I want to drop specific IP addresses

  • Question

  • Hi there.

    I want to drop traffic for specific IP addresses (e.g. 192.168.0.101 and 61.5.2.1).

    So I wrote the sample code below, but it does not work.

    ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

       /*
        * Asker's attempt: ONE block filter that carries TWO equality conditions,
        * both on FWPM_CONDITION_IP_REMOTE_ADDRESS.
        *
        * NOTE(review): the reply in this thread states that the conditions of a
        * filter are AND'd together, so this single filter is not expected to
        * block either address on its own -- confirm the same-field semantics
        * against the FWPM_FILTER0 documentation for the target Windows version.
        */
       FWPM_FILTER0 filter = {0};
       FWPM_FILTER_CONDITION0 filterConditions[3] = {0};
       FWPM_FILTER_CONDITION0 *cond;
       UINT conditionIndex = 0;

       /* Where the filter lives and what it does when it matches. */
       filter.layerKey = *layerKey;
       filter.subLayerKey = TL_INSPECT_SUBLAYER;
       filter.weight.type = FWP_EMPTY; /* auto-weight */
       filter.rawContext = context;
       filter.action.type = FWP_ACTION_BLOCK;
       filter.action.calloutKey = *calloutKey;
       filter.filterCondition = filterConditions;

       /*
        * First drop IP.
        * NOTE(review): the value is read straight out of remoteAddr as a UINT32;
        * presumably the caller has already put it in the byte order the engine
        * expects for IPv4 conditions -- confirm.
        */
       cond = &filterConditions[conditionIndex++];
       cond->fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
       cond->matchType = FWP_MATCH_EQUAL;
       cond->conditionValue.type = FWP_UINT32;
       cond->conditionValue.uint32 = *(UINT32*)remoteAddr;

       /* Second drop IP, added to the SAME filter as a second condition. */
       cond = &filterConditions[conditionIndex++];
       cond->fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
       cond->matchType = FWP_MATCH_EQUAL;
       cond->conditionValue.type = FWP_UINT32;
       cond->conditionValue.uint32 = *(UINT32*)puConfigAddr;

       /* conditionIndex now equals the number of conditions filled in (2). */
       filter.numFilterConditions = conditionIndex;

       /* The engine writes the id it assigned back into filter.filterId. */
       status = FwpmFilterAdd0(gEngineHandle, &filter, NULL, &(filter.filterId));
       return status;


    Is this correct?


    Friday, December 26, 2008 2:41 AM

Answers

  • You need 2 filters to accomplish this:

    Code Snippet

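       /// Two independent block filters, one per remote IPv4 address. Each filter
       /// carries exactly one equality condition, so a match on either address
       /// is enough for that filter's block action to apply.
       ///
       /// NOTE(review): the conditions are IPv4-only (FWP_UINT32) and apply only
       /// at the layer named by *layerKey. Presumably a separate pair of filters
       /// is needed for every other layer or direction that must be covered, and
       /// IPv6 traffic is not affected -- confirm against the caller.
       FWPM_FILTER0           pFilters[2];
       FWPM_FILTER_CONDITION0 pFilterConditions[2];

       /// Zero everything first so that fields not set below are well defined.
       ZeroMemory(pFilters, sizeof(pFilters));
       ZeroMemory(pFilterConditions, sizeof(pFilterConditions));

       pFilters[0].layerKey            = pFilters[1].layerKey            = *layerKey;
       pFilters[0].action.type         = pFilters[1].action.type         = FWP_ACTION_BLOCK;
       pFilters[0].subLayerKey         = pFilters[1].subLayerKey         = TL_INSPECT_SUBLAYER;
       pFilters[0].rawContext          = pFilters[1].rawContext          = context;
       pFilters[0].numFilterConditions = pFilters[1].numFilterConditions = 1;
       pFilters[0].weight.type         = pFilters[1].weight.type         = FWP_EMPTY; /// auto-weight

       /// You need to populate the displayData -- on BOTH filters. The original
       /// line assigned pFilters[0].displayData.name twice and left
       /// pFilters[1].displayData.name NULL.
       pFilters[0].displayData.name = pFilters[1].displayData.name = L"MyCompany";

       pFilters[0].displayData.description = L"Block 192.168.0.1";
       pFilters[0].filterCondition         = &(pFilterConditions[0]);

       pFilters[1].displayData.description = L"Block 10.0.0.1";
       pFilters[1].filterCondition         = &(pFilterConditions[1]);

       /// If your action is not a callout then there is no need to populate the
       /// calloutKey:
       ///   pFilters[0].action.calloutKey = pFilters[1].action.calloutKey = *calloutKey;

       /// First Drop IP: 0xC0A80001 is 192.168.0.1 with the first octet in the
       /// most significant byte.
       /// NOTE(review): a value read from a buffer (*(UINT32*)remoteAddr) has to
       /// be in this same byte order -- confirm before substituting it here.
       pFilterConditions[0].fieldKey              = FWPM_CONDITION_IP_REMOTE_ADDRESS;
       pFilterConditions[0].matchType             = FWP_MATCH_EQUAL;
       pFilterConditions[0].conditionValue.type   = FWP_UINT32;
       pFilterConditions[0].conditionValue.uint32 = 0xC0A80001; ///*(UINT32*)remoteAddr;

       /// Second Drop IP: 0x0A000001 is 10.0.0.1.
       pFilterConditions[1].fieldKey              = FWPM_CONDITION_IP_REMOTE_ADDRESS;
       pFilterConditions[1].matchType             = FWP_MATCH_EQUAL;
       pFilterConditions[1].conditionValue.type   = FWP_UINT32;
       pFilterConditions[1].conditionValue.uint32 = 0x0A000001; ///*(UINT32*)puConfigAddr;

       for(UINT32 filterIndex = 0;
           filterIndex < sizeof(pFilters) / sizeof(pFilters[0]);
           filterIndex++)
       {
          status = FwpmFilterAdd0(gEngineHandle,
                                  &(pFilters[filterIndex]),
                                  NULL,
                                  &(pFilters[filterIndex].filterId));

          /// Stop at the first failure. Without this, an error from the first
          /// add is overwritten by the result of the second, and the caller is
          /// told that both block filters are installed when only one is.
          if (status != 0) /// non-zero: neither STATUS_SUCCESS nor ERROR_SUCCESS
          {
             /// NOTE(review): a filter added before the failure stays installed.
             /// If the caller has not already opened a transaction, wrapping
             /// both adds in FwpmTransactionBegin0 / FwpmTransactionCommit0 /
             /// FwpmTransactionAbort0 keeps the block list from being left
             /// half-installed.
             break;
          }
       }


       return status;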

     

     

    Hope this helps.

    Wednesday, January 7, 2009 8:03 PM
    Moderator

All replies

  • Filter conditions are AND'd together, so this will not work.  You should create a separate filter for each IP address.  If the IP addresses were contiguous, you could use a single filter with a condition value of type FWP_RANGE_TYPE.

     

    Hope this helps

    Tuesday, January 6, 2009 6:59 PM
    Moderator
  • When the IP addresses are not contiguous (e.g. 192.168.0.1 and 10.0.0.1), could you show me the simplest way to do this?

    Wednesday, January 7, 2009 4:14 AM
  • You need 2 filters to accomplish this:

    Code Snippet

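       /// Two independent block filters, one per remote IPv4 address. Each filter
       /// carries exactly one equality condition, so a match on either address
       /// is enough for that filter's block action to apply.
       ///
       /// NOTE(review): the conditions are IPv4-only (FWP_UINT32) and apply only
       /// at the layer named by *layerKey. Presumably a separate pair of filters
       /// is needed for every other layer or direction that must be covered, and
       /// IPv6 traffic is not affected -- confirm against the caller.
       FWPM_FILTER0           pFilters[2];
       FWPM_FILTER_CONDITION0 pFilterConditions[2];

       /// Zero everything first so that fields not set below are well defined.
       ZeroMemory(pFilters, sizeof(pFilters));
       ZeroMemory(pFilterConditions, sizeof(pFilterConditions));

       pFilters[0].layerKey            = pFilters[1].layerKey            = *layerKey;
       pFilters[0].action.type         = pFilters[1].action.type         = FWP_ACTION_BLOCK;
       pFilters[0].subLayerKey         = pFilters[1].subLayerKey         = TL_INSPECT_SUBLAYER;
       pFilters[0].rawContext          = pFilters[1].rawContext          = context;
       pFilters[0].numFilterConditions = pFilters[1].numFilterConditions = 1;
       pFilters[0].weight.type         = pFilters[1].weight.type         = FWP_EMPTY; /// auto-weight

       /// You need to populate the displayData -- on BOTH filters. The original
       /// line assigned pFilters[0].displayData.name twice and left
       /// pFilters[1].displayData.name NULL.
       pFilters[0].displayData.name = pFilters[1].displayData.name = L"MyCompany";

       pFilters[0].displayData.description = L"Block 192.168.0.1";
       pFilters[0].filterCondition         = &(pFilterConditions[0]);

       pFilters[1].displayData.description = L"Block 10.0.0.1";
       pFilters[1].filterCondition         = &(pFilterConditions[1]);

       /// If your action is not a callout then there is no need to populate the
       /// calloutKey:
       ///   pFilters[0].action.calloutKey = pFilters[1].action.calloutKey = *calloutKey;

       /// First Drop IP: 0xC0A80001 is 192.168.0.1 with the first octet in the
       /// most significant byte.
       /// NOTE(review): a value read from a buffer (*(UINT32*)remoteAddr) has to
       /// be in this same byte order -- confirm before substituting it here.
       pFilterConditions[0].fieldKey              = FWPM_CONDITION_IP_REMOTE_ADDRESS;
       pFilterConditions[0].matchType             = FWP_MATCH_EQUAL;
       pFilterConditions[0].conditionValue.type   = FWP_UINT32;
       pFilterConditions[0].conditionValue.uint32 = 0xC0A80001; ///*(UINT32*)remoteAddr;

       /// Second Drop IP: 0x0A000001 is 10.0.0.1.
       pFilterConditions[1].fieldKey              = FWPM_CONDITION_IP_REMOTE_ADDRESS;
       pFilterConditions[1].matchType             = FWP_MATCH_EQUAL;
       pFilterConditions[1].conditionValue.type   = FWP_UINT32;
       pFilterConditions[1].conditionValue.uint32 = 0x0A000001; ///*(UINT32*)puConfigAddr;

       for(UINT32 filterIndex = 0;
           filterIndex < sizeof(pFilters) / sizeof(pFilters[0]);
           filterIndex++)
       {
          status = FwpmFilterAdd0(gEngineHandle,
                                  &(pFilters[filterIndex]),
                                  NULL,
                                  &(pFilters[filterIndex].filterId));

          /// Stop at the first failure. Without this, an error from the first
          /// add is overwritten by the result of the second, and the caller is
          /// told that both block filters are installed when only one is.
          if (status != 0) /// non-zero: neither STATUS_SUCCESS nor ERROR_SUCCESS
          {
             /// NOTE(review): a filter added before the failure stays installed.
             /// If the caller has not already opened a transaction, wrapping
             /// both adds in FwpmTransactionBegin0 / FwpmTransactionCommit0 /
             /// FwpmTransactionAbort0 keeps the block list from being left
             /// half-installed.
             break;
          }
       }


       return status;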

     

     

    Hope this helps.

    Wednesday, January 7, 2009 8:03 PM
    Moderator
  • Thanks Harper!!

     

    This code is very useful !!

     

    Friday, January 9, 2009 12:49 AM