mirrors/fort
1
0
Fork 0
mirror of https://github.com/tnodir/fort synced 2024-11-15 08:46:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Driver: Use one transaction for provider reauth.

Browse Source
This commit is contained in:
Nodir Temirkhodjaev 2018-01-10 07:13:22 +05:00
parent 9fbe90e1f9
commit 4741bb1c4e
3 changed files with 115 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
src/common/fortprov.c
View File

@ -1,25 +1,23 @@
/* Fort Firewall Driver Provider (Un)Registration */
static DWORD
fort_prov_open (HANDLE *enginep)
{
return FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, enginep);
}
#define fort_prov_open(engine) FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, (engine))
#define fort_prov_close(engine) FwpmEngineClose0(engine)
#define fort_prov_trans_begin(engine) FwpmTransactionBegin0((engine), 0)
#define fort_prov_trans_commit(engine) FwpmTransactionCommit0(engine)
#define fort_prov_trans_abort(engine) FwpmTransactionAbort0(engine)
static void
fort_prov_close (HANDLE engine)
fort_prov_unregister (HANDLE transEngine)
{
FwpmEngineClose0(engine);
}
static void
fort_prov_unregister (void)
{
HANDLE engine;
HANDLE engine = transEngine;
if (!transEngine) {
if (fort_prov_open(&engine))
return;
fort_prov_trans_begin(engine);
}
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_CONNECT_V4);
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_ACCEPT_V4);
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_CLOSURE_V4);
@ -39,28 +37,38 @@ fort_prov_unregister (void)
FwpmCalloutDeleteByKey0(engine, (GUID *) &FORT_GUID_CALLOUT_OUT_TRANSPORT_V4);
FwpmProviderDeleteByKey0(engine, (GUID *) &FORT_GUID_PROVIDER);
if (!transEngine) {
fort_prov_trans_commit(engine);
fort_prov_close(engine);
}
}
static void
fort_prov_flow_unregister (void)
fort_prov_flow_unregister (HANDLE transEngine)
{
HANDLE engine;
HANDLE engine = transEngine;
if (!transEngine) {
if (fort_prov_open(&engine))
return;
fort_prov_trans_begin(engine);
}
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_CLOSURE_V4);
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_STREAM_V4);
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_DATAGRAM_V4);
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_IN_TRANSPORT_V4);
FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_OUT_TRANSPORT_V4);
if (!transEngine) {
fort_prov_trans_commit(engine);
fort_prov_close(engine);
}
}
static DWORD
fort_prov_register (BOOL is_boot)
fort_prov_register (HANDLE transEngine, BOOL is_boot)
{
FWPM_PROVIDER0 provider;
FWPM_CALLOUT0 ocallout4, icallout4;
@ -68,13 +76,17 @@ fort_prov_register (BOOL is_boot)
FWPM_CALLOUT0 itcallout4, otcallout4;
FWPM_SUBLAYER0 sublayer;
FWPM_FILTER0 ofilter4, ifilter4;
HANDLE engine;
HANDLE engine = transEngine;
const UINT32 filter_flags = is_boot ? 0 : FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED;
DWORD status;
if (!transEngine) {
if ((status = fort_prov_open(&engine)))
goto end;
fort_prov_trans_begin(engine);
}
RtlZeroMemory(&provider, sizeof(FWPM_PROVIDER0));
provider.flags = is_boot ? FWPM_PROVIDER_FLAG_PERSISTENT : 0;
provider.providerKey = FORT_GUID_PROVIDER;
@ -157,8 +169,7 @@ fort_prov_register (BOOL is_boot)
ifilter4.action.type = FWP_ACTION_CALLOUT_UNKNOWN;
