Add persistent firewall filters iff block_when_disconnected or auto_connect is true (on Windows only)

13 files changed, 422 insertions, 9 deletions

diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 06edc3182e..0a22be1740 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -100,7 +100,7 @@ MullvadGuids::DetailedIdentityRegistry MullvadGuids::DetailedRegistry(IdentityQu
 {
 	std::multimap<WfpObjectType, GUID> registry;
 
-	if (IdentityQualifier::IncludeDeprecated == qualifier)
+	if (IdentityQualifier::IncludeDeprecated == (qualifier & IdentityQualifier::IncludeDeprecated))
 	{
 		registry = DeprecatedIdentities();
 	}
@@ -147,6 +147,22 @@ MullvadGuids::DetailedIdentityRegistry MullvadGuids::DetailedRegistry(IdentityQu
 	registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitTunnel_Outbound_Ipv4()));
 	registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitTunnel_Outbound_Ipv6()));
 
+	if (IdentityQualifier::IncludePersistent == (qualifier & IdentityQualifier::IncludePersistent))
+	{
+		registry.insert(std::make_pair(WfpObjectType::Provider, ProviderPersistent()));
+		registry.insert(std::make_pair(WfpObjectType::Sublayer, SublayerPersistent()));
+
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Boottime_BlockAll_Inbound_Ipv4()));
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Boottime_BlockAll_Outbound_Ipv4()));
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Boottime_BlockAll_Inbound_Ipv6()));
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Boottime_BlockAll_Outbound_Ipv6()));
+
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Persistent_BlockAll_Inbound_Ipv4()));
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Persistent_BlockAll_Outbound_Ipv4()));
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Persistent_BlockAll_Inbound_Ipv6()));
+		registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Persistent_BlockAll_Outbound_Ipv6()));
+	}
+
 	return registry;
 }
 
@@ -165,6 +181,20 @@ const GUID &MullvadGuids::Provider()
 }
 
 //static
+const GUID &MullvadGuids::ProviderPersistent()
+{
+	static const GUID g =
+	{
+		0x2bc5bc63,
+		0x80b0,
+		0x4119,
+		{ 0x86, 0xd3, 0x6a, 0xfe, 0x0d, 0xff, 0x2a, 0x26 }
+	};
+
+	return g;
+}
+
+//static
 const GUID &MullvadGuids::SublayerBaseline()
 {
 	static const GUID g =
@@ -193,6 +223,132 @@ const GUID &MullvadGuids::SublayerDns()
 }
 
 //static
+const GUID &MullvadGuids::SublayerPersistent()
+{
+	static const GUID g =
+	{
+		0x3c28881e,
+		0x8891,
+		0x4d61,
+		{ 0xb8, 0x7f, 0xf2, 0x72, 0x50, 0x2d, 0x10, 0x05 }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Boottime_BlockAll_Outbound_Ipv4()
+{
+	static const GUID g =
+	{
+		0x5996aa42,
+		0x102b,
+		0x419f,
+		{ 0xad, 0x3d, 0x83, 0x5d, 0xb5, 0xb, 0x8b, 0x1 }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Boottime_BlockAll_Inbound_Ipv4()
+{
+	static const GUID g =
+	{
+		0x6150b73d,
+		0x4dfa,
+		0x4c30,
+		{ 0x80, 0xeb, 0xe0, 0xee, 0x53, 0x51, 0x93, 0xda }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Boottime_BlockAll_Outbound_Ipv6()
+{
+	static const GUID g =
+	{
+		0x139b8b26,
+		0x5037,
+		0x4929,
+		{ 0x92, 0x37, 0xe8, 0x73, 0xbd, 0xdd, 0x65, 0x1d }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Boottime_BlockAll_Inbound_Ipv6()
+{
+	static const GUID g =
+	{
+		0x129927e2,
+		0x7a3a,
+		0x49bb,
+		{ 0xb9, 0x87, 0x36, 0x92, 0x56, 0x3a, 0x83, 0xf4 }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Persistent_BlockAll_Outbound_Ipv4()
+{
+	static const GUID g =
+	{
+		0x79860c64,
+		0x9a5e,
+		0x48a3,
+		{ 0xb5, 0xf3, 0xd6, 0x4b, 0x41, 0x65, 0x9a, 0xa5 }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Persistent_BlockAll_Inbound_Ipv4()
+{
+	static const GUID g =
+	{
+		0x9f177f14,
+		0xf090,
+		0x4fde,
+		{ 0x98, 0xf9, 0x84, 0x15, 0x31, 0x25, 0xa7, 0xc5 }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Persistent_BlockAll_Outbound_Ipv6()
+{
+	static const GUID g =
+	{
+		0xa9b72749,
+		0xb1c1,
+		0x4483,
+		{ 0xa3, 0x71, 0x90, 0xe1, 0x86, 0x68, 0x53, 0x2e }
+	};
+
+	return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Persistent_BlockAll_Inbound_Ipv6()
+{
+	static const GUID g =
+	{
+		0x333e7e5c,
+		0x9293,
+		0x4bda,
+		{ 0x8b, 0x19, 0xb6, 0x70, 0x19, 0x1c, 0xc4, 0x7c }
+	};
+
+	return g;
+}
+
+//static
 const GUID &MullvadGuids::Filter_Baseline_BlockAll_Outbound_Ipv4()
 {
 	static const GUID g =
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 8e5970698c..11e396fc2b 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -19,10 +19,12 @@ private:
 
