void
TlInspectCompletePendedConnection(
IN OUT TL_INSPECT_PENDED_PACKET** pendedConnect,
BOOLEAN permitTraffic
)
/* ++
This function completes the pended connection (inbound or outbound)
with the inspection result.
-- */
{
TL_INSPECT_PENDED_PACKET* pendedConnectLocal = *pendedConnect;
if (pendedConnectLocal->direction == FWP_DIRECTION_OUTBOUND)
{
HANDLE completionContext = pendedConnectLocal->completionContext;
pendedConnectLocal->authConnectDecision =
permitTraffic ? FWP_ACTION_PERMIT : FWP_ACTION_BLOCK;
//
// For pended ALE_AUTH_CONNECT, FwpsCompleteOperation0 will trigger
// a re-auth during which the inspection decision is to be returned.
// Here we don't remove the pended entry from the list such that the
// re-auth can find it along with the recorded inspection result.
//
pendedConnectLocal->completionContext = NULL;
FwpsCompleteOperation0(
completionContext,
NULL
);
*pendedConnect = NULL; // ownership transferred to the re-auth path.
}
else
{
if (!configPermitTraffic)
{
FreePendedPacket(pendedConnectLocal);
*pendedConnect = NULL;
}
//
// Permitted ALE_RECV_ACCEPT will pass thru and be processed by
// TLInspectCloneReinjectInbound. FwpsCompleteOperation0 will be called
// then when the net buffer list is cloned; after which the clone will
// be recv-injected.
//
}
}
void NTAPI StreamInjectCompletionFn(
IN void* context,
IN OUT NET_BUFFER_LIST* netBufferList,
IN BOOLEAN dispatchLevel)
{
PENDED_PACKET *packet = (PENDED_PACKET*) context;
UNREFERENCED_PARAMETER(dispatchLevel);
FwpsFreeNetBufferList(netBufferList);
FreePendedPacket(packet);
}
void TLInspectInjectComplete(
IN void* context,
IN OUT NET_BUFFER_LIST* netBufferList,
IN BOOLEAN dispatchLevel
)
{
TL_INSPECT_PENDED_PACKET* packet = context;
UNREFERENCED_PARAMETER(dispatchLevel);
FwpsFreeCloneNetBufferList0(netBufferList, 0);
FreePendedPacket(packet);
}
void
TLInspectTransportClassify(
IN const FWPS_INCOMING_VALUES0* inFixedValues,
IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
IN OUT void* layerData,
IN const FWPS_FILTER0* filter,
IN UINT64 flowContext,
OUT FWPS_CLASSIFY_OUT0* classifyOut
)
/* ++
This is the classifyFn function for the Transport (v4 and v6) callout.
packets (inbound or outbound) are ueued to the packet queue to be processed
by the worker thread.
-- */
{
KLOCK_QUEUE_HANDLE connListLockHandle;
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
TL_INSPECT_PENDED_PACKET* pendedPacket = NULL;
FWP_DIRECTION packetDirection;
ADDRESS_FAMILY addressFamily;
FWPS_PACKET_INJECTION_STATE packetState;
BOOLEAN signalWorkerThread;
UNREFERENCED_PARAMETER(flowContext);
UNREFERENCED_PARAMETER(filter);
//
// We don't have the necessary right to alter the classify, exit.
//
if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
{
goto Exit;
}
ASSERT(layerData != NULL);
//
// We don't re-inspect packets that we've inspected earlier.
//
packetState = FwpsQueryPacketInjectionState0(
gInjectionHandle,
layerData,
NULL
);
if ((packetState == FWPS_PACKET_INJECTED_BY_SELF) ||
(packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF))
{
classifyOut->actionType = FWP_ACTION_PERMIT;
goto Exit;
}
addressFamily = GetAddressFamilyForLayer(inFixedValues->layerId);
packetDirection =
GetPacketDirectionForLayer(inFixedValues->layerId);
if (packetDirection == FWP_DIRECTION_INBOUND)
{
if (IsAleClassifyRequired(inFixedValues, inMetaValues))
{
//
// Inbound transport packets that are destined to ALE Recv-Accept
// layers, for initial authorization or reauth, should be inspected
// at the ALE layer. We permit it from Tranport here.
