NTSTATUS
DDProxyRegisterDatagramDataCallouts(
   IN const GUID* layerKey,
   IN const GUID* calloutKey,
   IN void* deviceObject,
   OUT UINT32* calloutId
   )
/* ++

   Registers the datagram-data proxy callout and its two filters at the WFP
   layer named by layerKey (FWPM_LAYER_DATAGRAM_DATA_V4 or
   FWPM_LAYER_DATAGRAM_DATA_V6). Per the display strings below, the callout
   proxies the destination address/port of UDP/ICMP traffic.

   Arguments:
      layerKey     - layer the callout and filters are attached to; any key
                     other than the V4 datagram-data layer selects the V6
                     address configuration.
      calloutKey   - GUID identifying the callout in both the runtime
                     (FWPS) and management (FWPM) registrations.
      deviceObject - passed unchanged to FwpsCalloutRegister0.
      calloutId    - receives the runtime callout id; reset to 0 when a
                     later step fails and the callout is unregistered.

   Return value:
      The NTSTATUS of the first step that failed, otherwise the status of
      the last filter addition.

   NOTE(review): on failure only the runtime callout is unregistered here.
   The FWPM callout object and any filter already added are not removed by
   this function; confirm that the caller runs it inside a transaction or
   dynamic session so a partial registration cannot persist.

-- */
{
   NTSTATUS status;
   FWPS_CALLOUT0 runtimeCallout = {0};
   FWPM_CALLOUT0 mgmtCallout = {0};
   BOOLEAN isV4Layer;

   runtimeCallout.calloutKey = *calloutKey;
   runtimeCallout.classifyFn = DDProxyClassify;
   runtimeCallout.notifyFn = DDProxyNotify;
   runtimeCallout.flowDeleteFn = DDProxyFlowDelete;
   // Classify is only wanted for flows that already carry a flow context.
   runtimeCallout.flags = FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW;

   status = FwpsCalloutRegister0(deviceObject, &runtimeCallout, calloutId);
   if (!NT_SUCCESS(status))
   {
      // Nothing was registered, so there is nothing to roll back.
      return status;
   }

   mgmtCallout.calloutKey = *calloutKey;
   mgmtCallout.displayData.name = L"Datagram-Data Proxy Callout";
   mgmtCallout.displayData.description =
      L"Proxies destination address/port for UDP/ICMP";
   mgmtCallout.applicableLayer = *layerKey;

   isV4Layer = (BOOLEAN)IsEqualGUID(layerKey, &FWPM_LAYER_DATAGRAM_DATA_V4);

   // NULL security descriptor: the callout object gets the default access
   // control. NULL id: the management-plane id is not captured.
   status = FwpmCalloutAdd0(gEngineHandle, &mgmtCallout, NULL, NULL);

   if (NT_SUCCESS(status))
   {
      // Outbound filter keyed on the inspected (original) destination.
      status = DDProxyAddFilter(
                  L"Datagram-Data Proxy Filter (Outbound)",
                  L"Proxies destination address/port for UDP/ICMP",
                  isV4Layer ? configInspectDestAddrV4 : configInspectDestAddrV6,
                  configInspectDestPort,
                  FWP_DIRECTION_OUTBOUND,
                  0,
                  layerKey,
                  calloutKey
                  );
   }

   if (NT_SUCCESS(status))
   {
      // Inbound filter keyed on the new (proxy) destination.
      status = DDProxyAddFilter(
                  L"Datagram-Data Proxy Filter (Inbound)",
                  L"Proxies destination address/port for UDP/ICMP",
                  isV4Layer ? configNewDestAddrV4 : configNewDestAddrV6,
                  configNewDestPort,
                  FWP_DIRECTION_INBOUND,
                  0,
                  layerKey,
                  calloutKey
                  );
   }

   if (!NT_SUCCESS(status))
   {
      // The runtime callout was registered above; undo it and clear the id
      // so the caller does not try to unregister it a second time.
      FwpsCalloutUnregisterById0(*calloutId);
      *calloutId = 0;
   }

   return status;
}
NTSTATUS
TLInspectRegisterTransportCallouts(
   IN const GUID* layerKey,
   IN const GUID* calloutKey,
   IN void* deviceObject,
   OUT UINT32* calloutId
   )
/* ++

   Registers the transport-inspection callout and one filter at the layer
   named by layerKey. Expected layers:

      FWPM_LAYER_OUTBOUND_TRANSPORT_V4
      FWPM_LAYER_OUTBOUND_TRANSPORT_V6
      FWPM_LAYER_INBOUND_TRANSPORT_V4
      FWPM_LAYER_INBOUND_TRANSPORT_V6

   Arguments:
      layerKey     - layer the callout and filter are attached to; either
                     V4 transport layer selects configInspectRemoteAddrV4,
                     any other key selects configInspectRemoteAddrV6.
      calloutKey   - GUID identifying the callout in both the runtime
                     (FWPS) and management (FWPM) registrations.
      deviceObject - passed unchanged to FwpsCalloutRegister0.
      calloutId    - receives the runtime callout id; reset to 0 when a
                     later step fails and the callout is unregistered.

