| author | Odd Stranne <odd@mullvad.net> | 2019-05-27 10:45:31 +0200 |
|---|---|---|
| committer | Odd Stranne <odd@mullvad.net> | 2019-05-27 10:45:31 +0200 |
| commit | 513b791fd21fabfa8b9990b34eeb8a1871110a4a (patch) | |
| tree | 7b936c76c5b17735d341c4daae76895ed35429bd | |
| parent | 40de1e01c0ebe0d6bf1183e9a8ecc956d15a0bb5 (diff) | |
| parent | 946e244ac53a2004082eccc207d8b7bda4bd9c89 (diff) | |
Merge branch 'win-fw-mdns-ndp'
20 files changed, 571 insertions, 414 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index f15d1b7bbb..27606a44cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,10 +32,10 @@ Line wrap the file at 100 chars. Th - Add GUI translations for Italian, Japanese, Dutch, Portugese, Russian and Turkish. - Add missing GUI translations for Czech Republic, USA and UK in the select location view. - Add translations for the current location displayed on the main screen in the GUI. +- Allow a subset of NDP (Router solicitation, router advertisement and redirects) in the firewall. #### Linux - Add standard window decorations to the application window. -- Allow a subset of NDP (Router solicitation, router advertisement and redirects) in the firewall. ### Changed - Relax the allow local network rules slightly. only checking either source or destination IP field diff --git a/windows/libwfp b/windows/libwfp -Subproject 4065b5bdf56668ca09dd29bf83805f363126935 +Subproject 989468a6b1001cbcf8d405f4c20623747dac5f1 diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp index b77ac82cb5..e5325f0b9c 100644 --- a/windows/winfw/src/winfw/fwcontext.cpp +++ b/windows/winfw/src/winfw/fwcontext.cpp @@ -5,6 +5,8 @@ #include "rules/blockall.h" #include "rules/ifirewallrule.h" #include "rules/permitdhcp.h" +#include "rules/permitndp.h" +#include "rules/permitdhcpserver.h" #include "rules/permitlan.h" #include "rules/permitlanservice.h" #include "rules/permitloopback.h" @@ -40,12 +42,14 @@ void AppendSettingsRules(FwContext::Ruleset &ruleset, const WinFwSettings &setti if (settings.permitDhcp) { ruleset.emplace_back(std::make_unique<rules::PermitDhcp>()); + ruleset.emplace_back(std::make_unique<rules::PermitNdp>()); } if (settings.permitLan) { ruleset.emplace_back(std::make_unique<rules::PermitLan>()); ruleset.emplace_back(std::make_unique<rules::PermitLanService>()); + ruleset.emplace_back(rules::PermitDhcpServer::WithExtent(rules::PermitDhcpServer::Extent::IPv4Only)); } } 
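Review bot: In `AppendSettingsRules`, `PermitNdp` is installed under `settings.permitDhcp` and `PermitDhcpServer` under `settings.permitLan`, so neither flag name describes everything it now opens. Inbound router advertisements and redirects can change a host's IPv6 routes, so how narrowly they are matched matters. permitndp.cpp is not in the visible part of this diff, so confirm that it restricts these filters by ICMPv6 type and to link-local sources. I would at least document the coupling at the call site, for example `// NDP (RS, RA, redirect) is needed for IPv6 autoconfiguration, so it follows permitDhcp`. The function body starts outside the hunk.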
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp index e68312957f..010d41e44a 100644 --- a/windows/winfw/src/winfw/mullvadguids.cpp +++ b/windows/winfw/src/winfw/mullvadguids.cpp 
@@ -28,38 +28,37 @@ DetailedWfpObjectRegistry MullvadGuids::BuildDetailedRegistry() registry.insert(std::make_pair(WfpObjectType::Sublayer, SublayerWhitelist())); registry.insert(std::make_pair(WfpObjectType::Sublayer, SublayerBlacklist())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterBlockAll_Outbound_Ipv4())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterBlockAll_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterBlockAll_Inbound_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterBlockAll_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterBlockAll_Inbound_Ipv6())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_10_8())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_172_16_12())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_192_168_16())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_169_254_16())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Multicast())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Ipv6_fe80_10())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Ipv6_Multicast())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_10_8())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_172_16_12())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_192_168_16())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_169_254_16())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_Ipv6_fe80_10())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Outbound_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Outbound_Multicast_Ipv4())); + 
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Outbound_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLan_Outbound_Multicast_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_Inbound_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLanService_Inbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLoopback_Outbound_Ipv4())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLoopback_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLoopback_Inbound_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLoopback_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitLoopback_Inbound_Ipv6())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV4_Outbound_Request())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV6_Outbound_Request())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV4_Inbound_Response())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV6_Inbound_Response())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcp_Outbound_Request_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcp_Inbound_Response_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcp_Outbound_Request_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcp_Inbound_Response_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpServer_Inbound_Request_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpServer_Outbound_Response_Ipv4())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnRelay())); registry.insert(std::make_pair(WfpObjectType::Filter, 
FilterPermitVpnTunnel_Outbound_Ipv4())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv4())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv4())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Outbound_Router_Solicitation())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Inbound_Router_Advertisement())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Inbound_Redirect())); return registry; } @@ -135,20 +134,6 @@ const GUID &MullvadGuids::FilterBlockAll_Outbound_Ipv4() } //static -const GUID &MullvadGuids::FilterBlockAll_Outbound_Ipv6() -{ - static const GUID g = - { - 0x8ae5c389, - 0xd604, - 0x43df, - { 0x87, 0x4a, 0x5c, 0x86, 0x76, 0xc9, 0xc2, 0xb8 } - }; - - return g; -} - -//static const GUID &MullvadGuids::FilterBlockAll_Inbound_Ipv4() { static const GUID g = 
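Review bot: `BuildDetailedRegistry` no longer lists the retired per-subnet keys (`FilterPermitLan_10_8`, `FilterPermitLanService_10_8` and the others), and their accessor functions are deleted in the later hunks of this file. If this registry is what a cleanup or upgrade path uses to recognise Mullvad-owned WFP objects (not visible here), permit filters left behind by an earlier version would no longer be identified. It is worth confirming that old filters cannot persist across an upgrade. Otherwise, keep the retired GUIDs in a separate list with a comment such as `// retired filter keys, kept so stale objects can still be recognised and removed`.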
@@ -163,77 +148,50 @@ const GUID &MullvadGuids::FilterBlockAll_Inbound_Ipv4() } //static -const GUID &MullvadGuids::FilterBlockAll_Inbound_Ipv6() -{ - static const GUID g = - { - 0x18b8c1d2, - 0x5910, - 0x4b51, - { 0xa5, 0x48, 0x1e, 0xfc, 0xd5, 0x4b, 0x63, 0xe9 } - }; - - return g; -} - -//static -const GUID &MullvadGuids::FilterPermitLan_10_8() +const GUID &MullvadGuids::FilterBlockAll_Outbound_Ipv6() { static const GUID g = { - 0x73fe6348, - 0x62f4, - 0x4686, - { 0x95, 0x47, 0x51, 0xa8, 0x21, 0xb, 0xa3, 0x8f } + 0x8ae5c389, + 0xd604, + 0x43df, + { 0x87, 0x4a, 0x5c, 0x86, 0x76, 0xc9, 0xc2, 0xb8 } }; return g; } //static -const GUID &MullvadGuids::FilterPermitLan_172_16_12() +const GUID &MullvadGuids::FilterBlockAll_Inbound_Ipv6() { static const GUID g = { - 0x7a38dae, - 0x150f, - 0x47f1, - { 0xa6, 0xac, 0x99, 0x3, 0x48, 0x53, 0x83, 0x26 } + 0x18b8c1d2, + 0x5910, + 0x4b51, + { 0xa5, 0x48, 0x1e, 0xfc, 0xd5, 0x4b, 0x63, 0xe9 } }; return g; } -//static -const GUID &MullvadGuids::FilterPermitLan_192_168_16() -{ - static const GUID g = - { - 0x518bfc38, - 0xa7c5, - 0x42fe, - { 0xa3, 0xf2, 0xe1, 0x56, 0x24, 0xd7, 0x86, 0x1c } - }; - - return g; -} //static -const GUID &MullvadGuids::FilterPermitLan_169_254_16() +const GUID &MullvadGuids::FilterPermitLan_Outbound_Ipv4() { static const GUID g = { - 0x58718a9e, - 0x7ec1, - 0x4dee, - { 0x8d, 0x3f, 0x16, 0x5b, 0x95, 0x5d, 0xb5, 0x42 } + 0xb012b076, + 0x80d1, + 0x4628, + { 0x8d, 0x7b, 0xa5, 0x58, 0x8, 0xd8, 0xdc, 0xa4 } }; return g; } //static -const GUID &MullvadGuids::FilterPermitLan_Multicast() +const GUID &MullvadGuids::FilterPermitLan_Outbound_Multicast_Ipv4() { static const GUID g = { 
@@ -247,98 +205,56 @@ const GUID &MullvadGuids::FilterPermitLan_Multicast() } //static -const GUID &MullvadGuids::FilterPermitLan_Ipv6_fe80_10() +const GUID &MullvadGuids::FilterPermitLan_Outbound_Ipv6() { static const GUID g = { - 0x5733b308, - 0x5856, - 0x469f, - { 0xa9, 0xf2, 0x24, 0x87, 0x52, 0x61, 0xd1, 0x6 } + 0xacb22069, + 0xed33, + 0x4c6d, + { 0x9b, 0xc8, 0xcd, 0xfa, 0x6a, 0x1a, 0x10, 0x35 } }; return g; } //static -const GUID &MullvadGuids::FilterPermitLan_Ipv6_Multicast() +const GUID &MullvadGuids::FilterPermitLan_Outbound_Multicast_Ipv6() { static const GUID g = { - 0x7379135f, - 0x6ce5, - 0x4107, - { 0x8a, 0x69, 0xf8, 0xea, 0x5a, 0x92, 0xb4, 0x97 } + 0xb63d89ec, + 0xe145, + 0x4e29, + { 0x90, 0x87, 0xa7, 0x9b, 0xd6, 0xfc, 0x8b, 0x29 } }; return g; } //static -const GUID &MullvadGuids::FilterPermitLanService_10_8() +const GUID &MullvadGuids::FilterPermitLanService_Inbound_Ipv4() { static const GUID g = { - 0x24ed3b23, - 0x5d5a, - 0x4f1e, - { 0x8c, 0xfa, 0xfd, 0x68, 0x79, 0x6a, 0x83, 0x8a } + 0x5849930, + 0x40ae, + 0x41e4, + { 0x81, 0x68, 0x21, 0x94, 0x89, 0x8e, 0x6f, 0x8c } }; return g; } //static -const GUID &MullvadGuids::FilterPermitLanService_172_16_12() +const GUID &MullvadGuids::FilterPermitLanService_Inbound_Ipv6() { static const GUID g = { - 0xa925dc62, - 0x54ea, - 0x46f5, - { 0x9d, 0x37, 0xa9, 0x5a, 0xf2, 0x84, 0xc3, 0x6f } - }; - - return g; -} - -//static -const GUID &MullvadGuids::FilterPermitLanService_192_168_16() -{ - static const GUID g = - { - 0x97fd73cb, - 0x9bf0, - 0x47f2, - { 0x98, 0x69, 0xd1, 0x5e, 0xf3, 0x5c, 0x3a, 0x8 } - }; - - return g; -} - -//static -const GUID &MullvadGuids::FilterPermitLanService_169_254_16() -{ - static const GUID g = - { - 0x39d9b695, - 0x5c27, - 0x42a6, - { 0xba, 0xea, 0x8c, 0x4b, 0xe0, 0x7e, 0x66, 0x3e } - }; - - return g; -} - -//static -const GUID &MullvadGuids::FilterPermitLanService_Ipv6_fe80_10() -{ - static const GUID g = - { - 0xd1dff9da, - 0x1d12, - 0x4425, - { 0x82, 0x70, 0xdc, 0x7, 0x56, 0xff, 
0xb9, 0xf2 } + 0xe8122820, + 0xe138, + 0x46b0, + { 0x96, 0x6f, 0x68, 0xa0, 0x6, 0xa2, 0xb5, 0xa2 } }; return g; @@ -359,28 +275,28 @@ const GUID &MullvadGuids::FilterPermitLoopback_Outbound_Ipv4() } //static -const GUID &MullvadGuids::FilterPermitLoopback_Outbound_Ipv6() +const GUID &MullvadGuids::FilterPermitLoopback_Inbound_Ipv4() { static const GUID g = { - 0x764d4944, - 0x8a1e, - 0x4d96, - { 0xbf, 0xf0, 0x8d, 0xa6, 0x4f, 0x31, 0x44, 0xa2 } + 0xb8efb500, + 0xc51, + 0x4550, + { 0xbf, 0x5c, 0x48, 0x54, 0xa6, 0xc8, 0x48, 0xb9 } }; return g; } //static -const GUID &MullvadGuids::FilterPermitLoopback_Inbound_Ipv4() +const GUID &MullvadGuids::FilterPermitLoopback_Outbound_Ipv6() { static const GUID g = { - 0xb8efb500, - 0xc51, - 0x4550, - { 0xbf, 0x5c, 0x48, 0x54, 0xa6, 0xc8, 0x48, 0xb9 } + 0x764d4944, + 0x8a1e, + 0x4d96, + { 0xbf, 0xf0, 0x8d, 0xa6, 0x4f, 0x31, 0x44, 0xa2 } }; return g; @@ -401,7 +317,7 @@ const GUID &MullvadGuids::FilterPermitLoopback_Inbound_Ipv6() } //static -const GUID &MullvadGuids::FilterPermitDhcpV4_Outbound_Request() +const GUID &MullvadGuids::FilterPermitDhcp_Outbound_Request_Ipv4() { static const GUID g = { 
@@ -415,35 +331,35 @@ const GUID &MullvadGuids::FilterPermitDhcpV4_Outbound_Request() } //static -const GUID &MullvadGuids::FilterPermitDhcpV6_Outbound_Request() +const GUID &MullvadGuids::FilterPermitDhcp_Inbound_Response_Ipv4() { static const GUID g = { - 0x67bd69b0, - 0x522d, - 0x4631, - { 0x9a, 0x8f, 0x1c, 0xee, 0xdf, 0x64, 0xb7, 0x2b } + 0x2db298d7, + 0x4108, + 0x47ff, + { 0x85, 0x99, 0xaf, 0xa5, 0xcb, 0x95, 0x9c, 0x25 } }; return g; } //static -const GUID &MullvadGuids::FilterPermitDhcpV4_Inbound_Response() +const GUID &MullvadGuids::FilterPermitDhcp_Outbound_Request_Ipv6() { static const GUID g = { - 0x2db298d7, - 0x4108, - 0x47ff, - { 0x85, 0x99, 0xaf, 0xa5, 0xcb, 0x95, 0x9c, 0x25 } + 0x67bd69b0, + 0x522d, + 0x4631, + { 0x9a, 0x8f, 0x1c, 0xee, 0xdf, 0x64, 0xb7, 0x2b } }; return g; } //static -const GUID &MullvadGuids::FilterPermitDhcpV6_Inbound_Response() +const GUID &MullvadGuids::FilterPermitDhcp_Inbound_Response_Ipv6() { static const GUID g = { @@ -457,6 +373,34 @@ const GUID &MullvadGuids::FilterPermitDhcpV6_Inbound_Response() } //static +const GUID &MullvadGuids::FilterPermitDhcpServer_Inbound_Request_Ipv4() +{ + static const GUID g = + { + 0xa6c98ac3, + 0xe06, + 0x4fd2, + { 0xb4, 0x5e, 0xb7, 0xef, 0x67, 0x4, 0x43, 0xbc } + }; + + return g; +} + +//static +const GUID &MullvadGuids::FilterPermitDhcpServer_Outbound_Response_Ipv4() +{ + static const GUID g = + { + 0x57006c23, + 0xc21f, + 0x4d23, + { 0x88, 0xf, 0x5a, 0x9d, 0x94, 0x6b, 0xc2, 0xf3 } + }; + + return g; +} + +//static const GUID &MullvadGuids::FilterPermitVpnRelay() { static const GUID g = 
@@ -513,28 +457,28 @@ const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv4() } //static -const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv6() +const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4() { static const GUID g = { - 0xcde477eb, - 0x2d8a, - 0x45b8, - { 0x9a, 0x3e, 0x9a, 0xa3, 0xbe, 0x4d, 0xe2, 0xb4 } + 0x790445dc, + 0xb23e, + 0x4ab4, + { 0x8e, 0x2f, 0xc7, 0x6, 0x55, 0x5f, 0x94, 0xff } }; return g; } //static -const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4() +const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv6() { static const GUID g = { - 0x790445dc, - 0xb23e, - 0x4ab4, - { 0x8e, 0x2f, 0xc7, 0x6, 0x55, 0x5f, 0x94, 0xff } + 0xcde477eb, + 0x2d8a, + 0x45b8, + { 0x9a, 0x3e, 0x9a, 0xa3, 0xbe, 0x4d, 0xe2, 0xb4 } }; return g; @@ -581,3 +525,45 @@ const GUID &MullvadGuids::FilterPermitVpnTunnelService_Ipv6() return g; } + +//static +const GUID &MullvadGuids::FilterPermitNdp_Outbound_Router_Solicitation() +{ + static const GUID g = + { + 0xbc5a85e4, + 0x5319, + 0x4224, + { 0x8a, 0x27, 0x53, 0xeb, 0x61, 0xef, 0x3b, 0x1 } + }; + + return g; +} + +//static +const GUID &MullvadGuids::FilterPermitNdp_Inbound_Router_Advertisement() +{ + static const GUID g = + { + 0x4d996f1d, + 0x4915, + 0x4a6a, + { 0xbd, 0xf5, 0xb5, 0x1a, 0x2d, 0xbc, 0xb8, 0xe9 } + }; + + return g; +} + +//static +const GUID &MullvadGuids::FilterPermitNdp_Inbound_Redirect() +{ + static const GUID g = + { + 0xcec23a8, + 0x4fdd, + 0x4a96, + { 0xae, 0xba, 0x33, 0xd2, 0xa7, 0xf, 0x85, 0x22 } + }; + + return g; +} diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h index 04cad0a6c8..d4fb470d90 100644 --- a/windows/winfw/src/winfw/mullvadguids.h +++ b/windows/winfw/src/winfw/mullvadguids.h 
@@ -26,33 +26,30 @@ public: static const GUID &SublayerBlacklist(); static const GUID &FilterBlockAll_Outbound_Ipv4(); - static const GUID &FilterBlockAll_Outbound_Ipv6(); static const GUID &FilterBlockAll_Inbound_Ipv4(); + static const GUID &FilterBlockAll_Outbound_Ipv6(); static const GUID &FilterBlockAll_Inbound_Ipv6(); - static const GUID &FilterPermitLan_10_8(); - static const GUID &FilterPermitLan_172_16_12(); - static const GUID &FilterPermitLan_192_168_16(); - static const GUID &FilterPermitLan_169_254_16(); - static const GUID &FilterPermitLan_Multicast(); - static const GUID &FilterPermitLan_Ipv6_fe80_10(); - static const GUID &FilterPermitLan_Ipv6_Multicast(); + static const GUID &FilterPermitLan_Outbound_Ipv4(); + static const GUID &FilterPermitLan_Outbound_Multicast_Ipv4(); + static const GUID &FilterPermitLan_Outbound_Ipv6(); + static const GUID &FilterPermitLan_Outbound_Multicast_Ipv6(); - static const GUID &FilterPermitLanService_10_8(); - static const GUID &FilterPermitLanService_172_16_12(); - static const GUID &FilterPermitLanService_192_168_16(); - static const GUID &FilterPermitLanService_169_254_16(); - static const GUID &FilterPermitLanService_Ipv6_fe80_10(); + static const GUID &FilterPermitLanService_Inbound_Ipv4(); + static const GUID &FilterPermitLanService_Inbound_Ipv6(); static const GUID &FilterPermitLoopback_Outbound_Ipv4(); - static const GUID &FilterPermitLoopback_Outbound_Ipv6(); static const GUID &FilterPermitLoopback_Inbound_Ipv4(); + static const GUID &FilterPermitLoopback_Outbound_Ipv6(); static const GUID &FilterPermitLoopback_Inbound_Ipv6(); - static const GUID &FilterPermitDhcpV4_Outbound_Request(); - static const GUID &FilterPermitDhcpV6_Outbound_Request(); - static const GUID &FilterPermitDhcpV4_Inbound_Response(); - static const GUID &FilterPermitDhcpV6_Inbound_Response(); + static const GUID &FilterPermitDhcp_Outbound_Request_Ipv4(); + static const GUID &FilterPermitDhcp_Inbound_Response_Ipv4(); + static const GUID 
&FilterPermitDhcp_Outbound_Request_Ipv6(); + static const GUID &FilterPermitDhcp_Inbound_Response_Ipv6(); + + static const GUID &FilterPermitDhcpServer_Inbound_Request_Ipv4(); + static const GUID &FilterPermitDhcpServer_Outbound_Response_Ipv4(); static const GUID &FilterPermitVpnRelay(); @@ -60,10 +57,14 @@ public: static const GUID &FilterPermitVpnTunnel_Outbound_Ipv6(); static const GUID &FilterRestrictDns_Outbound_Ipv4(); - static const GUID &FilterRestrictDns_Outbound_Ipv6(); static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv4(); + static const GUID &FilterRestrictDns_Outbound_Ipv6(); static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv6(); static const GUID &FilterPermitVpnTunnelService_Ipv4(); static const GUID &FilterPermitVpnTunnelService_Ipv6(); + + static const GUID &FilterPermitNdp_Outbound_Router_Solicitation(); + static const GUID &FilterPermitNdp_Inbound_Router_Advertisement(); + static const GUID &FilterPermitNdp_Inbound_Redirect(); }; diff --git a/windows/winfw/src/winfw/rules/blockall.cpp b/windows/winfw/src/winfw/rules/blockall.cpp index ff8ba5a065..7695ece765 100644 --- a/windows/winfw/src/winfw/rules/blockall.cpp +++ b/windows/winfw/src/winfw/rules/blockall.cpp @@ -17,7 +17,7 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterBlockAll_Outbound_Ipv4()) - .name(L"Block all outbound connections") + .name(L"Block all outbound connections (IPv4)") .description(L"This filter is part of a rule that restricts inbound and outbound traffic") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) 
@@ -33,12 +33,13 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller) } // - // #2 block outbound connections, ipv6 + // #2 block inbound connections, ipv4 // filterBuilder - .key(MullvadGuids::FilterBlockAll_Outbound_Ipv6()) - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + .key(MullvadGuids::FilterBlockAll_Inbound_Ipv4()) + .name(L"Block all inbound connections (IPv4)") + .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); if (false == objectInstaller.addFilter(filterBuilder, nullConditionBuilder)) { @@ -46,13 +47,13 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller) } // - // #3 block inbound connections, ipv4 + // #3 block outbound connections, ipv6 // filterBuilder - .key(MullvadGuids::FilterBlockAll_Inbound_Ipv4()) - .name(L"Block all inbound connections") - .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); + .key(MullvadGuids::FilterBlockAll_Outbound_Ipv6()) + .name(L"Block all outbound connections (IPv6)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); if (false == objectInstaller.addFilter(filterBuilder, nullConditionBuilder)) { @@ -65,6 +66,7 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterBlockAll_Inbound_Ipv6()) + .name(L"Block all inbound connections (IPv6)") .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); return objectInstaller.addFilter(filterBuilder, nullConditionBuilder); diff --git a/windows/winfw/src/winfw/rules/permitdhcp.cpp b/windows/winfw/src/winfw/rules/permitdhcp.cpp index 4650a3586f..d2d7292746 100644 --- a/windows/winfw/src/winfw/rules/permitdhcp.cpp +++ b/windows/winfw/src/winfw/rules/permitdhcp.cpp 
@@ -4,18 +4,33 @@ #include "libwfp/filterbuilder.h" #include "libwfp/conditionbuilder.h" #include "libwfp/ipaddress.h" +#include "libwfp/ipnetwork.h" #include "libwfp/conditions/conditionprotocol.h" #include "libwfp/conditions/conditionport.h" #include "libwfp/conditions/conditionip.h" -#include "libwfp/conditions/conditionport.h" using namespace wfp::conditions; namespace rules { +namespace +{ + +static const uint32_t DHCPV4_CLIENT_PORT = 68; +static const uint32_t DHCPV4_SERVER_PORT = 67; +static const uint32_t DHCPV6_CLIENT_PORT = 546; +static const uint32_t DHCPV6_SERVER_PORT = 547; + +} // anonymous namespace + bool PermitDhcp::apply(IObjectInstaller &objectInstaller) { + return applyIpv4(objectInstaller) && applyIpv6(objectInstaller); +} + +bool PermitDhcp::applyIpv4(IObjectInstaller &objectInstaller) const +{ // // First UDP packet for a unique [remote address, port] tuple is mapped into: // @@ -25,15 +40,13 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller) wfp::FilterBuilder filterBuilder; - const wfp::IpAddress::Literal6 fe80{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; - // // #1 permit outbound DHCPv4 request // filterBuilder - .key(MullvadGuids::FilterPermitDhcpV4_Outbound_Request()) - .name(L"Permit outbound DHCPv4 request") + .key(MullvadGuids::FilterPermitDhcp_Outbound_Request_Ipv4()) + .name(L"Permit outbound DHCP request (IPv4)") .description(L"This filter is part of a rule that permits DHCP client traffic") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) 
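Review bot: The port constants added in the anonymous namespace are declared `static const uint32_t`, where `static` is redundant because the anonymous namespace already gives internal linkage. `DHCPV4_CLIENT_PORT` and `DHCPV4_SERVER_PORT` are also declared again with the same values in permitdhcpserver.cpp later in this commit. A single shared definition would keep the client and server rules from drifting apart, for example `constexpr uint32_t DHCPV4_CLIENT_PORT = 68;` in a small common header.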
@@ -45,9 +58,9 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller) wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); conditionBuilder.add_condition(ConditionProtocol::Udp()); - conditionBuilder.add_condition(ConditionPort::Local(68)); + conditionBuilder.add_condition(ConditionPort::Local(DHCPV4_CLIENT_PORT)); conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 255, 255, 255, 255 }))); - conditionBuilder.add_condition(ConditionPort::Remote(67)); + conditionBuilder.add_condition(ConditionPort::Remote(DHCPV4_SERVER_PORT)); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { 
@@ -56,48 +69,50 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller) } // - // #2 permit outbound DHCPv6 request + // #2 permit inbound DHCPv4 response // filterBuilder - .key(MullvadGuids::FilterPermitDhcpV6_Outbound_Request()) - .name(L"Permit outbound DHCPv6 request") - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + .key(MullvadGuids::FilterPermitDhcp_Inbound_Response_Ipv4()) + .name(L"Permit inbound DHCP response (IPv4)") + .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); - { - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); - const wfp::IpAddress::Literal6 linkLocal{ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x2 }; - const wfp::IpAddress::Literal6 siteLocal{ 0xFF05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x3 }; + conditionBuilder.add_condition(ConditionProtocol::Udp()); + conditionBuilder.add_condition(ConditionPort::Local(DHCPV4_CLIENT_PORT)); + conditionBuilder.add_condition(ConditionPort::Remote(DHCPV4_SERVER_PORT)); - conditionBuilder.add_condition(ConditionProtocol::Udp()); - conditionBuilder.add_condition(ConditionIp::Remote(linkLocal)); - conditionBuilder.add_condition(ConditionIp::Remote(siteLocal)); - conditionBuilder.add_condition(ConditionPort::Remote(547)); - conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10))); - conditionBuilder.add_condition(ConditionPort::Local(546)); + return objectInstaller.addFilter(filterBuilder, conditionBuilder); +} - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - } +bool PermitDhcp::applyIpv6(IObjectInstaller &objectInstaller) const +{ + const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10); + + wfp::FilterBuilder filterBuilder; // - // #3 permit inbound DHCPv4 response + // #1 permit outbound DHCPv6 request // filterBuilder - .key(MullvadGuids::FilterPermitDhcpV4_Inbound_Response()) - .name(L"Permit inbound DHCPv4 
response") - .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); + .key(MullvadGuids::FilterPermitDhcp_Outbound_Request_Ipv6()) + .name(L"Permit outbound DHCP request (IPv6)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); { - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + + const wfp::IpAddress::Literal6 linkLocalDhcpMulticast({ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x2 }); + const wfp::IpAddress::Literal6 siteLocalDhcpMulticast({ 0xFF05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x3 }); conditionBuilder.add_condition(ConditionProtocol::Udp()); - conditionBuilder.add_condition(ConditionPort::Remote(67)); - conditionBuilder.add_condition(ConditionPort::Local(68)); + conditionBuilder.add_condition(ConditionIp::Local(linkLocal)); + conditionBuilder.add_condition(ConditionPort::Local(DHCPV6_CLIENT_PORT)); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocalDhcpMulticast)); + conditionBuilder.add_condition(ConditionIp::Remote(siteLocalDhcpMulticast)); + conditionBuilder.add_condition(ConditionPort::Remote(DHCPV6_SERVER_PORT)); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { 
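Review bot: The inbound DHCPv4 response filter at the end of `applyIpv4` matches only UDP with local port `DHCPV4_CLIENT_PORT` and remote port `DHCPV4_SERVER_PORT`, so any host that sends from port 67 can reach port 68 whatever its address. The conditions are carried over unchanged from the old filter #3, but the IPv6 response filter in the next hunk pins both ends to fe80::/10, so the asymmetry deserves a comment. If the open remote address is deliberate, say so in the code: `// remote address left open: the server address is not known before a lease is obtained`. In `applyIpv6`, the two `ConditionIp::Remote` multicast conditions rely on WFP OR-ing conditions that share a field. A one-line comment there would stop a reader from assuming they are AND-ed.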
@@ -106,21 +121,21 @@ bool PermitDhcp::apply(IObjectInstaller &objectInstaller) } // - // #4 permit inbound DHCPv6 response + // #2 permit inbound DHCPv6 response // filterBuilder - .key(MullvadGuids::FilterPermitDhcpV6_Inbound_Response()) - .name(L"Permit inbound DHCPv6 response") + .key(MullvadGuids::FilterPermitDhcp_Inbound_Response_Ipv6()) + .name(L"Permit inbound DHCP response (IPv6)") .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); conditionBuilder.add_condition(ConditionProtocol::Udp()); - conditionBuilder.add_condition(ConditionIp::Remote(fe80, uint8_t(10))); - conditionBuilder.add_condition(ConditionPort::Remote(547)); - conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10))); - conditionBuilder.add_condition(ConditionPort::Local(546)); + conditionBuilder.add_condition(ConditionIp::Local(linkLocal)); + conditionBuilder.add_condition(ConditionPort::Local(DHCPV6_CLIENT_PORT)); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocal)); + conditionBuilder.add_condition(ConditionPort::Remote(DHCPV6_SERVER_PORT)); return objectInstaller.addFilter(filterBuilder, conditionBuilder); } diff --git a/windows/winfw/src/winfw/rules/permitdhcp.h b/windows/winfw/src/winfw/rules/permitdhcp.h index 58bd90bfa5..5500829c0c 100644 --- a/windows/winfw/src/winfw/rules/permitdhcp.h +++ b/windows/winfw/src/winfw/rules/permitdhcp.h @@ -13,6 +13,11 @@ public: ~PermitDhcp() = default; bool apply(IObjectInstaller &objectInstaller) override; + +private: + + bool applyIpv4(IObjectInstaller &objectInstaller) const; + bool applyIpv6(IObjectInstaller &objectInstaller) const; }; } diff --git a/windows/winfw/src/winfw/rules/permitdhcpserver.cpp b/windows/winfw/src/winfw/rules/permitdhcpserver.cpp new file mode 100644 index 0000000000..6e22b146fa --- /dev/null +++ b/windows/winfw/src/winfw/rules/permitdhcpserver.cpp 
@@ -0,0 +1,91 @@ +#include "stdafx.h" +#include "permitdhcpserver.h" +#include "winfw/mullvadguids.h" +#include "libwfp/filterbuilder.h" +#include "libwfp/conditionbuilder.h" +#include "libwfp/ipaddress.h" +#include "libwfp/conditions/conditionprotocol.h" +#include "libwfp/conditions/conditionport.h" +#include "libwfp/conditions/conditionip.h" +#include <stdexcept> + +using namespace wfp::conditions; + +namespace rules +{ + +namespace +{ + +static const uint32_t DHCPV4_CLIENT_PORT = 68; +static const uint32_t DHCPV4_SERVER_PORT = 67; + +} // anonymous namespace + +//static +std::unique_ptr<PermitDhcpServer> PermitDhcpServer::WithExtent(Extent extent) +{ + if (extent != Extent::IPv4Only) + { + throw std::runtime_error("The only supported mode is IPv4Only"); + } + + return std::unique_ptr<PermitDhcpServer>(new PermitDhcpServer); +} + +bool PermitDhcpServer::apply(IObjectInstaller &objectInstaller) +{ + return applyIpv4(objectInstaller); +} + +bool PermitDhcpServer::applyIpv4(IObjectInstaller &objectInstaller) const +{ + // + // #1 permit incoming DHCPv4 request + // + + wfp::FilterBuilder filterBuilder; + + filterBuilder + .key(MullvadGuids::FilterPermitDhcpServer_Inbound_Request_Ipv4()) + .name(L"Permit inbound DHCP request (IPv4)") + .description(L"This filter is part of a rule that permits DHCP server traffic") + .provider(MullvadGuids::Provider()) + .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4) + .sublayer(MullvadGuids::SublayerWhitelist()) + .weight(wfp::FilterBuilder::WeightClass::Max) + .permit(); + + { + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); + + conditionBuilder.add_condition(ConditionProtocol::Udp()); + conditionBuilder.add_condition(ConditionPort::Local(DHCPV4_SERVER_PORT)); + conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 255, 255, 255, 255 }))); + conditionBuilder.add_condition(ConditionPort::Remote(DHCPV4_CLIENT_PORT)); + + if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) + { 
+ return false; + } + } + + // + // #2 permit outbound DHCPv4 response + // + + filterBuilder + .key(MullvadGuids::FilterPermitDhcpServer_Outbound_Response_Ipv4()) + .name(L"Permit outbound DHCP response (IPv4)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4); + + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); + + conditionBuilder.add_condition(ConditionProtocol::Udp()); + conditionBuilder.add_condition(ConditionPort::Local(DHCPV4_SERVER_PORT)); + conditionBuilder.add_condition(ConditionPort::Remote(DHCPV4_CLIENT_PORT)); + + return objectInstaller.addFilter(filterBuilder, conditionBuilder); +} + +} diff --git a/windows/winfw/src/winfw/rules/permitdhcpserver.h b/windows/winfw/src/winfw/rules/permitdhcpserver.h new file mode 100644 index 0000000000..93879b21a7 --- /dev/null +++ b/windows/winfw/src/winfw/rules/permitdhcpserver.h @@ -0,0 +1,31 @@ +#pragma once + +#include "ifirewallrule.h" +#include <memory> + +namespace rules +{ + +class PermitDhcpServer : public IFirewallRule +{ +public: + + enum class Extent + { + All, + IPv4Only, + IPv6Only + }; + + static std::unique_ptr<PermitDhcpServer> WithExtent(Extent extent); + + bool apply(IObjectInstaller &objectInstaller) override; + +private: + + PermitDhcpServer() = default; + + bool applyIpv4(IObjectInstaller &objectInstaller) const; +}; + +} diff --git a/windows/winfw/src/winfw/rules/permitlan.cpp b/windows/winfw/src/winfw/rules/permitlan.cpp index 4adc882163..e973bf29d8 100644 --- a/windows/winfw/src/winfw/rules/permitlan.cpp +++ b/windows/winfw/src/winfw/rules/permitlan.cpp @@ -4,6 +4,7 @@ #include "libwfp/filterbuilder.h" #include "libwfp/conditionbuilder.h" #include "libwfp/ipaddress.h" +#include "libwfp/ipnetwork.h" #include "libwfp/conditions/conditionip.h" using namespace wfp::conditions; 
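Review bot: The outbound response filter in `PermitDhcpServer::applyIpv4` has no remote-address condition, so with `permitLan` set any UDP flow from local port 67 to remote port 68 is permitted to any destination, not only to LAN peers. The inbound request filter is narrower, since it requires the local address 255.255.255.255. Consider bounding the response filter to the broadcast address and the private ranges that permitlan.cpp already lists, in the same form used there: `conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), 8)));` and likewise for the other ranges (this needs libwfp/ipnetwork.h). Separately, `WithExtent` throws `std::runtime_error` for `Extent::All` and `Extent::IPv6Only`, both of which the header declares. A comment on the enum such as `// only IPv4Only is implemented; other values make WithExtent throw` would warn callers.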
@@ -21,12 +22,12 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const wfp::FilterBuilder filterBuilder; // - // #1 locally-initiated on 10/8 + // #1 locally-initiated traffic // filterBuilder - .key(MullvadGuids::FilterPermitLan_10_8()) - .name(L"Permit locally-initiated traffic on 10/8") + .key(MullvadGuids::FilterPermitLan_Outbound_Ipv4()) + .name(L"Permit outbound LAN traffic (IPv4)") .description(L"This filter is part of a rule that permits LAN traffic") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) @@ -36,8 +37,10 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), uint8_t(8))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), uint8_t(8))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), 8))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), 12))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), 16))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), 16))); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { 
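Review bot: With the `ConditionIp::Local` conditions removed, the outbound filter in `PermitLan::applyIpv4` matches on the remote address alone and depends on the four same-field `ConditionIp::Remote` conditions being OR'ed by WFP; neither fact is stated in the code. A comment above the conditions would record both, e.g. `// Remote address only: any local address may reach these ranges. Same-field conditions are OR'ed.` The same four networks are repeated in the `PermitLanService::applyIpv4` hunk of permitlanservice.cpp, so a shared list of LAN networks would keep the outbound and inbound rules from drifting apart. The function begins and ends outside this hunk.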
@@ -45,77 +48,23 @@ bool PermitLan::applyIpv4(IObjectInstaller &objectInstaller) const } // - // #2 locally-initiated on 172.16/12 - // - - filterBuilder - .key(MullvadGuids::FilterPermitLan_172_16_12()) - .name(L"Permit locally-initiated traffic on 172.16/12"); - - conditionBuilder.reset(); - - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), uint8_t(12))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), uint8_t(12))); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - - // - // #3 locally-initiated on 192.168/16 - // - - filterBuilder - .key(MullvadGuids::FilterPermitLan_192_168_16()) - .name(L"Permit locally-initiated traffic on 192.168/16"); - - conditionBuilder.reset(); - - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16))); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - - // - // #4 locally-initiated on 169.254/16 + // #2 LAN to multicast // filterBuilder - .key(MullvadGuids::FilterPermitLan_169_254_16()) - .name(L"Permit locally-initiated traffic on 169.254/16"); + .key(MullvadGuids::FilterPermitLan_Outbound_Multicast_Ipv4()) + .name(L"Permit outbound LAN multicast traffic (IPv4)"); conditionBuilder.reset(); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16))); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - - // - // #5 LAN to multicast - // - - filterBuilder - .key(MullvadGuids::FilterPermitLan_Multicast()) - .name(L"Permit locally-initiated multicast traffic"); - - conditionBuilder.reset(); 
+ // Local subnet multicast. + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 224, 0, 0, 0 }), 24))); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), uint8_t(8))); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), uint8_t(12))); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16))); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 224, 0, 0, 0 }), uint8_t(24))); + // Simple Service Discovery Protocol (SSDP) address. + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 239, 255, 255, 250 }), 32))); - // Special multicast for SSDP. - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 239, 255, 255, 250 }), uint8_t(32))); + // mDNS Service Discovery address. + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 239, 255, 255, 251 }), 32))); return objectInstaller.addFilter(filterBuilder, conditionBuilder); } @@ -125,12 +74,12 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const wfp::FilterBuilder filterBuilder; // - // #1 locally-initiated on fe80::/10 + // #1 locally-initiated traffic // filterBuilder - .key(MullvadGuids::FilterPermitLan_Ipv6_fe80_10()) - .name(L"Permit locally-initiated traffic on fe80::/10") + .key(MullvadGuids::FilterPermitLan_Outbound_Ipv6()) + .name(L"Permit outbound LAN traffic (IPv6)") .description(L"This filter is part of a rule that permits LAN traffic") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6) 
@@ -140,10 +89,9 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); - wfp::IpAddress::Literal6 fe80 { 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; + const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10); - conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10))); - conditionBuilder.add_condition(ConditionIp::Remote(fe80, uint8_t(10))); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocal)); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { @@ -155,15 +103,16 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const // filterBuilder - .key(MullvadGuids::FilterPermitLan_Ipv6_Multicast()) - .name(L"Permit locally-initiated IPv6 multicast traffic"); + .key(MullvadGuids::FilterPermitLan_Outbound_Multicast_Ipv6()) + .name(L"Permit outbound LAN multicast traffic (IPv6)"); conditionBuilder.reset(); - wfp::IpAddress::Literal6 fe02{ 0xFE02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; + const wfp::IpNetwork linkLocalMulticast(wfp::IpAddress::Literal6({ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16); + const wfp::IpNetwork siteLocalMulticast(wfp::IpAddress::Literal6({ 0xFF05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16); - conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10))); - conditionBuilder.add_condition(ConditionIp::Remote(fe02, uint8_t(16))); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocalMulticast)); + conditionBuilder.add_condition(ConditionIp::Remote(siteLocalMulticast)); return objectInstaller.addFilter(filterBuilder, conditionBuilder); } diff --git a/windows/winfw/src/winfw/rules/permitlanservice.cpp b/windows/winfw/src/winfw/rules/permitlanservice.cpp index 8f23270b94..516aa3fcd7 100644 --- a/windows/winfw/src/winfw/rules/permitlanservice.cpp +++ b/windows/winfw/src/winfw/rules/permitlanservice.cpp 
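Review bot: `siteLocalMulticast` permits the whole of ff05::/16, which is site scope and may be forwarded by routers past the local link, whereas the IPv4 multicast filter in this file enumerates 224.0.0.0/24 and two single group addresses. If the intent is service discovery, narrowing this to the specific ff05 groups needed would keep the exception as small as the IPv4 one. Failing that, a comment naming the protocol that requires site scope would make the exposure reviewable, e.g. `// Site-local scope is needed for <protocol>; routers may forward it beyond the link.` `PermitLan::applyIpv6` starts outside the hunk.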
@@ -4,6 +4,7 @@ #include "libwfp/filterbuilder.h" #include "libwfp/conditionbuilder.h" #include "libwfp/ipaddress.h" +#include "libwfp/ipnetwork.h" #include "libwfp/conditions/conditionip.h" using namespace wfp::conditions; @@ -21,12 +22,12 @@ bool PermitLanService::applyIpv4(IObjectInstaller &objectInstaller) const wfp::FilterBuilder filterBuilder; // - // #1 incoming request on 10/8 + // #1 incoming request // filterBuilder - .key(MullvadGuids::FilterPermitLanService_10_8()) - .name(L"Permit incoming requests on 10/8") + .key(MullvadGuids::FilterPermitLanService_Inbound_Ipv4()) + .name(L"Permit inbound LAN traffic (IPv4)") .description(L"This filter is part of a rule that permits hosting services in a LAN environment") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4) 
@@ -36,62 +37,10 @@ bool PermitLanService::applyIpv4(IObjectInstaller &objectInstaller) const wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), uint8_t(8))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), uint8_t(8))); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - - // - // #2 incoming request on 172.16/12 - // - - filterBuilder - .key(MullvadGuids::FilterPermitLanService_172_16_12()) - .name(L"Permit incoming requests on 172.16/12"); - - conditionBuilder.reset(); - - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), uint8_t(12))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), uint8_t(12))); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - - // - // #3 incoming request on 192.168/16 - // - - filterBuilder - .key(MullvadGuids::FilterPermitLanService_192_168_16()) - .name(L"Permit incoming requests on 192.168/16"); - - conditionBuilder.reset(); - - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), uint8_t(16))); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - - // - // #4 incoming request on 169.254/16 - // - - filterBuilder - .key(MullvadGuids::FilterPermitLanService_169_254_16()) - .name(L"Permit incoming requests on 169.254/16"); - - conditionBuilder.reset(); - - conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16))); - conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), uint8_t(16))); + 
conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 10, 0, 0, 0 }), 8))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 172, 16, 0, 0 }), 12))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 192, 168, 0, 0 }), 16))); + conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpNetwork(wfp::IpAddress::Literal({ 169, 254, 0, 0 }), 16))); return objectInstaller.addFilter(filterBuilder, conditionBuilder); } @@ -101,12 +50,12 @@ bool PermitLanService::applyIpv6(IObjectInstaller &objectInstaller) const wfp::FilterBuilder filterBuilder; // - // #1 incoming request on fe80::/10 + // #1 incoming request // filterBuilder - .key(MullvadGuids::FilterPermitLanService_Ipv6_fe80_10()) - .name(L"Permit incoming requests on fe80::/10") + .key(MullvadGuids::FilterPermitLanService_Inbound_Ipv6()) + .name(L"Permit inbound LAN traffic (IPv6)") .description(L"This filter is part of a rule that permits hosting services in a LAN environment") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6) @@ -116,10 +65,9 @@ bool PermitLanService::applyIpv6(IObjectInstaller &objectInstaller) const wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); - wfp::IpAddress::Literal6 fe80{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; + const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }, 10); - conditionBuilder.add_condition(ConditionIp::Local(fe80, uint8_t(10))); - conditionBuilder.add_condition(ConditionIp::Remote(fe80, uint8_t(10))); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocal)); return objectInstaller.addFilter(filterBuilder, conditionBuilder); } diff --git a/windows/winfw/src/winfw/rules/permitloopback.cpp b/windows/winfw/src/winfw/rules/permitloopback.cpp index f98fe4f756..99ee977b86 100644 --- a/windows/winfw/src/winfw/rules/permitloopback.cpp 
+++ b/windows/winfw/src/winfw/rules/permitloopback.cpp @@ -20,7 +20,7 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterPermitLoopback_Outbound_Ipv4()) - .name(L"Permit outbound connections on loopback") + .name(L"Permit outbound on loopback (IPv4)") .description(L"This filter is part of a rule that permits all loopback traffic") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) @@ -40,15 +40,16 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller) } // - // #2 permit outbound connections, ipv6 + // #2 permit inbound connections, ipv4 // filterBuilder - .key(MullvadGuids::FilterPermitLoopback_Outbound_Ipv6()) - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + .key(MullvadGuids::FilterPermitLoopback_Inbound_Ipv4()) + .name(L"Permit inbound on loopback (IPv4)") + .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); { - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); conditionBuilder.add_condition(std::make_unique<ConditionLoopback>()); @@ -59,16 +60,16 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller) } // - // #3 permit inbound connections, ipv4 + // #3 permit outbound connections, ipv6 // filterBuilder - .key(MullvadGuids::FilterPermitLoopback_Inbound_Ipv4()) - .name(L"Permit inbound connections on loopback") - .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); + .key(MullvadGuids::FilterPermitLoopback_Outbound_Ipv6()) + .name(L"Permit outbound on loopback (IPv6)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); { - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4); + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); conditionBuilder.add_condition(std::make_unique<ConditionLoopback>()); 
@@ -84,6 +85,7 @@ bool PermitLoopback::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterPermitLoopback_Inbound_Ipv6()) + .name(L"Permit inbound on loopback (IPv6)") .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); diff --git a/windows/winfw/src/winfw/rules/permitndp.cpp b/windows/winfw/src/winfw/rules/permitndp.cpp new file mode 100644 index 0000000000..2aca5d0d1b --- /dev/null +++ b/windows/winfw/src/winfw/rules/permitndp.cpp 
@@ -0,0 +1,89 @@ +#include "stdafx.h" +#include "permitndp.h" +#include "winfw/mullvadguids.h" +#include "libwfp/filterbuilder.h" +#include "libwfp/conditionbuilder.h" +#include "libwfp/ipaddress.h" +#include "libwfp/ipnetwork.h" +#include "libwfp/conditions/conditionprotocol.h" +#include "libwfp/conditions/conditionicmp.h" +#include "libwfp/conditions/conditionip.h" + +using namespace wfp::conditions; + +namespace rules +{ + +bool PermitNdp::apply(IObjectInstaller &objectInstaller) +{ + const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10); + const wfp::IpAddress::Literal6 linkLocalRouterMulticast{ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2 }; + + wfp::FilterBuilder filterBuilder; + + // + // #1 permit outbound router solicitation + // + + filterBuilder + .key(MullvadGuids::FilterPermitNdp_Outbound_Router_Solicitation()) + .name(L"Permit outbound NDP router solicitation") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + + { + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + + conditionBuilder.add_condition(ConditionProtocol::IcmpV6()); + conditionBuilder.add_condition(ConditionIcmp::Type(133)); + conditionBuilder.add_condition(ConditionIcmp::Code(0)); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocalRouterMulticast)); + + if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) + { + return false; + } + } + + // + // #2 permit inbound router advertisement + // + + filterBuilder + .key(MullvadGuids::FilterPermitNdp_Inbound_Router_Advertisement()) + .name(L"Permit inbound NDP router advertisement") + .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); + + { + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); + + conditionBuilder.add_condition(ConditionProtocol::IcmpV6()); + conditionBuilder.add_condition(ConditionIcmp::Type(134)); + conditionBuilder.add_condition(ConditionIcmp::Code(0)); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocal)); + + 
if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) + { + return false; + } + } + + // + // #3 permit inbound redirect message + // + + filterBuilder + .key(MullvadGuids::FilterPermitNdp_Inbound_Redirect()) + .name(L"Permit inbound NDP redirect") + .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); + + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); + + conditionBuilder.add_condition(ConditionProtocol::IcmpV6()); + conditionBuilder.add_condition(ConditionIcmp::Type(137)); + conditionBuilder.add_condition(ConditionIcmp::Code(0)); + conditionBuilder.add_condition(ConditionIp::Remote(linkLocal)); + + return objectInstaller.addFilter(filterBuilder, conditionBuilder); +} + +} diff --git a/windows/winfw/src/winfw/rules/permitndp.h b/windows/winfw/src/winfw/rules/permitndp.h new file mode 100644 index 0000000000..ebd53b62c2 --- /dev/null +++ b/windows/winfw/src/winfw/rules/permitndp.h @@ -0,0 +1,18 @@ +#pragma once + +#include "ifirewallrule.h" + +namespace rules +{ + +class PermitNdp : public IFirewallRule +{ +public: + + PermitNdp() = default; + ~PermitNdp() = default; + + bool apply(IObjectInstaller &objectInstaller) override; +}; + +} diff --git a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp b/windows/winfw/src/winfw/rules/permitvpntunnel.cpp index 39830e70ec..e21a99c04d 100644 --- a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp +++ b/windows/winfw/src/winfw/rules/permitvpntunnel.cpp @@ -25,7 +25,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterPermitVpnTunnel_Outbound_Ipv4()) - .name(L"Permit locally-initiated traffic on tunnel interface") + .name(L"Permit outbound on tunnel interface (IPv4)") .description(L"This filter is part of a rule that permits communications inside the VPN tunnel") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) 
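Review bot: The first filter in `PermitNdp::apply` sets only `.key`, `.name` and `.layer`, and the two later filters reuse the same builder, so none of the three NDP filters gets `.provider(...)`, `.sublayer(...)`, `.weight(...)` or `.permit()`, which `PermitDhcpServer::applyIpv4` in this same commit sets explicitly. Unless `wfp::FilterBuilder` defaults to those values, which the diff does not show, the filters would not be associated with the Mullvad provider or the whitelist sublayer and would carry no explicit permit action. Setting them once on the first filter, as below, covers all three. The ICMPv6 types 133, 134 and 137 would also read better as named constants.

```cpp
filterBuilder
    // … unchanged: .key(...) and .name(...) for router solicitation …
    .description(L"This filter is part of a rule that permits NDP traffic")
    .provider(MullvadGuids::Provider())
    .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6)
    .sublayer(MullvadGuids::SublayerWhitelist())
    .weight(wfp::FilterBuilder::WeightClass::Max)
    .permit();
```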
@@ -50,6 +50,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterPermitVpnTunnel_Outbound_Ipv6()) + .name(L"Permit outbound on tunnel interface (IPv6)") .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); diff --git a/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp b/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp index 182dad4067..bbdf9a6e2b 100644 --- a/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp +++ b/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp @@ -25,7 +25,7 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterPermitVpnTunnelService_Ipv4()) - .name(L"Permit incoming requests on VPN tunnel IPv4") + .name(L"Permit inbound on tunnel interface (IPv4)") .description(L"This filter is part of a rule that permits hosting services that listen on the tunnel interface") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4) @@ -48,7 +48,7 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterPermitVpnTunnelService_Ipv6()) - .name(L"Permit incoming requests on VPN tunnel IPv6") + .name(L"Permit inbound on tunnel interface (IPv6)") .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6); diff --git a/windows/winfw/src/winfw/rules/restrictdns.cpp b/windows/winfw/src/winfw/rules/restrictdns.cpp index 9009dcc4ee..41446db19a 100644 --- a/windows/winfw/src/winfw/rules/restrictdns.cpp +++ b/windows/winfw/src/winfw/rules/restrictdns.cpp 
@@ -35,7 +35,7 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller) filterBuilder .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4()) - .name(L"Block DNS requests outside the VPN tunnel") + .name(L"Block DNS requests outside the VPN tunnel (IPv4)") .description(L"This filter is part of a rule that restricts DNS traffic") .provider(MullvadGuids::Provider()) .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) @@ -55,19 +55,16 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller) } } - // - // IPv6 also - // - filterBuilder - .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv6()) - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + .name(L"Restrict DNS requests inside the VPN tunnel (IPv4)") + .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4()) + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4); { - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); conditionBuilder.add_condition(ConditionPort::Remote(53)); - conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias, CompareNeq())); + conditionBuilder.add_condition(ConditionIp::Remote(m_v4DnsHost, CompareNeq())); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { 
@@ -75,17 +72,20 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller) } } + // + // IPv6 also + // filterBuilder - .name(L"Restrict IPv4 DNS requests inside the VPN tunnel") - .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4()) - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4); + .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv6()) + .name(L"Block DNS requests outside the VPN tunnel (IPv6)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); { - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); conditionBuilder.add_condition(ConditionPort::Remote(53)); - conditionBuilder.add_condition(ConditionIp::Remote(m_v4DnsHost, CompareNeq())); + conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias, CompareNeq())); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { @@ -93,19 +93,18 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller) } } - // - // Specified DNS is IPv6 - // filterBuilder - .name(L"Restrict IPv6 DNS requests inside the VPN tunnel") .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6()) + .name(L"Restrict DNS requests inside the VPN tunnel (IPv6)") .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); { wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); conditionBuilder.add_condition(ConditionPort::Remote(53)); - if (m_v6DnsHost != nullptr) { + + if (m_v6DnsHost != nullptr) + { conditionBuilder.add_condition(ConditionIp::Remote(*m_v6DnsHost, CompareNeq())); } diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj index e2db2fd432..9ab1963930 100644 --- a/windows/winfw/src/winfw/winfw.vcxproj +++ b/windows/winfw/src/winfw/winfw.vcxproj 
@@ -25,9 +25,11 @@ <ClCompile Include="objectpurger.cpp" /> <ClCompile Include="rules\blockall.cpp" /> <ClCompile Include="rules\permitdhcp.cpp" /> + <ClCompile Include="rules\permitdhcpserver.cpp" /> <ClCompile Include="rules\permitlan.cpp" /> <ClCompile Include="rules\permitlanservice.cpp" /> <ClCompile Include="rules\permitloopback.cpp" /> + <ClCompile Include="rules\permitndp.cpp" /> <ClCompile Include="rules\permitvpntunnelservice.cpp" /> <ClCompile Include="rules\permitvpnrelay.cpp" /> <ClCompile Include="rules\permitvpntunnel.cpp" /> @@ -49,6 +51,8 @@ <ClInclude Include="mullvadguids.h" /> <ClInclude Include="mullvadobjects.h" /> <ClInclude Include="objectpurger.h" /> + <ClInclude Include="rules\permitdhcpserver.h" /> + <ClInclude Include="rules\permitndp.h" /> <ClInclude Include="wfpobjecttype.h" /> <ClInclude Include="rules\blockall.h" /> <ClInclude Include="rules\ifirewallrule.h" /> diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters index 8ccdaa4627..0319b0214a 100644 --- a/windows/winfw/src/winfw/winfw.vcxproj.filters +++ b/windows/winfw/src/winfw/winfw.vcxproj.filters @@ -37,6 +37,12 @@ <Filter>rules</Filter> </ClCompile> <ClCompile Include="objectpurger.cpp" /> + <ClCompile Include="rules\permitdhcpserver.cpp"> + <Filter>rules</Filter> + </ClCompile> + <ClCompile Include="rules\permitndp.cpp"> + <Filter>rules</Filter> + </ClCompile> </ItemGroup> <ItemGroup> <ClInclude Include="stdafx.h" /> @@ -81,6 +87,12 @@ <ClInclude Include="wfpobjecttype.h" /> <ClInclude Include="guidhash.h" /> <ClInclude Include="objectpurger.h" /> + <ClInclude Include="rules\permitdhcpserver.h"> + <Filter>rules</Filter> + </ClInclude> + <ClInclude Include="rules\permitndp.h"> + <Filter>rules</Filter> + </ClInclude> </ItemGroup> <ItemGroup> <Filter Include="rules"> |
