WFP connect/bind redirection problem

  • Question

  • Hello, everyone! I have a callout driver which works on the ALE_CONNECT_REDIRECT layer. It changes the source IP for a specified user if this user tries to send packets to a specified IP (1.2.0.1). Also I have a UDP client application (udp_sender) which sends several UDP packets to the specified IP (1.2.0.1); it uses two functions: socket and sendto. I have two net adapters with IPs (1.2.0.2 and 1.2.0.3) which are located in the same subnet as the specified IP (1.2.0.1). WFP should change the source IP to 1.2.0.3 for the specified user sending packets to 1.2.0.1. In order to check the redirection I use Wireshark, with a UDP condition on, to monitor traffic to 1.2.0.1. So I add the required proxy_context, callout, and filter. And what I see when I start my application udp_sender: the redirection works only for the FIRST packet sent by the sendto function (source IP changes to 1.2.0.3). For other calls of the sendto function (second, third, ...) the source IP remains 1.2.0.2, which means that the callout driver doesn't call its callout function which changes the source IP. Here is what I found in the MSDN article Using Bind or Connect Redirection (https://msdn.microsoft.com/en-us/library/windows/hardware/ff571005(v=vs.85).aspx): "The layer at which redirection is performed determines the effect of the change. Changes at connect layers affect only the flow being connected. Changes at bind layers affect all connections that are using that socket."

    So I've got several questions:

    1) Do these sentences mean that I can change the source IP on the ALE_CONNECT_REDIRECT layer only for the first call of the sendto function?

    2) How are flows divided for TCP, UDP and ICMP connections?

    3) When we send a UDP packet we don't call the connect() function, so why do ALE_CONNECT layers exist for UDP at all?

    4) I must check the target IP (REMOTE_IP_ADDRESS) and if it fits I must change the source IP. Which layers should I use (I can't use REMOTE_IP_ADDRESS on the ALE_BIND_REDIRECT layer)?

    Thank you for your answers!



    • Edited by chipic Tuesday, January 26, 2016 9:38 AM
    Tuesday, January 26, 2016 9:34 AM

All replies

  • 1) I do not believe you can change the source details at CONNECT_REDIRECT, only the destination. Source details should be changed at BIND_REDIRECT.

    2) I don't understand

    3) ALE layers operate on the notion of flows; in order to keep consistency between TCP and UDP, WFP will fire the AUTH_CONNECT handler for the first UDP packet sent for a given flow. A flow can be identified by its unique tuple (source address, source port, protocol, destination address, destination port).

    4) The only way I can think of doing this would be to do this on a per-packet basis at the TRANSPORT layer. You'd need to do this INBOUND and OUTBOUND.

    J

    • Proposed as answer by JST86 Friday, March 4, 2016 3:26 PM
    Friday, March 4, 2016 3:26 PM
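To make the reply's point about flows concrete, here is an added C model (not code from this thread, not a real WFP callout, and not from any Microsoft sample) of an ALE-style flow table keyed by the five-tuple the reply names. The flow_tuple_t type, the flow table and the ale_* functions are hypothetical stand-ins for the kernel's own bookkeeping; the 1.2.0.x addresses are the ones from the question and the ports are constructed. It shows why the questioner's udp_sender only triggers the connect-layer callout once: every sendto() from the same unbound socket carries the same tuple, so only the first packet creates a flow.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 5-tuple: the identity the reply says an ALE flow is keyed by.
 * Protocol numbers are the IANA values (17 = UDP, 6 = TCP). */
typedef struct {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  proto;
} flow_tuple_t;

#define MAX_FLOWS 64
static flow_tuple_t flow_table[MAX_FLOWS]; /* constructed stand-in for the ALE flow table */
static int flow_count = 0;
static int classify_calls = 0;             /* how often the "callout" would have run */

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static int tuple_equal(const flow_tuple_t *a, const flow_tuple_t *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

void ale_reset(void)
{
    flow_count = 0;
    classify_calls = 0;
}

int ale_classify_count(void)
{
    return classify_calls;
}

/* Model of the behaviour described in the reply: the connect-layer callout runs
 * once, when a packet with a not-yet-seen tuple creates the flow. Later packets
 * that match an existing flow reuse it and the callout is not invoked again.
 * Returns 1 when a new flow was created, 0 when an existing flow was matched. */
int ale_process_packet(const flow_tuple_t *t)
{
    for (int i = 0; i < flow_count; i++) {
        if (tuple_equal(&flow_table[i], t))
            return 0;
    }
    if (flow_count < MAX_FLOWS)
        flow_table[flow_count++] = *t;
    classify_calls++;
    return 1;
}

/* Mirrors the question's udp_sender: one socket (hence one implicit source port)
 * and n_packets sendto() calls to 1.2.0.1. Returns how many of them created a
 * flow, i.e. how many times the connect-redirect callout would have run. */
int simulate_udp_sender(int n_packets, uint16_t src_port)
{
    int new_flows = 0;
    for (int i = 0; i < n_packets; i++) {
        /* constructed addresses taken from the question; port 5000 is made up */
        flow_tuple_t t = { ip4(1, 2, 0, 2), ip4(1, 2, 0, 1), src_port, 5000, 17 };
        new_flows += ale_process_packet(&t);
    }
    return new_flows;
}

/* Two sockets (two source ports) to the same destination are two flows; a TCP
 * connect with the same addresses and ports is a third, because the protocol
 * is part of the tuple. Returns the number of flows created. */
int simulate_distinct_flows(void)
{
    int new_flows = 0;
    flow_tuple_t udp_a = { ip4(1, 2, 0, 2), ip4(1, 2, 0, 1), 50000, 5000, 17 };
    flow_tuple_t udp_b = { ip4(1, 2, 0, 2), ip4(1, 2, 0, 1), 50001, 5000, 17 };
    flow_tuple_t tcp_a = { ip4(1, 2, 0, 2), ip4(1, 2, 0, 1), 50000, 5000, 6 };
    new_flows += ale_process_packet(&udp_a);
    new_flows += ale_process_packet(&udp_a); /* repeat: same tuple, same flow */
    new_flows += ale_process_packet(&udp_b);
    new_flows += ale_process_packet(&tcp_a);
    return new_flows;
}

int main(void)
{
    ale_reset();
    printf("udp_sender, 5 x sendto(): callout ran %d time(s)\n",
           simulate_udp_sender(5, 50000));
    ale_reset();
    printf("distinct tuples: %d flow(s) created\n", simulate_distinct_flows());
    return 0;
}
```

The model is deliberately minimal: it does not expire flows or track direction, and nothing here touches the real FWPS structures. The takeaway it illustrates is the one in the reply: a connect-layer callout is a per-flow decision, so a change that must apply to every datagram a socket sends belongs at the bind layer (or, if it depends on the remote address, per packet at the transport layer).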