[Vadim Smirnov]

Is it possible to unaccept a certain kind of packet(e.g. packets with the same source IP addr) just using the use-mode APIs provided in WinpkFilter?

You mean drop these packets? If so then yes you can just skip reinjecting into the stack API calls (SendPacketToMstcp, SendPacketToAdapter) for these packets.

[Vadim Smirnov]

I wonder if the Net Firewall supports a simple one to many NAT.

One to many NAT is not implemented in the current version of NeT Firewall.

[Vadim Smirnov]

if we detect some harmful site(http packet) in winpkfilter we redirect alert site.

Since connection to the harmful site already established it can’t be easily redirected (normally redirection should occure during connection establishment). However, you can terminate connection to the harmful site and drop all packet to/from it, alert user about harmful site, redirect all newly established HTTP user sessions from the registered harmful site to the alert site and etc…

[Vadim Smirnov]

Пишу TDI-фильтр для устройства TCP. Задача фильтра — определять и собирать в буфер сообщения HTTP с последующей выдачей наверх приложению Win32. Через обработчик TDI_SEND может проходить как полноформатное HTTP сообщение, так и отдельные куски, вплоть до отдельных байтов. Интересует вопрос, есть ли способы корректно определить, что передаваемое побайтно сообщение именно HTTP, а не что-то другое.

На уровне TDI все выглядит точно так же как и в обычном сокете, так что есть ли способ по куску данных случайно выхваченого из потока данных сокета достоверно определить HTTP протокол? Маловероятно, если только этот кусок не достаточно велик чтобы содержать достоверные сигнатуры HTTP (заголовки запросов/ответов например). Можно еще смотреть на порты, но вообще говоря HTTP сервер не обязан работать на 80 порту. Единственный достоверный способ – это анализировать весь поток данных, выбирать и опознавать HTTP заголовки.

[Vadim Smirnov]

I am just running the examples, PassThru and PacketSniffer only.

but its not sniffing in the XP-bridge mode.

Well it works OK in test environment and you are the first one who reported problems like this. Could you provide the complete details about it? It would be good if you provide ipconfig output, listadapters output and how do you start passthru sample (with it’s output compared to some other tool which shows you packets). Some broken functionality can be alo caused by installed firewall or some sort of other low level network software.

Also, which version of WinpkFilter are you using?

[Vadim Smirnov]

Can you provide some C code for this purpose ?

The routine below is taken from the Internet Gateway source and implements NAT processing:

unsigned __stdcall CsnatDlg::StartNAT ( void* pArguments )

{

CsnatDlg*			pDlg = (CsnatDlg*)pArguments;

HANDLE				hEvents[ADAPTER_LIST_SIZE + 1];

CNetworkInterface*	hAdapters [ADAPTER_LIST_SIZE + 1];

CNetworkInterface	*pNetCard, *pProviderCard;

unsigned			dwActiveAdaptersCount = 1;

ADAPTER_MODE		Mode;

ETH_REQUEST			Request;

INTERMEDIATE_BUFFER PacketBuffer;

DWORD				dwWait, dwIndex;

ether_header*		pEthHeader;

iphdr*				pIpHeader;

tcphdr*				pTcpHeader;

udphdr*				pUdpHeader;



Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;



hEvents[0] = pDlg->m_hNATTerminateEvent;



// Walk adapters list and initialize provider and clients interfaces

POSITION pos = pDlg->m_NetCardsList.GetHeadPosition();



for (unsigned i = 0; i < pDlg->m_dwAdapterCount; ++i)

{

pNetCard = (CNetworkInterface*)pDlg->m_NetCardsList.GetNext(pos);



if ((pNetCard->m_NATState == CLIENT) || (pNetCard->m_NATState == PROVIDER))

{

hAdapters[dwActiveAdaptersCount] = pNetCard;

hEvents[dwActiveAdaptersCount] = ::CreateEvent(NULL, TRUE, FALSE, NULL);

pDlg->m_NdisApi.SetPacketEvent(pNetCard->m_hAdapter, hEvents[dwActiveAdaptersCount]);

Mode.hAdapterHandle = pNetCard->m_hAdapter;

pDlg->m_NdisApi.SetAdapterMode(&Mode);

dwActiveAdaptersCount++;



if(pNetCard->m_NATState == PROVIDER)

pProviderCard = pNetCard;

}

}



// Initialize Request

ZeroMemory ( &Request, sizeof(ETH_REQUEST) );

ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );

Request.EthPacket.Buffer = &PacketBuffer;



do

{

dwWait = ::WaitForMultipleObjects(

dwActiveAdaptersCount,

hEvents,

FALSE,

INFINITE

);



dwIndex = dwWait - WAIT_OBJECT_0;



if (!dwIndex)

continue;



::ResetEvent(hEvents[dwIndex]);



Request.hAdapterHandle = hAdapters[dwIndex]->m_hAdapter;



// Read all queued packets from the specified interface

while(pDlg->m_NdisApi.ReadPacket(&Request))

{

pEthHeader = (ether_header*)PacketBuffer.m_IBuffer;

if ( ntohs(pEthHeader->h_proto) == ETH_P_IP )

