authorLinus Färnstrand <linus@mullvad.net>2018-10-31 11:33:01 +0100
committerLinus Färnstrand <linus@mullvad.net>2018-10-31 16:03:41 +0100
commit4249f6e2041f6510af9c2c5336f855abb85a67e0 (patch)
tree994aa802c9b97316e70637897b27a5a34df32da1
parent89fe3f4c3eabcc7f5e97d71c0eddfa29481e852e (diff)
Add DHCPv6 firewall rules for Windows
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp32
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h6
-rw-r--r--windows/winfw/src/winfw/rules/permitdhcp.cpp71
3 files changed, 96 insertions, 13 deletions
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 12b5e1ca63..0988e68814 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -296,7 +296,7 @@ const GUID &MullvadGuids::FilterPermitLoopback_Inbound_Ipv6()
}
//static
-const GUID &MullvadGuids::FilterPermitDhcp_Outbound_Request()
+const GUID &MullvadGuids::FilterPermitDhcpV4_Outbound_Request()
{
static const GUID g =
{
@@ -310,7 +310,21 @@ const GUID &MullvadGuids::FilterPermitDhcp_Outbound_Request()
}
//static
-const GUID &MullvadGuids::FilterPermitDhcp_Inbound_Response()
+const GUID &MullvadGuids::FilterPermitDhcpV6_Outbound_Request()
+{
+ static const GUID g =
+ {
+ 0x67bd69b0,
+ 0x522d,
+ 0x4631,
+ { 0x9a, 0x8f, 0x1c, 0xee, 0xdf, 0x64, 0xb7, 0x2b }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::FilterPermitDhcpV4_Inbound_Response()
{
static const GUID g =
{
@@ -324,6 +338,20 @@ const GUID &MullvadGuids::FilterPermitDhcp_Inbound_Response()
}
//static
+const GUID &MullvadGuids::FilterPermitDhcpV6_Inbound_Response()
+{
+ static const GUID g =
+ {
+ 0x40dcfb6d,
+ 0x2ee,
+ 0x4531,
+ { 0x86, 0x61, 0xc4, 0xc8, 0xa4, 0x3a, 0xf4, 0x23 }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::FilterPermitVpnRelay()
{
static const GUID g =
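Review bot: The second field of the new `FilterPermitDhcpV6_Inbound_Response` key is written `0x2ee`, while every other key in this file pads the 16-bit fields to four hex digits (`0x522d`, `0x4531`, `0x67bd69b0` / `0x522d` in the sibling above); the value is identical, but `0x02ee,` keeps the initializer aligned with the canonical `xxxxxxxx-xxxx-xxxx-...` form and makes a dropped digit visible at a glance. The new keys also carry no comment saying which WFP filter they identify; a one-liner above each, e.g. `// Key of the ALE_AUTH_CONNECT_V6 filter installed by PermitDhcp`, would tie the GUID back to its rule without opening permitdhcp.cpp. The last hunk ends inside `FilterPermitVpnRelay`, whose body continues outside it.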
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 1fd81cce50..53bebaba13 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -33,8 +33,10 @@ public:
static const GUID &FilterPermitLoopback_Inbound_Ipv4();
static const GUID &FilterPermitLoopback_Inbound_Ipv6();
- static const GUID &FilterPermitDhcp_Outbound_Request();
- static const GUID &FilterPermitDhcp_Inbound_Response();
+ static const GUID &FilterPermitDhcpV4_Outbound_Request();
+ static const GUID &FilterPermitDhcpV6_Outbound_Request();
+ static const GUID &FilterPermitDhcpV4_Inbound_Response();
+ static const GUID &FilterPermitDhcpV6_Inbound_Response();
static const GUID &FilterPermitVpnRelay();
diff --git a/windows/winfw/src/winfw/rules/permitdhcp.cpp b/windows/winfw/src/winfw/rules/permitdhcp.cpp
index e92b88056e..86bafbb71d 100644
--- a/windows/winfw/src/winfw/rules/permitdhcp.cpp
+++ b/windows/winfw/src/winfw/rules/permitdhcp.cpp
@@ -25,13 +25,15 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller)
wfp::FilterBuilder filterBuilder;
+ const wfp::IpAddress::Literal6 fe80{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };
+
//
- // #1 permit outbound DHCP request
+ // #1 permit outbound DHCPv4 request
//
filterBuilder
- .key(MullvadGuids::FilterPermitDhcp_Outbound_Request())
- .name(L"Permit outbound DHCP request")
+ .key(MullvadGuids::FilterPermitDhcpV4_Outbound_Request())
+ .name(L"Permit outbound DHCPv4 request")
.description(L"This filter is part of a rule that permits DHCP client traffic")
.provider(MullvadGuids::Provider())
.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
@@ -54,19 +56,70 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller)
}
//
- // #2 permit inbound DHCP response
+ // #2 permit outbound DHCPv6 request
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitDhcpV6_Outbound_Request())
+ .name(L"Permit outbound DHCPv6 request")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ const wfp::IpAddress::Literal6 linkLocal{ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x2 };
+ const wfp::IpAddress::Literal6 siteLocal{ 0xFF05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x3 };
+
+ conditionBuilder.add_condition(ConditionProtocol::Udp());
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+ conditionBuilder.add_condition(ConditionIp::Remote(siteLocal));
+ conditionBuilder.add_condition(ConditionPort::Remote(547));
+ conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10)));
+ conditionBuilder.add_condition(ConditionPort::Local(546));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #3 permit inbound DHCPv4 response
//
filterBuilder
- .key(MullvadGuids::FilterPermitDhcp_Inbound_Response())
- .name(L"Permit inbound DHCP response")
+ .key(MullvadGuids::FilterPermitDhcpV4_Inbound_Response())
+ .name(L"Permit inbound DHCPv4 response")
.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+
+ conditionBuilder.add_condition(ConditionProtocol::Udp());
+ conditionBuilder.add_condition(ConditionPort::Remote(67));
+ conditionBuilder.add_condition(ConditionPort::Local(68));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #4 permit inbound DHCPv6 response
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitDhcpV6_Inbound_Response())
+ .name(L"Permit inbound DHCPv6 response")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
conditionBuilder.add_condition(ConditionProtocol::Udp());
- conditionBuilder.add_condition(ConditionPort::Remote(67));
- conditionBuilder.add_condition(ConditionPort::Local(68));
+ conditionBuilder.add_condition(ConditionPort::Remote(547));
+ conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10)));
+ conditionBuilder.add_condition(ConditionPort::Local(546));
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
}
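Review bot: The outbound DHCPv6 filter (#2) adds two `ConditionIp::Remote(...)` conditions, `linkLocal` and `siteLocal`, on the same filter; this only permits either destination because WFP evaluates multiple conditions on the same field as OR and conditions on different fields as AND, and nothing in the hunk says so, so a reader may take the pair as a contradictory AND. A comment such as `// Two Remote conditions on one field are OR-ed by WFP: ff02::1:2 (All_DHCP_Relay_Agents_and_Servers) or ff05::1:3 (All_DHCP_Servers)` would make that explicit. The inbound DHCPv6 filter (#4) pins the local side to `fe80::/10` and ports 546/547 but, like the v4 inbound rule, leaves the remote address unrestricted; if that is deliberate (relays may source replies from non-link-local addresses), it is worth stating in a comment next to the conditions rather than leaving it implicit. The prefix length `uint8_t(10)` appears twice as a functional-style cast; a single `constexpr uint8_t kLinkLocalPrefixLength = 10;` next to the `fe80` literal on the first hunk would name it and avoid the repeated cast. `PermitDhcp::apply` begins outside the hunk.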