WFP 层要求和限制WFP Layer Requirements and Restrictions

01/22/2019

本文内容

以下要求和限制适用于 WFP 层。The following requirements and restrictions apply to WFP layers.

转发层Forwarding Layer

如果为源自的数据包或目标为的数据包启用了 IP 转发，则 IP 数据包将传递到该转发层。如果为该数据包启用了 IP 转发，则会将该地址发送到该计算机，并在与分配本地地址的接口不同的接口上发送或接收该数据包。An IP packet will be delivered to the forwarding layer if IP forwarding is enabled for a packet that originates from, or is destined for, an address that is assigned to the computer and the packet is sent or received on a different interface than the interface on which the local address is assigned. 默认情况下，IP 转发处于禁用状态，并且可以通过使用适用于 IPv4 转发的 netsh 接口 ipv4 集接口 命令或用于 ipv6 转发的 netsh interface ipv6 set interface 命令启用。By default, IP forwarding is disabled and can be enabled by using the netsh interface ipv4 set interface command for IPv4 forwarding or the netsh interface ipv6 set interface command for IPv6 forwarding.

转发层可以在到达时转发每个已接收的片段，也可以保留 IP 有效负载的片段，直到所有片段到达并转发它们为止。The forwarding layer can forward each received fragment as it arrives or hold the fragments of an IP payload until all fragments have arrived and then forward them. 这称为 片段分组。This is known as fragment grouping. 禁用片段分组后 (默认情况下禁用该分组) ，则转发的 IP 数据包段将指示为 WFP 一次。When fragment grouping is disabled (it is disabled by default), forwarded IP packet fragments are indicated to WFP one time. 启用片段分组后，会将一个片段指定为 WFP 两次：第一次为片段本身，并再次在 网络 _ 缓冲区 _ 列表 链描述的片段组内进行。When fragment grouping is enabled, a fragment is indicated to WFP two times--first as the fragment itself, and again inside a fragment group that is described by a NET_BUFFER_LIST chain. 如果将 "WFP 组" 标记指定为要转发的层标注，则会将其设置 _ _ _ 为 _ 分段 _ 组 标志。WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP flag when it indicates fragment groups to forwarding layer callouts. 可以使用 netsh interface {ipv4 | ipv6} set global groupforwardedfragments = enabled 命令启用片段分组。You can enable fragment grouping by using the netsh interface {ipv4|ipv6} set global groupforwardedfragments=enabled command. 片段分组不同于重新组合，后者是目标主机上的原始 IP 数据包的重新构造。Fragment grouping is different than reassembly, which is the reconstruction of the original IP packet at the destination host.

在转发层指示的 网络 _ 缓冲区 _ 列表 结构可以描述完整的 ip 数据包、IP 数据包片段或 ip 数据包片段组。The NET_BUFFER_LIST structure that is indicated at the forwarding layer can describe a full IP packet, an IP packet fragment, or an IP packet fragment group. 当 IP 数据包片段遍历转发层时，它将被指定两次标注：第一次为片段，并再次显示为片段组内的片段。While an IP packet fragment traverses the forwarding layer, it will be indicated two times to the callout: first as a fragment, and again, as a fragment inside a fragment group.

当指示分段组时，" _ _ _ _ 分段 _ 组 " 标志将作为传入值传递到标注驱动程序的 classifyFn callout 函数。When a fragment group is indicated, the FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP flag is passed as an incoming value to the callout driver's classifyFn callout function. 在这种情况下， NetBufferList 参数指向的 网络 _ 缓冲区 _ 列表结构是 网络 _ 缓冲区 _ 列表 链的第一个节点，每个 网络 _ 缓冲区 _ 列表 描述一个数据包片段。In this case, the NET_BUFFER_LIST structure pointed to by the NetBufferList parameter is the first node of a NET_BUFFER_LIST chain with each NET_BUFFER_LIST describing a packet fragment.

正向注入的数据包将不会显示在任何 WFP 层上。A forward injected packet will not be presented to any WFP layer. 可以再次向标注驱动程序指示插入的数据包。The injected packet can be indicated to the callout driver again. 若要防止无限循环，驱动程序应首先调用 FwpsQueryPacketInjectionState0 函数，然后再使用 classifyFn callout 函数调用，驱动程序应允许将处于注入状态 FWPS _ 数据包 _ 注入 _ 状态 的数据包设置为 _ _ _ _ 自 或 _ _ _ _ 由 _ 自身注入 的 FWPS 数据包，以通过未经修改的进行传递。To prevent infinite looping, the driver should first call the FwpsQueryPacketInjectionState0 function before it continues with a call to the classifyFn callout function, and the driver should permit packets that have the injection state FWPS_PACKET_INJECTION_STATE set to FWPS_PACKET_INJECTED_BY_SELF or FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF to pass through unaltered.

你可以使用以下命令来查看 system： netsh interface {ipv4 | ipv6} show global 的当前 "组转发片段" 设置。You can use the following command to view the current "Group Forwarded Fragments" setting for the system: netsh interface {ipv4|ipv6} show global.

