WFP Filtering Condition Flags (Compact 7)

Article
08/17/2015

3/12/2014

The Windows Filtering Platform (WFP) filtering condition flags are each represented by a bit field.

These flags and the filtering layers where they can be used are defined as follows.

Flag	Description
FWP_CONDITION_FLAG_IS_LOOPBACK	Tests if the network traffic is loopback traffic. Filtering layers: FWPM_LAYER_INBOUND_IPPACKET_V{4\|6} FWPM_LAYER_INBOUND_TRANSPORT_V{4\|6} FWPM_LAYER_STREAM_{V4\|6} FWPM_LAYER_INBOUND_ICMP_ERROR_V{4\|6} FWPM_LAYER_OUTBOUND_ICMP_ERROR_V{4\|6} FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4\|6} FWPM_LAYER_ALE_AUTH_CONNECT_V{4\|6} FWPM_LAYER_ALE_FLOW_ESTABLISHED_V{4\|6}
FWP_CONDITION_FLAG_IS_IPSEC_SECURED	Tests if the network traffic is protected by IPsec. Filtering layers: FWPM_LAYER_INBOUND_IPPACKET_V{4\|6} FWPM_LAYER_INBOUND_TRANSPORT_V{4\|6} FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4\|6} FWPM_LAYER_ALE_AUTH_CONNECT_V{4\|6}
FWP_CONDITION_FLAG_IS_REAUTHORIZE	Tests for a policy change as opposed to a new connection. Filtering layers: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4\|6} FWPM_LAYER_ALE_AUTH_CONNECT_V{4\|6}
FWP_CONDITION_FLAG_IS_WILDCARD_BIND	Tests if the application specified a wildcard address when binding to a local network address. Filtering layer: FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4\|6}
FWP_CONDITION_FLAG_IS_RAW_ENDPOINT	Tests if the local endpoint that is sending and receiving traffic is a raw endpoint. Filtering layers: FWPM_LAYER_INBOUND_TRANSPORT_V{4\|6} FWPM_LAYER_OUTBOUND_TRANSPORT_V{4\|6} FWPM_LAYER_DATAGRAM_DATA_{V4\|6} FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V{4\|6} FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4\|6} FWPM_LAYER_ALE_AUTH_CONNECT_V{4\|6}
FWP_CONDITION_FLAG_IS_FRAGMENT	Tests if the NET_BUFFER_LIST structure passed to a callout driver is an IP packet fragment. Filtering layers: FWPM_LAYER_INBOUND_IPPACKET_V{4\|6} FWPM_LAYER_INBOUND_IPPACKET_V{4\|6}_DISCARD
FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP	Tests if the NET_BUFFER_LIST structure passed to a callout driver describes a linked list of packet fragments. Filtering layer: FWPM_LAYER_IPFORWARD_V{4\|6}
FWP_CONDITION_FLAG_IS_IPSEC_NATT_RECLASSIFY	Indicates that the same packet is being re-classified at the transport layer, when the IPSec NAT shim translates the remote port value.
FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY	Indicates that the packet will be reclassified at the ALE receive/accept layer.
FWP_CONDITION_FLAG_IS_IMPLICIT_BIND	Tests if Windows Sockets is performing an implicit bind. Filtering layer: FWPM_LAYER_INBOUND_IPPACKET_V{4\|6}

See Also

Reference

WFP Filtering Conditions

Other Resources

Windows Filtering Platform