Filtering condition flags

  • Article

The Windows Filtering Platform (WFP) filtering condition flags are each represented by a bitfield.

These flags and the filtering layers where they can be used are defined as follows.

FWP_CONDITION_FLAG_IS_LOOPBACK

Tests whether the network traffic is loopback traffic.

Filtering layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}

  • FWPM_LAYER_OUTBOUND_IPPACKET_V{4|6}

  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}

  • FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}

  • FWPM_LAYER_STREAM_{V4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_INBOUND_ICMP_ERROR_V{4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_OUTBOUND_ICMP_ERROR_V{4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_ALE_FLOW_ESTABLISHED_V{4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

FWP_CONDITION_FLAG_IS_IPSEC_SECURED

Tests if the network traffic is protected by IPsec.

Filtering layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}
  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_REAUTHORIZE

Tests for a policy change as opposed to a new connection.

Filtering layers:

  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_WILDCARD_BIND

Tests if the application specified a wildcard address when binding to a local network address.

Filtering layer:

  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

FWP_CONDITION_FLAG_IS_RAW_ENDPOINT

Tests if the local endpoint that is sending and receiving traffic is a raw endpoint.

Filtering layers:

  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_DATAGRAM_DATA_{V4|6}

    Note

    Available only on Windows Server 2008, Windows Vista with SP1, and later.

  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_FRAGMENT

Tests if the NET_BUFFER_LIST structure passed to a callout driver is an IP packet fragment.

Filtering layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}
  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}_DISCARD

FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP

Tests if the NET_BUFFER_LIST structure passed to a callout driver describes a linked list of packet fragments.

Filtering layer:

  • FWPM_LAYER_IPFORWARD_V{4|6}

FWP_CONDITION_FLAG_IS_IPSEC_NATT_RECLASSIFY

Indicates that the same packet is being re-classified at the transport layer, when the IPsec NAT shim translates the remote port value.

FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY

Indicates that the packet will be reclassified at the ALE receive/accept layer.

FWP_CONDITION_FLAG_IS_IMPLICIT_BIND

Tests if Windows Sockets is performing an implicit bind.

Available only on Windows Vista and Windows Server 2008.

FWP_CONDITION_FLAG_IS_REASSEMBLED

Tests if the packet has been reassembled.

Note

Available only on Windows Server 2008, Windows Vista with SP1, and later.

Filtering layer:

  • FWPM_LAYER_INBOUND_IPPACKET_V{4|6}

FWP_CONDITION_FLAG_IS_NAME_APP_SPECIFIED

Tests if the name of the peer machine that the application is expecting to connect to has been received via an API such as WSASetSocketPeerTargetName and not obtained via the caching heuristics.

Note

Available only on Windows Server 2008 R2, Windows 7, and later.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

FWP_CONDITION_FLAG_IS_PROMISCUOUS

Reserved.

FWP_CONDITION_FLAG_IS_AUTH_FW

Tests if the connection is end-to-end authenticated, even if the individual packets have not been verified.

Note

Available only on Windows Server 2008 R2, Windows 7, and later.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_FLAG_IS_RECLASSIFY

Tests if the filtering engine is reclassifying a previous bind or listen request.

Note

Available only on Windows Server 2008 R2, Windows 7, and later.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_LISTEN_V{4|6}
  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

FWP_CONDITION_FLAG_IS_PROXY_CONNECTION

Tests if the connection uses a proxy.

Note

Available only on Windows 8 and Windows Server 2012.

FWP_CONDITION_FLAG_IS_APPCONTAINER_LOOPBACK

Tests if the network traffic is app container loopback traffic.

Note

Available only on Windows 8 and Windows Server 2012.

FWP_CONDITION_FLAG_IS_NON_APPCONTAINER_LOOPBACK

Tests if the network traffic is non-app container loopback traffic.

Note

Available only on Windows 8 and Windows Server 2012.

FWP_CONDITION_FLAG_IS_RESERVED

Reserved.

FWP_CONDITION_FLAG_IS_HONORING_POLICY_AUTHORIZE

Indicates that the current classification is being performed to honor the intention of a redirected Windows Store app to connect to a specified host. Such a classification will contain the same classifiable field values as if the app were never redirected. The flag also indicates that a future classification will be invoked to match the effective redirected destination. If the app is redirected to a proxy service for inspection, it also means a future classification will be invoked on the proxy connection. Callout drivers should generally allow this classification.

