wf: implement windows firewall using inet.af/wf.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
pull/1895/head
Maisem Ali 4 years ago
parent 8d2a90529e
commit 7027fa06c3

@ -506,7 +506,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
args: upArgsT{ args: upArgsT{
exitNodeIP: "foo", exitNodeIP: "foo",
}, },
wantErr: `invalid IP address "foo" for --exit-node: unable to parse IP`, wantErr: `invalid IP address "foo" for --exit-node: ParseIP("foo"): unable to parse IP`,
}, },
{ {
name: "error_exit_node_allow_lan_without_exit_node", name: "error_exit_node_allow_lan_without_exit_node",

@ -33,16 +33,17 @@ require (
golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670 golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
golang.org/x/net v0.0.0-20210510120150-4163338589ed golang.org/x/net v0.0.0-20210510120150-4163338589ed
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
golang.org/x/sys v0.0.0-20210423082822-04245dca01da golang.org/x/sys v0.0.0-20210510120138-977fb7262007
golang.org/x/term v0.0.0-20210317153231-de623e64d2a6 golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 golang.org/x/tools v0.1.0
golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8 golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
gopkg.in/yaml.v2 v2.2.8 // indirect gopkg.in/yaml.v2 v2.2.8 // indirect
honnef.co/go/tools v0.1.0 honnef.co/go/tools v0.1.0
inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44 inet.af/netaddr v0.0.0-20210508014949-da1c2a70a83d
inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22 inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
inet.af/peercred v0.0.0-20210302202138-56e694897155 inet.af/peercred v0.0.0-20210302202138-56e694897155
inet.af/wf v0.0.0-20210424212123-eaa011a774a4
rsc.io/goversion v1.2.0 rsc.io/goversion v1.2.0
) )

@ -23,6 +23,7 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
github.com/frankban/quicktest v1.12.1 h1:P6vQcHwZYgVGIpUzKB5DXzkEeYJppJOStPLuh9aB89c= github.com/frankban/quicktest v1.12.1 h1:P6vQcHwZYgVGIpUzKB5DXzkEeYJppJOStPLuh9aB89c=
@ -106,6 +107,7 @@ github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwp
github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys= github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY= github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk= github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
github.com/peterbourgon/ff/v3 v3.0.0/go.mod h1:UILIFjRH5a/ar8TjXYLTkIvSvekZqPm5Eb/qbGk6CT0=
github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8= github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28= github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -197,14 +199,17 @@ golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210110051926-789bb1bd4061/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210110051926-789bb1bd4061/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210123111255-9b0068b26619/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210123111255-9b0068b26619/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210301091718-77cc2087c03b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210301091718-77cc2087c03b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007 h1:gG67DSER+11cZvqIMb8S8bt0vZtiN6xWYARwirrOSfE=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210317153231-de623e64d2a6 h1:EC6+IGYTjPpRfv9a2b/6Puw0W+hLtAhkV1tPsXhutqs= golang.org/x/term v0.0.0-20210317153231-de623e64d2a6 h1:EC6+IGYTjPpRfv9a2b/6Puw0W+hLtAhkV1tPsXhutqs=
@ -220,8 +225,9 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200609164405-eb789aa7ce50/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200609164405-eb789aa7ce50/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 h1:1Bs6RVeBFtLZ8Yi1Hk07DiOqzvwLD/4hln4iahvFlag=
golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -243,11 +249,14 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
honnef.co/go/tools v0.1.0 h1:AWNL1W1i7f0wNZ8VwOKNJ0sliKvOF/adn0EHenfUh+c= honnef.co/go/tools v0.1.0 h1:AWNL1W1i7f0wNZ8VwOKNJ0sliKvOF/adn0EHenfUh+c=