ifilter4.action.calloutKey = FORT_GUID_CALLOUT_ACCEPT_V4;
if ((status = FwpmTransactionBegin0(engine, 0))
|| (status = FwpmProviderAdd0(engine, &provider, NULL))
if ((status = FwpmProviderAdd0(engine, &provider, NULL))
|| (status = FwpmCalloutAdd0(engine, &ocallout4, NULL, NULL))
|| (status = FwpmCalloutAdd0(engine, &icallout4, NULL, NULL))
|| (status = FwpmCalloutAdd0(engine, &ccallout4, NULL, NULL))
@ -168,30 +179,39 @@ fort_prov_register (BOOL is_boot)
|| (status = FwpmCalloutAdd0(engine, &otcallout4, NULL, NULL))
|| (status = FwpmSubLayerAdd0(engine, &sublayer, NULL))
|| (status = FwpmFilterAdd0(engine, &ofilter4, NULL, NULL))
|| (status = FwpmFilterAdd0(engine, &ifilter4, NULL, NULL))
|| (status = FwpmTransactionCommit0(engine))) {
FwpmTransactionAbort0(engine);
|| (status = FwpmFilterAdd0(engine, &ifilter4, NULL, NULL))) {
fort_prov_trans_abort(engine);
}
if (!transEngine) {
if (!status) {
status = fort_prov_trans_commit(engine);
}
fort_prov_close(engine);
}
end:
return status;
}
static DWORD
fort_prov_flow_register (BOOL speed_limit)
fort_prov_flow_register (HANDLE transEngine, BOOL speed_limit)
{
FWPM_FILTER0 cfilter4, sfilter4, dfilter4;
FWPM_FILTER0 itfilter4, otfilter4;
HANDLE engine;
HANDLE engine = transEngine;
const UINT32 filter_flags = FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED
| FWP_CALLOUT_FLAG_ALLOW_MID_STREAM_INSPECTION;
DWORD status;
if (!transEngine) {
if ((status = fort_prov_open(&engine)))
goto end;
fort_prov_trans_begin(engine);
}
RtlZeroMemory(&cfilter4, sizeof(FWPM_FILTER0));
cfilter4.flags = 0;
cfilter4.filterKey = FORT_GUID_FILTER_CLOSURE_V4;
@ -242,19 +262,24 @@ fort_prov_flow_register (BOOL speed_limit)
otfilter4.action.type = FWP_ACTION_CALLOUT_UNKNOWN;
otfilter4.action.calloutKey = FORT_GUID_CALLOUT_OUT_TRANSPORT_V4;
if ((status = FwpmTransactionBegin0(engine, 0))
|| (status = FwpmFilterAdd0(engine, &cfilter4, NULL, NULL))
if ((status = FwpmFilterAdd0(engine, &cfilter4, NULL, NULL))
|| (status = FwpmFilterAdd0(engine, &sfilter4, NULL, NULL))
|| (status = FwpmFilterAdd0(engine, &dfilter4, NULL, NULL))
#if 0
|| (speed_limit && ((status = FwpmFilterAdd0(engine, &itfilter4, NULL, NULL))
|| (status = FwpmFilterAdd0(engine, &otfilter4, NULL, NULL))))
#endif
|| (status = FwpmTransactionCommit0(engine))) {
FwpmTransactionAbort0(engine);
) {
fort_prov_trans_abort(engine);
}
if (!transEngine) {
if (!status) {
status = fort_prov_trans_commit(engine);
}
fort_prov_close(engine);
}
end:
return status;
@ -282,16 +307,17 @@ fort_prov_is_boot (void)
}
static DWORD
fort_prov_reauth (void)
fort_prov_reauth (HANDLE transEngine)
{
HANDLE engine;
HANDLE engine = transEngine;
DWORD status;
if (!transEngine) {
if ((status = fort_prov_open(&engine)))
return status;
goto end;
if ((status = FwpmTransactionBegin0(engine, 0)))
return status;
fort_prov_trans_begin(engine);
}
status = FwpmFilterDeleteByKey0(engine, (GUID *) &FORT_GUID_FILTER_REAUTH_IN);
if (!status) {
@ -319,10 +345,17 @@ fort_prov_reauth (void)
FwpmFilterAdd0(engine, &ofilter, NULL, NULL);
}
FwpmTransactionCommit0(engine);
if (!transEngine) {
if (!status) {
status = fort_prov_trans_commit(engine);
} else {
fort_prov_trans_abort(engine);
}
fort_prov_close(engine);
}
end:
return status;
}

