Hello,
I have some question about the usage of the function:
func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection)
(https://developer.apple.com/documentation/networkextension/nefilterdataprovider/3543400-update)
provided by the NEFilterDataProvider class of the content filter network extension.
If I understand correctly, this function can be used on an instance of NEFilterDataProvider to update an already issued verdict for a network flow. By "issuing verdict" I mean returning any of .allow()
/.drop()
/.init(pass: peek:)
in handleNewFlow
/handleInboundData
/handleOutboundData
However, I am having difficulty with it. My workflow involves maintaining an array of currently active flows. Flows are inserted in handleNewFlow()
and they are deleted when handleReport(report: NEFilterReport)
with event flowClosed
is called (flow identification is based on their UUID). Then, at some point in future, based on our business logic, I iterate through the container of "active flows" and attempt to call func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection)
on all of them, with intention of changing the already issued verdict.
However, calling that function seems to have no effect. Am I using it the wrong way? What is the intended usage? Is it even possible to update verdict of already allowed or postponed by .init(peek:pass:)
flows?
The issue I'm trying to solve is that we evaluate flows based on our business logic and return either .drop()
or .init(pass: peek:)
verdicts for them. Sometimes, we want to reevaluate the .init(pass: peek:)
verdict immediately, which is when we attempt to call the update() function and provide a new .init(pass:peek)
or .drop()
verdict.
The main objective is to promptly drop certain flows, particularly those awaiting further data evaluation due to .init(pass: peek)
, immediately on demand.
Thanks.