Filter by App using NEFilterPacketProvider

Hi,

I am trying to develop a Firewall using the new Network Extension API, since the KExt API will be deprecated soon.

The new API provides everything I need through the NEFilterDataProvider, but that only works for TCP and UDP sockets.

NEFilterPacketProvider captures packets for all protocols, but it does not provide any other information about the packet. My question is, then, how would I go about, for example, blocking all outgoing non-TCP/UDP packets coming from a certain App? More specifically, how can I tie a Packet to its corresponding App using the NEFilterPacketProvider? Am I even using the right NEProvider class at all?

Thanks!
This is a difficult one; you could try to delay the packet and then attempt to extract the NEFlowMetaData, which contains the sourceAppAuditToken to identify the app. However, this can have very serious performance impacts, and the NEFlowMetaData is not always available. So my advice here would be to attempt this, and if your results match what I am describing here, then let's get an enhancement request down for an API to provide the app context directly on the packet or from the NEFilterPacketHandler closure directly.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
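The delay-and-inspect approach described in the reply above, written out as an added example (this is not code from the thread or from Apple). It assumes a macOS content filter system extension; the bundle/signing identifier `com.example.blocked-app` is a placeholder. Because a packet provider is not guaranteed to get flow metadata, the code treats a missing `NEFlowMetaData` as an explicit case rather than crashing on it:

```swift
import NetworkExtension

/// Added example: a NEFilterPacketProvider subclass that delays every outbound
/// non-TCP/UDP packet, then tries to attribute the delayed NEPacket to an app
/// through its NEFlowMetaData before allowing or dropping it.
final class AppAwarePacketFilter: NEFilterPacketProvider {

    // Placeholder (assumed) signing identifier of the app whose non-TCP/UDP
    // egress should be blocked.
    private let blockedSigningIdentifier = "com.example.blocked-app"

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        packetHandler = { [weak self] context, bytes, length, _, direction in
            guard let self = self else { return .allow }

            // Only outbound traffic is of interest for this policy.
            guard direction == .outbound else { return .allow }

            // TCP (6) and UDP (17) are already covered by NEFilterDataProvider,
            // so let them through here and only delay everything else.
            guard let proto = AppAwarePacketFilter.ipProtocol(bytes, length),
                  proto != 6, proto != 17 else {
                return .allow
            }

            // Delaying gives us an NEPacket object that must later be handed
            // to allow(_:) or drop(_:).
            let packet = self.delayCurrentPacket(context)
            self.decide(packet)
            return .delay
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        packetHandler = nil
        completionHandler()
    }

    /// Decides the fate of a delayed packet from its flow metadata.
    private func decide(_ packet: NEPacket) {
        // NEFlowMetaData is optional on NEPacket and may be nil for packets
        // seen by a packet provider. With no app context there is nothing to
        // match against; this example fails open, a stricter policy would drop.
        guard let meta = packet.metadata else {
            allow(packet)
            return
        }

        // sourceAppAuditToken is the field the reply refers to; it is also
        // optional, so check it before relying on it for pid/uid lookups.
        let hasAuditToken = meta.sourceAppAuditToken != nil

        if hasAuditToken, meta.sourceAppSigningIdentifier == blockedSigningIdentifier {
            drop(packet)
        } else {
            allow(packet)
        }
    }

    /// Reads the transport protocol number from the IP header.
    /// Returns nil for truncated buffers or non-IPv4/IPv6 packets.
    static func ipProtocol(_ bytes: UnsafePointer<UInt8>, _ length: Int) -> UInt8? {
        guard length >= 1 else { return nil }
        switch bytes[0] >> 4 {
        case 4:
            // IPv4: protocol field is byte 9 of the 20-byte minimum header.
            return length >= 20 ? bytes[9] : nil
        case 6:
            // IPv6: next-header field is byte 6 of the 40-byte fixed header.
            return length >= 40 ? bytes[6] : nil
        default:
            return nil
        }
    }
}
```

When testing this, log how often `packet.metadata` comes back nil on a representative traffic mix before deciding whether the approach is usable; the decision in `decide(_:)` is only as good as the metadata that actually arrives, and delaying every packet puts each one through an extra round trip in the extension.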
Hi Matt,

Thanks for the answer!

I have already tried delaying the packet, since I've seen it suggested in other threads. The problem is, it does not give any extra information when it is used in NEFilterPacketProvider (the NEFlowMetaData field is null). Apparently, that only works in some specific cases such as app proxy providers and NEPacketTunnelProvider in per-App VPN mode.

I guess the current API simply does not support my use case and I will have to submit the enhancement request...

Best regards,
Darío
Okay, thank you for confirming. If the NEFlowMetaData is routinely null, then I would open an enhancement request for an API to provide the app context directly on the packet or from the NEFilterPacketHandler closure directly.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@dlipicar @meaton We have a similar use case: allow network traffic only for our application. Could you suggest whether we can achieve it with any of these APIs?