honnef.co/go/tools v0.1.0/go.mod h1:XtegFAyX/PfluP4921rXU5IkjkqBCDnUq4W8VCIoKvM= honnef.co/go/tools v0.1.0/go.mod h1:XtegFAyX/PfluP4921rXU5IkjkqBCDnUq4W8VCIoKvM=
inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44 h1:p7fX77zWzZMuNdJUhniBsmN1OvFOrW9SOtvgnzqUZX4=
inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44/go.mod h1:I2i9ONCXRZDnG1+7O8fSuYzjcPxHQXrIfzD/IkR87x4= inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44/go.mod h1:I2i9ONCXRZDnG1+7O8fSuYzjcPxHQXrIfzD/IkR87x4=
inet.af/netaddr v0.0.0-20210508014949-da1c2a70a83d h1:9tuJMxDV7THGfXWirKBD/v9rbsBC21bHd2eEYsYuIek=
inet.af/netaddr v0.0.0-20210508014949-da1c2a70a83d/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22 h1:DNtszwGa6w76qlIr+PbPEnlBJdiRV8SaxeigOy0q1gg= inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22 h1:DNtszwGa6w76qlIr+PbPEnlBJdiRV8SaxeigOy0q1gg=
inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22/go.mod h1:GVx+5OZtbG4TVOW5ilmyRZAZXr1cNwfqUEkTOtWK0PM= inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22/go.mod h1:GVx+5OZtbG4TVOW5ilmyRZAZXr1cNwfqUEkTOtWK0PM=
inet.af/peercred v0.0.0-20210302202138-56e694897155 h1:KojYNEYqDkZ2O3LdyTstR1l13L3ePKTIEM2h7ONkfkE= inet.af/peercred v0.0.0-20210302202138-56e694897155 h1:KojYNEYqDkZ2O3LdyTstR1l13L3ePKTIEM2h7ONkfkE=
inet.af/peercred v0.0.0-20210302202138-56e694897155/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU= inet.af/peercred v0.0.0-20210302202138-56e694897155/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
inet.af/wf v0.0.0-20210424212123-eaa011a774a4 h1:g1VVXY1xRKoO17aKY3g9KeJxDW0lGx1n2Y+WPSWkOL8=
inet.af/wf v0.0.0-20210424212123-eaa011a774a4/go.mod h1:56/0QVlZ4NmPRh1QuU2OfrKqjSgt5P39R534gD2JMpQ=
rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w= rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo= rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=

@ -0,0 +1,510 @@
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build windows
package wf
import (
"fmt"
"os"
"golang.org/x/sys/windows"
"inet.af/netaddr"
"inet.af/wf"
)
// Known addresses.
var (
linkLocalRange = netaddr.MustParseIPPrefix("ff80::/10")
linkLocalDHCPMulticast = netaddr.MustParseIP("ff02::1:2")
siteLocalDHCPMulticast = netaddr.MustParseIP("ff05::1:3")
linkLocalRouterMulticast = netaddr.MustParseIP("ff02::2")
)
type direction int
const (
directionInbound direction = iota
directionOutbound
directionBoth
)
type protocol int
const (
protocolV4 protocol = iota
protocolV6
protocolAll
)
// getLayers returns the wf.LayerIDs where the rules should be added based
// on the protocol and direction.
func (p protocol) getLayers(d direction) []wf.LayerID {
var layers []wf.LayerID
if p == protocolAll || p == protocolV4 {
if d == directionBoth || d == directionInbound {
layers = append(layers, wf.LayerALEAuthRecvAcceptV4)
}
if d == directionBoth || d == directionOutbound {
layers = append(layers, wf.LayerALEAuthConnectV4)
}
}
if p == protocolAll || p == protocolV6 {
if d == directionBoth || d == directionInbound {
layers = append(layers, wf.LayerALEAuthRecvAcceptV6)
}
if d == directionBoth || d == directionOutbound {
layers = append(layers, wf.LayerALEAuthConnectV6)
}
}
return layers
}
func ruleName(action wf.Action, l wf.LayerID, name string) string {
switch l {
case wf.LayerALEAuthConnectV4:
return fmt.Sprintf("%s outbound %s (IPv4)", action, name)
case wf.LayerALEAuthConnectV6:
return fmt.Sprintf("%s outbound %s (IPv6)", action, name)
case wf.LayerALEAuthRecvAcceptV4:
return fmt.Sprintf("%s inbound %s (IPv4)", action, name)
case wf.LayerALEAuthRecvAcceptV6:
return fmt.Sprintf("%s inbound %s (IPv6)", action, name)
}
return ""
}
// Firewall uses the Windows Filtering Platform to implement a network firewall.
type Firewall struct {
luid uint64
providerID wf.ProviderID
sublayerID wf.SublayerID
session *wf.Session
permittedRoutes map[netaddr.IPPrefix][]*wf.Rule
}
// New returns a new Firewall for the provdied interface ID.
