installer:
   <<: *template_rhel_build
@@ -648,7 +649,7 @@ build:rhel_cli:installer:
       --upload-file build-exe/windscribe-cli_${VERSION}_amd64.deb "${NEXUS_PATH_BRANCH_UPLOAD}/${OS_IDENTIFIER}/windscribe-cli_${VERSION}_amd64.deb"
     - !reference [.package_vcpkg_cache, script]
   rules:
-    - if: $BUILD_LINUX == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != null && $NIGHTLY_TEST_BUILD != "y"
 
 # We don't upload artifacts for merge requests
 build:rhel:installer:mr:
@@ -673,7 +674,7 @@ build:rhel_cli:installer:mr:
     - !reference [.build_linux_installer_common, script]
     - tools/build_all --ci-mode --sign --build-deb --build-rpm --build-rpm-opensuse --build-cli-only
   rules:
-    - if: $BUILD_LINUX == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH == null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH == null && $NIGHTLY_TEST_BUILD != "y"
 
 build:rhel:installer:tagged:
   <<: *template_rhel_build
@@ -713,7 +714,7 @@ build:rhel_cli:installer:tagged:
     - curl --silent --show-error --fail -u "${NEXUS_USERNAME}:${NEXUS_PASSWORD}" --cacert tools/cacert.pem
       --upload-file build-exe/windscribe-cli_${VERSION}_amd64.deb "${NEXUS_PATH_TAGGED_UPLOAD}/${TAG}/windscribe-cli_${VERSION}_amd64.deb"
   rules:
-    - if: $BUILD_LINUX == "y" && $CI_COMMIT_TAG != null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG != null && $NIGHTLY_TEST_BUILD != "y"
 
 .template_archlinux_build: &template_archlinux_build
   image: registry.gitlab.int.windscribe.com:5005/ws/client/desktop/client-desktop/arch
@@ -774,7 +775,7 @@ build:archlinux_cli:installer:
     - job: "build:rhel_cli:installer"
       optional: true
   rules:
-    - if: $BUILD_LINUX == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != null && $NIGHTLY_TEST_BUILD != "y"
 
 build:archlinux:installer:tagged:
   <<: *template_archlinux_build
@@ -814,7 +815,7 @@ build:archlinux_cli:installer:tagged:
     - job: "build:rhel_cli:installer:tagged"
       optional: true
   rules:
-    - if: $BUILD_LINUX == "y" && $CI_COMMIT_TAG != null && $NIGHTLY_TEST_BUILD != "y"
+    - if: $BUILD_LINUX == "y" && $BUILD_LINUX_CLI == "y" && $CI_COMMIT_TAG != null && $NIGHTLY_TEST_BUILD != "y"
 
 build:artifact:links:
   tags: [win10qty6]

backend/linux/helper/firewallcontroller.cpp

@@ -9,8 +9,10 @@
 #include "logger.h"
 #include "utils.h"
 
-FirewallController::FirewallController() : connected_(false), splitTunnelEnabled_(false), splitTunnelExclude_(true)
+FirewallController::FirewallController() : splitTunnelEnabled_(false), splitTunnelExclude_(true)
 {
+    connectStatus_.isConnected = false;
+
     // If firewall on boot is enabled, restore boot rules
     if (Utils::isFileExists("/etc/windscribe/boot_rules.v4")) {
         Utils::executeCommand("iptables-restore", {"-n", "/etc/windscribe/boot_rules.v4"});
@@ -55,7 +57,7 @@ bool FirewallController::enable(bool ipv6, const std::string &rules)
     // reapply split tunneling rules if necessary
     setSplitTunnelIpExceptions(splitTunnelIps_);
     setSplitTunnelAppExceptions();
-    setSplitTunnelIngressRules(defaultAdapterIp_);
+    setSplitTunnelIngressRules();
 
     return 0;
 }
@@ -89,18 +91,16 @@ void FirewallController::disable()
     Utils::executeCommand("rm", {"-f", "/etc/windscribe/rules.v6"});
 }
 
