NEFilterDataProvider - update(flow, using: NEFilterDataVerdict, for: NETrafficDirection) usage

Hello,

I have a question about the usage of the function:

func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection)

(https://developer.apple.com/documentation/networkextension/nefilterdataprovider/3543400-update)

provided by the NEFilterDataProvider class of the content filter network extension.

If I understand correctly, this function can be used on an instance of NEFilterDataProvider to update an already issued verdict for a network flow. By "issuing a verdict" I mean returning any of .allow()/.drop()/.init(pass: peek:) in handleNewFlow/handleInboundData/handleOutboundData.

However, I am having difficulty with it. My workflow involves maintaining an array of currently active flows. Flows are inserted in handleNewFlow() and they are deleted when handleReport(report: NEFilterReport) with event flowClosed is called (flow identification is based on their UUID). Then, at some point in the future, based on our business logic, I iterate through the container of "active flows" and attempt to call func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection) on all of them, with the intention of changing the already issued verdict.

However, calling that function seems to have no effect. Am I using it the wrong way? What is the intended usage? Is it even possible to update the verdict of flows that were already allowed or postponed by .init(peek:pass:)?

The issue I'm trying to solve is that we evaluate flows based on our business logic and return either .drop() or .init(pass: peek:) verdicts for them. Sometimes, we want to reevaluate the .init(pass: peek:) verdict immediately, which is when we attempt to call the update() function and provide a new .init(pass:peek) or .drop() verdict.

The main objective is to promptly drop certain flows, particularly those awaiting further data evaluation due to .init(pass: peek), immediately on demand.

Thanks.
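The workflow described in the question, as an added Swift example that is not code from the original post: the provider records postponed flows by identifier, forgets them on flowClosed, and later re-issues a verdict with update(_:using:for:). The `reevaluateActiveFlows()` entry point, the `shouldDropNow(_:)` policy and the address it checks are assumptions standing in for the poster's business logic, and the peek sizes are arbitrary.

```swift
import NetworkExtension

final class FilterDataProvider: NEFilterDataProvider {

    // Active flows keyed by identifier (as in the post). The lock matters because
    // the system callbacks and the on-demand re-evaluation may run on different threads.
    private var activeFlows: [UUID: NEFilterSocketFlow] = [:]
    private let lock = NSLock()

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow else { return .allow() }
        lock.lock(); activeFlows[socketFlow.identifier] = socketFlow; lock.unlock()
        // Postpone the decision: filter both directions and peek at the first bytes.
        return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: 1024,
                                  filterOutbound: true, peekOutboundBytes: 1024)
    }

    override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        // Keep the flow postponed: pass what was seen, ask to peek at the next chunk.
        return NEFilterDataVerdict(passBytes: readBytes.count, peekBytes: 1024)
    }

    override func handle(_ report: NEFilterReport) {
        // The system reports flowClosed once per flow; drop our bookkeeping entry then.
        guard report.event == .flowClosed, let flow = report.flow else { return }
        lock.lock(); activeFlows.removeValue(forKey: flow.identifier); lock.unlock()
    }

    /// Hypothetical entry point called by the business logic when a flow must be
    /// re-evaluated on demand. Iterates over a snapshot so the callbacks stay unblocked.
    func reevaluateActiveFlows() {
        lock.lock(); let snapshot = Array(activeFlows.values); lock.unlock()
        for flow in snapshot where shouldDropNow(flow) {
            // Re-issue the verdict for each direction the flow is being filtered in.
            update(flow, using: .drop(), for: .outbound)
            update(flow, using: .drop(), for: .inbound)
        }
    }

    // Hypothetical policy; the remote address is a constructed, documentation-range value.
    private func shouldDropNow(_ flow: NEFilterSocketFlow) -> Bool {
        guard let endpoint = flow.remoteEndpoint as? NWHostEndpoint else { return false }
        return endpoint.hostname == "203.0.113.10"
    }
}
```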

Replies

Your usage aligns with my understanding of how this should work. If you put this code into a small test project, does that exhibit the same problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"