summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorDavid Lönnhager <david.l@mullvad.net>2020-01-02 11:06:37 +0100
committerDavid Lönnhager <david.l@mullvad.net>2020-01-02 11:06:37 +0100
commit04c26a00c0fc030f523d147fb1471001a52d8923 (patch)
tree6adf66aa3370cad9f875c6f916b0fd2eb23a755b
parent8c649ed364fb1db71ee76ae4685fc2debb5c0861 (diff)
parent6f2cafc447bf7a08b505cd762fd73e6ef44f288d (diff)
downloadmullvadvpn-04c26a00c0fc030f523d147fb1471001a52d8923.tar.xz
mullvadvpn-04c26a00c0fc030f523d147fb1471001a52d8923.zip
Merge branch 'restrictdns-update'
Diffstat
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp16
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp69
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h7
-rw-r--r--windows/winfw/src/winfw/rules/permittunneldns.cpp115
-rw-r--r--windows/winfw/src/winfw/rules/permittunneldns.h27
-rw-r--r--windows/winfw/src/winfw/rules/permitvpntunnel.cpp12
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.cpp143
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.h28
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj4
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters12
10 files changed, 187 insertions, 246 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index bd89b3cf65..7b7c0d94c2 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -10,11 +10,11 @@
#include "rules/permitlan.h"
#include "rules/permitlanservice.h"
#include "rules/permitloopback.h"
+#include "rules/permittunneldns.h"
#include "rules/permitvpnrelay.h"
#include "rules/permitvpntunnel.h"
#include "rules/permitvpntunnelservice.h"
#include "rules/permitping.h"
-#include "rules/restrictdns.h"
#include "libwfp/transaction.h"
#include "libwfp/filterengine.h"
#include <functional>
@@ -164,11 +164,17 @@ bool FwContext::applyPolicyConnected
tunnelInterfaceAlias
));
- ruleset.emplace_back(std::make_unique<rules::RestrictDns>(
+ std::vector<wfp::IpAddress> dnsHosts;
+ dnsHosts.push_back(wfp::IpAddress(v4DnsHost));
+
+ if (nullptr != v6DnsHost)
+ {
+ dnsHosts.push_back(wfp::IpAddress(v6DnsHost));
+ }
+
+ ruleset.emplace_back(std::make_unique<rules::PermitTunnelDns>(
tunnelInterfaceAlias,
- wfp::IpAddress(v4DnsHost),
- (v6DnsHost != nullptr) ? std::make_unique<wfp::IpAddress>(v6DnsHost) : nullptr,
- (relay.port == 53) ? std::make_unique<wfp::IpAddress>(relay.ip) : nullptr
+ dnsHosts
));
return applyRuleset(ruleset);
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 770c81f7db..ef27e4823c 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -50,11 +50,8 @@ DetailedWfpObjectRegistry MullvadGuids::BuildDetailedRegistry()
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnRelay()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv6()));
- registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv4()));
- registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv4()));
- registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53()));
- registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv6()));
- registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv6()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitTunnelDns_Ipv4()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitTunnelDns_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Outbound_Router_Solicitation()));
@@ -446,70 +443,28 @@ const GUID &MullvadGuids::FilterPermitVpnTunnel_Outbound_Ipv6()
}
//static
-const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv4()
+const GUID &MullvadGuids::FilterPermitTunnelDns_Ipv4()
{
static const GUID g =
{
- 0xc0792b44,
- 0xfc3c,
- 0x42e8,
- { 0xa6, 0x60, 0x25, 0x4b, 0xd0, 0x4, 0xb1, 0x9d }
+ 0x60474363,
+ 0x42b7,
+ 0x44ad,
+ { 0xa6, 0xdb, 0x9c, 0x4a, 0x4d, 0x3c, 0xde, 0x4a }
};
return g;
}
//static
-const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4()
