int main() { HMODULE hNsi = LoadLibraryW(L"Nsi.dll"); NsiGetParameterProc _NsiGetParameter = (NsiGetParameterProc)GetProcAddress(hNsi, "NsiGetParameter"); // Declare and initialize variables PIP_INTERFACE_INFO pInfo = NULL; ULONG ulOutBufLen = 0; DWORD dwRetVal = 0; int iReturn = 1; int i; // Make an initial call to GetInterfaceInfo to get // the necessary size in the ulOutBufLen variable dwRetVal = GetInterfaceInfo(NULL, &ulOutBufLen); if (dwRetVal == ERROR_INSUFFICIENT_BUFFER) { pInfo = (IP_INTERFACE_INFO *)MALLOC(ulOutBufLen); if (pInfo == NULL) { printf ("Unable to allocate memory needed to call GetInterfaceInfo\n"); return 1; } } // Make a second call to GetInterfaceInfo to get // the actual data we need dwRetVal = GetInterfaceInfo(pInfo, &ulOutBufLen); if (dwRetVal == NO_ERROR) { printf("Number of Adapters: %ld\n\n", pInfo->NumAdapters); for (i = 0; i < pInfo->NumAdapters; i++) { printf("Adapter Index[%d]: %ld\n", i, pInfo->Adapter[i].Index); NET_LUID Luid; NETIO_STATUS st = ConvertInterfaceIndexToLuid(pInfo->Adapter[i].Index, &Luid); if (st == NO_ERROR) { BYTE OutputBuffer[0xB8] = { /* zero padding */ }; DWORD nsi_st = _NsiGetParameter(1, NPI_MS_IPV4_MODULEID, 7, &Luid, sizeof(Luid), 0, OutputBuffer, sizeof(OutputBuffer), 0); if (nsi_st == NO_ERROR) { PrintHex(OutputBuffer, sizeof(OutputBuffer)); } } } iReturn = 0; } else if (dwRetVal == ERROR_NO_DATA) { printf ("There are no network adapters with IPv4 enabled on the local system\n"); iReturn = 0; } else { printf("GetInterfaceInfo failed with error: %d\n", dwRetVal); iReturn = 1; } FREE(pInfo); return (iReturn); }
int uv_if_indextoname(unsigned int ifindex, char* buffer, size_t* size) { NET_LUID luid; wchar_t wname[NDIS_IF_MAX_STRING_SIZE + 1]; /* Add one for the NUL. */ DWORD bufsize; int r; if (buffer == NULL || size == NULL || *size == 0) return UV_EINVAL; r = ConvertInterfaceIndexToLuid(ifindex, &luid); if (r != 0) return uv_translate_sys_error(r); r = ConvertInterfaceLuidToNameW(&luid, wname, ARRAY_SIZE(wname)); if (r != 0) return uv_translate_sys_error(r); /* Check how much space we need */ bufsize = WideCharToMultiByte(CP_UTF8, 0, wname, -1, NULL, 0, NULL, NULL); if (bufsize == 0) { return uv_translate_sys_error(GetLastError()); } else if (bufsize > *size) { *size = bufsize; return UV_ENOBUFS; } /* Convert to UTF-8 */ bufsize = WideCharToMultiByte(CP_UTF8, 0, wname, -1, buffer, *size, NULL, NULL); if (bufsize == 0) return uv_translate_sys_error(GetLastError()); *size = bufsize - 1; return 0; }
/****************************************************************************** PacketFilter::StartFirewall - This public method starts firewall. *******************************************************************************/ BOOL PacketFilter::StartFirewall() { BOOL bStarted = FALSE; NET_LUID tapluid; PIP_ADAPTER_INFO pAdapterInfo; PIP_ADAPTER_INFO pAdapter = NULL; DWORD dwRetVal = 0; ULONG ulOutBufLen = sizeof(IP_ADAPTER_INFO); pAdapterInfo = (IP_ADAPTER_INFO *)MALLOC(sizeof(IP_ADAPTER_INFO)); if (pAdapterInfo == NULL) { printf("Error allocating memory needed to call GetAdaptersinfo\n"); return 1; } // Make an initial call to GetAdaptersInfo to get // the necessary size into the ulOutBufLen variable if (GetAdaptersInfo(pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW) { FREE(pAdapterInfo); pAdapterInfo = (IP_ADAPTER_INFO *)MALLOC(ulOutBufLen); if (pAdapterInfo == NULL) { printf("Error allocating memory needed to call GetAdaptersinfo\n"); return 2; } } if ((dwRetVal = GetAdaptersInfo(pAdapterInfo, &ulOutBufLen)) == NO_ERROR) { pAdapter = pAdapterInfo; while (pAdapter) { if ((strstr(pAdapter->Description, "TAP-Windows Adapter V9") != NULL) || (strstr(pAdapter->Description, "Viscosity Virtual Adapter") != NULL)) { if (ConvertInterfaceIndexToLuid(pAdapter->Index, &tapluid) == NO_ERROR) tapluids.push_back(tapluid.Value); } pAdapter = pAdapter->Next; } } else { printf("GetAdaptersInfo failed with error: %d\n", dwRetVal); } if (pAdapterInfo) FREE(pAdapterInfo); if (tapluids.size() <= 0) { printf("No TAP adapters found!