authorDavid Lönnhager <david.l@mullvad.net>2022-06-14 15:32:06 +0200
committerDavid Lönnhager <david.l@mullvad.net>2022-06-15 13:43:08 +0200
commite60c68cfe6352d8ba3528eddbefa23c5a4ceae87 (patch)
treeee81a8b91a3f139373a7a4a565149d57658b4113 /windows
parent3c6e5f446d41d2607ef12efd5f8d14bd695e6625 (diff)
Remove ICMP variants for allowed tunnel traffic
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp10
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp10
-rw-r--r--windows/winfw/src/winfw/rules/shared.cpp19
-rw-r--r--windows/winfw/src/winfw/rules/shared.h2
-rw-r--r--windows/winfw/src/winfw/winfw.h2
5 files changed, 4 insertions, 39 deletions
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
index d9a1af0f28..9c45d63c92 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
@@ -54,10 +54,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
if (m_tunnelOnlyEndpoint.has_value())
{
conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- if (ProtocolHasPort(m_tunnelOnlyEndpoint->protocol))
- {
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- }
+ conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
}
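Review bot: The remote-port condition inside `if (m_tunnelOnlyEndpoint.has_value())` is now added for every endpoint, which is only correct while `WinFwProtocol` holds port-based protocols alone, and nothing at the call site records that invariant. I would add a comment above the line, e.g. `// WinFwProtocol is TCP/UDP only, so a remote port always applies; CreateProtocolCondition throws on any other value.` The same applies to the second hunk in this file and to both hunks in permitvpntunnelservice.cpp. These are permit filters for tunnel traffic, so a portless protocol added to the enum later without revisiting these four sites would presumably yield a filter that matches the wrong packets. `apply` starts and ends outside the hunk.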
@@ -85,10 +82,7 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
if (m_tunnelOnlyEndpoint.has_value())
{
conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- if (ProtocolHasPort(m_tunnelOnlyEndpoint->protocol))
- {
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- }
+ conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
}
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
index 42214b6a77..a4ff6a65e5 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
@@ -54,10 +54,7 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
if (m_tunnelOnlyEndpoint.has_value())
{
conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- if (ProtocolHasPort(m_tunnelOnlyEndpoint->protocol))
- {
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- }
+ conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
}
@@ -84,10 +81,7 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
if (m_tunnelOnlyEndpoint.has_value())
{
conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- if (ProtocolHasPort(m_tunnelOnlyEndpoint->protocol))
- {
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- }
+ conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
}
diff --git a/windows/winfw/src/winfw/rules/shared.cpp b/windows/winfw/src/winfw/rules/shared.cpp
index 1d1123e3eb..0ed80bbd70 100644
--- a/windows/winfw/src/winfw/rules/shared.cpp
+++ b/windows/winfw/src/winfw/rules/shared.cpp
@@ -45,25 +45,6 @@ std::unique_ptr<wfp::conditions::ConditionProtocol> CreateProtocolCondition(WinF
{
case WinFwProtocol::Tcp: return ConditionProtocol::Tcp();
case WinFwProtocol::Udp: return ConditionProtocol::Udp();
- case WinFwProtocol::Icmp: return ConditionProtocol::Icmp();
- case WinFwProtocol::IcmpV6: return ConditionProtocol::IcmpV6();
- default:
- {
- THROW_ERROR("Missing case handler in switch clause");
- }
- };
-}
-
-bool ProtocolHasPort(WinFwProtocol protocol)
-{
- switch (protocol)
- {
- case WinFwProtocol::Tcp:
- case WinFwProtocol::Udp:
- return true;
- case WinFwProtocol::Icmp:
- case WinFwProtocol::IcmpV6:
- return false;
default:
{
THROW_ERROR("Missing case handler in switch clause");
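Review bot: With `Icmp` and `IcmpV6` removed from the switch, the surviving `default:` branch is reached only when a caller passes a value outside the enum, yet its message still reads "Missing case handler in switch clause". `WinFwProtocol` has a `uint8_t` base in winfw.h and, judging by that header's C-style typedefs, is populated across a C API, so a caller built against the old header could still send 2 or 3. Throwing is the right fail-closed outcome, but the diagnostic should say what happened, e.g. `THROW_ERROR("Invalid WinFwProtocol value");`, with a short comment that this branch rejects out-of-range input. The function's closing lines are outside the hunk.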
diff --git a/windows/winfw/src/winfw/rules/shared.h b/windows/winfw/src/winfw/rules/shared.h
index 4f4da187ca..1fd55cb548 100644
--- a/windows/winfw/src/winfw/rules/shared.h
+++ b/windows/winfw/src/winfw/rules/shared.h
@@ -15,6 +15,4 @@ void SplitAddresses(const IpSet &in, IpSet &outIpv4, IpSet &outIpv6);
std::unique_ptr<wfp::conditions::ConditionProtocol> CreateProtocolCondition(WinFwProtocol protocol);
-bool ProtocolHasPort(WinFwProtocol protocol);
-
}
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index 6394893d91..7a7a1ca9e2 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -33,8 +33,6 @@ enum WinFwProtocol : uint8_t
{
Tcp = 0,
Udp = 1,
- Icmp = 2,
- IcmpV6 = 3
};
typedef struct tag_WinFwEndpoint