authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-07 21:38:47 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-08 08:31:00 +0200
commit80ad4acc21e20c851b844bb7ff4a312ffd15badc (patch)
treeda4d7f494032dd4bacf309a9fd7e1652dac84e52
parentfirewall: implode recurring address definitions (diff)
firewall: cleanup
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--service/firewall/blocker.go3
-rw-r--r--service/firewall/helpers.go2
-rw-r--r--service/firewall/rules.go54
-rw-r--r--service/firewall/types_windows.go22
-rw-r--r--service/firewall/types_windows_386.go18
-rw-r--r--service/firewall/types_windows_amd64.go18
6 files changed, 59 insertions, 58 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index 5e1fdab0..b47ef094 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -148,10 +148,13 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
return wrapErr(err)
}
+ /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+ * In other words, if somebody complains, try enabling it. For now, keep it off.
err = permitHyperV(session, baseObjects, 15)
if err != nil {
return wrapErr(err)
}
+ */
}
if restrictDNS {
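Review bot: Wrapping the `permitHyperV` call in a `/* ... */` block leaves `permitHyperV` in rules.go (itself touched in the @@ -828 hunk) with no visible caller, so staticcheck will report it as unused if this was its only call site, and code inside a block comment is invisible to gofmt and the compiler, so the TODO can rot silently. A compiled-but-disabled guard keeps it honest: `const enableHyperVFilter = false` at package level and `if enableHyperVFilter { err = permitHyperV(session, baseObjects, 15); ... }` around the existing three lines. Since the dropped rule is a permit (the L2 VM2VM condition in types_windows.go), the change appears fail-closed — the risk is Hyper-V traffic being blocked, not leaking — which is worth stating in the comment so a later reader does not "fix" it by loosening other rules. EnableFirewall begins and ends outside this hunk.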
diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go
index cec61f44..7b882712 100644
--- a/service/firewall/helpers.go
+++ b/service/firewall/helpers.go
@@ -8,9 +8,9 @@ package firewall
import (
"fmt"
"golang.org/x/sys/windows"
+ "os"
"runtime"
"syscall"
- "os"
"unsafe"
)
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index 1cec3ae6..2a9eb11a 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -12,7 +12,7 @@ import (
)
//
-// Known addresses. These should be const but there are initialization issues.
+// Known addresses.
//
var (
linkLocal = wtFwpV6AddrAndMask{[16]uint8{0xfe, 0x80}, 10}
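Review bot: The replacement comment at the `// Known addresses.` line drops the reason these are package-level `var`s, so a later reader may either retry making them `const` or, worse, assume they are free to mutate even though firewall rules are built from them. Go simply has no struct constants, so a one-line rationale preserves the intent: `// Known addresses. Package-level vars only because Go has no struct constants; treat as read-only.`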
@@ -579,20 +579,20 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects, weight uint8) err
func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
- /*
- * icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
- * icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255
- * icmpv6 135: either incoming or outgoing, hop limit must be 255
- * icmpv6 136: either incoming or outgoing, hop limit must be 255
- * icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255
+ /* TODO: actually handle the hop limit somehow! The rules should vaguely be:
+ * - icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
+ * - icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255
+ * - icmpv6 135: either incoming or outgoing, hop limit must be 255
+ * - icmpv6 136: either incoming or outgoing, hop limit must be 255
+ * - icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255
*/
- type filterDefinition struct {
+ type filterDefinition struct {
displayData *wtFwpmDisplayData0
- conditions []wtFwpmFilterCondition0
- layer windows.GUID
+ conditions []wtFwpmFilterCondition0
+ layer windows.GUID
}
-
+
var defs []filterDefinition
//
@@ -629,8 +629,8 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
})
}
@@ -668,8 +668,8 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
})
}
@@ -702,14 +702,14 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
})
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
})
}
@@ -742,14 +742,14 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
})
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
})
}
@@ -787,8 +787,8 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
defs = append(defs, filterDefinition{
displayData: displayData,
- conditions: conditions,
- layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
+ conditions: conditions,
+ layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
})
}
@@ -807,7 +807,7 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
filter.displayData = *definition.displayData
filter.layerKey = definition.layer
filter.numFilterConditions = uint32(len(definition.conditions))
- filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&definition.conditions))
+ filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&definition.conditions[0]))
err := fwpmFilterAdd0(session, &filter, 0, &filterId)
if err != nil {
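Review bot: `&definition.conditions[0]` on the replaced line panics with an index-out-of-range if a filterDefinition is ever appended with an empty `conditions` slice, whereas the `numFilterConditions` assignment just above would simply yield 0; the appends visible in this diff all pass a `conditions` variable whose length is not visible here, so the guard is cheap insurance: `if len(definition.conditions) > 0 { filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&definition.conditions[0])) }`, leaving `filterCondition` nil otherwise. The fix itself is correct — the old code took the address of the slice header rather than of its first element, so the BFE would have read header bytes as a condition array. The enclosing loop starts and ends outside this hunk.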
@@ -828,7 +828,7 @@ func permitHyperV(session uintptr, baseObjects *baseObjects, weight uint8) error
panic(err)
}
- win8plus := v.MajorVersion > 6 || (v.MajorVersion == 6 && v.MinorVersion >= 3)
+ win8plus := v.MajorVersion > 6 || (v.MajorVersion == 6 && v.MinorVersion >= 3)
if !win8plus {
return nil
diff --git a/service/firewall/types_windows.go b/service/firewall/types_windows.go
index 8404a41b..5d247338 100644
--- a/service/firewall/types_windows.go
+++ b/service/firewall/types_windows.go
@@ -16,13 +16,13 @@ const (
wtFwpByteArray6_Size = 6
- wtFwpmAction0_Size = 20
+ wtFwpmAction0_Size = 20
wtFwpmAction0_filterType_Offset = 4
- wtFwpV4AddrAndMask_Size = 8
+ wtFwpV4AddrAndMask_Size = 8
wtFwpV4AddrAndMask_mask_Offset = 4
- wtFwpV6AddrAndMask_Size = 17
+ wtFwpV6AddrAndMask_Size = 17
wtFwpV6AddrAndMask_prefixLength_Offset = 16
)
@@ -44,9 +44,9 @@ const (
cFWP_ACTION_CALLOUT_INSPECTION wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING)
cFWP_ACTION_CALLOUT_UNKNOWN wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT)
cFWP_ACTION_CONTINUE wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING)
- //wtFWP_ACTION_NONE wtFwpActionType = 0x00000007
- //wtFWP_ACTION_NONE_NO_MATCH wtFwpActionType = 0x00000008
- //wtFWP_ACTION_BITMAP_INDEX_SET wtFwpActionType = 0x00000009
+ cFWP_ACTION_NONE wtFwpActionType = 0x00000007
+ cFWP_ACTION_NONE_NO_MATCH wtFwpActionType = 0x00000008
+ cFWP_ACTION_BITMAP_INDEX_SET wtFwpActionType = 0x00000009
)
// FWP_BYTE_BLOB defined in fwptypes.h
@@ -169,9 +169,7 @@ var cFWPM_CONDITION_L2_FLAGS = windows.GUID{
type wtFwpmL2Flags uint32
-const (
- cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
-)
+const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
// Defined in fwpmtypes.h
type wtFwpmFilterFlags uint32
@@ -380,9 +378,9 @@ type wtFwpmSublayer0 struct {
type wtRpcCAuthN uint32
const (
- cRPC_C_AUTHN_NONE wtRpcCAuthN = 0
- cRPC_C_AUTHN_WINNT wtRpcCAuthN = 10
- cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
+ cRPC_C_AUTHN_NONE wtRpcCAuthN = 0
+ cRPC_C_AUTHN_WINNT wtRpcCAuthN = 10
+ cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
)
// FWPM_PROVIDER0 defined in fwpmtypes.h
diff --git a/service/firewall/types_windows_386.go b/service/firewall/types_windows_386.go
index e2b48c78..3c07373b 100644
--- a/service/firewall/types_windows_386.go
+++ b/service/firewall/types_windows_386.go
@@ -8,16 +8,16 @@ package firewall
import "golang.org/x/sys/windows"
const (
- wtFwpByteBlob_Size = 8
+ wtFwpByteBlob_Size = 8
wtFwpByteBlob_data_Offset = 4
- wtFwpConditionValue0_Size = 8
+ wtFwpConditionValue0_Size = 8
wtFwpConditionValue0_uint8_Offset = 4
- wtFwpmDisplayData0_Size = 8
+ wtFwpmDisplayData0_Size = 8
wtFwpmDisplayData0_description_Offset = 4
- wtFwpmFilter0_Size = 152
+ wtFwpmFilter0_Size = 152
wtFwpmFilter0_displayData_Offset = 16
wtFwpmFilter0_flags_Offset = 24
wtFwpmFilter0_providerKey_Offset = 28
@@ -33,11 +33,11 @@ const (
wtFwpmFilter0_filterId_Offset = 136
wtFwpmFilter0_effectiveWeight_Offset = 144
- wtFwpmFilterCondition0_Size = 28
+ wtFwpmFilterCondition0_Size = 28
wtFwpmFilterCondition0_matchType_Offset = 16
wtFwpmFilterCondition0_conditionValue_Offset = 20
- wtFwpmSession0_Size = 48
+ wtFwpmSession0_Size = 48
wtFwpmSession0_displayData_Offset = 16
wtFwpmSession0_flags_Offset = 24
wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28
@@ -46,14 +46,14 @@ const (
wtFwpmSession0_username_Offset = 40
wtFwpmSession0_kernelMode_Offset = 44
- wtFwpmSublayer0_Size = 44
+ wtFwpmSublayer0_Size = 44
wtFwpmSublayer0_displayData_Offset = 16
wtFwpmSublayer0_flags_Offset = 24
wtFwpmSublayer0_providerKey_Offset = 28
wtFwpmSublayer0_providerData_Offset = 32
wtFwpmSublayer0_weight_Offset = 40
- wtFwpProvider0_Size = 40
+ wtFwpProvider0_Size = 40
wtFwpProvider0_displayData_Offset = 16
wtFwpProvider0_flags_Offset = 24
wtFwpProvider0_providerData_Offset = 28
@@ -61,7 +61,7 @@ const (
wtFwpTokenInformation_Size = 16
- wtFwpValue0_Size = 8
+ wtFwpValue0_Size = 8
wtFwpValue0_value_Offset = 4
)
diff --git a/service/firewall/types_windows_amd64.go b/service/firewall/types_windows_amd64.go
index 95ddd27a..0f04e5d3 100644
--- a/service/firewall/types_windows_amd64.go
+++ b/service/firewall/types_windows_amd64.go
@@ -8,16 +8,16 @@ package firewall
import "golang.org/x/sys/windows"
const (
- wtFwpByteBlob_Size = 16
+ wtFwpByteBlob_Size = 16
wtFwpByteBlob_data_Offset = 8
- wtFwpConditionValue0_Size = 16
+ wtFwpConditionValue0_Size = 16
wtFwpConditionValue0_uint8_Offset = 8
- wtFwpmDisplayData0_Size = 16
+ wtFwpmDisplayData0_Size = 16
wtFwpmDisplayData0_description_Offset = 8
- wtFwpmFilter0_Size = 200
+ wtFwpmFilter0_Size = 200
wtFwpmFilter0_displayData_Offset = 16
wtFwpmFilter0_flags_Offset = 32
wtFwpmFilter0_providerKey_Offset = 40
@@ -33,11 +33,11 @@ const (
wtFwpmFilter0_filterId_Offset = 176
wtFwpmFilter0_effectiveWeight_Offset = 184
- wtFwpmFilterCondition0_Size = 40
+ wtFwpmFilterCondition0_Size = 40
wtFwpmFilterCondition0_matchType_Offset = 16
wtFwpmFilterCondition0_conditionValue_Offset = 24
- wtFwpmSession0_Size = 72
+ wtFwpmSession0_Size = 72
wtFwpmSession0_displayData_Offset = 16
wtFwpmSession0_flags_Offset = 32
wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36
@@ -46,20 +46,20 @@ const (
wtFwpmSession0_username_Offset = 56
wtFwpmSession0_kernelMode_Offset = 64
- wtFwpmSublayer0_Size = 72
+ wtFwpmSublayer0_Size = 72
wtFwpmSublayer0_displayData_Offset = 16
wtFwpmSublayer0_flags_Offset = 32
wtFwpmSublayer0_providerKey_Offset = 40
wtFwpmSublayer0_providerData_Offset = 48
wtFwpmSublayer0_weight_Offset = 64
- wtFwpProvider0_Size = 64
+ wtFwpProvider0_Size = 64
wtFwpProvider0_displayData_Offset = 16
wtFwpProvider0_flags_Offset = 32
wtFwpProvider0_providerData_Offset = 40
wtFwpProvider0_serviceName_Offset = 56
- wtFwpValue0_Size = 16
+ wtFwpValue0_Size = 16
wtFwpValue0_value_Offset = 8
)