summaryrefslogtreecommitdiff
path: root/src/openvpn/block_dns.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/openvpn/block_dns.c')
-rw-r--r--src/openvpn/block_dns.c380
1 files changed, 196 insertions, 184 deletions
diff --git a/src/openvpn/block_dns.c b/src/openvpn/block_dns.c
index cb3ce88..e31765e 100644
--- a/src/openvpn/block_dns.c
+++ b/src/openvpn/block_dns.c
@@ -5,7 +5,7 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
* 2015-2016 <iam@valdikss.org.ru>
* 2016 Selva Nair <selva.nair@gmail.com>
*
@@ -53,60 +53,60 @@
#define FWPM_SESSION_FLAG_DYNAMIC 0x00000001
#endif
-// c38d57d1-05a7-4c33-904f-7fbceee60e82
+/* c38d57d1-05a7-4c33-904f-7fbceee60e82 */
DEFINE_GUID(
- FWPM_LAYER_ALE_AUTH_CONNECT_V4,
- 0xc38d57d1,
- 0x05a7,
- 0x4c33,
- 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
-);
-
-// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4,
+ 0xc38d57d1,
+ 0x05a7,
+ 0x4c33,
+ 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
+ );
+
+/* 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 */
DEFINE_GUID(
- FWPM_LAYER_ALE_AUTH_CONNECT_V6,
- 0x4a72393b,
- 0x319f,
- 0x44bc,
- 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
-);
-
-// d78e1e87-8644-4ea5-9437-d809ecefc971
+ FWPM_LAYER_ALE_AUTH_CONNECT_V6,
+ 0x4a72393b,
+ 0x319f,
+ 0x44bc,
+ 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
+ );
+
+/* d78e1e87-8644-4ea5-9437-d809ecefc971 */
DEFINE_GUID(
- FWPM_CONDITION_ALE_APP_ID,
- 0xd78e1e87,
- 0x8644,
- 0x4ea5,
- 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
-);
-
-// c35a604d-d22b-4e1a-91b4-68f674ee674b
+ FWPM_CONDITION_ALE_APP_ID,
+ 0xd78e1e87,
+ 0x8644,
+ 0x4ea5,
+ 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
+ );
+
+/* c35a604d-d22b-4e1a-91b4-68f674ee674b */
DEFINE_GUID(
- FWPM_CONDITION_IP_REMOTE_PORT,
- 0xc35a604d,
- 0xd22b,
- 0x4e1a,
- 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
-);
-
-// 4cd62a49-59c3-4969-b7f3-bda5d32890a4
+ FWPM_CONDITION_IP_REMOTE_PORT,
+ 0xc35a604d,
+ 0xd22b,
+ 0x4e1a,
+ 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b
+ );
+
+/* 4cd62a49-59c3-4969-b7f3-bda5d32890a4 */
DEFINE_GUID(
- FWPM_CONDITION_IP_LOCAL_INTERFACE,
- 0x4cd62a49,
- 0x59c3,
- 0x4969,
- 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4
-);
+ FWPM_CONDITION_IP_LOCAL_INTERFACE,
+ 0x4cd62a49,
+ 0x59c3,
+ 0x4969,
+ 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4
+ );
/* UUID of WFP sublayer used by all instances of openvpn
- 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */
+ * 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */
DEFINE_GUID(
- OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER,
- 0x2f660d7e,
- 0x6a37,
- 0x11e6,
- 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2
-);
+ OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER,
+ 0x2f660d7e,
+ 0x6a37,
+ 0x11e6,
+ 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2
+ );
static WCHAR *FIREWALL_NAME = L"OpenVPN";
@@ -114,45 +114,49 @@ static WCHAR *FIREWALL_NAME = L"OpenVPN";
* Default msg handler does nothing
*/
static inline void
-default_msg_handler (DWORD err, const char *msg)
+default_msg_handler(DWORD err, const char *msg)
{
- return;
+ return;
}
#define CHECK_ERROR(err, msg) \
- if (err) { msg_handler (err, msg); goto out; }
+ if (err) { msg_handler(err, msg); goto out; }
/*
* Add a persistent sublayer with specified uuid.
