Processing FirewallHook Callbacks

After an IPv6 firewall-hook driver successfully enables its FirewallHook function, the IPv6 network stack will call the driver's FirewallHook function with every IPv6 packet that is transmitted or received. The driver's FirewallHook function examines the various parameters that are passed to it to determine whether the packet should be accepted or dropped.

If an IPv6 firewall-hook driver's FirewallHook function uses the packet data as criteria to determine whether an IPv6 packet should be accepted or dropped, it must call the IPv6ObtainPacketData function to obtain a pointer to the packet data. If an IPv6 firewall-hook driver's FirewallHook function uses the route to the packet's source address or destination address as criteria to determine whether an IPv6 packet should be accepted or dropped, it must call the IPv6GetBestRouteInfo function to obtain the route information.

For example:


// Alignment for packet data
#define DATA_ALIGNMENT  4

// Driver's FirewallHook function
IPv6Action
  FirewallHook(
    const IPv6Addr  *SourceAddress,
    const IPv6Addr  *DestinationAddress,
    uint  PayloadLength,
    uchar  HeaderType,
    const uchar  *HeaderData,
    const void  *PacketContext,
    uint  DataLength,
    uint  InterfaceIndex,
    IPv6Direction  Direction,
    BOOLEAN  IsLoopBack
    )
{
  const uchar *PacketData;
  IP6RouteEntry SourceRoute;
  IP6RouteEntry DestinationRoute;
  IP_STATUS Status;

  // Obtain a pointer to the packet data
  PacketData =
    IPv6ObtainPacketData(
      PacketContext,
      DataLength,
      DATA_ALIGNMENT
      );

  // Check result
  if (!PacketData)
  {
    // Drop the packet to be safe
    return ActionDrop;
  }

  // Get the source route information
  Status =
    IPv6GetBestRouteInfo(
      SourceAddress,
      0, // Global scope
      0, // No interface constraint
      &SourceRoute
      );

  // Check result
  if (Status != IP_SUCCESS)
  {
    // Drop the packet to be safe
    return ActionDrop;
  }

  // Get the destination route information
  Status =
    IPv6GetBestRouteInfo(
      DestinationAddress,
      0, // Global scope
      0, // No interface constraint
      &DestinationRoute
      );

  // Check result
  if (Status != IP_SUCCESS)
  {
    // Drop the packet to be safe
    return ActionDrop;
  }

  // Inspect the various data sources to determine
  // the action to be taken on the packet
  ...

  // If there is a reason why the packet should be dropped...
  if (...)
  {
    // Drop the packet
    return ActionDrop;
  }

  // Accept the packet
  return ActionAccept;
}
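
The inspection step that the sample above leaves elided could look like the following. This is an added example, not code from the original page: it is a user-mode sketch that checks DataLength before reading any header byte and drops whatever it cannot parse. InspectPacketData, the type stand-ins, the blocked port, and the assumption that HeaderType holds the upper-layer protocol number with PacketData pointing at that header are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* User-mode stand-ins for the driver's types (assumed, not the real headers) */
typedef unsigned char uchar;
typedef unsigned int uint;
typedef enum { ActionAccept, ActionDrop } IPv6Action;

#define PROTO_TCP       6   /* IANA protocol numbers */
#define PROTO_UDP       17
#define MIN_TCP_HEADER  20  /* TCP header without options */
#define MIN_UDP_HEADER  8
#define BLOCKED_PORT    23u /* hypothetical policy: block Telnet */

/* Constructed samples: TCP 49152 -> 23 and UDP 49152 -> 53 */
static const uchar SampleTcpTelnet[MIN_TCP_HEADER] = { 0xC0, 0x00, 0x00, 0x17 };
static const uchar SampleUdpDns[MIN_UDP_HEADER] = { 0xC0, 0x00, 0x00, 0x35, 0x00, 0x08 };

/* Hypothetical helper for the inspection step of FirewallHook */
IPv6Action
  InspectPacketData(uchar HeaderType, const uchar *PacketData, uint DataLength)
{
  uint MinLength;
  uint DestinationPort;

  if (HeaderType == PROTO_TCP)
    MinLength = MIN_TCP_HEADER;
  else if (HeaderType == PROTO_UDP)
    MinLength = MIN_UDP_HEADER;
  else
    return ActionAccept; // This sample policy covers only TCP and UDP

  // Drop a missing or truncated header instead of reading past DataLength
  if (PacketData == NULL || DataLength < MinLength)
    return ActionDrop;

  // Destination port is bytes 2-3 in network byte order for TCP and UDP
  DestinationPort = ((uint)PacketData[2] << 8) | PacketData[3];

  return (DestinationPort == BLOCKED_PORT) ? ActionDrop : ActionAccept;
}

int main(void)
{
  printf("telnet=%d truncated=%d dns=%d\n",
    (int)InspectPacketData(PROTO_TCP, SampleTcpTelnet, sizeof(SampleTcpTelnet)),
    (int)InspectPacketData(PROTO_TCP, SampleTcpTelnet, 3),
    (int)InspectPacketData(PROTO_UDP, SampleUdpDns, sizeof(SampleUdpDns)));
  return 0;
}
```

Reading the port one byte at a time keeps the check independent of the alignment requested from IPv6ObtainPacketData.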

 

 

© 2014 Microsoft