authorOdd Stranne <odd@mullvad.net>2020-02-19 23:42:28 +0100
committerOdd Stranne <odd@mullvad.net>2020-02-20 10:59:24 +0100
commit839ef00066b8a591a0ceda8608f75f58ef8a137a (patch)
treefff84211125db23c2473f68067ddc4f9d69d4301 /windows
parent11eb3b408be98d7ecbdcc561075010477c465df4 (diff)
Make PermitPing capable of handling a set of hosts
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp11
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitping.cpp35
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitping.h6
3 files changed, 36 insertions, 16 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index c5c4646082..54a7797a69 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -177,13 +177,10 @@ bool FwContext::applyPolicyConnecting
{
const auto &ph = pingableHosts.value();
- for (const auto &host : ph.hosts)
- {
- ruleset.emplace_back(std::make_unique<baseline::PermitPing>(
- ph.tunnelInterfaceAlias,
- host
- ));
- }
+ ruleset.emplace_back(std::make_unique<baseline::PermitPing>(
+ ph.tunnelInterfaceAlias,
+ ph.hosts
+ ));
}
return applyRuleset(ruleset);
diff --git a/windows/winfw/src/winfw/rules/baseline/permitping.cpp b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
index 0fb388a953..d8849590eb 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitping.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
@@ -1,11 +1,13 @@
#include "stdafx.h"
#include "permitping.h"
#include <winfw/mullvadguids.h>
+#include <winfw/rules/shared.h>
#include <libwfp/filterbuilder.h>
#include <libwfp/conditionbuilder.h>
#include <libwfp/conditions/conditionip.h>
#include <libwfp/conditions/conditioninterface.h>
#include <libwfp/conditions/conditionprotocol.h>
+#include <libcommon/error.h>
using namespace wfp::conditions;
@@ -15,21 +17,32 @@ namespace rules::baseline
PermitPing::PermitPing
(
std::optional<std::wstring> interfaceAlias,
- const wfp::IpAddress &host
+ const std::vector<wfp::IpAddress> &hosts
)
: m_interfaceAlias(std::move(interfaceAlias))
- , m_host(host)
{
+ SplitAddresses(hosts, m_hostsIpv4, m_hostsIpv6);
}
bool PermitPing::apply(IObjectInstaller &objectInstaller)
{
- if (wfp::IpAddress::Type::Ipv4 == m_host.type())
+ if (false == m_hostsIpv4.empty())
{
- return applyIcmpv4(objectInstaller);
+ if (false == applyIcmpv4(objectInstaller))
+ {
+ return false;
+ }
}
- return applyIcmpv6(objectInstaller);
+ if (false == m_hostsIpv6.empty())
+ {
+ if (false == applyIcmpv6(objectInstaller))
+ {
+ return false;
+ }
+ }
+
+ return true;
}
bool PermitPing::applyIcmpv4(IObjectInstaller &objectInstaller) const
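Review bot: The two `empty()` checks in `PermitPing::apply` carry a security property that is not written down. Judging by the loops added to `applyIcmpv4`/`applyIcmpv6` later in this diff, a call with an empty host list would build a filter with no remote-address condition, which would permit ICMP to any host rather than to the pingable hosts only. I would add a comment above the first check, e.g. `// Never install a filter for an empty family: without a remote-address condition it would permit ICMP to every host.` It is also worth documenting that `apply` returns `true` without installing anything when no hosts were supplied, so a caller does not read success as "ping is permitted". What `SplitAddresses` does with its input is not visible in this hunk.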
@@ -52,9 +65,13 @@ bool PermitPing::applyIcmpv4(IObjectInstaller &objectInstaller) const
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
- conditionBuilder.add_condition(ConditionIp::Remote(m_host));
conditionBuilder.add_condition(ConditionProtocol::Icmp());
+ for (const auto &host : m_hostsIpv4)
+ {
+ conditionBuilder.add_condition(ConditionIp::Remote(host));
+ }
+
if (m_interfaceAlias.has_value())
{
conditionBuilder.add_condition(ConditionInterface::Alias(m_interfaceAlias.value()));
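Review bot: The loop that adds one `ConditionIp::Remote(host)` per entry depends on several conditions for the same field being matched as alternatives; if they were combined with AND, a list of two or more hosts would never match and the rule would silently permit nothing. That assumption deserves a comment at the loop, e.g. `// Conditions on the same field are OR'ed, so this matches any of the listed hosts.`, and the same applies to the IPv6 loop in the `applyIcmpv6` hunk. `applyIcmpv4` begins and ends outside the hunk, so how `ConditionBuilder` groups same-field conditions cannot be confirmed from here.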
@@ -83,9 +100,13 @@ bool PermitPing::applyIcmpv6(IObjectInstaller &objectInstaller) const
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
- conditionBuilder.add_condition(ConditionIp::Remote(m_host));
conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ for (const auto &host : m_hostsIpv6)
+ {
+ conditionBuilder.add_condition(ConditionIp::Remote(host));
+ }
+
if (m_interfaceAlias.has_value())
{
conditionBuilder.add_condition(ConditionInterface::Alias(m_interfaceAlias.value()));
diff --git a/windows/winfw/src/winfw/rules/baseline/permitping.h b/windows/winfw/src/winfw/rules/baseline/permitping.h
index b7747296f7..438aafc3f9 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitping.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitping.h
@@ -4,6 +4,7 @@
#include <libwfp/ipaddress.h>
#include <string>
#include <optional>
+#include <vector>
namespace rules::baseline
{
@@ -12,14 +13,15 @@ class PermitPing : public IFirewallRule
{
public:
- PermitPing(std::optional<std::wstring> interfaceAlias, const wfp::IpAddress &host);
+ PermitPing(std::optional<std::wstring> interfaceAlias, const std::vector<wfp::IpAddress> &hosts);
bool apply(IObjectInstaller &objectInstaller) override;
private:
const std::optional<std::wstring> m_interfaceAlias;
- const wfp::IpAddress m_host;
+ std::vector<wfp::IpAddress> m_hostsIpv4;
+ std::vector<wfp::IpAddress> m_hostsIpv6;
bool applyIcmpv4(IObjectInstaller &objectInstaller) const;
bool applyIcmpv6(IObjectInstaller &objectInstaller) const;