Deployment

The topics in this section provide information regarding the deployment of applications built with PCAP Filter.

Topics

Driver-specific

The topics in this section provide information relevant to the deployment of applications built with the NetFilter struct that includes a kernel-mode driver.

This information should be reviewed carefully when designing a deployment strategy for such an application, since PCAP Filter's kernel mode drivers and other supplementary DLLs must be distributed along with the application in order for it to function correctly.

Topics

Prerequisites

The structs create a virtual drive or directory, visible to other processes, which requires a certain level of integration between the structs and the system itself. In order for an application that uses such struct to function correctly, the following prerequisites must first be met on the target machine:

  • Windows: The kernel mode drivers must be installed; please refer to the Driver Installation topic for more information.
  • macOS: The struct uses an embedded NFS Server and relies on the availability of the "mount_nfs" tool in the system to create a mounting point.
  • Linux: The system's kernel must have been compiled with support for FUSE. Also, FUSE 2.9 user-mode libraries must be installed in the development system. This can be achieved using the following commands:
    • RedHat/CentOS and derivative Linux distributions: sudo yum install fuse-devel
    • Debian/Ubuntu and derivative Linux distributions: sudo apt-get install libfuse-dev

Driver Installation

The topics in this section provide information regarding the deployment of applications built with the NetFilter struct on Windows. The information in these topics should be reviewed carefully when designing a deployment strategy, because PCAP Filter's kernel mode drivers and supplementary dynamic link libraries (DLLs) must be distributed along with the application for it to function correctly.

At a high level, PCAP Filter consists of a kernel mode driver, a helper DLL, and a user mode library; all of which work together in tandem to provide the product's functionality. Therefore, it is necessary to install the PCAP Filter kernel mode driver and helper DLL when deploying an application built with the PCAP Filter user mode library.

The functionality needed to install the above-mentioned modules is included in the user mode library itself, as well as in a separate installer DLL.

Important: the signatures of the functions in the installer DLL differ from the signatures of the corresponding methods of the structs. Use the signatures provided in installer/{StructName}Inst.h when using the installer DLL.

The drivers directory, located within the product's installation directory, contains the following files:

{StructName}.cab Contains the main drivers, PnP bus drivers, helper DLLs, and the supplementary installation/uninstallation files.
installer/{StructName}Inst.h A header file for the installer DLL. The installer DLL may be used on the target system to install (or uninstall) the items within {StructName}.cab.
installer/x64/{StructName}Inst.dll The C/C++ installer DLL for the x64 (AMD64) processor architecture.
installer/x86/{StructName}Inst.dll The C/C++ installer DLL for 32-bit x86 processor architecture.
installer/ARM/{StructName}Inst.dll The C/C++ installer DLL for 32-bit ARM processor architecture.
installer/ARM64/{StructName}Inst.dll The C/C++ installer DLL for 64-bit ARM processor architecture.
NOTE: When the user-mode library is installed or updated on end-user systems, it is required to ensure that the kernel-mode drivers already present in the system are updated to match the version of the installed user-mode library.

Installation and Uninstallation via User Mode Library Methods

The struct includes the following methods to install and uninstall the required files; please refer to their documentation for more information:

Important: uninstall must only be used when completely removing the driver. When updating the driver, this method must not be used as it may cause the OS to incorrectly remove the driver on reboot. Please refer to the "Updating the Driver" section, below, for more information.

Installation and Uninstallation via Installer DLL Functions

The installer DLL is a lightweight, stand-alone library that contains only the functionality required for installing and uninstalling the required files. It is available in both 32-bit and 64-bit versions (each of which is capable of installing both 32-bit and 64-bit drivers and helper DLLs); and may be used as desired in installation scripts, setup applications, or any other executable capable of loading dynamically-linked libraries (DLLs).

The functions exposed by the installer DLL mirror the struct methods listed above. Each function is available in two forms: those with an *A suffix, which can be used with ANSI/UTF8 strings; and those with a *W suffix, which can be used with Unicode (UTF16) strings.

