Filtering Layer

A filtering layer is a point in the TCP/IP network stack where network data is passed to the filter engine for matching against the current set of filters. Each filtering layer in the network stack is identified by a unique filtering layer identifier.

When a filter is added to the filter engine, it is added at a designated filtering layer where it will filter the network data. Specific data fields are made available at each filtering layer for processing by the filters that have been added to the filter engine at that layer. If the filter engine passes the network data to a callout for additional processing, it includes these data fields and any metadata that is available at that filtering layer.

Run-time Filtering Layer Identifiers (FWPS_XXX) are used by kernel-mode callout drivers. Management Filtering Layer Identifiers (FWPM_XXX) are used by FwpmXxx functions that interact with the Base Filtering Engine (BFE) from either user mode or kernel mode (for example, FwpmFilterAdd0).

The FWPS data types are smaller than their FWPM counterparts: the FWPM filtering layer identifiers are GUIDs (128 bits), whereas the FWPS filtering layer identifiers are LUIDs (64 bits). The smaller FWPS data types improve system performance: integer comparisons are faster than GUID comparisons for real-time traffic, and kernel memory handles the FWPS types more efficiently.
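Because every filter is added at one designated layer, a host's filter set can be audited by grouping filters on their management layer identifier. The following is an added example, not code from the original page: it groups the filters in a `netsh wfp show filters` XML dump by `FWPM_LAYER_*` key. The function name `Get-WfpFiltersByLayer`, the element names it reads (assumed from the dump format) and the sample filters are assumptions or constructed values.

```powershell
# Added example: inventory WFP filters per management filtering layer (FWPM_LAYER_*).
# Assumption: the dump uses the element layout wfpdiag/filters/item with
# layerKey, displayData/name and action/type children.
function Get-WfpFiltersByLayer {
    param([Parameter(Mandatory)][xml]$Dump)
    $Dump.SelectNodes('/wfpdiag/filters/item') |
        Group-Object { $_.SelectSingleNode('layerKey').InnerText } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Layer   = $_.Name     # layer the filters were added at
                Count   = $_.Count
                # Distinct action types; callout actions hand traffic to a driver.
                Actions = @($_.Group | ForEach-Object {
                              $_.SelectSingleNode('action/type').InnerText } |
                            Sort-Object -Unique)
                Filters = @($_.Group | ForEach-Object {
                              $_.SelectSingleNode('displayData/name').InnerText })
            }
        }
}

# Constructed sample in the assumed dump shape, so the function runs offline.
[xml]$sample = @'
<wfpdiag>
  <filters numItems="3">
    <item><displayData><name>Sample: block outbound SMB</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action></item>
    <item><displayData><name>Sample: inspect outbound connect</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <action><type>FWP_ACTION_CALLOUT_TERMINATING</type></action></item>
    <item><displayData><name>Sample: allow inbound service</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
      <action><type>FWP_ACTION_PERMIT</type></action></item>
  </filters>
</wfpdiag>
'@

Get-WfpFiltersByLayer -Dump $sample | Format-List

# On a live host, from an elevated prompt:
#   netsh wfp show filters file=$env:TEMP\wfp-filters.xml
#   Get-WfpFiltersByLayer -Dump ([xml](Get-Content -Raw $env:TEMP\wfp-filters.xml))
```

A layer whose `Actions` include a callout type is one where the filter engine passes traffic to a callout driver, which makes it a natural starting point when reviewing what third-party drivers inspect.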