Address CodeRabbit nits: errors.As, defensive disable, port-aware filter name, log wording, provenance

2026-05-06 00:56:39 +00:00 · 2026-05-05 18:29:23 +02:00
parent 7fd16666e3
commit 0415137acd
8 changed files with 16 additions and 5 deletions
--- a/client/internal/dns/dnsfw/config.go
+++ b/client/internal/dns/dnsfw/config.go
@@ -52,7 +52,7 @@ func blockedPorts() []uint16 {
 		ports = append(ports, uint16(port))
 	}
 	if len(ports) == 0 {
-		log.Infof("dns firewall disabled via empty %s", EnvPorts)
+		log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
 		return nil
 	}
 	return ports
--- a/client/internal/dns/dnsfw/dnsfw_windows.go
+++ b/client/internal/dns/dnsfw/dnsfw_windows.go
@@ -91,10 +91,11 @@ func (m *windowsManager) disableLocked() error {
 	if m.session == 0 {
 		return nil
 	}
-	if err := closeSession(m.session); err != nil {
+	session := m.session
+	m.session = 0
+	if err := closeSession(session); err != nil {
 		return fmt.Errorf("close wfp session: %w", err)
 	}
-	m.session = 0
 	log.Info("dns firewall removed")
 	return nil
 }
--- a/client/internal/dns/dnsfw/helpers_windows.go
+++ b/client/internal/dns/dnsfw/helpers_windows.go
@@ -8,6 +8,7 @@
 package dnsfw

 import (
+	"errors"
 	"fmt"
 	"runtime"
 	"syscall"
@@ -40,7 +41,8 @@ func filterWeight(weight uint8) wtFwpValue0 {
 }

 func wrapErr(err error) error {
-	if _, ok := err.(syscall.Errno); !ok {
+	var errno syscall.Errno
+	if !errors.As(err, &errno) {
 		return err
 	}
 	_, file, line, ok := runtime.Caller(1)
--- a/client/internal/dns/dnsfw/rules_windows.go
+++ b/client/internal/dns/dnsfw/rules_windows.go
@@ -214,7 +214,7 @@ func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8)
 		action:              wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
 	}

-	return addOutboundFilters(session, &filter, "Block DNS port")
+	return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
 }

 // addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
--- a/client/internal/dns/dnsfw/syscall_windows.go
+++ b/client/internal/dns/dnsfw/syscall_windows.go
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
 */

 package dnsfw
--- a/client/internal/dns/dnsfw/types_windows.go
+++ b/client/internal/dns/dnsfw/types_windows.go
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
 */

 package dnsfw
--- a/client/internal/dns/dnsfw/types_windows_32.go
+++ b/client/internal/dns/dnsfw/types_windows_32.go
@@ -3,6 +3,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
 */

 package dnsfw
--- a/client/internal/dns/dnsfw/types_windows_64.go
+++ b/client/internal/dns/dnsfw/types_windows_64.go
@@ -3,6 +3,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
 */

 package dnsfw