I want to monitor the IpAddr of all packets in StreamClassify

  • Question

  • Because FWPM_LAYER_STREAM_V4 does not have FWPM_CONDITION_IP_PROTOCOL, I can only monitor a specific IpAddr.
    But I want to monitor the IpAddr of all packets in StreamClassify, so I have tried this in MonitorCoFlowEstablishedCalloutV4:


    flowContextLocal = ExAllocatePoolWithTag(
      NonPagedPool,
      sizeof(FLOW_CONTEXT),
      'olfD'
      );

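    // ExAllocatePoolWithTag returns NULL on failure; do not dereference it.
    if (flowContextLocal != NULL)
    {
      flowContextLocal->LocalIPADDRv4 = inFixedValues->incomingValue[index].value.uint32;
      flowContextLocal->remoteIPADDRv4 = inFixedValues->incomingValue[index].value.uint32;
    }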

    Then in StreamClassify:

     FLOW_CONTEXT* flowContextLocal = (FLOW_CONTEXT*)(DWORD_PTR)flowContext;

     if(flowContextLocal != NULL)
     {
      DbgPrint("TCP OK \n");
      DbgPrint("TCP: LocalIP %lx remoteIP %lx \n",flowContextLocal->LocalIPADDRv4,flowContextLocal->remoteIPADDRv4);
      DbgPrint("\n");

     }
    flowContextLocal is always NULL. Why?

    Thanks

    Thursday, May 23, 2013 11:14 AM

All replies

  • Check out the MSNMNTR sample in the WDK; I hope it will help you.
    Monday, May 27, 2013 4:59 AM
  • This is already OK after calling FwpsFlowAssociateContext0.

    Current Problem:

    void StreamClassify(
              IN const FWPS_INCOMING_VALUES* inFixedValues,
              IN const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
              IN VOID* layerData,
              IN const void* classifyContext,
              IN const FWPS_FILTER* filter,
              IN UINT64 flowContext,
              OUT FWPS_CLASSIFY_OUT* classifyOut)

    {
     classifyOut->actionType = FWP_ACTION_BLOCK;

    }

    But my TcpTestProgram is still communicating.

    Why?

    Thanks

    Thursday, May 30, 2013 10:01 AM
  • Check out the FWPM_FILTER action type while you are adding the filter. To block, it should be FWP_ACTION_CALLOUT_TERMINATING.
    • Marked as answer by Jiang Kai Thursday, August 14, 2014 10:21 AM
    Thursday, May 30, 2013 12:28 PM
  • Thanks very much! This problem is already resolved!

    I am thinking of implementing asynchronous operation.

    I already save the packet info to a ChainTable in StreamClassify and return classifyOut->actionType = FWP_ACTION_BLOCK and classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;

    Then the R3 program will take the packet info from the ChainTable and decide whether to send the packet.

    But when I send the packet once more, it fails. Why? Thanks again.

    I would like to discuss WFP together with you! Thanks very much!

    My email address is anystayisjk @ hotmail.com; my MSN is the same.


    • Edited by Jiang Kai Friday, May 31, 2013 9:19 AM
    Friday, May 31, 2013 12:54 AM