Packet injection and verdict setting fixes.

[vlabo]

61c3443: Makes the block and drop verdict immutable. This will make windows apply the verdict immediately and not let other layers in the chain override the verdict. Also makes the applying of the verdict immediate in the ALE layer. So applications will get permission denied when trying to create a connection instead of timeout after few seconds.

04f8708: Fixes the packet injection in the packet callout. From what I remember this is only used in packet dns monitoring. Without recalculating the checksums the packet will just get dropped after injection by the network system.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced checksum recalculation for cloned network packets across IPv4 and IPv6 protocols
  • Improved network packet verdict immutability to prevent unintended modifications by subsequent filtering layers

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request adds checksum recalculation functionality after packet cloning in the Windows kernel extension driver and makes verdict verdicts immutable by clearing write flags in filter engine callouts. A new function computes transport-layer checksums for both IPv4 and IPv6 packets, invoked during packet cloning operations.

Changes

Cohort / File(s)	Summary
Checksum Recalculation windows_kext/driver/src/packet_callouts.rs, windows_kext/driver/src/packet_util.rs	Adds new recalc_header_checksums() function to recompute UDP/TCP checksums for IPv4/IPv6 packets. The clone_packet function now invokes this after cloning to ensure correct checksums. Function handles both IPv4 header checksum and transport-layer checksums using extracted addresses.
Verdict Immutability windows_kext/wdk/src/filter_engine/callout_data.rs	Clears write flags in action_block and block_and_absorb functions before invoking actions to enforce verdict immutability for subsequent processing layers. Includes inline documentation of intent.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• dhaavi

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Packet injection and verdict setting fixes' clearly and specifically describes the main changes: packet injection fixes and verdict setting fixes, which align with the two core commits in the PR.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}