diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-08-27 09:17:19 -0600 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-08-27 09:17:19 -0600 |
commit | 72bcd606919eee38379c21a4d870913bb75345db (patch) | |
tree | 3d8467ce4d1968097c7b1fc854937b638c9e635b /tunnel | |
parent | build: backport resume monitoring for timers (diff) | |
download | wireguard-windows-jd/no-dns-block.tar.xz wireguard-windows-jd/no-dns-block.zip |
firewall: do not block DNS when no kill-switchjd/no-dns-block
Diffstat (limited to 'tunnel')
-rw-r--r-- | tunnel/addressconfig.go | 31 | ||||
-rw-r--r-- | tunnel/firewall/blocker.go | 56 | ||||
-rw-r--r-- | tunnel/service.go | 12 |
3 files changed, 49 insertions, 50 deletions
diff --git a/tunnel/addressconfig.go b/tunnel/addressconfig.go index a1e5dc59..6032d452 100644 --- a/tunnel/addressconfig.go +++ b/tunnel/addressconfig.go @@ -178,24 +178,27 @@ func configureInterface(family winipcfg.AddressFamily, conf *conf.Config, tun *t return nil } -func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error { - restrictAll := false - if len(conf.Peers) == 1 { - nextallowedip: - for _, allowedip := range conf.Peers[0].AllowedIPs { - if allowedip.Cidr == 0 { - for _, b := range allowedip.IP { - if b != 0 { - continue nextallowedip - } +func shouldEnableFirewall(conf *conf.Config) bool { + if len(conf.Peers) != 1 { + return false + } +nextallowedip: + for _, allowedip := range conf.Peers[0].AllowedIPs { + if allowedip.Cidr == 0 { + for _, b := range allowedip.IP { + if b != 0 { + continue nextallowedip } - restrictAll = true - break } + return true } } - if restrictAll && len(conf.Interface.DNS) == 0 { + return false +} + +func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error { + if len(conf.Interface.DNS) == 0 { log.Println("Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.") } - return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS, restrictAll) + return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS) } diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go index 7da391ca..54645d24 100644 --- a/tunnel/firewall/blocker.go +++ b/tunnel/firewall/blocker.go @@ -101,7 +101,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { return bo, nil } -func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool) error { +func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error { if wfpSession != 0 { return errors.New("The firewall has already been enabled") } @@ -129,11 +129,9 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool } } - if restrictAll { - err = permitLoopback(session, baseObjects, 13) - if err != nil { - return wrapErr(err) - } + err = permitLoopback(session, baseObjects, 13) + if err != nil { + return wrapErr(err) } err = permitTunInterface(session, baseObjects, 12, luid) @@ -141,36 +139,32 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool return wrapErr(err) } - if restrictAll { - err = permitDHCPIPv4(session, baseObjects, 12) - if err != nil { - return wrapErr(err) - } + err = permitDHCPIPv4(session, baseObjects, 12) + if err != nil { + return wrapErr(err) + } - err = permitDHCPIPv6(session, baseObjects, 12) - if err != nil { - return wrapErr(err) - } + err = permitDHCPIPv6(session, baseObjects, 12) + if err != nil { + return wrapErr(err) + } - err = permitNdp(session, baseObjects, 12) - if err != nil { - return wrapErr(err) - } + err = permitNdp(session, baseObjects, 12) + if err != nil { + return wrapErr(err) + } - /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3. - * In other words, if somebody complains, try enabling it. For now, keep it off. - err = permitHyperV(session, baseObjects, 12) - if err != nil { - return wrapErr(err) - } - */ + /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3. + * In other words, if somebody complains, try enabling it. For now, keep it off. + err = permitHyperV(session, baseObjects, 12) + if err != nil { + return wrapErr(err) } + */ - if restrictAll { - err = blockAll(session, baseObjects, 0) - if err != nil { - return wrapErr(err) - } + err = blockAll(session, baseObjects, 0) + if err != nil { + return wrapErr(err) } return nil diff --git a/tunnel/service.go b/tunnel/service.go index b3699dd5..a9798103 100644 --- a/tunnel/service.go +++ b/tunnel/service.go @@ -164,11 +164,13 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest, } nativeTun = wintun.(*tun.NativeTun) - log.Println("Enabling firewall rules") - err = enableFirewall(conf, nativeTun) - if err != nil { - serviceError = services.ErrorFirewall - return + if shouldEnableFirewall(conf) { + log.Println("Enabling firewall rules (\"kill-switch\")") + err = enableFirewall(conf, nativeTun) + if err != nil { + serviceError = services.ErrorFirewall + return + } } log.Println("Dropping privileges") |