UI: Add ability to "Block LAN and Internet Traffic"

"Block All Traffic" also blocks 127.0.0.0/8 and 255.255.255.255
2024-11-14 22:05:12 +00:00 · 2024-11-08 13:57:56 +05:00 · 2024-11-08 13:57:56 +05:00 · 0b0b520703
commit 0b0b520703
parent cd17b4cf0c
16 changed files with 91 additions and 44 deletions
--- a/src/driver/common/fortconf.h
+++ b/src/driver/common/fortconf.h
@ -29,6 +29,7 @@ typedef struct fort_conf_flags
    UINT32 filter_local_net : 1;

    UINT32 block_traffic : 1;
+    UINT32 block_lan_traffic : 1;
    UINT32 block_inet_traffic : 1;

    UINT32 allow_all_new : 1;
@ -46,7 +47,7 @@ typedef struct fort_conf_flags
    UINT32 log_blocked_ip : 1;
    UINT32 log_alerted_blocked_ip : 1;

-    UINT32 reserved_flags : 15; /* not used */
+    UINT32 reserved_flags : 14; /* not used */

    UINT16 group_bits;
    UINT16 reserved; /* not used */
--- a/src/driver/fortcnf.c
+++ b/src/driver/fortcnf.c
@ -42,18 +42,18 @@ FORT_API void fort_device_conf_open(PFORT_DEVICE_CONF device_conf)
    KeInitializeSpinLock(&device_conf->ref_lock);
 }

-FORT_API UCHAR fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UCHAR flag, BOOL on)
+FORT_API UINT16 fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UINT16 flag, BOOL on)
 {
-    return on ? InterlockedOr8(&device_conf->flags, flag)
-              : InterlockedAnd8(&device_conf->flags, ~flag);
+    return on ? InterlockedOr16(&device_conf->flags, flag)
+              : InterlockedAnd16(&device_conf->flags, ~flag);
 }

-static UCHAR fort_device_flags(PFORT_DEVICE_CONF device_conf)
+FORT_API UINT16 fort_device_flags(PFORT_DEVICE_CONF device_conf)
 {
    return fort_device_flag_set(device_conf, 0, TRUE);
 }

-FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag)
+FORT_API UINT16 fort_device_flag(PFORT_DEVICE_CONF device_conf, UINT16 flag)
 {
    return fort_device_flags(device_conf) & flag;
 }
@ -336,6 +336,15 @@ FORT_API PFORT_CONF_REF fort_conf_ref_take(PFORT_DEVICE_CONF device_conf)
    return conf_ref;
 }

+static void fort_device_flags_conf_set(PFORT_DEVICE_CONF device_conf, FORT_CONF_FLAGS conf_flags)
+{
+    fort_device_flag_set(device_conf, FORT_DEVICE_BOOT_FILTER, conf_flags.boot_filter);
+    fort_device_flag_set(device_conf, FORT_DEVICE_BOOT_FILTER_LOCALS, conf_flags.filter_locals);
+
+    fort_device_flag_set(device_conf, FORT_DEVICE_BLOCK_TRAFFIC, conf_flags.block_traffic);
+    fort_device_flag_set(device_conf, FORT_DEVICE_BLOCK_LAN_TRAFFIC, conf_flags.block_lan_traffic);
+}
+
 FORT_API FORT_CONF_FLAGS fort_conf_ref_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_REF conf_ref)
 {
    FORT_CONF_FLAGS old_conf_flags;
@ -345,7 +354,7 @@ FORT_API FORT_CONF_FLAGS fort_conf_ref_set(PFORT_DEVICE_CONF device_conf, PFORT_
    if (old_conf_ref != NULL) {
        old_conf_flags = old_conf_ref->conf.flags;
    } else {
-        const UCHAR flags = fort_device_flag(device_conf, FORT_DEVICE_BOOT_MASK);
+        const UINT16 flags = fort_device_flag(device_conf, FORT_DEVICE_BOOT_MASK);

