mirrors/fort
1
0
Fork 0
mirror of https://github.com/tnodir/fort synced 2024-11-14 22:05:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Driver: Refactor connection meta handling

Browse Source
This commit is contained in:
Nodir Temirkhodjaev 2024-11-09 12:38:31 +05:00
parent adaa963498
commit 519725bd18
17 changed files with 194 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/driver/common/common_types.h
View File

@ -16,6 +16,7 @@ typedef struct ip6_addr_t
} ip6_addr_t;
typedef union ip_addr_t {
unsigned short v2;
unsigned int v4;
ip6_addr_t v6;
} ip_addr_t;

14
src/driver/common/fortconf.c
View File

@ -129,10 +129,10 @@ FORT_API BOOL fort_mem_eql(const void *p1, const void *p2, UINT32 len)
}
FORT_API BOOL fort_conf_ip_inlist(
const UINT32 *ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6)
const ip_addr_t ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6)
{
if (isIPv6) {
const ip6_addr_t *ip6 = (const ip6_addr_t *) ip;
const ip6_addr_t *ip6 = &ip.v6;
const PFORT_CONF_ADDR_LIST addr6_list = (const PFORT_CONF_ADDR_LIST)((const PCHAR) addr_list
+ FORT_CONF_ADDR4_LIST_SIZE(addr_list->ip_n, addr_list->pair_n));
@ -140,9 +140,9 @@ FORT_API BOOL fort_conf_ip_inlist(
|| fort_conf_ip6_inrange(
fort_conf_addr_list_pair6_ref(addr6_list), ip6, addr6_list->pair_n);
} else {
return fort_conf_ip4_inarr(fort_conf_addr_list_ip4_ref(addr_list), *ip, addr_list->ip_n)
return fort_conf_ip4_inarr(fort_conf_addr_list_ip4_ref(addr_list), ip.v4, addr_list->ip_n)
|| fort_conf_ip4_inrange(
fort_conf_addr_list_pair4_ref(addr_list), *ip, addr_list->pair_n);
fort_conf_addr_list_pair4_ref(addr_list), ip.v4, addr_list->pair_n);
}
}
@ -155,7 +155,7 @@ FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(const PFORT_CONF conf, i
}
static BOOL fort_conf_ip_included_check(const PFORT_CONF_ADDR_LIST addr_list,
fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip,
fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip,
UINT32 zones_mask, BOOL list_is_empty, BOOL isIPv6)
{
return (!list_is_empty && fort_conf_ip_inlist(remote_ip, addr_list, isIPv6))
@ -163,8 +163,8 @@ static BOOL fort_conf_ip_included_check(const PFORT_CONF_ADDR_LIST addr_list,
}
FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, BOOL isIPv6,
int addr_group_index)
fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip,
BOOL isIPv6, int addr_group_index)
{
const PFORT_CONF_ADDR_GROUP addr_group = fort_conf_addr_group_ref(conf, addr_group_index);

