authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 18:11:40 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 18:11:40 +0200
commit4a9a8764def6f1a1a503707e17cce8a9dd41e469 (patch)
treea06d4230e604a719c867e9ace66196cc2ef1584f
parentfirewall: pass blob of security descriptor instead of raw, and give dacl (diff)
firewall: since DNS is a blacklist, we have to exclude our own interface
-rw-r--r--service/firewall/blocker.go2
-rw-r--r--service/firewall/rules.go22
2 files changed, 18 insertions, 6 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index d0f39a90..8ef26278 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -198,7 +198,7 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
}
if restrictDNS {
- err = blockDnsUnmatched(session, baseObjects)
+ err = blockDnsNonTun(session, baseObjects, luid)
if err != nil {
return wrapErr(err)
}
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index b36ed87f..74d35609 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -873,8 +873,10 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error {
}
// Block all DNS except what is matched by a permissive rule.
-func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
- condition := wtFwpmFilterCondition0{
+func blockDnsNonTun(session uintptr, baseObjects *baseObjects, ifLuid uint64) error {
+ var conditions [2]wtFwpmFilterCondition0
+
+ conditions[0] = wtFwpmFilterCondition0{
fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
matchType: cFWP_MATCH_EQUAL,
conditionValue: wtFwpConditionValue0{
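Review bot: The doc comment kept as context at the top of the hunk, `// Block all DNS except what is matched by a permissive rule.`, no longer describes the renamed blockDnsNonTun, which (per the new ifLuid parameter and the commit title) additionally exempts DNS whose local interface is the tunnel itself. Suggest `// Block all DNS except what is matched by a permissive rule, and except DNS sent over the tunnel interface identified by ifLuid.` so a reader knows the tunnel is deliberately left open on port 53. In the continuation hunk of this same function, `value: (uintptr)(unsafe.Pointer(&ifLuid))` stores the address of a stack parameter as a plain uintptr, which the runtime does not adjust if the goroutine stack moves before the filter is handed to the API; since the rest of the function lies outside the hunk, whether that pointer is consumed within the same call expression cannot be confirmed here, but a short comment stating that `conditions` and `ifLuid` must outlive the filter-add call would make the lifetime assumption explicit. The function body continues past the end of this hunk.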
@@ -882,13 +884,23 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
value: uintptr(53),
},
}
+ conditions[1] = wtFwpmFilterCondition0{
+ fieldKey: cFWPM_CONDITION_IP_LOCAL_INTERFACE,
+ matchType: cFWP_MATCH_NOT_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT64,
+ value: (uintptr)(unsafe.Pointer(&ifLuid)),
+ },
+ }
+
+ //TODO: we want to permit port 53 traffic coming from the wireguard service, in case people are using that port for tunneling.
filter := wtFwpmFilter0{
providerKey: &baseObjects.provider,
subLayerKey: baseObjects.blacklist,
- weight: filterWeightMin(),
- numFilterConditions: 1,
- filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
+ weight: filterWeightMax(),
+ numFilterConditions: uint32(len(conditions)),
+ filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
action: wtFwpmAction0{
_type: cFWP_ACTION_BLOCK,
},