Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Dual-stack socket and FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4

alexvasalexvas Member Posts: 5

Hello,

I have an issue with handling dual-stack sockets in my driver with WFP callouts.

The driver performs out-of-band inspection:

  • clones a network packet
  • sends the cloned packet to a worker thread
  • drops the original packet

For now the worker thread just injects cloned packets back to the stream.

The test application sends WOL packets by using UDP:

  • creates a socket
  • configures it to be used as dual-stack socket (by using setsockopt and clearing IPV6_V6ONLY flag)
  • sends a small datagram to a nother PC
  • closes the socket

When the test application uses only IPv4 (192.168.56.25), the following callouts are executed in the driver:

  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4
  • FWPM_LAYER_ALE_AUTH_CONNECT_V4
  • FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
  • FWPM_LAYER_DATAGRAM_DATA_V4
  • FWPM_LAYER_DATAGRAM_DATA_V4 (when the data is injected to the stream from the worker thread)
  • FWPM_LAYER_OUTBOUND_TRANSPORT_V4
  • FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4
  • FWPM_LAYER_ALE_RESOURCE_RELEASE_V4

In this case the another PC receives a network packet (I'm using Wireshark to check that).

When the test application configures a dual-stack socket and uses IPv6 (::FFFF:ACA8:3819, the same test PC), the second FWPM_LAYER_DATAGRAM_DATA_V4 isn't called. The FwpsInjectTransportSendAsync0 returns SUCCESS, the completion routine is executed, but NET_BUFFER_LIST status is SUCCESS too. Also FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 is not called (in this callout I postpone closing the socket by using FwpsPendClassify0). As a result, a network packet is not delivered to another PC.

I'm not interested in handling IPv6 in my driver, so there are no IPv6 callouts registered. Also I haven't seen this issue with TCP or when I modified the application to sleep some time before closing the socket.

Does anyone know why FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 is not called in this case? Or there are some special rules to handle dual-sockets in WFP driver?

Comments

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 15 November 2021 Live, Online
Writing WDF Drivers 24 January 2022 Live, Online
Developing Minifilters 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online