My Callout currently gets registered to the OUTBOUND_TRANSPORT layer.
Is it allowed to use FwpsInjectNetworkSendAsync0 (I need to set the source IP)?
It seems to work, however I am experiencing a memory leak:
WFP NBL info container is fixed now, but the NDIS_TAG_POOL_NDIS one still occurs. Could it be because somehow FwpsInjectNetwork(Receive|Send)Async are not supposed to be used in OUTBOUND_TRANSPORT?
Thinking about it, it seems like there should be no way for Fwps to tell from which layer the “original” packet got received - Unless FwpsAllocateCloneNetBufferList or FwpsConstructIpHeaderForTransportPacket0 note this information in some opaque member (e.g. NetBuffer->NetBufferListInfo).
Maybe I will try to create a new NetBufferList “from scratch” and inject that.
Thinking about it, Fwps should not be able to tell where the “original packet” came from - Unless either FwpsAllocateCloneNetBufferList or FwpsConstructIpHeaderForTransportPacket0 save this info in some opaque struct member (e.g. NetBuffer->NetBufferListInfo).
I might try to clone the NetBufferList manually “from scratch”.
For the record… The problem was that FwpsConstructIpHeaderForTransportPacket0 extended the NBL, and the freeing-routine that I had in place did not account for that.