A rule assigns a filtering flag to the network activity described by its other fields.
```c
typedef struct _NF_RULE
{
    int protocol;               // IPPROTO_TCP or IPPROTO_UDP
    unsigned long processId;    // Process identifier
    unsigned char direction;    // See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
    unsigned short localPort;   // Local port
    unsigned short remotePort;  // Remote port
    unsigned short ip_family;   // AF_INET for IPv4 and AF_INET6 for IPv6
    // Local IP (or network if localIpAddressMask is not zero)
    unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
    // Local IP mask
    unsigned char localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    // Remote IP (or network if remoteIpAddressMask is not zero)
    unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
    // Remote IP mask
    unsigned char remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned long filteringFlag; // See NF_FILTERING_FLAG
} NF_RULE, *PNF_RULE;
```
All ports and IP addresses in a rule must be in network byte order. A zero value in a rule field means that the field is undefined and is ignored.
The following values are allowed for filteringFlag:
NF_ALLOW = 0
Allow the activity without filtering the transmitted packets. This flag is applied to all network activity that is not described by any rule.
NF_BLOCK = 1
Block the activity.
NF_FILTER = 2
Filter the transmitted packets, i.e. the packets are indicated via NF_EventHandler methods.
NF_SUSPENDED = 4
Suspend indicating new data packets via NF_EventHandler. It is possible to change this flag for a connection or UDP socket using nf_tcpSetConnectionState or nf_udpSetConnectionState.
NF_OFFLINE = 8
Emulate establishing a connection with the remote server. This flag affects only outgoing TCP connections. The connection with the remote server is not established, but connect() and WSAConnect() calls succeed immediately for the filtered network application, and it can use WinSock functions as usual. The flag is useful when a connection with the remote server is not required because the client application can respond to the requests of the filtered network application locally. For example, if the client application implements a caching HTTP proxy, it is possible to set this flag for HTTP connections. In this case cached HTTP objects are returned faster, without waiting for a connection with the remote server to be established.
NF_INDICATE_CONNECT_REQUESTS = 16
Call the tcpConnectRequest event before establishing an outgoing TCP connection. In this event it is possible to modify the fields filteringFlag and remoteAddress in the NF_TCP_CONN_INFO structure. The changes are applied to the connection.
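
The following sketch is an added example, not code from nfapi or its documentation. It fills an NF_RULE with the port and addresses in network byte order, then models the "zero means ignored" and default NF_ALLOW behaviour described above for the remote port and address only. The values given for NF_MAX_IP_ADDRESS_LENGTH and NF_D_OUT, and the helpers make_block_rule and model_verdict, are assumptions made for this example.

```c
#include <string.h>
#ifdef _WIN32
#include <ws2tcpip.h>
#else
#include <arpa/inet.h>
#endif
/* Assumed values; a real build takes these and NF_RULE from nfapi.h. */
#define NF_MAX_IP_ADDRESS_LENGTH 16
enum { NF_ALLOW = 0, NF_BLOCK = 1, NF_D_OUT = 2 };

typedef struct _NF_RULE {
    int protocol;
    unsigned long processId;
    unsigned char direction;
    unsigned short localPort, remotePort, ip_family;
    unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned char localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned char remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned long filteringFlag;
} NF_RULE;

/* Block outbound TCP to net/mask (IPv4 text); port_host 0 means any port.
   Returns 0 on success, -1 if an address does not parse. */
int make_block_rule(NF_RULE *r, const char *net, const char *mask,
                    unsigned short port_host) {
    memset(r, 0, sizeof *r);           /* zero = field is ignored */
    r->protocol = IPPROTO_TCP;
    r->direction = NF_D_OUT;
    r->ip_family = AF_INET;
    r->remotePort = htons(port_host);  /* ports go in network byte order */
    r->filteringFlag = NF_BLOCK;
    if (inet_pton(AF_INET, net, r->remoteIpAddress) != 1) return -1;
    return inet_pton(AF_INET, mask, r->remoteIpAddressMask) == 1 ? 0 : -1;
}

/* Hypothetical model of remote port/address matching, not driver code. */
unsigned long model_verdict(const NF_RULE *r, const unsigned char ip[4],
                            unsigned short port_net) {
    static const unsigned char zero[4] = {0};
    int i, exact = memcmp(r->remoteIpAddressMask, zero, 4) == 0;
    if (r->remotePort && r->remotePort != port_net) return NF_ALLOW;
    if (memcmp(r->remoteIpAddress, zero, 4) != 0)
        for (i = 0; i < 4; i++) {
            unsigned char m = exact ? 0xFF : r->remoteIpAddressMask[i];
            if ((ip[i] & m) != (r->remoteIpAddress[i] & m)) return NF_ALLOW;
        }
    return r->filteringFlag;  /* traffic that matched no rule got NF_ALLOW */
}
```

Check the return value of make_block_rule before installing the rule: after a failed parse the address fields are still zero, which the rule format treats as "any address". A port stored in host byte order has the opposite effect on little-endian machines, where the rule never matches and the traffic falls through to NF_ALLOW.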
| Header | nfapi.h |
| Library | nfapi.lib |