Filtering Layer Identifiers
The Windows Filtering Platform (WFP) layer identifiers are each represented by a GUID. These identifiers are defined as follows.
The V4 and V6 suffixes at the end of the layer identifiers indicate whether the layer is located in the IPv4 network stack or in the IPv6 network stack.
-
FWPM_LAYER_INBOUND_IPPACKET_V4 / FWPM_LAYER_INBOUND_IPPACKET_V6
-
-
This filtering layer is located in the receive path just after the IP header of a received packet has been parsed but before any IP header processing takes place. No IPsec decryption or reassembly has occurred.
-
-
FWPM_LAYER_INBOUND_IPPACKET_V4_DISCARD / FWPM_LAYER_INBOUND_IPPACKET_V6_DISCARD
-
-
This filtering layer is located in the receive path for inspecting any received packets that have been discarded at the network layer.
-
-
FWPM_LAYER_OUTBOUND_IPPACKET_V4 / FWPM_LAYER_OUTBOUND_IPPACKET_V6
-
-
This filtering layer is located in the send path just before the sent packet is evaluated for fragmentation. All IP header processing is complete and all extension headers are in place. Any IPsec authentication and encryption has already occurred.
-
-
FWPM_LAYER_OUTBOUND_IPPACKET_V4_DISCARD / FWPM_LAYER_OUTBOUND_IPPACKET_V6_DISCARD
-
-
This filtering layer is located in the send path for inspecting any sent packets that have been discarded at the network layer.
-
-
FWPM_LAYER_IPFORWARD_V4 / FWPM_LAYER_IPFORWARD_V6
-
-
This filtering layer is located in the forwarding path at the point where a received packet is forwarded.
-
-
FWPM_LAYER_IPFORWARD_V4_DISCARD / FWPM_LAYER_IPFORWARD_V6_DISCARD
-
-
This filtering layer is located in the forwarding path for inspecting any forwarded packets that have been discarded at the forwarding layer.
-
-
FWPM_LAYER_INBOUND_TRANSPORT_V4 / FWPM_LAYER_INBOUND_TRANSPORT_V6
-
-
This filtering layer is located in the receive path just after a received packet's transport header has been parsed by the network stack at the transport layer, but before any transport layer processing takes place.
-
-
FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD / FWPM_LAYER_INBOUND_TRANSPORT_V6_DISCARD
-
-
This filtering layer is located in the receive path for inspecting any received packets that have been discarded at the transport layer.
-
-
FWPM_LAYER_OUTBOUND_TRANSPORT_V4 / FWPM_LAYER_OUTBOUND_TRANSPORT_V6
-
-
This filtering layer is located in the send path just after a sent packet has been passed to the network layer for processing but before any network layer processing takes place. This filtering layer is located at the top of the network layer instead of at the bottom of the transport layer so that any packets that are sent by third-party transports or as raw packets are filtered at this layer.
-
-
FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD / FWPM_LAYER_OUTBOUND_TRANSPORT_V6_DISCARD
-
-
This filtering layer is located in the send path for inspecting any sent packets that have been discarded at the transport layer.
-
-
FWPM_LAYER_STREAM_V4 / FWPM_LAYER_STREAM_V6
-
-
This filtering layer is located in the stream data path. This layer allows for inspecting network data on a per stream basis. At the stream layer, the network data is bidirectional.
-
-
FWPM_LAYER_STREAM_V4_DISCARD / FWPM_LAYER_STREAM_V6_DISCARD
-
-
This filtering layer is located in the stream data path for inspecting any stream data that has been discarded.
-
-
FWPM_LAYER_DATAGRAM_DATA_V4 / FWPM_LAYER_DATAGRAM_DATA_V6
-
-
This filtering layer is located in the datagram data path. This layer allows for inspecting network data on a per datagram basis. At the datagram layer, the network data is bidirectional.
-
-
FWPM_LAYER_DATAGRAM_DATA_V4_DISCARD / FWPM_LAYER_DATAGRAM_DATA_V6_DISCARD
-
-
This filtering layer is located in the datagram data path for inspecting any datagrams that have been discarded.
-
-
FWPM_LAYER_INBOUND_ICMP_ERROR_V4 / FWPM_LAYER_INBOUND_ICMP_ERROR_V6
-
-
This filtering layer is located in the receive path for inspecting received ICMP error messages for the transport protocol.
-
-
FWPM_LAYER_INBOUND_ICMP_ERROR_V4_DISCARD / FWPM_LAYER_INBOUND_ICMP_ERROR_V6_DISCARD
-
-
This filtering layer is located in the receive path for inspecting received ICMP error messages that have been discarded.
