WFP Filtering Condition Flags (Compact 2013)

  • Article

3/26/2014

The Windows Filtering Platform (WFP) filtering condition flags are each represented by a bit field.

These flags and the filtering layers where they can be used are defined as follows.

Flag

Description

FWP_CONDITION_FLAG_IS_LOOPBACK

Tests if the network traffic is loopback traffic.

Filtering layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}
  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}
  • FWPM_LAYER_STREAM_{V4|6}
  • FWPM_LAYER_INBOUND_ICMP_ERROR_V{4|6}
  • FWPM_LAYER_OUTBOUND_ICMP_ERROR_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_FLOW_ESTABLISHED_V{4|6}

FWP_CONDITION_FLAG_IS_IPSEC_SECURED

Tests if the network traffic is protected by IPsec.

Filtering layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}
  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_REAUTHORIZE

Tests for a policy change as opposed to a new connection.

Filtering layers:

  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_WILDCARD_BIND

Tests if the application specified a wildcard address when binding to a local network address.

Filtering layer:

  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

FWP_CONDITION_FLAG_IS_RAW_ENDPOINT

Tests if the local endpoint that is sending and receiving traffic is a raw endpoint.

Filtering layers:

  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}
  • FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}
  • FWPM_LAYER_DATAGRAM_DATA_{V4|6}
  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_FRAGMENT

Tests if the NET_BUFFER_LIST structure passed to a callout driver is an IP packet fragment.

Filtering layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}
  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}_DISCARD

FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP

Tests if the NET_BUFFER_LIST structure passed to a callout driver describes a linked list of packet fragments.

Filtering layer:

  • FWPM_LAYER_IPFORWARD_V{4|6}

FWP_CONDITION_FLAG_IS_IPSEC_NATT_RECLASSIFY

Indicates that the same packet is being re-classified at the transport layer, when the IPSec NAT shim translates the remote port value.

FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY

Indicates that the packet will be reclassified at the ALE receive/accept layer.

FWP_CONDITION_FLAG_IS_IMPLICIT_BIND

Tests if Windows Sockets is performing an implicit bind.

Filtering layer:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}

See Also

Reference

WFP Filtering Conditions

Other Resources

Windows Filtering Platform