WFP Callout Driver Data Offset Positions (Compact 2013)
3/26/2014
When the filter engine calls a callout's classifyFn function, the data offset in the NET_BUFFER_LIST structure that was passed to the classifyFn function points to a specific position in the packet data. The position that the data offset points to depends on the filtering layer at which the filter engine calls the callout's classifyFn function. The position at each filtering layer is described in the following table:
Run-time Filtering Layer Identifier | Position in the Packet Data |
---|---|
FWPS_LAYER_INBOUND_IPPACKET_V4<br>FWPS_LAYER_INBOUND_IPPACKET_V6 | The beginning of the transport header |
FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD<br>FWPS_LAYER_INBOUND_IPPACKET_V6_DISCARD | Varies depending on the discard reason |
FWPS_LAYER_OUTBOUND_IPPACKET_V4<br>FWPS_LAYER_OUTBOUND_IPPACKET_V6 | The beginning of the IP header |
FWPS_LAYER_OUTBOUND_IPPACKET_V4_DISCARD<br>FWPS_LAYER_OUTBOUND_IPPACKET_V6_DISCARD | Varies depending on the discard reason |
FWPS_LAYER_IPFORWARD_V4<br>FWPS_LAYER_IPFORWARD_V6 | The beginning of the IP header |
FWPS_LAYER_IPFORWARD_V4_DISCARD<br>FWPS_LAYER_IPFORWARD_V6_DISCARD | The beginning of the IP header |
FWPS_LAYER_INBOUND_TRANSPORT_V4<br>FWPS_LAYER_INBOUND_TRANSPORT_V6 | The beginning of the data |
FWPS_LAYER_INBOUND_TRANSPORT_V4_DISCARD<br>FWPS_LAYER_INBOUND_TRANSPORT_V6_DISCARD | The beginning of the data |
FWPS_LAYER_OUTBOUND_TRANSPORT_V4<br>FWPS_LAYER_OUTBOUND_TRANSPORT_V6 | The beginning of the transport header |
FWPS_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD<br>FWPS_LAYER_OUTBOUND_TRANSPORT_V6_DISCARD | The beginning of the transport header |
FWPS_LAYER_STREAM_V4<br>FWPS_LAYER_STREAM_V6 | The beginning of the data |
FWPS_LAYER_STREAM_V4_DISCARD<br>FWPS_LAYER_STREAM_V6_DISCARD | The beginning of the data |
FWPS_LAYER_DATAGRAM_DATA_V4<br>FWPS_LAYER_DATAGRAM_DATA_V6 | For incoming datagrams, the beginning of the data<br>For outgoing datagrams, the beginning of the transport header |
FWPS_LAYER_DATAGRAM_DATA_V4_DISCARD<br>FWPS_LAYER_DATAGRAM_DATA_V6_DISCARD | For incoming datagrams, the beginning of the data<br>For outgoing datagrams, the beginning of the transport header |
FWPS_LAYER_INBOUND_ICMP_ERROR_V4<br>FWPS_LAYER_INBOUND_ICMP_ERROR_V6 | The beginning of the inner IP header |
FWPS_LAYER_INBOUND_ICMP_ERROR_V4_DISCARD<br>FWPS_LAYER_INBOUND_ICMP_ERROR_V6_DISCARD | The beginning of the inner IP header |
FWPS_LAYER_OUTBOUND_ICMP_ERROR_V4<br>FWPS_LAYER_OUTBOUND_ICMP_ERROR_V6 | The beginning of the ICMP header |
FWPS_LAYER_OUTBOUND_ICMP_ERROR_V4_DISCARD<br>FWPS_LAYER_OUTBOUND_ICMP_ERROR_V6_DISCARD | The beginning of the ICMP header |
FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4<br>FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V6 | Not applicable |
FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD<br>FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V6_DISCARD | Not applicable |
FWPS_LAYER_ALE_AUTH_LISTEN_V4<br>FWPS_LAYER_ALE_AUTH_LISTEN_V6 | Not applicable |
FWPS_LAYER_ALE_AUTH_LISTEN_V4_DISCARD<br>FWPS_LAYER_ALE_AUTH_LISTEN_V6_DISCARD | Not applicable |
FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4<br>FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6 | For incoming packet direction, the beginning of the data<br>For outgoing packet direction, the beginning of the transport header |
FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD<br>FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6_DISCARD | For incoming packet direction, the beginning of the data<br>For outgoing packet direction, the beginning of the transport header |
FWPS_LAYER_ALE_AUTH_CONNECT_V4<br>FWPS_LAYER_ALE_AUTH_CONNECT_V6 | For non-TCP traffic, the beginning of the data<br>For TCP traffic, not applicable |
FWPS_LAYER_ALE_AUTH_CONNECT_V4_DISCARD<br>FWPS_LAYER_ALE_AUTH_CONNECT_V6_DISCARD | For non-TCP traffic, the beginning of the data<br>For TCP traffic, not applicable |
FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4<br>FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6 | Not applicable |
FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4_DISCARD<br>FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6_DISCARD | Not applicable |
FWPS_LAYER_IPSEC_KM_DEMUX_V4<br>FWPS_LAYER_IPSEC_KM_DEMUX_V6 | Not applicable |
FWPS_LAYER_IPSEC_V4<br>FWPS_LAYER_IPSEC_V6 | Not applicable |
FWPS_LAYER_IKEEXT_V4<br>FWPS_LAYER_IKEEXT_V6 | Not applicable |
FWPS_LAYER_RPC_UM | Not applicable |
FWPS_LAYER_RPC_EPMAP | Not applicable |
FWPS_LAYER_RPC_EP_ADD | Not applicable |
FWPS_LAYER_RPC_PROXY_CONN | Not applicable |
FWPS_LAYER_RPC_PROXY_IF | Not applicable |
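
The following added example (not part of the original reference, and not WFP API code) is a user-mode C model of the adjustment a callout has to make before it reads the IP header: it turns the position listed in the table into the number of bytes to move back, and refuses any position that does not fit the buffer. The type and function names, the sample packet, and passing the header sizes as plain parameters are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Where the data offset points, per the table (names are this example's own):
 * POS_IP_HEADER        e.g. outbound IP packet, IP forward layers
 * POS_TRANSPORT_HEADER e.g. inbound IP packet, outbound transport layers
 * POS_DATA             e.g. inbound transport, stream layers */
typedef enum { POS_IP_HEADER, POS_TRANSPORT_HEADER, POS_DATA } offset_pos;

/* User-mode stand-in for packet data; `offset` models the data offset. */
typedef struct { const uint8_t *buf; size_t len; size_t offset; } packet_view;

/* Constructed sample: IPv4 header (20) + UDP header (8) + 4 payload bytes. */
static const uint8_t SAMPLE[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xC0,0x00,0x02,0x01, 0xC6,0x33,0x64,0x02,          /* 192.0.2.1 -> 198.51.100.2 */
    0x30,0x39,0x00,0x35, 0x00,0x0C,0x00,0x00,          /* UDP 12345 -> 53, length 12 */
    'd','a','t','a' };

/* Bytes the offset must move back to reach the IP header. */
static size_t retreat_needed(offset_pos pos, size_t ip_hdr, size_t tp_hdr) {
    if (pos == POS_TRANSPORT_HEADER) return ip_hdr;
    if (pos == POS_DATA) return ip_hdr + tp_hdr;
    return 0;
}

/* Returns 0 and fills proto/src; -1 if the position or sizes do not fit the buffer. */
static int read_ipv4_header(const packet_view *p, offset_pos pos, size_t ip_hdr,
                            size_t tp_hdr, uint8_t *proto, uint32_t *src) {
    size_t back = retreat_needed(pos, ip_hdr, tp_hdr);
    if (p->offset > p->len || back > p->offset) return -1;  /* retreat leaves buffer */
    size_t ip = p->offset - back;
    if (ip_hdr < 20 || ip_hdr > p->len - ip) return -1;     /* header must fit */
    const uint8_t *h = p->buf + ip;
    if ((h[0] >> 4) != 4 || (size_t)(h[0] & 0x0F) * 4 != ip_hdr) return -1;
    *proto = h[9];
    *src = ((uint32_t)h[12] << 24) | ((uint32_t)h[13] << 16) |
           ((uint32_t)h[14] << 8) | h[15];
    return 0;
}

int main(void) {
    uint8_t proto; uint32_t src;
    packet_view v = { SAMPLE, sizeof SAMPLE, 28 };          /* offset at the data */
    return read_ipv4_header(&v, POS_DATA, 20, 8, &proto, &src);
}
```

Treating an offset that points at the data as if it pointed at the IP header makes the read fail here, because the bytes at that position are not a complete IPv4 header.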
See Also
Reference
WFP Callout Driver Constants
classifyFn
NET_BUFFER_LIST
WFP Callout Driver Built-in Callout Identifiers
WFP Callout Driver Filtering Layer Identifiers
WFP Callout Driver Filtering Conditions
WFP Callout Driver Data Field Identifiers
WFP Callout Driver Metadata Fields
WFP Callout Driver Discard Reason Identifiers
WFP Callout Driver Reference