NF_RULE_EX

A rule specifies the filtering flag applied to network activity that matches the conditions described by the other rule fields.

typedef struct _NF_PORT_RANGE
{
        unsigned short  valueLow;
        unsigned short  valueHigh;
} NF_PORT_RANGE, *PNF_PORT_RANGE;

typedef struct _NF_RULE_EX
{
        int             protocol;       // IPPROTO_TCP or IPPROTO_UDP
        unsigned long   processId;      // Process identifier
        unsigned char   direction;      // See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
        unsigned short  localPort;      // Local port
        unsigned short  remotePort;     // Remote port
        unsigned short  ip_family;      // AF_INET for IPv4 and AF_INET6 for IPv6

        // Local IP (or network if localIpAddressMask is not zero)
        unsigned char   localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];

        // Local IP mask
        unsigned char   localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];

        // Remote IP (or network if remoteIpAddressMask is not zero)
        unsigned char   remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];

        // Remote IP mask
        unsigned char   remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];

        unsigned long   filteringFlag;  // See NF_FILTERING_FLAG

        // Process name tail mask (supports * as 0 or more symbols)
        wchar_t         processName[MAX_PATH];

        NF_PORT_RANGE   localPortRange;  // Local port(s)
        NF_PORT_RANGE   remotePortRange; // Remote port(s)

        // Remote address for redirection as sockaddr_in for IPv4 and sockaddr_in6 for IPv6
        unsigned char   redirectTo[NF_MAX_ADDRESS_LENGTH];

        // Process identifier of a local proxy
        unsigned long   localProxyProcessId;
} NF_RULE_EX, *PNF_RULE_EX;

protocol

Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.

processId

Process identifier. Zero means any process.

direction

The direction of network activity. Specify NF_D_IN for inbound TCP connections and UDP datagrams, NF_D_OUT for outbound TCP connections and UDP datagrams. Zero or NF_D_BOTH means any direction.

localPort

Local port.

remotePort

Remote port.

ip_family

Describes the family of the IP addresses in the rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver doesn't use the IP addresses specified in the rule.

localIpAddress

Local IPv4 or IPv6 address. Zero means any address.

localIpAddressMask

If localIpAddressMask is not zero, the rule is applied to network activity whose local address belongs to the network localIpAddress & localIpAddressMask.

remoteIpAddress

Remote IPv4 or IPv6 address. Zero means any address.

remoteIpAddressMask

If remoteIpAddressMask is not zero, the rule is applied to network activity whose remote address belongs to the network remoteIpAddress & remoteIpAddressMask.

filteringFlag

A value from NF_FILTERING_FLAG enumeration.

processName

Process name mask. It can contain the symbol *, which matches 0 or more characters. The driver compares the mask against the tail of the process name, until the end of the mask is reached. The comparison is case insensitive. It is also possible to specify the string representation of an AppContainer application's SID instead of a process name. The internal representation of process names uses device names instead of drive letters; for example, c:\ can be represented as \Device\HarddiskVolume0. Drive letters are removed by nf_addRuleEx. If it is necessary to specify the full path including the exact drive, the appropriate device name can be obtained using QueryDosDevice.

Examples:

firefox.exe - matches firefox.exe in any folder.

program files*firefox.exe - matches firefox.exe in any folder containing “program files” as a substring.

program files* - matches any process in any folder containing “program files” as a substring.

localPortRange

Local port range as NF_PORT_RANGE structure.

remotePortRange

Remote port range as NF_PORT_RANGE structure.

redirectTo

Address for TCP redirection as sockaddr_in or sockaddr_in6, used when the NF_REDIRECT flag is specified in the filteringFlag field.

localProxyProcessId

Not used.

NF_RULE_EX rules are added to the same list as NF_RULE rules. An NF_RULE is treated as an NF_RULE_EX without the additional conditions, so both types of rules can be added in any order.

When the NF_REDIRECT flag is specified in the filteringFlag field, the local proxy in the filtering process can obtain the original remote address of a redirected TCP connection by its local port using nf_findOriginalRemoteAddress().

The description of common fields with NF_RULE is applicable to NF_RULE_EX.
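The following is an added example, not code from the NetFilter SDK: a userland model of how a rule with the field semantics described above (zero means any, address & mask selects a network, the process-name mask is anchored at the tail, first matching rule in list order decides) is evaluated against a connection. The RULE_EX and CONN_INFO structs, the NF_D_*/NF_ALLOW/NF_BLOCK values, the narrow-string processName and the NF_ALLOW fallback when no rule matches are local assumptions made so the file builds without nfapi.h; the sample rule set and connections are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define NF_MAX_IP_ADDRESS_LENGTH 16      /* 16 bytes holds an IPv6 address (assumed) */
#define MAX_PATH 260
#define RULE_AF_INET 2                   /* Winsock AF_INET value, defined locally */

enum { NF_D_IN = 1, NF_D_OUT = 2, NF_D_BOTH = 3 };   /* assumed values */
enum { NF_ALLOW = 0, NF_BLOCK = 1 };                 /* assumed values */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };              /* IANA protocol numbers */

typedef struct { unsigned short valueLow, valueHigh; } NF_PORT_RANGE;

typedef struct {                 /* the NF_RULE_EX fields this matcher consults */
    int protocol; unsigned long processId; unsigned char direction;
    unsigned short localPort, remotePort, ip_family;
    unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH], localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH], remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
    unsigned long filteringFlag;
    char processName[MAX_PATH];  /* narrow string here; the SDK field is wchar_t */
    NF_PORT_RANGE localPortRange, remotePortRange;
} RULE_EX;

typedef struct {                 /* constructed: one connection to evaluate */
    int protocol; unsigned long processId; unsigned char direction;
    unsigned short ip_family, localPort, remotePort;
    unsigned char localIp[NF_MAX_IP_ADDRESS_LENGTH], remoteIp[NF_MAX_IP_ADDRESS_LENGTH];
    const char *processName;     /* device-name form, as the driver sees it */
} CONN_INFO;

static int all_zero(const unsigned char *b, size_t n) { while (n--) if (*b++) return 0; return 1; }

/* Zero rule address = any; nonzero mask = network match; otherwise exact match. */
static int ip_matches(const unsigned char *addr, const unsigned char *rule, const unsigned char *mask, size_t n) {
    size_t i;
    if (all_zero(mask, n)) return all_zero(rule, n) || memcmp(addr, rule, n) == 0;
    for (i = 0; i < n; i++) if ((addr[i] & mask[i]) != (rule[i] & mask[i])) return 0;
    return 1;
}

/* Exact port (zero = any) and, when the range is set, low <= port <= high. */
static int port_matches(unsigned short port, unsigned short exact, NF_PORT_RANGE r) {
    if (exact && port != exact) return 0;
    if ((r.valueLow || r.valueHigh) && (port < r.valueLow || port > r.valueHigh)) return 0;
    return 1;
}

/* Case-insensitive match of pat (only '*' is special) against the whole of s. */
static int glob_match(const char *pat, const char *s) {
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *s; s++) if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || tolower((unsigned char)*pat) != tolower((unsigned char)*s)) return 0;
        pat++; s++;
    }
    return *s == '\0';
}

/* The mask is anchored at the tail of the name, so any suffix of the name may match it. */
static int process_name_matches(const char *mask, const char *name) {
    const char *p;
    if (!mask[0]) return 1;
    for (p = name; *p; p++) if (glob_match(mask, p)) return 1;
    return 0;
}

static int rule_matches(const RULE_EX *r, const CONN_INFO *c) {
    if (r->protocol && r->protocol != c->protocol) return 0;
    if (r->processId && r->processId != c->processId) return 0;
    if (r->direction && r->direction != NF_D_BOTH && r->direction != c->direction) return 0;
    if (!port_matches(c->localPort, r->localPort, r->localPortRange)) return 0;
    if (!port_matches(c->remotePort, r->remotePort, r->remotePortRange)) return 0;
    if (r->ip_family) {          /* zero ip_family: the rule's addresses are ignored */
        if (r->ip_family != c->ip_family) return 0;
        if (!ip_matches(c->localIp, r->localIpAddress, r->localIpAddressMask, NF_MAX_IP_ADDRESS_LENGTH)) return 0;
        if (!ip_matches(c->remoteIp, r->remoteIpAddress, r->remoteIpAddressMask, NF_MAX_IP_ADDRESS_LENGTH)) return 0;
    }
    return process_name_matches(r->processName, c->processName);
}

/* First matching rule in list order decides; no match falls back to NF_ALLOW (assumed default). */
static unsigned long decide(const RULE_EX *rules, size_t n, const CONN_INFO *c) {
    size_t i;
    for (i = 0; i < n; i++) if (rule_matches(&rules[i], c)) return rules[i].filteringFlag;
    return NF_ALLOW;
}

/* Constructed rule set: block firefox.exe under a "program files" folder talking
 * outbound TCP to 10.0.0.0/8 on ports 1-1023; a final all-zero rule allows the rest. */
static size_t build_demo_rules(RULE_EX *out) {
    static const unsigned char net[4] = {10, 0, 0, 0}, mask[4] = {255, 0, 0, 0};
    memset(out, 0, 2 * sizeof *out);
    out[0].protocol = PROTO_TCP; out[0].direction = NF_D_OUT; out[0].ip_family = RULE_AF_INET;
    memcpy(out[0].remoteIpAddress, net, 4); memcpy(out[0].remoteIpAddressMask, mask, 4);
    out[0].remotePortRange.valueLow = 1; out[0].remotePortRange.valueHigh = 1023;
    strcpy(out[0].processName, "program files*firefox.exe");
    out[0].filteringFlag = NF_BLOCK;
    out[1].filteringFlag = NF_ALLOW;
    return 2;
}

/* Constructed outbound IPv4 TCP connection from the given process to remote_v4:rport. */
static CONN_INFO make_conn(const char *proc, const unsigned char remote_v4[4], unsigned short rport) {
    CONN_INFO c;
    memset(&c, 0, sizeof c);
    c.protocol = PROTO_TCP; c.direction = NF_D_OUT; c.ip_family = RULE_AF_INET;
    c.localPort = 50000; c.remotePort = rport;
    memcpy(c.remoteIp, remote_v4, 4);
    c.processName = proc;
    return c;
}
```

Because the mask is compared from the tail, a bare "firefox.exe" also matches a process named "myfirefox.exe"; when a rule is meant to pin down one binary, include the preceding path separator or the full device path (obtained with QueryDosDevice) in the mask, and remember that the all-zero rule at the end of the list is the catch-all that every unmatched connection reaches.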