
Analysis of the FwpsPendOperation function

Recently a project of mine needed the FwpsPendOperation0 function. I read the English MSDN documentation for it carefully and learned a lot from it; this function is quite interesting.

NTSTATUS NTAPI FwpsPendOperation0(
  _In_   HANDLE completionHandle,
  _Out_  HANDLE *completionContext
);
completionHandle [in]

A completion handle that is required to pend the current filtering operation. This parameter is obtained from the completionHandle member of the FWPS_INCOMING_METADATA_VALUES0 structure passed into the callout driver's classifyFn function.

completionContext [out]

The handle to the completion context of this pend operation. When the callout is ready to resume packet processing, it calls the FwpsCompleteOperation0 function with the value of this parameter as the input completionContext parameter.

To complete a connection that was previously pended at the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx layer, the callout driver must reinject the packet that was cloned at that layer as well as call the FwpsCompleteOperation0 function.

// For a connection previously pended at the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx layer, the callout must reinject the packet that was cloned at that layer and also call the FwpsCompleteOperation0 function in order to complete it.


To be able to pend packet processing, the callout driver's classifyFn function should set the actionType member of the FWPS_CLASSIFY_OUT0 structure to FWP_ACTION_BLOCK and the Flags member to FWPS_CLASSIFY_OUT_FLAG_ABSORB.

// To pend packet processing, the callout's classifyFn function must set the actionType member to FWP_ACTION_BLOCK and the Flags member to FWPS_CLASSIFY_OUT_FLAG_ABSORB.


Pended connections are reauthenticated after the FwpsCompleteOperation0 function executes. TCP connections, if allowed, are created by completing the handshake operation, but non-TCP connections only create state entries. Any pended packet data is flushed from memory when the FwpsPendOperation0 function completes, so applications must retransmit those packets after FwpsCompleteOperation0 runs. Callouts could buffer such data and reinject the data on their behalf.

// A pended connection is reauthenticated after the FwpsCompleteOperation0 function executes.

TCP connections are created once the three-way handshake completes, but non-TCP connections only create state entries. When the FwpsPendOperation0 function completes, all pended packet data is flushed from memory, so after FwpsCompleteOperation0 runs the application must retransmit that data; the callout can buffer some of the data and then reinject it on the application's behalf. (*^__^*) hehe...


Only an initial Application Layer Enforcement (ALE) flow authorization can be postponed by calling FwpsPendOperation0 and FwpsCompleteOperation0.

If an ALE flow is reauthorized, the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set. A call to FwpsPendOperation0 from the FWPM_LAYER_ALE_AUTH_CONNECT_Xxx or FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx filtering layers will fail if the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set, and the STATUS_FWP_CANNOT_PEND status code will be returned. For more information, see ALE Reauthorization in the Windows SDK.

If an ALE flow is being reauthorized, the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set.

When FwpsPendOperation0 is called at the FWPM_LAYER_ALE_AUTH_CONNECT_Xxx or FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_Xxx layer while the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set, the call will fail.

The status code returned is STATUS_FWP_CANNOT_PEND.

So when handling classification you must check the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag, otherwise
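The decision logic of a classifyFn that follows the rules above (check FWP_CONDITION_FLAG_IS_REAUTHORIZE before pending, report a pended operation as FWP_ACTION_BLOCK plus FWPS_CLASSIFY_OUT_FLAG_ABSORB, keep the completion context for FwpsCompleteOperation0), written as an added example that is not from the original post or from the WDK. Because it has to build outside a driver environment, the WDK types and constants are replaced by constructed stand-ins with made-up values, the pend call is a simulated SimPendOperation with the same signature as FwpsPendOperation0, and the previouslyPermitted parameter and kSampleMeta value are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for the WDK types and constants so this compiles
 * outside a driver build; the numeric values are NOT the real fwpsk.h ones. */
typedef uint32_t NTSTATUS;
typedef void *HANDLE;
enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1 };
enum { FWP_ACTION_PERMIT = 1, FWP_ACTION_BLOCK = 2, FWPS_CLASSIFY_OUT_FLAG_ABSORB = 0x1,
       FWP_CONDITION_FLAG_IS_REAUTHORIZE = 0x8 };
typedef struct { HANDLE completionHandle; } FWPS_INCOMING_METADATA_VALUES0;
typedef struct {
    uint32_t actionType, flags;  /* what classifyOut->actionType / flags become */
    HANDLE   completionContext;  /* kept for the later FwpsCompleteOperation0 */
    bool     pended;
} ClassifyResult;

/* Simulated FwpsPendOperation0 (constructed): returns a completion context
 * for the completion handle taken from the incoming metadata. */
static NTSTATUS SimPendOperation(HANDLE completionHandle, HANDLE *completionContext)
{
    if (completionHandle == NULL) return STATUS_INVALID_PARAMETER;
    *completionContext = completionHandle;
    return STATUS_SUCCESS;
}
/* Decision logic of a classifyFn at an ALE_AUTH_CONNECT / RECV_ACCEPT layer.
 * conditionFlags: FWP_CONDITION_FLAG_* bits; previouslyPermitted: the verdict
 * the driver reached for this flow the first time, reused on reauthorization. */
ClassifyResult ClassifyAuth(const FWPS_INCOMING_METADATA_VALUES0 *meta,
                            uint32_t conditionFlags, bool previouslyPermitted)
{
    ClassifyResult r = { FWP_ACTION_BLOCK, 0, NULL, false };
    if (conditionFlags & FWP_CONDITION_FLAG_IS_REAUTHORIZE) {
        /* Only the initial authorization may be pended; here FwpsPendOperation0
         * would fail with STATUS_FWP_CANNOT_PEND, so answer synchronously. */
        r.actionType = previouslyPermitted ? FWP_ACTION_PERMIT : FWP_ACTION_BLOCK;
        return r;
    }
    /* No completion handle means the operation cannot be pended; fail closed. */
    if (meta == NULL || meta->completionHandle == NULL) return r;
    if (SimPendOperation(meta->completionHandle, &r.completionContext) != STATUS_SUCCESS)
        return r;
    /* A pended operation is reported as FWP_ACTION_BLOCK plus the ABSORB flag. */
    r.flags  = FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    r.pended = true;
    return r;
}

/* Constructed sample metadata carrying a (fake) non-NULL completion handle. */
static const FWPS_INCOMING_METADATA_VALUES0 kSampleMeta = { (HANDLE)0x1234 };
```

The completionContext kept in the result is what the driver later passes to FwpsCompleteOperation0 (at the RECV_ACCEPT layers together with reinjecting the cloned packet).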
