Move Firewall.wixext into ext

12 files changed, 883 insertions, 0 deletions

diff --git a/src/ext/Firewall/wixext/FirewallCompiler.cs b/src/ext/Firewall/wixext/FirewallCompiler.cs
new file mode 100644
index 00000000..cbe82d37
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallCompiler.cs
@@ -0,0 +1,354 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using System;
+    using System.Collections.Generic;
+    using System.Xml.Linq;
+    using WixToolset.Data;
+    using WixToolset.Extensibility;
+    using WixToolset.Extensibility.Data;
+    using WixToolset.Firewall.Symbols;
+
+    /// <summary>
+    /// The compiler for the WiX Toolset Firewall Extension.
+    /// </summary>
+    public sealed class FirewallCompiler : BaseCompilerExtension
+    {
+        public override XNamespace Namespace => "http://wixtoolset.org/schemas/v4/wxs/firewall";
+
+        /// <summary>
+        /// Processes an element for the Compiler.
+        /// </summary>
+        /// <param name="sourceLineNumbers">Source line number for the parent element.</param>
+        /// <param name="parentElement">Parent element of element to process.</param>
+        /// <param name="element">Element to process.</param>
+        /// <param name="contextValues">Extra information about the context in which this element is being parsed.</param>
+        public override void ParseElement(Intermediate intermediate, IntermediateSection section, XElement parentElement, XElement element, IDictionary<string, string> context)
+        {
+            switch (parentElement.Name.LocalName)
+            {
+                case "File":
+                    var fileId = context["FileId"];
+                    var fileComponentId = context["ComponentId"];
+
+                    switch (element.Name.LocalName)
+                    {
+                        case "FirewallException":
+                            this.ParseFirewallExceptionElement(intermediate, section, element, fileComponentId, fileId);
+                            break;
+                        default:
+                            this.ParseHelper.UnexpectedElement(parentElement, element);
+                            break;
+                    }
+                    break;
+                case "Component":
+                    var componentId = context["ComponentId"];
+
+                    switch (element.Name.LocalName)
+                    {
+                        case "FirewallException":
+                            this.ParseFirewallExceptionElement(intermediate, section, element, componentId, null);
+                            break;
+                        default:
+                            this.ParseHelper.UnexpectedElement(parentElement, element);
+                            break;
+                    }
+                    break;
+                default:
+                    this.ParseHelper.UnexpectedElement(parentElement, element);
+                    break;
+            }
+        }
+
+        /// <summary>
+        /// Parses a FirewallException element.
+        /// </summary>
+        /// <param name="element">The element to parse.</param>
+        /// <param name="componentId">Identifier of the component that owns this firewall exception.</param>
+        /// <param name="fileId">The file identifier of the parent element (null if nested under Component).</param>
+        private void ParseFirewallExceptionElement(Intermediate intermediate, IntermediateSection section, XElement element, string componentId, string fileId)
+        {
+            var sourceLineNumbers = this.ParseHelper.GetSourceLineNumbers(element);
+            Identifier id = null;
+            string name = null;
+            int attributes = 0;
+            string file = null;
+            string program = null;
+            string port = null;
+            int? protocol = null;
+            int? profile = null;
+            string scope = null;
+            string remoteAddresses = null;
+            string description = null;
+            int? direction = null;
+
+            foreach (var attrib in element.Attributes())
+            {
+                if (String.IsNullOrEmpty(attrib.Name.NamespaceName) || this.Namespace == attrib.Name.Namespace)
+                {
+                    switch (attrib.Name.LocalName)
+                    {
+                        case "Id":
+                            id = this.ParseHelper.GetAttributeIdentifier(sourceLineNumbers, attrib);
+                            break;
+                        case "Name":
+                            name = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "File":
+                            if (null != fileId)
+                            {
+                                this.Messaging.Write(ErrorMessages.IllegalAttributeWhenNested(sourceLineNumbers, element.Name.LocalName, "File", "File"));
+                            }
+                            else
+                            {
+                                file = this.ParseHelper.GetAttributeIdentifierValue(sourceLineNumbers, attrib);
+                            }
+                            break;
+                        case "IgnoreFailure":
+                            if (YesNoType.Yes == this.ParseHelper.GetAttributeYesNoValue(sourceLineNumbers, attrib))
+                            {
+                                attributes |= 0x1; // feaIgnoreFailures
+                            }
+                            break;
+                        case "Program":
+                            if (null != fileId)
+                            {
+                                this.Messaging.Write(ErrorMessages.IllegalAttributeWhenNested(sourceLineNumbers, element.Name.LocalName, "Program", "File"));
+                            }
+                            else
+                            {
+                                program = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            }
+                            break;
+                        case "Port":
+                            port = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "Protocol":
+                            var protocolValue = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            switch (protocolValue)
+                            {
+                                case "tcp":
+                                    protocol = FirewallConstants.NET_FW_IP_PROTOCOL_TCP;
+                                    break;
+                                case "udp":
+                                    protocol = FirewallConstants.NET_FW_IP_PROTOCOL_UDP;
+                                    break;
+                                default:
+                                    this.Messaging.Write(ErrorMessages.IllegalAttributeValue(sourceLineNumbers, element.Name.LocalName, "Protocol", protocolValue, "tcp", "udp"));
+                                    break;
+                            }
+                            break;
+                        case "Scope":
+                            scope = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            switch (scope)
+                            {
+                                case "any":
+                                    remoteAddresses = "*";
+                                    break;
+                                case "localSubnet":
+                                    remoteAddresses = "LocalSubnet";
+                                    break;
+                                default:
+                                    this.Messaging.Write(ErrorMessages.IllegalAttributeValue(sourceLineNumbers, element.Name.LocalName, "Scope", scope, "any", "localSubnet"));
+                                    break;
+                            }
+                            break;
+                        case "Profile":
+                            var profileValue = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            switch (profileValue)
+                            {
+                                case "domain":
+                                    profile = FirewallConstants.NET_FW_PROFILE2_DOMAIN;
+                                    break;
+                                case "private":
+                                    profile = FirewallConstants.NET_FW_PROFILE2_PRIVATE;
+                                    break;
+                                case "public":
+                                    profile = FirewallConstants.NET_FW_PROFILE2_PUBLIC;
+                                    break;
+                                case "all":
+                                    profile = FirewallConstants.NET_FW_PROFILE2_ALL;
+                                    break;
+                                default:
+                                    this.Messaging.Write(ErrorMessages.IllegalAttributeValue(sourceLineNumbers, element.Name.LocalName, "Profile", profileValue, "domain", "private", "public", "all"));
+                                    break;
+                            }
+                            break;
+                        case "Description":
+                            description = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "Outbound":
+                            direction = this.ParseHelper.GetAttributeYesNoValue(sourceLineNumbers, attrib) == YesNoType.Yes
+                                ? FirewallConstants.NET_FW_RULE_DIR_OUT
+                                : FirewallConstants.NET_FW_RULE_DIR_IN;
+                            break;
+                        default:
+                            this.ParseHelper.UnexpectedAttribute(element, attrib);
+                            break;
+                    }
+                }
+                else
+                {
