From b274f187d62b677513ab9eabf5a081e0a37a8d47 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Sat, 4 May 2019 00:53:35 +0200
Subject: firewall: do not add unused permit rules when !restrictAll

Signed-off-by: Jason A. Donenfeld
---
 service/firewall/blocker.go | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index 507c8946..b796aa7f 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -132,19 +132,21 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
 return wrapErr(err)
 }
 
- err = permitDhcpIpv4(session, baseObjects, 15)
- if err != nil {
- return wrapErr(err)
- }
+ if restrictAll {
+ err = permitDhcpIpv4(session, baseObjects, 15)
+ if err != nil {
+ return wrapErr(err)
+ }
 
- err = permitDhcpIpv6(session, baseObjects, 15)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDhcpIpv6(session, baseObjects, 15)
+ if err != nil {
+ return wrapErr(err)
+ }
 
- err = permitNdp(session, baseObjects, 15)
- if err != nil {
- return wrapErr(err)
+ err = permitNdp(session, baseObjects, 15)
+ if err != nil {
+ return wrapErr(err)
+ }
 }
 
 if restrictDNS {
@@ -154,12 +156,12 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
 }
 }
 
- err = permitLoopback(session, baseObjects, 13)
- if err != nil {
- return wrapErr(err)
- }
-
 if restrictAll {
+ err = permitLoopback(session, baseObjects, 13)
+ if err != nil {
+ return wrapErr(err)
+ }
+
 err = blockAll(session, baseObjects, 0)
 if err != nil {
 return wrapErr(err)
--
cgit v1.2.3-59-g8ed1b
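Review bot: The new `if restrictAll {` wrapping the DHCPv4, DHCPv6 and NDP permits in the first hunk changes what EnableFirewall installs per flag combination, but nothing in the hunk records why the permits are tied to restrictAll, and the function's doc comment (if one exists, it is outside the hunk) should now say that these permit rules exist only when restrictAll is set. A one-line comment above the new branch would carry the reasoning from the commit subject into the code, e.g. `// Permit rules only matter when blockAll is installed below; skip them otherwise.` — that rationale is inferred from the subject line rather than visible here. The weight 15 on all three permits is unchanged, so their precedence relative to the weight 0 blockAll rule is preserved. EnableFirewall begins before and continues after this hunk.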
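Review bot: Moving permitLoopback under `if restrictAll {` in the second hunk means the restrictDNS-only configuration no longer gets any loopback permit; if the restrictDNS branch just above (its body is outside the hunk) installs a blocking rule, loopback traffic matching it is now blocked, which is a behaviour change the commit message does not mention. Worth confirming that is intended, and either keeping the loopback permit whenever any block rule is installed or recording the decision in a comment such as `// Loopback is exempted only from blockAll; restrictDNS alone adds no loopback permit.` The loopback permit at weight 13 now sits in the same branch as blockAll at weight 0, so their ordering is unaffected. EnableFirewall continues past the end of this hunk.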