Note

Available only on Windows 8 and Windows Server 2012.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}

The following flags specify the reason for reauthorizing a previously authorized connection. These flags and the filtering layers where they can be used are defined as follows.

Note

These filtering conditions are available only on Windows Server 2008 R2, Windows 7, and later.

FWP_CONDITION_REAUTHORIZE_REASON_POLICY_CHANGE

Indicates that the connection was reauthorized due to filters being added or removed.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_NEW_ARRIVAL_INTERFACE

Indicates that the packet has arrived from an unknown interface.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_NEW_NEXTHOP_INTERFACE

Indicates that the packet will be departing from an unknown interface.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_PROFILE_CROSSING

Indicates that the packet has passed through interfaces of more than one network category.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_CLASSIFY_COMPLETION

Indicates that a previously held connection is now being allowed to complete.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_IPSEC_PROPERTIES_CHANGED

Indicates that IPsec properties have changed, or that the connection has changed from clear text to a secure connection.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_MID_STREAM_INSPECTION

Indicates that a previously established TCP connection is now being inspected.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_SOCKET_PROPERTY_CHANGED

Indicates that socket properties have been set after a connection was authorized and established.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

FWP_CONDITION_REAUTHORIZE_REASON_NEW_INBOUND_MCAST_BCAST_PACKET

Indicates that new inbound multicast or broadcast packets are being re-authorized at ALE_RECV_ACCEPT callouts.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}

The following flags specify socket properties which are related to whether an application wants to receive Edge Traversal traffic. These flags and the filtering layers where they can be used are defined as follows.

Note

These filtering conditions are available only on Windows Server 2008 R2, Windows 7, and later.

FWP_CONDITION_SOCKET_PROPERTY_FLAG_IS_SYSTEM_PORT_RPC

Indicates that the application is communicating with a dynamic RPC port.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_LISTEN_V{4|6}
  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

FWP_CONDITION_SOCKET_PROPERTY_FLAG_ALLOW_EDGE_TRAFFIC

Indicates that the application wants to receive edge traversal-specific traffic.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_LISTEN_V{4|6}
  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

FWP_CONDITION_SOCKET_PROPERTY_FLAG_DENY_EDGE_TRAFFIC

Indicates that the application does not want to receive or process edge traversal-specific traffic.

Filtering layer:

  • FWPM_LAYER_ALE_AUTH_LISTEN_V{4|6}
  • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4|6}

The following flags specify connection details related to L2 filtering.

Note

These filtering conditions are available only on Windows 8 and Windows Server 2012.

FWP_CONDITION_L2_IS_NATIVE_ETHERNET

Indicates that the connection is native Ethernet.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IS_WIFI

Indicates that the connection is Wi-Fi.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IS_MOBILE_BROADBAND

Indicates that the connection is mobile broadband.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IS_WIFI_DIRECT_DATA

Indicates that the connection is Wi-Fi Direct.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IS_VM2VM

Indicates that the connection is between virtual machines.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IS_MALFORMED_PACKET

Indicates that a packet appears to be malformed.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IS_IP_FRAGMENT_GROUP

Indicates an IP packet fragment group.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_L2_IF_CONNECTOR_PRESENT

Indicates that a connector is present.

Filtering layer:

  • FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE

FWP_CONDITION_FLAG_IS_CONNECTION_REDIRECTED

FWP_CONDITION_FLAG_IS_OUTBOUND_PASS_THRU

FWP_CONDITION_FLAG_IS_INBOUND_PASS_THRU

FWP_CONDITION_REAUTHORIZE_REASON_EDP_POLICY_CHANGED

FWP_CONDITION_REAUTHORIZE_REASON_PROXY_HANDLE_CHANGED

FWP_CONDITION_REAUTHORIZE_REASON_CHECK_OFFLOAD

Requirements

Requirement Value
Minimum supported client
 Windows Vista [desktop apps only]
Minimum supported server
 Windows Server 2008 [desktop apps only]
Header
Fwptypes.h

See also

Filtering Layer Identifiers