From 916a83a2a01ddfaf42df1c740bac1e82fba9bb36 Mon Sep 17 00:00:00 2001
From: Vladimir Stoilov
Date: Wed, 5 Jun 2024 15:22:45 +0300
Subject: [PATCH] [windows_kext] Update docs and few minor fixes

---
 windows_kext/PacketFlow.md | 9 +++++----
 windows_kext/driver/src/ale_callouts.rs | 15 ++++++---------
 windows_kext/driver/src/packet_callouts.rs | 10 ++++++++++
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/windows_kext/PacketFlow.md b/windows_kext/PacketFlow.md
index 67eab5f31..d4adecbc4 100644
--- a/windows_kext/PacketFlow.md
+++ b/windows_kext/PacketFlow.md
@@ -26,12 +26,11 @@ For outgoing connections this logic fallows:
   - If Packet is not TCP/UDP forward to packet layer
 For incoming connection this logic fallow:
-  - Packet enter in one of the Packet layer, if packet is TCP or UDP it will be forwarded to ALE layer. From there:
+  - Packet enter in one of the Packet layer:
     1. Save packet and absorb.
     2. Send an event to Portmaster.
-    2. Create a cache entry.
+    2. Create a cache entry if the protocol is TCP or UDP.
     3. Wait for Portmasters decision.
-  - If Packet is not TCP/UDP. It will be handled only by the packet layer.
 If more packets arrive before Portmaster returns a decision, packet will be absorbed and another event will be sent.
@@ -49,7 +48,9 @@ The next steps depend of the direction of the packet and the verdict
   - Always Allow - this connections are solely handled by the packet layer. (This is true only for outgoing connections)
 * Permanent or Temporary Verdict / Incoming connection
-  - Allow / Block / Drop directly in the ALE layer. They always go through the packet layer first no need to do anything special
+  - Allow / Block / Drop. Handled by the Packet layer
+
+> There is no defined ALE layers for inbound connection. Inbound packets are handed compactly by the packet layer
 
 Fallowing specifics apply to the ALE layer:
 1. Connections with flag `reauthorize == false` are special. When the flag is `false` that means that a applications is calling a function `connect()` or `accept()` for a connection. This is a special case because we control the result of the function, telling the application that it's allowed or not allowed to continue with the connection. Since we are making request to Portmaster we need to take longer time. This is done with pending the packet. This allows the kernel extension to pause the event and continue when it has the verdict. See `ale_callouts.rs -> save_packet()` function.
diff --git a/windows_kext/driver/src/ale_callouts.rs b/windows_kext/driver/src/ale_callouts.rs
index 8e4d3070e..7ab824e5d 100644
--- a/windows_kext/driver/src/ale_callouts.rs
+++ b/windows_kext/driver/src/ale_callouts.rs
@@ -226,7 +226,7 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
     };
     // Connection is not in cache, add it.
-    crate::dbg!("adding connection: {} PID: {}", key, ale_data.process_id);
+    crate::dbg!("ale layer adding connection: {} PID: {}", key, ale_data.process_id);
     if ale_data.is_ipv6 {
         let conn = ConnectionV6::from_key(&key, ale_data.process_id, ale_data.direction).unwrap();
 
@@ -250,15 +250,12 @@ fn save_packet(
 ) -> Result {
     let mut packet_list = None;
     let mut save_packet_list = true;
-    match ale_data.protocol {
-        IpProtocol::Tcp => {
-            if let Direction::Outbound = ale_data.direction {
-                // Only time a packet data is missing is during connect state of outbound TCP connection.
-                // Don't save packet list only if connection is outbound, reauthorize is false and the protocol is TCP.
-                save_packet_list = ale_data.reauthorize;
-            }
+    if ale_data.protocol == IpProtocol::Tcp {
+        if let Direction::Outbound = ale_data.direction {
+            // Only time a packet data is missing is during connect state of outbound TCP connection.
+            // Don't save packet list only if connection is outbound, reauthorize is false and the protocol is TCP.
+            save_packet_list = ale_data.reauthorize;
         }
-        _ => {}
     };
     if save_packet_list {
         packet_list = create_packet_list(device, callout_data, ale_data);
diff --git a/windows_kext/driver/src/packet_callouts.rs b/windows_kext/driver/src/packet_callouts.rs
index f4491092e..6b0cf8e44 100644
--- a/windows_kext/driver/src/packet_callouts.rs
+++ b/windows_kext/driver/src/packet_callouts.rs
@@ -201,6 +201,16 @@ fn ip_packet_layer(
                     continue;
                 }
             }
+        } else {
+            // Connections is not in the cache.
+            crate::dbg!("packet layer adding connection: {} PID: 0", key);
+            if ipv6 {
+                let conn = ConnectionV6::from_key(&key, 0, direction).unwrap();
+                device.connection_cache.add_connection_v6(conn);
+            } else {
+                let conn = ConnectionV4::from_key(&key, 0, direction).unwrap();
+                device.connection_cache.add_connection_v4(conn);
+            }
         }
     }
 
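Review bot: The `};` left after the new `if` block in save_packet is a leftover from the removed `match` expression; it still compiles, but a bare `;` after an `if` statement reads as an accident and rustfmt/clippy will flag it, so it should become `}`. While here, the nested `if` / `if let` expresses a single condition and can be flattened to `if ale_data.protocol == IpProtocol::Tcp && matches!(ale_data.direction, Direction::Outbound) {` / `save_packet_list = ale_data.reauthorize;` / `}`, keeping the two explanatory comments above the assignment. The new `==` comparison presumably relies on `IpProtocol` deriving `PartialEq`; that is not visible in the hunk, so confirm it rather than rely on the build. The body of save_packet starts before this hunk.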
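Review bot: The two `.unwrap()` calls in the new `else` branch of ip_packet_layer sit on the packet path, where `key` is derived from an inbound packet the driver does not control; if `ConnectionV6::from_key` / `ConnectionV4::from_key` can fail for some keys (their return type is not visible here), the failure becomes a kernel panic triggered by network traffic rather than a dropped packet. Replace each `.unwrap()` with a `let … else` that logs via `crate::dbg!` and skips the cache insert, whichever of `Option`/`Result` the constructors return. Separately, this branch now inserts a PID-0 entry for every key not already cached, with no protocol check visible in the hunk even though PacketFlow.md in this same commit says entries are created only for TCP/UDP; confirm that the filter lives earlier in ip_packet_layer (which starts outside the hunk) and that `connection_cache` has a bound or expiry, since unsolicited inbound traffic would otherwise grow it without limit in kernel memory. The comment should also read `// Connection is not in the cache.`.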