Filtering by protocol using STATIC_FILTER structure

Tagged: staticfilter

This topic has 7 replies, 2 voices, and was last updated 3 years, 3 months ago by Vadim Smirnov.

Viewing 8 posts - 1 through 8 (of 8 total)

Author

Posts
January 11, 2021 at 8:01 pm #11451
sumitani
Participant
It is possible to filter by protocol (TCP/UDP/ICMP) the packets using the STATIC_FILTER structure without defining the range of ports or IPs?

I tried to add a filter with the following parameters but did not redirect any packet.
Example:
```
	sf->m_dwDirectionFlags = MSTCP_FLAG_SENT_TUNNEL
	sf->m_FilterAction = FILTER_PACKET_REDIRECT;
	sf->m_ValidFields = NETWORK_LAYER_VALID;
	sf->m_NetworkFilter.m_dwUnionSelector = IPV4;
	sf->m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
	sf->m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;
```
And added another filter to action ‘pass’ the other packets.

It is mandatory to use other fields than IP_V4_FILTER_PROTOCOL in order to work?
January 11, 2021 at 8:12 pm #11452
Vadim Smirnov
Keymaster
Yes, it is possible. As an example you can check the 3rd scenario in filter.cpp:
```
//**************************************************************************************
// 1. Block all ICMP packets
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_DROP;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;

// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4; 
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_ICMP;
```
Please note, that in you code you use incorrect value for m_dwDirectionFlags
January 12, 2021 at 10:29 am #11453
sumitani
Participant
I sent the wrong parameter in m_dwDirectionFlags.

This is the first filter, to capture only outbound TCP:

m_Adapter.QuadPart = 0;
m_ValidFields = NETWORK_LAYER_VALID;
m_FilterAction = FILTER_PACKET_REDIRECT;
m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

m_NetworkFilter.m_dwUnionSelector = IPV4;
m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

Then the second pass the other packets:
m_Adapter.QuadPart = 0;
m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
m_FilterAction = FILTER_PACKET_PASS;

This combination is not working, I need to change the approach and filter the ICMP and UDP in order to capture TCP?
January 12, 2021 at 12:45 pm #11455
Vadim Smirnov
Keymaster
What do you mean “is not working”?

If the table you load into the driver is equivalent to the following:
```
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4; 
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[1].m_ValidFields = 0;
pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
```
Then it should redirect outgoing TCP packets into the user mode, pass any other outgoing packets (except TCP) over and redirect ALL incoming packets into the user mode.
January 12, 2021 at 1:19 pm #11456
sumitani
Participant
It is not possible to instantiate more than one CNdisApi class to apply different filters for each protocol? Using only the filter as you said worked well for TCP.
January 12, 2021 at 3:32 pm #11457
Vadim Smirnov
Keymaster
Standard driver build supports only one packet filter table and is supposed to be used from one user mode process. You can use multiply CNdisApi instances but setting the new filter table will override the previously loaded one. So you are supposed to collect all required filters into the single table.

However, there is also a multiply layers driver build available to winpkfilter customers which supports multiply packet filter tables (one per filter layer) which can be used from several application as long as they use different layers.
January 12, 2021 at 4:34 pm #11458
sumitani
Participant
Oh, I see. This is the behavior that I getting here.

Regarding the multiply layers driver. When you refer to the layers, are you referring to the layer defined in the STATIC_FILTER structure (DATALINK, NETWORK, TRANSPORT) or the multiple STATIC_FILTERS for each CNdisApi instance without override?

Using different layers for each application, both of them cannot intercept the same packet?
January 12, 2021 at 10:13 pm #11459
Vadim Smirnov
Keymaster
In this context above the layer is the driver level abstraction associated with FILE_OBJECT (CNdisApi object) with independent static filters table, packets queue and etc..

Using different layers for each application, both of them cannot intercept the same packet?

They can if packet was not previously dropped by upper (for outgoing packets) or lower (for incoming packets) layers.

Layers architecture allows to share single driver between several different packet filter applications.
Author

Posts

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.