Windows网络过滤平台中的ALEReauthorization详解-CSDN博客

ALE Reauthorization（重新授权记为Reauth）
在WFP的Application Layer Enforcement（ALE）层的网络流量是用ALE flows来过滤的。一旦一个ALE flow被允许，所有这个ALE flow的流量都会被允许。Reauth是一个验证ALE flow permission的请求，典型的情况是网络策略更改。
根据第一个触发flow创建和授权的packet direction，ALE flows被赋予这个direction。Inbound ALE flows在FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}这一层被创建和授权，Outbound ALE flows则在FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}这一层。
下列动作会触发ALE flow的Reauth：
在ALE flow最初被授权或创建的那一层，发生了策略更改。
一个arrival interface，和ALE flow最初被授权或创建的interface不一样了。
一个pending connection。
Reauth通过标志FWP_CONDITION_FLAG_IS_REAUTHORIZE，来和最初的授权区别开来。
Reauth只可能在这两层发生：FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}和FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}。

1、策略变更Reauth
2、Arrival interface Reauth
3、Pending connection Reauth

----------------------------------------------------------------下边是原链接和原文-------------------------------------------------------------------------------------

https://docs.microsoft.com/en-us/windows/win32/fwp/ale-re-authorization

ALE Reauthorization
05/31/2018
3 minutes to read

Network traffic at the Application Layer Enforcement (ALE) layers of the Windows Filtering Platform (WFP) is filtered by ALE flows. Once an ALE flow has been permitted, all traffic that is part of the ALE flow is permitted. Reauthorization is a request to validate the permissions of the ALE flow, typically due to a change in network policy.

ALE flows are assigned a direction, inbound or outbound, based on the direction of the first packet that triggered the creation and authorization of the flow. Inbound ALE flows are created and authorized at the FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} layer. Outbound ALE flows are created and authorized at the FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6} layer. The direction of the ALE flow does not limit the direction of packets that belong to the flow. ALE flows contain both inbound and outbound packets regardless of the direction of the ALE flow itself.

Reauthorization of an ALE flow is triggered by:

A policy change at the layer where the ALE flow was originally authorized or created.
An arrival interface different from the interface where the ALE flow was originally authorized or created.
A pending connection.
Reauthorization is distinguished from the initial authorization by the presence of the FWP_CONDITION_FLAG_IS_REAUTHORIZE flag.

Reauthorization can take place only at the FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} and FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6} layers.

Policy-Change Reauthorization
A policy change is implemented as a filter addition or removal at an ALE layer. Once a policy change is detected, the first packet that traverses an ALE flow created at the affected layer will be specified for reauthorization to the layer. Therefore, for reauthorization it is entirely possible that an outbound packet is classified at the FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} layer and that an inbound packet is classified at the FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6} layer.

One reason for this mixed-direction classification is that there might not be further network traffic from the original direction (for example, inbound packet for inbound ALE flow). One such example is one-way UDP streaming after an initial two-way handshake. In this case it is more desirable to tear down the streaming as soon as possible.

Arrival Interface Reauthorization
Arrival interface reauthorization is available starting with Windows Server 2008 and Windows Vista with Service Pack 1 (SP1).

Packets belonging to the same ALE flow can arrive from multiple interfaces. The first packet to come in over an interface different from the original interface of the ALE flow is reauthorized.

In a strong host model, which is the default security model for the TCP/IP stack, a connection on a network interface accepts only packets that come in on the same interface. Therefore, arrival interface reauthorization is not used on a strong host computer.

In a weak host model, a connection on a network interface allows packets coming in on any other network interface. Arrival interface reauthorization is used on a weak host computer to implement interface-specific policies. For more information, see “The Cable Guy: Strong and Weak Host Models.”

Some classifiable fields may be unknown during reauthorization. For example, if an outbound packet is being reauthorized at the FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} layer, all the fields pertaining to the arrival interface are unknown. In that case, the values of the unknown fields are indicated as FWP_EMPTY.

Fields of type FWP_EMPTY can be matched with FWP_MATCH_EQUAL. Therefore, a policy can be set to block reauthorizations and tear down an ALE flow when reauthorization requests for the ALE flow arrive.

Pending Connection Reauthorization
A callout driver may postpone a classify operation at ALE layers and complete it at a later time, when the filtering decision can be safely made. The ALE postpone/complete functionality is supported via the kernel-mode functions FwpsPendOperation0 and FwpsCompleteOperation0.

The reauthorization is triggered immediately following the FwpsCompleteOperation0 call, and it allows the callout driver to permit or to block the flow.

Only an initial authorization can be postponed. A call to FwpsPendOperation0 will fail if FWP_CONDITION_FLAG_IS_REAUTHORIZE flag is set.

For more information, see the Windows Driver Kit documentation.