mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-04 23:45:34 +00:00
ac3de93d5c
This is a fork of wireguard-windows's firewall package, with the firewall rules adjusted to better line up with tailscale's needs. The package was taken from commit 3cc76ed5f222ec82748ef3bd8c41d4b059e28cdb in our fork of wireguard-go. Signed-off-by: David Anderson <danderson@tailscale.com>
1087 lines
28 KiB
Go
1087 lines
28 KiB
Go
// +build windows
|
|
|
|
/* SPDX-License-Identifier: MIT
|
|
*
|
|
* Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
|
|
*/
|
|
|
|
package firewall
|
|
|
|
import (
|
|
"unsafe"
|
|
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
//
|
|
// Known addresses.
|
|
//
|
|
var (
|
|
linkLocal = wtFwpV6AddrAndMask{[16]uint8{0xfe, 0x80}, 10}
|
|
|
|
linkLocalDHCPMulticast = wtFwpByteArray16{[16]uint8{0xFF, 0x02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2}}
|
|
siteLocalDHCPMulticast = wtFwpByteArray16{[16]uint8{0xFF, 0x05, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x3}}
|
|
|
|
linkLocalRouterMulticast = wtFwpByteArray16{[16]uint8{0xFF, 0x02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}}
|
|
)
|
|
|
|
func permitTunInterface(session uintptr, baseObjects *baseObjects, weight uint8, ifLUID uint64) error {
|
|
ifaceCondition := wtFwpmFilterCondition0{
|
|
fieldKey: cFWPM_CONDITION_IP_LOCAL_INTERFACE,
|
|
matchType: cFWP_MATCH_EQUAL,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_UINT64,
|
|
value: (uintptr)(unsafe.Pointer(&ifLUID)),
|
|
},
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: 1,
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&ifaceCondition)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
//
|
|
// #1 Permit outbound IPv4 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit outbound IPv4 traffic on TUN", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Permit inbound IPv4 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit inbound IPv4 traffic on TUN", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #3 Permit outbound IPv6 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit outbound IPv6 traffic on TUN", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #4 Permit inbound IPv6 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit inbound IPv6 traffic on TUN", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func permitWireGuardService(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
var conditions [1]wtFwpmFilterCondition0
|
|
|
|
//
|
|
// First condition is the exe path of the current process.
|
|
//
|
|
appID, err := getCurrentProcessAppID()
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
defer fwpmFreeMemory0(unsafe.Pointer(&appID))
|
|
|
|
conditions[0] = wtFwpmFilterCondition0{
|
|
fieldKey: cFWPM_CONDITION_ALE_APP_ID,
|
|
matchType: cFWP_MATCH_EQUAL,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_BYTE_BLOB_TYPE,
|
|
value: uintptr(unsafe.Pointer(appID)),
|
|
},
|
|
}
|
|
|
|
//
|
|
// Assemble the filter.
|
|
//
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
flags: cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT,
|
|
numFilterConditions: uint32(len(conditions)),
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
//
|
|
// #1 Permit outbound IPv4 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit unrestricted outbound traffic for WireGuard service (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Permit inbound IPv4 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit unrestricted inbound traffic for WireGuard service (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #3 Permit outbound IPv6 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit unrestricted outbound traffic for WireGuard service (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #4 Permit inbound IPv6 traffic.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit unrestricted inbound traffic for WireGuard service (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func permitLoopback(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
condition := wtFwpmFilterCondition0{
|
|
fieldKey: cFWPM_CONDITION_FLAGS,
|
|
matchType: cFWP_MATCH_FLAGS_ALL_SET,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_UINT32,
|
|
value: uintptr(cFWP_CONDITION_FLAG_IS_LOOPBACK),
|
|
},
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: 1,
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
//
|
|
// #1 Permit outbound IPv4 on loopback.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit outbound on loopback (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Permit inbound IPv4 on loopback.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit inbound on loopback (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #3 Permit outbound IPv6 on loopback.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit outbound on loopback (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #4 Permit inbound IPv6 on loopback.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit inbound on loopback (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func permitDHCPIPv4(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
//
|
|
// #1 Outbound DHCP request on IPv4.
