Filtering layer identifiers

The Windows Filtering Platform (WFP) layer identifiers are each represented by a GUID. These identifiers are defined as follows.

The V4 and V6 suffixes at the end of the layer identifiers indicate whether the layer is located in the IPv4 network stack or in the IPv6 network stack.

FWPM_LAYER_INBOUND_IPPACKET_V4 / FWPM_LAYER_INBOUND_IPPACKET_V6

This filtering layer is located in the receive path just after the IP header of a received packet has been parsed but before any IP header processing takes place. No IPsec decryption or reassembly has occurred.

FWPM_LAYER_INBOUND_IPPACKET_V4_DISCARD / FWPM_LAYER_INBOUND_IPPACKET_V6_DISCARD

This filtering layer is located in the receive path for inspecting any received packets that have been discarded at the network layer.

FWPM_LAYER_OUTBOUND_IPPACKET_V4 / FWPM_LAYER_OUTBOUND_IPPACKET_V6

This filtering layer is located in the send path just before the sent packet is evaluated for fragmentation. All IP header processing is complete and all extension headers are in place. Any IPsec authentication and encryption has already occurred.

FWPM_LAYER_OUTBOUND_IPPACKET_V4_DISCARD / FWPM_LAYER_OUTBOUND_IPPACKET_V6_DISCARD

This filtering layer is located in the send path for inspecting any sent packets that have been discarded at the network layer.

FWPM_LAYER_IPFORWARD_V4 / FWPM_LAYER_IPFORWARD_V6

This filtering layer is located in the forwarding path at the point where a received packet is forwarded.

FWPM_LAYER_IPFORWARD_V4_DISCARD / FWPM_LAYER_IPFORWARD_V6_DISCARD

This filtering layer is located in the forwarding path for inspecting any forwarded packets that have been discarded at the forwarding layer.

FWPM_LAYER_INBOUND_TRANSPORT_V4 / FWPM_LAYER_INBOUND_TRANSPORT_V6

This filtering layer is located in the receive path just after a received packet's transport header has been parsed by the network stack at the transport layer, but before any transport layer processing takes place.

FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD / FWPM_LAYER_INBOUND_TRANSPORT_V6_DISCARD

This filtering layer is located in the receive path for inspecting any received packets that have been discarded at the transport layer.

FWPM_LAYER_OUTBOUND_TRANSPORT_V4 / FWPM_LAYER_OUTBOUND_TRANSPORT_V6

This filtering layer is located in the send path just after a sent packet has been passed to the network layer for processing but before any network layer processing takes place. This filtering layer is located at the top of the network layer instead of at the bottom of the transport layer so that any packets that are sent by third-party transports or as raw packets are filtered at this layer.

FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD / FWPM_LAYER_OUTBOUND_TRANSPORT_V6_DISCARD

This filtering layer is located in the send path for inspecting any sent packets that have been discarded at the transport layer.

FWPM_LAYER_STREAM_V4 / FWPM_LAYER_STREAM_V6

This filtering layer is located in the stream data path. This layer allows for inspecting network data on a per stream basis. At the stream layer, the network data is bidirectional.

FWPM_LAYER_STREAM_V4_DISCARD / FWPM_LAYER_STREAM_V6_DISCARD

This filtering layer is located in the stream data path for inspecting any stream data that has been discarded.

FWPM_LAYER_DATAGRAM_DATA_V4 / FWPM_LAYER_DATAGRAM_DATA_V6

This filtering layer is located in the datagram data path. This layer allows for inspecting network data on a per datagram basis. At the datagram layer, the network data is bidirectional.

FWPM_LAYER_DATAGRAM_DATA_V4_DISCARD / FWPM_LAYER_DATAGRAM_DATA_V6_DISCARD

This filtering layer is located in the datagram data path for inspecting any datagrams that have been discarded.

FWPM_LAYER_INBOUND_ICMP_ERROR_V4 / FWPM_LAYER_INBOUND_ICMP_ERROR_V6

This filtering layer is located in the receive path for inspecting received ICMP error messages for the transport protocol.

FWPM_LAYER_INBOUND_ICMP_ERROR_V4_DISCARD / FWPM_LAYER_INBOUND_ICMP_ERROR_V6_DISCARD

This filtering layer is located in the receive path for inspecting received ICMP error messages that have been discarded.

FWPM_LAYER_OUTBOUND_ICMP_ERROR_V4 / FWPM_LAYER_OUTBOUND_ICMP_ERROR_V6

This filtering layer is located in the send path for inspecting received ICMP error messages for the transport protocol.

FWPM_LAYER_OUTBOUND_ICMP_ERROR_V4_DISCARD / FWPM_LAYER_OUTBOUND_ICMP_ERROR_V6_DISCARD

This filtering layer is located in the send path for inspecting received ICMP error messages that have been discarded.

FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 / FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6

This filtering layer allows for authorizing transport port assignments, bind requests, promiscuous mode requests, and raw mode requests.

See ALE Layers for more information.

FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD / FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6_DISCARD

This filtering layer allows for inspecting the following discarded items: transport port assignments, bind requests, promiscuous mode requests, and raw mode requests.

FWPM_LAYER_ALE_AUTH_LISTEN_V4 / FWPM_LAYER_ALE_AUTH_LISTEN_V6

This filtering layer allows for authorizing TCP listen requests.

See ALE Layers for more information.

FWPM_LAYER_ALE_AUTH_LISTEN_V4_DISCARD / FWPM_LAYER_ALE_AUTH_LISTEN_V6_DISCARD

This filtering layer allows for inspecting TCP listen requests that have been discarded.

FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 / FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6

This filtering layer allows for authorizing accept requests for incoming TCP connections, as well as authorizing incoming non-TCP traffic based on the first packet received.

See ALE Layers for more information.

FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD / FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6_DISCARD

This filtering layer allows for inspecting accept requests for incoming TCP connections that have been discarded, as well as inspecting authorizations for incoming non-TCP traffic that have been discarded.

FWPM_LAYER_ALE_AUTH_CONNECT_V4 / FWPM_LAYER_ALE_AUTH_CONNECT_V6

This filtering layer allows for authorizing connect requests for outgoing TCP connections, as well as authorizing outgoing non-TCP traffic based on the first packet sent.

See ALE Layers for more information.

FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD / FWPM_LAYER_ALE_AUTH_CONNECT_V6_DISCARD

This filtering layer allows for inspecting connect requests for outgoing TCP connections that have been discarded, as well as inspecting authorizations for outgoing non-TCP traffic that have been discarded.

FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 / FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6

This filtering layer allows for notification of when a TCP connection has been established, or when non-TCP traffic has been authorized.

See ALE Layers for more information.

FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4_DISCARD / FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6_DISCARD

This filtering layer allows for inspecting when an established TCP connection has been discarded at the flow established layer, as well as when authorized non-TCP traffic has been discarded at the flow established layer.

FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET

This filtering layer is located in the receive path after the MAC (802.3) layer processing has occurred but before the frame is processed by the framing layer. This is the layer after native in which all frames look like Ethernet frames.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET

This filtering layer is located in the send path after the framing layer processing has occurred but before the frame is processed by the MAC (802.3) layer. This is the layer after native in which all frames look like Ethernet frames.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE

This filtering layer is located in the receive path after the MAC layer processing has occurred but before the frame is processed by the framing layer. It is the first layer after the Miniport delivers the frame to NDIS.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

This filtering layer is located in the send path after the framing layer processing has occurred but before the frame is processed by the MAC (Native 802.11) layer. It is the first layer after the Miniport delivers the frame to NDIS.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_INGRESS_VSWITCH_ETHERNET

This filtering layer is located in the vSwitch ingress path just after the MAC header has been parsed, but before any MAC header processing takes place.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_EGRESS_VSWITCH_ETHERNET

This filtering layer is located in the vSwitch egress path just after the MAC header has been parsed, but before any MAC header processing takes place.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4 / FWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6

This filtering layer is located in the vSwitch ingress path just after the MAC header has been parsed, but before any MAC header processing takes place. This layer allows for TRANSPORT level filtering conditions to aid in filtering traffic.

If a vSwitchPort is in PVLAN or trunk mode, filters at this layer will be bypassed, letting the traffic flow through without any filtering.

If IPv4 is uninstalled in the host, filters in this layer will cause packets to be dropped.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4 / FWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6

This filtering layer is located in the vSwitch egress path just after the MAC header has been parsed, but before any MAC header processing takes place. This layer allows for TRANSPORT level filtering conditions to aid in filtering traffic.

If a vSwitchPort is in PVLAN or trunk mode, filters at this layer will be bypassed, letting the traffic flow through without any filtering.

If IPv4 is uninstalled in the host, filters in this layer will cause packets to be dropped.

Note

Available in Windows 8 and Windows Server 2012 and later releases.

FWPM_LAYER_IPSEC_KM_DEMUX_V4 / FWPM_LAYER_IPSEC_KM_DEMUX_V6

This filtering layer is used to determine which keying modules are invoked when the local system is the initiator. This is a user-mode filtering layer.

FWPM_LAYER_IPSEC_V4 / FWPM_LAYER_IPSEC_V6

This filtering layer allows the keying module to look up quick-mode policy information when negotiating quick-mode security associations. This is a user-mode filtering layer.

