Processing Classify Callouts Asynchronously
A WFP callout driver can authorize or deny a network operation, or admit or discard a network packet, by returning the action types FWP_ACTION_PERMIT, FWP_ACTION_CONTINUE, or FWP_ACTION_BLOCK from the classifyFn callout function. Frequently a callout driver cannot return an inspection decision from its classifyFn function until the indicated information, such as classifiable fields, metadata, or packets, can be forwarded for processing to another component, such as a user-mode application. In these cases a decision may have to be made asynchronously at some later time.
Asynchronous ALE Classify
A callout driver must call the FwpsPendOperation0 function from classifyFn. The asynchronous operation must be completed with a call to the FwpsCompleteOperation0 function.
Asynchronous Packet Classify
A callout driver should return FWP_ACTION_BLOCK from the classifyFn function, with the FWPS_CLASSIFY_OUT_FLAG_ABSORB flag set. Network packets must be referenced or cloned. The asynchronous operation is completed by either reinjecting the cloned or modified packet or by silently discarding the packet.
Asynchronous ALE Classify That Includes Packets
A combination of the previous two procedures is used: the classify operation is pended and the packet is referenced or cloned, and at some time later the call to classifyFn is completed and the cloned packet is reinjected or discarded.
Special Cases and Considerations
- ALE Connect vs. Receive/Accept Layers
-
When FwpsCompleteOperation0 is called to complete a pended classify operation at an ALE connect layer (FWPS_LAYER_ALE_AUTH_CONNECT_V4 or
FWPS_LAYER_ALE_AUTH_CONNECT_V6), an ALE reauthorization classify operation is triggered at the respective ALE connect layer. The callout driver should return an inspection decision from this reauthorization classify operation. You can detect
an ALE reauthorization classify operation by checking whether the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set.The callout driver must maintain a unique state for each pended ALE_AUTH_CONNECT classify operation in such a way that the inspection decision for each classify operation can be looked up during a
FwpsCompleteOperation0-triggered reauthorization. If packets are referenced or cloned during a pended ALE_AUTH_CONNECT classify operation (for example, for non-TCP connections), they can be reinjected after reauthorization occurs.When FwpsCompleteOperation0 is called during with a classify operation at an ALE receive/accept layer (FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4 or
FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6), FwpsCompleteOperation0 does not trigger an ALE reauthorization. Instead a new call to
classifyFn is made again when the cloned packet is reinjected incoming if the modification was not significant enough to bypass the filter. Permitting the self-injected clone from the ALE_RECV_ACCEPT layer effectively authorizes the incoming connection.
If the incoming connection is not to be allowed, discard the incoming packet after it calls
FwpsCompleteOperation0. - ALE Reauthorization
-
A callout driver can be reclassified at an ALE connect or receive/accept layer for events such as a policy change (for example, adding or removing a filter at the layer), detecting a new arrival interface, and re-keying a connection by using IPsec. Such
a reauthorization cannot be pended by calling FwpsCompleteOperation0, and it is not necessary to do so. A callout driver should use the rules listed previously to process packets that are indicated during reauthorization.Be aware that both incoming and outgoing packet can be reauthorized at ALE_AUTH_CONNECT or ALE_RECV_ACCEPT layers. For example, an incoming packet can be reauthorized at the ALE_AUTH_CONNECT layer. A callout driver must not assume that the direction of the
packet is the same as the direction of the connection. - ALE_FLOW_ESTABLISHED Layers
-
Asynchronous processing is not supported at these layers (FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4 or
FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6). - INBOUND_TRANSPORT Layers
-
A callout driver must not perform asynchronous processing of packets that require ALE classify processing at an incoming (inbound) transport layer (FWPS_LAYER_INBOUND_TRANSPORT_V4 or
FWPS_LAYER_INBOUND_TRANSPORT_V6). Doing this can interfere with flow creation. When WFP calls the
classifyFn callout function at an incoming transport layer, it sets the
FWPS_METADATA_FIELD_ALE_CLASSIFY_REQUIRED flag for those packets that require ALE classify processing. A callout driver should permit such packets from an INBOUND_TRANSPORT layer and should defer processing them until they reach an ALE_RECV_ACCEPT
layer. - STREAM Layers
-
At a stream layer (FWPS_LAYER_STREAM_V4 or FWPS_LAYER_STREAM_V6), TCP data segments are indicated instead of an IP or TCP header. The stream layer is also where a chain of net buffer lists can be indicated in one call to
the classifyFn callout function. WFP makes available specialized clone and injection functions,
FwpsCloneStreamData0 and
FwpsStreamInjectAsync0, for stream layer callouts to use.Because of the ordered delivery nature of stream layer data, a callout driver must continue to clone and absorb data as long any stream data is still pending. Mixing asynchronous and synchronous operations for a given stream flow can result in undefined
behavior.
