diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:11:05 +0200 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:11:40 +0200 |
| commit | a4b14d24c88803ffe88fd2db942770e35ebfcd15 (patch) | |
| tree | 65d7e4b6bf1ec597b8e17a441cfbae7d47663a08 | |
| parent | service: wire up firewall (diff) | |
| download | wireguard-windows-a4b14d24c88803ffe88fd2db942770e35ebfcd15.tar.xz wireguard-windows-a4b14d24c88803ffe88fd2db942770e35ebfcd15.zip | |
firewall: wrap errors because there are lots of syscalls
| -rw-r--r-- | service/firewall/blocker.go | 42 | ||||
| -rw-r--r-- | service/firewall/helpers.go | 24 | ||||
| -rw-r--r-- | service/firewall/rules.go | 124 |
3 files changed, 102 insertions, 88 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go index 66162448..d0f39a90 100644 --- a/service/firewall/blocker.go +++ b/service/firewall/blocker.go @@ -28,7 +28,7 @@ var wfpSession uintptr func createWfpSession() (uintptr, error) { sessionDisplayData, err := createWtFwpmDisplayData0("WireGuard", "WireGuard dynamic session") if err != nil { - return 0, err + return 0, wrapErr(err) } session := wtFwpmSession0{ @@ -41,7 +41,7 @@ func createWfpSession() (uintptr, error) { err = fwpmEngineOpen0(nil, cRPC_C_AUTHN_WINNT, nil, &session, unsafe.Pointer(&sessionHandle)) if err != nil { - return 0, err + return 0, wrapErr(err) } return sessionHandle, nil @@ -76,7 +76,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { { displayData, err := createWtFwpmDisplayData0("WireGuard", "The WireGuard provider") if err != nil { - return nil, err + return nil, wrapErr(err) } provider := wtFwpmProvider0{ providerKey: providerGuid, @@ -85,7 +85,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { err = fwpmProviderAdd0(session, &provider, 0) if err != nil { //TODO: cleanup entire call chain of these if failure? - return nil, err + return nil, wrapErr(err) } } @@ -95,7 +95,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { { displayData, err := createWtFwpmDisplayData0("WireGuard whitelist", "Permissive filters") if err != nil { - return nil, err + return nil, wrapErr(err) } sublayer := wtFwpmSublayer0{ subLayerKey: whitelistGuid, @@ -105,7 +105,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { } err = fwpmSubLayerAdd0(session, &sublayer, 0) if err != nil { - return nil, err + return nil, wrapErr(err) } } @@ -115,7 +115,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { { displayData, err := createWtFwpmDisplayData0("WireGuard blacklist", "Blocking filters") if err != nil { - return nil, err + return nil, wrapErr(err) } sublayer := wtFwpmSublayer0{ subLayerKey: blacklistGuid, @@ -125,7 +125,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { } err = fwpmSubLayerAdd0(session, &sublayer, 0) if err != nil { - return nil, err + return nil, wrapErr(err) } } @@ -143,28 +143,28 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error { session, err := createWfpSession() if err != nil { - return err + return wrapErr(err) } objectInstaller := func(session uintptr) error { baseObjects, err := registerBaseObjects(session) if err != nil { - return err + return wrapErr(err) } err = permitTunInterface(session, baseObjects, luid) if err != nil { - return err + return wrapErr(err) } err = permitWireGuardService(session, baseObjects) if err != nil { - return err + return wrapErr(err) } err = permitLoopback(session, baseObjects) if err != nil { - return err + return wrapErr(err) } /* We actually don't want to allow lan explicitly. This is controlled by the restrictAll rule. @@ -172,42 +172,42 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error { err = permitLanIpv4(session, baseObjects) if err != nil { - return err + return wrapErr(err) } err = permitLanIpv6(session, baseObjects) if err != nil { - return err + return wrapErr(err) } */ err = permitDhcpIpv4(session, baseObjects) if err != nil { - return err + return wrapErr(err) } err = permitDhcpIpv6(session, baseObjects) if err != nil { - return err + return wrapErr(err) } err = permitNdp(session, baseObjects) if err != nil { - return err + return wrapErr(err) } if restrictDNS { err = blockDnsUnmatched(session, baseObjects) if err != nil { - return err + return wrapErr(err) } } if restrictAll { err = blockAllUnmatched(session, baseObjects) if err != nil { - return err + return wrapErr(err) } } @@ -217,7 +217,7 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error { err = runTransaction(session, objectInstaller) if err != nil { fwpmEngineClose0(session) - return err + return wrapErr(err) } wfpSession = session diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go index 642080cc..4aea0a19 100644 --- a/service/firewall/helpers.go +++ b/service/firewall/helpers.go @@ -7,6 +7,8 @@ package firewall import ( "fmt" + "runtime" + "syscall" "unsafe" "golang.org/x/sys/windows" @@ -148,19 +150,19 @@ func (dt wtFwpDataType) String() string { func runTransaction(session uintptr, operation wfpObjectInstaller) error { err := fwpmTransactionBegin0(session, 0) if err != nil { - return err + return wrapErr(err) } err = operation(session) if err != nil { fwpmTransactionAbort0(session) - return err + return wrapErr(err) } err = fwpmTransactionCommit0(session) if err != nil { fwpmTransactionAbort0(session) - return err + return wrapErr(err) } return nil @@ -169,12 +171,12 @@ func runTransaction(session uintptr, operation wfpObjectInstaller) error { func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) { namePtr, err := windows.UTF16PtrFromString(name) if err != nil { - return nil, err + return nil, wrapErr(err) } descriptionPtr, err := windows.UTF16PtrFromString(description) if err != nil { - return nil, err + return nil, wrapErr(err) } return &wtFwpmDisplayData0{ @@ -196,3 +198,15 @@ func filterWeightMin() wtFwpValue0 { value: 0, } } + +func wrapErr(err error) error { + if _, ok := err.(syscall.Errno); !ok { + return err + } + _, file, line, ok := runtime.Caller(1) + if !ok { + return fmt.Errorf("Firewall error at unknown location: %v", err) + } else { + return fmt.Errorf("Firewall error at %s:%d: %v", file, line, err) + } +} diff --git a/service/firewall/rules.go b/service/firewall/rules.go index 5a27d287..bae78602 100644 --- a/service/firewall/rules.go +++ b/service/firewall/rules.go @@ -40,7 +40,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 { displayData, err := createWtFwpmDisplayData0("Permit outbound IPv4 traffic on TUN", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -48,7 +48,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -58,7 +58,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 { displayData, err := createWtFwpmDisplayData0("Permit inbound IPv4 traffic on TUN", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -66,7 +66,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -76,7 +76,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 { displayData, err := createWtFwpmDisplayData0("Permit outbound IPv6 traffic on TUN", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -84,7 +84,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -94,7 +94,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 { displayData, err := createWtFwpmDisplayData0("Permit inbound