Driver: Refactor connection meta handling

src/driver/common/common_types.h

@@ -16,6 +16,7 @@ typedef struct ip6_addr_t
 } ip6_addr_t;
 
 typedef union ip_addr_t {
+    unsigned short v2;
     unsigned int v4;
     ip6_addr_t v6;
 } ip_addr_t;

src/driver/common/fortconf.c

@@ -129,10 +129,10 @@ FORT_API BOOL fort_mem_eql(const void *p1, const void *p2, UINT32 len)
 }
 
 FORT_API BOOL fort_conf_ip_inlist(
-        const UINT32 *ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6)
+        const ip_addr_t ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6)
 {
     if (isIPv6) {
-        const ip6_addr_t *ip6 = (const ip6_addr_t *) ip;
+        const ip6_addr_t *ip6 = &ip.v6;
         const PFORT_CONF_ADDR_LIST addr6_list = (const PFORT_CONF_ADDR_LIST)((const PCHAR) addr_list
                 + FORT_CONF_ADDR4_LIST_SIZE(addr_list->ip_n, addr_list->pair_n));
 
@@ -140,9 +140,9 @@ FORT_API BOOL fort_conf_ip_inlist(
                 || fort_conf_ip6_inrange(
                         fort_conf_addr_list_pair6_ref(addr6_list), ip6, addr6_list->pair_n);
     } else {
-        return fort_conf_ip4_inarr(fort_conf_addr_list_ip4_ref(addr_list), *ip, addr_list->ip_n)
+        return fort_conf_ip4_inarr(fort_conf_addr_list_ip4_ref(addr_list), ip.v4, addr_list->ip_n)
                 || fort_conf_ip4_inrange(
-                        fort_conf_addr_list_pair4_ref(addr_list), *ip, addr_list->pair_n);
+                        fort_conf_addr_list_pair4_ref(addr_list), ip.v4, addr_list->pair_n);
     }
 }
 
@@ -155,7 +155,7 @@ FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(const PFORT_CONF conf, i
 }
 
 static BOOL fort_conf_ip_included_check(const PFORT_CONF_ADDR_LIST addr_list,
-        fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip,
+        fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip,
         UINT32 zones_mask, BOOL list_is_empty, BOOL isIPv6)
 {
     return (!list_is_empty && fort_conf_ip_inlist(remote_ip, addr_list, isIPv6))
@@ -163,8 +163,8 @@ static BOOL fort_conf_ip_included_check(const PFORT_CONF_ADDR_LIST addr_list,
 }
 
 FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
-        fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, BOOL isIPv6,
+        fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip,
-        int addr_group_index)
+        BOOL isIPv6, int addr_group_index)
 {
     const PFORT_CONF_ADDR_GROUP addr_group = fort_conf_addr_group_ref(conf, addr_group_index);
 

src/driver/common/fortconf.h

@@ -169,23 +169,31 @@ typedef struct fort_conf_rule_flag
     (sizeof(FORT_CONF_RULE) + ((rule)->has_zones ? sizeof(FORT_CONF_RULE_ZONES) : 0)               \
             + (rule)->set_count * sizeof(UINT16))
 
-typedef struct fort_conf_conn
+typedef struct fort_conf_meta_conn
 {
     UCHAR inbound : 1;
     UCHAR isIPv6 : 1;
     UCHAR is_loopback : 1;
     UCHAR is_local_net : 1;
+    UCHAR inherited : 1;
 
-    const UCHAR ip_proto;
+    UCHAR block_reason;
 
-    const UINT16 local_port;
+    UCHAR ip_proto;
-    const UINT16 remote_port;
 
-    const UINT32 *remote_ip;
+    UINT16 local_port;
-    const UINT32 *local_ip;
+    UINT16 remote_port;
-} FORT_CONF_CONN, *PFORT_CONF_CONN;
 
-typedef const FORT_CONF_CONN *PCCONF_CONN;
+    UINT32 process_id;
+
+    ip_addr_t local_ip;
+    ip_addr_t remote_ip;
+
+    FORT_APP_PATH path;
+    FORT_APP_PATH real_path;
+} FORT_CONF_META_CONN, *PFORT_CONF_META_CONN;
+
+typedef const FORT_CONF_META_CONN *PCFORT_CONF_META_CONN;
 
 typedef struct fort_conf_zones
 {
@@ -333,7 +341,7 @@ typedef FORT_APP_DATA fort_conf_app_exe_find_func(
         const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
 
 typedef BOOL fort_conf_zones_ip_included_func(
-        void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
+        void *ctx, UINT32 zones_mask, const ip_addr_t remote_ip, BOOL isIPv6);
 