32
src/driver/common/fortconf.h
View File

@ -169,23 +169,31 @@ typedef struct fort_conf_rule_flag
(sizeof(FORT_CONF_RULE) + ((rule)->has_zones ? sizeof(FORT_CONF_RULE_ZONES) : 0) \
+ (rule)->set_count * sizeof(UINT16))
typedef struct fort_conf_conn
typedef struct fort_conf_meta_conn
{
UCHAR inbound : 1;
UCHAR isIPv6 : 1;
UCHAR is_loopback : 1;
UCHAR is_local_net : 1;
UCHAR inherited : 1;
const UCHAR ip_proto;
UCHAR block_reason;
const UINT16 local_port;
const UINT16 remote_port;
UCHAR ip_proto;
const UINT32 *remote_ip;
const UINT32 *local_ip;
} FORT_CONF_CONN, *PFORT_CONF_CONN;
UINT16 local_port;
UINT16 remote_port;
typedef const FORT_CONF_CONN *PCCONF_CONN;
UINT32 process_id;
ip_addr_t local_ip;
ip_addr_t remote_ip;
FORT_APP_PATH path;
FORT_APP_PATH real_path;
} FORT_CONF_META_CONN, *PFORT_CONF_META_CONN;
typedef const FORT_CONF_META_CONN *PCFORT_CONF_META_CONN;
typedef struct fort_conf_zones
{
@ -333,7 +341,7 @@ typedef FORT_APP_DATA fort_conf_app_exe_find_func(
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
typedef BOOL fort_conf_zones_ip_included_func(
void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
void *ctx, UINT32 zones_mask, const ip_addr_t remote_ip, BOOL isIPv6);
#if defined(__cplusplus)
extern "C" {
@ -346,7 +354,7 @@ FORT_API int fort_mem_cmp(const void *p1, const void *p2, UINT32 len);
FORT_API BOOL fort_mem_eql(const void *p1, const void *p2, UINT32 len);
FORT_API BOOL fort_conf_ip_inlist(
const UINT32 *ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6);
const ip_addr_t ip, const PFORT_CONF_ADDR_LIST addr_list, BOOL isIPv6);
FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(
const PFORT_CONF conf, int addr_group_index);
@ -358,8 +366,8 @@ FORT_API PFORT_CONF_ADDR_GROUP fort_conf_addr_group_ref(
((PFORT_CONF_ADDR_LIST) ((addr_group)->data + (addr_group)->exclude_off))
FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
fort_conf_zones_ip_included_func zone_func, void *ctx, const UINT32 *remote_ip, BOOL isIPv6,
int addr_group_index);
fort_conf_zones_ip_included_func zone_func, void *ctx, const ip_addr_t remote_ip,
BOOL isIPv6, int addr_group_index);
#define fort_conf_ip_is_inet(conf, zone_func, ctx, remote_ip, isIPv6) \
fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/0)

64
src/driver/common/fortlog.c
View File

@ -33,63 +33,63 @@ FORT_API void fort_log_blocked_header_read(
*pid = *up;
}
void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len)
FORT_API void fort_log_blocked_ip_header_write(char *p, PCFORT_CONF_META_CONN conn, UINT32 path_len)
{
UINT32 *up = (UINT32 *) p;
*up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (isIPv6 ? FORT_LOG_FLAG_IP6 : 0)
| (inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len;
*up++ = (inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0) | ((UINT32) block_reason << 8)
| ((UINT32) ip_proto << 16);
*up++ = local_port | ((UINT32) remote_port << 16);
*up++ = pid;
*up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (conn->isIPv6 ? FORT_LOG_FLAG_IP6 : 0)
| (conn->inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len;
*up++ = (conn->inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0)
| ((UINT32) conn->block_reason << 8) | ((UINT32) conn->ip_proto << 16);
*up++ = conn->local_port | ((UINT32) conn->remote_port << 16);
*up++ = conn->process_id;
const int ip_size = FORT_IP_ADDR_SIZE(isIPv6);
RtlCopyMemory(up, local_ip, ip_size);
const int ip_size = FORT_IP_ADDR_SIZE(conn->isIPv6);
// Local IP
RtlCopyMemory(up, &conn->local_ip, ip_size);
// Remote IP
up = (UINT32 *) ((PCHAR) up + ip_size);
RtlCopyMemory(up, remote_ip, ip_size);
RtlCopyMemory(up, &conn->remote_ip, ip_size);
}
void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path)
FORT_API void fort_log_blocked_ip_write(char *p, PCFORT_CONF_META_CONN conn, PCFORT_APP_PATH path)
{
const UINT16 path_len = path->len;
fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
local_port, remote_port, local_ip, remote_ip, pid, path_len);
fort_log_blocked_ip_header_write(p, conn, path_len);
if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len);
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(conn->isIPv6), path->buffer, path_len);
}
}
void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound, BOOL *inherited,
UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port, UINT16 *remote_port,
UINT32 *local_ip, UINT32 *remote_ip, UINT32 *pid, UINT32 *path_len)
FORT_API void fort_log_blocked_ip_header_read(
const char *p, PFORT_CONF_META_CONN conn, UINT32 *path_len)
{
const UINT32 *up = (const UINT32 *) p;
*isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0;
*inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0;
conn->isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0;
conn->inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0;
*path_len = (*up++ & ~FORT_LOG_FLAG_EX_MASK);
const UCHAR flags = (UCHAR) *up;
*inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0;
*block_reason = (UCHAR) (*up >> 8);
*ip_proto = (UCHAR) (*up++ >> 16);
*local_port = *((const UINT16 *) up);
*remote_port = (UINT16) (*up++ >> 16);
*pid = *up++;
conn->inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0;
conn->block_reason = (UCHAR) (*up >> 8);
conn->ip_proto = (UCHAR) (*up++ >> 16);
conn->local_port = *((const UINT16 *) up);
conn->remote_port = (UINT16) (*up++ >> 16);
conn->process_id = *up++;
const int ip_size = FORT_IP_ADDR_SIZE(*isIPv6);
RtlCopyMemory(local_ip, up, ip_size);
const int ip_size = FORT_IP_ADDR_SIZE(conn->isIPv6);
// Local IP
RtlCopyMemory(&conn->local_ip, up, ip_size);
// Remote IP
up = (const UINT32 *) ((const PCHAR) up + ip_size);
RtlCopyMemory(remote_ip, up, ip_size);
RtlCopyMemory(&conn->remote_ip, up, ip_size);
}
FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len)

