Using a Callout for Deep Inspection of Stream Data

Packet Inspection Points

Incoming packets that are destined for an address that is assigned to the receiving computer (local host traffic) traverse up WFP layers in the following order:

计算机接收的数据包按照下面的次序经过wfp的过滤层:

IP Packet (Network Layer)
All IP packets, including IP packet fragments, are available for inspection at this layer. However, when packets are IPsec-protected, deep content inspection or modification cannot be performed at this layer because the packets are not yet authenticated or decrypted.
所有的IP数据包,包括IP数据包分片,可以在这一层监控。但是被IPSEC保护的数据包,不能执行深度内容检测或者修改,因为数据包还未授权或者解密。

Transport Layer
All stand-alone or fully reassembled packets are available for inspection at this layer. IPsec-protected packets have been authenticated or decrypted.
所有的单独或者重新组织的数据包可以在这一层检测。IPSEC保护的数据包已经被授权或者解密。

Application Layer Enforcement (ALE) Receive or Accept
The very first packet that arrives at a local endpoint is indicated at this layer. For example, an arriving TCP synchronize (SYN) segment or the first UDP message that is associated with a UDP flow would be indicated. Packets that are required to re-authorize a connection, for example, after a firewall policy change, are also indicated at this layer, and the ALE reauthorization flag will be set.
抵达本地端点的第一个数据包这这一层标识。例如,一个SYN数据包或者与一个UDP流关联的第一个udp信息应该被标识。当防火墙策略变化时,重新认证连接的数据包也会在这一层标识。

Datagram Data or Stream
UDP messages and non-ICMP error messages are indicated at the datagram data layer. TCP data flows (data streams only) are available for inspection at the stream layer.
UDP信息和非ICMP错误信息在数据报数据层标识,而tcp数据流在流层标识。

Outgoing packets that originate from an address that is assigned to the sending computer (local host sourced traffic) traverse down the following WFP layers:

计算机发送的数据按照以下方式经过WFP过滤层。

ALE Connect
TCP connection requests (made before the SYN segment is generated) and the first UDP message that is sent to a remote endpoint are indicated at this layer.
TCP连接请求(SYN数据包生成之前)、发往远端的第一个UDP信息会在这层标识

Datagram Data or Stream
Transport and ICMP Error
TCP connection requests (before the SYN segment is generated) and the first UDP message that is sent to a remote endpoint are indicated at this layer.

IP Packet
IP packet fragments are not indicated; inspection of outgoing IP fragments is currently unavailable.

IP packets or fragments that do not originate from, or are not destined for, an address that is assigned to the local computer are available for inspection at the forwarding layer. For example, if a packet that is destined for a local client is modified to have a nonlocal destination address and then is injected into the receive path, it will be injected into the forwarding layer. Similarly, if a packet that originates from a local source address is modified to have a nonlocal source address, it will be delivered to the forwarding layer after it is injected into the send path.   ?????????????


WFP Layer Requirements and Restrictions

The following requirements and restrictions apply to WFP layers.


Forwarding Layer
An IP packet will be delivered to the forwarding layer if IP forwarding is enabled for a packet that originates from, or is destined for, an address that is assigned to the computer and the packet is sent or received on a different interface than the interface on which the local address is assigned. By default, IP forwarding is disabled and can be enabled by using the netsh interface ipv4 set interface command for IPv4 forwarding or the netsh interface ipv6 set interface command for IPv6 forwarding.

The forwarding layer can forward each received fragment as it arrives or hold the fragments of an IP payload until all fragments have arrived and then forward them. This is known as fragment grouping. When fragment grouping is disabled (it is disabled by default), forwarded IP packet fragments are indicated to WFP one time. When fragment grouping is enabled, a fragment is indicated to WFP two times—first as the fragment itself, and again inside a fragment group that is described by a NET_BUFFER_LIST chain. WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP flag when it indicates fragment groups to forwarding layer callouts. You can enable fragment grouping by using the netsh interface {ipv4|ipv6} set global groupforwardedfragments=enabled command. Fragment grouping is different than reassembly, which is the reconstruction of the original IP packet at the destination host.

The NET_BUFFER_LIST structure that is indicated at the forwarding layer can describe a full IP packet, an IP packet fragment, or an IP packet fragment group. While an IP packet fragment traverses the forwarding layer, it will be indicated two times to the callout: first as a fragment, and again, as a fragment inside a fragment group.

When a fragment group is indicated, the FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP flag is passed as an incoming value to the callout driver's classifyFn callout function. In this case, the NET_BUFFER_LIST structure pointed to by the netBufferList parameter is the first node of a NET_BUFFER_LIST chain with each NET_BUFFER_LIST describing a packet fragment.

A forward injected packet will not be presented to any WFP layer. The injected packet can be indicated to the callout driver again. To prevent infinite looping, the driver should first call the FwpsQueryPacketInjectionState0 function before it continues with a call to the classifyFn callout function, and the driver should permit packets that have the injection state FWPS_PACKET_INJECTION_STATE set to FWPS_PACKET_INJECTED_BY_SELF or FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF to pass through unaltered.

You can use the following command to view the current “Group Forwarded Fragments” setting for the system: netsh interface {ipv4|ipv6} show global.

Network Layer
IP packet fragments, which are indicated only for incoming paths, are indicated three times at this layer—first as an IP packet, again as an IP fragment, and a third time as part of a reassembled IP packet. WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT flag when it indicates fragments to network layer callouts.

When adding filtering conditions, FWP_MATCH_FLAGS_NONE_SET can be used together with the FWP_CONDITION_FLAG_IS_FRAGMENT flag to avoid the second indication. If the callout has to inspect only full packets (those that have not been fragmented and reassembled), it has to parse the IP header to avoid processing fragments that are indicated as IP packets. Alternatively, the callout can inspect packets at the transport layer.

Transport Layer and ALE
To be able to coexist with IPsec processing, callouts that inspect packets at the incoming transport layer must also register at the ALE receive and accept layer. Such a callout can inspect/modify most of the traffic at the transport layer, but it must also permit packets that are assigned to the ALE receive/accept layer. Such a callout must also inspect or modify the packets from the ALE layer. WFP sets the FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY flag when it indicates to the transport layer those packets that require ALE inspection. IPsec processing is deferred until those packets that create the initial “connection” and those that are required to re-authorize the connection reach the ALE layer.

Transport layer and ALE layer callouts must register themselves at a sublayer that is of lower weight than the universal sublayer. The built-in IPsec/ALE enforcement callouts reside at the universal sublayer.

The following table shows packet types that can be indicated at ALE layers. Be aware that some ALE layers do not always have a packet associated with their indication.

ALE layerTCP packetsUDP packets
Bind (resource assignment)not applicablenot applicable
Connectno packetfirst UDP packet (outgoing)
Receive/AcceptSYN (incoming)first UDP packet (incoming)
Flow Establishedfinal ACK (incoming & outgoing)first UDP packet (incoming & outgoing)
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值