 public:
 
-	enum class IdentityQualifier
+	enum class IdentityQualifier : uint32_t
 	{
-		IncludeDeprecated,
-		OnlyCurrent,
+		OnlyCurrent			= 0x00,
+		IncludeDeprecated	= 0x01,
+		IncludePersistent	= 0x02,
+		IncludeAll			= IncludeDeprecated | IncludePersistent,
 	};
 
 	static IdentityRegistry Registry(IdentityQualifier qualifier);
@@ -89,4 +91,31 @@ public:
 	static const GUID &Filter_Dns_PermitNonTunnel_Outbound_Ipv6();
 	static const GUID &Filter_Dns_PermitTunnel_Outbound_Ipv4();
 	static const GUID &Filter_Dns_PermitTunnel_Outbound_Ipv6();
+
+	//
+	// Persistent and boot-time filters
+	//
+
+	static const GUID &ProviderPersistent();
+	static const GUID &SublayerPersistent();
+
+	static const GUID &Filter_Boottime_BlockAll_Inbound_Ipv4();
+	static const GUID &Filter_Boottime_BlockAll_Outbound_Ipv4();
+	static const GUID &Filter_Boottime_BlockAll_Inbound_Ipv6();
+	static const GUID &Filter_Boottime_BlockAll_Outbound_Ipv6();
+
+	static const GUID &Filter_Persistent_BlockAll_Inbound_Ipv4();
+	static const GUID &Filter_Persistent_BlockAll_Outbound_Ipv4();
+	static const GUID &Filter_Persistent_BlockAll_Inbound_Ipv6();
+	static const GUID &Filter_Persistent_BlockAll_Outbound_Ipv6();
 };
+
+inline MullvadGuids::IdentityQualifier operator|(MullvadGuids::IdentityQualifier lhs, MullvadGuids::IdentityQualifier rhs)
+{
+	return static_cast<MullvadGuids::IdentityQualifier>(static_cast<uint32_t>(lhs) | static_cast<uint32_t>(rhs));
+}
+
+inline MullvadGuids::IdentityQualifier operator&(MullvadGuids::IdentityQualifier lhs, MullvadGuids::IdentityQualifier rhs)
+{
+	return static_cast<MullvadGuids::IdentityQualifier>(static_cast<uint32_t>(lhs) & static_cast<uint32_t>(rhs));
+}
diff --git a/windows/winfw/src/winfw/mullvadobjects.cpp b/windows/winfw/src/winfw/mullvadobjects.cpp
index b96f0dd743..d148a54d8d 100644
--- a/windows/winfw/src/winfw/mullvadobjects.cpp
+++ b/windows/winfw/src/winfw/mullvadobjects.cpp
@@ -44,3 +44,33 @@ std::unique_ptr<wfp::SublayerBuilder> MullvadObjects::SublayerDns()
 
