diff --git a/src/driver/common/common_types.h b/src/driver/common/common_types.h index b9c440c1..b081a093 100644 --- a/src/driver/common/common_types.h +++ b/src/driver/common/common_types.h @@ -16,6 +16,7 @@ typedef struct ip6_addr_t } ip6_addr_t; typedef union ip_addr_t { + unsigned short v2; unsigned int v4; ip6_addr_t v6; } ip_addr_t; diff --git a/src/driver/common/fortconf.c b/src/driver/common/fortconf.c index af72f62c..cea7e674 100644 --- a/src/driver/common/fortconf.c +++ b/src/driver/common/fortconf.c @@ -129,10 +129,10 @@ FORT_API BOOL fort_mem_eql(const void *p1, const void *p2, UINT32 len) } FORT_API BOOL fort_conf_ip_inlist( - const UINT32 *ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6) + const ip_addr_t ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6) { if (isIPv6) { - const ip6_addr_t *ip6 = (const ip6_addr_t *) ip; + const ip6_addr_t *ip6 = &ip.v6; const PFORT_CONF_ADDR_LIST addr6_list = (const PFORT_CONF_ADDR_LIST)((const PCHAR) addr_list + FORT_CONF_ADDR4_LIST_SIZE(addr_list->ip_n, addr_list->pair_n)); @@ -140,9 +140,9 @@ FORT_API BOOL fort_conf_ip_inlist( || fort_conf_ip6_inrange( fort_conf_addr_list_pair6_ref(addr6_list), ip6, addr6_list->pair_n); } else { - return fort_conf_ip4_inarr(fort_conf_addr_list_ip4_ref(addr_list), *ip, addr_list->ip_n) + return fort_conf_ip4_inarr(fort_conf_addr_list_ip4_ref(addr_list), ip.v4, addr_list->ip_n) || fort_conf_ip4_inrange( - fort_conf_addr_list_pair4_ref(addr_list), *ip, addr_list->pair_n); + fort_conf_addr_list_pair4_ref(addr_list), ip.v4, addr_list->pair_n); } } @@ -155,7 +155,7 @@ FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(const PFORT_CONF conf, i } static BOOL fort_conf_ip_included_check(const PFORT_CONF_ADDR_LIST addr_list, - fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, + fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip, UINT32 zones_mask, BOOL list_is_empty, BOOL isIPv6) { return (!list_is_empty && fort_conf_ip_inlist(remote_ip, addr_list, isIPv6)) @@ -163,8 +163,8 @@ static BOOL fort_conf_ip_included_check(const PFORT_CONF_ADDR_LIST addr_list, } FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf, - fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, BOOL isIPv6, - int addr_group_index) + fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip, + BOOL isIPv6, int addr_group_index) { const PFORT_CONF_ADDR_GROUP addr_group = fort_conf_addr_group_ref(conf, addr_group_index); diff --git a/src/driver/common/fortconf.h b/src/driver/common/fortconf.h index a7486a86..eb2ed2bf 100644 --- a/src/driver/common/fortconf.h +++ b/src/driver/common/fortconf.h @@ -169,23 +169,31 @@ typedef struct fort_conf_rule_flag (sizeof(FORT_CONF_RULE) + ((rule)->has_zones ? sizeof(FORT_CONF_RULE_ZONES) : 0) \ + (rule)->set_count * sizeof(UINT16)) -typedef struct fort_conf_conn +typedef struct fort_conf_meta_conn { UCHAR inbound : 1; UCHAR isIPv6 : 1; UCHAR is_loopback : 1; UCHAR is_local_net : 1; + UCHAR inherited : 1; - const UCHAR ip_proto; + UCHAR block_reason; - const UINT16 local_port; - const UINT16 remote_port; + UCHAR ip_proto; - const UINT32 *remote_ip; - const UINT32 *local_ip; -} FORT_CONF_CONN, *PFORT_CONF_CONN; + UINT16 local_port; + UINT16 remote_port; -typedef const FORT_CONF_CONN *PCCONF_CONN; + UINT32 process_id; + + ip_addr_t local_ip; + ip_addr_t remote_ip; + + FORT_APP_PATH path; + FORT_APP_PATH real_path; +} FORT_CONF_META_CONN, *PFORT_CONF_META_CONN; + +typedef const FORT_CONF_META_CONN *PCFORT_CONF_META_CONN; typedef struct fort_conf_zones { @@ -333,7 +341,7 @@ typedef FORT_APP_DATA fort_conf_app_exe_find_func( const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path); typedef BOOL fort_conf_zones_ip_included_func( - void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6); + void *ctx, UINT32 zones_mask, const ip_addr_t remote_ip, BOOL isIPv6); #if defined(__cplusplus) extern "C" { @@ -346,7 +354,7 @@ FORT_API int fort_mem_cmp(const void *p1, const void *p2, UINT32 len); FORT_API BOOL fort_mem_eql(const void *p1, const void *p2, UINT32 len); FORT_API BOOL