Porting Packet-Processing Drivers and Apps to WFP

Windows Filtering Platform (WFP) enables TCP/IP packet filtering, inspection, and modification, connection monitoring or authorization, IPsec rules and processing, and RPC filtering. Generally, you must convert your TCP/IP filtering or connection monitoring component in Windows XP and Windows Server 2003 to use a WFP user-mode application or service, a WFP kernel-mode callout driver, or both for Windows Vista and Windows Server 2008 and later. The following table lists the existing methods for packet processing in Windows XP and Windows Server 2003 and how you must change them in Windows Vista and Windows Server 2008 and later to use WFP.

Note: As of Windows 8, the Transport Driver Interface (TDI) feature and Layered Service Providers (LSPs) feature are deprecated.

Existing method in Windows XP and Windows Server 2003 | New method in Windows Vista and Windows Server 2008 and later

Existing method: Firewall hook or filter hook driver for simple packet filtering.
New method: User-mode application or service that uses the WFP Win32 API.

Existing method: Firewall hook or filter hook driver for deep packet inspection or modification.
New method: IP layer, Transport layer, or Application Layer Enforcement (ALE) layer callout driver and optional user-mode application or service that uses the WFP Win32 API.

Existing method: Transport Driver Interface (TDI) filter driver for simple packet filtering.
New method: User-mode application or service that uses the WFP Win32 API.

Existing method: TDI filter driver for deep packet or stream inspection or modification.
New method: Transport layer, Stream layer, and/or ALE callout driver and optional user-mode application or service that uses the WFP Win32 API.

Existing method: TDI filter driver for TCP connection or User Datagram Protocol (UDP) traffic management.
New method:

For TCP connection management: ALE callout driver and optional user-mode application or service that uses the WFP Win32 API.

For TCP proxying:

  • In Windows Vista: Packet modification callout driver.
  • In Windows 7 and later: ALE_REDIRECT layer callout driver.

For MAC-level filtering:

  • In Windows 8 and later: MAC_FRAME layer callout driver.
  • In Windows Vista and Windows 7: NDIS lightweight filter driver.

For UDP traffic management: Stream or Datagram Data layer callout driver and optional user-mode application or service that uses the WFP Win32 API.

Existing method: Windows Sockets LSP for simple packet filtering.
New method: User-mode application or service that uses the WFP Win32 API.

Existing method: Windows Sockets LSP for deep packet inspection or modification.
New method: IP layer, ALE, Transport (such as Datagram Data), or Stream layer callout driver and optional user-mode application or service that uses the WFP Win32 API.

Existing method: Network Device Interface Specification (NDIS) intermediate driver for simple packet filtering.
New method:

For IP-based filtering: User-mode application or service that uses the WFP Win32 API.

For MAC-based filtering:

  • In Windows 8 and later: MAC_FRAME layer callout driver.
  • In Windows Vista and Windows 7: NDIS lightweight filter driver.

Existing method: NDIS intermediate driver for TCP connection or UDP traffic management.
New method:

TCP connection management: ALE callout driver and optional user-mode application or service that uses the WFP Win32 API.

UDP traffic management: ALE or Transport layer callout driver and optional user-mode application or service that uses the WFP Win32 API.

Existing method: NDIS lightweight filter driver to perform media access control (MAC)-level filtering.
New method:

  • In Windows 8 and later: MAC_FRAME layer callout driver.
  • In Windows Vista and Windows 7: NDIS lightweight filter driver.