 #if defined(__cplusplus)
 extern "C" {
@@ -346,7 +354,7 @@ FORT_API int fort_mem_cmp(const void *p1, const void *p2, UINT32 len);
 FORT_API BOOL fort_mem_eql(const void *p1, const void *p2, UINT32 len);
 
 FORT_API BOOL fort_conf_ip_inlist(
-        const UINT32 *ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6);
+        const ip_addr_t ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6);
 
 FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(
         const PFORT_CONF conf, int addr_group_index);
@@ -358,8 +366,8 @@ FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(
     ((PFORT_CONF_ADDR_LIST) ((addr_group)->data + (addr_group)->exclude_off))
 
 FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
-        fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, BOOL isIPv6,
+        fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip,
-        int addr_group_index);
+        BOOL isIPv6, int addr_group_index);
 
 #define fort_conf_ip_is_inet(conf, zone_func, ctx, remote_ip, isIPv6)                              \
     fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/0)

src/driver/common/fortlog.c

@@ -33,63 +33,63 @@ FORT_API void fort_log_blocked_header_read(
     *pid = *up;
 }
 
-void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
+FORT_API void fort_log_blocked_ip_header_write(char *p, PCFORT_CONF_META_CONN conn, UINT32 path_len)
-        UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
-        const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len)
 {
     UINT32 *up = (UINT32 *) p;
 
-    *up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (isIPv6 ? FORT_LOG_FLAG_IP6 : 0)
+    *up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (conn->isIPv6 ? FORT_LOG_FLAG_IP6 : 0)
-            | (inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len;
+            | (conn->inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len;
-    *up++ = (inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0) | ((UINT32) block_reason << 8)
+    *up++ = (conn->inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0)
-            | ((UINT32) ip_proto << 16);
+            | ((UINT32) conn->block_reason << 8) | ((UINT32) conn->ip_proto << 16);
-    *up++ = local_port | ((UINT32) remote_port << 16);
+    *up++ = conn->local_port | ((UINT32) conn->remote_port << 16);
-    *up++ = pid;
+    *up++ = conn->process_id;
 
-    const int ip_size = FORT_IP_ADDR_SIZE(isIPv6);
+    const int ip_size = FORT_IP_ADDR_SIZE(conn->isIPv6);
-    RtlCopyMemory(up, local_ip, ip_size);
 
+    // Local IP
+    RtlCopyMemory(up, &conn->local_ip, ip_size);
+
+    // Remote IP
     up = (UINT32 *) ((PCHAR) up + ip_size);
-    RtlCopyMemory(up, remote_ip, ip_size);
+    RtlCopyMemory(up, &conn->remote_ip, ip_size);
 }
 
-void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
+FORT_API void fort_log_blocked_ip_write(char *p, PCFORT_CONF_META_CONN conn, PCFORT_APP_PATH path)
-        UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
-        const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path)
 {
     const UINT16 path_len = path->len;
 
-    fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
+    fort_log_blocked_ip_header_write(p, conn, path_len);
-            local_port, remote_port, local_ip, remote_ip, pid, path_len);
 
     if (path_len != 0) {
-        RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len);
+        RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(conn->isIPv6), path->buffer, path_len);
     }
 }
 
-void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound, BOOL *inherited,
+FORT_API void fort_log_blocked_ip_header_read(
-        UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port, UINT16 *remote_port,
+        const char *p, PFORT_CONF_META_CONN conn, UINT32 *path_len)
-        UINT32 *local_ip, UINT32 *remote_ip, UINT32 *pid, UINT32 *path_len)
 {
     const UINT32 *up = (const UINT32 *) p;
 
-    *isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0;
+    conn->isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0;
-    *inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0;
+    conn->inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0;
     *path_len = (*up++ & ~FORT_LOG_FLAG_EX_MASK);
 
     const UCHAR flags = (UCHAR) *up;
-    *inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0;
+    conn->inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0;
-    *block_reason = (UCHAR) (*up >> 8);
+    conn->block_reason = (UCHAR) (*up >> 8);
-    *ip_proto = (UCHAR) (*up++ >> 16);
+    conn->ip_proto = (UCHAR) (*up++ >> 16);
-    *local_port = *((const UINT16 *) up);
+    conn->local_port = *((const UINT16 *) up);
-    *remote_port = (UINT16) (*up++ >> 16);
+    conn->remote_port = (UINT16) (*up++ >> 16);
-    *pid = *up++;
+    conn->process_id = *up++;
 
