provide some samples using content filters in objective c or c++ to register network extensions, to catch all non-browser network operations

Hi, I am new to network extensions and content filters.

On my MacBook Pro, I have one C++ application in user space, one kernel module, and an IOKit interface between them to exchange messages. I have some hook functions for network operation APIs like socket() and connect(). If any network operation is performed, I catch it in the hook functions, perform policy evaluation on it in the kernel, and perform my own actions.

Now I want to remove the hook functions in the kernel and catch network operations using content filters in my C++ application in user space. Once I catch network operations using a content filter, I want to evaluate my own policies on them and perform my own actions based on the result.

I have done some R&D about this but have not found samples on content filters in Objective-C or C++, except the SimpleFirewall example in Swift.

Could anyone please provide some samples in Objective-C or C++ to register network extensions, catch all non-browser network operations, and extract local & remote address (port & IP) details?

Then I can refer to the samples to get network operation details in user space in my C++ application, and I will send those details to the kernel using IOKit to evaluate my own rules and perform my own actions.

Thanks.


Replies

not found samples on content filters in Objective-C or C++ except the SimpleFirewall example in Swift.

Could anyone please provide some samples in Objective-C or C++ to register network extensions, to catch all non-browser network operations,

Right, the Simple Firewall example is written in Swift; however, if you run into any issues with pieces of code from that example that you need to convert to Objective-C, just let me know and I can attempt to help out.

For example, you mentioned you had a need to catch all non-browser-based flows. This very general rule should allow you to get started, and then you will have to weed out your flows based on what you can match as being browser-based from there.

@import NetworkExtension;
@import os.log;

// Inside the NEFilterDataProvider subclass; self.log is an os_log_t property.
- (void)startFilterWithCompletionHandler:(void (^)(NSError *error))completionHandler {
    // Remote network 0.0.0.0 with prefix 0 and port 0 matches every remote host and port.
    NWHostEndpoint *hostEndpoint = [NWHostEndpoint endpointWithHostname:@"0.0.0.0" port:@"0"];
    NENetworkRule *anyHostAndPortRule = [[NENetworkRule alloc] initWithRemoteNetwork:hostEndpoint
                                                                        remotePrefix:0
                                                                        localNetwork:nil
                                                                         localPrefix:0
                                                                            protocol:NENetworkRuleProtocolAny
                                                                           direction:NETrafficDirectionAny];
    // Flows matching the rule are delivered to handleNewFlow:; anything unmatched is allowed.
    NEFilterRule *filterRule = [[NEFilterRule alloc] initWithNetworkRule:anyHostAndPortRule
                                                                  action:NEFilterActionFilterData];
    NEFilterSettings *filterSettings = [[NEFilterSettings alloc] initWithRules:@[filterRule]
                                                                 defaultAction:NEFilterActionAllow];
    [self applySettings:filterSettings completionHandler:^(NSError *error) {
        if (error != nil) {
            os_log(self.log, "Failed to apply filter settings: %{public}@", error.localizedDescription);
        }
        completionHandler(error);
    }];
}

- (NEFilterNewFlowVerdict *)handleNewFlow:(NEFilterFlow *)flow {
    os_log(self.log, "handleNewFlow with flow: %{public}@", flow.description);
    ...
}



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
  • Can anyone provide me the equivalent Objective-C code for the Simple Firewall Project? Email-shajonsinhasha@

Thanks for the reply. I have one doubt. I want to add network extension support from my C++ application. Is it possible to add the support from my C++ application?

It depends what you mean here. If you want to take your existing C++ code and port it directly into your Network Extension to hook and filter network traffic, then that will not work. You will need to rely on the Network Extension APIs, depending upon the route you take here, to filter and deliver the connection to you. From there, if you want to perform policy evaluation based on a specific set of logic you have designed in C++, then this piece could be ported over and interop with Objective-C.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thanks for your response.

Here my intention is: I will remove my hooking calls and write functionality using content filters in my C++ application with Objective-C or Objective-C++. This functionality should have the ability to catch all TCP/UDP operations; I will perform my policies on these events by porting/calling my APIs, and I don't want app functionality like in SimpleFirewall. Is this possible? Or does this need to be an app to support content filters?

To do this, as part of my application I am trying to write the functionality below from the main.swift & FilterDataProvider.swift files of SimpleFirewall using Objective-C.
  • First, I will register system extension mode using NEProvider.startSystemExtensionMode()

  • Second, I will override startFilter() in FilterDataProvider & write a filter rule to catch all TCP/UDP operations

  • Third, I will override handleNewFlow() & evaluate my own policies by reading NEFilterSocketFlow parameters like port & IP.

Apart from the above three steps, do I need to perform any other steps to catch TCP/UDP operations using Content Filter rules?

I have noticed a few functions in SimpleFirewall in the IPCConnection.swift (startListener(), listener(), register()) & ViewController.swift (loadFilterConfiguration, extensionBundle, enableFilterConfiguration()) files. I think these are related to the app. Am I correct? Please help me on this.

This functionality should have the ability to catch all TCP/UDP operations; I will perform my policies on these events by porting/calling my APIs, and I don't want app functionality like in SimpleFirewall. Is this possible? Or does this need to be an app to support content filters?

Yes. To prove my statement I would suggest creating a POC project in Objective-C that is a recreation of the logic in Simple Firewall. Instead of pausing the flow and sending it to the container app for approval and then resuming the flow, you could pause the flow and run it through your custom filtering logic, make a decision, and then resume it.

To do this, as part of my application I am trying to write the functionality below from the main.swift & FilterDataProvider.swift files of SimpleFirewall using Objective-C.

Excellent.

Do I need to perform any other steps to catch TCP/UDP operations using Content Filter rules?

I believe you covered this in your above steps, but you will want to make sure your container app installs the Network System Extension, configures and saves the new Network Configuration, and, as you mentioned, starts the filter. From there, using the previous filter I provided, you should be able to start catching TCP/UDP flows in handleNewFlow.

I have noticed a few functions in SimpleFirewall in the IPCConnection.swift (startListener(), listener(), register()) & ViewController.swift (loadFilterConfiguration, extensionBundle, enableFilterConfiguration()) files. I think these are related to the app. Am I correct? Please help me on this.

Yes, this is communication back and forth between the container app and the Network System Extension. This provides the prompt for the user to allow/deny the flow, sets up the user interface for that, and provides the response back to the extension. As mentioned above, this is where you could skip this logic and add your own custom filtering logic into the process. What I like to do when testing or rebuilding projects like this is to just set up handleNewFlow to return [NEFilterNewFlowVerdict allowVerdict] each time. That way you can get a feel for the data provided here and start to get an idea of where you want to go next.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
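A fuller Objective-C handleNewFlow: along the lines Matt describes, added here as an illustration; it is not code from this thread or from Apple's Simple Firewall sample. It assumes a NEFilterDataProvider subclass named FilterDataProvider (the class the extension's Info.plist NEProviderClasses entry points at), an os_log_t property named log, a hypothetical PolicyAllowsConnection() standing in for the poster's own C++ rule engine, and a constructed list of browser signing identifiers. It shows where the local and remote IP/port and the originating app's signing identifier come from on an NEFilterSocketFlow, and how the policy result becomes an allow or drop verdict; the catch-all startFilterWithCompletionHandler: from Matt's snippet above is assumed to be present in the same class.

```objc
// Added illustration, not code from the thread or Apple's Simple Firewall sample.
// Assumptions: FilterDataProvider is the NEFilterDataProvider subclass named in the
// extension's Info.plist, `log` is an os_log_t property, and PolicyAllowsConnection()
// is a hypothetical stand-in for the poster's C++ policy engine.
@import Foundation;
@import NetworkExtension;
@import os.log;
#include <netinet/in.h>   // IPPROTO_TCP / IPPROTO_UDP

// Hypothetical bridge into the policy engine. In an Objective-C++ (.mm) file this
// could call C++ directly. Constructed rule for the example: refuse remote port 23.
static BOOL PolicyAllowsConnection(NSString *proto, NSString *remoteHost, NSString *remotePort,
                                   NSString *localHost, NSString *localPort, NSString *signingID) {
    return ![remotePort isEqualToString:@"23"];
}

// Constructed list of browser code-signing identifiers whose flows are passed through.
static NSSet<NSString *> *BrowserSigningIDs(void) {
    static NSSet<NSString *> *ids;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        ids = [NSSet setWithArray:@[@"com.apple.Safari", @"com.google.Chrome", @"org.mozilla.firefox"]];
    });
    return ids;
}

@interface FilterDataProvider : NEFilterDataProvider
@property (nonatomic, strong) os_log_t log;
@end

@implementation FilterDataProvider

- (instancetype)init {
    if ((self = [super init])) {
        _log = os_log_create("com.example.filter", "provider");   // placeholder subsystem name
    }
    return self;
}

- (NEFilterNewFlowVerdict *)handleNewFlow:(NEFilterFlow *)flow {
    // With filterSockets enabled in the configuration, flows arrive as NEFilterSocketFlow.
    if (![flow isKindOfClass:[NEFilterSocketFlow class]]) {
        return [NEFilterNewFlowVerdict allowVerdict];
    }
    NEFilterSocketFlow *socketFlow = (NEFilterSocketFlow *)flow;

    // Browser flows are recognised by the originating app's signing identifier and let through.
    NSString *signingID = socketFlow.sourceAppSigningIdentifier ?: @"";
    if ([BrowserSigningIDs() containsObject:signingID]) {
        return [NEFilterNewFlowVerdict allowVerdict];
    }

    // Endpoints are NWHostEndpoint objects: hostname carries the IP literal, port the port string.
    // Messaging a nil endpoint yields nil, which the ?: fallbacks turn into "?".
    NWHostEndpoint *remote = (NWHostEndpoint *)socketFlow.remoteEndpoint;
    NWHostEndpoint *local  = (NWHostEndpoint *)socketFlow.localEndpoint;
    NSString *remoteHost = remote.hostname ?: @"?";
    NSString *remotePort = remote.port ?: @"?";
    NSString *localHost  = local.hostname ?: @"?";
    NSString *localPort  = local.port ?: @"?";

    NSString *proto;
    switch (socketFlow.socketProtocol) {
        case IPPROTO_TCP: proto = @"tcp";   break;
        case IPPROTO_UDP: proto = @"udp";   break;
        default:          proto = @"other"; break;
    }

    os_log(self.log, "%{public}@ %{public}@ %{public}@:%{public}@ -> %{public}@:%{public}@",
           signingID, proto, localHost, localPort, remoteHost, remotePort);

    // Hand the tuple to the policy engine and turn its answer into a verdict.
    if (!PolicyAllowsConnection(proto, remoteHost, remotePort, localHost, localPort, signingID)) {
        return [NEFilterNewFlowVerdict dropVerdict];
    }
    return [NEFilterNewFlowVerdict allowVerdict];
}

@end

// Extension entry point (main.m): hand control to the system extension machinery,
// which instantiates the provider class named in Info.plist.
int main(int argc, const char *argv[]) {
    @autoreleasepool {
        [NEProvider startSystemExtensionMode];
    }
    dispatch_main();
}
```

Returning a drop verdict from handleNewFlow: is the synchronous form of the decision; if the C++ evaluation is slow or has to round-trip to another process, return [NEFilterNewFlowVerdict pauseVerdict] instead and call resumeFlow:withVerdict: later, which is the pause/resume pattern Matt mentions above.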
Thanks for the great response. As per your inputs, the following are my steps to make TCP/UDP traffic filtering work from my C++ application.
  • I will write a wrapper class in Objective-C which covers the functionality in main.swift & FilterDataProvider.swift (NEProvider.startSystemExtensionMode(), startFilter(), handleNewFlow())

  • I will call the above Objective-C API (startSystemExtensionMode) to start System Extension Mode from my C++ application

  • After the above step, if my understanding is correct, if I perform any TCP operation then I will get into handleNewFlow()

  • I will perform my custom policies and return an NEFilterNewFlowVerdict.

I am asking this to confirm my understanding. Please don't hesitate.

I have noticed the loadFilterConfiguration() API about NEFilterProviderConfiguration & var extensionBundle: Bundle in ViewController.swift. Are these not required?

I think to deploy a system extension or network extension module, you need an app bundle. A command line app built from C, Objective-C, or C++ won't be able to deploy the network extension module.

If my understanding is correct, you can deploy the SE module using a dummy app, but using some sort of IPC connection, your C++ CLI app can communicate with the SE module.

Correct me if I'm wrong; I'm trying to do the exact same steps as you.

I think to deploy a system extension or network extension module, you need an app bundle. A command line app built from C, Objective-C, or C++ won't be able to deploy the network extension module.

Yes, to install the system extension and allow the network configuration to be installed, you will need to have a container-like app bundle to prompt the user in both steps.


If my understanding is correct, you can deploy the SE module using a dummy app, but using some sort of IPC connection, your C++ CLI app can communicate with the SE module.

If you mean that you can deploy a Network System Extension through the normal container app process described above, and then communicate from the Network System Extension to a system daemon through an XPC service, then yes, this should be possible.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
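The container-app side that Matt says is needed (activating the system extension and then saving an enabled filter configuration), written in Objective-C as an added illustration; it is not code from this thread or from Apple's Simple Firewall sample, and it is the Objective-C counterpart of the loadFilterConfiguration / enableFilterConfiguration steps the poster saw in ViewController.swift. It assumes an extension bundle identifier of "com.example.filter.extension" (a placeholder) embedded under the app's Contents/Library/SystemExtensions, and a class named ExtensionInstaller that the app creates on launch.

```objc
// Added illustration, not code from the thread or Apple's Simple Firewall sample.
// Assumptions: the system extension "com.example.filter.extension" (placeholder
// identifier) is embedded in the container app; ExtensionInstaller is our own class.
@import Foundation;
@import NetworkExtension;
@import SystemExtensions;
@import os.log;

@interface ExtensionInstaller : NSObject <OSSystemExtensionRequestDelegate>
@property (nonatomic, copy) NSString *extensionIdentifier;
- (void)install;
@end

@implementation ExtensionInstaller

// Step 1: submit an activation request. On first install macOS asks the user to
// approve the extension in System Preferences; the delegate is told the outcome.
- (void)install {
    OSSystemExtensionRequest *request =
        [OSSystemExtensionRequest activationRequestForExtension:self.extensionIdentifier
                                                          queue:dispatch_get_main_queue()];
    request.delegate = self;
    [[OSSystemExtensionManager sharedManager] submitRequest:request];
}

// Step 2: load the filter configuration, create a socket-filtering one if none exists,
// enable it and save. Saving triggers the second user prompt and starts the provider.
- (void)enableFilterConfiguration {
    NEFilterManager *manager = [NEFilterManager sharedManager];
    [manager loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
        if (loadError != nil) {
            os_log_error(OS_LOG_DEFAULT, "load failed: %{public}@", loadError.localizedDescription);
            return;
        }
        if (manager.providerConfiguration == nil) {
            NEFilterProviderConfiguration *config = [[NEFilterProviderConfiguration alloc] init];
            config.filterSockets = YES;   // flows reach handleNewFlow: as NEFilterSocketFlow
            config.filterPackets = NO;    // no packet-level provider in this design
            manager.providerConfiguration = config;
            manager.localizedDescription = @"Example Content Filter";   // placeholder name
        }
        manager.enabled = YES;
        [manager saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError != nil) {
                os_log_error(OS_LOG_DEFAULT, "save failed: %{public}@", saveError.localizedDescription);
            } else {
                os_log(OS_LOG_DEFAULT, "content filter configuration saved and enabled");
            }
        }];
    }];
}

#pragma mark - OSSystemExtensionRequestDelegate

- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
                  actionForReplacingExtension:(OSSystemExtensionProperties *)existing
                                withExtension:(OSSystemExtensionProperties *)ext {
    // An older build of our own extension is replaced in place.
    return OSSystemExtensionReplacementActionReplace;
}

- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request {
    os_log(OS_LOG_DEFAULT, "waiting for the user to approve the system extension");
}

- (void)request:(OSSystemExtensionRequest *)request
didFinishWithResult:(OSSystemExtensionRequestResult)result {
    if (result == OSSystemExtensionRequestCompleted) {
        [self enableFilterConfiguration];
    } else {
        os_log(OS_LOG_DEFAULT, "activation will complete after reboot");
    }
}

- (void)request:(OSSystemExtensionRequest *)request didFailWithError:(NSError *)error {
    os_log_error(OS_LOG_DEFAULT, "activation failed: %{public}@", error.localizedDescription);
}

@end

// Typical use from the app delegate (the installer must stay alive while the request runs):
//   ExtensionInstaller *installer = [[ExtensionInstaller alloc] init];
//   installer.extensionIdentifier = @"com.example.filter.extension";
//   [installer install];
```

Both prompts are the reason a plain command-line C++ binary cannot do this on its own: the activation request and the NEFilterManager save each need the app bundle's entitlements and an approving user, after which the C++ code runs either inside the extension (as Objective-C++) or in a separate daemon the extension talks to over XPC, as the last reply describes.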