fort_conf_ip_inlist( - const UINT32 *ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6); + const ip_addr_t ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6); FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref( const PFORT_CONF conf, int addr_group_index); @@ -358,8 +366,8 @@ FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref( ((PFORT_CONF_ADDR_LIST) ((addr_group)->data + (addr_group)->exclude_off)) FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf, - fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, BOOL isIPv6, - int addr_group_index); + fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip, + BOOL isIPv6, int addr_group_index); #define fort_conf_ip_is_inet(conf, zone_func, ctx, remote_ip, isIPv6) \ fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/0) diff --git a/src/driver/common/fortlog.c b/src/driver/common/fortlog.c index a57018f5..10b7c076 100644 --- a/src/driver/common/fortlog.c +++ b/src/driver/common/fortlog.c @@ -33,63 +33,63 @@ FORT_API void fort_log_blocked_header_read( *pid = *up; } -void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited, - UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, - const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len) +FORT_API void fort_log_blocked_ip_header_write(char *p, PCFORT_CONF_META_CONN conn, UINT32 path_len) { UINT32 *up = (UINT32 *) p; - *up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (isIPv6 ? FORT_LOG_FLAG_IP6 : 0) - | (inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len; - *up++ = (inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0) | ((UINT32) block_reason << 8) - | ((UINT32) ip_proto << 16); - *up++ = local_port | ((UINT32) remote_port << 16); - *up++ = pid; + *up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (conn->isIPv6 ? FORT_LOG_FLAG_IP6 : 0) + | (conn->inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len; + *up++ = (conn->inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0) + | ((UINT32) conn->block_reason << 8) | ((UINT32) conn->ip_proto << 16); + *up++ = conn->local_port | ((UINT32) conn->remote_port << 16); + *up++ = conn->process_id; - const int ip_size = FORT_IP_ADDR_SIZE(isIPv6); - RtlCopyMemory(up, local_ip, ip_size); + const int ip_size = FORT_IP_ADDR_SIZE(conn->isIPv6); + // Local IP + RtlCopyMemory(up, &conn->local_ip, ip_size); + + // Remote IP up = (UINT32 *) ((PCHAR) up + ip_size); - RtlCopyMemory(up, remote_ip, ip_size); + RtlCopyMemory(up, &conn->remote_ip, ip_size); } -void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited, - UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, - const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path) +FORT_API void fort_log_blocked_ip_write(char *p, PCFORT_CONF_META_CONN conn, PCFORT_APP_PATH path) { const UINT16 path_len = path->len; - fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto, - local_port, remote_port, local_ip, remote_ip, pid, path_len); + fort_log_blocked_ip_header_write(p, conn, path_len); if (path_len != 0) { - RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len); + RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(conn->isIPv6), path->buffer, path_len); } } -void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound, BOOL *inherited, - UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port, UINT16 *remote_port, - UINT32 *local_ip, UINT32 *remote_ip, UINT32 *pid, UINT32 *path_len) +FORT_API void fort_log_blocked_ip_header_read( + const char *p, PFORT_CONF_META_CONN conn, UINT32 *path_len) { const UINT32 *up = (const UINT32 *) p; - *isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0; - *inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0; + conn->isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0; + conn->inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0; *path_len = (*up++ & ~FORT_LOG_FLAG_EX_MASK); const UCHAR flags = (UCHAR) *up; - *inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0; - *block_reason = (UCHAR) (*up >> 8); - *ip_proto = (UCHAR) (*up++ >> 16); - *local_port = *((const