*/
static DWORD
-add_sublayer (GUID uuid)
+add_sublayer(GUID uuid)
{
- FWPM_SESSION0 session;
- HANDLE engine = NULL;
- DWORD err = 0;
- FWPM_SUBLAYER0 sublayer;
+ FWPM_SESSION0 session;
+ HANDLE engine = NULL;
+ DWORD err = 0;
+ FWPM_SUBLAYER0 sublayer;
- memset (&session, 0, sizeof(session));
- memset (&sublayer, 0, sizeof(sublayer));
+ memset(&session, 0, sizeof(session));
+ memset(&sublayer, 0, sizeof(sublayer));
- err = FwpmEngineOpen0 (NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine);
- if (err != ERROR_SUCCESS)
- goto out;
+ err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine);
+ if (err != ERROR_SUCCESS)
+ {
+ goto out;
+ }
- sublayer.subLayerKey = uuid;
- sublayer.displayData.name = FIREWALL_NAME;
- sublayer.displayData.description = FIREWALL_NAME;
- sublayer.flags = 0;
- sublayer.weight = 0x100;
+ sublayer.subLayerKey = uuid;
+ sublayer.displayData.name = FIREWALL_NAME;
+ sublayer.displayData.description = FIREWALL_NAME;
+ sublayer.flags = 0;
+ sublayer.weight = 0x100;
- /* Add sublayer to the session */
- err = FwpmSubLayerAdd0 (engine, &sublayer, NULL);
+ /* Add sublayer to the session */
+ err = FwpmSubLayerAdd0(engine, &sublayer, NULL);
out:
- if (engine)
- FwpmEngineClose0 (engine);
- return err;
+ if (engine)
+ {
+ FwpmEngineClose0(engine);
+ }
+ return err;
}
/*
@@ -173,160 +177,168 @@ out:
*/
DWORD
-add_block_dns_filters (HANDLE *engine_handle,
- int index,
- const WCHAR *exe_path,
- block_dns_msg_handler_t msg_handler
+add_block_dns_filters(HANDLE *engine_handle,
+ int index,
+ const WCHAR *exe_path,
+ block_dns_msg_handler_t msg_handler
)
{
- FWPM_SESSION0 session = {0};
- FWPM_SUBLAYER0 *sublayer_ptr = NULL;
- NET_LUID tapluid;
- UINT64 filterid;
- FWP_BYTE_BLOB *openvpnblob = NULL;
- FWPM_FILTER0 Filter = {0};
- FWPM_FILTER_CONDITION0 Condition[2] = {0};
- DWORD err = 0;
-
- if (!msg_handler)
- msg_handler = default_msg_handler;
-
- /* Add temporary filters which don't survive reboots or crashes. */
- session.flags = FWPM_SESSION_FLAG_DYNAMIC;
-
- *engine_handle = NULL;
-
- err = FwpmEngineOpen0 (NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine_handle);
- CHECK_ERROR (err, "FwpEngineOpen: open fwp session failed");
- msg_handler (0, "Block_DNS: WFP engine opened");
-
- /* Check sublayer exists and add one if it does not. */
- if (FwpmSubLayerGetByKey0 (*engine_handle, &OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, &sublayer_ptr)
- == ERROR_SUCCESS)
+ FWPM_SESSION0 session = {0};
+ FWPM_SUBLAYER0 *sublayer_ptr = NULL;
+ NET_LUID tapluid;
+ UINT64 filterid;
+ FWP_BYTE_BLOB *openvpnblob = NULL;
+ FWPM_FILTER0 Filter = {0};
+ FWPM_FILTER_CONDITION0 Condition[2] = {0};
+ DWORD err = 0;
+
+ if (!msg_handler)
{
- msg_handler (0, "Block_DNS: Using existing sublayer");
- FwpmFreeMemory0 ((void **)&sublayer_ptr);
+ msg_handler = default_msg_handler;
}
- else
- { /* Add a new sublayer -- as another process may add it in the meantime,
- do not treat "already exists" as an error */
- err = add_sublayer (OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER);
- if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS)
- msg_handler (0, "Block_DNS: Added a persistent sublayer with pre-defined UUID");
- else
- CHECK_ERROR (err, "add_sublayer: failed to add persistent sublayer");
+ /* Add temporary filters which don't survive reboots or crashes. */
+ session.flags = FWPM_SESSION_FLAG_DYNAMIC;
+
+ *engine_handle = NULL;
+
+ err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine_handle);
+ CHECK_ERROR(err, "FwpEngineOpen: open fwp session failed");
+ msg_handler(0, "Block_DNS: WFP engine opened");
+
+ /* Check sublayer exists and add one if it does not. */
+ if (FwpmSubLayerGetByKey0(*engine_handle, &OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, &sublayer_ptr)
+ == ERROR_SUCCESS)
+ {
+ msg_handler(0, "Block_DNS: Using existing sublayer");
+ FwpmFreeMemory0((void **)&sublayer_ptr);
+ }
+ else
+ { /* Add a new sublayer -- as another process may add it in the meantime,
+ * do not treat "already exists" as an error */
+ err = add_sublayer(OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER);
+
+ if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS)
+ {
+ msg_handler(0, "Block_DNS: Added a persistent sublayer with pre-defined UUID");
+ }
+ else
+ {
+ CHECK_ERROR(err, "add_sublayer: failed to add persistent sublayer");
