authorEmīls Piņķis <emils@mullvad.net>2019-12-11 16:19:33 +0000
committerEmīls Piņķis <emils@mullvad.net>2019-12-12 12:20:37 +0000
commitaf8cf686b856bf60e412ede9707dfce3b815ba39 (patch)
treedd690e6295063e7551f6aca00257aff65972e927 /windows
parentf0cc1c02ba50a4264666d1df3e06a1e018010baf (diff)
downloadmullvadvpn-af8cf686b856bf60e412ede9707dfce3b815ba39.tar.xz
mullvadvpn-af8cf686b856bf60e412ede9707dfce3b815ba39.zip
HACK: Allow relays on port 53 in WinFw
Add an extra permissive filter in the blacklist sublayer to allow packets going to the tunnel host when the daemon is trying to connect to the tunnel over port 53.
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp3
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp15
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h1
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.cpp30
-rw-r--r--windows/winfw/src/winfw/rules/restrictdns.h4
5 files changed, 50 insertions, 3 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index 49f8793572..bd89b3cf65 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -167,7 +167,8 @@ bool FwContext::applyPolicyConnected
ruleset.emplace_back(std::make_unique<rules::RestrictDns>(
tunnelInterfaceAlias,
wfp::IpAddress(v4DnsHost),
- (v6DnsHost != nullptr) ? std::make_unique<wfp::IpAddress>(v6DnsHost) : nullptr
+ (v6DnsHost != nullptr) ? std::make_unique<wfp::IpAddress>(v6DnsHost) : nullptr,
+ (relay.port == 53) ? std::make_unique<wfp::IpAddress>(relay.ip) : nullptr
));
return applyRuleset(ruleset);
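Review bot: The DNS port is hard-coded twice, as `relay.port == 53` here and as `ConditionPort::Remote(53)` inside RestrictDns::apply, so the caller's gate and the filter's match condition can silently drift apart. Either pass `relay.port` through and let RestrictDns compare it against one named constant, or hoist a single `DNS_PORT` constant next to the filter and use it in both places. Note also that RestrictDns installs the permit only at the IPv4 ALE layer, so if `relay.ip` can ever be an IPv6 address the exemption is silently absent for it; a comment stating that assumption at this call site would help. applyPolicyConnected starts outside the hunk.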
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index e73fac26ed..770c81f7db 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -52,6 +52,7 @@ DetailedWfpObjectRegistry MullvadGuids::BuildDetailedRegistry()
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv4()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv4()));
@@ -473,6 +474,20 @@ const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4()
}
//static
+const GUID& MullvadGuids::FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53()
+{
+ static const GUID g =
+ {
+ 0x6a613b73,
+ 0x7308,
+ 0x4ae4,
+ { 0x91, 0x7d, 0xd2, 0xa2, 0x29, 0x17, 0xcc, 0x3f }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv6()
{
static const GUID g =
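Review bot: `FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53` is a point of style: the accessor is registered in the WFP object registry alongside the `FilterRestrictDns_Outbound_*` accessors, and once this GUID has shipped it presumably has to stay stable so that existing installs can locate and remove the filter, which makes the "HACK" tag permanent. A name that describes the object, e.g. `FilterRestrictDns_Permit_Relay_Port53_Ipv4`, fits its neighbours better. The reason it is a hack belongs in a comment above the accessor, such as `// Permits the relay endpoint on port 53 so the tunnel can be established when DNS blocking is active.`, rather than in the identifier.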
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 3c3ca9702b..a2001a2bdb 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -58,6 +58,7 @@ public:
static const GUID &FilterRestrictDns_Outbound_Ipv4();
static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv4();
+ static const GUID &FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53();
static const GUID &FilterRestrictDns_Outbound_Ipv6();
static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv6();
diff --git a/windows/winfw/src/winfw/rules/restrictdns.cpp b/windows/winfw/src/winfw/rules/restrictdns.cpp
index 41446db19a..2eb560d973 100644
--- a/windows/winfw/src/winfw/rules/restrictdns.cpp
+++ b/windows/winfw/src/winfw/rules/restrictdns.cpp
@@ -12,10 +12,14 @@ using namespace wfp::conditions;
namespace rules
{
-RestrictDns::RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress v4DnsHost, std::unique_ptr<wfp::IpAddress> v6DnsHost)
+RestrictDns::RestrictDns(const std::wstring& tunnelInterfaceAlias,
+ const wfp::IpAddress v4DnsHost,
+ std::unique_ptr<wfp::IpAddress> v6DnsHost,
+ std::unique_ptr<wfp::IpAddress> relay)
: m_tunnelInterfaceAlias(tunnelInterfaceAlias)
, m_v4DnsHost(v4DnsHost)
, m_v6DnsHost(std::move(v6DnsHost))
+ , m_relayHost(std::move(relay))
{
}
@@ -33,6 +37,30 @@ bool RestrictDns::apply(IObjectInstaller &objectInstaller)
// TODO: Have each rule specify requirements?
//
+ if (nullptr != m_relayHost) {
+
+ filterBuilder
+ .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4())
+ .name(L"Permit relay connection over port 53 (IPv4)")
+ .key(MullvadGuids::FilterRestrictDns_HACK_TO_ALLOW_RELAY_ON_PORT_53())
+ .description(L"This filter is part of a rule that restricts DNS traffic")
+ .provider(MullvadGuids::Provider())
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
+ .sublayer(MullvadGuids::SublayerBlacklist())
+ .weight(wfp::FilterBuilder::WeightClass::Max)
+ .permit();
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+
+ conditionBuilder.add_condition(ConditionPort::Remote(53));
+ conditionBuilder.add_condition(ConditionIp::Remote(*m_relayHost, CompareEq()));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
filterBuilder
.key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4())
.name(L"Block DNS requests outside the VPN tunnel (IPv4)")
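Review bot: The builder chain for the new permit filter calls `.key()` twice, first with `FilterRestrictDns_Outbound_Ipv4()`, the block filter's GUID, and then with the new HACK GUID; the first call looks like a copy-paste leftover and should be deleted, because if the builder does not simply overwrite the key the permit and block filters would share an identifier. The permit also carries no protocol or application condition, so it exempts every process on the host, over both TCP and UDP, from the DNS block for traffic to relay:53, not just the daemon's tunnel connection that the commit message describes. If `wfp::conditions` offers a protocol condition and an application-ID condition, adding the relay's transport protocol and the daemon executable to `conditionBuilder` narrows the exemption to what the hack actually needs; at minimum the protocol should match the relay transport. The `.description` string is copied from the block filters and should say the filter permits rather than restricts. RestrictDns::apply begins and ends outside the hunk.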
diff --git a/windows/winfw/src/winfw/rules/restrictdns.h b/windows/winfw/src/winfw/rules/restrictdns.h
index 0dba66a048..0b54a6465e 100644
--- a/windows/winfw/src/winfw/rules/restrictdns.h
+++ b/windows/winfw/src/winfw/rules/restrictdns.h
@@ -11,7 +11,7 @@ class RestrictDns : public IFirewallRule
{
public:
- RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress v4DnsHost, std::unique_ptr<wfp::IpAddress> v6DnsHost);
+ RestrictDns(const std::wstring &tunnelInterfaceAlias, const wfp::IpAddress v4DnsHost, std::unique_ptr<wfp::IpAddress> v6DnsHost, std::unique_ptr<wfp::IpAddress> relay);
bool apply(IObjectInstaller &objectInstaller) override;
@@ -20,6 +20,8 @@ private:
const std::wstring m_tunnelInterfaceAlias;
const wfp::IpAddress m_v4DnsHost;
const std::unique_ptr<wfp::IpAddress> m_v6DnsHost;
+ // If connecting to relay on port 53, the traffic to port 53 should be allowed.
+ const std::unique_ptr<wfp::IpAddress> m_relayHost;
};
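Review bot: The comment on `m_relayHost` states the intent but not the contract: the member is nullptr unless the caller decided the relay is reached over port 53, and when set it drives an IPv4-only permit filter. Suggest replacing it with `// Relay address when the daemon connects to the relay over port 53; nullptr otherwise.` followed by `// When set, apply() installs a permit filter exempting traffic to this host:53 from the outbound DNS block (IPv4 layer only).` The enclosing class header lies outside the hunk.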