From 489a4f2192a4cc246869fe8e129e7f31196ccc77 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 16 Dec 2013 17:13:03 +0100 Subject: kernel-wfp: Add an ipsecdump utility to show installed SAs/SPs on Windows --- src/libcharon/plugins/kernel_wfp/ipsecdump.c | 419 +++++++++++++++++++++++++++ 1 file changed, 419 insertions(+) create mode 100644 src/libcharon/plugins/kernel_wfp/ipsecdump.c (limited to 'src/libcharon/plugins/kernel_wfp/ipsecdump.c') diff --git a/src/libcharon/plugins/kernel_wfp/ipsecdump.c b/src/libcharon/plugins/kernel_wfp/ipsecdump.c new file mode 100644 index 000000000..af3bd044c --- /dev/null +++ b/src/libcharon/plugins/kernel_wfp/ipsecdump.c @@ -0,0 +1,419 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* Windows 7, for some fwpmu.h functionality */ +#define _WIN32_WINNT 0x0601 + +#include "kernel_wfp_compat.h" + +#include + +ENUM(auth_type_names, IPSEC_AUTH_MD5, IPSEC_AUTH_AES_256, + "MD5", + "SHA1", + "SHA256", + "AES128", + "AES192", + "AES256", +); + +ENUM(auth_config_names, 0, 5, + "HMAC96", + "HMAC96", + "HMAC128", + "GMAC", + "GMAC", + "GMAC", +); + +ENUM(cipher_type_names, IPSEC_CIPHER_TYPE_DES, IPSEC_CIPHER_TYPE_AES_256, + "DES", + "3DES", + "AES128", + "AES192", + "AES256", +); + +ENUM(cipher_config_names, 1, 8, + "CBC", + "CBC", + "CBC", + "CBC", + "CBC", + "GCM", + "GCM", + "GCM", +); + +ENUM(match_type_names, FWP_MATCH_EQUAL, FWP_MATCH_NOT_EQUAL, + "equals", + "greater", + "less than", + "greater or equal than", + "less or equal than", + "in range", + "has all flags set", + "has any flags set", + "has none flags set", + "equals case insensitive", + "not equal", +); + +ENUM(traffic_type_names, IPSEC_TRAFFIC_TYPE_TRANSPORT, IPSEC_TRAFFIC_TYPE_TUNNEL, + "Transport", + "Tunnel", +); + +/** + * Print a GUID to a static buffer + */ +static char *guid2string(GUID *guid) +{ + static char buf[64]; + + snprintf(buf, sizeof(buf), + "%08x,%04x,%04x%02x,%02x,%02x,%02x,%02x,%02x,%02x,%02x", + guid->Data1, guid->Data2, guid->Data3, + guid->Data4[0], guid->Data4[1], guid->Data4[2], guid->Data4[3], + guid->Data4[4], guid->Data4[5], guid->Data4[6], guid->Data4[7]); + + return buf; +} + +const GUID FWPM_CONDITION_IP_SOURCE_ADDRESS = { + 0xae96897e, 0x2e94, 0x4bc9, { 0xb3,0x13,0xb2,0x7e,0xe8,0x0e,0x57,0x4d } +}; +const GUID FWPM_CONDITION_IP_DESTINATION_ADDRESS = { + 0x2d79133b, 0xb390, 0x45c6, { 0x86,0x99,0xac,0xac,0xea,0xaf,0xed,0x33 } +}; + +/** + * Convert filter condition key GUID to some known strings + */ +static char* cond2name(GUID *guid, bool *address) +{ + struct { + GUID guid; + char *name; + bool address; + } map[] = { + { FWPM_CONDITION_IP_LOCAL_ADDRESS, "local address", TRUE}, + { FWPM_CONDITION_IP_REMOTE_ADDRESS, "remote address", TRUE}, + { FWPM_CONDITION_IP_SOURCE_ADDRESS, "source address", TRUE}, + { FWPM_CONDITION_IP_DESTINATION_ADDRESS, "destination address", TRUE}, + { FWPM_CONDITION_IP_LOCAL_PORT, "local port", FALSE}, + { FWPM_CONDITION_IP_REMOTE_PORT, "remote port", FALSE}, + { FWPM_CONDITION_IP_PROTOCOL, "protocol", FALSE}, + { FWPM_CONDITION_ICMP_CODE, "icmp code", FALSE}, + { FWPM_CONDITION_ICMP_TYPE, "icmp type", FALSE}, + }; + int i; + + for (i = 0; i < countof(map); i++) + { + if (memeq(&map[i].guid, guid, sizeof(GUID))) + { + *address = map[i].address; + return map[i].name; + } + } + *address = FALSE; + return guid2string(guid); +} + +/** + * Print a host from raw data and IP version + */ +static void print_host(FWP_IP_VERSION version, void *data) +{ + host_t *host = NULL; + UINT32 ints[4]; + + switch (version) + { + case FWP_IP_VERSION_V4: + ints[0] = untoh32(data); + host = host_create_from_chunk(AF_INET, chunk_from_thing(ints[0]), 0); + break; + case FWP_IP_VERSION_V6: + ints[3] = untoh32(data); + ints[2] = untoh32(data + 4); + ints[1] = untoh32(data + 8); + ints[0] = untoh32(data + 12); + host = host_create_from_chunk(AF_INET6, chunk_from_thing(ints), 0); + break; + default: + break; + } + if (host) + { + printf("%H", host); + host->destroy(host); + } +} + +/** + * Print IPSEC_SA_AUTH_INFORMATION0 + */ +static void print_auth(IPSEC_SA_AUTH_INFORMATION0 *a) +{ + printf("%N-%N", + auth_type_names, a->authTransform.authTransformId.authType, + auth_config_names, a->authTransform.authTransformId.authConfig); +} + +/** + * Print IPSEC_SA_CIPHER_INFORMATION0 + */ +static void print_cipher(IPSEC_SA_CIPHER_INFORMATION0 *c) +{ + printf("%N-%N", + cipher_type_names, c->cipherTransform.cipherTransformId.cipherType, + cipher_config_names, c->cipherTransform.cipherTransformId.cipherConfig); +} + +/** + * Print IPsec SA transform + */ +static void list_sa(HANDLE engine, IPSEC_SA0 *sa) +{ + printf(" SPI 0x%08x\n", sa->spi); + switch (sa->saTransformType) + { + case IPSEC_TRANSFORM_AH: + printf(" AH: "); + print_auth(sa->ahInformation); + break; + case IPSEC_TRANSFORM_ESP_AUTH: + printf(" ESP: "); + print_auth(sa->espAuthInformation); + break; + case IPSEC_TRANSFORM_ESP_CIPHER: + printf(" ESP: "); + print_cipher(sa->espCipherInformation); + break; + case IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER: + printf(" ESP: "); + print_auth(&sa->espAuthAndCipherInformation->saAuthInformation); + printf(", "); + print_cipher(&sa->espAuthAndCipherInformation->saCipherInformation); + break; + default: + printf(" (Transform %d)", sa->saTransformType); + break; + } + printf("\n"); +} + +/** + * List a filter condition value, optionally as IP address + */ +static void print_value(FWP_CONDITION_VALUE0 *value, bool address) +{ + chunk_t chunk; + + switch (value->type) + { + case FWP_EMPTY: + printf("empty"); + break; + case FWP_UINT8: + printf("%u", value->uint8); + break; + case FWP_UINT16: + printf("%u", value->uint16); + break; + case FWP_UINT32: + if (address) + { + print_host(FWP_IP_VERSION_V4, &value->uint32); + } + else + { + printf("%u", value->uint32); + } + break; + case FWP_UINT64: + printf("%llu", value->uint64); + break; + case FWP_INT8: + printf("%d", value->int8); + break; + case FWP_INT16: + printf("%d", value->int16); + break; + case FWP_INT32: + printf("%d", value->int32); + break; + case FWP_INT64: + printf("%lld", value->int64); + break; + case FWP_FLOAT: + printf("%f", value->float32); + break; + case FWP_DOUBLE: + printf("%lf", value->double64); + break; + case FWP_BYTE_ARRAY16_TYPE: + if (address) + { + print_host(FWP_IP_VERSION_V6, value->byteArray16); + } + else + { + chunk = chunk_create((u_char*)value->byteArray16, 16); + printf("%#B", &chunk); + } + break; + case FWP_BYTE_BLOB_TYPE: + chunk = chunk_create(value->byteBlob->data, value->byteBlob->size); + printf("%#B", &chunk); + break; + case FWP_V4_ADDR_MASK: + print_host(FWP_IP_VERSION_V4, &value->v4AddrMask->addr); + printf("/"); + print_host(FWP_IP_VERSION_V4, &value->v4AddrMask->mask); + break; + case FWP_V6_ADDR_MASK: + print_host(FWP_IP_VERSION_V6, &value->v6AddrMask->addr); + printf("/%u", &value->v6AddrMask->prefixLength); + break; + case FWP_RANGE_TYPE: + print_value((FWP_CONDITION_VALUE0*)&value->rangeValue->valueLow, + address); + printf(" - "); + print_value((FWP_CONDITION_VALUE0*)&value->rangeValue->valueHigh, + address); + break; + default: + printf("(unsupported)"); + break; + } +} + +/** + * List a filter condition + */ +static void list_cond(HANDLE engine, FWPM_FILTER_CONDITION0 *cond) +{ + bool address; + + printf(" '%s' %N '", cond2name(&cond->fieldKey, &address), + match_type_names, cond->matchType); + print_value(&cond->conditionValue, address); + printf("'\n"); +} + +/** + * Print IPsec SA details + */ +static void list_details(HANDLE engine, IPSEC_SA_DETAILS1 *details) +{ + int i; + + printf(" %sbound SA: ", + details->saDirection == FWP_DIRECTION_INBOUND ? "In" : "Out"); + print_host(details->traffic.ipVersion, &details->traffic.localV4Address); + printf(" %s ", details->saDirection == FWP_DIRECTION_INBOUND ? "<-" : "->"); + print_host(details->traffic.ipVersion, &details->traffic.remoteV4Address); + printf("\n %N, flags: 0x%06x, lifetime: %us\n", + traffic_type_names, details->traffic.trafficType, + details->saBundle.flags, details->saBundle.lifetime.lifetimeSeconds); + if (details->udpEncapsulation) + { + printf(" UDP encap ports %u - %u\n", + details->udpEncapsulation->localUdpEncapPort, + details->udpEncapsulation->remoteUdpEncapPort); + } + for (i = 0; i < details->saBundle.numSAs; i++) + { + list_sa(engine, &details->saBundle.saList[i]); + } + printf(" Filter ID %llu\n", details->transportFilter->filterId); + for (i = 0; i < details->transportFilter->numFilterConditions; i++) + { + list_cond(engine, &details->transportFilter->filterCondition[i]); + } +} + +/** + * List installed SA contexts + */ +static bool list_contexts(HANDLE engine) +{ + HANDLE handle; + UINT32 returned; + DWORD res; + IPSEC_SA_CONTEXT1 **entries; + + res = IPsecSaContextCreateEnumHandle0(engine, NULL, &handle); + if (res != ERROR_SUCCESS) + { + fprintf(stderr, "IPsecSaContextCreateEnumHandle0(): 0x%08x\n", res); + return FALSE; + } + + while (TRUE) + { + res = IPsecSaContextEnum1(engine, handle, 1, &entries, &returned); + if (res != ERROR_SUCCESS) + { + fprintf(stderr, "IPsecSaContextEnum1(): 0x%08x\n", res); + IPsecSaContextDestroyEnumHandle0(engine, handle); + return FALSE; + } + if (returned == 0) + { + break; + } + + printf("SA context %llu:\n", entries[0]->saContextId); + list_details(engine, entries[0]->inboundSa); + list_details(engine, entries[0]->outboundSa); + + FwpmFreeMemory0((void**)&entries); + } + IPsecSaContextDestroyEnumHandle0(engine, handle); + return TRUE; +} + +/** + * ipsecdump main() + */ +int main(int argc, char *argv[]) +{ + FWPM_SESSION0 session = { + .displayData = { + .name = L"ipsecdump", + .description = L"strongSwan SAD/SPD dumper", + }, + }; + HANDLE engine; + DWORD res; + int code; + + library_init(NULL, "ipsecdump"); + atexit(library_deinit); + + res = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine); + if (res != ERROR_SUCCESS) + { + fprintf(stderr, "FwpmEngineOpen(): 0x%08x\n", res); + return 2; + } + code = list_contexts(engine) ? 