vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-01 10:09:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

[windows_kext] Add check for previously injected packets in the ALE layer

Browse source
This commit is contained in:
Vladimir Stoilov 2024-06-12 18:06:42 +03:00
parent 866aef1857
commit db49f9a32d
No known key found for this signature in database
GPG key ID: 2F190B67A43A81AF
3 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
windows_kext/driver/src/ale_callouts.rs
View file

@ -109,6 +109,15 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
return; return;
}; };
// Check if packet was previously injected from the packet layer.
if device
.injector
.was_network_packet_injected_by_self(data.get_layer_data() as _, ale_data.is_ipv6)
{
data.action_permit();
return;
}
match ale_data.protocol { match ale_data.protocol {
IpProtocol::Tcp | IpProtocol::Udp => { IpProtocol::Tcp | IpProtocol::Udp => {
// Only TCP and UDP make sense to be supported in the ALE layer. // Only TCP and UDP make sense to be supported in the ALE layer.
@ -226,7 +235,11 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
}; };
// Connection is not in cache, add it. // Connection is not in cache, add it.
crate::dbg!("ale layer adding connection: {} PID: {}", key, ale_data.process_id); crate::dbg!(
"ale layer adding connection: {} PID: {}",
key,
ale_data.process_id
);
if ale_data.is_ipv6 { if ale_data.is_ipv6 {
let conn = let conn =
ConnectionV6::from_key(&key, ale_data.process_id, ale_data.direction).unwrap(); ConnectionV6::from_key(&key, ale_data.process_id, ale_data.direction).unwrap();

3
windows_kext/driver/src/device.rs
View file

@ -164,6 +164,7 @@ impl Device {
crate::connection::Verdict::RedirectNameServer crate::connection::Verdict::RedirectNameServer
| crate::connection::Verdict::RedirectTunnel => { | crate::connection::Verdict::RedirectTunnel => {
if let Some(redirect_info) = redirect_info { if let Some(redirect_info) = redirect_info {
// Will not redirect packets from ALE layer
if let Err(err) = packet.redirect(redirect_info) { if let Err(err) = packet.redirect(redirect_info) {
err!("failed to redirect packet: {}", err); err!("failed to redirect packet: {}", err);
} }
@ -173,6 +174,8 @@ impl Device {
} }
} }
_ => { _ => {
// Inject only ALE layer. This will trigger proper block/drop.
// Packet layer just drop the packet.
if let Err(err) = self.inject_packet(packet, true) { if let Err(err) = self.inject_packet(packet, true) {
err!("failed to inject packet: {}", err); err!("failed to inject packet: {}", err);
} }

1
windows_kext/driver/src/packet_callouts.rs
View file

@ -173,6 +173,7 @@ fn ip_packet_layer(
data.action_block(); data.action_block();
} }
Verdict::Undeterminable | Verdict::PermanentDrop | Verdict::Failed => { Verdict::Undeterminable | Verdict::PermanentDrop | Verdict::Failed => {
send_request_to_portmaster = false;
data.block_and_absorb(); data.block_and_absorb();
} }
Verdict::RedirectNameServer | Verdict::RedirectTunnel => { Verdict::RedirectNameServer | Verdict::RedirectTunnel => {