Driver: Prepare FORT_CONF_CONN
parent
f87d71277f
commit
c049edd332
@ -169,6 +169,24 @@ typedef struct fort_conf_rule_flag
|
|||||||
(sizeof(FORT_CONF_RULE) + ((rule)->has_zones ? sizeof(FORT_CONF_RULE_ZONES) : 0) \
|
(sizeof(FORT_CONF_RULE) + ((rule)->has_zones ? sizeof(FORT_CONF_RULE_ZONES) : 0) \
|
||||||
+ (rule)->set_count * sizeof(UINT16))
|
+ (rule)->set_count * sizeof(UINT16))
|
||||||
|
|
||||||
|
typedef struct fort_conf_conn
|
||||||
|
{
|
||||||
|
UCHAR inbound : 1;
|
||||||
|
UCHAR isIPv6 : 1;
|
||||||
|
UCHAR is_loopback : 1;
|
||||||
|
UCHAR is_local_net : 1;
|
||||||
|
|
||||||
|
const UCHAR ip_proto;
|
||||||
|
|
||||||
|
const UINT16 local_port;
|
||||||
|
const UINT16 remote_port;
|
||||||
|
|
||||||
|
const UINT32 *remote_ip;
|
||||||
|
const UINT32 *local_ip;
|
||||||
|
} FORT_CONF_CONN, *PFORT_CONF_CONN;
|
||||||
|
|
||||||
|
typedef const FORT_CONF_CONN *PCCONF_CONN;
|
||||||
|
|
||||||
typedef struct fort_conf_zones
|
typedef struct fort_conf_zones
|
||||||
{
|
{
|
||||||
UINT32 mask;
|
UINT32 mask;
|
||||||
|
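Review bot: The `const` on `ip_proto`, `local_port`, `remote_port`, `remote_ip` and `local_ip` in the new `fort_conf_conn` makes those members settable only through an initializer, yet the only initializer on this page (the `cx` designated initializer in `fort_callout_ale_classify`, hunk at -476) fills just `inbound`, `isIPv6` and `remote_ip`, so `ip_proto`, both ports and `local_ip` stay zero for the lifetime of every `FORT_CALLOUT_ALE_EXTRA` and cannot be assigned later. Const members also make the struct, and therefore the `FORT_CALLOUT_ALE_EXTRA` that embeds it, non-assignable as a whole. If the plan is to populate them after construction, drop the qualifier from the scalar members (`UCHAR ip_proto;`, `UINT16 local_port;`, `UINT16 remote_port;`) and keep only the pointee-const on the two address pointers; otherwise fill them in that initializer. The typedef name `PCCONF_CONN` also departs from the `PCFORT_…` prefix used by the other pointer-to-const typedef visible here (`PCFORT_CALLOUT_ARG`), so `PCFORT_CONF_CONN` would be the consistent choice.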
@ -166,11 +166,10 @@ inline static void fort_callout_ale_log_blocked_ip(
|
|||||||
|
|
||||||
const UINT16 local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16;
|
const UINT16 local_port = ca->inFixedValues->incomingValue[ca->fi->localPort].value.uint16;
|
||||||
const UINT16 remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16;
|
const UINT16 remote_port = ca->inFixedValues->incomingValue[ca->fi->remotePort].value.uint16;
|
||||||
const IPPROTO ip_proto =
|
const UCHAR ip_proto = ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8;
|
||||||
(IPPROTO) ca->inFixedValues->incomingValue[ca->fi->ipProto].value.uint8;
|
|
||||||
|
|
||||||
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
|
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
|
||||||
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
|
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->conn.remote_ip,
|
||||||
cx->process_id, &cx->real_path, &cx->irp, &cx->info);
|
cx->process_id, &cx->real_path, &cx->irp, &cx->info);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -206,7 +205,7 @@ inline static BOOL fort_callout_ale_ip_zone_check(
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
const BOOL ip_included = fort_conf_zones_ip_included(
|
const BOOL ip_included = fort_conf_zones_ip_included(
|
||||||
&fort_device()->conf, zones_mask, cx->remote_ip, ca->isIPv6);
|
&fort_device()->conf, zones_mask, cx->conn.remote_ip, ca->isIPv6);
|
||||||
|
|
||||||
return ip_included == included;
|
return ip_included == included;
|
||||||
}
|
}
|
||||||
@ -224,7 +223,7 @@ static BOOL fort_callout_ale_app_blocked(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_AL
|
|||||||
return TRUE; /* block Program */
|
return TRUE; /* block Program */
|
||||||
}
|
}
|
||||||
|
|
||||||
if (app_data.flags.lan_only && !cx->is_local_net) {
|
if (app_data.flags.lan_only && !cx->conn.is_local_net) {
|
||||||
cx->block_reason = FORT_BLOCK_REASON_LAN_ONLY;
|
cx->block_reason = FORT_BLOCK_REASON_LAN_ONLY;
|
||||||
return TRUE; /* block LAN Only */
|
return TRUE; /* block LAN Only */
|
||||||
}
|
}
|
||||||
@ -294,12 +293,12 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca,
|
|||||||
return TRUE; /* block all */
|
return TRUE; /* block all */
|
||||||
}
|
}
|
||||||
|
|
||||||
cx->is_local_net = !fort_conf_ip_is_inet(&conf_ref->conf,
|
cx->conn.is_local_net = !fort_conf_ip_is_inet(&conf_ref->conf,
|
||||||
(fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included, &fort_device()->conf,
|
(fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included, &fort_device()->conf,
|
||||||
cx->remote_ip, ca->isIPv6);
|
cx->conn.remote_ip, ca->isIPv6);
|
||||||
|
|
||||||
if (cx->is_local_net) {
|
if (cx->conn.is_local_net) {
|
||||||
if (conf_flags.block_lan_traffic && !cx->is_loopback) {
|
if (conf_flags.block_lan_traffic && !cx->conn.is_loopback) {
|
||||||
return TRUE; /* block LAN */
|
return TRUE; /* block LAN */
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -315,7 +314,7 @@ inline static BOOL fort_callout_ale_check_filter_flags(PCFORT_CALLOUT_ARG ca,
|
|||||||
|
|
||||||
if (!fort_conf_ip_inet_included(&conf_ref->conf,
|
if (!fort_conf_ip_inet_included(&conf_ref->conf,
|
||||||
(fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included,
|
(fort_conf_zones_ip_included_func *) &fort_conf_zones_ip_included,
|
||||||
&fort_device()->conf, cx->remote_ip, ca->isIPv6)) {
|
&fort_device()->conf, cx->conn.remote_ip, ca->isIPv6)) {
|
||||||
cx->block_reason = FORT_BLOCK_REASON_IP_INET;
|
cx->block_reason = FORT_BLOCK_REASON_IP_INET;
|
||||||
return TRUE; /* block address */
|
return TRUE; /* block address */
|
||||||
}
|
}
|
||||||
@ -443,17 +442,18 @@ inline static BOOL fort_callout_ale_is_local_address(PFORT_CALLOUT_ARG ca,
|
|||||||
{
|
{
|
||||||
const FORT_CONF_FLAGS conf_flags = device_conf->conf_flags;
|
const FORT_CONF_FLAGS conf_flags = device_conf->conf_flags;
|
||||||
|
|
||||||
cx->is_loopback = (classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) != 0;
|
cx->conn.is_loopback = (classify_flags & FWP_CONDITION_FLAG_IS_LOOPBACK) != 0;
|
||||||
|
|
||||||
if (conf_flags.filter_locals)
|
if (conf_flags.filter_locals)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
/* Loopback */
|
/* Loopback */
|
||||||
if (!cx->is_loopback || conf_flags.block_traffic)
|
if (!cx->conn.is_loopback || conf_flags.block_traffic)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
/* Multicast */
|
/* Multicast */
|
||||||
if (!fort_addr_is_local_multicast(cx->remote_ip, ca->isIPv6) || conf_flags.block_lan_traffic)
|
if (!fort_addr_is_local_multicast(cx->conn.remote_ip, ca->isIPv6)
|
||||||
|
|| conf_flags.block_lan_traffic)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
@ -476,7 +476,11 @@ static void fort_callout_ale_classify(PFORT_CALLOUT_ARG ca)
|
|||||||
|
|
||||||
FORT_CALLOUT_ALE_EXTRA cx = {
|
FORT_CALLOUT_ALE_EXTRA cx = {
|
||||||
.is_reauth = is_reauth,
|
.is_reauth = is_reauth,
|
||||||
.remote_ip = remote_ip,
|
.conn = {
|
||||||
|
.inbound = ca->inbound,
|
||||||
|
.isIPv6 = ca->isIPv6,
|
||||||
|
.remote_ip = remote_ip,
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
PFORT_DEVICE_CONF device_conf = &fort_device()->conf;
|
PFORT_DEVICE_CONF device_conf = &fort_device()->conf;
|
||||||
|
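Review bot: `fort_callout_ale_log_blocked_ip` (hunk at -166, whose start is outside the hunk) still reads `local_port`, `remote_port` and `ip_proto` directly from `ca->inFixedValues` even though the new `cx->conn` now carries fields for exactly those values, so the log path and the connection struct can diverge once `conn` starts being filled. Since this commit is preparatory, a comment at those three reads such as `/* TODO: read from cx->conn once FORT_CONF_CONN is populated */` would tie the two together. The change from `const IPPROTO ip_proto` to `const UCHAR ip_proto` is silent about why the enum cast was dropped; if `fort_buffer_blocked_ip_write` still takes an `IPPROTO` the conversion is implicit, and a one-line comment noting that the type now mirrors `FORT_CONF_CONN.ip_proto` would make that deliberate.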
@ -44,8 +44,6 @@ typedef const FORT_CALLOUT_ARG *PCFORT_CALLOUT_ARG;
|
|||||||
typedef struct fort_callout_ale_extra
|
typedef struct fort_callout_ale_extra
|
||||||
{
|
{
|
||||||
UCHAR is_reauth : 1;
|
UCHAR is_reauth : 1;
|
||||||
UCHAR is_loopback : 1;
|
|
||||||
UCHAR is_local_net : 1;
|
|
||||||
UCHAR app_data_found : 1;
|
UCHAR app_data_found : 1;
|
||||||
UCHAR inherited : 1;
|
UCHAR inherited : 1;
|
||||||
UCHAR drop_blocked : 1;
|
UCHAR drop_blocked : 1;
|
||||||
@ -57,7 +55,7 @@ typedef struct fort_callout_ale_extra
|
|||||||
|
|
||||||
UINT32 process_id;
|
UINT32 process_id;
|
||||||
|
|
||||||
const UINT32 *remote_ip;
|
FORT_CONF_CONN conn;
|
||||||
|
|
||||||
FORT_APP_PATH path;
|
FORT_APP_PATH path;
|
||||||
FORT_APP_PATH real_path;
|
FORT_APP_PATH real_path;
|
||||||
|
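Review bot: `FORT_CONF_CONN conn;` replaces `remote_ip` and the `is_loopback`/`is_local_net` bits without saying which of its fields are valid when; on this page `inbound`, `isIPv6` and `remote_ip` are set in the `cx` initializer in `fort_callout_ale_classify`, `is_loopback` in `fort_callout_ale_is_local_address`, `is_local_net` in `fort_callout_ale_check_filter_flags`, and `ip_proto`, `local_port`, `remote_port` and `local_ip` nowhere. A comment above the member such as `/* Filled incrementally: inbound/isIPv6/remote_ip at construction, is_loopback/is_local_net during classification; the remaining fields are not yet populated */` would keep readers from treating the zeroed fields as meaningful. The struct's closing brace lies outside this hunk.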