0 : 1; + FwpmEngineClose0(engine); + return code; +} -- cgit v1.2.3 From 288dc68596f6c5b52d061356e3599ba50087e355 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 18 Dec 2013 11:57:36 +0100 Subject: kernel-wfp: Add an ipsecdump "filters" command to print IPsec related filters --- src/libcharon/plugins/kernel_wfp/ipsecdump.c | 283 ++++++++++++++++++++++++++- 1 file changed, 282 insertions(+), 1 deletion(-) (limited to 'src/libcharon/plugins/kernel_wfp/ipsecdump.c') diff --git a/src/libcharon/plugins/kernel_wfp/ipsecdump.c b/src/libcharon/plugins/kernel_wfp/ipsecdump.c index af3bd044c..d2aa26182 100644 --- a/src/libcharon/plugins/kernel_wfp/ipsecdump.c +++ b/src/libcharon/plugins/kernel_wfp/ipsecdump.c @@ -389,6 +389,280 @@ static bool list_contexts(HANDLE engine) return TRUE; } +const GUID FWPM_LAYER_IPSEC_KM_DEMUX_V4 = { + 0xf02b1526, 0xa459, 0x4a51, { 0xb9, 0xe3, 0x75, 0x9d, 0xe5, 0x2b, 0x9d, 0x2c } +}; +const GUID FWPM_LAYER_IPSEC_KM_DEMUX_V6 = { + 0x2f755cf6, 0x2fd4, 0x4e88, { 0xb3, 0xe4, 0xa9, 0x1b, 0xca, 0x49, 0x52, 0x35 } +}; +const GUID FWPM_LAYER_IPSEC_V4 = { + 0xeda65c74, 0x610d, 0x4bc5, { 0x94, 0x8f, 0x3c, 0x4f, 0x89, 0x55, 0x68, 0x67 } +}; +const GUID FWPM_LAYER_IPSEC_V6 = { + 0x13c48442, 0x8d87, 0x4261, { 0x9a, 0x29, 0x59, 0xd2, 0xab, 0xc3, 0x48, 0xb4 } +}; +const GUID FWPM_LAYER_IKEEXT_V4 = { + 0xb14b7bdb, 0xdbbd, 0x473e, { 0xbe, 0xd4, 0x8b, 0x47, 0x08, 0xd4, 0xf2, 0x70 } +}; +const GUID FWPM_LAYER_IKEEXT_V6 = { + 0xb64786b3, 0xf687, 0x4eb9, { 0x89, 0xd2, 0x8e, 0xf3, 0x2a, 0xcd, 0xab, 0xe2 } +}; +const GUID FWPM_LAYER_INBOUND_IPPACKET_V4 = { + 0xc86fd1bf, 0x21cd, 0x497e, { 0xa0, 0xbb, 0x17, 0x42, 0x5c, 0x88, 0x5c, 0x58 } +}; +const GUID FWPM_LAYER_INBOUND_IPPACKET_V4_DISCARD = { + 0xb5a230d0, 0xa8c0, 0x44f2, { 0x91, 0x6e, 0x99, 0x1b, 0x53, 0xde, 0xd1, 0xf7 } +}; +const GUID FWPM_LAYER_INBOUND_IPPACKET_V6 = { + 0xf52032cb, 0x991c, 0x46e7, { 0x97, 0x1d, 0x26, 0x01, 0x45, 0x9a, 0x91, 0xca } +}; +const GUID FWPM_LAYER_INBOUND_IPPACKET_V6_DISCARD = { + 0xbb24c279, 0x93b4, 0x47a2, { 0x83, 0xad, 0xae, 0x16, 0x98, 0xb5, 0x08, 0x85 } +}; +const GUID FWPM_LAYER_OUTBOUND_IPPACKET_V4 = { + 0x1e5c9fae, 0x8a84, 0x4135, { 0xa3, 0x31, 0x95, 0x0b, 0x54, 0x22, 0x9e, 0xcd } +}; +const GUID FWPM_LAYER_OUTBOUND_IPPACKET_V4_DISCARD = { + 0x08e4bcb5, 0xb647, 0x48f3, { 0x95, 0x3c, 0xe5, 0xdd, 0xbd, 0x03, 0x93, 0x7e } +}; +const GUID FWPM_LAYER_OUTBOUND_IPPACKET_V6 = { + 0xa3b3ab6b, 0x3564, 0x488c, { 0x91, 0x17, 0xf3, 0x4e, 0x82, 0x14, 0x27, 0x63 } +}; +const GUID FWPM_LAYER_OUTBOUND_IPPACKET_V6_DISCARD = { + 0x9513d7c4, 0xa934, 0x49dc, { 0x91, 0xa7, 0x6c, 0xcb, 0x80, 0xcc, 0x02, 0xe3 } +}; +const GUID FWPM_LAYER_IPFORWARD_V4 = { + 0xa82acc24, 0x4ee1, 0x4ee1, { 0xb4, 0x65, 0xfd, 0x1d, 0x25, 