+                    this.ParseHelper.ParseExtensionAttribute(this.Context.Extensions, intermediate, section, element, attrib);
+                }
+            }
+
+            // parse RemoteAddress children
+            foreach (var child in element.Elements())
+            {
+                if (this.Namespace == child.Name.Namespace)
+                {
+                    switch (child.Name.LocalName)
+                    {
+                        case "RemoteAddress":
+                            if (null != scope)
+                            {
+                                this.Messaging.Write(FirewallErrors.IllegalRemoteAddressWithScopeAttribute(sourceLineNumbers));
+                            }
+                            else
+                            {
+                                this.ParseRemoteAddressElement(intermediate, section, child, ref remoteAddresses);
+                            }
+                            break;
+                        default:
+                            this.ParseHelper.UnexpectedElement(element, child);
+                            break;
+                    }
+                }
+                else
+                {
+                    this.ParseHelper.ParseExtensionElement(this.Context.Extensions, intermediate, section, element, child);
+                }
+            }
+
+            if (null == id)
+            {
+                id = this.ParseHelper.CreateIdentifier("fex", name, remoteAddresses, componentId);
+            }
+
+            // Name is required
+            if (null == name)
+            {
+                this.Messaging.Write(ErrorMessages.ExpectedAttribute(sourceLineNumbers, element.Name.LocalName, "Name"));
+            }
+
+            // Scope or child RemoteAddress(es) are required
+            if (null == remoteAddresses)
+            {
+                this.Messaging.Write(ErrorMessages.ExpectedAttributeOrElement(sourceLineNumbers, element.Name.LocalName, "Scope", "RemoteAddress"));
+            }
+
+            // can't have both Program and File
+            if (null != program && null != file)
+            {
+                this.Messaging.Write(ErrorMessages.IllegalAttributeWithOtherAttribute(sourceLineNumbers, element.Name.LocalName, "File", "Program"));
+            }
+
+            // must be nested under File, have File or Program attributes, or have Port attribute
+            if (String.IsNullOrEmpty(fileId) && String.IsNullOrEmpty(file) && String.IsNullOrEmpty(program) && String.IsNullOrEmpty(port))
+            {
+                this.Messaging.Write(FirewallErrors.NoExceptionSpecified(sourceLineNumbers));
+            }
+
+            if (!this.Messaging.EncounteredError)
+            {
+                // at this point, File attribute and File parent element are treated the same
+                if (null != file)
+                {
+                    fileId = file;
+                }
+
+                var symbol = section.AddSymbol(new WixFirewallExceptionSymbol(sourceLineNumbers, id)
+                {
+                    Name = name,
+                    RemoteAddresses = remoteAddresses,
+                    Profile = profile ?? FirewallConstants.NET_FW_PROFILE2_ALL,
+                    ComponentRef = componentId,
+                    Description = description,
+                    Direction = direction ?? FirewallConstants.NET_FW_RULE_DIR_IN,
+                });
+
+                if (!String.IsNullOrEmpty(port))
+                {
+                    symbol.Port = port;
+
+                    if (!protocol.HasValue)
+                    {
+                        // default protocol is "TCP"
+                        protocol = FirewallConstants.NET_FW_IP_PROTOCOL_TCP;
+                    }
+                }
+
+                if (protocol.HasValue)
+                {
+                    symbol.Protocol = protocol.Value;
+                }
+
+                if (!String.IsNullOrEmpty(fileId))
+                {
+                    symbol.Program = $"[#{fileId}]";
+                    this.ParseHelper.CreateSimpleReference(section, sourceLineNumbers, SymbolDefinitions.File, fileId);
+                }
+                else if (!String.IsNullOrEmpty(program))
+                {
+                    symbol.Program = program;
+                }
+
+                if (CompilerConstants.IntegerNotSet != attributes)
+                {
+                    symbol.Attributes = attributes;
+                }
+
+                this.ParseHelper.CreateCustomActionReference(sourceLineNumbers, section, "Wix4SchedFirewallExceptionsInstall", this.Context.Platform, CustomActionPlatforms.ARM64 | CustomActionPlatforms.X64 | CustomActionPlatforms.X86);
+                this.ParseHelper.CreateCustomActionReference(sourceLineNumbers, section, "Wix4SchedFirewallExceptionsUninstall", this.Context.Platform, CustomActionPlatforms.ARM64 | CustomActionPlatforms.X64 | CustomActionPlatforms.X86);
