Confused with FwpsPendOperation0

  • Question

  • Question 1: Can a callout in the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx layer call FwpsPendOperation0 to pend an incoming connection?

    Quote from the FwpsPendOperation0 document: http://msdn2.microsoft.com/en-us/library/aa938348.aspx

    A callout can call this function only to pend a packet that originates from the FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_Xxx, FWPM_LAYER_ALE_AUTH_LISTEN_Xxx, or FWPM_LAYER_ALE_AUTH_CONNECT_Xxx filtering layers.

    It did not list the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx layer here.

    But in the FwpsCompleteOperation0 document: http://msdn2.microsoft.com/en-us/library/aa938476.aspx

    To complete a connection that was previously pended at the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx layer, the callout must reinject the packet that was cloned at that layer, and the callout should also call FwpsCompleteOperation0

    It seems this layer can also be pended.

    Question 2: When calling FwpsCompleteOperation0, what should I pass as the netBufferList parameter? The initial layerData passed to my ClassifyFn, or the clone I made? I wonder whether it should be the cloned one, because the original was flushed and removed from memory when ClassifyFn returned, right? But if it is the cloned one, should I still re-inject the cloned data later after re-auth? The filter engine already has the data.

    Question 3: When my callout is called for re-auth after FwpsCompleteOperation0, how do I match it with the previous initial call? Is there any field in the metadata which is unique and stays the same for both the initial and re-auth calls?
    Friday, October 26, 2007 12:32 AM

Answers

  • Yes, ALE_AUTH_LISTEN layers have a flags field -- doc needs to be changed.

    WFP does not take ownership of the clone during FwpsCompleteOperation0 -- it records the necessary information in the NBL to complete the flow creation when it is re-injected. After FwpsCompleteOperation0 returns, the callout driver will need to call FwpsInjectTransport{Send|Receive}Async0 to inject the clone.

    Biao.W.

    Saturday, October 27, 2007 2:09 AM

All replies

  • Yes, FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx classifies can be pended using FwpsPendOperation0. This function is required to pend incoming IPsec connections so that the IPsec context can be carried to the new connection after you complete and re-inject.

    The net buffer list parameter you pass into FwpsCompleteOperation0 must be a clone, or a newly created NBL allocated using the FwpsAllocateNetBufferAndNetBufferList0 function.

    Unlike completion from other layers, completion of a pended FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx classify does not trigger re-auth. Instead the re-injected clone will trigger a new classify, in which case you can use the FwpsQueryPacketInjectionState0 function to check for self-injected packets. The discrepancy is because WFP attempts to avoid creating inbound states until an inbound packet has been accepted.

    For other layers, there is no built-in support to associate the initial auth and the completion-triggered re-auth -- callout drivers will need to maintain state to associate the two classifies.

    Hope this helps,

    Biao.W.

    Friday, October 26, 2007 11:31 PM
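The reply above says a callout must keep its own state to tie a pended classify to the re-auth that FwpsCompleteOperation0 later triggers. The C below is an added example, not code from this thread or from WFP: it models that bookkeeping as a small table keyed on the 5-tuple a callout would copy from inFixedValues at FWPS_LAYER_ALE_AUTH_CONNECT_V4, and the struct names, slot limit and function names are this example's own; the comments mark where the real driver would call FwpsPendOperation0, FwpsCompleteOperation0 and FwpsInjectTransportSendAsync0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Model types (this example's, not fwpsk.h's): the 5-tuple a callout copies
 * out of inFixedValues at FWPS_LAYER_ALE_AUTH_CONNECT_V4, and one table slot. */
struct flow_key { uint32_t laddr, raddr; uint16_t lport, rport; uint8_t proto; };
enum pend_state { PEND_FREE = 0, PEND_PENDED, PEND_COMPLETED };
struct pend_entry {
    struct flow_key key;
    enum pend_state state;
    void *ctx;   /* stands in for the HANDLE that FwpsPendOperation0 hands back */
};
#define MAX_PENDED 64
static struct pend_entry g_table[MAX_PENDED];

static bool key_equal(const struct flow_key *a, const struct flow_key *b) {
    return a->laddr == b->laddr && a->raddr == b->raddr && a->lport == b->lport &&
           a->rport == b->rport && a->proto == b->proto;
}
static struct pend_entry *find(const struct flow_key *k, enum pend_state s) {
    for (int i = 0; i < MAX_PENDED; i++)
        if (g_table[i].state == s && key_equal(&g_table[i].key, k)) return &g_table[i];
    return NULL;
}
/* Initial classify, right after FwpsPendOperation0 succeeded; a duplicate 5-tuple is refused so exactly one entry can claim the later re-auth. */
static bool pend_record(const struct flow_key *k, void *ctx) {
    if (find(k, PEND_PENDED) || find(k, PEND_COMPLETED)) return false;
    for (int i = 0; i < MAX_PENDED; i++) {
        if (g_table[i].state != PEND_FREE) continue;
        g_table[i] = (struct pend_entry){ .key = *k, .state = PEND_PENDED, .ctx = ctx };
        return true;
    }
    return false;   /* table full: block rather than pend without bookkeeping */
}
/* Policy decided: returns the context for FwpsCompleteOperation0 (called with the
 * cloned NBL, which the driver then injects itself), or NULL for an unknown flow. */
static void *pend_complete(const struct flow_key *k) {
    struct pend_entry *e = find(k, PEND_PENDED);
    if (!e) return NULL;
    e->state = PEND_COMPLETED;
    return e->ctx;
}
/* Re-auth classify; is_reauthorize is the layer's FLAGS field tested against
 * FWP_CONDITION_FLAG_IS_REAUTHORIZE. Matches only a flow we completed, then frees the slot. */
static bool pend_match_reauth(const struct flow_key *k, bool is_reauthorize) {
    struct pend_entry *e = is_reauthorize ? find(k, PEND_COMPLETED) : NULL;
    if (!e) return false;
    e->state = PEND_FREE;
    return true;
}
```

A re-auth whose 5-tuple was never pended and completed by this driver returns false, so the callout falls through to its normal policy instead of treating it as its own flow.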
  • Thanks for the explanation.

    One more question, will the completion of pended FWPS_LAYER_ALE_AUTH_LISTEN_Xxx cause re-auth?

    Because to detect re-auth, I need to check the xxx_FLAGS field of inFixedValues, but according to the document http://msdn2.microsoft.com/en-us/library/aa504848.aspx, there is no xxx_FLAGS field for the FWPS_LAYER_ALE_AUTH_LISTEN_Xxx layer.

    Though I did find a definition of FWPS_FIELD_ALE_AUTH_LISTEN_V4_FLAGS in the DDK header file.

    Can I safely assume that this layer also has re-auth after completing a pended operation, and that the above document needs to be changed?

    And one question for the net buffer list again.

    If I put my cloned NBL into FwpsCompleteOperation0, how will WFP use it, and who will delete it later?

    For example, there is a call on the FWPS_LAYER_ALE_AUTH_CONNECT_V4 layer into my classifyFn function, and the protocol is UDP, so the layerData contains the first UDP data NBL, right? I pend it and make a clone of the UDP data NBL. Later, when I decide to allow the flow and complete the pended operation, I pass the cloned UDP data NBL as the FwpsCompleteOperation0 parameter. Will WFP use the NBL I passed in and send it out? If so, I don't need to re-inject the cloned NBL again using FwpsInjectTransportSendAsync0. If WFP will not use my cloned NBL, why should I pass it into FwpsCompleteOperation0?

    Saturday, October 27, 2007 1:25 AM