Does NEFilterPacketProvider provide virtual interface traffic?

We are moving our network kernel extension to a NetworkExtension system extension. We use NEFilterPacketProvider to monitor all network traffic on a host. In testing we found that even though NEFilterPacketProvider provides packets from/to physical interfaces, it doesn't provide any virtual interface traffic, such as loopback or utun[x] traffic, which we used to be able to intercept with an IP filter in the network kernel extension. Is that intentional in the new NetworkExtension? If not, what should we do to correctly receive virtual interface traffic (utun traffic particularly) using NEFilterPacketProvider?

Replies

Yes, you would need to open an enhancement request for this. Also, what are you in need of this information for in your NEFilterPacketProvider? If you open an enhancement request, please follow up with the ID number so I can copy myself on it.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks @meaton for help!

I've created feedback FB7721570. We need this information to properly identify and whitelist VPN internal traffic.

Thank you. I see the Feedback internally here and have requested to be notified when updates are made. I will keep this thread updated as I hear more.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thank you very much @meaton!

Hi, this ticket is 1 year old. Is there any update on this? I am also evaluating NEFilterPacketProvider for our product and see that the limitations above are still present.

NEFilterPacketProvider is designed for implementing custom firewalls/content filters. How can it be used reliably if all that is needed to bypass it is a simple VPN installation?

Are there any alternatives we can use to reliably catch all inbound and outbound packets on all interfaces, including utun and loopback?

How can it be used reliably if all that is needed to bypass it is a simple VPN installation?

I took a look at the bug report and it could not be reliably reproduced. If you are seeing this on your end, then I would encourage you to open a bug report. However, when you do, please add a sample project that reproduces the issue.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

It looks like NEFilterPacketProvider can intercept packets on interfaces with Ethernet and Raw IP link layers only. Other interfaces I tested on Catalina, e.g. one with a BSD loopback link layer and one with a PPP link layer, don't seem to be available for interception. So it'd be great to mention in the Apple Developer Documentation which data link-layer types this provider supports.

Meanwhile, the good news is that NEFilterPacketProvider can intercept traffic from NETunnelProvider, as it makes use of a virtual interface with a Raw IP link layer. But other VPN clients, like PulseSecure or the built-in L2TP/IPsec VPN, can't be intercepted. I guess this provider has serious security limitations because users may bypass it by running VPN clients.
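The practical question running through this thread is which interfaces actually hand packets to the provider on a given macOS release. The following is an added example, not code posted by any participant here and not Apple sample code: an audit-only NEFilterPacketProvider subclass that allows every packet but records, per interface name, the interface type reported by the Network framework and a packet count, logging each interface the first time it is seen and a summary when the filter stops. Running it while generating loopback and VPN traffic gives a direct, reproducible answer to "is utun/lo0 delivered?" that can be attached to a bug report. The subsystem string is a placeholder; the mapping of utun interfaces to `.other` is an assumption to be checked against the log output rather than a documented guarantee.

```swift
import Foundation
import Network
import NetworkExtension
import os.log

/// Audit-only packet filter (added example, not from the thread): never drops anything,
/// only records which interfaces deliver packets so the coverage of the provider can be verified.
final class InterfaceAuditFilter: NEFilterPacketProvider {

    // Placeholder subsystem; replace with the extension's bundle identifier.
    private let log = OSLog(subsystem: "com.example.interface-audit", category: "audit")
    private let lock = NSLock()
    private var seen: [String: (type: nw_interface_type_t, count: Int)] = [:]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // The handler runs on the provider's own queue for every packet; keep it short.
        packetHandler = { [weak self] _, interface, direction, bytes, length in
            self?.record(interface: interface, direction: direction, bytes: bytes, length: length)
            return .allow   // audit only: the verdict is never changed
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        lock.lock(); let snapshot = seen; lock.unlock()
        for (name, entry) in snapshot.sorted(by: { $0.key < $1.key }) {
            os_log("summary: %{public}@ type=%{public}@ packets=%d",
                   log: log, type: .info, name, Self.describe(entry.type), entry.count)
        }
        completionHandler()
    }

    private func record(interface: nw_interface_t, direction: NETrafficDirection,
                        bytes: UnsafeRawPointer, length: Int) {
        let name = String(cString: nw_interface_get_name(interface))
        let type = nw_interface_get_type(interface)
        let proto = Self.transportProtocol(bytes: bytes, length: length)

        lock.lock()
        let firstSighting = seen[name] == nil
        var entry = seen[name] ?? (type: type, count: 0)
        entry.count += 1
        seen[name] = entry
        lock.unlock()

        // Log once per interface so a VPN or loopback test does not flood the log.
        if firstSighting {
            os_log("first packet on %{public}@ type=%{public}@ direction=%d ipproto=%d",
                   log: log, type: .info, name, Self.describe(type),
                   direction.rawValue, Int(proto ?? 0))
        }
    }

    /// Human-readable interface type. Virtual interfaces such as utun are assumed
    /// (not documented) to report `.other`; confirm against the log output.
    static func describe(_ type: nw_interface_type_t) -> String {
        switch type {
        case .wifi:     return "wifi"
        case .cellular: return "cellular"
        case .wired:    return "wired"
        case .loopback: return "loopback"
        case .other:    return "other"
        @unknown default: return "unknown"
        }
    }

    /// Reads the transport protocol number from a raw IPv4 (offset 9) or IPv6 (offset 6)
    /// header. Returns nil when the buffer is shorter than the fixed header, so a
    /// truncated or non-IP buffer is never read out of bounds.
    static func transportProtocol(bytes: UnsafeRawPointer, length: Int) -> UInt8? {
        guard length >= 1 else { return nil }
        let version = bytes.load(as: UInt8.self) >> 4
        switch version {
        case 4 where length >= 20: return bytes.load(fromByteOffset: 9, as: UInt8.self)
        case 6 where length >= 40: return bytes.load(fromByteOffset: 6, as: UInt8.self)
        default: return nil
        }
    }
}
```

To use it, point the `NSExtensionPrincipalClass` of the filter-packet system extension at this class, start the filter from the host app with `NEFilterManager`, then send traffic over loopback and through the VPN under test and read the `audit` category in Console. An interface that never appears in the "first packet" lines is one the provider is not delivering, which is exactly the evidence a reproducible bug report needs.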