how to multiple content filter system extension verdicts interact with each other ?

Question

Created Apr ’21

Replies 3

Boosts 0

Participants 2

I'm developing a product with a Content Filter System Extension with both NEFilterPacketProvider and NEFilterSocketProvider.

What's the behavior where mutiple system extension verdicts disagree ?

Specifically what happens if our extension .allows a connection and another applications system extension .denys the same connection, or visa versa.

Boost

Answer 1

Systems Engineer OP

Apple

Apr ’21

What's the behavior where mutiple system extension verdicts disagree ?
Specifically what happens if our extension .allows a connection and another applications system extension .denys the same connection, or visa versa.

If your connection passes through the first provider and is denied in the second I suspect you will see a blocked connection on the client and a failure in the first provider.

If your connection is denied in the first provider then I suspect that you will see a blocked connection on the client and no connection reach the second provider.

Is there a reason you need both providers?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

RobHDt OP

Apr ’21

Thank you for your response Matt. Apologies I believe my question may have caused confusion. What happens if the verdict I give in my extension (that contains 2 providers that will give the same answer) disagrees with another third party system extension that's installed on the machine by a different application ?

0

Answer 3

Systems Engineer OP

Apple

Apr ’21

What happens if the verdict I give in my extension (that contains 2 providers that will
give the same answer) disagrees with another third party system extension that's
installed on the machine by a different application ?

Then you will most likely see some similar to what I described here: If your connection passes through the first provider and is denied in the second I suspect you will see a blocked connection on the client and a failure in the first provider.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0