Callout is not blocking my traffic

  • Question

  • Hi,

    I have a question.

    I register a callout in a WFP filter driver.

    At FWPM_LAYER_ALE_AUTH_CONNECT_V4 I register the callout ALEConnectClassify.

    In ALEConnectClassify I want to block a packet by some firewall rules.

    void ALEConnectClassify(
       IN const FWPS_INCOMING_VALUES0* inFixedValues,
       IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
       IN OUT void* layerData,
       IN const FWPS_FILTER0* filter,
       IN UINT64 flowContext,
       OUT FWPS_CLASSIFY_OUT0* classifyOut
       )
    {
        // matchrules() is the poster's own rule check (not shown in the post).
        if (matchrules(inMetaValues))
        {
            // Block, and clear the write right so the decision is final.
            classifyOut->actionType = FWP_ACTION_BLOCK;
            classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        }
        else
        {
            classifyOut->actionType = FWP_ACTION_PERMIT;
        }

        return;
    }

    If the rule is remote port == 80, I will block the web packet,

    but it does not block the web packet.

    Please help. I do not use a filter condition.

    Thursday, July 26, 2012 3:01 AM

All replies

  • What does matchrules() do?  There is nothing in your callout which could determine which port you are blocking (this info is in inFixedValues and the layerData).

    Once I know what matchrules() does, I can assist you further.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Thursday, July 26, 2012 3:55 AM
    Moderator
  • matchrules(inMetaValues): the rule is IP and port, including in or out.
    Friday, July 27, 2012 7:19 AM
  • This information is not in the metadata though.  It's in the inFixedValues.

    This is the logic you should focus on to fix your issue.  Essentially matchrules() is returning FALSE, so you are permitting the traffic.

    If you are looking for the port match, then you should look at inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT].value.uint16

    If you need to see if the address matches, you'd look at inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS].value.uint32

     

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Friday, July 27, 2012 3:15 PM
    Moderator
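
The fix described in the replies, as an added example that is not code from the thread or from Microsoft: matchrules() takes inFixedValues and reads the remote port and address from it. The stand-in type definitions and their numeric values, the RULE table, classify_for() and the check of FWPS_RIGHT_ACTION_WRITE before writing are assumptions made so the logic builds outside the WDK.

```c
/* Stand-ins for the fwpsk.h members used here (placeholder values); in a driver include fwpsk.h. */
#include <stddef.h>
#include <stdint.h>
typedef struct { union { uint16_t uint16; uint32_t uint32; }; } FWP_VALUE0;
typedef struct { FWP_VALUE0 value; } FWPS_INCOMING_VALUE0;
typedef struct { FWPS_INCOMING_VALUE0 *incomingValue; } FWPS_INCOMING_VALUES0;
typedef struct { uint32_t actionType; uint32_t rights; } FWPS_CLASSIFY_OUT0;
enum { FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS,
       FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT, FIELD_COUNT };
enum { FWP_ACTION_BLOCK = 1, FWP_ACTION_PERMIT = 2 };
#define FWPS_RIGHT_ACTION_WRITE 0x1u
/* Hypothetical rule format: 0 in a field means "any". */
typedef struct { uint32_t remoteAddr; uint16_t remotePort; } RULE;
static const RULE g_rules[] = { { 0, 80 } };   /* constructed: any host, port 80 */

/* The thread's fix: match on the fixed values, not on the metadata. */
static int matchrules(const FWPS_INCOMING_VALUES0 *inFixedValues) {
    const FWPS_INCOMING_VALUE0 *v = inFixedValues->incomingValue;
    uint16_t port = v[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT].value.uint16;
    uint32_t addr = v[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS].value.uint32;
    for (size_t i = 0; i < sizeof g_rules / sizeof g_rules[0]; i++)
        if ((g_rules[i].remotePort == 0 || g_rules[i].remotePort == port) &&
            (g_rules[i].remoteAddr == 0 || g_rules[i].remoteAddr == addr))
            return 1;
    return 0;
}

static void ALEConnectClassify(const FWPS_INCOMING_VALUES0 *inFixedValues,
                               FWPS_CLASSIFY_OUT0 *classifyOut) {
    if (!(classifyOut->rights & FWPS_RIGHT_ACTION_WRITE))
        return;                          /* write right is cleared: leave the action */
    if (matchrules(inFixedValues)) {
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;   /* make the block final */
    } else {
        classifyOut->actionType = FWP_ACTION_PERMIT;
    }
}

/* Classify one constructed connection and return the resulting action. */
uint32_t classify_for(uint32_t addr, uint16_t port, uint32_t rights) {
    FWPS_INCOMING_VALUE0 vals[FIELD_COUNT];
    vals[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS].value.uint32 = addr;
    vals[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT].value.uint16 = port;
    FWPS_INCOMING_VALUES0 fixed = { vals };
    FWPS_CLASSIFY_OUT0 out = { 0, rights };
    ALEConnectClassify(&fixed, &out);
    return out.actionType;
}
int main(void) { return classify_for(0xC0A80001u, 80, FWPS_RIGHT_ACTION_WRITE) != FWP_ACTION_BLOCK; }
```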