NF_RULE_EX

A rule specifies the filtering flag to apply to network activity that matches the conditions given by the other rule fields.

typedef struct _NF_PORT_RANGE
{
    unsigned short valueLow;
    unsigned short valueHigh;
} NF_PORT_RANGE, *PNF_PORT_RANGE;

typedef struct _NF_RULE_EX
{
	int		protocol;	// IPPROTO_TCP or IPPROTO_UDP        
	unsigned long	processId;	// Process identifier
	unsigned char	direction;	// See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
	unsigned short	localPort;	// Local port
	unsigned short	remotePort;	// Remote port
	unsigned short	ip_family;	// AF_INET for IPv4 and AF_INET6 for IPv6
	
	// Local IP (or network if localIpAddressMask is not zero)
	unsigned char	localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];	
	
	// Local IP mask
	unsigned char	localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; 
	
	// Remote IP (or network if remoteIpAddressMask is not zero)
	unsigned char	remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH]; 
	
	// Remote IP mask
	unsigned char	remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; 

	unsigned long	filteringFlag;	// See NF_FILTERING_FLAG

	// Process name tail mask (supports * as 0 or more symbols)
	wchar_t			processName[MAX_PATH];

	NF_PORT_RANGE	localPortRange; // Local port(s)
	NF_PORT_RANGE	remotePortRange; // Remote port(s)

	// Remote address for redirection as sockaddr_in for IPv4 and sockaddr_in6 for IPv6
	unsigned char	redirectTo[NF_MAX_ADDRESS_LENGTH];
	// Process identifier of a local proxy
	unsigned long	localProxyProcessId;	

} NF_RULE_EX, *PNF_RULE_EX;

Members

protocol
Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
processId
Process identifier. Zero means any process.
direction
The direction of network activity. Specify NF_D_IN for inbound TCP connections and UDP datagrams, NF_D_OUT for outbound TCP connections and UDP datagrams. Zero or NF_D_BOTH means any direction.
localPort
Local port.
remotePort
Remote port.
ip_family
Describes the family of IP addresses in the rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver doesn't use the IP addresses specified in the rule.
localIpAddress
Local IPv4 or IPv6 address. Zero means any address.
localIpAddressMask
If localIpAddressMask is not zero, the rule will be applied to network activity with a local address from the network localIpAddress & localIpAddressMask.
remoteIpAddress
Remote IPv4 or IPv6 address. Zero means any address.
remoteIpAddressMask
If remoteIpAddressMask is not zero, the rule will be applied to network activity with a remote address from the network remoteIpAddress & remoteIpAddressMask.
filteringFlag
A value from NF_FILTERING_FLAG enumeration.
processName
Process name mask. It can contain the symbol *, which matches 0 or more characters. The driver compares the mask starting from the tail of the process name, until the end of the mask. The mask is case insensitive. It is also possible to specify the string representation of an AppContainer application's SID instead of a process name.
The internal representation of process names uses device names instead of drive letters; for example, c:\ can be represented as \Device\HarddiskVolume0. Drive letters are removed by nf_addRuleEx. If it is necessary to use a full path specifying the exact drive, the appropriate device name can be obtained using QueryDosDevice.

Examples:
firefox.exe - matches firefox.exe in any folder.
program files*firefox.exe - matches firefox.exe in any folder containing "program files" as a substring.
program files* - matches any process in any folder containing "program files" as a substring.
localPortRange
Local port range as NF_PORT_RANGE structure.
remotePortRange
Remote port range as NF_PORT_RANGE structure.
redirectTo
Address for TCP redirection as sockaddr_in or sockaddr_in6 when NF_REDIRECT flag is specified in filteringFlag field.
localProxyProcessId
Process id of the local proxy for TCP redirection when the NF_REDIRECT flag is specified in the filteringFlag field. This field must be specified when redirecting to a local proxy, otherwise the redirected connection is blocked on Windows 8/10.

Remarks

NF_RULE_EX rules are added to the same list as NF_RULE. An NF_RULE is treated as an NF_RULE_EX without the additional conditions, so both types of rules can be added in any order.

When the NF_REDIRECT flag is specified in the filteringFlag field, the local proxy can obtain the original remote address of a redirected TCP connection by querying the accepted socket with the following code, which requires Windows 8/10:
#include <winsock2.h>
#include <mstcpip.h>
#include "nfapi.h"

// Older SDK headers do not define this control code
#ifndef SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT
#define SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT  _WSAIOW(IOC_VENDOR, 221)
#endif

// acceptSocket is the SOCKET returned by accept() in the local proxy
DWORD retLen = 0;
unsigned char remoteAddress[NF_MAX_ADDRESS_LENGTH]; // receives sockaddr_in or sockaddr_in6
int result = WSAIoctl(acceptSocket,
        SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT,
        NULL, 0,                            // no input buffer
        remoteAddress, NF_MAX_ADDRESS_LENGTH,
        &retLen, NULL, NULL);
if (result != 0)
{
    // Query failed; WSAGetLastError() gives the reason
}

The descriptions of the fields NF_RULE_EX shares with NF_RULE also apply to NF_RULE_EX.

Requirements

Driver type: WFP, TDI
Header: nfapi.h
Library: nfapi.lib