NF_RULE_EX
A rule defines the filtering flag for network activity, described by other rule fields.
typedef struct _NF_PORT_RANGE
{
unsigned short valueLow;
unsigned short valueHigh;
} NF_PORT_RANGE, *PNF_PORT_RANGE;
typedef struct _NF_RULE_EX
{
int protocol; // IPPROTO_TCP or IPPROTO_UDP
unsigned long processId; // Process identifier
unsigned char direction; // See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
unsigned short localPort; // Local port
unsigned short remotePort; // Remote port
unsigned short ip_family; // AF_INET for IPv4 and AF_INET6 for IPv6
// Local IP (or network if localIpAddressMask is not zero)
unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
// Local IP mask
unsigned char localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
// Remote IP (or network if remoteIpAddressMask is not zero)
unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
// Remote IP mask
unsigned char remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
unsigned long filteringFlag; // See NF_FILTERING_FLAG
// Process name tail mask (supports * as 0 or more symbols)
wchar_t processName[MAX_PATH];
NF_PORT_RANGE localPortRange; // Local port(s)
NF_PORT_RANGE remotePortRange; // Remote port(s)
// Remote address for redirection as sockaddr_in for IPv4 and sockaddr_in6 for IPv6
unsigned char redirectTo[NF_MAX_ADDRESS_LENGTH];
// Process identifier of a local proxy
unsigned long localProxyProcessId;
} NF_RULE_EX, *PNF_RULE_EX;
Members
- protocol
- Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
- processId
- Process identifier. Zero means any process.
- direction
- The direction of network activity. Specify NF_D_IN for the inbound TCP connections and UDP datagrams, NF_D_OUT for the outbound TCP connections and UDP datagrams. Zero or NF_D_BOTH mean any direction.
- localPort
- Local port.
- remotePort
- Remote port.
- ip_family
- Describes the family of IP addresses in rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver doesn't use the IP addresses specified in a rule.
- localIpAddress
- Local IPv4 or IPv6 address. Zero means any address.
- localIpAddressMask
- If localIpAddressMask is not zero, the rule will be applied to network activity with a local address from the network localIpAddress & localIpAddressMask.
- remoteIpAddress
- Remote IPv4 or IPv6 address. Zero means any address.
- remoteIpAddressMask
- If remoteIpAddressMask is not zero, the rule will be applied to network activity with a remote address from the network remoteIpAddress & remoteIpAddressMask.
- filteringFlag
- A value from NF_FILTERING_FLAG enumeration.
- processName
- Process name mask. It can contain symbols * matching 0 or more symbols. The driver compares mask from the tail of process name, until the end of mask.
The mask is case insensitive. Also it is possible to specify a string representation of SID for AppContainer application instead of process name.
The internal representation of process names uses device names instead of drive letters. For example c:\ can be represented as \Device\HarddiskVolume0.
The driver letters are removed by nf_addRuleEx. If it is necessary to use the full path specifying the exact drive,
it is possible to get the appropriate device name using QueryDosDevice.
Examples:
firefox.exe - matches firefox.exe in any folder.
program files*firefox.exe - matches firefox.exe in any folder containing "program files" as a substring.
program files* - matches any process in any folder containing "program files" as a substring.
- localPortRange
- Local port range as NF_PORT_RANGE structure.
- remotePortRange
- Remote port range as NF_PORT_RANGE structure.
- redirectTo
- Address for TCP redirection as sockaddr_in or sockaddr_in6 when NF_REDIRECT flag is specified in filteringFlag field.
- localProxyProcessId
- Process id of a local proxy for TCP redirection when NF_REDIRECT flag is specified in filteringFlag field. It is necessary to specify this field when redirecting to a local proxy to avoid blocking redirected connection on Windows 8/10.
-
Remarks
NF_RULE_EX rules are added to the same list with NF_RULE. NF_RULE is treated as NF_RULE_EX without additional condition. So it is possible to add both types of rules in any order.
When NF_REDIRECT flag is specified in filteringFlag field, it is possible to get the original remote address of a redirected TCP connection
from local proxy by querying the accepted socket using this code, which requires Windows 8/10:
#ifndef SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT
#define SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT _WSAIOW(IOC_VENDOR, 221)
#endif
DWORD retLen = 0;
unsigned char remoteAddress[NF_MAX_ADDRESS_LENGTH];
int result = WSAIoctl(acceptSocket,
SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT,
0, NULL,
remoteAddress, NF_MAX_ADDRESS_LENGTH,
&retLen, NULL, NULL);
The description of common fields with
NF_RULE is applied to NF_RULE_EX.
Requirements
Driver type |
WFP, TDI
|
Header |
nfapi.h
|
Library |
nfapi.lib |