Hi,
I searched the list and found the previous post
http://www.osronline.com/showThread.cfm?link=103827
I would like to do a WFP firewall entirely in a driver, but my WFP callouts never
get invoked. It works when I use usermode + kernel WFP calls. And it also
works fine with the usermode WFP API without a kernel-mode component (no
callouts).
Based on the previous post, Preston Wilson mentioned that it is possible to
do all this inside a driver using the following sequence:
FwpmEngineOpen0()
FwpmSubLayerAdd0() // Add my own sub layer
// result used in calls to
FwpmFilterAdd0()
FwpmCalloutAdd0() // Add FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
FwpmFilterAdd0() // Add filter
FwpsCalloutRegister0() // Register callout
FwpmEngineClose0()
I tried the above sequence in my driver without usermode code. Below is
the detailed sequence:
FwpmEngineOpen0()
FwpmTransactionBegin0()
FwpmSubLayerAdd0() // Add my own sublayer, subLayerKey =
FWPM_SUBLAYER_ALE_FLOW_ESTABLISHED_V4
FwpmCalloutAdd0() // Add applicableLayer =
FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4,
// my own calloutKey,
calloutKey = FWHOOK_FLOW_ESTABLISHED_CALLOUT_V4
FwpmFilterAdd0() // filter.layerKey =
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
FwpsCalloutRegister0() // my callout functions are in classifyFn and
notifyFn
FwpmTransactionCommit0()
All WFP API calls are successful, but my callout functions never get
invoked. Is there any sample of WFP written only in kernel mode?
Any suggestion is appreciated!
Regards,
Sin Lam
I found out why my WFP callouts never get invoked; it was due to my
own mistake.
In FwpmFilterAdd0(), filter.action.type was set to FWP_ACTION_PERMIT
instead of FWP_ACTION_CALLOUT_TERMINATING, etc.
Regards,
Sin Lam
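The root cause in the reply above (a filter whose action.type is FWP_ACTION_PERMIT or FWP_ACTION_BLOCK is decided by the filter engine itself, so classifyFn is never called) is one of a small set of relationships between the objects in the posted sequence that all have to line up before a kernel-only callout is ever invoked. The following is an added example, not code from the thread or from WFP: a user-mode C model that encodes those relationships as a pre-commit check. The action-type flag bits and values mirror fwptypes.h; the Guid type, the key values, the Mgmt* structs, EngineState and check_filter_dispatch() are simplified stand-ins for illustration and are not the real FWPM_/FWPS_ types, and nothing here talks to the filter engine.

```c
/*
 * Added example, not code from the thread: a user-mode model of the WFP
 * object relationships that decide whether a filter's classification ever
 * reaches a callout's classifyFn. Action-type values mirror fwptypes.h;
 * everything else (Guid, key values, Mgmt* structs, EngineState,
 * check_filter_dispatch) is an assumed stand-in, not a real WFP type.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Action-type flag bits and values as defined in fwptypes.h. */
#define FWP_ACTION_FLAG_TERMINATING     0x00001000
#define FWP_ACTION_FLAG_NON_TERMINATING 0x00002000
#define FWP_ACTION_FLAG_CALLOUT         0x00004000
#define FWP_ACTION_BLOCK               (0x1 | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_PERMIT              (0x2 | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_CALLOUT_TERMINATING (0x3 | FWP_ACTION_FLAG_CALLOUT | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_CALLOUT_INSPECTION  (0x4 | FWP_ACTION_FLAG_CALLOUT | FWP_ACTION_FLAG_NON_TERMINATING)
#define FWP_ACTION_CALLOUT_UNKNOWN     (0x5 | FWP_ACTION_FLAG_CALLOUT)

/* Same shape as a Windows GUID (16 bytes, no padding), so memcmp is safe. */
typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } Guid;

static int guid_eq(const Guid *a, const Guid *b) { return memcmp(a, b, sizeof *a) == 0; }

/* Hypothetical key values; a real driver uses the FWPM_LAYER_* GUIDs from
 * fwpmk.h and DEFINE_GUIDs of its own for sublayer and callout keys. */
static const Guid LAYER_ALE_FLOW_ESTABLISHED_V4 = {0x0001, 0, 0, {0}};
static const Guid LAYER_ALE_AUTH_RECV_ACCEPT_V4 = {0x0002, 0, 0, {0}};
static const Guid MY_SUBLAYER_KEY               = {0x1000, 0, 0, {0}};
static const Guid MY_FLOW_CALLOUT_KEY           = {0x2000, 0, 0, {0}};

typedef struct { Guid calloutKey; Guid applicableLayer; } MgmtCallout;  /* what FwpmCalloutAdd0 records */
typedef struct { Guid layerKey; Guid subLayerKey; uint32_t actionType; Guid actionCalloutKey; } MgmtFilter; /* what FwpmFilterAdd0 records */

typedef struct {
    const MgmtCallout *callouts;   size_t nCallouts;    /* FwpmCalloutAdd0 */
    const Guid        *registered; size_t nRegistered;  /* keys passed to FwpsCalloutRegister0 */
    const Guid        *sublayers;  size_t nSublayers;   /* FwpmSubLayerAdd0 */
} EngineState;

typedef enum {
    DISPATCH_OK = 0,
    ERR_ACTION_NOT_CALLOUT,     /* PERMIT/BLOCK: the engine decides itself, classifyFn never runs */
    ERR_SUBLAYER_MISSING,       /* filter names a sublayer nobody added */
    ERR_CALLOUT_NOT_AT_LAYER,   /* no FwpmCalloutAdd0 with that key at filter.layerKey */
    ERR_CALLOUT_NOT_REGISTERED  /* FwpmCalloutAdd0 done, FwpsCalloutRegister0 never called */
} DispatchResult;

static int has_guid(const Guid *list, size_t n, const Guid *k) {
    for (size_t i = 0; i < n; i++) if (guid_eq(&list[i], k)) return 1;
    return 0;
}

/* Walks the checks in the order a classify decision depends on them. */
DispatchResult check_filter_dispatch(const MgmtFilter *f, const EngineState *s) {
    if (!(f->actionType & FWP_ACTION_FLAG_CALLOUT)) return ERR_ACTION_NOT_CALLOUT;
    if (!has_guid(s->sublayers, s->nSublayers, &f->subLayerKey)) return ERR_SUBLAYER_MISSING;
    int atLayer = 0;
    for (size_t i = 0; i < s->nCallouts && !atLayer; i++)
        atLayer = guid_eq(&s->callouts[i].calloutKey, &f->actionCalloutKey) &&
                  guid_eq(&s->callouts[i].applicableLayer, &f->layerKey);
    if (!atLayer) return ERR_CALLOUT_NOT_AT_LAYER;
    if (!has_guid(s->registered, s->nRegistered, &f->actionCalloutKey)) return ERR_CALLOUT_NOT_REGISTERED;
    return DISPATCH_OK;
}

/* The thread's setup: one sublayer, one callout added at ALE_FLOW_ESTABLISHED_V4
 * (registered unless told otherwise), one filter with the given action type
 * at the given layer, pointing at that callout. */
DispatchResult check_thread_setup(uint32_t actionType, const Guid *filterLayer, int calloutRegistered) {
    MgmtCallout callout;
    callout.calloutKey = MY_FLOW_CALLOUT_KEY;
    callout.applicableLayer = LAYER_ALE_FLOW_ESTABLISHED_V4;

    MgmtFilter filter;
    filter.layerKey = *filterLayer;
    filter.subLayerKey = MY_SUBLAYER_KEY;
    filter.actionType = actionType;
    filter.actionCalloutKey = MY_FLOW_CALLOUT_KEY;   /* filter.action.calloutKey */

    EngineState s;
    s.callouts = &callout;               s.nCallouts = 1;
    s.registered = &MY_FLOW_CALLOUT_KEY; s.nRegistered = calloutRegistered ? 1 : 0;
    s.sublayers = &MY_SUBLAYER_KEY;      s.nSublayers = 1;
    return check_filter_dispatch(&filter, &s);
}

int main(void) {
    static const char *names[] = {"OK: callout is invoked", "action type is PERMIT/BLOCK, no callout dispatch",
        "sublayer missing", "callout not added at the filter's layer", "callout never registered with FwpsCalloutRegister0"};
    printf("PERMIT at FLOW_ESTABLISHED_V4:              %s\n", names[check_thread_setup(FWP_ACTION_PERMIT, &LAYER_ALE_FLOW_ESTABLISHED_V4, 1)]);
    printf("CALLOUT_TERMINATING at FLOW_ESTABLISHED_V4: %s\n", names[check_thread_setup(FWP_ACTION_CALLOUT_TERMINATING, &LAYER_ALE_FLOW_ESTABLISHED_V4, 1)]);
    printf("CALLOUT_TERMINATING at AUTH_RECV_ACCEPT_V4: %s\n", names[check_thread_setup(FWP_ACTION_CALLOUT_TERMINATING, &LAYER_ALE_AUTH_RECV_ACCEPT_V4, 1)]);
    printf("CALLOUT_TERMINATING, not registered:        %s\n", names[check_thread_setup(FWP_ACTION_CALLOUT_TERMINATING, &LAYER_ALE_FLOW_ESTABLISHED_V4, 0)]);
    return 0;
}
```

The first check is the one that bit the poster: the real engine accepts a PERMIT filter without complaint and simply never consults the callout, whereas a callout-action filter that names a callout not added at that filter's layer is rejected at FwpmFilterAdd0 time with FWP_E_CALLOUT_NOT_FOUND, so it does not fail silently. In a driver the same list is worth walking mentally before FwpmTransactionCommit0(): action.type carries FWP_ACTION_FLAG_CALLOUT, action.calloutKey equals the key given to FwpmCalloutAdd0 and FwpsCalloutRegister0, the callout's applicableLayer equals the filter's layerKey, and the sublayer the filter references was actually added.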