-void FirewallController::setSplitTunnelingEnabled(bool isConnected, bool isEnabled, bool isExclude, const std::string &defaultAdapter, const std::string &defaultAdapterIp)
+void FirewallController::setSplitTunnelingEnabled(CMD_SEND_CONNECT_STATUS connectStatus, bool isEnabled, bool isExclude)
 {
-    connected_ = isConnected;
+    prevAdapter_ = connectStatus.defaultAdapter.adapterName;
+
+    connectStatus_ = connectStatus;
     splitTunnelEnabled_ = isEnabled;
     splitTunnelExclude_ = isExclude;
-    prevAdapter_ = defaultAdapter_;
-    defaultAdapter_ = defaultAdapter;
-    defaultAdapterIp_ = defaultAdapterIp;
-
     setSplitTunnelIpExceptions(splitTunnelIps_);
     setSplitTunnelAppExceptions();
-    setSplitTunnelIngressRules(defaultAdapterIp_);
+    setSplitTunnelIngressRules();
 }
 
 void FirewallController::removeExclusiveIpRules()
@@ -136,23 +136,21 @@ void FirewallController::removeInclusiveAppRules()
     }
 }
 
-void FirewallController::setSplitTunnelIngressRules(const std::string &defaultAdapterIp)
+void FirewallController::setSplitTunnelIngressRules()
 {
-    if (!connected_ || !splitTunnelEnabled_ || splitTunnelExclude_) {
-        Logger::instance().out("Deleting ingress rules");
-        Utils::executeCommand("iptables", {"-D", "PREROUTING", "-t", "mangle", "-d", defaultAdapterIp.c_str(), "-j", "CONNMARK", "--set-mark", CGroups::instance().mark(), "-m", "comment", "--comment", kTag});
+    if (!connectStatus_.isConnected) {
+        Utils::executeCommand("iptables", {"-D", "PREROUTING", "-t", "mangle", "-i", connectStatus_.defaultAdapter.adapterName.c_str(), "!", "-s", connectStatus_.remoteIp.c_str(), "-j", "CONNMARK", "--set-mark", CGroups::instance().mark().c_str(), "-m", "comment", "--comment", kTag.c_str()});
         Utils::executeCommand("iptables", {"-D", "OUTPUT", "-t", "mangle", "-j", "CONNMARK", "--restore-mark", "-m", "comment", "--comment", kTag});
         return;
     }
 
-	Logger::instance().out("Adding ingress rules");
-	addRule({"PREROUTING", "-t", "mangle", "-d", defaultAdapterIp.c_str(), "-j", "CONNMARK", "--set-mark", CGroups::instance().mark(), "-m", "comment", "--comment", kTag});
+	addRule({"PREROUTING", "-t", "mangle", "-i", connectStatus_.defaultAdapter.adapterName.c_str(), "!", "-s", connectStatus_.remoteIp.c_str(), "-j", "CONNMARK", "--set-mark", CGroups::instance().mark(), "-m", "comment", "--comment", kTag});
 	addRule({"OUTPUT", "-t", "mangle", "-j", "CONNMARK", "--restore-mark", "-m", "comment", "--comment", kTag});
 }
 
 void FirewallController::setSplitTunnelAppExceptions()
 {
-    if (!connected_ || !splitTunnelEnabled_) {
+    if (!connectStatus_.isConnected || !splitTunnelEnabled_) {
         removeExclusiveAppRules();
         removeInclusiveAppRules();
         return;
@@ -161,7 +159,7 @@ void FirewallController::setSplitTunnelAppExceptions()
     if (splitTunnelExclude_) {
         removeInclusiveAppRules();
 
-        addRule({"POSTROUTING",  "-t", "nat", "-m", "cgroup", "--cgroup", CGroups::instance().netClassId(), "-o", defaultAdapter_.c_str(), "-j", "MASQUERADE", "-m", "comment", "--comment", kTag});
+        addRule({"POSTROUTING",  "-t", "nat", "-m", "cgroup", "--cgroup", CGroups::instance().netClassId(), "-o", connectStatus_.defaultAdapter.adapterName.c_str(), "-j", "MASQUERADE", "-m", "comment", "--comment", kTag});
         addRule({"OUTPUT", "-t", "mangle", "-m", "cgroup", "--cgroup", CGroups::instance().netClassId(), "-j", "MARK", "--set-mark", CGroups::instance().mark(), "-m", "comment", "--comment", kTag});
 
         // allow packets from excluded apps, if firewall is on
@@ -172,7 +170,7 @@ void FirewallController::setSplitTunnelAppExceptions()
     } else {
         removeExclusiveAppRules();
 
