Definitions

最新推荐文章于 2021-01-26 12:42:57 发布

xbgprogrammer

最新推荐文章于 2021-01-26 12:42:57 发布

阅读量488

点赞数

Callout

A callout provides functionality that extends the capabilities of the Windows Filtering Platform. A callout consists of a set of callout functions and a GUID key that uniquely identifies the callout. There are several built-in callouts that are included with the Windows Filtering Platform. Additional callouts can be added by using callout drivers.

一个callout提供扩展WFP的功能。一个callout由一组callout 函数及一个唯一标识这个GUID的key值组成。这有一些内置的callout被包含在了WFP中，其它的callouts可以使用callout driver添加。

Callout Driver

A callout driver is a kernel-mode driver that implements one or more callouts. A callout driver registers its callouts with the filter engine so that the filter engine can call the callout functions for the callout when the computer processes connections or packets.

一个callout driver就是实现了一个或者多个callouts的内核驱动，callout driver向过滤引擎注册自己的callouts，所以过滤引擎可以调用callout 函数处理连接或者数据包。

Callout Function

A callout function is a function that is implemented by a callout driver that is one of the functions that defines a callout. A callout consists of the following list of callout functions:

A notifyFn function to process notifications.
A classifyFn function to process classifications.
A flowDeleteFn function to process flow deletions (optional).

The filter engine calls a callout's callout functions so that the callout can process the network data.

一个callout函数就是callout driver实现的、用于定义callout的一个函数。一个callout包含下面的callout函数。

notifyFn函数处理通知，classifyFn函数处理分类，flowDeleteFn函数处理流量删除（可选）。

Filter

A filter defines several filtering conditions for filtering TCP/IP network data and an action that is to be taken on the data if all the filtering conditions are true. If a filter requires additional processing of the network data, it can specify a callout for the filter's action. If the filtering conditions for such a filter are all true, the filter engine passes the network data to the specified callout for additional processing.

一个过滤为过滤tcp网络数据定义了几个过滤条件，和当所有的过滤条件为真时执行的动作。如果一个filter需要额外的数据处理，它可以为过滤的action指定一个callout。如果过滤条件都为true，过滤引擎将网络数据传递给指定的callout进行处理。

Filter Engine

The filter engine is a component of the Windows Filtering Platform that stores filters and performs filter arbitration. Filters are added to the filter engine at designated filtering layers so that the filter engine can perform the desired filtering action (permit, drop, or a callout). If a filter in the filter engine specifies a callout for the filter's action, the filter engine calls the callout's classifyFn function so that the callout can process the network data.

过滤引擎是WFP平台的一个组件，存储着过滤器和执行过滤仲裁。过滤器在指定的过滤层添加进过滤引擎，过滤引擎执行指定的过滤动作。如果过滤器为action指定了callout，过滤器引擎调用callout的classifyFN函数处理数据。

Filtering Layer

A filtering layer is a point in the TCP/IP network stack where network data is passed to the filter engine for matching against the current set of filters. Each filtering layer in the network stack is identified by a unique filtering layer identifier.

filter layer是TCP/IP栈中一个点，在这个点网络数据被传递给过滤引擎处理，匹配当前的过滤器，每一个过滤层被filter layer indentifier标识。

When a filter is added to the filter engine, it is added at a designated filtering layer where it will filter the network data. Specific data fields are made available at each filtering layer for processing by the filters that have been added to the filter engine at that layer. If the filter engine passes the network data to a callout for additional processing, it includes these data fields and any metadata that is available at that filtering layer.

当一个过滤器被添加到过滤引擎，它被添加到指定的过滤层。在每一个过滤层，只有指定的数据域可以操作。如果过滤引擎将网络数据传递给callout处理，它将包含这些可用的数据域及本层可用的元数据。

Run-time Filtering Layer Identifiers (FWPS_XXX) are used by kernel-mode callout drivers. Management Filtering Layer Identifiers (FWPM_XXX) are used by FwpmXxx functions that interact with the Base Filtering Engine (BFE) from either user mode or kernel mode (for example, FwpmFilterAdd0).

内核callout driver使用运行时过滤层标识符FWPS_XXX)。FwpmXXX使用管理过滤层标识符FWPM_XXX。

The FWPS data types are smaller than their FWPM counterparts: the FWPM filtering layer identifiers are GUIDs (128 bits), whereas the FWPS filtering layer identifiers are LUIDs (64 bits). The smaller size for FWPS data types improves system performance because integer comparisons are faster than GUID comparisons for real-time traffic, and the kernel memory handles FWPS types more efficiently.

FWPS数据类型小于它们的FWPM对应者。FWPM过滤层标识符是GUID，而FWPS是LUIDs。因为内核层处理FWPS更有效率。