How to delete an entity (a filter) from the Base Filtering Engine

  • Question

  • Hello,

    I want to ask how to delete an individual filter from the Base Filtering Engine after I have retrieved the filters.

    Next Question : 

    How does FWPM_FILTER0*** work? I mean, the enum function requires an argument of type FWPM_FILTER0***; how does that work?


    RBN

    Tuesday, September 25, 2012 7:03 AM

Answers

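  • To delete a filter you can use either FwpmFilterDeleteById or FwpmFilterDeleteByKey. FwpmFilterDeleteById takes the runtime ID that FwpmFilterAdd returns (the same value as the filterId field of an enumerated filter); FwpmFilterDeleteByKey takes the filter's GUID key. The following code demonstrates FwpmFilterDeleteById: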

    #include <windows.h> /// Include\UM
    #include <stdio.h>  /// Inc\CRT
    #include <wchar.h>  /// Inc\CRT
    #include <fwpmu.h>  /// Include\UM
    /*
     * Keys identifying the demo provider and sublayer registered with the
     * filtering engine. Both are hand-written, readable values: the Data4
     * bytes are the ASCII text "Provider" and "Sublayer" respectively.
     * NOTE(review): fine for a sample; code that ships should use its own
     * freshly generated GUIDs so its objects cannot collide with, or be
     * mistaken for, another product's.
     */

    /* 746E6F43-736F-5F6F-5072-6F7669646572 */
    static const GUID CONTOSO_PROVIDER =
      { 0x746E6F43, 0x736F, 0x5F6F,
        { 0x50, 0x72, 0x6F, 0x76, 0x69, 0x64, 0x65, 0x72 } };

    /* 746E6F43-736F-5F6F-5375-626C61796572 */
    static const GUID CONTOSO_SUBLAYER =
      { 0x746E6F43, 0x736F, 0x5F6F,
        { 0x53, 0x75, 0x62, 0x6C, 0x61, 0x79, 0x65, 0x72 } };
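    /**
     * Adds a provider, a sublayer and one blocking filter to the filtering
     * engine inside a single transaction, waits for a key press, then removes
     * the three objects again (the filter via FwpmFilterDeleteById).
     *
     * The filter blocks at FWPM_LAYER_ALE_AUTH_CONNECT_V4 when the remote port
     * equals 80.
     *
     * Operational notes:
     *  - The engine session is opened with no FWPM_SESSION argument, so it is
     *    not a dynamic session. If the process is killed between the commit and
     *    the cleanup calls, the blocking filter is not removed by this program.
     *    Opening the engine with a session whose flags include
     *    FWPM_SESSION_FLAG_DYNAMIC makes the engine delete the session's
     *    objects when the session ends.
     *  - NOTE(review): modifying engine state normally needs an elevated
     *    process; confirm for the target environment.
     *
     * @param argumentCount  unused
     * @param pArguments     unused
     * @return NO_ERROR on success, otherwise the status of the first failing
     *         engine call (including a failed cleanup call).
     */
    int __cdecl wmain(__in const int argumentCount,
             __in_ecount(argumentCount) PCWSTR pArguments[])
    {
      UINT32 status        = NO_ERROR;
      UINT32 cleanupStatus = NO_ERROR;
      HANDLE engineHandle  = 0;
      UNREFERENCED_PARAMETER(argumentCount);
      UNREFERENCED_PARAMETER(pArguments);
      status = FwpmEngineOpen(0,
                  RPC_C_AUTHN_WINNT,
                  0,
                  0,
                  &engineHandle);
      if(status == NO_ERROR && engineHandle)
      {
       /* All locals are declared before the first goto so that no jump
          skips an initialisation. */
       FWPM_PROVIDER     provider    = {0};
       FWPM_SUBLAYER     subLayer    = {0};
       FWPM_FILTER_CONDITION filterCondition = {0};
       FWPM_FILTER      filter     = {0};
       provider.providerKey   = CONTOSO_PROVIDER;
       provider.displayData.name = L"Contoso";
       subLayer.subLayerKey   = CONTOSO_SUBLAYER;
       subLayer.displayData.name = L"Contoso's sublayer";
       subLayer.providerKey   = &(provider.providerKey);
       subLayer.weight      = 0x7FFF;
       filterCondition.fieldKey       = FWPM_CONDITION_IP_REMOTE_PORT;
       filterCondition.matchType       = FWP_MATCH_EQUAL;
       filterCondition.conditionValue.type  = FWP_UINT16;
       filterCondition.conditionValue.uint16 = 80;
       /* NOTE(review): filter.subLayerKey is left zeroed, so the filter is
          not placed in CONTOSO_SUBLAYER even though that sublayer is
          created below; set filter.subLayerKey if that was the intent. */
       filter.displayData.name  = L"Blocks connect attempts to IPv4 Port 80";
       filter.providerKey     = &(provider.providerKey);
       filter.layerKey      = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
       filter.numFilterConditions = 1;
       filter.filterCondition   = &filterCondition;
       filter.action.type     = FWP_ACTION_BLOCK;
       status = FwpmTransactionBegin(engineHandle,
                      0);
       if(status != NO_ERROR)
       {
         /* No transaction was started, so there is nothing to abort. */
         wprintf(L"FwpmTransactionBegin() [status: %#x]",
             status);
         goto CLOSE;
       }
       status = FwpmProviderAdd(engineHandle,
                    &provider,
                    0);
       if(status != NO_ERROR)
       {
         wprintf(L"FwpmProviderAdd() [status: %#x]",
             status);
         goto ABORT;
       }
       status = FwpmSubLayerAdd(engineHandle,
                    &subLayer,
                    0);
       if(status != NO_ERROR)
       {
         wprintf(L"FwpmSubLayerAdd() [status: %#x]",
             status);
         goto ABORT;
       }
       /* The engine writes the runtime ID of the new filter into
          filter.filterId; that ID is what FwpmFilterDeleteById needs. */
       status = FwpmFilterAdd(engineHandle,
                   &filter,
                   0,
                   &(filter.filterId));
       if(status != NO_ERROR)
       {
         wprintf(L"FwpmFilterAdd() [status: %#x]",
             status);
         goto ABORT;
       }
       status = FwpmTransactionCommit(engineHandle);
       if(status != NO_ERROR)
       {
         wprintf(L"FwpmTransactionCommit() [status: %#x]",
             status);
         goto ABORT;
       }
       /* The filter is live from here until the deletes below run. */
       wprintf(L"Hit Any Key To Exit");
       _getwch();
       /* Remove the objects in reverse order of creation. Failures are
          reported rather than ignored: a filter that could not be deleted
          keeps blocking traffic after the program exits. */
       cleanupStatus = FwpmFilterDeleteById(engineHandle,
                          filter.filterId);
       if(cleanupStatus != NO_ERROR)
       {
         wprintf(L"FwpmFilterDeleteById() [status: %#x]\n",
             cleanupStatus);
         status = cleanupStatus;
       }
       cleanupStatus = FwpmSubLayerDeleteByKey(engineHandle,
                           &(subLayer.subLayerKey));
       if(cleanupStatus != NO_ERROR)
       {
         wprintf(L"FwpmSubLayerDeleteByKey() [status: %#x]\n",
             cleanupStatus);
         if(status == NO_ERROR)
           status = cleanupStatus;
       }
       cleanupStatus = FwpmProviderDeleteByKey(engineHandle,
                           &(provider.providerKey));
       if(cleanupStatus != NO_ERROR)
       {
         wprintf(L"FwpmProviderDeleteByKey() [status: %#x]\n",
             cleanupStatus);
         if(status == NO_ERROR)
           status = cleanupStatus;
       }
       goto CLOSE;
       ABORT:
       /* Roll back whatever the transaction added. NOTE(review): this is
          also reached after a failed commit; confirm whether the engine has
          already ended the transaction in that case. */
       FwpmTransactionAbort(engineHandle);
       CLOSE:
       FwpmEngineClose(engineHandle);
      }
      else
       wprintf(L"FwpmEngineOpen() [status: %#x]",
           status);
      return status;
    }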

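    The following code demonstrates the use of the triple pointer (FWPM_FILTER***). You pass the address (*) of a FWPM_FILTER** variable; the engine points it at an array (*) that it allocates, and each element of that array is a pointer (*) to a FWPM_FILTER. Release the array with FwpmFreeMemory when you are done.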

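      /*
       * Enumerates every filter currently in the engine and prints its
       * runtime ID.
       *
       * FwpmFilterEnum receives the address of a FWPM_FILTER** variable
       * (hence FWPM_FILTER***) and fills it with an engine-allocated array of
       * FWPM_FILTER pointers; the caller releases it with FwpmFreeMemory.
       *
       * The printed filterId is the value FwpmFilterDeleteById expects. The
       * enumeration is a snapshot, so a filter may already be gone when a
       * later delete is attempted; check the delete's return status.
       * NOTE(review): the snapshot contains every provider's filters, not
       * only your own. Compare providerKey (or another field you control)
       * before deleting, so that filters installed by the firewall or other
       * security software are left in place.
       */
      UINT32 status       = NO_ERROR;
      HANDLE engineHandle = 0;
      status = FwpmEngineOpen(0,
                  RPC_C_AUTHN_WINNT,
                  0,
                  0,
                  &engineHandle);
      if(status == NO_ERROR && engineHandle)
      {
          HANDLE        enumHandle = 0;
          UINT32        numEntries = 0;
          FWPM_FILTER** ppFilters  = 0;
          /// take a snapshot of the current filters
          status = FwpmFilterCreateEnumHandle(engineHandle,
                                              0,
                                              &enumHandle);
          if(status != NO_ERROR)
          {
             /// HANDLE ERROR
             goto EXIT;
          }
          /// enumerate all filters (0xFFFFFFFF = no cap on the entry count)
          status = FwpmFilterEnum(engineHandle,
                                  enumHandle,
                                  0xFFFFFFFF,
                                  &ppFilters,
                                  &numEntries);
          if(status != NO_ERROR)
          {
             /// HANDLE ERROR
             goto EXIT;
          }
          for(UINT32 index = 0;
              index < numEntries;
              index++)
          {
             /// filterId is a 64-bit value, so it needs a 64-bit conversion
             wprintf(L"filter %u : ID %#llx\n",
                     index,
                     ppFilters[index]->filterId);
          }
          EXIT:
          /// release the engine-allocated array, then the enum handle
          if(ppFilters)
             FwpmFreeMemory((VOID**)&ppFilters);
          if(enumHandle)
          {
             FwpmFilterDestroyEnumHandle(engineHandle,
                                         enumHandle);
             enumHandle = 0;
          }
          /// close the session opened above so the handle is not leaked
          FwpmEngineClose(engineHandle);
          engineHandle = 0;
      }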
    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------



    Tuesday, September 25, 2012 10:12 PM
    Moderator