authorOdd Stranne <odd@mullvad.net>2019-05-17 13:11:38 +0200
committerOdd Stranne <odd@mullvad.net>2019-05-27 10:30:55 +0200
commit3f5517db761a40dc375eca7fadea8e6b15c03198 (patch)
treee8aabe4e92d852ea7c9136a179a27c711d253c3d
parent40692f2804da8a9cfbdea587f47e0b6de202a43f (diff)
Add 'PermitNdp' rule
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp2
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp45
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h4
-rw-r--r--windows/winfw/src/winfw/rules/permitndp.cpp89
-rw-r--r--windows/winfw/src/winfw/rules/permitndp.h18
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters6
7 files changed, 166 insertions, 0 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index 395b396cde..4cff5d7166 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -5,6 +5,7 @@
#include "rules/blockall.h"
#include "rules/ifirewallrule.h"
#include "rules/permitdhcp.h"
+#include "rules/permitndp.h"
#include "rules/permitdhcpserver.h"
#include "rules/permitlan.h"
#include "rules/permitlanservice.h"
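Review bot: The new `#include "rules/permitndp.h"` is placed between `permitdhcp.h` and `permitdhcpserver.h`, which breaks the alphabetical order the surrounding rule includes follow. Moving it below the last `permitl…` include keeps the list sorted and makes the next addition easier to place. The include block continues outside the hunk, so the exact insertion point is not visible here.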
@@ -41,6 +42,7 @@ void AppendSettingsRules(FwContext::Ruleset &ruleset, const WinFwSettings &setti
if (settings.permitDhcp)
{
ruleset.emplace_back(std::make_unique<rules::PermitDhcp>());
+ ruleset.emplace_back(std::make_unique<rules::PermitNdp>());
}
if (settings.permitLan)
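Review bot: `PermitNdp` is emplaced inside the `if (settings.permitDhcp)` branch, so IPv6 router discovery is now switched by a setting whose name only mentions DHCP; a reader of `WinFwSettings` cannot tell that `permitDhcp` also opens ICMPv6 router solicitation, router advertisement and redirect. Either a comment on the branch, `// permitDhcp also covers IPv6 router discovery (NDP), which fills the DHCP role for v6 autoconfiguration`, or a dedicated setting would make that coupling visible where the decision is made. The enclosing `AppendSettingsRules` starts and ends outside the hunk.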
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 5cc5d5b631..29e38a3b49 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -56,6 +56,9 @@ DetailedWfpObjectRegistry MullvadGuids::BuildDetailedRegistry()
registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv6()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Outbound_Router_Solicitation()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Inbound_Router_Advertisement()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Inbound_Redirect()));
return registry;
}
@@ -522,3 +525,45 @@ const GUID &MullvadGuids::FilterPermitVpnTunnelService_Ipv6()
return g;
}
+
+//static
+const GUID &MullvadGuids::FilterPermitNdp_Outbound_Router_Solicitation()
+{
+ static const GUID g =
+ {
+ 0xbc5a85e4,
+ 0x5319,
+ 0x4224,
+ { 0x8a, 0x27, 0x53, 0xeb, 0x61, 0xef, 0x3b, 0x1 }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::FilterPermitNdp_Inbound_Router_Advertisement()
+{
+ static const GUID g =
+ {
+ 0x4d996f1d,
+ 0x4915,
+ 0x4a6a,
+ { 0xbd, 0xf5, 0xb5, 0x1a, 0x2d, 0xbc, 0xb8, 0xe9 }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::FilterPermitNdp_Inbound_Redirect()
+{
+ static const GUID g =
+ {
+ 0xcec23a8,
+ 0x4fdd,
+ 0x4a96,
+ { 0xae, 0xba, 0x33, 0xd2, 0xa7, 0xf, 0x85, 0x22 }
+ };
+
+ return g;
+}
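Review bot: The three new key accessors carry no comment tying them to the `BuildDetailedRegistry` entries added in the earlier hunk of this file, although both must be kept in step; presumably the registry is what later enumeration or cleanup of Mullvad-owned WFP objects walks, so a key that is added here but not there would be an orphan — confirm against the registry's consumers. A one-line comment above the first accessor, `// Filter keys for rules::PermitNdp. Every key defined here must also be inserted in BuildDetailedRegistry().`, records the rule. The `//static` markers and function-local `static const GUID` match the style of the existing accessors in this file.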
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index ca1f926e9b..c2a8c8537e 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -63,4 +63,8 @@ public:
static const GUID &FilterPermitVpnTunnelService_Ipv4();
static const GUID &FilterPermitVpnTunnelService_Ipv6();
+
+ static const GUID &FilterPermitNdp_Outbound_Router_Solicitation();
+ static const GUID &FilterPermitNdp_Inbound_Router_Advertisement();
+ static const GUID &FilterPermitNdp_Inbound_Redirect();
};
diff --git a/windows/winfw/src/winfw/rules/permitndp.cpp b/windows/winfw/src/winfw/rules/permitndp.cpp
new file mode 100644
index 0000000000..2aca5d0d1b
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permitndp.cpp
@@ -0,0 +1,89 @@
+#include "stdafx.h"
+#include "permitndp.h"
+#include "winfw/mullvadguids.h"
+#include "libwfp/filterbuilder.h"
+#include "libwfp/conditionbuilder.h"
+#include "libwfp/ipaddress.h"
+#include "libwfp/ipnetwork.h"
+#include "libwfp/conditions/conditionprotocol.h"
+#include "libwfp/conditions/conditionicmp.h"
+#include "libwfp/conditions/conditionip.h"
+
+using namespace wfp::conditions;
+
+namespace rules
+{
+
+bool PermitNdp::apply(IObjectInstaller &objectInstaller)
+{
+ const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10);
+ const wfp::IpAddress::Literal6 linkLocalRouterMulticast{ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2 };
+
+ wfp::FilterBuilder filterBuilder;
+
+ //
+ // #1 permit outbound router solicitation
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitNdp_Outbound_Router_Solicitation())
+ .name(L"Permit outbound NDP router solicitation")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(133));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocalRouterMulticast));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #2 permit inbound router advertisement
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitNdp_Inbound_Router_Advertisement())
+ .name(L"Permit inbound NDP router advertisement")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(134));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #3 permit inbound redirect message
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitNdp_Inbound_Redirect())
+ .name(L"Permit inbound NDP redirect")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(137));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+
+ return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+}
+
+}
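Review bot: Filters #2 and #3 accept router advertisements (type 134) and redirects (type 137) from any source in fe80::/10, which means that while this firewall is active any peer on the local link can still influence the host's IPv6 default route, on-link prefixes and, through RA options, its DNS configuration; the link-local source restriction is the correct check for these message types, but the file documents neither that trade-off nor why neighbor solicitation/advertisement (135/136) are not covered by a rule named `PermitNdp`. A header comment on `apply`, along the lines of `// Permits the ICMPv6 messages needed for IPv6 router discovery: RS out to ff02::2, RA and redirect in from link-local sources. NS/NA are not handled here (see [location placeholder]). Accepting RA/redirect from any link-local peer is intentional.`, would record both. If a hop-limit-255 match is not expressible at these ALE layers, that is worth stating in the same comment, since it is the usual sanity check applied to RA and redirect. Block #3 also drops the brace scope the first two blocks use around their `ConditionBuilder`, so it reads as a different pattern; wrapping it the same way keeps the three sections uniform.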
diff --git a/windows/winfw/src/winfw/rules/permitndp.h b/windows/winfw/src/winfw/rules/permitndp.h
new file mode 100644
index 0000000000..ebd53b62c2
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permitndp.h
@@ -0,0 +1,18 @@
+#pragma once
+
+#include "ifirewallrule.h"
+
+namespace rules
+{
+
+class PermitNdp : public IFirewallRule
+{
+public:
+
+ PermitNdp() = default;
+ ~PermitNdp() = default;
+
+ bool apply(IObjectInstaller &objectInstaller) override;
+};
+
+}
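Review bot: `PermitNdp` is declared without any comment on what it permits, and the name is wider than the implementation, which covers router solicitation, router advertisement and redirect but not neighbor solicitation/advertisement. A class comment such as `// Permits ICMPv6 router solicitation (outbound) and router advertisement / redirect (inbound from link-local) so IPv6 autoconfiguration keeps working while other traffic is blocked.` lets readers of the header see the scope without opening the .cpp. Whether `~PermitNdp()` should be marked `override` depends on `IFirewallRule` declaring a virtual destructor, which is not visible in this diff.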
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index cbd14ac9aa..9ab1963930 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -29,6 +29,7 @@
<ClCompile Include="rules\permitlan.cpp" />
<ClCompile Include="rules\permitlanservice.cpp" />
<ClCompile Include="rules\permitloopback.cpp" />
+ <ClCompile Include="rules\permitndp.cpp" />
<ClCompile Include="rules\permitvpntunnelservice.cpp" />
<ClCompile Include="rules\permitvpnrelay.cpp" />
<ClCompile Include="rules\permitvpntunnel.cpp" />
@@ -51,6 +52,7 @@
<ClInclude Include="mullvadobjects.h" />
<ClInclude Include="objectpurger.h" />
<ClInclude Include="rules\permitdhcpserver.h" />
+ <ClInclude Include="rules\permitndp.h" />
<ClInclude Include="wfpobjecttype.h" />
<ClInclude Include="rules\blockall.h" />
<ClInclude Include="rules\ifirewallrule.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index c8bbb5beda..0319b0214a 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -40,6 +40,9 @@
<ClCompile Include="rules\permitdhcpserver.cpp">
<Filter>rules</Filter>
</ClCompile>
+ <ClCompile Include="rules\permitndp.cpp">
+ <Filter>rules</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
@@ -87,6 +90,9 @@
<ClInclude Include="rules\permitdhcpserver.h">
<Filter>rules</Filter>
</ClInclude>
+ <ClInclude Include="rules\permitndp.h">
+ <Filter>rules</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="rules">