        RtlZeroMemory(&old_conf_flags, sizeof(FORT_CONF_FLAGS));
        old_conf_flags.boot_filter = (flags & FORT_DEVICE_BOOT_FILTER) != 0;
@ -363,9 +372,8 @@ FORT_API FORT_CONF_FLAGS fort_conf_ref_set(PFORT_DEVICE_CONF device_conf, PFORT_
            PFORT_CONF conf = &conf_ref->conf;

            conf_flags = conf->flags;
-            fort_device_flag_set(device_conf, FORT_DEVICE_BOOT_FILTER, conf_flags.boot_filter);
-            fort_device_flag_set(
-                    device_conf, FORT_DEVICE_BOOT_FILTER_LOCALS, conf_flags.filter_locals);
+
+            fort_device_flags_conf_set(device_conf, conf_flags);
        } else {
            RtlZeroMemory((void *) &conf_flags, sizeof(FORT_CONF_FLAGS));
            conf_flags.boot_filter = old_conf_flags.boot_filter;
@ -399,13 +407,11 @@ FORT_API FORT_CONF_FLAGS fort_conf_ref_flags_set(
            old_conf_flags = conf->flags;
            conf->flags = conf_flags;

-            fort_device_flag_set(device_conf, FORT_DEVICE_BOOT_FILTER, conf_flags.boot_filter);
-            fort_device_flag_set(
-                    device_conf, FORT_DEVICE_BOOT_FILTER_LOCALS, conf_flags.filter_locals);
+            fort_device_flags_conf_set(device_conf, conf_flags);

            device_conf->conf_flags = conf_flags;
        } else {
-            const UCHAR flags = fort_device_flag(device_conf, FORT_DEVICE_BOOT_MASK);
+            const UINT16 flags = fort_device_flag(device_conf, FORT_DEVICE_BOOT_MASK);

            RtlZeroMemory(&old_conf_flags, sizeof(FORT_CONF_FLAGS));
            old_conf_flags.boot_filter = (flags & FORT_DEVICE_BOOT_FILTER) != 0;
--- a/src/driver/fortcnf.h
+++ b/src/driver/fortcnf.h
@ -29,14 +29,16 @@ typedef struct fort_conf_ref
 #define FORT_DEVICE_BOOT_FILTER         0x01
 #define FORT_DEVICE_BOOT_FILTER_LOCALS  0x02
 #define FORT_DEVICE_BOOT_MASK           (FORT_DEVICE_BOOT_FILTER | FORT_DEVICE_BOOT_FILTER_LOCALS)
-#define FORT_DEVICE_IS_OPENED           0x04
-#define FORT_DEVICE_IS_VALIDATED        0x08
-#define FORT_DEVICE_POWER_OFF           0x10
-#define FORT_DEVICE_SHUTDOWN_REGISTERED 0x20
+#define FORT_DEVICE_BLOCK_TRAFFIC       0x04
+#define FORT_DEVICE_BLOCK_LAN_TRAFFIC   0x08
+#define FORT_DEVICE_IS_OPENED           0x10
+#define FORT_DEVICE_IS_VALIDATED        0x20
+#define FORT_DEVICE_POWER_OFF           0x40
+#define FORT_DEVICE_SHUTDOWN_REGISTERED 0x80

 typedef struct fort_device_conf
 {
-    UCHAR volatile flags;
+    UINT16 volatile flags;

    FORT_CONF_FLAGS volatile conf_flags;
    PFORT_CONF_REF volatile ref;
@ -53,9 +55,11 @@ extern "C" {

 FORT_API void fort_device_conf_open(PFORT_DEVICE_CONF device_conf);

-FORT_API UCHAR fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UCHAR flag, BOOL on);
+FORT_API UINT16 fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UINT16 flag, BOOL on);

-FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag);
+FORT_API UINT16 fort_device_flags(PFORT_DEVICE_CONF device_conf);
+
+FORT_API UINT16 fort_device_flag(PFORT_DEVICE_CONF device_conf, UINT16 flag);

 FORT_API FORT_APP_DATA fort_conf_exe_find(
        const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
--- a/src/driver/fortcout.c
+++ b/src/driver/fortcout.c
@ -157,12 +157,9 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check(
    return fort_callout_ale_log_blocked_ip_check_app(conf_flags, app_data);
 }

-inline static void fort_callout_ale_log_blocked_ip(PCFORT_CALLOUT_ARG ca,
-        PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref, FORT_CONF_FLAGS conf_flags)
+inline static void fort_callout_ale_log_blocked_ip(
+        PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
 {
-    if (!fort_callout_ale_log_blocked_ip_check(cx, conf_ref, conf_flags))
-        return;
-
    const UINT32 *local_ip = ca->isIPv6
            ? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->localIp].value.byteArray16
            : &ca->inFixedValues->incomingValue[ca->fi->localIp].value.uint32;
@ -301,13 +298,19 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca,
            (fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included, &fort_device()->conf,
            cx->remote_ip, ca->isIPv6);

