WFP Architecture
The following figure shows the basic architecture of the Windows Filtering Platform (WFP). (The figure itself is not reproduced in this text; the components it depicts are described in the sections below.)
Filter Engine
The filter engine contains a user-mode component and a kernel-mode component, which together perform all of the filtering operations on network data. The filter engine contains multiple filtering layers that map loosely to the layers of the operating system's networking stack. The filter engine layers are divided into user-mode layers and kernel-mode layers according to which filter engine component owns them. The layer a filter is attached to determines at what point in the stack it is evaluated and which fields of the traffic it can match on.
The user-mode component performs RPC and IPsec filtering. The filter engine contains approximately 10 user-mode filtering layers.
The kernel-mode component performs filtering at the network and transport layers of the TCP/IP stack. This component also calls the available callout functions during the classification process. The filter engine contains approximately 50 kernel-mode filtering layers.
See Filtering Layer Identifiers for a description of each of the filter engine layers.
Base Filtering Engine
The Base Filtering Engine (BFE) is a user-mode service (bfe.dll running in a svchost.exe process) that coordinates the WFP components. The principal tasks performed by BFE are adding and removing filters from the system, storing filter configuration, and enforcing WFP configuration security. Applications communicate with BFE through the WFP management functions.
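As an added example covering the Filter Engine and Base Filtering Engine sections above (this is not code from the WFP documentation), the following PowerShell confirms that BFE is running and hosted in svchost.exe, then uses netsh wfp, which is itself a client of the WFP management functions, to export the filter store and group the filters by filtering layer. It must be run from an elevated prompt. Two things are assumptions rather than documented facts: the XML element names (item, layerKey, action, type) are those netsh writes on current Windows builds, and the layer-name prefixes used to label a layer as user-mode are derived only from the text's statement that the user-mode component handles RPC and IPsec filtering.

```powershell
# Added example, not part of the WFP documentation. Run elevated.
$ErrorActionPreference = 'Stop'

# 1. BFE is the user-mode service that owns the filter store; every WFP
#    management call goes through it, so confirm it is running in svchost.exe.
$bfe = Get-Service -Name BFE
if ($bfe.Status -ne 'Running') {
    throw "BFE is $($bfe.Status); the filter store cannot be read or modified"
}
$bfeSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='BFE'"
$bfeHost = Get-Process -Id $bfeSvc.ProcessId
"BFE hosted by PID $($bfeHost.Id) ($($bfeHost.ProcessName).exe)"   # expect svchost

# 2. Ask BFE for every filter currently in the store. netsh writes an XML dump;
#    element names below are an assumption based on current builds.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
[xml]$xml = Get-Content -Path $dump -Raw
$filters = $xml.SelectNodes('//item[layerKey]')
"Filters in store: $($filters.Count)"

# 3. Group by filtering layer. The prefix test is an assumption derived from the
#    text (user-mode component = RPC and IPsec filtering), not an authoritative
#    list of user-mode layers; consult Filtering Layer Identifiers for that.
$userModePrefix = '^FWPM_LAYER_(RPC_|IPSEC_|IKEEXT_)'
$filters |
    Group-Object -Property { $_.layerKey } |
    ForEach-Object {
        [pscustomobject]@{
            Layer     = $_.Name
            Component = if ($_.Name -match $userModePrefix) { 'user-mode' } else { 'kernel-mode' }
            Filters   = $_.Count
            Blocks    = @($_.Group | Where-Object { $_.action.type -eq 'FWP_ACTION_BLOCK' }).Count
            Callouts  = @($_.Group | Where-Object { $_.action.type -like 'FWP_ACTION_CALLOUT_*' }).Count
        }
    } |
    Sort-Object -Property Filters -Descending |
    Format-Table -AutoSize
```

The per-layer table is a quick way to see where the filter store is actually populated: on a default install the ALE (application layer enforcement) layers carry most of the firewall's filters, while a security product or malware that installs its own filters shows up as unexpected counts on packet- or stream-level layers. Keep the exported XML; the next section's example reads the same kind of dump.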
Callout Drivers
Callout drivers provide additional filtering functionality by adding custom callout functions to the filter engine at one or more of the kernel-mode filtering layers. Callouts support deep inspection and modification of both packets and streams. After a callout driver has added its callout functions to the filter engine, filters that specify a given driver's callout function can be added to the filtering process. Such filters can be added either by a user-mode management application or by the callout driver itself. The kernel-mode interface, delivered in the Windows Driver Kit (WDK), should only be used where needed and not as a substitute for the user-mode API.
Note: For more information on callout drivers, see the Windows Filtering Platform section of the Windows Driver Kit (WDK) documentation.
The Windows Filtering Platform includes a number of built-in callout functions that can be used for IPsec secure data communication, stateful filtering settings, and stealth mode filtering. See Built-in Callout Identifiers for a complete list of built-in callout functions.
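Because a callout runs in the kernel on every classification at its layer, knowing which callouts are registered and which filters hand traffic to them is the first check a practitioner makes on a host. The following PowerShell, added here as an example and not taken from the WFP documentation, exports the engine state with netsh wfp and lists registered callouts, separates the built-in ones from those supplied by installed callout drivers, and joins them to the filters that reference them. It runs elevated. Assumptions: the XML element names (callouts/item, calloutKey, applicableLayer, providerKey, action/calloutKey) are those netsh writes on current builds, and netsh renders only well-known keys under their FWPM_CALLOUT_* names, leaving third-party callouts as raw GUIDs.

```powershell
# Added example, not part of the WFP documentation. Run elevated.
$ErrorActionPreference = 'Stop'
$state = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state file="$state" | Out-Null
[xml]$xml = Get-Content -Path $state -Raw

# Every callout registered with the filter engine. Built-in callouts appear
# under their FWPM_CALLOUT_* name; callouts from third-party callout drivers
# appear as GUIDs (assumption: netsh resolves only well-known keys).
$callouts = $xml.SelectNodes('//callouts/item') | ForEach-Object {
    [pscustomobject]@{
        Key      = $_.calloutKey
        Name     = $_.displayData.name
        Layer    = $_.applicableLayer
        Provider = $_.providerKey
        BuiltIn  = ($_.calloutKey -like 'FWPM_CALLOUT_*')
    }
}
$thirdParty = @($callouts | Where-Object { -not $_.BuiltIn })
"Registered callouts: $($callouts.Count); from third-party drivers: $($thirdParty.Count)"
$thirdParty | Format-Table -AutoSize

# Every filter whose action passes the classification to a callout
# (FWP_ACTION_CALLOUT_TERMINATING, _INSPECTION or _UNKNOWN).
$calloutFilters = $xml.SelectNodes('//item[filterKey]') |
    Where-Object { $_.action.type -like 'FWP_ACTION_CALLOUT_*' } |
    ForEach-Object {
        [pscustomobject]@{
            Filter  = $_.displayData.name
            Layer   = $_.layerKey
            Action  = $_.action.type
            Callout = $_.action.calloutKey
        }
    }

# Join third-party filters to the callout table. A registered callout with no
# filter is never invoked; a filter pointing at an unregistered callout key is
# inert unless its flags allow traffic through in that case. Both are worth a look.
$registered = @($callouts | ForEach-Object { $_.Key })
$calloutFilters |
    Where-Object { $_.Callout -notlike 'FWPM_CALLOUT_*' } |
    Select-Object -Property Filter, Layer, Action, Callout,
        @{ Name = 'CalloutRegistered'; Expression = { $registered -contains $_.Callout } } |
    Format-Table -AutoSize
```

The two lists together answer the question the section raises: which driver's callout will actually be called during classification at each layer. A terminating callout on a transport or stream layer with no recognisable provider is the pattern to investigate, since that is also how a kernel-mode implant silences an endpoint agent's traffic.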