Filter by Packet Size

Is there a way to use the NEFilterDataProvider to block traffic based on packet size?

Is there a way to use the NEFilterDataProvider to block traffic based on packet size?

This question suggests you’ve misunderstood how the content filter architecture works. A filter data provider is given data streams. It does not have access to packets and thus can’t possibly filter by packet size.

If you’re targeting macOS, you can use a packet filter provider to filter at the packet level. And, yes, in that case you could block packets based on their size.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Even better; can the data filter block by size of the (entire) data stream?

can the data filter block by size of the (entire) data stream?

Not in any sensible way. You could tell the system that you need to peek at N bytes before you make your decision. That’ll yield one of two cases:

  • You’ll get N bytes, at which point you can deny the stream.

  • You’ll get an EOF before you get N bytes, at which point you can pass through the bytes you got.

However, this is going to require you to buffer a vast amount of data within your provider, which runs the risk of you hitting its memory limit.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
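
The two cases described in the answer above, sketched as an added example that is not part of the original posts and is not Apple sample code. The class name `SizeCapFilterProvider` and the 64 KiB cap are assumptions chosen for illustration; the cap is kept small because of the memory limit the answer warns about.

```swift
import NetworkExtension

// Hypothetical provider: denies any flow whose inbound stream reaches
// `inboundCap` bytes, and allows it if EOF arrives first.
final class SizeCapFilterProvider: NEFilterDataProvider {

    // Assumed value for illustration only. The peeked bytes have to be
    // held until the verdict is made, so this must stay well under the
    // provider's memory limit.
    private let inboundCap = 64 * 1024

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Defer the decision: ask to peek at up to `inboundCap` inbound
        // bytes. Outbound data is not inspected in this sketch.
        return .filterDataVerdict(withFilterInbound: true,
                                  peekInboundBytes: inboundCap,
                                  filterOutbound: false,
                                  peekOutboundBytes: 0)
    }

    override func handleInboundData(from flow: NEFilterFlow,
                                    readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        // Case 1: N bytes arrived, so the stream is at least N bytes long.
        if offset + readBytes.count >= inboundCap {
            return .drop()
        }
        // Fewer than N bytes so far: pass nothing yet and keep peeking.
        return NEFilterDataVerdict(passBytes: 0, peekBytes: inboundCap)
    }

    override func handleInboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict {
        // Case 2: EOF before N bytes, so let through what was received.
        return .allow()
    }
}
```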

Got it. Thanks! I assume setting a cap of 1 MB wouldn't hit the memory limit; correct? Also, would the EOF case result in handleInboundDataComplete() being called? If not, what causes that method to be called?

I assume setting a cap of 1 MB wouldn't hit the memory limit; correct?

No, that’s not correct at all. NE providers have a very tight memory limit. While it’s not officially documented, you can see this thread for a rough idea of what to expect.

Also, would the EOF case result in handleInboundDataComplete() being called?

Yes.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
