Filtering condition identifiers
The filtering condition identifiers are each represented by a GUID. These identifiers are described in the following table.
Filtering condition identifier | Description |
---|---|
FWPM_CONDITION_ARRIVAL_INTERFACE_INDEX | The index of the arrival network interface, as enumerated by the network stack. WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_ARRIVAL_INTERFACE_TYPE | The type of the arrival network interface, as defined by the Internet Assigned Numbers Authority (IANA). For more information, see IANAifType-MIB Definitions. WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_ARRIVAL_TUNNEL_TYPE | The encapsulation method used by a tunnel if the IfType member of the IP_ADAPTER_ADDRESSES structure is IF_TYPE_TUNNEL. The tunnel type is defined by the IANA. For more information, see IANAifType-MIB Definitions and the Windows SDK IP Helper documentation. WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_IP_ARRIVAL_INTERFACE | The LUID for the network interface that is associated with the arrival IP address. WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_NEXTHOP_INTERFACE_INDEX | The index of the arrival network interface, as enumerated by the network stack. WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_NEXTHOP_INTERFACE_TYPE | The type of the arrival network interface, as defined by the Internet Assigned Numbers Authority (IANA). For more information, see IANAifType-MIB Definitions. WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_NEXTHOP_TUNNEL_TYPE | The encapsulation method used by a tunnel if the IfType member of the IP_ADAPTER_ADDRESSES structure is IF_TYPE_TUNNEL. The tunnel type is defined by the IANA. For more information, see IANAifType-MIB Definitions and the Windows SDK IP Helper documentation. WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_IP_NEXTHOP_INTERFACE | The LUID for the network interface that is associated with the arrival IP address. WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed. This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet. To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets. Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows. |
FWPM_CONDITION_IP_LOCAL_ADDRESS | The local IP address. |
FWPM_CONDITION_IP_REMOTE_ADDRESS | The remote IP address. |
FWPM_CONDITION_IP_SOURCE_ADDRESS | The source IP address for forwarded packets. |
FWPM_CONDITION_IP_DESTINATION_ADDRESS | The destination IP address for forwarded packets. |
FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE | The local IP address type. The possible condition values are NlatUnspecified, NlatUnicast, NlatAnycast, NlatMulticast, and NlatBroadcast. |
FWPM_CONDITION_IP_DESTINATION_ADDRESS_TYPE | The destination IP address type. The possible condition values are NlatUnspecified, NlatUnicast, NlatAnycast, NlatMulticast, and NlatBroadcast. |
FWPM_CONDITION_IP_LOCAL_INTERFACE | The LUID for the network interface associated with the local IP address. |
FWPM_CONDITION_IP_FORWARD_INTERFACE | The LUID for the network interface on which the packet being forwarded is to be sent out. |
FWPM_CONDITION_IP_PROTOCOL | The IP protocol number, as specified in RFC 1700. |
FWPM_CONDITION_IP_LOCAL_PORT | The local transport protocol port number. |
FWPM_CONDITION_IP_REMOTE_PORT | The remote transport protocol port number. |
FWPM_CONDITION_ICMP_TYPE | The ICMP type field, as specified in RFC 792. |
FWPM_CONDITION_ICMP_CODE | The ICMP code field, as specified in RFC 792. |
FWPM_CONDITION_EMBEDDED_LOCAL_ADDRESS_TYPE | The local IP address type that is embedded in the ICMP packet. The possible condition values are NlatUnspecified, NlatUnicast, NlatAnycast, NlatMulticast, and NlatBroadcast. |
FWPM_CONDITION_EMBEDDED_REMOTE_ADDRESS | The remote IP address that is embedded in the ICMP packet. |
FWPM_CONDITION_EMBEDDED_PROTOCOL | The IP protocol number that is embedded in the ICMP packet, as specified in RFC 1700. |
FWPM_CONDITION_EMBEDDED_LOCAL_PORT | The local transport protocol port number that is embedded in the ICMP packet. |
FWPM_CONDITION_EMBEDDED_REMOTE_PORT | The remote transport protocol port number that is embedded in the ICMP packet. |
FWPM_CONDITION_FLAGS | A bitwise OR of a combination of filtering condition flags. For information about the possible flags, see Filtering Condition Flags. |
FWPM_CONDITION_DIRECTION | The direction of the datagram traffic or data flow. The possible condition values are FWP_DIRECTION_INBOUND and FWP_DIRECTION_OUTBOUND. In datagram data layers and stream packet layers, this condition specifies the direction of the packet. In stream layers and ALE flow established layers, this condition specifies the direction of the connection (for example, when a local application initiates the connection, an inbound packet has FWPM_CONDITION_DIRECTION set to FWP_DIRECTION_OUTBOUND). |