Windows 7/8/8.1 and Windows 2008R2/2012/2012R2 Server notes: to install the drivers, you need to have certificate-related updates installed on the target system. This includes KB3033929 that adds support for SHA2 certificates. Other notable updates are are KB976932 (Service Pack 1 of the mentioned systems) and KB4474419 (Security Update). Other updates, such as updates to known Root and CA certificates may be required as well. Without these updates, the drivers can be installed but may not be loaded by the OS.

Updating the Driver

To update the driver, call the install method. The new version of the driver will replace the older version. Please do not call the uninstall method when updating the driver.

Uninstalling the Driver

To uninstall the driver completely, call the uninstall method. If the driver cannot be immediately uninstalled, it will be marked for removal and uninstalled on the next reboot.

Use caution when calling uninstall ; if it gets called and the driver cannot be uninstalled immediately, and then install is subsequently called to install a new version, then upon reboot, the OS will end up uninstalling the newly-installed driver.

Important: The driver should only be uninstalled when the intent is to completely remove it from the system. Do not uninstall the driver to update it.

Reboot Requirements

Depending on the current state of the system, as well as the options chosen when installing or uninstalling the driver, the OS may need to reboot to complete the operation.

For example, the helper DLL must be loaded by Windows File Explorer when it starts, and a reboot or restart of Explorer is required for this to occur. When installing or uninstalling the Plug-and-Play (PnP) drivers, a reboot is almost always requested by Windows.

Always check the return value of the install and uninstall methods/functions; it will indicate whether a reboot is required (and if so, which module(s) required it).

Additional Notes

The OS treats major versions of the driver as separate products; they can operate in parallel and do not share any resources. Old major versions may optionally be removed from the system when calling install by passing the appropriate value for its Flags parameter.

For each major version of the product, only one copy of the driver can be installed at any time. When the driver is being installed, its version is checked, and one of the following three things occurs:

  • If no driver with the same major version is currently installed, then the install procedure installs the driver as a new product.
  • If a driver with the same major version and an older minor version is currently installed, then the install procedure updates the existing driver with the new one.
  • If a driver with the same major version and a newer minor version is currently installed, then the install procedure leaves the existing driver unchanged.

When deploying files to a target system, the CAB file must remain present on the system. This file is required for uninstallation of the driver at a later time.

The product's installation code maintains a ProductGUID-based record of driver installations in the Windows Registry, creating a separate registry entry for each different ProductGUID. When the driver is "uninstalled", the corresponding registry entry is removed. The driver is only removed from the system if there are no entries left in the registry that reference the driver.

Required Permissions

By default, Windows only allows installation and uninstallation of the PCAP Filter system files (kernel mode drivers and helper DLLs) to be performed from a user account which is a member of the Administrators group.

On systems where UAC is enabled, the process responsible for installing or uninstalling the system files must run with elevated permissions. Detection of current privileges and elevation of permissions is not within the scope of the struct itself.

Some examples of obtaining the required permissions for driver installation and uninstallation are below.

  • Starting the application which uses the struct with the "Run as administrator" option.
  • Modifying the Load and unload device drivers setting in the Local Security Policy under the User Rights Assignment section.
  • Including a manifest alongside the application indicating the requirement for elevated permissions. For instance, if a file MyApp.exe.manifest with the content below exists next to the application MyApp.exe, it will prompt for elevated permissions when started (if required).

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="ExeName" type="win32"/> <description>elevate execution level</description> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>

User Mode Library

The user-mode library must be deployed to end-user systems along with the kernel-mode drivers; the version of the kernel-mode drivers on the end-user systems must be equal to or newer than the version of the user-mode library. Thus, when the user-mode library is installed or updated on end-user systems, it is required to ensure that the kernel-mode drivers already present in the system are updated to match the version of the installed user-mode library.

If you use the IPMonitor struct in Windows with the NetFilter driver, you need to make the packet.dll and wpcap.dll libraries, included with PCAP Filter in the "pcaplibs" directory, available to your application and deploy the libraries together with the application. IPMonitor will use these libraries as a bridge to the NetFilter driver. Note: the libraries included with PCAP Filter are part of the product and differ from the third-party ones that you can find in libpcap-based products; those third-party libraries will not communicate with the NetFilter driver.

The user-mode library comes as DLLs (dynamic libraries), named rustpcapfilter24.dll. The libraries are available for 32-bit (x86) and 64-bit (x64) processor architectures.

