Network Data Provider - handleXxxboundDataCompleteForFlow()
Hi,

1. What does Complete mean for the methods handleOutboundDataCompleteForFlow() and handleInboundDataCompleteForFlow()? When is it completed? After an amount of bytes? After a packet (size?) is captured? After a timeout? After the socket is closed?
2. Do I need to do/return something special in handleNewFlow() to get these methods called?
3. Why is this not well explained in the API documentation? (https://developer.apple.com/documentation/networkextension/nefilterdataprovider, https://developer.apple.com/documentation/networkextension/nefilterdataprovider/1618977-handleinbounddatacomplete, https://developer.apple.com/documentation/networkextension/nefilterdataprovider)

Thanks.

Regards.
Replies: 1, Boosts: 0, Views: 504, Activity: Jun ’20
How do I implement a Network Filter by process (path/id)?
Hi, in almost all network filters there is the possibility to set a rule to allow or deny all network traffic coming from or going to a particular process; it can be done using the program path most of the time, or the bundle id on Mac. Guess what... I need to implement such a filter. The problem comes when I try to use some of the new System Network Extension filtering classes. Mac provides the following options:

NEDataProvider. Using this filter I can get the process path, pid, bundle-id, which looks great, but... it only filters TCP/UDP protocols. What about all the remaining Layer 4 protocols??? It does not make any sense to me!!! And oops... wait a moment... this only works for new connections, you cannot filter existing connections!!!

NEPacketProvider. Using this filter I can filter all protocols above Layer 2 at any time, fantastic! Until... you realize that you cannot get the path, pid, bundle-id of the process generating/receiving the packet.

So, is there a way to implement such a filter? Regards!
Replies: 1, Boosts: 0, Views: 934, Activity: Jun ’20