Driver: Prepare "prompt" flag

src/driver/common/fortdef.h

@@ -3,14 +3,19 @@
 
 enum FortLogType {
     FORT_LOG_TYPE_NONE = 0,
-    FORT_LOG_TYPE_BLOCKED = 1,
+    FORT_LOG_TYPE_BLOCKED,
     FORT_LOG_TYPE_BLOCKED_IP,
     FORT_LOG_TYPE_ALLOWED,
+    FORT_LOG_TYPE_PROMPT,
     FORT_LOG_TYPE_PROC_NEW,
     FORT_LOG_TYPE_STAT_TRAF,
     FORT_LOG_TYPE_TIME,
 };
 
+enum FortLogBlockedIpFlag {
+    FORT_LOG_BLOCKED_IP_INHERITED = (1 << 0),
+};
+
 enum FortBlockReason {
     FORT_BLOCK_REASON_NONE = -1,
     FORT_BLOCK_REASON_UNKNOWN = 0,
@@ -20,6 +25,8 @@ enum FortBlockReason {
     FORT_BLOCK_REASON_APP_GROUP_FOUND,
     FORT_BLOCK_REASON_FILTER_MODE,
     FORT_BLOCK_REASON_LAN_ONLY,
+    FORT_BLOCK_REASON_PROMPT_TIMEOUT,
+    FORT_BLOCK_REASON_PROMPT /* must be last! */
 };
 
 #endif // FORTDEF_H

src/driver/common/fortlog.c

@@ -40,11 +40,12 @@ void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL i
 
     *up++ = fort_log_flag_type(FORT_LOG_TYPE_BLOCKED_IP) | (isIPv6 ? FORT_LOG_FLAG_IP6 : 0)
             | (inbound ? FORT_LOG_FLAG_IP_INBOUND : 0) | path_len;
-    *up++ = inherited | ((UINT32) block_reason << 8) | ((UINT32) ip_proto << 16);
+    *up++ = (inherited ? FORT_LOG_BLOCKED_IP_INHERITED : 0) | ((UINT32) block_reason << 8)
+            | ((UINT32) ip_proto << 16);
     *up++ = local_port | ((UINT32) remote_port << 16);
     *up++ = pid;
 
-    const int ip_size = FORT_IP_SIZE(isIPv6);
+    const int ip_size = FORT_IP_ADDR_SIZE(isIPv6);
     RtlCopyMemory(up, local_ip, ip_size);
 
     up = (UINT32 *) ((PCHAR) up + ip_size);
@@ -73,14 +74,16 @@ void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
     *isIPv6 = (*up & FORT_LOG_FLAG_IP6) != 0;
     *inbound = (*up & FORT_LOG_FLAG_IP_INBOUND) != 0;
     *path_len = (*up++ & ~FORT_LOG_FLAG_EX_MASK);
-    *inherited = (UCHAR) *up;
+
+    const UCHAR flags = (UCHAR) *up;
+    *inherited = (flags & FORT_LOG_BLOCKED_IP_INHERITED) != 0;
     *block_reason = (UCHAR) (*up >> 8);
     *ip_proto = (UCHAR) (*up++ >> 16);
     *local_port = *((const UINT16 *) up);
     *remote_port = (UINT16) (*up++ >> 16);
     *pid = *up++;
 
-    const int ip_size = FORT_IP_SIZE(*isIPv6);
+    const int ip_size = FORT_IP_ADDR_SIZE(*isIPv6);
     RtlCopyMemory(local_ip, up, ip_size);
 
     up = (const UINT32 *) ((const PCHAR) up + ip_size);

src/driver/common/fortlog.h

@@ -29,9 +29,9 @@
 
 #define FORT_LOG_BLOCKED_SIZE_MAX FORT_LOG_BLOCKED_SIZE(FORT_LOG_PATH_MAX)
 
-#define FORT_IP_SIZE(isIPv6) ((isIPv6) ? sizeof(ip6_addr_t) : sizeof(UINT32))
+#define FORT_IP_ADDR_SIZE(isIPv6) ((isIPv6) ? sizeof(ip6_addr_t) : sizeof(UINT32))
 
