I was reading documentation here https://learn.microsoft.com/en-us/windows/win32/fwp/filter-arbitration about WFP filter arbitration. I was looking for some clarity around the following:
-
The document states the following in regards to filter arbitration at the layer level of granularity: “Evaluate all sub-layers even if a higher priority sub-layer has decided to block the traffic.”
-
The next line states the following: “Return the resulting action based on the policy rules described in the following section.”
-
The following section goes on to say the following about the rules governing filter arbitration at the granularity of the layer: ““Block” is final (cannot be overridden) and stops the evaluation. The packet is discarded.”
To me these statements seem to be a contradictory. Which is it? Is that all the sublayers are evaluated or is it that if a sublayer gives a BLOCK response that the evaluation is short circuited? Is there something I’m otherwise missing?