authorOdd Stranne <odd@mullvad.net>2019-05-16 12:28:41 +0200
committerOdd Stranne <odd@mullvad.net>2019-05-27 10:30:55 +0200
commitdbe270c45fd8da7441d0c21e163f21e32fcec006 (patch)
treee2a3c667baaeb6dbae9dc852556e8f32e5c3cdb6
parentd04cca61621581092060a58882758271704c6a36 (diff)
Add permit rule for DHCPv4 server
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp2
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp30
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h3
-rw-r--r--windows/winfw/src/winfw/rules/permitdhcpserver.cpp79
-rw-r--r--windows/winfw/src/winfw/rules/permitdhcpserver.h22
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters6
7 files changed, 144 insertions, 0 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index b77ac82cb5..395b396cde 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -5,6 +5,7 @@
#include "rules/blockall.h"
#include "rules/ifirewallrule.h"
#include "rules/permitdhcp.h"
+#include "rules/permitdhcpserver.h"
#include "rules/permitlan.h"
#include "rules/permitlanservice.h"
#include "rules/permitloopback.h"
@@ -46,6 +47,7 @@ void AppendSettingsRules(FwContext::Ruleset &ruleset, const WinFwSettings &setti
{
ruleset.emplace_back(std::make_unique<rules::PermitLan>());
ruleset.emplace_back(std::make_unique<rules::PermitLanService>());
+ ruleset.emplace_back(std::make_unique<rules::PermitDhcpServer>());
}
}
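Review bot: The PermitDhcpServer rule added at line 38 sits inside a block whose guard is outside the hunk, next to PermitLan and PermitLanService, so its activation is silently tied to whatever setting controls that block (presumably the allow-LAN option) and nothing in the code states that dependency. A one-line comment would make the coupling explicit, e.g. `// A local DHCP server only serves the LAN, so it is enabled by the same setting as PermitLan`. If the guard turns out to be a different setting, the comment should name that one instead. AppendSettingsRules begins before the hunk, so the condition itself cannot be confirmed here.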
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index c96cbd4b4b..5cc5d5b631 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -45,6 +45,8 @@ DetailedWfpObjectRegistry MullvadGuids::BuildDetailedRegistry()
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV6_Outbound_Request()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV4_Inbound_Response()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV6_Inbound_Response()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV4Server_Inbound_Request()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitDhcpV4Server_Outbound_Response()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnRelay()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv6()));
@@ -368,6 +370,34 @@ const GUID &MullvadGuids::FilterPermitDhcpV6_Inbound_Response()
}
//static
+const GUID &MullvadGuids::FilterPermitDhcpV4Server_Inbound_Request()
+{
+ static const GUID g =
+ {
+ 0xa6c98ac3,
+ 0xe06,
+ 0x4fd2,
+ { 0xb4, 0x5e, 0xb7, 0xef, 0x67, 0x4, 0x43, 0xbc }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::FilterPermitDhcpV4Server_Outbound_Response()
+{
+ static const GUID g =
+ {
+ 0x57006c23,
+ 0xc21f,
+ 0x4d23,
+ { 0x88, 0xf, 0x5a, 0x9d, 0x94, 0x6b, 0xc2, 0xf3 }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::FilterPermitVpnRelay()
{
static const GUID g =
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 3ea7bdd2c5..ca1f926e9b 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -48,6 +48,9 @@ public:
static const GUID &FilterPermitDhcpV4_Inbound_Response();
static const GUID &FilterPermitDhcpV6_Inbound_Response();
+ static const GUID &FilterPermitDhcpV4Server_Inbound_Request();
+ static const GUID &FilterPermitDhcpV4Server_Outbound_Response();
+
static const GUID &FilterPermitVpnRelay();
static const GUID &FilterPermitVpnTunnel_Outbound_Ipv4();
diff --git a/windows/winfw/src/winfw/rules/permitdhcpserver.cpp b/windows/winfw/src/winfw/rules/permitdhcpserver.cpp
new file mode 100644
index 0000000000..00d49a049f
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permitdhcpserver.cpp
@@ -0,0 +1,79 @@
+#include "stdafx.h"
+#include "permitdhcpserver.h"
+#include "winfw/mullvadguids.h"
+#include "libwfp/filterbuilder.h"
+#include "libwfp/conditionbuilder.h"
+#include "libwfp/ipaddress.h"
+#include "libwfp/conditions/conditionprotocol.h"
+#include "libwfp/conditions/conditionport.h"
+#include "libwfp/conditions/conditionip.h"
+
+using namespace wfp::conditions;
+
+namespace rules
+{
+
+namespace
+{
+
+static const uint32_t DHCPV4_CLIENT_PORT = 68;
+static const uint32_t DHCPV4_SERVER_PORT = 67;
+
+} // anonymous namespace
+
+bool PermitDhcpServer::apply(IObjectInstaller &objectInstaller)
+{
+ return applyIpv4(objectInstaller);
+}
+
+bool PermitDhcpServer::applyIpv4(IObjectInstaller &objectInstaller) const
+{
+ //
+ // #1 permit incoming DHCPv4 request
+ //
+
+ wfp::FilterBuilder filterBuilder;
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitDhcpV4Server_Inbound_Request())
+ .name(L"Permit inbound DHCPv4 request")
+ .description(L"This filter is part of a rule that permits DHCP server traffic")
+ .provider(MullvadGuids::Provider())
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)
+ .sublayer(MullvadGuids::SublayerWhitelist())
+ .weight(wfp::FilterBuilder::WeightClass::Max)
+ .permit();
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+
+ conditionBuilder.add_condition(ConditionProtocol::Udp());
+ conditionBuilder.add_condition(ConditionPort::Local(DHCPV4_SERVER_PORT));
+ conditionBuilder.add_condition(ConditionIp::Local(wfp::IpAddress::Literal({ 255, 255, 255, 255 })));
+ conditionBuilder.add_condition(ConditionPort::Remote(DHCPV4_CLIENT_PORT));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #2 permit outbound DHCPv4 response
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitDhcpV4Server_Outbound_Response())
+ .name(L"Permit outbound DHCPv4 response")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+
+ conditionBuilder.add_condition(ConditionProtocol::Udp());
+ conditionBuilder.add_condition(ConditionPort::Local(DHCPV4_SERVER_PORT));
+ conditionBuilder.add_condition(ConditionPort::Remote(DHCPV4_CLIENT_PORT));
+
+ return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+}
+
+}
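Review bot: The outbound filter at the end of applyIpv4 constrains only protocol and ports (local 67, remote 68) and not the destination address, so while the firewall is engaged any local process that binds UDP 67 can send to port 68 on an arbitrary host outside the tunnel. DHCP server replies go either to the limited-broadcast address or to the offered address on the directly attached subnet, so the rule could mirror the inbound filter with `conditionBuilder.add_condition(ConditionIp::Remote(wfp::IpAddress::Literal({ 255, 255, 255, 255 })));` and, if PermitLan already enumerates the private/link-local ranges, add those as further remote-address conditions (WFP ORs conditions on the same field). Separately, the inbound filter only admits requests whose local address is 255.255.255.255; a client in RENEWING state unicasts its DHCPREQUEST to the server's own address, so those renewals will be dropped until the client falls back to broadcast rebinding — if that is not intended, the local-address condition should also admit the interface's unicast address. Whether PermitLan defines such ranges cannot be confirmed from this diff.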
diff --git a/windows/winfw/src/winfw/rules/permitdhcpserver.h b/windows/winfw/src/winfw/rules/permitdhcpserver.h
new file mode 100644
index 0000000000..49e06bfb53
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permitdhcpserver.h
@@ -0,0 +1,22 @@
+#pragma once
+
+#include "ifirewallrule.h"
+
+namespace rules
+{
+
+class PermitDhcpServer : public IFirewallRule
+{
+public:
+
+ PermitDhcpServer() = default;
+ ~PermitDhcpServer() = default;
+
+ bool apply(IObjectInstaller &objectInstaller) override;
+
+private:
+
+ bool applyIpv4(IObjectInstaller &objectInstaller) const;
+};
+
+}
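Review bot: The new PermitDhcpServer class has no comment describing the traffic it opens, so a reader of the header cannot tell that it covers only IPv4 and, per the accompanying permitdhcpserver.cpp, only broadcast-addressed inbound requests. Suggest a comment above the class: `// Permits a local DHCPv4 server: inbound UDP 67 requests addressed to 255.255.255.255 and outbound UDP 67->68 responses. DHCPv6 is not covered.` The `applyIpv4` name hints that an IPv6 counterpart was considered; if one is planned, a TODO next to the declaration would record that.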
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index e2db2fd432..cbd14ac9aa 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -25,6 +25,7 @@
<ClCompile Include="objectpurger.cpp" />
<ClCompile Include="rules\blockall.cpp" />
<ClCompile Include="rules\permitdhcp.cpp" />
+ <ClCompile Include="rules\permitdhcpserver.cpp" />
<ClCompile Include="rules\permitlan.cpp" />
<ClCompile Include="rules\permitlanservice.cpp" />
<ClCompile Include="rules\permitloopback.cpp" />
@@ -49,6 +50,7 @@
<ClInclude Include="mullvadguids.h" />
<ClInclude Include="mullvadobjects.h" />
<ClInclude Include="objectpurger.h" />
+ <ClInclude Include="rules\permitdhcpserver.h" />
<ClInclude Include="wfpobjecttype.h" />
<ClInclude Include="rules\blockall.h" />
<ClInclude Include="rules\ifirewallrule.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index 8ccdaa4627..c8bbb5beda 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -37,6 +37,9 @@
<Filter>rules</Filter>
</ClCompile>
<ClCompile Include="objectpurger.cpp" />
+ <ClCompile Include="rules\permitdhcpserver.cpp">
+ <Filter>rules</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
@@ -81,6 +84,9 @@
<ClInclude Include="wfpobjecttype.h" />
<ClInclude Include="guidhash.h" />
<ClInclude Include="objectpurger.h" />
+ <ClInclude Include="rules\permitdhcpserver.h">
+ <Filter>rules</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="rules">