Diffstat (limited to 'tunnel/firewall/rules.go')
-rw-r--r-- | tunnel/firewall/rules.go | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/tunnel/firewall/rules.go b/tunnel/firewall/rules.go
index 7bca508b..41632f98 100644
--- a/tunnel/firewall/rules.go
+++ b/tunnel/firewall/rules.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package firewall
@@ -8,7 +8,7 @@ package firewall
 import (
 "encoding/binary"
 "errors"
- "net"
+ "net/netip"
 "runtime"
 "unsafe"
 
@@ -582,7 +582,6 @@ func permitDHCPIPv6(session uintptr, baseObjects *baseObjects, weight uint8) err
 }
 
 func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
-
 /* TODO: actually handle the hop limit somehow! The rules should vaguely be:
 * - icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
 * - icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255
@@ -985,7 +984,7 @@ func blockAll(session uintptr, baseObjects *baseObjects, weight uint8) error {
 }
 
 // Block all DNS traffic except towards specified DNS servers.
-func blockDNS(except []net.IP, session uintptr, baseObjects *baseObjects, weightAllow uint8, weightDeny uint8) error {
+func blockDNS(except []netip.Addr, session uintptr, baseObjects *baseObjects, weightAllow, weightDeny uint8) error {
 if weightDeny >= weightAllow {
 return errors.New("The allow weight must be greater than the deny weight")
 }
@@ -1106,8 +1105,7 @@ func blockDNS(except []net.IP, session uintptr, baseObjects *baseObjects, weight
 allowConditionsV4 := make([]wtFwpmFilterCondition0, 0, len(denyConditions)+len(except))
 allowConditionsV4 = append(allowConditionsV4, denyConditions...)
 for _, ip := range except {
- ip4 := ip.To4()
- if ip4 == nil {
+ if !ip.Is4() {
 continue
 }
 allowConditionsV4 = append(allowConditionsV4, wtFwpmFilterCondition0{
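Review bot: An IPv4-mapped IPv6 address in `except` (`::ffff:a.b.c.d`) changes category in this refactor: the old `ip.To4()` unwrapped it into a v4 allow condition, whereas `netip.Addr.Is4()` is false and `Is6()` is true for the mapped form, so the `!ip.Is4()` check here skips it and the `!ip.Is6()` hunk below turns it into a 16-byte v6 condition that will not match IPv4 DNS traffic. Whether callers can pass such values is not visible from the hunk, but normalising at the top of both loops, `ip = ip.Unmap()`, restores the previous matching without touching the rest. The new checks also silently drop the zero `netip.Addr{}` (neither `Is4` nor `Is6` holds), which is an improvement over the old v6 path copying a nil slice into an all-zero address, and is worth stating in the blockDNS comment, e.g. `// Invalid (zero) addresses in except are ignored.`. blockDNS starts and ends outside this hunk.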
@@ -1115,7 +1113,7 @@ func blockDNS(except []net.IP, session uintptr, baseObjects *baseObjects, weight
 matchType: cFWP_MATCH_EQUAL,
 conditionValue: wtFwpConditionValue0{
 _type: cFWP_UINT32,
- value: uintptr(binary.BigEndian.Uint32(ip4)),
+ value: uintptr(binary.BigEndian.Uint32(ip.AsSlice())),
 },
 })
 }
@@ -1124,11 +1122,10 @@ func blockDNS(except []net.IP, session uintptr, baseObjects *baseObjects, weight
 allowConditionsV6 := make([]wtFwpmFilterCondition0, 0, len(denyConditions)+len(except))
 allowConditionsV6 = append(allowConditionsV6, denyConditions...)
 for _, ip := range except {
- if ip.To4() != nil {
+ if !ip.Is6() {
 continue
 }
- var address wtFwpByteArray16
- copy(address.byteArray16[:], ip)
+ address := wtFwpByteArray16{byteArray16: ip.As16()}
 allowConditionsV6 = append(allowConditionsV6, wtFwpmFilterCondition0{
 fieldKey: cFWPM_CONDITION_IP_REMOTE_ADDRESS,
 matchType: cFWP_MATCH_EQUAL,