16
src/driver/common/fortlog.h
View File

@ -3,6 +3,8 @@
#include "common.h"
#include "fortconf.h"
#define FORT_BUFFER_SIZE (16 * 1024 - 64)
#define FORT_LOG_PATH_MAX 512
#define FORT_LOG_ALIGN 4
@ -68,17 +70,13 @@ FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_A
FORT_API void fort_log_blocked_header_read(
const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len);
FORT_API void fort_log_blocked_ip_header_write(
char *p, PCFORT_CONF_META_CONN conn, UINT32 path_len);
FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path);
FORT_API void fort_log_blocked_ip_write(char *p, PCFORT_CONF_META_CONN conn, PCFORT_APP_PATH path);
FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
UINT16 *remote_port, UINT32 *local_ip, UINT32 *remote_ip, UINT32 *pid, UINT32 *path_len);
FORT_API void fort_log_blocked_ip_header_read(
const char *p, PFORT_CONF_META_CONN conn, UINT32 *path_len);
FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);

13
src/driver/fortbuf.c
View File

@ -189,18 +189,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
return status;
}
NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
PIRP *irp, ULONG_PTR *info)
FORT_API NTSTATUS fort_buffer_blocked_ip_write(
PFORT_BUFFER buf, PCFORT_CONF_META_CONN conn, PIRP *irp, ULONG_PTR *info)
{
FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
NTSTATUS status;
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(&conn->real_path);
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6);
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, conn->isIPv6);
KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -209,8 +207,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
status = fort_buffer_prepare(buf, len, &out, irp, info);
if (NT_SUCCESS(status)) {
fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
local_port, remote_port, local_ip, remote_ip, pid, &log_path);
fort_log_blocked_ip_write(out, conn, &log_path);
}
}
KeReleaseInStackQueuedSpinLock(&lock_queue);

7
src/driver/fortbuf.h
View File

@ -3,6 +3,7 @@
#include "fortdrv.h"
#include "common/fortconf.h"
#include "common/fortlog.h"
typedef struct fort_buffer_data
@ -43,10 +44,8 @@ FORT_API NTSTATUS fort_buffer_prepare(
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_blocked_ip_write(
PFORT_BUFFER buf, PCFORT_CONF_META_CONN conn, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_proc_new_write(
PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);

4
src/driver/fortcnf.c
View File

@ -452,8 +452,8 @@ FORT_API void fort_conf_zone_flag_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_
ExReleaseSpinLockExclusive(&device_conf->lock, oldIrql);
}
FORT_API BOOL fort_conf_zones_ip_included(
PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6)
FORT_API BOOL fort_conf_zones_ip_included(PFORT_DEVICE_CONF device_conf, UINT32 zones_mask,
const ip_addr_t remote_ip, BOOL isIPv6)
{
BOOL res = FALSE;

