NEFilterDataProvider.handleNewFlow(_:) gets called with same flow ids multiple times

Question

Created Oct ’23

Replies 6

Boosts 0

Participants 2

Since NEFilterFlow.identifier is documented as The unique identifier of the flow., I thought I could use it to store the flow by its identifier in a dictionary in order to retrieve it later. I do this when the system extension pauses a flow because it needs to ask the user whether the flow should eventually be allowed or dropped.

But then I noticed that sometimes when allowing a previously paused flow, identified by its identifier, my system extension doesn't find that flow anymore. After some debugging it turned out that this happens because I stored at least one other flow with the same id which, when confirmed, is removed again from the dictionary, so there is no more flow with that identifier waiting in the dictionary.

Is it expected that the identifiers are recycled for different flows, or does it mean that the same flow is effectively being passed to .handleNewFlow(_:) multiple times, such as if the extension waited "too long" between pausing a flow and allowing or dropping it? What does this mean?

Boost

Answer 1

Systems Engineer OP

Apple

Oct ’23

Is it expected that the identifiers are recycled for different flows, or does it mean that the same flow is effectively being passed to .handleNewFlow(_:) multiple times

What type of flow is it? Is it a UDP or TCP?

0

Answer 2

Nickkk OP

Oct ’23

In this case it seems to always be UDP. Is this different from protocol to protocol?

0

Answer 3

Systems Engineer OP

Apple

Oct ’23

In this case it seems to always be UDP

In this case look at the local and remote ports, is everything the same here for the flows or are they different? Does this only happen when data starts moving on the flow?

0

Answer 4

Nickkk OP

Oct ’23

In this case look at the local and remote ports, is everything the same here for the flows or are they different?

If they are equal, would that mean that it's effectively the same flow? Why is then handleNewFlow(_:) called multiple times?

Does this only happen when data starts moving on the flow?

Not sure what you mean... it sounds like handleNewFlow(_:) can indeed be called multiple times. In case it was not clear, the same identifiers really appear multiple times when handling flows in handleNewFlow(_:) and not when handling reports in handle(_:). What I mean is that I didn't even check what happens in handle(_:).

0

Answer 5

Nickkk OP

Nov ’23

Does this only happen when data starts moving on the flow?

Isn't handleNewFlow(_:) called only when data starts moving? I couldn't find any mention of a different behaviour in the documentation.

0

Answer 6

Nickkk OP

Nov ’23

In this case look at the local and remote ports, is everything the same here for the flows or are they different?

I can now confirm that local host and port, and remote host and port are the same. The process path is always /usr/sbin/mDNSResponder.

0