-    if (!conf_flags.filter_local_net && cx->is_local_net) {
-        cx->blocked = FALSE;
-        return TRUE; /* allow Local Network */
-    }
+    if (cx->is_local_net) {
+        if (conf_flags.block_lan_traffic) {
+            return TRUE; /* block LAN */
+        }

-    if (conf_flags.block_inet_traffic && !cx->is_local_net) {
-        return TRUE; /* block Internet */
+        if (!conf_flags.filter_local_net) {
+            cx->blocked = FALSE;
+            return TRUE; /* allow Local Network */
+        }
+    } else {
+        if (conf_flags.block_inet_traffic) {
+            return TRUE; /* block Internet */
+        }
    }

    if (!fort_conf_ip_inet_included(&conf_ref->conf,
@ -339,7 +342,9 @@ inline static void fort_callout_ale_classify_blocked(PCFORT_CALLOUT_ARG ca,
        PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref, FORT_CONF_FLAGS conf_flags)
 {
    /* Log the blocked connection */
-    fort_callout_ale_log_blocked_ip(ca, cx, conf_ref, conf_flags);
+    if (fort_callout_ale_log_blocked_ip_check(cx, conf_ref, conf_flags)) {
+        fort_callout_ale_log_blocked_ip(ca, cx);
+    }

    if (cx->drop_blocked) {
        /* Drop the connection */
@ -436,11 +441,20 @@ inline static void fort_callout_ale_by_conf(
 inline static BOOL fort_callout_ale_is_local_address(PFORT_CALLOUT_ARG ca,
        PCFORT_CALLOUT_ALE_EXTRA cx, PFORT_DEVICE_CONF device_conf, const UINT32 classify_flags)
 {
-    if (fort_device_flag(device_conf, FORT_DEVICE_BOOT_FILTER_LOCALS) != 0)
+    const UINT16 device_flags = fort_device_flags(device_conf);
+
+    if ((device_flags & FORT_DEVICE_BOOT_FILTER_LOCALS) != 0)
        return FALSE;

-    return ((classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) != 0
-            || fort_addr_is_local_broadcast(cx->remote_ip, ca->isIPv6));
+    if ((classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) == 0
+            || (device_flags & FORT_DEVICE_BLOCK_TRAFFIC) != 0)
+        return FALSE;
+
+    if (!fort_addr_is_local_broadcast(cx->remote_ip, ca->isIPv6)
+            || (device_flags & FORT_DEVICE_BLOCK_LAN_TRAFFIC) != 0)
+        return FALSE;
+
+    return TRUE;
 }

 static void fort_callout_ale_classify(PFORT_CALLOUT_ARG ca)
--- a/src/driver/fortdev.c
+++ b/src/driver/fortdev.c
@ -66,7 +66,7 @@ FORT_API NTSTATUS fort_device_create(PDEVICE_OBJECT device, PIRP irp)
    NTSTATUS status = STATUS_SUCCESS;

    /* Device opened */
-    const UCHAR flags = fort_device_flag_set(&fort_device()->conf, FORT_DEVICE_IS_OPENED, TRUE);
+    const UINT16 flags = fort_device_flag_set(&fort_device()->conf, FORT_DEVICE_IS_OPENED, TRUE);
    if ((flags & FORT_DEVICE_IS_OPENED) != 0) {
        status = STATUS_SHARING_VIOLATION; /* Only one client may connect */
    }
--- a/src/ui/conf/firewallconf.cpp
+++ b/src/ui/conf/firewallconf.cpp
@ -14,12 +14,13 @@ FirewallConf::FirewallConf(Settings *settings, QObject *parent) : QObject(parent

 int FirewallConf::blockTrafficIndex() const
 {
-    return m_blockInetTraffic ? 2 : (m_blockTraffic ? 1 : 0);
+    return m_blockInetTraffic ? 3 : (m_blockLanTraffic ? 2 : (m_blockTraffic ? 1 : 0));
 }

