From 0415137acdb58d966e6d4033e9d4fe81f76ff0ec Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Tue, 5 May 2026 18:29:23 +0200
Subject: [PATCH] Address CodeRabbit nits: errors.As, defensive disable, port-aware filter name, log wording, provenance
---
 client/internal/dns/dnsfw/config.go | 2 +-
 client/internal/dns/dnsfw/dnsfw_windows.go | 5 +++--
 client/internal/dns/dnsfw/helpers_windows.go | 4 +++-
 client/internal/dns/dnsfw/rules_windows.go | 2 +-
 client/internal/dns/dnsfw/syscall_windows.go | 2 ++
 client/internal/dns/dnsfw/types_windows.go | 2 ++
 client/internal/dns/dnsfw/types_windows_32.go | 2 ++
 client/internal/dns/dnsfw/types_windows_64.go | 2 ++
 8 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/client/internal/dns/dnsfw/config.go b/client/internal/dns/dnsfw/config.go
index f11913cdd..0f4fb673a 100644
--- a/client/internal/dns/dnsfw/config.go
+++ b/client/internal/dns/dnsfw/config.go
@@ -52,7 +52,7 @@ func blockedPorts() []uint16 {
 ports = append(ports, uint16(port))
 }
 if len(ports) == 0 {
- log.Infof("dns firewall disabled via empty %s", EnvPorts)
+ log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
 return nil
 }
 return ports
diff --git a/client/internal/dns/dnsfw/dnsfw_windows.go b/client/internal/dns/dnsfw/dnsfw_windows.go
index 5ee95fbc1..2fefc34bb 100644
--- a/client/internal/dns/dnsfw/dnsfw_windows.go
+++ b/client/internal/dns/dnsfw/dnsfw_windows.go
@@ -91,10 +91,11 @@ func (m *windowsManager) disableLocked() error {
 if m.session == 0 {
 return nil
 }
- if err := closeSession(m.session); err != nil {
+ session := m.session
+ m.session = 0
+ if err := closeSession(session); err != nil {
 return fmt.Errorf("close wfp session: %w", err)
 }
- m.session = 0
 log.Info("dns firewall removed")
 return nil
 }
diff --git a/client/internal/dns/dnsfw/helpers_windows.go b/client/internal/dns/dnsfw/helpers_windows.go
index d13dde9f9..a17906f08 100644
--- a/client/internal/dns/dnsfw/helpers_windows.go
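Review bot: In disableLocked, clearing `m.session` before `closeSession` means a failed close now discards the handle while still returning the error, so the manager reports itself disabled (later calls hit `m.session == 0` and return nil) although the DNS block filters may still be installed and can no longer be retried through this manager. If that trade-off is intended, say so above the assignment, e.g. `// Drop the handle before closing: a failed close must not leave a stale handle behind; filters may persist until the session is gone.`, and make the error carry the state, e.g. `return fmt.Errorf("close wfp session (handle dropped, filters may remain): %w", err)`. Whether the session is dynamic, so that its filters disappear with the process, is not visible here; the function's opening line is also outside the hunk.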
+++ b/client/internal/dns/dnsfw/helpers_windows.go
@@ -8,6 +8,7 @@ package dnsfw
 import (
+ "errors"
 "fmt"
 "runtime"
 "syscall"
@@ -40,7 +41,8 @@ func filterWeight(weight uint8) wtFwpValue0 {
 }
 func wrapErr(err error) error {
- if _, ok := err.(syscall.Errno); !ok {
+ var errno syscall.Errno
+ if !errors.As(err, &errno) {
 return err
 }
 _, file, line, ok := runtime.Caller(1)
diff --git a/client/internal/dns/dnsfw/rules_windows.go b/client/internal/dns/dnsfw/rules_windows.go
index 3287e3940..f0a145ae9 100644
--- a/client/internal/dns/dnsfw/rules_windows.go
+++ b/client/internal/dns/dnsfw/rules_windows.go
@@ -214,7 +214,7 @@ func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8)
 action: wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
 }
- return addOutboundFilters(session, &filter, "Block DNS port")
+ return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
 }
 // addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
diff --git a/client/internal/dns/dnsfw/syscall_windows.go b/client/internal/dns/dnsfw/syscall_windows.go
index 56d33290a..4b01798ba 100644
--- a/client/internal/dns/dnsfw/syscall_windows.go
+++ b/client/internal/dns/dnsfw/syscall_windows.go
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
 */
 package dnsfw
diff --git a/client/internal/dns/dnsfw/types_windows.go b/client/internal/dns/dnsfw/types_windows.go
index aac39dbea..85dfc8692 100644
--- a/client/internal/dns/dnsfw/types_windows.go
+++ b/client/internal/dns/dnsfw/types_windows.go
@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
 */
 package dnsfw
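Review bot: The new `errors.As` guard in wrapErr also matches errors that merely wrap a `syscall.Errno`, so an error that has already been through wrapErr (or any other `%w` wrapper) is no longer returned unchanged and will presumably be annotated a second time with another `runtime.Caller(1)` location. If callers can pass already-wrapped errors, either keep the function idempotent or document the new contract, e.g. `// wrapErr annotates any error whose chain contains a syscall.Errno, including errors that are already wrapped.` In the visible lines the extracted `errno` is used only for the check; the rest of the body lies outside the hunk, so whether it formats `err` or `errno` cannot be confirmed from here.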
diff --git a/client/internal/dns/dnsfw/types_windows_32.go b/client/internal/dns/dnsfw/types_windows_32.go
index af8a1951e..eff82fe4e 100644
--- a/client/internal/dns/dnsfw/types_windows_32.go
+++ b/client/internal/dns/dnsfw/types_windows_32.go
@@ -3,6 +3,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
 */
 package dnsfw
diff --git a/client/internal/dns/dnsfw/types_windows_64.go b/client/internal/dns/dnsfw/types_windows_64.go
index 5ccdc428f..30d2e4b60 100644
--- a/client/internal/dns/dnsfw/types_windows_64.go
+++ b/client/internal/dns/dnsfw/types_windows_64.go
@@ -3,6 +3,8 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ *
+ * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
 */
 package dnsfw