When deploying the application, copy the dynamic library to the target system and place it next to the application's .exe file .

Alternatively, the native library may be placed into one of directories, the paths to which are contained in the PATH environment variable, such as C:\Windows\System32 (or C:\Windows\SysWOW64 when deploying a 32-bit application on a 64-bit Windows system).

Remember to deploy the drivers too, as they are an integral part of PCAP Filter.

General Information

The topics in this section provide general information about various aspects of the product's functionality.

Common

The topics in this section provide additional information common to multiple components.

Topics

Thread Safety of the API

The properties and methods provided by PCAP Filter's APIs fall into one of the following categories when it comes to thread safety:

  • Properties and methods that are intended to be accessed from event handlers (i.e., those documented as such) are thread-safe, since event handlers always execute in the context of worker threads.
  • Methods related to installation, uninstallation, and status retrieval are not thread-safe, since they are expected to be used during the application installation process. (Methods in this category are those which are documented as being "available in both the struct API and the Installer DLL".)
  • Any helper methods documented in the struct's API (i.e., those used to convert error codes, or provide similar supplementary functionality) don't use any explicit thread synchronization, but also don't access any other struct properties or methods, and thus are inherently thread-safe.
  • All other properties and methods are not thread-safe, so applications must employ proper thread synchronization techniques when using them on multiple threads (including, but not limited to, during event handlers).

Error Handling

Error Codes

The PCAP Filter communicates errors using the Win32 error codes defined in WinError.h, which is part of the Windows Platform SDK. The PCAP Filter system drivers, however, use NT native error codes, which do not have one-to-one mappings with Win32 error codes. The struct includes logic for converting between the two as necessary, and that logic can be updated if any codes are not covered.

Additionally, PCAP Filter uses use certain error codes in a special manner. For more information about such error codes, please refer to the Error Codes page .

Reporting Errors to the Struct from Event Handlers

If an event has a ResultCode parameter, an event handler can use it to return the result code of the operation to the struct. The ResultCode parameter is set to 0 by default, which indicates the operation was successful.

If the event handler panics, the struct will recover from an error and fire the OnError event.

In some events, the OS does not expect the error code to be returned and either the struct or the OS ignores the returned error code. Please refer to the description of a particular event for more information.

How to Handle Errors Reported by the Struct

If an error occurs, the functions of the struct will return an error structure in the result. The get_code() function of the structure will return an error code, and the get_message() function will return an error message (if available).

Extended Logging in Windows

Some struct methods in PCAP Filter are capable of writing extended information about reported errors to the Windows event logs, which can be viewed using the system's eventvwr.exe tool. The user mode part of the struct writes to the "Windows Logs \ Application" or to "CBFS \ {struct}" folder, while the kernel mode part (where applicable) writes to the "Windows Logs \ System" folder.

The information written in the extended logs is meaningful to the Callback Technologies development team, but not to end-users, so extended logging is disabled by default. Important: These logs are not trace logs; do not enable them expecting to see detailed logging of the operations. The logs are used solely for troubleshooting.

If issues occur during the installation of the PCAP Filter system drivers, or while using the struct, please do the following:

  1. Enable extended logging (see below).
  2. Replicate the issue.
  3. Using Event Viewer (eventvwr.exe), export the event log entries from the locations mentioned above in native format (please restrict the scope of the export to just those entries related to PCAP Filter).
  4. Submit an issue report that includes the exported file.

There are two ways to toggle extended logging for a struct:

  1. By toggling the struct's LoggingEnabled configuration setting.
  2. By adding a DWORD-typed value named Enabled to the HKEY_LOCAL_MACHINE\SOFTWARE\Callback Technologies\{StructName}\EventLog registry key and setting it to 0 (disabled) or 1 (enabled).
    • Replace the {StructName} part of the registry key path with the name of the applicable struct.
    • If this registry key, one of its parents, or the actual value does not exist, please create it manually.

    NOTE: If your code runs in emulated mode (x86 mode on x64 or ARM64 architecture), you need to add the value to the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Callback Technologies\{StructName}\EventLog registry key in addition to the "main" registry key.

If modification of the flag is done via the registry, the system must be rebooted anytime extended logging is enabled or disabled to make the changes take effect.