|
|
//
|
|
{
|
|
var conditions [4]wtFwpmFilterCondition0
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_UDP)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_IP_LOCAL_PORT
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(68)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_IP_REMOTE_PORT
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(67)
|
|
|
|
conditions[3].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[3].matchType = cFWP_MATCH_EQUAL
|
|
conditions[3].conditionValue._type = cFWP_UINT32
|
|
conditions[3].conditionValue.value = uintptr(0xffffffff)
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit outbound DHCP request (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
displayData: *displayData,
|
|
providerKey: &baseObjects.provider,
|
|
layerKey: cFWPM_LAYER_ALE_AUTH_CONNECT_V4,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: uint32(len(conditions)),
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Inbound DHCP response on IPv4.
|
|
//
|
|
{
|
|
var conditions [3]wtFwpmFilterCondition0
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_UDP)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_IP_LOCAL_PORT
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(68)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_IP_REMOTE_PORT
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(67)
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit inbound DHCP response (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
displayData: *displayData,
|
|
providerKey: &baseObjects.provider,
|
|
layerKey: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: uint32(len(conditions)),
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func permitDHCPIPv6(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
//
|
|
// #1 Outbound DHCP request on IPv6.
|
|
//
|
|
{
|
|
var conditions [6]wtFwpmFilterCondition0
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_UDP)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_BYTE_ARRAY16_TYPE
|
|
conditions[1].conditionValue.value = uintptr(unsafe.Pointer(&linkLocalDHCPMulticast))
|
|
|
|
// Repeat the condition type for logical OR.
|
|
conditions[2].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_BYTE_ARRAY16_TYPE
|
|
conditions[2].conditionValue.value = uintptr(unsafe.Pointer(&siteLocalDHCPMulticast))
|
|
|
|
conditions[3].fieldKey = cFWPM_CONDITION_IP_REMOTE_PORT
|
|
conditions[3].matchType = cFWP_MATCH_EQUAL
|
|
conditions[3].conditionValue._type = cFWP_UINT16
|
|
conditions[3].conditionValue.value = uintptr(547)
|
|
|
|
conditions[4].fieldKey = cFWPM_CONDITION_IP_LOCAL_ADDRESS
|
|
conditions[4].matchType = cFWP_MATCH_EQUAL
|
|
conditions[4].conditionValue._type = cFWP_V6_ADDR_MASK
|
|
conditions[4].conditionValue.value = uintptr(unsafe.Pointer(&linkLocal))
|
|
|
|
conditions[5].fieldKey = cFWPM_CONDITION_IP_LOCAL_PORT
|
|
conditions[5].matchType = cFWP_MATCH_EQUAL
|
|
conditions[5].conditionValue._type = cFWP_UINT16
|
|
conditions[5].conditionValue.value = uintptr(546)
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit outbound DHCP request (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
displayData: *displayData,
|
|
providerKey: &baseObjects.provider,
|
|
layerKey: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: uint32(len(conditions)),
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Inbound DHCP response on IPv6.
|
|
//
|
|
{
|
|
var conditions [5]wtFwpmFilterCondition0
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_UDP)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_V6_ADDR_MASK
|
|
conditions[1].conditionValue.value = uintptr(unsafe.Pointer(&linkLocal))
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_IP_REMOTE_PORT
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(547)
|
|
|
|
conditions[3].fieldKey = cFWPM_CONDITION_IP_LOCAL_ADDRESS
|
|
conditions[3].matchType = cFWP_MATCH_EQUAL
|
|
conditions[3].conditionValue._type = cFWP_V6_ADDR_MASK
|
|
conditions[3].conditionValue.value = uintptr(unsafe.Pointer(&linkLocal))
|
|
|
|
conditions[4].fieldKey = cFWPM_CONDITION_IP_LOCAL_PORT
|
|
conditions[4].matchType = cFWP_MATCH_EQUAL
|
|
conditions[4].conditionValue._type = cFWP_UINT16
|
|
conditions[4].conditionValue.value = uintptr(546)
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit inbound DHCP response (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
displayData: *displayData,
|
|
providerKey: &baseObjects.provider,
|
|
layerKey: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: uint32(len(conditions)),
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
|
|
/* TODO: actually handle the hop limit somehow! The rules should vaguely be:
|
|
* - icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
|
|
* - icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255
|
|
* - icmpv6 135: either incoming or outgoing, hop limit must be 255
|
|
* - icmpv6 136: either incoming or outgoing, hop limit must be 255
|
|
* - icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255
|
|
*/
|
|
|
|
type filterDefinition struct {
|
|
displayData *wtFwpmDisplayData0
|
|
conditions []wtFwpmFilterCondition0
|
|
layer windows.GUID
|
|
}
|
|
|
|
var defs []filterDefinition
|
|
|
|
//
|
|
// Router Solicitation Message
|
|
// ICMP type 133, code 0. Outgoing.