网络层Network Layer

仅为传入路径指示的 IP 数据包片段在此层上的三个点上指定：第一种是 IP 数据包，作为 IP 分段再次出现，第三次在重新组合 IP 数据包中。IP packet fragments, which are indicated only for incoming paths, are indicated at three points at this layer: first as an IP packet, again as an IP fragment, and a third time as part of a reassembled IP packet. 在指示网络层标注的片段时，WFP 会将 .Fwp _ 条件 _ 标志设置 _ 为 _ 分段 标志。WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT flag when it indicates fragments to network layer callouts.

例如，如果单个 IP 数据包分为四个段，则此数据包的指示如下所示：For example, if a single IP packet is divided into four fragments, the indications for this packet occur as follows:

指示每个 "原始" IP 数据包 (4 个分类或对标注的分类函数的调用)One indication for each "original" IP packet (4 classifications, or calls to the callout's classify function)

每个 "原始片段" (4 个分类的一个指示)One indication for each "original fragment" (4 classifications)

最终重新组合 IP 数据包 (1 分类的一个指示)One indication for the final reassembled IP packet (1 classification)

添加筛选条件时，不能将 "合并的 _ 匹配 _ 标志" _ _ 设置 为 "无"，而使用 "合并 _ 条件 _ 标志 _ 为 _ 分段 标志"，以避免第二次指示 () 。When adding filtering conditions, FWP_MATCH_FLAGS_NONE_SET can be used together with the FWP_CONDITION_FLAG_IS_FRAGMENT flag to avoid the second indication(s). 这些条件标志旨在防止标注驱动程序所关心的分类。These condition flags are meant to prevent classifications the callout driver does not care about. 如果标注只需要检查未 (碎片并重新组合) 的完整数据包，则必须分析 IP 标头以避免处理显示为 IP 数据包的片段。If the callout has to inspect only full packets (those that have not been fragmented and reassembled), it has to parse the IP header to avoid processing fragments that are indicated as IP packets. 标注可能执行以下步骤来实现此目的：A callout might do the following steps to achieve this:

通过检查是否设置了 " (MF) 标志的更多片段" 和/或 "片段偏移量" 字段不是0，跳过第一个指示 () 。Skip the first indication(s) by checking if the More Fragments (MF) flag is set and/or the Fragment Offset field is not 0.

编写一个筛选器，该筛选器允许设置 FWP_CONDITION_FLAG_IS_FRAGMENT 的所有分类。Write a filter that allows all classifications where FWP_CONDITION_FLAG_IS_FRAGMENT is set.

执行重新组合的数据包上所需的任何处理。Perform whatever processing is needed on the reassembled packet.

或者，标注可以在传输层检查数据包。Alternatively, the callout can inspect packets at the transport layer.

传输层和 ALETransport Layer and ALE

为了能够与 IPsec 处理共存，在传入传输层检查数据包的标注还必须在 ALE 接收和接受层进行注册。To be able to coexist with IPsec processing, callouts that inspect packets at the incoming transport layer must also register at the ALE receive and accept layer. 此类标注可以在传输层检查/修改大多数流量，但它还必须允许分配给 ALE 接收/接受层的数据包。Such a callout can inspect/modify most of the traffic at the transport layer, but it must also permit packets that are assigned to the ALE receive/accept layer. 此类标注还必须从 ALE 层检查或修改数据包。Such a callout must also inspect or modify the packets from the ALE layer. WFP 设置 FWPS _ 元数据 _ 字段 _ ALE _ 分类 _ 所需 的元数据标志，指示传输层需要 ALE 检查的数据包。WFP sets the FWPS_METADATA_FIELD_ALE_CLASSIFY_REQUIRED metadata flag when it indicates to the transport layer those packets that require ALE inspection. IPsec 处理会推迟，直到创建初始 "连接" 的数据包和重新授权连接所需的数据包到达 ALE 层。IPsec processing is deferred until those packets that create the initial "connection" and those that are required to re-authorize the connection reach the ALE layer.

传输层和 ALE 层标注必须在小于通用子层的子层上注册自身。Transport layer and ALE layer callouts must register themselves at a sublayer that is of lower weight than the universal sublayer. 内置 IPsec/ALE 强制标注位于通用子层上。The built-in IPsec/ALE enforcement callouts reside at the universal sublayer.

下表显示了可以在 ALE 层指示的数据包类型。The following table shows packet types that can be indicated at ALE layers. 请注意，某些 ALE 层并不总是有与其指示关联的数据包。Be aware that some ALE layers do not always have a packet associated with their indication.

ALE 层ALE layer

TCP 数据包TCP packets

UDP 数据包UDP packets

绑定 (资源分配)Bind (resource assignment)

不适用not applicable

不适用not applicable

连接Connect

无数据包no packet

第一个 UDP 数据包 (传出)first UDP packet (outgoing)

接收/接受Receive/Accept

SYN (传入)SYN (incoming)

第一个 UDP 数据包 (传入)first UDP packet (incoming)

已建立流Flow Established

最终确认 (传入 & 传出)final ACK (incoming & outgoing)

第一个 UDP 数据包 (传入 & 传出)first UDP packet (incoming & outgoing)