WFPSampler: BASIC_PACKET_INJECTION not working with TCP

Answers

  • OK, that makes sense.  Yes, injection would not work in that scenario.  I'll add special case logic for a future drop.  Just to reiterate though, TCP injection does work, provided you are at a layer where the NBL is indicated (i.e. FWPM_LAYER_INBOUND_TRANSPORT_V4...)

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, August 7, 2012 4:57 PM
    Moderator

All replies

  • TCP is supported in BASIC_PACKET_INJECTION.  I have discovered an issue in the presence of offload.  Please describe the scenario in more detail (which layer you are using with TCP) and try disabling any offloads the NIC provides.  I'll investigate the issue once I hear back with more details on your setup.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, August 6, 2012 5:32 PM
    Moderator
  • Sorry, I should clarify the scenario:

    WFPSampler -s BASIC_PACKET_INJECTION -l FWPM_LAYER_ALE_AUTH_CONNECT_V4 -v

    For TCP, ClassifyBasicPacketInjection is called with pNetBufferList = NULL, and then the classify is blocked.

    Maybe it should change NT_ASSERT(pNetBufferList) to something like:
    if ( pNetBufferList == NULL )
    {
        if(pClassifyOut->rights & FWPS_RIGHT_ACTION_WRITE)
            pClassifyOut->actionType = FWP_ACTION_PERMIT;
        return;
    }

    Tuesday, August 7, 2012 8:37 AM