FWP_E_DUPLICATE_CONDITION

  • Question

  • I'm trying to add a filter on a Win7 platform with the following conditions:

    // Condition 0: IP protocol (6 = TCP)
    FwpmFilterCondition[0].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
    FwpmFilterCondition[0].matchType = FWP_MATCH_EQUAL;
    FwpmFilterCondition[0].conditionValue.type = FWP_UINT8;
    FwpmFilterCondition[0].conditionValue.uint8 = 6;
    // Conditions 1-2: local port, both NOT_EQUAL
    FwpmFilterCondition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
    FwpmFilterCondition[1].matchType = FWP_MATCH_NOT_EQUAL;
    FwpmFilterCondition[1].conditionValue.type = FWP_UINT16;
    FwpmFilterCondition[1].conditionValue.uint16 = 51004;
    FwpmFilterCondition[2].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
    FwpmFilterCondition[2].matchType = FWP_MATCH_NOT_EQUAL;
    FwpmFilterCondition[2].conditionValue.type = FWP_UINT16;
    FwpmFilterCondition[2].conditionValue.uint16 = 51010;
    // Conditions 3-4: remote port, both NOT_EQUAL
    FwpmFilterCondition[3].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
    FwpmFilterCondition[3].matchType = FWP_MATCH_NOT_EQUAL;
    FwpmFilterCondition[3].conditionValue.type = FWP_UINT16;
    FwpmFilterCondition[3].conditionValue.uint16 = 51004;
    FwpmFilterCondition[4].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
    FwpmFilterCondition[4].matchType = FWP_MATCH_NOT_EQUAL;
    FwpmFilterCondition[4].conditionValue.type = FWP_UINT16;
    FwpmFilterCondition[4].conditionValue.uint16 = 51010;

    I had expected the WFP to AND the 5 conditions together because of the use of FWP_MATCH_NOT_EQUAL on the port conditions.  Instead I get an error code FWP_E_DUPLICATE_CONDITION. Should this filter work or do I need to split the duplicate port fields into separate filters?

    Friday, January 18, 2013 7:17 PM


All replies

  • All consecutive identical conditions are OR'd together.  Your filter essentially says:
    protocol is equal to TCP AND
    (local port is not equal to 51004 OR
    local port is not equal to 51010 ) AND
    (remote port is not equal to 51004 OR
    remote port is not equal to 51010)

    This logic is flawed as port 51010 is not equal to 51004, so that portion would be true...

    You should break this up into more digestible filters, or:
        use ranges (3 MATCH_EQUAL filters using ranges 0-51003, 51005-51009, 51011-65535)

        use better match types (FWP_MATCH_LESS 51004, FWP_MATCH_EQUAL range 51005-51009, FWP_MATCH_GREATER 51010)

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Friday, January 18, 2013 10:41 PM
    Moderator
  • Thanks Dusty.   One follow-up question.  From reading about the OR function it appears it was added in Windows 7, but not in Vista.  I'm assuming there is no way to specify to the OS which method you want (AND or OR).  Is that true?  My concern is that I will have to use a completely different set of filters on each OS.
    Monday, January 21, 2013 2:53 PM
  • No, there is no way to specify the operation.  Vista does not support multiple consecutive conditions, so if you wish to support Vista, then yes, you will need to break them into multiple filters.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Tuesday, January 22, 2013 4:36 AM
    Moderator
  • One final question on this subject.  I have a filter with consecutive remote IP address conditions for which I did not get a duplicate error result.

    I want the filter to permit traffic to the remote IP address range 2001:c0a8:f400::/48 except for the addresses 2001:c0a8:f400::c0a8:f43c and 2001:c0a8:f400::c0a8:f43e.  When I tested the filter I could see that 2001:c0a8:f400::c0a8:f401 was permitted (was not called out in my callout driver) while 2001:c0a8:f400::c0a8:f43c/f43e were called out.  So I assume that the filter works as I had expected.

    The filter has the following conditions:

    // Condition 0: the /48 prefix to permit
    FwpmFilterCondition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    FwpmFilterCondition[0].matchType = FWP_MATCH_EQUAL;
    FwpmFilterCondition[0].conditionValue.type = FWP_V6_ADDR_MASK;
    FwpmFilterCondition[0].conditionValue.v6AddrMask = <2001:c0a8:f400::/48>;
    // Conditions 1-2: the two hosts to exclude, both NOT_EQUAL
    FwpmFilterCondition[1].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    FwpmFilterCondition[1].matchType = FWP_MATCH_NOT_EQUAL;
    FwpmFilterCondition[1].conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
    FwpmFilterCondition[1].conditionValue.byteArray16 = <2001:c0a8:f400::c0a8:f43c>;
    FwpmFilterCondition[2].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    FwpmFilterCondition[2].matchType = FWP_MATCH_NOT_EQUAL;
    FwpmFilterCondition[2].conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
    FwpmFilterCondition[2].conditionValue.byteArray16 = <2001:c0a8:f400::c0a8:f43e>;

    and results in the following filters.xml (netsh wfp show filters):

    <item>
      <filterKey>{46961bd0-ad8a-456f-9191-36867da210a5}</filterKey>
      <displayData>
        <name>Stealth Filter</name>
        <description>Clear Text Filter</description>
      </displayData>
      <flags />
      <providerKey>{e3cbf917-b438-41e5-a4b1-af01302871c3}</providerKey>
      <providerData />
      <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V6</layerKey>
      <subLayerKey>{eb439cf3-ff32-46b0-89fc-8a2ae1b1f92a}</subLayerKey>
      <weight>
        <type>FWP_UINT64</type>
        <uint64>32786</uint64>
      </weight>
      <filterCondition numItems="3">
        <item>
          <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_V6_ADDR_MASK</type>
            <v6AddrMask>
              <addr>2001:c0a8:f400::</addr>
              <prefixLength>48</prefixLength>
            </v6AddrMask>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
          <matchType>10</matchType>
          <conditionValue>
            <type>FWP_BYTE_ARRAY16_TYPE</type>
            <byteArray16>2001:c0a8:f400::c0a8:f43c</byteArray16>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
          <matchType>10</matchType>
          <conditionValue>
            <type>FWP_BYTE_ARRAY16_TYPE</type>
            <byteArray16>2001:c0a8:f400::c0a8:f43e</byteArray16>
          </conditionValue>
        </item>
      </filterCondition>
      <action>
        <type>FWP_ACTION_PERMIT</type>
        <filterType>{777edad8-0e51-48a4-afeb-f3de9d2d6bfd}</filterType>
      </action>
      <rawContext>0</rawContext>
      <reserved />
      <filterId>67995</filterId>
      <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>32786</uint64>
      </effectiveWeight>
    </item>

    From this thread I would not expect this filter to be allowed or to work on Windows 7.  Are IP address fields handled differently from protocol/port fields?   In other words are the IP address fields ANDed instead of ORed together?

    Thanks so much for your help!

    Tuesday, January 22, 2013 1:12 PM
  • As stated previously, all consecutive conditions of the same condition field are OR'd together.  Yes, there is different logic for determining matching between ports and IPs.  There is likely a bug in the IP matching logic which is allowing the behavior you are seeing.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Tuesday, January 22, 2013 4:33 PM
    Moderator
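As an added illustration, not code from the thread or from WFP: a small Python model of the rule stated in the first answer (consecutive conditions on the same field are OR'd, the resulting groups are AND'd), run over the poster's original port conditions, over the range rewrite suggested in that answer (folded here into consecutive range conditions of one filter, which itself relies on the Windows 7 OR rule), and over the IPv6 permit filter from the follow-up question. Field names, match-type strings and the packets are constructed for the model and are not WFP identifiers.

```python
from itertools import groupby
from ipaddress import ip_address, ip_network

def cond_matches(cond, value):
    """Evaluate one (field, match_type, cond_value) triple against a packet field value."""
    _, match, cv = cond
    if match == "EQUAL":
        return value == cv
    if match == "NOT_EQUAL":
        return value != cv
    if match == "RANGE":          # cv is an inclusive (low, high) pair, like FWP_RANGE0
        return cv[0] <= value <= cv[1]
    if match == "ADDR_MASK":      # cv is an ip_network, modelling FWP_V6_ADDR_MASK
        return value in cv
    raise ValueError(match)

def filter_matches(conditions, packet):
    """Rule from the thread: OR within a run of the same field, AND across the runs."""
    for field, run in groupby(conditions, key=lambda c: c[0]):
        if not any(cond_matches(c, packet[field]) for c in run):
            return False
    return True

# The poster's original port filter (protocol 6 = TCP) and the range rewrite from
# the first answer, written as three consecutive (hence OR'd) range conditions per field.
ORIGINAL = [("protocol", "EQUAL", 6),
            ("local_port", "NOT_EQUAL", 51004), ("local_port", "NOT_EQUAL", 51010),
            ("remote_port", "NOT_EQUAL", 51004), ("remote_port", "NOT_EQUAL", 51010)]
RANGES = [(0, 51003), (51005, 51009), (51011, 65535)]
REWRITTEN = ([("protocol", "EQUAL", 6)]
             + [("local_port", "RANGE", r) for r in RANGES]
             + [("remote_port", "RANGE", r) for r in RANGES])

# The IPv6 permit filter from the follow-up: a /48 mask plus two NOT_EQUAL hosts.
V6_FILTER = [("remote_addr", "ADDR_MASK", ip_network("2001:c0a8:f400::/48")),
             ("remote_addr", "NOT_EQUAL", ip_address("2001:c0a8:f400::c0a8:f43c")),
             ("remote_addr", "NOT_EQUAL", ip_address("2001:c0a8:f400::c0a8:f43e"))]

def compare_ports(local_port, remote_port, protocol=6):
    """(original matches, rewritten matches) for a constructed packet."""
    pkt = {"protocol": protocol, "local_port": local_port, "remote_port": remote_port}
    return filter_matches(ORIGINAL, pkt), filter_matches(REWRITTEN, pkt)

def v6_permitted(remote_addr):
    """What the stated OR rule predicts for the follow-up's permit filter."""
    return filter_matches(V6_FILTER, {"remote_addr": ip_address(remote_addr)})
```

Under the stated rule the original filter still matches a local port of 51004 while the range form does not, and the IPv6 filter matches every remote address including ::c0a8:f43c, which is why the exclusion the poster observed points to address matching using different logic.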