4
src/driver/fortcnf.h
View File

@ -86,8 +86,8 @@ FORT_API void fort_conf_zones_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_ZONE
FORT_API void fort_conf_zone_flag_set(
PFORT_DEVICE_CONF device_conf, PFORT_CONF_ZONE_FLAG zone_flag);
FORT_API BOOL fort_conf_zones_ip_included(
PFORT_DEVICE_CONF device_conf, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
FORT_API BOOL fort_conf_zones_ip_included(PFORT_DEVICE_CONF device_conf, UINT32 zones_mask,
const ip_addr_t remote_ip, BOOL isIPv6);
#ifdef __cplusplus
} // extern "C"

99
src/driver/fortcout.c
View File

@ -60,7 +60,7 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data(
return cx->app_data;
const FORT_APP_DATA app_data =
fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref);
fort_conf_app_find(&conf_ref->conf, &cx->conn.path, fort_conf_exe_find, conf_ref);
fort_callout_ale_set_app_flags(cx, app_data);
@ -80,7 +80,7 @@ inline static BOOL fort_callout_ale_associate_flow(
BOOL log_stat = FALSE;
const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->process_id,
const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->conn.process_id,
group_index, ca->isIPv6, is_tcp, ca->inbound, cx->is_reauth, &log_stat);
if (!NT_SUCCESS(status)) {
@ -89,13 +89,13 @@ inline static BOOL fort_callout_ale_associate_flow(
TRACE(FORT_CALLOUT_FLOW_ASSOC_ERROR, status, 0, 0);
}
cx->block_reason = FORT_BLOCK_REASON_REAUTH;
cx->conn.block_reason = FORT_BLOCK_REASON_REAUTH;
return TRUE; /* block (Error) */
}
if (!log_stat) {
fort_buffer_proc_new_write(
&fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info);
fort_buffer_proc_new_write(&fort_device()->buffer, cx->conn.process_id, &cx->conn.real_path,
&cx->irp, &cx->info);
}
return FALSE;
@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
FORT_APP_ENTRY app_entry = {
.app_data = app_data,
.path_len = cx->path.len,
.path_len = cx->conn.path.len,
};
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path)))
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->conn.path)))
return;
fort_callout_ale_set_app_flags(cx, app_data);
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path,
&cx->irp, &cx->info);
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->conn.process_id,
&cx->conn.real_path, &cx->irp, &cx->info);
}
inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
@ -146,7 +146,7 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
inline static BOOL fort_callout_ale_log_blocked_ip_check(
PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref, FORT_CONF_FLAGS conf_flags)
{
if (cx->block_reason == FORT_BLOCK_REASON_UNKNOWN)
if (cx->conn.block_reason == FORT_BLOCK_REASON_UNKNOWN)
return FALSE;
if (!(conf_flags.ask_to_connect || conf_flags.log_blocked_ip))
@ -157,31 +157,51 @@ inline static BOOL fort_callout_ale_log_blocked_ip_check(
return fort_callout_ale_log_blocked_ip_check_app(conf_flags, app_data);
}
static ip_addr_t fort_callout_meta_ip(PFORT_CALLOUT_ARG ca, UCHAR ipIndex)
{
ip_addr_t ip;
if (ca->isIPv6) {
ip.v6 = *((ip6_addr_t *) ca->inFixedValues->incomingValue[ipIndex].value.byteArray16);
} else {
ip.v4 = ca->inFixedValues->incomingValue[ipIndex].value.uint32;
}
return ip;
}
static void fort_callout_ale_fill_meta_conn(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
{
if (cx->is_conn_filled)
return;
cx->is_conn_filled = TRUE;
PFORT_CONF_META_CONN conn = &cx->conn;
conn->ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8;
conn->local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16;
conn->remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16;
conn->local_ip = fort_callout_meta_ip(ca, ca->fi->localIp);
}
inline static void fort_callout_ale_log_blocked_ip(
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
{
const UINT32 *local_ip = ca->isIPv6
? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->localIp].value.byteArray16
: &ca->inFixedValues->incomingValue[ca->fi->localIp].value.uint32;
fort_callout_ale_fill_meta_conn(ca, cx);
const UINT16 local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16;
const UINT16 remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16;
const UCHAR ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8;
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->conn.remote_ip,
