safing · dhaavi · Jul 2, 2024 · Jun 27, 2024 · Jun 28, 2024 · Jun 28, 2024
diff --git a/service/firewall/interception/windowskext2/handler.go b/service/firewall/interception/windowskext2/handler.go
@@ -5,11 +5,13 @@ package windowskext
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"time"
 
 	"github.com/safing/portmaster/service/process"
+	"github.com/safing/portmaster/windows_kext/kextinterface"
 
 	"github.com/tevino/abool"
 
@@ -32,8 +34,15 @@ func (v *VersionInfo) String() string {
 func Handler(ctx context.Context, packets chan packet.Packet, bandwidthUpdate chan *packet.BandwidthUpdate) {
 	for {
 		packetInfo, err := RecvVerdictRequest()
+
+		if errors.Is(err, kextinterface.ErrUnexpectedInfoSize) || errors.Is(err, kextinterface.ErrUnexpectedReadError) {
+			log.Criticalf("unexpected kext info data: %s", err)
+			continue // Depending on the info type this may not affect the functionality. Try to continue reading the next commands.
+		}
+
 		if err != nil {
 			log.Warningf("failed to get packet from windows kext: %s", err)
+			// Probably IO error, nothing else we can do.
 			return
 		}
 

diff --git a/service/firewall/interception/windowskext2/kext.go b/service/firewall/interception/windowskext2/kext.go
@@ -39,9 +39,12 @@ func Start() error {
 	}
 
 	// Start service and open file
-	service.Start(true)
-	kextFile, err = service.OpenFile(1024)
+	err = service.Start(true)
+	if err != nil {
+		log.Errorf("failed to start service: %s", err)
+	}
 
+	kextFile, err = service.OpenFile(1024)
 	if err != nil {
 		return fmt.Errorf("failed to open driver: %w", err)
 	}
@@ -130,7 +133,7 @@ func UpdateVerdict(conn *network.Connection) error {
 			LocalPort:     conn.LocalPort,
 			RemoteAddress: [4]byte(conn.Entity.IP),
 			RemotePort:    conn.Entity.Port,
-			Verdict:       uint8(conn.Verdict),
+			Verdict:       uint8(getKextVerdictFromConnection(conn)),
 		}
 
 		return kextinterface.SendUpdateV4Command(kextFile, update)
@@ -141,14 +144,48 @@ func UpdateVerdict(conn *network.Connection) error {
 			LocalPort:     conn.LocalPort,
 			RemoteAddress: [16]byte(conn.Entity.IP),
 			RemotePort:    conn.Entity.Port,
-			Verdict:       uint8(conn.Verdict),
+			Verdict:       uint8(getKextVerdictFromConnection(conn)),
 		}
 
 		return kextinterface.SendUpdateV6Command(kextFile, update)
 	}
 	return nil
 }
 
+func getKextVerdictFromConnection(conn *network.Connection) kextinterface.KextVerdict {
+	switch conn.Verdict {
+	case network.VerdictUndecided:
+		return kextinterface.VerdictUndecided
+	case network.VerdictUndeterminable:
+		return kextinterface.VerdictUndeterminable
+	case network.VerdictAccept:
+		if conn.VerdictPermanent {
+			return kextinterface.VerdictPermanentAccept
+		} else {
+			return kextinterface.VerdictAccept
+		}
+	case network.VerdictBlock:
+		if conn.VerdictPermanent {
+			return kextinterface.VerdictPermanentBlock
+		} else {
+			return kextinterface.VerdictBlock
+		}
+	case network.VerdictDrop:
+		if conn.VerdictPermanent {
+			return kextinterface.VerdictPermanentDrop
+		} else {
+			return kextinterface.VerdictDrop
+		}
+	case network.VerdictRerouteToNameserver:
+		return kextinterface.VerdictRerouteToNameserver
+	case network.VerdictRerouteToTunnel:
+		return kextinterface.VerdictRerouteToTunnel
+	case network.VerdictFailed:
+		return kextinterface.VerdictFailed
+	}
+	return kextinterface.VerdictUndeterminable
+}
+
 // Returns the kext version.
 func GetVersion() (*VersionInfo, error) {
 	data, err := kextinterface.ReadVersion(kextFile)