Troubleshooting

PCAP Filter is a complex product that operates in both user mode and kernel mode simultaneously; so when a serious issue occurs, it's critical that we are able to obtain sufficient information about the circumstances of the failure.

In order to help us assist you in a more expedient manner, please collect the information described in the instructions below when reporting a serious issue (i.e., one that causes the system to crash or hang). Our development team cannot effectively diagnose such issues without this information.

Also, please note that these sorts of issues commonly involve environmental differences and other factors that are either unforeseen or otherwise out of our control. It is also not unheard-of for a crash to appear attributable to one thing while in fact being caused by something completely different. Rest assured that we are committed to assisting you as best we can, and we thank you ahead-of-time for your patience and understanding throughout the support process.

System Crashes (BSODs)

If you encounter a consistently-reproducible system crash (BSOD) that you suspect may be due to PCAP Filter, please obtain a crash dump and include it when reporting the issue to us. Our development team is unable to diagnose system crashes without the information these dumps contain.

Ensure that your system is set up to generate crash dumps, and to not restart automatically after a crash, by following the steps found in Microsoft's Enabling a Kernel-Mode Dump File article. The options available in the memory dump dropdown vary depending on your version of Windows; please choose the first one from the following list that is present in yours:

  • Complete
  • Full
  • Automatic
  • Kernel

Once your system is set up to generate crash dumps, perform the same action that caused the BSOD originally to trigger the crash again. When it occurs, be sure to copy the information on the BSOD screen exactly so that it can be included in your submission (a picture of the screen in which all of the information is legible is also acceptable). Here are some examples of the specific information we're looking for:

Recent versions of Windows:

What failed: netfilter24.sys Stop Code: ****

Older versions of Windows:

STOP: 0x00000022 (0x00240076, 0xF7A07AA8, 0xF7A077A8, 0xF7800C82) netfilter24.sys - Address F7800C82 base at F77CD000, DateStamp 447d6975

After you've copied this information, reboot and check that the memory dump file was created at %SYSTEMROOT%\MEMORY.DMP (typically this is C:\Windows\MEMORY.DMP; if you changed the dump file location in the crash dump settings, check the location you specified instead). It will be a very large file that is too big to attach to an email, so please upload it to a file sharing site of your choice and generate a sharing link that our development team can use to download it.

Finally, submit a support issue to us that includes the link to your dump file, all of the information from the BSOD screen (if you took a picture, attach it or provide another sharing link), a description of how the BSOD was triggered, and any other information that you feel is relevant.

System Hangs

If you encounter a consistently-reproducible system hang that you suspect may be due to PCAP Filter, you'll need to collect the same information as described above. But in order to obtain a crash dump, you'll first need to configure your system so that you can trigger a crash from the keyboard once it hangs. To make this possible, follow these steps (adapted from Microsoft's Forcing a System Crash from the Keyboard article):

  1. First, using the instructions provided in the section above, configure your system to generate crash dumps, and to not restart automatically after a crash.
  2. Next, you must enable keyboard-initiated crashes in the registry by creating a new value named CrashOnCtrlScroll, and setting it equal to a REG_DWORD value of 0x01, in all of the following registry keys:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hyperkbd\Parameters
  3. Finally, you must restart the system in order for these settings to take effect.

After these steps are complete, you'll be able to trigger a keyboard-initiated crash by using the following hotkey sequence: hold down the Right CTRL key, and press the SCROLL LOCK key twice.

At this point, you can perform the same action that caused the system to hang originally to trigger the hang again. Once the system hangs, use the hotkey sequence to force it to crash, and then follow the rest of the instructions from the section above to collect and submit the necessary information.

Method Never Returns

If your application makes a call to some PCAP Filter method and that method never returns, there's a high chance that the driver deadlock has occurred. This can be caused by various factors; to determine the reason and possible solutions, we need a memory dump, as described above. If your system remains functional, you may also use easier ways to initiate a crash:

  1. Use the NotMyFault tool by SysInternals to initiate a system crash. This is the preferred way because it generates Complete memory dumps. This tool has a self-explanatory GUI.
  2. Use the LiveKD tool by SysInternals to create a live memory dump without crashing a system. The disadvantage of this method is that it creates Kernel dumps that are missing user-mode information. To use LiveKD on 32-bit systems, use this command: "livekd.exe -ml -o memory.dmp". On 64-bit systems, the command line would be "livekd64.exe -ml -k .\kd64.exe -o memory.dmp".

