- This topic has 5 replies, 2 voices, and was last updated 10 years, 7 months ago by
.
-
Posts
-
Hi,
I have a filter on a 2 network cards gateway machine on which for internal network card I “inspect” (FILTER_PACKET_REDIRECT) based on some rules some traffic (and pass it to the network stack) and the same I do for block(FILTER_PACKET_DROP) or allow(FILTER_PACKET_PASS)
What I find strange is that even if I have set as priority rules, a rule that blocks all tcp and one all udp traffic I still “catch” netbios(port 137, broadcast) and link local multicast resolution (port 5355) traffic on my last filter rule (the rule that says to inspect – FILTER_PACKET_REDIRECT)
Are there some kinds of network packets handled differently by ntkernel ? What I find strange though is that FILTER_PACKET_PASS/FILTER_PACKET_DROP does not match my first filter but FILTER_PACKET_REDIRECT applies to the same packet.
ADAPTER_MODE.dwFlags were set to MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL
Regards,
-GhitaHi Ghita,
I can’t see the filters you have set, but I suspect that your filters for blocking TCP/UDP may be destination IP/MAC address specfic and therefore broadcast/multicast packets get passed (they have special broadcast/multicast MAC and IP adresses).
Hope it helps…
Thanks for the response SerpentFly.
I’ll have to evaluate in this case what rule we apply exactly, because the intent was in the manifesting case for all Tcp/Udp packets regardless of IP-s to be applied (allowed, FILTER_PACKET_PASS) but instead the same rule (same fields, except action field) applied only for FILTER_PACKET_REDIRECTRegards
-Ghita“What I find strange is that even if I have set as priority rules, a rule that blocks all tcp and one all udp traffic I still “catch” netbios(port 137, broadcast) and link local multicast resolution (port 5355) traffic on my last filter rule (the rule that says to inspect – FILTER_PACKET_REDIRECT)”
I come with new information about my findings. I simplified my used filters and have following conclusions:
1. In our application packets that don’t have to be allowed/blocked/intercepted by using our custom nt kernel filters have to be allowed to pass without interception (we **don’t** need them to be passed into user mode at all)
2. what I’ve observed is that any packet that doesn’t match a specific filter seem to be intercepted by default by ntkernel (passed to user mode). Is this true ?
3. In case 2 is true how do I define a “default” filter rule so that all non matched (by more priority filters) traffic gets allowed(FILTER_PACKET_PASS) and not intercepted(FILTER_PACKET_REDIRECT) ? We use now what’s bellow but seems to not match all (remaining) traffic:
STATIC_FILTER result = {0};
result.m_Adapter.QuadPart = 0;
result.m_ValidFields = 0;
result.m_FilterAction = FILTER_PACKET_PASS;
result.m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
return result;As you can see I use m_Adapter set to 0 in hope that default will be allow traffic for all network interfaces.
Any hints are appreciated.
Thanks
-GhitaAny ideas anybody ?
The facts were presented in my last post. I can reproduce the behavior with the piece of code posted. Is there a way to handle some packets with PACKET_REDIRECT (based on some filters) and for the rest to have a default rule that says PACKET_PASS, so that I don’t receive in user mode traffic I’m not interested in ?
-Ghita
If you look at the filter.cpp sample you can find the scenario which redirects only DNS packets to user mode and passes any other packets. Filters are defined as the following:
//**************************************************************************************
// 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;
// Transport layer filter
pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;
//****************************************************************************************
// 2. Incoming DNS responses filter: REDIRECT IN UDP packets with source PORT 53
// Common values
pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_REDIRECT;
pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;
// Network layer filter
pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;
// Transport layer filter
pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 53; // DNS
pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 53;
//***************************************************************************************
// 3. Pass all packets (skipped by previous filters) without processing in user mode
// Common values
pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[2].m_ValidFields = 0;
pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;
break;Does this sample work for you?
- You must be logged in to reply to this topic.