diff --git a/windows_kext/driver/Cargo.lock b/windows_kext/driver/Cargo.lock
diff --git a/windows_kext/driver/Cargo.toml b/windows_kext/driver/Cargo.toml
@@ -22,5 +22,5 @@ hashbrown = { version = "0.14.3", default-features = false, features = ["ahash"]
 # WARNING: Do not update. The version was choosen for a reason. See wdk/README.md for more detiels.
 [dependencies.windows-sys]
 git = "https://github.com/microsoft/windows-rs"
-rev = "41ad38d8c42c92fd23fe25ba4dca76c2d861ca06"
+rev = "dffa8b03dc4987c278d82e88015ffe96aa8ac317"
 features = ["Wdk_Foundation", "Wdk_Storage_FileSystem", "Wdk_System_SystemServices", "Win32_Foundation", "Win32_Security", "Win32_System_IO", "Win32_System_Kernel", "Win32_System_Power", "Win32_System_WindowsProgramming", "Win32_NetworkManagement_IpHelper", "Win32_Networking_WinSock", "Win32_NetworkManagement_WindowsFilteringPlatform"]
diff --git a/windows_kext/driver/src/callouts.rs b/windows_kext/driver/src/callouts.rs
@@ -12,17 +12,17 @@ pub fn get_callout_vec() -> Vec<Callout> {
         // -----------------------------------------
         // ALE Auth layers
         Callout::new(
-            "AleLayerOutboundV4",
-            "ALE layer for outbound connection for ipv4",
+            "Portmaster ALE Outbound IPv4",
+            "Portmaster uses this layer to block/permit outgoing ipv4 connections",
             0x58545073_f893_454c_bbea_a57bc964f46d,
             Layer::AleAuthConnectV4,
             consts::FWP_ACTION_CALLOUT_TERMINATING,
             FilterType::Resettable,
             ale_callouts::ale_layer_connect_v4,
         ),
         Callout::new(
-            "AleLayerOutboundV6",
-            "ALE layer for outbound connections for ipv6",
+            "Portmaster ALE Outbound IPv6",
+            "Portmaster uses this layer to block/permit outgoing ipv6 connections",
             0x4bd2a080_2585_478d_977c_7f340c6bc3d4,
             Layer::AleAuthConnectV6,
             consts::FWP_ACTION_CALLOUT_TERMINATING,
@@ -32,17 +32,17 @@ pub fn get_callout_vec() -> Vec<Callout> {
         // -----------------------------------------
         // ALE connection end layers
         Callout::new(
-            "AleEndpointClosureV4",
-            "ALE layer for indicating closing of connection for ipv4",
+            "Portmaster Endpoint Closure IPv4",
+            "Portmaster uses this layer to detect when a IPv4 connection has ended",
             0x58f02845_ace9_4455_ac80_8a84b86fe566,
             Layer::AleEndpointClosureV4,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
             FilterType::NonResettable,
             ale_callouts::endpoint_closure_v4,
         ),
         Callout::new(
-            "AleEndpointClosureV6",
-            "ALE layer for indicating closing of connection for ipv6",
+            "Portmaster Endpoint Closure IPv6",
+            "Portmaster uses this layer to detect when a IPv6 connection has ended",
             0x2bc82359_9dc5_4315_9c93_c89467e283ce,
             Layer::AleEndpointClosureV6,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
@@ -61,8 +61,8 @@ pub fn get_callout_vec() -> Vec<Callout> {
         //     ale_callouts::ale_resource_monitor,
         // ),
         Callout::new(
-            "AleResourceReleaseV4",
-            "Ipv4 Port release monitor",
+            "Portmaster resource release IPv4",
+            "Portmaster uses this layer to detect when a IPv4 port has been released",
             0x7b513bb3_a0be_4f77_a4bc_03c052abe8d7,
             Layer::AleResourceReleaseV4,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
@@ -79,8 +79,8 @@ pub fn get_callout_vec() -> Vec<Callout> {
         //     ale_callouts::ale_resource_monitor,
         // ),
         Callout::new(
-            "AleResourceReleaseV6",
-            "Ipv6 Port release monitor",
+            "Portmaster resource release IPv6",
+            "Portmaster uses this layer to detect when a IPv6 port has been released",
             0x6cf36e04_e656_42c3_8cac_a1ce05328bd1,
             Layer::AleResourceReleaseV6,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
