authorOdd Stranne <odd@mullvad.net>2020-02-15 01:17:14 +0100
committerOdd Stranne <odd@mullvad.net>2020-02-19 20:46:18 +0100
commit9276b0f1436296a4ac45a511e8346623e65fa8b7 (patch)
tree06f1ad1a3a8f31e0b4742a55a5e73daf992859d3
parent85b61da9a8bcdb87c390ccfb66ecf3592d1b17ee (diff)
Restore policies without any concern for DNS management
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp79
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.cpp132
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.h35
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters6
5 files changed, 37 insertions, 217 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index 609f097336..5a7bdcc36c 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -2,34 +2,35 @@
#include "fwcontext.h"
#include "mullvadobjects.h"
#include "objectpurger.h"
-#include "rules/blockall.h"
#include "rules/ifirewallrule.h"
-#include "rules/permitdhcp.h"
-#include "rules/permitndp.h"
-#include "rules/permitdhcpserver.h"
-#include "rules/permitlan.h"
-#include "rules/permitlanservice.h"
-#include "rules/permitloopback.h"
-#include "rules/permitvpnrelay.h"
-#include "rules/permitvpntunnel.h"
-#include "rules/permitvpntunnelservice.h"
-#include "rules/permitping.h"
-#include "rules/restrictdns.h"
+#include "rules/baseline/blockall.h"
+#include "rules/baseline/permitdhcp.h"
+#include "rules/baseline/permitndp.h"
+#include "rules/baseline/permitdhcpserver.h"
+#include "rules/baseline/permitlan.h"
+#include "rules/baseline/permitlanservice.h"
+#include "rules/baseline/permitloopback.h"
+#include "rules/baseline/permitvpnrelay.h"
+#include "rules/baseline/permitvpntunnel.h"
+#include "rules/baseline/permitvpntunnelservice.h"
+#include "rules/baseline/permitping.h"
#include <libwfp/transaction.h>
#include <libwfp/filterengine.h>
#include <libcommon/error.h>
#include <functional>
#include <utility>
+using namespace rules;
+
namespace
{
-rules::PermitVpnRelay::Protocol TranslateProtocol(WinFwProtocol protocol)
+baseline::PermitVpnRelay::Protocol TranslateProtocol(WinFwProtocol protocol)
{
switch (protocol)
{
- case Tcp: return rules::PermitVpnRelay::Protocol::Tcp;
- case Udp: return rules::PermitVpnRelay::Protocol::Udp;
+ case Tcp: return baseline::PermitVpnRelay::Protocol::Tcp;
+ case Udp: return baseline::PermitVpnRelay::Protocol::Udp;
default:
{
THROW_ERROR("Missing case handler in switch clause");
@@ -41,23 +42,22 @@ void AppendSettingsRules(FwContext::Ruleset &ruleset, const WinFwSettings &setti
{
if (settings.permitDhcp)
{
- ruleset.emplace_back(std::make_unique<rules::PermitDhcp>());
- ruleset.emplace_back(std::make_unique<rules::PermitNdp>());
+ ruleset.emplace_back(std::make_unique<baseline::PermitDhcp>());
+ ruleset.emplace_back(std::make_unique<baseline::PermitNdp>());
}
if (settings.permitLan)
{
- ruleset.emplace_back(std::make_unique<rules::PermitLan>());
- ruleset.emplace_back(std::make_unique<rules::PermitLanService>());
- ruleset.emplace_back(rules::PermitDhcpServer::WithExtent(rules::PermitDhcpServer::Extent::IPv4Only));
+ ruleset.emplace_back(std::make_unique<baseline::PermitLan>());
+ ruleset.emplace_back(std::make_unique<baseline::PermitLanService>());
+ ruleset.emplace_back(baseline::PermitDhcpServer::WithExtent(baseline::PermitDhcpServer::Extent::IPv4Only));
}
}
-void AppendNetBlockedRules(FwContext::Ruleset &ruleset, const std::optional<WinFwRelay> &relay, const std::optional<rules::RestrictDns::DnsHosts> &dnsHosts)
+void AppendNetBlockedRules(FwContext::Ruleset &ruleset)
{
- ruleset.emplace_back(std::make_unique<rules::BlockAll>());
- ruleset.emplace_back(std::make_unique<rules::PermitLoopback>());
- ruleset.emplace_back(std::make_unique<rules::RestrictDns>(relay, dnsHosts));
+ ruleset.emplace_back(std::make_unique<baseline::BlockAll>());
+ ruleset.emplace_back(std::make_unique<baseline::PermitLoopback>());
}
} // anonymous namespace
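Review bot: With `RestrictDns` dropped from `AppendNetBlockedRules`, nothing in this commit installs a filter that blocks port 53 outside the tunnel, even though `applyCommonBaseConfiguration` now creates `SublayerNonTunnelDns` and `SublayerTunnelDns` — the "blocked" baseline is therefore weaker than before until the rules for those sublayers land. In particular, when `settings.permitLan` is set, `PermitLan` (installed right after this baseline) would presumably let a DNS query reach a LAN resolver, which the removed filter explicitly blocked; whether that is actually reachable depends on sublayer weights defined in `MullvadObjects`, which is not in this diff. The reader of this helper should be told the baseline no longer covers DNS: `// NOTE: DNS restriction is intentionally not part of this baseline; it is applied separately through the NonTunnelDns/TunnelDns sublayers.`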
@@ -109,10 +109,10 @@ bool FwContext::applyPolicyConnecting
{
Ruleset ruleset;
- AppendNetBlockedRules(ruleset, relay, std::nullopt);
+ AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
- ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>(
+ ruleset.emplace_back(std::make_unique<baseline::PermitVpnRelay>(
wfp::IpAddress(relay.ip),
relay.port,
TranslateProtocol(relay.protocol)
@@ -127,7 +127,7 @@ bool FwContext::applyPolicyConnecting
for (const auto &host : ph.hosts)
{
- ruleset.emplace_back(std::make_unique<rules::PermitPing>(
+ ruleset.emplace_back(std::make_unique<baseline::PermitPing>(
ph.tunnelInterfaceAlias,
host
));
@@ -142,32 +142,26 @@ bool FwContext::applyPolicyConnected
const WinFwSettings &settings,
const WinFwRelay &relay,
const std::wstring &tunnelInterfaceAlias,
- const wfp::IpAddress &v4DnsHost,
- const std::optional<wfp::IpAddress> &v6DnsHost
+ const wfp::IpAddress & /*v4DnsHost*/,
+ const std::optional<wfp::IpAddress> &/*v6DnsHost*/
)
{
Ruleset ruleset;
- rules::RestrictDns::DnsHosts dnsHosts =
- {
- tunnelInterfaceAlias,
- v4DnsHost,
- v6DnsHost
- };
- AppendNetBlockedRules(ruleset, relay, dnsHosts);
+ AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
- ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>(
+ ruleset.emplace_back(std::make_unique<baseline::PermitVpnRelay>(
wfp::IpAddress(relay.ip),
relay.port,
TranslateProtocol(relay.protocol)
));
- ruleset.emplace_back(std::make_unique<rules::PermitVpnTunnel>(
+ ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnel>(
tunnelInterfaceAlias
));
- ruleset.emplace_back(std::make_unique<rules::PermitVpnTunnelService>(
+ ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnelService>(
tunnelInterfaceAlias
));
@@ -191,7 +185,7 @@ FwContext::Ruleset FwContext::composePolicyBlocked(const WinFwSettings &settings
{
Ruleset ruleset;
- AppendNetBlockedRules(ruleset, std::nullopt, std::nullopt);
+ AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
return ruleset;
@@ -237,8 +231,9 @@ bool FwContext::applyCommonBaseConfiguration(SessionController &controller, wfp:
// Install structural objects
//
return controller.addProvider(*MullvadObjects::Provider())
- && controller.addSublayer(*MullvadObjects::SublayerWhitelist())
- && controller.addSublayer(*MullvadObjects::SublayerBlacklist());
+ && controller.addSublayer(*MullvadObjects::SublayerBaseline())
+ && controller.addSublayer(*MullvadObjects::SublayerNonTunnelDns())
+ && controller.addSublayer(*MullvadObjects::SublayerTunnelDns());
}
bool FwContext::applyRuleset(const Ruleset &ruleset)
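Review bot: The two new DNS sublayers are added here, but whether a block filter placed in `SublayerNonTunnelDns` can override a permit in `SublayerBaseline` (e.g. from `PermitLan` or `PermitVpnRelay`) is decided entirely by the sublayer weights in `MullvadObjects`, which this diff does not show. Since the security property of the whole DNS redesign rests on that ordering, it is worth stating the intent at the point the sublayers are installed: `// Sublayers are evaluated by weight; the DNS sublayers must outrank Baseline so that DNS blocks win over baseline permits.` Please confirm the weights in `MullvadObjects` match that before the DNS rules are added.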
diff --git a/windows/winfw/src/winfw/rules/restrictdns.cpp b/windows/winfw/src/winfw/rules/restrictdns.cpp
deleted file mode 100644
index 751e278233..0000000000
--- a/windows/winfw/src/winfw/rules/restrictdns.cpp
+++ /dev/null
@@ -1,132 +0,0 @@
-#include "stdafx.h"
-#include "restrictdns.h"
-#include "winfw/mullvadguids.h"
-#include "libwfp/filterbuilder.h"
-#include "libwfp/conditionbuilder.h"
-#include "libwfp/conditions/conditioninterface.h"
-#include "libwfp/conditions/conditionip.h"
-#include "libwfp/conditions/conditionport.h"
-
-using namespace wfp::conditions;
-
-namespace rules
-{
-
-RestrictDns::RestrictDns(
- const std::optional<WinFwRelay> &relay,
- const std::optional<DnsHosts> &dnsHosts
-)
- : m_dnsHosts(dnsHosts)
-{
- if (relay.has_value() && 53 == relay->port)
- {
- m_allowHost = std::make_optional(wfp::IpAddress(relay->ip));
- }
-}
-
-bool RestrictDns::apply(IObjectInstaller &objectInstaller)
-{
- wfp::FilterBuilder filterBuilder;
-
- //
- // Requires that the following rules are in effect:
- //
- // BlockAll
- // PermitVpnTunnel
- //
- // TODO: Have each rule specify requirements?
- //
-
- filterBuilder
- .provider(MullvadGuids::Provider())
- .description(L"This filter is part of a rule that restricts DNS traffic")
- .sublayer(MullvadGuids::SublayerBlacklist());
-
- if (m_dnsHosts.has_value())
- {
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4())
- .name(L"Restrict DNS requests inside the VPN tunnel (IPv4)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
- .weight(MAXUINT16)
- .permit();
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionInterface::Alias(m_dnsHosts->tunnelInterfaceAlias, CompareEq()));
- conditionBuilder.add_condition(ConditionIp::Remote(m_dnsHosts->v4DnsHost, CompareEq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
- }
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4())
- .name(L"Block DNS requests outside the VPN tunnel (IPv4)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
- .weight(MAXUINT16 - 1)
- .block();
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
- conditionBuilder.add_condition(ConditionPort::Remote(53));
-
- //
- // Allow DNS traffic over select host
- //
- if (m_allowHost.has_value())
- {
- conditionBuilder.add_condition(ConditionIp::Remote(*m_allowHost, CompareNeq()));
- }
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
-
- //
- // IPv6 also
- //
-
- if (m_dnsHosts.has_value() && m_dnsHosts->v6DnsHost.has_value())
- {
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6())
- .name(L"Restrict DNS requests inside the VPN tunnel (IPv6)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6)
- .weight(MAXUINT16)
- .permit();
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- conditionBuilder.add_condition(ConditionInterface::Alias(m_dnsHosts->tunnelInterfaceAlias, CompareEq()));
- conditionBuilder.add_condition(ConditionIp::Remote(*m_dnsHosts->v6DnsHost, CompareEq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
- }
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv6())
- .name(L"Block DNS requests outside the VPN tunnel (IPv6)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6)
- .weight(MAXUINT16 - 1)
- .block();
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
- conditionBuilder.add_condition(ConditionPort::Remote(53));
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
- }
-}
-
-}
diff --git a/windows/winfw/src/winfw/rules/restrictdns.h b/windows/winfw/src/winfw/rules/restrictdns.h
deleted file mode 100644
index 9cf0ad00a9..0000000000
--- a/windows/winfw/src/winfw/rules/restrictdns.h
+++ /dev/null
@@ -1,35 +0,0 @@
-#pragma once
-
-#include "ifirewallrule.h"
-#include "libwfp/ipaddress.h"
-#include "winfw/winfw.h"
-#include <optional>
-#include <string>
-#include <cstdint>
-
-namespace rules
-{
-
-class RestrictDns : public IFirewallRule
-{
-public:
-
- struct DnsHosts
- {
- std::wstring tunnelInterfaceAlias;
- wfp::IpAddress v4DnsHost;
- std::optional<wfp::IpAddress> v6DnsHost;
- };
-
- RestrictDns(const std::optional<WinFwRelay> &relay, const std::optional<DnsHosts> &dnsHosts);
-
- bool apply(IObjectInstaller &objectInstaller) override;
-
-private:
-
- std::optional<wfp::IpAddress> m_allowHost;
- const std::optional<DnsHosts> m_dnsHosts;
-
-};
-
-}
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index b2ba603aee..b32e349cf2 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -34,7 +34,6 @@
<ClCompile Include="rules\baseline\permitvpnrelay.cpp" />
<ClCompile Include="rules\baseline\permitvpntunnel.cpp" />
<ClCompile Include="rules\baseline\permitvpntunnelservice.cpp" />
- <ClCompile Include="rules\restrictdns.cpp" />
<ClCompile Include="sessioncontroller.cpp" />
<ClCompile Include="sessionrecord.cpp" />
<ClCompile Include="stdafx.cpp">
@@ -65,7 +64,6 @@
<ClInclude Include="rules\baseline\permitvpntunnelservice.h" />
<ClInclude Include="wfpobjecttype.h" />
<ClInclude Include="rules\ifirewallrule.h" />
- <ClInclude Include="rules\restrictdns.h" />
<ClInclude Include="sessioncontroller.h" />
<ClInclude Include="sessionrecord.h" />
<ClInclude Include="stdafx.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index 9c5fed6328..8137447901 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -9,9 +9,6 @@
<ClCompile Include="mullvadguids.cpp" />
<ClCompile Include="mullvadobjects.cpp" />
<ClCompile Include="sessionrecord.cpp" />
- <ClCompile Include="rules\restrictdns.cpp">
- <Filter>rules</Filter>
- </ClCompile>
<ClCompile Include="objectpurger.cpp" />
<ClCompile Include="rules\baseline\blockall.cpp">
<Filter>rules\baseline</Filter>
@@ -60,9 +57,6 @@
</ClInclude>
<ClInclude Include="iobjectinstaller.h" />
<ClInclude Include="sessionrecord.h" />
- <ClInclude Include="rules\restrictdns.h">
- <Filter>rules</Filter>
- </ClInclude>
<ClInclude Include="wfpobjecttype.h" />
<ClInclude Include="guidhash.h" />
<ClInclude Include="objectpurger.h" />