   Return value:
      The NTSTATUS of the first step that failed, otherwise the status of
      the filter addition.

   NOTE(review): the filter display name always reads "(Outbound)", even
   when layerKey is one of the inbound transport layers. That is display
   data only, but it is misleading when auditing the installed filters.

   NOTE(review): on failure only the runtime callout is unregistered here;
   confirm the caller's transaction or session cleans up the FWPM objects.

-- */
{
   NTSTATUS status;
   FWPS_CALLOUT0 runtimeCallout = {0};
   FWPM_CALLOUT0 mgmtCallout = {0};
   BOOLEAN isV4Layer;

   runtimeCallout.calloutKey = *calloutKey;
   runtimeCallout.classifyFn = TLInspectTransportClassify;
   runtimeCallout.notifyFn = TLInspectTransportNotify;

   status = FwpsCalloutRegister0(deviceObject, &runtimeCallout, calloutId);
   if (!NT_SUCCESS(status))
   {
      // Nothing was registered, so there is nothing to roll back.
      return status;
   }

   mgmtCallout.calloutKey = *calloutKey;
   mgmtCallout.displayData.name = L"Transport Inspect Callout";
   mgmtCallout.displayData.description =
      L"Inspect inbound/outbound transport traffic";
   mgmtCallout.applicableLayer = *layerKey;

   isV4Layer = (BOOLEAN)(IsEqualGUID(layerKey, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4) ||
                         IsEqualGUID(layerKey, &FWPM_LAYER_INBOUND_TRANSPORT_V4));

   // NULL security descriptor: the callout object gets the default access
   // control. NULL id: the management-plane id is not captured.
   status = FwpmCalloutAdd0(gEngineHandle, &mgmtCallout, NULL, NULL);

   if (NT_SUCCESS(status))
   {
      // The meaning of the literal 0 argument is defined by
      // TLInspectAddFilter, which is not shown here.
      status = TLInspectAddFilter(
                  L"Transport Inspect Filter (Outbound)",
                  L"Inspect inbound/outbound transport traffic",
                  isV4Layer ? configInspectRemoteAddrV4 : configInspectRemoteAddrV6,
                  0,
                  layerKey,
                  calloutKey
                  );
   }

   if (!NT_SUCCESS(status))
   {
      // The runtime callout was registered above; undo it and clear the id
      // so the caller does not try to unregister it a second time.
      FwpsCalloutUnregisterById0(*calloutId);
      *calloutId = 0;
   }

   return status;
}
NTSTATUS
DDProxyRegisterFlowEstablishedCallouts(
   IN const GUID* layerKey,
   IN const GUID* calloutKey,
   IN void* deviceObject,
   OUT UINT32* calloutId
   )
/* ++

   Registers the flow-established callout and two filters that intercept
   flow creation for the original flow and for the proxy flow. Expected
   layers:

      FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
      FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6

   Arguments:
      layerKey     - layer the callout and filters are attached to; any key
                     other than the V4 flow-established layer selects the
                     V6 address configuration.
      calloutKey   - GUID identifying the callout in both the runtime
                     (FWPS) and management (FWPM) registrations.
      deviceObject - passed unchanged to FwpsCalloutRegister0.
      calloutId    - receives the runtime callout id; reset to 0 when a
                     later step fails and the callout is unregistered.

   Return value:
      The NTSTATUS of the first step that failed, otherwise the status of
      the last filter addition.

   NOTE(review): on failure only the runtime callout is unregistered here.
   The FWPM callout object and any filter already added are not removed by
   this function; confirm that the caller runs it inside a transaction or
   dynamic session so a partial registration cannot persist.

-- */
{
   NTSTATUS status;
   FWPS_CALLOUT0 runtimeCallout = {0};
   FWPM_CALLOUT0 mgmtCallout = {0};
   BOOLEAN isV4Layer;

   runtimeCallout.calloutKey = *calloutKey;
   runtimeCallout.classifyFn = DDProxyFlowEstablishedClassify;
   runtimeCallout.notifyFn = DDProxyFlowEstablishedNotify;

   status = FwpsCalloutRegister0(deviceObject, &runtimeCallout, calloutId);
   if (!NT_SUCCESS(status))
   {
      // Nothing was registered, so there is nothing to roll back.
      return status;
   }

   mgmtCallout.calloutKey = *calloutKey;
   mgmtCallout.displayData.name =
      L"Datagram-Data Proxy Flow-Established Callout";
   mgmtCallout.displayData.description =
      L"Intercepts flow creations for the original and the proxy flows";
   mgmtCallout.applicableLayer = *layerKey;

   isV4Layer = (BOOLEAN)IsEqualGUID(layerKey, &FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4);

