gmt

Forum Replies Created

Viewing 5 posts - 1 through 5 (of 5 total)
in reply to: NtKernel filter best performance for reinjecting traffic #7154
gmt
Participant

Thanks for your thoughts, SerpentFly.

in reply to: Static filter table – netbios traffic is redirected always #7142
gmt
Participant

Any ideas, anybody?

The facts were presented in my last post. I can reproduce the behavior with the piece of code posted. Is there a way to handle some packets with PACKET_REDIRECT (based on some filters) and, for the rest, to have a default rule that says PACKET_PASS, so that I don't receive, in user mode, traffic I'm not interested in?

-Ghita

in reply to: Static filter table – netbios traffic is redirected always #7141
gmt
Participant

“What I find strange is that even if I have set as priority rules a rule that blocks all TCP and one that blocks all UDP traffic, I still ‘catch’ netbios (port 137, broadcast) and link-local multicast resolution (port 5355) traffic on my last filter rule (the rule that says to inspect – FILTER_PACKET_REDIRECT)”

I have new information about my findings. I simplified the filters I use and have the following conclusions:

1. In our application, packets that don't have to be allowed/blocked/intercepted by our custom NT kernel filters have to be allowed to pass without interception (we **don't** need them to be passed into user mode at all).

2. What I've observed is that any packet that doesn't match a specific filter seems to be intercepted by default by ntkernel (passed to user mode). Is this true?

3. If 2 is true, how do I define a “default” filter rule so that all traffic not matched by higher-priority filters gets allowed (FILTER_PACKET_PASS) and not intercepted (FILTER_PACKET_REDIRECT)? We now use what's below, but it seems not to match all (remaining) traffic:
    /* Intended catch-all rule: no layer constraints, all adapters, both directions. */
    static STATIC_FILTER make_default_pass_filter(void)
    {
        STATIC_FILTER result = {0};
        result.m_Adapter.QuadPart = 0;                 /* 0: meant to apply to every adapter */
        result.m_ValidFields = 0;                      /* no network/transport/data-link constraints */
        result.m_FilterAction = FILTER_PACKET_PASS;    /* let the packet through, do not redirect */
        result.m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
        return result;
    }

As you can see, I use m_Adapter set to 0 in the hope that the default will be to allow traffic on all network interfaces.

Any hints are appreciated.
Thanks
-Ghita

in reply to: Static filter table – netbios traffic is redirected always #7140
gmt
Participant

Thanks for the response, SerpentFly.
I'll have to evaluate in this case exactly what rule we apply, because the intent in the case that manifested was for the rule to apply to all TCP/UDP packets regardless of IPs (allowed, FILTER_PACKET_PASS), but instead the same rule (same fields, except the action field) applied only for FILTER_PACKET_REDIRECT.

Regards
-Ghita

in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7132
gmt
Participant

Hi, I am one of the “guys” involved in the original issue described here. One of the reasons why DNS traffic was being affected (blocked) was that we first tried adding some blocking rules that were supposed to affect only certain types of traffic (say, only TCP or UDP), but the FILTER_TABLE filters were not configured correctly for TCP/UDP (they were catching other, non-TCP/UDP protocols – ARP, etc.).
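
The two filter-table problems raised in these posts (TCP/UDP rules that were not pinned to TCP/UDP and therefore caught ARP and other non-IP traffic, from #7132, and the question of a last "default" rule that passes everything the earlier rules did not match, from #7141) are easier to see side by side in one complete table. The block below is an added example written for this page; it is not code from the thread or from the WinpkFilter SDK. It assumes the SDK's field and constant names (STATIC_FILTER, m_ValidFields, NETWORK_LAYER_VALID, IP_V4_FILTER_PROTOCOL, TCPUDP_DEST_PORT, and so on) and re-declares them locally in a simplified layout purely so that it compiles offline; the constant values are assumed, and the stand-in structs must not be handed to the driver. The helper names (rule_base, rule_ipv4_proto, with_dport, lint_table) are the example's own, and the warning about a catch-all that is not the last rule assumes in-order, first-match evaluation.

```c
/* Added example, not code from the thread or from the WinpkFilter SDK.
 * ASSUMPTION: the typedefs/constants below are local stand-ins that copy the SDK's
 * field and constant names in a simplified layout so this compiles offline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILTER_PACKET_PASS      1u
#define FILTER_PACKET_DROP      2u
#define FILTER_PACKET_REDIRECT  3u
#define PACKET_FLAG_ON_SEND     1u
#define PACKET_FLAG_ON_RECEIVE  2u
#define NETWORK_LAYER_VALID     2u   /* m_ValidFields: consult m_NetworkFilter */
#define TRANSPORT_LAYER_VALID   4u   /* m_ValidFields: consult m_TransportFilter */
#define IPV4                    1u   /* network-layer m_dwUnionSelector */
#define IP_V4_FILTER_PROTOCOL   4u   /* IP_V4_FILTER.m_ValidFields: m_Protocol is set */
#define TCPUDP                  1u   /* transport-layer m_dwUnionSelector */
#define TCPUDP_DEST_PORT        2u   /* TCPUDP_FILTER.m_ValidFields: m_DestPort is set */
#define PROTO_TCP 6u                 /* IANA IP protocol numbers */
#define PROTO_UDP 17u

typedef struct { uint32_t m_ValidFields; uint8_t m_Protocol; } IP_V4_FILTER;   /* addresses omitted */
typedef struct { uint32_t m_dwUnionSelector; IP_V4_FILTER m_IPv4; } NETWORK_LAYER_FILTER;
typedef struct { uint16_t m_StartRange, m_EndRange; } PORT_RANGE;
typedef struct { uint32_t m_ValidFields; PORT_RANGE m_SourcePort, m_DestPort; } TCPUDP_FILTER;
typedef struct { uint32_t m_dwUnionSelector; TCPUDP_FILTER m_TcpUdp; } TRANSPORT_LAYER_FILTER;
typedef struct {
    uint64_t m_Adapter;                  /* ULARGE_INTEGER in the SDK; 0 = every adapter */
    uint32_t m_dwDirectionFlags, m_FilterAction;
    uint32_t m_ValidFields;              /* which layer filters are consulted; 0 = match anything */
    NETWORK_LAYER_FILTER m_NetworkFilter;
    TRANSPORT_LAYER_FILTER m_TransportFilter;
} STATIC_FILTER;
#define MAX_RULES 8
typedef struct { uint32_t m_TableSize; STATIC_FILTER m_StaticFilters[MAX_RULES]; } STATIC_FILTER_TABLE;

/* All adapters, both directions, no layer constraints: on its own this is a catch-all. */
static STATIC_FILTER rule_base(uint32_t action)
{
    STATIC_FILTER f = {0};
    f.m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
    f.m_FilterAction = action;
    return f;
}

/* Pin the rule to IPv4 + one protocol number; a non-IP frame such as ARP cannot satisfy it. */
static STATIC_FILTER rule_ipv4_proto(uint8_t proto, uint32_t action)
{
    STATIC_FILTER f = rule_base(action);
    f.m_ValidFields = NETWORK_LAYER_VALID;
    f.m_NetworkFilter.m_dwUnionSelector = IPV4;
    f.m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
    f.m_NetworkFilter.m_IPv4.m_Protocol = proto;
    return f;
}

/* Add a single destination-port constraint on top of whatever the rule already pins. */
static STATIC_FILTER with_dport(STATIC_FILTER f, uint16_t dport)
{
    f.m_ValidFields |= TRANSPORT_LAYER_VALID;
    f.m_TransportFilter.m_dwUnionSelector = TCPUDP;
    f.m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
    f.m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = dport;
    f.m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = dport;
    return f;
}

static void add_rule(STATIC_FILTER_TABLE *t, STATIC_FILTER f)
{
    if (t->m_TableSize < MAX_RULES) t->m_StaticFilters[t->m_TableSize++] = f;
}

/* Shape of the mistake from #7132: "TCP/UDP" blocks that only name a port and never say
 * which IP protocol they are for, followed by the default PASS rule from #7141. */
static void build_naive_table(STATIC_FILTER_TABLE *t)
{
    memset(t, 0, sizeof *t);
    add_rule(t, with_dport(rule_base(FILTER_PACKET_DROP), 137));    /* NetBIOS name service */
    add_rule(t, with_dport(rule_base(FILTER_PACKET_DROP), 5355));   /* LLMNR */
    add_rule(t, rule_base(FILTER_PACKET_PASS));                     /* catch-all */
}

/* Corrected table: most specific first, every TCP/UDP rule pinned to IPv4 + protocol,
 * and an explicit catch-all PASS last so the default is spelled out, not left to the driver. */
static void build_fixed_table(STATIC_FILTER_TABLE *t)
{
    memset(t, 0, sizeof *t);
    add_rule(t, with_dport(rule_ipv4_proto(PROTO_TCP, FILTER_PACKET_REDIRECT), 443)); /* inspect in user mode */
    add_rule(t, with_dport(rule_ipv4_proto(PROTO_UDP, FILTER_PACKET_DROP), 137));
    add_rule(t, rule_ipv4_proto(PROTO_TCP, FILTER_PACKET_PASS));
    add_rule(t, rule_ipv4_proto(PROTO_UDP, FILTER_PACKET_PASS));
    add_rule(t, rule_base(FILTER_PACKET_PASS));
}

enum lint_code { LINT_OK = 0, LINT_EMPTY, LINT_TRANSPORT_WITHOUT_IP, LINT_CATCH_ALL_NOT_LAST, LINT_NO_CATCH_ALL };

/* Structural checks that do not depend on what the driver does with an unmatched packet:
 * a transport-layer constraint without an IPv4 protocol pin is not a TCP/UDP rule, and
 * (ASSUMING in-order first-match evaluation) a catch-all anywhere but last shadows the rest. */
static enum lint_code lint_table(const STATIC_FILTER_TABLE *t)
{
    if (t->m_TableSize == 0) return LINT_EMPTY;
    for (uint32_t i = 0; i < t->m_TableSize; i++) {
        const STATIC_FILTER *f = &t->m_StaticFilters[i];
        int pins_proto = (f->m_ValidFields & NETWORK_LAYER_VALID) && f->m_NetworkFilter.m_dwUnionSelector == IPV4
                         && (f->m_NetworkFilter.m_IPv4.m_ValidFields & IP_V4_FILTER_PROTOCOL);
        if ((f->m_ValidFields & TRANSPORT_LAYER_VALID) && !pins_proto) return LINT_TRANSPORT_WITHOUT_IP;
        if (f->m_ValidFields == 0 && i + 1 != t->m_TableSize) return LINT_CATCH_ALL_NOT_LAST;
    }
    return t->m_StaticFilters[t->m_TableSize - 1].m_ValidFields == 0 ? LINT_OK : LINT_NO_CATCH_ALL;
}

/* Build with the given builder, then lint it. */
static enum lint_code lint_built(void (*build)(STATIC_FILTER_TABLE *))
{
    STATIC_FILTER_TABLE t;
    build(&t);
    return lint_table(&t);
}

int main(void)
{
    printf("naive table lint code: %d\n", (int)lint_built(build_naive_table));
    printf("fixed table lint code: %d\n", (int)lint_built(build_fixed_table));
    return 0;
}
```

The point of lint_table is that a rule meant for TCP or UDP has to say so at the network layer (IPv4 plus a protocol number); a rule that only sets a port range leaves the protocol unconstrained, which is the shape of the misconfiguration described in #7132. Whether the driver treats a packet that matches no rule as PASS or as REDIRECT is exactly the open question in #7141, so the corrected table does not rely on either behaviour and ends with an explicit catch-all PASS.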