{

pIpHeader = (iphdr*)(PacketBuffer.m_IBuffer + ETHER_HEADER_LENGTH);



// Check if connection is established from local system (we don't do NAT processing

// for local system)

BOOL bIsLocalAddress = hAdapters[dwIndex]->IsLocalAddress(&pIpHeader->ip_src);



if (bIsLocalAddress && (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))

{

// Place packet on the network interface

pDlg->m_NdisApi.SendPacketToAdapter(&Request);



continue;

}



// TCP packet processing

if (pIpHeader->ip_p == IPPROTO_TCP)

{

// This is TCP packet, get TCP header pointer

pTcpHeader = (tcphdr*)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);



// Outgoing TCP packets processing

if ((hAdapters[dwIndex]->m_NATState == PROVIDER)&&

(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))

{

CPortNATEntry* pTcpNE = NULL;



if (pTcpHeader->th_flags == TH_SYN)

{

// New TCP connnection established, allocate dynamic NAT entry

pTcpNE = pDlg->m_TcpNatTable.Allocate(pIpHeader->ip_src, pTcpHeader->th_sport, pIpHeader->ip_dst, pTcpHeader->th_dport);



if(pTcpNE)

{

pTcpNE->m_IpNAT = hAdapters[dwIndex]->m_NATIp;

}

}

else

{

// Try to locate xisting NAT entry

pTcpNE = pDlg->m_TcpNatTable.Find(pIpHeader->ip_src, pTcpHeader->th_sport, pIpHeader->ip_dst, pTcpHeader->th_dport);

}



if (pTcpNE)

{

// If NAT entry is found perform NAT processing

pIpHeader->ip_src.S_un.S_addr = htonl(pTcpNE->m_IpNAT.S_un.S_addr);

pTcpHeader->th_sport = htons(pTcpNE->m_usNATPort);

// Recalculate checksums

RecalculateTCPChecksum (&PacketBuffer);

RecalculateIPChecksum(pIpHeader);

}

}



// Incoming TCP packets processing

if ((hAdapters[dwIndex]->m_NATState == PROVIDER)&&

(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE))

{

// Map connection to the NAT entry if the one exists

CPortNATEntry* pTcpNE = pDlg->m_TcpNatTable.Map(pTcpHeader->th_dport);

if (pTcpNE)

{

// NAT entry exists, make NAT processing

if (htonl(pTcpNE->m_IpDst.S_un.S_addr) == pIpHeader->ip_src.S_un.S_addr)

{

pIpHeader->ip_dst.S_un.S_addr = htonl(pTcpNE->m_IpSrc.S_un.S_addr);

pTcpHeader->th_dport = htons(pTcpNE->m_usSrcPort);

RecalculateTCPChecksum (&PacketBuffer);

RecalculateIPChecksum(pIpHeader);

}

}



}

}

// UDP packets processing

if (pIpHeader->ip_p == IPPROTO_UDP)

{

// This is UDP packet, get UDP header pointer

pUdpHeader = (udphdr*)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);



// DNS hook

// If we receive DNS packet on the NAT client adapter then we redirect it

// to this system configured DNS server

if ((hAdapters[dwIndex]->m_NATState == CLIENT)&&

(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE))

{

if (ntohs(pUdpHeader->th_dport) == 53/*DNS port*/)

{

// Save the DNS IP used by the NAT client system

hAdapters[dwIndex]->m_LocalDNS.S_un.S_addr = ntohl(pIpHeader->ip_dst.S_un.S_addr);

pIpHeader->ip_dst.S_un.S_addr = pDlg->m_DNSIp.S_un.S_addr;

RecalculateIPChecksum(pIpHeader);

}

}

// DNS reply came, substitute source IP back to the original DNS address

if ((hAdapters[dwIndex]->m_NATState == CLIENT)&&

(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))

{

if (ntohs(pUdpHeader->th_sport) == 53/*DNS port*/)

{

pIpHeader->ip_src.S_un.S_addr = htonl(hAdapters[dwIndex]->m_LocalDNS.S_un.S_addr);

RecalculateIPChecksum(pIpHeader);

}

}

// Outgoing UDP NAT processing

if ((hAdapters[dwIndex]->m_NATState == PROVIDER)&&

(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))

{

CPortNATEntry* pUdpNE = NULL;

// Try to find existing entry

pUdpNE = pDlg->m_UdpNatTable.Find(pIpHeader->ip_src, pUdpHeader->th_sport, pIpHeader->ip_dst, pUdpHeader->th_dport);

// If not found -> allocate a new one

if (!pUdpNE)

{

pUdpNE = pDlg->m_UdpNatTable.Allocate(pIpHeader->ip_src, pUdpHeader->th_sport, pIpHeader->ip_dst, pUdpHeader->th_dport);



if(pUdpNE)

{

pUdpNE->m_IpNAT = hAdapters[dwIndex]->m_NATIp;

}

}

// NAT processing

if (pUdpNE)

{

pIpHeader->ip_src.S_un.S_addr = htonl(pUdpNE->m_IpNAT.S_un.S_addr);

pUdpHeader->th_sport = htons(pUdpNE->m_usNATPort);