-
-
FWPM_LAYER_OUTBOUND_ICMP_ERROR_V4 / FWPM_LAYER_OUTBOUND_ICMP_ERROR_V6
-
-
This filtering layer is located in the send path for inspecting received ICMP error messages for the transport protocol.
-
-
FWPM_LAYER_OUTBOUND_ICMP_ERROR_V4_DISCARD / FWPM_LAYER_OUTBOUND_ICMP_ERROR_V6_DISCARD
-
-
This filtering layer is located in the send path for inspecting received ICMP error messages that have been discarded.
-
-
FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 / FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6
-
-
This filtering layer allows for authorizing transport port assignments, bind requests, promiscuous mode requests, and raw mode requests.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD / FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6_DISCARD
-
-
This filtering layer allows for inspecting the following discarded items: transport port assignments, bind requests, promiscuous mode requests, and raw mode requests.
-
-
FWPM_LAYER_ALE_AUTH_LISTEN_V4 / FWPM_LAYER_ALE_AUTH_LISTEN_V6
-
-
This filtering layer allows for authorizing TCP listen requests.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_AUTH_LISTEN_V4_DISCARD / FWPM_LAYER_ALE_AUTH_LISTEN_V6_DISCARD
-
-
This filtering layer allows for inspecting TCP listen requests that have been discarded.
-
-
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 / FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
-
-
This filtering layer allows for authorizing accept requests for incoming TCP connections, as well as authorizing incoming non-TCP traffic based on the first packet received.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD / FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6_DISCARD
-
-
This filtering layer allows for inspecting accept requests for incoming TCP connections that have been discarded, as well as inspecting authorizations for incoming non-TCP traffic that have been discarded.
-
-
FWPM_LAYER_ALE_AUTH_CONNECT_V4 / FWPM_LAYER_ALE_AUTH_CONNECT_V6
-
-
This filtering layer allows for authorizing connect requests for outgoing TCP connections, as well as authorizing outgoing non-TCP traffic based on the first packet sent.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD / FWPM_LAYER_ALE_AUTH_CONNECT_V6_DISCARD
-
-
This filtering layer allows for inspecting connect requests for outgoing TCP connections that have been discarded, as well as inspecting authorizations for outgoing non-TCP traffic that have been discarded.
-
-
FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 / FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6
-
-
This filtering layer allows for notification of when a TCP connection has been established, or when non-TCP traffic has been authorized.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4_DISCARD / FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6_DISCARD
-
-
This filtering layer allows for inspecting when an established TCP connection has been discarded at the flow established layer, as well as when authorized non-TCP traffic has been discarded at the flow established layer.
-
-
FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
-
-
This filtering layer is located in the receive path after the MAC (802.3) layer processing has occurred but before the frame is processed by the framing layer. This is the layer after native in which all frames look like Ethernet frames.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
-
-
This filtering layer is located in the send path after the framing layer processing has occurred but before the frame is processed by the MAC (802.3) layer. This is the layer after native in which all frames look like Ethernet frames.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
-
-
This filtering layer is located in the receive path after the MAC layer processing has occurred but before the frame is processed by the framing layer. It is the first layer after the Miniport delivers the frame to NDIS.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE
-
-
This filtering layer is located in the send path after the framing layer processing has occurred but before the frame is processed by the MAC (Native 802.11) layer. It is the first layer after the Miniport delivers the frame to NDIS.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_INGRESS_VSWITCH_ETHERNET
-
-
This filtering layer is located in the vSwitch ingress path just after the MAC header has been parsed, but before any MAC header processing takes place.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_EGRESS_VSWITCH_ETHERNET
-
-
This filtering layer is located in the vSwitch egress path just after the MAC header has been parsed, but before any MAC header processing takes place.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V4 / FWPM_LAYER_INGRESS_VSWITCH_TRANSPORT_V6
-
-
This filtering layer is located in the vSwitch ingress path just after the MAC header has been parsed, but before any MAC header processing takes place. This layer allows for TRANSPORT level filtering conditions to aid in filtering traffic.
If a vSwitchPort is in PVLAN or trunk mode, filters at this layer will be bypassed, letting the traffic flow through without any filtering.
If IPv4 is uninstalled in the host, filters in this layer will cause packets to be dropped.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4 / FWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V6
-
-
This filtering layer is located in the vSwitch egress path just after the MAC header has been parsed, but before any MAC header processing takes place. This layer allows for TRANSPORT level filtering conditions to aid in filtering traffic.
