author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 22:36:17 +0200 |
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 22:36:17 +0200 |
commit | 1d5f99dc1c45ddedaa59f9ccc946792b42273e36 (patch) | |
tree | 21a4939338a7c8f23b74a3566a38e69b1a77258f | |
parent | firewall: block dns before allowing localhost (diff) | |
download | wireguard-windows-1d5f99dc1c45ddedaa59f9ccc946792b42273e36.tar.xz wireguard-windows-1d5f99dc1c45ddedaa59f9ccc946792b42273e36.zip |
firewall: DNS is TCP and UDP
-rw-r--r-- | service/firewall/rules.go | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index ab356e70..7ac848b8 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -723,7 +723,9 @@ func blockAll(session uintptr, baseObjects *baseObjects, weight uint8) error {
 
 // Block all DNS except what is matched by a permissive rule.
 func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
-	condition := wtFwpmFilterCondition0{
+	var conditions [3]wtFwpmFilterCondition0
+
+	conditions[0] = wtFwpmFilterCondition0{
 		fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
 		matchType: cFWP_MATCH_EQUAL,
 		conditionValue: wtFwpConditionValue0{
@@ -731,13 +733,30 @@ func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
 			value: uintptr(53),
 		},
 	}
+	conditions[1] = wtFwpmFilterCondition0{
+		fieldKey: cFWPM_CONDITION_IP_PROTOCOL,
+		matchType: cFWP_MATCH_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_UINT8,
+			value: uintptr(cIPPROTO_UDP),
+		},
+	}
+	// Repeat the condition type for logical OR.
+	conditions[2] = wtFwpmFilterCondition0{
+		fieldKey: cFWPM_CONDITION_IP_PROTOCOL,
+		matchType: cFWP_MATCH_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_UINT8,
+			value: uintptr(cIPPROTO_TCP),
+		},
+	}
 
 	filter := wtFwpmFilter0{
 		providerKey: &baseObjects.provider,
 		subLayerKey: baseObjects.filters,
 		weight: filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
+		numFilterConditions: uint32(len(conditions)),
+		filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
 		action: wtFwpmAction0{
 			_type: cFWP_ACTION_BLOCK,
 		},
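Review bot: The comment `// Repeat the condition type for logical OR.` above the conditions[2] literal in the second hunk carries the whole correctness argument for this block rule, but it leaves the other half implicit: WFP ORs conditions that share a fieldKey and ANDs conditions with different fieldKeys, so this filter matches remote port 53 AND (UDP OR TCP). A later condition added with a different fieldKey would silently become an AND and narrow what gets blocked, so I would spell the rule out once at the `var conditions [3]wtFwpmFilterCondition0` declaration: `// WFP ORs conditions with the same fieldKey and ANDs conditions with different fieldKeys: remote port 53 AND (UDP OR TCP).` The rest of blockDns, including the call that installs the filter and any per-layer (IPv4/IPv6) handling, lies outside the hunk.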