-        addRule({"POSTROUTING", "-t", "nat", "-m", "cgroup", "!", "--cgroup", CGroups::instance().netClassId(), "-o", defaultAdapter_.c_str(), "-j", "MASQUERADE", "-m", "comment", "--comment", kTag});
+        addRule({"POSTROUTING", "-t", "nat", "-m", "cgroup", "!", "--cgroup", CGroups::instance().netClassId(), "-o", connectStatus_.defaultAdapter.adapterName.c_str(), "-j", "MASQUERADE", "-m", "comment", "--comment", kTag});
         addRule({"OUTPUT", "-t", "mangle", "-m", "cgroup", "!", "--cgroup", CGroups::instance().netClassId(), "-j", "MARK", "--set-mark", CGroups::instance().mark(), "-m", "comment", "--comment", kTag});
 
         // For inclusive, allow all packets
@@ -185,7 +183,7 @@ void FirewallController::setSplitTunnelAppExceptions()
 
 void FirewallController::setSplitTunnelIpExceptions(const std::vector<std::string> &ips)
 {
-    if (!connected_ || !splitTunnelEnabled_ || !enabled()) {
+    if (!connectStatus_.isConnected || !splitTunnelEnabled_ || !enabled()) {
         removeInclusiveIpRules();
         removeExclusiveIpRules();
         splitTunnelIps_ = ips;

backend/linux/helper/firewallcontroller.h

@@ -2,6 +2,7 @@
 
 #include <string>
 #include <vector>
+#include "../../posix_common/helper_commands.h"
 
 class FirewallController
 {
@@ -19,32 +20,24 @@ class FirewallController
     bool enabled(const std::string &tag = kTag);
     void getRules(bool ipv6, std::string *outRules);
 
-    void setSplitTunnelingEnabled(
-        bool isConnected,
-        bool isEnabled,
-        bool isExclude,
-        const std::string &adapter,
-        const std::string &adapterIp);
+    void setSplitTunnelingEnabled(CMD_SEND_CONNECT_STATUS connectStatus_, bool isEnabled, bool isExclude);
     void setSplitTunnelIpExceptions(const std::vector<std::string> &ips);
 
 private:
     FirewallController();
     ~FirewallController();
 
-    bool connected_;
+    CMD_SEND_CONNECT_STATUS connectStatus_;
     bool splitTunnelEnabled_;
     bool splitTunnelExclude_;
     std::vector<std::string> splitTunnelIps_;
-    std::string defaultAdapter_;
-    std::string defaultAdapterIp_;
     std::string prevAdapter_;
-    std::string netclassid_;
 
     void removeExclusiveIpRules();
     void removeInclusiveIpRules();
     void removeExclusiveAppRules();
     void removeInclusiveAppRules();
     void setSplitTunnelAppExceptions();
-    void setSplitTunnelIngressRules(const std::string &defaultAdapterIp);
+    void setSplitTunnelIngressRules();
     void addRule(const std::vector<std::string> &args);
 };

backend/linux/helper/main.cpp

@@ -15,8 +15,10 @@ void handler_sigterm(int signum)
 
 int main(int argc, const char *argv[])
 {
-    UNUSED(argc);
-    UNUSED(argv);
+    if (argc > 1 && strcmp(argv[1], "--reset-mac-addresses") == 0) {
+        Utils::resetMacAddresses();
+        return EXIT_SUCCESS;
+    }
 
     signal(SIGSEGV, handler_sigterm);
     signal(SIGFPE, handler_sigterm);

backend/linux/helper/process_command.cpp

@@ -309,6 +309,43 @@ CMD_ANSWER setFirewallOnBoot(boost::archive::text_iarchive &ia)
     return answer;
 }
 