0xcb, 0x10, 0xa4 } +}; +const GUID FWPM_LAYER_IPFORWARD_V4_DISCARD = { + 0x9e9ea773, 0x2fae, 0x4210, { 0x8f, 0x17, 0x34, 0x12, 0x9e, 0xf3, 0x69, 0xeb } +}; +const GUID FWPM_LAYER_IPFORWARD_V6 = { + 0x7b964818, 0x19c7, 0x493a, { 0xb7, 0x1f, 0x83, 0x2c, 0x36, 0x84, 0xd2, 0x8c } +}; +const GUID FWPM_LAYER_IPFORWARD_V6_DISCARD = { + 0x31524a5d, 0x1dfe, 0x472f, { 0xbb, 0x93, 0x51, 0x8e, 0xe9, 0x45, 0xd8, 0xa2 } +}; +const GUID FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD = { + 0xac4a9833, 0xf69d, 0x4648, { 0xb2, 0x61, 0x6d, 0xc8, 0x48, 0x35, 0xef, 0x39 } +}; +const GUID FWPM_LAYER_INBOUND_TRANSPORT_V6_DISCARD = { + 0x2a6ff955, 0x3b2b, 0x49d2, { 0x98, 0x48, 0xad, 0x9d, 0x72, 0xdc, 0xaa, 0xb7 } +}; +const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD = { + 0xc5f10551, 0xbdb0, 0x43d7, { 0xa3, 0x13, 0x50, 0xe2, 0x11, 0xf4, 0xd6, 0x8a } +}; +const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6_DISCARD = { + 0xf433df69, 0xccbd, 0x482e, { 0xb9, 0xb2, 0x57, 0x16, 0x56, 0x58, 0xc3, 0xb3 } +}; + +/** + * Convert filter layer GUID to name + */ +static char* layer2name(GUID *guid) +{ + struct { + GUID guid; + char *name; + } map[] = { + { FWPM_LAYER_IPSEC_KM_DEMUX_V4, "IPsec KM demux v4" }, + { FWPM_LAYER_IPSEC_KM_DEMUX_V6, "IPsec KM demux v6" }, + { FWPM_LAYER_IPSEC_V4, "IPsec v4" }, + { FWPM_LAYER_IPSEC_V6, "IPsec v6" }, + { FWPM_LAYER_IKEEXT_V4, "IKE ext v4" }, + { FWPM_LAYER_IKEEXT_V6, "IKE ext v6" }, + { FWPM_LAYER_INBOUND_IPPACKET_V4, "inbound v4" }, + { FWPM_LAYER_INBOUND_IPPACKET_V4_DISCARD, "inbound v4 dsc" }, + { FWPM_LAYER_INBOUND_IPPACKET_V6, "inbound v6" }, + { FWPM_LAYER_INBOUND_IPPACKET_V6_DISCARD, "inbound v6 dsc" }, + { FWPM_LAYER_OUTBOUND_IPPACKET_V4, "outbound v4" }, + { FWPM_LAYER_OUTBOUND_IPPACKET_V4_DISCARD, "outbound v4 dsc" }, + { FWPM_LAYER_OUTBOUND_IPPACKET_V6, "outbound v6" }, + { FWPM_LAYER_OUTBOUND_IPPACKET_V6_DISCARD, "outbound v6 dsc" }, + { FWPM_LAYER_IPFORWARD_V4, "forward v4" }, + { FWPM_LAYER_IPFORWARD_V4_DISCARD, "forward v4 dsc" }, + { FWPM_LAYER_IPFORWARD_V6, "forward v6" }, + { FWPM_LAYER_IPFORWARD_V6_DISCARD, "forward v6 discard" }, + { FWPM_LAYER_INBOUND_TRANSPORT_V4, "inbound transport v4" }, + { FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD, "inbound transport v4 dsc" }, + { FWPM_LAYER_INBOUND_TRANSPORT_V6, "inbound transport v6" }, + { FWPM_LAYER_INBOUND_TRANSPORT_V6_DISCARD, "inbound v6 transport dsc" }, + { FWPM_LAYER_OUTBOUND_TRANSPORT_V4, "outbound transport v4" }, + { FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD, "outbound transport v4 dsc" }, + { FWPM_LAYER_OUTBOUND_TRANSPORT_V6, "outbound transport v6" }, + { FWPM_LAYER_OUTBOUND_TRANSPORT_V6_DISCARD, "outbound transport v6 dsc" }, + }; + int i; + + for (i = 0; i < countof(map); i++) + { + if (memeq(&map[i].guid, guid, sizeof(GUID))) + { + return map[i].name; + } + } + return NULL; +} + +const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 = { + 0x191a8a46, 0x0bf8, 0x46cf, { 0xb0,0x45,0x4b,0x45,0xdf,0xa6,0xa3,0x24 } +}; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 = { + 0x80c342e3, 0x1e53, 0x4d6f, { 0x9b,0x44,0x03,0xdf,0x5a,0xee,0xe1,0x54 } +}; +const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 = { + 0x70a4196c, 0x835b, 0x4fb0, { 0x98,0xe8,0x07,0x5f,0x4d,0x97,0x7d,0x46 } +}; +const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 = { + 0xf1835363, 0xa6a5, 0x4e62, { 0xb1,0x80,0x23,0xdb,0x78,0x9d,0x8d,0xa6 } +}; +const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 = { + 0x28829633, 0xc4f0, 0x4e66, { 0x87,0x3f,0x84,0x4d,0xb2,0xa8,0x99,0xc7 } +}; +const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 = { + 0xaf50bec2, 0xc686, 0x429a, { 0x88,0x4d,0xb7,0x44,0x43,0xe7,0xb0,0xb4 } +}; +const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = { + 0xfb532136, 0x15cb, 0x440b, { 0x93,0x7c,0x17,0x17,0xca,0x32,0x0c,0x40 } +}; +const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = { + 0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d } +}; + +/** + * Convert filter callout GUID to name + */ +static char* callout2name(GUID *guid) +{ + struct { + GUID guid; + char *name; + } map[] = { + { FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4, "inbound transport v4" }, + { FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6, "inbound transport v6" }, + { FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4, "outbound transport v4" }, + { FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6, "outbound transport v6" }, + { FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4, "inbound tunnel v4" }, + { FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6, "inbound tunnel v6" }, + { FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4, "outbound tunnel v4" }, + { FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6, "outbound tunnel v6" }, + { FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4, "forward in tunnel v4" }, + { FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6, "forward in tunnel v6" }, + { FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4, "forward out tunnel v4" }, + { FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6, "forward out tunnel v6" }, + }; + int i; + + for (i = 0; i < countof(map); i++) + { + if (memeq(&map[i].guid, guid, sizeof(GUID))) + { + return map[i].name; + } + } + return guid2string(guid); +} + +/** + * Print display data with description + */ +static void print_display_data(FWPM_DISPLAY_DATA0 *data) +{ + char buf[128]; + + buf[0] = '\0'; + if (data->name) + { + wcstombs(buf, data->name, sizeof(buf)); + } + printf("%s", buf); + if (data->description) + { + buf[0] = '\0'; + wcstombs(buf, data->description, sizeof(buf)); + if (strlen(buf)) + { + printf(" (%s)", buf); + } + } +} + +/** + * List installed firewall filters + */ +static bool list_filters(HANDLE engine) +{ + HANDLE handle; + UINT32 returned; + DWORD res; + FWPM_FILTER0 **entries; + char *layer; + int i; + + res = FwpmFilterCreateEnumHandle0(engine, NULL, &handle); + if (res != ERROR_SUCCESS) + { + fprintf(stderr, "FwpmFilterCreateEnumHandle0(): 0x%08x\n", res); + return FALSE; + } + + while (TRUE) + { + res = FwpmFilterEnum0(engine, handle, 1, &entries, &returned); + if (res != ERROR_SUCCESS) + { + fprintf(stderr, "FwpmFilterEnum0(): 0x%08x\n", res); + FwpmFilterDestroyEnumHandle0(engine, handle); + return FALSE; + } + if (returned == 