[WFP] Why ALE_AUTH_CONNECT layer always reauthorize for outbound UDP ?

iFengHuang · December 29, 2018, 12:41am

My callout register at FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, and filter condition is “Protocol ==UDP”.

Either UDP packet sent by system or my test program, each outbound UDP packet will trigger classifyFn twice.

The first call is normal, **FWP_CONDITION_FLAG_IS_REAUTHORIZE **not set.

The second call, **FWP_CONDITION_FLAG_IS_REAUTHORIZE **set.

At second call I check the FWPS_FIELD_ALE_AUTH_CONNECT_Vx_REAUTHORIZE_REASON, that is 1, it means FWP_CONDITION_REAUTHORIZE_REASON_POLICY_CHANGE,
“Indicates that the connection was reauthorized due to filters being added or removed.” from document:

But I never add or remove any filters between packets sent.

Is this expected behavior ?

iFengHuang · December 29, 2018, 12:53am

I found the reason, because I call FwpsFlowAssociateContext, it cause reauthorize. But why it cause reauthorize? My system is VMWare Win7.

iFengHuang · December 29, 2018, 2:17am

I found the reason… I pass an error layerId to FwpsFlowAssociateContext.

zhjwang · May 22, 2019, 2:23pm

Hello, my question is I want to reauthorize ALE, but when I call FwpmFilterDeleteById , it always return 0xc00000bb.