Windows Filtering Platform
Updated: May 15, 2008
Windows Filtering Platform (WFP) is a new architecture in Windows Vista and Windows Server 2008 that enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). Filtering and modifying TCP/IP packets provides unprecedented access to the TCP/IP packet processing path. In this path, you can examine or modify outgoing and incoming packets before additional processing occurs. By accessing the TCP/IP processing path at different layers, you can more easily create firewalls, antivirus software, diagnostic software, and other types of applications and services.
WFP provides APIs so that you can participate in the filtering decisions that occur at several layers in the TCP/IP protocol stack. WFP also integrates and provides support for next-generation firewall features such as authenticated communication and dynamic firewall configuration that is based on an application's use of the Windows Sockets API. This capability is also known as an application-based policy.
WFP is not a firewall. It is a set of system services and user-mode and kernel-mode APIs that enable you to develop firewalls and other connection-monitoring or packet-processing software. For example, the Windows Firewall in Windows Vista and Windows Server 2008 uses WFP.
If you are building new software for Windows Vista or Windows Server 2008, the advantages of using WFP are higher performance, less programming complexity, and built-in diagnostic support. Additionally, you can use the built-in filtering engine for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) traffic. WFP also provides a strong security framework in which correctly configured filters cannot be bypassed.
Note: To improve performance, TCP/IP in Windows Vista and Windows Server 2008 can offload tasks or connections to a network adapter that has the appropriate TCP/IP-offload capabilities. Connections that are not filtered by WFP can be offloaded without affecting performance.
Why You Should Convert Your Components to WFP
Windows Vista includes a new architecture for the TCP/IP protocol stack. This architecture is an integrated implementation of both IPv4 and IPv6 and is known as a dual IP layer architecture. The methods of directly accessing the TCP/IP protocol stack for packet processing in Windows XP and Windows Server 2003 have changed significantly. These methods include the firewall hook, the filter hook, and other methods that involve custom solutions such as Transport Driver Interface (TDI) filter drivers. For correct operation and to perform the equivalent function in Windows Vista and Windows Server 2008, generally you must change your application, service, or driver.
Note: Windows Vista and Windows Server 2008 continue to support TDI filter drivers and Windows Sockets layered service providers (LSPs).
To change your existing component, see "Converting Components to Use WFP" later in this paper. Generally, you must map the current method that is used to access the TCP/IP packet processing path to the equivalent method that uses WFP for Windows Vista and Windows Server 2008. Revising your software for the new TCP/IP protocol stack and WFP architecture can provide additional capabilities for components that rely on the TCP/IP packet processing path. These capabilities might not have existed in versions of Windows earlier than Windows Vista and Windows Server 2008.
The following list outlines some benefits of using WFP:
You should use WFP in the following situations:
Figure 1 shows the WFP architecture and its extensibility for third-party applications, services, and drivers.
The WFP architecture consists of the following components:
Third-party ISVs can use WFP to build applications or services in the following ways:
Converting Components to Use WFP
Table 1 lists the existing methods for packet processing in Windows XP and Windows Server 2003 and how you must change them in Windows Vista and Windows Server 2008 to use WFP.
Table 1. Changes to existing packet processing methods
Note: TDI is supported in Windows Vista and Windows Server 2008. However, Microsoft is considering removing TDI in future versions of Windows.
The new WFP in Windows Vista and Windows Server 2008 enables TCP/IP packet filtering and modification, connection monitoring or authorization, IPsec filtering, and RPC filtering. Generally, you must convert your TCP/IP filtering or connection monitoring component in Windows XP and Windows Server 2003 to use a WFP user-mode application or service, a WFP kernel-mode callout driver, or both for Windows Vista and Windows Server 2008.
WFP User-Mode Application or Service:
WFP Kernel-Mode Callout Driver: