feat: add bindings for network headers (WFP only) #595
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds FFI bindings for a subset of Windows network headers specifically used with Windows Filtering Platform (WFP). The implementation includes manual definition of NET_BUFFER_HEADER to work around bindgen's limitation with unnamed union fields.
Key changes:
- Adds a new "network" feature flag and corresponding module structure
- Implements bindgen configuration to generate network API bindings from ndis.h, Fwpmk.h, and Fwpsk.h
- Introduces global
wrap_unsafe_ops(true)setting affecting all bindgen-generated code - Adds NDIS_SUPPORT_NDIS6 preprocessor definition and network library linking for kernel-mode drivers
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| crates/wdk-sys/Cargo.toml | Adds "network" feature flag |
| crates/wdk-sys/src/lib.rs | Conditionally exposes network module for WDM, KMDF, and UMDF driver types |
| crates/wdk-sys/src/network.rs | New module containing network API bindings with structure matching other feature modules |
| crates/wdk-sys/src/types.rs | Manual definition of NET_BUFFER_HEADER union to work around bindgen limitation |
| crates/wdk-sys/build.rs | Adds generate_network function and registers it with bindgen generation pipeline |
| crates/wdk-build/src/lib.rs | Adds Network API subset, defines network headers, adds NDIS preprocessor definition, and links network libraries |
| crates/wdk-build/src/bindgen.rs | Blocklists problematic network types and enables wrap_unsafe_ops globally |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
crates/wdk-build/src/bindgen.rs
Outdated
| builder = builder.opaque_type("_USBPM_CLIENT_CONFIG_EXTRA_INFO"); | ||
| } | ||
|
|
||
| builder = builder.wrap_unsafe_ops(true); |
There was a problem hiding this comment.
The wrap_unsafe_ops(true) call affects all bindgen-generated code globally, not just network bindings. This change impacts all existing modules (types, ntddk, wdf, gpio, hid, usb, etc.) and may introduce breaking changes for consumers of this crate who weren't expecting their code to be wrapped in unsafe blocks. Consider whether this should be:
- Applied conditionally only for network bindings if it's specifically needed for network-related types
- Introduced in a separate PR with appropriate version bump and documentation about the breaking change
- Documented in the PR description explaining why this global change is necessary
There was a problem hiding this comment.
Correct me if I'm wrong, but this simply wraps unsafe ops in unsafe blocks for already-unsafe functions. Is that really breaking?
crates/wdk-build/src/lib.rs
Outdated
| println!("cargo:rustc-link-lib=Fwpkclnt"); | ||
| println!("cargo:rustc-link-lib=ntoskrnl"); | ||
| println!("cargo:rustc-link-lib=netio"); |
There was a problem hiding this comment.
The network-related libraries (Fwpkclnt, netio) are being linked unconditionally for all KMDF drivers, even when the network feature is not enabled. This will cause linker errors or unnecessary dependencies for KMDF drivers that don't use network functionality. These library links should be conditional on the network feature being enabled, similar to how other features are handled in the codebase.
| println!("cargo:rustc-link-lib=Fwpkclnt"); | |
| println!("cargo:rustc-link-lib=ntoskrnl"); | |
| println!("cargo:rustc-link-lib=netio"); | |
| if cfg!(feature = "network") { | |
| println!("cargo:rustc-link-lib=Fwpkclnt"); | |
| println!("cargo:rustc-link-lib=ntoskrnl"); | |
| println!("cargo:rustc-link-lib=netio"); | |
| } |
There was a problem hiding this comment.
wdk-build does not hide any of this behind feature flags.
| let mut defs = vec![("NDIS_SUPPORT_NDIS6", None)]; | ||
|
|
There was a problem hiding this comment.
The NDIS_SUPPORT_NDIS6 preprocessor definition is being added unconditionally for all driver builds, regardless of whether the network feature is enabled. This definition should only be added when network functionality is actually being used. Consider making this conditional on the network feature to avoid polluting the preprocessor namespace and potentially affecting non-network driver builds.
| let mut defs = vec![("NDIS_SUPPORT_NDIS6", None)]; | |
| let mut defs = Vec::new(); | |
| if cfg!(feature = "network") { | |
| defs.push(("NDIS_SUPPORT_NDIS6", None)); | |
| } |
There was a problem hiding this comment.
wdk-build does not hide any of this behind feature flags. I don't think this suggestion is correct.
|
@microsoft-github-policy-service agree company="Mullvad VPN" |
53df528 to
d58d810
Compare
d58d810 to
1e7ef94
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
524a6e9 to
1391495
Compare
1391495 to
20c049d
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
20c049d to
52007e9
Compare
This adds a bindings for a small set of network headers (the ones used for WFP).
bindgen apparently struggles a bit with union fields that are not named, so
NET_BUFFER_HEADERhad to be manually defined.The PR conflicts with the #450, so that should perhaps be merged first.
Related issue: #329