FwpsStreamInjectAsync0 fails after receiving TCP FIN RRS feed

  • Question

  • Hi,

     I'm writing a WFP driver that will  route all TCP traffic through a user app which inspects and/or modifies the data. So I added a filter to the stream layer with flag FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW.

    As a first step, I'm just cloning the stream data every time my classifyFn is called, block the original data by returning FWP_ACTION_BLOCK and then I inject the cloned data back from within a worker thread.

     Everything works fine except of one little thing:

    I'm testing my driver in Windows 7 by using Chrome as a browser. The packets are blocked and reinjected later successfully. But there seems to be a problem when I receive a TCP FIN and there exist some packets that belong to the flow and have not been reinjected yet.  

    When I receive a TCP FIN my callout blocks it and force the reinjection of any  remaining packet  to the flow but FwpsStreamInjectAsync0 fails with error code STATUS_NOT_FOUND (0xc0000225).

    After checking thoroughly my logs I have realized that flowDeleteFn is called despite of blocking TCP FIN, so any later reinjection will fail. What could be the reason for this strange effect? Is there any  work around?

    Thanks for your answer.

    Tuesday, September 27, 2011 12:19 PM

All replies

  • I am having this exact problem. Is there any resolution?



    Joe Field

    Friday, March 14, 2014 3:21 PM
  • You need to pend at FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V{4|6}. Doing so will keep the endpoint from "disappearing" on you while you finish injecting. Once all the data is injected, complete the pend.


    Hope this helps

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Tuesday, March 18, 2014 9:43 PM