Filtering condition flags
The filtering condition flags are each represented by a bit field. These flags are defined as follows:
Note: This topic contains filtering condition flags for kernel mode WFP callout drivers. For information about filtering condition flags that are shared between user mode and kernel mode, or if you are looking for information about a flag that isn't listed here, see Filtering Condition Flags.
Filtering condition flag | Description |
---|---|
FWP_CONDITION_FLAG_IS_LOOPBACK 0x00000001 | Indicates that the network traffic is loopback traffic. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_IPSEC_SECURED 0x00000002 | Indicates that the network traffic is protected by IPsec. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_REAUTHORIZE 0x00000004 | Indicates a policy change (as opposed to a new connection). This flag is applicable at the following filtering layers: This flag is also applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_WILDCARD_BIND 0x00000008 | Indicates that the application specified a wildcard address when binding to a local network address. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_RAW_ENDPOINT 0x00000010 | Indicates that the local endpoint that is sending and receiving traffic is a raw endpoint. This flag is applicable at the following filtering layers: This flag is applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_FRAGMENT 0x00000020 | Indicates that the NET_BUFFER_LIST structure passed to a callout driver is an IP packet fragment. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP 0x00000040 | Indicates that the NET_BUFFER_LIST structure passed to a callout driver describes a linked list of packet fragments. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_IPSEC_NATT_RECLASSIFY 0x00000080 | This flag is set when an NAT Traversal (UDP port 4500) packet is indicated. Once the decapsulation occurs, the flag is set for the reclassify using the information from the encapsulated packet. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY 0x00000100 | Indicates that the packet has not yet reached the ALE receive/accept layer (FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 or FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6), where its connection state will be tracked. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_IMPLICIT_BIND 0x00000200 | Indicates that the socket was not explicitly bound. If the sender calls send without first calling bind, Windows Sockets performs an implicit bind. Note: This flag is supported only in Windows Server 2008 and Windows Vista. It is deprecated in later Windows versions. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_REASSEMBLED 0x00000400 | Indicates that the packet has been reassembled from a group of fragments. This flag is applicable at the following filtering layers in Windows Server 2008, Windows Vista with Service Pack 1 (SP1), and later versions of Windows: |
FWP_CONDITION_FLAG_IS_NAME_APP_SPECIFIED 0x00004000 | Indicates that the name of the peer machine that the application is expecting to connect to has been obtained by calling a function such as WSASetSocketPeerTargetName and not by using the caching heuristics. This flag is applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_PROMISCUOUS 0x00008000 | Reserved for future use. |
FWP_CONDITION_FLAG_IS_AUTH_FW 0x00010000 | Indicates that a packet matches authenticated firewall policies. Only connections matching the "Allow the connection if it is secure" firewall rule option will have this flag set. For more information, see How to Enable Authenticated Firewall Bypass. This flag is also applicable at the following filtering layers in Windows Server 2008, Windows Vista with SP1, and later versions of Windows: This flag is also applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_RECLASSIFY 0x00020000 | This flag is set when the IPV6_PROTECTION_LEVEL socket option is set on a previously authorized socket. This flag is applicable at the following filtering layers: |
FWP_CONDITION_FLAG_IS_OUTBOUND_PASS_THRU 0x00040000 | Indicates that the packet is weak-host sent, which means that it isn't leaving this network interface and therefore must be forwarded to another interface. This flag is applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_INBOUND_PASS_THRU 0x00080000 | Indicates that the packet is weak-host received, which means that it isn't destined for the receiving network interface and therefore must be forwarded to another interface. This flag is applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_CONNECTION_REDIRECTED 0x00100000 | Indicates that the connection was redirected by an ALE_CONNECT_REDIRECT callout function. This flag is applicable at the following filtering layers in Windows Server 2008 R2, Windows 7, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_PROXY_CONNECTION 0x00200000 | Indicates that the connection has been proxied, and therefore previous redirect records exist. This flag is applicable at the following filtering layers in Windows Server 2012, Windows 8, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_APPCONTAINER_LOOPBACK 0x00400000 | Indicates that the traffic is going to and from an AppContainer that is using loopback. This flag is applicable at the following filtering layers in Windows Server 2012, Windows 8, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_NON_APPCONTAINER_LOOPBACK 0x00800000 | Indicates that the traffic is going to and from a standard app (not an AppContainer) that is using loopback. This flag is applicable at the following filtering layers in Windows Server 2012, Windows 8, and later versions of Windows: |
FWP_CONDITION_FLAG_IS_RESERVED 0x01000000 | Reserved for future use. |
FWP_CONDITION_FLAG_IS_HONORING_POLICY_AUTHORIZE 0x02000000 | Indicates that the current classification is being performed to honor the intention of a redirected Universal Windows app to connect to a specified host. Such a classification will contain the same classifiable field values as if the app were never redirected. The flag also indicates that a future classification will be invoked to match the effective redirected destination. If the app is redirected to a proxy service for inspection, it also means a future classification will be invoked on the proxy connection. Callouts should use FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_ORIGINAL_APP_ID to find the appid of the (original) redirected connection. This flag is applicable at the following filtering layers in Windows Server 2012, Windows 8, and later versions of Windows: |