cx->process_id, &cx->real_path, &cx->irp, &cx->info);
fort_buffer_blocked_ip_write(&fort_device()->buffer, &cx->conn, &cx->irp, &cx->info);
}
inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
{
if (!fort_pending_add_packet(&fort_device()->pending, ca, cx)) {
cx->block_reason = FORT_BLOCK_REASON_ASK_LIMIT;
cx->conn.block_reason = FORT_BLOCK_REASON_ASK_LIMIT;
return TRUE; /* block (error) */
}
cx->drop_blocked = TRUE;
cx->block_reason = FORT_BLOCK_REASON_ASK_PENDING;
cx->conn.block_reason = FORT_BLOCK_REASON_ASK_PENDING;
return TRUE; /* drop (pending) */
}
@ -214,23 +234,23 @@ static BOOL fort_callout_ale_app_blocked(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_AL
FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data)
{
if (fort_conf_app_group_blocked(conf_flags, app_data)) {
cx->block_reason = FORT_BLOCK_REASON_APP_GROUP_FOUND;
cx->conn.block_reason = FORT_BLOCK_REASON_APP_GROUP_FOUND;
return TRUE; /* block Group */
}
if (app_data.flags.blocked) {
cx->block_reason = FORT_BLOCK_REASON_PROGRAM;
cx->conn.block_reason = FORT_BLOCK_REASON_PROGRAM;
return TRUE; /* block Program */
}
if (app_data.flags.lan_only && !cx->conn.is_local_net) {
cx->block_reason = FORT_BLOCK_REASON_LAN_ONLY;
cx->conn.block_reason = FORT_BLOCK_REASON_LAN_ONLY;
return TRUE; /* block LAN Only */
}
if (fort_callout_ale_ip_zone_check(ca, cx, app_data.reject_zones, /*included=*/TRUE)
|| fort_callout_ale_ip_zone_check(ca, cx, app_data.accept_zones, /*included=*/FALSE)) {
cx->block_reason = FORT_BLOCK_REASON_ZONE;
cx->conn.block_reason = FORT_BLOCK_REASON_ZONE;
return TRUE; /* block Rejected or Not Accepted Zones */
}
@ -251,7 +271,7 @@ inline static BOOL fort_callout_ale_flags_allowed(
/* Ignore */
cx->ignore = TRUE;
cx->block_reason = FORT_BLOCK_REASON_NONE; /* Don't block or allow */
cx->conn.block_reason = FORT_BLOCK_REASON_NONE; /* Don't block or allow */
return TRUE;
}
@ -315,7 +335,7 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca,
if (!fort_conf_ip_inet_included(&conf_ref->conf,
(fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included,
&fort_device()->conf, cx->conn.remote_ip, ca->isIPv6)) {
cx->block_reason = FORT_BLOCK_REASON_IP_INET;
cx->conn.block_reason = FORT_BLOCK_REASON_IP_INET;
return TRUE; /* block address */
}
@ -371,16 +391,21 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca,
inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
{
PFORT_APP_PATH real_path = &cx->real_path;
if (cx->is_path_filled)
return;
cx->is_path_filled = TRUE;
PFORT_APP_PATH real_path = &cx->conn.real_path;
real_path->len = (UINT16) (ca->inMetaValues->processPath->size
- sizeof(WCHAR)); /* chop terminating zero */
real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data;
PFORT_APP_PATH path = &cx->path;
PFORT_APP_PATH path = &cx->conn.path;
BOOL inherited = FALSE;
if (fort_pstree_get_proc_name(&fort_device()->ps_tree, cx->process_id, path, &inherited)) {
if (fort_pstree_get_proc_name(&fort_device()->ps_tree, cx->conn.process_id, path, &inherited)) {
if (!inherited) {
*real_path = *path;
}
@ -388,19 +413,19 @@ inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLO
*path = *real_path;
}
cx->inherited = (UCHAR) inherited;
cx->conn.inherited = (UCHAR) inherited;
}
inline static void fort_callout_ale_check_conf(
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
{
cx->process_id = (UINT32) ca->inMetaValues->processId;
cx->conn.process_id = (UINT32) ca->inMetaValues->processId;
fort_callout_ale_fill_path(ca, cx);
cx->blocked = TRUE;
cx->ignore = FALSE;
cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
cx->conn.block_reason = FORT_BLOCK_REASON_UNKNOWN;
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
@ -470,16 +495,12 @@ static void fort_callout_ale_classify(PFORT_CALLOUT_ARG ca)
ca->inbound = (ca->inMetaValues->packetDirection == FWP_DIRECTION_INBOUND);
}
const UINT32 *remote_ip = ca->isIPv6
? (const UINT32 *) ca->inFixedValues->incomingValue[ca->fi->remoteIp].value.byteArray16
: &ca->inFixedValues->incomingValue[ca->fi->remoteIp].value.uint32;
FORT_CALLOUT_ALE_EXTRA cx = {
.is_reauth = is_reauth,
.conn = {
.inbound = ca->inbound,
.isIPv6 = ca->isIPv6,
.remote_ip = remote_ip,
.remote_ip = fort_callout_meta_ip(ca, ca->fi->remoteIp),
},
};

