Filter by App using NEFilterPacketProvider
Hi, I am trying to develop a Firewall using the new Network Extension API, since the KExt API will be deprecated soon. The new API provides everything I need through the NEFilterDataProvider, but that only works for TCP and UDP sockets. NEFilterPacketProvider captures packets for all protocols, but it does not provide any other information about the packet. My question is, then, how would I go about, for example, blocking all outgoing non-TCP/UDP packets coming from a certain App? More specifically, how can I tie a Packet to its corresponding App using the NEFilterPacketProvider? Am I even using the right NEProvider class at all? Thanks!
Replies: 4 · Boosts: 0 · Views: 789 · Jun ’20
NEFilterDataProvider and Failed Connections
Hi, I am developing a Firewall using NEFilterDataProvider. I am trying to see what happens when a connection fails, such as when SSHing to a non-existent IP address. The following happens: handleNewFlow is called and I can get the following information:

```
handleNewFlow uuid: D89B5B5D-793C-4940-CA63-5B1444830300 direction: 2, pid: 23910, programPath: /usr/bin/ssh, protocol: 6, localip: 0.0.0.0, localport: 0, remoteip: 192.168.1.80, remoteport: 22
```

Since the Local IP and LocalPort are not defined at this point, I return the "peek" verdict and wait for the information to be there in the handleXDataFromFlow callback:

```objc
return [NEFilterNewFlowVerdict filterDataVerdictWithFilterInbound:YES
                                         peekInboundBytes:1
                                           filterOutbound:YES
                                        peekOutboundBytes:1];
```

But, since the connection fails, handleXDataCompleteForFlow gets called instead:

```
handleInboundDataCompleteForFlow uuid: D89B5B5D-793C-4940-CA63-5B1444830300 direction: 2, pid: 23910, programPath: /usr/bin/ssh, protocol: 6, localip: 0.0.0.0, localport: 0, remoteip: 192.168.1.80, remoteport: 22
```

Now, the problem comes when I return a verdict in handleXDataCompleteForFlow. Regardless of it being allowVerdict or dropVerdict, I get the following error in the console, originating from my System Extension:

```
Write operation on the socket failed (Invalid argument)
```

Should failed connections be handled somehow differently? Is there a more reliable way to detect those cases rather than checking if the localIP/localPort is 0 in the handleXDataCompleteForFlow callback? Thanks

Replies: 0 · Boosts: 0 · Views: 501 · Jun ’20
Pausing/Resuming NEFilter*Provider filtering
Hi! I've already got everything up and running in my Firewall application using NEFilterDataProvider and NEFilterPacketProvider. There are some times when I would like to disable filtering (just allow all traffic), and then re-enable it at a later time (mainly for preventing an unnecessary performance hit). I could, of course, just return the allow verdict in the newFlow/packet handlers, but I was wondering if there's any way to dynamically start/stop the filter (without requiring asking the user for approval again) and not have the handlers called at all. There are the methods stopFilter and startFilter, but according to the documentation those are supposed to be called by the system, not sure if I should be using them for this purpose. Thanks! Best regards, Darío
Replies: 2 · Boosts: 0 · Views: 489 · Feb ’21
Default IPv6 route not restored
Hi! One part of my application is in charge of modifying the network configuration through the SystemConfiguration library. More specifically, I temporarily add entries under

```
State:/Network/Service/Temp/DNS
State:/Network/Service/Temp/IPv4
State:/Network/Service/Temp/IPv6
```

And then remove them when I'm done, expecting the network configuration to return to the one active before this procedure. I have noticed (at least in macOS Catalina) that the Default IPv6 route does not get properly restored if I do this. I can get it back by turning Off and On the network adapter, but I believe that should normally not be necessary. The steps to reproduce this are:

1) Configure a manual IPv6 address for the network adapter, for example:

Router: 2001:db8:abcd:12::1
Address: 2001:db8:abcd:12::7
Prefix Length: 64

2) Check that the default IPv6 route is present through 'netstat -nr':

```
Internet6:
Destination               Gateway             Flags     Netif Expire
default                   2001:db8:abcd:12::1 UGc       en0
default                   fe80::%utun0        UGcI      utun0
default                   fe80::%utun1        UGcI      utun1
```

3) Add an IPv6 entry using scutil:

```
d.init
d.add Addresses * 2001:db8:abcd:12::7
d.add InterfaceName en0
d.add PrefixLength * 64
d.add Router 2001:db8:abcd:12::1
set State:/Network/Service/Temp/IPv6
```

4) Default IPv6 route is still present:

```
Internet6:
Destination               Gateway             Flags     Netif Expire
default                   2001:db8:abcd:12::1 UGc       en0
default                   fe80::%utun0        UGcI      utun0
default                   fe80::%utun1        UGcI      utun1
```

5) Remove Temp entry:

```
remove State:/Network/Service/Temp/IPv6
```

6) Default IPv6 route is gone:

```
Internet6:
Destination               Gateway             Flags     Netif Expire
default                   fe80::%utun0        UGcI      utun0
default                   fe80::%utun1        UGcI      utun1
```

7) Restart network adapter

8) Default IPv6 route reappears:

```
Internet6:
Destination               Gateway             Flags     Netif Expire
default                   2001:db8:abcd:12::1 UGc       en0
default                   fe80::%utun0        UGcI      utun0
default                   fe80::%utun1        UGcI      utun1
```

So, I wanted to know if I'm correctly assuming that the default route should not disappear after removing the IPv6 entry, and if there's any workaround I could use from within my application other than manually restarting the network adapter. Thanks!

Replies: 3 · Boosts: 0 · Views: 2.3k · Mar ’21
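An added check for the route-loss steps above (not part of the original post): a shell function that parses `netstat -nr` output and reports whether a given interface still has a non-link-local IPv6 default route, so the state before and after removing the Temp entry can be compared in a script. The sample outputs are constructed from the tables quoted in the post; the interface name en0 is taken from them.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports whether an
# interface still has a global (non fe80::) IPv6 default route in the
# output of `netstat -nr`, so a script can notice the route silently
# disappearing after the State:/Network/Service/Temp/IPv6 entry is removed.
# Real usage: ipv6_default_route_present "$(netstat -nr)" en0 || echo "route lost"

# Sample outputs, constructed from the netstat tables quoted in the post.
BEFORE_REMOVE='Internet6:
Destination        Gateway              Flags   Netif Expire
default            2001:db8:abcd:12::1  UGc     en0
default            fe80::%utun0         UGcI    utun0
default            fe80::%utun1         UGcI    utun1'

AFTER_REMOVE='Internet6:
Destination        Gateway              Flags   Netif Expire
default            fe80::%utun0         UGcI    utun0
default            fe80::%utun1         UGcI    utun1'

# $1 = netstat -nr output, $2 = interface name (e.g. en0).
# Exit status 0 when the Internet6 table has a "default" entry on that
# interface whose gateway is not a fe80:: link-local address (the utun
# tunnel entries in the post are link-local and do not count).
ipv6_default_route_present() {
    printf '%s\n' "$1" | awk -v ifname="$2" '
        /^Internet6:/ { in6 = 1; next }       # start of the IPv6 table
        /^Internet:/  { in6 = 0; next }       # IPv4 table: ignore
        in6 && $1 == "default" && $4 == ifname && $2 !~ /^fe80:/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Compare the two states the post describes (steps 4 and 6).
if ipv6_default_route_present "$BEFORE_REMOVE" en0; then
    echo "before remove: en0 has a global IPv6 default route"
fi
if ! ipv6_default_route_present "$AFTER_REMOVE" en0; then
    echo "after remove: en0 default IPv6 route is gone"
fi
```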