UINT16 *) up); - *remote_port = (UINT16) (*up++ >> 16); - *pid = *up++; + conn->inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0; + conn->block_reason = (UCHAR) (*up >> 8); + conn->ip_proto = (UCHAR) (*up++ >> 16); + conn->local_port = *((const UINT16 *) up); + conn->remote_port = (UINT16) (*up++ >> 16); + conn->process_id = *up++; - const int ip_size = FORT_IP_ADDR_SIZE(*isIPv6); - RtlCopyMemory(local_ip, up, ip_size); + const int ip_size = FORT_IP_ADDR_SIZE(conn->isIPv6); + // Local IP + RtlCopyMemory(&conn->local_ip, up, ip_size); + + // Remote IP up = (const UINT32 *) ((const PCHAR) up + ip_size); - RtlCopyMemory(remote_ip, up, ip_size); + RtlCopyMemory(&conn->remote_ip, up, ip_size); } FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len) diff --git a/src/driver/common/fortlog.h b/src/driver/common/fortlog.h index 7f94a3d8..a0742769 100644 --- a/src/driver/common/fortlog.h +++ b/src/driver/common/fortlog.h @@ -3,6 +3,8 @@ #include "common.h" +#include "fortconf.h" + #define FORT_BUFFER_SIZE (16 * 1024 - 64) #define FORT_LOG_PATH_MAX 512 #define FORT_LOG_ALIGN 4 @@ -68,17 +70,13 @@ FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_A FORT_API void fort_log_blocked_header_read( const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len); -FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited, - UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, - const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len); +FORT_API void fort_log_blocked_ip_header_write( + char *p, PCFORT_CONF_META_CONN conn, UINT32 path_len); -FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited, - UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, - const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path); +FORT_API void fort_log_blocked_ip_write(char *p, PCFORT_CONF_META_CONN conn, PCFORT_APP_PATH path); -FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound, - BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port, - UINT16 *remote_port, UINT32 *local_ip, UINT32 *remote_ip, UINT32 *pid, UINT32 *path_len); +FORT_API void fort_log_blocked_ip_header_read( + const char *p, PFORT_CONF_META_CONN conn, UINT32 *path_len); FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len); diff --git a/src/driver/fortbuf.c b/src/driver/fortbuf.c index 801b3907..1672d87d 100644 --- a/src/driver/fortbuf.c +++ b/src/driver/fortbuf.c @@ -189,18 +189,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT return status; } -NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited, - UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, - const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path, - PIRP *irp, ULONG_PTR *info) +FORT_API NTSTATUS fort_buffer_blocked_ip_write( + PFORT_BUFFER buf, PCFORT_CONF_META_CONN conn, PIRP *irp, ULONG_PTR *info) { FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE); NTSTATUS status; - const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path); + const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(&conn->real_path); - const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6); + const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, conn->isIPv6); KLOCK_QUEUE_HANDLE lock_queue; KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue); @@ -209,8 +207,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun status = fort_buffer_prepare(buf, len, &out, irp, info); if (NT_SUCCESS(status)) { - fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto, - local_port, remote_port, local_ip, remote_ip, pid, &log_path); + fort_log_blocked_ip_write(out, conn, &log_path); } } KeReleaseInStackQueuedSpinLock(&lock_queue); diff --git a/src/driver/fortbuf.h b/src/driver/fortbuf.h index 0e3b81b4..fec2d0ff 100644 --- a/src/driver/fortbuf.h +++ b/src/driver/fortbuf.h @@ -3,6 +3,7 @@ #include "fortdrv.h" +#include "common/fortconf.h" #include "common/fortlog.h" typedef struct fort_buffer_data @@ -43,10 +44,8 @@ FORT_API NTSTATUS