Using Virtual Switch Filtering
Virtual Switch Filtering is supported in Windows 8 and later versions of Windows.
This WFP feature allows filtering on fields of the MAC header, IP header, and upper protocol ports as well as virtual switch specific fields such as virtual port (VPort) and virtual machine identifier (VM ID). These layers are invoked on a per-packet basis for all packets traversing the virtual switch. These layers are accessed from a virtual switch extension filter—a type of NDIS lightweight filter (LWF) driver.
A callout driver calls the FwpsvSwitchEventsSubscribe0 function to register callback entry points for virtual switch layer events.
The entry points for the callback notification functions are specified in an FWPS_VSWITCH_EVENT_DISPATCH_TABLE0 structure. The callback functions that are available include:
The FWPS_VSWITCH_EVENT_TYPE enumeration defines the values for the eventType parameter of the virtual switch notification functions.
The callout driver must eventually call FwpsvSwitchEventsUnsubscribe0 to free the system resources.
If a callout driver returns STATUS_PENDING from a WFP notification function, WFP will return STATUS_PENDING to the OID request handler. The callout driver must call the FwpsvSwitchNotifyComplete0 function to complete the pending operation. After the FwpsvSwitchNotifyComplete0 call, WFP calls the NdisFOidRequestComplete function to complete the OID for the virtual switch.
Callbacks should not add or delete WFP filters synchronously in the context of the notification functions. In addition, if the notification function allows the callback to return STATUS_PENDING, and the callout returns STATUS_PENDING, the callout should not add or delete WFP filters before completing the notification.
Run-time Filtering Layer Identifiers for virtual switch filtering include:
Data Field Identifiers for virtual switch filtering include: