safing · vlabo · Nov 25, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/windows_kext/driver/src/ale_callouts.rs b/windows_kext/driver/src/ale_callouts.rs
@@ -105,6 +105,9 @@ pub fn ale_layer_connect_v6(data: CalloutData) {
 }
 
 fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
+    // Make the default path as drop.
+    data.block_and_absorb();
+
     let Some(device) = crate::entry::get_device() else {
         return;
     };

diff --git a/windows_kext/driver/src/packet_callouts.rs b/windows_kext/driver/src/packet_callouts.rs
@@ -110,9 +110,12 @@ fn ip_packet_layer(
     interface_index: u32,
     sub_interface_index: u32,
 ) {
+    // Make the default path as drop.
+    data.block_and_absorb();
+
     // Block all fragment data. No easy way to keep track of the origin and they are rarely used.
     if data.is_fragment_data() {
-        data.action_block();
+        data.block_and_absorb();
         crate::err!("blocked fragment packet");
         return;
     }
@@ -147,7 +150,7 @@ fn ip_packet_layer(
         } {
             Ok(key) => key,
             Err(err) => {
-                crate::dbg!("failed to get key from nbl: {}", err);
+                crate::err!("failed to get key from nbl: {}", err);
                 return;
             }
         };

diff --git a/windows_kext/wdk/src/filter_engine/callout_data.rs b/windows_kext/wdk/src/filter_engine/callout_data.rs
@@ -161,24 +161,28 @@ impl<'a> CalloutData<'a> {
     pub fn action_permit(&mut self) {
         unsafe {
             (*self.classify_out).action_permit();
+            (*self.classify_out).clear_absorb_flag();
         }
     }
 
     pub fn action_continue(&mut self) {
         unsafe {
             (*self.classify_out).action_continue();
+            (*self.classify_out).clear_absorb_flag();
         }
     }
 
     pub fn action_block(&mut self) {
         unsafe {
             (*self.classify_out).action_block();
+            (*self.classify_out).clear_absorb_flag();
         }
     }
 
     pub fn action_none(&mut self) {
         unsafe {
             (*self.classify_out).set_none();
+            (*self.classify_out).clear_absorb_flag();
         }
     }
 
@@ -198,13 +202,6 @@ impl<'a> CalloutData<'a> {
         self.get_value_u32(flags_index) & FWP_CONDITION_FLAG_IS_REAUTHORIZE > 0
     }
 
-    pub fn parmit_and_absorb(&mut self) {
-        unsafe {
-            (*self.classify_out).action_permit();
-            (*self.classify_out).set_absorb();
-        }
-    }
-
     pub fn get_callout_id(&self) -> usize {
         self.callout_id
     }

diff --git a/windows_kext/wdk/src/filter_engine/classify.rs b/windows_kext/wdk/src/filter_engine/classify.rs
@@ -80,6 +80,11 @@ impl ClassifyOut {
         self.flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
     }
 
+    // Removes the absorb flag.
+    pub fn clear_absorb_flag(&mut self) {
+        self.flags &= !FWPS_CLASSIFY_OUT_FLAG_ABSORB;
+    }
+
     // Clear the write flag permission. Next filter in the chain will not change the action.
     pub fn clear_write_flag(&mut self) {
         self.rights &= !FWPS_RIGHT_ACTION_WRITE;

diff --git a/windows_kext/wdk/src/filter_engine/ffi.rs b/windows_kext/wdk/src/filter_engine/ffi.rs
@@ -62,7 +62,7 @@ pub(crate) fn register_sublayer(
         sublayer.displayData.name = name.as_ptr() as _;
         sublayer.displayData.description = description.as_ptr() as _;
         sublayer.flags = 0;
-        sublayer.weight = 0xFFFF;
+        sublayer.weight = 0xFFFF; // Set to Max value. Weight compared to other sublayers.
 
         let status = FwpmSubLayerAdd0(filter_engine_handle, &sublayer, core::ptr::null_mut());
         check_ntstatus(status as i32)?;