Application Crashes

Sometimes, an application crashes while the OS continues to operate, and the name of one of the modules of PCAP Filter is present in the crash information. A crashing application can be the one that uses PCAP Filter or some third-party process. If the crash occurs repeatedly, it is possible to make use of a User-Mode Crash Dump to locate or narrow down the source of the crash. Generation of crash dumps is disabled by default. Before you reproduce the crash, you need to Enable Collecting User-Mode Crash Dumps.

After you enable the crash dump, you don't need to reboot, you can proceed to reproduction of the crash immediately. After the crash re-occurs, you can pick the dump file from its location. The default locations of user-mode dump files are:

  • For regular applications: %LOCALAPPDATA%\CrashDumps
  • For System services: %WINDIR%\System32\Config\SystemProfile
  • For Network and Local services: %WINDIR%\ServiceProfiles
If you changed the dump file location in the crash dump settings in the Registry, check the location you specified instead.

A crash dump can be a large file (depending on the settings) that is too big to attach to an email, so please upload it to a file sharing site of your choice and generate a sharing link that our development team can use to download it.

Finally, submit a support issue to us that includes the link to your dump file, a description of how the BSOD or a manual crash was triggered, and any other information that you feel is relevant.

IPMonitor

The topics in this section provide additional information specific to the IPMonitor struct.

Topics

Network Filter Library

The IPMonitor struct requires a libpcap-compatible library to be installed in the system.

Windows

On Windows 10 and later, the struct requires npcap to be installed. On Windows 7 and 8, either npcap or Winpcap can be used.

Linux

On Linux, the struct will automatically attempt to locate libpcap if it is installed. The following commands may be used to install libpcap: sudo apt install libpcap0.8 or yum install libpcap

macOS

On macOS, libpcap must be present in the system. It can be installed from source by downloading the source code from the TCPDump site and building it locally. Alternatively, libpcap can also be installed via the Homebrew package manager on macOS: brew install libpcap

System Configuration in Linux and macOS

In systems like Linux, *BSD and macOS, capturing the network traffic requires special configuration, and the approach is different between Linux and macOS, supported by the product. In most cases, the superuser or root can capture the network traffic without any extra steps; below instructions are mostly applicable to limited users who want to use an application without elevating rights (or those who don't have root or sudo rights in the first place).

Linux

In Linux, the process that attempts to capture the traffic, must have cap_net_raw and cap_net_admin capabilities. These capabilities are added by the operator or setup script using a command similar to sudo setcap cap_net_raw,cap_net_admin=eip {path-to-process} Note that the setcap tool replaces the capabilities, so if the process must have other capabilities too, all of them must be included in the command.

macOS

In macOS, the procedure is more complicated. There are several devices related to packet capturing present, which can be listed using the command ls -l /dev/bpf* You will need to adjust permissions of those devices.

The common approach is to create a dedicated group, which will have read-write access to those devices, and add a user (the one who needs access to capturing) to this group. A simple sequence of steps here is: sudo chgrp your_group /dev/bpf* sudo chmod 660 /dev/bpf* where "your_group" is the name of the group to which the user account belongs. If necessary, you can create a dedicated group for BPF monitoring, add a user to this group, then use the group as shown above.

The above changes should be done on every system start, so it may be necessary to configure a small launch daemon which will execute the above lines:

  1. Write the above or similar lines to a file, let's call it "set_bpf_perms.sh"
  2. make the script executable by using chmod: chmod +x /path/to/set_bpf_perms.sh"
  3. Create a launch daemon plist file (e.g., com.user.bpf.plist) in /Library/LaunchDaemons: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.user.bpf</string> <key>ProgramArguments</key> <array> <string>/path/to/set_bpf_perms.sh</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> </dict> </plist> </xml>
  4. Load the daemon: sudo launchctl load /Library/LaunchDaemons/com.user.bpf.plist

Additional information on BPF devices and libpcap can be found in the libpcap files.

NetFilter

The topics in this section provide additional information specific to the NetFilter struct.

