/* Prepare filter. */
Filter.subLayerKey = SubLayer.subLayerKey;
Filter.displayData.name = FIREWALL_NAME;
- Filter.weight.type = FWP_EMPTY;
+ Filter.weight.type = FWP_UINT8;
+ Filter.weight.uint8 = 0xF;
Filter.filterCondition = Condition;
Filter.numFilterConditions = 2;
- /* First filter. Block IPv4 DNS queries except from OpenVPN itself. */
+ /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
- Filter.action.type = FWP_ACTION_BLOCK;
+ Filter.action.type = FWP_ACTION_PERMIT;
Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
Condition[0].matchType = FWP_MATCH_EQUAL;
Condition[0].conditionValue.uint16 = 53;
Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID;
- Condition[1].matchType = FWP_MATCH_NOT_EQUAL;
+ Condition[1].matchType = FWP_MATCH_EQUAL;
Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE;
Condition[1].conditionValue.byteBlob = openvpnblob;
/* Add filter condition to our interface. */
if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
goto err;
- dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid);
+ dmsg (D_LOW, "Filter (Permit OpenVPN IPv4 DNS) added with ID=%I64d", filterid);
- /* Second filter. Block IPv6 DNS queries except from OpenVPN itself. */
+ /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
/* Add filter condition to our interface. */
+ if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
+ goto err;
+ dmsg (D_LOW, "Filter (Permit OpenVPN IPv6 DNS) added with ID=%I64d", filterid);
+
+ /* Third filter. Block all IPv4 DNS queries. */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+ Filter.action.type = FWP_ACTION_BLOCK;
+ Filter.weight.type = FWP_EMPTY;
+ Filter.numFilterConditions = 1;
+
+ if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
+ goto err;
+ dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid);
+
+ /* Forth filter. Block all IPv6 DNS queries. */
+ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+
if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
goto err;
dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid);
- /* Third filter. Permit IPv4 DNS queries from TAP. */
+ /* Fifth filter. Permit IPv4 DNS queries from TAP. */
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
Filter.action.type = FWP_ACTION_PERMIT;
+ Filter.numFilterConditions = 2;
Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
Condition[1].matchType = FWP_MATCH_EQUAL;
goto err;
dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with ID=%I64d", filterid);
- /* Forth filter. Permit IPv6 DNS queries from TAP. */
+ /* Sixth filter. Permit IPv6 DNS queries from TAP. */
Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
/* Add filter condition to our interface. */
projects / thirdparty / openvpn.git / commitdiff
