
Windows Filtering Platform


In Microsoft Windows, the Windows Filtering Platform (WFP) is a set of system services and an application programming interface first introduced with Windows Vista in 2006/2007. It lets applications hook into the packet-processing and filtering pipeline of the Next Generation TCP/IP stack at well-defined layers, replacing the assortment of earlier hooking mechanisms (TDI filter drivers, Firewall-Hook and Filter-Hook drivers) with one integrated interface, and it can be configured to apply filtering logic on a per-application basis, for example by matching on the application ID of the process that owns a socket. Microsoft intended WFP for use by firewalls and by other packet-processing or connection-monitoring components, such as antivirus and antimalware software and parental controls. WFP is also used internally to implement NAT and to store IPsec policy configuration.


Components

The filtering platform includes the following components:

  • shims, kernel-mode components that expose the internal structure of a packet, connection or other network event as a set of properties, called a layer, that filters can match against. Different shims exist for different protocol layers, and a single shim may expose several layers. WFP ships with a fixed set of shims; third parties do not add shims of their own but extend the platform through callouts (see below). The built-in shims include:
      • Application Layer Enforcement (ALE) shim, which exposes socket-level events such as bind, listen, connect and accept together with the process and user involved
      • Transport Layer Module (TLM) shim
      • Network Layer Module (NLM) shim
      • RPC Runtime shim
      • Internet Control Message Protocol (ICMP) shim
      • Stream shim, which exposes TCP payload as a byte stream
    Since Windows 8 and Windows Server 2012, WFP also exposes layers at Layer 2 (Ethernet/MAC frames), below IP.

  • filter engine, which spans both kernel mode and user mode and provides the basic filtering capability. It matches the properties exposed by the shims against filter conditions and either permits or blocks the traffic; any other action is delegated to a callout. Filters can be scoped to a particular application by matching on the application ID of the owning process, to a user by SID, or to addresses, ports and protocols. Conflicts between filters are resolved by arbitration: each filter has a weight, filters are grouped into sublayers that also have weights, and within a sublayer the highest-weight matching filter decides. Sublayers are evaluated in descending order of weight; a block is final, whereas an ordinary (soft) permit can still be vetoed by a block from a lower-weight sublayer unless the permitting filter cleared the action right (FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT), which makes it a hard permit. Filters, sublayers and callouts may be associated with a provider, a named object that identifies the application or service that installed them, which is how an administrator tells a third-party vendor's filters apart from the host firewall's.
  • base filtering engine (BFE), the user-mode service that manages the filter engine. It accepts filter, sublayer, provider and callout definitions from applications through the management API (FwpmFilterAdd0 and related calls), enforces access control on those objects (by default, adding or removing filters requires administrative privileges), maintains WFP statistics and logs its state.
  • callout, a set of callback functions (classifyFn, notifyFn and, where flow context is used, flowDeleteFn) exposed by a callout driver and registered with the filter engine through FwpsCalloutRegister. Callouts supply filtering capability beyond the default permit/block, such as deep inspection, modification or logging. A filter whose action is FWP_ACTION_CALLOUT_TERMINATING, FWP_ACTION_CALLOUT_INSPECTION or FWP_ACTION_CALLOUT_UNKNOWN references the callout by its key; when the filter's conditions match, the engine invokes the callout's classifyFn, which can permit, block, or pend the classification.
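
The arbitration rules are easiest to see on a concrete policy. The following Python model is an added example, not Microsoft code and not part of the original page: the sublayer and filter names, weights and application paths are constructed, and only permit/block filters are modelled (callouts are left out). It implements the documented rules: descending weight within a sublayer, descending sublayer weight, block overrides a soft permit, a hard permit (FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT) ends evaluation, and traffic that matches no filter is permitted.

```python
"""Toy model of WFP filter arbitration (added example, not Microsoft code)."""
from dataclasses import dataclass, field

PERMIT, BLOCK = "permit", "block"


@dataclass
class Filter:
    name: str
    weight: int
    action: str                                     # PERMIT or BLOCK
    conditions: dict = field(default_factory=dict)  # field -> set of accepted values
    clear_action_right: bool = False                # models FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT

    def matches(self, pkt: dict) -> bool:
        # WFP semantics: conditions on the same field are ORed (the set),
        # conditions on different fields are ANDed. No conditions = match all.
        return all(pkt.get(f) in accepted for f, accepted in self.conditions.items())


@dataclass
class SubLayer:
    name: str
    weight: int
    filters: list


def classify_sublayer(sublayer: SubLayer, pkt: dict):
    """Highest-weight matching filter decides the sublayer; None if nothing matches."""
    for flt in sorted(sublayer.filters, key=lambda f: f.weight, reverse=True):
        if flt.matches(pkt):
            return flt
    return None


def classify(sublayers: list, pkt: dict) -> dict:
    """Final action, the filter responsible, and a per-sublayer trace."""
    trace, soft_permit = [], None
    for sl in sorted(sublayers, key=lambda s: s.weight, reverse=True):
        flt = classify_sublayer(sl, pkt)
        if flt is None:
            trace.append((sl.name, None, None))
            continue
        trace.append((sl.name, flt.name, flt.action))
        if flt.action == BLOCK:
            # A block is final: lower-weight sublayers cannot re-permit the packet.
            return {"action": BLOCK, "filter": flt.name, "trace": trace}
        if flt.clear_action_right:
            # Hard permit: evaluation stops, lower sublayers cannot veto it.
            return {"action": PERMIT, "filter": flt.name, "trace": trace}
        soft_permit = soft_permit or flt.name       # soft permit: keep evaluating
    # Nothing blocked. With no match at all, WFP's default is to permit.
    return {"action": PERMIT, "filter": soft_permit, "trace": trace}


# Constructed policy: a security product's sublayer outweighs the host firewall's.
BROWSER = r"C:\Program Files\Browser\browser.exe"     # constructed app paths
UPDATER = r"C:\Program Files\Vendor\updater.exe"

VENDOR = SubLayer("vendor", 0x8000, [
    Filter("vendor_block_remote_admin", 10, BLOCK, {"remote_port": {22, 23}}),
    Filter("vendor_allow_browser", 5, PERMIT, {"app": {BROWSER}}),
    Filter("vendor_allow_updater_hard", 5, PERMIT, {"app": {UPDATER}},
           clear_action_right=True),
])
FIREWALL = SubLayer("firewall", 0x1000, [
    Filter("fw_block_8443", 1, BLOCK, {"remote_port": {8443}}),
    Filter("fw_permit_rest", 0, PERMIT),
])
POLICY = [VENDOR, FIREWALL]


def decide(app: str, remote_port: int) -> dict:
    """Classify one outbound connection attempt against the constructed policy."""
    return classify(POLICY, {"app": app, "remote_port": remote_port})


if __name__ == "__main__":
    for app, port in [(BROWSER, 443), (BROWSER, 8443), (UPDATER, 8443),
                      (BROWSER, 22), (r"C:\tmp\x.exe", 80)]:
        r = decide(app, port)
        exe = app.split("\\")[-1]
        print(f"{exe:>12} :{port:<5} -> {r['action']:6} by {r['filter']}")
```

The practical point: a vendor sublayer weighted above the host firewall's can block traffic the firewall would allow (port 22 here), but its ordinary permits are still vetoed by firewall blocks (the browser to 8443) unless it deliberately issues a hard permit, which is what a product does when it must guarantee its own update channel.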

Diagnostics

Since Windows 7, the netsh command has a wfp context (netsh wfp) that gives rich diagnostics of the internal state of WFP: netsh wfp show state dumps the current providers, sublayers, filters and callouts; netsh wfp show netevents lists recent network events, including dropped packets together with the ID of the filter that dropped them (event collection must first be switched on with netsh wfp set options netevents=on); and netsh wfp capture start / netsh wfp capture stop record a trace. This is the first stop when root-causing unexpected packet drops, since a drop can be traced to a filter and from there to the provider that installed it.
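
Exports from netsh wfp show netevents file=… are XML and can be triaged offline, which is what you want when the drops happened on a host you no longer have a shell on. The script below is an added example, not part of the original page and not a Microsoft tool. The element names it reads (item/header/appId/asString, type, classifyDrop/filterId) follow the layout of such an export as the author understands it and should be checked against a real file; the sample document is constructed.

```python
"""Offline triage of a `netsh wfp show netevents file=...` export (added example)."""
from collections import Counter
import xml.etree.ElementTree as ET

DROP = "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP"

# Constructed sample: two drops of one browser by filter 66123, plus one allow event.
# Element layout is an assumption about the real export format; verify against a real file.
SAMPLE_NETEVENTS = r"""<?xml version="1.0"?>
<netEvents>
  <item>
    <header>
      <timeStamp>2024-01-15T10:00:01.000Z</timeStamp>
      <ipProtocol>6</ipProtocol>
      <localAddrV4>192.168.1.10</localAddrV4><remoteAddrV4>203.0.113.5</remoteAddrV4>
      <localPort>51000</localPort><remotePort>8443</remotePort>
      <appId><asString>\device\harddiskvolume2\program files\browser\browser.exe</asString></appId>
      <userId>S-1-5-21-1-2-3-1001</userId>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop>
      <filterId>66123</filterId><layerId>48</layerId>
      <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    </classifyDrop>
  </item>
  <item>
    <header>
      <timeStamp>2024-01-15T10:00:02.000Z</timeStamp>
      <ipProtocol>6</ipProtocol>
      <localAddrV4>192.168.1.10</localAddrV4><remoteAddrV4>203.0.113.5</remoteAddrV4>
      <localPort>51001</localPort><remotePort>8443</remotePort>
      <appId><asString>\device\harddiskvolume2\program files\browser\browser.exe</asString></appId>
      <userId>S-1-5-21-1-2-3-1001</userId>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop>
      <filterId>66123</filterId><layerId>48</layerId>
      <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    </classifyDrop>
  </item>
  <item>
    <header>
      <timeStamp>2024-01-15T10:00:03.000Z</timeStamp>
      <ipProtocol>6</ipProtocol>
      <localAddrV4>192.168.1.10</localAddrV4><remoteAddrV4>198.51.100.7</remoteAddrV4>
      <localPort>51002</localPort><remotePort>443</remotePort>
      <appId><asString>\device\harddiskvolume2\program files\vendor\updater.exe</asString></appId>
      <userId>S-1-5-18</userId>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
  </item>
</netEvents>
"""


def parse_drops(xml_text: str) -> list:
    """One dict per CLASSIFY_DROP event; allow and IPsec events are skipped."""
    drops = []
    for item in ET.fromstring(xml_text).iter("item"):
        if item.findtext("type") != DROP:
            continue
        hdr, drop = item.find("header"), item.find("classifyDrop")
        if hdr is None or drop is None:
            continue                                   # malformed item: skip, don't crash
        remote_addr = hdr.findtext("remoteAddrV4") or hdr.findtext("remoteAddrV6") or "?"
        drops.append({
            "time": hdr.findtext("timeStamp"),
            "app": (hdr.findtext("appId/asString") or "").lower(),
            "user": hdr.findtext("userId"),
            "proto": int(hdr.findtext("ipProtocol") or 0),
            "remote": f"{remote_addr}:{hdr.findtext('remotePort') or '?'}",
            "direction": drop.findtext("msFwpDirection"),
            "layer_id": int(drop.findtext("layerId") or 0),
            "filter_id": int(drop.findtext("filterId") or 0),
        })
    return drops


def drops_by_filter(drops: list) -> Counter:
    """Drop count per filter ID; resolve each ID with `netsh wfp show filters`
    to find the owning provider and the filter's display name."""
    return Counter(d["filter_id"] for d in drops)


def drops_for_app(drops: list, exe_name: str) -> list:
    """Drops whose application path ends with the given executable name."""
    return [d for d in drops if d["app"].endswith(exe_name.lower())]


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_NETEVENTS)
    for d in drops:
        print(f"{d['time']} {d['direction']} {d['app']} -> {d['remote']} "
              f"dropped by filter {d['filter_id']} at layer {d['layer_id']}")
    print("drops per filter:", dict(drops_by_filter(drops)))
```

The filter ID is the pivot: once you know which filter dropped the traffic, netsh wfp show filters tells you its provider, sublayer and weight, and the arbitration rules explain why no other filter rescued the packet.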

Memory leaks and race conditions

Microsoft KB 979223 documents a serious memory leak in WFP affecting Windows Vista through Windows 7. Because of this and other issues, deployments of WFP on those releases should include the hotfix rollup in KB 981889. Windows 7 SP1 and later do not require these fixes; no Vista SP3 was ever released, so Vista installations need the hotfixes.

Note that other problems persisted regarding the handling of multiple Network Buffer Lists (chained NET_BUFFER_LIST structures).