//
classifyOut->actionType = FWP_ACTION_PERMIT;
goto Exit;
}
else
{
//
// To be compatible with Vista's IpSec implementation, we must not
// intercept not-yet-detunneled IpSec traffic.
//
FWPS_PACKET_LIST_INFORMATION0 packetInfo = {0};
FwpsGetPacketListSecurityInformation0(
layerData,
FWPS_PACKET_LIST_INFORMATION_QUERY_IPSEC |
FWPS_PACKET_LIST_INFORMATION_QUERY_INBOUND,
&packetInfo
);
if (packetInfo.ipsecInformation.inbound.isTunnelMode &&
!packetInfo.ipsecInformation.inbound.isDeTunneled)
{
classifyOut->actionType = FWP_ACTION_PERMIT;
goto Exit;
}
}
}
pendedPacket = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_DATA_PACKET,
packetDirection
);
if (pendedPacket == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (!gDriverUnloading)
{
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedPacket->listEntry);
pendedPacket = NULL; // ownership transferred
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
else
{
//
// Driver is being unloaded, permit any connect classify.
//
signalWorkerThread = FALSE;
classifyOut->actionType = FWP_ACTION_PERMIT;
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
Exit:
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
return;
}
void
TLInspectALERecvAcceptClassify(
IN const FWPS_INCOMING_VALUES0* inFixedValues,
IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
IN OUT void* layerData,
IN const FWPS_FILTER0* filter,
IN UINT64 flowContext,
OUT FWPS_CLASSIFY_OUT0* classifyOut
)
/* ++
This is the classifyFn function for the ALE Recv-Accept (v4 and v6) callout.
For an initial classify (where the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag
is not set), it is queued to the connection list for inspection by the
worker thread. For re-auth, it is queued to the packet queue to be process
by the worker thread like any other regular packets.
-- */
{
NTSTATUS status;
KLOCK_QUEUE_HANDLE connListLockHandle;
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
TL_INSPECT_PENDED_PACKET* pendedRecvAccept = NULL;
TL_INSPECT_PENDED_PACKET* pendedPacket = NULL;
ADDRESS_FAMILY addressFamily;
FWPS_PACKET_INJECTION_STATE packetState;
BOOLEAN signalWorkerThread;
UNREFERENCED_PARAMETER(flowContext);
UNREFERENCED_PARAMETER(filter);
//
// We don't have the necessary right to alter the classify, exit.
//
if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
{
goto Exit;
}
ASSERT(layerData != NULL);
//
// We don't re-inspect packets that we've inspected earlier.
//
packetState = FwpsQueryPacketInjectionState0(
gInjectionHandle,
layerData,
NULL
);
if ((packetState == FWPS_PACKET_INJECTED_BY_SELF) ||
(packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF))
{
classifyOut->actionType = FWP_ACTION_PERMIT;
goto Exit;
}
addressFamily = GetAddressFamilyForLayer(inFixedValues->layerId);
if (!IsAleReauthorize(inFixedValues))
{
//
// If the classify is the initial authorization for a connection, we
// queue it to the pended connection list and notify the worker thread
// for out-of-band processing.
//
pendedRecvAccept = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_CONNECT_PACKET,
FWP_DIRECTION_INBOUND
);
if (pendedRecvAccept == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_COMPLETION_HANDLE));
//
// Pend the ALE_AUTH_RECV_ACCEPT classify.
//
status = FwpsPendOperation0(
inMetaValues->completionHandle,
&pendedRecvAccept->completionContext
);
if (!NT_SUCCESS(status))
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
signalWorkerThread = IsListEmpty(&gConnList) &&
IsListEmpty(&gPacketQueue);
InsertTailList(&gConnList, &pendedRecvAccept->listEntry);
pendedRecvAccept = NULL; // ownership transferred
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
else // re-auth @ ALE_AUTH_RECV_ACCEPT
{
FWP_DIRECTION packetDirection;
//
// The classify is the re-authorization for a existing connection, it
// could have been triggered for one of the two cases --
//
// 1) The re-auth is triggered by an outbound packet sent immediately
// after a policy change at ALE_AUTH_RECV_ACCEPT layer.