 	return builder;
 }
+
+//static
+std::unique_ptr<wfp::ProviderBuilder> MullvadObjects::ProviderPersistent()
+{
+	auto builder = std::make_unique<wfp::ProviderBuilder>();
+
+	(*builder)
+		.name(L"Mullvad VPN persistent")
+		.description(L"Mullvad VPN firewall integration")
+		.persistent()
+		.key(MullvadGuids::ProviderPersistent());
+
+	return builder;
+}
+
+//static
+std::unique_ptr<wfp::SublayerBuilder> MullvadObjects::SublayerPersistent()
+{
+	auto builder = std::make_unique<wfp::SublayerBuilder>();
+
+	(*builder)
+		.name(L"Mullvad VPN persistent")
+		.description(L"Filters that restrict traffic before WinFw is initialized")
+		.key(MullvadGuids::SublayerPersistent())
+		.provider(MullvadGuids::ProviderPersistent())
+		.persistent()
+		.weight(MAXUINT16);
+
+	return builder;
+}
diff --git a/windows/winfw/src/winfw/mullvadobjects.h b/windows/winfw/src/winfw/mullvadobjects.h
index a1183c9018..cd4c0cd3dc 100644
--- a/windows/winfw/src/winfw/mullvadobjects.h
+++ b/windows/winfw/src/winfw/mullvadobjects.h
@@ -15,4 +15,7 @@ public:
 	static std::unique_ptr<wfp::ProviderBuilder> Provider();
 	static std::unique_ptr<wfp::SublayerBuilder> SublayerBaseline();
 	static std::unique_ptr<wfp::SublayerBuilder> SublayerDns();
+
+	static std::unique_ptr<wfp::ProviderBuilder> ProviderPersistent();
+	static std::unique_ptr<wfp::SublayerBuilder> SublayerPersistent();
 };
diff --git a/windows/winfw/src/winfw/objectpurger.cpp b/windows/winfw/src/winfw/objectpurger.cpp
index 1db397566c..dce36c99c8 100644
--- a/windows/winfw/src/winfw/objectpurger.cpp
+++ b/windows/winfw/src/winfw/objectpurger.cpp
@@ -29,7 +29,7 @@ ObjectPurger::RemovalFunctor ObjectPurger::GetRemoveFiltersFunctor()
 {
 	return [](wfp::FilterEngine &engine)
 	{
-		const auto registry = MullvadGuids::DetailedRegistry(MullvadGuids::IdentityQualifier::IncludeDeprecated);
+		const auto registry = MullvadGuids::DetailedRegistry(MullvadGuids::IdentityQualifier::IncludeAll);
 
 		// Resolve correct overload.
 		void (*deleter)(wfp::FilterEngine &, const GUID &) = wfp::ObjectDeleter::DeleteFilter;
@@ -43,6 +43,22 @@ ObjectPurger::RemovalFunctor ObjectPurger::GetRemoveAllFunctor()
 {
 	return [](wfp::FilterEngine &engine)
 	{
+		const auto registry = MullvadGuids::DetailedRegistry(MullvadGuids::IdentityQualifier::IncludeAll);
+
+		// Resolve correct overload.
+		void(*deleter)(wfp::FilterEngine &, const GUID &) = wfp::ObjectDeleter::DeleteFilter;
+
+		RemoveRange(engine, deleter, registry.equal_range(WfpObjectType::Filter));
+		RemoveRange(engine, wfp::ObjectDeleter::DeleteSublayer, registry.equal_range(WfpObjectType::Sublayer));
+		RemoveRange(engine, wfp::ObjectDeleter::DeleteProvider, registry.equal_range(WfpObjectType::Provider));
+	};
+}
+
+//static
+ObjectPurger::RemovalFunctor ObjectPurger::GetRemoveNonPersistentFunctor()
+{
+	return [](wfp::FilterEngine &engine)
+	{
 		const auto registry = MullvadGuids::DetailedRegistry(MullvadGuids::IdentityQualifier::IncludeDeprecated);
 
 		// Resolve correct overload.
diff --git a/windows/winfw/src/winfw/objectpurger.h b/windows/winfw/src/winfw/objectpurger.h
index 62f7ce2e11..7728aac694 100644
--- a/windows/winfw/src/winfw/objectpurger.h
+++ b/windows/winfw/src/winfw/objectpurger.h
@@ -15,6 +15,7 @@ public:
 
 	static RemovalFunctor GetRemoveFiltersFunctor();
 	static RemovalFunctor GetRemoveAllFunctor();
+	static RemovalFunctor GetRemoveNonPersistentFunctor();
 