func New(luid uint64) (*Firewall, error) {
session, err := wf.New(&wf.Options{
Name: "Tailscale firewall",
Dynamic: true,
})
if err != nil {
return nil, err
}
wguid, err := windows.GenerateGUID()
if err != nil {
return nil, err
}
providerID := wf.ProviderID(wguid)
if err := session.AddProvider(&wf.Provider{
ID: providerID,
Name: "Tailscale provider",
}); err != nil {
return nil, err
}
wguid, err = windows.GenerateGUID()
if err != nil {
return nil, err
}
sublayerID := wf.SublayerID(wguid)
if err := session.AddSublayer(&wf.Sublayer{
ID: sublayerID,
Name: "Tailscale permissive and blocking filters",
Weight: 0,
}); err != nil {
return nil, err
}
f := &Firewall{
luid: luid,
session: session,
providerID: providerID,
sublayerID: sublayerID,
permittedRoutes: make(map[netaddr.IPPrefix][]*wf.Rule),
}
if err := f.enable(); err != nil {
return nil, err
}
return f, nil
}
type weight uint64
const (
weightTailscaleTraffic weight = 15
weightKnownTraffic weight = 12
weightCatchAll weight = 0
)
func (f *Firewall) enable() error {
if err := f.permitTailscaleService(weightTailscaleTraffic); err != nil {
return fmt.Errorf("permitTailscaleService failed: %w", err)
}
if err := f.permitTunInterface(weightTailscaleTraffic); err != nil {
return fmt.Errorf("permitTunInterface failed: %w", err)
}
if err := f.permitDNS(weightTailscaleTraffic); err != nil {
return fmt.Errorf("permitDNS failed: %w", err)
}
if err := f.permitLoopback(weightKnownTraffic); err != nil {
return fmt.Errorf("permitLoopback failed: %w", err)
}
if err := f.permitDHCPv4(weightKnownTraffic); err != nil {
return fmt.Errorf("permitDHCPv4 failed: %w", err)
}
if err := f.permitDHCPv6(weightKnownTraffic); err != nil {
return fmt.Errorf("permitDHCPv6 failed: %w", err)
}
if err := f.permitNDP(weightKnownTraffic); err != nil {
return fmt.Errorf("permitNDP failed: %w", err)
}
/* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
* In other words, if somebody complains, try enabling it. For now, keep it off.
* TODO(maisem): implement this.
err = permitHyperV(session, baseObjects, weightKnownTraffic)
if err != nil {
return wrapErr(err)
}
*/
if err := f.blockAll(weightCatchAll); err != nil {
return fmt.Errorf("blockAll failed: %w", err)
}
return nil
}
// UpdatedPermittedRoutes adds rules to allow incoming and outgoing connections
// from the provided prefixes. It will also remove rules for routes that were
// previously added but have been removed.
func (f *Firewall) UpdatePermittedRoutes(newRoutes []netaddr.IPPrefix) error {
var routesToAdd []netaddr.IPPrefix
routeMap := make(map[netaddr.IPPrefix]bool)
for _, r := range newRoutes {
routeMap[r] = true
if _, ok := f.permittedRoutes[r]; !ok {
routesToAdd = append(routesToAdd, r)
}
}
var routesToRemove []netaddr.IPPrefix
for r := range f.permittedRoutes {
if !routeMap[r] {
routesToRemove = append(routesToRemove, r)
}
}
for _, r := range routesToRemove {
for _, rule := range f.permittedRoutes[r] {
if err := f.session.DeleteRule(rule.ID); err != nil {
return err
}
}
delete(f.permittedRoutes, r)
}
for _, r := range routesToAdd {
conditions := []*wf.Match{
{
Field: wf.FieldIPRemoteAddress,
Op: wf.MatchTypeEqual,
Value: r,
},
}
var p protocol
if r.IP.Is4() {
p = protocolV4
} else {
p = protocolV6
}
rules, err := f.addRules("local route", weightKnownTraffic, conditions, wf.ActionPermit, p, directionBoth)
