firewall: introduce incomplete untested prototype

This doesn't support NDP yet, and some major things are still left to be
decided, but this is the beginning of something that can be debugged
into shape.

Signed-off-by: Odd Stranne <odd@mullvad.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Aleksandar Pesic <peske.nis@gmail.com>

1 files changed, 198 insertions, 0 deletions

diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go
new file mode 100644
index 00000000..642080cc
--- /dev/null
+++ b/service/firewall/helpers.go
@@ -0,0 +1,198 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package firewall
+
+import (
+	"fmt"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+func (bb *wtFwpByteBlob) free() {
+	if bb != nil {
+		fwpmFreeMemory0(unsafe.Pointer(&bb))
+	}
+}
+
+func (m wtFwpMatchType) String() string {
+	switch m {
+	case cFWP_MATCH_EQUAL:
+		return "FWP_MATCH_EQUAL"
+	case cFWP_MATCH_GREATER:
+		return "FWP_MATCH_GREATER"
+	case cFWP_MATCH_LESS:
+		return "FWP_MATCH_LESS"
+	case cFWP_MATCH_GREATER_OR_EQUAL:
+		return "FWP_MATCH_GREATER_OR_EQUAL"
+	case cFWP_MATCH_LESS_OR_EQUAL:
+		return "FWP_MATCH_LESS_OR_EQUAL"
+	case cFWP_MATCH_RANGE:
+		return "FWP_MATCH_RANGE"
+	case cFWP_MATCH_FLAGS_ALL_SET:
+		return "FWP_MATCH_FLAGS_ALL_SET"
+	case cFWP_MATCH_FLAGS_ANY_SET:
+		return "FWP_MATCH_FLAGS_ANY_SET"
+	case cFWP_MATCH_FLAGS_NONE_SET:
+		return "FWP_MATCH_FLAGS_NONE_SET"
+	case cFWP_MATCH_EQUAL_CASE_INSENSITIVE:
+		return "FWP_MATCH_EQUAL_CASE_INSENSITIVE"
+	case cFWP_MATCH_NOT_EQUAL:
+		return "FWP_MATCH_NOT_EQUAL"
+	case cFWP_MATCH_PREFIX:
+		return "FWP_MATCH_PREFIX"
+	case cFWP_MATCH_NOT_PREFIX:
+		return "FWP_MATCH_NOT_PREFIX"
+	case cFWP_MATCH_TYPE_MAX:
+		return "FWP_MATCH_TYPE_MAX"
+	default:
+		return fmt.Sprintf("FwpMatchType_UNKNOWN(%d)", m)
+	}
+}
+
+func (ff wtFwpmFilterFlags) String() string {
+	switch ff {
+	case cFWPM_FILTER_FLAG_NONE:
+		return "FWPM_FILTER_FLAG_NONE"
+	case cFWPM_FILTER_FLAG_PERSISTENT:
+		return "FWPM_FILTER_FLAG_PERSISTENT"
+	case cFWPM_FILTER_FLAG_BOOTTIME:
+		return "FWPM_FILTER_FLAG_BOOTTIME"
+	case cFWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT:
+		return "FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT"
+	case cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT:
+		return "FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT"
+	case cFWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED:
+		return "FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED"
+	case cFWPM_FILTER_FLAG_DISABLED:
+		return "FWPM_FILTER_FLAG_DISABLED"
+	case cFWPM_FILTER_FLAG_INDEXED:
+		return "FWPM_FILTER_FLAG_INDEXED"
+	case cFWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT:
+		return "FWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT"
+	case cFWPM_FILTER_FLAG_SYSTEMOS_ONLY:
+		return "FWPM_FILTER_FLAG_SYSTEMOS_ONLY"
