To block incoming packets from a particular IP address


  • hi,

    I'm very new to WFP. I'm developing a driver to block packets from an IP address. The code compiles correctly, but the filter is not working. Please guide me.

    code :

    #include <ntddk.h>
    #include <winerror.h>
    #pragma warning(push)
    #pragma warning(disable:4201)    
    #include <fwpsk.h>
    #pragma warning(pop)
    #include <fwpmk.h>
    #include <fwpmu.h>
    #include <stdio.h>
    #pragma comment(lib, "Fwpuclnt.lib")
    DRIVER_UNLOAD DriverUnload;
    VOID DriverUnload(IN PDRIVER_OBJECT driverObject );
    DRIVER_INITIALIZE DriverEntry;

    /* Driver-wide WFP state. File-scope objects, so they start zeroed when the
       image is loaded; DriverEntry fills them in and DriverUnload tears them down. */
    HANDLE engineHanle;                    /* BFE engine handle from FwpmEngineOpen; 0 once closed */
    FWPM_SESSION session;                  /* session description handed to FwpmEngineOpen */
    FWPM_FILTER blockfilterin;             /* the block filter; filterId is written by FwpmFilterAdd */
    FWPM_FILTER_CONDITION pcondition[1];   /* single remote-address condition referenced by blockfilterin */
    FWPM_ACTION action;                    /* not referenced anywhere in this listing */
    NTSTATUS status;                       /* result of the most recent WFP call */
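    NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT driverObject,
    IN PUNICODE_STRING registryPath)
    {
        /*
         * Open a BFE session and install one filter that blocks every inbound
         * IPv4 packet whose remote address is 173.192.49.10.
         *
         * Returns STATUS_SUCCESS with engineHanle open (DriverUnload closes it),
         * or the failing WFP status with engineHanle back at 0.
         *
         * NOTE(review): fwpmu.h and Fwpuclnt.lib are the user-mode WFP management
         * interfaces; a kernel-mode driver is expected to use fwpmk.h and link
         * fwpkclnt.lib instead -- confirm what the build actually links.
         */
        UNREFERENCED_PARAMETER(registryPath);

        driverObject->DriverUnload = DriverUnload;
        engineHanle = 0;

        /* A dynamic session is torn down by BFE when the engine handle closes,
           so a failed load or an unload cannot leave a stale block filter behind. */
        RtlZeroMemory(&session, sizeof(session));
        session.flags = FWPM_SESSION_FLAG_DYNAMIC;

        status = FwpmEngineOpen(0, RPC_C_AUTHN_WINNT, 0, &session, &engineHanle);
        if (status != STATUS_SUCCESS)
        {
            /* Nothing was acquired: no transaction to abort, no handle to close.
               The original fell off the end here without returning a value. */
            engineHanle = 0;
            return status;
        }

        /* One condition: remote IPv4 address == 173.192.49.10 (0xAD.0xC0.0x31.0x0A),
           expressed as a host-order UINT32. Zero the whole array, not one element
           of a type, so the size stays right if the array grows. */
        RtlZeroMemory(pcondition, sizeof(pcondition));
        pcondition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
        pcondition[0].matchType = FWP_MATCH_EQUAL;
        pcondition[0].conditionValue.type = FWP_UINT32;
        pcondition[0].conditionValue.uint32 = 0xADC0310A;

        RtlZeroMemory(&blockfilterin, sizeof(blockfilterin));
        blockfilterin.layerKey = FWPM_LAYER_INBOUND_IPPACKET_V4;
        /* Name the sub-layer explicitly; a dedicated sub-layer (as suggested in
           the thread) is the next step if other filters on the machine outrank this one. */
        blockfilterin.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
        /* weight.type must say which union member was filled in; left at
           FWP_EMPTY, the 0xF below is ignored and BFE assigns its own weight. */
        blockfilterin.weight.type = FWP_UINT8;
        blockfilterin.weight.uint8 = 0xF;
        blockfilterin.numFilterConditions = 1;
        blockfilterin.filterCondition = pcondition;
        blockfilterin.action.type = FWP_ACTION_BLOCK;

        /* A single Fwpm call is already transactional, so no explicit
           FwpmTransactionBegin/Commit pair is needed around it -- and its
           status must be checked, otherwise a rejected filter looks like success. */
        status = FwpmFilterAdd(engineHanle, &blockfilterin, 0, &(blockfilterin.filterId));
        if (status != STATUS_SUCCESS)
        {
            FwpmEngineClose(engineHanle);
            engineHanle = 0;
        }

        return status;
    }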
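    VOID DriverUnload(
      IN PDRIVER_OBJECT driverObject )
    {
        /*
         * Remove the block filter and close the BFE session opened in DriverEntry.
         * Safe to call when no session is open: engineHanle is a zero-initialized
         * global, and a null handle is never handed to BFE.
         */
        UNREFERENCED_PARAMETER(driverObject);

        if (engineHanle == 0)
        {
            return;
        }

        /* Best effort: the session was opened with FWPM_SESSION_FLAG_DYNAMIC, so
           BFE should drop the filter on engine close even if this delete fails. */
        (VOID)FwpmFilterDeleteById(engineHanle, blockfilterin.filterId);
        FwpmEngineClose(engineHanle);
        engineHanle = 0;
    }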
    Monday, June 20, 2011 2:09 PM


  • Are there other filters on the machine? You would likely benefit from creating your own subLayer and having your filter associated with it. You can type "NetSh.exe WFP Show State" and look for your filter in the resultant .xml. This will let you know whether it was added correctly. Double check your conditions (were you intending to block all traffic from 173.192.49.10?).

    Also, each individual API is already transactional, therefore if you are making a single API call, you don't need to call FwpmTransactionBegin() and FwpmTransactionCommit().  These APIs are meant to be used when calling multiple Fwpm APIs as a single transaction.

     

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Monday, June 20, 2011 4:50 PM
    Moderator
  • Hi,

    You can also add this filter in user mode. Even if you have a WFP driver with a classify function, it is still possible to add WFP filters from user mode.

    -- Antti

    Monday, June 20, 2011 5:20 PM