Microsoft Internet Security and Acceleration Server 2000

Filter Object Model

When the Firewall service starts, it implements the IFWXFirewall interface.

The Firewall service creates application filter instances. Each application filter implements the IFWXFilter interface. The Firewall service initializes the application filter by calling the IFWXFilter::FilterInit method.

The application filter registers for events. When the Firewall service detects an event for which the application filter is registered, it uses IFWXFilter::AttachToSession to inform the application filter that the event has occurred. The application filter then creates an instance of the session filter, which implements IFWXSessionFilter.

The session filter object refers to the session object, represented by the IFWXSession interface, for client and user information.

When an event is detected that the filter is interested in, as indicated in the output of IFWXFilter::AttachToSession, the Firewall service notifies the filter by calling the IFWXSessionFilter::FirewallEventHandler method.

When the Firewall service notifies it that an event the filter is interested in has occurred, the session filter can create an instance of a data filter, which implements the IFWXDataFilter interface. Alternatively, data filters can be created by using IFWXSession::SetDataFilterFactory. The session filter object attaches the data filter to the connection related to the specific event. The connection implements the IFWXConnection interface.

IFWXConnection provides the data filter with the internal and external sockets by using IFWXDataFilter::SetSockets. Each socket object implements the IFWXSocket interface. The data filter then performs the data pumping and filtering for a specific connection.

Data is received as buffers. To avoid the need to copy buffers, each buffer is handled as an object, FWXIOBuffer, that implements the IFWXIOBuffer interface. Since data is received asynchronously, the data filter must implement IFWXIOCompletion, which is necessary for asynchronous input/output (I/O) on the sockets. When an asynchronous I/O operation is completed, the Firewall service uses IFWXIOCompletion::CompleteAsyncIO to notify the data filter that the buffer is available to it.

The data filter can then perform its filtering function on the data buffer.
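
The call order described above, as a simplified C++ model added here for illustration; it is not SDK code. The classes are plain stand-ins named after the interfaces (not their COM signatures), `RunConnection` and the "BLOCKME" drop rule are constructed, and only internal-to-external traffic is modelled.

```cpp
// Stand-ins named after the page's interfaces, NOT the SDK's COM signatures.
#include <memory>
#include <string>
#include <vector>
using Trace = std::vector<std::string>;          // records the order of calls

struct Socket {                                   // stands in for IFWXSocket
    std::vector<std::string> sent;
    void Send(const std::string& buf) { sent.push_back(buf); }
};
struct DataFilter {                               // IFWXDataFilter + IFWXIOCompletion
    Trace& trace;
    Socket* external = nullptr;
    explicit DataFilter(Trace& t) : trace(t) {}
    void SetSockets(Socket*, Socket* ext) { trace.push_back("SetSockets"); external = ext; }
    void CompleteAsyncIO(const std::string& buf) { // an async receive has completed
        trace.push_back("CompleteAsyncIO");
        // Constructed rule: drop any buffer containing "BLOCKME", forward the rest.
        if (buf.find("BLOCKME") == std::string::npos) external->Send(buf);
    }
};
struct SessionFilter {                            // stands in for IFWXSessionFilter
    Trace& trace;
    std::unique_ptr<DataFilter> data;
    explicit SessionFilter(Trace& t) : trace(t) {}
    DataFilter* FirewallEventHandler() {          // creates the connection's data filter
        trace.push_back("FirewallEventHandler");
        data.reset(new DataFilter(trace));
        return data.get();
    }
};
struct AppFilter {                                // stands in for IFWXFilter
    Trace& trace;
    explicit AppFilter(Trace& t) : trace(t) {}
    void FilterInit() { trace.push_back("FilterInit"); }
    std::unique_ptr<SessionFilter> AttachToSession() {
        trace.push_back("AttachToSession");
        return std::unique_ptr<SessionFilter>(new SessionFilter(trace));
    }
};
// Plays the Firewall service for one connection; returns the forwarded buffers.
std::vector<std::string> RunConnection(Trace& trace, const std::vector<std::string>& inbound) {
    Socket internal, external;
    AppFilter app(trace);
    app.FilterInit();
    auto session = app.AttachToSession();
    DataFilter* df = session->FirewallEventHandler();
    df->SetSockets(&internal, &external);
    for (const auto& buf : inbound) df->CompleteAsyncIO(buf);
    return external.sent;
}
```

Because the data filter is the only path between the two sockets in this model, a buffer it does not forward never reaches the external side.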

Filter registration procedures are described in Filter Setup.

The phases of a filter's operation are shown in the following figure. See ConnectorFilter for a diagram that illustrates the logic of a specific filter.