My callout register at FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, and filter condition is “Protocol ==UDP”.
Either UDP packet sent by system or my test program, each outbound UDP packet will trigger classifyFn twice.
The first call is normal, **FWP_CONDITION_FLAG_IS_REAUTHORIZE **not set.
The second call, **FWP_CONDITION_FLAG_IS_REAUTHORIZE **set.
At second call I check the FWPS_FIELD_ALE_AUTH_CONNECT_Vx_REAUTHORIZE_REASON, that is 1, it means FWP_CONDITION_REAUTHORIZE_REASON_POLICY_CHANGE,
“Indicates that the connection was reauthorized due to filters being added or removed.” from document:
But I never add or remove any filters between packets sent.
Is this expected behavior ?