It looks like NEFilterPacketProvider can intercept packets on interfaces with Ethernet and Raw IP link-layer only. Other interfaces I tested on Catalina, e.g. one with BSD loopback link-layer and with PPP link-layer, don't seem to be available for interception. So, it'd be great to mention in Apple Developer Documentation which data link-layer types this provider supports. Meanwhile good news is that NEFilterPacketProvider could intercept traffic from NETunnelProvider as it makes use of a virtual interface with Raw IP link-layer. But other VPN clients, like PulseSecure or built-in LT2P/IPsec VPN, can't be intercepted. I guess this provider has serious security limitations because users may bypass it by running VPN clients.

Hi Mat, I want to filter the packets that are being sent through a virtual interface created by a VPN client. If I go to System Preferences -> Network and create IKEv2 client, NEFilterPacketProvider can intercept the traffic before the client starts encryptying it. But this is not true for LT2P/IPsec client: # scutil --nc list * (Disconnected)   A8BD8B26-2F38-4464-BD4B-87CC64BC556C PPP --> L2TP "VPN (L2TP)" [PPP:L2TP] This issue is easily reproducible on Catalina for some other third-party VPN clients. I'm concerned that our security tool won't be able to filter or inspect traffic for apps sending the traffic through VPN servers as NEFilterPacketProvider doesn't seem to be compatible with a few VPN clients I tested.

Hi Mat, Let me clarify something. NEFilterDataProvider is designed to intercept TCP/UDP traffic only. It doesn't allow to block traffic on the Internet layer if a specific IP address is compromised. This is the main reason why we can't leave corporate/private VPN traffic as it is. Anyway we were expecting that NEFilterPacketProvider could intercept all traffic passing through existing interfaces like tcpdump does. Do you confirm that there's a bug/limitation in a way it filters outbound traffic? If yes, we won't be able to use it for our business purposes until this issue is resolved. Sincerely, Slava

Hi Mat, It's a good idea to check whether NEFilterPacketProvider intercepts packets sent via raw and bpf sockets. But the scenario we are discussing is a bit different. I send HTTP traffic to interfaces with different data link-layers. My findings are as follows: Ethernet (en0) - packets are intercepted Raw IP (utun3) - packets are intercepted BSD loopback (utun4) - packets are NOT intercepted PPP (ppp0) - packets are NOT intercepted The question is this: why NEFilterPacketProvider intercepts HTTP traffic generated by Safari only on two interfaces of four? Slava Dubrava Senior Software Developer Akamai Technologies

I have tested NEFilterDataProvider and it does intercept the traffic sent to the interfaces mentioned above. It makes sense as they are not configured with the loopback address (127.0.0.1 or ::1). The bug report number is FB9735800. Thank you for your assistance, Mat.