Hello community. I want to write a driver that intercepts TCP/UDP connections, and I chose the WFP callout driver model for this.
_
The driver's main purpose is: pend inbound/outbound connections, send the connection info to a user application, and let the user decide whether to allow or block that connection.
I read the "inspect" sample from Microsoft carefully, but still can't understand some points:
- About filter conditions: if I need to inspect TCP/UDP connections at the layers, does the filter need to define 2 conditions (FWPM_FILTER_CONDITION)? Will the classifyFn function be triggered like an OR operator, or how?
- To intercept an inbound connection, is the only way to discard the connecting packet at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V*? If so, that is not my purpose; I need it to be able to reply to the connecting client immediately, not after a "timeout" (on TCP) because the first packet was "dropped".
- Can my driver work without a classifyFn at the transport layers? One classifyFn at the ALE_CONNECT layer for outbound and another at the ALE_RECV_ACCEPT layer for inbound connections?
_
I'm stuck with these questions for weeks;
thank you so much for your help.
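Added illustration for the first question, not from the post and not the real WFP API: a minimal model of the documented rule for FWPM_FILTER_CONDITION lists, where conditions on the same field key are OR'ed and conditions on different field keys are AND'ed. The field names, struct layout and the TCP/UDP/port-443 sample values are constructed for this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for WFP field keys such as FWPM_CONDITION_IP_PROTOCOL
 * and FWPM_CONDITION_IP_REMOTE_PORT; not the real GUID-based keys. */
typedef enum { FIELD_IP_PROTOCOL, FIELD_IP_REMOTE_PORT, FIELD_COUNT } field_t;

typedef struct { field_t field; uint32_t value; } condition_t;       /* one "match equal" condition */
typedef struct { uint32_t value[FIELD_COUNT]; } classify_values_t;    /* values seen at classify time */

/* Model of the evaluation rule: a filter matches when, for every field key
 * that appears in its condition list, at least one condition on that field
 * matches (OR within a field); all such fields must match (AND across fields).
 * A filter with no conditions matches everything. */
int filter_matches(const condition_t *conds, size_t n, const classify_values_t *v)
{
    int seen[FIELD_COUNT] = {0}, hit[FIELD_COUNT] = {0};
    for (size_t i = 0; i < n; i++) {
        seen[conds[i].field] = 1;
        if (v->value[conds[i].field] == conds[i].value)
            hit[conds[i].field] = 1;
    }
    for (int f = 0; f < FIELD_COUNT; f++)
        if (seen[f] && !hit[f])
            return 0;   /* a field with conditions had no matching alternative */
    return 1;
}

/* Constructed sample: "protocol is TCP(6) or UDP(17)" AND "remote port is 443". */
static const condition_t sample_conds[] = {
    { FIELD_IP_PROTOCOL,    6   },
    { FIELD_IP_PROTOCOL,    17  },
    { FIELD_IP_REMOTE_PORT, 443 },
};
#define SAMPLE_N (sizeof sample_conds / sizeof sample_conds[0])

/* Each helper classifies one constructed flow against the sample filter. */
int sample_tcp_443(void)  { classify_values_t v = {{ 6,  443 }}; return filter_matches(sample_conds, SAMPLE_N, &v); }
int sample_udp_443(void)  { classify_values_t v = {{ 17, 443 }}; return filter_matches(sample_conds, SAMPLE_N, &v); }
int sample_icmp_443(void) { classify_values_t v = {{ 1,  443 }}; return filter_matches(sample_conds, SAMPLE_N, &v); }
int sample_tcp_80(void)   { classify_values_t v = {{ 6,  80  }}; return filter_matches(sample_conds, SAMPLE_N, &v); }
int sample_no_conds(void) { classify_values_t v = {{ 1,  80  }}; return filter_matches(sample_conds, 0, &v); }
```

With this rule, two conditions on the protocol field are enough to have the callout's classifyFn invoked for both TCP and UDP, while a condition on a different field narrows rather than widens the match.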