-    const int ip_size = FORT_IP_ADDR_SIZE(*isIPv6);
+    const int ip_size = FORT_IP_ADDR_SIZE(conn->isIPv6);
-    RtlCopyMemory(local_ip, up, ip_size);
 
+    // Local IP
+    RtlCopyMemory(&conn->local_ip, up, ip_size);
+
+    // Remote IP
     up = (const UINT32 *) ((const PCHAR) up + ip_size);
-    RtlCopyMemory(remote_ip, up, ip_size);
+    RtlCopyMemory(&conn->remote_ip, up, ip_size);
 }
 
 FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len)

src/driver/common/fortlog.h

@@ -3,6 +3,8 @@
 
 #include "common.h"
 
+#include "fortconf.h"
+
 #define FORT_BUFFER_SIZE  (16 * 1024 - 64)
 #define FORT_LOG_PATH_MAX 512
 #define FORT_LOG_ALIGN    4
@@ -68,17 +70,13 @@ FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_A
 FORT_API void fort_log_blocked_header_read(
         const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
 
-FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
+FORT_API void fort_log_blocked_ip_header_write(
-        UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
+        char *p, PCFORT_CONF_META_CONN conn, UINT32 path_len);
-        const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len);
 
-FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
+FORT_API void fort_log_blocked_ip_write(char *p, PCFORT_CONF_META_CONN conn, PCFORT_APP_PATH path);
-        UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
-        const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path);
 
-FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
+FORT_API void fort_log_blocked_ip_header_read(
-        BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
+        const char *p, PFORT_CONF_META_CONN conn, UINT32 *path_len);
-        UINT16 *remote_port, UINT32 *local_ip, UINT32 *remote_ip, UINT32 *pid, UINT32 *path_len);
 
 FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);
 

src/driver/fortbuf.c

@@ -189,18 +189,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
     return status;
 }
 
-NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited,
+FORT_API NTSTATUS fort_buffer_blocked_ip_write(
-        UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
+        PFORT_BUFFER buf, PCFORT_CONF_META_CONN conn, PIRP *irp, ULONG_PTR *info)
-        const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
-        PIRP *irp, ULONG_PTR *info)
 {
     FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
 
     NTSTATUS status;
 
-    const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
+    const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(&conn->real_path);
 
-    const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6);
+    const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, conn->isIPv6);
 
     KLOCK_QUEUE_HANDLE lock_queue;
     KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@@ -209,8 +207,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
         status = fort_buffer_prepare(buf, len, &out, irp, info);
 
         if (NT_SUCCESS(status)) {
-            fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
+            fort_log_blocked_ip_write(out, conn, &log_path);
-                    local_port, remote_port, local_ip, remote_ip, pid, &log_path);
         }
     }
     KeReleaseInStackQueuedSpinLock(&lock_queue);

src/driver/fortbuf.h

@@ -3,6 +3,7 @@
 
 #include "fortdrv.h"
 
+#include "common/fortconf.h"
 #include "common/fortlog.h"
 
 typedef struct fort_buffer_data
@@ -43,10 +44,8 @@ FORT_API NTSTATUS fort_buffer_prepare(
 FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
         PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
 
-FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
+FORT_API NTSTATUS fort_buffer_blocked_ip_write(
-        BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
+        PFORT_BUFFER buf, PCFORT_CONF_META_CONN conn, PIRP *irp, ULONG_PTR *info);
-        const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
-        PIRP *irp, ULONG_PTR *info);
 
 FORT_API NTSTATUS fort_buffer_proc_new_write(
         PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);

src/driver/fortcnf.c

@@ -452,8 +452,8 @@ FORT_API void fort_conf_zone_flag_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_
     ExReleaseSpinLockExclusive(&device_conf->lock, oldIrql);
 }
 
-FORT_API BOOL fort_conf_zones_ip_included(
+FORT_API BOOL fort_conf_zones_ip_included(PFORT_DEVICE_CONF device_conf, UINT32 zones_mask,
-        PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6)
+        const ip_addr_t remote_ip, BOOL isIPv6)
 {
     BOOL res = FALSE;
 

src/driver/fortcnf.h

@@ -86,8 +86,8 @@ FORT_API void fort_conf_zones_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_ZONE
 FORT_API void fort_conf_zone_flag_set(
         PFORT_DEVICE_CONF device_conf, PFORT_CONF_ZONE_FLAG zone_flag);
 