 	static bool Execute(RemovalFunctor f);
 };
diff --git a/windows/winfw/src/winfw/rules/persistent/blockall.cpp b/windows/winfw/src/winfw/rules/persistent/blockall.cpp
new file mode 100644
index 0000000000..7a3e51be3f
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/persistent/blockall.cpp
@@ -0,0 +1,116 @@
+#include "stdafx.h"
+#include "blockall.h"
+#include <winfw/mullvadguids.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/nullconditionbuilder.h>
+
+namespace rules::persistent
+{
+
+bool BlockAll::apply(IObjectInstaller &objectInstaller)
+{
+	wfp::FilterBuilder filterBuilder;
+
+	//
+	// Add boot-time filters (i.e., filters applied before BFE starts)
+	//
+
+	filterBuilder
+		.key(MullvadGuids::Filter_Boottime_BlockAll_Outbound_Ipv4())
+		.name(L"Block all outbound connections (IPv4)")
+		.description(L"This filter is part of a rule that restricts inbound and outbound traffic")
+		.provider(MullvadGuids::ProviderPersistent())
+		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
+		.sublayer(MullvadGuids::SublayerPersistent())
+		.weight(wfp::FilterBuilder::WeightClass::Max)
+		.boottime()
+		.block();
+
+	wfp::NullConditionBuilder nullConditionBuilder;
+
+	if (false == objectInstaller.addFilter(filterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	filterBuilder
+		.key(MullvadGuids::Filter_Boottime_BlockAll_Inbound_Ipv4())
+		.name(L"Block all inbound connections (IPv4)")
+		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+
+	if (false == objectInstaller.addFilter(filterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	filterBuilder
+		.key(MullvadGuids::Filter_Boottime_BlockAll_Outbound_Ipv6())
+		.name(L"Block all outbound connections (IPv6)")
+		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+	if (false == objectInstaller.addFilter(filterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	filterBuilder
+		.key(MullvadGuids::Filter_Boottime_BlockAll_Inbound_Ipv6())
+		.name(L"Block all inbound connections (IPv6)")
+		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+	if (false == objectInstaller.addFilter(filterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	//
+	// Add persistent filters (i.e., filters applied when BFE has started)
+	//
+
+	wfp::FilterBuilder persistentFilterBuilder;
+
+	persistentFilterBuilder
+		.key(MullvadGuids::Filter_Persistent_BlockAll_Outbound_Ipv4())
+		.name(L"Block all outbound connections (IPv4)")
+		.description(L"This filter is part of a rule that restricts inbound and outbound traffic")
+		.provider(MullvadGuids::ProviderPersistent())
+		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
+		.sublayer(MullvadGuids::SublayerPersistent())
+		.weight(wfp::FilterBuilder::WeightClass::Max)
+		.persistent()
+		.block();
+
+	if (false == objectInstaller.addFilter(persistentFilterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	persistentFilterBuilder
+		.key(MullvadGuids::Filter_Persistent_BlockAll_Inbound_Ipv4())
+		.name(L"Block all inbound connections (IPv4)")
+		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+
+	if (false == objectInstaller.addFilter(persistentFilterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	persistentFilterBuilder
+		.key(MullvadGuids::Filter_Persistent_BlockAll_Outbound_Ipv6())
+		.name(L"Block all outbound connections (IPv6)")
+		.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+	if (false == objectInstaller.addFilter(persistentFilterBuilder, nullConditionBuilder))
+	{
+		return false;
+	}
+
+	persistentFilterBuilder
+		.key(MullvadGuids::Filter_Persistent_BlockAll_Inbound_Ipv6())
+		.name(L"Block all inbound connections (IPv6)")
+		.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+	return objectInstaller.addFilter(persistentFilterBuilder, nullConditionBuilder);
+}
+
+}
diff --git a/windows/winfw/src/winfw/rules/persistent/blockall.h b/windows/winfw/src/winfw/rules/persistent/blockall.h
new file mode 100644
index 0000000000..4c6175c8d0
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/persistent/blockall.h
@@ -0,0 +1,18 @@
+#pragma once
+
+#include <winfw/rules/ifirewallrule.h>
+
+namespace rules::persistent
+{
+
+class BlockAll : public IFirewallRule
+{
+public:
+
+	BlockAll() = default;
+	~BlockAll() = default;
+	
+	bool apply(IObjectInstaller &objectInstaller) override;
+};
+
+}
diff --git a/windows/winfw/src/winfw/sessioncontroller.cpp b/windows/winfw/src/winfw/sessioncontroller.cpp
index 83f6863c91..97a9e498d6 100644
--- a/windows/winfw/src/winfw/sessioncontroller.cpp
+++ b/windows/winfw/src/winfw/sessioncontroller.cpp
@@ -60,7 +60,7 @@ bool CheckpointKeyToIndex(const std::vector<SessionRecord> &container, uint32_t
 
 SessionController::SessionController(std::unique_ptr<wfp::FilterEngine> &&engine)
 	: m_engine(std::move(engine))
-	, m_identityRegistry(MullvadGuids::Registry(MullvadGuids::IdentityQualifier::OnlyCurrent))
+	, m_identityRegistry(MullvadGuids::Registry(MullvadGuids::IdentityQualifier::IncludePersistent))
 	, m_activeTransaction(false)
 {
 }
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index b94bff9938..4998feef7f 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -2,6 +2,8 @@
 #include "winfw.h"
 #include "fwcontext.h"
 #include "objectpurger.h"
+#include "mullvadobjects.h"
+#include "rules/persistent/blockall.h"
 #include <windows.h>
 #include <libcommon/error.h>
 #include <optional>
@@ -9,6 +11,8 @@
 namespace
 {
 
