From 9316f1c3d4fc47fb4f806d9554bfc78a4a7357ed Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 3 May 2019 16:53:05 +0200
Subject: service: wire up firewall
---
 service/ifaceconfig.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
(limited to 'service/ifaceconfig.go')
diff --git a/service/ifaceconfig.go b/service/ifaceconfig.go
index d1f8f2d1..6f2320cf 100644
--- a/service/ifaceconfig.go
+++ b/service/ifaceconfig.go
@@ -12,6 +12,8 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/conf"
+	"golang.zx2c4.com/wireguard/windows/service/firewall"
+	"log"
 	"net"
 	"sort"
 )
@@ -264,3 +266,26 @@ func configureInterface(conf *conf.Config, tun *tun.NativeTun) error {
 	return nil
 }
+
+func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
+	guid := tun.GUID()
+	luid, err := winipcfg.InterfaceGuidToLuid(&guid)
+	if err != nil {
+		return err
+	}
+	restrictDNS := len(conf.Interface.Dns) > 0
+	restrictAll := false
+	for _, peer := range conf.Peers {
+		for _, allowedip := range peer.AllowedIPs {
+			if allowedip.Cidr == 0 {
+				restrictAll = true
+				break
+			}
+		}
+	}
+	if restrictAll && !restrictDNS {
+		name, _ := tun.Name()
+		log.Printf("[%s] Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.", name)
+	}
+	return firewall.EnableFirewall(luid, restrictDNS, restrictAll)
+}
-- 
cgit v1.2.3-59-g8ed1b
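Review bot: enableFirewall in the second hunk has no doc comment, and the two flags it derives decide what the firewall will block, so a reader needs their meaning before changing the rules; suggest `// enableFirewall installs firewall rules for the tunnel interface: restrictDNS is set when the config lists DNS servers, restrictAll when any peer's AllowedIPs contains a /0 route (0.0.0.0/0 or ::/0). What each flag makes firewall.EnableFirewall block is defined in that package — confirm there before relying on this summary.` The `name, _ := tun.Name()` in the warning branch discards the error, so on failure the log line carries an empty bracket; `name, nameErr := tun.Name(); if nameErr != nil { name = "<unknown>" }` keeps the warning readable without changing the return path. The `break` in the inner loop only leaves that peer's AllowedIPs, so the outer loop keeps scanning after restrictAll is already true; harmless, but a labeled break or a helper returning early would make the intent clearer. In the first hunk, `"log"` is a standard-library import placed after the project import rather than with `"net"` and `"sort"`, which goimports would regroup.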