WFP connect redirect to local proxy

  • Question

  • Hello, everyone! 

    I am implementing a WFP callout driver to redirect connections to a local user-mode proxy. Doing inline redirection as per

    As the proxy service is in user mode, after getting the redirected connection I fetch the redirect record and redirect context and then associate the context. While I do this, do I need to be in sync with the driver's callout function?
    The driver callout function gets executed and calls FwpsReleaseClassifyHandle at the end.
    The user-mode code queries the redirect record and context and associates the context later. Is that a problem?

    I am getting the connection redirected to my local service. To forward the connection to the original destination, if I set the redirect record on the outbound socket, I see the web page is not loading and it times out.
    Without setting the redirect record, the web page loads without any issue. This looks really strange. Can someone explain this behavior?

    Thursday, November 21, 2019 1:30 AM

All replies

  • Would it be possible to share the relevant areas of the source code of your callout driver's classifyFn and the proxy service? We can see if there is anything being missed.


    One common source of issues is having the driver redirect the proxied connection. In order to ensure this is done properly, please see this section of the documentation:

    In Windows 8 and later, your callout driver must query the redirection state of the connection (to see if your callout driver or another callout driver has modified it) by using the FwpsQueryConnectionRedirectState0 function. If the connection is redirected by your callout driver, or if it was previously redirected by your callout driver, the callout driver should do nothing. Otherwise, it should also check for local redirection as shown in the following example:


    FWPS_CONNECT_REQUEST0* connectRequest = NULL;

    // Take a writable copy of the connect request. Its previousVersion points at
    // the version the callout saw before any modification by this classify call,
    // and that version's modifierFilterId names the filter that last applied it.
    FwpsAcquireWritableLayerDataPointer(classifyHandle, filterId, 0,
                                        (PVOID*)&connectRequest, classifyOut);

    if (connectRequest->previousVersion->modifierFilterId != filterId)
    {
        // This filter has not modified the request yet: the local redirection
        // (target address/port, localRedirectTargetPID, localRedirectHandle)
        // goes here, followed by FwpsApplyModifiedLayerData.
        ...

        classifyOut->actionType = FWP_ACTION_PERMIT;
        // Clear the write right so a lower-weight filter cannot override the permit.
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    }

    As you mention you are seeing a successful connection when you do not set the redirect record, there may also be an issue with your policy configuration such that the original connection is being blocked. You can see what WFP is doing by capturing the following log:

    Netsh wfp cap start


    Netsh wfp cap stop


    You should see your traffic in this log and can correlate it to the filter that is dropping it. The filter which drops the traffic may help identify whether there is a policy misconfiguration.


    Wednesday, February 5, 2020 7:44 PM
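The loop-avoidance decision the reply describes (query the redirect state with FwpsQueryConnectionRedirectState0, then compare previousVersion->modifierFilterId with the filter's own ID), worked through as a stand-alone model. This is an added example, not code from the thread or from the Microsoft documentation it quotes: the enum and struct are local stand-ins that reuse the fwpsk.h names for just the fields the decision needs, the real API is not called, the filter ID 0x2a is constructed, and the mapping of "proxy copied the redirect records onto its outbound socket" to the FWPS_CONNECTION_PREVIOUSLY_REDIRECTED_BY_SELF state is this model's assumption about platform behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four values FwpsQueryConnectionRedirectState0 can return (names as in
 * fwpsk.h; the numeric values here are local stand-ins). */
typedef enum {
    FWPS_CONNECTION_NOT_REDIRECTED,
    FWPS_CONNECTION_REDIRECTED_BY_SELF,
    FWPS_CONNECTION_REDIRECTED_BY_OTHER,
    FWPS_CONNECTION_PREVIOUSLY_REDIRECTED_BY_SELF
} FWPS_CONNECTION_REDIRECT_STATE;

/* Stand-in for the subset of FWPS_CONNECT_REQUEST0 the check needs. */
typedef struct FWPS_CONNECT_REQUEST0_ {
    uint64_t modifierFilterId;                      /* filter that applied this version */
    struct FWPS_CONNECT_REQUEST0_ *previousVersion; /* version before the writable copy */
} FWPS_CONNECT_REQUEST0;

typedef enum {
    DECISION_REDIRECT,          /* fresh connection: send it to the local proxy */
    DECISION_PERMIT_OWN_PROXY,  /* redirected by this callout, or the proxy's
                                   outbound leg carrying this callout's records */
    DECISION_PERMIT_OTHER,      /* another callout's redirection: leave it alone */
    DECISION_PERMIT_REENTRY     /* this filter already modified this request */
} redirect_decision_t;

/* Order of checks from the quoted documentation: redirect state first, then
 * the modifierFilterId of the previous version of the connect request. */
redirect_decision_t decide_connect_redirect(FWPS_CONNECTION_REDIRECT_STATE state,
                                            const FWPS_CONNECT_REQUEST0 *connectRequest,
                                            uint64_t filterId)
{
    switch (state) {
    case FWPS_CONNECTION_REDIRECTED_BY_SELF:
    case FWPS_CONNECTION_PREVIOUSLY_REDIRECTED_BY_SELF:
        return DECISION_PERMIT_OWN_PROXY;
    case FWPS_CONNECTION_REDIRECTED_BY_OTHER:
        return DECISION_PERMIT_OTHER;
    case FWPS_CONNECTION_NOT_REDIRECTED:
        break;
    }
    /* Defensive NULL check; assumption: after FwpsAcquireWritableLayerDataPointer
     * the real structure always carries a previousVersion. */
    if (connectRequest->previousVersion != NULL &&
        connectRequest->previousVersion->modifierFilterId == filterId) {
        return DECISION_PERMIT_REENTRY;
    }
    return DECISION_REDIRECT;
}

/* Build the two-version request the callout sees and run the decision. */
redirect_decision_t decide_for(FWPS_CONNECTION_REDIRECT_STATE state,
                               uint64_t previousModifierFilterId,
                               uint64_t filterId)
{
    FWPS_CONNECT_REQUEST0 previous = { previousModifierFilterId, NULL };
    FWPS_CONNECT_REQUEST0 writable = { 0, &previous };
    return decide_connect_redirect(state, &writable, filterId);
}

/* Model of the proxy's outbound leg (proxy -> original destination). Assumed
 * mapping: if the proxy set the redirect records it queried from the accepted
 * socket onto its outbound socket, the callout's state query reports
 * FWPS_CONNECTION_PREVIOUSLY_REDIRECTED_BY_SELF; if it did not, the connection
 * looks brand new and the callout would redirect the proxy's own connection
 * back to the proxy, which is the loop the reply warns about. */
bool outbound_leg_loops(bool proxySetRedirectRecords, uint64_t filterId)
{
    FWPS_CONNECTION_REDIRECT_STATE state = proxySetRedirectRecords
        ? FWPS_CONNECTION_PREVIOUSLY_REDIRECTED_BY_SELF
        : FWPS_CONNECTION_NOT_REDIRECTED;
    /* A new request: no filter has modified it yet (modifierFilterId 0). */
    return decide_for(state, 0, filterId) == DECISION_REDIRECT;
}

int main(void)
{
    const uint64_t filterId = 0x2a; /* constructed filter ID for the demo */
    printf("app connect, untouched    -> decision %d (0 = redirect)\n",
           decide_for(FWPS_CONNECTION_NOT_REDIRECTED, 0, filterId));
    printf("re-entry after our modify -> decision %d (3 = permit, re-entry)\n",
           decide_for(FWPS_CONNECTION_NOT_REDIRECTED, filterId, filterId));
    printf("proxy leg without records -> loops=%d\n", outbound_leg_loops(false, filterId));
    printf("proxy leg with records    -> loops=%d\n", outbound_leg_loops(true, filterId));
    return 0;
}
```

In a real classifyFn the state comes from FwpsQueryConnectionRedirectState0 (redirect records handle from the incoming metadata, the handle from FwpsRedirectHandleCreate0), and only the DECISION_REDIRECT branch touches the connect request and clears the write right; every other branch permits without modifying anything.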