authorDavid Lönnhager <david.l@mullvad.net>2021-10-06 13:12:53 +0200
committerDavid Lönnhager <david.l@mullvad.net>2021-10-11 10:05:47 +0200
commit88163a1819e7d07dbf70bbb28daf55eb17f5034c (patch)
treec17c0786cbd3aed3eb8b3b4d893b137c61defce3 /windows
parent6aa2b5ce21d3b3f740ed241b5f659b022e4f9790 (diff)
Permit NDP unreachability and DAD checks on Windows
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp60
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h4
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitndp.cpp97
3 files changed, 159 insertions, 2 deletions
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index f5693d7751..8a9de5fe0f 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -136,6 +136,10 @@ MullvadGuids::DetailedIdentityRegistry MullvadGuids::DetailedRegistry(IdentityQu
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Outbound_Router_Solicitation()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Router_Advertisement()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Outbound_Neighbor_Solicitation()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Neighbor_Solicitation()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Outbound_Neighbor_Advertisement()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Neighbor_Advertisement()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Redirect()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitDns_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitDns_Outbound_Ipv6()));
@@ -741,6 +745,62 @@ const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Router_Advertisement
}
//static
+const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Outbound_Neighbor_Solicitation()
+{
+ static const GUID g =
+ {
+ 0x8cc5348a,
+ 0xf736,
+ 0x4ec4,
+ { 0x8e, 0x8f, 0xd7, 0x13, 0x17, 0xd4, 0xc2, 0xb8 }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Neighbor_Solicitation()
+{
+ static const GUID g =
+ {
+ 0x0c95bb19,
+ 0x40a2,
+ 0x48ee,
+ { 0xa7, 0xca, 0x5b, 0x61, 0x2c, 0xab, 0x5f, 0x9d }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Outbound_Neighbor_Advertisement()
+{
+ static const GUID g =
+ {
+ 0x932042c4,
+ 0x2275,
+ 0x4c3e,
+ { 0x85, 0xe8, 0xf9, 0xa2, 0x77, 0x18, 0x19, 0x5c }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Neighbor_Advertisement()
+{
+ static const GUID g =
+ {
+ 0xc0e39478,
+ 0x7920,
+ 0x4632,
+ { 0x82, 0x12, 0x2a, 0xe5, 0xd2, 0x6f, 0x39, 0x5c }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Redirect()
{
static const GUID g =
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index f8b9fbb770..ed064a9409 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -79,6 +79,10 @@ public:
static const GUID &Filter_Baseline_PermitNdp_Outbound_Router_Solicitation();
static const GUID &Filter_Baseline_PermitNdp_Inbound_Router_Advertisement();
+ static const GUID &Filter_Baseline_PermitNdp_Outbound_Neighbor_Solicitation();
+ static const GUID &Filter_Baseline_PermitNdp_Inbound_Neighbor_Solicitation();
+ static const GUID &Filter_Baseline_PermitNdp_Outbound_Neighbor_Advertisement();
+ static const GUID &Filter_Baseline_PermitNdp_Inbound_Neighbor_Advertisement();
static const GUID &Filter_Baseline_PermitNdp_Inbound_Redirect();
static const GUID &Filter_Baseline_PermitDns_Outbound_Ipv4();
diff --git a/windows/winfw/src/winfw/rules/baseline/permitndp.cpp b/windows/winfw/src/winfw/rules/baseline/permitndp.cpp
index 60c95ec8e9..3c5bb32d76 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitndp.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitndp.cpp
@@ -18,6 +18,7 @@ bool PermitNdp::apply(IObjectInstaller &objectInstaller)
{
const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10);
const wfp::IpAddress::Literal6 linkLocalRouterMulticast{ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2 };
+ const wfp::IpNetwork solicitedNodeMulticast(wfp::IpAddress::Literal6({ 0xFF02, 0, 0, 0, 0, 1, 0xFF00, 0 }), 104);
wfp::FilterBuilder filterBuilder;
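Review bot: The new `solicitedNodeMulticast` network is written as a bare literal with prefix length 104, and nothing in the hunk tells a reader what that range is or why 104 is the right prefix. The sibling constants on the two lines above at least name themselves (`linkLocal`, `linkLocalRouterMulticast`); this one benefits from a why-comment, e.g. `// Solicited-node multicast prefix ff02::1:ff00:0/104 (RFC 4291 §2.7.1); NDP neighbor solicitations and DAD probes are sent here`. The enclosing PermitNdp::apply starts before this hunk and continues past it.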
@@ -81,12 +82,104 @@ bool PermitNdp::apply(IObjectInstaller &objectInstaller)
.name(L"Permit inbound NDP redirect")
.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(137));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #4 Permit outbound neighbor solicitation.
+ //
+
+ filterBuilder
+ .key(MullvadGuids::Filter_Baseline_PermitNdp_Outbound_Neighbor_Solicitation())
+ .name(L"Permit outbound NDP neighbor solicitation")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(135));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(solicitedNodeMulticast));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #5 Permit inbound neighbor solicitation.
+ //
+
+ filterBuilder
+ .key(MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Neighbor_Solicitation())
+ .name(L"Permit inbound NDP neighbor solicitation")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(135));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #6 Permit outbound neighbor advertisement.
+ //
+
+ filterBuilder
+ .key(MullvadGuids::Filter_Baseline_PermitNdp_Outbound_Neighbor_Advertisement())
+ .name(L"Permit outbound NDP neighbor advertisement")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ conditionBuilder.add_condition(ConditionIcmp::Type(136));
+ conditionBuilder.add_condition(ConditionIcmp::Code(0));
+ conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #7 Permit inbound neighbor advertisement.
+ //
+
+ filterBuilder
+ .key(MullvadGuids::Filter_Baseline_PermitNdp_Inbound_Neighbor_Advertisement())
+ .name(L"Permit inbound NDP neighbor advertisement")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
- conditionBuilder.add_condition(ConditionIcmp::Type(137));
+ conditionBuilder.add_condition(ConditionIcmp::Type(136));
conditionBuilder.add_condition(ConditionIcmp::Code(0));
- conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
}
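Review bot: The inbound neighbor advertisement filter (#7) is the only NDP filter in this hunk with no `ConditionIp::Remote(linkLocal)` condition — the removed link-local line from the old redirect rule is re-added under block #3 but not under the new `ConditionIcmp::Type(136)` — and nothing in the code says whether accepting advertisements from any remote address is intentional. If it is, a comment such as `// No remote-address condition: neighbor advertisements may originate from non-link-local addresses` above the condition builder would stop a future reader from "fixing" it to match #4–#6; if it is not, this rule is broader than the others. Block #4 adds two `ConditionIp::Remote` conditions for the same field, which WFP evaluates as OR rather than AND, and a one-line comment stating that would save the next reader a trip to the docs. A hedged related point: DAD solicitations from other nodes carry the unspecified source address, which is outside fe80::/10, so filter #5 as written may not admit them — worth confirming against the scope the commit title intends. PermitNdp::apply begins before this hunk.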