Windows Filtering Platform
Windows Filtering Platform (WFP) is a set of system services and an application programming interface introduced with Windows Vista that allows applications to tie into the packet processing and filtering pipeline of the new network stack. It provides features such as integrated communication and it can be configured for invoking processing logic on a per-application basis. It is intended for use by firewalls and other packet-processing or connection monitoring components.

It consists of the following components:
  • Shims, which expose the internal structure of a packet as properties. Different shims exist for protocols at different layers. The filtering engine filters the packets by verifying the data against the specified set of rules. WFP comes with a set of shims; shims for other protocols can be registered using the API. The built-in set of shims includes:
    • Application Layer Enforcement (ALE) shim
    • Transport Layer Module (TLM) shim
    • Network Layer Module (NLM) shim
    • RPC Runtime shim
    • Internet Control Message Protocol (ICMP) shim
    • Stream shim

  • Filter engine, which spans both kernel mode and user mode and provides basic filtering capabilities. It matches the data in packets, exposed by the shims, against filtering rules, and either blocks or permits the packet. If any other action is necessary, it can be implemented by means of a callout. The filters are applied on a per-application basis.

  • Base filtering engine, the module that manages the filtering engine. It accepts filtering rules and enforces the security model of the application. It also maintains statistics for the WFP and logs its state.

  • Callout, a callback function exposed by a filtering driver. The filtering drivers are used to provide filtering capabilities other than the default block/allow. During registration of a filter rule, the callout function is specified. When the filter is matched, the callout is invoked and handles what needs to be done.
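
As an added illustration (not part of the original article and not WFP API code), the following C sketch models the flow described above: a shim exposes properties, the filter engine matches them against per-application filters, and a callout decides when plain block/permit is not enough. All type and function names, the sample paths, the first-match ordering and the default-permit fallback are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT the WFP API: every name here is hypothetical. */
typedef enum { ACT_PERMIT, ACT_BLOCK, ACT_CALLOUT } action_t;

/* Properties a shim would expose for one packet or connection. */
typedef struct { const char *app; unsigned short port; size_t len; } props_t;

/* A callout inspects the properties and returns the final verdict. */
typedef action_t (*callout_fn)(const props_t *);

/* One filter: conditions (NULL or 0 = wildcard), action, optional callout. */
typedef struct {
    const char *app; unsigned short port; action_t action; callout_fn callout;
} filter_t;

/* Hypothetical callout: block payloads over 1024 bytes, permit the rest. */
static action_t size_limit_callout(const props_t *p) {
    return p->len > 1024 ? ACT_BLOCK : ACT_PERMIT;
}

/* Filter engine (model assumption: first match wins, no match permits). */
action_t classify(const filter_t *f, size_t n, const props_t *p) {
    for (size_t i = 0; i < n; i++) {
        if (f[i].app && strcmp(f[i].app, p->app) != 0) continue;
        if (f[i].port && f[i].port != p->port) continue;
        if (f[i].action != ACT_CALLOUT) return f[i].action;
        /* Model choice: a filter whose callout is missing fails closed. */
        return f[i].callout ? f[i].callout(p) : ACT_BLOCK;
    }
    return ACT_PERMIT;
}

/* Constructed per-application rule set (paths are sample values). */
static const filter_t RULES[] = {
    { "C:\\tools\\updater.exe", 443, ACT_PERMIT,  NULL },
    { "C:\\tools\\updater.exe", 0,   ACT_BLOCK,   NULL },
    { "C:\\apps\\browser.exe",  80,  ACT_CALLOUT, size_limit_callout },
};

action_t classify_sample(const char *app, unsigned short port, size_t len) {
    props_t p = { app, port, len };
    return classify(RULES, sizeof RULES / sizeof RULES[0], &p);
}

int main(void) {
    printf("%d\n", classify_sample("C:\\apps\\browser.exe", 80, 4096));
    return 0;
}
```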

Memory leaks and race conditions

There is a report of a serious memory leak, affecting Vista through Windows 7, in MS KB # 979223.
Because of this and some other issues, all deployments of WFP should include MS hotfix rollup # 981889: http://support.microsoft.com/kb/981889
The fixes are unnecessary for Windows 7 SP1 or Vista SP3 (when it comes out) or newer.

Note that other problems persist: FwpsStreamInjectAsync0 can be called only once during the execution of a stream callout routine; otherwise a memory leak or memory corruption occurs.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 