authorDavid Lönnhager <david.l@mullvad.net>2025-09-18 17:22:18 +0200
committerDavid Lönnhager <david.l@mullvad.net>2025-09-18 17:22:18 +0200
commitc072667ffed6b4b698cec5a4a8adff00be88c3e5 (patch)
treec1fe4b5354c23e939f97577ef7aadaf6eab5731e /windows
parent923414f3f00b033dde8ed538ad05c18da4da6b27 (diff)
parenta074cb8e3625d5378c0be7954b1f5423479d071c (diff)
downloadmullvadvpn-c072667ffed6b4b698cec5a4a8adff00be88c3e5.tar.xz
mullvadvpn-c072667ffed6b4b698cec5a4a8adff00be88c3e5.zip
Merge branch 'add-staggered-obfuscator'
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp22
-rw-r--r--windows/winfw/src/winfw/fwcontext.h4
-rw-r--r--windows/winfw/src/winfw/winfw.cpp64
-rw-r--r--windows/winfw/src/winfw/winfw.h10
4 files changed, 71 insertions, 29 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index dc0a38b304..69a79537cd 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -191,7 +191,7 @@ FwContext::FwContext
bool FwContext::applyPolicyConnecting
(
const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
const std::optional<wfp::IpAddress> &exitEndpointIp,
const std::vector<std::wstring> &relayClients,
const std::optional<std::wstring> &tunnelInterfaceAlias,
@@ -203,7 +203,11 @@ bool FwContext::applyPolicyConnecting
AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
- AppendRelayRules(ruleset, relay, relayClients);
+
+ for (const auto &relay : relays)
+ {
+ AppendRelayRules(ruleset, relay, relayClients);
+ }
if (allowedEndpoint.has_value())
{
@@ -299,9 +303,9 @@ bool FwContext::applyPolicyConnecting
bool FwContext::applyPolicyConnected
(
const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
const std::optional<wfp::IpAddress> &exitEndpointIp,
- const std::vector<std::wstring> &relayClient,
+ const std::vector<std::wstring> &relayClients,
const std::wstring &tunnelInterfaceAlias,
const std::vector<wfp::IpAddress> &tunnelDnsServers,
const std::vector<wfp::IpAddress> &nonTunnelDnsServers
@@ -311,7 +315,11 @@ bool FwContext::applyPolicyConnected
AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
- AppendRelayRules(ruleset, relay, relayClient);
+
+ for (const auto &relay : relays)
+ {
+ AppendRelayRules(ruleset, relay, relayClients);
+ }
if (!tunnelDnsServers.empty())
{
@@ -327,14 +335,14 @@ bool FwContext::applyPolicyConnected
}
ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnel>(
- relayClient,
+ relayClients,
tunnelInterfaceAlias,
std::nullopt,
exitEndpointIp
));
ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnelService>(
- relayClient,
+ relayClients,
tunnelInterfaceAlias,
std::nullopt,
exitEndpointIp
diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h
index 8a4e4f0301..c8f3c2b4e5 100644
--- a/windows/winfw/src/winfw/fwcontext.h
+++ b/windows/winfw/src/winfw/fwcontext.h
@@ -27,7 +27,7 @@ public:
bool applyPolicyConnecting
(
const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
const std::optional<wfp::IpAddress> &exitEndpointIp,
const std::vector<std::wstring> &relayClients,
const std::optional<std::wstring> &tunnelInterfaceAlias,
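Review bot: The new `relays` parameter of applyPolicyConnecting (and of applyPolicyConnected in the next hunk) carries no documentation of its precondition: the implementation in fwcontext.cpp only loops over the vector, so an empty vector yields a ruleset with no relay rules at all, and the sole guard is the `0 == numRelays` check in winfw.cpp's exported entry points. A comment on the parameter would make that contract explicit at the class boundary: `// relays: entry relay endpoints to permit; must not be empty (validated by the WinFw_* entry points in winfw.cpp).` The declaration's parameter list continues outside the hunk.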
@@ -38,7 +38,7 @@ public:
bool applyPolicyConnected
(
const WinFwSettings &settings,
- const WinFwEndpoint &relay,
+ const std::vector<WinFwEndpoint> &relays,
const std::optional<wfp::IpAddress> &exitEndpointIp,
const std::vector<std::wstring> &relayClients,
const std::wstring &tunnelInterfaceAlias,
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index 064532235c..6d79bf8356 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -328,7 +328,8 @@ WINFW_POLICY_STATUS
WINFW_API
WinFw_ApplyPolicyConnecting(
const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
const wchar_t *exitEndpointIp,
const wchar_t **relayClients,
size_t relayClientsLen,
@@ -349,9 +350,14 @@ WinFw_ApplyPolicyConnecting(
THROW_ERROR("Invalid argument: settings");
}
- if (nullptr == relay)
+ if (nullptr == relays)
{
- THROW_ERROR("Invalid argument: relay");
+ THROW_ERROR("Invalid argument: relays");
+ }
+
+ if (0 == numRelays)
+ {
+ THROW_ERROR("Invalid argument: numRelays");
}
if (nullptr == allowedTunnelTraffic)
@@ -359,23 +365,33 @@ WinFw_ApplyPolicyConnecting(
THROW_ERROR("Invalid argument: allowedTunnelTraffic");
}
+ std::vector<WinFwEndpoint> relayEndpoints;
+ relayEndpoints.reserve(numRelays);
+ for (size_t i = 0; i < numRelays; i++)
+ {
+ relayEndpoints.push_back(relays[i]);
+ }
+
const auto exitIpAddr = (exitEndpointIp != nullptr) ? std::make_optional(wfp::IpAddress(exitEndpointIp)) : std::nullopt;
- const auto entryIpAddr = wfp::IpAddress(relay->ip);
- if (entryIpAddr == exitIpAddr)
+ for (const auto &entryEndpoint : relayEndpoints)
{
- THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ const auto ipAddr = wfp::IpAddress(entryEndpoint.ip);
+ if (ipAddr == exitIpAddr)
+ {
+ THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ }
}
std::vector<std::wstring> relayClientWstrings;
relayClientWstrings.reserve(relayClientsLen);
- for(int i = 0; i < relayClientsLen; i++) {
+ for (size_t i = 0; i < relayClientsLen; i++) {
relayClientWstrings.push_back(relayClients[i]);
}
return g_fwContext->applyPolicyConnecting(
*settings,
- *relay,
+ relayEndpoints,
exitIpAddr,
relayClientWstrings,
tunnelInterfaceAlias != nullptr ? std::make_optional(tunnelInterfaceAlias) : std::nullopt,
@@ -407,7 +423,8 @@ WINFW_POLICY_STATUS
WINFW_API
WinFw_ApplyPolicyConnected(
const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
const wchar_t *exitEndpointIp,
const wchar_t **relayClients,
size_t relayClientsLen,
@@ -430,9 +447,14 @@ WinFw_ApplyPolicyConnected(
THROW_ERROR("Invalid argument: settings");
}
- if (nullptr == relay)
+ if (nullptr == relays)
{
- THROW_ERROR("Invalid argument: relay");
+ THROW_ERROR("Invalid argument: relays");
+ }
+
+ if (0 == numRelays)
+ {
+ THROW_ERROR("Invalid argument: numRelays");
}
if (nullptr == tunnelInterfaceAlias)
@@ -450,12 +472,22 @@ WinFw_ApplyPolicyConnected(
THROW_ERROR("Invalid argument: nonTunnelDnsServers");
}
+ std::vector<WinFwEndpoint> relayEndpoints;
+ relayEndpoints.reserve(numRelays);
+ for (size_t i = 0; i < numRelays; i++)
+ {
+ relayEndpoints.push_back(relays[i]);
+ }
+
const auto exitIpAddr = (exitEndpointIp != nullptr) ? std::make_optional(wfp::IpAddress(exitEndpointIp)) : std::nullopt;
- const auto entryIpAddr = wfp::IpAddress(relay->ip);
- if (entryIpAddr == exitIpAddr)
+ for (const auto &entryEndpoint : relayEndpoints)
{
- THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ const auto ipAddr = wfp::IpAddress(entryEndpoint.ip);
+ if (ipAddr == exitIpAddr)
+ {
+ THROW_ERROR("Invalid argument: relay IP must not equal exitEndpointIp");
+ }
}
std::vector<wfp::IpAddress> convertedTunnelDnsServers;
@@ -499,13 +531,13 @@ WinFw_ApplyPolicyConnected(
std::vector<std::wstring> relayClientWstrings;
relayClientWstrings.reserve(relayClientsLen);
- for(int i = 0; i < relayClientsLen; i++) {
+ for (size_t i = 0; i < relayClientsLen; i++) {
relayClientWstrings.push_back(relayClients[i]);
}
return g_fwContext->applyPolicyConnected(
*settings,
- *relay,
+ relayEndpoints,
exitIpAddr,
relayClientWstrings,
tunnelInterfaceAlias,
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index f3e26ea4aa..f4cd3b4bca 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -159,7 +159,7 @@ enum WINFW_POLICY_STATUS
//
// Apply restrictions in the firewall that block all traffic, except:
// - What is specified by settings
-// - Communication with the relay server
+// - Communication with the relay server(s)
// - Specified in-tunnel traffic, except DNS.
//
// Parameters:
@@ -174,7 +174,8 @@ WINFW_POLICY_STATUS
WINFW_API
WinFw_ApplyPolicyConnecting(
const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
const wchar_t *exitEndpointIp,
const wchar_t **relayClient,
size_t relayClientLen,
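Review bot: The `Parameters:` list that precedes this declaration was not updated for the new `numRelays`/`relays` pair; the unchanged lines between the previous hunk (which ends at `// Parameters:`) and this one presumably still describe a single `relay`. Suggested entries, matching the checks the implementation performs: `// numRelays: Number of entries in 'relays'; must be greater than zero.` and `// relays: Array of relay endpoints to permit; must not be null, and no entry may have the same IP as 'exitEndpointIp'.` The same applies to the description block above WinFw_ApplyPolicyConnected (hunks `@@ -188,7 +189,7 @@` and `@@ -208,7 +209,8 @@`). The parameter list of WinFw_ApplyPolicyConnecting continues outside this hunk.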
@@ -188,7 +189,7 @@ WinFw_ApplyPolicyConnecting(
//
// Apply restrictions in the firewall that block all traffic, except:
// - What is specified by settings
-// - Communication with the relay server
+// - Communication with the relay server(s)
// - Non-DNS traffic inside the VPN tunnel
// - DNS requests inside the VPN tunnel to any server in 'tunnelDnsServers'
// - DNS requests outside the VPN tunnel to any server in 'nonTunnelDnsServers'
@@ -208,7 +209,8 @@ WINFW_POLICY_STATUS
WINFW_API
WinFw_ApplyPolicyConnected(
const WinFwSettings *settings,
- const WinFwEndpoint *relay,
+ size_t numRelays,
+ const WinFwEndpoint *relays,
const wchar_t *exitEndpointIp,
const wchar_t **relayClient,
size_t relayClientLen,