Hello. I am a new WFP programmer. My callout registers at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. I have my own filter logic that maintains a set of hashtable rules in the kernel (such as blocking connections). However, I found that the ALE layer cannot filter existing connections and needs an ALE reauthorization. I want to trigger an ALE reauthorization every time I update my hashtable rules, but FwpmFilterDeleteById and FwpmFilterAdd0 always return 0xC00000BB, and I don’t know why.
Thanks!
zhjwang wrote:
Hello. I am a new WFP programmer. My callout registers at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. … but FwpmFilterDeleteById and FwpmFilterAdd0 always return 0xC00000BB, and I don’t know why.
Did you look that up? C00000BB is STATUS_NOT_SUPPORTED. Have you double-checked that the handle and the ID you are passing actually have the proper values?
@Tim_Roberts said:
zhjwang wrote: Hello. I am a new WFP programmer. My callout registers at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. … but FwpmFilterDeleteById and FwpmFilterAdd0 always return 0xC00000BB, and I don’t know why.
Did you look that up? C00000BB is STATUS_NOT_SUPPORTED. Have you double-checked that the handle and the ID you are passing actually have the proper values?
Yes, here is some of my pseudocode:
    NTSTATUS UpdateRule(PVOID message)
    {
        NTSTATUS statusDeleteConnectFilter = STATUS_SUCCESS;

        // insert the rule into the hashtable
        ...

        // Delete the ALE connect filter so the engine reauthorizes existing connections
        if (filterEngineHandle != NULL && g_ALEConnectFilterId != 0)
        {
            statusDeleteConnectFilter = FwpmFilterDeleteById(filterEngineHandle, g_ALEConnectFilterId);
            if (!NT_SUCCESS(statusDeleteConnectFilter))
            {
                LOGERROR("FwpmFilterDeleteById failed: 0x%08x\n", statusDeleteConnectFilter);
            }
            else
            {
                LOGERROR("FwpmFilterDeleteById succeeded\n");
            }
        }

        return statusDeleteConnectFilter;
    }
The same code works well in the DriverUnload function and in the callout registration function.
I don’t know if this is a problem with the session.
I also did a test with FwpmEngineOpen in my UpdateRule:
    FWPM_SESSION session = { 0 };
    HANDLE filterEngineHandleUpdateRule = NULL;
    NTSTATUS statusEngineOpen;

    // Open a separate engine session from inside UpdateRule
    statusEngineOpen = FwpmEngineOpen(
        NULL,                           // local engine
        RPC_C_AUTHN_WINNT,
        NULL,                           // default credentials
        &session,
        &filterEngineHandleUpdateRule);
    if (!NT_SUCCESS(statusEngineOpen))
    {
        LOGDEBUG("FwpmEngineOpen failed: 0x%08x\n", statusEngineOpen);
        return statusEngineOpen;
    }
It also returns 0xC00000BB. I do not know why; what did I miss?
Any advice and suggestions will be greatly appreciated.
Finally, I found the problem. It is because FwpmEngineOpen and FwpmFilterDeleteById must run at PASSIVE_LEVEL IRQL, but one of the locks in my code raises the IRQL. It was hard to find.
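The resolution above, as an added example that is not the poster's code and not Windows kernel code: a small user-mode C model of the IRQL rule. The Sim* functions, the filter table and the lock kinds are stand-ins constructed for this page; they imitate only the IRQL effect of the real locks (a spin lock raises to DISPATCH_LEVEL, a fast mutex to APC_LEVEL, a KMUTEX wait leaves it unchanged) and the PASSIVE_LEVEL requirement the thread found for the FwpmFilter* calls. It shows the management call failing with 0xC00000BB while the lock that guards the rule table is still held, and succeeding once the lock is released before the call.

```c
/* Model of the IRQL failure mode from this thread.  Constructed for this page; not the
 * poster's driver and not Windows kernel code.  The Sim* functions imitate only the IRQL
 * behaviour of KeAcquireSpinLock (DISPATCH_LEVEL), KeAcquireFastMutex (APC_LEVEL), a
 * KMUTEX wait (IRQL unchanged) and the PASSIVE_LEVEL requirement of the FwpmFilter* calls. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;                               /* real NTSTATUS values */
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
#define STATUS_NOT_SUPPORTED          ((NTSTATUS)0xC00000BBL)   /* the value the poster saw */
#define STATUS_NOT_FOUND              ((NTSTATUS)0xC0000225L)   /* model only; the real engine reports FWP_E_FILTER_NOT_FOUND */
#define NT_SUCCESS(s)                 ((s) >= 0)

typedef uint8_t KIRQL;
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };
typedef enum { LOCK_SPIN, LOCK_FAST_MUTEX, LOCK_KMUTEX } LockKind;

static KIRQL g_irql = PASSIVE_LEVEL;                    /* simulated current IRQL */
static KIRQL SimGetCurrentIrql(void) { return g_irql; }

/* Acquire a lock of the given kind, recording the IRQL to restore on release. */
static void SimAcquire(LockKind kind, KIRQL *oldIrql)
{
    *oldIrql = g_irql;
    if (kind == LOCK_SPIN)            g_irql = DISPATCH_LEVEL;  /* KeAcquireSpinLock */
    else if (kind == LOCK_FAST_MUTEX) g_irql = APC_LEVEL;       /* KeAcquireFastMutex */
    /* LOCK_KMUTEX: KeWaitForSingleObject on a KMUTEX leaves the IRQL alone */
}
static void SimRelease(KIRQL oldIrql) { g_irql = oldIrql; }

/* Simulated filter engine: installed filter ids, 0 marks an empty slot; both management
 * calls refuse to run above PASSIVE_LEVEL, which is the behaviour the thread observed. */
#define MAX_FILTERS 8
static uint64_t g_filters[MAX_FILTERS];
static uint64_t g_nextFilterId = 1;

static NTSTATUS SimFwpmFilterAdd(uint64_t *idOut)
{
    if (SimGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_NOT_SUPPORTED;
    for (int i = 0; i < MAX_FILTERS; i++)
        if (g_filters[i] == 0) { *idOut = g_filters[i] = g_nextFilterId++; return STATUS_SUCCESS; }
    return STATUS_INSUFFICIENT_RESOURCES;
}
static NTSTATUS SimFwpmFilterDeleteById(uint64_t id)
{
    if (SimGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_NOT_SUPPORTED;
    for (int i = 0; i < MAX_FILTERS; i++)
        if (id != 0 && g_filters[i] == id) { g_filters[i] = 0; return STATUS_SUCCESS; }
    return STATUS_NOT_FOUND;
}
static int SimInstalledFilterCount(void) { int n = 0; for (int i = 0; i < MAX_FILTERS; i++) n += g_filters[i] != 0; return n; }

/* Driver-side state: the ALE connect filter id and the rule count the lock protects. */
static uint64_t g_aleConnectFilterId;
static int      g_ruleCount;

/* Fresh engine with one ALE connect filter installed and the IRQL at PASSIVE_LEVEL. */
static void SimResetEngine(void)
{
    memset(g_filters, 0, sizeof g_filters); g_nextFilterId = 1; g_irql = PASSIVE_LEVEL; g_ruleCount = 0;
    SimFwpmFilterAdd(&g_aleConnectFilterId);
}

/* Delete and re-add the ALE filter so the engine re-evaluates existing flows.  Logging
 * the IRQL right before the management call is the check that locates the thread's bug. */
static NTSTATUS ReauthorizeAleFilter(void)
{
    NTSTATUS status;
    printf("ReauthorizeAleFilter at IRQL %u (PASSIVE_LEVEL is %u)\n",
           (unsigned)SimGetCurrentIrql(), (unsigned)PASSIVE_LEVEL);
    status = SimFwpmFilterDeleteById(g_aleConnectFilterId);
    if (!NT_SUCCESS(status)) return status;
    g_aleConnectFilterId = 0;
    return SimFwpmFilterAdd(&g_aleConnectFilterId);
}

/* The thread's pattern: the lock guarding the rule table is still held while the
 * management APIs run, so a spin lock or fast mutex leaves the IRQL too high. */
static NTSTATUS UpdateRuleHoldingLock(LockKind kind)
{
    KIRQL oldIrql; NTSTATUS status;
    SimAcquire(kind, &oldIrql);
    g_ruleCount++;                       /* stands in for the hashtable insert */
    status = ReauthorizeAleFilter();     /* still under the lock */
    SimRelease(oldIrql);
    return status;
}

/* Fixed: update the table under the lock, release it, then do the PASSIVE_LEVEL work. */
static NTSTATUS UpdateRuleFixed(LockKind kind)
{
    KIRQL oldIrql;
    SimAcquire(kind, &oldIrql);
    g_ruleCount++;
    SimRelease(oldIrql);
    return ReauthorizeAleFilter();
}
```

In a real driver the check that finds this is `NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL)` (or simply logging KeGetCurrentIrql()) immediately before the FwpmEngineOpen0, FwpmFilterDeleteById0 or FwpmFilterAdd0 call. Switching the spin lock to a fast mutex is not a fix, because KeAcquireFastMutex raises the caller to APC_LEVEL; releasing the spin lock before the call, or serializing rule updates with a KMUTEX, keeps the caller at PASSIVE_LEVEL.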