最近在项目中需要使用FwpsPendOperation0这个函数,仔仔细细的把msdn上关于这个函数的英文都看了,受益匪浅,这个函数还是挺有意思的.
NTSTATUS NTAPI FwpsPendOperation0( _In_ HANDLE completionHandle, _Out_ HANDLE *completionContext );
- completionHandle [in]
-
A completion handle that is required to pend the current filtering operation. This parameter is obtained from the
completionHandle member of the
FWPS_INCOMING_METADATA_VALUES0 structure passed into the callout driver's
classifyFn function. - completionContext [out]
-
The handle to the completion context of this pend operation. When the callout is ready to resume packet processing, it calls the
FwpsCompleteOperation0 function with the value of this parameter as the input
completionContext parameter.
To complete a connection that was previously pended at the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_
Xxx layer, the callout driver must reinject the packet that was cloned at that layer as well as call the
FwpsCompleteOperation0 function.
//一个在FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_ Xxx层之前挂起的连接,如果想完成它,Callout比如reinject在那一层克隆的包,同时还要调用FwpsCompleteOperation0函数
To be able to pend packet processing, the callout driver's
classifyFn function should set the actionType member of the
FWPS_CLASSIFY_OUT0 structure to FWP_ACTION_BLOCK and the
Flags member to FWPS_CLASSIFY_OUT_FLAG_ABSORB.
//想挂起一个包处理,在Callout的classifyFn函数中必须设置actionType成员为FWP_ACTION_BLOCK,设置Flags成员为FWPS_CLASSIFY_OUT_FLAG_ABSORB.
Pended connections are reauthenticated after the FwpsCompleteOperation0 function executes. TCP connections, if allowed, are created by completing the handshake operation, but non-TCP connections only create state entries. Any pended packet
data is flushed from memory when the FwpsPendOperation0 function completes, so applications must retransmit those packets after
FwpsCompleteOperation0 runs. Callouts could buffer such data and reinject the data on their behalf.
//已被挂起的连接在FwpsCompleteOperation0函数执行后,就被重新识别了.
tcp连接,在三次握手完成以后就被创建了,但是非tcp连接仅仅创建了状态信息.当FwpsPendOperation0函数完成时,所有pended包数据都将从内存中清除.所以,应用程序在FwpsCompleteOperation0函数运行以后,必须重传这些数据,Callout函数可以缓冲一些数据,然后reinject这些数据on their behalf.(*^__^*) 嘻嘻……
Only an initial Application Layer Enforcement (ALE) flow authorization can be postponed by calling
FwpsPendOperation0 and FwpsCompleteOperation0.
If an ALE flow is reauthorized, the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set. A call to
FwpsPendOperation0 from the FWPM_LAYER_ALE_AUTH_CONNECT_ Xxx or FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_
Xxx filtering layers will fail if the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set, and the STATUS_FWP_CANNOT_PEND status code will be
returned. For more information, see ALE Reauthorization in the Windows SDK.
如果一个ALE流是reauthorized的,FWP_CONDITION_FLAG_IS_REAUTHORIZE这个标志被设置.
在FWPM_LAYER_ALE_AUTH_CONNECT_ Xxx层和FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_
Xxx层调用FwpsPendOperation0函数,如果设置了FWP_CONDITION_FLAG_IS_REAUTHORIZE标志.那么函数调用将会失败.
状态码返回STATUS_FWP_CANNOT_PEND
所以在处理的时候必须要对FWP_CONDITION_FLAG_IS_REAUTHORIZE这个标志进行判断,否则