 void FirewallConf::setBlockTrafficIndex(int index)
 {
    m_blockTraffic = false;
+    m_blockLanTraffic = false;
    m_blockInetTraffic = false;

    switch (index) {
@ -28,7 +29,10 @@ void FirewallConf::setBlockTrafficIndex(int index)
    case 1: { // Block All Traffic
        m_blockTraffic = true;
    } break;
-    case 2: { // Block Internet Traffic
+    case 2: { // Block LAN & Internet Traffic
+        m_blockLanTraffic = true;
+    } break;
+    case 3: { // Block Internet Traffic
        m_blockInetTraffic = true;
    } break;
    }
@ -74,12 +78,13 @@ void FirewallConf::setFilterMode(FirewallConf::FilterMode mode)

 QStringList FirewallConf::blockTrafficNames()
 {
-    return { tr("Disabled"), tr("Block All Traffic"), tr("Block Internet Traffic") };
+    return { tr("Disabled"), tr("Block All Traffic"), tr("Block LAN and Internet Traffic"),
+        tr("Block Internet Traffic") };
 }

 QStringList FirewallConf::blockTrafficIconPaths()
 {
-    return { QString(), ":/icons/cross.png", ":/icons/hostname.png" };
+    return { QString(), ":/icons/cross.png", ":/icons/computer.png", ":/icons/hostname.png" };
 }

 QStringList FirewallConf::filterModeNames()
@ -291,6 +296,7 @@ void FirewallConf::copyFlags(const FirewallConf &o)
    m_filterLocals = o.filterLocals();
    m_filterLocalNet = o.filterLocalNet();
    m_blockTraffic = o.blockTraffic();
+    m_blockLanTraffic = o.blockLanTraffic();
    m_blockInetTraffic = o.blockInetTraffic();
    m_allowAllNew = o.allowAllNew();
    m_askToConnect = o.askToConnect();
@ -340,6 +346,7 @@ QVariant FirewallConf::flagsToVariant() const
    map["filterLocals"] = filterLocals();
    map["filterLocalNet"] = filterLocalNet();
    map["blockTraffic"] = blockTraffic();
+    map["blockLanTraffic"] = blockLanTraffic();
    map["blockInetTraffic"] = blockInetTraffic();
    map["allowAllNew"] = allowAllNew();
    map["askToConnect"] = askToConnect();
@ -374,6 +381,7 @@ void FirewallConf::flagsFromVariant(const QVariant &v)
    m_filterLocals = map["filterLocals"].toBool();
    m_filterLocalNet = map["filterLocalNet"].toBool();
    m_blockTraffic = map["blockTraffic"].toBool();
+    m_blockLanTraffic = map["blockLanTraffic"].toBool();
    m_blockInetTraffic = map["blockInetTraffic"].toBool();
    m_allowAllNew = map["allowAllNew"].toBool();
    m_askToConnect = map["askToConnect"].toBool();
--- a/src/ui/conf/firewallconf.h
+++ b/src/ui/conf/firewallconf.h
@ -68,6 +68,9 @@ public:
    bool blockTraffic() const { return m_blockTraffic; }
    void setBlockTraffic(bool v) { m_blockTraffic = v; }

+    bool blockLanTraffic() const { return m_blockLanTraffic; }
+    void setBlockLanTraffic(bool v) { m_blockLanTraffic = v; }
+
    bool blockInetTraffic() const { return m_blockInetTraffic; }
    void setBlockInetTraffic(bool v) { m_blockInetTraffic = v; }

@ -209,6 +212,7 @@ private:
    uint m_filterLocals : 1 = false;
    uint m_filterLocalNet : 1 = false;
    uint m_blockTraffic : 1 = false;
+    uint m_blockLanTraffic : 1 = false;
    uint m_blockInetTraffic : 1 = false;
    uint m_allowAllNew : 1 = false;
    uint m_askToConnect : 1 = false;
--- a/src/ui/control/controlmanager.cpp
+++ b/src/ui/control/controlmanager.cpp
@ -51,6 +51,7 @@ enum BlockAction : qint8 {
    BlockActionInvalid = -1,
    BlockActionNone = 0,
    BlockActionAll,
+    BlockActionLan,
    BlockActionInet,
 };

@ -72,6 +73,9 @@ BlockAction blockActionByText(const QString &commandText)
    if (commandText == "all")
        return BlockActionAll;

