NEFilterControlProvider, Web browsers and dropping Socket flow problem

Looks like iOS 15 has another issue with the NE Content filtering framework. So I just did some tests and found this. I have NEFilterDataProvider and NEFilterControlProvider and intercept both Web and Socket flows; the Data provider always returns the NEFilterNewFlowVerdict.needRules() verdict. Now the flow gets intercepted by the Control provider and... I can see the Socket flow coming first to handleNewFlow() in the Control provider when I run the Safari or Chrome browsers. But even if I drop it by returning completionHandler(NEFilterControlVerdict.drop()) the next thing I get is Web flow coming to handleNewFlow(), which means it's impossible to block Web browsers by dropping Socket flow as even though I return drop verdict for Socket flow, WebKit based apps will be able to make a connection. I don't think that was the case with iOS 14... Any thoughts?

But even if I drop it by returning completionHandler(NEFilterControlVerdict.drop()) the next thing I get is Web flow coming to handleNewFlow(), which means it's impossible to block Web browsers by dropping Socket flow as even though I return drop verdict for Socket flow, WebKit based apps will be able to make a connection. I don't think that was the case with iOS 14... Any thoughts?

This does sound like an issue if you are not able to drop the flow. Is this the case if you run NEFilterDataProvider alone and do not hand the flow off to NEFilterControlProvider?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com