Why is the Classify routine called in a loop with the same packet?

Views: 186

Problem description


I'm doing WFP filters at the transport layer. I'm catching the packet, cloning, doing out-of-band edit and then injecting. Everything is fine, except the classify keeps getting called in a loop with the same packet. I return block, clear the right bit and set the abandon bit.

It also does this if I return permit. It does this for inbound and outbound. It was also doing this before at the Stream level. I've also used different values when setting up the filter (terminating and unknown) and many combinations of the bit sets/resets. In a nutshell it doesn't seem to flush the packet, and the looping is blocking out the user mode code from processing.

When I do NetSh, the filter looks fine, though I've noticed the weights are always changed by Windows. I've tried to set max weights and min weights, but they are always something else in the effective weight. This layer does have 2 Microsoft callouts, one for IPSec and another, but no filters I can see.

I've wondered whether I need some kind of special security setting when I open the Engine. Note, that it's a kernel driver which communicates with IRPs to user mode.

I've tried to create my own sublayer, but no change. And again, the Sublayer weight gets changed by Windows.

I've also tried adding a Provider, but the filter add fails if I try and use it. When is a provider needed, as the doc here is sparse?

And I've also wondered whether each time I'm creating a device it sometimes keeps living, and I have 50 devices, though this seems unlikely to me, but I was wondering if there was a way to check it. Also, I'm adding as FILE_DEVICE_NETWORK, could it be I need a different type to block?

I need help, why would Windows keep calling Classify with the same packet in a loop?

Answer: The problem was that I was not using the right Device type when creating the IO device. I was using Network; when I changed to Transport, things started to work properly.


Solution

1) Are you setting the FWPS_CLASSIFY_OUT_FLAG_ABSORB when blocking?  This will cause the stack to swallow the original NBL.  Additionally when you clone and re-inject the clone, your classifyFn must return FWP_ACTION_BLOCK and ideally set this flag.

Note that multiple callouts are supported, and each one gets called for any layer provided the filters match (see filter arbitration).  You should also be using the FwpsQueryPacketInjectionState() API.  This will tell you if no one has injected yet (FWPS_PACKET_NOT_INJECTED), you have already injected the NBL (FWPS_PACKET_INJECTED_BY_SELF), another callout has injected the NBL before you (FWPS_PACKET_INJECTED_BY_OTHER), or you injected the NBL, another callout(s) reinjected the NBL, and you are now seeing the NBL again (FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF).  Ideally if the state is FWPS_PACKET_INJECTED_BY_SELF, you can safely return FWP_ACTION_PERMIT or FWP_ACTION_CONTINUE.  If the state is FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF, then you need to make a decision whether you trust the other callouts and what they have done and allow the NBL by without further injection, or don't trust them and block the NBL.

2) BFE takes all weights as suggestions and tries to accommodate accordingly.  If you specify a UINT64 as a weight, BFE will try to set the weight as that UINT64 to the best of its abilities (i.e. no other object of the same type is already assigned that weight).

3) No special security setting is needed for FwpmEngineOpen (other than Administrator rights).  The following is the simplest call to FwpmEngineOpen():

// Local BFE engine, Windows (NTLM/Kerberos) authentication, default
// identity and default session; engineHandle receives the engine handle.
HANDLE engineHandle = NULL;
DWORD status = FwpmEngineOpen0(NULL,             // serverName: local machine
                               RPC_C_AUTHN_WINNT,
                               NULL,             // authIdentity: caller's credentials
                               NULL,             // session: default
                               &engineHandle);
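
The re-injection loop from the question and the injection-state check from point 1 of this answer, modelled as an added user-mode simulation (not code from the original post or from the WFP SDK): the `ST_*` and `ACT_*` enums, `classify()` and `run_stack()` are constructed stand-ins for FWPS_PACKET_INJECTION_STATE, the FWP_ACTION_* values, a classifyFn and the stack that re-delivers every injected clone.

```c
#include <stdio.h>

/* Constructed stand-ins for the injection states the answer names; these are
 * NOT the WFP SDK's FWPS_PACKET_INJECTION_STATE values. */
enum inj_state { ST_NOT_INJECTED, ST_INJECTED_BY_SELF, ST_INJECTED_BY_OTHER,
                 ST_PREVIOUSLY_INJECTED_BY_SELF };
enum action { ACT_PERMIT, ACT_BLOCK, ACT_CONTINUE };

struct nbl { enum inj_state state; int absorbed; };
struct result { int classify_calls; enum action final_action; int reinjections; };

/* Model of a classifyFn. check_state=0 reproduces the question's callout, which
 * clones and re-injects every NBL it sees, including its own clone. check_state=1
 * applies the answer's rule: consult the injection state before acting.
 * trust_others decides the PREVIOUSLY_INJECTED_BY_SELF case. */
static enum action classify(struct nbl *p, int check_state, int trust_others, int *reinject)
{
    *reinject = 0;
    if (check_state) {
        if (p->state == ST_INJECTED_BY_SELF)
            return ACT_PERMIT;                 /* our own clone: let it through */
        if (p->state == ST_PREVIOUSLY_INJECTED_BY_SELF)
            return trust_others ? ACT_PERMIT : ACT_BLOCK;   /* no further injection */
    }
    /* Out-of-band edit path: block + absorb the original, inject an edited clone. */
    p->absorbed = 1;
    *reinject = 1;
    return ACT_BLOCK;
}

/* Drives the stack: every injected clone is classified again. other_reinjects
 * models another callout re-injecting our clone before it reaches us again.
 * max_rounds caps what would otherwise be an endless loop. */
struct result run_stack(int check_state, int trust_others, int other_reinjects, int max_rounds)
{
    struct nbl p = { ST_NOT_INJECTED, 0 };
    struct result r = { 0, ACT_BLOCK, 0 };
    while (r.classify_calls < max_rounds) {
        int reinject;
        r.final_action = classify(&p, check_state, trust_others, &reinject);
        r.classify_calls++;
        if (!reinject)
            break;                             /* no new NBL: the loop ends here */
        r.reinjections++;
        p.state = other_reinjects ? ST_PREVIOUSLY_INJECTED_BY_SELF : ST_INJECTED_BY_SELF;
    }
    return r;
}

int main(void)
{
    struct result bad = run_stack(0, 0, 0, 100), good = run_stack(1, 0, 0, 100);
    printf("no state check: %d classify calls; with state check: %d classify calls\n",
           bad.classify_calls, good.classify_calls);
    return 0;
}
```

Without the state check the callout never stops seeing its own clone (the run is only ended by the round cap); with it, the clone is permitted on the second pass and the loop ends.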

