_Inquirer_

I have the following situation. I am creating a new simple Filter in the BFE.

The session has a Name, Description and is not Dynamic.

The custom provider has a defined provider ID, name, description and host service name.

The custom sublayer has a sublayer ID, provider ID, name, description and weight.

A condition has been set to 'FWPM_CONDITION_IP_PROTOCOL', 'FWP_MATCH_EQUAL'.

A condition value has been set to the ICMP Protocol number.

An Action has been defined to Block.

When the filter is created, it works as expected and the ICMP Protocol is correctly filtered out. I can correctly retrieve my Provider and Sublayer information by their Unique Identifier.

However, when I attempt to retrieve the Filter by its Unique Identifier (using FwpmFilterGetByKey0), something unexpected happens. All values seem to be returned correctly, except for 'GUID filterType'.

The GUID Struct has its Data4 field set to all '0' characters. The other 3 Data Fields come back correctly. Also, all other GUID fields for the Provider, Sublayer and Filter come back completely, as expected. The filterType field is the only Struct element that is somehow truncated.

As I said, the filter works correctly and all other Guids (for the provider, sublayer and filter) come back completely. This one field (filterType) seems to be having the issue. I have verified that the complete GUID is being written to the BFE when the filter is created.

My custom Guid is set to: 9D5EDEBA-4BA0-4cad-B42D-BA9C2E5053E4

What is returned by FwpmFilterGetByKey0: 9D5EDEBA-4BA0-4cad-B42D-000000000000

Is there a known issue, or something I could be missing here?

Thanks,

Inq.



Re: Windows Filtering Platform (WFP) The method FwpmFilterGetByKey0 does not seem to return (FWPM_ACTION0) filterType correctly

Biao Wang [MSFT]

We are trying to see if we can reproduce the issue you reported here in our lab.

Will keep you posted.

Thanks,

Biao.W.





Re: Windows Filtering Platform (WFP) The method FwpmFilterGetByKey0 does not seem to return (FWPM_ACTION0) filterType correctly

Dusty Harper [MSFT]

I am not able to repro the issue (neither on Vista nor Vista SP1).

I have provided a copy of code that was used to verify this scenario.

** The functions HlprFwpmProviderAreEqual, HlprFwpmSubLayerAreEqual, and HlprFwpmFilterAreEqual() each do a deep compare of the two corresponding objects.**

Code Snippet

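/// Repro fragment: add a provider, a sublayer and one ICMP block filter to the
/// BFE, read each object back by key and deep-compare it with the local copy.
/// Meant to live inside a single function; every failure path jumps to EXIT so
/// the cleanup at the bottom always runs.
///
/// NOTE: the session is non-dynamic (flags = 0), so the provider, sublayer and
/// filter outlive this process unless the deletes at EXIT run. A crash before
/// EXIT leaves a live block filter in the system.
UINT32 status = ERROR_SUCCESS;
HANDLE engineHandle = 0;
PWSTR pCompanyName = L"Block You Enterprise";
/// Objects returned by the Fwpm*GetByKey0 calls; allocated by the BFE and
/// released with FwpmFreeMemory0 at EXIT.
FWPM_PROVIDER0* pBFEStoredProvider = 0;
FWPM_SUBLAYER0* pBFEStoredSubLayer = 0;
FWPM_FILTER0* pBFEStoredFilter = 0;
/// Strings produced by UuidToString; allocated by the RPC runtime and released
/// with RpcStringFree at EXIT (hoisted here so the cleanup can reach them —
/// the earlier version of this snippet never freed them).
PWSTR pMyFilterType = 0;
PWSTR pBFEStoredFilterType = 0;
FWPM_SESSION0 mySession;
FWPM_PROVIDER0 myProvider;
FWPM_SUBLAYER0 mySubLayer;
FWPM_FILTER_CONDITION0 myFilterCondition;
FWPM_FILTER0 myFilter;

/// The FWPM_* structs carry optional pointers and unions; zero them so every
/// field not explicitly set below reads as "absent" rather than garbage.
ZeroMemory(&mySession, sizeof(FWPM_SESSION0));
ZeroMemory(&myProvider, sizeof(FWPM_PROVIDER0));
ZeroMemory(&mySubLayer, sizeof(FWPM_SUBLAYER0));
ZeroMemory(&myFilterCondition, sizeof(FWPM_FILTER_CONDITION0));
ZeroMemory(&myFilter, sizeof(FWPM_FILTER0));

/// SESSION
mySession.displayData.name = pCompanyName;
mySession.displayData.description = L"Non Dynamic Session";
mySession.flags = 0; /// Non-Dynamic: objects persist after the session closes.

/// PROVIDER
myProvider.displayData.name = pCompanyName;
myProvider.displayData.description = L"Block You Enterprise Provider";
myProvider.serviceName = L"Windows Time";

/// RPC_S_UUID_LOCAL_ONLY is documented as a UUID that is unique to this
/// computer only; it is still usable here. Any other non-RPC_S_OK value is a
/// failure. (RPC_S_OK is used consistently for all three UuidCreate checks.)
status = UuidCreate(&(myProvider.providerKey));
if(status != RPC_S_OK &&
   status != RPC_S_UUID_LOCAL_ONLY)
{
   wprintf(L"UuidCreate [status: 0x%x]",
           status);

   goto EXIT;
}

/// SUBLAYER (linked to the provider by key; weight 0xFF = highest priority
/// among sublayers using an 8-bit weight)
mySubLayer.displayData.name = pCompanyName;
mySubLayer.displayData.description = L"Block You Enterprise SubLayer";
mySubLayer.providerKey = &(myProvider.providerKey);
mySubLayer.weight = 0xFF;

status = UuidCreate(&(mySubLayer.subLayerKey));
if(status != RPC_S_OK &&
   status != RPC_S_UUID_LOCAL_ONLY)
{
   wprintf(L"UuidCreate [status: 0x%x]",
           status);

   goto EXIT;
}

/// CONDITION: IP protocol == 1 (IPv4 ICMP)
myFilterCondition.fieldKey = FWPM_CONDITION_IP_PROTOCOL;
myFilterCondition.matchType = FWP_MATCH_EQUAL;
myFilterCondition.conditionValue.type = FWP_UINT8;
myFilterCondition.conditionValue.uint8 = 1; /// IPv4 ICMP

/// FILTER: block at the inbound transport v4 layer, in our own sublayer
myFilter.displayData.name = pCompanyName;
myFilter.displayData.description = L"Block incoming ICMP packets @ INBOUND_TRANSPORT_V4";
myFilter.layerKey = FWPM_LAYER_INBOUND_TRANSPORT_V4;
myFilter.subLayerKey = mySubLayer.subLayerKey;
myFilter.providerKey = &(myProvider.providerKey);

myFilter.numFilterConditions = 1;

myFilter.filterCondition = &myFilterCondition;
myFilter.weight.type = FWP_UINT8;
myFilter.weight.uint8 = 0xF;
myFilter.action.type = FWP_ACTION_BLOCK;
/// action.filterType is the GUID the thread is asking about: the whole point
/// of the validation below is to confirm all 16 bytes (Data1..Data4[7])
/// round-trip through the BFE. 9D5EDEBA-4BA0-4cad-B42D-BA9C2E5053E4
myFilter.action.filterType.Data1 = 0x9D5EDEBA;
myFilter.action.filterType.Data2 = 0x4BA0;
myFilter.action.filterType.Data3 = 0x4cad;
myFilter.action.filterType.Data4[0] = 0xB4;
myFilter.action.filterType.Data4[1] = 0x2D;
myFilter.action.filterType.Data4[2] = 0xBA;
myFilter.action.filterType.Data4[3] = 0x9C;
myFilter.action.filterType.Data4[4] = 0x2E;
myFilter.action.filterType.Data4[5] = 0x50;
myFilter.action.filterType.Data4[6] = 0x53;
myFilter.action.filterType.Data4[7] = 0xE4; /// 9D5EDEBA-4BA0-4cad-B42D-BA9C2E5053E4;

status = UuidCreate(&(myFilter.filterKey));
if(status != RPC_S_OK &&
   status != RPC_S_UUID_LOCAL_ONLY)
{
   wprintf(L"UuidCreate [status: 0x%x]",
           status);

   goto EXIT;
}

/// OBJECT ADDITION

status = FwpmEngineOpen0(0,
                         RPC_C_AUTHN_WINNT,
                         0,
                         &mySession,
                         &engineHandle);
if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmEngineOpen0() [status: 0x%x]",
           status);

   goto EXIT;
}

status = FwpmProviderAdd0(engineHandle,
                          &myProvider,
                          0);
if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmProviderAdd0() [status: 0x%x]",
           status);

   goto EXIT;
}

status = FwpmSubLayerAdd0(engineHandle,
                          &mySubLayer,
                          0);
if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmSubLayerAdd0() [status: 0x%x]",
           status);

   goto EXIT;
}

/// The runtime filter id is written back into myFilter so the local copy and
/// the stored copy can be deep-compared afterwards.
status = FwpmFilterAdd0(engineHandle,
                        &myFilter,
                        0,
                        &(myFilter.filterId));
if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmFilterAdd0() [status: 0x%x]",
           status);

   goto EXIT;
}

/// OBJECT ENUMERATION & VALIDATION

status = FwpmProviderGetByKey0(engineHandle,
                               &(myProvider.providerKey),
                               &pBFEStoredProvider);
if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmProviderGetByKey0() [status: 0x%x]",
           status);

   goto EXIT;
}
else
{
   if(!HlprFwpmProviderAreEqual(&myProvider,
                                pBFEStoredProvider))
      wprintf(L"HlprFwpmProviderAreEqual(): NOT EQUAL");
}

status = FwpmSubLayerGetByKey0(engineHandle,
                               &(mySubLayer.subLayerKey),
                               &pBFEStoredSubLayer);
if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmSubLayerGetByKey0() [status: 0x%x]",
           status);

   goto EXIT;
}
else
{
   if(!HlprFwpmSubLayerAreEqual(&mySubLayer,
                                pBFEStoredSubLayer))
      wprintf(L"HlprFwpmSubLayerAreEqual(): NOT EQUAL");
}

status = FwpmFilterGetByKey0(engineHandle,
                             &(myFilter.filterKey),
                             &pBFEStoredFilter);

if(status != ERROR_SUCCESS)
{
   wprintf(L"FwpmFilterGetByKey0() [status: 0x%x]",
           status);

   goto EXIT;
}
else
{
   /// Print both GUIDs as text so a truncated Data4 is visible at a glance,
   /// independently of the deep compare.
   status = UuidToString(&(myFilter.action.filterType),
                         &pMyFilterType);
   if(status != ERROR_SUCCESS)
   {
      wprintf(L"UuidToString() [status: 0x%x]",
              status);

      goto EXIT;
   }

   status = UuidToString(&(pBFEStoredFilter->action.filterType),
                         &pBFEStoredFilterType);
   if(status != ERROR_SUCCESS)
   {
      wprintf(L"UuidToString() [status: 0x%x]",
              status);

      goto EXIT;
   }

   wprintf(L"[myFilter.action.filterType: %s][pBFEStoredFilter->action.filterType: %s]",
           pMyFilterType,
           pBFEStoredFilterType);

   if(!HlprFwpmFilterAreEqual(&myFilter,
                              pBFEStoredFilter))
      wprintf(L"HlprFwpmFilterAreEqual(): NOT EQUAL");
   else
      wprintf(L"Filters are identical");

}

EXIT:

/// CLEANUP — reached from every path above.

/// Release the RPC-allocated UUID strings (only those actually produced).
if(pMyFilterType)
   RpcStringFree(&pMyFilterType);
if(pBFEStoredFilterType)
   RpcStringFree(&pBFEStoredFilterType);

/// Release the BFE-allocated copies; a null pointer here simply means the
/// corresponding GetByKey0 never succeeded (the original relies on
/// FwpmFreeMemory0 accepting that as well).
FwpmFreeMemory0((void**)&pBFEStoredFilter);
FwpmFreeMemory0((void**)&pBFEStoredSubLayer);
FwpmFreeMemory0((void**)&pBFEStoredProvider);

/// Only talk to the engine if the session was actually opened; when
/// FwpmEngineOpen0 failed the handle is still 0 and the calls below would
/// just report errors. Because the session is non-dynamic, these deletes are
/// what actually removes the block filter from the machine.
if(engineHandle)
{
   FwpmFilterDeleteByKey0(engineHandle,
                          &(myFilter.filterKey));

   FwpmSubLayerDeleteByKey0(engineHandle,
                            &(mySubLayer.subLayerKey));

   FwpmProviderDeleteByKey0(engineHandle,
                            &(myProvider.providerKey));

   FwpmEngineClose0(engineHandle);
}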

Results

[myFilter.action.filterType: 9d5edeba-4ba0-4cad-b42d-ba9c2e5053e4][pBFEStoredFilter->action.filterType: 9d5edeba-4ba0-4cad-b42d-ba9c2e5053e4]
Variation: Filters are identical






Re: Windows Filtering Platform (WFP) The method FwpmFilterGetByKey0 does not seem to return (FWPM_ACTION0) filterType correctly

_Inquirer_

Thank you for taking the time to attempt to recreate the issue. I adapted the sample you provided to exactly what I am trying to achieve and the sample still worked as expected. So that means I made a mistake in my initial implementation.