void
TLInspectALERecvAcceptClassify(
_In_ const FWPS_INCOMING_VALUES* inFixedValues,
_In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
_Inout_opt_ void* layerData,
_In_ const FWPS_FILTER* filter,
_In_ UINT64 flowContext,
_Inout_ FWPS_CLASSIFY_OUT* classifyOut
)
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
/* ++
This is the classifyFn function for the ALE Recv-Accept (v4 and v6) callout.
For an initial classify (where the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag
is not set), it is queued to the connection list for inspection by the
worker thread. For re-auth, it is queued to the packet queue to be process
by the worker thread like any other regular packets.
-- */
{
NTSTATUS status;
KLOCK_QUEUE_HANDLE connListLockHandle;
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
TL_INSPECT_PENDED_PACKET* pendedRecvAccept = NULL;
TL_INSPECT_PENDED_PACKET* pendedPacket = NULL;
ADDRESS_FAMILY addressFamily;
FWPS_PACKET_INJECTION_STATE packetState;
BOOLEAN signalWorkerThread;
#if(NTDDI_VERSION >= NTDDI_WIN7)
UNREFERENCED_PARAMETER(classifyContext);
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
UNREFERENCED_PARAMETER(filter);
UNREFERENCED_PARAMETER(flowContext);
//
// We don't have the necessary right to alter the classify, exit.
//
if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
{
goto Exit;
}
NT_ASSERT(layerData != NULL);
_Analysis_assume_(layerData != NULL);
//
// We don't re-inspect packets that we've inspected earlier.
//
packetState = FwpsQueryPacketInjectionState(
gInjectionHandle,
layerData,
NULL
);
if ((packetState == FWPS_PACKET_INJECTED_BY_SELF) ||
(packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF))
{
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
goto Exit;
}
addressFamily = GetAddressFamilyForLayer(inFixedValues->layerId);
if (!IsAleReauthorize(inFixedValues))
{
//
// If the classify is the initial authorization for a connection, we
// queue it to the pended connection list and notify the worker thread
// for out-of-band processing.
//
pendedRecvAccept = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_CONNECT_PACKET,
FWP_DIRECTION_INBOUND
);
if (pendedRecvAccept == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
NT_ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_COMPLETION_HANDLE));
//
// Pend the ALE_AUTH_RECV_ACCEPT classify.
//
status = FwpsPendOperation(
inMetaValues->completionHandle,
&pendedRecvAccept->completionContext
);
if (!NT_SUCCESS(status))
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
signalWorkerThread = IsListEmpty(&gConnList) &&
IsListEmpty(&gPacketQueue);
InsertTailList(&gConnList, &pendedRecvAccept->listEntry);
pendedRecvAccept = NULL; // ownership transferred
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
else // re-auth @ ALE_AUTH_RECV_ACCEPT
{
FWP_DIRECTION packetDirection;
//
// The classify is the re-authorization for a existing connection, it
// could have been triggered for one of the two cases --
//
// 1) The re-auth is triggered by an outbound packet sent immediately
// after a policy change at ALE_AUTH_RECV_ACCEPT layer.
// 2) The re-auth is triggered by an inbound packet received
// immediately after a policy change at ALE_AUTH_RECV_ACCEPT layer.
//
NT_ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_PACKET_DIRECTION));
packetDirection = inMetaValues->packetDirection;
pendedPacket = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_REAUTH_PACKET,
packetDirection
);
if (pendedPacket == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
if (packetDirection == FWP_DIRECTION_INBOUND)
{
pendedPacket->ipSecProtected = IsSecureConnection(inFixedValues);
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (!gDriverUnloading)
{
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedPacket->listEntry);
pendedPacket = NULL; // ownership transferred
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
else
{
//
// Driver is being unloaded, permit any connect classify.
//
signalWorkerThread = FALSE;
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
Exit:
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
if (pendedRecvAccept != NULL)
{
FreePendedPacket(pendedRecvAccept);
}
return;
}
void
TLInspectALEConnectClassify(
_In_ const FWPS_INCOMING_VALUES* inFixedValues,
_In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
_Inout_opt_ void* layerData,
_In_ const FWPS_FILTER* filter,
_In_ UINT64 flowContext,
_Inout_ FWPS_CLASSIFY_OUT* classifyOut
)
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
/* ++
This is the classifyFn function for the ALE connect (v4 and v6) callout.
For an initial classify (where the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag
is not set), it is queued to the connection list for inspection by the
worker thread. For re-auth, we first check if it is triggered by an ealier
FwpsCompleteOperation call by looking for an pended connect that has been
inspected. If found, we remove it from the connect list and return the
inspection result; otherwise we can conclude that the re-auth is triggered
by policy change so we queue it to the packet queue to be process by the
worker thread like any other regular packets.
