I am writing a WFP driver to perform deep inspection at the Stream layer.
A context is associated at ALE_CONNECT (Connect layer) using FwpsFlowAssociateContext.
There is a specific need to associate a context in the Connect layer.
However, for the FlowEstablishedClassify or StreamClassify callouts, WFP passes flowContext as 0.
Hence I am not able to dereference my context and perform the deep inspection at the stream layer.
Please let me know if there is anything I am missing here.
When the flow gets closed, WFP calls AleConnectFlowDeleteFn() with the correct context, which was allocated during AleConnectClassify().
Thanks for your response, I saw this response just now… The issue was that I was passing a wrong calloutID and layerID. It started working correctly after passing the callout and stream IDs. I have another issue now, and this is when FwpsFlowRemoveContext returns STATUS_UNSUCCESSFUL ("There is no context currently associated with the data flow.") for existing flows, and hence the callout can't be unregistered.
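The fix described in the post above (pass the stream layer's layer ID and the stream callout's callout ID, not the connect layer's, to FwpsFlowAssociateContext0) comes down to how WFP keys a flow context. The real API is FwpsFlowAssociateContext0(flowId, layerId, calloutId, flowContext), and the context is delivered as flowContext only to the classifyFn of that calloutId at that layerId; the flow handle itself (FWPS_METADATA_FIELD_FLOW_HANDLE) is the same value at the connect and stream layers, so associating from the connect classify is fine as long as the triple names the stream callout. The block below is an added user-mode model of that bookkeeping, not code from this thread and not the WDK; the Model* functions re-implement the association table over a small array, and the layer and callout ID values are made up (a real driver takes the layer ID from fwpsk.h and the callout ID from FwpsCalloutRegister). It shows the wrong-triple case handing the stream callout a 0 context, the corrected triple handing it the real context, FwpsFlowRemoveContext0's documented STATUS_UNSUCCESSFUL when the triple does not match, and the context being handed to the delete callback when the flow closes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint64_t UINT64;
typedef uint16_t UINT16;
typedef uint32_t UINT32;
typedef long     NTSTATUS;
#define STATUS_SUCCESS      ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)

/* Assumed runtime layer ids; a real driver uses the FWPS_LAYER_* values from fwpsk.h. */
#define LAYER_ALE_AUTH_CONNECT_V4 48
#define LAYER_STREAM_V4           20
/* Assumed callout ids, standing in for the values FwpsCalloutRegister returned. */
#define CALLOUT_ID_CONNECT 1001
#define CALLOUT_ID_STREAM  1002

typedef struct {
    int    used;
    UINT64 flowId;
    UINT16 layerId;
    UINT32 calloutId;
    UINT64 ctx;
} FLOW_CTX_ENTRY;

#define MAX_ENTRIES 16
static FLOW_CTX_ENTRY g_table[MAX_ENTRIES];
static UINT64 g_lastDeletedCtx;   /* what the modelled flowDeleteFn last received */

static FLOW_CTX_ENTRY *Find(UINT64 flowId, UINT16 layerId, UINT32 calloutId)
{
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        FLOW_CTX_ENTRY *e = &g_table[i];
        if (e->used && e->flowId == flowId && e->layerId == layerId && e->calloutId == calloutId)
            return e;
    }
    return NULL;
}

/* Model of FwpsFlowAssociateContext0: one context per (flow, layer, callout) triple. */
static NTSTATUS ModelFlowAssociateContext(UINT64 flowId, UINT16 layerId, UINT32 calloutId, UINT64 ctx)
{
    if (Find(flowId, layerId, calloutId) != NULL)
        return STATUS_UNSUCCESSFUL;            /* a context is already attached under this triple */
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        if (!g_table[i].used) {
            g_table[i] = (FLOW_CTX_ENTRY){ 1, flowId, layerId, calloutId, ctx };
            return STATUS_SUCCESS;
        }
    }
    return STATUS_UNSUCCESSFUL;
}

/* Model of FwpsFlowRemoveContext0: fails when nothing is attached under exactly this triple. */
static NTSTATUS ModelFlowRemoveContext(UINT64 flowId, UINT16 layerId, UINT32 calloutId)
{
    FLOW_CTX_ENTRY *e = Find(flowId, layerId, calloutId);
    if (e == NULL)
        return STATUS_UNSUCCESSFUL;
    e->used = 0;
    return STATUS_SUCCESS;
}

/* The flowContext a callout receives when classifying this flow at (layer, callout); 0 if none. */
static UINT64 ModelFlowContextForClassify(UINT64 flowId, UINT16 layerId, UINT32 calloutId)
{
    FLOW_CTX_ENTRY *e = Find(flowId, layerId, calloutId);
    return e ? e->ctx : 0;
}

/* Model of flow teardown: each context still attached is handed to its callout's flowDeleteFn. */
static void ModelFlowClosed(UINT64 flowId)
{
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        if (g_table[i].used && g_table[i].flowId == flowId) {
            g_lastDeletedCtx = g_table[i].ctx;   /* flowDeleteFn(layerId, calloutId, flowContext) */
            g_table[i].used = 0;
        }
    }
}

static void Reset(void) { memset(g_table, 0, sizeof g_table); g_lastDeletedCtx = 0; }

#define FLOW_ID 0x1234ULL   /* constructed flow handle; identical at both layers for one flow */
#define MY_CTX  0xC0FFEEULL /* constructed context pointer value */

/* The bug from the thread: associated from the connect classify using the connect layer's ids.
 * Returns what the stream callout then sees as flowContext. */
UINT64 AssociateWithConnectIds(void)
{
    Reset();
    ModelFlowAssociateContext(FLOW_ID, LAYER_ALE_AUTH_CONNECT_V4, CALLOUT_ID_CONNECT, MY_CTX);
    return ModelFlowContextForClassify(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM);
}

/* The fix: still called from the connect classify, but keyed to the stream layer and callout. */
UINT64 AssociateWithStreamIds(void)
{
    Reset();
    ModelFlowAssociateContext(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM, MY_CTX);
    return ModelFlowContextForClassify(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM);
}

/* Removal has to name the same triple the context was associated under. */
NTSTATUS RemoveWithMismatchedIds(void)
{
    Reset();
    ModelFlowAssociateContext(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM, MY_CTX);
    return ModelFlowRemoveContext(FLOW_ID, LAYER_ALE_AUTH_CONNECT_V4, CALLOUT_ID_CONNECT);
}

NTSTATUS RemoveWithMatchingIds(void)
{
    Reset();
    ModelFlowAssociateContext(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM, MY_CTX);
    return ModelFlowRemoveContext(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM);
}

/* On flow close the attached context reaches the delete callback, as the reply above observed. */
UINT64 ContextSeenByDeleteFn(void)
{
    Reset();
    ModelFlowAssociateContext(FLOW_ID, LAYER_STREAM_V4, CALLOUT_ID_STREAM, MY_CTX);
    ModelFlowClosed(FLOW_ID);
    return g_lastDeletedCtx;
}
```

In a real driver the same three identifiers must agree in three places: the FwpsFlowAssociateContext0 call made from the connect classify, the stream callout whose classifyFn expects the context, and the FwpsFlowRemoveContext0 call made during unload; a mismatch in any one of them produces either a 0 flowContext or the "no context currently associated" failure quoted above.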
Just an update - the issue reported in the above URL when a context is associated at ALE_CONNECT layer is a definite MS WFP bug. The driver cannot be unloaded in this case, the code works perfectly well when the context is attached at FLOW_ESTABLISHED layer.