Intercepting inbound connections in a WFP callout driver: is it just discarding incoming packets?

Hello community. I want to write a driver that intercepts TCP/UDP connections, and I chose the WFP callout driver model for this.

The driver's main purpose is: pend inbound/outbound connections, send the connection info to a user application, and let the user decide whether to allow or block that connection.
I read the "inspect" sample from Microsoft carefully, but still can't understand some points:

  1. About filter conditions: if I need to inspect TCP and UDP connections at a layer, the filter needs to define 2 conditions (FWPM_FILTER_CONDITION), doesn't it? Is classifyFn then triggered as if the conditions were combined with an OR operator, or how?
  2. To intercept an inbound connection, is the only way to discard the connecting packet at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V*? If so, that is not my purpose; I need to be able to reply to the connecting client immediately, not after a "timeout" (on TCP) because the first packet was "dropped".
  3. Can my driver work without a classifyFn at the transport layers? One classifyFn at the ALE_CONNECT layer for outbound and another at the ALE_RECV_ACCEPT layer for inbound connections?

I've been stuck on these questions for weeks,
thank you so much for your help.
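Point 1 of the question, as a user-mode model added here for illustration (this is not code from the thread or from the Microsoft "inspect" sample): WFP evaluates the conditions of one filter by ORing the conditions that share a fieldKey and ANDing conditions on different fieldKeys, so two FWPM_CONDITION_IP_PROTOCOL conditions (one for TCP, one for UDP) in a single filter make classifyFn fire for either protocol, and a filter with no conditions matches all traffic at its layer. The enum, the condition struct, the "classify values" struct and the sample flows below are constructed stand-ins for the real FWPM_FILTER_CONDITION0 and FWPS_INCOMING_VALUES0, and only FWP_MATCH_EQUAL is modelled.

```c
/* User-mode model of how WFP combines the conditions of one FWPM_FILTER:
 * conditions that share a fieldKey are ORed, conditions on different
 * fieldKeys are ANDed.  Written for this thread as an illustration; it is
 * not the WFP API.  Enum values, structs and sample flows are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for FWPM_CONDITION_* field keys (constructed, not the real GUIDs). */
typedef enum {
    COND_IP_PROTOCOL,
    COND_IP_LOCAL_PORT,
    COND_IP_REMOTE_ADDRESS,
    COND_FIELD_COUNT
} cond_field_t;

/* Only FWP_MATCH_EQUAL is modelled; WFP also supports ranges, flags, etc. */
typedef struct {
    cond_field_t field;
    uint32_t     value;
} cond_t;

/* Stand-in for the fixed values WFP hands classifyFn in inFixedValues
 * (constructed for the example, indexed by cond_field_t). */
typedef struct {
    uint32_t fields[COND_FIELD_COUNT];
} classify_values_t;

/* Returns true if the condition set matches, using WFP's combination rule:
 *   - for every distinct field that appears in the set, at least one
 *     condition on that field must match (OR within a field);
 *   - every such field must pass (AND across fields).
 * A filter with zero conditions matches everything, as in WFP. */
bool filter_matches(const cond_t *conds, size_t n, const classify_values_t *v)
{
    for (size_t f = 0; f < COND_FIELD_COUNT; f++) {
        bool field_present = false;
        bool field_ok = false;
        for (size_t i = 0; i < n; i++) {
            if (conds[i].field != (cond_field_t)f)
                continue;
            field_present = true;
            if (conds[i].value == v->fields[f])
                field_ok = true;
        }
        if (field_present && !field_ok)
            return false;
    }
    return true;
}

#define IPPROTO_TCP_  6
#define IPPROTO_UDP_  17
#define IPPROTO_ICMP_ 1

/* The filter the question asks about, narrowed to local port 443:
 * two IP_PROTOCOL conditions (ORed) plus one LOCAL_PORT condition (ANDed). */
static const cond_t tcp_udp_443[] = {
    { COND_IP_PROTOCOL,   IPPROTO_TCP_ },
    { COND_IP_PROTOCOL,   IPPROTO_UDP_ },
    { COND_IP_LOCAL_PORT, 443 },
};

/* Does a flow with this protocol and local port hit the filter above? */
bool tcp_udp_443_hit(uint32_t proto, uint32_t local_port)
{
    classify_values_t v = { { 0 } };
    v.fields[COND_IP_PROTOCOL]       = proto;
    v.fields[COND_IP_LOCAL_PORT]     = local_port;
    v.fields[COND_IP_REMOTE_ADDRESS] = 0x0A000001u; /* 10.0.0.1; the filter ignores it */
    return filter_matches(tcp_udp_443, sizeof tcp_udp_443 / sizeof tcp_udp_443[0], &v);
}

/* A filter with no conditions at all matches every flow at its layer. */
bool empty_filter_matches_all(void)
{
    classify_values_t v = { { 0 } };
    v.fields[COND_IP_PROTOCOL] = IPPROTO_ICMP_;
    return filter_matches(NULL, 0, &v);
}
```

With this rule, TCP/443 and UDP/443 both hit the filter, ICMP/443 does not (no IP_PROTOCOL condition matches), and TCP/80 does not (the LOCAL_PORT condition fails even though the protocol passes). Putting TCP and UDP into two separate filters instead gives the same classifyFn calls but two filter objects to manage and weight.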

An incoming packet is not discarded. It is initially blocked and then reinserted if you allow it.
I had issues with this technique. Every time a packet is blocked, an entry is added to the system event log, even if you reinsert the packet.

@Bill_Wandel
Yes, I knew that an incoming packet needs a pend operation call and must be blocked with the absorb flag, then reinjected if that packet is allowed.
I just don't understand the way WFP blocks it. This is my way to block an inbound connection (correct me if I'm wrong): first, dereference the NetBufferList, then call FwpsCompleteOperation and free the packet-info memory?