A rule defines the filtering flag and redirection settings for bind requests, described by other rule fields.

typedef struct _NF_BINDING_RULE
    int				protocol;	// IPPROTO_TCP or IPPROTO_UDP        

	unsigned long	processId;	// Process identifier

	// Process name tail mask (supports * as 0 or more symbols)
	wchar_t			processName[MAX_PATH];

	unsigned short	localPort;	// Local port

	unsigned short	ip_family;	// AF_INET for IPv4 and AF_INET6 for IPv6
	// Local IP (or network if localIpAddressMask is not zero)
	unsigned char	localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];	
	// Local IP mask
	unsigned char	localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; 
	// Redirect bind request to this IP 
	unsigned char	newLocalIpAddress[NF_MAX_IP_ADDRESS_LENGTH]; 

	// Redirect bind request to this port, if it is not zero
	unsigned short	newLocalPort;

	unsigned long	filteringFlag;	// See NF_FILTERING_FLAG, NF_ALLOW or NF_FILTER



Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
Process identifier. Zero means any process.
Process name mask. It can contain symbols * matching 0 or more symbols. The driver compares mask from the tail of process name, until the end of mask. The mask is case insensitive.
The internal representation of process names uses device names instead of drive letters. For example c:\ can be represented as \Device\HarddiskVolume0. The driver letters are removed by nf_addBindingRule. If it is necessary to use the full path specifying the exact drive, it is possible to get the appropriate device name using QueryDosDevice.

firefox.exe - matches firefox.exe in any folder.
program files*firefox.exe - matches firefox.exe in any folder containing "program files" as a substring.
program files* - matches any process in any folder containing "program files" as a substring.
Local port.
Describes the family of IP addresses in rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver doesn't use the IP addresses specified in a rule.
Local IPv4 or IPv6 address. Zero means any address.
If localIpAddressMask is not zero, the rule will be applied to network activity with a local address from the network localIpAddress & localIpAddressMask.
New local IPv4 or IPv6 address to use instead of the address in bind request. Zeros means any address.
New local port to use instead of port specified in bind request.
Specify NF_ALLOW to bypass the bind request, NF_FILTER to redirect requests to IP address and/or port specified in newLocalIpAddress and newLocalPort.


The binding rules can be used to redirect the bind requests for specific processes and protocols to the new address and/or port. It allows to bind the sockets of some process to some network interface when there are several network interfaces in system. For example in result the traffic of this process can use VPN via the appropriate link, and other processes use the default routing. Also it is possible to bind the server sockets to another IP/port.

All ports and IP addresses in rule must have network byte order. Zero in rule field means that its value is undefined, and the field should be ignored.

The following values are allowed for filteringFlag:

Bypass the bind request. This flag is applied to all requests not described by any rule.

Redirect requests to IP address and/or port specified in newLocalIpAddress and newLocalPort.


Driver type WFP
Header nfapi.h
Library nfapi.lib