11
src/driver/fortcoutarg.h
View File

@ -45,20 +45,15 @@ typedef struct fort_callout_ale_extra
{
UCHAR is_reauth : 1;
UCHAR app_data_found : 1;
UCHAR inherited : 1;
UCHAR drop_blocked : 1;
UCHAR blocked : 1;
UCHAR ignore : 1;
INT8 block_reason;
UCHAR is_path_filled : 1;
UCHAR is_conn_filled : 1;
FORT_APP_DATA app_data;
UINT32 process_id;
FORT_CONF_CONN conn;
FORT_APP_PATH path;
FORT_APP_PATH real_path;
FORT_CONF_META_CONN conn;
PIRP irp;
ULONG_PTR info;

4
src/driver/fortpkt.c
View File

@ -1172,7 +1172,7 @@ static NTSTATUS fort_pending_proc_add_packet_locked(PFORT_PENDING pending, PCFOR
PFORT_CALLOUT_ALE_EXTRA cx, PFORT_PENDING_PACKET pkt)
{
/* Create the Pending Process */
PFORT_PENDING_PROC proc = fort_pending_proc_get_check(pending, cx->process_id);
PFORT_PENDING_PROC proc = fort_pending_proc_get_check(pending, cx->conn.process_id);
if (proc == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
@ -1278,7 +1278,7 @@ FORT_API BOOL fort_pending_add_packet(
return FALSE;
/* Check the Process's Limits */
if (!fort_pending_proc_check_limits(pending, cx->process_id))
if (!fort_pending_proc_check_limits(pending, cx->conn.process_id))
return FALSE;
/* Create the Packet */

7
src/driver/fortutl.c
View File

@ -444,14 +444,13 @@ FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src)
}
}
FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6)
FORT_API BOOL fort_addr_is_local_multicast(const ip_addr_t ip, BOOL isIPv6)
{
if (isIPv6) {
const ip6_addr_t *ip6 = (const ip6_addr_t *) ip;
return ip6->addr16[0] == 0x2FF;
return ip.v2 == 0x2FF;
}
return *ip == 0xFFFFFFFF;
return ip.v4 == 0xFFFFFFFF;
}
inline static UINT32 fort_bits_duplicate8(UINT32 v)

2
src/driver/fortutl.h
View File

@ -30,7 +30,7 @@ FORT_API DWORD fort_le_u32_read(const char *cp, int offset);
FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src);
FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6);
FORT_API BOOL fort_addr_is_local_multicast(const ip_addr_t ip, BOOL isIPv6);
FORT_API UINT32 fort_bits_duplicate16(UINT16 num);

