wf icon indicating copy to clipboard operation
wf copied to clipboard

Published 20 hours ago verified publisher icon tailscale

Understanding `dataTypeBitmapIndex`

Open calebstewart opened this issue 2 years ago • 2 comments

Do you have any information on what exactly dataTypeBitmapIndex is? I can't find the corresponding definition in MSDN at all. It doesn't appear in the FWP_DATA_TYPE documentation.

We recently hit a snag where some workstations had rules using that data type, which causes this library to be incapable of iterating over the rules (since parsing that filter rule breaks fromValue0).

I'm trying to figure out a way to sanely handle this, but I don't even know what it is.

calebstewart avatar Apr 03 '23 17:04 calebstewart

Ah, just found this from a dump of fwptypes.idl. It's not authoritative (since I'm not sure where to officially get a copy of that file), but may shed some light?

// Generic data value. This is primarily used to supply incoming values to the
// filter engine.
typedef struct FWP_VALUE0_
{
   FWP_DATA_TYPE type;
   [switch_type(FWP_DATA_TYPE), switch_is(type)]
   union
   {
      [case(FWP_EMPTY)]
         ;
      [case(FWP_UINT8, FWP_BITMAP_INDEX_TYPE)]
         UINT8 uint8;
      [case(FWP_UINT16)]
         UINT16 uint16;
      [case(FWP_UINT32)]
         UINT32 uint32;
      [case(FWP_UINT64)]
         [unique] UINT64* uint64;
      [case(FWP_INT8)]
         INT8 int8;
      [case(FWP_INT16)]
         INT16 int16;
      [case(FWP_INT32)]
         INT32 int32;
      [case(FWP_INT64)]
         [unique] INT64* int64;
      [case(FWP_FLOAT)]
         float float32;
      [case(FWP_DOUBLE)]
         [unique] double* double64;
      [case(FWP_BYTE_ARRAY16_TYPE)]
         [unique] FWP_BYTE_ARRAY16* byteArray16;
      [case(FWP_BYTE_BLOB_TYPE)]
         [unique] FWP_BYTE_BLOB* byteBlob;
      [case(FWP_SID)]
         [unique] SID* sid;
      [case(FWP_SECURITY_DESCRIPTOR_TYPE)]
         [unique] FWP_BYTE_BLOB* sd;
      [case(FWP_TOKEN_INFORMATION_TYPE)]
         [unique] FWP_TOKEN_INFORMATION* tokenInformation;
      [case(FWP_TOKEN_ACCESS_INFORMATION_TYPE)]
         [unique] FWP_BYTE_BLOB* tokenAccessInformation;
      [case(FWP_UNICODE_STRING_TYPE)]
         [string] LPWSTR unicodeString;
      [case(FWP_BYTE_ARRAY6_TYPE)]
         [unique] FWP_BYTE_ARRAY6* byteArray6;
      [case(FWP_BITMAP_ARRAY64_TYPE)]
         [unique] FWP_BITMAP_ARRAY64* bitmapArray64;
   };
} FWP_VALUE0;

According to that (again, not authoritative), it seems that FWP_BITMAP_INDEX_TYPE is parsed the same as FWP_UINT8.

calebstewart avatar Apr 03 '23 17:04 calebstewart

No idea, WFP is mysterious and the thing that are implemented, are the things I was able to make sense of. Anything else is unknown.

danderson avatar Apr 04 '23 17:04 danderson