From 2a546ddc28ed2162001e7cd63c7367a0aab43364 Mon Sep 17 00:00:00 2001
From: Mykola Baibuz
Date: Sat, 5 Apr 2025 12:33:59 +0300
Subject: [PATCH] Add exclusion method for Windows firewall

---
 .../windows/daemon/windowsfirewall.cpp | 31 +++++++++++++++++++
 .../windows/daemon/windowsfirewall.h | 1 +
 service/server/killswitch.cpp | 4 +++
 3 files changed, 36 insertions(+)

diff --git a/client/platforms/windows/daemon/windowsfirewall.cpp b/client/platforms/windows/daemon/windowsfirewall.cpp
index 63f7818b..85a2a155 100644
--- a/client/platforms/windows/daemon/windowsfirewall.cpp
+++ b/client/platforms/windows/daemon/windowsfirewall.cpp
@@ -241,6 +241,37 @@ bool WindowsFirewall::enableLanBypass(const QList& ranges) {
   return true;
 }
 
+// Allow unprotected traffic sent to the following address ranges.
+bool WindowsFirewall::allowTrafficRange(const QStringList& ranges) {
+  // Start the firewall transaction
+  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
+  if (result != ERROR_SUCCESS) {
+    disableKillSwitch();
+    return false;
+  }
+  auto cleanup = qScopeGuard([&] {
+    FwpmTransactionAbort0(m_sessionHandle);
+    disableKillSwitch();
+  });
+
+  for (const QString& addr : ranges) {
+    logger.debug() << "Allow killswitch exclude: " << addr;
+    if (!allowTrafficTo(QHostAddress(addr), LOW_WEIGHT + 1, "Allow killswitch bypass traffic")) {
+      return false;
+    }
+  }
+
+  result = FwpmTransactionCommit0(m_sessionHandle);
+  if (result != ERROR_SUCCESS) {
+    logger.error() << "FwpmTransactionCommit0 failed with error:" << result;
+    return false;
+  }
+
+  cleanup.dismiss();
+  return true;
+}
+
+
 bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
   // Start the firewall transaction
   auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
diff --git a/client/platforms/windows/daemon/windowsfirewall.h b/client/platforms/windows/daemon/windowsfirewall.h
index f7dc84e2..9a0062da 100644
--- a/client/platforms/windows/daemon/windowsfirewall.h
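Review bot: The loop in allowTrafficRange hands each entry to `QHostAddress(addr)` without checking the result, so an entry that does not parse (for example one carrying a `/prefix`, which QHostAddress does not accept) reaches allowTrafficTo as a null address, and what that ends up permitting depends on allowTrafficTo, which is outside the hunk. Validate before building the filter: `const QHostAddress host(addr);` followed by `if (host.isNull()) { logger.error() << "Invalid killswitch exclusion:" << addr; return false; }`, and if the entries really are ranges rather than single hosts, parse them with QHostAddress::parseSubnet and a subnet-aware permit instead. Note also that any failure inside the transaction, a malformed entry included, runs the scope guard's `disableKillSwitch()`, so one bad string in the exclusion list fails open and removes protection for all traffic; if that mirrors the existing enablePeerTraffic pattern it may be intentional, but for a bypass list it deserves a second look. The FwpmTransactionBegin failure path also returns silently while the commit path logs; a matching `logger.error() << "FwpmTransactionBegin failed with error:" << result;` there would make the fail-open visible in the daemon log.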
+++ b/client/platforms/windows/daemon/windowsfirewall.h
@@ -44,6 +44,7 @@ class WindowsFirewall final : public QObject {
   bool disablePeerTraffic(const QString& pubkey);
   bool disableKillSwitch();
   bool allowAllTraffic();
+  bool allowTrafficRange(const QStringList& ranges);
 
  private:
   static bool initSublayer();
diff --git a/service/server/killswitch.cpp b/service/server/killswitch.cpp
index 30fb837c..9559e299 100644
--- a/service/server/killswitch.cpp
+++ b/service/server/killswitch.cpp
@@ -165,6 +165,10 @@ bool KillSwitch::allowTrafficTo(const QStringList &ranges) {
   MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), true, QStringLiteral("allownets"), ranges);
 #endif
 
+#ifdef Q_OS_WIN
+  WindowsFirewall::create(this)->allowTrafficRange(ranges);
+#endif
+
   return true;
 }
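Review bot: The return value of `WindowsFirewall::create(this)->allowTrafficRange(ranges)` is dropped, so KillSwitch::allowTrafficTo still returns `true` when the Windows rules were not committed (and, per the windowsfirewall.cpp hunk, the kill switch may have been disabled on that path), leaving the caller with no signal that the exclusion is not in effect. Propagate it: `if (!WindowsFirewall::create(this)->allowTrafficRange(ranges)) return false;`. Whether `create()` can return nullptr is not visible here; if it can, the call needs a guard as well. The enclosing function begins outside the hunk.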