-rw-r--r-- | service/firewall/blocker.go | 2 | ||||
-rw-r--r-- | service/firewall/rules.go | 22 |
2 files changed, 18 insertions, 6 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index d0f39a90..8ef26278 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -198,7 +198,7 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
 	}
 	if restrictDNS {
-		err = blockDnsUnmatched(session, baseObjects)
+		err = blockDnsNonTun(session, baseObjects, luid)
 		if err != nil {
 			return wrapErr(err)
 		}
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index b36ed87f..74d35609 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -873,8 +873,10 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error {
 }
 // Block all DNS except what is matched by a permissive rule.
-func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
-	condition := wtFwpmFilterCondition0{
+func blockDnsNonTun(session uintptr, baseObjects *baseObjects, ifLuid uint64) error {
+	var conditions [2]wtFwpmFilterCondition0
+
+	conditions[0] = wtFwpmFilterCondition0{
 		fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
 		matchType: cFWP_MATCH_EQUAL,
 		conditionValue: wtFwpConditionValue0{
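Review bot: The doc comment carried over as context, `// Block all DNS except what is matched by a permissive rule.`, no longer describes blockDnsNonTun, which now takes ifLuid and (in the following hunk) exempts the interface with that LUID from the block instead of relying on a permissive rule to win. Suggest replacing it with `// Block all DNS (remote port 53) on every interface other than the one identified by ifLuid.` so the comment states the exemption the code actually implements. The function body continues past this hunk.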
@@ -882,13 +884,23 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
 			value: uintptr(53),
 		},
 	}
+	conditions[1] = wtFwpmFilterCondition0{
+		fieldKey: cFWPM_CONDITION_IP_LOCAL_INTERFACE,
+		matchType: cFWP_MATCH_NOT_EQUAL,
+		conditionValue: wtFwpConditionValue0{
+			_type: cFWP_UINT64,
+			value: (uintptr)(unsafe.Pointer(&ifLuid)),
+		},
+	}
+
+	//TODO: we want to permit port 53 traffic coming from the wireguard service, in case people are using that port for tunneling.
 	filter := wtFwpmFilter0{
 		providerKey: &baseObjects.provider,
 		subLayerKey: baseObjects.blacklist,
-		weight: filterWeightMin(),
-		numFilterConditions: 1,
-		filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
+		weight: filterWeightMax(),
+		numFilterConditions: uint32(len(conditions)),
+		filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
 		action: wtFwpmAction0{
 			_type: cFWP_ACTION_BLOCK,
 		},
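Review bot: `value: (uintptr)(unsafe.Pointer(&ifLuid))` keeps the address of the ifLuid parameter only as an integer, which the garbage collector does not track and which go vet reports as a possible misuse of unsafe.Pointer; it remains valid only if the call that adds the filter (outside this hunk) runs before the goroutine stack holding ifLuid is moved, and only if the API does not retain the pointer afterwards. If this is the established pattern for FWP_UINT64 condition values in this file, adding `runtime.KeepAlive(&ifLuid)` after the add call would at least make the intended lifetime explicit. Separately, the new TODO acknowledges that with filterWeightMax() this rule also blocks the WireGuard service's own traffic to a peer endpoint on port 53 over a non-tunnel interface, so until it is resolved restrictDNS makes such a tunnel unusable; that limitation deserves a sentence in the function's doc comment rather than only an inline TODO.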