Possible to manage static route in WFP?

We'd like to send traffic to a large list of IP addresses through a VPN tunnel, so that we can do filtering on the VPN server side.

Originally, we call CreateIpForwardEntry()/CreateIpForwardEntry2() to add static routes after we establish a tunnel. It works fine with a small IP list (fewer than 5k). Once the list goes up to 25k, we find that svchost.exe (LocalService and NetworkService) consumes almost 100% CPU for quite a long time (more than 5 minutes), even though the route-adding operation itself completes within one second.

If we trickle the route entries (e.g. adding 16, then sleep(100ms)), svchost can keep up and consumes less than 25% CPU, and once the adding operation is done, svchost goes quiet. But this is not ideal, especially since the list might keep growing.

So we are looking at whether there is a way in WFP to change the next hop of an IP packet. I saw there is BIND_REDIRECT, but at that stage we don't know the destination yet. We want to support at least TCP/UDP/ICMP.

Jeff

Friday, November 28, 2014 9:05 PM
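The throttled route insertion Jeff describes (16 routes, then a 100 ms pause), written out as an added example that is not part of the original thread. It uses New-NetRoute, the PowerShell counterpart of CreateIpForwardEntry2, and reports svchost.exe CPU time before and after so the effect of the pacing can be measured. The tunnel adapter name "VPN Tunnel" and the prefix file path are assumed placeholders.

```powershell
# Added example (not from the original thread): pace bulk route inserts so the
# IP helper service hosted in svchost.exe does not fall behind, and measure it.
# Assumptions (placeholders): tunnel adapter "VPN Tunnel"; C:\vpn\prefixes.txt
# holds one IPv4 CIDR per line, e.g. 203.0.113.0/24.
param(
    [string]$InterfaceAlias = 'VPN Tunnel',
    [string]$PrefixFile     = 'C:\vpn\prefixes.txt',
    [int]$BatchSize         = 16,
    [int]$PauseMs           = 100
)

$ifIndex  = (Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop).ifIndex
$prefixes = @(Get-Content $PrefixFile |
              Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' })

# Baseline: total CPU seconds consumed by all svchost.exe instances so far.
$cpuBefore = (Get-Process -Name svchost | Measure-Object CPU -Sum).Sum
$added = 0; $skipped = 0; $failed = 0
$sw = [System.Diagnostics.Stopwatch]::StartNew()

for ($i = 0; $i -lt $prefixes.Count; $i++) {
    try {
        # On a point-to-point tunnel the on-link next hop 0.0.0.0 is enough;
        # a low metric keeps these prefixes preferred over the default route.
        New-NetRoute -DestinationPrefix $prefixes[$i] -InterfaceIndex $ifIndex `
                     -NextHop '0.0.0.0' -RouteMetric 5 -PolicyStore ActiveStore `
                     -ErrorAction Stop | Out-Null
        $added++
    } catch {
        if ($_.Exception.Message -match 'already ?exists') { $skipped++ } else { $failed++ }
    }
    # Trickle: after every $BatchSize inserts, give the service time to catch up.
    if ((($i + 1) % $BatchSize) -eq 0) { Start-Sleep -Milliseconds $PauseMs }
}
$sw.Stop()

# Let route processing settle, then compare CPU time; a large delta here means
# svchost is still churning through the inserts after the API calls returned.
Start-Sleep -Seconds 5
$cpuAfter = (Get-Process -Name svchost | Measure-Object CPU -Sum).Sum
"Routes added: $added, skipped: $skipped, failed: $failed in $([math]::Round($sw.Elapsed.TotalSeconds, 1))s"
"svchost.exe CPU seconds consumed: $([math]::Round($cpuAfter - $cpuBefore, 1))"

# Confirm the routes are bound to the tunnel interface, not a physical adapter.
$onTunnel = @(Get-NetRoute -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue).Count
"IPv4 routes now on interface ${ifIndex}: $onTunnel"
```

Run from an elevated PowerShell session; routes added to the ActiveStore do not survive a reboot, which matches a per-connection tunnel lifetime.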