+            }
+        }
+
+        /// <summary>
+        /// Parses a RemoteAddress element
+        /// </summary>
+        /// <param name="element">The element to parse.</param>
+        private void ParseRemoteAddressElement(Intermediate intermediate, IntermediateSection section, XElement element, ref string remoteAddresses)
+        {
+            var sourceLineNumbers = this.ParseHelper.GetSourceLineNumbers(element);
+            string address = null;
+
+            // no attributes
+            foreach (var attrib in element.Attributes())
+            {
+                if (String.IsNullOrEmpty(attrib.Name.NamespaceName) || this.Namespace == attrib.Name.Namespace)
+                {
+                    switch (attrib.Name.LocalName)
+                    {
+                        case "Value":
+                            address = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                    }
+                }
+                else
+                {
+                    this.ParseHelper.ParseExtensionAttribute(this.Context.Extensions, intermediate, section, element, attrib);
+                }
+            }
+
+            this.ParseHelper.ParseForExtensionElements(this.Context.Extensions, intermediate, section, element);
+
+            if (String.IsNullOrEmpty(address))
+            {
+                this.Messaging.Write(ErrorMessages.ExpectedAttribute(sourceLineNumbers, element.Name.LocalName, "Value"));
+            }
+            else
+            {
+                if (String.IsNullOrEmpty(remoteAddresses))
+                {
+                    remoteAddresses = address;
+                }
+                else
+                {
+                    remoteAddresses = String.Concat(remoteAddresses, ",", address);
+                }
+            }
+        }
+    }
+}
diff --git a/src/ext/Firewall/wixext/FirewallConstants.cs b/src/ext/Firewall/wixext/FirewallConstants.cs
new file mode 100644
index 00000000..7bb12ba4
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallConstants.cs
@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using System;
+    using System.Collections.Generic;
+    using System.Text;
+
+    static class FirewallConstants
+    {
+        // from icftypes.h
+        public const int NET_FW_RULE_DIR_IN = 1;
+        public const int NET_FW_RULE_DIR_OUT = 2;
+        public const int NET_FW_IP_PROTOCOL_TCP = 6;
+        public const int NET_FW_IP_PROTOCOL_UDP = 17;
+
+        // from icftypes.h
+        public const int NET_FW_PROFILE2_DOMAIN = 0x0001;
+        public const int NET_FW_PROFILE2_PRIVATE = 0x0002;
+        public const int NET_FW_PROFILE2_PUBLIC = 0x0004;
+        public const int NET_FW_PROFILE2_ALL = 0x7FFFFFFF;
+    }
+}
diff --git a/src/ext/Firewall/wixext/FirewallDecompiler.cs b/src/ext/Firewall/wixext/FirewallDecompiler.cs
new file mode 100644
index 00000000..c9478de1
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallDecompiler.cs
@@ -0,0 +1,182 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+#if TODO_CONSIDER_DECOMPILER
+    using System;
+    using System.Collections;
+    using System.Diagnostics;
+    using System.Globalization;
+    using WixToolset.Data;
+    using WixToolset.Extensibility;
+    using Firewall = WixToolset.Extensions.Serialize.Firewall;
+    using Wix = WixToolset.Data.Serialize;
+
+    /// <summary>
+    /// The decompiler for the WiX Toolset Firewall Extension.
+    /// </summary>
+    public sealed class FirewallDecompiler : DecompilerExtension
+    {
+        /// <summary>
+        /// Creates a decompiler for Firewall Extension.
+        /// </summary>
+        public FirewallDecompiler()
+        {
+            this.TableDefinitions = FirewallExtensionData.GetExtensionTableDefinitions();
+        }
+
+        /// <summary>
+        /// Get the extensions library to be removed.
+        /// </summary>
+        /// <param name="tableDefinitions">Table definitions for library.</param>
+        /// <returns>Library to remove from decompiled output.</returns>
+        public override Library GetLibraryToRemove(TableDefinitionCollection tableDefinitions)
+        {
+            return FirewallExtensionData.GetExtensionLibrary(tableDefinitions);
+        }
+
+        /// <summary>
+        /// Decompiles an extension table.
+        /// </summary>
+        /// <param name="table">The table to decompile.</param>
+        public override void DecompileTable(Table table)
+        {
+            switch (table.Name)
+            {
+                case "WixFirewallException":
+                    this.DecompileWixFirewallExceptionTable(table);
+                    break;
+                default:
+                    base.DecompileTable(table);
+                    break;
+            }
+        }
+
+        /// <summary>
+        /// Decompile the WixFirewallException table.
