Hi!
One part of my application is in charge of modifying the network configuration through the SystemConfiguration library. More specifically, I temporarily add entries under
State:/Network/Service/Temp/DNS
State:/Network/Service/Temp/IPv4
State:/Network/Service/Temp/IPv6
And then remove them when I'm done, expecting the network configuration to return to the one active before this procedure.
I have noticed (at least in macOS Catalina) that the default IPv6 route does not get properly restored if I do this. I can get it back by turning the network adapter off and on, but I believe that should normally not be necessary.
The steps to reproduce this are:
1) Configure a manual IPv6 address for the network adapter, for example:
Router: 2001:db8:abcd:12::1
Address: 2001:db8:abcd:12::7
Prefix Length: 64
2) Check that the default IPv6 route is present through 'netstat -nr'
Internet6:
Destination Gateway Flags Netif Expire
default 2001:db8:abcd:12::1 UGc en0
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
3) Add an IPv6 entry using scutil
d.init
d.add Addresses * 2001:db8:abcd:12::7
d.add InterfaceName en0
d.add PrefixLength * 64
d.add Router 2001:db8:abcd:12::1
set State:/Network/Service/Temp/IPv6
4) Default IPv6 route is still present
Internet6:
Destination Gateway Flags Netif Expire
default 2001:db8:abcd:12::1 UGc en0
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
5) Remove Temp entry
remove State:/Network/Service/Temp/IPv6
6) Default IPv6 route is gone
Internet6:
Destination Gateway Flags Netif Expire
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
7) Restart network adapter
8) Default IPv6 route reappears
Internet6:
Destination Gateway Flags Netif Expire
default 2001:db8:abcd:12::1 UGc en0
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
So, I wanted to know if I'm correctly assuming that the default route should not disappear after removing the IPv6 entry, and if there's any workaround I could use from within my application other than manually restarting the network adapter.
Thanks!
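The reproduction steps above, packaged as a script so the route check before and after the scutil add/remove can be run repeatedly and compared. This is an added example, not code from the original post or from Apple: it assumes the interface, router, address and prefix values quoted in the post (overridable through the environment), that the machine is macOS with the manual IPv6 configuration already applied, that the script runs as root (writing State: keys through scutil needs it), and that `netstat -nr` lays out the Internet6 table as Destination, Gateway, Flags, Netif. The `has_v6_default_route` parser is exercised offline against the netstat output quoted in the post (a fixture copied from the post, not live output), so the live reproduction only runs when `--run` is passed.

```shell
#!/bin/sh
# Added example (not code from the original post): reproduce the scutil
# steps above and check, before and after, whether the IPv6 default route
# via the configured router is still present.
# Assumed values (taken from the post; override via environment):
IFACE="${IFACE:-en0}"
ROUTER="${ROUTER:-2001:db8:abcd:12::1}"
ADDR="${ADDR:-2001:db8:abcd:12::7}"
PREFIX="${PREFIX:-64}"
KEY="State:/Network/Service/Temp/IPv6"

# has_v6_default_route GATEWAY NETIF
# Reads `netstat -nr` output on stdin; succeeds (exit 0) if the Internet6
# table has a "default" entry with that gateway on that interface.
# Column layout assumed: Destination Gateway Flags Netif [Expire].
has_v6_default_route() {
    awk -v gw="$1" -v ifn="$2" '
        /^Internet6:/ { in6 = 1; next }
        /^Internet:/  { in6 = 0; next }
        in6 && $1 == "default" && $2 == gw && $4 == ifn { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Feed scutil the same commands the post types interactively, via stdin.
add_temp_ipv6() {
    scutil <<EOF
d.init
d.add Addresses * $ADDR
d.add InterfaceName $IFACE
d.add PrefixLength * $PREFIX
d.add Router $ROUTER
set $KEY
EOF
}

remove_temp_ipv6() {
    echo "remove $KEY" | scutil
}

# report LABEL: print whether the route exists right now; return 1 if missing.
report() {
    if netstat -nr | has_v6_default_route "$ROUTER" "$IFACE"; then
        echo "$1: default IPv6 route via $ROUTER on $IFACE present"
    else
        echo "$1: default IPv6 route via $ROUTER on $IFACE MISSING"
        return 1
    fi
}

reproduce() {
    report "before add" || { echo "route not configured; nothing to test"; return 1; }
    add_temp_ipv6
    report "after add"
    remove_temp_ipv6
    report "after remove"   # the post reports this step losing the route on Catalina
}

# Offline self-test of the parser against the netstat output quoted in the
# post (a copied fixture, not live output). Returns 0 if the parser sees the
# route in the "before" table and not in the "after remove" table.
selftest() {
    before='Internet6:
Destination Gateway Flags Netif Expire
default 2001:db8:abcd:12::1 UGc en0
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1'
    after='Internet6:
Destination Gateway Flags Netif Expire
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1'
    printf '%s\n' "$before" | has_v6_default_route 2001:db8:abcd:12::1 en0 || return 1
    if printf '%s\n' "$after" | has_v6_default_route 2001:db8:abcd:12::1 en0; then
        return 1
    fi
    return 0
}

# Live run only on request (macOS; root is needed to write State: keys).
if [ "${1:-}" = "--run" ]; then
    reproduce
fi
```

Run it as `sudo sh repro.sh --run` on the affected Mac; without `--run` it only defines the functions, so `selftest` can be called from any POSIX shell to confirm the parser before trusting its verdict on live output. Checking the gateway and interface together, rather than just the word "default", matters here because the link-local utun defaults in the quoted output remain after the en0 route is gone and would otherwise mask the regression.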
Hi!
I've already got everything up and running in my Firewall application using NEFilterDataProvider and NEFilterPacketProvider.
There are some times when I would like to disable filtering (just allow all traffic), and then re-enable it at a later time (mainly for preventing an unnecessary performance hit). I could, of course, just return the allow verdict in the newFlow/packet handlers, but I was wondering if there's any way to dynamically start/stop the filter (without having to ask the user for approval again) and not have the handlers called at all. There are the methods stopFilter and startFilter, but according to the documentation those are supposed to be called by the system, so I'm not sure if I should be using them for this purpose.
Thanks!
Best regards,
Darío
Hi,
I am trying to develop a Firewall using the new Network Extension API, since the KExt API will be deprecated soon.
The new API provides everything I need through the NEFilterDataProvider, but that only works for TCP and UDP sockets.
NEFilterPacketProvider captures packets for all protocols, but it does not provide any other information about the packet. My question is, then, how would I go about, for example, blocking all outgoing non-TCP/UDP packets coming from a certain App? More specifically, how can I tie a Packet to its corresponding App using the NEFilterPacketProvider? Am I even using the right NEProvider class at all?
Thanks!
Hi,
I am developing a Firewall using NEFilterDataProvider. I am trying to see what happens when a connection fails, such as when SSHing to a non-existent IP address. The following happens:
handleNewFlow is called and I can get the following information:
handleNewFlow uuid: D89B5B5D-793C-4940-CA63-5B1444830300 direction: 2, pid: 23910, programPath: /usr/bin/ssh, protocol: 6, localip: 0.0.0.0, localport: 0, remoteip: 192.168.1.80, remoteport: 22
Since the local IP and local port are not defined at this point, I return the "peek" verdict and wait for the information to be there in the handleXDataFromFlow callback:
return [NEFilterNewFlowVerdict filterDataVerdictWithFilterInbound:YES
peekInboundBytes:1
filterOutbound:YES
peekOutboundBytes:1];
But, since the connection fails, handleXDataCompleteForFlow gets called instead:
handleInboundDataCompleteForFlow uuid: D89B5B5D-793C-4940-CA63-5B1444830300 direction: 2, pid: 23910, programPath: /usr/bin/ssh, protocol: 6, localip: 0.0.0.0, localport: 0, remoteip: 192.168.1.80, remoteport: 22
Now, the problem comes when I return a verdict in the handleXDataCompleteForFlow. Regardless of it being allowVerdict or dropVerdict, I get the following error in the console, originating from my System Extension:
Write operation on the socket failed (Invalid argument)
Should failed connections be handled somehow differently? Is there a more reliable way to detect those cases rather than checking if the localIP/localPort is 0 in the handleXDataCompleteForFlow callback?
Thanks