-- */
{
NTSTATUS status;
KLOCK_QUEUE_HANDLE connListLockHandle;
KLOCK_QUEUE_HANDLE packetQueueLockHandle;
TL_INSPECT_PENDED_PACKET* pendedConnect = NULL;
TL_INSPECT_PENDED_PACKET* connEntry;
TL_INSPECT_PENDED_PACKET* pendedPacket = NULL;
ADDRESS_FAMILY addressFamily;
FWPS_PACKET_INJECTION_STATE packetState;
BOOLEAN signalWorkerThread;
#if(NTDDI_VERSION >= NTDDI_WIN7)
UNREFERENCED_PARAMETER(classifyContext);
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
UNREFERENCED_PARAMETER(filter);
UNREFERENCED_PARAMETER(flowContext);
//
// We don't have the necessary right to alter the classify, exit.
//
if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
{
goto Exit;
}
if (layerData != NULL)
{
//
// We don't re-inspect packets that we've inspected earlier.
//
packetState = FwpsQueryPacketInjectionState(
gInjectionHandle,
layerData,
NULL
);
if ((packetState == FWPS_PACKET_INJECTED_BY_SELF) ||
(packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF))
{
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
goto Exit;
}
}
addressFamily = GetAddressFamilyForLayer(inFixedValues->layerId);
if (!IsAleReauthorize(inFixedValues))
{
//
// If the classify is the initial authorization for a connection, we
// queue it to the pended connection list and notify the worker thread
// for out-of-band processing.
//
pendedConnect = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_CONNECT_PACKET,
FWP_DIRECTION_OUTBOUND
);
if (pendedConnect == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
NT_ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_COMPLETION_HANDLE));
//
// Pend the ALE_AUTH_CONNECT classify.
//
status = FwpsPendOperation(
inMetaValues->completionHandle,
&pendedConnect->completionContext
);
if (!NT_SUCCESS(status))
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
signalWorkerThread = IsListEmpty(&gConnList) &&
IsListEmpty(&gPacketQueue);
InsertTailList(&gConnList, &pendedConnect->listEntry);
pendedConnect = NULL; // ownership transferred
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
else // re-auth @ ALE_AUTH_CONNECT
{
FWP_DIRECTION packetDirection;
//
// The classify is the re-authorization for an existing connection, it
// could have been triggered for one of the three cases --
//
// 1) The re-auth is triggered by a FwpsCompleteOperation call to
// complete a ALE_AUTH_CONNECT classify pended earlier.
// 2) The re-auth is triggered by an outbound packet sent immediately
// after a policy change at ALE_AUTH_CONNECT layer.
// 3) The re-auth is triggered by an inbound packet received
// immediately after a policy change at ALE_AUTH_CONNECT layer.
//
NT_ASSERT(FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues,
FWPS_METADATA_FIELD_PACKET_DIRECTION));
packetDirection = inMetaValues->packetDirection;
if (packetDirection == FWP_DIRECTION_OUTBOUND)
{
LIST_ENTRY* listEntry;
BOOLEAN authComplete = FALSE;
//
// We first check whether this is a FwpsCompleteOperation-triggered
// reauth by looking for a pended connect that has the inspection
// decision recorded. If found, we return that decision and remove
// the pended connect from the list.
//
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
for (listEntry = gConnList.Flink;
listEntry != &gConnList;
listEntry = listEntry->Flink)
{
connEntry = CONTAINING_RECORD(
listEntry,
TL_INSPECT_PENDED_PACKET,
listEntry
);
if (IsMatchingConnectPacket(
inFixedValues,
addressFamily,
packetDirection,
connEntry
) && (connEntry->authConnectDecision != 0))
{
// We found a match.
pendedConnect = connEntry;
NT_ASSERT((pendedConnect->authConnectDecision == FWP_ACTION_PERMIT) ||
(pendedConnect->authConnectDecision == FWP_ACTION_BLOCK));
classifyOut->actionType = pendedConnect->authConnectDecision;
if (classifyOut->actionType == FWP_ACTION_BLOCK ||
filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
RemoveEntryList(&pendedConnect->listEntry);
if (!gDriverUnloading &&
(pendedConnect->netBufferList != NULL) &&
(pendedConnect->authConnectDecision == FWP_ACTION_PERMIT))
{
//
// Now the outbound connection has been authorized. If the
// pended connect has a net buffer list in it, we need it
// morph it into a data packet and queue it to the packet
// queue for send injecition.
//
pendedConnect->type = TL_INSPECT_DATA_PACKET;
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedConnect->listEntry);
pendedConnect = NULL; // ownership transferred
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
authComplete = TRUE;
break;
}
}
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (authComplete)
{
goto Exit;
}
}
//
// If we reach here it means this is a policy change triggered re-auth
// for an pre-existing connection. For such a packet (inbound or
// outbound) we queue it to the packet queue and inspect it just like
// other regular data packets from TRANSPORT layers.