-FORT_API BOOL fort_conf_zones_ip_included(
+FORT_API BOOL fort_conf_zones_ip_included(PFORT_DEVICE_CONF device_conf, UINT32 zones_mask,
-        PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
+        const ip_addr_t remote_ip, BOOL isIPv6);
 
 #ifdef __cplusplus
 } // extern "C"

src/driver/fortcout.c

@@ -60,7 +60,7 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data(
         return cx->app_data;
 
     const FORT_APP_DATA app_data =
-            fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref);
+            fort_conf_app_find(&conf_ref->conf, &cx->conn.path, fort_conf_exe_find, conf_ref);
 
     fort_callout_ale_set_app_flags(cx, app_data);
 
@@ -80,7 +80,7 @@ inline static BOOL fort_callout_ale_associate_flow(
 
     BOOL log_stat = FALSE;
 
-    const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->process_id,
+    const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->conn.process_id,
             group_index, ca->isIPv6, is_tcp, ca->inbound, cx->is_reauth, &log_stat);
 
     if (!NT_SUCCESS(status)) {
@@ -89,13 +89,13 @@ inline static BOOL fort_callout_ale_associate_flow(
             TRACE(FORT_CALLOUT_FLOW_ASSOC_ERROR, status, 0, 0);
         }
 
-        cx->block_reason = FORT_BLOCK_REASON_REAUTH;
+        cx->conn.block_reason = FORT_BLOCK_REASON_REAUTH;
         return TRUE; /* block (Error) */
     }
 
     if (!log_stat) {
-        fort_buffer_proc_new_write(
+        fort_buffer_proc_new_write(&fort_device()->buffer, cx->conn.process_id, &cx->conn.real_path,
-                &fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info);
+                &cx->irp, &cx->info);
     }
 
     return FALSE;
@@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
 
     FORT_APP_ENTRY app_entry = {
         .app_data = app_data,
-        .path_len = cx->path.len,
+        .path_len = cx->conn.path.len,
     };
 
-    if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path)))
+    if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->conn.path)))
         return;
 
     fort_callout_ale_set_app_flags(cx, app_data);
 
-    fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path,
+    fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->conn.process_id,
-            &cx->irp, &cx->info);
+            &cx->conn.real_path, &cx->irp, &cx->info);
 }
 
 inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
@@ -146,7 +146,7 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
 inline static BOOL fort_callout_ale_log_blocked_ip_check(
         PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref, FORT_CONF_FLAGS conf_flags)
 {
-    if (cx->block_reason == FORT_BLOCK_REASON_UNKNOWN)
+    if (cx->conn.block_reason == FORT_BLOCK_REASON_UNKNOWN)
         return FALSE;
 
     if (!(conf_flags.ask_to_connect || conf_flags.log_blocked_ip))
@@ -157,31 +157,51 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check(
     return fort_callout_ale_log_blocked_ip_check_app(conf_flags, app_data);
 }
 
+static ip_addr_t fort_callout_meta_ip(PFORT_CALLOUT_ARG ca, UCHAR ipIndex)
+{
+    ip_addr_t ip;
+    if (ca->isIPv6) {
+        ip.v6 = *((ip6_addr_t *) ca->inFixedValues->incomingValue[ipIndex].value.byteArray16);
+    } else {
+        ip.v4 = ca->inFixedValues->incomingValue[ipIndex].value.uint32;
+    }
+    return ip;
+}
+
+static void fort_callout_ale_fill_meta_conn(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
+{
+    if (cx->is_conn_filled)
+        return;
+
+    cx->is_conn_filled = TRUE;
+
+    PFORT_CONF_META_CONN conn = &cx->conn;
+
+    conn->ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8;
+
+    conn->local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16;
+    conn->remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16;
+
+    conn->local_ip = fort_callout_meta_ip(ca, ca->fi->localIp);
+}
+
 inline static void fort_callout_ale_log_blocked_ip(
         PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
 {
-    const UINT32 *local_ip = ca->isIPv6
+    fort_callout_ale_fill_meta_conn(ca, cx);
-            ? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->localIp].value.byteArray16
-            : &ca->inFixedValues->incomingValue[ca->fi->localIp].value.uint32;
 