// 2) The re-auth is triggered by an inbound packet received
// immediately after a policy change at ALE_AUTH_RECV_ACCEPT layer.
//
ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_PACKET_DIRECTION));
packetDirection = inMetaValues->packetDirection;
pendedPacket = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_REAUTH_PACKET,
packetDirection
);
if (pendedPacket == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
if (packetDirection == FWP_DIRECTION_INBOUND)
{
pendedPacket->ipSecProtected = IsSecureConnection(inFixedValues);
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (!gDriverUnloading)
{
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedPacket->listEntry);
pendedPacket = NULL; // ownership transferred
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
else
{
//
// Driver is being unloaded, permit any connect classify.
//
signalWorkerThread = FALSE;
classifyOut->actionType = FWP_ACTION_PERMIT;
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
Exit:
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
if (pendedRecvAccept != NULL)
{
FreePendedPacket(pendedRecvAccept);
}
return;
}
void
TLInspectALEConnectClassify(
IN const FWPS_INCOMING_VALUES0* inFixedValues,
IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
IN OUT void* layerData,
IN const FWPS_FILTER0* filter,
IN UINT64 flowContext,
OUT FWPS_CLASSIFY_OUT0* classifyOut
)
/* ++
This is the classifyFn function for the ALE connect (v4 and v6) callout.
For an initial classify (where the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag
is not set), it is queued to the connection list for inspection by the
worker thread. For re-auth, we first check if it is triggered by an ealier
FwpsCompleteOperation0 call by looking for an pended connect that has been
inspected. If found, we remove it from the connect list and return the
inspection result; otherwise we can conclude that the re-auth is triggered
by policy change so we queue it to the packet queue to be process by the
worker thread like any other regular packets.
-- */
{
NTSTATUS status;
KLOCK_QUEUE_HANDLE connListLockHandle;
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
TL_INSPECT_PENDED_PACKET* pendedConnect = NULL;
TL_INSPECT_PENDED_PACKET* pendedPacket = NULL;
ADDRESS_FAMILY addressFamily;
FWPS_PACKET_INJECTION_STATE packetState;
BOOLEAN signalWorkerThread;
UNREFERENCED_PARAMETER(flowContext);
UNREFERENCED_PARAMETER(filter);
//
// We don't have the necessary right to alter the classify, exit.
//
if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
{
goto Exit;
}
if (layerData != NULL)
{
//
// We don't re-inspect packets that we've inspected earlier.
//
packetState = FwpsQueryPacketInjectionState0(
gInjectionHandle,
layerData,
NULL
);
if ((packetState == FWPS_PACKET_INJECTED_BY_SELF) ||
(packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF))
{
classifyOut->actionType = FWP_ACTION_PERMIT;
goto Exit;
}
}
addressFamily = GetAddressFamilyForLayer(inFixedValues->layerId);
if (!IsAleReauthorize(inFixedValues))
{
//
// If the classify is the initial authorization for a connection, we
// queue it to the pended connection list and notify the worker thread
// for out-of-band processing.
//
pendedConnect = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_CONNECT_PACKET,
FWP_DIRECTION_OUTBOUND
);
if (pendedConnect == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_COMPLETION_HANDLE));
//
// Pend the ALE_AUTH_CONNECT classify.
//
status = FwpsPendOperation0(
inMetaValues->completionHandle,
&pendedConnect->completionContext
);
if (!NT_SUCCESS(status))
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
signalWorkerThread = IsListEmpty(&gConnList) &&
IsListEmpty(&gPacketQueue);
InsertTailList(&gConnList, &pendedConnect->listEntry);
pendedConnect = NULL; // ownership transferred
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
else // re-auth @ ALE_AUTH_CONNECT
{
FWP_DIRECTION packetDirection;
//
// The classify is the re-authorization for an existing connection, it
// could have been triggered for one of the three cases --
//
// 1) The re-auth is triggered by a FwpsCompleteOperation0 call to
// complete a ALE_AUTH_CONNECT classify pended earlier.
// 2) The re-auth is triggered by an outbound packet sent immediately
// after a policy change at ALE_AUTH_CONNECT layer.
// 3) The re-auth is triggered by an inbound packet received
// immediately after a policy change at ALE_AUTH_CONNECT layer.