0) + { + break; + } + + layer = layer2name(&entries[0]->layerKey); + if (layer) + { + printf("Filter ID %llu, '", entries[0]->filterId); + print_display_data(&entries[0]->displayData); + printf("'\n"); + printf(" %s, ", layer); + + switch (entries[0]->action.type) + { + case FWP_ACTION_BLOCK: + printf("block\n"); + break; + case FWP_ACTION_PERMIT: + printf("permit\n"); + break; + case FWP_ACTION_CALLOUT_TERMINATING: + printf("callout terminating: %s\n", + callout2name(&entries[0]->action.calloutKey)); + break; + case FWP_ACTION_CALLOUT_INSPECTION: + printf("callout inspection: %s\n", + callout2name(&entries[0]->action.calloutKey)); + break; + case FWP_ACTION_CALLOUT_UNKNOWN: + printf("callout unknown: %s\n", + callout2name(&entries[0]->action.calloutKey)); + break; + default: + printf("(unknown action)\n"); + break; + } + for (i = 0; i < entries[0]->numFilterConditions; i++) + { + list_cond(engine, &entries[0]->filterCondition[i]); + } + } + FwpmFreeMemory0((void**)&entries); + } + FwpmFilterDestroyEnumHandle0(engine, handle); + return TRUE; +} + /** * ipsecdump main() */ @@ -413,7 +687,14 @@ int main(int argc, char *argv[]) fprintf(stderr, "FwpmEngineOpen(): 0x%08x\n", res); return 2; } - code = list_contexts(engine) ? 0 : 1; + if (argc > 1 && streq(argv[1], "filters")) + { + code = list_filters(engine) ? 0 : 1; + } + else + { + code = list_contexts(engine) ? 0 : 1; + } FwpmEngineClose0(engine); return code; } -- cgit v1.2.3 From 1ca2b1615ac633f2608c2a4e9107685ab083f42a Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 19 Dec 2013 14:23:08 +0100 Subject: kernel-wfp: Print filter weight in "ipsecdump filters" --- src/libcharon/plugins/kernel_wfp/ipsecdump.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/libcharon/plugins/kernel_wfp/ipsecdump.c') diff --git a/src/libcharon/plugins/kernel_wfp/ipsecdump.c b/src/libcharon/plugins/kernel_wfp/ipsecdump.c index d2aa26182..ec3c78ea3 100644 --- a/src/libcharon/plugins/kernel_wfp/ipsecdump.c +++ b/src/libcharon/plugins/kernel_wfp/ipsecdump.c @@ -627,6 +627,10 @@ static bool list_filters(HANDLE engine) print_display_data(&entries[0]->displayData); printf("'\n"); printf(" %s, ", layer); + if (entries[0]->effectiveWeight.type == FWP_UINT64) + { + printf("weight %016llx, ", *entries[0]->effectiveWeight.uint64); + } switch (entries[0]->action.type) { -- cgit v1.2.3 From 1678f0a999bed5e486b56824381332a85c505033 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 19 Dec 2013 16:55:43 +0100 Subject: kernel-wfp: Manually create a ProviderContext to attach individual filters This gives us more flexibility than using the intransparent FwpmIPsecTunnelAdd, and fixes the issues we have seen with trap policies. Forward filters are still missing, but required for site-to-site tunnels. --- src/libcharon/plugins/kernel_wfp/ipsecdump.c | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'src/libcharon/plugins/kernel_wfp/ipsecdump.c') diff --git a/src/libcharon/plugins/kernel_wfp/ipsecdump.c b/src/libcharon/plugins/kernel_wfp/ipsecdump.c index ec3c78ea3..55e64fe93 100644 --- a/src/libcharon/plugins/kernel_wfp/ipsecdump.c +++ b/src/libcharon/plugins/kernel_wfp/ipsecdump.c @@ -504,18 +504,6 @@ static char* layer2name(GUID *guid) return NULL; } -const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 = { - 0x191a8a46, 0x0bf8, 0x46cf, { 0xb0,0x45,0x4b,0x45,0xdf,0xa6,0xa3,0x24 } -}; -const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 = { - 0x80c342e3, 0x1e53, 0x4d6f, { 0x9b,0x44,0x03,0xdf,0x5a,0xee,0xe1,0x54 } -}; -const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 = { - 0x70a4196c, 0x835b, 0x4fb0, { 0x98,0xe8,0x07,0x5f,0x4d,0x97,0x7d,0x46 } -}; -const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 = { - 0xf1835363, 0xa6a5, 0x4e62, { 0xb1,0x80,0x23,0xdb,0x78,0x9d,0x8d,0xa6 } -}; const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 = { 0x28829633, 0xc4f0, 0x4e66, { 0x87,0x3f,0x84,0x4d,0xb2,0xa8,0x99,0xc7 } }; -- cgit v1.2.3 From 6de788704b0cb4b087719341f0900b1b1992cdb0 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Fri, 20 Dec 2013 14:42:10 +0100 Subject: kernel-wfp: Install tunnel and trap forward policies --- src/libcharon/plugins/kernel_wfp/ipsecdump.c | 26 -------------------------- 1 file changed, 26 deletions(-) (limited to 'src/libcharon/plugins/kernel_wfp/ipsecdump.c') diff --git a/src/libcharon/plugins/kernel_wfp/ipsecdump.c b/src/libcharon/plugins/kernel_wfp/ipsecdump.c index 55e64fe93..7ca7df5a1 100644 --- a/src/libcharon/plugins/kernel_wfp/ipsecdump.c +++ b/src/libcharon/plugins/kernel_wfp/ipsecdump.c @@ -92,13 +92,6 @@ static char *guid2string(GUID *guid) return buf; } -const GUID FWPM_CONDITION_IP_SOURCE_ADDRESS = { - 0xae96897e, 0x2e94, 0x4bc9, { 0xb3,0x13,0xb2,0x7e,0xe8,0x0e,0x57,0x4d } -}; -const GUID FWPM_CONDITION_IP_DESTINATION_ADDRESS = { - 0x2d79133b, 0xb390, 0x45c6, { 0x86,0x99,0xac,0xac,0xea,0xaf,0xed,0x33 } -}; - /** * Convert filter condition key GUID to some known strings */ @@ -431,15 +424,9 @@ const GUID FWPM_LAYER_OUTBOUND_IPPACKET_V6 = { const GUID FWPM_LAYER_OUTBOUND_IPPACKET_V6_DISCARD = { 0x9513d7c4, 0xa934, 0x49dc, { 0x91, 0xa7, 0x6c, 0xcb, 0x80, 0xcc, 0x02, 0xe3 } }; -const GUID FWPM_LAYER_IPFORWARD_V4 = { - 0xa82acc24, 0x4ee1, 0x4ee1, { 0xb4, 0x65, 0xfd, 0x1d, 0x25, 0xcb, 0x10, 0xa4 } -}; const GUID FWPM_LAYER_IPFORWARD_V4_DISCARD = { 0x9e9ea773, 0x2fae, 0x4210, { 0x8f, 0x17, 0x34, 0x12, 0x9e, 0xf3, 0x69, 0xeb } }; -const GUID FWPM_LAYER_IPFORWARD_V6 = { - 0x7b964818, 0x19c7, 0x493a, { 0xb7, 0x1f, 0x83, 0x2c, 0x36, 0x84, 0xd2, 0x8c } -}; const GUID FWPM_LAYER_IPFORWARD_V6_DISCARD = { 0x31524a5d, 0x1dfe, 0x472f, { 0xbb, 0x93, 0x51, 0x8e, 0xe9, 0x45, 0xd8, 0xa2 } }; @@ -504,19 +491,6 @@ static char* layer2name(GUID *guid) return NULL; } -const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 = { - 0x28829633, 0xc4f0, 0x4e66, { 0x87,0x3f,0x84,0x4d,0xb2,0xa8,0x99,0xc7 } -}; -const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 = { - 0xaf50bec2, 0xc686, 0x429a, { 0x88,0x4d,0xb7,0x44,0x43,0xe7,0xb0,0xb4 } -}; -const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = { - 0xfb532136, 0x15cb, 0x440b, { 0x93,0x7c,0x17,0x17,0xca,0x32,0x0c,0x40 } -}; -const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = { - 0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d } -}; - /** * Convert filter callout GUID to name */ -- cgit v1.2.3