tunnel: support turning off automatic routing table

This supports the familiar "Table = off" syntax as on Linux, and then
interprets other valid values as simply "on".

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

4 files changed, 30 insertions, 4 deletions

diff --git a/ui/confview.go b/ui/confview.go
index cc3bcad9..3d16f38f 100644
--- a/ui/confview.go
+++ b/ui/confview.go
@@ -51,6 +51,7 @@ type interfaceView struct {
 	addresses    *labelTextLine
 	dns          *labelTextLine
 	scripts      *labelTextLine
+	table        *labelTextLine
 	toggleActive *toggleActiveLine
 	lines        []widgetsLine
 }
@@ -307,6 +308,7 @@ func newInterfaceView(parent walk.Container) (*interfaceView, error) {
 		{l18n.Sprintf("Addresses:"), &iv.addresses},
 		{l18n.Sprintf("DNS servers:"), &iv.dns},
 		{l18n.Sprintf("Scripts:"), &iv.scripts},
+		{l18n.Sprintf("Table:"), &iv.table},
 	}
 	if iv.lines, err = createLabelTextLines(items, parent, &disposables); err != nil {
 		return nil, err
@@ -427,6 +429,12 @@ func (iv *interfaceView) apply(c *conf.Interface) {
 	} else {
 		iv.scripts.hide()
 	}
+
+	if c.TableOff {
+		iv.table.show(l18n.Sprintf("off"))
+	} else {
+		iv.table.hide()
+	}
 }
 
 func (pv *peerView) widgetsLines() []widgetsLine {
diff --git a/ui/editdialog.go b/ui/editdialog.go
index 71b71150..3b1521ff 100644
--- a/ui/editdialog.go
+++ b/ui/editdialog.go
@@ -129,7 +129,7 @@ func newEditDialog(owner walk.Form, tunnel *manager.Tunnel) (*EditDialog, error)
 		return nil, err
 	}
 	dlg.blockUntunneledTrafficCB.SetText(l18n.Sprintf("&Block untunneled traffic (kill-switch)"))
-	dlg.blockUntunneledTrafficCB.SetToolTipText(l18n.Sprintf("When a configuration has exactly one peer, and that peer has an allowed IPs containing at least one of 0.0.0.0/0 or ::/0, then the tunnel service engages a firewall ruleset to block all traffic that is neither to nor from the tunnel interface or is to the wrong DNS server, with special exceptions for DHCP and NDP."))
+	dlg.blockUntunneledTrafficCB.SetToolTipText(l18n.Sprintf("When a configuration has exactly one peer, and that peer has an allowed IPs containing at least one of 0.0.0.0/0 or ::/0, and the interface does not have table off, then the tunnel service engages a firewall ruleset to block all traffic that is neither to nor from the tunnel interface or is to the wrong DNS server, with special exceptions for DHCP and NDP."))
 	dlg.blockUntunneledTrafficCB.SetVisible(false)
 	dlg.blockUntunneledTrafficCB.CheckedChanged().Attach(dlg.onBlockUntunneledTrafficCBCheckedChanged)
 
diff --git a/ui/syntax/highlighter.go b/ui/syntax/highlighter.go
index d49cab32..a531854b 100644
--- a/ui/syntax/highlighter.go
+++ b/ui/syntax/highlighter.go
@@ -26,6 +26,7 @@ const (
 	highlightKeepalive
 	highlightComment
 	highlightDelimiter
+	highlightTable
 	highlightCmd
 	highlightError
 )
@@ -256,6 +257,10 @@ func (s stringSpan) isValidMTU() bool {
 	return s.isValidUint(false, 576, 65535)
 }
 
