ClassifyFn is not called

  • Question

  • Hi everyone,

     

    I am trying to implement a basic callout driver, which blocks all outgoing tcp traffic (at this stage, it will be extended and some useful features will be added later).

    The callout registers at FWPM_LAYER_STREAM_V4 and I use the following filter conditions to catch all outgoing tcp traffic:

     

    filterCondition[0].fieldKey = FWPM_CONDITION_DIRECTION;
    filterCondition[0].matchType = FWP_MATCH_EQUAL;
    filterCondition[0].conditionValue.type = FWP_UINT32;
    filterCondition[0].conditionValue.uint32 = FWP_DIRECTION_OUTBOUND;

     

    My simple classifyFn function works as follows:

     

    catchall(…)
    {
        FWPS_STREAM_DATA *streamData;

        streamData = ((FWPS_STREAM_CALLOUT_IO_PACKET *) layerData)->streamData;

        DbgPrint("HW: Blocking Traffic!");

        if (streamData->flags & FWPS_STREAM_FLAG_RECEIVE)
        {
            DbgPrint("Pkg: incoming");
        }
        if (streamData->flags & FWPS_STREAM_FLAG_SEND)
        {
            DbgPrint("Pkg: Outgoing");
        }

        /* A callout may only write actionType when the engine grants it the write right. */
        if (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE)
        {
            classifyOut->actionType = FWP_ACTION_BLOCK;
        }
        ((FWPS_STREAM_CALLOUT_IO_PACKET *) layerData)->streamAction = FWPS_STREAM_ACTION_NONE;
    }

     

    After I’ve loaded the callout driver, all tcp traffic is blocked as it is supposed to be. But I don’t see any of the debug messages from this function. The registration of the callout and filter is successful.

    I don’t get it, because as far as I understand it, the classifyFn function decides to block the traffic. Because the traffic “seems” to be blocked, the function should be called, but no dbg messages from this function show up in DebugView.

     

    Some code snippets, which may be helpful:

     

    The FWPM_FILTER initialization:

    filter.layerKey = *layer;
    filter.displayData.name = L"BlockAll Filter";
    filter.displayData.description = L"Filter that blocks all data";
    filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
    filter.action.calloutKey = *cKey;
    filter.filterCondition = filterCondition;
    filter.numFilterConditions = 1;   /* must match the filterCondition array; with 0 the direction condition is ignored */
    filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
    filter.weight.type = FWP_EMPTY;

     

     

    Can somebody give me a hint where to look, because I don’t understand why my classifyFn function is not called. Thanks for any advice.

     

    Kind Regards,

    Den

    Sunday, October 18, 2009 6:22 PM

Answers

  • Found my error: I just forget to call FwpmTransactionCommit0(DeviceExtension->EngineHandle);

    • Marked as answer by Mips128 Monday, October 19, 2009 5:41 PM
    Monday, October 19, 2009 5:41 PM

All replies

  • I just found in the documentation that if the classifyFn function does not alter / set classifyOut->actionType and the filter action.type is set to FWP_ACTION_CALLOUT_TERMINATING, the default behavior is to block the packet. So this explains why all traffic is blocked while the classify function is not executed, but I am still searching for the problem why catchall is not called. Even though the callout registration is successful:
        sCallout.calloutKey = *cKey;
        sCallout.classifyFn = catchall;
        sCallout.notifyFn = notifyall;

        status = FwpsCalloutRegister(pdev, &sCallout, id);

    And I forgot to add: I am running this on Windows 7 (32 Bit)

    Any ideas?

    Monday, October 19, 2009 3:45 PM
  • Have you set a breakpoint on your Classify Function? Have you verified your KD's debug message mask?

    Do you have any other filters on the box (maybe at ALE which would block the TCP handshake)?

    Hope this helps.


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Monday, October 19, 2009 5:41 PM
    Moderator