Windows Vista does not support non-equal matching of the application name; it
is available only since Windows 7.
This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering condition: permit IPv4 (first filter)
and IPv6 (second filter) port 53 traffic from openvpn.exe instead
of blocking all non-openvpn.exe traffic on port 53 for both protocols.
Trac #648
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1452900938-3636-1-git-send-email-iam@valdikss.org.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10998
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -1222,13 +1222,14 @@ win_wfp_block_dns (const NET_IFINDEX index) |
1222 | 1222 |
/* Prepare filter. */ |
1223 | 1223 |
Filter.subLayerKey = SubLayer.subLayerKey; |
1224 | 1224 |
Filter.displayData.name = FIREWALL_NAME; |
1225 |
- Filter.weight.type = FWP_EMPTY; |
|
1225 |
+ Filter.weight.type = FWP_UINT8; |
|
1226 |
+ Filter.weight.uint8 = 0xF; |
|
1226 | 1227 |
Filter.filterCondition = Condition; |
1227 | 1228 |
Filter.numFilterConditions = 2; |
1228 | 1229 |
|
1229 |
- /* First filter. Block IPv4 DNS queries except from OpenVPN itself. */ |
|
1230 |
+ /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */ |
|
1230 | 1231 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; |
1231 |
- Filter.action.type = FWP_ACTION_BLOCK; |
|
1232 |
+ Filter.action.type = FWP_ACTION_PERMIT; |
|
1232 | 1233 |
|
1233 | 1234 |
Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; |
1234 | 1235 |
Condition[0].matchType = FWP_MATCH_EQUAL; |
@@ -1236,26 +1237,44 @@ win_wfp_block_dns (const NET_IFINDEX index) |
1236 | 1236 |
Condition[0].conditionValue.uint16 = 53; |
1237 | 1237 |
|
1238 | 1238 |
Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID; |
1239 |
- Condition[1].matchType = FWP_MATCH_NOT_EQUAL; |
|
1239 |
+ Condition[1].matchType = FWP_MATCH_EQUAL; |
|
1240 | 1240 |
Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE; |
1241 | 1241 |
Condition[1].conditionValue.byteBlob = openvpnblob; |
1242 | 1242 |
|
1243 | 1243 |
/* Add filter condition to our interface. */ |
1244 | 1244 |
if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
1245 | 1245 |
goto err; |
1246 |
- dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid); |
|
1246 |
+ dmsg (D_LOW, "Filter (Permit OpenVPN IPv4 DNS) added with ID=%I64d", filterid); |
|
1247 | 1247 |
|
1248 |
- /* Second filter. Block IPv6 DNS queries except from OpenVPN itself. */ |
|
1248 |
+ /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */ |
|
1249 | 1249 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; |
1250 | 1250 |
|
1251 | 1251 |
/* Add filter condition to our interface. */ |
1252 | 1252 |
if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
1253 | 1253 |
goto err; |
1254 |
+ dmsg (D_LOW, "Filter (Permit OpenVPN IPv6 DNS) added with ID=%I64d", filterid); |
|
1255 |
+ |
|
1256 |
+ /* Third filter. Block all IPv4 DNS queries. */ |
|
1257 |
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; |
|
1258 |
+ Filter.action.type = FWP_ACTION_BLOCK; |
|
1259 |
+ Filter.weight.type = FWP_EMPTY; |
|
1260 |
+ Filter.numFilterConditions = 1; |
|
1261 |
+ |
|
1262 |
+ if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
|
1263 |
+ goto err; |
|
1264 |
+ dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid); |
|
1265 |
+ |
|
1266 |
+ /* Forth filter. Block all IPv6 DNS queries. */ |
|
1267 |
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; |
|
1268 |
+ |
|
1269 |
+ if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) |
|
1270 |
+ goto err; |
|
1254 | 1271 |
dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid); |
1255 | 1272 |
|
1256 |
- /* Third filter. Permit IPv4 DNS queries from TAP. */ |
|
1273 |
+ /* Fifth filter. Permit IPv4 DNS queries from TAP. */ |
|
1257 | 1274 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; |
1258 | 1275 |
Filter.action.type = FWP_ACTION_PERMIT; |
1276 |
+ Filter.numFilterConditions = 2; |
|
1259 | 1277 |
|
1260 | 1278 |
Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE; |
1261 | 1279 |
Condition[1].matchType = FWP_MATCH_EQUAL; |
@@ -1267,7 +1286,7 @@ win_wfp_block_dns (const NET_IFINDEX index) |
1267 | 1267 |
goto err; |
1268 | 1268 |
dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with ID=%I64d", filterid); |
1269 | 1269 |
|
1270 |
- /* Forth filter. Permit IPv6 DNS queries from TAP. */ |
|
1270 |
+ /* Sixth filter. Permit IPv6 DNS queries from TAP. */ |
|
1271 | 1271 |
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; |
1272 | 1272 |
|
1273 | 1273 |
/* Add filter condition to our interface. */ |
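Review bot: The `Filter.weight.type = FWP_EMPTY;` set for the block filters at new line 1259 is never reset before the fifth and sixth filters (new lines 1273–1276 and the sixth-filter lines after 1286), so the two "Permit DNS queries from TAP" filters are added with the same automatically assigned weight as the two block filters they overlap with, while only the OpenVPN permit filters carry the explicit 0xF weight from lines 1225–1226. Whether the TAP permit or the port-53 block wins for equal-weight filters with conflicting actions in one sublayer is then left to BFE ordering rather than to this code, so non-openvpn.exe DNS traffic over the TAP interface may end up blocked (inferred from the visible weights; the BFE tie-breaking rule is not shown here). Giving the TAP permit filters an explicit weight above the automatic one but below the OpenVPN filters, `Filter.weight.type = FWP_UINT8;` and `Filter.weight.uint8 = 0xE;` right after `Filter.numFilterConditions = 2;` at line 1276, makes the intended precedence explicit. The comment at new line 1266 reads `Forth filter`; `Fourth filter` would match the numbering style of the others. win_wfp_block_dns begins before the first hunk and ends after the last one.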