//
NT_ASSERT(layerData != NULL);
pendedPacket = AllocateAndInitializePendedPacket(
inFixedValues,
inMetaValues,
addressFamily,
layerData,
TL_INSPECT_REAUTH_PACKET,
packetDirection
);
if (pendedPacket == NULL)
{
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
goto Exit;
}
if (packetDirection == FWP_DIRECTION_INBOUND)
{
pendedPacket->ipSecProtected = IsSecureConnection(inFixedValues);
}
KeAcquireInStackQueuedSpinLock(
&gConnListLock,
&connListLockHandle
);
KeAcquireInStackQueuedSpinLock(
&gPacketQueueLock,
&packetQueueLockHandle
);
if (!gDriverUnloading)
{
signalWorkerThread = IsListEmpty(&gPacketQueue) &&
IsListEmpty(&gConnList);
InsertTailList(&gPacketQueue, &pendedPacket->listEntry);
pendedPacket = NULL; // ownership transferred
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
else
{
//
// Driver is being unloaded, permit any connect classify.
//
signalWorkerThread = FALSE;
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
}
KeReleaseInStackQueuedSpinLock(&packetQueueLockHandle);
KeReleaseInStackQueuedSpinLock(&connListLockHandle);
if (signalWorkerThread)
{
KeSetEvent(
&gWorkerEvent,
0,
FALSE
);
}
}
Exit:
if (pendedPacket != NULL)
{
FreePendedPacket(pendedPacket);
}
if (pendedConnect != NULL)
{
FreePendedPacket(pendedConnect);
}
return;
}
NTSTATUS KrnlHlprPendDataPopulate(_Inout_ PEND_DATA* pPendData,
_In_ const FWPS_INCOMING_VALUES* pClassifyValues,
_In_ const FWPS_INCOMING_METADATA_VALUES* pMetadata,
_In_opt_ NET_BUFFER_LIST* pNBL,
_In_ const FWPS_FILTER* pFilter,
_In_opt_ VOID* pClassifyContext, /* 0 */
_In_opt_ FWPS_CLASSIFY_OUT* pClassifyOut) /* 0 */
{
#if DBG
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" ---> KrnlHlprPendDataPopulate()\n");
#endif /// DBG
NT_ASSERT(pPendData);
NT_ASSERT(pClassifyValues);
NT_ASSERT(pMetadata);
NT_ASSERT(pFilter);
NTSTATUS status = STATUS_SUCCESS;
pPendData->layerID = pClassifyValues->layerId;
#if(NTDDI_VERSION >= NTDDI_WIN7)
if(pPendData->layerID == FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V4 ||
pPendData->layerID == FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6)
{
NT_ASSERT(pClassifyContext);
NT_ASSERT(pClassifyOut);
if(pClassifyContext &&
pClassifyOut)
{
status = FwpsAcquireClassifyHandle(pClassifyContext,
0,
&(pPendData->classifyHandle));
if(status != STATUS_SUCCESS)
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! KrnlHlprPendDataPopulate : FwpsAcquireClassifyHandle() [status: %#x]\n",
status);
HLPR_BAIL;
}
status = FwpsPendClassify(pPendData->classifyHandle,
pFilter->filterId,
0,
pClassifyOut);
if(status != STATUS_SUCCESS)
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! KrnlHlprPendDataPopulate : FwpsPendClassify() [status: %#x]\n",
status);
HLPR_BAIL;
}
RtlCopyMemory(&(pPendData->classifyOut),
pClassifyOut,
sizeof(FWPS_CLASSIFY_OUT));
pPendData->pPCPendData = pFilter->providerContext->dataBuffer->data;
pPendData->isPended = TRUE;
}
else
{
status = STATUS_INVALID_PARAMETER;
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! KrnlHlprPendDataPopulate : [status: %#x][pClassifyContext: %#p][pClassifyOut: %#p]\n",
status,
pClassifyContext,
pClassifyOut);
HLPR_BAIL;
}
}
else
#else
UNREFERENCED_PARAMETER(pClassifyContext);
UNREFERENCED_PARAMETER(pClassifyOut);
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
{
if(FWPS_IS_METADATA_FIELD_PRESENT(pMetadata,
FWPS_METADATA_FIELD_COMPLETION_HANDLE))
{
status = FwpsPendOperation(pMetadata->completionHandle,
&(pPendData->completionContext));
if(status != STATUS_SUCCESS)
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! KrnlHlprPendDataPopulate : FwpsPendOperation() [status: %#x]\n",
status);
HLPR_BAIL;
}
pPendData->pNBL = pNBL;
pPendData->pPCPendData = pFilter->providerContext->dataBuffer->data;
pPendData->isPended = TRUE;
}
else
{
status = STATUS_INVALID_HANDLE;
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! KrnlHlprPendDataPopulate() [status: %#x]\n",
status);
}
}
HLPR_BAIL_LABEL:
if(status != STATUS_SUCCESS)
KrnlHlprPendDataPurge(pPendData);
#if DBG
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" <--- KrnlHlprPendDataPopulate() [status: %#x]\n",
status);
#endif /// DBG
return status;
}
