ALE Endpoint Lifetime Management

A callout driver that supports application layer enforcement (ALE) may need to allocate resources to process indications. This topic describes how to configure a callout driver to release such resources when the associated endpoint is closed. ALE endpoint lifetime management is supported in Windows 7 and later versions of Windows.

To manage resources associated with ALE endpoints, a callout driver can register at the following layers:

  • FWPS_LAYER_ALE_RESOURCE_RELEASE_V4 (FWPM_LAYER_ALE_RESOURCE_RELEASE_V4)

  • FWPS_LAYER_ALE_RESOURCE_RELEASE_V6 (FWPM_LAYER_ALE_RESOURCE_RELEASE_V6)

  • FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V4 (FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4)

  • FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6 (FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V6)

An ALE resource release layer is indicated for every indication at the corresponding ALE resource assignment layer (for example, FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4). To ensure that callout drivers can match the release layer to the assignment layer, the FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE metadata field is provided at both layers and each endpoint is assigned a unique handle.

ALE endpoint closure layers are invoked differently depending on the type of endpoint. For TCP connections, an ALE endpoint closure is indicated for every ALE authorize connect layer (for example, FWPS_LAYER_ALE_AUTH_CONNECT_V4) or ALE authorize receive accept layer (for example, FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4) indication. As with ALE resource release indications, the engine assigns a unique handle to each endpoint and passes it in the FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE metadata field. For non-TCP endpoints, an ALE endpoint closure layer is invoked once for each endpoint, regardless of the number of unique remote peers the socket communicates with. An ALE endpoint closure layer is also invoked for each TCP listening socket.

Callouts registered for an ALE endpoint closure layer can pend classification. This enables the callout to reinject any packets queued for asynchronous processing before the endpoint is shut down. To pend classification, the callout driver must call FwpsPendClassify0 followed by a call to FwpsCompleteClassify0 when processing is complete.

When applicable, the engine will indicate a unique handle for the parent endpoint in the FWPS_METADATA_FIELD_PARENT_ENDPOINT_HANDLE metadata field. This enables the callout driver to track parent/child relationships, if required.
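The bookkeeping these layers imply, as an added example that is not from this page or the WFP SDK: a per-endpoint state table keyed by the transport endpoint handle, modeled in portable user-mode C rather than in a kernel-mode callout (the names on_endpoint_assigned, on_endpoint_released, live_endpoints and MAX_ENDPOINTS are assumptions). It shows how a release or closure indication is matched to the state allocated at assignment, how a double or unknown release is caught, and how the parent endpoint handle can be used to count a parent's live children.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example: portable C model of a callout's per-endpoint bookkeeping, not kernel code. */
#define MAX_ENDPOINTS 64
typedef struct {
    uint64_t handle;   /* FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE value */
    uint64_t parent;   /* FWPS_METADATA_FIELD_PARENT_ENDPOINT_HANDLE value, 0 if absent */
    void *resource;    /* allocation made when the endpoint was assigned */
    int in_use;
} endpoint_ctx;
static endpoint_ctx table[MAX_ENDPOINTS];
static endpoint_ctx *find_ctx(uint64_t handle) {
    for (int i = 0; i < MAX_ENDPOINTS; i++)
        if (table[i].in_use && table[i].handle == handle) return &table[i];
    return NULL;
}

/* Assignment side (resource assignment, or auth connect / recv-accept for TCP):
 * allocate state and file it under the handle. Returns 0 on success, -1 otherwise. */
int on_endpoint_assigned(uint64_t handle, uint64_t parent, size_t bytes) {
    if (handle == 0 || find_ctx(handle) != NULL) return -1;   /* 0 means "no parent" here; reject duplicates */
    for (int i = 0; i < MAX_ENDPOINTS; i++) {
        if (table[i].in_use) continue;
        table[i].resource = calloc(1, bytes);
        if (table[i].resource == NULL) return -1;
        table[i].handle = handle; table[i].parent = parent; table[i].in_use = 1;
        return 0;
    }
    return -1;   /* table full */
}

/* Release side (resource release or endpoint closure): free the state matched by handle.
 * Returns -1 for an unknown or already released handle, so a double release is caught. */
int on_endpoint_released(uint64_t handle) {
    endpoint_ctx *c = find_ctx(handle);
    if (c == NULL) return -1;
    free(c->resource);
    memset(c, 0, sizeof *c);
    return 0;
}

/* Count live endpoints; with parent != 0, only those recorded under that parent handle.
 * A non-zero total at driver unload means per-endpoint state was leaked. */
int live_endpoints(uint64_t parent) {
    int n = 0;
    for (int i = 0; i < MAX_ENDPOINTS; i++)
        if (table[i].in_use && (parent == 0 || table[i].parent == parent)) n++;
    return n;
}
```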