public void RemoveAllRules()
{
lock (m_rules)
{
foreach (WfpItem item in m_rules.Values)
{
Wfp.RemoveItem(item);
}
m_rules.Clear();
}
}
/*
* public override void OnRecoveryLoad(XmlElement root)
* {
* base.OnRecoveryLoad(root);
*
* if (root.HasAttribute("ids"))
* {
* string list = root.GetAttribute("ids");
* string[] ids = list.Split(';');
* foreach(string id in ids)
* {
* ulong nid;
* if(ulong.TryParse(id, out nid))
* Wfp.RemoveItemId(nid);
* }
* }
* }
*
* public override void OnRecoverySave(XmlElement root)
* {
* base.OnRecoverySave(root);
*
* lock (m_rules)
* {
* string list = "";
* foreach (WfpItem item in m_rules.Values)
* {
* foreach (ulong id in item.FirewallIds)
* list += id.ToString() + ";";
* }
* root.SetAttributeNode("ids", list);
* }
* }
*/
public void AddRule(string code, XmlElement xmlRule)
{
lock (m_rules)
{
if (m_rules.ContainsKey(code))
{
throw new Exception("Unexpected: NetLock WFP rule '" + code + "' already exists");
}
WfpItem item = Wfp.AddItem(code, xmlRule);
m_rules[code] = item;
}
}
public override void AllowInterface(string id)
{
base.AllowInterface(id);
AddRule("netlock_allow_interface_" + id + "_ipv4", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv4", id, "ipv4"));
/*
* // TOFIX: Must be enabled in future when IPv6 support is well tested.
* // Remember: May fail at WFP side with a "Unknown interface" because network interface with IPv6 disabled have Ipv6IfIndex == 0.
* if (Engine.Instance.Storage.GetLower("ipv6.mode") != "disable")
* AddRule("netlock_allow_interface_" + id + "_ipv6", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv6", id, "ipv6"));
*/
}
public void RemoveRule(string code)
{
lock (m_rules)
{
if (m_rules.ContainsKey(code) == false)
{
return;
}
//throw new Exception("Unexpected: NetLock WFP rule '" + code + "' doesn't exists");
WfpItem item = m_rules[code];
m_rules.Remove(code);
Wfp.RemoveItem(item);
}
}
public override void AllowInterface(string id)
{
base.AllowInterface(id);
Json jInfo = Engine.Instance.FindNetworkInterfaceInfo(id);
// Remember: Fail at WFP side with a "Unknown interface" if the network interface have IPv4 or IPv6 disabled (Ipv6IfIndex == 0).
if ((jInfo != null) && (jInfo.HasKey("support_ipv4")) && (Conversions.ToBool(jInfo["support_ipv4"].Value)))
{
AddRule("netlock_allow_interface_" + id + "_ipv4", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv4", id, "ipv4"));
}
if ((jInfo != null) && (jInfo.HasKey("support_ipv6")) && (Conversions.ToBool(jInfo["support_ipv6"].Value)))
{
AddRule("netlock_allow_interface_" + id + "_ipv6", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv6", id, "ipv6"));
}
}
public override void Activation()
{
base.Activation();
// Block All
if (Engine.Instance.Storage.Get("netlock.incoming") == "block")
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - In - Block All");
xmlRule.SetAttribute("layer", "all-in");
xmlRule.SetAttribute("action", "block");
AddRule("netlock_in_block_all", xmlRule);
}
if (Engine.Instance.Storage.Get("netlock.outgoing") == "block")
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Out - Block All");
xmlRule.SetAttribute("layer", "all-out");
xmlRule.SetAttribute("action", "block");
AddRule("netlock_out_block_all", xmlRule);
}
// Allow Eddie / OpenVPN / Stunnel / Plink
AddRule("netlock_allow_eddie", Wfp.CreateItemAllowProgram("NetLock - Allow Eddie", Platform.Instance.GetExecutablePath()));
if (Engine.Instance.Storage.GetLower("proxy.mode") == "tor")
{
string path = TorControl.GetTorExecutablePath();
if (path != "")
{
AddRule("netlock_allow_tor", Wfp.CreateItemAllowProgram("NetLock - Allow Tor", path));
}
}
// Allow loopback
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Allow loopback");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_local_interface");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("interface", "loopback");
AddRule("netlock_allow_loopback", xmlRule);
}
if (Engine.Instance.Storage.GetBool("netlock.allow_ping") == true)
{
// Allow ICMP
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Allow ICMP");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_protocol");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("protocol", "icmp");
AddRule("netlock_allow_icmp", xmlRule);
}
}
if (Engine.Instance.Storage.GetBool("netlock.allow_private") == true)
{
AddRule("netlock_allow_ipv4_local1", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 1 - IPv4", new IpAddress("192.168.0.0/255.255.0.0")));
AddRule("netlock_allow_ipv4_local2", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 2 - IPv4", new IpAddress("172.16.0.0/255.240.0.0")));
AddRule("netlock_allow_ipv4_local3", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 3 - IPv4", new IpAddress("10.0.0.0/255.0.0.0")));
AddRule("netlock_allow_ipv4_multicast", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Multicast - IPv4", new IpAddress("224.0.0.0/255.255.255.0")));
AddRule("netlock_allow_ipv4_ssdp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Simple Service Discovery Protocol address", new IpAddress("239.255.255.250/255.255.255.255")));
AddRule("netlock_allow_ipv4_slp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Service Location Protocol", new IpAddress("239.255.255.253/255.255.255.255")));
}
// Without this, Windows stay in 'Identifying network...' and OpenVPN in 'Waiting TUN to come up'. // Note 2018: don't occur in Win10?
if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Allow DHCP");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_protocol");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("protocol", "udp");
XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf2);
XmlIf2.SetAttribute("field", "ip_local_port");
XmlIf2.SetAttribute("match", "equal");
XmlIf2.SetAttribute("port", "68");
XmlElement XmlIf3 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf3);
XmlIf3.SetAttribute("field", "ip_remote_port");
XmlIf3.SetAttribute("match", "equal");
XmlIf3.SetAttribute("port", "67");
AddRule("netlock_allow_dhcp", xmlRule);
}
OnUpdateIps();
}
public override void AllowProgram(string path, string name, string guid)
{
base.AllowProgram(path, name, guid);
AddRule("netlock_allow_program_" + guid, Wfp.CreateItemAllowProgram("NetLock - Program - Allow " + name, path));
}