\n"); return 3; } printf("Found %d TAP adapters\n", tapluids.size()); try { // Create packet filter interface. printf("before CreateDeleteInterface()\n"); if( ERROR_SUCCESS == CreateDeleteInterface(true) ) { printf("before BindUnbindInterface()\n"); // Bind to packet filter interface. if( ERROR_SUCCESS == BindUnbindInterface(true) ) { printf("before AddRemoveFilter()\n"); // Add filters. AddRemoveFilter(true); bStarted = TRUE; } } } catch(...) { printf("catch ...\n"); } return bStarted; }
/****************************************************************************** PacketFilter::StartFirewall - This public method starts firewall. *******************************************************************************/ BOOL PacketFilter::StartFirewall() { BOOL bStarted = FALSE; int tapadapter_index = -1; PIP_ADAPTER_INFO pAdapterInfo; PIP_ADAPTER_INFO pAdapter = NULL; DWORD dwRetVal = 0; ULONG ulOutBufLen = sizeof(IP_ADAPTER_INFO); pAdapterInfo = (IP_ADAPTER_INFO *)MALLOC(sizeof(IP_ADAPTER_INFO)); if (pAdapterInfo == NULL) { printf("Error allocating memory needed to call GetAdaptersinfo\n"); return 1; } // Make an initial call to GetAdaptersInfo to get // the necessary size into the ulOutBufLen variable if (GetAdaptersInfo(pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW) { FREE(pAdapterInfo); pAdapterInfo = (IP_ADAPTER_INFO *)MALLOC(ulOutBufLen); if (pAdapterInfo == NULL) { printf("Error allocating memory needed to call GetAdaptersinfo\n"); return 2; } } if ((dwRetVal = GetAdaptersInfo(pAdapterInfo, &ulOutBufLen)) == NO_ERROR) { pAdapter = pAdapterInfo; while (pAdapter) { if (strcmp(pAdapter->Description, "TAP-Windows Adapter V9") == 0) { tapadapter_index = pAdapter->Index; break; } pAdapter = pAdapter->Next; } } else { printf("GetAdaptersInfo failed with error: %d\n", dwRetVal); } if (pAdapterInfo) FREE(pAdapterInfo); NET_LUID tapluid; if (tapadapter_index < 0) { printf("Tap Adapter not found!\n"); return 3; } if (ConvertInterfaceIndexToLuid(tapadapter_index, &tapluid) != NO_ERROR) { printf("Cant find LUID for TAP adapter!\n"); return 4; } this->tapluid64 = tapluid.Value; try { // Create packet filter interface. if( ERROR_SUCCESS == CreateDeleteInterface( true ) ) { // Bind to packet filter interface. if( ERROR_SUCCESS == BindUnbindInterface( true ) ) { // Add filters. AddRemoveFilter( true ); bStarted = TRUE; } } } catch(...) { } return bStarted; }
DWORD add_block_dns_filters(HANDLE *engine_handle, int index, const WCHAR *exe_path, block_dns_msg_handler_t msg_handler ) { FWPM_SESSION0 session = {0}; FWPM_SUBLAYER0 *sublayer_ptr = NULL; NET_LUID tapluid; UINT64 filterid; FWP_BYTE_BLOB *openvpnblob = NULL; FWPM_FILTER0 Filter = {0}; FWPM_FILTER_CONDITION0 Condition[2] = {0}; DWORD err = 0; if (!msg_handler) { msg_handler = default_msg_handler; } /* Add temporary filters which don't survive reboots or crashes. */ session.flags = FWPM_SESSION_FLAG_DYNAMIC; *engine_handle = NULL; err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine_handle); CHECK_ERROR(err, "FwpEngineOpen: