FWPM_FILTER0 structure (fwpmtypes.h)

Article
04/20/2023

The FWPM_FILTER0 structure stores the state associated with a filter.

Syntax

typedef struct FWPM_FILTER0_ {
  GUID                   filterKey;
  FWPM_DISPLAY_DATA0     displayData;
  UINT32                 flags;
  GUID                   *providerKey;
  FWP_BYTE_BLOB          providerData;
  GUID                   layerKey;
  GUID                   subLayerKey;
  FWP_VALUE0             weight;
  UINT32                 numFilterConditions;
  FWPM_FILTER_CONDITION0 *filterCondition;
  FWPM_ACTION0           action;
  union {
    UINT64 rawContext;
    GUID   providerContextKey;
  };
  GUID                   *reserved;
  UINT64                 filterId;
  FWP_VALUE0             effectiveWeight;
} FWPM_FILTER0;

Members

filterKey

Uniquely identifies the session.

If the GUID is initialized to zero in the call to FwpmFilterAdd0, the Base Filtering Engine (BFE) will generate one.

displayData

A FWPM_DISPLAY_DATA0 structure that contains human-readable annotations associated with the filter. The name member of the FWPM_DISPLAY_DATA0 structure is required.

flags

A combination of the following values.

Filter flag	Meaning
FWPM_FILTER_FLAG_NONE	Default.
FWPM_FILTER_FLAG_PERSISTENT	Filter is persistent, that is, it survives across BFE stop/start. Note This flag cannot be set together with FWPM_FILTER_FLAG_BOOTTIME.
FWPM_FILTER_FLAG_BOOTTIME	Filter is enforced at boot-time, even before BFE starts. Note This flag cannot be set together with FWPM_FILTER_FLAG_PERSISTENT.
FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT	Filter references a provider context.
FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT	Clear filter action right.
FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED	If the callout is not registered, the filter is treated as a permit filter. Note This flag can be set only if the action type is FWP_ACTION_CALLOUT_TERMINATING or FWP_ACTION_CALLOUT_UNKNOWN.
FWPM_FILTER_FLAG_DISABLED	Filter is disabled. A provider's filters are disabled when the BFE starts if the provider has no associated Windows service name, or if the associated service is not set to auto-start. Note This flag cannot be set when adding new filters. It can only be returned by BFE when getting or enumerating filters.
FWPM_FILTER_FLAG_INDEXED	Filter is indexed to help enable faster lookup during classification. Note Available only in Windows 8 and Windows Server 2012.

providerKey

Optional GUID of the policy provider that manages this filter. See Built-in Provider Identifiers for a list of predefined policy providers.

providerData

A FWP_BYTE_BLOB structure that contains optional provider-specific data used by providers to store additional context information with the object.

layerKey

GUID of the layer where the filter resides. See Filtering Layer Identifiers for a list of possible values.

subLayerKey

GUID of the sub-layer where the filter resides. See Filtering Sub-Layer Identifiers for a list of built-in sub-layers.

If this is set to IID_NULL, the filter is added to the default sublayer.

weight

A FWP_VALUE0 structure that specifies the weight of the filter. The weight indicates the priority of the filter, where higher-numbered weights have higher priorities (and will be evaluated before lower-weighted filters).

Possible type values for weight are as follows.

weight type	Meaning
FWP_UINT64	BFE will use the supplied value as the filter's weight.
FWP_UINT8 0–15	BFE will use the supplied value as a weight range index and will compute the filter's weight in that range. See Filter Weight Assignment for more information.
FWP_EMPTY	BFE will automatically assign a weight based on the filter conditions.

See Filter Weight Identifiers for built-in constants that may be used to compute the filter weight.

numFilterConditions

Number of filter conditions.

filterCondition

Array of FWPM_FILTER_CONDITION0 structures that contain all the filtering conditions. All must be true for the action to be performed. In other words, the conditions are evaluated using the AND operator. If no conditions are specified, the action is always performed.

**Note** In Windows 7 and Windows Server 2008 R2, consecutive conditions with the same fieldKey will be evaluated using the OR operator.

action

A FWPM_ACTION0 structure that specifies the action to be performed if all the filter conditions are true.

rawContext

Available when the filter does not have provider context information, that is, flags does not contain FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT. See Filter Context Identifiers for a list of built-in possible values.

The rawContext is placed 'as is' in the context member of the corresponding FWPS_FILTER0 structure, which is documented in the WDK.

providerContextKey

Available when the filter has provider context information, that is, flags contains FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT. See Built-in Provider Context Identifiers for a list of predefined policy provider contexts.

The LUID of the provider context specified by the providerContextKey is used to fill in the context member of the corresponding FWPS_FILTER0 structure, which is documented in the WDK.

reserved

Reserved for system use.

filterId

LUID identifying the filter. This is also the LUID of the corresponding FWPS_FILTER0 structure, which is documented in the WDK.

effectiveWeight

An FWP_VALUE0 structure that contains the weight assigned to FWPS_FILTER0, which is documented in the WDK.

Remarks

The first ten members of this structure contain information supplied when adding objects.

The last members, filterId and effectiveWeight, provides additional information when getting/enumerating objects.

FWPM_FILTER0 is a specific implementation of FWPM_FILTER. See WFP Version-Independent Names and Targeting Specific Versions of Windows for more information.

Requirements

Requirement	Value
Minimum supported client	Windows Vista [desktop apps only]
Minimum supported server	Windows Server 2008 [desktop apps only]
Header	fwpmtypes.h

Filter flag	Meaning
FWPM_FILTER_FLAG_NONE	Default.
FWPM_FILTER_FLAG_PERSISTENT	Filter is persistent, that is, it survives across BFE stop/start. Note This flag cannot be set together with FWPM_FILTER_FLAG_BOOTTIME.
FWPM_FILTER_FLAG_BOOTTIME	Filter is enforced at boot-time, even before BFE starts. Note This flag cannot be set together with FWPM_FILTER_FLAG_PERSISTENT.
FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT	Filter references a provider context.
FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT	Clear filter action right.
FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED	If the callout is not registered, the filter is treated as a permit filter. Note This flag can be set only if the action type is FWP_ACTION_CALLOUT_TERMINATING or FWP_ACTION_CALLOUT_UNKNOWN.
FWPM_FILTER_FLAG_DISABLED	Filter is disabled. A provider's filters are disabled when the BFE starts if the provider has no associated Windows service name, or if the associated service is not set to auto-start. Note This flag cannot be set when adding new filters. It can only be returned by BFE when getting or enumerating filters.
FWPM_FILTER_FLAG_INDEXED	Filter is indexed to help enable faster lookup during classification. Note Available only in Windows 8 and Windows Server 2012.

FWPM_FILTER0 structure (fwpmtypes.h)

Syntax

Members

Remarks

Requirements

See also

Feedback

Feedback

Additional resources