NetFilter SDK SockFilter

NetFilter SDK is a framework for transparent filtering the data packets transmitted via network. This is a high performance proxy-less solution, compatible with antiviruses/firewalls/other network filters. It suits for developing the content filters, basic application level firewalls, traffic analyzers/shapers, other software that requires viewing and modifying TCP/UDP traffic on Windows.

SDK consists of kernel mode and user mode parts. The kernel driver SockFilter works on the top of WinSock driver and filters TCP/UDP protocols. It has a simple user mode API, which can be used from C/C++/.NET/Delphi code.

Key features

• The solution allows filtering incoming/outgoing TCP connections and UDP datagrams in user mode application. It is possible to filter the specified subset of connections/datagrams, restricted by filtering rules. The outgoing TCP connections can be redirected to different address.

• By default the filtering is transparent for other filters, because the driver allows viewing and changing TCP/UDP data without redirecting the traffic to proxy and modifying the addresses. It reduces to minimum the probability of conflicts with antiviruses, firewalls and other filters.

• The filtering driver operates on transport level, on the top of TCP/IP stack. In effect it automatically supports all kinds of TCP/IP capable network adapters: Ethernet, Dial-up/DSL/Cable modems, wireless adapters including Wi-Fi and Bluetooth, virtual adapters like loopback or VPN.

• Both IPv6 and IPv4 are supported.

• The process context (as process identifier) is available for all network activity.

• The driver user level interface (API) is easy in use, but powerful.

• It is possible to control the speed of data transmission and count the traffic.

• The driver works in the same way on 32-bit and 64-bit Windows operating systems. It is possible to use 32-bit API for working with 64-bit driver.

• Installation
• Building drivers
• Using API
  • Usage scenarios
• Configurations
• Flow control contexts
• Driver registry settings
  • seclevel
  • disabledprotocols
• I found a bug in drivers
• Signing the drivers
• Frequently asked questions
• The differences of SockFilter driver from WFP
  • The advantages of SockFilter driver
  • The disadvantages of SockFilter driver
• API reference
  • Functions
    • Driver registration
      • nf_registerDriver()
      • nf_registerDriverEx()
      • nf_unRegisterDriver()
    • Initialization
      • nf_init()
      • nf_free()
      • nf_setOptions()
    • Filtering rules
      • nf_addRule()
      • nf_addRuleEx()
      • nf_setRules()
      • nf_setRulesEx()
      • nf_deleteRules()
    • TCP protocol
      • nf_tcpClose()
      • nf_tcpPostReceive()
      • nf_tcpPostSend()
      • nf_tcpSetConnectionState()
      • nf_tcpDisableFiltering()
      • nf_tcpSetSockOpt()
      • nf_tcpIsProxy()
      • nf_getTCPConnInfo()
      • nf_completeTCPConnectRequest()
      • nf_findOriginalRemoteAddress()
    • UDP protocol
      • nf_udpPostReceive()
      • nf_udpPostSend()
      • nf_udpSetConnectionState()
      • nf_udpDisableFiltering()
      • nf_getUDPConnInfo()
    • Flow control contexts and statistics
      • nf_addFlowCtl()
      • nf_deleteFlowCtl()
      • nf_modifyFlowCtl()
      • nf_setTCPFlowCtl()
      • nf_setUDPFlowCtl()
      • nf_getFlowCtlStat()
      • nf_getTCPStat()
      • nf_getUDPStat()
    • Common functions
      • nf_getProcessNameA()
      • nf_getProcessNameW()
      • nf_getProcessNameFromKernel()
  • Structures
    • NF_EventHandler
      • threadStart()
      • threadEnd()
      • tcpConnectRequest()
      • tcpConnected()
      • tcpClosed()
      • tcpReceive()
      • tcpSend()
      • tcpCanReceive()
      • tcpCanSend()
      • udpCreated()
      • udpConnectRequest()
      • udpClosed()
      • udpReceive()
      • udpSend()
      • udpCanReceive()
      • udpCanSend()
    • NF_RULE
    • NF_RULE_EX
    • NF_TCP_CONN_INFO
    • NF_UDP_CONN_INFO
    • NF_UDP_OPTIONS
    • NF_FLOWCTL_DATA
    • NF_FLOWCTL_STAT