if err != nil {
return err
}
f.permittedRoutes[r] = rules
}
return nil
}
func (f *Firewall) newRule(name string, w weight, layer wf.LayerID, conditions []*wf.Match, action wf.Action) (*wf.Rule, error) {
id, err := windows.GenerateGUID()
if err != nil {
return nil, err
}
return &wf.Rule{
Name: ruleName(action, layer, name),
ID: wf.RuleID(id),
Provider: f.providerID,
Sublayer: f.sublayerID,
Layer: layer,
Weight: uint64(w),
Conditions: conditions,
Action: action,
}, nil
}
func (f *Firewall) addRules(name string, w weight, conditions []*wf.Match, action wf.Action, p protocol, d direction) ([]*wf.Rule, error) {
var rules []*wf.Rule
for _, l := range p.getLayers(d) {
r, err := f.newRule(name, w, l, conditions, action)
if err != nil {
return nil, err
}
if err := f.session.AddRule(r); err != nil {
return nil, err
}
rules = append(rules, r)
}
return rules, nil
}
func (f *Firewall) blockAll(w weight) error {
_, err := f.addRules("all", w, nil, wf.ActionBlock, protocolAll, directionBoth)
return err
}
func (f *Firewall) permitNDP(w weight) error {
// These are aliased according to:
// https://social.msdn.microsoft.com/Forums/azure/en-US/eb2aa3cd-5f1c-4461-af86-61e7d43ccc23/filtering-icmp-by-type-code?forum=wfp
fieldICMPType := wf.FieldIPLocalPort
fieldICMPCode := wf.FieldIPRemotePort
var icmpConditions = func(t, c uint16, remoteAddress interface{}) []*wf.Match {
conditions := []*wf.Match{
{
Field: wf.FieldIPProtocol,
Op: wf.MatchTypeEqual,
Value: wf.IPProtoICMPV6,
},
{
Field: fieldICMPType,
Op: wf.MatchTypeEqual,
Value: t,
},
{
Field: fieldICMPCode,
Op: wf.MatchTypeEqual,
Value: c,
},
}
if remoteAddress != nil {
conditions = append(conditions, &wf.Match{
Field: wf.FieldIPRemoteAddress,
Op: wf.MatchTypeEqual,
Value: linkLocalRouterMulticast,
})
}
return conditions
}
/* TODO: actually handle the hop limit somehow! The rules should vaguely be:
* - icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
* - icmpv6 134: must be incoming, src must be FE80::/10, hop limit must be 255
* - icmpv6 135: either incoming or outgoing, hop limit must be 255
* - icmpv6 136: either incoming or outgoing, hop limit must be 255
* - icmpv6 137: must be incoming, src must be FE80::/10, hop limit must be 255
*/
//
// Router Solicitation Message
// ICMP type 133, code 0. Outgoing.
//
conditions := icmpConditions(133, 0, linkLocalRouterMulticast)
if _, err := f.addRules("NDP type 133", w, conditions, wf.ActionPermit, protocolV6, directionOutbound); err != nil {
return err
}
//
// Router Advertisement Message
// ICMP type 134, code 0. Incoming.
//
conditions = icmpConditions(134, 0, linkLocalRange)
if _, err := f.addRules("NDP type 134", w, conditions, wf.ActionPermit, protocolV6, directionInbound); err != nil {
return err
}
//
// Neighbor Solicitation Message
// ICMP type 135, code 0. Bi-directional.
//
conditions = icmpConditions(135, 0, nil)
if _, err := f.addRules("NDP type 135", w, conditions, wf.ActionPermit, protocolV6, directionBoth); err != nil {
return err
}
//
// Neighbor Advertisement Message
// ICMP type 136, code 0. Bi-directional.
//
conditions = icmpConditions(136, 0, nil)
if _, err := f.addRules("NDP type 136", w, conditions, wf.ActionPermit, protocolV6, directionBoth); err != nil {
return err
}
//
// Redirect Message
// ICMP type 137, code 0. Incoming.
