Network Extension always reports localport of 0

As the new system extension framework is new and quite complicated, I'm not sure if this is a bug or an issue with its use.

Both in my custom system extension and in the example network extension created by Apple (the SimpleFirewall example), the local port of a new flow is always 0.

In the SimpleFirewall example this would be 'socketFlow.localEndpoint.port'.

If I log this out, I always get 0.

Note that the remote address and remote port seem correct.

What's going on here?

Answered by RobHDt in 408405022

Thanks. I completely missed the defer verdict functionality.


Makes complete sense; it seems we get to decide whether or not to allow the flow even before it's opened a socket.

I got this when it was HTTPS traffic from Apple's WebKit library. If you try Chrome, you will probably have a source port (I haven't verified this).


The good news is that when local port is 0 the flow's .url field is usually populated, so you can pick up interesting things from that.

Hi Todd2, thanks for the suggestion, but I've tried with normal HTTP and through Chrome.

Source IP and port are always 0.

This really sounds like a bug.

I haven’t looked at this specific case but my experience is that values like this tend not to show up until some data has actually passed through the flow. If you peek at a single byte, do you get these values?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I can confirm that in my testing, eskimo is right. I was unable to see the local port until data passed through the flow.
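To make the defer-verdict approach from the accepted answer concrete, here is an added illustration of a content filter data provider that does not decide in handleNewFlow but asks to peek at the first byte in each direction and reads the endpoints from the data callbacks. This is example code written for this thread, not Apple's SimpleFirewall source; the assumption, taken from the replies above, is that the local endpoint is populated once data has actually passed through the flow, and the remote-port policy check is a hypothetical placeholder.

```swift
import Foundation
import NetworkExtension
import os.log

// Added example, not from Apple's SimpleFirewall. A NEFilterDataProvider
// subclass that defers its verdict until the first byte moves, because the
// local endpoint port is reported as 0 while the flow is still being opened.
class DeferringFilterDataProvider: NEFilterDataProvider {

    private let log = OSLog(subsystem: "example.filter", category: "flows")

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow else {
            return .allow()
        }

        // At this point the thread reports localEndpoint's port as 0: the
        // socket may not be bound yet. Log it for comparison with the value
        // seen later in the data callbacks.
        os_log("new flow: local=%{public}@ remote=%{public}@ url=%{public}@",
               log: log, type: .info,
               Self.describe(socketFlow.localEndpoint) as NSString,
               Self.describe(socketFlow.remoteEndpoint) as NSString,
               (flow.url?.absoluteString ?? "<none>") as NSString)

        // Defer the verdict: request the first byte in each direction so the
        // decision is made in handleInboundData/handleOutboundData, when the
        // flow has carried data and the endpoints are expected to be filled in.
        return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: 1,
                                  filterOutbound: true, peekOutboundBytes: 1)
    }

    override func handleOutboundData(from flow: NEFilterFlow,
                                     readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        return verdict(for: flow, direction: "outbound")
    }

    override func handleInboundData(from flow: NEFilterFlow,
                                    readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        return verdict(for: flow, direction: "inbound")
    }

    // Shared decision point for both directions. Endpoints are read here, after
    // data has passed, which is where the replies above report the local port.
    private func verdict(for flow: NEFilterFlow, direction: String) -> NEFilterDataVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let local = socketFlow.localEndpoint as? NWHostEndpoint,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            // Not a socket flow or endpoints still unavailable: fail open here;
            // a production filter would choose its own default.
            return .allow()
        }

        os_log("%{public}@ data: local=%{public}@:%{public}@ remote=%{public}@:%{public}@",
               log: log, type: .info,
               direction as NSString,
               local.hostname as NSString, local.port as NSString,
               remote.hostname as NSString, remote.port as NSString)

        // Hypothetical policy placeholder: drop flows to a remote port from a
        // blocked list; replace with real rules.
        let blockedRemotePorts: Set<String> = ["23"]
        if blockedRemotePorts.contains(remote.port) {
            return .drop()
        }
        return .allow()
    }

    // Render an NWEndpoint as host:port, or a marker when it is not a host endpoint.
    private static func describe(_ endpoint: NWEndpoint?) -> String {
        guard let host = endpoint as? NWHostEndpoint else { return "<unavailable>" }
        return "\(host.hostname):\(host.port)"
    }
}
```

Peeking a single byte keeps the deferral cheap; the point is only that the verdict is delivered from the data callbacks, where the local endpoint has been observed to be populated, rather than from handleNewFlow.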

