jcspencer
Hi there!

Recently, I noticed that Windows 11 / Server 2025 added the FWPM_CONDITION_RPC_OPNUM condition to the RPC_UM layer.

Also recently added is the auditparameters setting for RPC filters in netsh, which is feature-flagged behind the RpcBufferAuditing flag - pretty neat! That feature flag also fixes the age-old issue of named pipe RPC events not having IP information (inside RPCRT4.dll).

In order to make this a bit more accessible, I've written up a series of changes on top of the NtCoreLib.Net.Firewall package. Specifically:

  1. Add basic support for creating providers and sublayers (currently no PoSH support, but an easy add)
  2. Added support for the FWPM_CONDITION_RPC_OPNUM condition, along with helpers for other common RPC fields.
    • The IP address helpers have been given an optional flag to use the _V4/_V6-suffixed keys that the RPC layers use.
  3. Changed NamedGuidDictionary to reflect constants out of the Firewall<Type>Guids classes.
    • This keeps them better in sync, as I noticed there were values missing from the dictionary that were defined statically.
  4. Allow setting the RawContext field inside a filter, which is used (for example) to set FWPM_CONTEXT_RPC_AUDIT_ENABLED in the RPC audit sublayer (as well as the currently-undocumented buffer auditing flags)
  5. Fixes up an error where SpecializeValue mis-cast an RPC field type
  6. Adds some quality-of-life improvements for filter builders
    • We can use a reference to a FirewallLayer to extract field metadata at runtime
    • This allows for condition validation against what's actually available on the host, before submitting the filter to WFP.
    • For example, disallowed match types, field-value mismatches, etc.

Hopefully splitting out the commits helps with merging - if there's any changes you're not too keen on, feel free to cherry-pick!

Thanks for the great library! :)


Code samples of the new features:

```powershell
# PowerShell (NtObjectManager): audit opnum 2 (OpenLocalMachine) of the
# Remote Registry interface (MS-RRP) on the RPC_UM layer.
$Engine = Get-FwEngine
$Builder = New-FwConditionBuilder
Add-FwCondition $Builder -MatchType "Equal" -RpcInterfaceUuid "338CD001-2244-31F1-AAAA-900038001003"
Add-FwCondition $Builder -MatchType "Equal" -RpcOpNum 2
Add-FwFilter -Engine $Engine -Name Test `
    -LayerKey FWPM_LAYER_RPC_UM `
    -SubLayerKey FWPM_SUBLAYER_RPC_AUDIT `
    -RawContext 0x01 `    # FWPM_CONTEXT_RPC_AUDIT_ENABLED
    -Condition $Builder `
    -Validate             # check conditions against the host's RPC_UM layer fields first
```

```csharp
// C# (NtCoreLib.Net.Firewall): the same filter built with the new builder helpers.
using System;
using NtCoreLib.Net.Firewall;

using FirewallEngine engine = FirewallEngine.Open();
FirewallLayer RPC_UM = engine.GetLayer(FirewallLayerGuids.FWPM_LAYER_RPC_UM);
FirewallSubLayer RPC_AUDIT = engine.GetSubLayer(FirewallSubLayerGuids.FWPM_SUBLAYER_RPC_AUDIT);
Guid MS_RRP = new("338CD001-2244-31F1-AAAA-900038001003"); // Remote Registry (MS-RRP) interface UUID

FirewallFilterBuilder builder = new()
{
    Name = "Test RPC Audit Rule",
    Description = "Audit calls to RemoteRegistry / OpenLocalMachine (Opnum 2)",
    Weight = FirewallValue.Empty,
    LayerKey = RPC_UM.Key,
    SubLayerKey = RPC_AUDIT.Key,
    ActionType = FirewallActionType.Permit
};

builder.AddRpcUuid(FirewallMatchType.Equal, MS_RRP);
builder.AddRpcOpNum(FirewallMatchType.Equal, 2); // OpenLocalMachine
builder.SetContextValue(1); // FWPM_CONTEXT_RPC_AUDIT_ENABLED
builder.ValidateWithLayer(RPC_UM); // Validate that all conditions are valid for this host's layer.

// Disposing an uncommitted transaction aborts it, so a failed AddFilter leaves no partial state.
using var transaction = engine.BeginTransaction();
engine.AddFilter(builder);
transaction.Commit();
```

…DITION_RPC_OPNUM` condition.

* Adds helpers to `FirewallConditionBuilder` for RPC types, and adds support for address family-suffixed IP conditions keys for RPC layers.
…c `Guid` values in respective classes, keeping values consistent.
…cts.

This allows setting - for example the `FWPM_CONTEXT_RPC_AUDIT_ENABLED` value for the built-in RPC audit sublayer.
…rs, which report field presence and basic type metadata.

Given a loaded FirewallLayer, we can validate:
* If the condition field is available for the layer,
* If the match type is supported for the data type, and
* If the data type of the condition value can be compared with the value in the field  (taking into account some documented edge-cases).

This is not as robust as building type-safe constructors, but it improves usability somewhat when dealing with arbitrary fields.
…ndition validation support

Also adds support for specifying `RawContext`, enabling the addition of RPC filter audit rules.
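An added example (not part of the pull request or the library) that applies the PR's point about validating conditions against what the host actually exposes: it checks the RPC_UM layer's field list for FWPM_CONDITION_RPC_OPNUM before using the opnum condition, adds the audit filter, enables the audit-policy subcategory that the filter's events depend on, and reads the resulting Security-log events back. It assumes NtObjectManager with this PR's `-RpcOpNum`, `-RawContext` and `-Validate` parameters; that `FirewallLayer` objects expose `KeyName` and a `Fields` collection whose entries have `KeyName`; that `Add-FwFilter` returns the new filter ID and `Remove-FwFilter` accepts it via `-Id`; and that the RPC audit filter produces Security event 5712 once "RPC Events" auditing is on. Run elevated.

```powershell
# Added example: gate the opnum condition on host support, add an RPC audit
# filter, then read the audit events it produces. Assumptions are marked.
Import-Module NtObjectManager

$Engine = Get-FwEngine

# Assumption: FirewallLayer exposes KeyName and a Fields collection with KeyName entries.
$Layer = Get-FwLayer -Engine $Engine | Where-Object KeyName -eq 'FWPM_LAYER_RPC_UM'
if (-not $Layer) { throw 'RPC_UM layer not found on this host' }
$HasOpNum = [bool]($Layer.Fields | Where-Object KeyName -eq 'FWPM_CONDITION_RPC_OPNUM')

$Builder = New-FwConditionBuilder
# Remote Registry (MS-RRP) interface UUID, as used in the PR's samples.
Add-FwCondition $Builder -MatchType Equal -RpcInterfaceUuid '338CD001-2244-31F1-AAAA-900038001003'
if ($HasOpNum) {
    Add-FwCondition $Builder -MatchType Equal -RpcOpNum 2   # OpenLocalMachine
} else {
    # Pre-Windows 11 / Server 2025: the field does not exist, so submitting it
    # would fail at the engine. Fall back to auditing every opnum on the interface.
    Write-Warning 'No FWPM_CONDITION_RPC_OPNUM on this host; auditing all opnums for MS-RRP'
}

# Assumption: Add-FwFilter returns the filter ID. RawContext 0x01 is
# FWPM_CONTEXT_RPC_AUDIT_ENABLED for the built-in RPC audit sublayer.
$FilterId = Add-FwFilter -Engine $Engine -Name 'MS-RRP OpenLocalMachine audit' `
    -LayerKey FWPM_LAYER_RPC_UM `
    -SubLayerKey FWPM_SUBLAYER_RPC_AUDIT `
    -ActionType Permit `
    -RawContext 0x01 `
    -Condition $Builder `
    -Validate

# The filter only generates events when the "RPC Events" subcategory is audited.
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable | Out-Null

Write-Host "Filter $FilterId added. Exercise the interface (e.g. 'reg query \\$env:COMPUTERNAME\HKLM\SOFTWARE'"
Write-Host "from another session), then press Enter to list the audit events."
[void](Read-Host)

# Assumption: RPC audit filters surface as Security event 5712 ("An RPC call was attempted").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5712 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# Clean up. Assumption: Remove-FwFilter accepts the ID returned above via -Id.
Remove-FwFilter -Engine $Engine -Id $FilterId
```

Without the field check, the same script on an older host fails only when the filter is submitted; with `-Validate` it fails earlier and with a clearer error, but checking `Fields` lets the script degrade to a UUID-only filter instead of failing at all.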
google-cla bot commented Sep 14, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.
