/* Copyright (c) Microsoft Corporation SYNOPSIS Defines common data types shared across the FWP/IPsec API. */ import "wtypes.idl"; cpp_quote("#if _MSC_VER >= 800") cpp_quote("#if _MSC_VER >= 1200") cpp_quote("#pragma warning(push)") cpp_quote("#endif") cpp_quote("#pragma warning(disable:4201)") cpp_quote("#endif") // The system LUID struct isn't defined in wtypes, so we repeat it here just // for the MIDL compiler. cpp_quote("#ifdef __midl") typedef struct _LUID { DWORD LowPart; LONG HighPart; } LUID, *PLUID; cpp_quote("#endif") // Direction of network traffic. typedef [v1_enum] enum FWP_DIRECTION_ { FWP_DIRECTION_OUTBOUND, FWP_DIRECTION_INBOUND, FWP_DIRECTION_MAX } FWP_DIRECTION; // IP version. typedef [v1_enum] enum FWP_IP_VERSION_ { FWP_IP_VERSION_V4, FWP_IP_VERSION_V6, FWP_IP_VERSION_NONE, FWP_IP_VERSION_MAX, } FWP_IP_VERSION; // This is the hindsight catch-all for all net events that aren't either IPv4 or IPv6. typedef [v1_enum] enum FWP_NE_FAMILY_ { FWP_AF_INET = FWP_IP_VERSION_V4, FWP_AF_INET6 = FWP_IP_VERSION_V6, FWP_AF_ETHER = FWP_IP_VERSION_NONE, FWP_AF_NONE, } FWP_AF; typedef [v1_enum] enum FWP_ETHER_ENCAP_METHOD_ { FWP_ETHER_ENCAP_METHOD_ETHER_V2 = 0, FWP_ETHER_ENCAP_METHOD_SNAP = 1, FWP_ETHER_ENCAP_METHOD_SNAP_W_OUI_ZERO = 3, } FWP_ETHER_ENCAP_METHOD; /////////////////////////////////////////////////////////////////////////////// // // Definitions for building data values to be filtered. // /////////////////////////////////////////////////////////////////////////////// // Data types that can be stored in an FWP_VALUE or an FWP_CONDITION_VALUE // struct. Not all data types are valid for each struct; see the tagged union // in each struct to determine which are allowed. typedef [v1_enum] enum FWP_DATA_TYPE_ { FWP_EMPTY, FWP_UINT8, FWP_UINT16, FWP_UINT32, FWP_UINT64, FWP_INT8, FWP_INT16, FWP_INT32, FWP_INT64, FWP_FLOAT, FWP_DOUBLE, FWP_BYTE_ARRAY16_TYPE, FWP_BYTE_BLOB_TYPE, FWP_SID, FWP_SECURITY_DESCRIPTOR_TYPE, FWP_TOKEN_INFORMATION_TYPE, FWP_TOKEN_ACCESS_INFORMATION_TYPE, FWP_UNICODE_STRING_TYPE, FWP_BYTE_ARRAY6_TYPE, FWP_SINGLE_DATA_TYPE_MAX = 0xFF, FWP_V4_ADDR_MASK, FWP_V6_ADDR_MASK, FWP_RANGE_TYPE, FWP_DATA_TYPE_MAX } FWP_DATA_TYPE; // Stores an array of exactly 6 bytes -- useful for Ethernet/802.11 addresses. typedef struct FWP_BYTE_ARRAY6_ { UINT8 byteArray6[6]; } FWP_BYTE_ARRAY6; #define FWP_BYTE_ARRAY6_SIZE 6 cpp_quote("#define FWP_BYTE_ARRAY6_SIZE 6") // Stores an array of exactly 16 bytes -- useful for IPv6 addresses. typedef struct FWP_BYTE_ARRAY16_ { UINT8 byteArray16[16]; } FWP_BYTE_ARRAY16; // Stores an array containing a variable number of bytes. typedef struct FWP_BYTE_BLOB_ { UINT32 size; [size_is(size), unique] UINT8* data; } FWP_BYTE_BLOB; // Stores the user/group and restricted sids for user-mode classification typedef struct FWP_TOKEN_INFORMATION_ { ULONG sidCount; [size_is(sidCount)] PSID_AND_ATTRIBUTES sids; ULONG restrictedSidCount; [size_is(restrictedSidCount)] PSID_AND_ATTRIBUTES restrictedSids; } FWP_TOKEN_INFORMATION; // Generic data value. This is primarily used to supply incoming values to the // filter engine. typedef struct FWP_VALUE0_ { FWP_DATA_TYPE