Windows Filtering Platform (WFP). Filter arbitration

Question

Windows Filtering Platform (WFP). Filter arbitration

Mattew Frazer 0

I was reading documentation here https://learn.microsoft.com/en-us/windows/win32/fwp/filter-arbitration about WFP filter arbitration. I was looking for some clarity around the following:

The document states the following in regards to filter arbitration at the layer level of granularity: "Evaluate all sub-layers even if a higher priority sub-layer has decided to block the traffic."
The next line states the following: "Return the resulting action based on the policy rules described in the following section."
The following section goes on to say the following about the rules governing filter arbitration at the granularity of the layer: ""Block" is final (cannot be overridden) and stops the evaluation. The packet is discarded."

To me these statements seem to be a contradictory. Which is it? Is that all the sublayers are evaluated or is it that if a sublayer gives a BLOCK response that the evaluation is short circuited? Is there something I'm otherwise missing?

Gary Nebbett 6,216 Reputation points

2023-10-21T09:17:01.9633333+00:00

Hello Mattew,

If you read that documentation carefully, especially focusing on the FWPS_RIGHT_ACTION_WRITE flag, you should see that "Block" can sometimes be overridden (i.e. it is a "soft block").

Gary
Mattew Frazer 0 Reputation points

2023-10-21T13:54:21.37+00:00

Hi Gary,
Thank you for your comment. My question is more in the way of don't all the sublayers get evaluated no matter what? Isn't that one of the main reasons for using a custom sublayer? The part that says BLOCK is final isn't confusing to me, the next part that says it stops evaluation at the granularity of the layer is. By stops evaluation does that mean "effectively" stops evaluation as in the sublayers will be evaluated, but the response will not be effected? To me it seems to contradict when one part mentions how all sublayers get evaluated even when a higher level sublayer responds with BLOCK and another says that BLOCK stops sublayer evaluation. I do see this "These rules are used by the filter engine to decide which one of the sub-layer actions is applied to the network traffic". Does that mean it is only referring to the response itself and not the evaluation of the sublayers?

Gary Nebbett 6,216

Hello Mattew,

All of the sublayers in an applicable layer are evaluated. This can be seen when looking at drop/block events:

<item>
  <header>
    <timeStamp>2023-10-22T16:44:59.835Z</timeStamp>
    <flags numItems="9">
      <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
      <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V6</ipVersion>
    <ipProtocol>17</ipProtocol>
    <localAddrV6.byteArray16>::1</localAddrV6.byteArray16>
    <remoteAddrV6.byteArray16>::1</remoteAddrV6.byteArray16>
    <localPort>60854</localPort>
    <remotePort>3702</remotePort>
    <scopeId>0</scopeId>
    <appId>
      <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650033005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
      <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.3.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-19</userId>
    <addressFamily>FWP_AF_INET6</addressFamily>
    <packageSid>S-1-0-0</packageSid>
    <enterpriseId />
    <policyFlags>0</policyFlags>
    <effectiveName />
  </header>
  <type>FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_DROP</type>
  <classifyDrop>
    <filterId>71028</filterId>
    <layerId>46</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>0</originalProfile>
    <currentProfile>0</currentProfile>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>true</isLoopback>
    <vSwitchId />
    <vSwitchSourcePort>0</vSwitchSourcePort>
    <vSwitchDestinationPort>0</vSwitchDestinationPort>
  </classifyDrop>
  <internalFields>
    <internalFlags numItems="1">
      <item>FWPM_NET_EVENT_INTERNAL_FLAG_FILTER_ORIGIN_SET</item>
    </internalFlags>
    <capabilities />
    <fqbnVersion>0</fqbnVersion>
    <fqbnName />
    <terminatingFiltersInfo numItems="4">
      <item>
        <filterId>67004</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_APP_ISOLATION</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
      <item>
        <filterId>66827</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
      <item>
        <filterId>71028</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
        <actionType>FWP_ACTION_BLOCK</actionType>
      </item>
      <item>
        <filterId>66219</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
    </terminatingFiltersInfo>
    <filterOrigin>WSH Default</filterOrigin>
    <interfaceLuid>6755399457832960</interfaceLuid>
    <policyAppId />
  </internalFields>
</item>

Four sublayers of FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 containing matching filters were found, one of which reported FWP_ACTION_BLOCK.

Gary

Mattew Frazer 0 Reputation points

2023-10-22T17:27:06.5333333+00:00

Thank you Gary for clearing this up for me

Your answer

Gary Nebbett 6,216 Reputation points

2023-10-21T09:17:01.9633333+00:00

Hello Mattew,

If you read that documentation carefully, especially focusing on the FWPS_RIGHT_ACTION_WRITE flag, you should see that "Block" can sometimes be overridden (i.e. it is a "soft block").

Gary
Mattew Frazer 0 Reputation points

2023-10-21T13:54:21.37+00:00

Hi Gary,
Thank you for your comment. My question is more in the way of don't all the sublayers get evaluated no matter what? Isn't that one of the main reasons for using a custom sublayer? The part that says BLOCK is final isn't confusing to me, the next part that says it stops evaluation at the granularity of the layer is. By stops evaluation does that mean "effectively" stops evaluation as in the sublayers will be evaluated, but the response will not be effected? To me it seems to contradict when one part mentions how all sublayers get evaluated even when a higher level sublayer responds with BLOCK and another says that BLOCK stops sublayer evaluation. I do see this "These rules are used by the filter engine to decide which one of the sub-layer actions is applied to the network traffic". Does that mean it is only referring to the response itself and not the evaluation of the sublayers?
Mattew Frazer 0 Reputation points

2023-10-22T17:27:06.5333333+00:00

Thank you Gary for clearing this up for me

Share via

Windows Filtering Platform (WFP). Filter arbitration

Your answer