Implement initial proof-of-concept for split tunnel functionality on Windows,
allowing applications to route traffic through a designated network interface
while bypassing default system routing.
Features:
- Split tunnel module with TCP/UDP proxy infrastructure
- Firewall integration with split tunnel verdict handling
- SplitTunneling context attached to connections
- Configuration options: enable toggle, interface selection, and policy rules
- UI display of split tunnel connection details in connection info panel
- Subsystem configuration for user-level access
Windows-specific implementation:
- Uses proxy-based interface routing on Windows
- Automatic or manual interface detection and binding
- Support for IPv4 and IPv6 traffic
Note: Linux implementation is under development. SPN takes precedence over
split tunnel when both are enabled, ensuring SPN connections bypass this feature.

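What "proxy-based interface routing" amounts to, as an added example written for this page rather than Portmaster's own code: a local TCP proxy accepts the application's connection and dials the real destination with the socket bound to an address of the designated interface, IPv4 or IPv6 depending on the destination. `SplitTunnelDialer`, `selectBindIP`, `NewSplitTunnelDialer` and `ProxyTCP` are this example's names, and it assumes the Windows strong-host model, in which a bound source address pins the egress interface.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"time"
)

// SplitTunnelDialer opens outbound connections from a fixed local address so
// the OS routes them out of the interface owning that address instead of
// following the default route (example code, not Portmaster's own).
type SplitTunnelDialer struct {
	v4 net.IP // nil when the interface has no usable IPv4 address
	v6 net.IP // nil when the interface has no usable IPv6 address
}

// selectBindIP picks the first routable unicast address of the wanted family
// from an interface's address list; loopback and link-local addresses are
// skipped because traffic bound to them cannot leave the host.
func selectBindIP(addrs []net.Addr, want6 bool) net.IP {
	for _, a := range addrs {
		ipn, ok := a.(*net.IPNet)
		if !ok || ipn.IP.IsLoopback() || ipn.IP.IsLinkLocalUnicast() {
			continue
		}
		if is4 := ipn.IP.To4() != nil; want6 != is4 {
			return ipn.IP
		}
	}
	return nil // no routable address of the requested family
}

// NewSplitTunnelDialer resolves bind addresses for a named interface, for
// example "Ethernet 2" on Windows or "wg0" on Linux (manual selection).
func NewSplitTunnelDialer(ifaceName string) (*SplitTunnelDialer, error) {
	iface, err := net.InterfaceByName(ifaceName)
	if err != nil {
		return nil, err
	}
	addrs, err := iface.Addrs()
	if err != nil {
		return nil, err
	}
	return &SplitTunnelDialer{
		v4: selectBindIP(addrs, false),
		v6: selectBindIP(addrs, true),
	}, nil
}

// Dial connects to dst, an "ip:port" literal (the firewall already knows the
// resolved IP), binding the local side to the interface address of that family.
func (d *SplitTunnelDialer) Dial(dst string) (net.Conn, error) {
	host, _, err := net.SplitHostPort(dst)
	ip := net.ParseIP(host) // ParseIP("") is nil, so a SplitHostPort error lands here too
	if err != nil || ip == nil {
		return nil, fmt.Errorf("destination %q is not an ip:port literal", dst)
	}
	bind := d.v4
	if ip.To4() == nil {
		bind = d.v6
	}
	if bind == nil {
		return nil, fmt.Errorf("tunnel interface has no address for %s", ip)
	}
	nd := &net.Dialer{LocalAddr: &net.TCPAddr{IP: bind}, Timeout: 10 * time.Second}
	return nd.Dial("tcp", dst)
}

// ProxyTCP listens on listenAddr and relays each accepted connection to dst
// through the split-tunnel dialer. The caller closes the returned listener.
func ProxyTCP(d *SplitTunnelDialer, listenAddr, dst string) (net.Listener, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go relay(d, c, dst)
		}
	}()
	return ln, nil
}

// relay pumps bytes both ways and closes both sides once either direction ends.
func relay(d *SplitTunnelDialer, client net.Conn, dst string) {
	defer client.Close()
	upstream, err := d.Dial(dst)
	if err != nil {
		return
	}
	defer upstream.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, client); done <- struct{}{} }()
	go func() { io.Copy(client, upstream); done <- struct{}{} }()
	<-done
}
```

Binding the source address is sufficient on Windows, where the strong-host model (the default since Vista) forces a packet with interface A's source address out of interface A. On Linux the weak-host model consults only the destination route, so the same dialer would additionally need `SO_BINDTODEVICE` set through `net.Dialer.Control`, or a policy-routing rule keyed on the source address. `relay` tears both sides down as soon as one direction ends, which suits request/response traffic but cuts half-closed TCP streams short; UDP needs a per-flow datagram relay rather than `io.Copy`.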
Add a new verdict (value 8) for routing connections through the split
tunnel. This prepares the infrastructure for the upcoming split-tunneling
feature without implementing the full feature yet.
Changes:
- Define VerdictRerouteToSplitTun in network/status.go with String() and Verb()
- Add RerouteToSplitTun() to the Packet interface and InfoPacket stub
- Implement RerouteToSplitTun() for windowskext (v1) and windowskext2 (v2) packets
- Map VerdictRerouteToSplitTun to KextVerdict 11 in kextinterface and kext2
- Handle the verdict in packet_handler.go dispatch, connection.go, api.go,
metrics.go and nameserver.go
- Add VerdictRerouteToSplitTun = 8 to Angular Verdict enum and update
stats counting, filter queries and verdict CSS class
(WIP) Note: Linux (nfq) implementation not updated yet. Therefore the Linux build will fail.

Introduce mark 1709 (MarkAcceptFinal) and a corresponding
PermanentAcceptFinal() method that sets this mark on packets belonging
to Portmaster-owned outbound connections.
Add iptables rules (both IPv4 and IPv6, filter and mangle chains) to
ACCEPT packets/connections carrying mark 1709, so further OUTPUT rules from
third-party software (e.g. iVPN) cannot override the allow decision.
https://github.com/safing/portmaster-shadow/issues/34

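An added example of the rule set described above, written for this page and not taken from Portmaster: only the mark value 1709 comes from the commit, while `Rule`, `acceptFinalRules`, `InstallAcceptFinal`, the `Runner` indirection and the CONNMARK persistence are this example's design. The rules go to the top of the OUTPUT chain in both the mangle and filter tables, for iptables and ip6tables, so that an ACCEPT for a marked packet is reached before anything a third-party tool appends.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// MarkAcceptFinal is the fwmark value from the commit; everything else in this
// file is an added example, not Portmaster's own code.
const MarkAcceptFinal uint32 = 1709

// Rule is one OUTPUT-chain rule: which binary, which table, which match/target.
type Rule struct {
	Binary string   // "iptables" or "ip6tables"
	Table  string   // "mangle" or "filter"
	Spec   []string // arguments after "-I OUTPUT <n>" / "-C OUTPUT"
}

// acceptFinalRules lists, in the order they must sit at the top of each
// chain, the rules that honour the mark. Locally generated packets traverse
// mangle before filter, so mangle is where the packet mark is copied to the
// conntrack entry; both tables then accept packets that carry the mark
// themselves or belong to a connection that does.
func acceptFinalRules(mark uint32) []Rule {
	m := fmt.Sprint(mark)
	var rules []Rule
	for _, bin := range []string{"iptables", "ip6tables"} {
		rules = append(rules, Rule{bin, "mangle", []string{"-m", "mark", "--mark", m, "-j", "CONNMARK", "--save-mark"}})
		for _, table := range []string{"mangle", "filter"} {
			rules = append(rules,
				Rule{bin, table, []string{"-m", "mark", "--mark", m, "-j", "ACCEPT"}},
				Rule{bin, table, []string{"-m", "connmark", "--mark", m, "-j", "ACCEPT"}},
			)
		}
	}
	return rules
}

// Runner runs an iptables binary with args and returns a non-nil error on a
// non-zero exit, which is how "-C" reports a rule that is not installed.
type Runner func(bin string, args ...string) error

// execRunner is the real runner; it needs CAP_NET_ADMIN.
func execRunner(bin string, args ...string) error {
	out, err := exec.Command(bin, args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s %s: %w: %s", bin, strings.Join(args, " "), err, strings.TrimSpace(string(out)))
	}
	return nil
}

// InstallAcceptFinal inserts the rules at positions 1, 2, ... of each OUTPUT
// chain so they stay ahead of rules other software appends with -A, and
// skips rules that "-C" reports as present, so repeated calls are harmless.
func InstallAcceptFinal(mark uint32, run Runner) error {
	pos := map[string]int{}
	for _, r := range acceptFinalRules(mark) {
		key := r.Binary + "/" + r.Table
		pos[key]++
		check := append([]string{"-w", "-t", r.Table, "-C", "OUTPUT"}, r.Spec...)
		if run(r.Binary, check...) == nil {
			continue // already installed; keep counting so later positions stay right
		}
		insert := append([]string{"-w", "-t", r.Table, "-I", "OUTPUT", fmt.Sprint(pos[key])}, r.Spec...)
		if err := run(r.Binary, insert...); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	if err := InstallAcceptFinal(MarkAcceptFinal, execRunner); err != nil {
		fmt.Println("install failed:", err)
	}
}
```

The mark itself still has to be set by the verdict path (the `PermanentAcceptFinal()` of the commit); these rules only make sure that, once set, it wins. Insert-at-top protects against rules that another tool appends, but not against rules it later inserts at position 1 itself, so a firewall that relies on this ordering should re-run the installer when it notices its rules are no longer first.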
Previously, the external verdict handler was placed in filterHandler,
which is only called for new packets. This meant it was silently
bypassed when connections were re-evaluated via resetConnectionVerdict.
Move the handler into FilterConnection so it is consistently applied
for all filtering paths, including verdict resets.
https://github.com/safing/portmaster-shadow/issues/34

Every connection verdict previously acquired an RWMutex to read IVPN
state. Replace it with atomic.Pointer[clientStatus] using an immutable
snapshot (copy-on-write) so reads are a single pointer load with no
locking on the per-packet hot path.
Apply the same pattern to the external verdict handler: replace a
data-racy plain function variable and two auxiliary atomic.Bool flags
with a single atomic.Pointer[ExtVerdictHandlerFunc]. Use CompareAndSwap
for set-once semantics. Move the load into the default branch of
filterHandler so pre-authenticated and DNS-redirect connections pay zero
cost.

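Both changes above, the handler moved into `FilterConnection` so that verdict resets see it, and the `atomic.Pointer` snapshots replacing the RWMutex and the racy function variable, in one added example. This is illustrative code written for this page, not Portmaster's source: `Connection`, `FilterConnection`, `filterHandler`, `resetConnectionVerdict`, `clientStatus` and the stand-in `defaultPolicy` play the roles of the names in the commit messages but are this example's own definitions.

```go
package main

import (
	"sync/atomic"
)

// Verdict is the firewall decision for a connection.
type Verdict int

const (
	VerdictUndecided Verdict = iota
	VerdictAccept
	VerdictBlock
)

// Connection is the minimal state the pipeline below needs.
type Connection struct {
	Process          string
	PreAuthenticated bool // e.g. a DNS redirect the firewall itself set up
	Verdict          Verdict
}

// ExtVerdictHandlerFunc lets an external integration claim a connection;
// ok=false means it has no opinion and the normal policy applies.
type ExtVerdictHandlerFunc func(conn *Connection) (v Verdict, ok bool)

// The handler lives behind an atomic pointer: readers do one pointer load
// per decision, and there is no data race with the goroutine installing it.
var extVerdictHandler atomic.Pointer[ExtVerdictHandlerFunc]

// SetExtVerdictHandler installs fn exactly once; later calls return false
// and leave the first handler in place (CompareAndSwap from nil).
func SetExtVerdictHandler(fn ExtVerdictHandlerFunc) bool {
	return extVerdictHandler.CompareAndSwap(nil, &fn)
}

// clientStatus is an immutable snapshot of the VPN client's state. It is
// never mutated in place; writers publish a fresh copy (copy-on-write).
type clientStatus struct {
	Connected bool
	TunnelIP  string
}

var status atomic.Pointer[clientStatus]

func init() { status.Store(&clientStatus{}) }

// CurrentStatus returns the latest snapshot with a single pointer load.
func CurrentStatus() clientStatus { return *status.Load() }

// UpdateStatus applies mut to a copy of the current snapshot and publishes
// it; the CAS loop keeps concurrent writers from losing each other's updates.
func UpdateStatus(mut func(s clientStatus) clientStatus) {
	for {
		old := status.Load()
		next := mut(*old)
		if status.CompareAndSwap(old, &next) {
			return
		}
	}
}

// defaultPolicy stands in for the regular rule engine.
func defaultPolicy(conn *Connection) Verdict {
	if conn.Process == "trusted-app" {
		return VerdictAccept
	}
	return VerdictBlock
}

// FilterConnection is the one place a verdict is computed. Both the
// new-packet path and verdict resets call it, so the external handler is
// consulted on every path rather than only when a connection is first seen.
func FilterConnection(conn *Connection) Verdict {
	if h := extVerdictHandler.Load(); h != nil {
		if v, ok := (*h)(conn); ok {
			conn.Verdict = v
			return v
		}
	}
	conn.Verdict = defaultPolicy(conn)
	return conn.Verdict
}

// filterHandler is the new-packet entry point. Pre-authenticated connections
// are accepted before the handler is even loaded, so they pay nothing for it.
func filterHandler(conn *Connection) Verdict {
	switch {
	case conn.PreAuthenticated:
		conn.Verdict = VerdictAccept
		return conn.Verdict
	default:
		return FilterConnection(conn)
	}
}

// resetConnectionVerdict re-evaluates an existing connection, for example
// after the VPN client reported a state change.
func resetConnectionVerdict(conn *Connection) Verdict {
	conn.Verdict = VerdictUndecided
	return FilterConnection(conn)
}
```

The snapshot pattern only works because `clientStatus` is treated as immutable: a reader that loaded the old pointer keeps a consistent view while a writer publishes the next one, which is exactly what an RWMutex bought before, minus the lock on the hot path. Set-once semantics via `CompareAndSwap(nil, &fn)` also mean a second integration cannot silently replace the first; if replacement is ever wanted, that needs a deliberate `Store`, not a race between two `Set` calls.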
Allow Portmaster to cooperate with the IVPN client:
- Accept IVPN VPN tunnel and service process connections
- Delegate DNS control to Portmaster when custom DNS is configured
- Auto-connect to IVPN daemon on startup and on ping
- Hook into firewall verdict pipeline via new ExtVerdictHandler

* [service] Subscribe to systemd-resolver events
* [service] Add disabled state to the resolver
* [service] Add ETW DNS event listener
* [service] DNS listener refactoring
* [service] Add windows core dll project
* [service] DNSListener refactoring, small bugfixes
* [service] Change dns bypass rule
* [service] Update gitignore
* [service] Remove shim from integration module
* [service] Add DNS packet analyzer
* [service] Add self-check in dns monitor
* [service] Fix go linter errors
* [CI] Add github workflow for the windows core dll
* [service] Minor fixes to the dns monitor
* Move portbase into monorepo
* Add new simple module mgr
* [WIP] Switch to new simple module mgr
* Add StateMgr and more worker variants
* [WIP] Switch more modules
* [WIP] Switch more modules
* [WIP] switch more modules
* [WIP] switch all SPN modules
* [WIP] switch all service modules
* [WIP] Convert all workers to the new module system
* [WIP] add new task system to module manager
* [WIP] Add second take for scheduling workers
* [WIP] Add FIXME for bugs in new scheduler
* [WIP] Add minor improvements to scheduler
* [WIP] Add new worker scheduler
* [WIP] Fix more bug related to new module system
* [WIP] Fix start handling of the new module system
* [WIP] Improve startup process
* [WIP] Fix minor issues
* [WIP] Fix missing subsystem in settings
* [WIP] Initialize managers in constructor
* [WIP] Move module event initialization to constructors
* [WIP] Fix setting for enabling and disabling the SPN module
* [WIP] Move API registration into module construction
* [WIP] Update states mgr for all modules
* [WIP] Add CmdLine operation support
* Add state helper methods to module group and instance
* Add notification and module status handling to status package
* Fix starting issues
* Remove pilot widget and update security lock to new status data
* Remove debug logs
* Improve http server shutdown
* Add workaround for cleanly shutting down firewall+netquery
* Improve logging
* Add syncing states with notifications for new module system
* Improve starting, stopping, shutdown; resolve FIXMEs/TODOs
* [WIP] Fix most unit tests
* Review new module system and fix minor issues
* Push shutdown and restart events again via API
* Set sleep mode via interface
* Update example/template module
* [WIP] Fix spn/cabin unit test
* Remove deprecated UI elements
* Make log output more similar for the logging transition phase
* Switch spn hub and observer cmds to new module system
* Fix log sources
* Make worker mgr less error prone
* Fix tests and minor issues
* Fix observation hub
* Improve shutdown and restart handling
* Split up big connection.go source file
* Move varint and dsd packages to structures repo
* Improve expansion test
* Fix linter warnings
* Fix interception module on windows
* Fix linter errors
---------
Co-authored-by: Vladimir Stoilov <vladimir@safing.io>