   // NULL security descriptor: the callout object gets the default access
   // control. NULL id: the management-plane id is not captured.
   status = FwpmCalloutAdd0(gEngineHandle, &mgmtCallout, NULL, NULL);

   if (NT_SUCCESS(status))
   {
      // Original flow: keyed on the inspected destination address/port.
      status = DDProxyAddFilter(
                  L"Datagram-Data Proxy Flow-Established Filter (Original Flow)",
                  L"Intercepts flow creations for the original flow",
                  isV4Layer ? configInspectDestAddrV4 : configInspectDestAddrV6,
                  configInspectDestPort,
                  FWP_DIRECTION_OUTBOUND,
                  DD_PROXY_FLOW_ORIGINAL,
                  layerKey,
                  calloutKey
                  );
   }

   if (NT_SUCCESS(status))
   {
      // Proxy flow: keyed on the new destination address/port. Both
      // filters are added with FWP_DIRECTION_OUTBOUND.
      status = DDProxyAddFilter(
                  L"Datagram-Data Proxy Flow-Established Filter (Proxy Flow)",
                  L"Intercepts flow creations for the proxy flow",
                  isV4Layer ? configNewDestAddrV4 : configNewDestAddrV6,
                  configNewDestPort,
                  FWP_DIRECTION_OUTBOUND,
                  DD_PROXY_FLOW_PROXY,
                  layerKey,
                  calloutKey
                  );
   }

   if (!NT_SUCCESS(status))
   {
      // The runtime callout was registered above; undo it and clear the id
      // so the caller does not try to unregister it a second time.
      FwpsCalloutUnregisterById0(*calloutId);
      *calloutId = 0;
   }

   return status;
}
NTSTATUS
TLInspectRegisterALEClassifyCallouts(
   IN const GUID* layerKey,
   IN const GUID* calloutKey,
   IN void* deviceObject,
   OUT UINT32* calloutId
   )
/* ++

   Registers the ALE classify callout and one filter that intercept inbound
   or outbound connect attempts. Expected layers:

      FWPM_LAYER_ALE_AUTH_CONNECT_V4
      FWPM_LAYER_ALE_AUTH_CONNECT_V6
      FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
      FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6

   Arguments:
      layerKey     - layer the callout and filter are attached to. The two
                     AUTH_CONNECT layers get the connect classify/notify
                     pair; every other key, not only the RECV_ACCEPT
                     layers, gets the recv-accept pair.
      calloutKey   - GUID identifying the callout in both the runtime
                     (FWPS) and management (FWPM) registrations.
      deviceObject - passed unchanged to FwpsCalloutRegister0.
      calloutId    - receives the runtime callout id; reset to 0 when a
                     later step fails and the callout is unregistered.

   Return value:
      The NTSTATUS of the first step that failed, otherwise the status of
      the filter addition.

   NOTE(review): on failure only the runtime callout is unregistered here;
   confirm the caller's transaction or session cleans up the FWPM objects.

-- */
{
   NTSTATUS status;
   FWPS_CALLOUT0 runtimeCallout = {0};
   FWPM_CALLOUT0 mgmtCallout = {0};
   BOOLEAN isConnectLayer;
   BOOLEAN isV4Layer;

   runtimeCallout.calloutKey = *calloutKey;

   isConnectLayer = (BOOLEAN)(IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V4) ||
                              IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V6));

   // Pick the classify/notify pair matching the direction of the layer.
   if (!isConnectLayer)
   {
      runtimeCallout.classifyFn = TLInspectALERecvAcceptClassify;
      runtimeCallout.notifyFn = TLInspectALERecvAcceptNotify;
   }
   else
   {
      runtimeCallout.classifyFn = TLInspectALEConnectClassify;
      runtimeCallout.notifyFn = TLInspectALEConnectNotify;
   }

   status = FwpsCalloutRegister0(deviceObject, &runtimeCallout, calloutId);
   if (!NT_SUCCESS(status))
   {
      // Nothing was registered, so there is nothing to roll back.
      return status;
   }

   mgmtCallout.calloutKey = *calloutKey;
   mgmtCallout.displayData.name = L"Transport Inspect ALE Classify Callout";
   mgmtCallout.displayData.description =
      L"Intercepts inbound or outbound connect attempts";
   mgmtCallout.applicableLayer = *layerKey;

   isV4Layer = (BOOLEAN)(IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V4) ||
                         IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4));

   // NULL security descriptor: the callout object gets the default access
   // control. NULL id: the management-plane id is not captured.
   status = FwpmCalloutAdd0(gEngineHandle, &mgmtCallout, NULL, NULL);

   if (NT_SUCCESS(status))
   {
      // The meaning of the literal 0 argument is defined by
      // TLInspectAddFilter, which is not shown here.
      status = TLInspectAddFilter(
                  L"Transport Inspect ALE Classify",
                  L"Intercepts inbound or outbound connect attempts",
                  isV4Layer ? configInspectRemoteAddrV4 : configInspectRemoteAddrV6,
                  0,
                  layerKey,
                  calloutKey
                  );
   }

   if (!NT_SUCCESS(status))
   {
      // The runtime callout was registered above; undo it and clear the id
      // so the caller does not try to unregister it a second time.
      FwpsCalloutUnregisterById0(*calloutId);
      *calloutId = 0;
   }

   return status;
}