authorJonathan <jonathan@mullvad.net>2023-02-16 15:41:54 +0100
committerDavid Lönnhager <david.l@mullvad.net>2023-02-28 10:07:52 +0100
commitf2f7fa7109830a6c5cb695c8ca60bf3f84ab9c10 (patch)
tree17c77f7e99979323f9b4a7e92cda88230ea25832 /windows
parentd1eb83161d45f7f98b7f4f705a9550d02e85a030 (diff)
downloadmullvadvpn-f2f7fa7109830a6c5cb695c8ca60bf3f84ab9c10.tar.xz
mullvadvpn-f2f7fa7109830a6c5cb695c8ca60bf3f84ab9c10.zip
Add PQ support for multihop, and allow listing two endpoints in the
tunnel
Diffstat (limited to 'windows')
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp37
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp77
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h12
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp101
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h10
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp90
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h5
-rw-r--r--windows/winfw/src/winfw/winfw.h10
8 files changed, 246 insertions, 96 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index 3a8b5d2fe5..ac5e367587 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -218,12 +218,15 @@ bool FwContext::applyPolicyConnecting
));
break;
}
- case WinFwAllowedTunnelTrafficType::Only:
+ case WinFwAllowedTunnelTrafficType::One:
{
- const auto onlyEndpoint = std::make_optional(baseline::PermitVpnTunnel::Endpoint{
- wfp::IpAddress(allowedTunnelTraffic.endpoint->ip),
- allowedTunnelTraffic.endpoint->port,
- allowedTunnelTraffic.endpoint->protocol
+ auto onlyEndpoint = std::make_optional<baseline::PermitVpnTunnel::Endpoints>({
+ baseline::PermitVpnTunnel::Endpoint{
+ wfp::IpAddress(allowedTunnelTraffic.entryEndpoint->ip),
+ allowedTunnelTraffic.entryEndpoint->port,
+ allowedTunnelTraffic.entryEndpoint->protocol
+ },
+ std::nullopt,
});
ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnel>(
*tunnelInterfaceAlias,
@@ -235,6 +238,30 @@ bool FwContext::applyPolicyConnecting
));
break;
}
+ case WinFwAllowedTunnelTrafficType::Two:
+ {
+ auto endpoints = std::make_optional<baseline::PermitVpnTunnel::Endpoints>({
+ baseline::PermitVpnTunnel::Endpoint{
+ wfp::IpAddress(allowedTunnelTraffic.entryEndpoint->ip),
+ allowedTunnelTraffic.entryEndpoint->port,
+ allowedTunnelTraffic.entryEndpoint->protocol
+ },
+ std::make_optional<baseline::PermitVpnTunnel::Endpoint>({
+ wfp::IpAddress(allowedTunnelTraffic.exitEndpoint->ip),
+ allowedTunnelTraffic.exitEndpoint->port,
+ allowedTunnelTraffic.exitEndpoint->protocol
+ })
+ });
+ ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnel>(
+ *tunnelInterfaceAlias,
+ endpoints
+ ));
+ ruleset.emplace_back(std::make_unique<baseline::PermitVpnTunnelService>(
+ *tunnelInterfaceAlias,
+ endpoints
+ ));
+ break;
+ }
// For the "None" case, do nothing.
}
}
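Review bot: The new `Two` case dereferences `allowedTunnelTraffic.exitEndpoint` and `allowedTunnelTraffic.entryEndpoint` without a null check, and the `One` case in the previous hunk does the same for `entryEndpoint`. Both pointers arrive through the plain C struct declared in winfw.h, so a caller that sets `type` to `Two` but leaves `exitEndpoint` null crashes inside the firewall code instead of failing policy application cleanly. I would guard at the top of the `Two` case with `if (allowedTunnelTraffic.entryEndpoint == nullptr || allowedTunnelTraffic.exitEndpoint == nullptr) { return false; }` (or whatever this function's failure path is) and the single-pointer equivalent in the `One` case. applyPolicyConnecting begins before this hunk, so if the pointers are already validated there this is covered; I cannot see that from the diff.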
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index aeab958554..49e80107db 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -130,10 +130,14 @@ MullvadGuids::DetailedIdentityRegistry MullvadGuids::DetailedRegistry(IdentityQu
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitDhcpServer_Outbound_Response_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnRelay()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitEndpoint()));
- registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4()));
- registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6()));
- registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv4()));
- registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv6()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Entry()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Entry()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Exit()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Exit()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv4_Entry()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv6_Entry()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv4_Exit()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitVpnTunnelService_Ipv6_Exit()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Outbound_Router_Solicitation()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Inbound_Router_Advertisement()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitNdp_Outbound_Neighbor_Solicitation()));
@@ -663,7 +667,7 @@ const GUID &MullvadGuids::Filter_Baseline_PermitEndpoint()
}
//static
-const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4()
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Entry()
{
static const GUID g =
{
@@ -677,7 +681,7 @@ const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4()
}
//static
-const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6()
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Entry()
{
static const GUID g =
{
@@ -691,7 +695,35 @@ const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6()
}
//static
-const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4()
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Exit()
+{
+ static const GUID g =
+ {
+ 0x7e09435c,
+ 0xefd7,
+ 0x482d,
+ { 0xa1, 0xec, 0x6c, 0xc3, 0x80, 0xac, 0xf3, 0xf1 }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Exit()
+{
+ static const GUID g =
+ {
+ 0x276bc66f,
+ 0xf9ef,
+ 0x4428,
+ { 0xb1, 0x5e, 0xd9, 0xe2, 0x6e, 0xf4, 0xf0, 0x06 }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4_Entry()
{
static const GUID g =
{
@@ -705,7 +737,7 @@ const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4()
}
//static
-const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6()
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6_Entry()
{
static const GUID g =
{
@@ -719,6 +751,35 @@ const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6()
}
//static
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4_Exit()
+{
+ static const GUID g =
+ {
+ 0x98c99ac3,
+ 0xaa54,
+ 0x45e7,
+ { 0x91, 0xc4, 0x61, 0x1a, 0x1e, 0xe2, 0x64, 0x83 }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6_Exit()
+{
+
+ static const GUID g =
+ {
+ 0x01deb2b8,
+ 0xb25d,
+ 0x4e60,
+ { 0x81, 0x52, 0xef, 0x3b, 0x40, 0xc0, 0x8e, 0xdc }
+ };
+
+ return g;
+}
+
+//static
const GUID &MullvadGuids::Filter_Baseline_PermitNdp_Outbound_Router_Solicitation()
{
static const GUID g =
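Review bot: `Filter_Baseline_PermitVpnTunnelService_Ipv6_Exit` has a stray blank line directly after its opening brace, unlike every sibling accessor in this file; dropping it keeps the accessors uniform. Separately, the bodies of the renamed `_Entry` accessors fall outside the hunk context, so I cannot confirm from this diff that their GUID values are unchanged; since these GUIDs are the persistent keys used to identify the filters (and the registry built in the first hunk is presumably what locates filters left by earlier versions), the rename must not have altered the values, which is worth a quick check.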
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index abd06dc102..57d4cc4c91 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -71,11 +71,15 @@ public:
static const GUID &Filter_Baseline_PermitEndpoint();
- static const GUID &Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4();
- static const GUID &Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6();
+ static const GUID &Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Entry();
+ static const GUID &Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Entry();
+ static const GUID &Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Exit();
+ static const GUID &Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Exit();
- static const GUID &Filter_Baseline_PermitVpnTunnelService_Ipv4();
- static const GUID &Filter_Baseline_PermitVpnTunnelService_Ipv6();
+ static const GUID &Filter_Baseline_PermitVpnTunnelService_Ipv4_Entry();
+ static const GUID &Filter_Baseline_PermitVpnTunnelService_Ipv6_Entry();
+ static const GUID &Filter_Baseline_PermitVpnTunnelService_Ipv4_Exit();
+ static const GUID &Filter_Baseline_PermitVpnTunnelService_Ipv6_Exit();
static const GUID &Filter_Baseline_PermitNdp_Outbound_Router_Solicitation();
static const GUID &Filter_Baseline_PermitNdp_Inbound_Router_Advertisement();
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
index 9c45d63c92..b5ea28aeeb 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.cpp
@@ -17,78 +17,101 @@ namespace rules::baseline
PermitVpnTunnel::PermitVpnTunnel(
const std::wstring &tunnelInterfaceAlias,
- const std::optional<Endpoint> &onlyEndpoint
+ const std::optional<Endpoints> &potentialEndpoints
)
: m_tunnelInterfaceAlias(tunnelInterfaceAlias)
- , m_tunnelOnlyEndpoint(onlyEndpoint)
+ , m_potentialEndpoints(potentialEndpoints)
{
}
-bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
+bool PermitVpnTunnel::AddEndpointFilter(const std::optional<Endpoint> &endpoint, const GUID &ipv4Guid, const GUID &ipv6Guid, IObjectInstaller &objectInstaller)
{
wfp::FilterBuilder filterBuilder;
- bool includeV4 = !m_tunnelOnlyEndpoint.has_value() || m_tunnelOnlyEndpoint->ip.type() == wfp::IpAddress::Ipv4;
- bool includeV6 = !m_tunnelOnlyEndpoint.has_value() || m_tunnelOnlyEndpoint->ip.type() == wfp::IpAddress::Ipv6;
-
- //
- // #1 Permit outbound connections, IPv4.
- //
-
filterBuilder
- .key(MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4())
- .name(L"Permit outbound connections on tunnel interface (IPv4)")
.description(L"This filter is part of a rule that permits communications inside the VPN tunnel")
.provider(MullvadGuids::Provider())
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
.sublayer(MullvadGuids::SublayerBaseline())
.weight(wfp::FilterBuilder::WeightClass::Medium)
.permit();
+ bool shouldAddV4Filter = !endpoint.has_value() || endpoint.value().ip.type() == wfp::IpAddress::Ipv4;
+ bool shouldAddV6Filter = !endpoint.has_value() || endpoint.value().ip.type() == wfp::IpAddress::Ipv6;
- if (includeV4)
+ if (shouldAddV4Filter)
{
+ filterBuilder
+ .key(ipv4Guid)
+ .name(L"Permit outbound connections on tunnel interface (IPv4)")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
+
conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
-
- if (m_tunnelOnlyEndpoint.has_value())
+ if (endpoint.has_value())
{
- conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
+ conditionBuilder.add_condition(ConditionIp::Remote(endpoint.value().ip));
+ conditionBuilder.add_condition(ConditionPort::Remote(endpoint.value().port));
+ conditionBuilder.add_condition(CreateProtocolCondition(endpoint.value().protocol));
}
-
+
if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
{
return false;
}
}
-
- //
- // #2 Permit outbound connections, IPv6.
- //
-
- filterBuilder
- .key(MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6())
- .name(L"Permit outbound connections on tunnel interface (IPv6)")
- .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
- if (includeV6)
+
+ if (shouldAddV6Filter)
{
+ filterBuilder
+ .key(ipv6Guid)
+ .name(L"Permit outbound connections on tunnel interface (IPv6)")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
+
conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
-
- if (m_tunnelOnlyEndpoint.has_value())
+ if (endpoint.has_value())
{
- conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
+ conditionBuilder.add_condition(ConditionIp::Remote(endpoint.value().ip));
+ conditionBuilder.add_condition(ConditionPort::Remote(endpoint.value().port));
+ conditionBuilder.add_condition(CreateProtocolCondition(endpoint.value().protocol));
}
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
}
+ return true;
+}
+
+bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller)
+{
+ if (!m_potentialEndpoints.has_value())
+ {
+ return AddEndpointFilter(
+ std::nullopt,
+ MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Entry(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Entry(),
+ objectInstaller
+ );
+ }
+ AddEndpointFilter(
+ std::make_optional<Endpoint>(m_potentialEndpoints.value().entryEndpoint),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Entry(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Entry(),
+ objectInstaller
+ );
+ if (m_potentialEndpoints.value().exitEndpoint.has_value())
+ {
+ AddEndpointFilter(
+ m_potentialEndpoints.value().exitEndpoint.value(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv4_Exit(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnel_Outbound_Ipv6_Exit(),
+ objectInstaller
+ );
+ }
return true;
}
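Review bot: `apply` ignores the return value of the two `AddEndpointFilter` calls for the entry and exit endpoints and then returns `true` unconditionally, so a failed filter installation is reported as success; the previous `apply` propagated the installer's result via `return objectInstaller.addFilter(filterBuilder, conditionBuilder)`. The caller can then believe the full permit ruleset is in place when the exit-endpoint filters were never added, bypassing whatever error handling or rollback it does on `false`. Wrap both calls as `if (!AddEndpointFilter(...)) { return false; }`, keeping the argument lists as they are. The same unchecked calls appear in `PermitVpnTunnelService::apply` in permitvpntunnelservice.cpp and should get the same treatment.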
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h
index ee030a9f43..a89ac46d98 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnel.h
@@ -19,17 +19,23 @@ public:
WinFwProtocol protocol;
};
+ struct Endpoints {
+ Endpoint entryEndpoint;
+ std::optional<Endpoint> exitEndpoint;
+ };
+
PermitVpnTunnel(
const std::wstring &tunnelInterfaceAlias,
- const std::optional<Endpoint> &onlyEndpoint
+ const std::optional<Endpoints> &potentialEndpoints
);
bool apply(IObjectInstaller &objectInstaller) override;
private:
+ bool AddEndpointFilter(const std::optional<Endpoint> &endpoint, const GUID &ipv4Guid, const GUID &ipv6Guid, IObjectInstaller &objectInstaller);
const std::wstring m_tunnelInterfaceAlias;
- const std::optional<Endpoint> m_tunnelOnlyEndpoint;
+ const std::optional<Endpoints> m_potentialEndpoints;
};
}
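Review bot: The new `Endpoints` struct carries no comment saying what the two members mean or when `exitEndpoint` is set, while its consumers dereference `entryEndpoint` unconditionally. I would add above the struct: `// Endpoints that traffic inside the tunnel is permitted to reach. entryEndpoint is always required; exitEndpoint is set only when a second endpoint must also be reachable (multihop, per the commit message).` As a point of style, `AddEndpointFilter` is PascalCase while the existing members (`apply`) are lowerCamel, and the same applies to the declaration added in permitvpntunnelservice.h; `addEndpointFilter` would match. Since the method only reads `m_tunnelInterfaceAlias` and otherwise works on its parameters, it could also be declared `const`.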
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
index a4ff6a65e5..0cb773725b 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.cpp
@@ -14,30 +14,22 @@ using namespace wfp::conditions;
namespace rules::baseline
{
+using Endpoint = PermitVpnTunnel::Endpoint;
PermitVpnTunnelService::PermitVpnTunnelService(
const std::wstring &tunnelInterfaceAlias,
- const std::optional<PermitVpnTunnel::Endpoint> &onlyEndpoint
+ const std::optional<PermitVpnTunnel::Endpoints> &potentialEndpoints
)
: m_tunnelInterfaceAlias(tunnelInterfaceAlias)
- , m_tunnelOnlyEndpoint(onlyEndpoint)
+ , m_potentialEndpoints(potentialEndpoints)
{
}
-bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
+bool PermitVpnTunnelService::AddEndpointFilter(const std::optional<PermitVpnTunnel::Endpoint> &endpoint, const GUID &ipv4Guid, const GUID &ipv6Guid, IObjectInstaller &objectInstaller)
{
wfp::FilterBuilder filterBuilder;
- bool includeV4 = !m_tunnelOnlyEndpoint.has_value() || m_tunnelOnlyEndpoint->ip.type() == wfp::IpAddress::Ipv4;
- bool includeV6 = !m_tunnelOnlyEndpoint.has_value() || m_tunnelOnlyEndpoint->ip.type() == wfp::IpAddress::Ipv6;
-
- //
- // #1 Permit inbound connections, IPv4.
- //
-
filterBuilder
- .key(MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4())
- .name(L"Permit inbound connections on tunnel interface (IPv4)")
.description(L"This filter is part of a rule that permits hosting services that listen on the tunnel interface")
.provider(MullvadGuids::Provider())
.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)
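Review bot: The shared builder setup still calls `.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)` even though each branch now sets the layer again per address family; the parallel change in permitvpntunnel.cpp removed the corresponding line from its shared setup. Dropping it here keeps the two rules consistent and avoids a reader assuming the IPv4 layer is a default that the IPv6 branch might inherit. The enclosing function continues in the next hunk.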
@@ -45,17 +37,24 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
.weight(wfp::FilterBuilder::WeightClass::Medium)
.permit();
- wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+ bool shouldAddV4Filter = !endpoint.has_value() || endpoint.value().ip.type() == wfp::IpAddress::Ipv4;
+ bool shouldAddV6Filter = !endpoint.has_value() || endpoint.value().ip.type() == wfp::IpAddress::Ipv6;
- if (includeV4)
+ if (shouldAddV4Filter)
{
- conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+ filterBuilder
+ .key(ipv4Guid)
+ .name(L"Permit inbound connections on tunnel interface (IPv4)")
+ .layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
- if (m_tunnelOnlyEndpoint.has_value())
+ conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+ if (endpoint.has_value())
{
- conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
+ conditionBuilder.add_condition(ConditionIp::Remote(endpoint.value().ip));
+ conditionBuilder.add_condition(ConditionPort::Remote(endpoint.value().port));
+ conditionBuilder.add_condition(CreateProtocolCondition(endpoint.value().protocol));
}
if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
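Review bot: The IPv4 branch constructs `wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4)` while the filter it is paired with is keyed to `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4`; the removed code used the RECV_ACCEPT layer for the condition builder, and the IPv6 branch in the next hunk has the same CONNECT/RECV_ACCEPT mismatch. I cannot see what `ConditionBuilder` does with its layer argument, but if it validates or encodes conditions for that layer, the inbound filter will be built with conditions meant for the outbound connect layer. The fix is `wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4);` here and `wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);` in the IPv6 branch. The enclosing function spans this hunk and the next.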
@@ -64,30 +63,57 @@ bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
}
}
- //
- // #2 Permit inbound connections, IPv6.
- //
-
- if (includeV6)
+ if (shouldAddV6Filter)
{
filterBuilder
- .key(MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6())
+ .key(ipv6Guid)
.name(L"Permit inbound connections on tunnel interface (IPv6)")
.layer(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
- conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
- conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
- if (m_tunnelOnlyEndpoint.has_value())
+ conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias));
+ if (endpoint.has_value())
{
- conditionBuilder.add_condition(ConditionIp::Remote(m_tunnelOnlyEndpoint->ip));
- conditionBuilder.add_condition(ConditionPort::Remote(m_tunnelOnlyEndpoint->port));
- conditionBuilder.add_condition(CreateProtocolCondition(m_tunnelOnlyEndpoint->protocol));
+ conditionBuilder.add_condition(ConditionIp::Remote(endpoint.value().ip));
+ conditionBuilder.add_condition(ConditionPort::Remote(endpoint.value().port));
+ conditionBuilder.add_condition(CreateProtocolCondition(endpoint.value().protocol));
}
- return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+ if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
}
+ return true;
+}
+bool PermitVpnTunnelService::apply(IObjectInstaller &objectInstaller)
+{
+ if (!m_potentialEndpoints.has_value())
+ {
+ return AddEndpointFilter(
+ std::nullopt,
+ MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4_Entry(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6_Entry(),
+ objectInstaller
+ );
+ }
+ AddEndpointFilter(
+ std::make_optional<Endpoint>(m_potentialEndpoints.value().entryEndpoint),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4_Entry(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6_Entry(),
+ objectInstaller
+ );
+ if (m_potentialEndpoints.value().exitEndpoint.has_value())
+ {
+ AddEndpointFilter(
+ m_potentialEndpoints.value().exitEndpoint.value(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv4_Exit(),
+ MullvadGuids::Filter_Baseline_PermitVpnTunnelService_Ipv6_Exit(),
+ objectInstaller
+ );
+ }
return true;
}
diff --git a/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h
index 8011659b97..8b21dc2264 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitvpntunnelservice.h
@@ -16,15 +16,16 @@ public:
PermitVpnTunnelService(
const std::wstring &tunnelInterfaceAlias,
- const std::optional<PermitVpnTunnel::Endpoint> &onlyEndpoint
+ const std::optional<PermitVpnTunnel::Endpoints> &potentialEndpoints
);
bool apply(IObjectInstaller &objectInstaller) override;
private:
+ bool AddEndpointFilter(const std::optional<PermitVpnTunnel::Endpoint> &endpoint, const GUID &ipv4Guid, const GUID &ipv6Guid, IObjectInstaller &objectInstaller);
const std::wstring m_tunnelInterfaceAlias;
- const std::optional<PermitVpnTunnel::Endpoint> m_tunnelOnlyEndpoint;
+ const std::optional<PermitVpnTunnel::Endpoints> m_potentialEndpoints;
};
}
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index 7a7a1ca9e2..c5498d3969 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -59,13 +59,15 @@ enum WinFwAllowedTunnelTrafficType : uint8_t
{
None,
All,
- Only
+ One,
+ Two
};
typedef struct tag_WinFwAllowedTunnelTraffic
{
WinFwAllowedTunnelTrafficType type;
- WinFwEndpoint *endpoint;
+ WinFwEndpoint *entryEndpoint;
+ WinFwEndpoint *exitEndpoint;
}
WinFwAllowedTunnelTraffic;
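Review bot: The struct now has two endpoint pointers and an enum with values `One` and `Two`, but nothing documents which pointer must be non-null for which value, even though fwcontext.cpp dereferences `entryEndpoint` for `One` and both pointers for `Two` without checking. I would add above the struct: `// entryEndpoint must be non-null when type is One or Two; exitEndpoint must be non-null when type is Two and is ignored otherwise.` Since this header defines the C ABI, renaming `Only` to `One` and appending `Two` also changes the enum's values, so the foreign-language side must be updated in lockstep; the diffstat is limited to the windows directory, so that cannot be confirmed here.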
@@ -181,9 +183,9 @@ WinFw_ApplyPolicyConnecting(
// Parameters:
//
// tunnelInterfaceAlias:
-// Friendly name of VPN tunnel interface
+// Friendly name of VPN tunnel interface
// dnsServers:
-// Array of string-encoded IP addresses of DNS servers to use
+// Array of string-encoded IP addresses of DNS servers to use
//
extern "C"
WINFW_LINKAGE