+	case cFWPM_FILTER_FLAG_GAMEOS_ONLY:
+		return "FWPM_FILTER_FLAG_GAMEOS_ONLY"
+	case cFWPM_FILTER_FLAG_SILENT_MODE:
+		return "FWPM_FILTER_FLAG_SILENT_MODE"
+	case cFWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE:
+		return "FWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE"
+	default:
+		return fmt.Sprintf("FwpmFilterFlags_UNKNOWN(%d)", ff)
+	}
+}
+
+func (dt wtFwpDataType) String() string {
+	switch dt {
+	case cFWP_EMPTY:
+		return "FWP_EMPTY"
+	case cFWP_UINT8:
+		return "FWP_UINT8"
+	case cFWP_UINT16:
+		return "FWP_UINT16"
+	case cFWP_UINT32:
+		return "FWP_UINT32"
+	case cFWP_UINT64:
+		return "FWP_UINT64"
+	case cFWP_INT8:
+		return "FWP_INT8"
+	case cFWP_INT16:
+		return "FWP_INT16"
+	case cFWP_INT32:
+		return "FWP_INT32"
+	case cFWP_INT64:
+		return "FWP_INT64"
+	case cFWP_FLOAT:
+		return "FWP_FLOAT"
+	case cFWP_DOUBLE:
+		return "FWP_DOUBLE"
+	case cFWP_BYTE_ARRAY16_TYPE:
+		return "FWP_BYTE_ARRAY16_TYPE"
+	case cFWP_BYTE_BLOB_TYPE:
+		return "FWP_BYTE_BLOB_TYPE"
+	case cFWP_SID:
+		return "FWP_SID"
+	case cFWP_SECURITY_DESCRIPTOR_TYPE:
+		return "FWP_SECURITY_DESCRIPTOR_TYPE"
+	case cFWP_TOKEN_INFORMATION_TYPE:
+		return "FWP_TOKEN_INFORMATION_TYPE"
+	case cFWP_TOKEN_ACCESS_INFORMATION_TYPE:
+		return "FWP_TOKEN_ACCESS_INFORMATION_TYPE"
+	case cFWP_UNICODE_STRING_TYPE:
+		return "FWP_UNICODE_STRING_TYPE"
+	case cFWP_BYTE_ARRAY6_TYPE:
+		return "FWP_BYTE_ARRAY6_TYPE"
+	case cFWP_BITMAP_INDEX_TYPE:
+		return "FWP_BITMAP_INDEX_TYPE"
+	case cFWP_BITMAP_ARRAY64_TYPE:
+		return "FWP_BITMAP_ARRAY64_TYPE"
+	case cFWP_SINGLE_DATA_TYPE_MAX:
+		return "FWP_SINGLE_DATA_TYPE_MAX"
+	case cFWP_V4_ADDR_MASK:
+		return "FWP_V4_ADDR_MASK"
+	case cFWP_V6_ADDR_MASK:
+		return "FWP_V6_ADDR_MASK"
+	case cFWP_RANGE_TYPE:
+		return "FWP_RANGE_TYPE"
+	case cFWP_DATA_TYPE_MAX:
+		return "FWP_DATA_TYPE_MAX"
+	default:
+		return fmt.Sprintf("FwpDataType_UNKNOWN(%d)", dt)
+	}
+}
+
+func runTransaction(session uintptr, operation wfpObjectInstaller) error {
+	err := fwpmTransactionBegin0(session, 0)
+	if err != nil {
+		return err
+	}
+
+	err = operation(session)
+	if err != nil {
+		fwpmTransactionAbort0(session)
+		return err
+	}
+
+	err = fwpmTransactionCommit0(session)
+	if err != nil {
+		fwpmTransactionAbort0(session)
+		return err
+	}
+
+	return nil
+}
+
+func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) {
+	namePtr, err := windows.UTF16PtrFromString(name)
+	if err != nil {
+		return nil, err
+	}
+
+	descriptionPtr, err := windows.UTF16PtrFromString(description)
+	if err != nil {
+		return nil, err
+	}
+
+	return &wtFwpmDisplayData0{
+		name:        namePtr,
+		description: descriptionPtr,
+	}, nil
+}
+
+func filterWeightMax() wtFwpValue0 {
+	return wtFwpValue0{
+		_type: cFWP_UINT8,
+		value: 15,
+	}
+}
+
+func filterWeightMin() wtFwpValue0 {
+	return wtFwpValue0{
+		_type: cFWP_UINT8,
+		value: 0,
+	}
+}