[SOLVED] Filtering outgoing TCP traffic to specific IP with macOS Network Extension

Filtering outgoing TCP traffic to specific IP with macOS Network Extension

I'm using Network Extension to filter the outgoing TCP traffic to specific IP:

import NetworkExtension
import os.log


class FilterDataProvider: NEFilterDataProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {

        let endpoint = NWHostEndpoint(hostname: "111.111.111.111", port: "0")
        let networkRule = NENetworkRule(remoteNetwork: endpoint,
                                               remotePrefix: 0,
                                               localNetwork: nil,
                                               localPrefix: 0,
                                               protocol: .TCP,
                                               direction: .outbound)
        let filterRule = NEFilterRule(networkRule: networkRule, action: .filterData)

        // Allow all flows that do not match the filter rules.
        let filterSettings = NEFilterSettings(rules: [filterRule], defaultAction: .allow)

        apply(filterSettings) { error in
            if let applyError = error {
                os_log("Failed to apply filter settings: %@", applyError.localizedDescription)
            }
            completionHandler(error)
        }
    }
    
    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {

        completionHandler()
    }
    
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {

        guard let socketFlow = flow as? NEFilterSocketFlow,
            let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint,
            let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else {
                return .allow()
        }

        os_log("Got a new flow with local endpoint %{public}@, remote endpoint %{public}@, direction %{public}@", localEndpoint, remoteEndpoint, flow.direction == .inbound ? "inbound" : "outbound")

        return .allow()
    }
}

However, I receive callbacks also for the IPs that I'm not interested in:

2021-06-02 06:58:53.333438-0700 0x1bf8     Default     0x0                  666    0    com.mycompany.MyApp: Got a new flow with local endpoint 0.0.0.0:0, remote endpoint 111.111.111.111:80, direction outbound
2021-06-02 06:59:27.487968-0700 0x1d11     Default     0x0                  666    0    com.mycompany.MyApp: Got a new flow with local endpoint 0.0.0.0:0, remote endpoint 111.222.111.222:80, direction outbound
2021-06-02 07:00:06.118907-0700 0x1d74     Default     0x0                  666    0    com.mycompany.MyApp: Got a new flow with local endpoint 0.0.0.0:0, remote endpoint 123.123.123.123:80, direction outbound

Also, when I try to intercept not only TCP traffic but also UDP, providing ".all" instead of ".TCP" in NENetworkRule constructor, I start receiving outbound AND INBOUND traffic from and to many different IPs.

What am I doing wrong? Thanks.

Solution

At less one problem I've solved. The "remotePrefix" has the meaning of subnet mask. Providing it's value of 0 was the mistake. To catch only the IP I am interested in, need to set it to 32. Described here.