-    const UINT16 local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16;
+    fort_buffer_blocked_ip_write(&fort_device()->buffer, &cx->conn, &cx->irp, &cx->info);
-    const UINT16 remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16;
-    const UCHAR ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8;
-
-    fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
-            cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->conn.remote_ip,
-            cx->process_id, &cx->real_path, &cx->irp, &cx->info);
 }
 
 inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
 {
     if (!fort_pending_add_packet(&fort_device()->pending, ca, cx)) {
-        cx->block_reason = FORT_BLOCK_REASON_ASK_LIMIT;
+        cx->conn.block_reason = FORT_BLOCK_REASON_ASK_LIMIT;
         return TRUE; /* block (error) */
     }
 
     cx->drop_blocked = TRUE;
-    cx->block_reason = FORT_BLOCK_REASON_ASK_PENDING;
+    cx->conn.block_reason = FORT_BLOCK_REASON_ASK_PENDING;
     return TRUE; /* drop (pending) */
 }
 
@@ -214,23 +234,23 @@ static BOOL fort_callout_ale_app_blocked(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_AL
         FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data)
 {
     if (fort_conf_app_group_blocked(conf_flags, app_data)) {
-        cx->block_reason = FORT_BLOCK_REASON_APP_GROUP_FOUND;
+        cx->conn.block_reason = FORT_BLOCK_REASON_APP_GROUP_FOUND;
         return TRUE; /* block Group */
     }
 
     if (app_data.flags.blocked) {
-        cx->block_reason = FORT_BLOCK_REASON_PROGRAM;
+        cx->conn.block_reason = FORT_BLOCK_REASON_PROGRAM;
         return TRUE; /* block Program */
     }
 
     if (app_data.flags.lan_only && !cx->conn.is_local_net) {
-        cx->block_reason = FORT_BLOCK_REASON_LAN_ONLY;
+        cx->conn.block_reason = FORT_BLOCK_REASON_LAN_ONLY;
         return TRUE; /* block LAN Only */
     }
 
     if (fort_callout_ale_ip_zone_check(ca, cx, app_data.reject_zones, /*included=*/TRUE)
             || fort_callout_ale_ip_zone_check(ca, cx, app_data.accept_zones, /*included=*/FALSE)) {
-        cx->block_reason = FORT_BLOCK_REASON_ZONE;
+        cx->conn.block_reason = FORT_BLOCK_REASON_ZONE;
         return TRUE; /* block Rejected or Not Accepted Zones */
     }
 
@@ -251,7 +271,7 @@ inline static BOOL fort_callout_ale_flags_allowed(
 
     /* Ignore */
     cx->ignore = TRUE;
-    cx->block_reason = FORT_BLOCK_REASON_NONE; /* Don't block or allow */
+    cx->conn.block_reason = FORT_BLOCK_REASON_NONE; /* Don't block or allow */
     return TRUE;
 }
 
@@ -315,7 +335,7 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca,
     if (!fort_conf_ip_inet_included(&conf_ref->conf,
                 (fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included,
                 &fort_device()->conf, cx->conn.remote_ip, ca->isIPv6)) {
-        cx->block_reason = FORT_BLOCK_REASON_IP_INET;
+        cx->conn.block_reason = FORT_BLOCK_REASON_IP_INET;
         return TRUE; /* block address */
     }
 
@@ -371,16 +391,21 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca,
 
 inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
 {
-    PFORT_APP_PATH real_path = &cx->real_path;
+    if (cx->is_path_filled)
+        return;
+
+    cx->is_path_filled = TRUE;
+
+    PFORT_APP_PATH real_path = &cx->conn.real_path;
 
     real_path->len = (UINT16) (ca->inMetaValues->processPath->size
             - sizeof(WCHAR)); /* chop terminating zero */
     real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data;
 
-    PFORT_APP_PATH path = &cx->path;
+    PFORT_APP_PATH path = &cx->conn.path;
     BOOL inherited = FALSE;
 
-    if (fort_pstree_get_proc_name(&fort_device()->ps_tree, cx->process_id, path, &inherited)) {
+    if (fort_pstree_get_proc_name(&fort_device()->ps_tree, cx->conn.process_id, path, &inherited)) {
         if (!inherited) {
             *real_path = *path;
         }
@@ -388,19 +413,19 @@ inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLO
         *path = *real_path;
     }
 
-    cx->inherited = (UCHAR) inherited;
+    cx->conn.inherited = (UCHAR) inherited;
 }
 
 inline static void fort_callout_ale_check_conf(
         PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
 {
-    cx->process_id = (UINT32) ca->inMetaValues->processId;
+    cx->conn.process_id = (UINT32) ca->inMetaValues->processId;
 
     fort_callout_ale_fill_path(ca, cx);
 
     cx->blocked = TRUE;
     cx->ignore = FALSE;
-    cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
+    cx->conn.block_reason = FORT_BLOCK_REASON_UNKNOWN;
 
     const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
 
@@ -470,16 +495,12 @@ static void fort_callout_ale_classify(PFORT_CALLOUT_ARG ca)
         ca->inbound = (ca->inMetaValues->packetDirection == FWP_DIRECTION_INBOUND);
     }
 