|
|
//
|
|
{
|
|
conditions := make([]wtFwpmFilterCondition0, 4)
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_ICMPV6)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_ICMP_TYPE
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(133)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_ICMP_CODE
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(0)
|
|
|
|
conditions[3].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[3].matchType = cFWP_MATCH_EQUAL
|
|
conditions[3].conditionValue._type = cFWP_BYTE_ARRAY16_TYPE
|
|
conditions[3].conditionValue.value = uintptr(unsafe.Pointer(&linkLocalRouterMulticast))
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit NDP type 133", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
|
|
})
|
|
}
|
|
|
|
//
|
|
// Router Advertisement Message
|
|
// ICMP type 134, code 0. Incoming.
|
|
//
|
|
{
|
|
conditions := make([]wtFwpmFilterCondition0, 4)
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_ICMPV6)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_ICMP_TYPE
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(134)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_ICMP_CODE
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(0)
|
|
|
|
conditions[3].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[3].matchType = cFWP_MATCH_EQUAL
|
|
conditions[3].conditionValue._type = cFWP_V6_ADDR_MASK
|
|
conditions[3].conditionValue.value = uintptr(unsafe.Pointer(&linkLocal))
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit NDP type 134", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
|
|
})
|
|
}
|
|
|
|
//
|
|
// Neighbor Solicitation Message
|
|
// ICMP type 135, code 0. Bi-directional.
|
|
//
|
|
{
|
|
conditions := make([]wtFwpmFilterCondition0, 3)
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_ICMPV6)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_ICMP_TYPE
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(135)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_ICMP_CODE
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(0)
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit NDP type 135", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
|
|
})
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
|
|
})
|
|
}
|
|
|
|
//
|
|
// Neighbor Advertisement Message
|
|
// ICMP type 136, code 0. Bi-directional.
|
|
//
|
|
{
|
|
conditions := make([]wtFwpmFilterCondition0, 3)
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_ICMPV6)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_ICMP_TYPE
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(136)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_ICMP_CODE
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(0)
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit NDP type 136", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
|
|
})
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
|
|
})
|
|
}
|
|
|
|
//
|
|
// Redirect Message
|
|
// ICMP type 137, code 0. Incoming.
|
|
//
|
|
{
|
|
conditions := make([]wtFwpmFilterCondition0, 4)
|
|
|
|
conditions[0].fieldKey = cFWPM_CONDITION_IP_PROTOCOL
|
|
conditions[0].matchType = cFWP_MATCH_EQUAL
|
|
conditions[0].conditionValue._type = cFWP_UINT8
|
|
conditions[0].conditionValue.value = uintptr(cIPPROTO_ICMPV6)
|
|
|
|
conditions[1].fieldKey = cFWPM_CONDITION_ICMP_TYPE
|
|
conditions[1].matchType = cFWP_MATCH_EQUAL
|
|
conditions[1].conditionValue._type = cFWP_UINT16
|
|
conditions[1].conditionValue.value = uintptr(137)
|
|
|
|
conditions[2].fieldKey = cFWPM_CONDITION_ICMP_CODE
|
|
conditions[2].matchType = cFWP_MATCH_EQUAL
|
|
conditions[2].conditionValue._type = cFWP_UINT16
|
|
conditions[2].conditionValue.value = uintptr(0)
|
|
|
|
conditions[3].fieldKey = cFWPM_CONDITION_IP_REMOTE_ADDRESS
|
|
conditions[3].matchType = cFWP_MATCH_EQUAL
|
|
conditions[3].conditionValue._type = cFWP_V6_ADDR_MASK
|
|
conditions[3].conditionValue.value = uintptr(unsafe.Pointer(&linkLocal))
|
|
|
|
displayData, err := createWtFwpmDisplayData0("Permit NDP type 137", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
defs = append(defs, filterDefinition{
|
|
displayData: displayData,
|
|
conditions: conditions,
|
|
layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
|
|
})
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
for _, definition := range defs {
|
|
filter.displayData = *definition.displayData
|
|
filter.layerKey = definition.layer
|
|
filter.numFilterConditions = uint32(len(definition.conditions))
|
|
filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&definition.conditions[0]))
|
|
|
|
err := fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func permitHyperV(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
//
|
|
// Only applicable on Win8+.
