| author | Odd Stranne <odd@mullvad.net> | 2020-06-08 15:35:09 +0200 |
|---|---|---|
| committer | Odd Stranne <odd@mullvad.net> | 2020-06-09 10:12:06 +0200 |
| commit | 5cde31bf205656e1a1f5c834b1e3d5c715bc4d12 (patch) | |
| tree | 3c65f84f48b7cfa4020c730f01eeb71d6e2f0b6b | |
| parent | f7c9ed742e707c4cf2301ba683bc5041c303446d (diff) | |
| download | mullvadvpn-5cde31bf205656e1a1f5c834b1e3d5c715bc4d12.tar.xz mullvadvpn-5cde31bf205656e1a1f5c834b1e3d5c715bc4d12.zip | |
Move PermitVpnRelay rule and make it limit access to set of approved applications
| -rw-r--r-- | windows/winfw/src/winfw/rules/baseline/permitvpnrelay.h | 30 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp (renamed from windows/winfw/src/winfw/rules/baseline/permitvpnrelay.cpp) | 38 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/multi/permitvpnrelay.h | 47 |
3 files changed, 82 insertions, 33 deletions
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.h b/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.h
deleted file mode 100644
index 8dd2c630f4..0000000000
--- a/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#pragma once
-
-#include <winfw/rules/ifirewallrule.h>
-#include <libwfp/ipaddress.h>
-
-namespace rules::baseline
-{
-
-class PermitVpnRelay : public IFirewallRule
-{
-public:
-
- enum class Protocol
- {
- Tcp,
- Udp
- };
-
- PermitVpnRelay(const wfp::IpAddress &relay, uint16_t relayPort, Protocol protocol);
-
- bool apply(IObjectInstaller &objectInstaller) override;
-
-private:
-
- const wfp::IpAddress m_relay;
- const uint16_t m_relayPort;
- const Protocol m_protocol;
-};
-
-}
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.cpp b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp
index daa21c3e35..db14ee4852 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpnrelay.cpp
+++ b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp
@@ -6,11 +6,12 @@
 #include <libwfp/conditions/conditionprotocol.h>
 #include <libwfp/conditions/conditionip.h>
 #include <libwfp/conditions/conditionport.h>
+#include <libwfp/conditions/conditionapplication.h>
 #include <libcommon/error.h>
 using namespace wfp::conditions;
-namespace rules::baseline
+namespace rules::multi
 {
 namespace
@@ -42,13 +43,39 @@ std::unique_ptr<ConditionProtocol> CreateProtocolCondition(PermitVpnRelay::Proto
 };
 }
+const GUID &TranslateSublayer(PermitVpnRelay::Sublayer sublayer)
+{
+ switch (sublayer)
+ {
+ case PermitVpnRelay::Sublayer::Baseline: return MullvadGuids::SublayerBaseline();
+ case PermitVpnRelay::Sublayer::Dns: return MullvadGuids::SublayerDns();
+ default:
+ {
+ THROW_ERROR("Missing case handler in switch clause");
+ }
+ };
+}
+
 } // anonymous namespace
-PermitVpnRelay::PermitVpnRelay(const wfp::IpAddress &relay, uint16_t relayPort, Protocol protocol)
+PermitVpnRelay::PermitVpnRelay
+(
+ const wfp::IpAddress &relay,
+ uint16_t relayPort,
+ Protocol protocol,
+ const std::vector<std::wstring> &approvedApplications,
+ Sublayer sublayer
+)
 : m_relay(relay)
 , m_relayPort(relayPort)
 , m_protocol(protocol)
+ , m_approvedApplications(approvedApplications)
+ , m_sublayer(sublayer)
 {
+ if (m_approvedApplications.empty())
+ {
+ THROW_ERROR("Cannot configure relay access without list of approved applications");
+ }
 }
 bool PermitVpnRelay::apply(IObjectInstaller &objectInstaller)
@@ -65,7 +92,7 @@ bool PermitVpnRelay::apply(IObjectInstaller &objectInstaller)
 .description(L"This filter is part of a rule that permits communication with a VPN relay")
 .provider(MullvadGuids::Provider())
 .layer(LayerFromIp(m_relay))
- .sublayer(MullvadGuids::SublayerBaseline())
+ .sublayer(TranslateSublayer(m_sublayer))
 .weight(wfp::FilterBuilder::WeightClass::Max)
 .permit();
@@ -75,6 +102,11 @@ bool PermitVpnRelay::apply(IObjectInstaller &objectInstaller)
 conditionBuilder.add_condition(ConditionPort::Remote(m_relayPort));
 conditionBuilder.add_condition(CreateProtocolCondition(m_protocol));
+ for (const auto &app : m_approvedApplications)
+ {
+ conditionBuilder.add_condition(std::make_unique<ConditionApplication>(app));
+ }
+
 return objectInstaller.addFilter(filterBuilder, conditionBuilder);
 }
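Review bot: The new constructor rejects an empty approvedApplications list but not an empty entry inside it, so a blank path reaches `std::make_unique<ConditionApplication>(app)` in the loop added to apply(), and nothing on this page shows what ConditionApplication does with an empty string; validate entries next to the existing emptiness check with `if (app.empty()) THROW_ERROR("Approved application path must not be empty");` inside a loop over the list. The loop in apply() also deserves a why-comment, since the allow-list semantics depend on WFP behaviour rather than on anything visible here: WFP ORs filter conditions that test the same field and ANDs conditions on different fields, so the several per-application conditions permit any one of the approved applications, each still restricted to the relay address, port and protocol — something like `// WFP ORs conditions on the same field: any approved application may reach the relay, nothing else.` The filter description on the unchanged line still says the rule "permits communication with a VPN relay" without mentioning that it is now limited to approved applications, which would help anyone reading the installed filters. The body of apply() starts and ends outside these hunks.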
diff --git a/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h
new file mode 100644
index 0000000000..e40fce159d
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h
@@ -0,0 +1,47 @@
+#pragma once
+
+#include <winfw/rules/ifirewallrule.h>
+#include <libwfp/ipaddress.h>
+#include <string>
+#include <vector>
+
+namespace rules::multi
+{
+
+class PermitVpnRelay : public IFirewallRule
+{
+public:
+
+ enum class Protocol
+ {
+ Tcp,
+ Udp
+ };
+
+ enum class Sublayer
+ {
+ Baseline,
+ Dns
+ };
+
+ PermitVpnRelay
+ (
+ const wfp::IpAddress &relay,
+ uint16_t relayPort,
+ Protocol protocol,
+ const std::vector<std::wstring> &approvedApplications,
+ Sublayer sublayer
+ );
+
+ bool apply(IObjectInstaller &objectInstaller) override;
+
+private:
+
+ const wfp::IpAddress m_relay;
+ const uint16_t m_relayPort;
+ const Protocol m_protocol;
+ const std::vector<std::wstring> m_approvedApplications;
+ const Sublayer m_sublayer;
+};
+
+} |
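Review bot: The new header declares `Sublayer` and the `approvedApplications` parameter without saying what a caller must pass, and the non-empty requirement is only discoverable by reading the constructor in the .cpp, where it throws. Add above the constructor a comment such as `// approvedApplications: paths of the executables allowed to reach the relay; must be non-empty (the constructor throws otherwise).` and above the enum `// Sublayer the permit filter is installed into (see MullvadGuids).`; that the entries are executable paths is inferred from their use with ConditionApplication, so confirm against libwfp before wording it that strongly. Note also that the namespace moves from rules::baseline to rules::multi and the constructor gains two parameters, yet the diffstat lists only these three files, so any existing caller is presumably updated in a separate commit — worth confirming the build.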