-    const UINT32 *remote_ip = ca->isIPv6
-            ? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->remoteIp].value.byteArray16
-            : &ca->inFixedValues->incomingValue[ca->fi->remoteIp].value.uint32;
-
     FORT_CALLOUT_ALE_EXTRA cx = {
         .is_reauth = is_reauth,
         .conn = {
                 .inbound = ca->inbound,
                 .isIPv6 = ca->isIPv6,
-                .remote_ip = remote_ip,
+                .remote_ip = fort_callout_meta_ip(ca, ca->fi->remoteIp),
         },
     };
 

src/driver/fortcoutarg.h

@@ -45,20 +45,15 @@ typedef struct fort_callout_ale_extra
 {
     UCHAR is_reauth : 1;
     UCHAR app_data_found : 1;
-    UCHAR inherited : 1;
     UCHAR drop_blocked : 1;
     UCHAR blocked : 1;
     UCHAR ignore : 1;
-    INT8 block_reason;
+    UCHAR is_path_filled : 1;
+    UCHAR is_conn_filled : 1;
 
     FORT_APP_DATA app_data;
 
-    UINT32 process_id;
+    FORT_CONF_META_CONN conn;
-
-    FORT_CONF_CONN conn;
-
-    FORT_APP_PATH path;
-    FORT_APP_PATH real_path;
 
     PIRP irp;
     ULONG_PTR info;

src/driver/fortpkt.c

@@ -1172,7 +1172,7 @@ static NTSTATUS fort_pending_proc_add_packet_locked(PFORT_PENDING pending, PCFOR
         PFORT_CALLOUT_ALE_EXTRA cx, PFORT_PENDING_PACKET pkt)
 {
     /* Create the Pending Process */
-    PFORT_PENDING_PROC proc = fort_pending_proc_get_check(pending, cx->process_id);
+    PFORT_PENDING_PROC proc = fort_pending_proc_get_check(pending, cx->conn.process_id);
     if (proc == NULL)
         return STATUS_INSUFFICIENT_RESOURCES;
 
@@ -1278,7 +1278,7 @@ FORT_API BOOL fort_pending_add_packet(
         return FALSE;
 
     /* Check the Process's Limits */
-    if (!fort_pending_proc_check_limits(pending, cx->process_id))
+    if (!fort_pending_proc_check_limits(pending, cx->conn.process_id))
         return FALSE;
 
     /* Create the Packet */

src/driver/fortutl.c

@@ -444,14 +444,13 @@ FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src)
     }
 }
 
-FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6)
+FORT_API BOOL fort_addr_is_local_multicast(const ip_addr_t ip, BOOL isIPv6)
 {
     if (isIPv6) {
-        const ip6_addr_t *ip6 = (const ip6_addr_t *) ip;
+        return ip.v2 == 0x2FF;
-        return ip6->addr16[0] == 0x2FF;
     }
 
-    return *ip == 0xFFFFFFFF;
+    return ip.v4 == 0xFFFFFFFF;
 }
 
 inline static UINT32 fort_bits_duplicate8(UINT32 v)

src/driver/fortutl.h

@@ -30,7 +30,7 @@ FORT_API DWORD fort_le_u32_read(const char *cp, int offset);
 
 FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src);
 
-FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6);
+FORT_API BOOL fort_addr_is_local_multicast(const ip_addr_t ip, BOOL isIPv6);
 
 FORT_API UINT32 fort_bits_duplicate16(UINT16 num);
 

src/ui/driver/drivercommon.cpp

@@ -142,20 +142,14 @@ void logBlockedHeaderRead(const char *input, int *blocked, quint32 *pid, quint32
     fort_log_blocked_header_read(input, blocked, pid, pathLen);
 }
 
-void logBlockedIpHeaderWrite(char *output, int isIPv6, int inbound, int inherited,
+void logBlockedIpHeaderWrite(char *output, PCFORT_CONF_META_CONN conn, quint32 pathLen)
-        quint8 blockReason, quint8 ipProto, quint16 localPort, quint16 remotePort,
-        const ip_addr_t *localIp, const ip_addr_t *remoteIp, quint32 pid, quint32 pathLen)
 {
-    fort_log_blocked_ip_header_write(output, isIPv6, inbound, inherited, blockReason, ipProto,
+    fort_log_blocked_ip_header_write(output, conn, pathLen);
-            localPort, remotePort, &localIp->v4, &remoteIp->v4, pid, pathLen);
 }
 
