FWPS_FILTER_FLAG_OR_CONDITIONS

  • Question

  • I understand that Windows 7 WFP supports OR logic between multiple filter conditions. However, I am unable to find the actual usage of FWPS_FILTER_FLAG_OR_CONDITIONS. Which field do you set this flag in?
    Wednesday, February 10, 2010 5:53 AM

All replies

  • You don't need to set this.  OR'ing of conditions is done automatically when you have 2 or more consecutive conditions of the same fieldId.

    i.e.
       FWPM_CONDITION_IP_LOCAL_ADDRESS     (1.0.0.1)
       FWPM_CONDITION_IP_REMOTE_ADDRESS    (1.0.0.254)
       FWPM_CONDITION_IP_PROTOCOL          (TCP(6))
       FWPM_CONDITION_IP_PROTOCOL          (UDP(17))

    This will be interpreted to match traffic with local address equal to 1.0.0.1 AND remote address equal to 1.0.0.254 AND (protocol equal to TCP(6) OR protocol equal to UDP(17)).

    Hope this helps

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Wednesday, February 10, 2010 5:52 PM
    Moderator
  • Thanks Dusty.

    I am trying to implement the following:

    FwpmFilterCondition[0].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
    FwpmFilterCondition[0].matchType = FWP_MATCH_EQUAL;
    FwpmFilterCondition[0].conditionValue.type = FWP_UINT16;
    FwpmFilterCondition[0].conditionValue.uint16 = 60000;

    FwpmFilterCondition[1].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
    FwpmFilterCondition[1].matchType = FWP_MATCH_EQUAL;
    FwpmFilterCondition[1].conditionValue.type = FWP_UINT16;
    FwpmFilterCondition[1].conditionValue.uint16 = 60000;

    Now I understand that I can achieve this using 2 separate filters, each with one condition, but I want to make use of this new flag FWPS_FILTER_FLAG_OR_CONDITIONS. Can you advise on how I can go about using it?

    Thursday, February 11, 2010 9:49 AM
  • This would require 2 separate filters. FWPS_FILTER_FLAG_OR_CONDITIONS is set by BFE if the consecutive conditions I stated above are true. The user does not set this (which is why it's part of the FWPS_FILTER and not FWPM_FILTER).

    Hope this helps.


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, February 11, 2010 9:58 AM
    Moderator
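
The matching rule described in the replies above, as an added example that is not part of the original thread and is not Microsoft code: a small stand-alone C model showing why the asker's two port conditions in one filter act as an AND, while two one-condition filters give the intended OR. The types and function names (`struct cond`, `filter_matches`, `mk`, and so on) are hypothetical and do not use the WFP headers; only equality matching is modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model with hypothetical names; these are not the WFP headers. */
enum field { LOCAL_ADDR, REMOTE_ADDR, PROTOCOL, LOCAL_PORT, REMOTE_PORT, NFIELDS };
struct cond   { enum field key; uint32_t value; };   /* equality match only */
struct packet { uint32_t f[NFIELDS]; };              /* one value per field */

/* One filter: a run of consecutive conditions on the same field is OR'ed,
 * and the runs are AND'ed together, as the first reply describes. */
static int filter_matches(const struct cond *c, size_t n, const struct packet *p)
{
    size_t i = 0;
    while (i < n) {
        enum field key = c[i].key;
        int hit = 0;
        for (; i < n && c[i].key == key; i++)        /* consume one run */
            hit |= (p->f[key] == c[i].value);
        if (!hit)
            return 0;                                /* one run failed, so the AND fails */
    }
    return 1;
}

/* Constructed filters: the reply's four conditions, the asker's two in a
 * single filter, and the same two as separate one-condition filters. */
static const struct cond reply_filter[] = {
    { LOCAL_ADDR, 0x01000001 }, { REMOTE_ADDR, 0x010000FE },  /* 1.0.0.1, 1.0.0.254 */
    { PROTOCOL, 6 }, { PROTOCOL, 17 },                        /* TCP OR UDP */
};
static const struct cond one_filter[] = { { LOCAL_PORT, 60000 }, { REMOTE_PORT, 60000 } };
static const struct cond by_local[]   = { { LOCAL_PORT, 60000 } };
static const struct cond by_remote[]  = { { REMOTE_PORT, 60000 } };

static struct packet mk(uint32_t la, uint32_t ra, uint32_t proto, uint32_t lp, uint32_t rp)
{ struct packet p = { { la, ra, proto, lp, rp } }; return p; }

static int reply_match(struct packet p) { return filter_matches(reply_filter, 4, &p); }
static int one_match(struct packet p)   { return filter_matches(one_filter, 2, &p); }
static int two_match(struct packet p)   /* union of two separate filters */
{ return filter_matches(by_local, 1, &p) || filter_matches(by_remote, 1, &p); }

int main(void)
{
    struct packet p = mk(0x01000001, 0x010000FE, 17, 60000, 443);  /* constructed */
    printf("reply=%d one=%d two=%d\n", reply_match(p), one_match(p), two_match(p));
}
```

For a firewall rule set, the practical consequence is that a single filter carrying conditions on different fields matches less traffic than the OR its author may have intended, so traffic on only one of the two ports passes that filter unmatched.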