About Windows Filtering Platform
Windows Filtering Platform (WFP) is a network traffic processing platform designed to replace the Windows XP and Windows Server 2003 network traffic filtering interfaces. WFP consists of a set of hooks into the network stack and a filtering engine that coordinates network stack interactions.
The WFP components are as follows.
|Filter Engine||The core multi-layer filtering infrastructure, hosted in both kernel-mode and user-mode, that replaces the multiple filtering modules in the Windows XP and Windows Server 2003 networking subsystem.|
|Base Filtering Engine (BFE)||A service that controls the operation of the Windows Filtering Platform. It performs the following tasks.|
|Shims||Kernel-mode components that reside between the Network Stack and the filter engine. Shims make the filtering decision by classifying against the filter engine. Following is a list of available shims.|
|Callouts||Set of functions exposed by a driver and used for specialized filtering. Besides the basic actions of "Permit" and "Block", callouts can modify and secure inbound and outbound network traffic. See the Windows Filtering Platform Callout Drivers topic in the Windows Driver Kit (WDK) documentation for more information on callouts. |
WFP provides built-in callouts that accomplish the following tasks.
The filter engine allows third-party callouts to register at each of its kernel-mode layers.
|Application Programming Interface||A set of data types and functions available to the developers to build and manage network filtering applications. These data types and functions are grouped into multiple API sets.|
- Provides a packet filtering infrastructure where independent software vendors (ISVs) can plug-in specialized filtering modules.
- Works with both IPv4 and IPv6.
- Allows for data filtering, modification, and re-injection.
- Performs both packet and stream processing.
- Allows packet filtering to be enabled per application, per user, and per connection in addition to per network interface or per port.
- Provides boot-time security until Base Filtering Engine (BFE) can start.
- Enables stateful connection filtering.
- Handles both pre and post IPsec-encrypted data.
- Allows integration of IPsec and firewall filtering policies.
- Provides a policy management infrastructure to determine when specific filters should be activated. This includes mediating conflicting requirements from multiple filters provided by different vendors.
- Handles most packet reassembly and state tracking.
- Includes a generic user notification system that informs subscribers of changes to the filtering system.
- Implements enumeration functions that report on the state of the system.
- Uses net events to record IPsec errors and packet drops.
- Supports a Network Diagnostics Framework (NDF) helper class.
- Supports the Secure Socket extensions to the Winsock API, which allow network applications to secure their traffic by configuring WFP.
- At Application Layer Enforcement (ALE) layers, minimally impacts network performance by processing only the first packet in a connection.
- Integrates hardware offload where kernel-mode callout modules can use hardware to perform specific packet inspection.
- WFP Architecture
- WFP Operation
- Application Layer Enforcement (ALE)
- IPsec Configuration
- WFP Configuration
- WFP Monitoring
- WFP API