If a vSwitchPort is in PVLAN or trunk mode, filters at this layer will be bypassed, letting the traffic flow through without any filtering.
If IPv4 is uninstalled in the host, filters in this layer will cause packets to be dropped.
Note
Available in Windows 8 and Windows Server 2012 and later releases.
-
-
FWPM_LAYER_IPSEC_KM_DEMUX_V4 / FWPM_LAYER_IPSEC_KM_DEMUX_V6
-
-
This filtering layer is used to determine which keying modules are invoked when the local system is the initiator. This is a user-mode filtering layer.
-
-
FWPM_LAYER_IPSEC_V4 / FWPM_LAYER_IPSEC_V6
-
-
This filtering layer allows the keying module to look up quick-mode policy information when negotiating quick-mode security associations. This is a user-mode filtering layer.
-
-
FWPM_LAYER_IKEEXT_V4 / FWPM_LAYER_IKEEXT_V6
-
-
This filtering layer allows the IKE and authenticated IP modules to look up main-mode policy information when negotiating main-mode security associations. This is a user-mode filtering layer.
-
-
FWPM_LAYER_RPC_UM
-
-
This filtering layer allows for inspecting the RPC data fields that are available in user mode. This is a user-mode filtering layer.
-
-
FWPM_LAYER_RPC_EPMAP
-
-
This filtering layer allows for inspecting the RPC data fields that are available in user mode during endpoint resolution. This is a user-mode filtering layer.
-
-
FWPM_LAYER_RPC_EP_ADD
-
-
This filtering layer allows for inspecting the RPC data fields that are available in user mode when a new endpoint is added. This is a user-mode filtering layer.
-
-
FWPM_LAYER_RPC_PROXY_CONN
-
-
This filtering layer allows for inspecting the RpcProxy connection requests. This is a user-mode filtering layer.
-
-
FWPM_LAYER_RPC_PROXY_IF
-
-
This filtering layer allows for inspecting the interface used for RpcProxy connections. This is a user-mode filtering layer.
-
-
FWPM_LAYER_KM_AUTHORIZATION
-
-
This filtering layer allows for authorizing security association establishment.
See ALE Layers for more information.
-
-
FWPM_LAYER_NAME_RESOLUTION_CACHE_V4 / FWPM_LAYER_NAME_RESOLUTION_CACHE_V6
-
-
This filtering layer allows for querying the names recently resolved by the system.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_RESOURCE_RELEASE_V4 / FWPM_LAYER_ALE_RESOURCE_RELEASE_V6
-
-
This filtering layer allows for resources previously allocated to be released.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 / FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V6
-
-
This filtering layer allows for tracking de-activation of connected TCP flow or UDP sockets.
See ALE Layers for more information.
-
-
FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 / FWPM_LAYER_ALE_CONNECT_REDIRECT_V6
-
-
This filtering layer allows for the modification of the remote address and/or port of an outgoing TCP connection, as well as for non-TCP traffic based on the first packet sent.
For more info, see ALE Layers.
-
-
FWPM_LAYER_ALE_BIND_REDIRECT_V4 / FWPM_LAYER_ALE_BIND_REDIRECT_V6
-
-
This filtering layer allows for the modification of the local address and/or port during the bind operation on a TCP or UDP socket.
For more info, see ALE Layers.
-
-
FWPM_LAYER_STREAM_PACKET_V4 / FWPM_LAYER_STREAM_PACKET_V6
-
-
This filtering layer allows for inspection of TCP packets including handshake and flow control exchanges.
See ALE Layers for more information.
-
Remarks
These filtering layer identifiers are also referred to as management filtering layer identifiers. WFP API also contains a set of run-time filtering layer identifiers, documented in the Windows Driver Kit (WDK). Run-time filtering layer identifiers are LUIDs, and therefore are smaller, only 64 bits in size, compared to the management filtering layer identifiers, which are 128 bits in size.
Management filtering layer identifiers and run-time filtering layer identifiers point to the same layers.
Management filtering layer identifiers are used by functions that interact with the Base Filtering Engine (BFE) from either user mode or kernel mode (for example, FwpmFilterAdd0).
Run-time filtering layer identifiers are used by functions that interact with the filter engine from kernel mode only (for example, FwpsFlowAssociateContext0, FwpsStreamInjectAsync0), and in data structures that come directly from the kernel (for example, FWPM_NET_EVENT_CLASSIFY_DROP0).
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows Vista [desktop apps only] |
| Minimum supported server |
Windows Server 2008 [desktop apps only] |
| Header |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for