author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 18:11:40 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 18:11:40 +0200 |
commit | 4a9a8764def6f1a1a503707e17cce8a9dd41e469 (patch) | |
tree | a06d4230e604a719c867e9ace66196cc2ef1584f | |
parent | firewall: pass blob of security descriptor instead of raw, and give dacl (diff) | |
firewall: since DNS is a blacklist, we have to exclude our own interface
-rw-r--r-- | service/firewall/blocker.go | 2 | ||||
-rw-r--r-- | service/firewall/rules.go | 22 |
2 files changed, 18 insertions, 6 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index d0f39a90..8ef26278 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -198,7 +198,7 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
 }
 if restrictDNS {
- err = blockDnsUnmatched(session, baseObjects)
+ err = blockDnsNonTun(session, baseObjects, luid)
 if err != nil {
 return wrapErr(err)
 }
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index b36ed87f..74d35609 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -873,8 +873,10 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error {
 }
 // Block all DNS except what is matched by a permissive rule.
-func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
- condition := wtFwpmFilterCondition0{
+func blockDnsNonTun(session uintptr, baseObjects *baseObjects, ifLuid uint64) error {
+ var conditions [2]wtFwpmFilterCondition0
+
+ conditions[0] = wtFwpmFilterCondition0{
 fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
 matchType: cFWP_MATCH_EQUAL,
 conditionValue: wtFwpConditionValue0{
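Review bot: The doc comment that survives as context in the rules.go hunk, `// Block all DNS except what is matched by a permissive rule.`, no longer describes blockDnsNonTun, which now takes ifLuid and, in the following hunk, exempts that interface from the block. Suggest `// Block all DNS (remote port 53) except what a permissive rule matches or what leaves through the tunnel interface identified by ifLuid.` so the exemption is visible at the call site without reading the conditions. The function body continues past the end of this hunk.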
@@ -882,13 +884,23 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
 value: uintptr(53),
 },
 }
+ conditions[1] = wtFwpmFilterCondition0{
+ fieldKey: cFWPM_CONDITION_IP_LOCAL_INTERFACE,
+ matchType: cFWP_MATCH_NOT_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT64,
+ value: (uintptr)(unsafe.Pointer(&ifLuid)),
+ },
+ }
+
+ //TODO: we want to permit port 53 traffic coming from the wireguard service, in case people are using that port for tunneling.
 filter := wtFwpmFilter0{
 providerKey: &baseObjects.provider,
 subLayerKey: baseObjects.blacklist,
- weight: filterWeightMin(),
- numFilterConditions: 1,
- filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
+ weight: filterWeightMax(),
+ numFilterConditions: uint32(len(conditions)),
+ filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
 action: wtFwpmAction0{
 _type: cFWP_ACTION_BLOCK,
 },
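Review bot: `value: (uintptr)(unsafe.Pointer(&ifLuid))` turns the address of a stack parameter into a bare uintptr outside a syscall expression, which Go's unsafe.Pointer rules do not permit: a uintptr is neither traced by the collector nor rewritten when the goroutine stack is moved, so the LUID condition may point at stale memory by the time filter is handed to WFP (that call is outside the hunk, and whether ifLuid stays on the stack depends on escape analysis of the whole function). The filterCondition field a few lines below shows the safe shape, a typed `*wtFwpmFilterCondition0`, so the LUID should likewise live behind a typed pointer that stays reachable until the add call returns, with the uintptr taken only at the point of use. The TODO above filter also records a functional gap better tracked as an issue than a comment: at `filterWeightMax()` in the blacklist sublayer this rule appears to block the WireGuard service's own UDP to a peer endpoint on port 53 over a non-tunnel interface, so such tunnels cannot come up while DNS restriction is enabled.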