| -rw-r--r-- | wfpctl/src/extras/cli/commands/wfpctl/policy.cpp | 15 | ||||
| -rw-r--r-- | wfpctl/src/extras/cli/commands/wfpctl/policy.h | 1 | ||||
| -rw-r--r-- | wfpctl/src/wfpctl/wfpcontext.cpp | 55 | ||||
| -rw-r--r-- | wfpctl/src/wfpctl/wfpcontext.h | 7 | ||||
| -rw-r--r-- | wfpctl/src/wfpctl/wfpctl.cpp | 30 | ||||
| -rw-r--r-- | wfpctl/src/wfpctl/wfpctl.def | 12 | ||||
| -rw-r--r-- | wfpctl/src/wfpctl/wfpctl.h | 16 |
7 files changed, 104 insertions, 32 deletions
diff --git a/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp b/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp
index e323260e48..3d4ce2aaf6 100644
--- a/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp
+++ b/wfpctl/src/extras/cli/commands/wfpctl/policy.cpp
@@ -55,6 +55,12 @@ Policy::Policy(MessageSink messageSink)
 m_dispatcher.addSubcommand
 (
+ L"netblocked",
+ std::bind(&Policy::processNetBlocked, this)
+ );
+
+ m_dispatcher.addSubcommand
+ (
 L"reset",
 std::bind(&Policy::processReset, this)
 );
@@ -143,6 +149,15 @@ void Policy::processConnected(const KeyValuePairs &arguments)
 : L"Failed to apply policy."));
 }
+void Policy::processNetBlocked()
+{
+ auto success = Wfpctl_ApplyPolicyNetBlocked();
+
+ m_messageSink((success
+ ? L"Successfully applied policy."
+ : L"Failed to apply policy."));
+}
+
 void Policy::processReset()
 {
 auto success = Wfpctl_Reset();
diff --git a/wfpctl/src/extras/cli/commands/wfpctl/policy.h b/wfpctl/src/extras/cli/commands/wfpctl/policy.h
index 28d966fa21..524640d3e6 100644
--- a/wfpctl/src/extras/cli/commands/wfpctl/policy.h
+++ b/wfpctl/src/extras/cli/commands/wfpctl/policy.h
@@ -28,6 +28,7 @@ private:
 void processConnecting(const KeyValuePairs &arguments);
 void processConnected(const KeyValuePairs &arguments);
+ void processNetBlocked();
 void processReset();
 };
diff --git a/wfpctl/src/wfpctl/wfpcontext.cpp b/wfpctl/src/wfpctl/wfpcontext.cpp
index 6d28a075d3..9783336216 100644
--- a/wfpctl/src/wfpctl/wfpcontext.cpp
+++ b/wfpctl/src/wfpctl/wfpcontext.cpp
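Review bot: `Policy::processNetBlocked` writes out the same success/failure reporting that `processConnected` ends with at the top of the hunk and that `processReset`, by the look of its opening lines, repeats as well; a private `reportApplyResult(bool success)` helper owning the two strings would keep the user-facing messages in one place as more subcommands are added. `auto success` is never reassigned and could be `const auto success`. The registration in the first hunk gives no hint of what `netblocked` does; a line such as `// netblocked: apply the block-all policy via Wfpctl_ApplyPolicyNetBlocked` next to the `addSubcommand` call would help CLI maintainers.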
@@ -32,6 +32,26 @@ rules::PermitVpnRelay::Protocol TranslateProtocol(WfpctlProtocol protocol)
 };
 }
+void AppendSettingsRules(WfpContext::Ruleset &ruleset, const WfpctlSettings &settings)
+{
+ if (settings.permitDhcp)
+ {
+ ruleset.emplace_back(std::make_unique<rules::PermitDhcp>());
+ }
+
+ if (settings.permitLan)
+ {
+ ruleset.emplace_back(std::make_unique<rules::PermitLan>());
+ ruleset.emplace_back(std::make_unique<rules::PermitLanService>());
+ }
+}
+
+void AppendNetBlockedRules(WfpContext::Ruleset &ruleset)
+{
+ ruleset.emplace_back(std::make_unique<rules::BlockAll>());
+ ruleset.emplace_back(std::make_unique<rules::PermitLoopback>());
+}
+
 } // anonymous namespace
 WfpContext::WfpContext(uint32_t timeout)
@@ -56,7 +76,8 @@ bool WfpContext::applyPolicyConnecting(const WfpctlSettings &settings, const Wfp
 {
 Ruleset ruleset;
- appendSettingsRules(ruleset, settings);
+ AppendNetBlockedRules(ruleset);
+ AppendSettingsRules(ruleset, settings);
 ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>(
 wfp::IpAddress(relay.ip),
@@ -71,7 +92,8 @@ bool WfpContext::applyPolicyConnected(const WfpctlSettings &settings, const Wfpc
 {
 Ruleset ruleset;
- appendSettingsRules(ruleset, settings);
+ AppendNetBlockedRules(ruleset);
+ AppendSettingsRules(ruleset, settings);
 ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>(
 wfp::IpAddress(relay.ip),
@@ -91,6 +113,15 @@ bool WfpContext::applyPolicyConnected(const WfpctlSettings &settings, const Wfpc
 return applyRuleset(ruleset);
 }
+bool WfpContext::applyPolicyNetBlocked()
+{
+ Ruleset ruleset;
+
+ AppendNetBlockedRules(ruleset);
+
+ return applyRuleset(ruleset);
+}
+
 bool WfpContext::reset()
 {
 return m_sessionController->executeTransaction([this]()
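Review bot: `AppendNetBlockedRules` now carries the block-all and permit-loopback rules that `applyBaseConfiguration` used to install once, so the default-deny posture of every policy depends on each `applyPolicy*` calling it; the hunks at -56 and -71 do, but nothing states that invariant for the next policy someone adds. Suggest a comment on the helper: `// Default-deny baseline for every policy ruleset. The base configuration no longer installs a block-all rule, so each applyPolicy* must append these before its permits.` Whether `applyRuleset` (outside the hunk) depends on the order of rules in a Ruleset is not visible here; if it does not, saying so would stop readers from treating the call order as load-bearing. `applyPolicyNetBlocked` would also benefit from a one-line comment that it deliberately ignores the DHCP/LAN settings its siblings accept.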
@@ -100,20 +131,6 @@ bool WfpContext::reset()
 });
 }
-void WfpContext::appendSettingsRules(Ruleset &ruleset, const WfpctlSettings &settings)
-{
- if (settings.permitDhcp)
- {
- ruleset.emplace_back(std::make_unique<rules::PermitDhcp>());
- }
-
- if (settings.permitLan)
- {
- ruleset.emplace_back(std::make_unique<rules::PermitLan>());
- ruleset.emplace_back(std::make_unique<rules::PermitLanService>());
- }
-}
-
 bool WfpContext::applyRuleset(const Ruleset &ruleset)
 {
 return m_sessionController->executeTransaction([&]()
@@ -138,14 +155,10 @@ bool WfpContext::applyBaseConfiguration()
 {
 //
 // Install structural objects
- // Apply block-all rule
- // Apply permit loopback rule
 //
 return m_sessionController->addProvider(*MullvadObjects::Provider())
 && m_sessionController->addSublayer(*MullvadObjects::SublayerWhitelist())
- && m_sessionController->addSublayer(*MullvadObjects::SublayerBlacklist())
- && rules::BlockAll().apply(*m_sessionController)
- && rules::PermitLoopback().apply(*m_sessionController);
+ && m_sessionController->addSublayer(*MullvadObjects::SublayerBlacklist());
 });
 }
diff --git a/wfpctl/src/wfpctl/wfpcontext.h b/wfpctl/src/wfpctl/wfpcontext.h
index bfbb2a474c..23c25f0ca5 100644
--- a/wfpctl/src/wfpctl/wfpcontext.h
+++ b/wfpctl/src/wfpctl/wfpcontext.h
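Review bot: After the -138 hunk `applyBaseConfiguration` installs only the provider and the two sublayers, so no filtering rule is in effect between initialization and the first `applyPolicy*` call, and presumably after `reset()` too if it removes everything applied through `applyRuleset` (its body is largely outside the hunk). That is consistent with policies now carrying their own block-all rule, but the comment block in the hunk still reads as if base configuration establishes a posture; suggest `// Install structural objects only. No filtering rules are installed here, so traffic is unrestricted until a policy ruleset is applied.` Any caller that relied on initialization alone to block traffic loses that protection silently, so the same sentence belongs in the public header's documentation of the initialize/reset entry points (outside this diff).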
@@ -15,19 +15,18 @@ public:
 bool applyPolicyConnecting(const WfpctlSettings &settings, const WfpctlRelay &relay);
 bool applyPolicyConnected(const WfpctlSettings &settings, const WfpctlRelay &relay, const wchar_t *tunnelInterfaceAlias, const wchar_t *primaryDns);
+ bool applyPolicyNetBlocked();
 bool reset();
+ using Ruleset = std::vector<std::unique_ptr<rules::IFirewallRule> >;
+
 private:
 WfpContext(const WfpContext &) = delete;
 WfpContext &operator=(const WfpContext &) = delete;
 bool applyBaseConfiguration();
-
- using Ruleset = std::vector<std::unique_ptr<rules::IFirewallRule> >;
-
- void appendSettingsRules(Ruleset &ruleset, const WfpctlSettings &settings);
 bool applyRuleset(const Ruleset &ruleset);
 std::unique_ptr<SessionController> m_sessionController;
diff --git a/wfpctl/src/wfpctl/wfpctl.cpp b/wfpctl/src/wfpctl/wfpctl.cpp
index 84542a2ca0..5ac5617e0a 100644
--- a/wfpctl/src/wfpctl/wfpctl.cpp
+++ b/wfpctl/src/wfpctl/wfpctl.cpp
@@ -147,6 +147,36 @@ Wfpctl_ApplyPolicyConnected(
 WFPCTL_LINKAGE
 bool
 WFPCTL_API
+Wfpctl_ApplyPolicyNetBlocked(
+)
+{
+ if (nullptr == g_wfpContext)
+ {
+ return false;
+ }
+
+ try
+ {
+ return g_wfpContext->applyPolicyNetBlocked();
+ }
+ catch (std::exception &err)
+ {
+ if (nullptr != g_ErrorSink)
+ {
+ g_ErrorSink(err.what(), g_ErrorContext);
+ }
+
+ return false;
+ }
+ catch (...)
+ {
+ return false;
+ }
+}
+
+WFPCTL_LINKAGE
+bool
+WFPCTL_API
 Wfpctl_Reset()
 {
 if (nullptr == g_wfpContext)
diff --git a/wfpctl/src/wfpctl/wfpctl.def b/wfpctl/src/wfpctl/wfpctl.def
index fd1590b1aa..a175f1afb2 100644
--- a/wfpctl/src/wfpctl/wfpctl.def
+++ b/wfpctl/src/wfpctl/wfpctl.def
@@ -1,7 +1,9 @@
 LIBRARY wfpctl
 EXPORTS
- Wfpctl_ApplyPolicyConnected
- Wfpctl_ApplyPolicyConnecting
- Wfpctl_Deinitialize
- Wfpctl_Initialize
- Wfpctl_Reset
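Review bot: `Ruleset` moves into the public section only so the file-local `AppendSettingsRules`/`AppendNetBlockedRules` in wfpcontext.cpp can spell `WfpContext::Ruleset`, which exposes the `std::vector<std::unique_ptr<rules::IFirewallRule>>` representation and the `rules` namespace to every consumer of this header. Keeping the alias private and declaring the helpers as private static members, `static void appendSettingsRules(Ruleset &ruleset, const WfpctlSettings &settings);` and `static void appendNetBlockedRules(Ruleset &ruleset);`, preserves the previous interface surface with the same decoupling from instance state. While the alias is being touched, `> >` can be written `>>`, since the class already relies on C++11 (`std::unique_ptr`, `= delete`).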
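Review bot: `catch (std::exception &err)` in `Wfpctl_ApplyPolicyNetBlocked` should catch by const reference, `catch (const std::exception &err)`, since only `what()` is used. The null-context guard, the `std::exception` → `g_ErrorSink` forwarding and the `catch (...)` fallback are written out in full here and, judging by `Wfpctl_Reset` at the bottom of the hunk, in the other exports as well; a file-local wrapper holding that boilerplate would make each export a one-liner and guarantee every entry point keeps the same exception barrier at the C ABI. The sketch below shows the wrapper and the rewritten export; the existing exports could be migrated to it in a follow-up.
```cpp
// File-local exception barrier shared by every exported entry point:
// no context -> false; std::exception -> error sink, then false; anything else -> false.
template <typename F>
bool GuardedContextCall(F &&f)
{
	if (nullptr == g_wfpContext)
	{
		return false;
	}

	try
	{
		return f();
	}
	catch (const std::exception &err)
	{
		if (nullptr != g_ErrorSink)
		{
			g_ErrorSink(err.what(), g_ErrorContext);
		}

		return false;
	}
	catch (...)
	{
		return false;
	}
}

WFPCTL_LINKAGE
bool
WFPCTL_API
Wfpctl_ApplyPolicyNetBlocked(
)
{
	return GuardedContextCall([]() { return g_wfpContext->applyPolicyNetBlocked(); });
}
// … unchanged: Wfpctl_Reset …
```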
\ No newline at end of file
+
+Wfpctl_Initialize
+Wfpctl_Deinitialize
+Wfpctl_ApplyPolicyConnecting
+Wfpctl_ApplyPolicyConnected
+Wfpctl_ApplyPolicyNetBlocked
+Wfpctl_Reset
diff --git a/wfpctl/src/wfpctl/wfpctl.h b/wfpctl/src/wfpctl/wfpctl.h
index d514d5876e..3d92b02760 100644
--- a/wfpctl/src/wfpctl/wfpctl.h
+++ b/wfpctl/src/wfpctl/wfpctl.h
@@ -86,7 +86,7 @@ Wfpctl_Deinitialize();
 //
 // ApplyPolicyConnecting:
 //
-// Apply restrictions in the firewall that blocks all traffic, except:
+// Apply restrictions in the firewall that block all traffic, except:
 // - What is specified by settings
 // - Communication with the relay server
 //
@@ -102,7 +102,7 @@ Wfpctl_ApplyPolicyConnected(
 //
 // ApplyPolicyConnected:
 //
-// Apply restrictions in the firewall that blocks all traffic, except:
+// Apply restrictions in the firewall that block all traffic, except:
 // - What is specified by settings
 // - Communication with the relay server
 // - Non-DNS traffic inside the VPN tunnel
@@ -127,6 +127,18 @@ Wfpctl_ApplyPolicyConnected(
 );
 //
+// ApplyPolicyNetBlocked:
+//
+// Apply restrictions in the firewall that block all traffic.
+//
+extern "C"
+WFPCTL_LINKAGE
+bool
+WFPCTL_API
+Wfpctl_ApplyPolicyNetBlocked(
+);
+
+//
 // Reset:
 //
 // Clear the policy in effect, if any.
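Review bot: The new `ApplyPolicyNetBlocked` comment says the policy blocks all traffic, but the ruleset behind it (`AppendNetBlockedRules` in wfpcontext.cpp) also installs a permit-loopback rule, so the contract should read `// Apply restrictions in the firewall that block all traffic, except:` followed by `// - Loopback traffic`. The same loopback exception holds for `ApplyPolicyConnecting` and `ApplyPolicyConnected`, whose comments the two hunks above already edit; adding the bullet there keeps the three descriptions consistent. It would also help callers to know that this entry point ignores the DHCP/LAN settings the other two accept, since that is what distinguishes it.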
