problem with FwpmFilterAdd0

  • Question

  • Hi, I have met a problem. When I add a filter to the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, the function FwpmFilterAdd0 returns an error of STATUS_FWP_CONDITION_NOT_FOUND (status code: c0220002). I don't understand what it means.

    It confuses me a lot. Can anyone help me? Thanks!!!

    NTSTATUS
    AddFilter2ALEConnectLayer(
        IN const wchar_t* filterName,
        IN const wchar_t* filterDesc,
        IN UINT64 context,
        IN const GUID* layerKey,
        IN const GUID* calloutKey)
    {
        NTSTATUS status = STATUS_SUCCESS;

        FWPM_FILTER0 filter = { 0 };
        FWPM_FILTER_CONDITION0 filterConditions[6] = { 0 };
        FWP_RANGE0 IpRange, RemotePortRange, LocalPortRange;
        UINT conditionIndex;
        FWP_BYTE_BLOB applicationPath;

        filter.layerKey = *layerKey;
        filter.displayData.name = (wchar_t*)filterName;
        filter.displayData.description = (wchar_t*)filterDesc;
        filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
        filter.action.calloutKey = *calloutKey;
        filter.filterCondition = 0; // set below once the conditions are built
        filter.subLayerKey = WFP_FILTER_SUBLAYER;
        filter.weight.type = FWP_EMPTY;
        filter.rawContext = context;

        conditionIndex = 0;

        //
        // application id (NT path of the process image)
        //
        status = get_appid_from_k(&applicationPath,
            L"\\DosDevices\\C:\\Users\\ShenDayu\\Desktop\\IPMSG.exe",
            wcslen(L"\\DosDevices\\C:\\Users\\ShenDayu\\Desktop\\IPMSG.exe"));
        if (!NT_SUCCESS(status))
        {
            goto Exit;
        }

        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_ALE_APP_ID;
        filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
        filterConditions[conditionIndex].conditionValue.type = FWP_BYTE_BLOB_TYPE;
        filterConditions[conditionIndex].conditionValue.byteBlob = &applicationPath;

        conditionIndex++;
        //
        // remote IP range (IPv4 addresses are FWP_UINT32 at a V4 layer)
        //
        IpRange.valueHigh.type = FWP_UINT32;
        IpRange.valueHigh.uint32 = 0xFFFFFFFF;
        IpRange.valueLow.type = FWP_UINT32;
        IpRange.valueLow.uint32 = 0;
        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;
        filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
        filterConditions[conditionIndex].conditionValue.rangeValue = &IpRange;

        conditionIndex++;
        //
        // remote port range (ports are FWP_UINT16, so fill the uint16 member)
        //
        RemotePortRange.valueHigh.type = FWP_UINT16;
        RemotePortRange.valueHigh.uint16 = 65535;
        RemotePortRange.valueLow.type = FWP_UINT16;
        RemotePortRange.valueLow.uint16 = 0;

        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;
        filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
        filterConditions[conditionIndex].conditionValue.rangeValue = &RemotePortRange;

        conditionIndex++;
        //
        // local port range
        //
        LocalPortRange.valueHigh.type = FWP_UINT16;
        LocalPortRange.valueHigh.uint16 = 65535;
        LocalPortRange.valueLow.type = FWP_UINT16;
        LocalPortRange.valueLow.uint16 = 0;

        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;
        filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
        filterConditions[conditionIndex].conditionValue.rangeValue = &LocalPortRange;

        conditionIndex++;
        //
        // direction
        //
        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_DIRECTION;
        filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
        filterConditions[conditionIndex].conditionValue.type = FWP_UINT32;
        filterConditions[conditionIndex].conditionValue.uint32 = DIRECTION_ANY;

        conditionIndex++;
        //
        // protocol (FWPM_CONDITION_IP_PROTOCOL is an 8-bit value)
        //
        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
        filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
        filterConditions[conditionIndex].conditionValue.type = FWP_UINT8;
        filterConditions[conditionIndex].conditionValue.uint8 = IPPROTO_TCP;

        conditionIndex++;

        filter.filterCondition = filterConditions;
        filter.numFilterConditions = conditionIndex;

        status = FwpmFilterAdd0(
            gEngineHandle,
            &filter,
            NULL,
            NULL);
    Exit:
        return status;
    }

    Tuesday, March 22, 2011 2:25 PM

All replies

  • You are using a condition that is not supported for the layer you are using (in this case FWPM_LAYER_ALE_AUTH_CONNECT_V4 does not support FWPM_CONDITION_DIRECTION).

    FWPM_LAYER_ALE_AUTH_CONNECT_V{4 / 6} is by definition an OUTBOUND layer.  There are some rare cases (Policy Change Reauthorizations) where you may be indicated an inbound packet, in which case you would check the Metadata (FWPS_METADATA_FIELD_PACKET_DIRECTION).

    Hope this helps,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, March 22, 2011 3:45 PM
    Moderator
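    The mistake the answer points at (a condition the layer does not offer) is one of three distinct defects the engine will reject in the posted condition array; the others are value-type mismatches, and FwpmFilterAdd0 reports only the first one it finds. The following is an added example, not code from the thread or from Microsoft: a pre-flight validator for a condition array against what FWPM_LAYER_ALE_AUTH_CONNECT_V4 accepts. The enums, the struct layout and the rule table are stand-ins for the real FWPM_CONDITION_* GUIDs and FWP_VALUE0 types, restricted to the conditions used in this thread. It rebuilds the poster's six conditions as constructed sample data, shows the DIRECTION condition being rejected, then the IP_PROTOCOL type (UINT16 where the field is UINT8) being caught once DIRECTION is removed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Enum stand-ins for the FWPM_CONDITION_* GUIDs and FWP_DATA_TYPE values that
 * appear in the thread; real code compares GUIDs with IsEqualGUID. */
typedef enum { COND_ALE_APP_ID, COND_IP_REMOTE_ADDRESS, COND_IP_REMOTE_PORT,
               COND_IP_LOCAL_PORT, COND_IP_PROTOCOL, COND_DIRECTION } cond_key;
typedef enum { T_UINT8, T_UINT16, T_UINT32, T_BYTE_BLOB, T_RANGE } value_type;
typedef enum { MATCH_EQUAL, MATCH_RANGE } match_type;

typedef struct { value_type type; uint32_t u; } scalar_value;  /* like FWP_VALUE0 */
typedef struct {
    cond_key     field;   /* fieldKey */
    match_type   match;   /* matchType */
    value_type   type;    /* conditionValue.type */
    scalar_value low;     /* FWP_RANGE0.valueLow,  used when type == T_RANGE */
    scalar_value high;    /* FWP_RANGE0.valueHigh, used when type == T_RANGE */
} condition;

/* Scalar type each field carries at FWPM_LAYER_ALE_AUTH_CONNECT_V4, restricted
 * to the fields the thread uses. COND_DIRECTION is absent on purpose: the
 * layer is outbound by definition and does not offer that condition. */
typedef struct { cond_key field; value_type scalar; } field_rule;
static const field_rule ALE_AUTH_CONNECT_V4_RULES[] = {
    { COND_ALE_APP_ID,        T_BYTE_BLOB },
    { COND_IP_REMOTE_ADDRESS, T_UINT32    },
    { COND_IP_REMOTE_PORT,    T_UINT16    },
    { COND_IP_LOCAL_PORT,     T_UINT16    },
    { COND_IP_PROTOCOL,       T_UINT8     },
};

typedef enum { CHECK_OK, CHECK_UNSUPPORTED_FIELD, CHECK_MATCH_TYPE_MISMATCH,
               CHECK_TYPE_MISMATCH, CHECK_INVALID_RANGE } check_result;

static const field_rule *find_rule(cond_key field) {
    size_t n = sizeof ALE_AUTH_CONNECT_V4_RULES / sizeof ALE_AUTH_CONNECT_V4_RULES[0];
    for (size_t i = 0; i < n; i++)
        if (ALE_AUTH_CONNECT_V4_RULES[i].field == field) return &ALE_AUTH_CONNECT_V4_RULES[i];
    return NULL;
}

/* Validate a condition array before it reaches FwpmFilterAdd0. On failure
 * *bad_index is the offending slot; on success it equals n. */
check_result check_conditions(const condition *conds, size_t n, size_t *bad_index) {
    for (size_t i = 0; i < n; i++) {
        const condition *c = &conds[i];
        const field_rule *r = find_rule(c->field);
        *bad_index = i;
        if (!r) return CHECK_UNSUPPORTED_FIELD;        /* engine: CONDITION_NOT_FOUND */
        if (c->match == MATCH_RANGE) {
            if (c->type != T_RANGE) return CHECK_MATCH_TYPE_MISMATCH;
            if (c->low.type != r->scalar || c->high.type != r->scalar) return CHECK_TYPE_MISMATCH;
            if (c->low.u > c->high.u) return CHECK_INVALID_RANGE;
        } else if (c->type != r->scalar) {
            return CHECK_TYPE_MISMATCH;                /* e.g. IP_PROTOCOL given as UINT16 */
        }
    }
    *bad_index = n;
    return CHECK_OK;
}

static condition range_cond(cond_key f, value_type t, uint32_t lo, uint32_t hi) {
    condition c = { f, MATCH_RANGE, T_RANGE, { t, lo }, { t, hi } };
    return c;
}
static condition equal_cond(cond_key f, value_type t, uint32_t v) {
    condition c = { f, MATCH_EQUAL, t, { t, v }, { t, v } };
    return c;
}

/* Rebuild the six conditions from the question (constructed sample), with
 * knobs for the two defects: the DIRECTION condition and the protocol type. */
size_t thread_conditions(condition *out, bool keep_direction, value_type protocol_type) {
    size_t n = 0;
    out[n++] = equal_cond(COND_ALE_APP_ID, T_BYTE_BLOB, 0);
    out[n++] = range_cond(COND_IP_REMOTE_ADDRESS, T_UINT32, 0, 0xFFFFFFFFu);
    out[n++] = range_cond(COND_IP_REMOTE_PORT, T_UINT16, 0, 65535);
    out[n++] = range_cond(COND_IP_LOCAL_PORT, T_UINT16, 0, 65535);
    if (keep_direction) out[n++] = equal_cond(COND_DIRECTION, T_UINT32, 0);
    out[n++] = equal_cond(COND_IP_PROTOCOL, protocol_type, 6 /* IPPROTO_TCP */);
    return n;
}

int main(void) {
    condition c[6];
    size_t bad, n = thread_conditions(c, true, T_UINT16);
    printf("as posted: result %d at condition %zu\n", (int)check_conditions(c, n, &bad), bad);
    n = thread_conditions(c, false, T_UINT8);
    printf("fixed:     result %d at condition %zu\n", (int)check_conditions(c, n, &bad), bad);
    return 0;
}
```

    Running it as posted reports the DIRECTION condition at index 4; dropping that condition but keeping the UINT16 protocol type reports a type mismatch at index 4 (the protocol condition has moved up); dropping DIRECTION and using UINT8 passes. In a real driver the same check would be a table of GUIDs per layer, consulted before the call so that a bad rule is rejected with a clear message instead of a bare status code.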
  • Thank you Harper! This problem has been solved with your help!

    But I still have a question: could I call FwpmTransactionBegin0 and FwpmFilterAdd0 to add a filter in an IRP device-control routine? If I couldn't, which method could I use to add filters dynamically? Thanks again!

    Wednesday, March 23, 2011 7:08 AM
  • Yes you can.  Note that each Add API is already transactional, so it doesn't make sense to call TransactionBegin and then add a single object.  The purpose of the Transaction APIs was to make multiple Add calls act as a single transaction.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Wednesday, March 23, 2011 3:20 PM
    Moderator
  • Hello Harper, I have tried it in my IRP device-control routine, but it returns error status code c00000bb when calling FwpmFilterAdd0.

    Could you check my code if convenient? Thank you!

    NTSTATUS
    AddFilter2ALE(PRULE_APPLICATION pAppliRule)
    {
        NTSTATUS status = STATUS_SUCCESS;

        FWPM_FILTER0 filter = { 0 };
        FWPM_FILTER_CONDITION0 filterConditions[5] = { 0 };
        FWP_RANGE0 IpRange, RemotePortRange, LocalPortRange;
        FWP_BYTE_BLOB applicationPath;
        UINT conditionIndex;
        BOOLEAN inTransaction = FALSE;

        applicationPath.data = NULL;

        RtlZeroMemory(&filter, sizeof(FWPM_FILTER0));

        filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
        filter.displayData.name = L"ALE Connect Filter Classify";
        filter.displayData.description = L"Filter ALE Connect";

        if (pAppliRule->result == 2) // forbidden
        {
            filter.action.type = FWP_ACTION_BLOCK;
        }
        else // allow
        {
            ASSERT(pAppliRule->result == 1);
            filter.action.type = FWP_ACTION_PERMIT;
        }
        filter.filterCondition = 0; // set below once the conditions are built
        filter.subLayerKey = WFP_FILTER_SUBLAYER;
        filter.weight.type = FWP_EMPTY;
        filter.rawContext = 0;

        conditionIndex = 0;

        status = get_appid_from_k(&applicationPath, pAppliRule->Name, pAppliRule->length);
        if (!NT_SUCCESS(status))
        {
            goto Exit;
        }

        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_ALE_APP_ID;
        filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
        filterConditions[conditionIndex].conditionValue.type = FWP_BYTE_BLOB_TYPE;
        filterConditions[conditionIndex].conditionValue.byteBlob = &applicationPath;

        conditionIndex++;
        //
        // remote IP range
        //
        IpRange.valueHigh.type = FWP_UINT32;
        IpRange.valueHigh.uint32 = pAppliRule->RemoteAddress2;
        IpRange.valueLow.type = FWP_UINT32;
        IpRange.valueLow.uint32 = pAppliRule->RemoteAddress1;
        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;
        filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
        filterConditions[conditionIndex].conditionValue.rangeValue = &IpRange;

        conditionIndex++;
        //
        // remote port range
        //
        RemotePortRange.valueHigh.type = FWP_UINT16;
        RemotePortRange.valueHigh.uint16 = pAppliRule->RemotePort2;
        RemotePortRange.valueLow.type = FWP_UINT16;
        RemotePortRange.valueLow.uint16 = pAppliRule->RemotePort1;

        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;
        filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
        filterConditions[conditionIndex].conditionValue.rangeValue = &RemotePortRange;

        conditionIndex++;
        //
        // local port range
        //
        LocalPortRange.valueHigh.type = FWP_UINT16;
        LocalPortRange.valueHigh.uint16 = pAppliRule->LocalPort2;
        LocalPortRange.valueLow.type = FWP_UINT16;
        LocalPortRange.valueLow.uint16 = pAppliRule->LocalPort1;

        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;
        filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
        filterConditions[conditionIndex].conditionValue.rangeValue = &LocalPortRange;
        conditionIndex++;

    #define PROTOCOL_ALL 0
        if (pAppliRule->protocol != PROTOCOL_ALL)
        {
            //
            // protocol rule: FWPM_CONDITION_IP_PROTOCOL is an 8-bit value
            //
            filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
            filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
            filterConditions[conditionIndex].conditionValue.type = FWP_UINT8;

            if (pAppliRule->protocol == IPPROTO_TCP)
            {
                filterConditions[conditionIndex].conditionValue.uint8 = IPPROTO_TCP;
            }
            else
            {
                filterConditions[conditionIndex].conditionValue.uint8 = IPPROTO_UDP;
            }
            // only count the slot when it was actually filled in; an empty
            // (zeroed) condition would itself be rejected by the engine
            conditionIndex++;
        }

        filter.numFilterConditions = conditionIndex;
        filter.filterCondition = filterConditions;

        //
        // a single FwpmFilterAdd0 is already transactional on its own; the
        // explicit transaction is kept here so that the Abort on the failure
        // path below has something to abort
        //
        status = FwpmTransactionBegin0(gEngineHandle, 0);
        if (!NT_SUCCESS(status))
        {
            FirewallPrint(ERR, "FwpmTransactionBegin0 failed");
            goto Exit;
        }
        inTransaction = TRUE;

        status = FwpmFilterAdd0(
            gEngineHandle,
            &filter,
            NULL,
            &pAppliRule->filterid);
        if (!NT_SUCCESS(status))
        {
            FirewallPrint(ERR, "FwpmFilterAdd0 failed");
            goto Exit;
        }

        status = FwpmTransactionCommit0(gEngineHandle);
        if (!NT_SUCCESS(status))
        {
            FirewallPrint(ERR, "FwpmTransaction Commit failed");
            goto Exit;
        }
        inTransaction = FALSE;
    Exit:
        if (!NT_SUCCESS(status) && inTransaction)
        {
            FwpmTransactionAbort0(gEngineHandle);
        }
        if (applicationPath.data != NULL)
        {
            ExFreePoolWithTag(applicationPath.data, MY_TAG);
        }

        return status;
    }

    Friday, March 25, 2011 2:48 PM
  • If you are at DISPATCH, then you would need to kick off a worker thread to do it as this is only available in PASSIVE_LEVEL

    _IRQL_requires_max_(PASSIVE_LEVEL)
    NTSTATUS
    NTAPI
    FwpmFilterAdd0(
       _In_ HANDLE engineHandle,
       _In_ const FWPM_FILTER0* filter,
       _In_opt_ PSECURITY_DESCRIPTOR sd,
       _Out_opt_ UINT64* id
       );

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Friday, March 25, 2011 6:39 PM
    Moderator
  • Hi

    I have a similar error... on FwpmFilterAdd0.

    My error codes are 5 (as user) and -2144206841 (cmd shell run as Administrator).

    I am using VS2008, SDK 7 on Windows 7 Home Premium, and the filter add routine is taken from the MSDN example for the function call.

    Could you please help ?

    Friday, July 12, 2013 1:43 AM
  • Any luck ?

    Sunday, November 10, 2013 5:39 PM
  • Convert the error to hex, and it's 80320007. This is FWP_E_SUBLAYER_NOT_FOUND.  You need to add the sublayer before you can add another object that references it.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------


    Sunday, November 10, 2013 11:13 PM
    Moderator
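    Every error in this thread is the same family of code printed three different ways: a kernel NTSTATUS (c0220002, c00000bb), a user-mode HRESULT printed as a signed decimal (-2144206841) and a plain Win32 code (5). The following is an added example, not code from the thread or from the SDK, that does the conversion the last answer describes: normalise the printed value to 32 bits, classify it by facility, and name it. The facility prefixes (0x8032 for FWP_E_*, 0xC022 for STATUS_FWP_*, sharing the same low 16 bits) and the code values are the ones defined in the Windows SDK headers; only the codes that occur on this page are in the lookup, everything else falls through to a generic description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Facility prefixes from the Windows SDK: user-mode FwpmFilterAdd0 returns
 * FWP_E_* HRESULTs (0x8032xxxx, FACILITY_FWP = 0x32); the kernel export
 * returns STATUS_FWP_* NTSTATUS values (0xC022xxxx, facility 0x22). The low
 * 16 bits identify the same condition in both forms. */
#define FWP_HRESULT_PREFIX  0x80320000u
#define FWP_NTSTATUS_PREFIX 0xC0220000u

/* Non-WFP codes seen in the thread. */
#define ERROR_ACCESS_DENIED  5u           /* Win32, returned to a non-elevated caller */
#define STATUS_NOT_SUPPORTED 0xC00000BBu  /* NTSTATUS, seen from the DISPATCH-level call */

typedef enum { KIND_WIN32, KIND_FWP_HRESULT, KIND_FWP_NTSTATUS, KIND_OTHER } code_kind;

/* Step one of the last answer: take whatever was printed (a signed decimal,
 * a DWORD, an NTSTATUS) and recover the raw 32-bit value. */
uint32_t printed_to_u32(long long printed) {
    return (uint32_t)(printed & 0xFFFFFFFFll);
}

code_kind classify_code(uint32_t code) {
    if ((code & 0xFFFF0000u) == FWP_HRESULT_PREFIX)  return KIND_FWP_HRESULT;
    if ((code & 0xFFFF0000u) == FWP_NTSTATUS_PREFIX) return KIND_FWP_NTSTATUS;
    if (code < 0x10000u)                             return KIND_WIN32;
    return KIND_OTHER;
}

/* Fold the kernel form onto the user-mode form so one table serves both. */
uint32_t fwp_to_hresult(uint32_t code) {
    return classify_code(code) == KIND_FWP_NTSTATUS
        ? (FWP_HRESULT_PREFIX | (code & 0xFFFFu)) : code;
}

const char *describe_code(long long printed) {
    uint32_t code = printed_to_u32(printed);
    switch (classify_code(code)) {
    case KIND_WIN32:
        return code == ERROR_ACCESS_DENIED ? "ERROR_ACCESS_DENIED"
                                           : "Win32 error (see winerror.h)";
    case KIND_FWP_HRESULT:
    case KIND_FWP_NTSTATUS: {
        int kernel = classify_code(code) == KIND_FWP_NTSTATUS;
        switch (code & 0xFFFFu) {
        case 0x0002: return kernel ? "STATUS_FWP_CONDITION_NOT_FOUND" : "FWP_E_CONDITION_NOT_FOUND";
        case 0x0007: return kernel ? "STATUS_FWP_SUBLAYER_NOT_FOUND"  : "FWP_E_SUBLAYER_NOT_FOUND";
        default:     return kernel ? "STATUS_FWP_* (see ntstatus.h)"  : "FWP_E_* (see winerror.h)";
        }
    }
    default:
        return code == STATUS_NOT_SUPPORTED ? "STATUS_NOT_SUPPORTED"
                                            : "non-WFP NTSTATUS/HRESULT";
    }
}

int main(void) {
    /* the four values as they were printed in this thread */
    const long long seen[] = { 0xC0220002LL, 0xC00000BBLL, 5LL, -2144206841LL };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%lld -> 0x%08X -> %s\n", seen[i], printed_to_u32(seen[i]), describe_code(seen[i]));
    return 0;
}
```

    The negative decimal comes from storing the DWORD that user-mode FwpmFilterAdd0 returns in a signed int; masking to 32 bits recovers 0x80320007. The 5 with a non-elevated caller is consistent with the engine's access check, which is why the same routine "works" only from an elevated shell.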