-void logBlockedIpHeaderRead(const char *input, int *isIPv6, int *inbound, int *inherited,
+void logBlockedIpHeaderRead(const char *input, PFORT_CONF_META_CONN conn, quint32 *pathLen)
-        quint8 *blockReason, quint8 *ipProto, quint16 *localPort, quint16 *remotePort,
-        ip_addr_t *localIp, ip_addr_t *remoteIp, quint32 *pid, quint32 *pathLen)
 {
-    fort_log_blocked_ip_header_read(input, isIPv6, inbound, inherited, blockReason, ipProto,
+    fort_log_blocked_ip_header_read(input, conn, pathLen);
-            localPort, remotePort, &localIp->v4, &remoteIp->v4, pid, pathLen);
 }
 
 void logProcNewHeaderWrite(char *output, quint32 pid, quint32 pathLen)
@@ -184,7 +178,7 @@ void logTimeRead(const char *input, int *systemTimeChanged, qint64 *unixTime)
 }
 
 bool confIpInRange(
-        const void *drvConf, const quint32 *ip, bool isIPv6, bool included, int addrGroupIndex)
+        const void *drvConf, const ip_addr_t ip, bool isIPv6, bool included, int addrGroupIndex)
 {
     const PFORT_CONF conf = (const PFORT_CONF) drvConf;
     const PFORT_CONF_ADDR_GROUP addr_group = fort_conf_addr_group_ref(conf, addrGroupIndex);
@@ -202,12 +196,16 @@ bool confIpInRange(
 
 bool confIp4InRange(const void *drvConf, quint32 ip, bool included, int addrGroupIndex)
 {
-    return confIpInRange(drvConf, &ip, /*isIPv6=*/false, included, addrGroupIndex);
+    const ip_addr_t ip_addr = { .v4 = ip };
+
+    return confIpInRange(drvConf, ip_addr, /*isIPv6=*/false, included, addrGroupIndex);
 }
 
-bool confIp6InRange(const void *drvConf, const ip6_addr_t ip, bool included, int addrGroupIndex)
+bool confIp6InRange(const void *drvConf, ip6_addr_t ip, bool included, int addrGroupIndex)
 {
-    return confIpInRange(drvConf, &ip.addr32[0], /*isIPv6=*/true, included, addrGroupIndex);
+    const ip_addr_t ip_addr = { .v6 = ip };
+
+    return confIpInRange(drvConf, ip_addr, /*isIPv6=*/true, included, addrGroupIndex);
 }
 
 FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath)

src/ui/driver/drivercommon.h

@@ -47,12 +47,8 @@ quint8 logType(const char *input);
 void logBlockedHeaderWrite(char *output, bool blocked, quint32 pid, quint32 pathLen);
 void logBlockedHeaderRead(const char *input, int *blocked, quint32 *pid, quint32 *pathLen);
 
-void logBlockedIpHeaderWrite(char *output, int isIPv6, int inbound, int inherited,
+void logBlockedIpHeaderWrite(char *output, PCFORT_CONF_META_CONN conn, quint32 pathLen);
-        quint8 blockReason, quint8 ipProto, quint16 localPort, quint16 remotePort,
+void logBlockedIpHeaderRead(const char *input, PFORT_CONF_META_CONN conn, quint32 *pathLen);
-        const ip_addr_t *localIp, const ip_addr_t *remoteIp, quint32 pid, quint32 pathLen);
-void logBlockedIpHeaderRead(const char *input, int *isIPv6, int *inbound, int *inherited,
-        quint8 *blockReason, quint8 *ipProto, quint16 *localPort, quint16 *remotePort,
-        ip_addr_t *localIp, ip_addr_t *remoteIp, quint32 *pid, quint32 *pathLen);
 
 void logProcNewHeaderWrite(char *output, quint32 pid, quint32 pathLen);
 void logProcNewHeaderRead(const char *input, quint32 *pid, quint32 *pathLen);
@@ -62,11 +58,11 @@ void logStatTrafHeaderRead(const char *input, quint16 *procCount);
 void logTimeWrite(char *output, int systemTimeChanged, qint64 unixTime);
 void logTimeRead(const char *input, int *systemTimeChanged, qint64 *unixTime);
 
