Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Network data is indicated in WFP as NDIS net buffer lists (NET_BUFFER_LIST). The Next member of the NET_BUFFER_LIST structure can be used to describe a chain of net buffer lists. WFP only indicates a single net buffer list to callouts (that is, netBufferList->Next == NULL), except for the following cases:
WFP can indicate net buffer list chains to callouts from the Stream layer.
WFP indicates net buffer list chains to callouts when it classifies IP packet fragment groups in the forward path to callouts. Each net buffer list inside the chain describes a single fragment.
Although a net buffer list can describe a whole packet, for different types of layers, WFP indicates net buffer lists to callouts at different offsets from the beginning of IP header. For example, at the incoming network layer, the net buffer list starts after the IP header, while at the incoming transport layer, the net buffer list starts after the transport header. IP and transport headers are always described by the first NET_BUFFER structure inside a net buffer list.
Offsets into the net buffer lists are indicated to callouts by using the ipHeaderSize and transportHeaderSize members of the FWPS_INCOMING_METADATA_VALUES0 structure. Callouts can use the NDIS functions NdisRetreatNetBufferDataStart and NdisAdvanceNetBufferDataStart to adjust the offset of the indicated net buffer lists. However in this case, the callout must undo the offset adjustment before it returns from the classifyFn function.
In a call to the classifyFn function for outgoing data, a NET_BUFFER_LIST can contain more than one NET_BUFFER structure, each of which describes an IP packet. If some packets (for example, net buffers) in a net buffer list are acceptable, but others are not, a callout driver must do the following:
Clone and block the whole net buffer list.
Build a new net buffer list that describes the acceptable subset of net buffers.
Inject the new net buffer list back into the send path.
Alternatively, the callout can unlink the unwanted net buffers from the net buffer list and inject the altered net buffer list back into the send path. However, in this case the callout driver must undo this modification to the cloned net buffer list before it calls the FwpsFreeCloneNetBufferList0 function. The callout driver must also save the original net buffer linkage information as part of its state data.
For more information about data offsets that are used by WFP, see Data Offset Positions.
Note Callouts that work with decrypted IPSec ESP packets must use the data length of the NET_BUFFER structure instead of MDL data to determine the packet length. To obtain the data length, use the NET_BUFFER_DATA_LENGTH macro. For more information, see Developing IPsec-Compatible Callout Drivers.