+        /// </summary>
+        /// <param name="table">The table to decompile.</param>
+        private void DecompileWixFirewallExceptionTable(Table table)
+        {
+            foreach (Row row in table.Rows)
+            {
+                Firewall.FirewallException fire = new Firewall.FirewallException();
+                fire.Id = (string)row[0];
+                fire.Name = (string)row[1];
+
+                string[] addresses = ((string)row[2]).Split(',');
+                if (1 == addresses.Length)
+                {
+                    // special-case the Scope attribute values
+                    if ("*" == addresses[0])
+                    {
+                        fire.Scope = Firewall.FirewallException.ScopeType.any;
+                    }
+                    else if ("LocalSubnet" == addresses[0])
+                    {
+                        fire.Scope = Firewall.FirewallException.ScopeType.localSubnet;
+                    }
+                    else
+                    {
+                        FirewallDecompiler.AddRemoteAddress(fire, addresses[0]);
+                    }
+                }
+                else
+                {
+                    foreach (string address in addresses)
+                    {
+                        FirewallDecompiler.AddRemoteAddress(fire, address);
+                    }
+                }
+
+                if (!row.IsColumnEmpty(3))
+                {
+                    fire.Port = (string)row[3];
+                }
+
+                if (!row.IsColumnEmpty(4))
+                {
+                    switch (Convert.ToInt32(row[4]))
+                    {
+                        case FirewallConstants.NET_FW_IP_PROTOCOL_TCP:
+                            fire.Protocol = Firewall.FirewallException.ProtocolType.tcp;
+                            break;
+                        case FirewallConstants.NET_FW_IP_PROTOCOL_UDP:
+                            fire.Protocol = Firewall.FirewallException.ProtocolType.udp;
+                            break;
+                    }
+                }
+
+                if (!row.IsColumnEmpty(5))
+                {
+                    fire.Program = (string)row[5];
+                }
+
+                if (!row.IsColumnEmpty(6))
+                {
+                    int attr = Convert.ToInt32(row[6]);
+                    if (0x1 == (attr & 0x1)) // feaIgnoreFailures
+                    {
+                        fire.IgnoreFailure = Firewall.YesNoType.yes;
+                    }
+                }
+
+                if (!row.IsColumnEmpty(7))
+                {
+                    switch (Convert.ToInt32(row[7]))
+                    {
+                        case FirewallConstants.NET_FW_PROFILE2_DOMAIN:
+                            fire.Profile = Firewall.FirewallException.ProfileType.domain;
+                            break;
+                        case FirewallConstants.NET_FW_PROFILE2_PRIVATE:
+                            fire.Profile = Firewall.FirewallException.ProfileType.@private;
+                            break;
+                        case FirewallConstants.NET_FW_PROFILE2_PUBLIC:
+                            fire.Profile = Firewall.FirewallException.ProfileType.@public;
+                            break;
+                        case FirewallConstants.NET_FW_PROFILE2_ALL:
+                            fire.Profile = Firewall.FirewallException.ProfileType.all;
+                            break;
+                    }
+                }
+
+                // Description column is new in v3.6
+                if (9 < row.Fields.Length && !row.IsColumnEmpty(9))
+                {
+                    fire.Description = (string)row[9];
+                }
+
+                if (!row.IsColumnEmpty(10))
+                {
+                    switch (Convert.ToInt32(row[10]))
+                    {
+                        case FirewallConstants.NET_FW_RULE_DIR_IN:
+                            fire.Direction = Firewall.FirewallException.DirectionType.@in;
+                            break;
+                        case FirewallConstants.NET_FW_RULE_DIR_OUT:
+                            fire.Direction = Firewall.FirewallException.DirectionType.@out;
+                            break;
+                    }
+                }
+
+                Wix.Component component = (Wix.Component)this.Core.GetIndexedElement("Component", (string)row[8]);
+                if (null != component)
+                {
+                    component.AddChild(fire);
+                }
+                else
+                {
+                    this.Core.OnMessage(WixWarnings.ExpectedForeignRow(row.SourceLineNumbers, table.Name, row.GetPrimaryKey(DecompilerConstants.PrimaryKeyDelimiter), "Component_", (string)row[6], "Component"));
+                }
+            }
+        }
+
+        private static void AddRemoteAddress(Firewall.FirewallException fire, string address)
+        {
+            Firewall.RemoteAddress remote = new Firewall.RemoteAddress();
+            remote.Content = address;
+            fire.AddChild(remote);
+        }