//
ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_PACKET_DIRECTION));
packetDirection = inMetaValues->packetDirection;
if (packetDirection == FWP_DIRECTION_OUTBOUND)
{
LIST_ENTRY* listEntry;
BOOLEAN authComplete = FALSE;
//
// We first check whether this is a FwpsCompleteOperation0- triggered
// reauth by looking for a pended connect that has the inspection
// decision recorded. If found, we return that decision and remove
// the pended connect from the list.
//
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
for (listEntry = gConnList.Flink;
listEntry != &gConnList;
listEntry = listEntry->Flink)
{
pendedConnect = CONTAINING_RECORD(
listEntry,
TL_INSPECT_PENDED_PACKET,
listEntry
);
if (IsMatchingConnectPacket(
inFixedValues,
addressFamily,
packetDirection,
pendedConnect
) && (pendedConnect->authConnectDecision != 0))
{
ASSERT((pendedConnect->authConnectDecision == FWP_ACTION_PERMIT) ||
(pendedConnect->authConnectDecision == FWP_ACTION_BLOCK));
classifyOut->actionType = pendedConnect->authConnectDecision;
RemoveEntryList(&pendedConnect->listEntry);
if (!gDriverUnloading &&
(pendedConnect->netBufferList != NULL) &&
(pendedConnect->authConnectDecision == FWP_ACTION_PERMIT))
{
//
// Now the outbound connection has been authorized. If the
// pended connect has a net buffer list in it, we need it
// morph it into a data packet and queue it to the packet
// queue for send injecition.
//
pendedConnect->type = TL_INSPECT_DATA_PACKET;
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedConnect->listEntry);
pendedConnect = NULL; // ownership transferred
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
authComplete = TRUE;
break;
}
}
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (authComplete)
{
goto Exit;
}
}
//
// If we reach here it means this is a policy change triggered re-auth
// for an pre-existing connection. For such a packet (inbound or
// outbound) we queue it to the packet queue and inspect it just like
// other regular data packets from TRANSPORT layers.
//
ASSERT(layerData != NULL);
pendedPacket = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_REAUTH_PACKET,
packetDirection
);
if (pendedPacket == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
if (packetDirection == FWP_DIRECTION_INBOUND)
{
pendedPacket->ipSecProtected = IsSecureConnection(inFixedValues);
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (!gDriverUnloading)
{
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedPacket->listEntry);
pendedPacket = NULL; // ownership transferred
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
else
{
//
// Driver is being unloaded, permit any connect classify.
//
signalWorkerThread = FALSE;
classifyOut->actionType = FWP_ACTION_PERMIT;
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
Exit:
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
if (pendedConnect != NULL)
{
FreePendedPacket(pendedConnect);
}
return;
}
void
TLInspectWorker(
IN PVOID StartContext
)
/* ++
This worker thread waits for the connect and packet queue event when the
queues are empty; and it will be woken up when there are connects/packets
queued needing to be inspected. Once awaking, It will run in a loop to
complete the pended ALE classifies and/or clone-reinject packets back
until both queues are exhausted (and it will go to sleep waiting for more
work).
The worker thread will end once it detected the driver is unloading.
-- */
{
NTSTATUS status;
TL_INSPECT_PENDED_PACKET* packet = NULL;
LIST_ENTRY* listEntry;
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
KLOCK_QUEUE_HANDLE connListLockHandle;
UNREFERENCED_PARAMETER(StartContext);
for(;;)
{
KeWaitForSingleObject(
&gWorkerEvent,
Executive,
KernelMode,
FALSE,
NULL
);
if (gDriverUnloading)
{
break;
}
configPermitTraffic = IsTrafficPermitted();
listEntry = NULL;
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
if (!IsListEmpty(&gConnList))
{
listEntry = gConnList.Flink;
packet = CONTAINING_RECORD(
listEntry,
TL_INSPECT_PENDED_PACKET,
listEntry
);
if (packet->direction == FWP_DIRECTION_INBOUND)
{
RemoveEntryList(&packet->listEntry);
}
//
// Leave the pended ALE_AUTH_CONNECT in the connection list, it will
// be processed and removed from the list during re-auth.
