Static filter table – netbios traffic is redirected always

  • #5393
    gmt
    Participant

      Hi,

      I have a filter on a gateway machine with two network cards. On the internal network card I “inspect” (FILTER_PACKET_REDIRECT) some traffic based on some rules (and pass it to the network stack), and I do the same for block (FILTER_PACKET_DROP) or allow (FILTER_PACKET_PASS).

      What I find strange is that even though I have set as priority rules a rule that blocks all TCP and one that blocks all UDP traffic, I still “catch” NetBIOS (port 137, broadcast) and link-local multicast resolution (port 5355) traffic on my last filter rule (the rule that says to inspect – FILTER_PACKET_REDIRECT).

      Are there some kinds of network packets handled differently by ntkernel? What I find strange, though, is that FILTER_PACKET_PASS/FILTER_PACKET_DROP does not match on my first filter, but FILTER_PACKET_REDIRECT applies to the same packet.

      ADAPTER_MODE.dwFlags was set to MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL

      Regards,
      -Ghita

      #7139
      Vadim Smirnov
      Keymaster

        Hi Ghita,

        I can’t see the filters you have set, but I suspect that your filters for blocking TCP/UDP may be destination IP/MAC address specific and therefore broadcast/multicast packets get passed (they have special broadcast/multicast MAC and IP addresses).

        Hope it helps…

        #7140
        gmt
        Participant

          Thanks for the response, SerpentFly.
          I’ll have to evaluate in this case what rule we apply exactly, because the intent in the case at hand was for the rule to apply to all TCP/UDP packets regardless of IPs (allowed, FILTER_PACKET_PASS), but instead the same rule (same fields, except the action field) applied only for FILTER_PACKET_REDIRECT.

          Regards
          -Ghita

          #7141
          gmt
          Participant

            “What I find strange is that even if I have set as priority rules, a rule that blocks all tcp and one all udp traffic I still “catch” netbios(port 137, broadcast) and link local multicast resolution (port 5355) traffic on my last filter rule (the rule that says to inspect – FILTER_PACKET_REDIRECT)”

            I come with new information about my findings. I simplified the filters I use and have the following conclusions:

            1. In our application, packets that don’t have to be allowed/blocked/intercepted by our custom ntkernel filters have to be allowed to pass without interception (we **don’t** need them passed into user mode at all).

            2. What I’ve observed is that any packet that doesn’t match a specific filter seems to be intercepted by default by ntkernel (passed to user mode). Is this true?

            3. In case 2 is true, how do I define a “default” filter rule so that all traffic not matched (by higher-priority filters) gets allowed (FILTER_PACKET_PASS) and not intercepted (FILTER_PACKET_REDIRECT)? We use now what’s below, but it seems not to match all (remaining) traffic:

            // Catch-all filter as posted: no valid fields, so it should match any packet
            STATIC_FILTER result = {0};
            result.m_Adapter.QuadPart = 0;   // 0 = all adapters
            result.m_ValidFields = 0;        // no network/transport fields are compared
            result.m_FilterAction = FILTER_PACKET_PASS;
            result.m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
            return result;

            As you can see, I set m_Adapter to 0 in the hope that the default will be to allow traffic for all network interfaces.

            Any hints are appreciated.
            Thanks
            -Ghita

            #7142
            gmt
            Participant

              Any ideas, anybody?

              The facts were presented in my last post. I can reproduce the behavior with the piece of code posted. Is there a way to handle some packets with PACKET_REDIRECT (based on some filters) and for the rest to have a default rule that says PACKET_PASS, so that I don’t receive in user mode traffic I’m not interested in?

              -Ghita

              #7143
              Vadim Smirnov
              Keymaster

                If you look at the filter.cpp sample, you can find the scenario which redirects only DNS packets to user mode and passes any other packets. The filters are defined as follows:

                //**************************************************************************************
                // 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
                // Common values
                pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
                pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
                pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

                // Network layer filter
                pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
                pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                // Transport layer filter
                pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
                pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
                pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

                //****************************************************************************************
                // 2. Incoming DNS responses filter: REDIRECT IN UDP packets with source PORT 53
                // Common values
                pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
                pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_REDIRECT;
                pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

                // Network layer filter
                pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
                pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                // Transport layer filter
                pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
                pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 53; // DNS
                pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 53;

                //***************************************************************************************
                // 3. Pass all packets (skipped by previous filters) without processing in user mode
                // Common values
                pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
                pFilters->m_StaticFilters[2].m_ValidFields = 0;
                pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_PASS;
                pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

                break;

                Does this sample work for you?
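
As an added illustration for the question in post #7141 (a default rule that passes everything not caught earlier) and for the filter.cpp layout quoted above, the following constructed C++ model evaluates a static filter table with first-match semantics over a few constructed packets. It is not code from this thread or from the WinpkFilter SDK: the struct and field names are simplified stand-ins for STATIC_FILTER's m_ValidFields, m_FilterAction and m_dwDirectionFlags and its nested network/transport filters. It assumes, following the reply in #7139, that the TCP/UDP block rules of the first post were bound to the gateway's own destination address (constructed 192.0.2.1), and, following the observation in #7141, that a packet matched by no filter goes to user mode.

```cpp
// Constructed model of first-match static filter evaluation (not the SDK's code).
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class Action { Pass, Drop, Redirect };

// Direction bits, standing in for PACKET_FLAG_ON_SEND / PACKET_FLAG_ON_RECEIVE.
constexpr unsigned ON_SEND = 0x1;
constexpr unsigned ON_RECEIVE = 0x2;

// Validity bits: only fields whose bit is set take part in matching
// (the role m_ValidFields and the per-layer m_ValidFields play in the SDK).
constexpr unsigned V_PROTO = 0x1;
constexpr unsigned V_DEST_IP = 0x2;
constexpr unsigned V_DEST_PORT = 0x4;
constexpr unsigned V_SRC_PORT = 0x8;

constexpr uint8_t PROTO_TCP = 6;
constexpr uint8_t PROTO_UDP = 17;

struct Packet {
    unsigned direction;      // ON_SEND or ON_RECEIVE
    std::string dest_ip;
    uint8_t proto;
    uint16_t src_port;
    uint16_t dest_port;
};

struct Filter {
    const char* name;
    unsigned direction_flags;
    unsigned valid;          // which of the fields below are compared
    Action action;
    uint8_t proto;
    std::string dest_ip;
    uint16_t dest_port_lo, dest_port_hi;
    uint16_t src_port_lo, src_port_hi;
};

static bool matches(const Filter& f, const Packet& p) {
    if (!(f.direction_flags & p.direction)) return false;
    if ((f.valid & V_PROTO) && f.proto != p.proto) return false;
    if ((f.valid & V_DEST_IP) && f.dest_ip != p.dest_ip) return false;
    if ((f.valid & V_DEST_PORT) &&
        (p.dest_port < f.dest_port_lo || p.dest_port > f.dest_port_hi)) return false;
    if ((f.valid & V_SRC_PORT) &&
        (p.src_port < f.src_port_lo || p.src_port > f.src_port_hi)) return false;
    return true;
}

// Walk the table in order; the first matching filter decides. A packet matched by
// no filter is treated as Redirect (assumption taken from post #7141's observation).
Action evaluate(const std::vector<Filter>& table, const Packet& p) {
    for (const Filter& f : table)
        if (matches(f, p)) return f.action;
    return Action::Redirect;
}

// Table as the first post describes it, with the guess from #7139 built in:
// the TCP/UDP blocks are tied to the gateway's own address (constructed 192.0.2.1).
// Trailing aggregate members not listed are value-initialised to zero/empty.
std::vector<Filter> address_bound_table() {
    return {
        {"drop tcp to gateway", ON_SEND | ON_RECEIVE, V_PROTO | V_DEST_IP, Action::Drop, PROTO_TCP, "192.0.2.1"},
        {"drop udp to gateway", ON_SEND | ON_RECEIVE, V_PROTO | V_DEST_IP, Action::Drop, PROTO_UDP, "192.0.2.1"},
        {"inspect everything else", ON_SEND | ON_RECEIVE, 0, Action::Redirect},
    };
}

// Table in the shape of the filter.cpp sample quoted above: redirect DNS, pass the rest.
std::vector<Filter> dns_only_table() {
    Filter out{"dns query out", ON_SEND, V_PROTO | V_DEST_PORT, Action::Redirect, PROTO_UDP};
    out.dest_port_lo = out.dest_port_hi = 53;
    Filter in{"dns reply in", ON_RECEIVE, V_PROTO | V_SRC_PORT, Action::Redirect, PROTO_UDP};
    in.src_port_lo = in.src_port_hi = 53;
    Filter rest{"pass all", ON_SEND | ON_RECEIVE, 0, Action::Pass};
    return {out, in, rest};
}

// Constructed sample packets (addresses are documentation-range placeholders).
Packet netbios_broadcast() { return {ON_RECEIVE, "192.0.2.255", PROTO_UDP, 137, 137}; }
Packet llmnr_multicast()   { return {ON_RECEIVE, "224.0.0.252", PROTO_UDP, 51000, 5355}; }
Packet tcp_to_gateway()    { return {ON_RECEIVE, "192.0.2.1", PROTO_TCP, 40000, 80}; }
Packet dns_query()         { return {ON_SEND, "192.0.2.53", PROTO_UDP, 50000, 53}; }
Packet dns_reply()         { return {ON_RECEIVE, "192.0.2.1", PROTO_UDP, 53, 50000}; }

int main() {
    const char* names[] = {"pass", "drop", "redirect"};
    std::printf("netbios broadcast, address-bound table: %s\n",
                names[static_cast<int>(evaluate(address_bound_table(), netbios_broadcast()))]);
    std::printf("netbios broadcast, dns-only table:      %s\n",
                names[static_cast<int>(evaluate(dns_only_table(), netbios_broadcast()))]);
    return 0;
}
```

The address-bound table shows the effect the first post reports: a broadcast or multicast packet never equals the gateway's unicast address, so it slips past the two drop rules and lands on the protocol-free redirect rule. In the DNS-only table the last filter has no valid fields at all, so it matches every remaining packet regardless of address, and the broadcast traffic is passed in the driver instead of reaching user mode.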
