Filter hook drivers

Source: Internet
Author: User

This is another repost, part of a collection of recent good articles on packet interception technology.

Author: Unknown. Source: Moonlight Software Station. Time added: 2005-2-28.

This chapter describes filter hook drivers. A filter hook driver processes or filters network packets in the context of the operating system's IP filter driver, and so extends the IP filter driver's functionality. The following topics describe some features of filter hook drivers, explain how to create a filter hook, and list the reference for the input/output control code (IOCTL) functions related to a filter hook driver.
Information:
1.1 About the filter hook driver
A filter hook driver is a kernel-mode driver used to filter network packets. It extends the functions of the IP filter driver provided by the system. A filter hook driver can only be installed on Windows 2000 and later. Only one filter hook driver can be installed on the system and used by the IP filter driver. A filter hook driver can register itself with the IP filter driver only if the IP filter driver's extension hook pointer is NULL. Once a filter hook driver has registered its filter hook with the IP filter driver, the IP filter driver assigns the filter hook driver's file object to its extension hook. In this way, the IP filter driver ensures that it accepts and uses only a single filter hook driver.

1.2 Create a filter hook driver
Create a filter hook driver when the Packet Filtering API cannot meet your criteria for filtering network packets. User-mode applications use this API to create and manage the input and output filters in the system-provided IP filter driver. For more information on the API, see the SDK.
A filter hook driver is developed as a kernel-mode driver. In addition, a filter hook driver implements a filter hook callback function and registers that callback with the system-provided IP filter driver. This callback function is the filter hook. The IP filter driver later uses the filter hook to decide how to handle incoming and outgoing packets.

The following section describes how to create a filter hook driver.
1.2.1 Create a filter hook
A filter hook is created by implementing a function of the PacketFilterExtensionPtr type.
When a filter hook driver registers its filter hook entry point with the system-provided IP filter driver, it passes the symbolic address of its filter hook. Because the filter hook driver provides this address rather than a name, the filter hook can have any name. Still, it is good programming practice to name the filter hook after its basic function.
A filter hook performs specific actions on incoming and outgoing packets. It compares the information that the IP filter driver passes to it against its own specific criteria to decide how the packet should be processed further. After the filter hook has inspected the packet, it returns one of the response codes PF_FORWARD, PF_DROP, or PF_PASS to tell the IP filter driver how to handle the packet:
PF_FORWARD
Directs the IP filter driver to immediately return the forward response to the IP stack. For local packets, IP forwards them up the stack. If the destination of the packet is another machine and routing is enabled, IP routes them accordingly.
PF_DROP
Directs the IP filter driver to immediately return the drop response to the IP stack. IP then drops the packet.
PF_PASS
Directs the IP filter driver to filter the packet itself and return the resulting response to the IP stack. How the IP filter driver filters the packet is determined by how it was configured through the Packet Filtering API. The filter hook returns this pass response when it determines that it should not process the packet itself but should let the IP filter driver filter it.

1.2.2 Filter hook example
This section shows a simple filter hook that makes forward and drop decisions based on a few fixed packet attributes. This filter hook drops TCP packets and forwards packets of all other protocols.
NOTE: If packets for a specific IP address or TCP/UDP port must be filtered, create a user-mode application that uses the Packet Filtering API instead. That API lets the system-provided IP filter driver process packets optimally without attaching a filter hook driver to it.
 
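    #include <ntddk.h>
    #include <pfhook.h>   // filter hook types and response codes

    #define PROT_TCP 6

    // IPv4 header layout; only iph_protocol is used by this hook.
    typedef struct IPHeader {
        UCHAR  iph_verlen;    // version and header length
        UCHAR  iph_tos;       // type of service
        USHORT iph_length;    // total datagram length
        USHORT iph_id;        // identification
        USHORT iph_offset;    // flags and fragment offset
        UCHAR  iph_ttl;       // time to live
        UCHAR  iph_protocol;  // protocol number
        USHORT iph_xsum;      // header checksum
        ULONG  iph_src;       // source address
        ULONG  iph_dest;      // destination address
    } IPHeader;

    // Drop all TCP packets
    PF_FORWARD_ACTION
    DropTcpPackets(
        unsigned char *PacketHeader,
        unsigned char *Packet,
        unsigned int   PacketLength,
        unsigned int   RecvInterfaceIndex,
        unsigned int   SendInterfaceIndex,
        IPAddr         RecvLinkNextHop,
        IPAddr         SendLinkNextHop
        )
    {
        // Cast the raw header pointer before reading the protocol field.
        if (((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP)
        {
            return PF_DROP;
        }
        return PF_FORWARD;
    }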
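The three response codes from 1.2.1 used together, as an added example that is not part of the original article or the DDK. It also bounds-checks the packet before reading from it and defers non-first fragments, which carry no TCP header. Assumptions: the enum and IPAddr are local stand-ins so the logic builds outside the kernel, Packet points to the data after the IP header, and ExampleFilterHook, VerdictForTcpPort and the blocked port are hypothetical.

```c
#include <stddef.h>

/* Local stand-ins so the logic builds outside the kernel (assumption:
   a real driver takes these types from the DDK headers instead). */
typedef enum { PF_FORWARD, PF_DROP, PF_PASS } PF_FORWARD_ACTION;
typedef unsigned long IPAddr;

#define PROT_ICMP        1
#define PROT_TCP         6
#define BLOCKED_TCP_PORT 23  /* hypothetical policy: block telnet */

/* Hypothetical hook. PacketHeader is the IPv4 header; Packet and
   PacketLength describe the data that follows the IP header. */
PF_FORWARD_ACTION
ExampleFilterHook(unsigned char *PacketHeader, unsigned char *Packet,
                  unsigned int PacketLength,
                  unsigned int RecvInterfaceIndex,
                  unsigned int SendInterfaceIndex,
                  IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop)
{
    unsigned int fragOffset, dstPort;

    (void)RecvInterfaceIndex; (void)SendInterfaceIndex;
    (void)RecvLinkNextHop; (void)SendLinkNextHop;

    if (PacketHeader == NULL || (PacketHeader[0] >> 4) != 4)
        return PF_PASS;            /* cannot judge: let the IP filter decide */
    if (PacketHeader[9] == PROT_ICMP)
        return PF_FORWARD;         /* forward at once, no further filtering */
    if (PacketHeader[9] != PROT_TCP)
        return PF_PASS;

    /* Only the first fragment carries the TCP header. */
    fragOffset = ((PacketHeader[6] & 0x1Fu) << 8) | PacketHeader[7];
    if (fragOffset != 0)
        return PF_PASS;
    if (Packet == NULL || PacketLength < 4)
        return PF_DROP;            /* too short to hold the TCP ports */

    dstPort = ((unsigned int)Packet[2] << 8) | Packet[3];
    return (dstPort == BLOCKED_TCP_PORT) ? PF_DROP : PF_PASS;
}

/* Constructed sample: minimal IPv4 header plus TCP ports 1234 -> port. */
PF_FORWARD_ACTION VerdictForTcpPort(unsigned int port)
{
    unsigned char ip[20] = { 0x45, 0, 0, 40, 0, 0, 0, 0, 64, PROT_TCP };
    unsigned char tcp[4] = { 0x04, 0xD2, 0, 0 };
    tcp[2] = (unsigned char)(port >> 8);
    tcp[3] = (unsigned char)(port & 0xFF);
    return ExampleFilterHook(ip, tcp, sizeof(tcp), 0, 0, 0, 0);
}
```

Returning PF_PASS for anything the hook does not recognise keeps the rules configured through the Packet Filtering API in force instead of bypassing them with PF_FORWARD.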

 

 