//
}
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (listEntry == NULL)
{
ASSERT(!IsListEmpty(&gPacketQueue));
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
listEntry = RemoveHeadList(&gPacketQueue);
packet = CONTAINING_RECORD(
listEntry,
TL_INSPECT_PENDED_PACKET,
listEntry
);
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
}
if (packet->type == TL_INSPECT_CONNECT_PACKET)
{
TlInspectCompletePendedConnection(
&packet,
configPermitTraffic);
}
if ((packet != NULL) && configPermitTraffic)
{
if (packet->direction == FWP_DIRECTION_OUTBOUND)
{
status = TLInspectCloneReinjectOutbound(packet);
}
else
{
status = TLInspectCloneReinjectInbound(packet);
}
if (NT_SUCCESS(status))
{
packet = NULL; // ownership transferred.
}
}
if (packet != NULL)
{
FreePendedPacket(packet);
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (IsListEmpty(&gConnList) && IsListEmpty(&gPacketQueue) &&
!gDriverUnloading)
{
KeClearEvent(&gWorkerEvent);
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
}
ASSERT(gDriverUnloading);
while (!IsListEmpty(&gConnList))
{
packet = NULL;
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
if (!IsListEmpty(&gConnList))
{
listEntry = gConnList.Flink;
packet = CONTAINING_RECORD(
listEntry,
TL_INSPECT_PENDED_PACKET,
listEntry
);
}
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (packet != NULL)
{
TlInspectCompletePendedConnection(&packet, FALSE);
ASSERT(packet == NULL);
}
}
//
// Discard all the pended packets if driver is being unloaded.
//
while (!IsListEmpty(&gPacketQueue))
{
packet = NULL;
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (!IsListEmpty(&gPacketQueue))
{
listEntry = RemoveHeadList(&gPacketQueue);
packet = CONTAINING_RECORD(
listEntry,
TL_INSPECT_PENDED_PACKET,
listEntry
);
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
if (packet != NULL)
{
FreePendedPacket(packet);
}
}
PsTerminateSystemThread(STATUS_SUCCESS);
}
NTSTATUS drvStreamClassify(
IN const FWPS_INCOMING_VALUES* inFixedValues,
IN const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
IN FWPS_STREAM_CALLOUT_IO_PACKET0* packet,
IN const FWPS_FILTER* filter,
IN UINT64 flowContext,
OUT FWPS_CLASSIFY_OUT* classifyOut)
{
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
PENDED_PACKET *pendedPacket = NULL;
BOOLEAN signalWorkerThread;
LARGE_INTEGER systemTime, localTime;
TIME_FIELDS timeFields;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN localInspectEnabled;
KeQuerySystemTime(&systemTime);
ExSystemTimeToLocalTime(&systemTime, &localTime);
// We don't have the necessary right to alter the classify, exit.
if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
{
goto Exit;
}
// We don't edit TCP urgent data
if ((packet->streamData->flags & FWPS_STREAM_FLAG_SEND_EXPEDITED)
|| (packet->streamData->flags & FWPS_STREAM_FLAG_RECEIVE_EXPEDITED)
//|| (packet->streamData->flags &
)
{
packet->streamAction = FWPS_STREAM_ACTION_NONE;
classifyOut->actionType = FWP_ACTION_PERMIT;
goto Exit;
}
ASSERT(packet != NULL);
pendedPacket = AllocateAndInitializeStreamPendedPacket(
inFixedValues,
inMetaValues,
(FLOW_DATA*) flowContext,
&localTime,
packet);
if (pendedPacket == NULL)
{
// Insufficient resources?
classifyOut->actionType = FWP_ACTION_CONTINUE;
goto Exit;
}
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle);
if (!gDriverUnloading)
{
signalWorkerThread = IsListEmpty(&gPacketQueue);
InsertTailList(&gPacketQueue, &pendedPacket->listEntry);
pendedPacket = NULL; // ownership transferred
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
else
{
// Driver is being unloaded, permit any connect classify.