+func (s stringSpan) isValidTable() bool {
+	return s.isSame("off") || s.isSame("auto") || s.isSame("main") || s.isValidUint(false, 0, (1<<32)-1)
+}
+
 func (s stringSpan) isValidPersistentKeepAlive() bool {
 	if s.isSame("off") {
 		return true
@@ -360,6 +365,7 @@ const (
 	fieldAddress
 	fieldDNS
 	fieldMTU
+	fieldTable
 	fieldPreUp
 	fieldPostUp
 	fieldPreDown
@@ -395,6 +401,8 @@ func (s stringSpan) field() field {
 		return fieldDNS
 	case s.isCaselessSame("MTU"):
 		return fieldMTU
+	case s.isCaselessSame("Table"):
+		return fieldTable
 	case s.isCaselessSame("PublicKey"):
 		return fieldPublicKey
 	case s.isCaselessSame("PresharedKey"):
@@ -508,6 +516,8 @@ func (hsa *highlightSpanArray) highlightValue(parent stringSpan, s stringSpan, s
 		hsa.append(parent.s, s, validateHighlight(s.isValidKey(), highlightPresharedKey))
 	case fieldMTU:
 		hsa.append(parent.s, s, validateHighlight(s.isValidMTU(), highlightMTU))
+	case fieldTable:
+		hsa.append(parent.s, s, validateHighlight(s.isValidTable(), highlightTable))
 	case fieldPreUp, fieldPostUp, fieldPreDown, fieldPostDown:
 		hsa.append(parent.s, s, validateHighlight(s.isValidPrePostUpDown(), highlightCmd))
 	case fieldListenPort:
diff --git a/ui/syntax/syntaxedit.go b/ui/syntax/syntaxedit.go
index 26cd533f..42f6e7b7 100644
--- a/ui/syntax/syntaxedit.go
+++ b/ui/syntax/syntaxedit.go
@@ -100,6 +100,7 @@ var stylemap = map[highlight]spanStyle{
 	highlightHost:         spanStyle{color: win.RGB(0x0E, 0x0E, 0xFF)},
 	highlightPort:         spanStyle{color: win.RGB(0x81, 0x5F, 0x03)},
 	highlightMTU:          spanStyle{color: win.RGB(0x1C, 0x00, 0xCF)},
+	highlightTable:        spanStyle{color: win.RGB(0x1C, 0x00, 0xCF)},
 	highlightKeepalive:    spanStyle{color: win.RGB(0x1C, 0x00, 0xCF)},
 	highlightComment:      spanStyle{color: win.RGB(0x53, 0x65, 0x79), effects: win.CFE_ITALIC},
 	highlightDelimiter:    spanStyle{color: win.RGB(0x00, 0x00, 0x00)},
@@ -110,6 +111,8 @@ var stylemap = map[highlight]spanStyle{
 func (se *SyntaxEdit) evaluateUntunneledBlocking(cfg string, spans []highlightSpan) {
 	state := InevaluableBlockingUntunneledTraffic
 	var onAllowedIPs,
+		onTable,
+		tableOff,
 		seenPeer,
 		seen00v6,
 		seen00v4,
@@ -132,10 +135,13 @@ func (se *SyntaxEdit) evaluateUntunneledBlocking(cfg string, spans []highlightSp
 			} else {
 				goto done
 			}
-			break
 		case highlightField:
 			onAllowedIPs = strings.EqualFold(cfg[span.s:span.s+span.len], "AllowedIPs")
-			break
+			onTable = strings.EqualFold(cfg[span.s:span.s+span.len], "Table")
+		case highlightTable:
+			if onTable {
+				tableOff = cfg[span.s:span.s+span.len] == "off"
+			}
 		case highlightIP:
 			if !onAllowedIPs || !seenPeer {
 				break
@@ -166,9 +172,11 @@ func (se *SyntaxEdit) evaluateUntunneledBlocking(cfg string, spans []highlightSp
 					seen80001v6 = true
 				}
 			}
-			break
 		}
 	}
+	if tableOff {
+		return
+	}
 
 	if seen00v4 || seen00v6 {
 		state = BlockingUntunneledTraffic