Understanding Windows Networking: WFP
Categories:
- Understanding Windows Networking
- Understanding Windows Networking: WFP
WFP
Terminology
- https://learn.microsoft.com/en-us/windows/win32/fwp/object-model
- https://learn.microsoft.com/en-us/windows/win32/fwp/basic-operation
- https://learn.microsoft.com/en-us/windows-hardware/drivers/network
callout: A callout provides functionality that extends the capabilities of the Windows Filtering Platform. A callout consists of a set of callout functions and a GUID key that uniquely identifies the callout.
callout driver: A callout driver is a driver that registers callouts with the Windows Filtering Platform. A callout driver is a type of filter driver.
callout function: A callout function is a function that is called by the Windows Filtering Platform to perform a specific task. A callout function is associated with a callout.
filter: A filter is a set of functions that are called by the Windows Filtering Platform to perform filtering operations. A filter consists of a set of filter functions and a GUID key that uniquely identifies the filter.
filter engine: The filter engine is the component of the Windows Filtering Platform that performs filtering operations. The filter engine is responsible for calling the filter functions that are registered with the Windows Filtering Platform.
filter layer: A filter layer is a set of functions that are called by the Windows Filtering Platform to perform filtering operations. A filter layer consists of a set of filter layer functions and a GUID key that uniquely identifies the filter layer.
The dispatcher queue triggers the callback as soon as possible rather than waiting for the queue to fill, so it can meet real-time requirements. When the user callback is slow, blocked packets are inserted into the next queue as far as possible; a queue holds at most 256 packets. Any further blocked packets are cached by the system; a rough test put the cache capacity at 16,500 packets, and that figure may vary with machine performance and configuration.

While the user callback is processing packets, two copies of each packet exist:
- the kernel packet, which is released only after the callback has finished processing the whole queue, so a slow callback ties up the system's cache capacity for up to 256 packets per callback invocation;
- the copy made inside the callback, which is released as soon as that single packet has been processed.

FwppNetEvent1Callback copies and assembles the packets and never operates on the original packet, so it has no effect on the business traffic.
A subscription can use a template filter to reduce the number of packets that must be handled:

filterCondition: An array of FWPM_FILTER_CONDITION0 structures that contain distinct filter conditions (duplicated filter conditions will generate an error). All conditions must be true for the action to be performed. In other words, the conditions are AND'ed together. If no conditions are specified, the action is always performed.

The same filter condition cannot be specified twice. All filter conditions are related by AND: every one of them must be satisfied. Microsoft's documentation lists eight supported filter conditions, but in practice more are supported.
- FWPM_CONDITION_IP_PROTOCOL: The IP protocol number, as specified in RFC 1700.
- FWPM_CONDITION_IP_LOCAL_ADDRESS: The local IP address.
- FWPM_CONDITION_IP_REMOTE_ADDRESS: The remote IP address.
- FWPM_CONDITION_IP_LOCAL_PORT: The local transport protocol port number. For ICMP, the message type.
- FWPM_CONDITION_IP_REMOTE_PORT: The remote transport protocol port number. For ICMP, the message code.
- FWPM_CONDITION_SCOPE_ID: The interface IPv6 scope identifier. Reserved for internal use.
- FWPM_CONDITION_ALE_APP_ID: The full path of the application.
- FWPM_CONDITION_ALE_USER_ID: The identification of the local user.

Enumerating the subscriptions already registered on the system showed two existing subscriptions. Their sessionKey GUIDs did not reveal who registered them; analysing the subscriptions showed that each implements one of the following:
- One subscribes to all FWPM_NET_EVENT_TYPE_CLASSIFY_DROP events and counts every dropped packet.
- One subscribes to all FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW events, which can be used for traffic statistics.

The condition filter used by both subscriptions is FWPM_CONDITION_NET_EVENT_TYPE (206e9996-490e-40cf-b831-b38641eb6fcb), which shows that the filter conditions that can be used are not limited to the eight in Microsoft's documentation.

Further investigation found that the user-mode interface can only capture drop events; non-drop events must be obtained from kernel mode. Micro-segmentation therefore cannot use FWPM_CONDITION_NET_EVENT_TYPE to obtain its events.
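As an added illustration of the template-filter semantics described above (conditions AND'ed together, a duplicated condition rejected, an empty template matching everything) and of the drop-counting subscription found on the system, here is a small portable C model. It is not code from this page or from Microsoft's SDK: the enums, struct layouts, sample events and function names are constructed stand-ins for the GUID condition keys, FWPM_FILTER_CONDITION0 and FWPM_NET_EVENT_TYPE values in fwpmu.h, chosen so that the matching logic compiles and runs without Windows.

```c
/* Portable model of WFP net-event template-filter semantics (added
 * example; the types below stand in for the real fwpmu.h definitions). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the FWPM_CONDITION_* GUID keys named on the page. */
typedef enum {
    COND_IP_PROTOCOL,      /* FWPM_CONDITION_IP_PROTOCOL */
    COND_IP_REMOTE_PORT,   /* FWPM_CONDITION_IP_REMOTE_PORT */
    COND_NET_EVENT_TYPE,   /* FWPM_CONDITION_NET_EVENT_TYPE */
    COND_FIELD_COUNT
} cond_field_t;

/* Stand-ins for FWPM_NET_EVENT_TYPE_CLASSIFY_DROP / _ALLOW. */
typedef enum { EV_CLASSIFY_DROP = 0, EV_CLASSIFY_ALLOW = 1 } event_type_t;

/* A minimal net event carrying only the fields our conditions can test. */
typedef struct {
    event_type_t type;
    uint8_t ip_protocol;   /* RFC 1700 number: 6 = TCP, 17 = UDP */
    uint16_t remote_port;
} net_event_t;

/* One condition: field plus an FWP_MATCH_EQUAL-style value to compare. */
typedef struct { cond_field_t field; uint32_t value; } filter_condition_t;

#define MAX_CONDITIONS 8
typedef struct {
    filter_condition_t conditions[MAX_CONDITIONS];
    unsigned num_conditions;
} enum_template_t;

/* Result codes modelled on the documented behaviour: listing the same
 * condition field twice is an error, as the filterCondition doc states. */
enum { TEMPLATE_OK = 0, TEMPLATE_ERR_DUPLICATE = -1, TEMPLATE_ERR_TOO_MANY = -2 };

int template_validate(enum_template_t t)
{
    bool seen[COND_FIELD_COUNT] = { false };
    if (t.num_conditions > MAX_CONDITIONS) return TEMPLATE_ERR_TOO_MANY;
    for (unsigned i = 0; i < t.num_conditions; i++) {
        cond_field_t f = t.conditions[i].field;
        if (seen[f]) return TEMPLATE_ERR_DUPLICATE;
        seen[f] = true;
    }
    return TEMPLATE_OK;
}

static uint32_t event_field(const net_event_t *e, cond_field_t f)
{
    switch (f) {
    case COND_IP_PROTOCOL:    return e->ip_protocol;
    case COND_IP_REMOTE_PORT: return e->remote_port;
    case COND_NET_EVENT_TYPE: return (uint32_t)e->type;
    default:                  return 0;
    }
}

/* Conditions are AND'ed: every one must hold; no conditions matches all. */
bool event_matches(enum_template_t t, net_event_t e)
{
    for (unsigned i = 0; i < t.num_conditions; i++)
        if (event_field(&e, t.conditions[i].field) != t.conditions[i].value)
            return false;
    return true;
}

/* Constructed sample events standing in for what a callback would receive. */
static const net_event_t SAMPLE_EVENTS[] = {
    { EV_CLASSIFY_DROP,  6,  445 },
    { EV_CLASSIFY_DROP,  17, 53  },
    { EV_CLASSIFY_ALLOW, 6,  443 },
    { EV_CLASSIFY_DROP,  6,  443 },
    { EV_CLASSIFY_ALLOW, 17, 123 },
};
#define NUM_SAMPLE_EVENTS (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/* Count sample events a template lets through; -1 if the template is invalid.
 * This is the counting the page's drop-statistics subscription performs. */
int count_matching(enum_template_t t)
{
    if (template_validate(t) != TEMPLATE_OK) return -1;
    int n = 0;
    for (size_t i = 0; i < NUM_SAMPLE_EVENTS; i++)
        if (event_matches(t, SAMPLE_EVENTS[i])) n++;
    return n;
}

enum_template_t template_any(void) { enum_template_t t = { .num_conditions = 0 }; return t; }

/* The single NET_EVENT_TYPE == CLASSIFY_DROP condition the page observed. */
enum_template_t template_drops_only(void)
{
    enum_template_t t = template_any();
    t.conditions[t.num_conditions++] = (filter_condition_t){ COND_NET_EVENT_TYPE, EV_CLASSIFY_DROP };
    return t;
}

/* Drops AND TCP: two conditions, both must hold. */
enum_template_t template_tcp_drops(void)
{
    enum_template_t t = template_drops_only();
    t.conditions[t.num_conditions++] = (filter_condition_t){ COND_IP_PROTOCOL, 6 };
    return t;
}

/* The same field listed twice: rejected by validation. */
enum_template_t template_duplicate(void)
{
    enum_template_t t = template_drops_only();
    t.conditions[t.num_conditions++] = t.conditions[0];
    return t;
}

int main(void)
{
    printf("no conditions : %d events\n", count_matching(template_any()));
    printf("drops only    : %d events\n", count_matching(template_drops_only()));
    printf("tcp drops     : %d events\n", count_matching(template_tcp_drops()));
    printf("duplicate cond: %d (rejected)\n", count_matching(template_duplicate()));
    return 0;
}
```

In the real API the conditions live in the filterCondition array of the enumeration template handed to the subscription, and the duplicate check that the model performs by hand is done by the filter engine, which returns an error instead of creating the subscription.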