authorOdd Stranne <odd@mullvad.net>2018-07-09 20:10:03 +0200
committerOdd Stranne <odd@mullvad.net>2018-07-10 13:21:55 +0200
commitc522145c8ebcc1e5cb48cace9eaeea0f6e0a3eca (patch)
treef80564bcf4418042339961725c3cd7ce1fb0e011 /windows
parent077372387c7a856efe6803d4e77a78d643ddd304 (diff)
downloadmullvadvpn-c522145c8ebcc1e5cb48cace9eaeea0f6e0a3eca.tar.xz
mullvadvpn-c522145c8ebcc1e5cb48cace9eaeea0f6e0a3eca.zip
Add permit filters for incoming requests on the tunnel interface
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp5
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp28
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h3
-rw-r--r--windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp60
-rw-r--r--windows/winfw/src/winfw/rules/permitvpntunnelservice.h22
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters6
7 files changed, 126 insertions, 0 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index b97f350ec7..c20e70b37b 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -9,6 +9,7 @@
#include "rules/permitloopback.h"
#include "rules/permitvpnrelay.h"
#include "rules/permitvpntunnel.h"
+#include "rules/permitvpntunnelservice.h"
#include "rules/restrictdns.h"
#include "libwfp/transaction.h"
#include "libwfp/filterengine.h"
@@ -105,6 +106,10 @@ bool FwContext::applyPolicyConnected(const WinFwSettings &settings, const WinFwR
tunnelInterfaceAlias
));
+ ruleset.emplace_back(std::make_unique<rules::PermitVpnTunnelService>(
+ tunnelInterfaceAlias
+ ));
+
ruleset.emplace_back(std::make_unique<rules::RestrictDns>(
tunnelInterfaceAlias,
wfp::IpAddress(primaryDns)
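Review bot: The PermitVpnTunnelService rule added at the new emplace_back is installed unconditionally, even though applyPolicyConnected receives a WinFwSettings reference in its signature; since the rule, as written in permitvpntunnelservice.cpp in this commit, permits every inbound connection on the tunnel interface with only an interface-alias condition, a reader will want to know that always-on behaviour is deliberate rather than a missing settings check. A short comment above the call would make that explicit, e.g. `// Always permit inbound connections to services listening on the tunnel interface; this is intentionally not settings-controlled.` The enclosing function starts and ends outside the hunk.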
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index dbe00b6538..c1fac039fd 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -378,3 +378,31 @@ const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6()
return g;
}
+
+//static
+const GUID &MullvadGuids::FilterPermitVpnTunnelService_Ipv4()
+{
+ static const GUID g =
+ {
+ 0xf11a9ab4,
+ 0x3dd6,
+ 0x4cd9,
+ { 0x9d, 0x95, 0xb0, 0x36, 0x22, 0x71, 0x6b, 0x3d }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::FilterPermitVpnTunnelService_Ipv6()
+{
+ static const GUID g =
+ {
+ 0xe902e448,
+ 0x1845,
+ 0x42e5,
+ { 0xad, 0xf3, 0x33, 0xb2, 0x7a, 0xd, 0x5d, 0x38 }
+ };
+
+ return g;
+}
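Review bot: The IPv6 GUID byte array in FilterPermitVpnTunnelService_Ipv6 writes one byte as `0xd` while every other byte in both new GUIDs (and the surrounding file, as far as visible) is two-digit hex, which makes the 16-byte value harder to eyeball against a GUID string. For consistency change the line to `{ 0xad, 0xf3, 0x33, 0xb2, 0x7a, 0x0d, 0x5d, 0x38 }`. The value itself is unchanged.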
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index 788b8b8b30..1f69a20127 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -42,4 +42,7 @@ public:
static const GUID &FilterRestrictDns_Outbound_Ipv6();
static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv4();
static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv6();
+
+ static const GUID &FilterPermitVpnTunnelService_Ipv4();
+ static const GUID &FilterPermitVpnTunnelService_Ipv6();
};
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp b/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp
new file mode 100644
index 0000000000..182dad4067
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permitvpntunnelservice.cpp
@@ -0,0 +1,60 @@
+#include "stdafx.h"
+#include "permitvpntunnelservice.h"
+#include "winfw/mullvadguids.h"
+#include "libwfp/filterbuilder.h"
+#include "libwfp/conditionbuilder.h"
+#include "libwfp/conditions/conditioninterface.h"
+
+using namespace wfp::conditions;
+
+namespace rules
+{
+
+PermitVpnTunnelService::PermitVpnTunnelService(const std::wstring &tunnelInterfaceAlias)
+ : m_tunnelInterfaceAlias(tunnelInterfaceAlias)
+{
+}
+
+bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
+{
+ wfp::FilterBuilder filterBuilder;
+
+ //
+ // #1 incoming request on Ipv4
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitVpnTunnelService_Ipv4())
+ .name(L"Permit incoming requests on VPN tunnel IPv4")
+ .description(L"This filter is part of a rule that permits hosting services that listen on the tunnel interface")
+ .provider(MullvadGuids::Provider())
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)
+ .sublayer(MullvadGuids::SublayerWhitelist())
+ .weight(wfp::FilterBuilder::WeightClass::Max)
+ .permit();
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+
+ conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+
+ //
+ // #2 incoming request on IPv6
+ //
+
+ filterBuilder
+ .key(MullvadGuids::FilterPermitVpnTunnelService_Ipv6())
+ .name(L"Permit incoming requests on VPN tunnel IPv6")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+
+ conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
+ conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+
+ return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+}
+
+}
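Review bot: In PermitVpnTunnelService::apply the IPv6 filter reuses filterBuilder and sets only key, name and layer, so its description, provider, sublayer, weight and permit action are inherited from the IPv4 configuration above; that is presumably how wfp::FilterBuilder is meant to be used, but nothing in this file says so, and a reader may think the IPv6 filter is missing a description or action. Add a comment before the second builder chain, e.g. `// Reuse the IPv4 builder: description, provider, sublayer, weight and permit action carry over; only key, name and layer change.` Since the only condition on both filters is the interface alias, the rule permits inbound connections to any listening process on any port and protocol of the tunnel interface — worth stating in a doc comment on apply so the scope is clear to later maintainers. The section headers also mix `Ipv4` and `IPv6`; use `IPv4` to match the filter name string.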
diff --git a/windows/winfw/src/winfw/rules/permitvpntunnelservice.h b/windows/winfw/src/winfw/rules/permitvpntunnelservice.h
new file mode 100644
index 0000000000..adec88658b
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/permitvpntunnelservice.h
@@ -0,0 +1,22 @@
+#pragma once
+
+#include "ifirewallrule.h"
+#include <string>
+
+namespace rules
+{
+
+class PermitVpnTunnelService : public IFirewallRule
+{
+public:
+
+ PermitVpnTunnelService(const std::wstring &tunnelInterfaceAlias);
+
+ bool apply(IObjectInstaller &objectInstaller) override;
+
+private:
+
+ const std::wstring m_tunnelInterfaceAlias;
+};
+
+}
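Review bot: The single-argument constructor of PermitVpnTunnelService is not explicit, so a std::wstring converts implicitly into a rule object; declare it as `explicit PermitVpnTunnelService(const std::wstring &tunnelInterfaceAlias);`. The class also has no documentation; a one-line comment above it such as `// Permits inbound connections to services listening on the tunnel interface (IPv4 and IPv6).` would tell readers of the header what the rule does without opening the .cpp file.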
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index f6c59f9486..3753f1d220 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -27,6 +27,7 @@
<ClCompile Include="rules\permitlan.cpp" />
<ClCompile Include="rules\permitlanservice.cpp" />
<ClCompile Include="rules\permitloopback.cpp" />
+ <ClCompile Include="rules\permitvpntunnelservice.cpp" />
<ClCompile Include="rules\permitvpnrelay.cpp" />
<ClCompile Include="rules\permitvpntunnel.cpp" />
<ClCompile Include="rules\restrictdns.cpp" />
@@ -51,6 +52,7 @@
<ClInclude Include="rules\permitlan.h" />
<ClInclude Include="rules\permitlanservice.h" />
<ClInclude Include="rules\permitloopback.h" />
+ <ClInclude Include="rules\permitvpntunnelservice.h" />
<ClInclude Include="rules\permitvpnrelay.h" />
<ClInclude Include="rules\permitvpntunnel.h" />
<ClInclude Include="rules\restrictdns.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index 1b7c0711f6..40283172a8 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -33,6 +33,9 @@
<ClCompile Include="rules\restrictdns.cpp">
<Filter>rules</Filter>
</ClCompile>
+ <ClCompile Include="rules\permitvpntunnelservice.cpp">
+ <Filter>rules</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
@@ -71,6 +74,9 @@
<ClInclude Include="rules\restrictdns.h">
<Filter>rules</Filter>
</ClInclude>
+ <ClInclude Include="rules\permitvpntunnelservice.h">
+ <Filter>rules</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="rules">