+    }
+#endif
+}
diff --git a/src/ext/Firewall/wixext/FirewallErrors.cs b/src/ext/Firewall/wixext/FirewallErrors.cs
new file mode 100644
index 00000000..b2dac782
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallErrors.cs
@@ -0,0 +1,36 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using System.Resources;
+    using WixToolset.Data;
+
+    public static class FirewallErrors
+    {
+        public static Message IllegalRemoteAddressWithScopeAttribute(SourceLineNumber sourceLineNumbers)
+        {
+            return Message(sourceLineNumbers, Ids.IllegalRemoteAddressWithScopeAttribute, "The RemoteAddress element cannot be specified because its parent FirewallException already specified the Scope attribute. To use RemoteAddress elements, omit the Scope attribute.");
+        }
+
+        public static Message NoExceptionSpecified(SourceLineNumber sourceLineNumbers)
+        {
+            return Message(sourceLineNumbers, Ids.NoExceptionSpecified, "The FirewallException element doesn't identify the target of the firewall exception. To create an application exception, nest the FirewallException element under a File element or provide a value for the File or Program attributes. To create a port exception, provide a value for the Port attribute.");
+        }
+
+        private static Message Message(SourceLineNumber sourceLineNumber, Ids id, string format, params object[] args)
+        {
+            return new Message(sourceLineNumber, MessageLevel.Error, (int)id, format, args);
+        }
+
+        private static Message Message(SourceLineNumber sourceLineNumber, Ids id, ResourceManager resourceManager, string resourceName, params object[] args)
+        {
+            return new Message(sourceLineNumber, MessageLevel.Error, (int)id, resourceManager, resourceName, args);
+        }
+
+        public enum Ids
+        {
+            IllegalRemoteAddressWithScopeAttribute = 6401,
+            NoExceptionSpecified = 6403,
+        }
+    }
+}
diff --git a/src/ext/Firewall/wixext/FirewallExtensionData.cs b/src/ext/Firewall/wixext/FirewallExtensionData.cs
new file mode 100644
index 00000000..7481d993
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallExtensionData.cs
@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using WixToolset.Data;
+    using WixToolset.Extensibility;
+
+    public sealed class FirewallExtensionData : BaseExtensionData
+    {
+        public override string DefaultCulture => "en-US";
+
+        public override bool TryGetSymbolDefinitionByName(string name, out IntermediateSymbolDefinition symbolDefinition)
+        {
+            symbolDefinition = FirewallSymbolDefinitions.ByName(name);
+            return symbolDefinition != null;
+        }
+
+        public override Intermediate GetLibrary(ISymbolDefinitionCreator symbolDefinitions)
+        {
+            return Intermediate.Load(typeof(FirewallExtensionData).Assembly, "WixToolset.Firewall.firewall.wixlib", symbolDefinitions);
+        }
+    }
+}
diff --git a/src/ext/Firewall/wixext/FirewallExtensionFactory.cs b/src/ext/Firewall/wixext/FirewallExtensionFactory.cs
new file mode 100644
index 00000000..279b322a
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallExtensionFactory.cs
@@ -0,0 +1,18 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using System;
+    using System.Collections.Generic;
+    using WixToolset.Extensibility;
+
+    public class FirewallExtensionFactory : BaseExtensionFactory
+    {
+        protected override IReadOnlyCollection<Type> ExtensionTypes => new[]
+        {
+            typeof(FirewallCompiler),
+            typeof(FirewallExtensionData),
+            typeof(FirewallWindowsInstallerBackendBinderExtension),
+        };
+    }
+}
diff --git a/src/ext/Firewall/wixext/FirewallTableDefinitions.cs b/src/ext/Firewall/wixext/FirewallTableDefinitions.cs
new file mode 100644
index 00000000..04918f5f
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallTableDefinitions.cs
@@ -0,0 +1,34 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using WixToolset.Data.WindowsInstaller;
+
+    public static class FirewallTableDefinitions
+    {
+        public static readonly TableDefinition WixFirewallException = new TableDefinition(
+            "Wix4FirewallException",
+            FirewallSymbolDefinitions.WixFirewallException,
+            new[]
+            {
+                new ColumnDefinition("Wix4FirewallException", ColumnType.String, 72, primaryKey: true, nullable: false, ColumnCategory.Identifier, description: "The primary key, a non-localized token.", modularizeType: ColumnModularizeType.Column),
+                new ColumnDefinition("Name", ColumnType.Localized, 255, primaryKey: false, nullable: true, ColumnCategory.Formatted, description: "Localizable display name.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("RemoteAddresses", ColumnType.String, 0, primaryKey: false, nullable: false, ColumnCategory.Formatted, description: "Remote address to accept incoming connections from.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("Port", ColumnType.String, 0, primaryKey: false, nullable: true, ColumnCategory.Formatted, minValue: 1, description: "Port number.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("Protocol", ColumnType.Number, 1, primaryKey: false, nullable: true, ColumnCategory.Integer, minValue: 6, maxValue: 17, description: "Protocol (6=TCP; 17=UDP)."),
