NF_SRV_RULE

A rule defines the required action for network activity, described by other rule fields.

typedef enum _NF_SRV_DIRECTION
{
	NF_SRV_D_SRC_TO_DST = 0,	// Packets directed from source to destination
	NF_SRV_D_BOTH = 1			// Both directions
} NF_SRV_DIRECTION;

typedef enum _NF_SRV_FILTERING_FLAG
{
	NF_SRV_ALLOW = 0,		// Allow the activity 
	NF_SRV_BLOCK = 1,		// Block the activity
	NF_SRV_FILTER = 2,		// Filter the transmitted packets
} NF_SRV_FILTERING_FLAG;

typedef struct _NF_SRV_PORT_RANGE
{
    unsigned short valueLow;
    unsigned short valueHigh;
} NF_SRV_PORT_RANGE, *PNF_SRV_PORT_RANGE;

typedef struct _NF_IP_ADDRESS
{
	union 
	{
		DWORD	v4;
		UCHAR	v6[16];
	};
} NF_IP_ADDRESS, *PNF_IP_ADDRESS;

typedef struct _NF_ADDRESS
{
	unsigned char	ipFamily;
	unsigned short	port;
	NF_IP_ADDRESS	ip;
} NF_ADDRESS, *PNF_ADDRESS;

typedef struct _NF_SRV_RULE_ACTION
{
	NF_ADDRESS	tcpRedirectTo;	// Local address for redirecting TCP when NF_SRV_FILTER flag is set in filteringFlag
	NF_ADDRESS	udpRedirectTo;	// Local address for redirecting UDP when NF_SRV_FILTER flag is set in filteringFlag
	unsigned int	fcHandle;	// Flow control context
	unsigned long	filteringFlag;	// See NF_SRV_FILTERING_FLAG
} NF_SRV_RULE_ACTION, *PNF_SRV_RULE_ACTION;

#ifndef NF_MAX_IP_ADDRESS_LENGTH
#define NF_MAX_IP_ADDRESS_LENGTH	16
#endif

typedef struct _NF_SRV_RULE
{
    unsigned short	ip_family;	// AF_INET for IPv4 and AF_INET6 for IPv6
    int			protocol;	// IPPROTO_TCP, IPPROTO_UDP, ...
    unsigned __int64	interfaceLuid; // Luid of the network interface

    // NF_D_SRC_TO_DST - apply the rule to traffic directed from source to destination
    // NF_D_BOTH - apply the rule to all traffic between 
    //		the specified destination and source IP addresses and ports
    NF_SRV_DIRECTION direction;	

    NF_SRV_PORT_RANGE	srcPort;	// Source port(s)
    NF_SRV_PORT_RANGE	dstPort;	// Destination port(s)
	
    // Source IP (or network if srcIpAddressMask is not zero)
    unsigned char	srcIpAddress[NF_MAX_IP_ADDRESS_LENGTH];	
    // Source IP mask
    unsigned char	srcIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; 
	
    // Destination IP (or network if remoteIpAddressMask is not zero)
    unsigned char	dstIpAddress[NF_MAX_IP_ADDRESS_LENGTH]; 
    // Destination IP mask
    unsigned char	dstIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH]; 

    NF_SRV_RULE_ACTION		action;	// Rule action fields
} NF_SRV_RULE, *PNF_SRV_RULE;

NF_SRV_RULE members

ip_family

Describes the family of IP addresses in rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver doesn't use the IP addresses specified in a rule.

protocol

Network protocol (IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP etc.). Zero means any protocol.

interfaceLuid

Identifier of a network interface for applying the rule.

direction

The direction of network activity. The default value NF_SRV_D_SRC_TO_DST instructs to apply the IP and port conditions as-is for source and destination IP and port. NF_SRV_D_BOTH makes the driver to apply the IP and port conditions also to backward traffic. It allows to avoid using an additional rule with swapped source and destination conditions when it is necessary to bypass or block the traffic in both directions.

srcPort

Source port range (the ports are in host order).

dstPort

Destination port range (the ports are in host order).

srcIpAddress

Source IPv4 or IPv6 address. Zero means any address.

srcIpAddressMask

If srcIpAddressMask is not zero, the rule is applied to network activity with a source address from the network srcIpAddress & srcIpAddressMask.

dstIpAddress

Destination IPv4 or IPv6 address. Zero means any address.

dstIpAddressMask

If dstIpAddressMask is not zero, the rule is applied to network activity with a destination address from the network dstIpAddress & dstIpAddressMask.

action

NF_SRV_RULE_ACTION structure specifying the required rule actions.

 

NF_SRV_RULE_ACTION members

tcpRedirectTo

Specifies IP and port of a local proxy for redirection of filtered TCP connections. Zeros means that the library must assign the IP and port of internal TCP proxy.

udpRedirectTo

Specifies IP and port of a local proxy for redirection of filtered UDP packets. Zeros means that the library must assign the IP and port of internal UDP proxy.

fcHandle

Flow control handle for the suitable network activity. Zero means no handle.

filteringFlag

NF_SRV_ALLOW = 0
Allow the activity without filtering transmitted packets. This flag is applied to all network activity, which is not described by any rule.
NF_SRV_BLOCK = 1
Block the activity.
NF_SRV_FILTER = 2
Filter the transmitted packets by redirecting them to local proxies.

Remarks

The IP addresses in rule must have network byte order. The port ranges are in host byte order. Zero in rule field means that it's value is undefined, and the field should be ignored.

Requirements

Header

nfsrvapi.h