Windows Vista does not support non-equal matching on the application name;
it is available only since Windows 7.
This commit replaces the two filtering conditions that used non-equal
matching with two filters of one filtering condition each: permit port 53
traffic from openvpn.exe over IPv4 (first filter) and IPv6 (second filter),
instead of blocking all non-openvpn.exe traffic on port 53 for both protocols.
Trac #648
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1452900938-3636-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10998
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 236769150f64087c590c718c76916ee3c8c9d3b5)
... | ... |
@@ -1223,13 +1223,14 @@ win_wfp_block_dns (const NET_IFINDEX index) |
1223 | 1223 |
/* Prepare filter. */ |
1224 | 1224 |
Filter.subLayerKey = SubLayer.subLayerKey; |
1225 | 1225 |
Filter.displayData.name = FIREWALL_NAME; |
1226 |
- Filter.weight.type = FWP_EMPTY; |
|
1226 |
+ Filter.weight.type = FWP_UINT8; |
|
1227 |
+ Filter.weight.uint8 = 0xF; |
|
1227 | 1228 |
Filter.filterCondition = Condition; |
1228 | 1229 |
Filter.numFilterConditions = 2; |
1229 | 1230 |
|
1230 |
- /* First filter. Block IPv4 DNS queries except from OpenVPN itself. */ |
|
1231 |
+ /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */ |
|
1231 | 1232 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; |
1232 |
- Filter.action.type = FWP_ACTION_BLOCK; |
|
1233 |
+ Filter.action.type = FWP_ACTION_PERMIT; |
|
1233 | 1234 |
|
1234 | 1235 |
Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; |
1235 | 1236 |
Condition[0].matchType = FWP_MATCH_EQUAL; |
... | ... |
@@ -1237,26 +1238,44 @@ win_wfp_block_dns (const NET_IFINDEX index) |
1237 | 1237 |
Condition[0].conditionValue.uint16 = 53; |
1238 | 1238 |
|
1239 | 1239 |
Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID; |
1240 |
- Condition[1].matchType = FWP_MATCH_NOT_EQUAL; |
|
1240 |
+ Condition[1].matchType = FWP_MATCH_EQUAL; |
|
1241 | 1241 |
Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE; |
1242 | 1242 |
Condition[1].conditionValue.byteBlob = openvpnblob; |
1243 | 1243 |
|
1244 | 1244 |
/* Add filter condition to our interface. */ |
1245 | 1245 |
if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
1246 | 1246 |
goto err; |
1247 |
- dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid); |
|
1247 |
+ dmsg (D_LOW, "Filter (Permit OpenVPN IPv4 DNS) added with ID=%I64d", filterid); |
|
1248 | 1248 |
|
1249 |
- /* Second filter. Block IPv6 DNS queries except from OpenVPN itself. */ |
|
1249 |
+ /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */ |
|
1250 | 1250 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; |
1251 | 1251 |
|
1252 | 1252 |
/* Add filter condition to our interface. */ |
1253 | 1253 |
if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
1254 | 1254 |
goto err; |
1255 |
+ dmsg (D_LOW, "Filter (Permit OpenVPN IPv6 DNS) added with ID=%I64d", filterid); |
|
1256 |
+ |
|
1257 |
+ /* Third filter. Block all IPv4 DNS queries. */ |
|
1258 |
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; |
|
1259 |
+ Filter.action.type = FWP_ACTION_BLOCK; |
|
1260 |
+ Filter.weight.type = FWP_EMPTY; |
|
1261 |
+ Filter.numFilterConditions = 1; |
|
1262 |
+ |
|
1263 |
+ if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
|
1264 |
+ goto err; |
|
1265 |
+ dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid); |
|
1266 |
+ |
|
1267 |
+ /* Forth filter. Block all IPv6 DNS queries. */ |
|
1268 |
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; |
|
1269 |
+ |
|
1270 |
+ if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
|
1271 |
+ goto err; |
|
1255 | 1272 |
dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid); |
1256 | 1273 |
|
1257 |
- /* Third filter. Permit IPv4 DNS queries from TAP. */ |
|
1274 |
+ /* Fifth filter. Permit IPv4 DNS queries from TAP. */ |
|
1258 | 1275 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; |
1259 | 1276 |
Filter.action.type = FWP_ACTION_PERMIT; |
1277 |
+ Filter.numFilterConditions = 2; |
|
1260 | 1278 |
|
1261 | 1279 |
Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE; |
1262 | 1280 |
Condition[1].matchType = FWP_MATCH_EQUAL; |
... | ... |
@@ -1268,7 +1287,7 @@ win_wfp_block_dns (const NET_IFINDEX index) |
1268 | 1268 |
goto err; |
1269 | 1269 |
dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with ID=%I64d", filterid); |
1270 | 1270 |
|
1271 |
- /* Forth filter. Permit IPv6 DNS queries from TAP. */ |
|
1271 |
+ /* Sixth filter. Permit IPv6 DNS queries from TAP. */ |
|
1272 | 1272 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; |
1273 | 1273 |
|
1274 | 1274 |
/* Add filter condition to our interface. */ |