Hi all,
I’ve encountered a strange problem concerning WFP filter removal.
I open the engine with FWPM_SESSION_FLAG_DYNAMIC, but see that the filters I subsequently add are still there after I close the engine. I can see them by issuing NETSH WFP SHOW STATE. FwpmEngineClose() returns STATUS_SUCCESS.
I then decided to split the problem and have explicitly removed the filters/callouts/sublayers before closing the engine. What’s interesting is that the first call always returns RPC_NT_CALL_FAILED. If I call the same function once more, it succeeds!
Does anyone have a sane explanation for this?
Thanks in advance,
Greg.
One more observation: the aforementioned code may be called in two different scenarios: in an orderly shutdown when an IOCTL is sent and as a cleanup when the client process is killed and a CLOSE is sent. It’s only the latter path that causes the error to occur.
Greg.
On May 29, 2012, at 18:39, xxxxx@gmail.com wrote:
Hi all,
I’ve encountered a strange problem concerning WFP filter removal.
I open the engine with FWPM_SESSION_FLAG_DYNAMIC, but see that the filters I subsequently add are still there after I close the engine. I can see them by issuing NETSH WFP SHOW STATE. FwpmEngineClose() returns STATUS_SUCCESS.
I then decided to split the problem and have explicitly removed the filters/callouts/sublayers before closing the engine. What’s interesting is that the first call always returns RPC_NT_CALL_FAILED. If I call the same function once more, it succeeds!
Does anyone have a sane explanation for this?
Thanks in advance,
Greg.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
And one more piece of info:
If done in the context of a system worker thread (via IoQueueWorkItem()), the problem disappears. The IRQL is irrelevant as it’s PASSIVE in all the mentioned cases.
Greg.
On May 30, 2012, at 9:36, Greg wrote:
> One more observation: the aforementioned code may be called in two different scenarios: in an orderly shutdown when an IOCTL is sent and as a cleanup when the client process is killed and a CLOSE is sent. It’s only the latter path that causes the error to occur.
> Greg.