I am trying to update the source IP address of the UDP and TCP packets that are captured at the FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 and FWPM_LAYER_ALE_AUTH_CONNECT_V4 layers.
For TCP packets the source IP address is updated successfully, but for UDP packets the source IP address is not updated.
I am checking the IP address used in the packet using Wireshark.
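/*
 * Body of a WFP callout classify routine (the enclosing function is not part
 * of this snippet). It acquires a classify handle, obtains the writable
 * connect request for this classification, overwrites the local (source)
 * IPv4 address with `vip`, permits the connection and hands the modified
 * request back to WFP.
 *
 * Every path taken after FwpsAcquireClassifyHandle0 succeeds leaves through
 * Exit so that the classify handle is always released.
 *
 * NOTE(review): FWPS_CONNECT_REQUEST is the layer data of the ALE
 * connect-redirect layers; confirm that acquiring writable layer data is
 * supported when this callout is invoked at FWPS_LAYER_ALE_AUTH_CONNECT_V4.
 * NOTE(review): for UDP the local address may already be fixed when the
 * socket is bound, in which case FWPS_LAYER_ALE_BIND_REDIRECT_V4 would be the
 * layer to modify -- verify against the WFP documentation.
 */
UINT64 classifyHandle = 0;
FWPS_CONNECT_REQUEST* writableLayerData = NULL;
SOCKADDR_IN* sourceAddr = NULL;
NTSTATUS status = FwpsAcquireClassifyHandle0(
    (void*)classifyContext,
    (UINT32)0,
    &classifyHandle
    );
if (!NT_SUCCESS(status))
{
    /* No handle was acquired, so there is nothing to release. */
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "Could not get the classify handle %x\r\n", status);
    return;
}

status = FwpsAcquireWritableLayerDataPointer(
    classifyHandle,
    filter->filterId,
    0,
    (PVOID*)&writableLayerData,
    classifyOut
    );
if (!NT_SUCCESS(status))
{
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "FwpsAcquireWritableLayerDataPointer Failed %x\r\n", status);
    /* The classify handle is still held here; returning directly would leak it. */
    goto Exit;
}

/*
 * Test the request pointer itself before taking the address of a member;
 * the address of a member of a valid structure can never be NULL.
 */
if (writableLayerData == NULL)
{
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "socket address is NULL\r\n");
    goto Exit;
}

sourceAddr = (SOCKADDR_IN*)(&(writableLayerData->localAddressAndPort));

/*
 * vip is defined outside this snippet; the cast assumes it holds a 32-bit
 * IPv4 address in host byte order, which the swap turns into network order
 * on a little-endian machine -- TODO confirm.
 */
sourceAddr->sin_addr.S_un.S_addr = RtlUlongByteSwap(*(unsigned long*)&vip);

#if (NTDDI_VERSION >= NTDDI_WIN8)
/*
 * Tag the request with the redirect handle that belongs to the layer being
 * classified. The handles are globals defined elsewhere (presumably created
 * with FwpsRedirectHandleCreate0 -- confirm). No redirect context is attached.
 */
if (inFixedValues->layerId == FWPS_LAYER_ALE_CONNECT_REDIRECT_V4)
{
    writableLayerData->localRedirectHandle = gRedirectConnectHandlev4;
}
else if (inFixedValues->layerId == FWPS_LAYER_ALE_AUTH_CONNECT_V4)
{
    writableLayerData->localRedirectHandle = gAuthConnectHandlev4;
}
writableLayerData->localRedirectContext = NULL;
writableLayerData->localRedirectContextSize = 0;
#endif

/*
 * NOTE(review): the action is written without first testing
 * classifyOut->rights for FWPS_RIGHT_ACTION_WRITE; confirm this callout is
 * always allowed to set the action.
 */
classifyOut->actionType = FWP_ACTION_PERMIT;

/* Return the modified request to WFP before the handle is released. */
FwpsApplyModifiedLayerData(
    classifyHandle,
    writableLayerData,
    0
    );

Exit:
FwpsReleaseClassifyHandle(classifyHandle);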
Please let me know how to correctly update the source IP address in UDP packets.
Thanks,
Chetan