fort_buffer_prepare( FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info); -FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, - BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, - const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path, - PIRP *irp, ULONG_PTR *info); +FORT_API NTSTATUS fort_buffer_blocked_ip_write( + PFORT_BUFFER buf, PCFORT_CONF_META_CONN conn, PIRP *irp, ULONG_PTR *info); FORT_API NTSTATUS fort_buffer_proc_new_write( PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info); diff --git a/src/driver/fortcnf.c b/src/driver/fortcnf.c index 772d83b4..2ead6a9a 100644 --- a/src/driver/fortcnf.c +++ b/src/driver/fortcnf.c @@ -452,8 +452,8 @@ FORT_API void fort_conf_zone_flag_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_ ExReleaseSpinLockExclusive(&device_conf->lock, oldIrql); } -FORT_API BOOL fort_conf_zones_ip_included( - PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6) +FORT_API BOOL fort_conf_zones_ip_included(PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, + const ip_addr_t remote_ip, BOOL isIPv6) { BOOL res = FALSE; diff --git a/src/driver/fortcnf.h b/src/driver/fortcnf.h index 5866b36d..986bb24a 100644 --- a/src/driver/fortcnf.h +++ b/src/driver/fortcnf.h @@ -86,8 +86,8 @@ FORT_API void fort_conf_zones_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_ZONE FORT_API void fort_conf_zone_flag_set( PFORT_DEVICE_CONF device_conf, PFORT_CONF_ZONE_FLAG zone_flag); -FORT_API BOOL fort_conf_zones_ip_included( - PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6); +FORT_API BOOL fort_conf_zones_ip_included(PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, + const ip_addr_t remote_ip, BOOL isIPv6); #ifdef __cplusplus } // extern "C" diff --git a/src/driver/fortcout.c b/src/driver/fortcout.c index 25e904c7..09038b17 100644 --- a/src/driver/fortcout.c +++ b/src/driver/fortcout.c @@ -60,7 +60,7 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data( return cx->app_data; const FORT_APP_DATA app_data = - fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref); + fort_conf_app_find(&conf_ref->conf, &cx->conn.path, fort_conf_exe_find, conf_ref); fort_callout_ale_set_app_flags(cx, app_data); @@ -80,7 +80,7 @@ inline static BOOL fort_callout_ale_associate_flow( BOOL log_stat = FALSE; - const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->process_id, + const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->conn.process_id, group_index, ca->isIPv6, is_tcp, ca->inbound, cx->is_reauth, &log_stat); if (!NT_SUCCESS(status)) { @@ -89,13 +89,13 @@ inline static BOOL fort_callout_ale_associate_flow( TRACE(FORT_CALLOUT_FLOW_ASSOC_ERROR, status, 0, 0); } - cx->block_reason = FORT_BLOCK_REASON_REAUTH; + cx->conn.block_reason = FORT_BLOCK_REASON_REAUTH; return TRUE; /* block (Error) */ } if (!log_stat) { - fort_buffer_proc_new_write( - &fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info); + fort_buffer_proc_new_write(&fort_device()->buffer, cx->conn.process_id, &cx->conn.real_path, + &cx->irp, &cx->info); } return FALSE; @@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx, FORT_APP_ENTRY app_entry = { .app_data = app_data, - .path_len = cx->path.len, + .path_len = cx->conn.path.len, }; - if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path))) + if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->conn.path))) return; fort_callout_ale_set_app_flags(cx, app_data); - fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path, - &cx->irp, &cx->info); + fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->conn.process_id, + &cx->conn.real_path, &cx->irp, &cx->info); } inline static BOOL fort_callout_ale_log_blocked_ip_check_app( @@ -146,7 +146,7 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check_app( inline static BOOL fort_callout_ale_log_blocked_ip_check( PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref, FORT_CONF_FLAGS conf_flags) { - if (cx->block_reason == FORT_BLOCK_REASON_UNKNOWN) + if (cx->conn.block_reason == FORT_BLOCK_REASON_UNKNOWN) return FALSE; if (!