-rw-r--r--talpid-core/src/firewall/mod.rs8
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitlan.cpp6
2 files changed, 13 insertions, 1 deletions
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 7ab2e30e43..1ac58070f8 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -40,15 +40,21 @@ lazy_static! {
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0), 8).unwrap()),
];
/// When "allow local network" is enabled the app will allow traffic to these networks.
- pub(crate) static ref ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 5] = [
+ pub(crate) static ref ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 8] = [
// Local network broadcast. Not routable
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(255, 255, 255, 255), 32).unwrap()),
// Local subnetwork multicast. Not routable
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(224, 0, 0, 0), 24).unwrap()),
// Local scope (mDNS and SSDP) address
IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(239, 255, 0, 0), 16).unwrap()),
+ // Interface-local IPv6 multicast.
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff01, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Link-local IPv6 multicast. IPv6 equivalent of 224.0.0.0/24
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff02, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
+ // Realm-local IPv6 multicast.
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff03, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
+ // Admin-local IPv6 multicast.
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff04, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
// Site-local IPv6 multicast.
IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 0), 16).unwrap()),
];
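Review bot: The comments on the three added entries name the scope but not why traffic to it may bypass the tunnel, unlike the IPv4 entries above, which state "Not routable". Realm-local (`ff03::/16`) and admin-local (`ff04::/16`) scopes can extend beyond a single link, so each deserves a rationale line, for example `// Admin-local IPv6 multicast. Administratively configured scope; may span several links.` It would also help to state once that the `/16` prefix matches only groups whose flag bits are zero, so transient groups such as `ff12::/16` stay blocked. The `[IpNetwork; 8]` length has to be edited by hand with every change to the list; a short comment saying so would help the next editor. The `lazy_static!` block starts outside this hunk.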
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
index 21f082ce78..e655020287 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
@@ -110,10 +110,16 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
conditionBuilder.reset();
+ const wfp::IpNetwork interfaceLocalMulticast(wfp::IpAddress::Literal6({ 0xFF01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
const wfp::IpNetwork linkLocalMulticast(wfp::IpAddress::Literal6({ 0xFF02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
+ const wfp::IpNetwork realmLocalMulticast(wfp::IpAddress::Literal6({ 0xFF03, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
+ const wfp::IpNetwork adminLocalMulticast(wfp::IpAddress::Literal6({ 0xFF04, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
const wfp::IpNetwork siteLocalMulticast(wfp::IpAddress::Literal6({ 0xFF05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 16);
+ conditionBuilder.add_condition(ConditionIp::Remote(interfaceLocalMulticast));
conditionBuilder.add_condition(ConditionIp::Remote(linkLocalMulticast));
+ conditionBuilder.add_condition(ConditionIp::Remote(realmLocalMulticast));
+ conditionBuilder.add_condition(ConditionIp::Remote(adminLocalMulticast));
conditionBuilder.add_condition(ConditionIp::Remote(siteLocalMulticast));
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
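Review bot: The five multicast prefixes declared here duplicate `ALLOWED_LAN_MULTICAST_NETS` in `talpid-core/src/firewall/mod.rs`, and nothing ties the two lists together. A later edit to one side could leave the Windows filter permitting a different set of networks than the Rust list. A comment above the declarations would make the dependency visible, e.g. `// Keep in sync with ALLOWED_LAN_MULTICAST_NETS in talpid-core/src/firewall/mod.rs`. A second line could note that the filter relies on WFP treating several conditions on the same field as alternatives (OR), since five consecutive `add_condition` calls can be misread as a conjunction. `applyIpv6` begins and ends outside this hunk, so the surrounding filter setup is not visible here.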