//
conditions = icmpConditions(137, 0, linkLocalRange)
if _, err := f.addRules("NDP type 137", w, conditions, wf.ActionPermit, protocolV6, directionInbound); err != nil {
return err
}
return nil
}
func (f *Firewall) permitDHCPv6(w weight) error {
var dhcpConditions = func(remoteAddrs ...interface{}) []*wf.Match {
conditions := []*wf.Match{
{
Field: wf.FieldIPProtocol,
Op: wf.MatchTypeEqual,
Value: wf.IPProtoUDP,
},
{
Field: wf.FieldIPLocalAddress,
Op: wf.MatchTypeEqual,
Value: linkLocalRange,
},
{
Field: wf.FieldIPLocalPort,
Op: wf.MatchTypeEqual,
Value: uint16(546),
},
{
Field: wf.FieldIPRemotePort,
Op: wf.MatchTypeEqual,
Value: uint16(547),
},
}
for _, a := range remoteAddrs {
conditions = append(conditions, &wf.Match{
Field: wf.FieldIPRemoteAddress,
Op: wf.MatchTypeEqual,
Value: a,
})
}
return conditions
}
conditions := dhcpConditions(linkLocalDHCPMulticast, siteLocalDHCPMulticast)
if _, err := f.addRules("DHCP request", w, conditions, wf.ActionPermit, protocolV6, directionOutbound); err != nil {
return err
}
conditions = dhcpConditions(linkLocalRange)
if _, err := f.addRules("DHCP response", w, conditions, wf.ActionPermit, protocolV6, directionInbound); err != nil {
return err
}
return nil
}
func (f *Firewall) permitDHCPv4(w weight) error {
var dhcpConditions = func(remoteAddrs ...interface{}) []*wf.Match {
conditions := []*wf.Match{
{
Field: wf.FieldIPProtocol,
Op: wf.MatchTypeEqual,
Value: wf.IPProtoUDP,
},
{
Field: wf.FieldIPLocalPort,
Op: wf.MatchTypeEqual,
Value: uint16(68),
},
{
Field: wf.FieldIPRemotePort,
Op: wf.MatchTypeEqual,
Value: uint16(67),
},
}
for _, a := range remoteAddrs {
conditions = append(conditions, &wf.Match{
Field: wf.FieldIPRemoteAddress,
Op: wf.MatchTypeEqual,
Value: a,
})
}
return conditions
}
conditions := dhcpConditions(netaddr.IPv4(255, 255, 255, 255))
if _, err := f.addRules("DHCP request", w, conditions, wf.ActionPermit, protocolV4, directionOutbound); err != nil {
return err
}
conditions = dhcpConditions()
if _, err := f.addRules("DHCP response", w, conditions, wf.ActionPermit, protocolV4, directionInbound); err != nil {
return err
}
return nil
}
func (f *Firewall) permitTunInterface(w weight) error {
condition := []*wf.Match{
{
Field: wf.FieldIPLocalInterface,
Op: wf.MatchTypeEqual,
Value: f.luid,
},
}
_, err := f.addRules("on TUN", w, condition, wf.ActionPermit, protocolAll, directionBoth)
return err
}
func (f *Firewall) permitLoopback(w weight) error {
condition := []*wf.Match{
{
Field: wf.FieldFlags,
Op: wf.MatchTypeEqual,
Value: wf.ConditionFlagIsLoopback,
},
}
_, err := f.addRules("on loopback", w, condition, wf.ActionPermit, protocolAll, directionBoth)
return err
}
func (f *Firewall) permitDNS(w weight) error {
conditions := []*wf.Match{
{
Field: wf.FieldIPRemotePort,
Op: wf.MatchTypeEqual,
Value: uint16(53),
},
// Repeat the condition type for logical OR.
{
Field: wf.FieldIPProtocol,
Op: wf.MatchTypeEqual,
Value: wf.IPProtoUDP,
},
{
Field: wf.FieldIPProtocol,
Op: wf.MatchTypeEqual,
Value: wf.IPProtoTCP,
},
}
_, err := f.addRules("DNS", w, conditions, wf.ActionPermit, protocolAll, directionBoth)
return err
}
func (f *Firewall) permitTailscaleService(w weight) error {
currentFile, err := os.Executable()
if err != nil {
return err
}
appID, err := wf.AppID(currentFile)
if err != nil {
return fmt.Errorf("could not get app id for %q: %w", currentFile, err)
}
conditions := []*wf.Match{
{
Field: wf.FieldALEAppID,
Op: wf.MatchTypeEqual,
Value: appID,
},
}
_, err = f.addRules("unrestricted traffic for Tailscale service", w, conditions, wf.ActionPermit, protocolAll, directionBoth)
return err
}
Loading…
Cancel
Save