
feat(windows-kext): owner PID tracking, downstream filter bypass, and split-tunneling routing support #2137

Merged
stenya merged 6 commits into development from feature/kext-improvements
Mar 10, 2026

stenya commented Mar 6, 2026

Summary

Windows kernel extension (kext) changes that prepare the driver for split-tunneling support:

  1. Owner PID tracking — lets the driver identify Portmaster's own connections at callout time.
  2. Downstream filter bypass — prevents other WFP filters from overriding a permit decision on Portmaster's own outbound connections.
  3. New RedirectSplitTunnel verdict — adds the routing primitive needed to steer selected traffic to the split-tunnel proxy.

Changes

feat(kext): track owner PID of connected user-space process

  • Device struct gains an AtomicU32 owner_pid field — written once on IRP_MJ_CREATE, cleared on IRP_MJ_CLEANUP. Lock-free reads are safe from callout context.
  • IRP_MJ_CREATE / IRP_MJ_CLEANUP dispatch routines registered in entry.rs (driver_create / driver_cleanup).
  • New CreateRequest and CleanupRequest IRP wrapper types added to wdk/src/irp_helpers.rs.
  • PsGetCurrentProcessId FFI binding added to wdk/src/ffi.rs.

feat(kext): bypass downstream filters for Portmaster's own outbound connections

  • In the ALE callout, when the verdict is permit/redirect and the connection belongs to Portmaster itself (owner PID match + Outbound direction), the write-flag on the classify result is cleared. This prevents subsequent WFP filters in the sublayer chain from overriding the permit action.

feat(kext): add RedirectSplitTunnel verdict

  • Added Verdict::RedirectSplitTunnel = 11 to the verdict enum in connection.rs, mapped to the new well-known port PM_SPLIT_TUN_PORT = 719.
  • Wired the new verdict in the ALE callout, packet callout, and device layers alongside the existing redirect verdicts.
  • IPv4 and IPv6 is_own_packet() extended with matching RedirectSplitTunnel arms.

RedirectSplitTunnel is kept last in the enum so older Portmaster versions (verdicts 0–10 only) are not affected.


Notes / Follow-ups

  • The Go-side code that issues RedirectSplitTunnel verdicts is not yet merged — this PR only adds the kext-side handling.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added split tunnel redirection support, enabling new network traffic routing capability alongside existing tunnel and name server redirects.
  • Documentation

    • Added comprehensive Windows kernel driver build and test documentation, including prerequisites, signing setup, and troubleshooting guidance.
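
The owner-PID tracking and the write-flag decision described in this PR, as a user-space model. This is an added example, not code from the Portmaster driver: `Device`, `owner_pid`, `is_owner_pid` and the verdict names come from the description, while `NO_OWNER`, `on_create`, `on_cleanup`, `apply_rights`, the first-opener-wins rule and the PIDs are assumptions made for illustration.

```rust
// User-space model of the owner-PID logic (added example, not driver code).
use std::sync::atomic::{AtomicU32, Ordering};

// WFP flag in FWPS_CLASSIFY_OUT.rights: while set, later filters may change the action.
const FWPS_RIGHT_ACTION_WRITE: u32 = 0x1;
const NO_OWNER: u32 = 0; // assumption: 0 encodes "no handle open"

#[allow(dead_code)]
#[derive(Clone, Copy)]
enum Verdict { Permit, Block, RedirectNameServer, RedirectTunnel, RedirectSplitTunnel }
#[allow(dead_code)]
#[derive(Clone, Copy, PartialEq)]
enum Direction { Outbound, Inbound }

struct Device { owner_pid: AtomicU32 }

impl Device {
    fn new() -> Self { Device { owner_pid: AtomicU32::new(NO_OWNER) } }
    // IRP_MJ_CREATE: record the opener. Assumption: the first opener wins.
    fn on_create(&self, pid: u32) -> bool {
        pid != NO_OWNER && self.owner_pid
            .compare_exchange(NO_OWNER, pid, Ordering::AcqRel, Ordering::Acquire).is_ok()
    }
    // IRP_MJ_CLEANUP: clear only when the closing process is the recorded owner.
    fn on_cleanup(&self, pid: u32) -> bool {
        pid != NO_OWNER && self.owner_pid
            .compare_exchange(pid, NO_OWNER, Ordering::AcqRel, Ordering::Acquire).is_ok()
    }
    // Lock-free read, usable from callout context. PID 0 never matches.
    fn is_owner_pid(&self, pid: u32) -> bool {
        pid != NO_OWNER && self.owner_pid.load(Ordering::Acquire) == pid
    }
}

// Returns the classify rights after the verdict: the write flag is dropped only for
// permit/redirect verdicts on outbound connections of the owner process.
fn apply_rights(dev: &Device, v: Verdict, dir: Direction, pid: u32, rights: u32) -> u32 {
    let allows = !matches!(v, Verdict::Block);
    if allows && dir == Direction::Outbound && dev.is_owner_pid(pid) {
        rights & !FWPS_RIGHT_ACTION_WRITE
    } else {
        rights
    }
}

fn main() {
    let dev = Device::new();
    dev.on_create(4242); // constructed PID
    let own = apply_rights(&dev, Verdict::RedirectSplitTunnel, Direction::Outbound, 4242, 0x1);
    let other = apply_rights(&dev, Verdict::Permit, Direction::Outbound, 5000, 0x1);
    println!("own rights={own:#x}, other rights={other:#x}");
}
```

Because whichever process is recorded as owner has its permitted outbound connections shielded from later filters, the model refuses to let a second opener replace the recorded PID and never treats PID 0 as an owner.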

Add Verdict::RedirectSplitTunnel (11) with PM_SPLIT_TUN_PORT redirection.
Wire up the new verdict in ALE, packet, and device layers alongside the
existing redirect verdicts. RedirectSplitTunnel is kept last in the enum
so older Portmaster versions (which only know verdicts 0–10) remain
unaffected.

Add IRP_MJ_CREATE and IRP_MJ_CLEANUP handlers to capture and clear the
PID of the user-space process that holds the device handle open.

- wdk/ffi: expose PsGetCurrentProcessId kernel API
- wdk/irp_helpers: add CreateRequest and CleanupRequest wrappers
- driver/device: add owner_pid AtomicU32 field with lock-free access
  for callouts; add is_owner_pid() helper
- driver/entry: register driver_create/driver_cleanup dispatch routines
  that store/clear owner_pid on connect/disconnect

…onnections

When a permitted connection is initiated by Portmaster itself, clear the
write flag on the classify result so subsequent filters in the sublayer
chain cannot override the permit action.

stenya self-assigned this Mar 6, 2026
coderabbitai Bot commented Mar 6, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between d216fc2 and baf436c.

📒 Files selected for processing (11)
  • windows_kext/driver/src/ale_callouts.rs
  • windows_kext/driver/src/connection.rs
  • windows_kext/driver/src/device.rs
  • windows_kext/driver/src/entry.rs
  • windows_kext/driver/src/packet_callouts.rs
  • windows_kext/test/BUILD_DEBUG.md
  • windows_kext/test/README.md
  • windows_kext/test/build_test.ps1
  • windows_kext/wdk/src/ffi.rs
  • windows_kext/wdk/src/irp_helpers.rs
  • windows_kext/wdk/src/rw_spin_lock.rs

Walkthrough

This change extends the Windows kernel driver with split-tunnel redirect support by introducing a new RedirectSplitTunnel verdict variant, implementing device owner process ID tracking for lifecycle management, and wiring up driver create and cleanup handlers to manage device handle lifecycle.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Split-Tunnel Redirect Support: windows_kext/driver/src/connection.rs, windows_kext/driver/src/ale_callouts.rs, windows_kext/driver/src/packet_callouts.rs, windows_kext/driver/src/device.rs | Introduces new RedirectSplitTunnel verdict variant (value 11) with constant PM_SPLIT_TUN_PORT = 719; updates all redirect-handling code paths to recognize and process RedirectSplitTunnel alongside existing RedirectTunnel and RedirectNameServer, including verdict matching logic and packet injection paths. |
| Device Owner PID Tracking: windows_kext/driver/src/device.rs, windows_kext/driver/src/entry.rs | Adds atomic PID field (owner_pid: AtomicU32) to Device struct; implements is_owner_pid() query method; initializes tracking in device creation; wires create and cleanup handlers to update owner PID on device open/close. |
| Driver Lifecycle Handlers: windows_kext/driver/src/entry.rs | Implements driver_create() and driver_cleanup() handlers to manage IRP_MJ_CREATE and IRP_MJ_CLEANUP requests; extracts requestor PID, updates device owner, logs actions, and completes requests; registers handlers in driver entry. |
| WDK Bindings and Request Wrappers: windows_kext/wdk/src/ffi.rs, windows_kext/wdk/src/irp_helpers.rs, windows_kext/wdk/src/rw_spin_lock.rs | Adds PsGetCurrentProcessId() FFI binding for retrieving current process ID; introduces new CreateRequest<'a> and CleanupRequest<'a> wrapper types with lifecycle methods; updates return type signatures of ReadRequest, WriteRequest, DeviceControlRequest constructors and RwSpinLock lock methods to explicitly include lifetime parameters. |
| Test and Build Documentation: windows_kext/test/BUILD_DEBUG.md, windows_kext/test/README.md, windows_kext/test/build_test.ps1 | Adds comprehensive test infrastructure including build automation script (PowerShell) with cargo compilation, driver linking, and code signing; includes detailed build/debug documentation with prerequisites, commands, troubleshooting, and driver loading instructions. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • dhaavi

stenya added this to the v2.1.9 milestone Mar 6, 2026
stenya changed the title from "feat(kext): owner PID tracking, downstream filter bypass, and split-tunneling routing support" to "feat(windows-kext): owner PID tracking, downstream filter bypass, and split-tunneling routing support" Mar 6, 2026
stenya marked this pull request as ready for review March 10, 2026 12:22
stenya merged commit 6fd5c72 into development Mar 10, 2026
3 of 4 checks passed