STATUS_FWP_LAYER_NOT_FOUND returned from FwpmCalloutAdd0

  • Question

  • Ok, so I'm trying to do a callout driver that will basically just dump all packets going in or out from the system. However, when I call FwpmCalloutAdd0 I get STATUS_FWP_LAYER_NOT_FOUND back. Here is the current code:

    	NTSTATUS retVal = STATUS_SUCCESS;
    	RPC_STATUS rpsStatus = { 0 };
    	FWPM_DISPLAY_DATA displayData = { 0 };
    	FWPM_SUBLAYER0 SubLayer = { 0 };
    	FWPS_CALLOUT0 scallout = { 0 };
    	FWPM_CALLOUT0 callout = { 0 };
    	FWPM_SESSION0 session = { 0 };
    
    	FWPM_FILTER0 incomingFilter = { 0 };
    	FWPM_FILTER0 outgoingFilter = { 0 };
    
    	session.flags = FWPM_SESSION_FLAG_DYNAMIC;
    
    	retVal = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &g_FwEngineHandle);
    
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;
    	}
    	
    	retVal = STATUS_RETRY;
    	while(retVal == STATUS_RETRY)
    	{
    		retVal = ExUuidCreate(&g_uuid);
    	}
    
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;
    	}
    
    	retVal = STATUS_RETRY;
    	while(retVal == STATUS_RETRY)
    	{
    		retVal = ExUuidCreate(&g_Sublayer_Uuid);
    	}
    
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;
    	}
    
    	SubLayer.displayData.name = L"SubLayer";
    	SubLayer.displayData.description = L"SubLayer";
    	memcpy(&SubLayer.subLayerKey, &g_Sublayer_Uuid, sizeof(UUID));
    	SubLayer.flags = 0;
    	SubLayer.weight = FWP_EMPTY;
    
    	DbgPrint("Adding a new sublayer\r\n");
    	retVal = FwpmSubLayerAdd0(g_FwEngineHandle, &SubLayer, 0);
    	displayData.description = L"callouts";
    	displayData.name = L"sublayer";
    
    	memcpy(&scallout.calloutKey, &g_uuid, sizeof(UUID));
    	scallout.classifyFn = CalloutClassify;
    	scallout.notifyFn = CalloutNotify;
    
    	DbgPrint("Registering callout\r\n");
    	retVal = FwpsCalloutRegister0(DeviceObject, &scallout, &incomingCalloutId);
    
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;	
    	}
    
    	callout.displayData = displayData;
    	memcpy(&callout.applicableLayer, &g_Sublayer_Uuid, sizeof(UUID));
    	memcpy(&callout.calloutKey, &g_uuid, sizeof(UUID));
    	
    	DbgPrint("Adding firewall callout\r\n");
    	retVal = FwpmCalloutAdd0(g_FwEngineHandle, &callout, NULL, NULL);
    	
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;	
    	}
    	
    	incomingFilter.displayData = displayData;
    	incomingFilter.flags = FWPM_FILTER_FLAG_NONE;
    	incomingFilter.layerKey = FWPM_LAYER_INBOUND_IPPACKET_V4;
    	incomingFilter.subLayerKey = FWPM_SUBLAYER_INSPECTION;
    	incomingFilter.action.type = FWP_ACTION_CALLOUT_INSPECTION;
    	incomingFilter.weight.type = FWP_EMPTY;
    	incomingFilter.action.calloutKey = g_uuid;
    
    	DbgPrint("Adding incoming filter\r\n");
    	retVal = FwpmFilterAdd0(g_FwEngineHandle, &incomingFilter, NULL, NULL);
    
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;
    	}
    
    	memcpy(&outgoingFilter, &incomingFilter, sizeof(FWPM_FILTER0));
    
    	outgoingFilter.displayData.name = FIREWALL_FILTER_NAME_OUTGOING;
    	outgoingFilter.layerKey = FWPM_LAYER_OUTBOUND_IPPACKET_V4;
    
    	DbgPrint("Adding outgoing filter\r\n");
    	retVal = FwpmFilterAdd0(g_FwEngineHandle, &outgoingFilter, NULL, NULL);
    
    	if(!NT_SUCCESS(retVal))
    	{
    		return retVal;
    	}
    
    	return STATUS_SUCCESS;
    }

    So, something is going bonkers but I have no clue what. Googling the error code returns no hits.

    Edit: Same error code is returned if I use FWPM_LAYER_INBOUND_IPPACKET_V4 as callout.applicableLayer

    Edit 2: To make things even more baffling I did a FwpmLayerEnum0 which returned 0x40 entries and showed that FWPM_LAYER_INBOUND_IPPACKET_V4 is present. Are any of the MS wizards reading this forum because I'm starting to run out of ideas...

    • Edited by tokoivun Friday, September 12, 2014 4:39 AM
    Wednesday, September 10, 2014 8:11 AM

All replies

  • It looks like you are specifying a GUID that you are creating for "applicableLayer"... you should be supplying one of the known GUIDs like:

    callout.applicableLayer = FWPM_LAYER_OUTBOUND_IPPACKET_V4;

    Wednesday, September 10, 2014 2:49 PM
  • As in the edit, using FWPM_LAYER_INBOUND_IPPACKET_V4 produces the exact same error code :(
    Wednesday, September 10, 2014 5:49 PM
  • Bump, still having the issue...
    Thursday, September 18, 2014 7:20 AM
  • Well, I reckon that the "Priority support in MSDN Forums" part of the MSDN subscription is not exactly correct. Two weeks without even a hint of what is going bonkers...
    Wednesday, September 24, 2014 9:05 AM
  • Tried your code and got the FWP_E_LAYER_NOT_FOUND error with:

    memcpy(&callout.applicableLayer, &g_Sublayer_Uuid, sizeof(UUID));

    But FwpmCalloutAdd0 works for me when changed to:

    memcpy(&callout.applicableLayer, &FWPM_LAYER_INBOUND_IPPACKET_V4, sizeof(UUID));

    So not sure what the issue is there.

    A few other observations from the code you posted (I assume you have been trying a few things out):

    You don't need to create a sublayer if you are going to use FWPM_SUBLAYER_INSPECTION.

    You'll need another FwpmCalloutAdd0 for FWPM_LAYER_OUTBOUND_IPPACKET_V4

    Hope that helps, good luck.

    Wednesday, September 24, 2014 9:36 PM
  • Thanks for the reply :) I'm still getting the same error with the memcpy(&callout.applicableLayer, &FWPM_LAYER_INBOUND_IPPACKET_V4, sizeof(UUID)); -call :(

    This is what WinDBG shows (The GUID is correctly in the struct):

    hxxp://imgur.com/E2FjkSQ

    Thursday, September 25, 2014 6:03 AM
  • Hum, can you share either the VS solution you used or the compiled driver? That way I could verify whether the issue is in the code or in the environment.
    Friday, September 26, 2014 6:52 AM