windows-wfp 0.2.1

Safe Rust wrapper for the Windows Filtering Platform (WFP) kernel-level firewall API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

//! WFP Engine wrapper with RAII handle management
//!
//! Provides safe Rust wrapper around WFP engine session.

use crate::errors::{WfpError, WfpResult};
use std::ptr;
use windows::core::{PCWSTR, PWSTR};
use windows::Win32::Foundation::{ERROR_SUCCESS, HANDLE};
use windows::Win32::NetworkManagement::WindowsFilteringPlatform::{
    FwpmEngineClose0, FwpmEngineOpen0, FWPM_SESSION0, FWPM_SESSION_FLAG_DYNAMIC,
};

/// WFP Engine session with RAII handle management
///
/// Opens a session to the Windows Filtering Platform on creation
/// and automatically closes it on drop.
///
/// # Examples
///
/// ```no_run
/// use windows_wfp::WfpEngine;
///
/// let engine = WfpEngine::new()?;
/// // Use engine for filter operations
/// // Session automatically closed when engine goes out of scope
/// # Ok::<(), windows_wfp::WfpError>(())
/// ```
#[derive(Debug)]
pub struct WfpEngine {
    /// Handle to WFP engine session
    handle: HANDLE,
}

impl WfpEngine {
    /// Open a new WFP engine session
    ///
    /// Requires administrator privileges.
    ///
    /// # Errors
    ///
    /// Returns `WfpError::EngineOpenFailed` if:
    /// - Insufficient permissions (not running as admin)
    /// - WFP service not available
    /// - Session creation failed
    ///
    /// # Examples
    ///
    /// ```no_run
    /// use windows_wfp::WfpEngine;
    ///
    /// let engine = WfpEngine::new()?;
    /// # Ok::<(), windows_wfp::WfpError>(())
    /// ```
    pub fn new() -> WfpResult<Self> {
        Self::new_with_flags(FWPM_SESSION_FLAG_DYNAMIC)
    }

    /// Open a new WFP engine session with custom flags
    ///
    /// # Arguments
    ///
    /// * `flags` - Session flags (e.g., `FWPM_SESSION_FLAG_DYNAMIC` for automatic cleanup)
    ///
    /// # Errors
    ///
    /// Returns `WfpError::EngineOpenFailed` if session creation fails.
    pub fn new_with_flags(flags: u32) -> WfpResult<Self> {
        let session = FWPM_SESSION0 {
            sessionKey: windows::core::GUID::zeroed(),
            displayData: Default::default(),
            flags,
            txnWaitTimeoutInMSec: 0,
            processId: 0,
            sid: ptr::null_mut(),
            username: PWSTR::null(),
            kernelMode: false.into(),
        };

        let mut handle = HANDLE::default();

        unsafe {
            let result = FwpmEngineOpen0(
                PCWSTR::null(),
                10, // RPC_C_AUTHN_WINNT (Windows NT authentication)
                None,
                Some(&session),
                &mut handle,
            );

            if result != ERROR_SUCCESS.0 {
                return match result {
                    5 => Err(WfpError::InsufficientPermissions),
                    1062 | 1075 => Err(WfpError::ServiceNotAvailable),
                    _ => Err(WfpError::Other(format!(
                        "FwpmEngineOpen0 failed with Windows error code: {} (0x{:X}). \
                        Common causes: BFE service not running, insufficient privileges, or WFP driver not loaded.",
                        result, result
                    ))),
                };
            }
        }

        Ok(Self { handle })
    }

    /// Get raw handle to WFP engine session
    ///
    /// # Safety
    ///
    /// The handle is only valid while this `WfpEngine` instance is alive.
    /// Do not close the handle manually - it will be closed automatically on drop.
    pub fn handle(&self) -> HANDLE {
        self.handle
    }

    /// Check if session is valid
    pub fn is_valid(&self) -> bool {
        !self.handle.is_invalid()
    }
}

impl Drop for WfpEngine {
    /// Automatically close WFP engine session when dropped
    fn drop(&mut self) {
        if !self.handle.is_invalid() {
            unsafe {
                let _ = FwpmEngineClose0(self.handle);
            }
        }
    }
}

// WfpEngine is Send because the handle can be safely transferred between threads
unsafe impl Send for WfpEngine {}

// WfpEngine is NOT Sync because concurrent access requires synchronization
// Multiple threads should not access the same session simultaneously

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    #[ignore] // Requires admin privileges
    fn test_engine_creation() {
        let engine = WfpEngine::new();
        assert!(engine.is_ok(), "Failed to create WFP engine (run as admin)");

        if let Ok(engine) = engine {
            assert!(engine.is_valid());
            assert!(!engine.handle().is_invalid());
        }
    }

    #[test]
    #[ignore] // Requires admin privileges
    fn test_engine_drop_closes_session() {
        {
            let _engine = WfpEngine::new().expect("Failed to create engine");
            // Engine should be valid here
        }
        // Engine dropped - session should be closed automatically
        // No way to verify programmatically without leaking handles
    }

    #[test]
    fn test_engine_without_permissions() {
        // This test will fail if run as admin
        // Useful for CI/CD without admin rights
        let result = WfpEngine::new();

        if let Err(err) = result {
            // Expected when not running as admin
            match err {
                WfpError::InsufficientPermissions => (),
                WfpError::ServiceNotAvailable => (),
                WfpError::EngineOpenFailed => (),
                other => panic!("Unexpected error: {:?}", other),
            }
        }
    }
}