NF_RULE¶
A rule defines the filtering flag for network activity, described by other rule fields.
typedef struct _NF_RULE
{
int protocol; // IPPROTO_TCP or IPPROTO_UDP
unsigned long processId; // Process identifier
unsigned char direction; // See NF_DIRECTION (NF_D_IN, NF_D_OUT or NF_D_BOTH)
unsigned short localPort; // Local port
unsigned short remotePort; // Remote port
unsigned short ip_family; // AF_INET for IPv4 and AF_INET6 for IPv6
// Local IP (or network if localIpAddressMask is not zero)
unsigned char localIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
// Local IP mask
unsigned char localIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
// Remote IP (or network if remoteIpAddressMask is not zero)
unsigned char remoteIpAddress[NF_MAX_IP_ADDRESS_LENGTH];
// Remote IP mask
unsigned char remoteIpAddressMask[NF_MAX_IP_ADDRESS_LENGTH];
unsigned long filteringFlag; // See NF_FILTERING_FLAG
} NF_RULE, *PNF_RULE;
- protocol
Network protocol (IPPROTO_TCP or IPPROTO_UDP). Zero means any protocol.
- processId
Process identifier. Zero means any process.
- direction
The direction of network activity. Specify NF_D_IN for the inbound TCP connections and UDP datagrams, NF_D_OUT for the outbound TCP connections and UDP datagrams. Zero or NF_D_BOTH mean any direction.
- localPort
Local port.
- remotePort
Remote port.
- ip_family
Describes the family of IP addresses in rule. Specify AF_INET for IPv4 and AF_INET6 for IPv6. If ip_family is zero, the driver doesn’t use the IP addresses specified in a rule.
- localIpAddress
Local IPv4 or IPv6 address. Zero means any address.
- localIpAddressMask
If localIpAddressMask is not zero, the rule will be applied to network activity with a local address from the network localIpAddress & localIpAddressMask.
- remoteIpAddress
Remote IPv4 or IPv6 address. Zero means any address.
- remoteIpAddressMask
If remoteIpAddressMask is not zero, the rule will be applied to network activity with a remote address from the network remoteIpAddress & remoteIpAddressMask.
- filteringFlag
A value from NF_FILTERING_FLAG enumeration.
All ports and IP addresses in rule must have network byte order. Zero in rule field means that its value is undefined, and the field should be ignored.
The following values are allowed for filteringFlag:
- NF_ALLOW = 0
Allow the activity without filtering transmitted packets. This flag is applied to all network activity, which is not described by any rule.
- NF_BLOCK = 1
Block the activity.
- NF_FILTER = 2
Filter the transmitted packets. I.e. the packets will be indicated via NF_EventHandler methods.
- NF_INDICATE_CONNECT_REQUESTS = 16
Call tcpConnectRequest event before establishing an outgoing TCP connection. In this event it is possible to modify the fields filteringFlag and remoteAddress in NF_TCP_CONN_INFO structure. The changes are applied to the connection.
- NF_PEND_CONNECT_REQUEST = 64
Pend the connect request to complete it later using nf_complete(TCP|UDP)ConnectRequest. This flag can be assigned only from (tcp|udp)ConnectRequest events.
- NF_CONTROL_FLOW = 512
This flag can be added instead of NF_FILTER to apply flow control contexts for limiting and counting TCP/UDP traffic. When NF_CONTROL_FLOW is specified instead of NF_FILTER, the driver indicates only tcpConnectRequest/tcpConnected/tcpClosed and udpCreated/udpClosed events, i.e. doesn’t indicate the data packets for filtering. In this case there are no delays because of filtering the packets in user mode, but it is possible to use the control contexts to count and limit the traffic.
- NF_REDIRECT = 1024
Redirect the outgoing TCP connections inline in driver to the address specified in redirectTo. The additional field redirectTo required for redirection is available in NF_RULE_EX structure.