RecalculateUDPChecksum (&PacketBuffer);

RecalculateIPChecksum(pIpHeader);

}

}

// Incoming UDP packets processing

if ((hAdapters[dwIndex]->m_NATState == PROVIDER)&&

(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE))

{

CPortNATEntry* pUdpNE = pDlg->m_UdpNatTable.Map(pUdpHeader->th_dport);

if (pUdpNE)

{

if (htonl(pUdpNE->m_IpDst.S_un.S_addr) == pIpHeader->ip_src.S_un.S_addr)

{

pIpHeader->ip_dst.S_un.S_addr = htonl(pUdpNE->m_IpSrc.S_un.S_addr);

pUdpHeader->th_dport = htons(pUdpNE->m_usSrcPort);

RecalculateUDPChecksum (&PacketBuffer);

RecalculateIPChecksum(pIpHeader);

}

}



}

}



}



// Reinject packet into the stack

if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)

{

// Place packet on the network interface

pDlg->m_NdisApi.SendPacketToAdapter(&Request);

}

else

{

// Indicate packet to MSTCP

pDlg->m_NdisApi.SendPacketToMstcp(&Request);

}

}



}while (dwIndex);



// Free all NAT entries

pDlg->m_TcpNatTable.RemoveAll();

pDlg->m_UdpNatTable.RemoveAll();



for (unsigned i = 1; i < dwActiveAdaptersCount; ++i)

{

Mode.dwFlags = 0;

Mode.hAdapterHandle = hAdapters->m_hAdapter;



// Set NULL event to release previously set event object

pDlg->m_NdisApi.SetPacketEvent(hAdapters->m_hAdapter, NULL);



// Close Event

if (hEvents)

CloseHandle ( hEvents );



// Set default adapter mode

pDlg->m_NdisApi.SetAdapterMode(&Mode);



// Empty adapter packets queue

pDlg->m_NdisApi.FlushAdapterPacketQueue (hAdapters->m_hAdapter);

}



_endthreadex( 0 );

return 0;

}

Complete source code for the Internet Gateway is available to registered WinpkFilter customers.

[Vadim Smirnov]

Повторюсь:
Надо для 6.0 и только!

DDKBUILD старый продукт, начинался как раз под VC6, сам им не пользуюсь, но думаю и там он еще работает. Если нет ищите старые версии…

P.S. А вежливости Вас в школе видимо недоучили 🙄

[Vadim Smirnov]

DDKBUILD от http://www.hollistech.com/

[Vadim Smirnov]

We are your customer and have baught Individual User License only.

Since Individual license does not include any drivers customization it can be implemented for the extra fee only.

When we are trying to sniff using WinpkFilter, on the XP Bridge, we don’t see any packets. I mean we can’t sniff.

Please clarify. Are you trying to use listening mode or tunnel mode? Have you tried PassThru and PacketSniffer samples over the bridge or it was your own code? In general WinpkFilter intercepts all packets between XP bridge and TCP/IP stack, so if there any packets and driver is used correctly then you can’t miss them.

[Vadim Smirnov]

Yes, we require that feature. Can you please tell me how I can get that that?

This modification is available to WinpkFilter Source Code and Developer (as a custom build) licensees. If you our customer and own one of the licenses mentioned above then please e-mail [email protected] with your order details (license, order ID and approximate date of purchase) in order to get customized WinpkFilter build.

[Vadim Smirnov]

where i edit ?

If you have access to the source code then you should modify the proc.h in line 22

#define INT_BUF_POOL_SIZE 500

change to

#define INT_BUF_POOL_SIZE 1000 //or 1500

[Vadim Smirnov]

Thats right, when you are not using bridge TCP/IP is bound to your LAN adapters (and you can normally see them), but when using bridge – it is bound to the bridge network adapter (bridge itself is intermediate driver which binds like a protocol to LAN adapters and has network interface on top of it, in this case TCP/IP is bound to this interface and since WinpkFilter driver puts itself between TCP/IP and its adapters then you can see only a bridge).

If you require filtering over raw LAN adapters even if XP bridge is used then it is also possible (in general it is just a simple driver modification and we had a customer who requested this feature before).

[Vadim Smirnov]

а в “железных” маршрутизаторах типа циски используется такой же алгоритм?

Что там в сиске, не знает никто кроме разработчиков сиски.

есть ли оценки его эффективности?

Тут есть какая-то теория:
http://www.lan2net.ru/shaper.shtml

[Vadim Smirnov]

Обычно делается очередь пакетов (размер ограничен разумеется), пакеты из очереди выталкиваются в соответствии с установленой скоростью. В случае переполнения очереди пакеты начинают отбрасываться. Цепляться для выталкивания пакетов нужно к таймеру (на случай если долго нет новых пакетов) и событиям прихода новых пакетов (таймер может срабатывать довольно редко по сравнению с приходом пакетов), высчитываем время с последнего события и передаем столько пакетов сколько пролезло бы по установленному каналу за прошедшее время.

[Vadim Smirnov]

Is source code license the only way to do that?

Developer License is enough, since it already includes custom build it won’t be a problem to change one additional constant.

[Author]

Posts