Using a Callout for Deep Inspection of Stream Data
When a callout inspects stream data, its classifyFn callout function can inspect any combination of the fixed data fields, the metadata fields, and the raw stream data that is passed to it, together with any relevant data that has been stored in a context associated with the filter or the data flow.
For example:

    // classifyFn callout function
    VOID NTAPI
    ClassifyFn(
        IN const FWPS_INCOMING_VALUES0 *inFixedValues,
        IN const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
        IN OUT VOID *layerData,
        IN const FWPS_FILTER0 *filter,
        IN UINT64 flowContext,
        IN OUT FWPS_CLASSIFY_OUT *classifyOut
        )
    {
        FWPS_STREAM_CALLOUT_IO_PACKET0 *ioPacket;
        FWPS_STREAM_BUFFER0 *dataStream;
        UINT32 bytesRequired;
        SIZE_T bytesToPermit;
        SIZE_T bytesToBlock;
        ...

        // Get a pointer to the stream callout I/O packet
        ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET0 *)layerData;

        // Get the data fields from inFixedValues
        ...

        // Get any metadata fields from inMetaValues
        ...

        // Get the pointer to the data stream
        dataStream = ioPacket->dataStream;

        // Get any filter context data from filter->context
        ...

        // Get any flow context data from flowContext
        ...

        // Inspect the various data sources to determine
        // the action to be taken on the data
        ...

        // If more stream data is required to make a determination...
        if (...) {
            // Let the filter engine know how many more bytes are needed
            ioPacket->streamAction = FWPS_STREAM_ACTION_NEED_MORE_DATA;
            ioPacket->countBytesRequired = bytesRequired;
            ioPacket->countBytesEnforced = 0;

            // Set the action to continue to the next filter
            classifyOut->actionType = FWP_ACTION_CONTINUE;
            return;
        }
        ...

        // If some or all of the data should be permitted...
        if (...) {
            // No stream-specific action is required
            ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;

            // Let the filter engine know how many of the leading bytes
            // in the stream should be permitted
            ioPacket->countBytesRequired = 0;
            ioPacket->countBytesEnforced = bytesToPermit;

            // Set the action to permit the data
            classifyOut->actionType = FWP_ACTION_PERMIT;
            return;
        }
        ...

        // If some or all of the data should be blocked...
        if (...) {
            // No stream-specific action is required
            ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;

            // Let the filter engine know how many of the leading bytes
            // in the stream should be blocked
            ioPacket->countBytesRequired = 0;
            ioPacket->countBytesEnforced = bytesToBlock;

            // Set the action to block the data
            classifyOut->actionType = FWP_ACTION_BLOCK;
            return;
        }
        ...

        // If the decision to permit or block should be passed
        // to the next filter in the filter engine...
        if (...) {
            // No stream-specific action is required
            ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;

            // No bytes are affected by this callout
            ioPacket->countBytesRequired = 0;
            ioPacket->countBytesEnforced = 0;

            // Set the action to continue to the next filter
            classifyOut->actionType = FWP_ACTION_CONTINUE;
            return;
        }
        ...
    }

The value of filter->action.type determines which actions the callout's classifyFn callout function should return in the actionType member of the structure pointed to by the classifyOut parameter. For more information about these actions, see the FWPS_ACTION0 structure.
For more information about packet and stream data inspection, see Packet and Stream Data Inspection.
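
The following is an added example, not part of the original documentation: a user-mode model of the decision the "Inspect the various data sources" step has to produce for a length-prefixed protocol. The framing (2-byte type, 2-byte big-endian length), `verdict_t`, `inspect_stream`, `MAX_BODY` and `TYPE_FORBIDDEN` are hypothetical stand-ins rather than WFP types, and the model assumes the required count is the total size of the record being waited for.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the values a stream callout writes back; not WFP types. */
typedef enum { DEC_NEED_MORE, DEC_PERMIT, DEC_BLOCK } decision_t;

typedef struct {
    decision_t decision;
    size_t bytes_required;  /* models countBytesRequired */
    size_t bytes_enforced;  /* models countBytesEnforced */
} verdict_t;

#define HDR_LEN        4u       /* constructed framing: type(2) + length(2) */
#define MAX_BODY       4096u    /* cap so a peer cannot force large buffering */
#define TYPE_FORBIDDEN 0x00FFu  /* constructed record type that policy blocks */

/* Decide what to do with the first record in buf[0..len). */
verdict_t inspect_stream(const uint8_t *buf, size_t len)
{
    verdict_t v = { DEC_NEED_MORE, 0, 0 };

    if (len < HDR_LEN) {            /* header incomplete: wait for all of it */
        v.bytes_required = HDR_LEN;
        return v;
    }

    uint16_t type = (uint16_t)((buf[0] << 8) | buf[1]);
    size_t body = ((size_t)buf[2] << 8) | buf[3];

    if (body > MAX_BODY) {          /* refuse to buffer an oversize record */
        v.decision = DEC_BLOCK;
        v.bytes_enforced = len;
        return v;
    }

    size_t record = HDR_LEN + body;
    if (len < record) {             /* body incomplete: wait for the full record */
        v.bytes_required = record;
        return v;
    }

    /* Full record present: the verdict covers only its leading bytes,
       so any later record in the buffer gets its own decision. */
    v.decision = (type == TYPE_FORBIDDEN) ? DEC_BLOCK : DEC_PERMIT;
    v.bytes_enforced = record;
    return v;
}
```

Deciding one complete record at a time keeps a partially received record from being permitted before its type and length have been checked.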