diff --git a/src/driver/common/fortconf.h b/src/driver/common/fortconf.h index f827ff62..fc960b97 100644 --- a/src/driver/common/fortconf.h +++ b/src/driver/common/fortconf.h @@ -171,14 +171,16 @@ typedef struct fort_conf_rule_flag typedef struct fort_conf_meta_conn { - UCHAR is_reauth : 1; - UCHAR inbound : 1; - UCHAR isIPv6 : 1; - UCHAR is_tcp : 1; - UCHAR is_loopback : 1; - UCHAR is_local_net : 1; - UCHAR inherited : 1; - UCHAR blocked : 1; + UINT16 is_reauth : 1; + UINT16 inbound : 1; + UINT16 isIPv6 : 1; + UINT16 is_tcp : 1; + UINT16 is_loopback : 1; + UINT16 is_multicast : 1; + UINT16 is_local_net : 1; + UINT16 inherited : 1; + UINT16 blocked : 1; + UCHAR block_reason; UCHAR ip_proto; diff --git a/src/driver/fortcout.c b/src/driver/fortcout.c index dc1e5ae4..0808571f 100644 --- a/src/driver/fortcout.c +++ b/src/driver/fortcout.c @@ -360,7 +360,7 @@ inline static BOOL fort_callout_ale_check_filter_lan_flags( inline static BOOL fort_callout_ale_check_filter_inet_flags( PFORT_CONF_META_CONN conn, FORT_CONF_FLAGS conf_flags) { - if (conf_flags.block_inet_traffic) { + if (conf_flags.block_inet_traffic && !conn->is_multicast) { return TRUE; /* block Internet */ } 
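Review bot: The new `is_multicast` bit in `fort_conf_meta_conn` has no comment saying when it is valid, and the only assignment visible in this commit sits in `fort_callout_ale_is_local_address`, after the `filter_locals` early return and the loopback branch. A reader of the struct cannot tell that the bit keeps its initial value on those paths, so I would add next to it `/* local multicast address; set by fort_callout_ale_is_local_address() only when filter_locals is off and the connection is not loopback */`. Widening the bit-field base type from `UCHAR` to `UINT16` also changes the size and member offsets of the struct, which matters if any component built from this shared header is not rebuilt together with the driver; that is not visible here. The struct body continues past the end of the hunk.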
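Review bot: The added `!conn->is_multicast` term in `fort_callout_ale_check_filter_inet_flags` makes the "block Internet" decision depend on a flag that this commit writes only inside `fort_callout_ale_is_local_address`, and only when `filter_locals` is off and the connection is not loopback. With `filter_locals` on, the flag keeps whatever value the structure was initialised with, so local multicast is presumably still treated as Internet traffic in that configuration. If `FORT_CONF_META_CONN` is not zero-initialised (not visible here), stale bits would decide the exemption. Because the term relaxes a blocking rule, I would state the intent at the check, e.g. `/* local multicast is LAN-scoped: governed by block_lan_traffic, not block_inet_traffic */`, and confirm the flag is computed on every path that reaches this function. The rest of the function lies outside the hunk.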
@@ -510,20 +510,24 @@ inline static BOOL fort_callout_ale_is_local_address(PFORT_CALLOUT_ARG ca, { PFORT_CONF_META_CONN conn = &cx->conn; - conn->is_loopback = (classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) != 0; - if (conf_flags.filter_locals) return FALSE; /* Loopback */ - if (!conn->is_loopback || conf_flags.block_traffic) - return FALSE; + conn->is_loopback = (classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) != 0; + + if (conn->is_loopback) { + return !conf_flags.block_traffic; + } /* Multicast */ - if (!fort_addr_is_local_multicast(conn) || conf_flags.block_lan_traffic) - return FALSE; + conn->is_multicast = (UINT16) fort_addr_is_local_multicast(conn); - return TRUE; + if (conn->is_multicast) { + return !conf_flags.block_lan_traffic; + } + + return FALSE; } static void fort_callout_ale_classify(PFORT_CALLOUT_ARG ca)
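Review bot: `conn->is_multicast = (UINT16) fort_addr_is_local_multicast(conn);` stores the helper's result in a 1-bit field, so only the lowest bit survives the assignment. If the helper ever returns a non-zero value other than 1 (its definition is not in this diff), the flag reads 0 and the multicast branch is skipped. `conn->is_multicast = fort_addr_is_local_multicast(conn) != 0;` avoids that and matches the `is_loopback` line above it. Separately, the `is_loopback` assignment now sits below `if (conf_flags.filter_locals) return FALSE;`, so with `filter_locals` on neither flag is populated. If later code reads them for rule matching or logging (not visible here), both should be computed before the early return. The function signature starts outside the hunk.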