From 80ad4acc21e20c851b844bb7ff4a312ffd15badc Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 7 May 2019 21:38:47 +0200
Subject: firewall: cleanup

Signed-off-by: Jason A. Donenfeld
---
 service/firewall/blocker.go | 3 ++
 service/firewall/helpers.go | 2 +-
 service/firewall/rules.go | 54 ++++++++++++++++-----------------
 service/firewall/types_windows.go | 22 ++++++--------
 service/firewall/types_windows_386.go | 18 +++++------
 service/firewall/types_windows_amd64.go | 18 +++++------
 6 files changed, 59 insertions(+), 58 deletions(-)

diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index 5e1fdab0..b47ef094 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -148,10 +148,13 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
 return wrapErr(err)
 }
 
+ /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+ * In other words, if somebody complains, try enabling it. For now, keep it off.
 err = permitHyperV(session, baseObjects, 15)
 if err != nil {
 return wrapErr(err)
 }
+ */
 }
 
 if restrictDNS {
diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go
index cec61f44..7b882712 100644
--- a/service/firewall/helpers.go
+++ b/service/firewall/helpers.go
@@ -8,9 +8,9 @@ package firewall
 import (
 "fmt"
 "golang.org/x/sys/windows"
+ "os"
 "runtime"
 "syscall"
- "os"
 "unsafe"
 )
 
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index 1cec3ae6..2a9eb11a 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -12,7 +12,7 @@ import (
 )
 
 //
- // Known addresses. These should be const but there are initialization issues.
+ // Known addresses.
 //
 var (
 linkLocal = wtFwpV6AddrAndMask{[16]uint8{0xfe, 0x80}, 10}
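Review bot: Disabling the Hyper-V permit by wrapping the call in a block comment leaves `permitHyperV` defined in rules.go but unreferenced, so the disabled path is no longer type-checked or vetted and will rot silently; a named switch keeps it compiled, e.g. `const permitHyperVL2 = false` at package level and `if permitHyperVL2 {` around the unchanged call. Since this branch appears to sit inside the restrictAll path (the enclosing `if` is outside the hunk), the TODO should also record which traffic the rule was meant to admit, so that "if somebody complains" is actionable rather than a guess. EnableFirewall's body starts and ends outside this hunk.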
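Review bot: The re-sorted import block now interleaves `"golang.org/x/sys/windows"` with the standard library (it sits between `"fmt"` and `"os"`), which is what goimports would undo on the next save; the convention is one stdlib group, a blank line, then third-party, so the block should read `"fmt"`, `"os"`, `"runtime"`, `"syscall"`, `"unsafe"`, a blank line, and then `"golang.org/x/sys/windows"`. Keeping the groups separate also makes it obvious at a glance which packages are external.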
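Review bot: The rewritten comment drops the reason these addresses are package-level `var`s rather than constants, which the removed line at least hinted at; since Go has no constant composite literals, say so and mark them read-only, e.g. `// Known addresses. Vars only because Go has no const struct literals; treat them as immutable.` Mutable package state that feeds firewall match conditions deserves that one-line guard against an accidental write elsewhere in the package.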
@@ -579,20 +579,20 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects, weight uint8) err func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { - /* - * icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255 - * icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255 - * icmpv6 135: either incoming or outgoing, hop limit must be 255 - * icmpv6 136: either incoming or outgoing, hop limit must be 255 - * icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255 + /* TODO: actually handle the hop limit somehow! The rules should vaguely be: + * - icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255 + * - icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255 + * - icmpv6 135: either incoming or outgoing, hop limit must be 255 + * - icmpv6 136: either incoming or outgoing, hop limit must be 255 + * - icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255 */ - type filterDefinition struct { + type filterDefinition struct { displayData *wtFwpmDisplayData0 - conditions []wtFwpmFilterCondition0 - layer windows.GUID + conditions []wtFwpmFilterCondition0 + layer windows.GUID } - + var defs []filterDefinition // @@ -629,8 +629,8 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6, }) } @@ -668,8 +668,8 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, }) } 
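Review bot: The new TODO lists the intended hop-limit requirement for each ICMPv6 type but never states what the code enforces today, so a reader cannot tell that the hop-limit condition is absent and that the filters built below are therefore more permissive than the list implies; make that explicit in the same comment, e.g. `* NOTE: the hop-limit requirement is not enforced yet, so the filters below are wider than the rules listed here.` Stating the gap where the rules are defined matters more than the wording of the wish list, because the list reads as if it were implemented. permitNdp continues well past this hunk.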
@@ -702,14 +702,14 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6, }) defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, }) } @@ -742,14 +742,14 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_CONNECT_V6, }) defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, }) } @@ -787,8 +787,8 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { defs = append(defs, filterDefinition{ displayData: displayData, - conditions: conditions, - layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, + conditions: conditions, + layer: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, }) } @@ -807,7 +807,7 @@ func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error { filter.displayData = *definition.displayData filter.layerKey = definition.layer filter.numFilterConditions = uint32(len(definition.conditions)) - filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&definition.conditions)) + filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&definition.conditions[0])) err := fwpmFilterAdd0(session, &filter, 0, &filterId) if err != nil { 
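Review bot: `&definition.conditions[0]` indexes unconditionally, so a definition whose `conditions` slice is empty now panics on this line instead of being added; that is the safer failure, because a filter with numFilterConditions = 0 is a condition-less WFP filter that, combined with a permit action, matches all traffic at its layer, but the invariant should be written down: `// every definition carries at least one condition; an empty list would install a match-all permit filter`. If any definition could legitimately have no conditions, return an error before this line rather than indexing. The loop over defs and permitNdp itself start and end outside this hunk.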
@@ -828,7 +828,7 @@ func permitHyperV(session uintptr, baseObjects *baseObjects, weight uint8) error panic(err) } - win8plus := v.MajorVersion > 6 || (v.MajorVersion == 6 && v.MinorVersion >= 3) + win8plus := v.MajorVersion > 6 || (v.MajorVersion == 6 && v.MinorVersion >= 3) if !win8plus { return nil diff --git a/service/firewall/types_windows.go b/service/firewall/types_windows.go index 8404a41b..5d247338 100644 --- a/service/firewall/types_windows.go +++ b/service/firewall/types_windows.go @@ -16,13 +16,13 @@ const ( wtFwpByteArray6_Size = 6 - wtFwpmAction0_Size = 20 + wtFwpmAction0_Size = 20 wtFwpmAction0_filterType_Offset = 4 - wtFwpV4AddrAndMask_Size = 8 + wtFwpV4AddrAndMask_Size = 8 wtFwpV4AddrAndMask_mask_Offset = 4 - wtFwpV6AddrAndMask_Size = 17 + wtFwpV6AddrAndMask_Size = 17 wtFwpV6AddrAndMask_prefixLength_Offset = 16 ) @@ -44,9 +44,9 @@ const ( cFWP_ACTION_CALLOUT_INSPECTION wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING) cFWP_ACTION_CALLOUT_UNKNOWN wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT) cFWP_ACTION_CONTINUE wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING) - //wtFWP_ACTION_NONE wtFwpActionType = 0x00000007 - //wtFWP_ACTION_NONE_NO_MATCH wtFwpActionType = 0x00000008 - //wtFWP_ACTION_BITMAP_INDEX_SET wtFwpActionType = 0x00000009 + cFWP_ACTION_NONE wtFwpActionType = 0x00000007 + cFWP_ACTION_NONE_NO_MATCH wtFwpActionType = 0x00000008 + cFWP_ACTION_BITMAP_INDEX_SET wtFwpActionType = 0x00000009 ) // FWP_BYTE_BLOB defined in fwptypes.h @@ -169,9 +169,7 @@ var cFWPM_CONDITION_L2_FLAGS = windows.GUID{ type wtFwpmL2Flags uint32 -const ( - cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010 -) +const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010 // Defined in fwpmtypes.h type wtFwpmFilterFlags uint32 
@@ -380,9 +378,9 @@ type wtFwpmSublayer0 struct { type wtRpcCAuthN uint32 const ( - cRPC_C_AUTHN_NONE wtRpcCAuthN = 0 - cRPC_C_AUTHN_WINNT wtRpcCAuthN = 10 - cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF + cRPC_C_AUTHN_NONE wtRpcCAuthN = 0 + cRPC_C_AUTHN_WINNT wtRpcCAuthN = 10 + cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF ) // FWPM_PROVIDER0 defined in fwpmtypes.h diff --git a/service/firewall/types_windows_386.go b/service/firewall/types_windows_386.go index e2b48c78..3c07373b 100644 --- a/service/firewall/types_windows_386.go +++ b/service/firewall/types_windows_386.go @@ -8,16 +8,16 @@ package firewall import "golang.org/x/sys/windows" const ( - wtFwpByteBlob_Size = 8 + wtFwpByteBlob_Size = 8 wtFwpByteBlob_data_Offset = 4 - wtFwpConditionValue0_Size = 8 + wtFwpConditionValue0_Size = 8 wtFwpConditionValue0_uint8_Offset = 4 - wtFwpmDisplayData0_Size = 8 + wtFwpmDisplayData0_Size = 8 wtFwpmDisplayData0_description_Offset = 4 - wtFwpmFilter0_Size = 152 + wtFwpmFilter0_Size = 152 wtFwpmFilter0_displayData_Offset = 16 wtFwpmFilter0_flags_Offset = 24 wtFwpmFilter0_providerKey_Offset = 28 @@ -33,11 +33,11 @@ const ( wtFwpmFilter0_filterId_Offset = 136 wtFwpmFilter0_effectiveWeight_Offset = 144 - wtFwpmFilterCondition0_Size = 28 + wtFwpmFilterCondition0_Size = 28 wtFwpmFilterCondition0_matchType_Offset = 16 wtFwpmFilterCondition0_conditionValue_Offset = 20 - wtFwpmSession0_Size = 48 + wtFwpmSession0_Size = 48 wtFwpmSession0_displayData_Offset = 16 wtFwpmSession0_flags_Offset = 24 wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28 
@@ -46,14 +46,14 @@ const ( wtFwpmSession0_username_Offset = 40 wtFwpmSession0_kernelMode_Offset = 44 - wtFwpmSublayer0_Size = 44 + wtFwpmSublayer0_Size = 44 wtFwpmSublayer0_displayData_Offset = 16 wtFwpmSublayer0_flags_Offset = 24 wtFwpmSublayer0_providerKey_Offset = 28 wtFwpmSublayer0_providerData_Offset = 32 wtFwpmSublayer0_weight_Offset = 40 - wtFwpProvider0_Size = 40 + wtFwpProvider0_Size = 40 wtFwpProvider0_displayData_Offset = 16 wtFwpProvider0_flags_Offset = 24 wtFwpProvider0_providerData_Offset = 28 @@ -61,7 +61,7 @@ const ( wtFwpTokenInformation_Size = 16 - wtFwpValue0_Size = 8 + wtFwpValue0_Size = 8 wtFwpValue0_value_Offset = 4 ) diff --git a/service/firewall/types_windows_amd64.go b/service/firewall/types_windows_amd64.go index 95ddd27a..0f04e5d3 100644 --- a/service/firewall/types_windows_amd64.go +++ b/service/firewall/types_windows_amd64.go @@ -8,16 +8,16 @@ package firewall import "golang.org/x/sys/windows" const ( - wtFwpByteBlob_Size = 16 + wtFwpByteBlob_Size = 16 wtFwpByteBlob_data_Offset = 8 - wtFwpConditionValue0_Size = 16 + wtFwpConditionValue0_Size = 16 wtFwpConditionValue0_uint8_Offset = 8 - wtFwpmDisplayData0_Size = 16 + wtFwpmDisplayData0_Size = 16 wtFwpmDisplayData0_description_Offset = 8 - wtFwpmFilter0_Size = 200 + wtFwpmFilter0_Size = 200 wtFwpmFilter0_displayData_Offset = 16 wtFwpmFilter0_flags_Offset = 32 wtFwpmFilter0_providerKey_Offset = 40 @@ -33,11 +33,11 @@ const ( wtFwpmFilter0_filterId_Offset = 176 wtFwpmFilter0_effectiveWeight_Offset = 184 - wtFwpmFilterCondition0_Size = 40 + wtFwpmFilterCondition0_Size = 40 wtFwpmFilterCondition0_matchType_Offset = 16 wtFwpmFilterCondition0_conditionValue_Offset = 24 - wtFwpmSession0_Size = 72 + wtFwpmSession0_Size = 72 wtFwpmSession0_displayData_Offset = 16 wtFwpmSession0_flags_Offset = 32 wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36 
@@ -46,20 +46,20 @@ const ( wtFwpmSession0_username_Offset = 56 wtFwpmSession0_kernelMode_Offset = 64 - wtFwpmSublayer0_Size = 72 + wtFwpmSublayer0_Size = 72 wtFwpmSublayer0_displayData_Offset = 16 wtFwpmSublayer0_flags_Offset = 32 wtFwpmSublayer0_providerKey_Offset = 40 wtFwpmSublayer0_providerData_Offset = 48 wtFwpmSublayer0_weight_Offset = 64 - wtFwpProvider0_Size = 64 + wtFwpProvider0_Size = 64 wtFwpProvider0_displayData_Offset = 16 wtFwpProvider0_flags_Offset = 32 wtFwpProvider0_providerData_Offset = 40 wtFwpProvider0_serviceName_Offset = 56 - wtFwpValue0_Size = 16 + wtFwpValue0_Size = 16 wtFwpValue0_value_Offset = 8 ) -- cgit v1.2.3-59-g8ed1b