Pass incoming objects through without filtering.
Pass outgoing objects through without filtering.
Filter incoming objects in read-only mode. Filters with this flag pass the incoming packets through to the destination immediately, and indicate classified objects with the read-only flag.
Filter outgoing objects in read-only mode. Filters with this flag pass the outgoing packets through to the destination immediately, and indicate classified objects with the read-only flag.
SSL filter flags:
Decode SSL/TLS sessions. For example, this flag should be used when filtering the POP3 and SMTP protocols after the STARTTLS command.
Generate self-signed certificates instead of using a root CA. By default the library generates chained certificates when filtering SSL sessions, signed by a root certificate with the subject specified in the pf_setRootSSLCertSubject call (default root: NetFilterSDK). This flag instructs the library to generate self-signed certificates and add them to Windows storage automatically.
Indicate OT_SSL_HANDSHAKE_OUTGOING/OT_SSL_HANDSHAKE_INCOMING via dataPartAvailable
Try to detect the TLS handshake automatically in the first 8 kilobytes of packets.
Use RC4 for SSL sessions with local and remote endpoints
Verify server certificates and don't filter SSL if the certificate is not valid
Filter SSL connections when the server requests a client certificate. This method requires the appropriate client certificates to be in Windows certificate storage with an exportable private key.
Indicate OT_SSL_SERVER_CERTIFICATE via dataPartAvailable
Indicate OT_SSL_EXCEPTION via dataPartAvailable
Support the ALPN TLS extension for negotiating next protocols (HTTP/2, SPDY)
Indicate OT_SSL_CLIENT_CERT_REQUEST via dataPartAvailable
Don't encode the traffic between proxy and server
Instructs the library to copy serial numbers from the original server certificates.
Don't import the generated self-signed certificates to trusted storages
Disable TLS 1.0 protocol support for the connection with remote servers
Disable TLS 1.1 protocol support for the connection with remote servers
Enable automatic switching to the old TLS 1.0 protocol when the server doesn't support newer versions
Use strict rules when FF_SSL_VERIFY flag is enabled
Enable Signed Certificate Timestamps verification for server certificates when the FF_SSL_VERIFY flag is enabled
The flag FF_SSL_INDICATE_ALPN_SELECT_PROTOCOL enables indication of each ALPN protocol offered by the client via dataPartAvailable as OT_SSL_HANDSHAKE_OUTGOING_PROTOCOL objects
HTTP filter flags:
By default the filter sends pipelined requests one at a time, each after receiving a response
from the server for the previous request. This flag instructs the filter to send all pipelined
Indicate via dataAvailable the objects of types OT_HTTP_SKIPPED_REQUEST_COMPLETE
and OT_HTTP_SKIPPED_RESPONSE_COMPLETE. When a filtering application returns DPCR_BYPASS
or DPCR_BLOCK from dataPartAvailable, or specifies the flags FF_DONT_FILTER_IN/FF_DONT_FILTER_OUT
for the HTTP filter, the filter doesn't save the contents of transmitted HTTP objects,
but indicates the completion of skipped HTTP objects as OT_HTTP_SKIPPED_REQUEST_COMPLETE/OT_HTTP_SKIPPED_RESPONSE_COMPLETE.
Objects of these types contain only two streams: HS_STATUS and HS_HEADER.
Block the SPDY protocol
This flag is required to filter WebSocket data