WFP user or kernel mode API

I am a bit confused about user mode and kernel mode WFP API usage.

Suppose I have a rule engine in user mode that, given the IP, port and other information, allows or disallows the operation. Rules can be added dynamically, i.e. rules become effective immediately when they are applied. So basically we don't have a static set of rules which are to be checked.

From my analysis, the WDK inspect sample is best suited.

I want to know whether WFP user mode can be used to achieve such functionality entirely in user mode.

If yes, then how does the WDK inspect sample differ from a user mode solution?

No, you cannot achieve all the implementation of WFP in user mode. There are certain APIs which can be called from both user mode and kernel, but there are some which need to be called from kernel only.

To check whether the WFP engine is ready or not, you can only do it in kernel by calling these APIs:

FwpsInjectionHandleCreate - KM only
FwpmBfeStateSubscribeChanges0 - KM only

If the WFP engine is not ready at boot time, then you will have to call these APIs:

FwpmEngineOpen0 - UM and KM
FwpsCalloutRegister - KM only
FwpmCalloutAdd0 - UM and KM
FwpmFilterAdd0 - UM and KM
FwpmEngineClose - UM and KM

As you can see, all but one API can be called from user mode, but FwpsCalloutRegister still needs to be called from kernel.

When WFP is closing or shutting down, the following APIs can be called:

FwpmCalloutDeleteById0 - UM and KM
FwpsCalloutUnregisterById0 - KM only
FwpmEngineClose - UM and KM

As you can see, all but one API can be called from user mode, but FwpsCalloutUnregisterById0 still needs to be called from kernel.
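
As an added example (not code from either poster or from the WDK inspect sample), here is how a user-mode rule engine could push one rule into WFP using only calls the answer above marks as callable from user mode (FwpmEngineOpen0, FwpmFilterAdd0) with the built-in block action, so no callout is involved. The rule syntax `a.b.c.d:port` and the names `rule_t`, `parse_rule` and `add_block_filter` are assumptions made for illustration; the WFP part compiles only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
typedef struct { uint32_t ip; uint16_t port; } rule_t; /* ip in host byte order */

/* Parse "a.b.c.d:port" (constructed rule syntax). Returns 0 on success, -1 on bad input.
   The IPv4 value is built in host byte order, which the FWP_UINT32 condition below expects. */
int parse_rule(const char *s, rule_t *r) {
    unsigned a, b, c, d, p; char tail;
    if (sscanf(s, "%u.%u.%u.%u:%u%c", &a, &b, &c, &d, &p, &tail) != 5) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || p == 0 || p > 65535) return -1;
    r->ip = (a << 24) | (b << 16) | (c << 8) | d;
    r->port = (uint16_t)p;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <fwpmu.h> /* link with fwpuclnt.lib */
/* Open a dynamic session and add a block filter for outbound IPv4 connects matching r.
   The filter stays active until the caller closes *engine with FwpmEngineClose0. */
DWORD add_block_filter(const rule_t *r, HANDLE *engine, UINT64 *id) {
    FWPM_SESSION0 s = {0}; FWPM_FILTER0 f = {0}; FWPM_FILTER_CONDITION0 c[2] = {0};
    s.flags = FWPM_SESSION_FLAG_DYNAMIC;
    DWORD rc = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &s, engine);
    if (rc != ERROR_SUCCESS) return rc;
    c[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS; c[0].matchType = FWP_MATCH_EQUAL;
    c[0].conditionValue.type = FWP_UINT32; c[0].conditionValue.uint32 = r->ip;
    c[1].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; c[1].matchType = FWP_MATCH_EQUAL;
    c[1].conditionValue.type = FWP_UINT16; c[1].conditionValue.uint16 = r->port;
    f.displayData.name = L"example block rule";
    f.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    f.action.type = FWP_ACTION_BLOCK; /* built-in action, no callout */
    f.numFilterConditions = 2; f.filterCondition = c;
    rc = FwpmFilterAdd0(*engine, &f, NULL, id);
    if (rc != ERROR_SUCCESS) { FwpmEngineClose0(*engine); *engine = NULL; }
    return rc;
}
#endif

int main(void) {
    rule_t r;
    if (parse_rule("203.0.113.5:443", &r) != 0) return 1; /* constructed rule */
    printf("block %08x:%u\n", (unsigned)r.ip, (unsigned)r.port);
#ifdef _WIN32
    HANDLE e = NULL; UINT64 id = 0; /* needs an elevated process */
    printf("FwpmFilterAdd0 rc=%lu\n", (unsigned long)add_block_filter(&r, &e, &id));
    if (e) FwpmEngineClose0(e); /* dynamic session: filter removed here */
#endif
    return 0;
}
```

Because the session is opened with FWPM_SESSION_FLAG_DYNAMIC, the filter disappears when the engine handle is closed or the process exits, so a crashed rule engine leaves no stale block rules behind.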