What is a Filter in WFP?
A filter is a rule stored in the Filtering Engine that says:
When traffic matches these conditions at this layer, perform this action.
That action can be:
- Permit or Block (built-in, terminating: the engine decides without running any custom code)
- Callout (run custom code), in one of three forms: FWP_ACTION_CALLOUT_TERMINATING (the callout returns the permit/block decision), FWP_ACTION_CALLOUT_INSPECTION (the callout only observes and cannot decide), FWP_ACTION_CALLOUT_UNKNOWN (the callout may or may not return a decision)
Filters in Context
So far we have:
- Layer – Where in the network stack we are inspecting (e.g., STREAM, ALE, IP packet layers).
- Callout – Custom kernel code (FWPS) + its policy entry (FWPM).
- Filter – The actual rule that says when (which layer, which conditions) to run this callout. A filter can also permit or block directly, without any callout.
Filter Structure
// Abbreviated view. The versioned name is FWPM_FILTER0 (FWPM_FILTER maps to it);
// the real struct has further fields (filterKey, flags, providerData, filterId,
// effectiveWeight, ...) that are omitted here.
typedef struct FWPM_FILTER0_
{
    FWPM_DISPLAY_DATA0 displayData;         // Name + description
    GUID* providerKey;                      // Optional provider (NULL if none)
    GUID layerKey;                          // The layer to filter on
    GUID subLayerKey;                       // Sub-layer grouping filters
    FWP_VALUE0 weight;                      // Priority weight: FWP_EMPTY (engine picks), FWP_UINT8 (0-15, relative) or FWP_UINT64 (absolute)
    UINT32 numFilterConditions;
    FWP_FILTER_CONDITION0* filterCondition; // Array of conditions (match criteria); NULL with count 0 matches everything at the layer
    FWPM_ACTION0 action;                    // What to do on match: type (permit, block, callout) plus calloutKey for callout actions
    /* further fields omitted */
} FWPM_FILTER0;
Add a Filter to Trigger the Callout
#include <windows.h>
#include <fwpmu.h>
#pragma comment(lib, "fwpuclnt.lib")

// Assumes engineHandle came from FwpmEngineOpen, the sub-layer MY_SUBLAYER_GUID was
// added with FwpmSubLayerAdd, and the callout MY_CALLOUT_GUID was registered in the
// driver (FwpsCalloutRegister) and given its policy entry (FwpmCalloutAdd).
FWPM_FILTER filter = {0};
filter.displayData.name = L"My TCP Stream Filter";
filter.displayData.description = L"Send TCP traffic to my callout";
filter.layerKey = FWPM_LAYER_STREAM_V4;               // inspect TCP stream data
filter.subLayerKey = MY_SUBLAYER_GUID;                // must already exist
filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;  // the callout returns permit/block
filter.action.calloutKey = MY_CALLOUT_GUID;           // link to callout
filter.filterCondition = NULL;                        // match all traffic at this layer
filter.numFilterConditions = 0;
filter.weight.type = FWP_EMPTY;                       // let the engine assign a weight
UINT64 filterId = 0;
DWORD status = FwpmFilterAdd(engineHandle, &filter, NULL, &filterId);
if (status != ERROR_SUCCESS) {
    // e.g. FWP_E_CALLOUT_NOT_FOUND if MY_CALLOUT_GUID was never added
}