26
src/ui/driver/drivercommon.cpp
View File

@ -142,20 +142,14 @@ void logBlockedHeaderRead(const char *input, int *blocked, quint32 *pid, quint32
fort_log_blocked_header_read(input, blocked, pid, pathLen);
}
void logBlockedIpHeaderWrite(char *output, int isIPv6, int inbound, int inherited,
quint8 blockReason, quint8 ipProto, quint16 localPort, quint16 remotePort,
const ip_addr_t *localIp, const ip_addr_t *remoteIp, quint32 pid, quint32 pathLen)
void logBlockedIpHeaderWrite(char *output, PCFORT_CONF_META_CONN conn, quint32 pathLen)
{
fort_log_blocked_ip_header_write(output, isIPv6, inbound, inherited, blockReason, ipProto,
localPort, remotePort, &localIp->v4, &remoteIp->v4, pid, pathLen);
fort_log_blocked_ip_header_write(output, conn, pathLen);
}
void logBlockedIpHeaderRead(const char *input, int *isIPv6, int *inbound, int *inherited,
quint8 *blockReason, quint8 *ipProto, quint16 *localPort, quint16 *remotePort,
ip_addr_t *localIp, ip_addr_t *remoteIp, quint32 *pid, quint32 *pathLen)
void logBlockedIpHeaderRead(const char *input, PFORT_CONF_META_CONN conn, quint32 *pathLen)
{
fort_log_blocked_ip_header_read(input, isIPv6, inbound, inherited, blockReason, ipProto,
localPort, remotePort, &localIp->v4, &remoteIp->v4, pid, pathLen);
fort_log_blocked_ip_header_read(input, conn, pathLen);
}
void logProcNewHeaderWrite(char *output, quint32 pid, quint32 pathLen)
@ -184,7 +178,7 @@ void logTimeRead(const char *input, int *systemTimeChanged, qint64 *unixTime)
}
bool confIpInRange(
const void *drvConf, const quint32 *ip, bool isIPv6, bool included, int addrGroupIndex)
const void *drvConf, const ip_addr_t ip, bool isIPv6, bool included, int addrGroupIndex)
{
const PFORT_CONF conf = (const PFORT_CONF) drvConf;
const PFORT_CONF_ADDR_GROUP addr_group = fort_conf_addr_group_ref(conf, addrGroupIndex);
@ -202,12 +196,16 @@ bool confIpInRange(
bool confIp4InRange(const void *drvConf, quint32 ip, bool included, int addrGroupIndex)
{
return confIpInRange(drvConf, &ip, /*isIPv6=*/false, included, addrGroupIndex);
const ip_addr_t ip_addr = { .v4 = ip };
return confIpInRange(drvConf, ip_addr, /*isIPv6=*/false, included, addrGroupIndex);
}
bool confIp6InRange(const void *drvConf, const ip6_addr_t ip, bool included, int addrGroupIndex)
bool confIp6InRange(const void *drvConf, ip6_addr_t ip, bool included, int addrGroupIndex)
{
return confIpInRange(drvConf, &ip.addr32[0], /*isIPv6=*/true, included, addrGroupIndex);
const ip_addr_t ip_addr = { .v6 = ip };
return confIpInRange(drvConf, ip_addr, /*isIPv6=*/true, included, addrGroupIndex);
}
FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath)

12
src/ui/driver/drivercommon.h
View File

@ -47,12 +47,8 @@ quint8 logType(const char *input);
void logBlockedHeaderWrite(char *output, bool blocked, quint32 pid, quint32 pathLen);
void logBlockedHeaderRead(const char *input, int *blocked, quint32 *pid, quint32 *pathLen);
void logBlockedIpHeaderWrite(char *output, int isIPv6, int inbound, int inherited,
quint8 blockReason, quint8 ipProto, quint16 localPort, quint16 remotePort,
const ip_addr_t *localIp, const ip_addr_t *remoteIp, quint32 pid, quint32 pathLen);
void logBlockedIpHeaderRead(const char *input, int *isIPv6, int *inbound, int *inherited,
quint8 *blockReason, quint8 *ipProto, quint16 *localPort, quint16 *remotePort,
ip_addr_t *localIp, ip_addr_t *remoteIp, quint32 *pid, quint32 *pathLen);
void logBlockedIpHeaderWrite(char *output, PCFORT_CONF_META_CONN conn, quint32 pathLen);
void logBlockedIpHeaderRead(const char *input, PFORT_CONF_META_CONN conn, quint32 *pathLen);
void logProcNewHeaderWrite(char *output, quint32 pid, quint32 pathLen);
void logProcNewHeaderRead(const char *input, quint32 *pid, quint32 *pathLen);
@ -62,11 +58,11 @@ void logStatTrafHeaderRead(const char *input, quint16 *procCount);
void logTimeWrite(char *output, int systemTimeChanged, qint64 unixTime);
void logTimeRead(const char *input, int *systemTimeChanged, qint64 *unixTime);
bool confIpInRange(const void *drvConf, const quint32 *ip, bool isIPv6 = false,
bool confIpInRange(const void *drvConf, const ip_addr_t ip, bool isIPv6 = false,
bool included = false, int addrGroupIndex = 0);
bool confIp4InRange(const void *drvConf, quint32 ip, bool included = false, int addrGroupIndex = 0);
bool confIp6InRange(
const void *drvConf, const ip6_addr_t ip, bool included = false, int addrGroupIndex = 0);
const void *drvConf, ip6_addr_t ip, bool included = false, int addrGroupIndex = 0);
FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath);