+const GUID &MullvadGuids::FilterPermitTunnelDns_Ipv6()
{
static const GUID g =
{
- 0x790445dc,
- 0xb23e,
- 0x4ab4,
- { 0x8e, 0x2f, 0xc7, 0x6, 0x55, 0x5f, 0x94, 0xff }
- };
-
- return g;
-}
-
-//static
-const GUID& MullvadGuids::FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53()
-{
- static const GUID g =
- {
- 0x6a613b73,
- 0x7308,
- 0x4ae4,
- { 0x91, 0x7d, 0xd2, 0xa2, 0x29, 0x17, 0xcc, 0x3f }
- };
-
- return g;
-}
-
-//static
-const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv6()
-{
- static const GUID g =
- {
- 0xcde477eb,
- 0x2d8a,
- 0x45b8,
- { 0x9a, 0x3e, 0x9a, 0xa3, 0xbe, 0x4d, 0xe2, 0xb4 }
- };
-
- return g;
-}
-
-//static
-const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6()
-{
- static const GUID g =
- {
- 0xacc90d87,
- 0xab77,
- 0x4cf4,
- { 0x84, 0xee, 0x1d, 0x68, 0x95, 0xf0, 0x66, 0xc2 }
+ 0xa832ce1d,
+ 0xa250,
+ 0x42be,
+ { 0x8b, 0x97, 0x2, 0xb7, 0x9f, 0x9c, 0x5e, 0x1 }
};
return g;
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index a2001a2bdb..8a32c1c9df 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -56,11 +56,8 @@ public:
static const GUID &FilterPermitVpnTunnel_Outbound_Ipv4();
static const GUID &FilterPermitVpnTunnel_Outbound_Ipv6();
- static const GUID &FilterRestrictDns_Outbound_Ipv4();
- static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv4();
- static const GUID &FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53();
- static const GUID &FilterRestrictDns_Outbound_Ipv6();
- static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv6();
+ static const GUID &FilterPermitTunnelDns_Ipv4();
+ static const GUID &FilterPermitTunnelDns_Ipv6();
static const GUID &FilterPermitVpnTunnelService_Ipv4();
static const GUID &FilterPermitVpnTunnelService_Ipv6();
diff --git a/windows/winfw/src/winfw/rules/permittunneldns.cpp b/windows/winfw/src/winfw/rules/permittunneldns.cpp
new file mode 100644
index 0000000000..57c1d39763
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permittunneldns.cpp
@@ -0,0 +1,115 @@
+#include "stdafx.h"
+#include "permittunneldns.h"
+#include "winfw/mullvadguids.h"
+#include "libwfp/filterbuilder.h"
+#include "libwfp/conditionbuilder.h"
+#include "libwfp/conditions/comparison.h"
+#include "libwfp/conditions/conditioninterface.h"
+#include "libwfp/conditions/conditionip.h"
+#include "libwfp/conditions/conditionport.h"
+
+using namespace wfp::conditions;
+
+namespace
+{
+
+constexpr uint16_t DNS_PORT = 53;
+
+} // anonymous namespace
+
+namespace rules
+{
+
+PermitTunnelDns::PermitTunnelDns(
+ const std::wstring &tunnelInterfaceAlias,
+ const std::vector<wfp::IpAddress> &dnsHosts
+)
+ : m_tunnelInterfaceAlias(tunnelInterfaceAlias)
+{
+ for (const auto &host : dnsHosts)
+ {
+ if (wfp::IpAddress::Ipv4 == host.type())
+ {
+ m_v4DnsHosts.push_back(host);
+ }
+ else
+ {
+ m_v6DnsHosts.push_back(host);
+ }
+ }
+}
+
+bool PermitTunnelDns::apply(IObjectInstaller &objectInstaller)
+{
+ //
+ // Permit outbound DNS traffic to specific servers (IPv4)
+ //
+
+ wfp::FilterBuilder filterBuilder;
+
+ filterBuilder
+ .provider(MullvadGuids::Provider())
+ .description(L"This filter is part of a rule that permits DNS traffic inside the VPN tunnel")
+ .sublayer(MullvadGuids::SublayerWhitelist())
+ .weight(wfp::FilterBuilder::WeightClass::Max)
+ .permit();
+
+ if (!m_v4DnsHosts.empty())
+ {
+ filterBuilder
+ .key(MullvadGuids::FilterPermitTunnelDns_Ipv4())
+ .name(L"Permit select outbound DNS traffic on tunnel interface (IPv4)")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+ conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+
+ for (const auto &host : m_v4DnsHosts)
+ {
+ // Multiple conditions of same type are OR'ed
+ conditionBuilder.add_condition(ConditionIp::Remote(host));
+ }
+
+ conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // Permit outbound DNS traffic to specific servers (IPv6)