FWPM_CONDITION_INTERFACE_INDEX | The index of the network interface, as enumerated by the network stack. |
FWPM_CONDITION_INTERFACE_TYPE | The bus type of the network interface. |
FWPM_CONDITION_SUB_INTERFACE_INDEX | The index of the logical network interface, as enumerated by the network stack. |
FWPM_CONDITION_SOURCE_INTERFACE_INDEX | The index of the source network interface for forwarded packets, as enumerated by the network stack. |
FWPM_CONDITION_SOURCE_SUB_INTERFACE_INDEX | The index of the source logical network interface for forwarded packets, as enumerated by the network stack. |
FWPM_CONDITION_DESTINATION_INTERFACE_INDEX | The index of the destination network interface for forwarded packets, as enumerated by the network stack. |
FWPM_CONDITION_DESTINATION_SUB_INTERFACE_INDEX | The index of the destination logical network interface for forwarded packets, as enumerated by the network stack. |
FWPM_CONDITION_ALE_APP_ID | The full path of the application. |
FWPM_CONDITION_ALE_USER_ID | The identification of the local user. |
FWPM_CONDITION_ALE_REMOTE_USER_ID | The identification of the remote user. |
FWPM_CONDITION_ALE_REMOTE_MACHINE_ID | The identification of the remote machine. |
FWPM_CONDITION_ALE_PROMISCUOUS_MODE | The raw socket mode that is allowed or denied. The possible condition values are SIO_RCVALL, SIO_RCVALL_IGMPMCAST, and SIO_RCVALL_MCAST. For a description of these raw socket modes, see WSAIoctl in the Microsoft Windows SDK documentation. |
FWPM_CONDITION_ALE_SIO_FIREWALL_SYSTEM_PORT | Reserved for internal use. |
FWPM_CONDITION_ALE_NAP_CONTEXT | Reserved for internal use. |
FWPM_CONDITION_REMOTE_USER_TOKEN | The identification of the remote user. |
FWPM_CONDITION_RPC_IF_UUID | The UUID of the RPC interface. |
FWPM_CONDITION_RPC_IF_VERSION | The version of the RPC interface. |
FWPM_CONDITION_RPC_IF_FLAG | Reserved for internal use. |
FWPM_CONDITION_DCOM_APP_ID | The identification of the COM application. |
FWPM_CONDITION_IMAGE_NAME | The name of the application. |
FWPM_CONDITION_RPC_PROTOCOL | The RPC protocol. The possible condition values are RPC_PROTSEQ_TCP, RPC_PROTSEQ_HTTP, and RPC_PROTSEQ_NMP. |
FWPM_CONDITION_RPC_AUTH_TYPE | The authentication service type. For more information about authentication service types, see Authentication-Service Constants in the RPC section of the Windows SDK documentation. |
FWPM_CONDITION_RPC_AUTH_LEVEL | The authentication service level. For more information about authentication service levels, see Authentication-Level Constants in the RPC section of the Windows SDK documentation. |
FWPM_CONDITION_SEC_ENCRYPT_ALGORITHM | The certificate based security service provider interface (SSPI) encryption algorithm. |
FWPM_CONDITION_SEC_KEY_SIZE | The certificate based security service provider interface (SSPI) encryption key size. |
FWPM_CONDITION_IP_LOCAL_ADDRESS_V4 | The local IPv4 address. |
FWPM_CONDITION_IP_LOCAL_ADDRESS_V6 | The local IPv6 address. |
FWPM_CONDITION_PIPE | The name of the remote named pipe. |
FWPM_CONDITION_IP_REMOTE_ADDRESS_V4 | The remote IPv4 address. |
FWPM_CONDITION_IP_REMOTE_ADDRESS_V6 | The remote IPv6 address. |
FWPM_CONDITION_PROCESS_WITH_RPC_IF_UUID | The UUID of the process with the RPC interface. |
FWPM_CONDITION_RPC_EP_VALUE | Reserved for internal use. |
FWPM_CONDITION_RPC_EP_FLAGS | Reserved for internal use. |
FWPM_CONDITION_CLIENT_TOKEN | The identification of the client when using RpcProxy. |
FWPM_CONDITION_RPC_SERVER_NAME | The name of the RPC server when using RpcProxy. |
FWPM_CONDITION_RPC_SERVER_PORT | The port on the RPC server when using RpcProxy. |
FWPM_CONDITION_RPC_PROXY_AUTH_TYPE | The RPC proxy authentication service type. For more information about authentication service types, see Authentication-Service Constants in the RPC section of the Windows SDK documentation. |
FWPM_CONDITION_TUNNEL_TYPE | The encapsulation method used by a tunnel. |
FWPM_CONDITION_CLIENT_CERT_KEY_LENGTH | The secure socket layer (SSL) key length in the client certificate. |
FWPM_CONDITION_CLIENT_CERT_OID | The object identifier (OID) in the client certificate. |
FWPM_CONDITION_INTERFACE_MAC_ADDRESS | The physical address of the sending or receiving network interface. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_LOCAL_ADDRESS | The physical address of the local network interface. For inbound traffic this is the destination MAC address in the frame. For outbound traffic this is the source MAC address of the frame. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_REMOTE_ADDRESS | The physical address of the remote network interface. For inbound traffic this is the source MAC address in the frame. For outbound traffic this is the destination MAC address of the frame. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_ETHER_TYPE | The type indicated in the MAC frame. This value is 0x800 for IPv4 traffic, 0x86DD for IPv6 traffic, or 0x806 for ARP traffic. All of the possible values are defined as NDIS_ETH_TYPE_Xxx in ntddndis.h. |
