A rule defines the filtering flag for network activity, described by other rule fields.
typedef struct _NF_RULE { int protocol; // IPPROTO_TCP or IPPROTO_UDP unsigned long processId; // Process identifier unsigned char direction; // See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH) unsigned short localPort; // Local port unsigned short remotePort; // Remote port unsigned short ip_family; // AF_INET for IPv4 and AF_INET6 for IPv6 // Local IP (or network if localIpAddressMask is not zero) unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH]; // Local IP mask unsigned char localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; // Remote IP (or network if remoteIpAddressMask is not zero) unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH]; // Remote IP mask unsigned char remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; unsigned long filteringFlag; // See NF_FILTERING_FLAG } NF_RULE, *PNF_RULE;
All ports and IP addresses in rule must have network byte order. Zero in rule field means that its value is undefined, and the field should be ignored.
The following values are allowed for filteringFlag:
NF_ALLOW = 0
Allow the activity without filtering transmitted packets. This flag is
applied to all network activity, which is not described by any rule.
NF_BLOCK = 1
Block the activity.
NF_FILTER = 2
Filter the transmitted packets. I.e. the packets will be indicated via NF_EventHandler methods.
NF_SUSPENDED = 4
Suspend indicating new data packets via NF_EventHandler. It is possible to change this flag for a connection or UDP socket using nf_tcpSetConnectionState or nf_udpSetConnectionState.
NF_OFFLINE = 8
Emulate establishing a connection with remote server. This flag affects only outgoing TCP connections. The connections with remote server are not established, but connect() and WSAConnect() calls succeed immediately for the filtered network application, and it can use WinSock functions as usual. The flag can be useful in case when a connection with remote server is not required, because the client application can respond to requests of the filtered network application locally. For example, if the client application implements a caching HTTP proxy, it is possible to set this flag for HTTP connections. In this case the cached HTTP objects will be returned faster, without wasting time on waiting while a connection with remote server is establishing.
NF_INDICATE_CONNECT_REQUESTS = 16
Call tcpConnectRequest event before establishing an outgoing TCP connection. In this event it is possible to modify the fields filteringFlag and remoteAddress in NF_TCP_CONN_INFO structure. The changes are applied to the connection.
NF_DISABLE_REDIRECT_PROTECTION = 32
Disable blocking indicating connect requests for outgoing connections of local proxies. When this flag is used with NF_INDICATE_CONNECT_REQUESTS, tcpConnectRequest is called for all outgoing connections.
If your filter redirects TCP connections, it is necessary to prevent the possible filtering loops manually. I.e. detect the local proxies of antiviruses and other filters and don't redirect their connections.
To detect the proxies it is possible to use the function nf_tcpIsProxy.
NF_PEND_CONNECT_REQUEST = 64
Pend the connect request to complete it later using nf_complete(TCP|UDP)ConnectRequest. This flag can be assigned only from (tcp|udp)ConnectRequest events.
NF_FILTER_AS_IP_PACKETS = 128
This flag instructs the driver to apply the rule to IP traffic and indicate IP packets via NF_IPEventHandler functions. The flags NF_ALLOW, NF_BLOCK will be applied to IP packets, which suit the rule conditions.
When NF_BLOCK flag is specified in a rule, the packets are silently blocked, without indication to user mode API. The flags NF_FILTER and NF_FILTER_AS_IP_PACKETS are mutually exclusive. When they are specified together, the driver takes in account only NF_FILTER_AS_IP_PACKETS.
IP filtering is supported only with WFP driver.
NF_READONLY = 256
This flag can be added with NF_FILTER_AS_IP_PACKETS to filter the packets in read only mode. In this case the packets are not blocked, and indicated to NF_IPEventHandler functions only for monitoring.
NF_CONTROL_FLOW = 512
This flag can be added instead of NF_FILTER to apply flow control contexts for limiting and counting TCP/UDP traffic.
When NF_CONTROL_FLOW is specified instead of NF_FILTER, the driver indicates only tcpConnectRequest/tcpConnected/tcpClosed and udpCreated/udpClosed events,
i.e. doesn't indicate the data packets for filtering.
In this case there are no delays because of filtering the packets in user mode, but it is possible to use the control contexts to count and limit the traffic.
NF_REDIRECT = 1024
This flag can be used only with WFP driver on Windows 8/10.
Redirect the outgoing TCP connections inline in driver to the address specified in redirectTo. The additional fields redirectTo and localProxyProcessId required for redirection are available in NF_RULE_EX structure.
NF_BYPASS_IP_PACKETS = 2048
When NF_FILTER_AS_IP_PACKETS flag is enabled, NF_BYPASS_IP_PACKETS can be added to bypass the traffic as IP packets. I.e. it works as NF_ALLOW for IP packets.
Driver type | WFP, TDI |
Header | nfapi.h |
Library | nfapi.lib |