-rw-r--r--tunnel/firewall/rules.go120
-rw-r--r--tunnel/firewall/types_windows.go49
2 files changed, 169 insertions, 0 deletions
diff --git a/tunnel/firewall/rules.go b/tunnel/firewall/rules.go
index 7bca508b..9ac3ba6e 100644
--- a/tunnel/firewall/rules.go
+++ b/tunnel/firewall/rules.go
@@ -822,6 +822,126 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
return nil
}
+func permitNonExternalVSwitch(session uintptr, baseObjects *baseObjects, weight uint8) error {
+ //
+ // Only applicable on Win8+.
+ //
+ {
+ major, minor, _ := windows.RtlGetNtVersionNumbers()
+ win8plus := major > 6 || (major == 6 && minor >= 3)
+
+ if !win8plus {
+ return nil
+ }
+ }
+
+ conditions := []wtFwpmFilterCondition0{
+ {
+ fieldKey: cFWPM_CONDITION_VSWITCH_NETWORK_TYPE,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_PRIVATE),
+ },
+ },
+ {
+ fieldKey: cFWPM_CONDITION_VSWITCH_NETWORK_TYPE,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_INTERNAL),
+ },
+ },
+ }
+
+ filter := wtFwpmFilter0{
+ providerKey: &baseObjects.provider,
+ subLayerKey: baseObjects.filters,
+ weight: filterWeight(weight),
+ numFilterConditions: uint32(len(conditions)),
+ filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+ action: wtFwpmAction0{
+ _type: cFWP_ACTION_PERMIT,
+ },
+ }
+
+ filterID := uint64(0)
+
+ //
+ // #1 Outbound IPv4.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal outbound (IPv4)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #2 Inbound IPv4.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal inbound (IPv4)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #3 Outbound IPv6.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal outbound (IPv6)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #4 Inbound IPv6.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal inbound (IPv6)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ return nil
+}
+
func permitHyperV(session uintptr, baseObjects *baseObjects, weight uint8) error {
//
// Only applicable on Win8+.
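Review bot: permitNonExternalVSwitch has no doc comment, and since it widens what the blocking firewall lets through it should say exactly what it permits; suggested header: `// permitNonExternalVSwitch adds permit filters at the four vSwitch transport layers (ingress/egress, v4/v6) so that traffic on private and internal Hyper-V vSwitch networks is not blocked; WFP ORs conditions on the same field, so the two VSWITCH_NETWORK_TYPE entries mean "private or internal", and external/unknown vSwitch types stay subject to the blocking rules.` The block comment says "Only applicable on Win8+" but the gate `win8plus := major > 6 || (major == 6 && minor >= 3)` accepts 6.3 (Windows 8.1) and up, so Windows 8.0 (6.2) is excluded; as far as I recall the vSwitch layers are available from Windows 8, so either the comment or the check is off, though matching permitHyperV's identical gate (its body starts in the trailing context and continues outside the hunk) may be deliberate. If the gate is intended, `// Only applicable on Win8.1+ (NT 6.3).` would make it honest; a short comment on `filter` noting that it is reused across the four adds with only displayData and layerKey changing would also help a reader see the four blocks are intentionally identical.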
diff --git a/tunnel/firewall/types_windows.go b/tunnel/firewall/types_windows.go
index 9192c023..40a74058 100644
--- a/tunnel/firewall/types_windows.go
+++ b/tunnel/firewall/types_windows.go
@@ -163,6 +163,55 @@ type wtFwpmL2Flags uint32
const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
+// 11d48b4b-e77a-40b4-9155-392c906c2608
+var cFWPM_CONDITION_VSWITCH_NETWORK_TYPE = windows.GUID{
+ Data1: 0x11d48b4b,
+ Data2: 0xe77a,
+ Data3: 0x40b4,
+ Data4: [8]byte{0x91, 0x55, 0x39, 0x2c, 0x90, 0x6c, 0x26, 0x08},
+}
+
+// b2696ff6-774f-4554-9f7d-3da3945f8e85
+var cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4 = windows.GUID{
+ Data1: 0xb2696ff6,
+ Data2: 0x774f,
+ Data3: 0x4554,
+ Data4: [8]byte{0x9f, 0x7d, 0x3d, 0xa3, 0x94, 0x5f, 0x8e, 0x85},
+}
+
+// 5ee314fc-7d8a-47f4-b7e3-291a36da4e12
+var cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6 = windows.GUID{
+ Data1: 0x5ee314fc,
+ Data2: 0x7d8a,
+ Data3: 0x47f4,
+ Data4: [8]byte{0xb7, 0xe3, 0x29, 0x1a, 0x36, 0xda, 0x4e, 0x12},
+}
+
+// b92350b6-91f0-46b6-bdc4-871dfd4a7c98
+var cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4 = windows.GUID{
+ Data1: 0xb92350b6,
+ Data2: 0x91f0,
+ Data3: 0x46b6,
+ Data4: [8]byte{0xbd, 0xc4, 0x87, 0x1d, 0xfd, 0x4a, 0x7c, 0x98},
+}
+
+// 1b2def23-1881-40bd-82f4-4254e63141cb
+var cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6 = windows.GUID{
+ Data1: 0x1b2def23,
+ Data2: 0x1881,
+ Data3: 0x40bd,
+ Data4: [8]byte{0x82, 0xf4, 0x42, 0x54, 0xe6, 0x31, 0x41, 0xcb},
+}
+
+type wtFwpVSwitchNetworkType uint32
+
+const (
+ cFWP_VSWITCH_NETWORK_TYPE_UNKNOWN wtFwpVSwitchNetworkType = 0
+ cFWP_VSWITCH_NETWORK_TYPE_PRIVATE wtFwpVSwitchNetworkType = 1
+ cFWP_VSWITCH_NETWORK_TYPE_INTERNAL wtFwpVSwitchNetworkType = 2
+ cFWP_VSWITCH_NETWORK_TYPE_EXTERNAL wtFwpVSwitchNetworkType = 3
+)
+
var cFWPM_CONDITION_FLAGS = windows.GUID{
Data1: 0x632ce23b,
Data2: 0x5167,