From 1d5f99dc1c45ddedaa59f9ccc946792b42273e36 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 3 May 2019 22:36:17 +0200
Subject: firewall: DNS is TCP and UDP

---
 service/firewall/rules.go | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

(limited to 'service/firewall/rules.go')

diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index ab356e70..7ac848b8 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -723,7 +723,9 @@ func blockAll(session uintptr, baseObjects *baseObjects, weight uint8) error {
 
 // Block all DNS except what is matched by a permissive rule.
 func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
- condition := wtFwpmFilterCondition0{
+ var conditions [3]wtFwpmFilterCondition0
+
+ conditions[0] = wtFwpmFilterCondition0{
 fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
 matchType: cFWP_MATCH_EQUAL,
 conditionValue: wtFwpConditionValue0{
@@ -731,13 +733,30 @@ func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
 value: uintptr(53),
 },
 }
+ conditions[1] = wtFwpmFilterCondition0{
+ fieldKey: cFWPM_CONDITION_IP_PROTOCOL,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cIPPROTO_UDP),
+ },
+ }
+ // Repeat the condition type for logical OR.
+ conditions[2] = wtFwpmFilterCondition0{
+ fieldKey: cFWPM_CONDITION_IP_PROTOCOL,
+ matchType: cFWP_MATCH_EQUAL,
+ conditionValue: wtFwpConditionValue0{
+ _type: cFWP_UINT8,
+ value: uintptr(cIPPROTO_TCP),
+ },
+ }
 
 filter := wtFwpmFilter0{
 providerKey: &baseObjects.provider,
 subLayerKey: baseObjects.filters,
 weight: filterWeight(weight),
- numFilterConditions: 1,
- filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
+ numFilterConditions: uint32(len(conditions)),
+ filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
 action: wtFwpmAction0{
 _type: cFWP_ACTION_BLOCK,
 },
-- 
cgit v1.2.3-59-g8ed1b
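Review bot: The comment `// Repeat the condition type for logical OR.` above `conditions[2]` in the second hunk understates the WFP rule this block filter relies on: conditions that share a fieldKey are OR'ed and conditions with different fieldKeys are AND'ed, so the filter matches remote port 53 AND (UDP OR TCP), not any one of the three conditions. I would state that once above `conditions[1]`: `// WFP ORs conditions that share a fieldKey and ANDs across keys, so this matches port 53 && (UDP || TCP).` The `var conditions [3]wtFwpmFilterCondition0` plus indexed assignment leaves a zero-valued slot undetected if a slot is ever skipped or the count drifts; an array literal `conditions := [...]wtFwpmFilterCondition0{ ... }` keeps `len(conditions)` tied to what is actually written. blockDns continues outside the hunk, so the layers this filter is added to (and whether IPv6 is covered) are not visible here.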