+ //
+
+ if (!m_v6DnsHosts.empty())
+ {
+ filterBuilder
+ .key(MullvadGuids::FilterPermitTunnelDns_Ipv6())
+ .name(L"Permit select outbound DNS traffic on tunnel interface (IPv6)")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+ conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+
+ for (const auto &host : m_v6DnsHosts)
+ {
+ // Multiple conditions of same type are OR'ed
+ if (wfp::IpAddress::Ipv6 == host.type())
+ {
+ conditionBuilder.add_condition(ConditionIp::Remote(host));
+ }
+ }
+
+ conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+}
diff --git a/windows/winfw/src/winfw/rules/permittunneldns.h b/windows/winfw/src/winfw/rules/permittunneldns.h
new file mode 100644
index 0000000000..eec22b0924
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permittunneldns.h
@@ -0,0 +1,27 @@
+#pragma once
+
+#include "ifirewallrule.h"
+#include "libwfp/ipaddress.h"
+#include <string>
+#include <cstdint>
+
+namespace rules
+{
+
+class PermitTunnelDns : public IFirewallRule
+{
+public:
+
+ PermitTunnelDns(const std::wstring &tunnelInterfaceAlias, const std::vector<wfp::IpAddress> &dnsHosts);
+
+ bool apply(IObjectInstaller &objectInstaller) override;
+
+private:
+
+ const std::wstring m_tunnelInterfaceAlias;
+ std::vector<wfp::IpAddress> m_v4DnsHosts;
+ std::vector<wfp::IpAddress> m_v6DnsHosts;
+
+};
+
+}
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp b/windows/winfw/src/winfw/rules/permitvpntunnel.cpp
index e21a99c04d..a757f5e164 100644
--- a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp
+++ b/windows/winfw/src/winfw/rules/permitvpntunnel.cpp
@@ -4,9 +4,17 @@
#include "libwfp/filterbuilder.h"
#include "libwfp/conditionbuilder.h"
#include "libwfp/conditions/conditioninterface.h"
+#include "libwfp/conditions/conditionport.h"
using namespace wfp::conditions;
+namespace
+{
+
+constexpr uint16_t DNS_PORT = 53;
+
+} // anonymous namespace
+
namespace rules
{
@@ -21,6 +29,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
//
// #1 permit locally-initiated traffic on tunnel interface, ipv4
+ // except DNS requests
//
filterBuilder
@@ -37,6 +46,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+ conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT, CompareNeq()));
if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
{
@@ -46,6 +56,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
//
// #2 permit locally-initiated traffic on tunnel interface, ipv6
+ // except DNS requests
//
filterBuilder
@@ -56,6 +67,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+ conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT, CompareNeq()));
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
}
diff --git a/windows/winfw/src/winfw/rules/restrictdns.cpp b/windows/winfw/src/winfw/rules/restrictdns.cpp
deleted file mode 100644
index 2eb560d973..0000000000
--- a/windows/winfw/src/winfw/rules/restrictdns.cpp
+++ /dev/null
@@ -1,143 +0,0 @@
-#include "stdafx.h"
-#include "restrictdns.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditioninterface.h"
-#include "libwfp/conditions/conditionip.h"
-#include "libwfp/conditions/conditionport.h"
-
-using namespace wfp::conditions;
-
-namespace rules
-{
-
-RestrictDns::RestrictDns(const std::wstring& tunnelInterfaceAlias,
- const wfp::IpAddress v4DnsHost,
- std::unique_ptr<wfp::IpAddress> v6DnsHost,
- std::unique_ptr<wfp::IpAddress> relay)
- : m_tunnelInterfaceAlias(tunnelInterfaceAlias)
- , m_v4DnsHost(v4DnsHost)
- , m_v6DnsHost(std::move(v6DnsHost))
- , m_relayHost(std::move(relay))
-
-{
-}
-
-bool RestrictDns::apply(IObjectInstaller &objectInstaller)
-{
- wfp::FilterBuilder filterBuilder;
-
- //
- // Requires that the following rules are in effect:
- //
- // BlockAll
- // PermitVpnTunnel
- //
- // TODO: Have each rule specify requirements?
