i see that FWPM_CONDITION_IP_DESTINATION_ADDRESS_TYPE represents "the destination IP address type for forwarded packets."
this condition is supported for the following layers
- FWPM_LAYER_IPFORWARD
- FWPM_LAYER_OUTBOUND_TRANSPORT
- FWPM_LAYER_ALE_CONNECT_REDIRECT
- FWPM_LAYER_ALE_AUTH_CONNECT
- FWPM_LAYER_ALE_FLOW_ESTABLISHED
but for the enumeration type, the condition is described as "The destination IP address type"
e.g: FWPS_FIELDS_ALE_AUTH_CONNECT_V4 / FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_DESTINATION_ADDRESS_TYPE
so I've a few concerns here
- WFP uses a local/remote name convention with a direction flag, but in this case, it provides a destination for ALE layers which is quite unusual, Why doesn't provide FWPM_CONDITION_IP_REMOTE_ADDRESS_TYPE ?
- moreover, except for ipforward and flow established, i see it's supported for outbound layers so in this case local = source, remote = destination, therefore, can i assume that FWPM_CONDITION_IP_DESTINATION_ADDRESS_TYPE provides the address type of the remote address? for testing: I've added logs to callout that associate with FWPM_LAYER_ALE_AUTH_CONNECT and seems that for "authorization", FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_DESTINATION_ADDRESS_TYPE provides the expected address type for remote address (btw, for "reauthorization" it doesn't work well)
- does FWPM_CONDITION_IP_DESTINATION_ADDRESS_TYPE have a wrong description? or should i use it only for forwarded packets?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 3%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOE%3C/text%3E%3C/svg%3E)