type; [switch_type(FWP_DATA_TYPE), switch_is(type)] union { [case(FWP_EMPTY)] ; [case(FWP_UINT8)] UINT8 uint8; [case(FWP_UINT16)] UINT16 uint16; [case(FWP_UINT32)] UINT32 uint32; [case(FWP_UINT64)] [unique] UINT64* uint64; [case(FWP_INT8)] INT8 int8; [case(FWP_INT16)] INT16 int16; [case(FWP_INT32)] INT32 int32; [case(FWP_INT64)] [unique] INT64* int64; [case(FWP_FLOAT)] float float32; [case(FWP_DOUBLE)] [unique] double* double64; [case(FWP_BYTE_ARRAY16_TYPE)] [unique] FWP_BYTE_ARRAY16* byteArray16; [case(FWP_BYTE_BLOB_TYPE)] [unique] FWP_BYTE_BLOB* byteBlob; [case(FWP_SID)] [unique] SID* sid; [case(FWP_SECURITY_DESCRIPTOR_TYPE)] [unique] FWP_BYTE_BLOB* sd; [case(FWP_TOKEN_INFORMATION_TYPE)] [unique] FWP_TOKEN_INFORMATION* tokenInformation; [case(FWP_TOKEN_ACCESS_INFORMATION_TYPE)] [unique] FWP_BYTE_BLOB* tokenAccessInformation; [case(FWP_UNICODE_STRING_TYPE)] [string] LPWSTR unicodeString; [case(FWP_BYTE_ARRAY6_TYPE)] [unique] FWP_BYTE_ARRAY6* byteArray6; }; } FWP_VALUE0; /////////////////////////////////////////////////////////////////////////////// // // Definitions for building conditions. // /////////////////////////////////////////////////////////////////////////////// // Different match types allowed in conditions. Not all match types are // supported by all data types. typedef [v1_enum] enum FWP_MATCH_TYPE_ { FWP_MATCH_EQUAL, FWP_MATCH_GREATER, FWP_MATCH_LESS, FWP_MATCH_GREATER_OR_EQUAL, FWP_MATCH_LESS_OR_EQUAL, FWP_MATCH_RANGE, FWP_MATCH_FLAGS_ALL_SET, FWP_MATCH_FLAGS_ANY_SET, FWP_MATCH_FLAGS_NONE_SET, FWP_MATCH_EQUAL_CASE_INSENSITIVE, FWP_MATCH_NOT_EQUAL, FWP_MATCH_TYPE_MAX } FWP_MATCH_TYPE; // IPv4 address and mask in host order. typedef struct FWP_V4_ADDR_AND_MASK_ { UINT32 addr; UINT32 mask; } FWP_V4_ADDR_AND_MASK; // Length in bytes of an IPv6 address. #define FWP_V6_ADDR_SIZE (16) cpp_quote("#define FWP_V6_ADDR_SIZE (16)") // IPv6 address and mask. The mask is specified by the width in bits. For // example, a prefixLength of 16 specifies a mask consisting of 16 1's followed // by 112 0's. typedef struct FWP_V6_ADDR_AND_MASK_ { UINT8 addr[FWP_V6_ADDR_SIZE]; UINT8 prefixLength; } FWP_V6_ADDR_AND_MASK; // A range of values. valueLow and valueHigh must be the same data type with // valueHigh >= valueLow. Ranges are always inclusive. Thus, if a value equals // valueLow or valueHigh, it is contained in the range. typedef struct FWP_RANGE0_ { FWP_VALUE0 valueLow; FWP_VALUE0 valueHigh; } FWP_RANGE0; // Access control rights for matching security descriptors in Application // Level Enforcement (ALE) layers. cpp_quote("#define FWP_ACTRL_MATCH_FILTER (0x00000001)") cpp_quote("") // Values that conditions can use when testing for matches. The // FWP_CONDITION_VALUE's data type must be compatible with the type of the // FWP_VALUE to which it's being compared. However, this doesn't mean they // necessarily need to be the same. For example, an FWP_V4_ADDR_MASK can be // compared to an FWP_UINT32 containing an IPv4 address. typedef struct FWP_CONDITION_VALUE0_ { FWP_DATA_TYPE type; [switch_type(FWP_DATA_TYPE), switch_is(type)] union { [case(FWP_EMPTY)] ; [case(FWP_UINT8)] UINT8 uint8; [case(FWP_UINT16)] UINT16 uint16; [case(FWP_UINT32)] UINT32 