+                new ColumnDefinition("Program", ColumnType.String, 255, primaryKey: false, nullable: true, ColumnCategory.Formatted, description: "Exception for a program (formatted path name).", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("Attributes", ColumnType.Number, 4, primaryKey: false, nullable: true, ColumnCategory.Unknown, description: "Vital=1"),
+                new ColumnDefinition("Profile", ColumnType.Number, 4, primaryKey: false, nullable: false, ColumnCategory.Integer, minValue: 1, maxValue: 2147483647, description: "Profile (1=domain; 2=private; 4=public; 2147483647=all)."),
+                new ColumnDefinition("Component_", ColumnType.String, 72, primaryKey: false, nullable: false, ColumnCategory.Identifier, keyTable: "Component", keyColumn: 1, description: "Foreign key into the Component table referencing component that controls the firewall configuration.", modularizeType: ColumnModularizeType.Column),
+                new ColumnDefinition("Description", ColumnType.String, 255, primaryKey: false, nullable: true, ColumnCategory.Formatted, description: "Description displayed in Windows Firewall manager for this firewall rule."),
+                new ColumnDefinition("Direction", ColumnType.Number, 1, primaryKey: false, nullable: true, ColumnCategory.Integer, minValue: 1, maxValue: 2, description: "Direction (1=in; 2=out)"),
+            },
+            symbolIdIsPrimaryKey: true
+        );
+
+        public static readonly TableDefinition[] All = new[]
+        {
+            WixFirewallException,
+        };
+    }
+}
diff --git a/src/ext/Firewall/wixext/FirewallWindowsInstallerBackendExtension.cs b/src/ext/Firewall/wixext/FirewallWindowsInstallerBackendExtension.cs
new file mode 100644
index 00000000..b5b97d85
--- /dev/null
+++ b/src/ext/Firewall/wixext/FirewallWindowsInstallerBackendExtension.cs
@@ -0,0 +1,13 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using System.Collections.Generic;
+    using WixToolset.Data.WindowsInstaller;
+    using WixToolset.Extensibility;
+
+    public class FirewallWindowsInstallerBackendBinderExtension : BaseWindowsInstallerBackendBinderExtension
+    {
+        public override IReadOnlyCollection<TableDefinition> TableDefinitions => FirewallTableDefinitions.All;
+    }
+}
diff --git a/src/ext/Firewall/wixext/Symbols/FirewallSymbolDefinitions.cs b/src/ext/Firewall/wixext/Symbols/FirewallSymbolDefinitions.cs
new file mode 100644
index 00000000..887893c7
--- /dev/null
+++ b/src/ext/Firewall/wixext/Symbols/FirewallSymbolDefinitions.cs
@@ -0,0 +1,39 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using System;
+    using WixToolset.Data;
+
+    public enum FirewallSymbolDefinitionType
+    {
+        WixFirewallException,
+    }
+
+    public static partial class FirewallSymbolDefinitions
+    {
+        public static readonly Version Version = new Version("4.0.0");
+
+        public static IntermediateSymbolDefinition ByName(string name)
+        {
+            if (!Enum.TryParse(name, out FirewallSymbolDefinitionType type))
+            {
+                return null;
+            }
+
+            return ByType(type);
+        }
+
+        public static IntermediateSymbolDefinition ByType(FirewallSymbolDefinitionType type)
+        {
+            switch (type)
+            {
+                case FirewallSymbolDefinitionType.WixFirewallException:
+                    return FirewallSymbolDefinitions.WixFirewallException;
+
+                default:
+                    throw new ArgumentOutOfRangeException(nameof(type));
+            }
+        }
+    }
+}
diff --git a/src/ext/Firewall/wixext/Symbols/WixFirewallExceptionSymbol.cs b/src/ext/Firewall/wixext/Symbols/WixFirewallExceptionSymbol.cs
new file mode 100644
index 00000000..620de969
--- /dev/null
+++ b/src/ext/Firewall/wixext/Symbols/WixFirewallExceptionSymbol.cs
@@ -0,0 +1,119 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Firewall
+{
+    using WixToolset.Data;
+    using WixToolset.Firewall.Symbols;
+
+    public static partial class FirewallSymbolDefinitions
+    {
+        public static readonly IntermediateSymbolDefinition WixFirewallException = new IntermediateSymbolDefinition(
+            FirewallSymbolDefinitionType.WixFirewallException.ToString(),
+            new[]
+            {
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Name), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.RemoteAddresses), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Port), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Protocol), IntermediateFieldType.Number),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Program), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Attributes), IntermediateFieldType.Number),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Profile), IntermediateFieldType.Number),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.ComponentRef), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Description), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixFirewallExceptionSymbolFields.Direction), IntermediateFieldType.Number),
