A rule defines the filtering flag to apply to network activity that matches the conditions given by its other fields.

typedef struct _NF_RULE_EX
{
	int		protocol;	// IPPROTO_TCP or IPPROTO_UDP
	unsigned long	processId;	// Process identifier
	unsigned char	direction;	// See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
	unsigned short	localPort;	// Local port
	unsigned short	remotePort;	// Remote port
	unsigned short	ip_family;	// AF_INET for IPv4 and AF_INET6 for IPv6
	// Local IP (or network if localIpAddressMask is not zero)
	unsigned char	localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
	// Local IP mask
	unsigned char	localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
	// Remote IP (or network if remoteIpAddressMask is not zero)
	unsigned char	remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
	// Remote IP mask
	unsigned char	remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];

	unsigned long	filteringFlag;	// See NF_FILTERING_FLAG

	// Process name tail mask (supports * as 0 or more symbols)
	wchar_t		processName[MAX_PATH];
} NF_RULE_EX, *PNF_RULE_EX;


protocol - Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
processId - Process identifier. Zero means any process.
direction - The direction of network activity. Specify NF_D_IN for inbound TCP connections and UDP datagrams, NF_D_OUT for outbound TCP connections and UDP datagrams. Zero or NF_D_BOTH means any direction.
localPort - Local port.
remotePort - Remote port.
ip_family - The family of the IP addresses in the rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver does not use the IP addresses specified in the rule.
localIpAddress - Local IPv4 or IPv6 address. Zero means any address.
localIpAddressMask - If localIpAddressMask is not zero, the rule applies to network activity whose local address belongs to the network localIpAddress & localIpAddressMask.
remoteIpAddress - Remote IPv4 or IPv6 address. Zero means any address.
remoteIpAddressMask - If remoteIpAddressMask is not zero, the rule applies to network activity whose remote address belongs to the network remoteIpAddress & remoteIpAddressMask.
filteringFlag - A value from the NF_FILTERING_FLAG enumeration.
processName - Process name mask. It can contain the * symbol, which matches zero or more characters. The driver compares the mask against the process name starting from the tail of the name and continuing until the end of the mask is reached; any leading part of the name not covered by the mask is ignored. The comparison is case-insensitive.
The internal representation of process names uses device names instead of drive letters. For example, c:\ can be represented as \Device\HarddiskVolume0. Drive letters are removed from the mask by nf_addRuleEx. If it is necessary to use a full path that specifies the exact drive, obtain the corresponding device name using QueryDosDevice.

Examples of process name masks:
firefox.exe - matches firefox.exe in any folder.
program files*firefox.exe - matches firefox.exe in any folder containing "program files" as a substring.
program files* - matches any process in any folder containing "program files" as a substring.
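The tail-anchored mask matching described above, written out as an added illustration for this page (it is not SDK code, and nf_tail_mask_match and tail_match are hypothetical names). Matching walks both strings backwards, treats * as zero or more characters, compares case-insensitively, and ignores whatever part of the name remains once the mask is consumed, so the three masks listed above behave as documented against a device-style path.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical helper (not part of the SDK): match 'mask' against the tail
 * of 'name'. n and m are the lengths of the not-yet-matched prefixes. */
static int tail_match(const wchar_t *name, size_t n, const wchar_t *mask, size_t m)
{
    while (m > 0) {
        wchar_t mc = mask[m - 1];
        if (mc == L'*') {
            /* Collapse a run of '*' and then try every possible split point:
             * the '*' may swallow zero characters up to the whole remaining prefix. */
            while (m > 0 && mask[m - 1] == L'*') m--;
            if (m == 0) return 1;            /* mask was all '*': matches anything */
            for (size_t k = 0; k <= n; k++)
                if (tail_match(name, k, mask, m)) return 1;
            return 0;
        }
        if (n == 0) return 0;                /* name exhausted before the mask */
        if (towlower((wint_t)name[n - 1]) != towlower((wint_t)mc)) return 0;
        n--; m--;                            /* literal character matched, step back */
    }
    return 1;  /* mask consumed: the leading part of the name is irrelevant */
}

/* Returns 1 if 'mask' matches the tail of 'processName', 0 otherwise. */
int nf_tail_mask_match(const wchar_t *processName, const wchar_t *mask)
{
    return tail_match(processName, wcslen(processName), mask, wcslen(mask));
}
```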


NF_RULE_EX rules are added to the same list as NF_RULE rules. An NF_RULE is treated as an NF_RULE_EX without the additional condition, so both types of rules can be added in any order.
The descriptions of the fields shared with NF_RULE apply to NF_RULE_EX as well.


Driver type: WFP, TDI
Header: nfapi.h
Library: nfapi.lib