open fwp session failed"); msg_handler(0, "Block_DNS: WFP engine opened"); /* Check sublayer exists and add one if it does not. */ if (FwpmSubLayerGetByKey0(*engine_handle, &OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, &sublayer_ptr) == ERROR_SUCCESS) { msg_handler(0, "Block_DNS: Using existing sublayer"); FwpmFreeMemory0((void **)&sublayer_ptr); } else { /* Add a new sublayer -- as another process may add it in the meantime, * do not treat "already exists" as an error */ err = add_sublayer(OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER); if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS) { msg_handler(0, "Block_DNS: Added a persistent sublayer with pre-defined UUID"); } else { CHECK_ERROR(err, "add_sublayer: failed to add persistent sublayer"); } } err = ConvertInterfaceIndexToLuid(index, &tapluid); CHECK_ERROR(err, "Convert interface index to luid failed"); err = FwpmGetAppIdFromFileName0(exe_path, &openvpnblob); CHECK_ERROR(err, "Get byte blob for openvpn executable name failed"); /* Prepare filter. */ Filter.subLayerKey = OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER; Filter.displayData.name = FIREWALL_NAME; Filter.weight.type = FWP_UINT8; Filter.weight.uint8 = 0xF; Filter.filterCondition = Condition; Filter.numFilterConditions = 2; /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_PERMIT; Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; Condition[0].matchType = FWP_MATCH_EQUAL; Condition[0].conditionValue.type = FWP_UINT16; Condition[0].conditionValue.uint16 = 53; Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID; Condition[1].matchType = FWP_MATCH_EQUAL; Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE; Condition[1].conditionValue.byteBlob = openvpnblob; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv4 port 53 traffic from OpenVPN failed"); /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv6 port 53 traffic from OpenVPN failed"); msg_handler(0, "Block_DNS: Added permit filters for exe_path"); /* Third filter. Block all IPv4 DNS queries. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_BLOCK; Filter.weight.type = FWP_EMPTY; Filter.numFilterConditions = 1; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to block IPv4 DNS traffic failed"); /* Forth filter. Block all IPv6 DNS queries. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to block IPv6 DNS traffic failed"); msg_handler(0, "Block_DNS: Added block filters for all interfaces"); /* Fifth filter. Permit IPv4 DNS queries from TAP. * Use a non-zero weight so that the permit filters get higher priority * over the block filter added with automatic weighting */ Filter.weight.type = FWP_UINT8; Filter.weight.uint8 = 0xE; Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_PERMIT; Filter.numFilterConditions = 2; Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE; Condition[1].matchType = FWP_MATCH_EQUAL; Condition[1].conditionValue.type = FWP_UINT64; Condition[1].conditionValue.uint64 = &tapluid.Value; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv4 DNS traffic through TAP failed"); /* Sixth filter. Permit IPv6 DNS queries from TAP. * Use same weight as IPv4 filter */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv6 DNS traffic through TAP failed"); msg_handler(0, "Block_DNS: Added permit filters for TAP interface"); out: if (openvpnblob) { FwpmFreeMemory0((void **)&openvpnblob); } if (err && *engine_handle) { FwpmEngineClose0(*engine_handle); *engine_handle = NULL; } return err; }