FWPM_LAYER_INBOUND_IPPACKET_V4 and the loopback adapter RRS feed

  • Question

  • Hello,

    I have ran into a problem with a callout driver that is inspecting packets at FWPM_LAYER_INBOUND_IPPACKET_V4 with a filter set up having no conditions (so as to act as a "catch all incoming IPv4 packets" filter).

    All network packets are caught by the filter as expected, however loopback packets are also caught and this was unexpected. For example, if I ping on a machine with my callout driver installed and running, my classifyFn receives the ping request.

    Question 1: Is this behavior expected? I always assumed that only packets from the network would be received by this filter and not packets to the loopback adapter (generated on the same machine).

    Question 2: In the case Q1 results as this being expected behaviour, is there a way to inject the "loopback" packet that is accepted by the system?

    When received, the loopback packet has an IP header checksum of 0. Injecting the packet with this checksum results in NBL->Status being set to STATUS_DATA_NOT_ACCEPTED in completioncompletionFn.

    Calculating the checksum of the packet and injecting this packet causes NBL->Status to also be set to STATUS_DATA_NOT_ACCEPTED in completionFn.

    In both of the above cases FwpsInjectNetworkReceiveAsync0 returns STATUS_SUCCESS.

    I would like to avoid the requiring a filter on specific adapters in order to reduce the amount of configuration required; my goal is to capture all incoming packets on all network adapters but such loopback packet behaviour is causing certain third party applications not to work because they need to make a connection to the adapter (the reason for this is obscure to me).

    Monday, June 4, 2012 11:42 AM


  • Yes this is expected.  You can modify your filter with a condition like the following:
       fieldKey = FWPM_CONDITION_FLAGS
       matchType = FWP_MATCH_FLAGS_NONE_SET
       value.type = FWP_UINT32
       value.uint32 = FWP_CONDITION_FLAG_IS_LOOPBACK

    This would catch everything but loopback traffic.

    Yes you can inject the loopback traffic.  You need to bypass the TCP/IP stack's zone crossing validation though.  In order to do this, you need the source IP address and destination IP address to be in the same zone.  This means if you have a packet from to, then you either modify the source IP ( to, or modify the destination IP ( to a valid IP on the local machine (i.e.

    The WFPSampler demonstrates this ( search for "software loopback"  in sys\ClassifyFunctions_BasicPacketInjectionCallouts.cpp )

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Monday, June 4, 2012 3:06 PM