[windows_kext] Add check for previously injected packets in the ALE layer

2025-04-22 20:09:09 +00:00 · 2024-06-12 18:06:42 +03:00 · 2024-06-12 18:06:42 +03:00 · db49f9a32d
commit db49f9a32d
parent 866aef1857
3 changed files with 18 additions and 1 deletions
--- a/windows_kext/driver/src/ale_callouts.rs
+++ b/windows_kext/driver/src/ale_callouts.rs
@ -109,6 +109,15 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
        return;
    };

+    // Check if packet was previously injected from the packet layer.
+    if device
+        .injector
+        .was_network_packet_injected_by_self(data.get_layer_data() as _, ale_data.is_ipv6)
+    {
+        data.action_permit();
+        return;
+    }
+
    match ale_data.protocol {
        IpProtocol::Tcp | IpProtocol::Udp => {
            // Only TCP and UDP make sense to be supported in the ALE layer.
@ -226,7 +235,11 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
        };

        // Connection is not in cache, add it.
-        crate::dbg!("ale layer adding connection: {} PID: {}", key, ale_data.process_id);
+        crate::dbg!(
+            "ale layer adding connection: {} PID: {}",
+            key,
+            ale_data.process_id
+        );
        if ale_data.is_ipv6 {
            let conn =
                ConnectionV6::from_key(&key, ale_data.process_id, ale_data.direction).unwrap();
--- a/windows_kext/driver/src/device.rs
+++ b/windows_kext/driver/src/device.rs
@ -164,6 +164,7 @@ impl Device {
                            crate::connection::Verdict::RedirectNameServer
                            | crate::connection::Verdict::RedirectTunnel => {
                                if let Some(redirect_info) = redirect_info {
+                                    // Will not redirect packets from ALE layer
                                    if let Err(err) = packet.redirect(redirect_info) {
                                        err!("failed to redirect packet: {}", err);
                                    }
@ -173,6 +174,8 @@ impl Device {
                                }
                            }
                            _ => {
+                                // Inject only ALE layer. This will trigger proper block/drop.
+                                // Packet layer just drop the packet.
                                if let Err(err) = self.inject_packet(packet, true) {
                                    err!("failed to inject packet: {}", err);
                                }
--- a/windows_kext/driver/src/packet_callouts.rs
+++ b/windows_kext/driver/src/packet_callouts.rs
@ -173,6 +173,7 @@ fn ip_packet_layer(
                        data.action_block();
                    }
                    Verdict::Undeterminable | Verdict::PermanentDrop | Verdict::Failed => {
+                        send_request_to_portmaster = false;
                        data.block_and_absorb();
                    }
                    Verdict::RedirectNameServer | Verdict::RedirectTunnel => {