authorEmīls Piņķis <emils@mullvad.net>2019-02-28 13:09:20 +0000
committerEmīls Piņķis <emils@mullvad.net>2019-02-28 13:09:20 +0000
commit4511b00ecd8b243cacaf4cdc8952616d2b5ce53c (patch)
tree37db0cb6a31309f2e3e63132a2e5b96993d8e0c4 /windows
parent94efa3bd621ede90485a5e5a9e8da933495ca2af (diff)
parent56f16deb8c97fe9b60bb92b349fed4ce4b5dbe75 (diff)
Merge branch 'support-v6-gateway'
Diffstat (limited to 'windows')
-rw-r--r--windows/windns/src/windns/windns.cpp2
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp6
-rw-r--r--windows/winfw/src/winfw/fwcontext.h2
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.cpp68
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.h6
-rw-r--r--windows/winfw/src/winfw/winfw.cpp5
-rw-r--r--windows/winfw/src/winfw/winfw.h3
7 files changed, 32 insertions, 60 deletions
diff --git a/windows/windns/src/windns/windns.cpp b/windows/windns/src/windns/windns.cpp
index fe674723e2..e082f0826e 100644
--- a/windows/windns/src/windns/windns.cpp
+++ b/windows/windns/src/windns/windns.cpp
@@ -104,8 +104,6 @@ WinDns_Set(
if (nullptr == g_Context
|| nullptr == ipv4Servers
|| 0 == numIpv4Servers
- || nullptr == ipv6Servers
- || 0 == numIpv6Servers
|| nullptr == recoverySink)
{
return false;
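Review bot: Removing both IPv6 checks leaves `ipv6Servers` and `numIpv6Servers` unvalidated as a pair, so a caller can now pass a null pointer with a non-zero count (or a non-null pointer with a zero count) and whatever consumes the list further down WinDns_Set will either read through a null pointer or silently drop the servers. If the intent is that IPv6 servers are optional, keep an all-or-nothing consistency check in place of the removed lines: `|| ((nullptr == ipv6Servers) != (0 == numIpv6Servers))`. The remainder of WinDns_Set, including where the IPv6 list is consumed, lies outside this hunk, so the exact consequence is inferred.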
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index c25dbbbe0c..3a90c97b9f 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -89,7 +89,7 @@ bool FwContext::applyPolicyConnecting(const WinFwSettings &settings, const WinFw
return applyRuleset(ruleset);
}
-bool FwContext::applyPolicyConnected(const WinFwSettings &settings, const WinFwRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *primaryDns)
+bool FwContext::applyPolicyConnected(const WinFwSettings &settings, const WinFwRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *v4Gateway, const wchar_t *v6Gateway)
{
Ruleset ruleset;
@@ -110,9 +110,11 @@ bool FwContext::applyPolicyConnected(const WinFwSettings &settings, const WinFwR
tunnelInterfaceAlias
));
+ /// We currently expect DNS servers to only be ran on the tunnel gateway IPs
ruleset.emplace_back(std::make_unique<rules::RestrictDns>(
tunnelInterfaceAlias,
- wfp::IpAddress(primaryDns)
+ wfp::IpAddress(v4Gateway),
+ (v6Gateway != nullptr) ? &wfp::IpAddress(v6Gateway) : nullptr
));
return applyRuleset(ruleset);
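Review bot: `&wfp::IpAddress(v6Gateway)` takes the address of a temporary, which is ill-formed in standard C++ (MSVC accepts it as an extension, gcc/clang reject it), and the RestrictDns constructor stores that pointer as `m_v6DnsHost` (restrictdns.h / restrictdns.cpp hunks) rather than copying the object; the temporary dies at the end of the `emplace_back` full-expression, so `*m_v6DnsHost` in `RestrictDns::apply` reads a destroyed stack object. The minimal fix that keeps the current interface is to own the optional address in a local that outlives `applyRuleset(ruleset)`, as below; this is only sufficient if `applyRuleset` does not retain the rules beyond the call, which I cannot see here, so the durable fix is for RestrictDns to hold its own copy (e.g. a `std::unique_ptr<const wfp::IpAddress>` member). While touching the new comment, "ran" should read "run".
```cpp
	/// We currently expect DNS servers to only be run on the tunnel gateway IPs
	// Keep the optional IPv6 address alive for as long as the rule may dereference it.
	std::unique_ptr<wfp::IpAddress> v6DnsHost;
	if (v6Gateway != nullptr)
	{
		v6DnsHost = std::make_unique<wfp::IpAddress>(v6Gateway);
	}
	ruleset.emplace_back(std::make_unique<rules::RestrictDns>(
		tunnelInterfaceAlias,
		wfp::IpAddress(v4Gateway),
		v6DnsHost.get()
	));

	return applyRuleset(ruleset);
```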
diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h
index d4198be9e4..65c45ac539 100644
--- a/windows/winfw/src/winfw/fwcontext.h
+++ b/windows/winfw/src/winfw/fwcontext.h
@@ -14,7 +14,7 @@ public:
FwContext(uint32_t timeout);
bool applyPolicyConnecting(const WinFwSettings &settings, const WinFwRelay &relay);
- bool applyPolicyConnected(const WinFwSettings &settings, const WinFwRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *primaryDns);
+ bool applyPolicyConnected(const WinFwSettings &settings, const WinFwRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *v4DnsHosts, const wchar_t *v6DnsHost);
bool applyPolicyBlocked(const WinFwSettings &settings);
bool reset();
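Review bot: The declared parameter names `v4DnsHosts`/`v6DnsHost` do not match the definition's `v4Gateway`/`v6Gateway` in fwcontext.cpp, and `v4DnsHosts` is plural for what is a single address; IDE tooltips and callers reading the header get a different story than the implementation. Align the declaration with the definition, `bool applyPolicyConnected(const WinFwSettings &settings, const WinFwRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *v4Gateway, const wchar_t *v6Gateway);`, and since the definition explicitly tolerates a null second address, state it: `// v6Gateway may be nullptr when the tunnel has no IPv6 gateway; v4Gateway is required.`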
diff --git a/windows/winfw/src/winfw/rules/restrictdns.cpp b/windows/winfw/src/winfw/rules/restrictdns.cpp
index d8a953fb3a..53c303cc47 100644
--- a/windows/winfw/src/winfw/rules/restrictdns.cpp
+++ b/windows/winfw/src/winfw/rules/restrictdns.cpp
@@ -12,9 +12,11 @@ using namespace wfp::conditions;
namespace rules
{
-RestrictDns::RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress &dns)
+RestrictDns::RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress v4DnsHost, wfp::IpAddress *v6DnsHost)
: m_tunnelInterfaceAlias(tunnelInterfaceAlias)
- , m_dns(dns)
+ , m_v4DnsHost(v4DnsHost)
+ , m_v6DnsHost(v6DnsHost)
+
{
}
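Review bot: The constructor now takes `v4DnsHost` by `const` value where the previous signature took `const &`, and takes `v6DnsHost` as a non-const `wfp::IpAddress *` even though it is stored into a `const wfp::IpAddress *` member; there is also a stray blank line left inside the initializer list before the opening brace. Suggested signature, to be mirrored in restrictdns.h: `RestrictDns::RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress &v4DnsHost, const wfp::IpAddress *v6DnsHost)`, with the empty line after `, m_v6DnsHost(v6DnsHost)` removed.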
@@ -73,52 +75,29 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller)
}
}
- //
- // This next part is a little redundant since the entire rule could be defined
- // using three filters. Let's use four filters to maintain some kind of readability.
- //
- // The reason it would be possible to use three filters is because the single DNS
- // is going to be either v4 or v6, so all requests that cannot be sent to the DNS
- // will have to be blocked (thereby shadowing one of the filters above).
- //
filterBuilder
- .name(L"Restrict DNS requests inside the VPN tunnel");
+ .name(L"Restrict IPv4 DNS requests inside the VPN tunnel")
+ .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4())
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
- if (m_dns.type() == wfp::IpAddress::Type::Ipv4)
{
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- {
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
- conditionBuilder.add_condition(ConditionIp::Remote(m_dns, CompareNeq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
- }
- }
-
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
conditionBuilder.add_condition(ConditionPort::Remote(53));
+ conditionBuilder.add_condition(ConditionIp::Remote(m_v4DnsHost, CompareNeq()));
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
}
//
// Specified DNS is IPv6
//
-
filterBuilder
+ .name(L"Restrict IPv6 DNS requests inside the VPN tunnel")
.key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6())
.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
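Review bot: The surviving comment `// Specified DNS is IPv6` is now stale: the old code installed the IPv6 filter only on the `m_dns.type()` branch, whereas the new code installs both the IPv4 and IPv6 filters unconditionally and the IPv6 address is merely optional. Replace it with a comment that matches the new flow, e.g. `// IPv6 filter: always installed; the host condition is only added when an IPv6 DNS host was supplied (see below).` The filter's action and interface conditions are set earlier in apply(), outside this hunk, so I am not restating them here.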
@@ -126,23 +105,12 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller)
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
conditionBuilder.add_condition(ConditionPort::Remote(53));
- conditionBuilder.add_condition(ConditionIp::Remote(m_dns, CompareNeq()));
-
- if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
- {
- return false;
+ if (m_v6DnsHost != nullptr) {
+ conditionBuilder.add_condition(ConditionIp::Remote(*m_v6DnsHost, CompareNeq()));
}
- }
- filterBuilder
- .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
- conditionBuilder.add_condition(ConditionPort::Remote(53));
-
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+ return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+ }
}
}
diff --git a/windows/winfw/src/winfw/rules/restrictdns.h b/windows/winfw/src/winfw/rules/restrictdns.h
index da09e970d3..ca3057a5cd 100644
--- a/windows/winfw/src/winfw/rules/restrictdns.h
+++ b/windows/winfw/src/winfw/rules/restrictdns.h
@@ -11,14 +11,16 @@ class RestrictDns : public IFirewallRule
{
public:
- RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress &dns);
+ RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress v4DnsHost, wfp::IpAddress *v6DnsHost);
bool apply(IObjectInstaller &objectInstaller) override;
private:
const std::wstring m_tunnelInterfaceAlias;
- const wfp::IpAddress m_dns;
+ const wfp::IpAddress m_v4DnsHost;
+ const wfp::IpAddress *m_v6DnsHost;
+
};
}
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index 233423d1cd..f391d691b2 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -117,7 +117,8 @@ WinFw_ApplyPolicyConnected(
const WinFwSettings &settings,
const WinFwRelay &relay,
const wchar_t *tunnelInterfaceAlias,
- const wchar_t *primaryDns
+ const wchar_t *v4Gateway,
+ const wchar_t *v6Gateway
)
{
if (nullptr == g_fwContext)
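Review bot: `v4Gateway` is forwarded without a null check and, per the fwcontext.cpp hunk, goes straight into `wfp::IpAddress(v4Gateway)`, whereas the IPv6 counterpart is explicitly allowed to be null; this exported function is the boundary where a malformed argument from the caller should be rejected rather than surfacing as an exception or a crash inside the constructor. Unless `wfp::IpAddress` is known to reject `nullptr` itself (not visible here), extend the guard to `if (nullptr == g_fwContext || nullptr == v4Gateway)`. The guard's body continues past the end of this hunk.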
@@ -127,7 +128,7 @@ WinFw_ApplyPolicyConnected(
try
{
- return g_fwContext->applyPolicyConnected(settings, relay, tunnelInterfaceAlias, primaryDns);
+ return g_fwContext->applyPolicyConnected(settings, relay, tunnelInterfaceAlias, v4Gateway, v6Gateway);
}
catch (std::exception &err)
{
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index 38f92aacf2..f0c1adb2dc 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -123,7 +123,8 @@ WinFw_ApplyPolicyConnected(
const WinFwSettings &settings,
const WinFwRelay &relay,
const wchar_t *tunnelInterfaceAlias,
- const wchar_t *primaryDns
+ const wchar_t *v4Gateway,
+ const wchar_t *v6Gateway
);
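Review bot: This is the exported interface, and the two new pointers have different contracts that the header does not state: the implementation treats `v6Gateway` as optional (it is tested against `nullptr` in fwcontext.cpp) while `v4Gateway` is constructed into a `wfp::IpAddress` unconditionally. External callers only see this declaration, so document it above the prototype in the file's existing comment style, e.g. `// v4Gateway: required, IPv4 address of the tunnel gateway that DNS is restricted to.` and `// v6Gateway: optional, may be nullptr when the tunnel has no IPv6 gateway; all IPv6 DNS inside the tunnel is then blocked.` The last clause is inferred from the restrictdns.cpp hunk and is worth confirming before it is written down as the contract.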
//