@@ -90,35 +90,35 @@ pub fn get_callout_vec() -> Vec<Callout> {
         // -----------------------------------------
         // Stream layer
         Callout::new(
-            "StreamLayerV4",
-            "Stream layer for ipv4",
+            "Portmaster Stream IPv4",
+            "Portmaster uses this layer for bandwidth statistics of IPv4 TCP connections",
             0xe2ca13bf_9710_4caa_a45c_e8c78b5ac780,
             Layer::StreamV4,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
             FilterType::NonResettable,
             stream_callouts::stream_layer_tcp_v4,
         ),
         Callout::new(
-            "StreamLayerV6",
-            "Stream layer for ipv6",
+            "Portmaster Stream IPv6",
+            "Portmaster uses this layer for bandwidth statistics of IPv6 TCP connections",
             0x66c549b3_11e2_4b27_8f73_856e6fd82baa,
             Layer::StreamV6,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
             FilterType::NonResettable,
             stream_callouts::stream_layer_tcp_v6,
         ),
         Callout::new(
-            "DatagramDataLayerV4",
-            "DatagramData layer for ipv4",
+            "Portmaster Datagram IPv4",
+            "Portmaster uses this layer for bandwidth statistics of IPv4 UDP connections",
             0xe7eeeaba_168a_45bb_8747_e1a702feb2c5,
             Layer::DatagramDataV4,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
             FilterType::NonResettable,
             stream_callouts::stream_layer_udp_v4,
         ),
         Callout::new(
-            "DatagramDataLayerV6",
-            "DatagramData layer for ipv4",
+            "Portmaster Datagram IPv6",
+            "Portmaster uses this layer for bandwidth statistics of IPv6 UDP connections",
             0xb25862cd_f744_4452_b14a_d0c1e5a25b30,
             Layer::DatagramDataV6,
             consts::FWP_ACTION_CALLOUT_INSPECTION,
@@ -128,35 +128,35 @@ pub fn get_callout_vec() -> Vec<Callout> {
         // -----------------------------------------
         // Packet layers
         Callout::new(
-            "IPPacketOutboundV4",
-            "IP packet outbound network layer callout for Ipv4",
+            "Portmaster Packet Outbound IPv4",
+            "Portmaster uses this layer to redirect/block/permit outgoing ipv4 packets",
             0xf3183afe_dc35_49f1_8ea2_b16b5666dd36,
             Layer::OutboundIppacketV4,
             consts::FWP_ACTION_CALLOUT_TERMINATING,
             FilterType::NonResettable,
             packet_callouts::ip_packet_layer_outbound_v4,
         ),
         Callout::new(
-            "IPPacketInboundV4",
-            "IP packet inbound network layer callout for Ipv4",
+            "Portmaster Packet Inbound IPv4",
+            "Portmaster uses this layer to redirect/block/permit inbound ipv4 packets",
             0xf0369374_203d_4bf0_83d2_b2ad3cc17a50,
             Layer::InboundIppacketV4,
             consts::FWP_ACTION_CALLOUT_TERMINATING,
             FilterType::NonResettable,
             packet_callouts::ip_packet_layer_inbound_v4,
         ),
         Callout::new(
-            "IPPacketOutboundV6",
-            "IP packet outbound network layer callout for Ipv6",
+            "Portmaster Packet Outbound IPv6",
+            "Portmaster uses this layer to redirect/block/permit outgoing ipv6 packets",
             0x91daf8bc_0908_4bf8_9f81_2c538ab8f25a,
             Layer::OutboundIppacketV6,
             consts::FWP_ACTION_CALLOUT_TERMINATING,
             FilterType::NonResettable,
             packet_callouts::ip_packet_layer_outbound_v6,
         ),
         Callout::new(
-            "IPPacketInboundV6",
-            "IP packet inbound network layer callout for Ipv6",
+            "Portmaster Packet Inbound IPv6",
+            "Portmaster uses this layer to redirect/block/permit inbound ipv6 packets",
             0xfe9faf5f_ceb2_4cd9_9995_f2f2b4f5fcc0,
             Layer::InboundIppacketV6,
             consts::FWP_ACTION_CALLOUT_TERMINATING,