signalWorkerThread = FALSE;
classifyOut->actionType = FWP_ACTION_PERMIT;
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE);
}
Exit:
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
return STATUS_SUCCESS;
}
PENDED_PACKET*
AllocateAndInitializeStreamPendedPacket(
IN const FWPS_INCOMING_VALUES0* inFixedValues,
IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
IN FLOW_DATA* flowContext,
IN PLARGE_INTEGER localTime,
IN OUT FWPS_STREAM_CALLOUT_IO_PACKET0* packet)
{
PENDED_PACKET *pendedPacket;
UINT index = 0;
SIZE_T bytesCopied;
ASSERT(packet != NULL &&
packet->streamData != NULL);
// pendedPacket gets deleted in FreePendedPacket
#pragma warning( suppress : 803072 )
pendedPacket = ExAllocatePoolWithTag(
NonPagedPool,
sizeof(PENDED_PACKET),
TAG_PENDEDPACKET);
if (pendedPacket == NULL)
{
return NULL;
}
RtlZeroMemory(pendedPacket, sizeof(PENDED_PACKET));
pendedPacket->flags = packet->streamData->flags;
if(pendedPacket->flags & FWPS_STREAM_FLAG_SEND)
{
index = FWPS_FIELD_STREAM_V4_IP_LOCAL_ADDRESS;
pendedPacket->ipv4SrcAddr =
RtlUlongByteSwap( /* host-order -> network-order conversion */
inFixedValues->incomingValue[index].value.uint32);
index = FWPS_FIELD_STREAM_V4_IP_REMOTE_ADDRESS;
pendedPacket->ipv4DstAddr =
RtlUlongByteSwap( /* host-order -> network-order conversion */
inFixedValues->incomingValue[index].value.uint32);
index = FWPS_FIELD_STREAM_V4_IP_LOCAL_PORT;
pendedPacket->srcPort =
inFixedValues->incomingValue[index].value.uint16;
index = FWPS_FIELD_STREAM_V4_IP_REMOTE_PORT;
pendedPacket->dstPort =
inFixedValues->incomingValue[index].value.uint16;
}
else if(pendedPacket->flags & FWPS_STREAM_FLAG_RECEIVE)
{
index = FWPS_FIELD_STREAM_V4_IP_REMOTE_ADDRESS;
pendedPacket->ipv4SrcAddr =
RtlUlongByteSwap( /* host-order -> network-order conversion */
inFixedValues->incomingValue[index].value.uint32);
index = FWPS_FIELD_STREAM_V4_IP_LOCAL_ADDRESS;
pendedPacket->ipv4DstAddr =
RtlUlongByteSwap( /* host-order -> network-order conversion */
inFixedValues->incomingValue[index].value.uint32);
index = FWPS_FIELD_STREAM_V4_IP_REMOTE_PORT;
pendedPacket->srcPort =
inFixedValues->incomingValue[index].value.uint16;
index = FWPS_FIELD_STREAM_V4_IP_LOCAL_PORT;
pendedPacket->dstPort =
inFixedValues->incomingValue[index].value.uint16;
}
pendedPacket->localTime.HighPart = localTime->HighPart;
pendedPacket->localTime.LowPart = localTime->LowPart;
myRtlTimeToSecondsSince1970(localTime, &pendedPacket->timestamp);
// Closing packets are only created at flowDeleteFn
pendedPacket->close = FALSE;
// Protocol analyzers will change this value if needed
pendedPacket->permitted = TRUE;
pendedPacket->mdl = NULL;
pendedPacket->dataLength = (ULONG) packet->streamData->dataLength;
if(pendedPacket->dataLength > 0)
{
// data gets deleted in FreePendedPacket
#pragma warning( suppress : 28197 )
pendedPacket->data = ExAllocatePoolWithTag(
NonPagedPool,
pendedPacket->dataLength,
TAG_PENDEDPACKETDATA);
if (pendedPacket->data == NULL)
{
FreePendedPacket(pendedPacket);
return NULL;
}
RtlZeroMemory(pendedPacket->data, pendedPacket->dataLength);
FwpsCopyStreamDataToBuffer0(
packet->streamData,
pendedPacket->data,
pendedPacket->dataLength,
&bytesCopied);
}
if(flowContext != NULL)
{
pendedPacket->flowContext = flowContext;
}
return pendedPacket;
}
void thAnalyzer(IN PVOID StartContext)
{
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
NTSTATUS ntstatus;
BOOLEAN permitted;
