-rw-r--r-- | tunnel/firewall/rules.go | 120 | ||||
-rw-r--r-- | tunnel/firewall/types_windows.go | 49 |
2 files changed, 169 insertions, 0 deletions
diff --git a/tunnel/firewall/rules.go b/tunnel/firewall/rules.go
index 7bca508b..9ac3ba6e 100644
--- a/tunnel/firewall/rules.go
+++ b/tunnel/firewall/rules.go
@@ -822,6 +822,126 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
 return nil
 }
+func permitNonExternalVSwitch(session uintptr, baseObjects *baseObjects, weight uint8) error {
+ //
+ // Only applicable on Win8+.
+ //
+ {
+ major, minor, _ := windows.RtlGetNtVersionNumbers()
+ win8plus := major > 6 || (major == 6 && minor >= 3)
+
+ if !win8plus {
+ return nil
+ }
+ }
+
+ conditions := []wtFwpmFilterCondition0{
+ {
+ fieldKey: cFWPM_CONDITION_VSWITCH_NETWORK_TYPE,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_PRIVATE),
+ },
+ },
+ {
+ fieldKey: cFWPM_CONDITION_VSWITCH_NETWORK_TYPE,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_INTERNAL),
+ },
+ },
+ }
+
+ filter := wtFwpmFilter0{
+ providerKey: &baseObjects.provider,
+ subLayerKey: baseObjects.filters,
+ weight: filterWeight(weight),
+ numFilterConditions: uint32(len(conditions)),
+ filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+ action: wtFwpmAction0{
+ _type: cFWP_ACTION_PERMIT,
+ },
+ }
+
+ filterID := uint64(0)
+
+ //
+ // #1 Outbound IPv4.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal outbound (IPv4)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #2 Inbound IPv4.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal inbound (IPv4)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #3 Outbound IPv6.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal outbound (IPv6)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #4 Inbound IPv6.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal inbound (IPv6)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ return nil
+}
+
 func permitHyperV(session uintptr, baseObjects *baseObjects, weight uint8) error {
 //
 // Only applicable on Win8+.
diff --git a/tunnel/firewall/types_windows.go b/tunnel/firewall/types_windows.go
index 9192c023..40a74058 100644
--- a/tunnel/firewall/types_windows.go
+++ b/tunnel/firewall/types_windows.go
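Review bot: The two entries in `conditions` share the field key cFWPM_CONDITION_VSWITCH_NETWORK_TYPE, and WFP evaluates conditions with the same field key as a logical OR, so this single filter permits PRIVATE-or-INTERNAL vSwitch traffic; a reader assuming the usual AND semantics would conclude the filter can never match, so a comment above the slice would help: `// WFP OR's conditions that share a field key: match PRIVATE or INTERNAL. UNKNOWN (0) and EXTERNAL are not matched and fall through to the block rules.` Whether excluding UNKNOWN is intended (the function name says "non-external") is not stated anywhere in the hunk and is worth confirming in that comment. Separately, the header comment says "Only applicable on Win8+" but the version test `major > 6 || (major == 6 && minor >= 3)` admits only 6.3 (Windows 8.1) and later; it mirrors the existing permitHyperV check below, so if that is deliberate the comment should say 8.1.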
@@ -163,6 +163,55 @@ type wtFwpmL2Flags uint32
 const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
+// 11d48b4b-e77a-40b4-9155-392c906c2608
+var cFWPM_CONDITION_VSWITCH_NETWORK_TYPE = windows.GUID{
+ Data1: 0x11d48b4b,
+ Data2: 0xe77a,
+ Data3: 0x40b4,
+ Data4: [8]byte{0x91, 0x55, 0x39, 0x2c, 0x90, 0x6c, 0x26, 0x08},
+}
+
+// b2696ff6-774f-4554-9f7d-3da3945f8e85
+var cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4 = windows.GUID{
+ Data1: 0xb2696ff6,
+ Data2: 0x774f,
+ Data3: 0x4554,
+ Data4: [8]byte{0x9f, 0x7d, 0x3d, 0xa3, 0x94, 0x5f, 0x8e, 0x85},
+}
+
+// 5ee314fc-7d8a-47f4-b7e3-291a36da4e12
+var cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6 = windows.GUID{
+ Data1: 0x5ee314fc,
+ Data2: 0x7d8a,
+ Data3: 0x47f4,
+ Data4: [8]byte{0xb7, 0xe3, 0x29, 0x1a, 0x36, 0xda, 0x4e, 0x12},
+}
+
+// b92350b6-91f0-46b6-bdc4-871dfd4a7c98
+var cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4 = windows.GUID{
+ Data1: 0xb92350b6,
+ Data2: 0x91f0,
+ Data3: 0x46b6,
+ Data4: [8]byte{0xbd, 0xc4, 0x87, 0x1d, 0xfd, 0x4a, 0x7c, 0x98},
+}
+
+// 1b2def23-1881-40bd-82f4-4254e63141cb
+var cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6 = windows.GUID{
+ Data1: 0x1b2def23,
+ Data2: 0x1881,
+ Data3: 0x40bd,
+ Data4: [8]byte{0x82, 0xf4, 0x42, 0x54, 0xe6, 0x31, 0x41, 0xcb},
+}
+
+type wtFwpVSwitchNetworkType uint32
+
+const (
+ cFWP_VSWITCH_NETWORK_TYPE_UNKNOWN wtFwpVSwitchNetworkType = 0
+ cFWP_VSWITCH_NETWORK_TYPE_PRIVATE wtFwpVSwitchNetworkType = 1
+ cFWP_VSWITCH_NETWORK_TYPE_INTERNAL wtFwpVSwitchNetworkType = 2
+ cFWP_VSWITCH_NETWORK_TYPE_EXTERNAL wtFwpVSwitchNetworkType = 3
+)
+
 var cFWPM_CONDITION_FLAGS = windows.GUID{
 Data1: 0x632ce23b,
 Data2: 0x5167,
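Review bot: wtFwpVSwitchNetworkType is declared as uint32, but rules.go in this same commit submits its values in a condition typed cFWP_UINT8 (`value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_PRIVATE)`), so the Go type is wider than what WFP actually compares. That is harmless for the four values 0–3 defined here, but nothing records the constraint, and a later value or a change to the condition type would silently disagree. Suggest a comment on the type: `// Mirrors FWP_VSWITCH_NETWORK_TYPE. Values are submitted to WFP as an FWP_UINT8 condition value, so only 0–255 are representable.` The GUID comments above each var are useful; consider stating the SDK constant each one corresponds to so the values can be re-checked against the headers.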