NEFilterDataProvider issue in handling existing connection

Hi.

I am trying to understand how NEFilterDataProvider works.

I see that handleNewFlow handles newly created flows that match the NEFilterRule I set.

However, it doesn't look like it handles preexisting connections.

The existing traffic doesn't go to any of the handlers, so there is no way to give a verdict.

How do I keep a preexisting connection from being interrupted?

The existing traffic doesn't go to any of the handlers, so there is no way to give a verdict. How do I keep a preexisting connection from being interrupted?

Do you mean that you want to get connection data for flows that existed before the NEFilterDataProvider was started? If so, that will not happen. That is why, on macOS at least, these providers are available as Network System Extensions, so they can start at system boot if needed.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

No. That is not the question.

Here is the case.

I have an ssh connection to somewhere outside.

And I start the SimpleFirewall app with a modified filter like the following.

        // Match every outbound flow: nil networks with prefix 0 cover all addresses and ports
        let anyHostAndPortRule = NENetworkRule(
            remoteNetwork: nil,
            remotePrefix: 0,
            localNetwork: nil,
            localPrefix: 0,
            protocol: .any,
            direction: .outbound
        )

and here is my handleNewFlow:

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        os_log("Received a new flow: %{public}@", flow.description)
        // Only socket flows with host endpoints are logged; anything else is allowed through
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint,
              let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else {
            return .allow()
        }

        // Note: a plain %@ (without {public}) is redacted as <private> in the unified log
        os_log("Got a new flow with local endpoint %@, remote endpoint %@", localEndpoint, remoteEndpoint)

        // Every flow is allowed; this filter only observes
        return .allow()
    }

Now, as soon as I start the filter (by clicking the button in the app), it freezes my existing ssh connection, while I can open a new ssh connection to the same destination.

So my question is: is there any way I can add a filter without interrupting the existing connection?

My theory here is that Apple's Network Extension cannot handle TCP loose cases. Is that true?
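For readers who want to reproduce the setup discussed in the post above end to end, here is an added example (not SimpleFirewall's code and not posted by anyone in this thread) of the two pieces involved: the NEFilterDataProvider subclass that installs the same "any outbound flow" rule and logs each new flow, and the app-side call that enables the filter configuration, which is what a "start filter" button does. Class name, log subsystem and the description string are assumptions. On macOS the system extension has to be activated with OSSystemExtensionManager before the configuration can be enabled; that step is not shown.

```swift
import Foundation
import NetworkExtension
import os.log

// Subsystem name is an assumption for this example.
private let log = OSLog(subsystem: "com.example.simplefirewall", category: "filter")

// ---- Extension target: the content filter provider ----
class FilterDataProvider: NEFilterDataProvider {

    // Called by the system once the filter configuration is enabled. Per this
    // thread, flows that already exist at this moment are terminated by the
    // system and are never delivered to handleNewFlow.
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // nil networks with prefix 0 match every address; .any matches TCP and UDP.
        let anyOutbound = NENetworkRule(
            remoteNetwork: nil,
            remotePrefix: 0,
            localNetwork: nil,
            localPrefix: 0,
            protocol: .any,
            direction: .outbound
        )
        // .filterData routes matching flows to handleNewFlow; non-matching
        // flows get defaultAction without a callback.
        let rule = NEFilterRule(networkRule: anyOutbound, action: .filterData)
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings) { error in
            if let error = error {
                os_log("Failed to apply filter settings: %{public}@",
                       log: log, type: .error, error.localizedDescription)
            }
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        os_log("Filter stopped, reason %ld", log: log, reason.rawValue)
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint,
              let local = socketFlow.localEndpoint as? NWHostEndpoint else {
            return .allow()
        }
        // %{public}@ is required to see the endpoints in `log stream`;
        // a plain %@ is redacted as <private>.
        os_log("New %{public}@ flow %{public}@:%{public}@ -> %{public}@:%{public}@",
               log: log, protocolName(socketFlow.socketProtocol),
               local.hostname, local.port, remote.hostname, remote.port)
        // Observe only: an ssh flow to port 22 is logged like any other and allowed.
        return .allow()
    }

    private func protocolName(_ proto: Int32) -> String {
        switch proto {
        case IPPROTO_TCP: return "tcp"
        case IPPROTO_UDP: return "udp"
        default: return "proto\(proto)"
        }
    }
}

// ---- App target: enable the filter configuration (the "button") ----
// Saving a configuration with isEnabled == true is what starts the provider,
// so this is the moment existing flows are cut according to the thread.
func enableFilter(completion: @escaping (Error?) -> Void) {
    let manager = NEFilterManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        if manager.providerConfiguration == nil {
            let config = NEFilterProviderConfiguration()
            config.filterSockets = true   // socket-level flows, as NEFilterSocketFlow
            config.filterPackets = false
            manager.providerConfiguration = config
            manager.localizedDescription = "SimpleFirewall"  // assumed label
        }
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

To see what the provider observes while an ssh session is open, run `log stream --predicate 'subsystem == "com.example.simplefirewall"'` in a terminal, then call enableFilter from the app; the existing session will stall as described in the post, and only a newly opened ssh connection will appear as a flow in the log.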

Thank you for the clarification here. There used to be similar issues with NETransparentProxyProvider, and it looks like a fix has been created but has not landed in a build yet (r. 76264309).

Note that I did test this scenario a few months ago with NEFilterDataProvider and NETransparentProxyProvider running at the same time on the system, and NEFilterDataProvider did not log any traffic for SSH.

My advice would be to open a bug report here with the information that you have. Please respond back with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I opened the ticket and here is the feedback ID: FB9719459

I opened the ticket and here is the feedback ID: FB9719459

Thank you. I see that there has already been internal feedback on your bug report: "This happens for Security reasons, all existing flows are terminated when the filter provider starts."

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

That doesn't make sense.

For example, I have an ssh connection and add an outbound rule to allow ssh traffic.

In this case, adding the filter should not block or interrupt the existing connection, because the rule I added matches the existing flow.

So it means that no matter how many times I add the same rule for the same flow, it will always drop the connection.

So I see it as a lack of resilience, not a security feature.
