feat: Add firewall rule automatically for TCP mode

moeleak · moeleak · commit e63010bbaf96 · 2025-12-19T16:29:39.000+08:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -116,7 +116,7 @@ add_executable(connecttool-qt
     steam/steam_vpn_bridge.cpp)
 
 if(WIN32)
-    target_sources(connecttool-qt PRIVATE tun/tun_windows.cpp)
+    target_sources(connecttool-qt PRIVATE tun/tun_windows.cpp src/firewall_windows.cpp)
 elseif(APPLE)
     target_sources(connecttool-qt PRIVATE tun/tun_macos.cpp)
 else()
diff --git a/net/tcp_server.cpp b/net/tcp_server.cpp
@@ -1,5 +1,6 @@
 #include "tcp_server.h"
 #include "../steam/steam_networking_manager.h"
+#include "firewall_windows.h"
 #include <iostream>
 #include <algorithm>
 
@@ -15,6 +16,16 @@ bool TCPServer::start() {
         acceptor_.bind(endpoint);
         acceptor_.listen();
 
+#if defined(_WIN32)
+        if (!ensureTcpFirewallRule("ConnectTool TCP inbound", port_)) {
+            std::cerr << "Failed to add firewall rule for TCP port " << port_
+                      << std::endl;
+        } else {
+            std::cout << "Added firewall rule for TCP port " << port_
+                      << std::endl;
+        }
+#endif
+
         running_ = true;
         serverThread_ = std::thread([this]() { 
             std::cout << "Server thread started" << std::endl;
diff --git a/src/backend.cpp b/src/backend.cpp
@@ -6,6 +6,7 @@
 #include "../steam/steam_utils.h"
 #include "../steam/steam_vpn_bridge.h"
 #include "../steam/steam_vpn_networking_manager.h"
+#include "firewall_windows.h"
 
 #include <QClipboard>
 #include <QCoreApplication>
@@ -224,6 +225,7 @@ QString stripGhProxyPrefix(const QString &url) {
   }
   return url;
 }
+
 } // namespace
 
 Backend::Backend(QObject *parent)
@@ -627,6 +629,15 @@ void Backend::startHosting() {
 
   if (roomManager_ && roomManager_->startHosting()) {
     steamManager_->setHostSteamID(SteamUser()->GetSteamID());
+#ifdef Q_OS_WIN
+    if (localPort_ > 0) {
+      if (!ensureTcpFirewallRule("ConnectTool TCP forward", localPort_)) {
+        qWarning() << "Failed to add firewall rule for TCP port" << localPort_;
+      } else {
+        qInfo() << "Added firewall rule for TCP port" << localPort_;
+      }
+    }
+#endif
     updateStatus();
     refreshLobbies();
   } else {
diff --git a/src/firewall_windows.cpp b/src/firewall_windows.cpp
@@ -0,0 +1,56 @@
+#ifdef _WIN32
+
+#include "firewall_windows.h"
+
+#include <cstdlib>
+#include <sstream>
+#include <string>
+
+namespace {
+std::string escape_ps(const std::string &value) {
+  std::string escaped;
+  escaped.reserve(value.size());
+  for (char c : value) {
+    if (c == '\'') {
+      escaped += "''";
+    } else {
+      escaped.push_back(c);
+    }
+  }
+  return escaped;
+}
+} // namespace
+
+bool ensureTcpFirewallRule(const char *ruleName, int port) {
+  if (port <= 0 || ruleName == nullptr || ruleName[0] == '\0') {
+    return false;
+  }
+  const std::string escapedName = escape_ps(ruleName);
+  std::ostringstream ps;
+  ps << "powershell -Command \"$ErrorActionPreference='SilentlyContinue'; "
+     << "Remove-NetFirewallRule -DisplayName '" << escapedName
+     << "' -ErrorAction SilentlyContinue; "
+     << "New-NetFirewallRule -DisplayName '" << escapedName
+     << "' -Direction Inbound -Action Allow -Protocol TCP -LocalPort "
+     << port << " -Enabled True\"";
+  return ::system(ps.str().c_str()) == 0;
+}
+
+bool ensureTunFirewallRule(const char *ruleName, const char *interfaceAlias) {
+  if (ruleName == nullptr || ruleName[0] == '\0' || interfaceAlias == nullptr ||
+      interfaceAlias[0] == '\0') {
+    return false;
+  }
+  const std::string escapedName = escape_ps(ruleName);
+  const std::string escapedAlias = escape_ps(interfaceAlias);
+  std::ostringstream ps;
+  ps << "powershell -Command \"$ErrorActionPreference='SilentlyContinue'; "
+     << "Remove-NetFirewallRule -DisplayName '" << escapedName
+     << "' -ErrorAction SilentlyContinue; "
+     << "New-NetFirewallRule -DisplayName '" << escapedName
+     << "' -Direction Inbound -Action Allow -Protocol Any "
+     << "-InterfaceAlias '" << escapedAlias << "' -Enabled True\"";
+  return ::system(ps.str().c_str()) == 0;
+}
+
+#endif
diff --git a/src/firewall_windows.h b/src/firewall_windows.h
@@ -0,0 +1,9 @@
+#pragma once
+
+#ifdef _WIN32
+bool ensureTcpFirewallRule(const char *ruleName, int port);
+bool ensureTunFirewallRule(const char *ruleName, const char *interfaceAlias);
+#else
+inline bool ensureTcpFirewallRule(const char *, int) { return true; }
+inline bool ensureTunFirewallRule(const char *, const char *) { return true; }
+#endif
diff --git a/tun/tun_windows.cpp b/tun/tun_windows.cpp
@@ -1,6 +1,7 @@
 #ifdef _WIN32
 
 #include "tun_interface.h"
+#include "firewall_windows.h"
 
 #ifndef _WIN32_WINNT
 #define _WIN32_WINNT 0x0601
@@ -381,37 +382,14 @@ class TunWindows : public TunInterface {
   }
 
 private:
-  static std::string escape_ps(const std::string &value) {
-    std::string escaped;
-    escaped.reserve(value.size());
-    for (char c : value) {
-      if (c == '\'') {
-        escaped += "''";
-      } else {
-        escaped.push_back(c);
-      }
-    }
-    return escaped;
-  }
-
   void ensureFirewallRule() const {
     if (deviceName_.empty()) {
       return;
     }
-    const std::string ruleName = "ConnectTool TUN inbound";
-    const std::string escapedName = escape_ps(ruleName);
-    const std::string escapedAlias = escape_ps(deviceName_);
-    std::ostringstream ps;
-    ps << "powershell -Command \"$ErrorActionPreference='SilentlyContinue'; "
-       << "Remove-NetFirewallRule -DisplayName '" << escapedName
-       << "' -ErrorAction SilentlyContinue; "
-       << "New-NetFirewallRule -DisplayName '" << escapedName
-       << "' -Direction Inbound -Action Allow -Protocol Any "
-       << "-InterfaceAlias '" << escapedAlias << "' -Enabled True\"";
-    const int rc = ::system(ps.str().c_str());
-    if (rc != 0) {
+    const char *ruleName = "ConnectTool TUN inbound";
+    if (!ensureTunFirewallRule(ruleName, deviceName_.c_str())) {
       std::cerr << "Failed to add firewall rule for " << deviceName_
-                << " (rc=" << rc << ")" << std::endl;
+                << std::endl;
     } else {
       std::cout << "Added firewall rule for interface " << deviceName_
                 << std::endl;
