-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp11
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitping.cpp35
-rw-r--r--windows/winfw/src/winfw/rules/baseline/permitping.h6
-rw-r--r--windows/winfw/src/winfw/rules/dns/permitnontunnel.cpp27
-rw-r--r--windows/winfw/src/winfw/rules/dns/permittunnel.cpp27
-rw-r--r--windows/winfw/src/winfw/rules/shared.cpp40
-rw-r--r--windows/winfw/src/winfw/rules/shared.h13
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters6
9 files changed, 101 insertions, 66 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index c5c4646082..54a7797a69 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -177,13 +177,10 @@ bool FwContext::applyPolicyConnecting
{
const auto &ph = pingableHosts.value();
- for (const auto &host : ph.hosts)
- {
- ruleset.emplace_back(std::make_unique<baseline::PermitPing>(
- ph.tunnelInterfaceAlias,
- host
- ));
- }
+ ruleset.emplace_back(std::make_unique<baseline::PermitPing>(
+ ph.tunnelInterfaceAlias,
+ ph.hosts
+ ));
}
return applyRuleset(ruleset);
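Review bot: The single consolidated `PermitPing` now throws when `ph.hosts` is empty, because `SplitAddresses` rejects an empty input, whereas the removed per-host loop simply installed no ping filter in that case. If an empty pingable-host list is a legal input here (not determinable from this hunk), guard the construction with `if (!ph.hosts.empty())` before the `emplace_back`; otherwise the new precondition should be stated where `pingableHosts` is populated so a caller cannot turn a connecting-policy apply into an exception. The body of `applyPolicyConnecting` begins before this hunk.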
diff --git a/windows/winfw/src/winfw/rules/baseline/permitping.cpp b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
index 0fb388a953..d8849590eb 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitping.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitping.cpp
@@ -1,11 +1,13 @@
#include "stdafx.h"
#include "permitping.h"
#include <winfw/mullvadguids.h>
+#include <winfw/rules/shared.h>
#include <libwfp/filterbuilder.h>
#include <libwfp/conditionbuilder.h>
#include <libwfp/conditions/conditionip.h>
#include <libwfp/conditions/conditioninterface.h>
#include <libwfp/conditions/conditionprotocol.h>
+#include <libcommon/error.h>
using namespace wfp::conditions;
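Review bot: The added `#include <libcommon/error.h>` looks unused in this translation unit: the only throwing code the change introduces lives in `SplitAddresses` in shared.cpp, and no `THROW_ERROR` appears in the visible parts of permitping.cpp. If nothing outside these hunks uses it, drop the include so the dependency on the error macros stays in the one file that throws. Style only.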
@@ -15,21 +17,32 @@ namespace rules::baseline
PermitPing::PermitPing
(
std::optional<std::wstring> interfaceAlias,
- const wfp::IpAddress &host
+ const std::vector<wfp::IpAddress> &hosts
)
: m_interfaceAlias(std::move(interfaceAlias))
- , m_host(host)
{
+ SplitAddresses(hosts, m_hostsIpv4, m_hostsIpv6);
}
bool PermitPing::apply(IObjectInstaller &objectInstaller)
{
- if (wfp::IpAddress::Type::Ipv4 == m_host.type())
+ if (false == m_hostsIpv4.empty())
{
- return applyIcmpv4(objectInstaller);
+ if (false == applyIcmpv4(objectInstaller))
+ {
+ return false;
+ }
}
- return applyIcmpv6(objectInstaller);
+ if (false == m_hostsIpv6.empty())
+ {
+ if (false == applyIcmpv6(objectInstaller))
+ {
+ return false;
+ }
+ }
+
+ return true;
}
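Review bot: `apply` now installs up to two filters and returns on the first failure, so a failing ICMPv6 filter leaves the ICMPv4 filter installed by the preceding call in place; whether that is rolled back depends on the caller's transaction handling, which is outside this hunk. A short comment above the function would make the contract explicit: `// One ICMPv4 filter covers all IPv4 hosts and one ICMPv6 filter all IPv6 hosts. Fails fast; undoing an already-installed filter is left to the caller's transaction.` The constructor should likewise note that `SplitAddresses` throws on an empty list or an address of unknown type, a failure mode the previous single-host signature could not reach.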
bool PermitPing::applyIcmpv4(IObjectInstaller &objectInstaller) const
@@ -52,9 +65,13 @@ bool PermitPing::applyIcmpv4(IObjectInstaller &objectInstaller) const
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
- conditionBuilder.add_condition(ConditionIp::Remote(m_host));
conditionBuilder.add_condition(ConditionProtocol::Icmp());
+ for (const auto &host : m_hostsIpv4)
+ {
+ conditionBuilder.add_condition(ConditionIp::Remote(host));
+ }
+
if (m_interfaceAlias.has_value())
{
conditionBuilder.add_condition(ConditionInterface::Alias(m_interfaceAlias.value()));
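Review bot: The correctness of collapsing the per-host filters into one depends on WFP ORing conditions that share a field key (here the remote-address field), and nothing in the hunk says so; a reader can easily take the loop as AND-ing the hosts, which would match no packet at all. Add above the loop: `// WFP ORs conditions on the same field key, so this permits ICMP to any of the listed hosts.` The DNS rules already build filters this way, so the semantics are presumably established in this codebase, but the comment saves the next reader from re-deriving it. `applyIcmpv4` starts and ends outside this hunk.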
@@ -83,9 +100,13 @@ bool PermitPing::applyIcmpv6(IObjectInstaller &objectInstaller) const
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
- conditionBuilder.add_condition(ConditionIp::Remote(m_host));
conditionBuilder.add_condition(ConditionProtocol::IcmpV6());
+ for (const auto &host : m_hostsIpv6)
+ {
+ conditionBuilder.add_condition(ConditionIp::Remote(host));
+ }
+
if (m_interfaceAlias.has_value())
{
conditionBuilder.add_condition(ConditionInterface::Alias(m_interfaceAlias.value()));
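Review bot: `applyIcmpv6` now mirrors `applyIcmpv4` line for line except for the layer, the protocol condition and which host list is iterated; a private helper taking the layer, the protocol condition and the `std::vector<wfp::IpAddress>` would remove the duplication and keep the two filters from drifting apart. Style only; the function starts and ends outside this hunk.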
diff --git a/windows/winfw/src/winfw/rules/baseline/permitping.h b/windows/winfw/src/winfw/rules/baseline/permitping.h
index b7747296f7..438aafc3f9 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitping.h
+++ b/windows/winfw/src/winfw/rules/baseline/permitping.h
@@ -4,6 +4,7 @@
#include <libwfp/ipaddress.h>
#include <string>
#include <optional>
+#include <vector>
namespace rules::baseline
{
@@ -12,14 +13,15 @@ class PermitPing : public IFirewallRule
{
public:
- PermitPing(std::optional<std::wstring> interfaceAlias, const wfp::IpAddress &host);
+ PermitPing(std::optional<std::wstring> interfaceAlias, const std::vector<wfp::IpAddress> &hosts);
bool apply(IObjectInstaller &objectInstaller) override;
private:
const std::optional<std::wstring> m_interfaceAlias;
- const wfp::IpAddress m_host;
+ std::vector<wfp::IpAddress> m_hostsIpv4;
+ std::vector<wfp::IpAddress> m_hostsIpv6;
bool applyIcmpv4(IObjectInstaller &objectInstaller) const;
bool applyIcmpv6(IObjectInstaller &objectInstaller) const;
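Review bot: The new constructor can throw (via `SplitAddresses`) on an empty `hosts` or on an address that is neither IPv4 nor IPv6, and the header does not say so; add above the declaration `/// @throws if `hosts` is empty or contains an address of unknown type.` As a style point, `m_hostsIpv4`/`m_hostsIpv6` lost the `const` that `m_host` carried only because the helper fills them through out-parameters; a helper returning `std::pair<IpSet, IpSet>` would let both members stay `const` and be set in the initialiser list.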
diff --git a/windows/winfw/src/winfw/rules/dns/permitnontunnel.cpp b/windows/winfw/src/winfw/rules/dns/permitnontunnel.cpp
index 0af09a2d8b..729254d1f4 100644
--- a/windows/winfw/src/winfw/rules/dns/permitnontunnel.cpp
+++ b/windows/winfw/src/winfw/rules/dns/permitnontunnel.cpp
@@ -2,6 +2,7 @@
#include "permitnontunnel.h"
#include <winfw/mullvadguids.h>
#include <winfw/rules/ports.h>
+#include <winfw/rules/shared.h>
#include <libwfp/filterbuilder.h>
#include <libwfp/conditionbuilder.h>
#include <libwfp/conditions/conditionport.h>
@@ -17,31 +18,7 @@ namespace rules::dns
PermitNonTunnel::PermitNonTunnel(std::optional<std::wstring> tunnelInterfaceAlias, const std::vector<wfp::IpAddress> &hosts)
: m_tunnelInterfaceAlias(std::move(tunnelInterfaceAlias))
{
- if (hosts.empty())
- {
- THROW_ERROR("Invalid argument: No hosts specified");
- }
-
- for (const auto &host : hosts)
- {
- switch (host.type())
- {
- case wfp::IpAddress::Type::Ipv4:
- {
- m_hostsIpv4.push_back(host);
- break;
- }
- case wfp::IpAddress::Type::Ipv6:
- {
- m_hostsIpv6.push_back(host);
- break;
- }
- default:
- {
- THROW_ERROR("Missing case handler in switch clause");
- }
- }
- }
+ SplitAddresses(hosts, m_hostsIpv4, m_hostsIpv6);
}
bool PermitNonTunnel::apply(IObjectInstaller &objectInstaller)
diff --git a/windows/winfw/src/winfw/rules/dns/permittunnel.cpp b/windows/winfw/src/winfw/rules/dns/permittunnel.cpp
index 64211ef17f..cc1af84223 100644
--- a/windows/winfw/src/winfw/rules/dns/permittunnel.cpp
+++ b/windows/winfw/src/winfw/rules/dns/permittunnel.cpp
@@ -2,6 +2,7 @@
#include "permittunnel.h"
#include <winfw/mullvadguids.h>
#include <winfw/rules/ports.h>
+#include <winfw/rules/shared.h>
#include <libwfp/filterbuilder.h>
#include <libwfp/conditionbuilder.h>
#include <libwfp/conditions/conditionport.h>
@@ -17,31 +18,7 @@ namespace rules::dns
PermitTunnel::PermitTunnel(const std::wstring &tunnelInterfaceAlias, const std::vector<wfp::IpAddress> &hosts)
: m_tunnelInterfaceAlias(tunnelInterfaceAlias)
{
- if (hosts.empty())
- {
- THROW_ERROR("Invalid argument: No hosts specified");
- }
-
- for (const auto &host : hosts)
- {
- switch (host.type())
- {
- case wfp::IpAddress::Type::Ipv4:
- {
- m_hostsIpv4.push_back(host);
- break;
- }
- case wfp::IpAddress::Type::Ipv6:
- {
- m_hostsIpv6.push_back(host);
- break;
- }
- default:
- {
- THROW_ERROR("Missing case handler in switch clause");
- }
- }
- }
+ SplitAddresses(hosts, m_hostsIpv4, m_hostsIpv6);
}
bool PermitTunnel::apply(IObjectInstaller &objectInstaller)
diff --git a/windows/winfw/src/winfw/rules/shared.cpp b/windows/winfw/src/winfw/rules/shared.cpp
new file mode 100644
index 0000000000..66cbbdfc83
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/shared.cpp
@@ -0,0 +1,40 @@
+#include "stdafx.h"
+#include "shared.h"
+#include <libcommon/error.h>
+
+namespace rules
+{
+
+void SplitAddresses(const IpSet &in, IpSet &outIpv4, IpSet &outIpv6)
+{
+ if (in.empty())
+ {
+ THROW_ERROR("Invalid argument: No hosts specified");
+ }
+
+ outIpv4.clear();
+ outIpv6.clear();
+
+ for (const auto &host : in)
+ {
+ switch (host.type())
+ {
+ case wfp::IpAddress::Type::Ipv4:
+ {
+ outIpv4.push_back(host);
+ break;
+ }
+ case wfp::IpAddress::Type::Ipv6:
+ {
+ outIpv6.push_back(host);
+ break;
+ }
+ default:
+ {
+ THROW_ERROR("Missing case handler in switch clause");
+ }
+ }
+ }
+}
+
+}
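Review bot: `SplitAddresses` clears `outIpv4` and `outIpv6` before reading `in`, so a call where `in` aliases one of the outputs (`SplitAddresses(v, v, w)`) clears the input and silently produces an empty result, and a throw from the `default` branch mid-loop leaves the outputs partially filled. Both are avoided by building into locals and assigning at the end, which also gives the function the strong exception guarantee a shared helper should have; `std::move` needs `<utility>`. The current callers pass fresh members from constructors, so neither case bites today, but the header signature does not forbid them.
```cpp
void SplitAddresses(const IpSet &in, IpSet &outIpv4, IpSet &outIpv6)
{
    if (in.empty())
    {
        THROW_ERROR("Invalid argument: No hosts specified");
    }

    // Build into locals so that `in` may alias an output and so that a
    // throw below leaves both outputs untouched.
    IpSet ipv4;
    IpSet ipv6;

    for (const auto &host : in)
    {
        switch (host.type())
        {
            // … unchanged: push into ipv4 / ipv6, THROW_ERROR on unknown type …
        }
    }

    outIpv4 = std::move(ipv4);
    outIpv6 = std::move(ipv6);
}
```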
diff --git a/windows/winfw/src/winfw/rules/shared.h b/windows/winfw/src/winfw/rules/shared.h
new file mode 100644
index 0000000000..1b08d3ed02
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/shared.h
@@ -0,0 +1,13 @@
+#pragma once
+
+#include <vector>
+#include <libwfp/ipaddress.h>
+
+namespace rules
+{
+
+using IpSet = std::vector<wfp::IpAddress>;
+
+void SplitAddresses(const IpSet &in, IpSet &outIpv4, IpSet &outIpv6);
+
+}
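Review bot: The new shared header documents neither the contract nor the failure modes of `SplitAddresses`, which three rule classes now depend on. Add above the declaration a comment along the lines of `/// Partitions `in` by address family into `outIpv4` and `outIpv6`, discarding their previous contents. Throws if `in` is empty or holds an address that is neither IPv4 nor IPv6.` Separately, `IpSet` names a `std::vector` that neither deduplicates nor orders; a name such as `IpList` (or a note that duplicates are preserved) would avoid implying set semantics.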
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index c3805cfec8..c999f5aaca 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -38,6 +38,7 @@
<ClCompile Include="rules\dns\blockall.cpp" />
<ClCompile Include="rules\dns\permitnontunnel.cpp" />
<ClCompile Include="rules\dns\permittunnel.cpp" />
+ <ClCompile Include="rules\shared.cpp" />
<ClCompile Include="sessioncontroller.cpp" />
<ClCompile Include="sessionrecord.cpp" />
<ClCompile Include="stdafx.cpp">
@@ -71,6 +72,7 @@
<ClInclude Include="rules\dns\permitnontunnel.h" />
<ClInclude Include="rules\dns\permittunnel.h" />
<ClInclude Include="rules\ports.h" />
+ <ClInclude Include="rules\shared.h" />
<ClInclude Include="wfpobjecttype.h" />
<ClInclude Include="rules\ifirewallrule.h" />
<ClInclude Include="sessioncontroller.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index 40d7c95067..46c0594c10 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -55,6 +55,9 @@
<ClCompile Include="rules\dns\permittunnel.cpp">
<Filter>rules\dns</Filter>
</ClCompile>
+ <ClCompile Include="rules\shared.cpp">
+ <Filter>rules</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
@@ -120,6 +123,9 @@
<ClInclude Include="rules\dns\permittunnel.h">
<Filter>rules\dns</Filter>
</ClInclude>
+ <ClInclude Include="rules\shared.h">
+ <Filter>rules</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="rules">