A rule defines the filtering flag to apply to network activity that matches the conditions described by the other rule fields.
typedef struct _NF_RULE_EX
{
    int protocol; // IPPROTO_TCP or IPPROTO_UDP
    unsigned long processId; // Process identifier
    unsigned char direction; // See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
    unsigned short localPort; // Local port
    unsigned short remotePort; // Remote port
    unsigned short ip_family; // AF_INET for IPv4 and AF_INET6 for IPv6
    // Local IP (or network if localIpAddressMask is not zero)
    unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
    // Local IP mask
    unsigned char localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    // Remote IP (or network if remoteIpAddressMask is not zero)
    unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
    // Remote IP mask
    unsigned char remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned long filteringFlag; // See NF_FILTERING_FLAG
    // Process name tail mask (supports * as 0 or more symbols)
    wchar_t processName[MAX_PATH];
} NF_RULE_EX, *PNF_RULE_EX;
- protocol: Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
- processId: Process identifier. Zero means any process.
- direction: The direction of network activity. Specify NF_D_IN for inbound TCP connections and UDP datagrams, NF_D_OUT for outbound TCP connections and UDP datagrams. Zero or NF_D_BOTH means any direction.
- localPort: Local port.
- remotePort: Remote port.
- ip_family: The family of the IP addresses in the rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver does not use the IP addresses specified in the rule.
- localIpAddress: Local IPv4 or IPv6 address. Zero means any address.
- localIpAddressMask: If localIpAddressMask is not zero, the rule applies to network activity whose local address belongs to the network localIpAddress & localIpAddressMask.
- remoteIpAddress: Remote IPv4 or IPv6 address. Zero means any address.
- remoteIpAddressMask: If remoteIpAddressMask is not zero, the rule applies to network activity whose remote address belongs to the network remoteIpAddress & remoteIpAddressMask.
- filteringFlag: A value from the NF_FILTERING_FLAG enumeration.
- processName: Process name mask. It can contain the symbol *, which matches 0 or more symbols. The driver compares the mask against the process name starting from the tail of the name and continuing until the end of the mask is reached.
The mask is case insensitive. Instead of a process name, it is also possible to specify the string representation of an AppContainer application's SID.
The internal representation of process names uses device names instead of drive letters; for example, c:\ can be represented as \Device\HarddiskVolume0.
Drive letters are removed by nf_addRuleEx. If it is necessary to use a full path that specifies the exact drive,
the appropriate device name can be obtained with QueryDosDevice.
firefox.exe - matches firefox.exe in any folder.
program files*firefox.exe - matches firefox.exe in any folder containing "program files" as a substring.
program files* - matches any process in any folder containing "program files" as a substring.
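To check how the tail mask and the remote-network condition described above behave before a rule set is handed to nf_addRuleEx, here is an added host-side model (example code, not part of the NetFilter SDK). It assumes a local stand-in struct mirroring the NF_RULE_EX fields above; the helper names glob_ci, tail_mask_match and rule_matches_remote are hypothetical.

```c
#include <wchar.h>
#include <wctype.h>
#define NF_MAX_IP_ADDRESS_LENGTH 16 /* 4 bytes used for IPv4, all 16 for IPv6 */
#define MAX_PATH 260
/* Local stand-in mirroring the NF_RULE_EX fields above (the SDK's own header supplies the real one). */
typedef struct _NF_RULE_EX {
    int protocol; unsigned long processId; unsigned char direction;
    unsigned short localPort, remotePort, ip_family;
    unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH], localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH], remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned long filteringFlag;
    wchar_t processName[MAX_PATH];
} NF_RULE_EX;
/* Case-insensitive glob where '*' matches 0 or more characters, anchored at both ends. */
static int glob_ci(const wchar_t *m, const wchar_t *s) {
    const wchar_t *star = NULL, *rewind = NULL;
    while (*s) {
        if (*m == L'*') { star = m++; rewind = s; }
        else if (*m && towlower(*m) == towlower(*s)) { m++; s++; }
        else if (star) { m = star + 1; s = ++rewind; }
        else return 0;
    }
    while (*m == L'*') m++;
    return *m == 0;
}

/* Tail mask as described above: the mask may begin anywhere in the device-path
 * form of the process name but must cover the name's end; an empty mask matches any process. */
int tail_mask_match(const wchar_t *mask, const wchar_t *name) {
    for (const wchar_t *p = name; ; p++) {
        if (glob_ci(mask, p)) return 1;
        if (*p == 0) return 0;
    }
}

/* Remote-address condition: ip_family 0 or an all-zero address matches any address; a non-zero
 * mask turns the test into a network test. addr is NF_MAX_IP_ADDRESS_LENGTH bytes, zero-padded for IPv4. */
int rule_matches_remote(const NF_RULE_EX *r, const unsigned char *addr) {
    int any_addr = 1, has_mask = 0;
    for (int i = 0; i < NF_MAX_IP_ADDRESS_LENGTH; i++) {
        any_addr &= (r->remoteIpAddress[i] == 0);
        has_mask |= (r->remoteIpAddressMask[i] != 0);
    }
    if (r->ip_family == 0 || any_addr) return 1;
    for (int i = 0; i < NF_MAX_IP_ADDRESS_LENGTH; i++) {
        unsigned char m = has_mask ? r->remoteIpAddressMask[i] : 0xFF; /* zero mask: exact address */
        if ((addr[i] & m) != (r->remoteIpAddress[i] & m)) return 0;
    }
    return 1;
}
```

The sample paths and addresses used when exercising these functions are constructed; the matcher assumes the name has already been converted to its \Device\... form, as nf_addRuleEx does.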
NF_RULE_EX rules are added to the same list as NF_RULE rules. An NF_RULE is treated as an NF_RULE_EX without the additional condition, so both rule types can be added in any order.
The description of the fields shared with NF_RULE also applies to NF_RULE_EX.