Hosting Packet filtering and Socket filtering in the same Network Extension

Hello,

I need to do filtering at the flow level as well as the packet level. I saw in a previous thread https://developer.apple.com/forums/thread/128228 that there was an issue starting both kinds of filters in a single network extension. How can I achieve filtering at both these layers?

Are you working on an NE app extension? Or system extension?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I am creating a network system extension with Content Filter Provider for macOS.

I am creating a network system extension

This should work. With regards to that other thread, I’m not sure if the developer opened a TSI about this. If they did, it probably landed on Matt’s desk. I’ll ping him…

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I don't believe I received the previous incident, but I did some further research on this subject. I downloaded the SimpleFirewall example and added a FilterPacketProvider class to the project in the SimpleFirewallExtension target. For testing purposes I just added the following:

Code Block swift
import NetworkExtension
import os.log

class FilterPacketProvider: NEFilterPacketProvider {
    private let log = OSLog(subsystem: "com.example.apple-...", category: "PacketProvider")
    private let queue = DispatchQueue(label: "FilterPacketProvider", autoreleaseFrequency: .workItem)

    override init() {
        super.init()
        os_log(.debug, log: self.log, "init")
    }

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log(.debug, log: self.log, "startFilter")
        // Install the per-packet callback; returning .allow passes every packet through unchanged.
        self.packetHandler = { (context, interface, direction, bytes, length) -> NEFilterPacketProviderVerdict in
            return .allow
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        os_log(.debug, log: self.log, "stopFilter")
        // Remove the callback so no packets are handled after the filter stops.
        self.packetHandler = nil
        completionHandler()
    }
}

Then I added the provider class to NEProviderClasses in the extension plist.
Code Block xml
    <key>com.apple.networkextension.filter-packet</key>
    <string>$(PRODUCT_MODULE_NAME).FilterPacketProvider</string>

I then enabled both socket and packet filtering in the host app:

Code Block swift
let providerConfiguration = NEFilterProviderConfiguration()
providerConfiguration.filterSockets = true
providerConfiguration.filterPackets = true

I built and ran the project locally and saw both providers being initialized in my log stream output:
Code Block text
Debug 0x0 61848 : [com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension:DataProvider] init
Debug 0x0 61848 : [com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension:PacketProvider] init
Debug 0x0 61848 : [com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension:PacketProvider] startFilter
Debug 0x0 61848 : [com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension:PacketProvider] stopFilter

So, both the packet and data providers are being initialized at least. The next step would be to add a packet filter here and send a few requests to your machine and test out the handler logic.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
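As an added illustration of the "next step" above, written for this thread and not taken from the SimpleFirewall sample or from Matt's post: a NEFilterPacketProvider whose packet handler parses the IPv4 header of each packet, logs protocol, direction and ports, and drops packets too short to carry a valid header. The subsystem string and the class name are placeholders.

```swift
import Foundation
import Network
import NetworkExtension
import os.log

// Added example; subsystem identifier is a placeholder, not the sample's.
class LoggingPacketProvider: NEFilterPacketProvider {
    private let log = OSLog(subsystem: "com.example.placeholder", category: "PacketProvider")

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // The handler runs for every packet while the filter is active.
        self.packetHandler = { [weak self] (context, interface, direction, bytes, length) -> NEFilterPacketProviderVerdict in
            guard let self = self else { return .allow }
            return self.inspect(bytes: bytes, length: length, direction: direction)
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        self.packetHandler = nil
        completionHandler()
    }

    private func inspect(bytes: UnsafeRawPointer, length: Int, direction: NETrafficDirection) -> NEFilterPacketProviderVerdict {
        // A minimal IPv4 header is 20 bytes; anything shorter cannot be parsed and is dropped.
        guard length >= 20 else { return .drop }
        let p = bytes.assumingMemoryBound(to: UInt8.self)
        let version = p[0] >> 4
        guard version == 4 else { return .allow }   // IPv6 is passed through unchanged here
        let ihl = Int(p[0] & 0x0F) * 4              // header length in bytes
        let proto = p[9]                             // 6 = TCP, 17 = UDP
        // Source and destination ports are the first 4 bytes of the TCP/UDP header.
        var srcPort: UInt16 = 0
        var dstPort: UInt16 = 0
        if (proto == 6 || proto == 17) && length >= ihl + 4 {
            srcPort = UInt16(p[ihl]) << 8 | UInt16(p[ihl + 1])
            dstPort = UInt16(p[ihl + 2]) << 8 | UInt16(p[ihl + 3])
        }
        os_log(.debug, log: log, "dir=%d proto=%d src=%d dst=%d len=%d",
               direction.rawValue, proto, srcPort, dstPort, length)
        return .allow
    }
}
```

Watching the extension's log stream while sending a few requests to the machine shows whether the handler is invoked for both directions and confirms the verdicts being returned.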
Thank you Matt, I will try this approach and see what happens.
For the record, if you move from a Data Filter only extension to a Data and Packet Filter extension, a restart of the Mac might be required.

That's what I've observed so far when updating the SimpleFirewall sample project.

But at the same time, the system extension manager seems very fragile when it comes to installing/uninstalling, starting and stopping network extensions. So, in theory, a restart may not be required.
