Filtering NFS requests in Windows 2008 using WFP

  • Question

  • Hi!

    I have a task of filtering NFS requests coming to my Windows 2008 machine. Basically, I should be able to inspect the data related to a particular NFS request, for example WRITE, READ, etc.

    I am pretty new to WFP. I had some doubts:

    1. At which layer should I add my callback?
    2. Will the classify routine being called at that layer give me the NFS packet in the layerData parameter?

    Ayush Gupta
    Thursday, April 16, 2009 9:35 AM


All replies

  • Based on the information found in the RFC for NFS, you can probably best inspect the packets at FWPM_LAYER_INBOUND_TRANSPORT_V* and FWPM_LAYER_OUTBOUND_TRANSPORT_V*.

    When the callout is invoked, the NetBuffer list(s) will be indicated as the layer data pointer.  This is essentially the packet.  Which layer you are at determines where it points to in the "packet" (i.e. at Inbound Transport, it points to the start of the Transport Header, and you can retreat the size of the IP Header to get to the beginning of the Packet).

    The following link may be helpful to you:

    Dusty Harper [MSFT]
    Friday, April 17, 2009 6:07 PM
  • Hi Dusty!

    Thanks for the reply.

    Actually I was wondering whether there is a way to filter the requests coming to the rpcxdr driver (basically the NFS RPC requests). Just for information, it's like the NFS server (nfssvr.sys) communicates with rpcxdr.sys, and rpcxdr.sys makes various TDI calls.

    Which do you think is a better option? Filtering at the Stream layer or at the transport layer?

    Ayush Gupta
    Monday, April 20, 2009 8:25 AM
  • Yes, if the RPC transport is over TCP then you can inspect at the STREAM layer, where only TCP data segments are indicated.

    Tuesday, April 28, 2009 12:30 AM
  • Hi Biao,

    Thanks for the reply.
    I wanted to know one more thing. Is there a possibility of sending replies to selected packets (say read/write) from the WFP driver instead of forwarding them to the nfssvr? Of course I would have to unpack the RPC packet in that case and process the NFS request, but is it possible to just stop that incoming packet from going to the nfssvr and inject the reply from the WFP filter?

    Ayush Gupta
    Tuesday, April 28, 2009 2:50 AM
  • WFP's STREAM layer allows you to remove, replace, or "invent" contents into a TCP flow. Please refer to this page for more details -- http://msdn.microsoft.com/en-us/library/aa938501.aspx.

    The "stream editor" in the WDK demonstrates some of these functionalities.

    Thursday, May 7, 2009 7:44 AM
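  • The replies above say that the STREAM layer indicates only TCP data segments, and that to answer a READ or WRITE from the filter one would first have to unpack the RPC record. The block below is an added example written for this thread, not code from any poster or from the WDK stream editor sample. It is plain user-mode C that parses an ONC RPC CALL from record-marked TCP stream data as defined in RFC 5531 (4-byte record marker, then xid, msg_type, rpcvers, prog, vers, proc, credential and verifier) and tells whether it is an NFSv3 WRITE (program 100003, version 3, procedure 7 per RFC 1813). The input bytes are constructed by a helper in the same block and the procedure arguments are a placeholder, not a real WRITE3args encoding. In a real callout the indicated stream data is an FWPS_STREAM_DATA / NET_BUFFER_LIST chain that would first be copied into a contiguous buffer (FwpsCopyStreamDataToBuffer0) before a parser like this is run on it; that copy step, and the multi-fragment record case, are left out here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ONC RPC record marking over TCP (RFC 5531, section 11): each record is
 * preceded by a 4-byte big-endian word whose MSB flags the last fragment
 * and whose low 31 bits give the fragment length. */
#define RM_LAST_FRAG   0x80000000u
#define RM_LEN_MASK    0x7fffffffu
#define RPC_MSG_CALL   0u
#define RPC_VERS       2u
#define NFS_PROGRAM    100003u   /* RPC program number of NFS           */
#define NFS_V3         3u
#define NFS3PROC_READ  6u        /* RFC 1813 procedure numbers          */
#define NFS3PROC_WRITE 7u

enum rpc_parse_status {
    RPC_OK = 0,          /* a complete CALL record was parsed            */
    RPC_NEED_MORE,       /* record continues in a later TCP segment      */
    RPC_MULTI_FRAGMENT,  /* legal, but not reassembled by this example   */
    RPC_NOT_CALL,        /* a REPLY or unknown message type              */
    RPC_MALFORMED        /* lengths do not fit inside the record         */
};

typedef struct {
    uint32_t xid, prog, vers, proc;
    size_t   args_off;   /* offset of procedure arguments within buf     */
    size_t   record_len; /* bytes covered by marker + fragment           */
} rpc_call_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] <<  8) |  (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >>  8); p[3] = (uint8_t)v;
}

/* XDR opaque fields are padded to a multiple of 4 bytes. */
static size_t xdr_pad(uint32_t n) { return ((size_t)n + 3u) & ~(size_t)3u; }

/* Parse the RPC CALL at the start of buf, which holds flattened TCP stream
 * data. Never reads outside [buf, buf + len). A record split across
 * segments yields RPC_NEED_MORE so the caller can buffer and retry. */
enum rpc_parse_status rpc_parse_call(const uint8_t *buf, size_t len, rpc_call_t *out)
{
    if (len < 4) return RPC_NEED_MORE;
    uint32_t rm = be32(buf);
    size_t frag = rm & RM_LEN_MASK;
    if (!(rm & RM_LAST_FRAG)) return RPC_MULTI_FRAGMENT;
    if (len < 4 + frag) return RPC_NEED_MORE;

    const uint8_t *body = buf + 4;
    if (frag < 6 * 4) return RPC_MALFORMED;        /* xid .. proc */
    if (be32(body + 4) != RPC_MSG_CALL) return RPC_NOT_CALL;
    if (be32(body + 8) != RPC_VERS) return RPC_MALFORMED;
    out->xid  = be32(body + 0);
    out->prog = be32(body + 12);
    out->vers = be32(body + 16);
    out->proc = be32(body + 20);

    /* credential then verifier: opaque_auth = flavor, length, body<400> */
    size_t off = 24;
    for (int i = 0; i < 2; i++) {
        if (frag < off + 8) return RPC_MALFORMED;
        uint32_t alen = be32(body + off + 4);
        if (alen > 400) return RPC_MALFORMED;
        off += 8;
        if (frag < off + xdr_pad(alen)) return RPC_MALFORMED;
        off += xdr_pad(alen);
    }
    out->args_off   = 4 + off;
    out->record_len = 4 + frag;
    return RPC_OK;
}

/* The request this thread wants to intercept: an NFSv3 WRITE call. */
int rpc_is_nfs3_write(const rpc_call_t *c)
{
    return c->prog == NFS_PROGRAM && c->vers == NFS_V3 && c->proc == NFS3PROC_WRITE;
}

/* Build a minimal record-marked NFSv3 CALL with AUTH_NONE cred and verf.
 * Constructed test input only; returns bytes written, 0 if out is too small. */
size_t build_nfs3_call(uint8_t *out, size_t cap, uint32_t xid, uint32_t proc,
                       const uint8_t *args, size_t arglen)
{
    size_t body = 10 * 4 + arglen;
    if (cap < 4 + body || body > RM_LEN_MASK) return 0;
    put32(out, RM_LAST_FRAG | (uint32_t)body);
    uint32_t hdr[10] = { xid, RPC_MSG_CALL, RPC_VERS, NFS_PROGRAM, NFS_V3, proc,
                         0, 0,    /* cred: AUTH_NONE, zero-length body */
                         0, 0 };  /* verf: AUTH_NONE, zero-length body */
    for (int i = 0; i < 10; i++) put32(out + 4 + 4 * i, hdr[i]);
    if (arglen) memcpy(out + 44, args, arglen);
    return 4 + body;
}

int main(void)
{
    uint8_t seg[128];
    const uint8_t args[8] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0 }; /* placeholder, not WRITE3args */
    size_t n = build_nfs3_call(seg, sizeof seg, 0x12345678u, NFS3PROC_WRITE, args, sizeof args);
    rpc_call_t c;
    enum rpc_parse_status st = rpc_parse_call(seg, n, &c);
    printf("status=%d xid=0x%08x prog=%u vers=%u proc=%u nfs3_write=%d args@%zu\n",
           (int)st, c.xid, c.prog, c.vers, c.proc, rpc_is_nfs3_write(&c), c.args_off);
    /* A TCP segment that carries only the first 20 bytes of the record. */
    st = rpc_parse_call(seg, 20, &c);
    printf("partial segment -> status=%d (RPC_NEED_MORE=%d)\n", (int)st, (int)RPC_NEED_MORE);
    return 0;
}
```

    The parser returns the argument offset so a later step can decode the NFS-specific arguments, and it refuses to classify until the whole record has arrived; a STREAM-layer callout that acted on the first segment alone would misjudge any request whose RPC header straddles a segment boundary.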