I am writing a firewall, and trying to choose between NEFilterDataProvider and NEFilterPacketProvider.
NEFilterDataProvider seems to contain a lot more information. For example, via NEFilterFlow I can know very easily from which app the flow originated.
However, I think NEFilterDataProvider only parses UDP and TCP connections?
If that is correct, then it does not work for a firewall, because malware could send data with any custom protocol.
Is there a good way to filter absolutely all network content, but still have access to NEFilterFlow's useful information in the subset of cases where it can be populated?
I am assuming that I should set NEFilterProviderConfiguration.filterPacket=true and NEFilterProviderConfiguration.filterSocket=true, but can I somehow use an NEFilterDataProvider that will look at strictly all the flow?
However, I think NEFilterDataProvider only parses UDP and TCP connections?
Correct.
Is there a good way to filter absolutely all network content, but still have access to NEFilterFlow's useful information in the subset of cases where it can be populated?
You could implement both providers and have the packet filter ignore TCP and UDP traffic.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
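
One way to sketch the "packet filter ignores TCP and UDP" split suggested in the reply above. This is an added example, not code from the thread or from Apple. Assumptions: the handler's buffer starts at the IP header (strip any link-layer header first if your interface delivers one), and `verdictForNonFlowPacket` is a hypothetical hook for your own rules.

```swift
import NetworkExtension

enum Transport { case tcpOrUDP, other, malformed }

// Classify a raw IPv4/IPv6 packet by its transport protocol.
// Assumption: `bytes` begins at the IP header.
func classifyIPPacket(_ bytes: UnsafeRawBufferPointer) -> Transport {
    guard let first = bytes.first else { return .malformed }
    switch first >> 4 {
    case 4:
        let headerLength = Int(first & 0x0F) * 4
        guard headerLength >= 20, bytes.count >= headerLength else { return .malformed }
        let proto = bytes[9]                      // IPv4 Protocol field
        return (proto == 6 || proto == 17) ? .tcpOrUDP : .other
    case 6:
        guard bytes.count >= 40 else { return .malformed }
        var next = bytes[6]                       // IPv6 Next Header field
        var offset = 40
        // Walk hop-by-hop (0), routing (43), fragment (44) and destination
        // options (60) headers so TCP/UDP behind them is still recognised.
        while [0, 43, 44, 60].contains(next) {
            guard bytes.count >= offset + 8 else { return .malformed }
            let length = next == 44 ? 8 : (Int(bytes[offset + 1]) + 1) * 8
            next = bytes[offset]
            offset += length
        }
        return (next == 6 || next == 17) ? .tcpOrUDP : .other
    default:
        return .other                             // not IPv4 or IPv6
    }
}

// Hypothetical policy hook: rules for ICMP, raw and custom protocols go here.
func verdictForNonFlowPacket(_ bytes: UnsafeRawBufferPointer) -> NEFilterPacketProvider.Verdict {
    return .allow
}

final class PacketFilter: NEFilterPacketProvider {
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        packetHandler = { _, _, _, packetBytes, packetLength in
            let buffer = UnsafeRawBufferPointer(start: packetBytes, count: packetLength)
            switch classifyIPPacket(buffer) {
            case .tcpOrUDP: return .allow         // decided by the NEFilterDataProvider
            case .malformed: return .drop         // policy choice in this example
            case .other: return verdictForNonFlowPacket(buffer)
            }
        }
        completionHandler(nil)
    }
}
```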