-bool confIpInRange(const void *drvConf, const quint32 *ip, bool isIPv6 = false,
+bool confIpInRange(const void *drvConf, const ip_addr_t ip, bool isIPv6 = false,
         bool included = false, int addrGroupIndex = 0);
 bool confIp4InRange(const void *drvConf, quint32 ip, bool included = false, int addrGroupIndex = 0);
 bool confIp6InRange(
-        const void *drvConf, const ip6_addr_t ip, bool included = false, int addrGroupIndex = 0);
+        const void *drvConf, ip6_addr_t ip, bool included = false, int addrGroupIndex = 0);
 
 FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath);
 

src/ui/log/logbuffer.cpp

@@ -106,10 +106,20 @@ void LogBuffer::writeEntryBlockedIp(const LogEntryBlockedIp *logEntry)
 
     char *output = this->output();
 
-    DriverCommon::logBlockedIpHeaderWrite(output, logEntry->isIPv6(), logEntry->inbound(),
+    const FORT_CONF_META_CONN conn = {
-            logEntry->inherited(), logEntry->blockReason(), logEntry->ipProto(),
+        .inbound = logEntry->inbound(),
-            logEntry->localPort(), logEntry->remotePort(), &logEntry->localIp(),
+        .isIPv6 = logEntry->isIPv6(),
-            &logEntry->remoteIp(), logEntry->pid(), pathLen);
+        .inherited = logEntry->inherited(),
+        .block_reason = logEntry->blockReason(),
+        .ip_proto = logEntry->ipProto(),
+        .local_port = logEntry->localPort(),
+        .remote_port = logEntry->remotePort(),
+        .process_id = logEntry->pid(),
+        .local_ip = logEntry->localIp(),
+        .remote_ip = logEntry->remoteIp(),
+    };
+
+    DriverCommon::logBlockedIpHeaderWrite(output, &conn, pathLen);
 
     if (pathLen) {
         output += DriverCommon::logBlockedIpHeaderSize(logEntry->isIPv6());
@@ -125,37 +135,30 @@ void LogBuffer::readEntryBlockedIp(LogEntryBlockedIp *logEntry)
 
     const char *input = this->input();
 
-    int isIPv6;
+    FORT_CONF_META_CONN conn;
-    int inbound;
+    quint32 pathLen;
-    int inherited;
+
-    quint8 blockReason;
+    DriverCommon::logBlockedIpHeaderRead(input, &conn, &pathLen);
-    quint8 proto;
-    quint16 localPort;
-    quint16 remotePort;
-    ip_addr_t localIp, remoteIp;
-    quint32 pid, pathLen;
-    DriverCommon::logBlockedIpHeaderRead(input, &isIPv6, &inbound, &inherited, &blockReason, &proto,
-            &localPort, &remotePort, &localIp, &remoteIp, &pid, &pathLen);
 
     QString path;
     if (pathLen) {
-        input += DriverCommon::logBlockedIpHeaderSize(isIPv6 != 0);
+        input += DriverCommon::logBlockedIpHeaderSize(conn.isIPv6);
         path = QString::fromWCharArray((const wchar_t *) input, pathLen / int(sizeof(wchar_t)));
     }
 
-    logEntry->setIsIPv6(isIPv6 != 0);
+    logEntry->setIsIPv6(conn.isIPv6);
-    logEntry->setInbound(inbound != 0);
+    logEntry->setInbound(conn.inbound);
-    logEntry->setInherited(inherited != 0);
+    logEntry->setInherited(conn.inherited);
-    logEntry->setBlockReason(blockReason);
+    logEntry->setBlockReason(conn.block_reason);
-    logEntry->setIpProto(proto);
+    logEntry->setIpProto(conn.ip_proto);
-    logEntry->setLocalPort(localPort);
+    logEntry->setLocalPort(conn.local_port);
-    logEntry->setRemotePort(remotePort);
+    logEntry->setRemotePort(conn.remote_port);
-    logEntry->setLocalIp(localIp);
+    logEntry->setLocalIp(conn.local_ip);
-    logEntry->setRemoteIp(remoteIp);
+    logEntry->setRemoteIp(conn.remote_ip);
-    logEntry->setPid(pid);
+    logEntry->setPid(conn.process_id);
     logEntry->setKernelPath(path);
 
-    const int entrySize = int(DriverCommon::logBlockedIpSize(pathLen, isIPv6 != 0));
+    const int entrySize = int(DriverCommon::logBlockedIpSize(pathLen, conn.isIPv6));
     m_offset += entrySize;
 }