+    if (commandText == "lan")
+        return BlockActionLan;
+
    if (commandText == "internet")
        return BlockActionInet;

@ -82,7 +86,7 @@ bool processCommandBlock(const ProcessCommandArgs &p)
 {
    const BlockAction blockAction = blockActionByText(p.args.value(0).toString());
    if (blockAction == BlockActionInvalid) {
-        p.errorMessage = "Usage: block none|all|internet";
+        p.errorMessage = "Usage: block none|all|lan|internet";
        return false;
    }

--- a/src/ui/form/tray/trayicon.cpp
+++ b/src/ui/form/tray/trayicon.cpp
@ -520,6 +520,7 @@ void TrayIcon::setupTrayMenuBlockTraffic()
    static const char *const blockTrafficIniKeys[] = {
        HotKey::blockTrafficOff,
        HotKey::blockTraffic,
+        HotKey::blockLanTraffic,
        HotKey::blockInetTraffic,
    };

@ -742,7 +743,7 @@ QString TrayIcon::trayIconPath() const
    if (conf()->blockTraffic()) {
        return ":/icons/fort_red.png";
    }
-    if (conf()->blockInetTraffic()) {
+    if (conf()->blockLanTraffic() || conf()->blockInetTraffic()) {
        return ":/icons/fort_orange.png";
    }
    return ":/icons/fort.png";
--- a/src/ui/fort_icons.qrc
+++ b/src/ui/fort_icons.qrc
@ -17,6 +17,7 @@
    <file>icons/clock.png</file>
    <file>icons/coding.png</file>
    <file>icons/cog.png</file>
+    <file>icons/computer.png</file>
    <file>icons/computer-96.png</file>
    <file>icons/connect.png</file>
    <file>icons/control_end.png</file>
--- a/src/ui/fortsettings.cpp
+++ b/src/ui/fortsettings.cpp
@ -443,6 +443,7 @@ void FortSettings::writeConfIni(const FirewallConf &conf)
        setIniValue("filterLocals", conf.filterLocals());
        setIniValue("filterLocalNet", conf.filterLocalNet());
        setIniValue("blockTraffic", conf.blockTraffic());
+        setIniValue("blockLanTraffic", conf.blockLanTraffic());
        setIniValue("blockInetTraffic", conf.blockInetTraffic());
        setIniValue("allowAllNew", conf.allowAllNew());
        setIniValue("askToConnect", conf.askToConnect());
--- a/src/ui/icons/computer.png
+++ b/src/ui/icons/computer.png
--- a/src/ui/user/iniuser.cpp
+++ b/src/ui/user/iniuser.cpp
@ -15,6 +15,7 @@ const char *const list[] = {
    filter,
    blockTrafficOff,
    blockTraffic,
+    blockLanTraffic,
    blockInetTraffic,
    filterModeAutoLearn,
    filterModeAskToConnect,
--- a/src/ui/user/iniuser.h
+++ b/src/ui/user/iniuser.h
@ -17,6 +17,7 @@ const char *const filter = "filter";

 const char *const blockTrafficOff = "blockTrafficOff";
 const char *const blockTraffic = "blockTraffic";
+const char *const blockLanTraffic = "blockLanTraffic";
 const char *const blockInetTraffic = "blockInetTraffic";

 const char *const filterModeAutoLearn = "filterModeAutoLearn";
--- a/src/ui/util/conf/confdata.cpp
+++ b/src/ui/util/conf/confdata.cpp
@ -143,6 +143,7 @@ void ConfData::writeConfFlags(const FirewallConf &conf)
    confFlags->filter_local_net = conf.filterLocalNet();

    confFlags->block_traffic = conf.blockTraffic();
+    confFlags->block_lan_traffic = conf.blockLanTraffic();
    confFlags->block_inet_traffic = conf.blockInetTraffic();
    confFlags->allow_all_new = conf.allowAllNew();
    confFlags->ask_to_connect = conf.askToConnect();
--- a/src/version/fort_version.h
+++ b/src/version/fort_version.h
@ -16,6 +16,6 @@
 #define APP_UPDATES_URL		"https://github.com/tnodir/fort/releases"
 #define APP_UPDATES_API_URL	"https://api.github.com/repos/tnodir/fort/releases/latest"

-#define DRIVER_VERSION		41
+#define DRIVER_VERSION		42

 #endif // FORT_VERSION_H