What's the difference between "Veto" and "Hard Block"?

All replies

  • A Hard action is when the callout sets the action and removes the FWPS_RIGHT_ACTION_WRITE flag.

    A Veto is when a callout overwrites the action of a previous callout that has performed a "Hard" action (removed the FWPS_RIGHT_ACTION_WRITE flag).

    Your sample would be a Hard BLOCK (you overrode a soft permit and by removing the FWPS_RIGHT_ACTION_WRITE flag, you made your BLOCK Hard).

    I'd suggest for compatibility reasons using "classifyOut->rights ^= FWPS_RIGHT_ACTION_WRITE;". This will help future-proof your code should more rights become available.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, January 15, 2013 8:12 PM
    Moderator
  • Thanks, Dusty. Your explanation is clear, and your suggestion is helpful.

    Still another question:

    Are the following statements correct?

    1, A "Veto" MUST be a "Hard Block".

    2, A "Hard Block" MAY NOT be a "Veto".




    • Edited by xmllmx Wednesday, January 16, 2013 4:38 AM
    Wednesday, January 16, 2013 4:21 AM
  • 1) Ideally, yes. Once the RIGHT_ACTION_WRITE has been removed and the callout returns, no one should set it again. Being that this is kernel code, this is not enforced to my knowledge, but highly frowned upon (and a good candidate for a WHCK validation test).

    2) Ideally all BLOCK Vetoes are Hard BLOCKS.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, January 16, 2013 4:55 AM
    Moderator
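
The definitions in the two replies above, as an added example that is not part of the original thread or Microsoft's code: a user-space C model that snapshots `classifyOut` around each callout and labels the step soft, hard, veto, or write right restored. The enums, `audit_step` and `run` are hypothetical names, and the flag is defined locally with an assumed value so the file builds without the WDK.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model, not driver code. The flag name is the WDK's; it is
   defined locally (assumed value) so this builds without the WDK. */
#define FWPS_RIGHT_ACTION_WRITE 0x00000001u
enum action { ACT_NONE, ACT_PERMIT, ACT_BLOCK };      /* model values */
enum mode { KEEP_RIGHT, CLEAR_RIGHT, TOGGLE_RIGHT };  /* how a model callout treats the flag */
enum verdict { NO_CHANGE, SOFT, HARD, VETO, RIGHT_RESTORED };
struct classify_out { enum action action; uint32_t rights; };

/* Classify what one callout did, from snapshots taken around its call. */
enum verdict audit_step(struct classify_out before, struct classify_out after)
{
    int had = (before.rights & FWPS_RIGHT_ACTION_WRITE) != 0;
    int has = (after.rights & FWPS_RIGHT_ACTION_WRITE) != 0;
    if (!had && has) return RIGHT_RESTORED;           /* flag set again after a hard action */
    if (!had) return after.action != before.action ? VETO : NO_CHANGE;
    if (!has) return HARD;                            /* this callout removed the right */
    return after.action != before.action ? SOFT : NO_CHANGE;
}

/* Model callout: write the action, treat the flag per 'm', return the verdict. */
enum verdict run(struct classify_out *co, enum action a, enum mode m)
{
    struct classify_out before = *co;
    co->action = a;
    if (m == CLEAR_RIGHT)  co->rights &= ~FWPS_RIGHT_ACTION_WRITE; /* clears in any state */
    if (m == TOGGLE_RIGHT) co->rights ^= FWPS_RIGHT_ACTION_WRITE;  /* clears only if set */
    return audit_step(before, *co);
}

int main(void)
{
    static const char *name[] = { "no change", "soft", "hard", "veto", "right restored" };
    struct classify_out a = { ACT_NONE, FWPS_RIGHT_ACTION_WRITE };
    printf("soft permit      -> %s\n", name[run(&a, ACT_PERMIT, KEEP_RIGHT)]);
    printf("block, clear     -> %s\n", name[run(&a, ACT_BLOCK, CLEAR_RIGHT)]);
    printf("block, ^= again  -> %s\n", name[run(&a, ACT_BLOCK, TOGGLE_RIGHT)]);
    struct classify_out b = { ACT_NONE, FWPS_RIGHT_ACTION_WRITE };
    printf("hard permit      -> %s\n", name[run(&b, ACT_PERMIT, CLEAR_RIGHT)]);
    printf("block over it    -> %s\n", name[run(&b, ACT_BLOCK, CLEAR_RIGHT)]);
    return 0;
}
```

The second chain ends in a veto whose write right is still cleared, which is the "BLOCK veto is a hard BLOCK" case from the last reply.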