uint32; [case(FWP_UINT64)] [unique] UINT64* uint64; [case(FWP_INT8)] INT8 int8; [case(FWP_INT16)] INT16 int16; [case(FWP_INT32)] INT32 int32; [case(FWP_INT64)] [unique] INT64* int64; [case(FWP_FLOAT)] float float32; [case(FWP_DOUBLE)] [unique] double* double64; [case(FWP_BYTE_ARRAY16_TYPE)] [unique] FWP_BYTE_ARRAY16* byteArray16; [case(FWP_BYTE_BLOB_TYPE)] [unique] FWP_BYTE_BLOB* byteBlob; [case(FWP_SID)] [unique] SID* sid; [case(FWP_SECURITY_DESCRIPTOR_TYPE)] [unique] FWP_BYTE_BLOB* sd; [case(FWP_TOKEN_INFORMATION_TYPE)] [unique] FWP_TOKEN_INFORMATION* tokenInformation; [case(FWP_TOKEN_ACCESS_INFORMATION_TYPE)] [unique] FWP_BYTE_BLOB* tokenAccessInformation; [case(FWP_UNICODE_STRING_TYPE)] [string] LPWSTR unicodeString; [case(FWP_BYTE_ARRAY6_TYPE)] [unique] FWP_BYTE_ARRAY6* byteArray6; [case(FWP_V4_ADDR_MASK)] [unique] FWP_V4_ADDR_AND_MASK* v4AddrMask; [case(FWP_V6_ADDR_MASK)] [unique] FWP_V6_ADDR_AND_MASK* v6AddrMask; [case(FWP_RANGE_TYPE)] [unique] FWP_RANGE0* rangeValue; }; } FWP_CONDITION_VALUE0; /////////////////////////////////////////////////////////////////////////////// // // Types for classify options. // /////////////////////////////////////////////////////////////////////////////// typedef [v1_enum] enum FWP_CLASSIFY_OPTION_TYPE_ { FWP_CLASSIFY_OPTION_MULTICAST_STATE, FWP_CLASSIFY_OPTION_LOOSE_SOURCE_MAPPING, FWP_CLASSIFY_OPTION_UNICAST_LIFETIME, FWP_CLASSIFY_OPTION_MCAST_BCAST_LIFETIME, FWP_CLASSIFY_OPTION_SECURE_SOCKET_SECURITY_FLAGS, FWP_CLASSIFY_OPTION_SECURE_SOCKET_AUTHIP_MM_POLICY_KEY, FWP_CLASSIFY_OPTION_SECURE_SOCKET_AUTHIP_QM_POLICY_KEY, FWP_CLASSIFY_OPTION_MAX, } FWP_CLASSIFY_OPTION_TYPE; // Valid values for different classify options. cpp_quote("#define FWP_OPTION_VALUE_ALLOW_MULTICAST_STATE (0x00000000)") cpp_quote("#define FWP_OPTION_VALUE_DENY_MULTICAST_STATE (0x00000001)") cpp_quote("#define FWP_OPTION_VALUE_ALLOW_GLOBAL_MULTICAST_STATE (0x00000002)") cpp_quote("#define FWP_OPTION_VALUE_DISABLE_LOOSE_SOURCE (0x00000000)") cpp_quote("#define FWP_OPTION_VALUE_ENABLE_LOOSE_SOURCE (0x00000001)") /////////////////////////////////////////////////////////////////////////////// // // Definitions for building actions. // /////////////////////////////////////////////////////////////////////////////// ////////// // Flags specifying characteristics of a given action type. These should // generally not be used directly. Use one of the action types below instead. ////////// // The action terminates classification, i.e., it returns block or permit. cpp_quote("#define FWP_ACTION_FLAG_TERMINATING (0x00001000)") // The action doesn't terminate classification, i.e., it never returns block or // permit. cpp_quote("#define FWP_ACTION_FLAG_NON_TERMINATING (0x00002000)") // The action invokes a callout. cpp_quote("#define FWP_ACTION_FLAG_CALLOUT (0x00004000)") ////////// // Actions that can be set in the FWPM_ACTION0.type or FWPS_ACTION.type fields. ////////// typedef UINT32 FWP_ACTION_TYPE; // Block the traffic. cpp_quote("#define FWP_ACTION_BLOCK \ (0x00000001 | FWP_ACTION_FLAG_TERMINATING)") // Permit the traffic. cpp_quote("#define FWP_ACTION_PERMIT \ (0x00000002 | FWP_ACTION_FLAG_TERMINATING)") // Invoke a