author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-19 18:23:00 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-22 22:00:32 +0100 |
commit | 06447c39fad2398e4c35c56acc5e66cc1e581f65 (patch) | |
tree | bd9d332f9d114ce2ae8f147b637c4900438aa547 /tunnel | |
parent | installer: remove admin knobs in cleanup (diff) | |
download | wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.tar.xz wireguard-windows-06447c39fad2398e4c35c56acc5e66cc1e581f65.zip |
tunnel: only enable DNS blocking for 0/0 configs
This lets people use split-tunnel DNS for the more common case.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'tunnel')
-rw-r--r-- | tunnel/addressconfig.go | 10 | ||||
-rw-r--r-- | tunnel/firewall/blocker.go | 56 | ||||
-rw-r--r-- | tunnel/service.go | 1 |
3 files changed, 28 insertions, 39 deletions
diff --git a/tunnel/addressconfig.go b/tunnel/addressconfig.go
index 6aba9ce8..c293df1b 100644
--- a/tunnel/addressconfig.go
+++ b/tunnel/addressconfig.go
@@ -180,7 +180,6 @@ func configureInterface(family winipcfg.AddressFamily, conf *conf.Config, tun *t
 }
 
 func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
-	restrictAll := false
 	if len(conf.Peers) == 1 {
 	nextallowedip:
 		for _, allowedip := range conf.Peers[0].AllowedIPs {
@@ -190,13 +189,10 @@ func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
 						continue nextallowedip
 					}
 				}
-				restrictAll = true
-				break
+				log.Println("Enabling firewall rules")
+				return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)
 			}
 		}
 	}
-	if restrictAll && len(conf.Interface.DNS) == 0 {
-		log.Println("Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.")
-	}
-	return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS, restrictAll)
+	return nil
 }
diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go
index 7da391ca..54645d24 100644
--- a/tunnel/firewall/blocker.go
+++ b/tunnel/firewall/blocker.go
@@ -101,7 +101,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
 	return bo, nil
 }
 
-func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool) error {
+func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
 	if wfpSession != 0 {
 		return errors.New("The firewall has already been enabled")
 	}
@@ -129,11 +129,9 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool
 		}
 	}
 
-	if restrictAll {
-		err = permitLoopback(session, baseObjects, 13)
-		if err != nil {
-			return wrapErr(err)
-		}
+	err = permitLoopback(session, baseObjects, 13)
+	if err != nil {
+		return wrapErr(err)
 	}
 
 	err = permitTunInterface(session, baseObjects, 12, luid)
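Review bot: The warning that used to be logged when an AllowedIPs of 0.0.0.0/0 or ::/0 is combined with an empty `conf.Interface.DNS` is dropped in the second enableFirewall hunk, yet the new code still calls `firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)` in exactly that situation, so the operator loses the one hint that name resolution may be cut off once the block-all rules are in place. Keeping `if len(conf.Interface.DNS) == 0 { log.Println("Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.") }` immediately before that return preserves the diagnostic without changing behaviour. The non-0/0 path now reaches the final `return nil` without any log line, so a run in which the firewall was never enabled looks the same in the log as one in which it was; a `log.Println("Not enabling firewall rules")` before that return would make the difference visible. The condition that opens this loop body sits between the two hunks and is not shown, and enableFirewall's signature is in the first hunk.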
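Review bot: EnableFirewall is exported and its contract changes with this signature — with restrictAll gone it now always installs the block-all rule (see the blockAll call in the last hunk of this file) — but it still carries no doc comment, so a caller cannot tell from the declaration that it is turning on a full outbound block rather than a DNS restriction. A comment along the lines of `// EnableFirewall installs WFP filters that permit loopback, DHCP, NDP and traffic on the tunnel interface luid and block everything else; restrictToDNSServers presumably limits which DNS servers stay reachable (that path is outside these hunks). It fails if a session is already active.` would state that. The guard on `wfpSession != 0` in this hunk is what grounds the last sentence; the permit and block steps themselves are in the later hunks, and the function's body continues past this one.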
@@ -141,36 +139,32 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool
 		return wrapErr(err)
 	}
 
-	if restrictAll {
-		err = permitDHCPIPv4(session, baseObjects, 12)
-		if err != nil {
-			return wrapErr(err)
-		}
+	err = permitDHCPIPv4(session, baseObjects, 12)
+	if err != nil {
+		return wrapErr(err)
+	}
 
-		err = permitDHCPIPv6(session, baseObjects, 12)
-		if err != nil {
-			return wrapErr(err)
-		}
+	err = permitDHCPIPv6(session, baseObjects, 12)
+	if err != nil {
+		return wrapErr(err)
+	}
 
-		err = permitNdp(session, baseObjects, 12)
-		if err != nil {
-			return wrapErr(err)
-		}
+	err = permitNdp(session, baseObjects, 12)
+	if err != nil {
+		return wrapErr(err)
+	}
 
-		/* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
-		 * In other words, if somebody complains, try enabling it. For now, keep it off.
-		err = permitHyperV(session, baseObjects, 12)
-		if err != nil {
-			return wrapErr(err)
-		}
-		*/
+	/* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+	 * In other words, if somebody complains, try enabling it. For now, keep it off.
+	err = permitHyperV(session, baseObjects, 12)
+	if err != nil {
+		return wrapErr(err)
 	}
+	*/
 
-	if restrictAll {
-		err = blockAll(session, baseObjects, 0)
-		if err != nil {
-			return wrapErr(err)
-		}
+	err = blockAll(session, baseObjects, 0)
+	if err != nil {
+		return wrapErr(err)
 	}
 
 	return nil
diff --git a/tunnel/service.go b/tunnel/service.go
index 8b81f56d..33b5c116 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -171,7 +171,6 @@ func (service *tunnelService) Execute(args []string, r <-chan svc.ChangeRequest,
 		log.Printf("Using Wintun/%d.%d", (wintunVersion>>16)&0xffff, wintunVersion&0xffff)
 	}
 
-	log.Println("Enabling firewall rules")
 	err = enableFirewall(conf, nativeTun)
 	if err != nil {
 		serviceError = services.ErrorFirewall
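Review bot: With the restrictAll guards removed, this hunk is now four copies of `err = step(session, baseObjects, weight); if err != nil { return wrapErr(err) }` plus a commented-out fifth in the same shape, and the only information that distinguishes them — which filter, at which weight, in which order — is spread over thirty lines. A slice of steps run in a loop keeps that order and the weights in one place, and turns the permitHyperV TODO into a single line to uncomment once it has been evaluated. The rewrite below replaces only the lines of this hunk; permitLoopback and permitTunInterface above it, and the DNS handling before them, stay as they are, and EnableFirewall begins outside the hunk.
```go
	// … unchanged: permitLoopback / permitTunInterface above …

	// Remaining filters go in this order; blockAll is last and at the lowest
	// weight so the permits above it win. Any failure aborts with the same wrapping.
	steps := []func() error{
		func() error { return permitDHCPIPv4(session, baseObjects, 12) },
		func() error { return permitDHCPIPv6(session, baseObjects, 12) },
		func() error { return permitNdp(session, baseObjects, 12) },
		// TODO: layer 2 while the other rules are layer 3; evaluate whether it
		// does anything before enabling:
		// func() error { return permitHyperV(session, baseObjects, 12) },
		func() error { return blockAll(session, baseObjects, 0) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			return wrapErr(err)
		}
	}

	return nil
```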