Topics

Buffer Parameters

Some events include one or more parameters intended for use as a binary data buffer. Depending on the event, these parameters may contain data when the event is fired, or it may be expected that the application populates them with the desired amount of data during the event handler. Some events combine both paradigms and then expect the application to modify the data already present when the event is fired.

The documentation for such events will describe which of these cases applies to each buffer parameter. In all cases, buffer parameters point to a preallocated vector. In cases in which data are to be written, be sure to write it directly to this vector, do not resize the vector and don't replace the vector in the parameter.

Recursive Calls

To ensure stable operation, it is critical to avoid accessing drives and filesystems recursively. Essentially, this means that event handlers must not perform any operations involving the drive or filesystem that the event fired for (i.e., don't read from/write to files on it, don't unmount the media, etc.).

Threading and Concurrency

Through the use of multithreading, the NetFilter struct provides powerful concurrency features to help applications maximize their performance. For data integrity purposes, the struct allows applications to specify the extent to which events should be fired concurrently.

NOTE: Even when configured for minimal concurrency, the struct always fires events in the context of some worker thread, and not in the thread the struct was originally created on. Therefore, applications must be sure to synchronize operations between event handlers and other threads as necessary (including, but not limited to, calls to the struct instance, unless a method is explicitly documented as callable within events).

Configuring Event Concurrency

The most important concurrency-related consideration for NetFilter-based applications is whether to enforce event serialization. The serialize_events property controls whether events should be serialized on a single worker thread, or fired in parallel on several threads; by default, this property is set to seOnMultipleThreads, and events are allowed to fire in parallel.

When the serialize_events property is set to seOnMultipleThreads, the MinWorkerThreadCount and MaxWorkerThreadCount configuration settings control the minimum and maximum number of worker threads the struct can use for firing events. By default, both are set to 0, which indicates that the struct's system driver should automatically choose appropriate values based on how many CPU cores the system has. These settings are both ignored if serialize_events is set to values other than seOnMultipleThreads.

Timeouts

Because the struct's events are tied to network packets, it is important that event handlers complete requests quickly to prevent the network traffic from being blocked for longer than necessary. To help prevent such blocking, the PCAP Filter system driver can enforce request timeouts on a per-filter basis.

A request timeout interval is specified by passing the desired number of milliseconds to the Timeout parameter when calling the start_filter method. The value passed to the Timeout parameter must either be a positive value greater than or equal to 3000, or 0, indicating that timeouts should not be enforced, in which case events may take as long as necessary to execute.

When timeout enforcement is in effect and a packet-processing event executes long enough for its timeout to expire, the driver either drops the packet or lets it go further. The tardy event still runs to completion, but any results it returns once finished are ignored because the underlying request has already been handled.

Applications should always strive to ensure that all event handlers complete quickly, even if request timeouts are disabled. Do not perform time-consuming work, especially network operations, within event handlers; offload such work to background threads.

Filter Rules

In its default state, the NetFilter struct ignores all operations; applications must explicitly specify which operations they are interested in by adding one or more filter rules.

A rule specifies whether the packet is dropped or passed for processing by the application (which can include modification of the packet). If a packet is to be passed to the application, the rule also specifies which of the events should be fired.

A rule contains certain conditions to match network packets against, such as an adapter name, the direction of a packet, and packet size limits. Additionally, NetFilter supports advanced conditions ("BPF rules") as used in libpcap.

Order of rules

A network packet is processed if it matches the conditions set in one or more filter rules and when it does not match any passthrough rule; otherwise, the packet is let pass by. The order in which the rules are added is not important: the rules are internally stored not in the list, so the order cannot be kept.

The NetFilter struct provides the following methods for managing standard filter rules:

Filter rules are deactivated and deleted when the application exits.

Passthrough Rules

Passthrough rules instruct the struct's system driver to explicitly exclude certain packets from processing, thus counteracting any filter_rules that they otherwise would match.

A rule contains certain conditions to match network packets against, such as an adapter name, the direction of a packet, and packet size limits. Additionally, NetFilter supports advanced conditions ("BPF rules") as used in libpcap.

The NetFilter struct provides the following methods for managing passthrough rules:

Passthrough rules are deactivated and deleted when the application exits.