Failure in REQ - WFP-based products must ensure network connectivity upon recovering from power managed states

  • Question

  • I am running my WFP callout driver through the WHCK tests, and I see the "REQ - WFP-based products must ensure network connectivity upon recovering from power managed states" tests consistently fail. This is odd because of the following:

    1. The callout driver is not a firewall.

    2. The callout driver is not filtering or inspecting any packets at the time the test is run.

    In the WFPLogo.Info file, I have the following set in the requirements section:

      UseAnswerFile = 1;

      CalloutDriver = 1;

      IsAFirewall = 0;

      LayeredOnMicrosoftWindowsFirewall = 0;

      DoesMACFiltering = 0;

      DoesVSwitchFiltering = 0;

      DoesPacketInjection = 1;

      DoesStreamInjection = 0;

      DoesConnectionProxying = 0;

    All of the Attestations are set to 1.

    It appears to me that this test is more for the verification of firewalls, especially since the relevant sections of the WFPLogo.Answer file for this test appear to configure the firewall. I'm also assuming that these sections configure the Windows Firewall by default if no other FW is installed.

    The test fails on the inbound path. Here's a snippet from the Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.SupportPowerManagedStates.NTLog:

    [[IGN-]Wed Apr 24 18:36:45 2013[-IGN]]
     Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Delete Rule Name="WFPLogo"                                                     Dir=In              Program=%WinDir%\System32\WFPLogo.Exe LocalIP=fe80::bc5e:7287:ea27:fb2 RemoteIP=fe80::1:0:0:FE Protocol=17            Profile=Any"
     Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Add    Rule Name="WFPLogo" Description="Block Inbound IPv4 with Power States" Dir=In Action=block Program=%WinDir%\System32\WFPLogo.Exe LocalIP=fe80::bc5e:7287:ea27:fb2 RemoteIP=fe80::1:0:0:FE Protocol=17 Enable=Yes Profile=Any"
     +VAR+INFO+     3 : [IPVersion: IPv6][Direction: Inbound][Protocol: UDP (17)][Source / Remote Address: fe80::1:0:0:FE][Destination / Local  Address: fe80::bc5e:7287:ea27:fb2][Source / Remote Port: 44833][Destination / Local  Port: 46081][Action: PERMIT]
        LocalUDP::SocketBind : bind() [Local Bound Address: fe80::bc5e:7287:ea27:fb2][Local Bound Port: 0xb401] [status: 0]
        LocalUDP::SocketSetToNonBlocking : ioctlsocket() [status: 0]
        LocalUDP::SocketRecv : recv() [bytes received: 0] [status: 0x274c]
        LocalUDP::SocketSetToNonBlocking : ioctlsocket() [status: 0]
     AnalyzeTrafficResults() [Analysis: Blocked][local Error: 0x274c][peer Error: 0][packet(s) Rx'd: No][packet(s) Tx'd: Yes]
        LocalUDP::SocketClose : closesocket() [status: 0]
     +VAR+SEV1     3 :  +SUB_VAR+     1 : [IPVersion: IPv6][Direction: Inbound][Protocol: UDP (17)][Source / Remote Address: fe80::1:0:0:FE][Destination / Local  Address: fe80::bc5e:7287:ea27:fb2][Source / Remote Port: 44833][Destination / Local  Port: 46081][Action: PERMIT]
     PowerStates [status: 0][IPv6][Inbound][From: fe80::1:0:0:FE][To: fe80::bc5e:7287:ea27:fb2][PERMIT]
     Variation:  +SUB_VAR+     1 : [IPVersion: IPv6][Direction: Inbound][Protocol: UDP (17)][Source / Remote Address: fe80::1:0:0:FE][Destination / Local  Address: fe80::bc5e:7287:ea27:fb2][Source / Remote Port: 44833][Destination / Local  Port: 46081][Action: PERMIT]
     PowerStates [status: 0][IPv6][Inbound][From: fe80::1:0:0:FE][To: fe80::bc5e:7287:ea27:fb2][PERMIT]:FAIL:

    The failure of 0x247c is WSAETIMEDOUT, but isn't that expected if the FW rule is to block all incoming IPv4 packets? At any rate, since my driver is not monitoring or blocking traffic when the test is run, something else must be causing this. Does anyone have any ideas about what could be causing these failures?

    Friday, April 26, 2013 1:52 AM

All replies

  • If you are not a firewall, then it does not make sense to run any cases which ask you to block traffic for the testing provided. This means that for the PowerState tests, only the PERMIT cases will run. If this is the case, then you need to remove the BLOCK cases from the Answer file.

    Essentially what has happened is the PERMIT case was run:
    +VAR+INFO+     3 : [IPVersion: IPv6][Direction: Inbound][Protocol: UDP (17)][Source / Remote Address: fe80::1:0:0:FE][Destination / Local  Address: fe80::bc5e:7287:ea27:fb2][Source / Remote Port: 44833][Destination / Local  Port: 46081][Action: PERMIT]

    But you answered with adding a BLOCK filter:
    Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Delete Rule Name="WFPLogo"                                                     Dir=In              Program=%WinDir%\System32\WFPLogo.Exe LocalIP=fe80::bc5e:7287:ea27:fb2 RemoteIP=fe80::1:0:0:FE Protocol=17            Profile=Any"
     Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Add    Rule Name="WFPLogo" Description="Block Inbound IPv4 with Power States" Dir=In Action=block Program=%WinDir%\System32\WFPLogo.Exe LocalIP=fe80::bc5e:7287:ea27:fb2 RemoteIP=fe80::1:0:0:FE Protocol=17 Enable=Yes Profile=Any"

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Friday, April 26, 2013 7:58 PM
    Moderator
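
The mismatch described in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of the WHCK tooling: it scans an NTLog for `netsh advfirewall` Add Rule scripts and flags variations whose expected action disagrees with the rule just installed. It assumes, as in the excerpt from the question, that the rule scripts are logged immediately before the `+VAR+INFO+` line they belong to; `find_mismatches` and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the shape of the NTLog excerpt from the question
# (lines shortened; variations 4 and 5 are invented for contrast).
SAMPLE_LOG = r'''
 Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Delete Rule Name="WFPLogo" Dir=In Protocol=17 Profile=Any"
 Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Add    Rule Name="WFPLogo" Description="Block Inbound IPv4 with Power States" Dir=In Action=block Protocol=17 Enable=Yes Profile=Any"
 +VAR+INFO+     3 : [IPVersion: IPv6][Direction: Inbound][Protocol: UDP (17)][Action: PERMIT]
 Script Run: cmd.exe /C " %WinDir%\System32\NetSh.exe AdvFirewall Firewall Add    Rule Name="WFPLogo" Dir=In Action=allow Protocol=17 Enable=Yes Profile=Any"
 +VAR+INFO+     4 : [IPVersion: IPv6][Direction: Inbound][Protocol: UDP (17)][Action: PERMIT]
 +VAR+INFO+     5 : [IPVersion: IPv4][Direction: Outbound][Protocol: UDP (17)][Action: PERMIT]
'''

# A "Firewall Add Rule" script line and the Action= value it installs.
ADD_RULE = re.compile(r'Firewall\s+Add\s+Rule\b.*?\bAction=(\w+)', re.I)
# A variation header: its number and the outcome the test expects.
VARIATION = re.compile(r'\+VAR\+INFO\+\s+(\d+)\s*:.*\[Action:\s*(\w+)\]')

# netsh rule actions mapped to the test's vocabulary (PERMIT / BLOCK).
RULE_TO_EXPECTED = {"allow": "PERMIT", "block": "BLOCK"}


def find_mismatches(log_text):
    """Return (variation, expected_action, rule_action) for each variation
    whose preceding Add Rule script contradicts the expected action."""
    mismatches = []
    pending = None  # action of the most recent Add Rule script, if any
    for line in log_text.splitlines():
        rule = ADD_RULE.search(line)
        if rule:
            pending = rule.group(1).lower()
            continue
        var = VARIATION.search(line)
        if not var:
            continue
        number, expected = int(var.group(1)), var.group(2).upper()
        if pending is not None:
            installed = RULE_TO_EXPECTED.get(pending, pending.upper())
            if installed != expected:
                mismatches.append((number, expected, pending))
        pending = None  # a rule script applies to one variation only
    return mismatches


if __name__ == "__main__":
    for number, expected, rule_action in find_mismatches(SAMPLE_LOG):
        print(f"variation {number}: test expects {expected}, "
              f"answer file installed Action={rule_action}")
```
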
  • Thanks, Dusty!

    That sounds so obvious now but I didn't see mention of editing the answer file for non-FWs in the WHCK .chm. I'll do as you say and see how it works out.

    Friday, April 26, 2013 10:19 PM