From db49f9a32d249e4beed366b4532b2cd766ce5532 Mon Sep 17 00:00:00 2001
From: Vladimir Stoilov
Date: Wed, 12 Jun 2024 18:06:42 +0300
Subject: [PATCH] [windows_kext] Add check for previously injected packets in the ALE layer

---
 windows_kext/driver/src/ale_callouts.rs | 15 ++++++++++++++-
 windows_kext/driver/src/device.rs | 3 +++
 windows_kext/driver/src/packet_callouts.rs | 1 +
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/windows_kext/driver/src/ale_callouts.rs b/windows_kext/driver/src/ale_callouts.rs
index 7ab824e5d..ed478938e 100644
--- a/windows_kext/driver/src/ale_callouts.rs
+++ b/windows_kext/driver/src/ale_callouts.rs
@@ -109,6 +109,15 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
         return;
     };
 
+    // Check if packet was previously injected from the packet layer.
+    if device
+        .injector
+        .was_network_packet_injected_by_self(data.get_layer_data() as _, ale_data.is_ipv6)
+    {
+        data.action_permit();
+        return;
+    }
+
     match ale_data.protocol {
         IpProtocol::Tcp | IpProtocol::Udp => {
             // Only TCP and UDP make sense to be supported in the ALE layer.
@@ -226,7 +235,11 @@ fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
     };
 
     // Connection is not in cache, add it.
-    crate::dbg!("ale layer adding connection: {} PID: {}", key, ale_data.process_id);
+    crate::dbg!(
+        "ale layer adding connection: {} PID: {}",
+        key,
+        ale_data.process_id
+    );
 
     if ale_data.is_ipv6 {
         let conn = ConnectionV6::from_key(&key, ale_data.process_id, ale_data.direction).unwrap();
diff --git a/windows_kext/driver/src/device.rs b/windows_kext/driver/src/device.rs
index b71752076..801b7a98b 100644
--- a/windows_kext/driver/src/device.rs
+++ b/windows_kext/driver/src/device.rs
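Review bot: The `as _` in `data.get_layer_data() as _` hides which pointer type the layer data is being reinterpreted as; a reader of the ALE callout has to open `was_network_packet_injected_by_self` to learn it, so the cast should name the concrete pointer type that the injector's parameter declares instead of `_`. The new branch also permits and returns before the protocol dispatch and the connection-cache handling further down, and the comment only says that the check happens, not why skipping the ALE evaluation is safe; presumably a self-injected packet already carries the packet layer's decision, in which case the comment should say so, e.g. `// Packet was re-injected by the packet layer; permit it here so the ALE layer does not evaluate it a second time.` `device` is bound above the hunk and `ale_layer_auth` begins and ends outside it; the second hunk in this file is a formatting-only change.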
@@ -164,6 +164,7 @@ impl Device {
            crate::connection::Verdict::RedirectNameServer
            | crate::connection::Verdict::RedirectTunnel => {
                if let Some(redirect_info) = redirect_info {
+                    // Will not redirect packets from ALE layer
                    if let Err(err) = packet.redirect(redirect_info) {
                        err!("failed to redirect packet: {}", err);
                    }
@@ -173,6 +174,8 @@ impl Device {
                }
            }
            _ => {
+                // Inject only ALE layer. This will trigger proper block/drop.
+                // Packet layer just drop the packet.
                if let Err(err) = self.inject_packet(packet, true) {
                    err!("failed to inject packet: {}", err);
                }
diff --git a/windows_kext/driver/src/packet_callouts.rs b/windows_kext/driver/src/packet_callouts.rs
index 6b0cf8e44..a1b5733ad 100644
--- a/windows_kext/driver/src/packet_callouts.rs
+++ b/windows_kext/driver/src/packet_callouts.rs
@@ -173,6 +173,7 @@ fn ip_packet_layer(
        data.action_block();
        }
        Verdict::Undeterminable | Verdict::PermanentDrop | Verdict::Failed => {
+            send_request_to_portmaster = false;
            data.block_and_absorb();
        }
        Verdict::RedirectNameServer | Verdict::RedirectTunnel => {
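Review bot: The added comment `// Will not redirect packets from ALE layer` asserts a guarantee that nothing in this hunk enforces; whether `packet.redirect` refuses ALE-layer packets or `redirect_info` is simply `None` for them is not visible here, so the comment should say where that guard lives and read as a statement, e.g. `// Packets classified in the ALE layer are never redirected here: <where the guard is enforced>.` The enclosing method of `impl Device` starts and ends outside the hunk.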
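Review bot: The two new comments describe the intent, but the call below them still passes a bare positional `true` to `self.inject_packet(packet, true)`, so a reader has to guess that this literal is the "ALE layer only" switch the comment refers to. If the second parameter is that switch, bind it to a named local first, `let ale_layer_only = true;` then `self.inject_packet(packet, ale_layer_only)`, so the comment and the code agree visibly. The second comment line should also read `// The packet layer just drops the packet.` The surrounding `match` and its method extend beyond the hunk.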
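Review bot: `send_request_to_portmaster = false;` now suppresses the userspace request for `Verdict::Failed` together with `Undeterminable` and `PermanentDrop`, and the arm then absorbs the packet with no comment or log line, so a failed verdict disappears without any component being told. If `Failed` denotes an error in producing a verdict rather than a deliberate policy, consider handling it separately or at least recording it in that arm with the file's existing `crate::dbg!` macro, e.g. `crate::dbg!("absorbing packet without portmaster request: <verdict placeholder>");`. At minimum the arm needs a comment such as `// No request is sent for these verdicts; the packet is silently absorbed.` `send_request_to_portmaster` is declared outside the hunk and `ip_packet_layer` begins and ends outside it.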