+CMD_ANSWER setMacAddress(boost::archive::text_iarchive &ia)
+{
+    CMD_ANSWER answer;
+    CMD_SET_MAC_ADDRESS cmd;
+    ia >> cmd;
+
+    if (cmd.macAddress.size() < 12) {
+        Logger::instance().out("Invalid MAC address");
+        answer.executed = 0;
+        return answer;
+    }
+
+    std::string mac =
+        cmd.macAddress.substr(0, 2) + ":" +
+        cmd.macAddress.substr(2, 2) + ":" +
+        cmd.macAddress.substr(4, 2) + ":" +
+        cmd.macAddress.substr(6, 2) + ":" +
+        cmd.macAddress.substr(8, 2) + ":" +
+        cmd.macAddress.substr(10, 2);
+
+    Logger::instance().out("Set MAC address on %s (%s - %s): %s", cmd.interface.c_str(), cmd.network.c_str(), (cmd.isWifi ? "wifi" : "ethernet"),  mac.c_str());
+
+    // reset addresses on other networks
+    Utils::resetMacAddresses(cmd.network);
+
+    std::string out;
+    if (cmd.isWifi) {
+        Utils::executeCommand("nmcli", {"connection", "modify", cmd.network.c_str(), "wifi.cloned-mac-address", mac.c_str()}, &out);
+    } else {
+        Utils::executeCommand("nmcli", {"connection", "modify", cmd.network.c_str(), "ethernet.cloned-mac-address", mac.c_str()}, &out);
+    }
+    // restart the connection
+    Utils::executeCommand("nmcli", {"connection", "up", cmd.network.c_str()});
+    answer.executed = 1;
+    return answer;
+}
+
 CMD_ANSWER taskKill(boost::archive::text_iarchive &ia)
 {
     CMD_ANSWER answer;
@@ -488,3 +525,15 @@ CMD_ANSWER startWstunnel(boost::archive::text_iarchive &ia)
     }
     return answer;
 }
+
+CMD_ANSWER resetMacAddresses(boost::archive::text_iarchive &ia)
+{
+    CMD_ANSWER answer;
+    CMD_RESET_MAC_ADDRESSES cmd;
+    ia >> cmd;
+
+    Logger::instance().out("Resetting MAC addresses");
+
+    answer.executed = Utils::resetMacAddresses(cmd.ignoreNetwork) ? 1 : 0;
+    return answer;
+}

backend/linux/helper/process_command.h

@@ -25,10 +25,12 @@ CMD_ANSWER checkFirewallState(boost::archive::text_iarchive &ia);
 CMD_ANSWER setFirewallRules(boost::archive::text_iarchive &ia);
 CMD_ANSWER getFirewallRules(boost::archive::text_iarchive &ia);
 CMD_ANSWER setFirewallOnBoot(boost::archive::text_iarchive &ia);
+CMD_ANSWER setMacAddress(boost::archive::text_iarchive &ia);
 CMD_ANSWER taskKill(boost::archive::text_iarchive &ia);
 CMD_ANSWER startCtrld(boost::archive::text_iarchive &ia);
 CMD_ANSWER startStunnel(boost::archive::text_iarchive &ia);
 CMD_ANSWER startWstunnel(boost::archive::text_iarchive &ia);
+CMD_ANSWER resetMacAddresses(boost::archive::text_iarchive &ia);
 
 static const std::map<const int, std::function<CMD_ANSWER(boost::archive::text_iarchive &)>> kCommands = {
     { HELPER_CMD_START_OPENVPN, startOpenvpn },
@@ -47,10 +49,12 @@ static const std::map<const int, std::function<CMD_ANSWER(boost::archive::text_i
     { HELPER_CMD_SET_FIREWALL_RULES, setFirewallRules },
     { HELPER_CMD_GET_FIREWALL_RULES, getFirewallRules },
     { HELPER_CMD_SET_FIREWALL_ON_BOOT, setFirewallOnBoot },
+    { HELPER_CMD_SET_MAC_ADDRESS, setMacAddress },
     { HELPER_CMD_TASK_KILL, taskKill },
     { HELPER_CMD_START_CTRLD, startCtrld },
     { HELPER_CMD_START_STUNNEL, startStunnel },
     { HELPER_CMD_START_WSTUNNEL, startWstunnel },
+    { HELPER_CMD_RESET_MAC_ADDRESSES, resetMacAddresses },
 };
 
 CMD_ANSWER processCommand(int cmdId, const std::string packet);

backend/linux/helper/split_tunneling/hostnames_manager/dns_resolver.cpp

@@ -12,7 +12,7 @@ DnsResolver::DnsResolver(std::function<void (std::map<std::string, HostInfo>)> r
     }, false);
 
 
-    if (!WSNet::initialize("", "", "", "", "", false, "en", "")) {
+    if (!WSNet::initialize("", "", "", "", "", "", false, "en", "")) {
         Logger::instance().out("WSNet::initialize failed");
     }