Multiple injection handles for WFP

Hello. I am trying to learn WFP, and one thing has me confused. In the Microsoft example (WFPSampler) multiple injection handles are created for each layer. Specifically, for layer 2, 6 handles are created: inbound and outbound for AF_INET, AF_INET6 and AF_UNSPEC. But MSDN tells me to only use AF_UNSPEC for this layer. Also, I fail to find a mention of needing separate handles for inbound and outbound packets. Can someone please explain to me why so many handles are used in practice?
Thanks in advance.

xxxxx@gmail.com wrote:

> Hello. I am trying to learn WFP, and one thing has me confused. In the Microsoft example (WFPSampler) multiple injection handles are created for each layer. Specifically, for layer 2, 6 handles are created: inbound and outbound for AF_INET, AF_INET6 and AF_UNSPEC. But MSDN tells me to only use AF_UNSPEC for this layer.

One of the problems with this sample – like most of the samples – is
that they try to demonstrate EVERYTHING. I assume you’re talking about
PrvWFPSamplerDeviceDataPopulate. For each of those six combinations, it
actually creates six injection handles, spanning layers 2, 3, and 4. If
you only care about layer 2 data, then you can simplify
KrnlHlprInjectionHandleDataCreate.

> Also, I fail to find a mention of needing separate handles for inbound and outbound packets.

The MSDN page on packet injection functions certainly lists separate
functions for forward, send, and receive.

> Can someone please explain to me why so many handles are used in practice?

Because there are a lot of different kinds of packets.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> If you only care about layer 2 data, then you can simplify KrnlHlprInjectionHandleDataCreate.

Well, in that sample they also use different handles in KrnlHlprInjectionDataPopulate when processing FWPS_LAYER_INBOUND_MAC_FRAME_ETHERNET.
They get the ethernet type from the header, and choose the handle corresponding to the type (so an injection handle opened with AF_INET for type 0x800 and a handle opened with AF_INET6 for type 0x86DD). Is there a practical purpose in that?

> The MSDN page on packet injection functions certainly lists separate functions for forward, send, and receive.

Sure, but do I need different injection handles for send and receive functions? Or maybe I can use a single one for all those operations?

xxxxx@gmail.com wrote:

> If you only care about layer 2 data, then you can simplify KrnlHlprInjectionHandleDataCreate.
> Well, in that sample they also use different handles in KrnlHlprInjectionDataPopulate when processing FWPS_LAYER_INBOUND_MAC_FRAME_ETHERNET.
> They get the ethernet type from the header, and choose the handle corresponding to the type (so an injection handle opened with AF_INET for type 0x800 and a handle opened with AF_INET6 for type 0x86DD). Is there a practical purpose in that?

Each family takes a different handle. Look at the doc for
FwpsInjectionHandleCreate0. The address family is an enumeration, not a
bitmask.

> The MSDN page on packet injection functions certainly lists separate functions for forward, send, and receive.
Sure, but do I need different injection handles for send and receive functions? Or maybe I can use a single one for all those operations?

I don’t know. I suspect you are guilty of premature optimization here.
Make it work first, then tweak to see if you can make it better.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
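The selection logic the thread is discussing (one handle per address family, because FwpsInjectionHandleCreate0 takes a single family value rather than a bitmask, and the sampler picking AF_INET for EtherType 0x0800 and AF_INET6 for 0x86DD), shown as an added example that is not code from WFPSampler or from either poster. It builds the 3 x 2 (family x direction) handle table in user mode so it compiles without the WDK: the `injection_handle` struct, the frame arrays and the function names are constructed for this illustration, and the comment marks where a real driver would call FwpsInjectionHandleCreate0. It also handles the case the thread does not mention, an 802.1Q-tagged frame, where the EtherType sits four bytes later.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows address family values (ws2def.h): these are the enumeration values
   FwpsInjectionHandleCreate0 accepts, one per handle. */
enum { WIN_AF_UNSPEC = 0, WIN_AF_INET = 2, WIN_AF_INET6 = 23 };

enum family_slot { SLOT_UNSPEC = 0, SLOT_INET, SLOT_INET6, SLOT_COUNT };
enum direction { DIR_INBOUND = 0, DIR_OUTBOUND, DIR_COUNT };

/* Constructed stand-in for the HANDLE a real driver would store. */
typedef struct {
    int family;     /* WIN_AF_* value the handle was opened with */
    int direction;  /* DIR_INBOUND or DIR_OUTBOUND */
    int opened;     /* 1 once "created" */
} injection_handle;

typedef struct {
    injection_handle h[SLOT_COUNT][DIR_COUNT];
} mac_injection_handles;

static const int kSlotFamily[SLOT_COUNT] = { WIN_AF_UNSPEC, WIN_AF_INET, WIN_AF_INET6 };

/* Fill the six-slot table for the MAC-frame layers. In kernel mode each slot
   would be: FwpsInjectionHandleCreate0(kSlotFamily[s], FWPS_INJECTION_TYPE_L2, &handle)
   (hypothetical call shape; consult the WDK header). Returns 0 on success. */
int mac_injection_handles_open(mac_injection_handles *t) {
    for (int s = 0; s < SLOT_COUNT; s++) {
        for (int d = 0; d < DIR_COUNT; d++) {
            t->h[s][d].family = kSlotFamily[s];
            t->h[s][d].direction = d;
            t->h[s][d].opened = 1;
        }
    }
    return 0;
}

/* EtherType of an Ethernet II frame; skips one 802.1Q tag (0x8100) if present.
   Returns 0 for a frame too short to carry the field. */
uint16_t ethertype_of(const uint8_t *frame, size_t len) {
    if (len < 14) return 0;
    uint16_t et = (uint16_t)((frame[12] << 8) | frame[13]);
    if (et == 0x8100) {            /* VLAN tag: TCI at 14..15, real type at 16..17 */
        if (len < 18) return 0;
        et = (uint16_t)((frame[16] << 8) | frame[17]);
    }
    return et;
}

/* The dispatch the thread describes: IPv4 -> AF_INET handle, IPv6 -> AF_INET6
   handle, anything else (ARP, LLDP, ...) -> the AF_UNSPEC handle. */
enum family_slot slot_for_ethertype(uint16_t et) {
    switch (et) {
        case 0x0800: return SLOT_INET;
        case 0x86DD: return SLOT_INET6;
        default:     return SLOT_UNSPEC;
    }
}

/* Pick the handle for a frame and direction; NULL if the frame is unusable. */
const injection_handle *select_handle(const mac_injection_handles *t,
                                      const uint8_t *frame, size_t len,
                                      enum direction d) {
    uint16_t et = ethertype_of(frame, len);
    if (et == 0) return NULL;
    const injection_handle *h = &t->h[slot_for_ethertype(et)][d];
    return h->opened ? h : NULL;
}

/* Convenience wrapper over a process-wide table; returns the family the chosen
   handle was opened with, or -1 when no handle applies. */
int selected_family(const uint8_t *frame, size_t len, enum direction d) {
    static mac_injection_handles table;
    static int ready = 0;
    if (!ready) { mac_injection_handles_open(&table); ready = 1; }
    const injection_handle *h = select_handle(&table, frame, len, d);
    return h ? h->family : -1;
}

/* Constructed sample frames: 6-byte dst, 6-byte src, then EtherType (+ payload). */
const uint8_t kFrameIPv4[16]     = { 1,2,3,4,5,6, 7,8,9,10,11,12, 0x08,0x00, 0x45,0x00 };
const uint8_t kFrameIPv6Vlan[20] = { 1,2,3,4,5,6, 7,8,9,10,11,12, 0x81,0x00, 0x00,0x0a,
                                     0x86,0xDD, 0x60,0x00 };
const uint8_t kFrameArp[16]      = { 1,2,3,4,5,6, 7,8,9,10,11,12, 0x08,0x06, 0x00,0x01 };

int main(void) {
    printf("IPv4 inbound  -> family %d\n", selected_family(kFrameIPv4, sizeof kFrameIPv4, DIR_INBOUND));
    printf("IPv6 (VLAN)   -> family %d\n", selected_family(kFrameIPv6Vlan, sizeof kFrameIPv6Vlan, DIR_OUTBOUND));
    printf("ARP outbound  -> family %d\n", selected_family(kFrameArp, sizeof kFrameArp, DIR_OUTBOUND));
    printf("truncated     -> family %d\n", selected_family(kFrameIPv4, 10, DIR_INBOUND));
    return 0;
}
```

The table is keyed by both family and direction only because that is how the sampler lays it out; the thread does not settle whether a send-side and receive-side handle must differ, so a driver author should check the FwpsInjectionHandleCreate0 documentation before collapsing the direction axis.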