+ }
}
- err = ConvertInterfaceIndexToLuid (index, &tapluid);
- CHECK_ERROR (err, "Convert interface index to luid failed");
+ err = ConvertInterfaceIndexToLuid(index, &tapluid);
+ CHECK_ERROR(err, "Convert interface index to luid failed");
- err = FwpmGetAppIdFromFileName0 (exe_path, &openvpnblob);
- CHECK_ERROR (err, "Get byte blob for openvpn executable name failed");
+ err = FwpmGetAppIdFromFileName0(exe_path, &openvpnblob);
+ CHECK_ERROR(err, "Get byte blob for openvpn executable name failed");
- /* Prepare filter. */
- Filter.subLayerKey = OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER;
- Filter.displayData.name = FIREWALL_NAME;
- Filter.weight.type = FWP_UINT8;
- Filter.weight.uint8 = 0xF;
- Filter.filterCondition = Condition;
- Filter.numFilterConditions = 2;
+ /* Prepare filter. */
+ Filter.subLayerKey = OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER;
+ Filter.displayData.name = FIREWALL_NAME;
+ Filter.weight.type = FWP_UINT8;
+ Filter.weight.uint8 = 0xF;
+ Filter.filterCondition = Condition;
+ Filter.numFilterConditions = 2;
- /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */
- Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
- Filter.action.type = FWP_ACTION_PERMIT;
+ /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+ Filter.action.type = FWP_ACTION_PERMIT;
- Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
- Condition[0].matchType = FWP_MATCH_EQUAL;
- Condition[0].conditionValue.type = FWP_UINT16;
- Condition[0].conditionValue.uint16 = 53;
+ Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
+ Condition[0].matchType = FWP_MATCH_EQUAL;
+ Condition[0].conditionValue.type = FWP_UINT16;
+ Condition[0].conditionValue.uint16 = 53;
- Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID;
- Condition[1].matchType = FWP_MATCH_EQUAL;
- Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE;
- Condition[1].conditionValue.byteBlob = openvpnblob;
+ Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID;
+ Condition[1].matchType = FWP_MATCH_EQUAL;
+ Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE;
+ Condition[1].conditionValue.byteBlob = openvpnblob;
- err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
- CHECK_ERROR (err, "Add filter to permit IPv4 port 53 traffic from OpenVPN failed");
+ err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
+ CHECK_ERROR(err, "Add filter to permit IPv4 port 53 traffic from OpenVPN failed");
- /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */
- Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+ /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
- err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
- CHECK_ERROR (err, "Add filter to permit IPv6 port 53 traffic from OpenVPN failed");
+ err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
+ CHECK_ERROR(err, "Add filter to permit IPv6 port 53 traffic from OpenVPN failed");
- msg_handler (0, "Block_DNS: Added permit filters for exe_path");
+ msg_handler(0, "Block_DNS: Added permit filters for exe_path");
- /* Third filter. Block all IPv4 DNS queries. */
- Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
- Filter.action.type = FWP_ACTION_BLOCK;
- Filter.weight.type = FWP_EMPTY;
- Filter.numFilterConditions = 1;
+ /* Third filter. Block all IPv4 DNS queries. */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+ Filter.action.type = FWP_ACTION_BLOCK;
+ Filter.weight.type = FWP_EMPTY;
+ Filter.numFilterConditions = 1;
- err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
- CHECK_ERROR (err, "Add filter to block IPv4 DNS traffic failed");
+ err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
+ CHECK_ERROR(err, "Add filter to block IPv4 DNS traffic failed");
- /* Forth filter. Block all IPv6 DNS queries. */
- Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+ /* Forth filter. Block all IPv6 DNS queries. */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
- err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
- CHECK_ERROR (err, "Add filter to block IPv6 DNS traffic failed");
+ err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
+ CHECK_ERROR(err, "Add filter to block IPv6 DNS traffic failed");
- msg_handler (0, "Block_DNS: Added block filters for all interfaces");
+ msg_handler(0, "Block_DNS: Added block filters for all interfaces");
- /* Fifth filter. Permit IPv4 DNS queries from TAP.
- * Use a non-zero weight so that the permit filters get higher priority
- * over the block filter added with automatic weighting */
+ /* Fifth filter. Permit IPv4 DNS queries from TAP.
+ * Use a non-zero weight so that the permit filters get higher priority
+ * over the block filter added with automatic weighting */
- Filter.weight.type = FWP_UINT8;
- Filter.weight.uint8 = 0xE;
- Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
- Filter.action.type = FWP_ACTION_PERMIT;
- Filter.numFilterConditions = 2;
+ Filter.weight.type = FWP_UINT8;
+ Filter.weight.uint8 = 0xE;
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+ Filter.action.type = FWP_ACTION_PERMIT;
+ Filter.numFilterConditions = 2;
- Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
- Condition[1].matchType = FWP_MATCH_EQUAL;
- Condition[1].conditionValue.type = FWP_UINT64;
- Condition[1].conditionValue.uint64 = &tapluid.Value;
+ Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
+ Condition[1].matchType = FWP_MATCH_EQUAL;
+ Condition[1].conditionValue.type = FWP_UINT64;
+ Condition[1].conditionValue.uint64 = &tapluid.Value;
- err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
- CHECK_ERROR (err, "Add filter to permit IPv4 DNS traffic through TAP failed");
+ err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
+ CHECK_ERROR(err, "Add filter to permit IPv4 DNS traffic through TAP failed");
- /* Sixth filter. Permit IPv6 DNS queries from TAP.
- * Use same weight as IPv4 filter */
- Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+ /* Sixth filter. Permit IPv6 DNS queries from TAP.
+ * Use same weight as IPv4 filter */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
- err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
- CHECK_ERROR (err, "Add filter to permit IPv6 DNS traffic through TAP failed");
+ err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid);
+ CHECK_ERROR(err, "Add filter to permit IPv6 DNS traffic through TAP failed");
- msg_handler (0, "Block_DNS: Added permit filters for TAP interface");
+ msg_handler(0, "Block_DNS: Added permit filters for TAP interface");
out:
- if (openvpnblob)
- FwpmFreeMemory0 ((void **)&openvpnblob);
+ if (openvpnblob)
+ {
+ FwpmFreeMemory0((void **)&openvpnblob);
+ }
- if (err && *engine_handle)
+ if (err && *engine_handle)
{
- FwpmEngineClose0 (*engine_handle);
- *engine_handle = NULL;
+ FwpmEngineClose0(*engine_handle);
+ *engine_handle = NULL;
}
- return err;
+ return err;
}
DWORD
-delete_block_dns_filters (HANDLE engine_handle)
+delete_block_dns_filters(HANDLE engine_handle)
{
- DWORD err = 0;
- /*
- * For dynamic sessions closing the engine removes all filters added in the session
- */
- if (engine_handle)
+ DWORD err = 0;
+ /*
+ * For dynamic sessions closing the engine removes all filters added in the session
+ */
+ if (engine_handle)
{
- err = FwpmEngineClose0(engine_handle);
+ err = FwpmEngineClose0(engine_handle);
}
- return err;
+ return err;
}
-#endif
+#endif /* ifdef _WIN32 */