-#define FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6) (4 * sizeof(UINT32) + 2 * FORT_IP_SIZE(isIPv6))
+#define FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6) (4 * sizeof(UINT32) + 2 * FORT_IP_ADDR_SIZE(isIPv6))
 
 #define FORT_LOG_BLOCKED_IP_SIZE(path_len, isIPv6)                                                 \
     ((FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6) + (path_len) + (FORT_LOG_ALIGN - 1))                 \

src/driver/fortcout.c

@@ -63,12 +63,11 @@ inline static BOOL fort_callout_ale_associate_flow(FORT_CALLOUT_ARG ca, FORT_CAL
     const BOOL is_tcp = (ip_proto == IPPROTO_TCP);
 
     const UCHAR group_index = (UCHAR) app_flags.group_index;
-    const BOOL is_reauth = (cx->classify_flags & FWP_CONDITION_FLAG_IS_REAUTHORIZE) != 0;
 
     BOOL is_new_proc = FALSE;
 
     const NTSTATUS status = fort_flow_associate(&fort_device()->stat, flow_id, cx->process_id,
-            group_index, ca.isIPv6, is_tcp, ca.inbound, is_reauth, &is_new_proc);
+            group_index, ca.isIPv6, is_tcp, ca.inbound, cx->is_reauth, &is_new_proc);
 
     if (!NT_SUCCESS(status)) {
         if (status == FORT_STATUS_FLOW_BLOCK) {
@@ -108,23 +107,25 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
 inline static void fort_callout_ale_log_blocked_ip(FORT_CALLOUT_ARG ca, FORT_CALLOUT_ALE_INDEX ci,
         PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref, FORT_CONF_FLAGS conf_flags)
 {
-    if (cx->block_reason != FORT_BLOCK_REASON_UNKNOWN && conf_flags.log_blocked_ip) {
-        const FORT_APP_FLAGS app_flags = fort_callout_ale_conf_app_flags(cx, conf_ref);
-        if (app_flags.v != 0 && !app_flags.log_blocked)
-            return;
+    if (cx->block_reason == FORT_BLOCK_REASON_UNKNOWN
+            || !(conf_flags.prompt || conf_flags.log_blocked_ip))
+        return;
 
-        const UINT32 *local_ip = ca.isIPv6
-                ? (const UINT32 *) ca.inFixedValues->incomingValue[ci.localIp].value.byteArray16
-                : &ca.inFixedValues->incomingValue[ci.localIp].value.uint32;
+    const FORT_APP_FLAGS app_flags = fort_callout_ale_conf_app_flags(cx, conf_ref);
+    if (app_flags.v != 0 && !app_flags.log_blocked)
+        return;
 
-        const UINT16 local_port = ca.inFixedValues->incomingValue[ci.localPort].value.uint16;
-        const UINT16 remote_port = ca.inFixedValues->incomingValue[ci.remotePort].value.uint16;
-        const IPPROTO ip_proto = (IPPROTO) ca.inFixedValues->incomingValue[ci.ipProto].value.uint8;
+    const UINT32 *local_ip = ca.isIPv6
+            ? (const UINT32 *) ca.inFixedValues->incomingValue[ci.localIp].value.byteArray16
+            : &ca.inFixedValues->incomingValue[ci.localIp].value.uint32;
 
-        fort_buffer_blocked_ip_write(&fort_device()->buffer, ca.isIPv6, ca.inbound, cx->inherited,
-                cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
-                cx->process_id, cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
-    }
+    const UINT16 local_port = ca.inFixedValues->incomingValue[ci.localPort].value.uint16;
+    const UINT16 remote_port = ca.inFixedValues->incomingValue[ci.remotePort].value.uint16;
+    const IPPROTO ip_proto = (IPPROTO) ca.inFixedValues->incomingValue[ci.ipProto].value.uint8;
+
+    fort_buffer_blocked_ip_write(&fort_device()->buffer, ca.isIPv6, ca.inbound, cx->inherited,
+            cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
+            cx->process_id, cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
 }
 
