locked
FwpsStreamInjectAsync0 and lower weighted filters RRS feed

  • Question

  • Hello,

    I have a WFP fiter driver which routes HTTP connections through a user-mode application.

    This driver is part of 2 different products, which work fine on their own. But when both of them are installed, only one of them sees the network traffic.

    The driver is installed twice under different paths. The connect, disconnect events are received by both filters, but send/receive events reach only one of the filters.

    The drivers use FwpsStreamInjectAsync0 to reinject data back into the stream after the user mode application finishes analyzing it. This data reaches the application but not the other filter.

    Both filters are at sublayer FWPM_SUBLAYER_UNIVERSAL. Initially the weight was FWP_EMPTY, but the effective weight computer by the WFP system was 0 in both cases, so I manually set the weight to type FWP_UINT8 and values 1 and 2. Now the filters have different weights but the problem still occurs.

    I'm testing on a Windows 7 system.

    Where should I look next?

    Thank you.

     

    Tuesday, July 13, 2010 1:06 PM

Answers

  • I have solved it by registering and using a different sub-layer for each driver instead of FWPM_SUBLAYER_UNIVERSAL.

    The FWPM_FILTER0.weight parameter seems broken.

    Tuesday, July 13, 2010 4:08 PM

All replies

  • I have solved it by registering and using a different sub-layer for each driver instead of FWPM_SUBLAYER_UNIVERSAL.

    The FWPM_FILTER0.weight parameter seems broken.

    Tuesday, July 13, 2010 4:08 PM
  • This is likely by design.  Youre filters were arbitrated, and 1 won out over the other.  The weight is an input parameter which is used to help comput the filters effective weight.

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Friday, July 16, 2010 1:44 AM
    Moderator