+            },
+            typeof(WixFirewallExceptionSymbol));
+    }
+}
+
+namespace WixToolset.Firewall.Symbols
+{
+    using WixToolset.Data;
+
+    public enum WixFirewallExceptionSymbolFields
+    {
+        Name,
+        RemoteAddresses,
+        Port,
+        Protocol,
+        Program,
+        Attributes,
+        Profile,
+        ComponentRef,
+        Description,
+        Direction,
+    }
+
+    public class WixFirewallExceptionSymbol : IntermediateSymbol
+    {
+        public WixFirewallExceptionSymbol() : base(FirewallSymbolDefinitions.WixFirewallException, null, null)
+        {
+        }
+
+        public WixFirewallExceptionSymbol(SourceLineNumber sourceLineNumber, Identifier id = null) : base(FirewallSymbolDefinitions.WixFirewallException, sourceLineNumber, id)
+        {
+        }
+
+        public IntermediateField this[WixFirewallExceptionSymbolFields index] => this.Fields[(int)index];
+
+        public string Name
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Name].AsString();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Name, value);
+        }
+
+        public string RemoteAddresses
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.RemoteAddresses].AsString();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.RemoteAddresses, value);
+        }
+
+        public string Port
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Port].AsString();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Port, value);
+        }
+
+        public int? Protocol
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Protocol].AsNullableNumber();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Protocol, value);
+        }
+
+        public string Program
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Program].AsString();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Program, value);
+        }
+
+        public int Attributes
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Attributes].AsNumber();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Attributes, value);
+        }
+
+        public int Profile
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Profile].AsNumber();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Profile, value);
+        }
+
+        public string ComponentRef
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.ComponentRef].AsString();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.ComponentRef, value);
+        }
+
+        public string Description
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Description].AsString();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Description, value);
+        }
+
+        public int Direction
+        {
+            get => this.Fields[(int)WixFirewallExceptionSymbolFields.Direction].AsNumber();
+            set => this.Set((int)WixFirewallExceptionSymbolFields.Direction, value);
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/ext/Firewall/wixext/WixToolset.Firewall.wixext.csproj b/src/ext/Firewall/wixext/WixToolset.Firewall.wixext.csproj
new file mode 100644
index 00000000..6704dad2
--- /dev/null
+++ b/src/ext/Firewall/wixext/WixToolset.Firewall.wixext.csproj
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
+
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <RootNamespace>WixToolset.Firewall</RootNamespace>
+    <Description>WiX Toolset Firewallity Extension</Description>
+    <Title>WiX Toolset Firewall Extension</Title>
+    <IsTool>true</IsTool>
+    <ContentTargetFolders>build</ContentTargetFolders>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Content Include="$(MSBuildThisFileName).targets" />
+    <EmbeddedResource Include="$(OutputPath)..\firewall.wixlib" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="WixToolset.Data" Version="4.0.*" PrivateAssets="all" />
+    <PackageReference Include="WixToolset.Extensibility" Version="4.0.*" PrivateAssets="all" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\wixlib\firewall.wixproj" ReferenceOutputAssembly="false" Condition=" '$(NCrunch)'=='' " />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Nerdbank.GitVersioning" Version="3.3.37" PrivateAssets="all" />
+  </ItemGroup>
+</Project>
diff --git a/src/ext/Firewall/wixext/WixToolset.Firewall.wixext.targets b/src/ext/Firewall/wixext/WixToolset.Firewall.wixext.targets
new file mode 100644
index 00000000..c717450f
--- /dev/null
+++ b/src/ext/Firewall/wixext/WixToolset.Firewall.wixext.targets
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
+
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
+  <PropertyGroup>
+    <WixToolsetFirewallWixextPath Condition=" '$(WixToolsetFirewallWixextPath)' == '' ">$(MSBuildThisFileDirectory)..\tools\WixToolset.Firewall.wixext.dll</WixToolsetFirewallWixextPath>
+  </PropertyGroup>
+  <ItemGroup>
+    <WixExtension Include="$(WixToolsetFirewallWixextPath)" />
+  </ItemGroup>
+</Project>