58
src/driver/fortdrv.c
View File

@ -637,6 +637,7 @@ fort_callout_force_reauth (PDEVICE_OBJECT device,
const FORT_CONF_FLAGS old_conf_flags,
const FORT_CONF_FLAGS conf_flags)
{
HANDLE engine;
NTSTATUS status;
UNUSED(device);
@ -645,16 +646,17 @@ fort_callout_force_reauth (PDEVICE_OBJECT device,
fort_stat_clear(&g_device->stat);
}
if ((status = fort_prov_open(&engine)))
goto end;
fort_prov_trans_begin(engine);
/* Check provider filters */
if (old_conf_flags.prov_boot != conf_flags.prov_boot) {
fort_prov_unregister();
fort_prov_unregister(engine);
status = fort_prov_register(conf_flags.prov_boot);
if (!NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL,
"FORT: Prov. Register: Error: %d\n", status);
return status;
}
if ((status = fort_prov_register(engine, conf_flags.prov_boot)))
goto cleanup;
goto stat;
}
@ -662,32 +664,40 @@ fort_callout_force_reauth (PDEVICE_OBJECT device,
/* Check flow filter */
if (old_conf_flags.log_stat != conf_flags.log_stat) {
if (old_conf_flags.log_stat) {
fort_prov_flow_unregister();
fort_prov_flow_unregister(engine);
}
stat:
if (conf_flags.log_stat) {
status = fort_prov_flow_register(&g_device->stat.limit_bits != 0);
if (!NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL,
"FORT: Prov. Flow Register: Error: %d\n", status);
return status;
}
if ((status = fort_prov_flow_register(engine,
(&g_device->stat.limit_bits != 0))))
goto cleanup;
}
}
/* Force reauth filter */
status = fort_prov_reauth();
if (!NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL,
"FORT: Prov. Reauth: Error: %d\n", status);
return status;
}
if ((status = fort_prov_reauth(engine)))
goto cleanup;
fort_timer_update(&g_device->timer,
(conf_flags.log_blocked || conf_flags.log_stat));
return STATUS_SUCCESS;
cleanup:
if (NT_SUCCESS(status)) {
status = fort_prov_trans_commit(engine);
} else {
fort_prov_trans_abort(engine);
}
fort_prov_close(engine);
end:
if (!NT_SUCCESS(status)) {
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL,
"FORT: Callout Reauth: Error: %d\n", status);
}
return status;
}
static void
@ -901,7 +911,7 @@ fort_driver_unload (PDRIVER_OBJECT driver)
fort_timer_close(&g_device->timer);
if (!g_device->prov_boot) {
fort_prov_unregister();
fort_prov_unregister(0);
}
fort_callout_remove();
@ -983,7 +993,7 @@ DriverEntry (PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
g_device->prov_boot = fort_prov_is_boot();
fort_prov_unregister();
fort_prov_unregister(0);
}
/* Install callouts */
@ -991,7 +1001,7 @@ DriverEntry (PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
/* Register filters provider */
if (NT_SUCCESS(status)) {
status = fort_prov_register(g_device->prov_boot);
status = fort_prov_register(0, g_device->prov_boot);
}
}
}

2
src/ui/fortcommon.cpp
View File

@ -167,5 +167,5 @@ bool FortCommon::confAppBlocked(const void *drvConf, int appIndex)
void FortCommon::provUnregister()
{
fort_prov_unregister();
fort_prov_unregister(0);
}