callout that always returns block or permit. cpp_quote("#define FWP_ACTION_CALLOUT_TERMINATING \ (0x00000003 | FWP_ACTION_FLAG_CALLOUT | FWP_ACTION_FLAG_TERMINATING)") // Invoke a callout that never returns block or permit. cpp_quote("#define FWP_ACTION_CALLOUT_INSPECTION \ (0x00000004 | FWP_ACTION_FLAG_CALLOUT | FWP_ACTION_FLAG_NON_TERMINATING)") // Invoke a callout that may return block or permit. cpp_quote("#define FWP_ACTION_CALLOUT_UNKNOWN \ (0x00000005 | FWP_ACTION_FLAG_CALLOUT)") ////////// // Additional actions that may be returned by callouts. They can not be set in // an FWPM_ACTION0 or FWPS_ACTION struct. ////////// cpp_quote("#define FWP_ACTION_CONTINUE \ (0x00000006 | FWP_ACTION_FLAG_NON_TERMINATING)") ////////// // Additional actions that may be returned by classify. These are only used to // indicate the outcome of a classify. They can not be set in an FWPM_ACTION0 // or FWPS_ACTION struct or returned by a callout from its classify function. ////////// // No matching filter generated a terminating action (i.e., block or permit). cpp_quote("#define FWP_ACTION_NONE \ (0x00000007)") // No filter matched. cpp_quote("#define FWP_ACTION_NONE_NO_MATCH \ (0x00000008)") /////////////////////////////////////////////////////////////////////////////// // // Definitions for flags that can be filtered against on certain layers. // /////////////////////////////////////////////////////////////////////////////// cpp_quote("#define FWP_CONDITION_FLAG_IS_LOOPBACK (0x00000001)") cpp_quote("#define FWP_CONDITION_FLAG_IS_IPSEC_SECURED (0x00000002)") cpp_quote("#define FWP_CONDITION_FLAG_IS_REAUTHORIZE (0x00000004)") cpp_quote("#define FWP_CONDITION_FLAG_IS_WILDCARD_BIND (0x00000008)") cpp_quote("#define FWP_CONDITION_FLAG_IS_RAW_ENDPOINT (0x00000010)") cpp_quote("#define FWP_CONDITION_FLAG_IS_FRAGMENT (0x00000020)") cpp_quote("#define FWP_CONDITION_FLAG_IS_FRAGMENT_GROUP (0x00000040)") cpp_quote("#define FWP_CONDITION_FLAG_IS_IPSEC_NATT_RECLASSIFY (0x00000080)") cpp_quote("#define FWP_CONDITION_FLAG_REQUIRES_ALE_CLASSIFY (0x00000100)") cpp_quote("#define FWP_CONDITION_FLAG_IS_IMPLICIT_BIND (0x00000200)") cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN6SP1)") cpp_quote("#define FWP_CONDITION_FLAG_IS_REASSEMBLED (0x00000400)") cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)") cpp_quote("#define FWP_CONDITION_FLAG_IS_NAME_APP_SPECIFIED (0x00004000)") cpp_quote("#define FWP_CONDITION_FLAG_IS_PROMISCUOUS (0x00008000)") cpp_quote("#define FWP_CONDITION_FLAG_IS_AUTH_FW (0x00010000)") cpp_quote("#define FWP_CONDITION_FLAG_IS_RECLASSIFY (0x00020000)") cpp_quote("#define FWP_CONDITION_FLAG_IS_OUTBOUND_PASS_THRU (0x00040000)") cpp_quote("#define FWP_CONDITION_FLAG_IS_INBOUND_PASS_THRU (0x00080000)") cpp_quote("#define FWP_CONDITION_FLAG_IS_CONNECTION_REDIRECTED (0x00100000)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_POLICY_CHANGE (0x00000001)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_NEW_ARRIVAL_INTERFACE (0x00000002)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_NEW_NEXTHOP_INTERFACE (0x00000004)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_PROFILE_CROSSING (0x00000008)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_CLASSIFY_COMPLETION (0x00000010)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_IPSEC_PROPERTIES_CHANGED (0x00000020)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_MID_STREAM_INSPECTION (0x00000040)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_SOCKET_PROPERTY_CHANGED (0x00000080)") cpp_quote("#define FWP_CONDITION_REAUTHORIZE_REASON_NEW_INBOUND_MCAST_BCAST_PACKET (0x00000100)") cpp_quote("#define FWP_CONDITION_SOCKET_PROPERTY_FLAG_IS_SYSTEM_PORT_RPC (0x00000001)") cpp_quote("#define FWP_CONDITION_SOCKET_PROPERTY_FLAG_ALLOW_EDGE_TRAFFIC (0x00000002)") cpp_quote("#define FWP_CONDITION_SOCKET_PROPERTY_FLAG_DENY_EDGE_TRAFFIC (0x00000004)") cpp_quote("#endif") cpp_quote("#endif") /////////////////////////////////////////////////////////////////////////////// // // Definitions for enumerating filters. // /////////////////////////////////////////////////////////////////////////////// // Specifies how the filter enum conditions should be interpreted. typedef [v1_enum] enum FWP_FILTER_ENUM_TYPE_ { // Return only filters that fully contain the enum conditions. FWP_FILTER_ENUM_FULLY_CONTAINED, // Return filters that overlap with the enum conditions, including filters // that are fully contained. FWP_FILTER_ENUM_OVERLAPPING, FWP_FILTER_ENUM_TYPE_MAX } FWP_FILTER_ENUM_TYPE; ////////// // Flags controlling how filters matching an enum are returned. ////////// // Only return the terminating filter with the highest weight. cpp_quote("#define FWP_FILTER_ENUM_FLAG_BEST_TERMINATING_MATCH (0x00000001)") // Return all matching filters sorted by weight (highest to lowest). cpp_quote("#define FWP_FILTER_ENUM_FLAG_SORTED (0x00000002)") // Return only boot-time filters. cpp_quote("#define FWP_FILTER_ENUM_FLAG_BOOTTIME_ONLY (0x00000004)") // Include boot-time filters; ignored if the BOOTTIME_ONLY flag is set. cpp_quote("#define FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME (0x00000008)") // Include disabled filters; ignored if the BOOTTIME_ONLY flag is set. cpp_quote("#define FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED (0x00000010)") // Valid enum flags. If no flags are set, all matching filters will be returned // in an unspecified order. cpp_quote("#define FWP_FILTER_ENUM_VALID_FLAGS \ (FWP_FILTER_ENUM_FLAG_BEST_TERMINATING_MATCH | \ FWP_FILTER_ENUM_FLAG_SORTED)") cpp_quote("#define FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW (0x00000001)") // Flags that the callout doesn't mind not being called in the presence // of various offloads cpp_quote("#define FWP_CALLOUT_FLAG_ALLOW_OFFLOAD (0x00000002)") cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)") // Enable add notification after transaction has committed cpp_quote("#define FWP_CALLOUT_FLAG_ENABLE_COMMIT_ADD_NOTIFY (0x00000004)") cpp_quote("#define FWP_CALLOUT_FLAG_ALLOW_MID_STREAM_INSPECTION (0x00000008)") cpp_quote("#define FWP_CALLOUT_FLAG_ALLOW_RECLASSIFY (0x00000010)") cpp_quote("#endif") cpp_quote("#if _MSC_VER >= 800") cpp_quote("#if _MSC_VER >= 1200") cpp_quote("#pragma warning(pop)") cpp_quote("#else") cpp_quote("#pragma warning(default:4201)") cpp_quote("#endif") cpp_quote("#endif")