sflt_register on macOS 10.15+

Hello,


Since the function sflt_register is deprecated in macOS 10.15+, which function/interface should I use instead?


Regards,

Alexey.

Replies

In macOS 10.15 you will want to take a look at Network Extensions as the replacement for Network Kernel Extensions. For example, instead of registering a socket filter you can now activate a Network Extension in your app that is used to examine connections or flows using the NEFilterDataProvider class. The NEFilterDataProvider is then used for making filtering decisions about these network data flows in your app.


There is an example of using this new workflow in the Filtering Network Traffic sample from last year's WWDC. A code sample from the project shows a content filter examining a TCP flow like so:


import NetworkExtension
import os.log

class FilterDataProvider: NEFilterDataProvider {

    // Local TCP port whose inbound connections the filter inspects.
    static let localPort = "8888"

    // MARK: NEFilterDataProvider

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {

        // Filter incoming TCP connections on port 8888, for both IPv4 and IPv6.
        let filterRules = ["0.0.0.0", "::"].map { address -> NEFilterRule in
            let localNetwork = NWHostEndpoint(hostname: address, port: FilterDataProvider.localPort)
            // A prefix of 0 on both sides matches any remote and any local address.
            let inboundNetworkRule = NENetworkRule(remoteNetwork: nil,
                                                   remotePrefix: 0,
                                                   localNetwork: localNetwork,
                                                   localPrefix: 0,
                                                   protocol: .TCP,
                                                   direction: .inbound)
            // Matching flows are handed to handleNewFlow(_:) for a verdict.
            return NEFilterRule(networkRule: inboundNetworkRule, action: .filterData)
        }

        // Allow all flows that do not match the filter rules.
        let filterSettings = NEFilterSettings(rules: filterRules, defaultAction: .allow)

        apply(filterSettings) { error in
            if let applyError = error {
                os_log("Failed to apply filter settings: %@", applyError.localizedDescription)
            }
            completionHandler(error)
        }
    }
}


If you were looking for another use case, please let me know and I can attempt to point you in the right direction.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
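The snippet above only installs the rules; the actual verdict for each connection is made in handleNewFlow(_:) and, if the flow is handed over for data inspection, in the handleInboundData/handleOutboundData callbacks. The following is an added example (not from the Apple sample and not from this thread) of a provider that sends every socket flow to handleNewFlow, refuses outbound TCP from a given code-signing identifier, and peeks at the first inbound bytes on plaintext HTTP ports. The class name, the blocked signing identifier, the port list and the payload marker are illustrative assumptions.

```swift
import NetworkExtension
import os.log

// Added example: a socket-level content filter that takes the per-flow decision
// a kext socket filter registered with sflt_register used to take.
class ExampleFilterDataProvider: NEFilterDataProvider {

    // Assumed policy: processes signed with these identifiers may not open outbound TCP flows.
    private let blockedSigningIDs: Set<String> = ["com.example.untrusted-agent"]

    // Assumed policy: inbound data on these remote ports gets a look at its first bytes.
    private let inspectedRemotePorts: Set<String> = ["80", "8080"]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // No rules plus defaultAction == .filterData means every new socket flow
        // reaches handleNewFlow(_:) below, not only flows matching a rule.
        let settings = NEFilterSettings(rules: [], defaultAction: .filterData)
        apply(settings) { error in
            if let error = error {
                os_log("Failed to apply filter settings: %{public}@", error.localizedDescription)
            }
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // With filterSockets enabled the provider sees NEFilterSocketFlow objects;
        // anything else is passed through untouched.
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            return .allow()
        }

        // Code-signing identifier of the process that owns the socket (macOS 10.15+).
        let signingID = flow.sourceAppSigningIdentifier ?? "<unsigned>"

        if socketFlow.direction == .outbound && blockedSigningIDs.contains(signingID) {
            os_log("Dropping outbound flow from %{public}@ to %{public}@:%{public}@",
                   signingID, remote.hostname, remote.port)
            return .drop()
        }

        // For plaintext HTTP ports ask for the first 512 inbound bytes, which are
        // then delivered to handleInboundData(from:readBytesStartOffset:readBytes:).
        if socketFlow.socketProtocol == IPPROTO_TCP && inspectedRemotePorts.contains(remote.port) {
            return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: 512,
                                      filterOutbound: false, peekOutboundBytes: 0)
        }

        return .allow()
    }

    override func handleInboundData(from flow: NEFilterFlow,
                                    readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        // Assumed signature: drop responses that begin with this marker.
        let marker = Data("BLOCKME".utf8)
        if readBytes.starts(with: marker) {
            return .drop()
        }
        // Otherwise let the rest of the flow through without further inspection.
        return .allow()
    }
}
```

This class runs inside a system extension, not in the app itself: the host app has to activate the extension (OSSystemExtensionRequest) and then enable the filter through NEFilterManager with an NEFilterProviderConfiguration whose filterSockets is set to true, and both targets need the Network Extension entitlement with the content-filter-provider capability. Keep the decision logic in handleNewFlow cheap: it runs synchronously for every new socket on the machine.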

Thanks for the answer.


I need to implement the split tunnel feature. To do this I need a global hook on the bind socket function, and do rebind to a different network interface for selected processes. Is this possible with Network Extensions?


Regards,

Alexey.

In Network Extensions you will want to take a look at NEPacketTunnelNetworkSettings, specifically the includedRoutes array, which will allow you to define a set of routes that will pass through your virtual interface used by the VPN tunnel. Can you tell me more about your use case for split tunneling and how it will be used? Will this include a per-app VPN?



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
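The following is an added example (not from this thread or from Apple sample code) of the route-based split tunnel that includedRoutes and excludedRoutes give you inside a packet tunnel provider: the default route goes through the utun interface and a few destination networks are excluded so they keep using the physical interface. This selects traffic by destination, not by process; the per-app routing discussed later in the thread is a separate managed configuration. The server address, the assigned client address, the DNS server and the bypassed networks are illustrative values.

```swift
import NetworkExtension
import os.log

// Added example: route-based split tunnelling in NEPacketTunnelProvider.startTunnel.
class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    // Assumed: the VPN server's public address as seen from the client.
    private let serverAddress = "203.0.113.10"

    // Assumed: destination networks that must bypass the tunnel, e.g. the local LAN
    // and a range that is reachable directly.
    private let bypassedNetworks: [(address: String, mask: String)] = [
        ("192.168.0.0", "255.255.0.0"),
        ("198.51.100.0", "255.255.255.0"),
    ]

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverAddress)

        // Address assigned to this client inside the tunnel (assumed value).
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

        // includedRoutes: by default everything is routed into the tunnel interface.
        ipv4.includedRoutes = [NEIPv4Route.default()]

        // excludedRoutes: these destinations stay on the physical interface.
        // A more specific excluded route wins over the included default route.
        ipv4.excludedRoutes = bypassedNetworks.map {
            NEIPv4Route(destinationAddress: $0.address, subnetMask: $0.mask)
        }
        settings.ipv4Settings = ipv4

        // Resolver inside the tunnel; an empty match domain makes it the default resolver.
        let dns = NEDNSSettings(servers: ["10.8.0.1"])
        dns.matchDomains = [""]
        settings.dnsSettings = dns

        // Leave room for the tunnel encapsulation overhead (assumed value).
        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                os_log("Failed to set tunnel network settings: %{public}@", error.localizedDescription)
                completionHandler(error)
                return
            }
            // From here on, packets for the included routes are delivered on
            // self.packetFlow and have to be encrypted and sent to the server;
            // the transport is outside the scope of this example.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

When auditing a split tunnel configuration, check the excludedRoutes list as carefully as the included one: every excluded network is traffic that leaves the host in the clear on the physical interface, and DNS for those destinations still goes to the tunnel resolver unless matchDomains is narrowed.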

For example, we have an IKEv2/OpenVPN connection. Some selected applications should bypass the VPN, while the other connections (from other applications) should go through the VPN connection.

OK, thanks for the context. It does sound like you are looking for a per-app managed VPN to perform this per-app routing along with your Network Extension. Take a look at the documentation for Routing Network Data to the VPN for more information on how this will work.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thank you for your answers. I'll try.


Regards,

Alexey.

Hello,

I want to write a firewall on macOS 10.15 (Filtering Network Traffic).

I found a demo ( https://developer.apple.com/documentation/networkextension/filtering_network_traffic )

It runs on macOS 10.15, and I think it is OK.


But I found "Content filter providers are only supported on supervised iOS devices."

So I want to know, could the demo run on macOS 10.15? And does it run well?


Thanks, and waiting for your response.

For writing a Firewall application on macOS 10.15, the SimpleFirewall example you have referenced is a great example to start with.


Could you be a bit more specific about your question?

| But I found "Content filter providers are only supported on supervised iOS devices."

| So I want to know, could the demo run on macOS 10.15? And does it run well?



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com