authorOdd Stranne <odd@mullvad.net>2018-04-12 11:41:00 +0200
committerOdd Stranne <odd@mullvad.net>2018-04-12 11:41:00 +0200
commit8931fd7611bf900d921ad08092971c44be8136f4 (patch)
treeca09499334010ea620a092f32886e5996ad08370
parent0c6c767e265e186495dbaabc859c5844aeb15b41 (diff)
parentd6bdf09ae0fd53b4541a99837a03c8aa6e31cee1 (diff)
downloadmullvadvpn-8931fd7611bf900d921ad08092971c44be8136f4.tar.xz
mullvadvpn-8931fd7611bf900d921ad08092971c44be8136f4.zip
Merge branch 'wfpctl-default-permit-net'
-rw-r--r--wfpctl/src/extras/cli/commands/wfpctl/policy.cpp15
-rw-r--r--wfpctl/src/extras/cli/commands/wfpctl/policy.h1
-rw-r--r--wfpctl/src/wfpctl/wfpcontext.cpp55
-rw-r--r--wfpctl/src/wfpctl/wfpcontext.h7
-rw-r--r--wfpctl/src/wfpctl/wfpctl.cpp30
-rw-r--r--wfpctl/src/wfpctl/wfpctl.def12
-rw-r--r--wfpctl/src/wfpctl/wfpctl.h16
7 files changed, 104 insertions, 32 deletions
diff --git a/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp b/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp
index e323260e48..3d4ce2aaf6 100644
--- a/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp
+++ b/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp
@@ -55,6 +55,12 @@ Policy::Policy(MessageSink messageSink)
m_dispatcher.addSubcommand
(
+ L"netblocked",
+ std::bind(&Policy::processNetBlocked, this)
+ );
+
+ m_dispatcher.addSubcommand
+ (
L"reset",
std::bind(&Policy::processReset, this)
);
@@ -143,6 +149,15 @@ void Policy::processConnected(const KeyValuePairs &arguments)
: L"Failed to apply policy."));
}
+void Policy::processNetBlocked()
+{
+ auto success = Wfpctl_ApplyPolicyNetBlocked();
+
+ m_messageSink((success
+ ? L"Successfully applied policy."
+ : L"Failed to apply policy."));
+}
+
void Policy::processReset()
{
auto success = Wfpctl_Reset();
diff --git a/wfpctl/src/extras/cli/commands/wfpctl/policy.h b/wfpctl/src/extras/cli/commands/wfpctl/policy.h
index 28d966fa21..524640d3e6 100644
--- a/wfpctl/src/extras/cli/commands/wfpctl/policy.h
+++ b/wfpctl/src/extras/cli/commands/wfpctl/policy.h
@@ -28,6 +28,7 @@ private:
void processConnecting(const KeyValuePairs &arguments);
void processConnected(const KeyValuePairs &arguments);
+ void processNetBlocked();
void processReset();
};
diff --git a/wfpctl/src/wfpctl/wfpcontext.cpp b/wfpctl/src/wfpctl/wfpcontext.cpp
index 6d28a075d3..9783336216 100644
--- a/wfpctl/src/wfpctl/wfpcontext.cpp
+++ b/wfpctl/src/wfpctl/wfpcontext.cpp
@@ -32,6 +32,26 @@ rules::PermitVpnRelay::Protocol TranslateProtocol(WfpctlProtocol protocol)
};
}
+void AppendSettingsRules(WfpContext::Ruleset &ruleset, const WfpctlSettings &settings)
+{
+ if (settings.permitDhcp)
+ {
+ ruleset.emplace_back(std::make_unique<rules::PermitDhcp>());
+ }
+
+ if (settings.permitLan)
+ {
+ ruleset.emplace_back(std::make_unique<rules::PermitLan>());
+ ruleset.emplace_back(std::make_unique<rules::PermitLanService>());
+ }
+}
+
+void AppendNetBlockedRules(WfpContext::Ruleset &ruleset)
+{
+ ruleset.emplace_back(std::make_unique<rules::BlockAll>());
+ ruleset.emplace_back(std::make_unique<rules::PermitLoopback>());
+}
+
} // anonymous namespace
WfpContext::WfpContext(uint32_t timeout)
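Review bot: AppendNetBlockedRules at L85-89 now carries the BlockAll and PermitLoopback rules that applyBaseConfiguration used to install once, but nothing in the new helper says why they were moved into every ruleset, and that is the security-relevant decision of this commit. A header comment would keep the next maintainer from "optimising" them back out: `// Every policy is built on top of these two rules. They are no longer installed by applyBaseConfiguration, so a context with no policy applied (and presumably after reset()) leaves traffic permitted.` Whether vector order between BlockAll and the permit rules appended afterwards matters cannot be seen here; if precedence is decided by sublayer weights rather than insertion order, say so in the same comment. The anonymous namespace these helpers live in opens before this hunk.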
@@ -56,7 +76,8 @@ bool WfpContext::applyPolicyConnecting(const WfpctlSettings &settings, const Wfp
{
Ruleset ruleset;
- appendSettingsRules(ruleset, settings);
+ AppendNetBlockedRules(ruleset);
+ AppendSettingsRules(ruleset, settings);
ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>(
wfp::IpAddress(relay.ip),
@@ -71,7 +92,8 @@ bool WfpContext::applyPolicyConnected(const WfpctlSettings &settings, const Wfpc
{
Ruleset ruleset;
- appendSettingsRules(ruleset, settings);
+ AppendNetBlockedRules(ruleset);
+ AppendSettingsRules(ruleset, settings);
ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>(
wfp::IpAddress(relay.ip),
@@ -91,6 +113,15 @@ bool WfpContext::applyPolicyConnected(const WfpctlSettings &settings, const Wfpc
return applyRuleset(ruleset);
}
+bool WfpContext::applyPolicyNetBlocked()
+{
+ Ruleset ruleset;
+
+ AppendNetBlockedRules(ruleset);
+
+ return applyRuleset(ruleset);
+}
+
bool WfpContext::reset()
{
return m_sessionController->executeTransaction([this]()
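Review bot: applyPolicyNetBlocked at L112-119 takes no WfpctlSettings, so a caller that has permitLan or permitDhcp enabled loses LAN and DHCP access the moment this policy is applied, whereas applyPolicyConnecting and applyPolicyConnected still honour those settings. If that is deliberate (a hard block between connections) it should be stated in the method's comment, e.g. `// Deliberately ignores WfpctlSettings: LAN/DHCP exemptions are not applied in the blocked state.`; if not, the method should accept `const WfpctlSettings &settings` and call AppendSettingsRules after AppendNetBlockedRules like the other two policies. The exported Wfpctl_ApplyPolicyNetBlocked signature would have to change with it. reset() continues past the end of this hunk.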
@@ -100,20 +131,6 @@ bool WfpContext::reset()
});
}
-void WfpContext::appendSettingsRules(Ruleset &ruleset, const WfpctlSettings &settings)
-{
- if (settings.permitDhcp)
- {
- ruleset.emplace_back(std::make_unique<rules::PermitDhcp>());
- }
-
- if (settings.permitLan)
- {
- ruleset.emplace_back(std::make_unique<rules::PermitLan>());
- ruleset.emplace_back(std::make_unique<rules::PermitLanService>());
- }
-}
-
bool WfpContext::applyRuleset(const Ruleset &ruleset)
{
return m_sessionController->executeTransaction([&]()
@@ -138,14 +155,10 @@ bool WfpContext::applyBaseConfiguration()
{
//
// Install structural objects
- // Apply block-all rule
- // Apply permit loopback rule
//
return m_sessionController->addProvider(*MullvadObjects::Provider())
&& m_sessionController->addSublayer(*MullvadObjects::SublayerWhitelist())
- && m_sessionController->addSublayer(*MullvadObjects::SublayerBlacklist())
- && rules::BlockAll().apply(*m_sessionController)
- && rules::PermitLoopback().apply(*m_sessionController);
+ && m_sessionController->addSublayer(*MullvadObjects::SublayerBlacklist());
});
}
diff --git a/wfpctl/src/wfpctl/wfpcontext.h b/wfpctl/src/wfpctl/wfpcontext.h
index bfbb2a474c..23c25f0ca5 100644
--- a/wfpctl/src/wfpctl/wfpcontext.h
+++ b/wfpctl/src/wfpctl/wfpcontext.h
@@ -15,19 +15,18 @@ public:
bool applyPolicyConnecting(const WfpctlSettings &settings, const WfpctlRelay &relay);
bool applyPolicyConnected(const WfpctlSettings &settings, const WfpctlRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *primaryDns);
+ bool applyPolicyNetBlocked();
bool reset();
+ using Ruleset = std::vector<std::unique_ptr<rules::IFirewallRule> >;
+
private:
WfpContext(const WfpContext &) = delete;
WfpContext &operator=(const WfpContext &) = delete;
bool applyBaseConfiguration();
-
- using Ruleset = std::vector<std::unique_ptr<rules::IFirewallRule> >;
-
- void appendSettingsRules(Ruleset &ruleset, const WfpctlSettings &settings);
bool applyRuleset(const Ruleset &ruleset);
std::unique_ptr<SessionController> m_sessionController;
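Review bot: The Ruleset alias at L168 becomes part of WfpContext's public interface only so the two file-local helpers in wfpcontext.cpp can name it, which exposes the rules::IFirewallRule container type to every includer of the header. If that is not wanted, the helpers could spell out `std::vector<std::unique_ptr<rules::IFirewallRule>> &` in the .cpp, or the alias could stay private with the helpers declared as private static members. Either way the alias deserves a one-line comment, `// Ordered set of rules applied together in one transaction`, since applyRuleset is what consumes it.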
diff --git a/wfpctl/src/wfpctl/wfpctl.cpp b/wfpctl/src/wfpctl/wfpctl.cpp
index 84542a2ca0..5ac5617e0a 100644
--- a/wfpctl/src/wfpctl/wfpctl.cpp
+++ b/wfpctl/src/wfpctl/wfpctl.cpp
@@ -147,6 +147,36 @@ Wfpctl_ApplyPolicyConnected(
WFPCTL_LINKAGE
bool
WFPCTL_API
+Wfpctl_ApplyPolicyNetBlocked(
+)
+{
+ if (nullptr == g_wfpContext)
+ {
+ return false;
+ }
+
+ try
+ {
+ return g_wfpContext->applyPolicyNetBlocked();
+ }
+ catch (std::exception &err)
+ {
+ if (nullptr != g_ErrorSink)
+ {
+ g_ErrorSink(err.what(), g_ErrorContext);
+ }
+
+ return false;
+ }
+ catch (...)
+ {
+ return false;
+ }
+}
+
+WFPCTL_LINKAGE
+bool
+WFPCTL_API
Wfpctl_Reset()
{
if (nullptr == g_wfpContext)
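Review bot: Wfpctl_ApplyPolicyNetBlocked fails silently on two of its three failure paths: the `nullptr == g_wfpContext` early return at L191-194 and the `catch (...)` at L209-212 both return false without reporting through g_ErrorSink, so a caller relying on this call to reach a blocked state gets no diagnostic when it does not. This presumably mirrors the existing entry points, but for the fail-closed policy a message on those paths is cheap: `if (nullptr != g_ErrorSink) { g_ErrorSink("Wfpctl_ApplyPolicyNetBlocked: unknown exception", g_ErrorContext); }` inside the catch-all, and similarly for the uninitialised case. Also catch by const reference, `catch (const std::exception &err)`.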
diff --git a/wfpctl/src/wfpctl/wfpctl.def b/wfpctl/src/wfpctl/wfpctl.def
index fd1590b1aa..a175f1afb2 100644
--- a/wfpctl/src/wfpctl/wfpctl.def
+++ b/wfpctl/src/wfpctl/wfpctl.def
@@ -1,7 +1,9 @@
LIBRARY wfpctl
EXPORTS
- Wfpctl_ApplyPolicyConnected
- Wfpctl_ApplyPolicyConnecting
- Wfpctl_Deinitialize
- Wfpctl_Initialize
- Wfpctl_Reset \ No newline at end of file
+
+Wfpctl_Initialize
+Wfpctl_Deinitialize
+Wfpctl_ApplyPolicyConnecting
+Wfpctl_ApplyPolicyConnected
+Wfpctl_ApplyPolicyNetBlocked
+Wfpctl_Reset
diff --git a/wfpctl/src/wfpctl/wfpctl.h b/wfpctl/src/wfpctl/wfpctl.h
index d514d5876e..3d92b02760 100644
--- a/wfpctl/src/wfpctl/wfpctl.h
+++ b/wfpctl/src/wfpctl/wfpctl.h
@@ -86,7 +86,7 @@ Wfpctl_Deinitialize();
//
// ApplyPolicyConnecting:
//
-// Apply restrictions in the firewall that blocks all traffic, except:
+// Apply restrictions in the firewall that block all traffic, except:
// - What is specified by settings
// - Communication with the relay server
//
@@ -102,7 +102,7 @@ Wfpctl_ApplyPolicyConnecting(
//
// ApplyPolicyConnected:
//
-// Apply restrictions in the firewall that blocks all traffic, except:
+// Apply restrictions in the firewall that block all traffic, except:
// - What is specified by settings
// - Communication with the relay server
// - Non-DNS traffic inside the VPN tunnel
@@ -127,6 +127,18 @@ Wfpctl_ApplyPolicyConnected(
);
//
+// ApplyPolicyNetBlocked:
+//
+// Apply restrictions in the firewall that block all traffic.
+//
+extern "C"
+WFPCTL_LINKAGE
+bool
+WFPCTL_API
+Wfpctl_ApplyPolicyNetBlocked(
+);
+
+//
// Reset:
//
// Clear the policy in effect, if any.
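Review bot: The comment for ApplyPolicyNetBlocked at L267 says the policy blocks all traffic, but the ruleset it applies (AppendNetBlockedRules in wfpcontext.cpp) also installs a PermitLoopback rule, so loopback is exempt; the comment should use the same format as the two policies above it: `// Apply restrictions in the firewall that block all traffic, except:` followed by `// - Loopback traffic`. Because the base configuration no longer installs a block-all rule, this header is also where API consumers should be told that after Wfpctl_Initialize nothing is blocked until one of the ApplyPolicy* calls succeeds, and that this function does not apply the DHCP/LAN exemptions from WfpctlSettings.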