Package for controlling the Windows firewall (aka Windows Filtering Platform, WFP)

wf

What

This is a package for controlling the Windows Filtering Platform (WFP), also known as the Windows firewall.

See its docs: https://godoc.org/inet.af/wf

Maturity

This package is under active development, and isn't used in production yet. API stability is not guaranteed, and functionality is missing.

Comments
  • Force ALE_USER_ID field to SECURITY_DESCRIPTOR type

    Based on the documentation, the FWPM_CONDITION_ALE_USER_ID field should have the type FWP_SECURITY_DESCRIPTOR_TYPE. This fix forces this type because WFP is incorrectly reporting TOKEN_ACCESS_INFORMATION_TYPE instead.

    Relevant Documentation.

    I believe I got the Sign-Off stuff right this time, but I've never used it before. :eye: :nose: :eye:

    This would fix #12.

  • Support Ranges for all sortable types

    Range values currently seem to be only supported implicitly when using an IP address field with a value of type netaddr.IPRange or for fields whose type is explicitly dataTypeRange (of which I couldn't find any, in my brief overview). This means that adding a Rule that matches e.g. a port range is not possible.

    This PR makes Range values usable for all sortable types (a list of which is found in the comment for FWP_MATCH_GREATER here: https://docs.microsoft.com/en-us/windows/win32/api/fwptypes/ne-fwptypes-fwp_match_type#constants).

    Please let me know if I can improve anything!

    P.S.: It also seems that building a Range from netaddr.IPRange is not possible due to the Range being built as Range{m.From, m.To} instead of Range{m.From(), m.To()}. Should I add a fix to this PR or open a separate one?

  • Fixed SECURITY_DESCRIPTOR serialization

    This fix wraps the SECURITY_DESCRIPTOR structure in a FWP_BYTE_BLOB structure to adhere to the documentation. I also corrected my tab/space usage from the previous merge (really, I just ran go fmt).

    Relevant Documentation

    This would fix #13.

  • Incorrect Serialization of SECURITY_DESCRIPTOR field

    The FWP_SECURITY_DESCRIPTOR_TYPE field type is being incorrectly serialized/copied in toValue0. Currently, the module copies the given security descriptor to the arena allocator and then sets the field value to the SECURITY_DESCRIPTOR pointer. However, according to the documentation, security descriptors are passed inside a FWP_BYTE_BLOB struct.

    I have some local modifications to make this work by copying the golang SECURITY_DESCRIPTOR to the arena (same as before), then creating a fwpByteBlob struct, and assigning Length to security_descriptor.Length() and Data to the arena-allocated SECURITY_DESCRIPTOR pointer. This is working for me to assign FWP_SECURITY_DESCRIPTOR_TYPE fields.

    ~~I will try to clean this up and bundle both this and #12 together in one PR since I have them working on my end if you're open to it.~~

    Edit: Instead of putting them together, I made two separate pull requests, since they are technically separate problems. I assume that will make review a bit easier. :+1:

  • Added persistent flag in toSublayer0

    This PR simply adds the correct flag to the fwpmSublayer0 struct in toSublayer0 based on the Persistent flag. I've tested this to work for me.

    This would fix #10.

  • .github/workflows: run on windows-2019 instead of windows-latest

    The tests used to pass but then started failing because the CI environment changed underfoot. Don't test on "latest". Pin to 2019 explicitly for now until we adjust the tests to be tolerant of 2019 vs 2022, and then we can add CI coverage for both.

  • Incorrect Type Reported by FWPM_CONDITION_ALE_USER_ID

    For some reason, the WFP reports the User ID field as taking a TOKEN_ACCESS_INFORMATION as the value type. However, the documentation indicates that it takes a SECURITY_DESCRIPTOR type.

    Anecdotally, dumping existing WFP rules with netsh wfp show filters does show existing/default filters using the SECURITY_DESCRIPTOR type for ALE_USER_ID fields.

    Any idea why there is a mismatch here? It seems to be coming directly from the Win32 layer enumeration methods and not from your module, but I'm interested in any insight you may have. I've been able to work around this by forcing the type for this specific field to typeSecurityDescriptor in func fieldType(f *fwpmField0) (reflect.Type, error), but that seemed rather hacky.

  • toSublayer0 does not pass Persistent flag

    When creating a sublayer, the function toSublayer0 is used to serialize the wf.Sublayer struct into the required fwpmSublayer0 struct in order to pass into the Win32 API. The Flags field should be set to fwpmSublayerFlagsPersistent when the Persistent option is set to true.

    This is the same process as when constructing the fwpmProvider0 structure as seen just below it in compose.go:

    // toSublayer0 converts sl into an arena-allocated fwpmSublayer0.
    func toSublayer0(a *arena, sl *Sublayer) *fwpmSublayer0 {
    	ret := (*fwpmSublayer0)(a.Alloc(unsafe.Sizeof(fwpmSublayer0{})))
    	*ret = fwpmSublayer0{
    		SublayerKey: sl.ID,
    		DisplayData: fwpmDisplayData0{
    			Name:        toUint16(a, sl.Name),
    			Description: toUint16(a, sl.Description),
    		},
    		ProviderKey: toGUID(a, windows.GUID(sl.Provider)),
    		ProviderData: fwpByteBlob{
    			Size: uint32(len(sl.ProviderData)),
    			Data: toBytes(a, sl.ProviderData),
    		},
    		Weight: sl.Weight,
    	}
    
    	return ret
    }
    
    // toProvider0 converts p into an arena-allocated fwpmProvider0.
    func toProvider0(a *arena, p *Provider) *fwpmProvider0 {
    	ret := (*fwpmProvider0)(a.Alloc(unsafe.Sizeof(fwpmProvider0{})))
    	*ret = fwpmProvider0{
    		ProviderKey: p.ID,
    		DisplayData: fwpmDisplayData0{
    			Name:        toUint16(a, p.Name),
    			Description: toUint16(a, p.Description),
    		},
    		ProviderData: fwpByteBlob{
    			Size: uint32(len(p.Data)),
    			Data: toBytes(a, p.Data),
    		},
    		ServiceName: toUint16(a, p.ServiceName),
    	}
    	if p.Persistent {
    		ret.Flags = fwpmProviderFlagsPersistent
    	}
    
    	return ret
    }
    
  • types: add missing RawContext field in fwpmFilter0

    Addresses the first issue in https://github.com/tailscale/tailscale/issues/3260#issuecomment-962858025

    I have tested this on Windows 7 32bit and it works fine. I still have to test it on a 64 bit machine and other windows versions.

    Signed-off-by: Maisem Ali [email protected]

  • Drop usage of //go:notinheap pragma

    In go1.20, the //go:notinheap pragma will be removed; see more details in this CL stack: https://go-review.googlesource.com/c/go/+/421878

    //go:notinheap was first introduced for internal use in the runtime package only; user code should not rely on it. There are a number of places using //go:notinheap in https://github.com/inetaf/wf/blob/2db5c3d6461ca87de5e8bb3644858c02ad0dae7a/types.go

    We should remove them.

  • Error with filter by Ip range

    First of all, thank you for this beautiful package! I think I've found a problem when trying to set an IP range:

    	// Get the absolute path of the current program
    	execPath := "C:\\Windows\\system32\\cmd.exe"
    	// Ask windows for the corresponding application ID
    	appID, err := wf.AppID(execPath)
    	if err != nil {
    		println("Error Getting AppID:", err)
    	}
    	ruleGuid, _ := windows.GenerateGUID()
    	iprange, err := netaddr.ParseIPRange("192.168.1.10-192.168.1.25")
    	if err != nil {
    		println("Error parsing IP:", err)
    	}
    	err = session.AddRule(&wf.Rule{
    		ID:       wf.RuleID(ruleGuid),
    		Name:     "My Rule",
    		Layer:    wf.LayerALEAuthConnectV4,
    		Sublayer: sublayerID,
    		Weight:   900,
    		Conditions: []*wf.Match{
    			{
    				Field: wf.FieldALEAppID,
    				Op:    wf.MatchTypeEqual,
    				Value: appID,
    			},
    			{
    				Field: wf.FieldIPRemoteAddress,
    				Op:    wf.MatchTypeRange,
    				Value: iprange, // IP Range
    			},
    		},
    		Action: wf.ActionBlock,
    	})
    

    Cannot add rule: (0x1bada0,0xc00032b120)
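
The range semantics behind the "Support Ranges for all sortable types" PR above and this IP-range report, as an added example (not the wf package's own code): an inclusive From/To interval for sortable scalars and for IP addresses, validated before it is turned into a rule condition. The Ordered constraint, Range and IPRange types are constructed here to mirror the shape of a FWP_MATCH_RANGE value; they are not wf's own Range type.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Ordered covers the integer value types WFP sorts numerically (FWP_UINT8..FWP_INT64).
type Ordered interface {
	~int8 | ~int16 | ~int32 | ~int64 | ~uint8 | ~uint16 | ~uint32 | ~uint64
}

// Range is an inclusive [From, To] interval, as a FWP_MATCH_RANGE condition on a sortable scalar.
type Range[T Ordered] struct{ From, To T }

// Validate rejects an interval that can never match before it reaches the API,
// where it would only surface as an opaque add-rule error.
func (r Range[T]) Validate() error {
	if r.From > r.To {
		return fmt.Errorf("range low %v exceeds high %v", r.From, r.To)
	}
	return nil
}

// Contains reports whether v lies inside the inclusive interval.
func (r Range[T]) Contains(v T) bool { return r.From <= v && v <= r.To }

// IPRange is the address counterpart; netip.Addr.Compare orders one family byte-wise like WFP.
type IPRange struct{ From, To netip.Addr }

// Validate additionally refuses mixed address families.
func (r IPRange) Validate() error {
	if r.From.Is4() != r.To.Is4() {
		return fmt.Errorf("mixed address families %v-%v", r.From, r.To)
	}
	if r.From.Compare(r.To) > 0 {
		return fmt.Errorf("range low %v exceeds high %v", r.From, r.To)
	}
	return nil
}

// Contains reports whether a lies inside the range (same family only).
func (r IPRange) Contains(a netip.Addr) bool {
	return a.Is4() == r.From.Is4() && r.From.Compare(a) <= 0 && a.Compare(r.To) <= 0
}

func main() {
	ports := Range[uint16]{From: 8000, To: 8080} // constructed sample port range
	fmt.Println(ports.Validate(), ports.Contains(8080), ports.Contains(7999))
}
```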

  • Expose TOKEN_ACCESS_INFORMATION in x/sys/windows

    WFP provides access to TOKEN_ACCESS_INFORMATION structs in some filters. This is a standard winnt.h struct, so it should be exposed by x/sys/windows.

    For now, there's just a placeholder in this package, so that field reflection can provide some type.