57
src/ui/log/logbuffer.cpp
View File

@ -106,10 +106,20 @@ void LogBuffer::writeEntryBlockedIp(const LogEntryBlockedIp *logEntry)
char *output = this->output();
DriverCommon::logBlockedIpHeaderWrite(output, logEntry->isIPv6(), logEntry->inbound(),
logEntry->inherited(), logEntry->blockReason(), logEntry->ipProto(),
logEntry->localPort(), logEntry->remotePort(), &logEntry->localIp(),
&logEntry->remoteIp(), logEntry->pid(), pathLen);
const FORT_CONF_META_CONN conn = {
.inbound = logEntry->inbound(),
.isIPv6 = logEntry->isIPv6(),
.inherited = logEntry->inherited(),
.block_reason = logEntry->blockReason(),
.ip_proto = logEntry->ipProto(),
.local_port = logEntry->localPort(),
.remote_port = logEntry->remotePort(),
.process_id = logEntry->pid(),
.local_ip = logEntry->localIp(),
.remote_ip = logEntry->remoteIp(),
};
DriverCommon::logBlockedIpHeaderWrite(output, &conn, pathLen);
if (pathLen) {
output += DriverCommon::logBlockedIpHeaderSize(logEntry->isIPv6());
@ -125,37 +135,30 @@ void LogBuffer::readEntryBlockedIp(LogEntryBlockedIp *logEntry)
const char *input = this->input();
int isIPv6;
int inbound;
int inherited;
quint8 blockReason;
quint8 proto;
quint16 localPort;
quint16 remotePort;
ip_addr_t localIp, remoteIp;
quint32 pid, pathLen;
DriverCommon::logBlockedIpHeaderRead(input, &isIPv6, &inbound, &inherited, &blockReason, &proto,
&localPort, &remotePort, &localIp, &remoteIp, &pid, &pathLen);
FORT_CONF_META_CONN conn;
quint32 pathLen;
DriverCommon::logBlockedIpHeaderRead(input, &conn, &pathLen);
QString path;
if (pathLen) {
input += DriverCommon::logBlockedIpHeaderSize(isIPv6 != 0);
input += DriverCommon::logBlockedIpHeaderSize(conn.isIPv6);
path = QString::fromWCharArray((const wchar_t *) input, pathLen / int(sizeof(wchar_t)));
}
logEntry->setIsIPv6(isIPv6 != 0);
logEntry->setInbound(inbound != 0);
logEntry->setInherited(inherited != 0);
logEntry->setBlockReason(blockReason);
logEntry->setIpProto(proto);
logEntry->setLocalPort(localPort);
logEntry->setRemotePort(remotePort);
logEntry->setLocalIp(localIp);
logEntry->setRemoteIp(remoteIp);
logEntry->setPid(pid);
logEntry->setIsIPv6(conn.isIPv6);
logEntry->setInbound(conn.inbound);
logEntry->setInherited(conn.inherited);
logEntry->setBlockReason(conn.block_reason);
logEntry->setIpProto(conn.ip_proto);
logEntry->setLocalPort(conn.local_port);
logEntry->setRemotePort(conn.remote_port);
logEntry->setLocalIp(conn.local_ip);
logEntry->setRemoteIp(conn.remote_ip);
logEntry->setPid(conn.process_id);
logEntry->setKernelPath(path);
const int entrySize = int(DriverCommon::logBlockedIpSize(pathLen, isIPv6 != 0));
const int entrySize = int(DriverCommon::logBlockedIpSize(pathLen, conn.isIPv6));
m_offset += entrySize;
}