From 749d3024b68a3115f836fd1e888d1b2b7dd69ab9 Mon Sep 17 00:00:00 2001
From: Nodir Temirkhodjaev
Date: Fri, 8 Nov 2024 14:46:39 +0500
Subject: [PATCH] Driver: Refactor loopback address handling

---
 src/driver/fortcnf.c | 17 +++++++----------
 src/driver/fortcnf.h | 4 ----
 src/driver/fortcout.c | 18 ++++++++++--------
 src/driver/fortcoutarg.h | 1 +
 src/driver/fortutl.c | 2 +-
 src/driver/fortutl.h | 2 +-
 6 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/src/driver/fortcnf.c b/src/driver/fortcnf.c
index 7f65c6bd..772d83b4 100644
--- a/src/driver/fortcnf.c
+++ b/src/driver/fortcnf.c
@@ -48,7 +48,7 @@ FORT_API UINT16 fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UINT16 flag,
               : InterlockedAnd16(&device_conf->flags, ~flag);
 }
 
-FORT_API UINT16 fort_device_flags(PFORT_DEVICE_CONF device_conf)
+static UINT16 fort_device_flags(PFORT_DEVICE_CONF device_conf)
 {
     return fort_device_flag_set(device_conf, 0, TRUE);
 }
@@ -340,9 +340,6 @@ static void fort_device_flags_conf_set(PFORT_DEVICE_CONF device_conf, FORT_CONF_
 {
     fort_device_flag_set(device_conf, FORT_DEVICE_BOOT_FILTER, conf_flags.boot_filter);
     fort_device_flag_set(device_conf, FORT_DEVICE_BOOT_FILTER_LOCALS, conf_flags.filter_locals);
-
-    fort_device_flag_set(device_conf, FORT_DEVICE_BLOCK_TRAFFIC, conf_flags.block_traffic);
-    fort_device_flag_set(device_conf, FORT_DEVICE_BLOCK_LAN_TRAFFIC, conf_flags.block_lan_traffic);
 }
 
 FORT_API FORT_CONF_FLAGS fort_conf_ref_set(PFORT_DEVICE_CONF device_conf, PFORT_CONF_REF conf_ref)
@@ -354,7 +351,7 @@ FORT_API FORT_CONF_FLAGS fort_conf_ref_set(PFORT_DEVICE_CONF device_conf, PFORT_
     if (old_conf_ref != NULL) {
         old_conf_flags = old_conf_ref->conf.flags;
     } else {
-        const UINT16 flags = fort_device_flag(device_conf, FORT_DEVICE_BOOT_MASK);
+        const UINT16 flags = fort_device_flags(device_conf);
 
         RtlZeroMemory(&old_conf_flags, sizeof(FORT_CONF_FLAGS));
         old_conf_flags.boot_filter = (flags & FORT_DEVICE_BOOT_FILTER) != 0;
@@ -392,7 +389,7 @@ FORT_API FORT_CONF_FLAGS fort_conf_ref_set(PFORT_DEVICE_CONF device_conf, PFORT_
 }
 
 FORT_API FORT_CONF_FLAGS fort_conf_ref_flags_set(
-        PFORT_DEVICE_CONF device_conf, const FORT_CONF_FLAGS conf_flags)
+        PFORT_DEVICE_CONF device_conf, FORT_CONF_FLAGS conf_flags)
 {
     FORT_CONF_FLAGS old_conf_flags;
 
@@ -408,17 +405,17 @@ FORT_API FORT_CONF_FLAGS fort_conf_ref_flags_set(
             conf->flags = conf_flags;
 
             fort_device_flags_conf_set(device_conf, conf_flags);
-
-            device_conf->conf_flags = conf_flags;
         } else {
-            const UINT16 flags = fort_device_flag(device_conf, FORT_DEVICE_BOOT_MASK);
+            const UINT16 flags = fort_device_flags(device_conf);
 
             RtlZeroMemory(&old_conf_flags, sizeof(FORT_CONF_FLAGS));
             old_conf_flags.boot_filter = (flags & FORT_DEVICE_BOOT_FILTER) != 0;
             old_conf_flags.filter_locals = (flags & FORT_DEVICE_BOOT_FILTER_LOCALS) != 0;
 
-            device_conf->conf_flags = old_conf_flags;
+            conf_flags = old_conf_flags;
         }
+
+        device_conf->conf_flags = conf_flags;
     }
 
     KeReleaseInStackQueuedSpinLock(&lock_queue);
diff --git a/src/driver/fortcnf.h b/src/driver/fortcnf.h
index 95d57892..5866b36d 100644
--- a/src/driver/fortcnf.h
+++ b/src/driver/fortcnf.h
@@ -29,8 +29,6 @@ typedef struct fort_conf_ref
 #define FORT_DEVICE_BOOT_FILTER 0x01
 #define FORT_DEVICE_BOOT_FILTER_LOCALS 0x02
 #define FORT_DEVICE_BOOT_MASK (FORT_DEVICE_BOOT_FILTER | FORT_DEVICE_BOOT_FILTER_LOCALS)
-#define FORT_DEVICE_BLOCK_TRAFFIC 0x04
-#define FORT_DEVICE_BLOCK_LAN_TRAFFIC 0x08
 #define FORT_DEVICE_IS_OPENED 0x10
 #define FORT_DEVICE_IS_VALIDATED 0x20
 #define FORT_DEVICE_POWER_OFF 0x40
@@ -57,8 +55,6 @@ FORT_API void fort_device_conf_open(PFORT_DEVICE_CONF device_conf);
 
 FORT_API UINT16 fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UINT16 flag, BOOL on);
 
-FORT_API UINT16 fort_device_flags(PFORT_DEVICE_CONF device_conf);
-
 FORT_API UINT16 fort_device_flag(PFORT_DEVICE_CONF device_conf, UINT16 flag);
 
 FORT_API FORT_APP_DATA fort_conf_exe_find(
diff --git a/src/driver/fortcout.c b/src/driver/fortcout.c
index 700baf35..77263bc6 100644
--- a/src/driver/fortcout.c
+++ b/src/driver/fortcout.c
@@ -299,7 +299,7 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca,
             cx->remote_ip, ca->isIPv6);
 
     if (cx->is_local_net) {
-        if (conf_flags.block_lan_traffic) {
+        if (conf_flags.block_lan_traffic && !cx->is_loopback) {
             return TRUE; /* block LAN */
         }
 
@@ -439,19 +439,21 @@ inline static void fort_callout_ale_by_conf(
 }
 
 inline static BOOL fort_callout_ale_is_local_address(PFORT_CALLOUT_ARG ca,
-        PCFORT_CALLOUT_ALE_EXTRA cx, PFORT_DEVICE_CONF device_conf, const UINT32 classify_flags)
+        PFORT_CALLOUT_ALE_EXTRA cx, PFORT_DEVICE_CONF device_conf, const UINT32 classify_flags)
 {
-    const UINT16 device_flags = fort_device_flags(device_conf);
+    const FORT_CONF_FLAGS conf_flags = device_conf->conf_flags;
 
-    if ((device_flags & FORT_DEVICE_BOOT_FILTER_LOCALS) != 0)
+    cx->is_loopback = (classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) != 0;
+
+    if (conf_flags.filter_locals)
         return FALSE;
 
-    if ((classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) == 0 || (device_flags & FORT_DEVICE_BLOCK_TRAFFIC) != 0)
+    /* Loopback */
+    if (!cx->is_loopback || conf_flags.block_traffic)
         return FALSE;
 
-    if (!fort_addr_is_local_broadcast(cx->remote_ip, ca->isIPv6) || (device_flags & FORT_DEVICE_BLOCK_LAN_TRAFFIC) != 0)
+    /* Multicast */
+    if (!fort_addr_is_local_multicast(cx->remote_ip, ca->isIPv6) || conf_flags.block_lan_traffic)
         return FALSE;
 
     return TRUE;
diff --git a/src/driver/fortcoutarg.h b/src/driver/fortcoutarg.h
index 438c3d62..ac6d9ff5 100644
--- a/src/driver/fortcoutarg.h
+++ b/src/driver/fortcoutarg.h
@@ -44,6 +44,7 @@ typedef const FORT_CALLOUT_ARG *PCFORT_CALLOUT_ARG;
 typedef struct fort_callout_ale_extra
 {
     UCHAR is_reauth : 1;
+    UCHAR is_loopback : 1;
     UCHAR is_local_net : 1;
     UCHAR app_data_found : 1;
     UCHAR inherited : 1;
diff --git a/src/driver/fortutl.c b/src/driver/fortutl.c
index bcbb9d1a..1ce528ba 100644
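Review bot: The added `!cx->is_loopback` on the `block_lan_traffic` branch reads a bit that this commit only ever writes in fort_callout_ale_is_local_address(); whether every classify path that reaches this check has gone through that function first is not visible here (fort_callout_ale_check_filter_flags() starts outside the hunk), and on any path that has not, the bit is whatever the extra struct was initialized with, so a loopback connection could be blocked as LAN or a non-loopback one exempted. Worth stating the dependency at the check: `/* cx->is_loopback is filled in by fort_callout_ale_is_local_address(), which must run before this */`. Separately, `FWP_CONDITION_FLAG_IS_LOOPBACK` is WFP's notion of loopback, which as far as I recall also covers traffic a host sends to its own interface address rather than only 127/8 and ::1 — if the intent is that "block LAN" should not apply to such self-addressed connections, saying so in the `/* block LAN */` comment would save the next reader the lookup.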
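Review bot: `const FORT_CONF_FLAGS conf_flags = device_conf->conf_flags;` swaps an interlocked 16-bit read for a plain struct copy taken with no lock, while fort_conf_ref_flags_set() stores that field under its queued spin lock; whether this snapshot can tear therefore depends on sizeof(FORT_CONF_FLAGS) and its alignment, neither of which is visible in this patch. If the struct is one aligned 32-bit word the copy is a single load and the worst case is a slightly stale snapshot, which is fine; if it is wider, a classify racing a config change could combine `block_traffic` from one config with `block_lan_traffic` from the other and admit a loopback/multicast flow that neither config allows. I would pin the assumption next to the read, e.g. `C_ASSERT(sizeof(FORT_CONF_FLAGS) == sizeof(UINT32));` with `/* lock-free snapshot of what fort_conf_ref_flags_set() stores; must stay a single aligned load */`, or copy it through a volatile/ReadULongNoFence-style accessor if it is meant to be a ULONG-sized bitfield. The function's closing brace is just past the end of the hunk.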
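Review bot: The new `is_loopback` bit carries no hint of who sets it or when it is valid, and in this commit its producer (fort_callout_ale_is_local_address()) and its consumer (fort_callout_ale_check_filter_flags()) are different functions, so a reader of the struct cannot tell whether the bit is meaningful before classification has run. A short comment on the declaration would make that ordering visible: `UCHAR is_loopback : 1; /* FWP_CONDITION_FLAG_IS_LOOPBACK; set by fort_callout_ale_is_local_address() */`.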
--- a/src/driver/fortutl.c
+++ b/src/driver/fortutl.c
@@ -444,7 +444,7 @@ FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src)
     }
 }
 
-FORT_API BOOL fort_addr_is_local_broadcast(const UINT32 *ip, BOOL isIPv6)
+FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6)
 {
     if (isIPv6) {
         const ip6_addr_t *ip6 = (const ip6_addr_t *) ip;
diff --git a/src/driver/fortutl.h b/src/driver/fortutl.h
index 855e52e5..968ed2f4 100644
--- a/src/driver/fortutl.h
+++ b/src/driver/fortutl.h
@@ -30,7 +30,7 @@ FORT_API DWORD fort_le_u32_read(const char *cp, int offset);
 
 FORT_API void fort_ascii_downcase(PUNICODE_STRING dst, PCUNICODE_STRING src);
 
-FORT_API BOOL fort_addr_is_local_broadcast(const UINT32 *ip, BOOL isIPv6);
+FORT_API BOOL fort_addr_is_local_multicast(const UINT32 *ip, BOOL isIPv6);
 
 FORT_API UINT32 fort_bits_duplicate16(UINT16 num);
 