FWPM_LAYER_IKEEXT_V4 / FWPM_LAYER_IKEEXT_V6

This filtering layer allows the IKE and authenticated IP modules to look up main-mode policy information when negotiating main-mode security associations. This is a user-mode filtering layer.

FWPM_LAYER_RPC_UM

This filtering layer allows for inspecting the RPC data fields that are available in user mode. This is a user-mode filtering layer.

FWPM_LAYER_RPC_EPMAP

This filtering layer allows for inspecting the RPC data fields that are available in user mode during endpoint resolution. This is a user-mode filtering layer.

FWPM_LAYER_RPC_EP_ADD

This filtering layer allows for inspecting the RPC data fields that are available in user mode when a new endpoint is added. This is a user-mode filtering layer.

FWPM_LAYER_RPC_PROXY_CONN

This filtering layer allows for inspecting the RpcProxy connection requests. This is a user-mode filtering layer.

FWPM_LAYER_RPC_PROXY_IF

This filtering layer allows for inspecting the interface used for RpcProxy connections. This is a user-mode filtering layer.

FWPM_LAYER_KM_AUTHORIZATION

This filtering layer allows for authorizing security association establishment.

See ALE Layers for more information.

FWPM_LAYER_NAME_RESOLUTION_CACHE_V4 / FWPM_LAYER_NAME_RESOLUTION_CACHE_V6

This filtering layer allows for querying the names recently resolved by the system.

See ALE Layers for more information.

FWPM_LAYER_ALE_RESOURCE_RELEASE_V4 / FWPM_LAYER_ALE_RESOURCE_RELEASE_V6

This filtering layer allows for resources previously allocated to be released.

See ALE Layers for more information.

FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 / FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V6

This filtering layer allows for tracking de-activation of connected TCP flow or UDP sockets.

See ALE Layers for more information.

FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 / FWPM_LAYER_ALE_CONNECT_REDIRECT_V6

This filtering layer allows for the modification of the remote address and/or port of an outgoing TCP connection, as well as for non-TCP traffic based on the first packet sent.

For more info, see ALE Layers.

FWPM_LAYER_ALE_BIND_REDIRECT_V4 / FWPM_LAYER_ALE_BIND_REDIRECT_V6

This filtering layer allows for the modification of the local address and/or port during the bind operation on a TCP or UDP socket.

For more info, see ALE Layers.

FWPM_LAYER_STREAM_PACKET_V4 / FWPM_LAYER_STREAM_PACKET_V6

This filtering layer allows for inspection of TCP packets including handshake and flow control exchanges.

See ALE Layers for more information.

FWPM_LAYER_INBOUND_TRANSPORT_FAST

We advise that you don't use this layer, because it's intended for Microsoft's internal use. Attempting to use static filtering will yield when adding the filter.

FWPM_LAYER_OUTBOUND_TRANSPORT_FAST

We advise that you don't use this layer, because it's intended for Microsoft's internal use. Attempting to use static filtering will yield when adding the filter.

FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE_FAST

We advise that you don't use this layer, because it's intended for Microsoft's internal use. Attempting to use static filtering will yield when adding the filter.

FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE_FAST

We advise that you don't use this layer, because it's intended for Microsoft's internal use. Attempting to use static filtering will yield when adding the filter.

FWPM_LAYER_OUTBOUND_NETWORK_CONNECTION_POLICY_V4

A callout layer where a WFP filter driver can inspect an outgoing IPv4 connection and read/write the routing policy that was configured for this connection. See FwpmConnectionPolicyAdd0.

FWPM_LAYER_OUTBOUND_NETWORK_CONNECTION_POLICY_V6

A callout layer where a WFP filter driver can inspect an outgoing IPv6 connection and read/write the routing policy that was configured for this connection. See FwpmConnectionPolicyAdd0.

Remarks

These filtering layer identifiers are also referred to as management filtering layer identifiers. WFP API also contains a set of run-time filtering layer identifiers, documented in the Windows Driver Kit (WDK). Run-time filtering layer identifiers are LUIDs, and therefore are smaller, only 64 bits in size, compared to the management filtering layer identifiers, which are 128 bits in size.

Management filtering layer identifiers and run-time filtering layer identifiers point to the same layers.

Management filtering layer identifiers are used by functions that interact with the Base Filtering Engine (BFE) from either user mode or kernel mode (for example, FwpmFilterAdd0).

Run-time filtering layer identifiers are used by functions that interact with the filter engine from kernel mode only (for example, FwpsFlowAssociateContext0, FwpsStreamInjectAsync0), and in data structures that come directly from the kernel (for example, FWPM_NET_EVENT_CLASSIFY_DROP0).

Requirements

Requirement Value
Minimum supported client
Windows Vista [desktop apps only]
Minimum supported server
Windows Server 2008 [desktop apps only]
Header
Fwpmu.h

See also

ALE Layers

WFP Architecture