Windows Filtering Platform

Windows Filtering Platform (WFP) is a set of system services and an application programming interface introduced with Windows Vista that allows applications to tie into the packet processing and filtering pipeline of the new network stack. It provides features such as integrated communication and it can be configured for invoking processing logic on a per-application basis. It is intended for use by firewalls and other packet-processing or connection monitoring components.

It consists of the following components:

• Shims, which exposes the internal structure of a packet as properties. Different shims exist for protocols at different layers. The filtering engine filters the packets by verifying the data against the specified set of rules. WFP comes with a set of shims, shims for other protocols can be registered using the API. The in-built set of shims include:
  • Application Layer Enforcement (ALE) shim
  • Transport Layer Module (TLM) shim
  • Network Layer Module (NLM) shim
  • RPC Runtime shim
  • Internet Control Message Protocol (ICMP) shim
  • Stream shim

• Filter engine, which spans across both kernel-mode and user-mode, provides basic filtering capabilities. It matches the data in packets, exposed by the shims, against filtering rules, and either blocks or permits the packet. If any other action is necessary, it can be implemented by means of a callout. The filters are applied on a per-application basis.

• Base filtering engine, is the module that manages the filtering engine. It accepts filtering rules, and enforces the security model of the application. It also maintains statistics for the WFP and logs its state.

• Callout is a callback function exposed by a filtering driver. The filtering drivers are used to provide filtering capabilities other than the default block/allow. During registration of a filter rule, the callout function is specified. When the filter is matched, the callout is invoked which handles what needs to be done.