From a001a6f29b787efb8530ad4cd31b89b7b6138447 Mon Sep 17 00:00:00 2001 From: Jonathan Martin Date: Mon, 8 Apr 2024 10:09:37 -0700 Subject: [PATCH] v2.10.8 --- backend/linux/helper/firewallcontroller.cpp | 12 ++--- .../hostnames_manager/ip_routes.cpp | 4 +- client/common/changelog.txt | 6 +++ client/common/version/windscribe_version.h | 2 +- .../linux/common/etc/windscribe/cgroups-up | 53 +++++++++---------- 5 files changed, 40 insertions(+), 37 deletions(-) diff --git a/backend/linux/helper/firewallcontroller.cpp b/backend/linux/helper/firewallcontroller.cpp index 6bc65f28..f1038a49 100644 --- a/backend/linux/helper/firewallcontroller.cpp +++ b/backend/linux/helper/firewallcontroller.cpp @@ -88,8 +88,8 @@ void FirewallController::setSplitTunnelingEnabled(bool isConnected, bool isEnabl void FirewallController::removeExclusiveIpRules() { for (auto ip : splitTunnelIps_) { - Utils::executeCommand("iptables", {"-D", "windscribe_input", "-s", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag}); - Utils::executeCommand("iptables", {"-D", "windscribe_output", "-d", (ip + "/32").c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag}); + Utils::executeCommand("iptables", {"-D", "windscribe_input", "-s", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag}); + Utils::executeCommand("iptables", {"-D", "windscribe_output", "-d", ip.c_str(), "-j", "ACCEPT", "-m", "comment", "--comment", kTag}); } } @@ -167,15 +167,15 @@ void FirewallController::setSplitTunnelIpExceptions(const std::vector stable //#define WINDSCRIBE_IS_BETA diff --git a/installer/linux/common/etc/windscribe/cgroups-up b/installer/linux/common/etc/windscribe/cgroups-up index 78ed3b4a..30f6a01c 100755 --- a/installer/linux/common/etc/windscribe/cgroups-up +++ b/installer/linux/common/etc/windscribe/cgroups-up 
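Review bot: `iptables -D` only removes a rule whose specification matches the one that was inserted, so dropping the `/32` suffix in removeExclusiveIpRules is correct only if the insertion side in setSplitTunnelIpExceptions now passes the same unsuffixed `ip` (that hunk is garbled in this view and could not be confirmed); if the two ever disagree, the ACCEPT exceptions in windscribe_input/windscribe_output silently outlive the feature, because the result of `Utils::executeCommand` is discarded on both lines. Logging a non-zero status from those two calls would make a stale exception visible instead of silent. Since the loop body no longer builds a temporary string, `for (const auto& ip : splitTunnelIps_)` avoids copying each address per iteration. Entries now reach iptables verbatim rather than being forced to a host address, so whatever fills splitTunnelIps_ is now the only place guaranteeing each entry is a bare address or CIDR; presumably that validation already exists upstream, but it is worth a comment here.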
@@ -10,7 +10,7 @@ netclass=$7 allow_lan=$8 mode=$9 -net_cls_root="`mount -l -t cgroup | grep net_cls | cut -d ' ' -f 3 | head -n 1`" +net_cls_root="`mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1`" if [ ! -f "$net_cls_root/windscribe/net_cls.classid" ]; then modprobe cls_cgroup if [ $? -ne 0 ]; then @@ -18,11 +18,22 @@ if [ ! -f "$net_cls_root/windscribe/net_cls.classid" ]; then exit 1 fi - net_cls_root="`mount -l -t cgroup | grep net_cls | cut -d ' ' -f 3 | head -n 1`" + net_cls_root="`mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1`" if [ -z "$net_cls_root" ]; then + if [ -d /sys/fs/cgroup/net_cls ]; then + # on some distros, cgroups v2 net_cls is mounted and it may be a symlink. If so, unmount it and mount v1 + mount -o remount,rw /sys/fs/cgroup + + link="`readlink /sys/fs/cgroup/net_cls`" + if [ -n "$link" ]; then + umount /sys/fs/cgroup/${link} + fi + rm -f /sys/fs/cgroup/net_cls + fi mkdir -p /sys/fs/cgroup/net_cls mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls - net_cls_root="`mount -l -t cgroup | grep net_cls | cut -d ' ' -f 3 | head -n 1`" + + net_cls_root="`mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1`" if [ -z "$net_cls_root" ]; then echo "Could not find cgroup root" exit 1 
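Review bot: The `mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1` pipeline is now repeated three times (here and twice in the following hunk), so the next tweak to the pattern has to be made in three places; a helper such as `find_net_cls_root() { mount -l -t cgroup | grep "net_cls on" | cut -d ' ' -f 3 | head -n 1; }` defined near the top and called as `net_cls_root="$(find_net_cls_root)"` keeps them in step. The `cut -f 3` parse of the human-readable `mount -l` output also breaks on a mount point containing a space; `findmnt -n -o TARGET -t cgroup -O net_cls | head -n 1` reads the mount table directly and ships in the same util-linux package as mount.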
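Review bot: `mount -o remount,rw /sys/fs/cgroup` in the new symlink-cleanup block is never undone, so on hosts where the cgroup tmpfs was mounted read-only it stays writable after the script exits; recording whether the remount was needed and issuing `mount -o remount,ro /sys/fs/cgroup` once the `mount -t cgroup -onet_cls` line has run would restore the prior state. `umount /sys/fs/cgroup/${link}` assumes `readlink` returned a relative target (an absolute one yields a nonsense path; `umount "$(readlink -f /sys/fs/cgroup/net_cls)"` avoids the assumption), and neither its exit code nor that of the following `rm -f` is checked, so a busy hierarchy leaves a half-torn-down state that only surfaces later as the generic 'Could not find cgroup root'. The comment calls the symlink "cgroups v2 net_cls", but net_cls is a v1 controller; the symlink typically points at a joint v1 `net_cls,net_prio` hierarchy, so unmounting it also removes net_prio for anything else using it, which the comment should state, e.g. `# some distros mount net_cls jointly with net_prio and expose it via a symlink; unmount that hierarchy and mount a standalone net_cls one`.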
@@ -54,31 +65,17 @@ if [ ! -f "$net_cls_root/windscribe/net_cls.classid" ]; then echo "$netclass" > "$net_cls_root/windscribe/net_cls.classid" fi -if [ "$allow_lan" = "allow" ]; then - if [ "$mode" == "inclusive" ]; then - # Allow IP rules to consult main routing table first, ignoring /0 or /1 routes - ip rule add priority 16383 table main suppress_prefixlength 1 - priority="`ip rule show | grep 51820 | cut -d ":" -f1`" # priority of WireGuard rule, if it exists - if [ -n "$priority" ]; then - # WG uses the same ip rule mechanism, just adjust the WG rule - ip rule add priority $((priority - 1)) table main suppress_prefixlength 0 - else - # For non-WG protocols, remove rule forcing other traffic into the tunnel - ip rule del priority 16385 table windscribe_include - fi - fi -else - if [ "$mode" == "inclusive" ]; then - ip rule del priority 16383 table main suppress_prefixlength 1 - priority="`ip rule show | grep 51820 | cut -d ":" -f1`" # priority of WireGuard rule, if it exists - if [ -n "$priority" ]; then - # WG uses the same ip rule mechanism, just adjust the WG rule - ip rule del priority $((priority - 1)) table main suppress_prefixlength 0 - else - # For non-WG protocols, add rule forcing other traffic into the tunnel - ip rule add priority 16385 table windscribe_include - fi - fi +if [ "$mode" == "inclusive" ]; then + # Allow IP rules to consult main routing table first, ignoring /0 or /1 routes + ip rule add priority 16383 table main suppress_prefixlength 1 + priority="`ip rule show | grep 51820 | cut -d ":" -f1`" # priority of WireGuard rule, if it exists + if [ -n "$priority" ]; then + # WG uses the same ip rule mechanism, just adjust the WG rule + ip rule add priority $((priority - 1)) table main suppress_prefixlength 0 + else + # For non-WG protocols, remove rule forcing other traffic into the tunnel + ip rule del priority 16385 table windscribe_include + fi fi # make sure to exit with code 0 since an above command may fail if we are adding a duplicate 
rule or