|
|
//
|
|
{
|
|
major, minor, _ := windows.RtlGetNtVersionNumbers()
|
|
win8plus := major > 6 || (major == 6 && minor >= 3)
|
|
|
|
if !win8plus {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
condition := wtFwpmFilterCondition0{
|
|
fieldKey: cFWPM_CONDITION_L2_FLAGS,
|
|
matchType: cFWP_MATCH_EQUAL,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_UINT32,
|
|
value: uintptr(cFWP_CONDITION_L2_IS_VM2VM),
|
|
},
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
numFilterConditions: 1,
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
//
|
|
// #1 Outbound.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit Hyper-V => Hyper-V outbound", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Inbound.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Permit Hyper-V => Hyper-V inbound", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Block all traffic except what is explicitly permitted by other rules.
|
|
func blockAll(session uintptr, baseObjects *baseObjects, weight uint8) error {
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(weight),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_BLOCK,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
//
|
|
// #1 Block outbound traffic on IPv4.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Block all outbound (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Block inbound traffic on IPv4.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Block all inbound (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #3 Block outbound traffic on IPv6.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Block all outbound (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #4 Block inbound traffic on IPv6.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Block all inbound (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Allow DNS traffic. This is less ironclad than upstream
|
|
// wireguard-windows, but until we rework our DNS configuration
|
|
// capability, it's difficult for us to identify the correct DNS
|
|
// servers to specifically allow here.
|
|
func allowDNS(session uintptr, baseObjects *baseObjects) error {
|
|
allowConditions := []wtFwpmFilterCondition0{
|
|
{
|
|
fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
|
|
matchType: cFWP_MATCH_EQUAL,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_UINT16,
|
|
value: uintptr(53),
|
|
},
|
|
},
|
|
{
|
|
fieldKey: cFWPM_CONDITION_IP_PROTOCOL,
|
|
matchType: cFWP_MATCH_EQUAL,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_UINT8,
|
|
value: uintptr(cIPPROTO_UDP),
|
|
},
|
|
},
|
|
// Repeat the condition type for logical OR.
|
|
{
|
|
fieldKey: cFWPM_CONDITION_IP_PROTOCOL,
|
|
matchType: cFWP_MATCH_EQUAL,
|
|
conditionValue: wtFwpConditionValue0{
|
|
_type: cFWP_UINT8,
|
|
value: uintptr(cIPPROTO_TCP),
|
|
},
|
|
},
|
|
}
|
|
|
|
filter := wtFwpmFilter0{
|
|
providerKey: &baseObjects.provider,
|
|
subLayerKey: baseObjects.filters,
|
|
weight: filterWeight(15),
|
|
numFilterConditions: uint32(len(allowConditions)),
|
|
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&allowConditions[0])),
|
|
action: wtFwpmAction0{
|
|
_type: cFWP_ACTION_PERMIT,
|
|
},
|
|
}
|
|
|
|
filterID := uint64(0)
|
|
|
|
//
|
|
// #1 Allow IPv4 outbound DNS.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Allow DNS outbound (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #2 Allow IPv4 inbound DNS.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Allow DNS inbound (IPv4)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #3 Allow IPv6 outbound DNS.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Allow DNS outbound (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
//
|
|
// #4 Allow IPv6 inbound DNS.
|
|
//
|
|
{
|
|
displayData, err := createWtFwpmDisplayData0("Allow DNS inbound (IPv6)", "")
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
|
|
filter.displayData = *displayData
|
|
filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
|
|
|
|
err = fwpmFilterAdd0(session, &filter, 0, &filterID)
|
|
if err != nil {
|
|
return wrapErr(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|