fix: avoid remote ports on any-protocol firewall rule

2026-05-04 21:32:21 +03:00 · 2026-04-14 11:05:25 -07:00
parent 95845cf6ce
commit d79ff53953
1 changed files with 31 additions and 8 deletions
--- a/codex-rs/windows-sandbox-rs/src/firewall.rs
+++ b/codex-rs/windows-sandbox-rs/src/firewall.rs
@@ -317,14 +317,16 @@ fn configure_rule(rule: &INetFwRule3, spec: &BlockRuleSpec<'_>) -> Result<()> {
                    format!("SetRemoteAddresses failed: {err:?}"),
                ))
            })?;
-        let remote_ports = spec.remote_ports.unwrap_or("*");
-        rule.SetRemotePorts(&BSTR::from(remote_ports))
-            .map_err(|err| {
-                anyhow::Error::new(SetupFailure::new(
-                    SetupErrorCode::HelperFirewallRuleCreateOrAddFailed,
-                    format!("SetRemotePorts failed: {err:?}"),
-                ))
-            })?;
+        if should_set_remote_ports(spec.protocol, spec.remote_ports) {
+            let remote_ports = spec.remote_ports.unwrap_or("*");
+            rule.SetRemotePorts(&BSTR::from(remote_ports))
+                .map_err(|err| {
+                    anyhow::Error::new(SetupFailure::new(
+                        SetupErrorCode::HelperFirewallRuleCreateOrAddFailed,
+                        format!("SetRemotePorts failed: {err:?}"),
+                    ))
+                })?;
+        }
        rule.SetLocalUserAuthorizedList(&BSTR::from(spec.local_user_spec))
            .map_err(|err| {
                anyhow::Error::new(SetupFailure::new(
@@ -354,6 +356,10 @@ fn configure_rule(rule: &INetFwRule3, spec: &BlockRuleSpec<'_>) -> Result<()> {
    Ok(())
 }

+fn should_set_remote_ports(protocol: i32, remote_ports: Option<&str>) -> bool {
+    remote_ports.is_some() || protocol != NET_FW_IP_PROTOCOL_ANY.0
+}
+
 fn blocked_loopback_tcp_remote_ports(proxy_ports: &[u16]) -> Option<String> {
    let mut allowed_ports = proxy_ports
        .iter()
@@ -400,3 +406,20 @@ fn log_line(log: &mut File, msg: &str) -> Result<()> {
    writeln!(log, "[{ts}] {msg}")?;
    Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::should_set_remote_ports;
+    use windows::Win32::NetworkManagement::WindowsFirewall::NET_FW_IP_PROTOCOL_ANY;
+    use windows::Win32::NetworkManagement::WindowsFirewall::NET_FW_IP_PROTOCOL_TCP;
+
+    #[test]
+    fn remote_ports_are_skipped_for_any_protocol_without_port_filter() {
+        assert!(!should_set_remote_ports(NET_FW_IP_PROTOCOL_ANY.0, None));
+        assert!(should_set_remote_ports(
+            NET_FW_IP_PROTOCOL_ANY.0,
+            Some("1-65535")
+        ));
+        assert!(should_set_remote_ports(NET_FW_IP_PROTOCOL_TCP.0, None));
+    }
+}