| author | David Lönnhager <david.l@mullvad.net> | 2025-09-18 17:22:18 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2025-09-18 17:22:18 +0200 |
| commit | c072667ffed6b4b698cec5a4a8adff00be88c3e5 (patch) | |
| tree | c1fe4b5354c23e939f97577ef7aadaf6eab5731e /windows | |
| parent | 923414f3f00b033dde8ed538ad05c18da4da6b27 (diff) | |
| parent | a074cb8e3625d5378c0be7954b1f5423479d071c (diff) | |
| download | mullvadvpn-c072667ffed6b4b698cec5a4a8adff00be88c3e5.tar.xz mullvadvpn-c072667ffed6b4b698cec5a4a8adff00be88c3e5.zip | |
Merge branch 'add-staggered-obfuscator'
Diffstat (limited to 'windows')
| -rw-r--r-- | windows/winfw/src/winfw/fwcontext.cpp | 22 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/fwcontext.h | 4 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.cpp | 64 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.h | 10 |
4 files changed, 71 insertions, 29 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index dc0a38b304..69a79537cd 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -191,7 +191,7 @@ FwContext::FwContext
 bool FwContext::applyPolicyConnecting
 (
 const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
 const std::optional<wfp::IpAddress> &exitEndpointIp,
 const std::vector<std::wstring> &relayClients,
 const std::optional<std::wstring> &tunnelInterfaceAlias,
@@ -203,7 +203,11 @@ bool FwContext::applyPolicyConnecting
 
 AppendNetBlockedRules(ruleset);
 AppendSettingsRules(ruleset, settings);
- AppendRelayRules(ruleset, relay, relayClients);
+
+ for (const auto &relay : relays)
+ {
+ AppendRelayRules(ruleset, relay, relayClients);
+ }
 
 if (allowedEndpoint.has_value())
 {
@@ -299,9 +303,9 @@ bool FwContext::applyPolicyConnecting
 bool FwContext::applyPolicyConnected
 (
 const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
 const std::optional<wfp::IpAddress> &exitEndpointIp,
- const std::vector<std::wstring> &relayClient,
+ const std::vector<std::wstring> &relayClients,
 const std::wstring &tunnelInterfaceAlias,
 const std::vector<wfp::IpAddress> &tunnelDnsServers,
 const std::vector<wfp::IpAddress> &nonTunnelDnsServers
@@ -311,7 +315,11 @@ bool FwContext::applyPolicyConnected
 
 AppendNetBlockedRules(ruleset);
 AppendSettingsRules(ruleset, settings);
- AppendRelayRules(ruleset, relay, relayClient);
+
+ for (const auto &relay : relays)
+ {
+ AppendRelayRules(ruleset, relay, relayClients);
+ }
 
 if (!tunnelDnsServers.empty())
 {
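Review bot: The loop added at @@ -203 (and its twin at @@ -311) accepts an empty `relays` vector silently and simply appends no relay permit rules, so the call succeeds with a policy that — going by the preceding `AppendNetBlockedRules` — presumably leaves all relay traffic blocked; the only guard is the `numRelays == 0` check in the `WinFw_` entry points, which other `FwContext` callers are not forced to go through. Since `applyPolicyConnecting` and `applyPolicyConnected` are public methods, either reject the empty vector here or state the precondition on their declarations in fwcontext.h, e.g. a comment above each loop: `// Precondition: relays is non-empty (enforced by the WinFw_* entry points); an empty vector yields a policy with no relay permit rules.` Both enclosing functions start and end outside these hunks.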
@@ -327,14 +335,14 @@ bool FwContext::applyPolicyConnected
 }
 
 ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnel>(
- relayClient,
+ relayClients,
 tunnelInterfaceAlias,
 std::nullopt,
 exitEndpointIp
 ));
 
 ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnelService>(
- relayClient,
+ relayClients,
 tunnelInterfaceAlias,
 std::nullopt,
 exitEndpointIp
diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h
index 8a4e4f0301..c8f3c2b4e5 100644
--- a/windows/winfw/src/winfw/fwcontext.h
+++ b/windows/winfw/src/winfw/fwcontext.h
@@ -27,7 +27,7 @@ public:
 bool applyPolicyConnecting
 (
 const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
 const std::optional<wfp::IpAddress> &exitEndpointIp,
 const std::vector<std::wstring> &relayClients,
 const std::optional<std::wstring> &tunnelInterfaceAlias,
@@ -38,7 +38,7 @@ public:
 bool applyPolicyConnected
 (
 const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
 const std::optional<wfp::IpAddress> &exitEndpointIp,
 const std::vector<std::wstring> &relayClients,
 const std::wstring &tunnelInterfaceAlias,
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index 064532235c..6d79bf8356 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -328,7 +328,8 @@
 WINFW_POLICY_STATUS WINFW_API
 WinFw_ApplyPolicyConnecting(
 const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
 const wchar_t *exitEndpointIp,
 const wchar_t **relayClients,
 size_t relayClientsLen,
@@ -349,9 +350,14 @@ WinFw_ApplyPolicyConnecting(
 THROW_ERROR("Invalid argument: settings");
 }
 
- if (nullptr == relay)
+ if (nullptr == relays)
 {
- THROW_ERROR("Invalid argument: relay");
+ THROW_ERROR("Invalid argument: relays");
+ }
+
+ if (0 == numRelays)
+ {
+ THROW_ERROR("Invalid argument: numRelays");
 }
 
 if (nullptr == allowedTunnelTraffic)
@@ -359,23 +365,33 @@ WinFw_ApplyPolicyConnecting(
 THROW_ERROR("Invalid argument: allowedTunnelTraffic");
 }
 
+ std::vector<WinFwEndpoint> relayEndpoints;
+ relayEndpoints.reserve(numRelays);
+ for (size_t i = 0; i < numRelays; i++)
+ {
+ relayEndpoints.push_back(relays[i]);
+ }
+
 const auto exitIpAddr = (exitEndpointIp != nullptr) ? std::make_optional(wfp::IpAddress(exitEndpointIp)) : std::nullopt;
 
- const auto entryIpAddr = wfp::IpAddress(relay->ip);
- if (entryIpAddr == exitIpAddr)
+ for (const auto &entryEndpoint : relayEndpoints)
 {
- THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ const auto ipAddr = wfp::IpAddress(entryEndpoint.ip);
+ if (ipAddr == exitIpAddr)
+ {
+ THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ }
 }
 
 std::vector<std::wstring> relayClientWstrings;
 relayClientWstrings.reserve(relayClientsLen);
- for(int i = 0; i < relayClientsLen; i++) {
+ for (size_t i = 0; i < relayClientsLen; i++) {
 relayClientWstrings.push_back(relayClients[i]);
 }
 
 return g_fwContext->applyPolicyConnecting(
 *settings,
- *relay,
+ relayEndpoints,
 exitIpAddr,
 relayClientWstrings,
 tunnelInterfaceAlias != nullptr ? std::make_optional(tunnelInterfaceAlias) : std::nullopt,
@@ -407,7 +423,8 @@
 WINFW_POLICY_STATUS WINFW_API
 WinFw_ApplyPolicyConnected(
 const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
 const wchar_t *exitEndpointIp,
 const wchar_t **relayClients,
 size_t relayClientsLen,
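Review bot: The relay copy and the relay-vs-exit IP check added at @@ -359 are repeated verbatim in WinFw_ApplyPolicyConnected at @@ -450; a single static helper placed above both entry points keeps the two validation paths from drifting, and the reserve/push_back loop collapses to the vector's range constructor. `WinFwEndpoint` also appears to carry a borrowed `ip` string (it is handed to `wfp::IpAddress` exactly like the `const wchar_t *exitEndpointIp`), so the copies in `relayEndpoints` borrow caller memory and are only valid for the duration of the call — true today because `applyPolicyConnecting` is invoked synchronously, but worth a comment so nobody later stores the vector. Whether `wfp::IpAddress` tolerates a null `ip` is not visible here; the old `relay->ip` had the same exposure, but if `ip` is a pointer as its use suggests, the new per-entry loop is the natural place for a null check. Both enclosing functions start and end outside this hunk.
```cpp
// Copies the caller's relay array and rejects any relay whose IP equals the exit endpoint.
// Shared by WinFw_ApplyPolicyConnecting and WinFw_ApplyPolicyConnected. The copied
// WinFwEndpoint values borrow the caller's strings and must not outlive the call.
static std::vector<WinFwEndpoint> CollectRelayEndpoints(
	size_t numRelays,
	const WinFwEndpoint *relays,
	const std::optional<wfp::IpAddress> &exitIpAddr
)
{
	std::vector<WinFwEndpoint> relayEndpoints(relays, relays + numRelays);

	for (const auto &entryEndpoint : relayEndpoints)
	{
		const auto ipAddr = wfp::IpAddress(entryEndpoint.ip);
		if (ipAddr == exitIpAddr)
		{
			THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
		}
	}

	return relayEndpoints;
}

// … unchanged: WinFw_ApplyPolicyConnecting argument null checks …
	const auto exitIpAddr = (exitEndpointIp != nullptr) ? std::make_optional(wfp::IpAddress(exitEndpointIp)) : std::nullopt;
	const auto relayEndpoints = CollectRelayEndpoints(numRelays, relays, exitIpAddr);
	// … unchanged: relayClientWstrings conversion and the applyPolicyConnecting call …
```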
@@ -430,9 +447,14 @@ WinFw_ApplyPolicyConnected(
 THROW_ERROR("Invalid argument: settings");
 }
 
- if (nullptr == relay)
+ if (nullptr == relays)
 {
- THROW_ERROR("Invalid argument: relay");
+ THROW_ERROR("Invalid argument: relays");
+ }
+
+ if (0 == numRelays)
+ {
+ THROW_ERROR("Invalid argument: numRelays");
 }
 
 if (nullptr == tunnelInterfaceAlias)
@@ -450,12 +472,22 @@ WinFw_ApplyPolicyConnected(
 THROW_ERROR("Invalid argument: nonTunnelDnsServers");
 }
 
+ std::vector<WinFwEndpoint> relayEndpoints;
+ relayEndpoints.reserve(numRelays);
+ for (size_t i = 0; i < numRelays; i++)
+ {
+ relayEndpoints.push_back(relays[i]);
+ }
+
 const auto exitIpAddr = (exitEndpointIp != nullptr) ? std::make_optional(wfp::IpAddress(exitEndpointIp)) : std::nullopt;
 
- const auto entryIpAddr = wfp::IpAddress(relay->ip);
- if (entryIpAddr == exitIpAddr)
+ for (const auto &entryEndpoint : relayEndpoints)
 {
- THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ const auto ipAddr = wfp::IpAddress(entryEndpoint.ip);
+ if (ipAddr == exitIpAddr)
+ {
+ THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ }
 }
 
 std::vector<wfp::IpAddress> convertedTunnelDnsServers;
@@ -499,13 +531,13 @@ WinFw_ApplyPolicyConnected(
 
 std::vector<std::wstring> relayClientWstrings;
 relayClientWstrings.reserve(relayClientsLen);
- for(int i = 0; i < relayClientsLen; i++) {
+ for (size_t i = 0; i < relayClientsLen; i++) {
 relayClientWstrings.push_back(relayClients[i]);
 }
 
 return g_fwContext->applyPolicyConnected(
 *settings,
- *relay,
+ relayEndpoints,
 exitIpAddr,
 relayClientWstrings,
 tunnelInterfaceAlias,
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index f3e26ea4aa..f4cd3b4bca 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -159,7 +159,7 @@ enum WINFW_POLICY_STATUS
 //
 // Apply restrictions in the firewall that block all traffic, except:
 // - What is specified by settings
-// - Communication with the relay server
+// - Communication with the relay server(s)
 // - Specified in-tunnel traffic, except DNS.
 //
 // Parameters:
@@ -174,7 +174,8 @@
 WINFW_POLICY_STATUS WINFW_API
 WinFw_ApplyPolicyConnecting(
 const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
 const wchar_t *exitEndpointIp,
 const wchar_t **relayClient,
 size_t relayClientLen,
@@ -188,7 +189,7 @@ WinFw_ApplyPolicyConnecting(
 //
 // Apply restrictions in the firewall that block all traffic, except:
 // - What is specified by settings
-// - Communication with the relay server
+// - Communication with the relay server(s)
 // - Non-DNS traffic inside the VPN tunnel
 // - DNS requests inside the VPN tunnel to any server in 'tunnelDnsServers'
 // - DNS requests outside the VPN tunnel to any server in 'nonTunnelDnsServers'
@@ -208,7 +209,8 @@
 WINFW_POLICY_STATUS WINFW_API
 WinFw_ApplyPolicyConnected(
 const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
 const wchar_t *exitEndpointIp,
 const wchar_t **relayClient,
 size_t relayClientLen,
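Review bot: The new `numRelays`/`relays` pair at @@ -174 (and @@ -208) is not described in the `// Parameters:` block that precedes each declaration; that block lies outside the hunk, so presumably it still documents a single `relay`. Add entries such as `// numRelays: number of entries in 'relays'; must be at least one` and `// relays: array of relay endpoints to permit; must be non-null, and no entry may share its IP with 'exitEndpointIp'`, which is exactly what winfw.cpp now enforces with its `nullptr == relays`, `0 == numRelays` and per-relay IP checks. While here, the header still names the following pair `relayClient`/`relayClientLen` whereas the definitions in winfw.cpp use `relayClients`/`relayClientsLen`; the names are not part of the ABI, but aligning them would match the `relayClient` → `relayClients` rename this commit made in fwcontext.cpp.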
