locked
Intercept inbound connections in WFP Callout driver is just discard incoming packets? RRS feed

  • Question

  • hello community. I want to write driver to intercepts TCP/UDP connections, and i choose WFP Callout driver model for this.
    _
    Main driver's purpose is: pending inbound/outbound connections, send connection info to user application and user make decision to allow or block that connection.
    i read "inspect" sample from Microsoft carefully, but still can't understand at some points:
    1. About filter condition: if i need to inspect TCP/UDP connections at layers, the filter need to define 2 conditions (FWPM_FILTER_CONDITION), doesn't it? the classifyFn function will be triggered like OR operator or how?
    2. To intercept inbound connection, is the only way is discard the connecting packet at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V*? if so, that not my purpose, i need it can reply the client connecting to immediately, not after a "timeout" (on TCP) because of the first packet was "dropped".
    3. Does my driver can work without a classiyFn at transport layers? one classifyFn at ALE_CONNECT layer for outbound and another at ALE_RECV_ACCEPT layer for inbound connections?
    _
    im stuck with these questions for weeks,
    thank you for your help so much.
    Monday, April 13, 2020 10:08 AM