- //
-
- if (nullptr != m_relayHost) {
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4())
- .name(L"Permit relay connection over port 53 (IPv4)")
- .key(MullvadGuids::FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53())
- .description(L"This filter is part of a rule that restricts DNS traffic")
- .provider(MullvadGuids::Provider())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
- .sublayer(MullvadGuids::SublayerBlacklist())
- .weight(wfp::FilterBuilder::WeightClass::Max)
- .permit();
-
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
- conditionBuilder.add_condition(ConditionIp::Remote(*m_relayHost, CompareEq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4())
- .name(L"Block DNS requests outside the VPN tunnel (IPv4)")
- .description(L"This filter is part of a rule that restricts DNS traffic")
- .provider(MullvadGuids::Provider())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
- .sublayer(MullvadGuids::SublayerBlacklist())
- .weight(wfp::FilterBuilder::WeightClass::Max)
- .block();
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
- conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias, CompareNeq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
-
- filterBuilder
- .name(L"Restrict DNS requests inside the VPN tunnel (IPv4)")
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
- conditionBuilder.add_condition(ConditionIp::Remote(m_v4DnsHost, CompareNeq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
-
- //
- // IPv6 also
- //
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv6())
- .name(L"Block DNS requests outside the VPN tunnel (IPv6)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
- conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias, CompareNeq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6())
- .name(L"Restrict DNS requests inside the VPN tunnel (IPv6)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
-
- if (m_v6DnsHost != nullptr)
- {
- conditionBuilder.add_condition(ConditionIp::Remote(*m_v6DnsHost, CompareNeq()));
- }
-
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
- }
-}
-
-}
diff --git a/windows/winfw/src/winfw/rules/restrictdns.h b/windows/winfw/src/winfw/rules/restrictdns.h
deleted file mode 100644
index 0b54a6465e..0000000000
--- a/windows/winfw/src/winfw/rules/restrictdns.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#pragma once
-
-#include "ifirewallrule.h"
-#include "libwfp/ipaddress.h"
-#include <string>
-
-namespace rules
-{
-
-class RestrictDns : public IFirewallRule
-{
-public:
-
- RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress v4DnsHost, std::unique_ptr<wfp::IpAddress> v6DnsHost, std::unique_ptr<wfp::IpAddress> relay);
-
- bool apply(IObjectInstaller &objectInstaller) override;
-
-private:
-
- const std::wstring m_tunnelInterfaceAlias;
- const wfp::IpAddress m_v4DnsHost;
- const std::unique_ptr<wfp::IpAddress> m_v6DnsHost;
- // If connecting to relay on port 53, the traffic to port 53 should be allowed.
- const std::unique_ptr<wfp::IpAddress> m_relayHost;
-
-};
-
-}
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index 15da42ec0f..7b35c8b939 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -23,6 +23,7 @@
<ClCompile Include="mullvadguids.cpp" />
<ClCompile Include="mullvadobjects.cpp" />
<ClCompile Include="objectpurger.cpp" />
+ <ClCompile Include="rules\permittunneldns.cpp" />
<ClCompile Include="rules\blockall.cpp" />
<ClCompile Include="rules\permitdhcp.cpp" />
<ClCompile Include="rules\permitdhcpserver.cpp" />
@@ -34,7 +35,6 @@
<ClCompile Include="rules\permitvpntunnelservice.cpp" />
<ClCompile Include="rules\permitvpnrelay.cpp" />
<ClCompile Include="rules\permitvpntunnel.cpp" />
- <ClCompile Include="rules\restrictdns.cpp" />
<ClCompile Include="sessioncontroller.cpp" />
<ClCompile Include="sessionrecord.cpp" />
<ClCompile Include="stdafx.cpp">
@@ -52,6 +52,7 @@
<ClInclude Include="mullvadguids.h" />
<ClInclude Include="mullvadobjects.h" />
<ClInclude Include="objectpurger.h" />
+ <ClInclude Include="rules\permittunneldns.h" />
<ClInclude Include="rules\permitdhcpserver.h" />
<ClInclude Include="rules\permitndp.h" />
<ClInclude Include="rules\permitping.h" />
@@ -65,7 +66,6 @@
<ClInclude Include="rules\permitvpntunnelservice.h" />
<ClInclude Include="rules\permitvpnrelay.h" />
<ClInclude Include="rules\permitvpntunnel.h" />
- <ClInclude Include="rules\restrictdns.h" />
<ClInclude Include="sessioncontroller.h" />
<ClInclude Include="sessionrecord.h" />
<ClInclude Include="stdafx.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index a758a1c9ec..c491cb2a8d 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -30,9 +30,6 @@
<Filter>rules</Filter>
</ClCompile>
<ClCompile Include="sessionrecord.cpp" />
- <ClCompile Include="rules\restrictdns.cpp">
- <Filter>rules</Filter>
- </ClCompile>
<ClCompile Include="rules\permitvpntunnelservice.cpp">
<Filter>rules</Filter>
</ClCompile>
@@ -46,6 +43,9 @@
<ClCompile Include="rules\permitping.cpp">
<Filter>rules</Filter>
</ClCompile>
+ <ClCompile Include="rules\permittunneldns.cpp">
+ <Filter>rules</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
@@ -81,9 +81,6 @@
<Filter>rules</Filter>
</ClInclude>
<ClInclude Include="sessionrecord.h" />
- <ClInclude Include="rules\restrictdns.h">
- <Filter>rules</Filter>
- </ClInclude>
<ClInclude Include="rules\permitvpntunnelservice.h">
<Filter>rules</Filter>
</ClInclude>
@@ -99,6 +96,9 @@
<ClInclude Include="rules\permitping.h">
<Filter>rules</Filter>
</ClInclude>
+ <ClInclude Include="rules\permittunneldns.h">
+ <Filter>rules</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="rules">
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.