+constexpr uint32_t DEINITIALIZE_TIMEOUT = 5000;
+
 MullvadLogSink g_logSink = nullptr;
 void *g_logSinkContext = nullptr;
 
@@ -179,14 +183,41 @@ WinFw_Deinitialize(WINFW_CLEANUP_POLICY cleanupPolicy)
 	g_fwContext = nullptr;
 
 	//
-	// Only skip clean-up if this is what the caller requested
+	// Continue blocking if this is what the caller requested
 	// and if the current policy is "(net) blocked".
 	//
 
 	if (WINFW_CLEANUP_POLICY_CONTINUE_BLOCKING == cleanupPolicy
 		&& FwContext::Policy::Blocked == activePolicy)
 	{
-		return true;
+		try
+		{
+			auto engine = wfp::FilterEngine::StandardSession(DEINITIALIZE_TIMEOUT);
+			auto sessionController = std::make_unique<SessionController>(std::move(engine));
+
+			rules::persistent::BlockAll blockAll;
+
+			return sessionController->executeTransaction([&](SessionController &controller, wfp::FilterEngine &engine)
+			{
+				ObjectPurger::GetRemoveNonPersistentFunctor()(engine);
+
+				return controller.addProvider(*MullvadObjects::ProviderPersistent())
+					&& controller.addSublayer(*MullvadObjects::SublayerPersistent())
+					&& blockAll.apply(controller);
+			});
+		}
+		catch (std::exception & err)
+		{
+			if (nullptr != g_logSink)
+			{
+				g_logSink(MULLVAD_LOG_LEVEL_ERROR, err.what(), g_logSinkContext);
+			}
+			return false;
+		}
+		catch (...)
+		{
+			return false;
+		}
 	}
 
 	return WINFW_POLICY_STATUS_SUCCESS == WinFw_Reset();
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index 796b034762..b3f95a2cbf 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -92,10 +92,12 @@ WinFw_InitializeBlocked(
 	void *logSinkContext
 );
 
-enum WINFW_CLEANUP_POLICY
+enum WINFW_CLEANUP_POLICY : uint32_t
 {
 	// Continue blocking if this happens to be the active policy
 	// otherwise reset the firewall.
+	// This adds persistent blocking filters that are active until
+	// WinFw is reinitialized.
 	WINFW_CLEANUP_POLICY_CONTINUE_BLOCKING = 0,
 
 	// Remove all objects that have been registered with WFP.
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index 85a6e0d0b4..8f9c37f919 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -38,6 +38,7 @@
     <ClCompile Include="rules\dns\permitnontunnel.cpp" />
     <ClCompile Include="rules\dns\permittunnel.cpp" />
     <ClCompile Include="rules\multi\permitvpnrelay.cpp" />
+    <ClCompile Include="rules\persistent\blockall.cpp" />
     <ClCompile Include="rules\shared.cpp" />
     <ClCompile Include="sessioncontroller.cpp" />
     <ClCompile Include="sessionrecord.cpp" />
@@ -71,6 +72,7 @@
     <ClInclude Include="rules\dns\permitnontunnel.h" />
     <ClInclude Include="rules\dns\permittunnel.h" />
     <ClInclude Include="rules\multi\permitvpnrelay.h" />
+    <ClInclude Include="rules\persistent\blockall.h" />
     <ClInclude Include="rules\ports.h" />
     <ClInclude Include="rules\shared.h" />
     <ClInclude Include="wfpobjecttype.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index 9ac82e87fb..312045876e 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -58,6 +58,9 @@
     <ClCompile Include="rules\multi\permitvpnrelay.cpp">
       <Filter>rules\multi</Filter>
     </ClCompile>
+    <ClCompile Include="rules\persistent\blockall.cpp">
+      <Filter>rules\persistent</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="stdafx.h" />
@@ -126,6 +129,9 @@
     <ClInclude Include="rules\multi\permitvpnrelay.h">
       <Filter>rules\multi</Filter>
     </ClInclude>
+    <ClInclude Include="rules\persistent\blockall.h">
+      <Filter>rules\persistent</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Filter Include="rules">
@@ -140,6 +146,9 @@
     <Filter Include="rules\multi">
       <UniqueIdentifier>{005cce7c-ed9d-4675-8e4f-759c9682b77e}</UniqueIdentifier>
     </Filter>
+    <Filter Include="rules\persistent">
+      <UniqueIdentifier>{d98577af-1119-4c3a-8a04-d24f461ee61c}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <None Include="winfw.def" />