FWPM_CONDITION_VLAN_ID | The identifier of the VLAN in the ETHERNET SNAP header. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_NDIS_PORT | The port number identifying a miniport adapter port. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_NDIS_MEDIA_TYPE | The type of the NDIS medium specified as one of the NDIS_MEDIUM enumeration values. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_NDIS_PHYSICAL_MEDIA_TYPE | The type of the physical medium for the communicating interface specified as one of the NDIS_PHYSICAL_MEDIUM enumeration values. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_L2_FLAGS | A bitwise OR of a combination of filtering condition flags for the MAC layers. For information about the possible flags, see Filtering Condition L2 Flags. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_LOCAL_ADDRESS_TYPE | The Datalink type of the local MAC address. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_REMOTE_ADDRESS_TYPE | The Datalink type of the remote MAC address. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_INTERFACE | The LUID for the network interface that is associated with the local MAC address. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_ALE_PACKAGE_ID | The security identifier (SID) of the AppContainer restricted package. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_SOURCE_ADDRESS | The physical address of the network interface that created the MAC frame. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_DESTINATION_ADDRESS | The physical address of the network interface to which the frame is destined. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_SOURCE_ADDRESS_TYPE | The Datalink type of the MAC Address for the interface that created the frame. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_MAC_DESTINATION_ADDRESS_TYPE | The Datalink type of the MAC Address for the interface to which the frame is destined. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_IP_SOURCE_PORT | The transport protocol source port number. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_IP_DESTINATION_PORT | The transport protocol destination port number. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_ID | The GUID of the virtual switch. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_NETWORK_TYPE | The type of network that is associated with the virtual switch. This is one of the values that are defined in the FWP_VSWITCH_NETWORK_TYPE enumeration in FwpTypes.h. Note: Supported in Windows 8 and later versions of Windows. |
FWPM_CONDITION_VSWITCH_SOURCE_INTERFACE_ID | The GUID of the interface of the virtual switch that created the frame. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_DESTINATION_INTERFACE_ID | The GUID of the interface of the virtual switch to which the frame is destined. Note: Supported in Windows 8 and later versions of Windows. |
FWPM_CONDITION_VSWITCH_SOURCE_INTERFACE_TYPE | The type of the virtual switch interface that created the frame. This is one of the values that are defined in the NDIS_NIC_SWITCH_TYPE enumeration in Ntddndis.h. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_DESTINATION_INTERFACE_TYPE | The type of the virtual switch interface to which the frame is destined. This is one of the values that are defined in the NDIS_NIC_SWITCH_TYPE enumeration in Ntddndis.h. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_SOURCE_VM_ID | Unique identifier of the vSwitch source virtual machine. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_DESTINATION_VM_ID | Unique identifier of the vSwitch destination virtual machine. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_VSWITCH_TENANT_NETWORK_ID | Unique identifier for the vSwitch network. Cannot be used in conjunction with VLAN_IDs. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_ALE_PACKAGE_ID | The security identifier (SID) of an app container. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_ALE_ORIGINAL_APP_ID | The original full path of the application before alteration from proxying. Note that if proxying is not involved, then this will be the same as the FWPM_CONDITION_ALE_APP_ID. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |
FWPM_CONDITION_QM_MODE | The quick mode (QM) mode. Note: Supported in Windows 8, Windows Server 2012, and later versions of Windows. |