I wrote a program that inspects packets at the WFP DISCARD layers. To obtain the discard reason and the filter ID, I use the following code:
if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_DISCARD_REASON))
{
    /* Discard metadata is only meaningful on the *_DISCARD layers, and only when this field is present. */
    FWPS_DISCARD_METADATA0 discardData = inMetaValues->discardMetadata;
    FWPS_DISCARD_MODULE0 discardModule = discardData.discardModule;
    UINT32 discardReason = discardData.discardReason;   /* interpretation depends on discardModule */
    UINT64 discardFilter = discardData.filterId;        /* ID of the filter that caused the discard */

    switch (discardModule)
    {
    case FWPS_DISCARD_MODULE_NETWORK:
        PrintNetworkDiscardReason(discardReason);
        break;
    case FWPS_DISCARD_MODULE_TRANSPORT:
        PrintTransportDiscardReason(discardReason);
        break;
    case FWPS_DISCARD_MODULE_GENERAL:
        if (FWPS_DISCARD_FIREWALL_POLICY == discardReason)
        {
            PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_FIREWALL_POLICY");
        }
        else if (FWPS_DISCARD_IPSEC == discardReason)
        {
            PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_IPSEC");
        }
        break;
    default:
        PRINT_MSG("DISCARD_MODULE: unknown (%u)", (UINT32)discardModule);
        break;
    }

    /* filterId is 64-bit; a 32-bit %x would truncate it, so use %I64x. */
    PRINT_MSG("DISCARD FILTER: %I64x", discardFilter);
}
The program correctly writes the filterId when Windows Firewall drops packets (on some ALE layers), but when antivirus software blocks a packet (at the FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD layer), the filterId is zero.
Is it possible to get the filterId of the filter that discarded those packets?