BUG: NDIS Filter Drivers w/o optional FilterStatus handler stall filter stack.

  • Question

  • Was: "NDIS Filter Driver: No Traffic on Boot Until Stack Restart"--renamed to be more descriptive of actual issue.

    I have a filter driver that works as expected EXCEPT on boot: if it is installed and enabled, no traffic appears to reach the protocol level. The driver loads normally and enters into a no-op/bypass state. I've attempted to diagnose this in several ways:

    • Instrument attach/pause/restart: On boot, the driver successfully loads, then attaches to and restarts on each Ethernet stack.
    • Break into FilterSendNetBufferLists and FilterReceiveNetBufferLists: NBLs are directly handed to the next link in the filter stack without modification (beyond scratch).
    • Inspect NDIS for lost/pending packets and stacks: Nothing shows following steps outlined here: https://social.msdn.microsoft.com/Forums/en-US/74370fd1-ca39-4c36-8043-fea6120f874d/ndis-driver-reload?forum=wd

    The driver is a minimal modifying/queuing driver--much simpler than the NDIS LWF example. It only implements Attach, Detach, Pause, Restart, Send, Receive, Return, Complete, and CancelSend and only operates at NDIS 6.0 feature level. Likewise the INF looks like a slightly stripped version of the NDIS LWF sample (https://github.com/Microsoft/Windows-driver-samples/blob/master/network/ndis/filter/netlwf.inf): it doesn't have any custom registry keys, ia64 support, or media type support beyond Ethernet.

    The filter stack functions as expected from driver install to reboot and after restarting the filter stack for an adapter after reboot.

    Any suggestions for diagnosing and removing this behavior?


    Tuesday, March 15, 2016 9:57 PM

Answers

  • I figured it out: MSDN is INCORRECT about FilterStatus(...):

    • The callback's documentation says it's OPTIONAL: https://msdn.microsoft.com/en-us/library/windows/hardware/ff549973%28v=vs.85%29.aspx
    • NDIS_FILTER_DRIVER_CHARACTERISTICS's documentation says it's OPTIONAL:
      https://msdn.microsoft.com/en-us/library/windows/hardware/ff565515%28v=vs.85%29.aspx

    However, if my driver does not register it, the driver stack will not function properly on boot (even if it's not called).

    Example driver code (straight MSVC LWF driver template project): https://github.com/AlexanderHaase/NDIS-FilterStatus-Broken


    Monday, March 21, 2016 10:24 PM

All replies

  • Went so far as to verify this on the three filter drivers I'm curating. Definitely a case of documentation-implementation mismatch.
    Tuesday, March 22, 2016 4:19 PM
  • We had the same issue, took us some days to find the reason. On our side it only seems to affect Windows 7.
    Tuesday, June 7, 2016 11:58 AM