What is the difference between WFP runtime filtering layer vs Management filtering layer?

Question

From the documentation it seems runtime filtering layer identifiers should be used by kernel callouts and management filtering layer identifiers should be used by user mode/kernel mode callouts.

But the usage of both is not clear.

A filter can be registered using runtime layer identifiers by FwpsCalloutRegister0() but cannot be added, as there is no equivalent to FwpmCalloutAdd0(), i.e. FwpsCalloutAdd0(). The same is the case for FwpmFilterAdd0().

Can anybody please explain the difference?

Also, the documentation says LUID is faster than GUID.

Is there a performance impact if Management layer is used in kernel mode callout?

Recommended answer

As the docs say, the runtime identifier is a LUID (UINT64) and the management identifier is a GUID.  All of the management APIs use the GUID.  The filter engine stores the layers as LUIDs, so when that information is exposed (like in the FWPS_INCOMING_VALUES of the classifyFn or in the FWPS_FILTER struct) it is displayed as the LUID. 

As for FwpsCalloutRegister, this is a runtime call. Its function is to only register the various function pointers with the filtering engine.
FwpmCalloutAdd is a management function which essentially associates a callout object with the functions registered, and identifies where the callout can be used (applicableLayer). This allows you to register once, and add however many callouts you need at various layers.

This isn't needed for filters.  FwpmFilterAdd is a management function. This object indicates which layer it affects (layerKey) and what callout object to use (calloutKey) if needed.  There is nothing to register for Filters.

The objects being used will dictate which you use. Perf impacts are seen when comparing, storing, hashing, etc. LUIDs are cheaper for all of these operations. We offer multiple management APIs to delete objects. Fwpm*DeleteById uses the LUID. This operation is more performant than its DeleteByKey counterpart.

Hope this helps,
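
The split the answer describes, as a simplified portable C model added here for illustration (not code from the original post and not how WFP is implemented): registration records function pointers, the callout and filter objects are keyed by 128-bit keys, and deletion uses the 64-bit id handed back at add time. `Key`, `ClassifyFn`, `sample_classify` and every `model_*` name are hypothetical, and the rule that `model_filter_add` rejects a filter whose callout object has not been added at that layer is an assumption of the model.

```c
#include <stdint.h>
#include <string.h>

#define MAX 8
typedef struct { uint8_t b[16]; } Key;    /* stand-in for a 128-bit GUID key */
typedef void (*ClassifyFn)(void);         /* simplified stand-in for classifyFn */
typedef struct { Key key, layer; ClassifyFn fn; int added; } Callout;
typedef struct { Key key, layer; Callout *co; uint64_t id; } Filter;
static Callout callouts[MAX]; static Filter filters[MAX];
static int nCallouts, nFilters; static uint64_t nextId = 1;
int sample_calls; void sample_classify(void) { sample_calls++; }  /* constructed callout */

static int key_eq(const Key *a, const Key *b) { return memcmp(a, b, sizeof *a) == 0; }
static Callout *slot(const Key *k, int create) {   /* find, optionally create */
    for (int i = 0; i < nCallouts; i++)
        if (key_eq(&callouts[i].key, k)) return &callouts[i];
    if (!create || nCallouts == MAX) return NULL;
    callouts[nCallouts].key = *k; return &callouts[nCallouts++];
}
/* Runtime step (the role of FwpsCalloutRegister): record function pointers only. */
int model_callout_register(Key key, ClassifyFn fn) {
    Callout *c = slot(&key, 1);
    if (c) c->fn = fn;
    return c ? 0 : -1;
}
/* Management step (the role of FwpmCalloutAdd): callout object + applicable layer. */
int model_callout_add(Key key, Key layer) {
    Callout *c = slot(&key, 1);
    if (c) { c->layer = layer; c->added = 1; }
    return c ? 0 : -1;
}
/* Management step (the role of FwpmFilterAdd): layerKey + calloutKey in, 64-bit id out. */
uint64_t model_filter_add(Key key, Key layer, Key calloutKey) {
    Callout *c = slot(&calloutKey, 0);   /* model assumption: callout object must exist */
    if (nFilters == MAX || !c || !c->added || !key_eq(&c->layer, &layer)) return 0;
    filters[nFilters++] = (Filter){ key, layer, c, nextId };
    return nextId++;
}
/* Run registered callouts reachable through filters at this layer; return the count. */
int model_classify(Key layer) {
    int hits = 0;
    for (Filter *f = filters; f < filters + nFilters; f++)
        if (key_eq(&f->layer, &layer) && f->co->fn) { f->co->fn(); hits++; }
    return hits;
}
/* Delete by id: one integer compare per entry; a by-key delete would memcmp 16 bytes. */
int model_filter_delete_by_id(uint64_t id) {
    for (int i = 0; i < nFilters; i++)
        if (filters[i].id == id) { filters[i] = filters[--nFilters]; return 0; }
    return -1;
}
```

In this model, registering `sample_classify` alone changes nothing at classify time; it is invoked only after the callout object is added at a layer and a filter at that layer references its key.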