Hi,
We have a WFP driver in which we are performing out-of-band inspection of stream layer data.
The following are the steps performed in the stream classify callout function:
- By default, set classifyOut->actionType = FWP_ACTION_PERMIT.
- Check for certain conditions (e.g. port number) and if they don't match, then return.
- Clone the net buffer list and push it into a queue for out-of-band inspection.
- Block and absorb the packet.
Under the scanning thread:
- Scan the data.
- Reinject the net buffer list.
A crash occurs while browsing, and the dump shows that the crash is in TCPIP.sys.
So I want to know the behavior of the WFP engine in the following contexts:
Case 1:
Under the stream layer callout, set the permit action: “classifyOut->actionType = FWP_ACTION_PERMIT”.
Do not clear the write flag: “classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE”.
In this case, can there be a conflict for stream data if multiple filter drivers are attached?
Why do we need to clear the FWPS_RIGHT_ACTION_WRITE flag in classifyOut if FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT is set in the filter flags?
What is the significance of FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT for WFP?
Case 2:
Under the stream layer callout, set the permit action: “classifyOut->actionType = FWP_ACTION_CONTINUE”.
How does this action differ from Case 1, where we set FWP_ACTION_PERMIT without clearing FWPS_RIGHT_ACTION_WRITE?
Thanks,