 inline static void fort_callout_ale_log(FORT_CALLOUT_ARG ca, FORT_CALLOUT_ALE_INDEX ci,
@@ -133,11 +134,21 @@ inline static void fort_callout_ale_log(FORT_CALLOUT_ARG ca, FORT_CALLOUT_ALE_IN
     const FORT_APP_FLAGS app_flags = fort_callout_ale_conf_app_flags(cx, conf_ref);
 
     if (!cx->blocked /* collect traffic, when Filter Disabled */
-            || (app_flags.v == 0 && conf_flags.allow_all_new) /* collect new Blocked Programs */
+            /* collect new Blocked Programs or Prompt */
+            || (app_flags.v == 0 && (conf_flags.allow_all_new || conf_flags.prompt))
+            /* check the conf for a blocked app */
             || !fort_conf_app_blocked(&conf_ref->conf, app_flags, &cx->block_reason)) {
+
+        if (app_flags.v == 0 && conf_flags.prompt) {
+            cx->block_reason =
+                    cx->is_reauth ? FORT_BLOCK_REASON_PROMPT_TIMEOUT : FORT_BLOCK_REASON_PROMPT;
+            cx->blocked = TRUE; /* blocked (prompt) */
+            return;
+        }
+
         if (conf_flags.log_stat
                 && fort_callout_ale_associate_flow(ca, ci, cx, conf_ref, app_flags)) {
-            cx->blocked = TRUE; /* blocked */
+            cx->blocked = TRUE; /* blocked (error) */
             return;
         }
 
@@ -230,8 +241,13 @@ inline static void fort_callout_ale_check_conf(FORT_CALLOUT_ARG ca, FORT_CALLOUT
         /* Log the blocked connection */
         fort_callout_ale_log_blocked_ip(ca, ci, cx, conf_ref, conf_flags);
 
-        /* Block the connection */
-        fort_callout_classify_block(ca.classifyOut);
+        if (cx->block_reason == FORT_BLOCK_REASON_PROMPT) {
+            /* Drop the connection */
+            fort_callout_classify_drop(ca.classifyOut);
+        } else {
+            /* Block the connection */
+            fort_callout_classify_block(ca.classifyOut);
+        }
     } else {
         if (cx->block_reason == FORT_BLOCK_REASON_NONE) {
             /* Continue the search */
@@ -291,7 +307,7 @@ static void fort_callout_ale_classify(FORT_CALLOUT_ARG ca, FORT_CALLOUT_ALE_INDE
     }
 
     FORT_CALLOUT_ALE_EXTRA cx = {
-        .classify_flags = classify_flags,
+        .is_reauth = is_reauth,
         .remote_ip = remote_ip,
     };
 
@@ -877,8 +893,8 @@ FORT_API NTSTATUS fort_callout_force_reauth(const FORT_CONF_FLAGS old_conf_flags
     }
 
     if (NT_SUCCESS(status)) {
-        const BOOL log_enabled = (conf_flags.allow_all_new || conf_flags.log_blocked
-                || conf_flags.log_stat || conf_flags.log_blocked_ip);
+        const BOOL log_enabled = (conf_flags.allow_all_new || conf_flags.prompt
+                || conf_flags.log_blocked || conf_flags.log_stat || conf_flags.log_blocked_ip);
 
         fort_timer_set_running(&fort_device()->log_timer, /*run=*/log_enabled);
     } else {

src/driver/fortcoutarg.h

@@ -33,6 +33,7 @@ typedef struct fort_callout_ale_index
 
 typedef struct fort_callout_ale_extra
 {
+    UCHAR is_reauth : 1;
     UCHAR app_flags_found : 1;
     UCHAR inherited : 1;
     UCHAR blocked : 1;
@@ -42,7 +43,6 @@ typedef struct fort_callout_ale_extra
 
     UINT32 process_id;
 
-    UINT32 classify_flags;
     const UINT32 *remote_ip;
 
     PCUNICODE_STRING path;