Diffstat (limited to 'tunnel/firewall/rules.go')
-rw-r--r--tunnel/firewall/rules.go120
1 files changed, 120 insertions, 0 deletions
diff --git a/tunnel/firewall/rules.go b/tunnel/firewall/rules.go
index 7bca508b..9ac3ba6e 100644
--- a/tunnel/firewall/rules.go
+++ b/tunnel/firewall/rules.go
@@ -822,6 +822,126 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
return nil
}
+func permitNonExternalVSwitch(session uintptr, baseObjects *baseObjects, weight uint8) error {
+ //
+ // Only applicable on Win8+.
+ //
+ {
+ major, minor, _ := windows.RtlGetNtVersionNumbers()
+ win8plus := major > 6 || (major == 6 && minor >= 3)
+
+ if !win8plus {
+ return nil
+ }
+ }
+
+ conditions := []wtFwpmFilterCondition0{
+ {
+ fieldKey: cFWPM_CONDITION_VSWITCH_NETWORK_TYPE,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_PRIVATE),
+ },
+ },
+ {
+ fieldKey: cFWPM_CONDITION_VSWITCH_NETWORK_TYPE,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cFWP_VSWITCH_NETWORK_TYPE_INTERNAL),
+ },
+ },
+ }
+
+ filter := wtFwpmFilter0{
+ providerKey: &baseObjects.provider,
+ subLayerKey: baseObjects.filters,
+ weight: filterWeight(weight),
+ numFilterConditions: uint32(len(conditions)),
+ filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+ action: wtFwpmAction0{
+ _type: cFWP_ACTION_PERMIT,
+ },
+ }
+
+ filterID := uint64(0)
+
+ //
+ // #1 Outbound IPv4.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal outbound (IPv4)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #2 Inbound IPv4.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal inbound (IPv4)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #3 Outbound IPv6.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal outbound (IPv6)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ //
+ // #4 Inbound IPv6.
+ //
+ {
+ displayData, err := createWtFwpmDisplayData0("Permit vSwitch private/internal inbound (IPv6)", "")
+ if err != nil {
+ return wrapErr(err)
+ }
+
+ filter.displayData = *displayData
+ filter.layerKey = cFWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6
+
+ err = fwpmFilterAdd0(session, &filter, 0, &filterID)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ return nil
+}
+
func permitHyperV(session uintptr, baseObjects *baseObjects, weight uint8) error {
//
// Only applicable on Win8+.