Windows filtering platform - redirect network packets

Hello,

I have a WFP callout driver that is able to redirect (based on some criteria) packets arriving at the FORWARD IP layer to a user mode application on a specific port. This is used in order to implement a transparent proxy solution for HTTP and HTTPS traffic coming from an internal network.

The issue one has when changing an IP packet's destination from the original IP to the proxy IP is that the original IP destination gets lost, and in the case of an HTTPS connection establishment that has no SNI (server name indication) information there is no way to know the intended connection IP. How would you solve the need to send the information about the original IP to user mode (considering the server might be on the same machine)?

The CONNECTION_REDIRECTION layers are designed for this. I believe this is the preferred way of achieving your goal.

As for retaining the original destination, in OS >= Win8 this can be achieved using the SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT control code.
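An added example, not from either poster, of how the original destination can travel through the redirect context that the control code above exposes on Win8+: the callout serializes the pre-rewrite destination into a driver-defined buffer (assumed to be handed over via the localRedirectContext/localRedirectContextSize fields of FWPS_CONNECT_REQUEST0), and the user-mode proxy reads it back with WSAIoctl(SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT) and validates it before trusting it. The wire layout, magic value and function names are constructed for this example; the portable parts build anywhere, the query itself only on Windows.

```c
/* Portable helpers for a driver-defined WFP redirect context that carries the
 * original destination. The layout is a constructed example, not from the thread. */
#include <stdint.h>
#include <stddef.h>
#ifdef _WIN32
#include <winsock2.h>
#include <mstcpip.h>
#endif
#define RCTX_MAGIC    0x52444352u  /* constructed tag "RDCR" */
#define RCTX_VERSION  1u
#define RCTX_WIRE_LEN 12           /* magic(4) version(2) port(2) ipv4(4), big-endian */
struct original_dest { uint32_t ipv4; uint16_t port; };  /* host byte order */

static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Driver side: serialize the destination the callout saw before rewriting it. The callout
 * would point FWPS_CONNECT_REQUEST0.localRedirectContext/localRedirectContextSize at this. */
size_t encode_redirect_ctx(uint8_t out[RCTX_WIRE_LEN], const struct original_dest *d)
{
    wr32(out, RCTX_MAGIC);
    wr32(out + 4, ((uint32_t)RCTX_VERSION << 16) | d->port);
    wr32(out + 8, d->ipv4);
    return RCTX_WIRE_LEN;
}

/* Proxy side: validate the buffer before trusting it. Returns 0 on success, -1 if malformed. */
int parse_redirect_ctx(const uint8_t *buf, size_t len, struct original_dest *d)
{
    if (!buf || !d || len != RCTX_WIRE_LEN || rd32(buf) != RCTX_MAGIC) return -1;
    uint32_t vp = rd32(buf + 4);
    if ((vp >> 16) != RCTX_VERSION || (vp & 0xFFFF) == 0) return -1;  /* port 0 is never valid */
    d->port = (uint16_t)(vp & 0xFFFF);
    d->ipv4 = rd32(buf + 8);
    return 0;
}

#ifdef _WIN32
/* Win8+: fetch the context the callout attached to the accepted proxy-side socket. */
int query_original_dest(SOCKET accepted, struct original_dest *d)
{
    uint8_t buf[RCTX_WIRE_LEN]; DWORD got = 0;
    if (WSAIoctl(accepted, SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT, NULL, 0,
                 buf, sizeof buf, &got, NULL, NULL) != 0) return -1;
    return parse_redirect_ctx(buf, got, d);
}
#endif
```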

We also use the layer FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 for redirection of connections ORIGINATING from the gateway machine (as opposed to connections coming from outside, on FORWARD).

Because we also intercept connections on FORWARD (and need to filter them based on IP and also a custom filter on port), we cannot use the CONNECT layer.

@Jason_Stephenson said:
The CONNECTION_REDIRECTION layers are designed for this. I believe this is the preferred way of achieving your goal.

As for retaining the original destination, in OS >= Win8 this can be achieved using the SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT control code.

Is there any solution for Win7? SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT is not available before Win8.