Packet Inspection Points
Incoming packets that are destined for an address that is assigned to the receiving computer (local host traffic) traverse up the WFP layers in the following order:
- IP Packet (Network Layer): All IP packets, including IP packet fragments, are available for inspection at this layer. However, when packets are IPsec-protected, deep content inspection or modification cannot be performed at this layer because the packets are not yet authenticated or decrypted.
- Transport Layer: All stand-alone or fully reassembled packets are available for inspection at this layer. IPsec-protected packets have been authenticated or decrypted by the time they reach it.
- Application Layer Enforcement (ALE) Receive or Accept: The very first packet that arrives at a local endpoint is indicated at this layer. For example, an arriving TCP synchronize (SYN) segment or the first UDP message that is associated with a UDP flow would be indicated. Packets that are required to re-authorize a connection, for example after a firewall policy change, are also indicated at this layer, and the ALE reauthorization flag will be set.
- Datagram Data or Stream: UDP messages and non-ICMP error messages are indicated at the datagram data layer. TCP data flows (data streams only) are available for inspection at the stream layer.
Outgoing packets that originate from an address that is assigned to the sending computer (local host sourced traffic) traverse down the following WFP layers:
- ALE Connect: TCP connection requests (made before the SYN segment is generated) and the first UDP message that is sent to a remote endpoint are indicated at this layer.
- Datagram Data or Stream
- Transport and ICMP Error
- IP Packet: IP packet fragments are not indicated; inspection of outgoing IP fragments is currently unavailable.
IP packets or fragments that do not originate from, or are not destined for, an address that is assigned to the local computer are available for inspection at the forwarding layer. For example, if a packet that is destined for a local client is modified to have a nonlocal destination address and then is injected into the receive path, it will be injected into the forwarding layer. Similarly, if a packet that originates from a local source address is modified to have a nonlocal source address, it will be delivered to the forwarding layer after it is injected into the send path.
WFP Layer Requirements and Restrictions
The following requirements and restrictions apply to WFP layers.
Forwarding Layer
An IP packet will be delivered to the forwarding layer if IP forwarding is enabled for a packet that originates from, or is destined for, an address that is assigned to the computer and the packet is sent or received on a different interface than the interface on which the local address is assigned. By default, IP forwarding is disabled and can be enabled by using the netsh interface ipv4 set interface command for IPv4 forwarding or the netsh interface ipv6 set interface command for IPv6 forwarding.
The forwarding layer can forward each received fragment as it arrives, or hold the fragments of an IP payload until all fragments have arrived and then forward them together. This is known as fragment grouping. When fragment grouping is disabled (it is disabled by default), forwarded IP packet fragments are indicated to WFP one time. When fragment grouping is enabled, a fragment is indicated to WFP two times: first as the fragment itself, and again inside a fragment group that is described by a NET_BUFFER_LIST chain. WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP flag when it indicates fragment groups to forwarding layer callouts. You can enable fragment grouping by using the netsh interface {ipv4|ipv6} set global groupforwardedfragments=enabled command. Fragment grouping differs from reassembly, which is the reconstruction of the original IP packet at the destination host.
The NET_BUFFER_LIST structure that is indicated at the forwarding layer can describe a full IP packet, an IP packet fragment, or an IP packet fragment group. While an IP packet fragment traverses the forwarding layer, it will be indicated two times to the callout: first as a fragment, and again, as a fragment inside a fragment group.
When a fragment group is indicated, the FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP flag is passed as an incoming value to the callout driver's classifyFn callout function. In this case, the NET_BUFFER_LIST structure pointed to by the netBufferList parameter is the first node of a NET_BUFFER_LIST chain with each NET_BUFFER_LIST describing a packet fragment.
A forward-injected packet will not be presented to any WFP layer. The injected packet can, however, be indicated to the callout driver again. To prevent an infinite loop, the driver should call the FwpsQueryPacketInjectionState0 function before it continues with the rest of its classifyFn callout logic, and it should permit packets whose FWPS_PACKET_INJECTION_STATE is FWPS_PACKET_INJECTED_BY_SELF or FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF to pass through unaltered.
You can use the following command to view the current “Group Forwarded Fragments” setting for the system: netsh interface {ipv4|ipv6} show global.
Network Layer
IP packet fragments, which are indicated only on incoming paths, are indicated three times at this layer: first as an IP packet, again as an IP fragment, and a third time as part of a reassembled IP packet. WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT flag when it indicates fragments to network layer callouts.
When adding filtering conditions, FWP_MATCH_FLAGS_NONE_SET can be used together with the FWP_CONDITION_FLAG_IS_FRAGMENT flag to avoid the second indication. If the callout has to inspect only full packets (those that have not been fragmented and reassembled), it has to parse the IP header to avoid processing fragments that are indicated as IP packets. Alternatively, the callout can inspect packets at the transport layer.
Transport Layer and ALE
To be able to coexist with IPsec processing, callouts that inspect packets at the incoming transport layer must also register at the ALE receive and accept layer. Such a callout can inspect/modify most of the traffic at the transport layer, but it must also permit packets that are assigned to the ALE receive/accept layer. Such a callout must also inspect or modify the packets from the ALE layer. WFP sets the FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY flag when it indicates to the transport layer those packets that require ALE inspection. IPsec processing is deferred until those packets that create the initial “connection” and those that are required to re-authorize the connection reach the ALE layer.
Transport layer and ALE layer callouts must register themselves at a sublayer that is of lower weight than the universal sublayer. The built-in IPsec/ALE enforcement callouts reside at the universal sublayer.
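The three rules above that a callout author has to get right (the forwarding-layer injection-loop guard, the three network-layer indications of a fragment and how FWP_MATCH_FLAGS_NONE_SET on FWP_CONDITION_FLAG_IS_FRAGMENT drops the second one, and permitting FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY packets at the transport layer) are shown here as an added user-mode C model. It is not WFP driver code and not from this page or the WDK: the WFP names are the real ones, but the bit values, the struct layouts, the order of the indications and the flag carried by a lone forwarded fragment are stand-ins chosen for the model (the real definitions live in fwptypes.h and fwpsk.h).

```c
/* Added example: user-mode model of three WFP callout rules. Not driver code;
 * names are real WFP names, numeric values and structs are model stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Condition-flag bits. Stand-in values; only the names are from the text. */
#define FWP_CONDITION_FLAG_IS_FRAGMENT           0x01u
#define FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP     0x02u
#define FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY 0x04u

/* The FWP_MATCH_TYPE values that apply to a flags field. */
typedef enum {
    FWP_MATCH_FLAGS_ALL_SET,
    FWP_MATCH_FLAGS_ANY_SET,
    FWP_MATCH_FLAGS_NONE_SET
} flag_match_t;

/* Injection states, in the order fwpsk.h names them. */
typedef enum {
    FWPS_PACKET_NOT_INJECTED,
    FWPS_PACKET_INJECTED_BY_SELF,
    FWPS_PACKET_INJECTED_BY_OTHER,
    FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF
} injection_state_t;

typedef enum { ACTION_PERMIT_UNALTERED, ACTION_INSPECT } action_t;

/* One filter condition on the flags field: match type plus flag mask. */
typedef struct {
    flag_match_t match;
    uint32_t mask;
} flags_condition_t;

/* True when an indication carrying `flags` satisfies the condition. */
bool flags_condition_matches(flags_condition_t c, uint32_t flags)
{
    switch (c.match) {
    case FWP_MATCH_FLAGS_ALL_SET:  return (flags & c.mask) == c.mask;
    case FWP_MATCH_FLAGS_ANY_SET:  return (flags & c.mask) != 0;
    case FWP_MATCH_FLAGS_NONE_SET: return (flags & c.mask) == 0;
    }
    return false;
}

/* Network layer, incoming path: one fragmented datagram is indicated three
 * times (IP packet, IP fragment, reassembled packet). Returns how many of
 * those indications reach a callout whose filter carries condition `c`. */
int network_layer_indications(flags_condition_t c)
{
    const uint32_t flags_per_indication[3] = {
        0,                              /* 1st: as an IP packet */
        FWP_CONDITION_FLAG_IS_FRAGMENT, /* 2nd: as an IP fragment */
        0,                              /* 3rd: inside the reassembled packet */
    };
    int reached = 0;
    for (int i = 0; i < 3; i++)
        if (flags_condition_matches(c, flags_per_indication[i]))
            reached++;
    return reached;
}

/* Forwarding layer: with fragment grouping disabled a forwarded fragment is
 * indicated once; with grouping enabled it is indicated again inside a
 * fragment group carrying FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP. Tagging the
 * lone fragment with IS_FRAGMENT is a model assumption. */
int forwarding_layer_indications(bool grouping_enabled, flags_condition_t c)
{
    int reached = flags_condition_matches(c, FWP_CONDITION_FLAG_IS_FRAGMENT) ? 1 : 0;
    if (grouping_enabled &&
        flags_condition_matches(c, FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP))
        reached++;
    return reached;
}

/* Forwarding-layer loop guard: query the injection state first and let the
 * driver's own injected packets through unaltered. */
action_t forwarding_classify_action(injection_state_t state)
{
    if (state == FWPS_PACKET_INJECTED_BY_SELF ||
        state == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF)
        return ACTION_PERMIT_UNALTERED;
    return ACTION_INSPECT;
}

/* Incoming transport layer: packets flagged REQUIRES_ALE_CLASSIFY must be
 * permitted so they reach the ALE receive/accept layer, where the same
 * callout inspects them after IPsec processing has completed. */
action_t transport_classify_action(uint32_t flags)
{
    if (flags & FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY)
        return ACTION_PERMIT_UNALTERED;
    return ACTION_INSPECT;
}

int main(void)
{
    flags_condition_t skip_fragments = { FWP_MATCH_FLAGS_NONE_SET, FWP_CONDITION_FLAG_IS_FRAGMENT };
    printf("network-layer indications seen with NONE_SET(IS_FRAGMENT): %d\n",
           network_layer_indications(skip_fragments));
    printf("own injected packet at forwarding layer: %s\n",
           forwarding_classify_action(FWPS_PACKET_INJECTED_BY_SELF) == ACTION_PERMIT_UNALTERED
               ? "permit unaltered" : "inspect");
    return 0;
}
```

The NONE_SET condition removes only the fragment indication; the first indication (the fragment presented as an IP packet) still reaches the callout, which is why the text says a callout that wants only complete packets must still parse the IP header or move to the transport layer.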
The following table shows the packet types that can be indicated at ALE layers. Be aware that some ALE layers do not always have a packet associated with their indication.

| ALE layer | TCP packets | UDP packets |
| --- | --- | --- |
| Bind (resource assignment) | not applicable | not applicable |
| Connect | no packet | first UDP packet (outgoing) |
| Receive/Accept | SYN (incoming) | first UDP packet (incoming) |
| Flow Established | final ACK (incoming & outgoing) | first UDP packet (incoming & outgoing) |