Windows Filtering Platform issue.

NTDEV
1

I have a WFP driver that uses the ALE accept and connect callbacks. The
driver is based on the Microsoft inspect sample. The sample is in the WIN10
samples so it should be pretty much up to date.

My issue is that I am getting UDP reauthorization calls in the accept
callback. I don’t know where these are originating. The comment in the
sample states that these will only come if a policy is changed. I am getting
lots of these.

Any suggestions will be appreciated.

Thanks,

Bill Wandel

2

can you print ( pid,incoming(IP,port),outgoing(IP,port) ) values.
It will give some information.

Or can can send these to me and also process name matching pid

3

ReAuthorization can come due to policy change(any other filter has been
added) or it can also come if other driver re injecting the packets.
Are you processing ReAuth packets , what functionality this driver is
supposed to do?

On Wed, Feb 21, 2018 at 10:29 PM, xxxxx@bwandel.com <
xxxxx@lists.osr.com> wrote:

I have a WFP driver that uses the ALE accept and connect callbacks. The
driver is based on the Microsoft inspect sample. The sample is in the WIN10
samples so it should be pretty much up to date.

My issue is that I am getting UDP reauthorization calls in the accept
callback. I don’t know where these are originating. The comment in the
sample states that these will only come if a policy is changed. I am
getting lots of these.

Any suggestions will be appreciated.

Thanks,

Bill Wandel

NTDEV is sponsored by OSR

Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:></http:>

4

We are processing connects and accepts. We pend the callbacks in order to process at PASSIVE irql. We expect reauth for UDP when we pend the UDP packets but don’t expect the reauth when they are not from our pending.

Bill Wandel

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, February 22, 2018 8:06 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Windows Filtering Platform issue.

ReAuthorization can come due to policy change(any other filter has been added) or it can also come if other driver re injecting the packets.

Are you processing ReAuth packets , what functionality this driver is supposed to do?

On Wed, Feb 21, 2018 at 10:29 PM, xxxxx@bwandel.com mailto:xxxxx > wrote:

I have a WFP driver that uses the ALE accept and connect callbacks. The driver is based on the Microsoft inspect sample. The sample is in the WIN10 samples so it should be pretty much up to date.

My issue is that I am getting UDP reauthorization calls in the accept callback. I don’t know where these are originating. The comment in the sample states that these will only come if a policy is changed. I am getting lots of these.

Any suggestions will be appreciated.

Thanks,

Bill Wandel


NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

— NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at</http:></http:></http:></mailto:xxxxx>

5

I have another issue (one issue at a time). I do not get any errors when I inject the packets after they were pended. The injection return is SUCCESS but when I check the status in the completion routine I sometimes get a DATA_NOT_ACCEPTED error. I put in some retry code and sometimes it takes many retries for the injection to completely work. These are UDP packets. The end result of all this is that some UDP packets get dropped/lost.

Bill Wandel

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, February 22, 2018 8:06 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Windows Filtering Platform issue.

ReAuthorization can come due to policy change(any other filter has been added) or it can also come if other driver re injecting the packets.

Are you processing ReAuth packets , what functionality this driver is supposed to do?

On Wed, Feb 21, 2018 at 10:29 PM, xxxxx@bwandel.com mailto:xxxxx > wrote:

I have a WFP driver that uses the ALE accept and connect callbacks. The driver is based on the Microsoft inspect sample. The sample is in the WIN10 samples so it should be pretty much up to date.

My issue is that I am getting UDP reauthorization calls in the accept callback. I don’t know where these are originating. The comment in the sample states that these will only come if a policy is changed. I am getting lots of these.

Any suggestions will be appreciated.

Thanks,

Bill Wandel


NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

— NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at</http:></http:></http:></mailto:xxxxx>