一个WFP Callout驱动通过在Classify Callout函数中返回FWP_ACTION_PERMIT,FWP_ACTION_CONTINUE或者FWP_ACTION_BLOCK标识,授权或者否决一个网络操作,放行或者丢弃一个网络包.
通常情况下,callout驱动不能在classifyFn函数立即返回检查结果,必须异步等待一些相关数据的处理,比如classifiable fields,metadata,packets,它们可能会被转发给其他组件(比如应用程序)来处理.
异步ALE Classify
callout驱动必须在classifyFn中调用FwpsPendOperation0异步处理。异步操作是通过调用FwpsCompleteOperation0函数来完成的.
异步Packet Classify
callout驱动应该在classify函数中返回FWP_ACTION_BLOCK并设置FWPS_CLASSIFY_OUT_FLAG_ABSORB标志。网络包必须被引用或克隆。异步操作通过重新注入已复制或已修改的包,或静默丢包来完成.
异步ALE Classify包含packet
包括上述的两个过程,classify操作被挂起,包被引用或者克隆,一段时间后,classifyFn 函数调用完成,克隆的包被重新注入或者丢弃.
特殊情况如下:
ALE Connect vs. Receive/Accept 层
当在ALE Connect层调用FwpsCompleteOperation0函数来完成挂起状态的classify 行为(FWPS_LAYER_ALE_AUTH_CONNECT_V4或FWPS_LAYER_ALE_AUTH_CONNECT_V6),此时,ALE的授权classify操作在各自的ALE Connect层被触发.Callout驱动必须在授权classify函数中返回检查结果.可以通过FWP_CONDITION_FLAG_IS_REAUTHORIZE标志看是不是reauthoriaztion行为。
callout驱动必须为每一个pended的ALE_AUTH_CONNECT classify行为维持一个唯一的状态,以便于在FwpsCompleteOperation0函数触发的reauthoriaztion期间,对每一个classify行为的inject结果都可以被查询。如果数据包在挂起的ALE_AUTH_CONNECT classify行为期间被引用或者被克隆,他们将在reauthorization发生后被重新注入网络栈。
当 ALE Receive/Accept((FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4 or FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6)完成一个classify操作时,此时调用FwpsCompleteOperation0 函数不会触发ALE reauthoriaztion操作。
ALE Reauthorization
当一些事件发生时,比如策略改变(例如增加删除一个filter),检测到新的arrival接口,通过使用IPsec更新连接密钥, callout驱动可以在ALE connect或者receive/accept层被重新分配等级.
这种reauthoriaztion不能通过调用FwpsCompleteOperation0来挂起,而且没有必要这么做。callout驱动在可以利用之前定义的规则来处理数据包.
请注意,所有进来和出去的数据包都可以在ALE_AUTH_CONNECT或者ALE_RECV_ACCEPT层被reauthorized。例如,一个进来的数据包可以被reauthorized在ALE_AUTH_CONNECT层。Callout驱动不可以假设包的方向和连接的方向相同。
ALE_FLOW_ESTABLISHED ALE流建立层
FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4 or FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6)层不支持异步处理数据
INBOUND_TRANSPORT 层
callout驱动不能在Incoming或Inbound 传输层,对需要ALE Classify 处理的数据包进行异步操作.这个可以和流的创建进行交互。当wfp在Incoming传输层调用classify函数时,它对那些需要ALE classify处理的包设置了FWPS_METADATA_FIELD_ALE_CLASSIFY_REQUIRED标志。
callout驱动应该在INBOUND TRANSPORT层对这种包放行,并且到包到达ALE_RECV_ACCEPT层才进行处理。
STREAM Layers 数据流层
在stream层(FWPS_LAYER_STREAM_V4 or FWPS_LAYER_STREAM_V6),tcp数据段代替了ip或者tcp头提交。stream层也是net buffer list可以被提交的在classify 函数中。WFP
WFP使得在stream层可以使用FwpsCloneStreamData0 和 FwpsStreamInjectAsync0函数进行专门的注入和克隆。
因为提交的stream层的数据的有序性,只要流数据是pending的,callout驱动必须持续的复制和处理数据,。对一个给定的数据流混合同步和异步操作对导致异常行为。
codergeek qq:1078285863