WFP Inspect Sample Reinjection Questions RRS feed

  • Question

  • Hello, I've been looking at the inspect driver sample found in the WDK 10 samples (samples\network\trans\inspect\) and I don't seem to understand some piece of code and I'm hoping someone could shed some light on this issue.

    We have the following code:

       // The TCP/IP stack could have retreated the net buffer list by the 
       // transportHeaderSize amount; detect the condition here to avoid
       // retreating twice.
       if (nblOffset != packet->nblOffset)
          NT_ASSERT(packet->nblOffset - nblOffset == packet->transportHeaderSize);
          packet->transportHeaderSize = 0;

    This code is found in the TLInspectCloneReinjectInbound function - which as the name implies - is responsible for reinjecting the net buffer list which was referenced at the ALE_AUTH_CONNECT/RECV layer for a reauth.

    My questions are the following:

    1. Why is it possible (and normal) for the TCP/IP stack to have retreated the net buffer list by the transport header size?

    2. Also, I've seem to have stumbled upon the case in which the net buffer list is retreated by the size of the transport header size + the size of the ip header size. Is this normal or is there some problem with the way my WFP driver handles reinjections?

    3. In the MSDN documentation (https://msdn.microsoft.com/en-us/library/windows/hardware/ff570963%28v=vs.85%29.aspx) it is stated that for OOB inspection pending is done by cloning the net buffer list. The way in which the inspect sample pends the operation is by referencing the net buffer list and not by cloning it - this seems like OOB modification and not inspection. Is there a reason why the inspect sample does this (considering it does not modify the packets)?

    I appreciate your help, thanks!

    Monday, September 14, 2015 12:51 PM