IPv6 traffic on TUN", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -102,7 +102,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -118,7 +118,7 @@ func getCurrentProcessSecurityDescriptor() (uintptr, error) { sd := uintptr(0) err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, 0, nil, nil, nil, nil, &sd) if err != nil { - return 0, err + return 0, wrapErr(err) } return sd, nil @@ -127,18 +127,18 @@ func getCurrentProcessSecurityDescriptor() (uintptr, error) { func getCurrentProcessAppId() (*wtFwpByteBlob, error) { currentFile, err := os.Executable() if err != nil { - return nil, err + return nil, wrapErr(err) } curFilePtr, err := windows.UTF16PtrFromString(currentFile) if err != nil { - return nil, err + return nil, wrapErr(err) } var appId *wtFwpByteBlob err = fwpmGetAppIdFromFileName0(curFilePtr, unsafe.Pointer(&appId)) if err != nil { - return nil, err + return nil, wrapErr(err) } return appId, nil } @@ -151,7 +151,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { // appId, err := getCurrentProcessAppId() if err != nil { - return err + return wrapErr(err) } defer appId.free() @@ -170,7 +170,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { // sd, err := getCurrentProcessSecurityDescriptor() if err != nil { - return err + return wrapErr(err) } defer windows.LocalFree(windows.Handle(sd)) @@ -205,7 +205,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit unrestricted outbound traffic for WireGuard service (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -213,7 +213,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -223,7 +223,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit unrestricted inbound traffic for WireGuard service (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -231,7 +231,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -241,7 +241,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit unrestricted outbound traffic for WireGuard service (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -249,7 +249,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -259,7 +259,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit unrestricted inbound traffic for WireGuard service (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -267,7 +267,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -325,7 +325,7 @@ func permitLanIpv4(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit outbound LAN traffic (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -333,7 +333,7 @@ func permitLanIpv4(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -343,7 +343,7 @@ func permitLanIpv4(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit inbound LAN traffic (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -351,7 +351,7 @@ func permitLanIpv4(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -392,7 +392,7 @@ func permitLanIpv6(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit outbound LAN traffic (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -400,7 +400,7 @@ func permitLanIpv6(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -410,7 +410,7 @@ func permitLanIpv6(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit inbound LAN traffic (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -418,7 +418,7 @@ func permitLanIpv6(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -454,7 +454,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit outbound on loopback (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -462,7 +462,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -472,7 +472,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit inbound on loopback (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -480,7 +480,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -490,7 +490,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit outbound on loopback (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -498,7 +498,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -508,7 +508,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Permit inbound on loopback (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -516,7 +516,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -552,7 +552,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error { displayData, err := createWtFwpmDisplayData0("Permit outbound DHCP request (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter := wtFwpmFilter0{ @@ -572,7 +572,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -599,7 +599,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error { displayData, err := createWtFwpmDisplayData0("Permit inbound DHCP response (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter := wtFwpmFilter0{ @@ -619,7 +619,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -671,7 +671,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error { displayData, err := createWtFwpmDisplayData0("Permit outbound DHCP request (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter := wtFwpmFilter0{ @@ -691,7 +691,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -728,7 +728,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error { displayData, err := createWtFwpmDisplayData0("Permit inbound DHCP response (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter := wtFwpmFilter0{ @@ -748,7 +748,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -804,7 +804,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block all outbound (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -812,7 +812,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -822,7 +822,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block all inbound (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -830,7 +830,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -840,7 +840,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block all outbound (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -848,7 +848,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -858,7 +858,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block all inbound (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -866,7 +866,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -903,7 +903,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block DNS outbound (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -911,7 +911,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -921,7 +921,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block DNS inbound (IPv4)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -929,7 +929,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -939,7 +939,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block DNS outbound (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -947,7 +947,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } @@ -957,7 +957,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { { displayData, err := createWtFwpmDisplayData0("Block DNS inbound (IPv6)", "") if err != nil { - return err + return wrapErr(err) } filter.displayData = *displayData @@ -965,7 +965,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error { err = fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { - return err + return wrapErr(err) } } |