WFP connect/bind redirection problem

Problem description

Hello, everyone! I have the callout driver which works on the ALE_CONNECT_REDIRECT layer. It changes the source IP for a specified user if this user tries to send packets to a specified IP (1.2.0.1). I also have a UDP client application (udp_sender) which sends several UDP packets to the specified IP (1.2.0.1); it uses two functions: socket and sendto. I have two network adapters with IPs (1.2.0.2 and 1.2.0.3) which are located in the same subnet as the specified IP (1.2.0.1). WFP should change the source IP to 1.2.0.3 for the specified user sending packets to 1.2.0.1. In order to check redirection I use Wireshark, with a UDP condition on, to monitor traffic to (1.2.0.1). So I add the required proxy_context, callout and filter. And what I see when I start my application udp_sender: the redirection works only for the FIRST packet sent by the sendto function (source IP changes to 1.2.0.3). For other calls of the sendto function (second, third, ...) the source IP remains 1.2.0.2, which means that the callout driver doesn't call its callout function which changes the source IP. Here is what I found in the MSDN article Using Bind or Connect Redirection (https://msdn.microsoft.com/en-us/library/windows/hardware/ff571005(v=vs.85).aspx): "The layer at which redirection is performed determines the effect of the change. Changes at connect layers affect only the flow being connected. Changes at bind layers affect all connections that are using that socket."

So I've gotten several questions:

1) Do these sentences mean that I can change the source IP on the ALE_CONNECT_REDIRECT layer only for the first call of the sendto function?

2) How are flows divided for TCP, UDP and ICMP connections?

3) When we send a UDP packet we don't call the connect() function, so why do ALE_CONNECT layers exist for UDP at all?

4) I must check the target IP (REMOTE_IP_ADRESS) and if it fits I must change the source IP. Which layers should I use (I can't use REMOTE_IP_ADRESS on the ALE_BIND_REDIRECT layer)?

Thanks for your answers!

Recommended answer

1) I do not believe you can change the source details at CONNECT_REDIRECT, only the destination. Source details should be changed at BIND_REDIRECT.

2) I do not understand.

3) ALE layers operate on the notion of flows. In order to keep consistency between TCP and UDP, WFP will fire the AUTH_CONNECT handler for the first UDP packet sent for a given flow. A flow can be identified by its unique tuple (source address, source port, protocol, destination address, destination port).

4) The only way I can think of doing this would be to do this on a per-packet basis at the TRANSPORT layer. You'd need to do this INBOUND and OUTBOUND.

J
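
The flow behaviour described in answer 3, as an added example that is not part of the original post and does not use the WFP API: a simplified model in which a flow-level hook runs only when a new 5-tuple appears, while a per-packet hook runs on every send. The ports, the second destination address and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption), not the WFP API: a flow is keyed by the 5-tuple from the answer. */
struct flow_key {
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;
    uint8_t protocol;
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_FLOWS 16
static struct flow_key flows[MAX_FLOWS];
static int flow_count, flow_hook_calls, packet_hook_calls;

static int same_flow(const struct flow_key *a, const struct flow_key *b) {
    /* Compare field by field so struct padding never affects the result. */
    return a->src_addr == b->src_addr && a->dst_addr == b->dst_addr &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->protocol == b->protocol;
}

void reset_model(void) { flow_count = flow_hook_calls = packet_hook_calls = 0; }
int flow_hook_count(void) { return flow_hook_calls; }     /* ALE-style, once per flow */
int packet_hook_count(void) { return packet_hook_calls; } /* TRANSPORT-style, every packet */

/* Returns 1 if the packet opened a new flow, 0 if the flow already existed, -1 if the table is full. */
int send_packet(struct flow_key k) {
    packet_hook_calls++;                    /* per-packet hook always runs */
    for (int i = 0; i < flow_count; i++)
        if (same_flow(&flows[i], &k))
            return 0;                       /* known flow: flow-level hook is skipped */
    if (flow_count == MAX_FLOWS)
        return -1;
    flows[flow_count++] = k;
    flow_hook_calls++;                      /* first packet of the flow */
    return 1;
}

int main(void) {
    /* Constructed sample: UDP (17) from 1.2.0.2:50000 to 1.2.0.1:9000, sent three times. */
    struct flow_key k = { IP4(1, 2, 0, 2), IP4(1, 2, 0, 1), 50000, 9000, 17 };
    for (int i = 0; i < 3; i++)
        printf("sendto #%d -> new flow: %d\n", i + 1, send_packet(k));
    k.dst_addr = IP4(1, 2, 0, 9);           /* constructed second destination: a new tuple */
    printf("new destination -> new flow: %d\n", send_packet(k));
    printf("flow hook calls: %d, packet hook calls: %d\n", flow_hook_count(), packet_hook_count());
    return 0;
}
```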