UNREFERENCED_PARAMETER(StartContext);
for(;;)
{
LIST_ENTRY *listEntry;
PENDED_PACKET *pendedPacket;
BOOLEAN brk = FALSE;
KeWaitForSingleObject(
&gWorkerEvent,
Executive,
KernelMode,
FALSE,
NULL);
if (gDriverUnloading)
{
break;
}
listEntry = NULL;
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle);
if (gDriverUnloading)
{
brk = TRUE;
}
else if(!IsListEmpty(&gPacketQueue))
{
listEntry = RemoveHeadList(&gPacketQueue);
pendedPacket = CONTAINING_RECORD(
listEntry,
PENDED_PACKET,
listEntry);
}
// Clear event if list is empty
// either after we pulled a packet from it or we didn't
if (IsListEmpty(&gPacketQueue))
{
KeClearEvent(&gWorkerEvent);
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
if(brk)
{
break;
}
// This is what we build the whole driver for, mate
inspectPacket(pendedPacket);
if(pendedPacket->permitted)
{
// This function flushes out the whole packet, completely taking
// ownership and responsibility of the pendedPacket and
// deallocating its resources
ntstatus = ReinjectPendedPacket(
pendedPacket,
pendedPacket->flowContext);
// Ownership transferred
pendedPacket = NULL;
}
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
}
ASSERT(gDriverUnloading);
// Discard all the pended packets if driver is being unloaded.
while (!IsListEmpty(&gPacketQueue))
{
PENDED_PACKET *packet = NULL;
LIST_ENTRY* listEntry = NULL;
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle);
if (!IsListEmpty(&gPacketQueue))
{
listEntry = RemoveHeadList(&gPacketQueue);
packet = CONTAINING_RECORD(
listEntry,
PENDED_PACKET,
listEntry);
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
if (packet != NULL)
{
FreePendedPacket(packet);
}
}
Exit:
PsTerminateSystemThread(STATUS_SUCCESS);
}
NTSTATUS
ReinjectPendedPacket(
IN PENDED_PACKET *packet,
IN FLOW_DATA *flowData)
{
NTSTATUS status;
UINT32 flags;
NET_BUFFER_LIST* netBufferList = NULL;
FLOW_DATA *flowCtx;
ULONG dataLength;
if(packet->dataLength == 0 || packet->data == NULL)
{
return STATUS_UNSUCCESSFUL;
}
packet->mdl = IoAllocateMdl(
packet->data,
packet->dataLength,
FALSE,
FALSE,
NULL);
if (packet->mdl == NULL)
{
status = STATUS_NO_MEMORY;
goto Exit;
}
MmBuildMdlForNonPagedPool(packet->mdl);
status = FwpsAllocateNetBufferAndNetBufferList(
gNetBufferListPool,
0,
0,
packet->mdl,
0,
packet->dataLength,
&netBufferList);
if(!NT_SUCCESS(status))
{
goto Exit;
}
flags = packet->flags;
dataLength = packet->dataLength;
flowCtx = packet->flowContext;
#ifdef DEBUG
debugPacket(packet);
DbgPrintEx(
DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
"\n localCtr=%d, remoteCtr=%d\n", flowCtx->localCounter, flowCtx->remoteCounter);
#endif
// Keep correct sequence numbers
// (Assume every reinjection is successful, otherwise synchronous injection is
// needed for consistent sequence numbers implementation)
if(flags & FWPS_STREAM_FLAG_SEND)
{
flowCtx->localCounter += dataLength;
}
else if(flags & FWPS_STREAM_FLAG_RECEIVE)
{
flowCtx->remoteCounter += dataLength;
}
else
{
#ifdef DEBUG
DbgBreakPoint();
#endif
}
status = FwpsStreamInjectAsync(
gInjectionHandle,
NULL,
0,
flowData->flowHandle,
gStreamCalloutIdV4,
FWPS_LAYER_STREAM_V4,
flags,
netBufferList,
packet->dataLength,
StreamInjectCompletionFn,
packet);
if (!NT_SUCCESS(status))
{
goto Exit;
}
// Ownership transferred
netBufferList = NULL;
packet = NULL;
Exit:
if (netBufferList != NULL)
{
FwpsFreeNetBufferList(netBufferList);
}
if (packet != NULL)
{
FreePendedPacket(packet);
}
return status;
}
