locked
Question with stream layer callout for incoming traffic directed to port 139 RRS feed

  • Question

  • Hi,

    I posted the following question in my previous thread without creating a new post but I have not got any feedback probably because my first question was answered in that post. So let me post the question again and I hope that is okay with all.

    My main question right now is to find out why filter does not work with stream layer. As a background, I am trying to create a callout for incoming traffic directed to port 139. To this end, I have created two callouts using the same filter and the thing is that my callout at Transport layer is called correctly and I can print out IP addresses and Port number without any problem.
    However, for my stream layer callout, it is never called. So I searched through the forum and I found the following post.


    According to this post, there was a bug with stream layer callout when it tries to filter the traffice directed to port 139.

    So I would like to know whether my code has bugs which is the case most of the time ;-) or it is a bug with WFP and I need a fix for it.

    Following is my code for filters and I pretty much took the sample code from stream editor. Thank you.


    Code Snippet

    NTSTATUS
    RegisterCalloutForLayer(
       IN const GUID* layerKey,
       IN const GUID* calloutKey,
       IN void* deviceObject,
       IN int layer_mode,
       OUT UINT32* calloutId
       )
    {
       NTSTATUS status = STATUS_SUCCESS;

       FWPS_CALLOUT0 sCallout = {0};

       FWPM_FILTER0 filter = {0};
       FWPM_FILTER_CONDITION0 filterConditions[1] = {0};

       FWPM_CALLOUT0 mCallout = {0};
       FWPM_DISPLAY_DATA0 displayData = {0};

       BOOLEAN calloutRegistered = FALSE;

       sCallout.calloutKey = *calloutKey;
       if (layer_mode == __stream) {
          sCallout.classifyFn = SMBInlineEditStreamClassify;
       } else  {
          sCallout.classifyFn = SMBInlineEditTrasnportClassify;
       }
       sCallout.notifyFn = SMBNotify;

       status = FwpsCalloutRegister0(
                   deviceObject,
                   &sCallout,
                   calloutId
                   );
       if (!NT_SUCCESS(status))
       {
          goto Exit;
       }
       calloutRegistered = TRUE;

       displayData.name = L"SMB Callout";
       displayData.description = L"Callout that finds and replaces a token from a TCP stream";

       mCallout.calloutKey = *calloutKey;
       mCallout.displayData = displayData;
       mCallout.applicableLayer = FWPM_LAYER_STREAM_V4;
       status = FwpmCalloutAdd0(
                   gEngineHandle,
                   &mCallout,
                   NULL,
                   NULL
                   );

       if (!NT_SUCCESS(status))
       {
          goto Exit;
       }

       filter.layerKey = FWPM_LAYER_STREAM_V4;
       filter.displayData.name = L"SMB Filter";
       filter.displayData.description = L"Filter that finds and replaces a token from a TCP stream";

       filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
       filter.action.calloutKey = TCP_SMB_CALLOUT_V4;
       filter.filterCondition = filterConditions;
       filter.numFilterConditions = 1;
       filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
       filter.weight.type = FWP_EMPTY; // auto-weight.

       filterConditions[0].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
       filterConditions[0].matchType = FWP_MATCH_EQUAL;
       filterConditions[0].conditionValue.type = FWP_UINT16;
       filterConditions[0].conditionValue.uint16 = 139;

       status = FwpmFilterAdd0(gEngineHandle, &filter, NULL, NULL);

       if (!NT_SUCCESS(status))
       {
    goto Exit;
    }
    DbgPrint("Filter registration done \r\n");

    Exit:
                   
       if (!NT_SUCCESS(status))
       {
          if (inTransaction)
          {
             FwpmTransactionAbort0(gEngineHandle);
          }
          if (engineOpened)
          {
             FwpmEngineClose0(gEngineHandle);
             gEngineHandle = NULL;
          }
       }
          
       return status;
    }




    Lastly, I have one more question. I noticed that my callout does not get called again once I load/unload my driver and load it again after I make some changes. 
    I can see that my driver is being loaded but callout is not called any more and I suspect that it might have to do with filter that was registered before was not cleared up.
    Does anyone know what causes this misbehavior? Like I said, I am using stream editor as my template and I have not made any changes to driver load/unload routine so it should be fine. Please let me know how to fix this problem. Thank you again.

    Ilho

    Wednesday, September 24, 2008 2:28 PM

Answers

  • I am still not sure for my initial question but I have found out that I only need to concern traffic directed to port 445 and my callout is called with that traffic. So things are fine with me for the time being. (I have other things to worry as I move on)  :-)
    Thank you all and I will probably ask more questions soon.

    Ilho
    Tuesday, September 30, 2008 7:21 PM