Default callout actions

  • Question

  • What are the default actions when a FWP_ACTION_CALLOUT_TERMINATING or FWP_ACTION_CALLOUT_UNKNOWN callout doesn't update the classifyOut->actionType field (leaving it at 0)? Is the operation blocked or permitted? This doesn't seem to be documented anywhere.
    Friday, October 2, 2009 2:58 PM

All replies

  • If the callout doesn't make a decision (i.e. pClassifyOut->actionType is unchanged) and the filter declares the callout as FWP_ACTION_CALLOUT_TERMINATING, then pClassifyOut->actionType gets modified to FWP_ACTION_BLOCK under the covers.

    If the filter declares the callout as FWP_ACTION_CALLOUT_UNKNOWN or FWP_ACTION_CALLOUT_INSPECTION, and the callout doesn't make a decision, then the callout essentially returns FWP_ACTION_NONE which means no action will be taken on the packet(s) / flow.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, October 6, 2009 10:27 PM
    Moderator
  • From my experiments with FWP_ACTION_CALLOUT_TERMINATING, not specifying an action seems to block. There are no other filters specifying actions. Does this sound right?
    Tuesday, October 6, 2009 11:53 PM
  • My mistake. If the callout is declared to be a terminating callout and no action is supplied, it will default to BLOCK. If it's an unknown or inspection callout then the above applies and no action is taken. Sorry for the misinformation. (previous post amended and corrected)

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Wednesday, October 7, 2009 12:08 AM
    Moderator
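
An added example, not part of the thread and not Microsoft's code: a user-mode C model of the defaulting described in the replies above, next to a classify routine that writes its verdict on every path so the outcome never depends on that default. The constants follow the WDK headers (fwptypes.h, fwpsk.h); `classify_out_t`, `classify_silent`, `classify_explicit` and `engine_result` are hypothetical stand-ins, and the unset value 0 is taken from the question.

```c
/* User-mode model only: types and functions are stand-ins, not WDK code. */
#include <stdint.h>
#include <stdio.h>

#define FWP_ACTION_FLAG_TERMINATING     0x00001000u
#define FWP_ACTION_FLAG_NON_TERMINATING 0x00002000u
#define FWP_ACTION_FLAG_CALLOUT         0x00004000u
#define FWP_ACTION_BLOCK  (0x1u | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_PERMIT (0x2u | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_CALLOUT_TERMINATING (0x3u | FWP_ACTION_FLAG_CALLOUT | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_CALLOUT_INSPECTION  (0x4u | FWP_ACTION_FLAG_CALLOUT | FWP_ACTION_FLAG_NON_TERMINATING)
#define FWP_ACTION_CALLOUT_UNKNOWN     (0x5u | FWP_ACTION_FLAG_CALLOUT)
#define FWP_ACTION_NONE 0x7u
#define FWPS_RIGHT_ACTION_WRITE 0x1u

typedef struct { uint32_t actionType; uint32_t rights; } classify_out_t; /* stand-in for FWPS_CLASSIFY_OUT0 */
typedef void (*classify_fn)(int suspicious, classify_out_t *out);

/* Leaves actionType at 0, like the callout in the question. */
static void classify_silent(int suspicious, classify_out_t *out) { (void)suspicious; (void)out; }

/* Writes a verdict on every path, so the result never depends on the default. */
static void classify_explicit(int suspicious, classify_out_t *out) {
    if (!(out->rights & FWPS_RIGHT_ACTION_WRITE)) return; /* not allowed to change the action */
    if (suspicious) {
        out->actionType = FWP_ACTION_BLOCK;
        out->rights &= ~FWPS_RIGHT_ACTION_WRITE;          /* later filters cannot override the block */
    } else {
        out->actionType = FWP_ACTION_PERMIT;
    }
}

/* Model of the defaulting described in the thread: terminating -> BLOCK, otherwise NONE. */
static uint32_t engine_result(uint32_t filter_action, classify_fn fn, int suspicious) {
    classify_out_t out = { 0, FWPS_RIGHT_ACTION_WRITE };
    fn(suspicious, &out);
    if (out.actionType != 0) return out.actionType;
    return (filter_action == FWP_ACTION_CALLOUT_TERMINATING) ? FWP_ACTION_BLOCK : FWP_ACTION_NONE;
}

int main(void) {
    printf("terminating, silent:  0x%x\n", (unsigned)engine_result(FWP_ACTION_CALLOUT_TERMINATING, classify_silent, 0));
    printf("unknown, silent:      0x%x\n", (unsigned)engine_result(FWP_ACTION_CALLOUT_UNKNOWN, classify_silent, 1));
    printf("unknown, explicit:    0x%x\n", (unsigned)engine_result(FWP_ACTION_CALLOUT_UNKNOWN, classify_explicit, 1));
    return 0;
}
```

In the model, a silent callout behind an unknown or inspection filter returns FWP_ACTION_NONE even for input it considers suspicious, which is the case a filtering driver most needs to rule out by always writing an action.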