FwpmFilterAdd0 (Compact 2013)

3/26/2014

This function adds a new filter object to the system.

Syntax

DWORD WINAPI FwpmFilterAdd0(
  __in       HANDLE engineHandle,
  __in       const FWPM_FILTER0* filter,
  __in_opt   PSECURITY_DESCRIPTOR sd,
  __out_opt  UINT64* id
);

Parameters

  • engineHandle
    A handle for an open session to the filter engine. Call FwpmEngineOpen0 to open a session to the filter engine.
  • filter
    Address of an FWPM_FILTER0 structure that describes the filter object to be added.
  • sd
    Pointer to a SECURITY_DESCRIPTOR structure. Optional; if NULL, the system assigns a default security descriptor.
  • id
    Pointer to a variable that receives a runtime identifier for this filter. Optional.

Return Value

Return code/value                   Value                    Description

ERROR_SUCCESS                       0                        The filter was successfully added.

ERROR_INVALID_SECURITY_DESCR        0x8007053a               The security descriptor structure is invalid, or a filter condition contains a security descriptor in absolute format.

FWP_E_CALLOUT_NOTIFICATION_FAILED   0x80320037               The caller added a callout filter and the callout returned an error from its notification routine.

FWP_E_* error code                  0x80320001-0x80320039    A Windows Filtering Platform (WFP) specific error. See the WFP Error Codes topic for details.

RPC_* error code                    0x80010001-0x80010122    Failure to communicate with the remote or local firewall engine.

Remarks

FwpmFilterAdd0 adds the filter to the specified sub-layer at every filtering layer in the system.

Some fields in the FWPM_FILTER0 structure are assigned by the system, not the caller, and are ignored in the call to FwpmFilterAdd0.

If the caller supplies a NULL security descriptor, the system will assign a default security descriptor.

To block connections to particular locations, add a FWP_ACTION_BLOCK filter specifying the local address at the FWPM_LAYER_ALE_AUTH_CONNECT_V* layer, or add a FWP_ACTION_BLOCK filter without specifying the local address at the FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V* layer.

Note

If a local address is specified at the resource assignment layer, an implicit bind would succeed because address, address type, and port may come back as FWP_EMPTY.

The FWPM_FILTER0 structure can label a filter as a boot-time or persistent filter. Boot-time filters are added to the Base Filtering Engine (BFE) when the TCP/IP driver starts, and are removed once the BFE finishes initialization. Persistent objects are added when the BFE starts.

This function cannot be called from within a read-only transaction. It will fail with FWP_E_INCOMPATIBLE_TXN.
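The following is an added example, not code from the Compact 2013 documentation: it builds the FWP_ACTION_BLOCK filter described above for FWPM_LAYER_ALE_AUTH_CONNECT_V4 with a local IPv4 address condition, and adds it inside a read/write transaction (a read-only transaction would fail with FWP_E_INCOMPATIBLE_TXN). On Windows the real fwpmu.h types and functions are used; the FwpmTransactionBegin0/Commit0/Abort0 calls and the FWPM_SUBLAYER_UNIVERSAL sub-layer are assumed to be available on the target, as they are on desktop Windows. The stand-in declarations under the non-Windows branch are an assumption that models only the members the code touches, with placeholder GUID values, so that the filter-construction logic can be compiled and checked anywhere.

```c
/* Added example: block outbound connects from one local IPv4 address at
 * FWPM_LAYER_ALE_AUTH_CONNECT_V4 using FwpmFilterAdd0. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <winsock2.h>
#  include <windows.h>
#  include <fwpmu.h>
#  pragma comment(lib, "fwpuclnt.lib")
#else
/* Stand-ins for non-Windows builds (assumption: only the members used below
 * are modelled; the GUID values are placeholders, not the real ones). */
typedef uint32_t UINT32; typedef uint64_t UINT64; typedef uint32_t DWORD;
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
enum { FWP_EMPTY = 0, FWP_UINT32 = 3 };
enum { FWP_MATCH_EQUAL = 0 };
enum { FWP_ACTION_BLOCK = 0x1001 };
typedef struct { wchar_t *name, *description; } FWPM_DISPLAY_DATA0;
typedef struct { UINT32 type; union { UINT32 uint32; }; } FWP_VALUE0;
typedef struct { UINT32 type; union { UINT32 uint32; }; } FWP_CONDITION_VALUE0;
typedef struct { GUID fieldKey; UINT32 matchType;
                 FWP_CONDITION_VALUE0 conditionValue; } FWPM_FILTER_CONDITION0;
typedef struct { UINT32 type; GUID filterType; } FWPM_ACTION0;
typedef struct {
    GUID filterKey; FWPM_DISPLAY_DATA0 displayData; UINT32 flags;
    GUID layerKey, subLayerKey; FWP_VALUE0 weight;
    UINT32 numFilterConditions; FWPM_FILTER_CONDITION0 *filterCondition;
    FWPM_ACTION0 action; UINT64 filterId;
} FWPM_FILTER0;
static const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4 = {1, 0, 0, {0}};
static const GUID FWPM_CONDITION_IP_LOCAL_ADDRESS = {2, 0, 0, {0}};
static const GUID FWPM_SUBLAYER_UNIVERSAL = {3, 0, 0, {0}};
#endif

/* Dotted-quad IPv4 -> host byte order, which is what WFP address conditions
 * expect. Returns 0 for malformed input (0.0.0.0 is therefore rejected too). */
static UINT32 ipv4_host_order(const char *dotted) {
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Fill *filter with a terminating block rule for flows whose local address is
 * local_ip. cond must stay alive until FwpmFilterAdd0 returns: the filter only
 * points to it. Returns 1 on success, 0 on a bad address. */
static int build_local_block_filter(FWPM_FILTER0 *filter,
                                    FWPM_FILTER_CONDITION0 *cond,
                                    const char *local_ip) {
    UINT32 addr = ipv4_host_order(local_ip);
    if (addr == 0) return 0;
    memset(filter, 0, sizeof *filter);
    memset(cond, 0, sizeof *cond);

    cond->fieldKey = FWPM_CONDITION_IP_LOCAL_ADDRESS;
    cond->matchType = FWP_MATCH_EQUAL;
    cond->conditionValue.type = FWP_UINT32;       /* one v4 address, host order */
    cond->conditionValue.uint32 = addr;

    filter->displayData.name = L"Block connects from one local address";
    filter->layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    filter->subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
    filter->weight.type = FWP_EMPTY;              /* let BFE choose the weight */
    filter->numFilterConditions = 1;
    filter->filterCondition = cond;
    filter->action.type = FWP_ACTION_BLOCK;
    /* filterKey and filterId stay zero: the system assigns them (see Remarks). */
    return 1;
}

#ifdef _WIN32
/* Open a session, add the filter inside a read/write transaction, and return
 * the runtime id. A NULL sd lets the system assign a default descriptor. */
static DWORD add_local_block_filter(const char *local_ip, UINT64 *id) {
    HANDLE engine = NULL;
    FWPM_FILTER0 filter; FWPM_FILTER_CONDITION0 cond;
    if (!build_local_block_filter(&filter, &cond, local_ip))
        return ERROR_INVALID_PARAMETER;
    DWORD rc = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &engine);
    if (rc != ERROR_SUCCESS) return rc;
    rc = FwpmTransactionBegin0(engine, 0);  /* 0 = read/write; read-only would fail */
    if (rc == ERROR_SUCCESS) {
        rc = FwpmFilterAdd0(engine, &filter, NULL, id);
        if (rc == ERROR_SUCCESS) rc = FwpmTransactionCommit0(engine);
        else FwpmTransactionAbort0(engine);
    }
    FwpmEngineClose0(engine);
    return rc;
}

int main(void) {
    UINT64 id = 0;
    DWORD rc = add_local_block_filter("192.168.1.10", &id);
    printf("FwpmFilterAdd0 returned 0x%08lx, filter id %llu\n",
           (unsigned long)rc, (unsigned long long)id);
    return rc == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

The filter is added to the universal sub-layer at the IPv4 ALE connect layer only; use the matching `_V6` layer key and an IPv6 condition for IPv6 traffic. Because `filter` and `cond` live on the stack, they are valid for the duration of the `FwpmFilterAdd0` call, which is all the function needs.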

The caller needs the following access rights:

  • FWPM_ACTRL_ADD access to the filter's container
  • FWPM_ACTRL_ADD_LINK access to the provider (if any)
  • FWPM_ACTRL_ADD_LINK access to the applicable layer
  • FWPM_ACTRL_ADD_LINK access to the applicable sub-layer
  • FWPM_ACTRL_ADD_LINK access to the callout (if any)
  • FWPM_ACTRL_ADD_LINK access to the provider context (if any)

See WFP Access Right Identifiers for more information.

To add a filter that references a callout, invoke the functions in the following order.

  • Call FwpsCalloutRegister (documented in the Windows Driver Kit) to register the callout with the filter engine.
  • Call FwpmCalloutAdd0 to add the callout to the system.
  • Call FwpmFilterAdd0 to add the filter that references the callout to the system.

By default, a filter that references a callout that has been added but not yet registered with the filter engine is treated as a Block filter.

Requirements

Header

fwpmu.h

Library

fwpuclnt.dll

See Also

Reference

WFP Filter Management
WFP Access Right Identifiers

Other Resources

Windows Filtering Platform