(conf_flags.ask_to_connect || conf_flags.log_blocked_ip)) @@ -157,31 +157,51 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check( return fort_callout_ale_log_blocked_ip_check_app(conf_flags, app_data); } +static ip_addr_t fort_callout_meta_ip(PFORT_CALLOUT_ARG ca, UCHAR ipIndex) +{ + ip_addr_t ip; + if (ca->isIPv6) { + ip.v6 = *((ip6_addr_t *) ca->inFixedValues->incomingValue[ipIndex].value.byteArray16); + } else { + ip.v4 = ca->inFixedValues->incomingValue[ipIndex].value.uint32; + } + return ip; +} + +static void fort_callout_ale_fill_meta_conn(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) +{ + if (cx->is_conn_filled) + return; + + cx->is_conn_filled = TRUE; + + PFORT_CONF_META_CONN conn = &cx->conn; + + conn->ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8; + + conn->local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16; + conn->remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16; + + conn->local_ip = fort_callout_meta_ip(ca, ca->fi->localIp); +} + inline static void fort_callout_ale_log_blocked_ip( PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) { - const UINT32 *local_ip = ca->isIPv6 - ? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->localIp].value.byteArray16 - : &ca->inFixedValues->incomingValue[ca->fi->localIp].value.uint32; + fort_callout_ale_fill_meta_conn(ca, cx); - const UINT16 local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16; - const UINT16 remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16; - const UCHAR ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8; - - fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited, - cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->conn.remote_ip, - cx->process_id, &cx->real_path, &cx->irp, &cx->info); + fort_buffer_blocked_ip_write(&fort_device()->buffer, &cx->conn, &cx->irp, &cx->info); } inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) { if (!fort_pending_add_packet(&fort_device()->pending, ca, cx)) { - cx->block_reason = FORT_BLOCK_REASON_ASK_LIMIT; + cx->conn.block_reason = FORT_BLOCK_REASON_ASK_LIMIT; return TRUE; /* block (error) */ } cx->drop_blocked = TRUE; - cx->block_reason = FORT_BLOCK_REASON_ASK_PENDING; + cx->conn.block_reason = FORT_BLOCK_REASON_ASK_PENDING; return TRUE; /* drop (pending) */ } @@ -214,23 +234,23 @@ static BOOL fort_callout_ale_app_blocked(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_AL FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data) { if (fort_conf_app_group_blocked(conf_flags, app_data)) { - cx->block_reason = FORT_BLOCK_REASON_APP_GROUP_FOUND; + cx->conn.block_reason = FORT_BLOCK_REASON_APP_GROUP_FOUND; return TRUE; /* block Group */ } if (app_data.flags.blocked) { - cx->block_reason = FORT_BLOCK_REASON_PROGRAM; + cx->conn.block_reason = FORT_BLOCK_REASON_PROGRAM; return TRUE; /* block Program */ } if (app_data.flags.lan_only && !cx->conn.is_local_net) { - cx->block_reason = FORT_BLOCK_REASON_LAN_ONLY; + cx->conn.block_reason = FORT_BLOCK_REASON_LAN_ONLY; return TRUE; /* block LAN Only */ } if (fort_callout_ale_ip_zone_check(ca, cx, app_data.reject_zones, /*included=*/TRUE) || fort_callout_ale_ip_zone_check(ca, cx, app_data.accept_zones, /*included=*/FALSE)) { - cx->block_reason = FORT_BLOCK_REASON_ZONE; + cx->conn.block_reason = FORT_BLOCK_REASON_ZONE; return TRUE; /* block Rejected or Not Accepted Zones */ } @@ -251,7 +271,7 @@ inline static BOOL fort_callout_ale_flags_allowed( /* Ignore */ cx->ignore = TRUE; - cx->block_reason = FORT_BLOCK_REASON_NONE; /* Don't block or allow */ + cx->conn.block_reason = FORT_BLOCK_REASON_NONE; /* Don't block or allow */ return TRUE; } @@ -315,7 +335,7 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca, if (!fort_conf_ip_inet_included(&conf_ref->conf, (fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included, &fort_device()->conf, cx->conn.remote_ip, ca->isIPv6)) { - cx->block_reason = FORT_BLOCK_REASON_IP_INET; + cx->conn.block_reason = FORT_BLOCK_REASON_IP_INET; return TRUE; /* block address */ } @@ -371,16 +391,21 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca, inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) { - PFORT_APP_PATH real_path = &cx->real_path; + if (cx->is_path_filled) + return; + + cx->is_path_filled = TRUE; + + PFORT_APP_PATH real_path = &cx->conn.real_path; real_path->len = (UINT16) (ca->inMetaValues->processPath->size - sizeof(WCHAR)); /* chop terminating zero */ real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data; - PFORT_APP_PATH path = &cx->path; + PFORT_APP_PATH path = &cx->conn.path; BOOL inherited = FALSE; - if (fort_pstree_get_proc_name(&fort_device()->ps_tree, cx->process_id, path, &inherited)) { + if (fort_pstree_get_proc_name(&fort_device()->ps_tree, cx->conn.process_id, path, &inherited)) { if (!inherited) { *real_path = *path; } @@ -388,19 +413,19 @@ inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLO *path = *real_path; } - cx->inherited = (UCHAR) inherited; + cx->conn.inherited = (UCHAR) inherited; } inline static void fort_callout_ale_check_conf( PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref) { - cx->process_id = (UINT32) ca->inMetaValues->processId; + cx->conn.process_id = (UINT32) ca->inMetaValues->processId; fort_callout_ale_fill_path(ca, cx); cx->blocked = TRUE; cx->ignore = FALSE; - cx->block_reason = FORT_BLOCK_REASON_UNKNOWN; + cx->conn.block_reason = FORT_BLOCK_REASON_UNKNOWN; const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags; @@ -470,16 +495,12 @@ static void fort_callout_ale_classify(PFORT_CALLOUT_ARG ca) ca->inbound = (ca->inMetaValues->packetDirection == FWP_DIRECTION_INBOUND); } - const UINT32 *remote_ip = ca->isIPv6 - ? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->remoteIp].value.byteArray16 - : &ca->inFixedValues->incomingValue[ca->fi->remoteIp].value.uint32; - FORT_CALLOUT_ALE_EXTRA cx = { .is_reauth = is_reauth, .conn = { .inbound = ca->inbound, .isIPv6 = ca->isIPv6, - .remote_ip = remote_ip, + .remote_ip = fort_callout_meta_ip(ca, ca->fi->remoteIp), }, }; diff --git a/src/driver/fortcoutarg.h b/src/driver/fortcoutarg.h index 3c9412b2..d2284840 100644 --- a/src/driver/fortcoutarg.h +++ b/src/driver/fortcoutarg.h @@ -45,20 +45,15 @@ typedef struct fort_callout_ale_extra { UCHAR is_reauth : 1; UCHAR app_data_found : 1; - UCHAR inherited : 1; UCHAR drop_blocked : 1; UCHAR blocked : 1; UCHAR ignore : 1; - INT8 block_reason; + UCHAR is_path_filled : 1; + UCHAR is_conn_filled : 1; FORT_APP_DATA app_data; - UINT32 process_id; - - FORT_CONF_CONN conn; - - FORT_APP_PATH path; - FORT_APP_PATH real_path; + FORT_CONF_META_CONN conn; PIRP irp; ULONG_PTR info; diff --git a/src/driver/fortpkt.c b/src/driver/fortpkt.c index bc120a64..cdf179d6 100644 --- a/src/driver/fortpkt.c +++ b/src/driver/fortpkt.c @@ -1172,7 +1172,7 @@ static NTSTATUS fort_pending_proc_add_packet_locked(PFORT_PENDING pending, PCFOR PFORT_CALLOUT_ALE_EXTRA cx, PFORT_PENDING_PACKET pkt) { /* Create the Pending Process */ - PFORT_PENDING_PROC proc = fort_pending_proc_get_check(pending, cx->process_id); + PFORT_PENDING_PROC proc = fort_pending_proc_get_check(pending, cx->conn.process_id); if (proc == NULL) return STATUS_INSUFFICIENT_RESOURCES; @@ -1278,7 +1278,7 @@ FORT_API BOOL fort_pending_add_packet( return FALSE; /* Check the Process's Limits */ - if (!fort_pending_proc_check_limits(pending, cx->process_id)) + if (!fort_pending_proc_check_limits(pending, cx->conn.process_id)) return FALSE; /* Create the Packet */ diff --git a/src/driver/fortutl.c b/src/driver/fortutl.c index 1ce528ba..86bc63e0 100644 --- a/src/driver/fortutl.c +++ b/src/driver/fortutl.c @@ -444,14 +444,13 @@ FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src) } } -FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6) +FORT_API BOOL fort_addr_is_local_multicast(const ip_addr_t ip, BOOL isIPv6) { if (isIPv6) { - const ip6_addr_t *ip6 = (const ip6_addr_t *) ip; - return ip6->addr16[0] == 0x2FF; + return ip.v2 == 0x2FF; } - return *ip == 0xFFFFFFFF; + return ip.v4 == 0xFFFFFFFF; } inline static UINT32 fort_bits_duplicate8(UINT32 v) diff --git a/src/driver/fortutl.h b/src/driver/fortutl.h index 968ed2f4..53e790dd 100644 --- a/src/driver/fortutl.h +++ b/src/driver/fortutl.h @@ -30,7 +30,7 @@ FORT_API DWORD fort_le_u32_read(const char *cp, int offset); FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src); -FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6); +FORT_API BOOL fort_addr_is_local_multicast(const ip_addr_t ip, BOOL isIPv6); FORT_API UINT32 fort_bits_duplicate16(UINT16 num); diff --git a/src/ui/driver/drivercommon.cpp b/src/ui/driver/drivercommon.cpp index 4fb5c18a..4f052e7e 100644 --- a/src/ui/driver/drivercommon.cpp +++ b/src/ui/driver/drivercommon.cpp @@ -142,20 +142,14 @@ void logBlockedHeaderRead(const char *input, int *blocked, quint32 *pid, quint32 fort_log_blocked_header_read(input, blocked, pid, pathLen); } -void logBlockedIpHeaderWrite(char *output, int isIPv6, int inbound, int inherited, - quint8 blockReason, quint8 ipProto, quint16 localPort, quint16 remotePort, - const ip_addr_t *localIp, const ip_addr_t *remoteIp, quint32 pid, quint32 pathLen) +void logBlockedIpHeaderWrite(char *output, PCFORT_CONF_META_CONN conn, quint32 pathLen) { - fort_log_blocked_ip_header_write(output, isIPv6, inbound, inherited, blockReason, ipProto, - localPort, remotePort, &localIp->v4, &remoteIp->v4, pid, pathLen); + fort_log_blocked_ip_header_write(output, conn, pathLen); } -void logBlockedIpHeaderRead(const char *input, int *isIPv6, int *inbound, int *inherited, - quint8 *blockReason, quint8 *ipProto, quint16 *localPort, quint16 *remotePort, - ip_addr_t *localIp, ip_addr_t *remoteIp, quint32 *pid, quint32 *pathLen) +void logBlockedIpHeaderRead(const char *input, PFORT_CONF_META_CONN conn, quint32 *pathLen) { - fort_log_blocked_ip_header_read(input, isIPv6, inbound, inherited, blockReason, ipProto, - localPort, remotePort, &localIp->v4, &remoteIp->v4, pid, pathLen); + fort_log_blocked_ip_header_read(input, conn, pathLen); } void logProcNewHeaderWrite(char *output, quint32 pid, quint32 pathLen) @@ -184,7 +178,7 @@ void logTimeRead(const char *input, int *systemTimeChanged, qint64 *unixTime) } bool confIpInRange( - const void *drvConf, const quint32 *ip, bool isIPv6, bool included, int addrGroupIndex) + const void *drvConf, const ip_addr_t ip, bool isIPv6, bool included, int addrGroupIndex) { const PFORT_CONF conf = (const PFORT_CONF) drvConf; const PFORT_CONF_ADDR_GROUP addr_group = fort_conf_addr_group_ref(conf, addrGroupIndex); @@ -202,12 +196,16 @@ bool confIpInRange( bool confIp4InRange(const void *drvConf, quint32 ip, bool included, int addrGroupIndex) { - return confIpInRange(drvConf, &ip, /*isIPv6=*/false, included, addrGroupIndex); + const ip_addr_t ip_addr = { .v4 = ip }; + + return confIpInRange(drvConf, ip_addr, /*isIPv6=*/false, included, addrGroupIndex); } -bool confIp6InRange(const void *drvConf, const ip6_addr_t ip, bool included, int addrGroupIndex) +bool confIp6InRange(const void *drvConf, ip6_addr_t ip, bool included, int addrGroupIndex) { - return confIpInRange(drvConf, &ip.addr32[0], /*isIPv6=*/true, included, addrGroupIndex); + const ip_addr_t ip_addr = { .v6 = ip }; + + return confIpInRange(drvConf, ip_addr, /*isIPv6=*/true, included, addrGroupIndex); } FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath) diff --git a/src/ui/driver/drivercommon.h b/src/ui/driver/drivercommon.h index 725d02e9..88510169 100644 --- a/src/ui/driver/drivercommon.h +++ b/src/ui/driver/drivercommon.h @@ -47,12 +47,8 @@ quint8 logType(const char *input); void logBlockedHeaderWrite(char *output, bool blocked, quint32 pid, quint32 pathLen); void logBlockedHeaderRead(const char *input, int *blocked, quint32 *pid, quint32 *pathLen); -void logBlockedIpHeaderWrite(char *output, int isIPv6, int inbound, int inherited, - quint8 blockReason, quint8 ipProto, quint16 localPort, quint16 remotePort, - const ip_addr_t *localIp, const ip_addr_t *remoteIp, quint32 pid, quint32 pathLen); -void logBlockedIpHeaderRead(const char *input, int *isIPv6, int *inbound, int *inherited, - quint8 *blockReason, quint8 *ipProto, quint16 *localPort, quint16 *remotePort, - ip_addr_t *localIp, ip_addr_t *remoteIp, quint32 *pid, quint32 *pathLen); +void logBlockedIpHeaderWrite(char *output, PCFORT_CONF_META_CONN conn, quint32 pathLen); +void logBlockedIpHeaderRead(const char *input, PFORT_CONF_META_CONN conn, quint32 *pathLen); void logProcNewHeaderWrite(char *output, quint32 pid, quint32 pathLen); void logProcNewHeaderRead(const char *input, quint32 *pid, quint32 *pathLen); @@ -62,11 +58,11 @@ void logStatTrafHeaderRead(const char *input, quint16 *procCount); void logTimeWrite(char *output, int systemTimeChanged, qint64 unixTime); void logTimeRead(const char *input, int *systemTimeChanged, qint64 *unixTime); -bool confIpInRange(const void *drvConf, const quint32 *ip, bool isIPv6 = false, +bool confIpInRange(const void *drvConf, const ip_addr_t ip, bool isIPv6 = false, bool included = false, int addrGroupIndex = 0); bool confIp4InRange(const void *drvConf, quint32 ip, bool included = false, int addrGroupIndex = 0); bool confIp6InRange( - const void *drvConf, const ip6_addr_t ip, bool included = false, int addrGroupIndex = 0); + const void *drvConf, ip6_addr_t ip, bool included = false, int addrGroupIndex = 0); FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath); diff --git a/src/ui/log/logbuffer.cpp b/src/ui/log/logbuffer.cpp index 93205a26..c8b0bebb 100644 --- a/src/ui/log/logbuffer.cpp +++ b/src/ui/log/logbuffer.cpp @@ -106,10 +106,20 @@ void LogBuffer::writeEntryBlockedIp(const LogEntryBlockedIp *logEntry) char *output = this->output(); - DriverCommon::logBlockedIpHeaderWrite(output, logEntry->isIPv6(), logEntry->inbound(), - logEntry->inherited(), logEntry->blockReason(), logEntry->ipProto(), - logEntry->localPort(), logEntry->remotePort(), &logEntry->localIp(), - &logEntry->remoteIp(), logEntry->pid(), pathLen); + const FORT_CONF_META_CONN conn = { + .inbound = logEntry->inbound(), + .isIPv6 = logEntry->isIPv6(), + .inherited = logEntry->inherited(), + .block_reason = logEntry->blockReason(), + .ip_proto = logEntry->ipProto(), + .local_port = logEntry->localPort(), + .remote_port = logEntry->remotePort(), + .process_id = logEntry->pid(), + .local_ip = logEntry->localIp(), + .remote_ip = logEntry->remoteIp(), + }; + + DriverCommon::logBlockedIpHeaderWrite(output, &conn, pathLen); if (pathLen) { output += DriverCommon::logBlockedIpHeaderSize(logEntry->isIPv6()); @@ -125,37 +135,30 @@ void LogBuffer::readEntryBlockedIp(LogEntryBlockedIp *logEntry) const char *input = this->input(); - int isIPv6; - int inbound; - int inherited; - quint8 blockReason; - quint8 proto; - quint16 localPort; - quint16 remotePort; - ip_addr_t localIp, remoteIp; - quint32 pid, pathLen; - DriverCommon::logBlockedIpHeaderRead(input, &isIPv6, &inbound, &inherited, &blockReason, &proto, - &localPort, &remotePort, &localIp, &remoteIp, &pid, &pathLen); + FORT_CONF_META_CONN conn; + quint32 pathLen; + + DriverCommon::logBlockedIpHeaderRead(input, &conn, &pathLen); QString path; if (pathLen) { - input += DriverCommon::logBlockedIpHeaderSize(isIPv6 != 0); + input += DriverCommon::logBlockedIpHeaderSize(conn.isIPv6); path = QString::fromWCharArray((const wchar_t *) input, pathLen / int(sizeof(wchar_t))); } - logEntry->setIsIPv6(isIPv6 != 0); - logEntry->setInbound(inbound != 0); - logEntry->setInherited(inherited != 0); - logEntry->setBlockReason(blockReason); - logEntry->setIpProto(proto); - logEntry->setLocalPort(localPort); - logEntry->setRemotePort(remotePort); - logEntry->setLocalIp(localIp); - logEntry->setRemoteIp(remoteIp); - logEntry->setPid(pid); + logEntry->setIsIPv6(conn.isIPv6); + logEntry->setInbound(conn.inbound); + logEntry->setInherited(conn.inherited); + logEntry->setBlockReason(conn.block_reason); + logEntry->setIpProto(conn.ip_proto); + logEntry->setLocalPort(conn.local_port); + logEntry->setRemotePort(conn.remote_port); + logEntry->setLocalIp(conn.local_ip); + logEntry->setRemoteIp(conn.remote_ip); + logEntry->setPid(conn.process_id); logEntry->setKernelPath(path); - const int entrySize = int(DriverCommon::logBlockedIpSize(pathLen, isIPv6 != 0)); + const int entrySize = int(DriverCommon::logBlockedIpSize(pathLen, conn.isIPv6)); m_offset += entrySize; }