CFIL: Falied to create UDP flow

App & System Services Networking
windpx
windpx OP
Created Apr ’23
Replies 6
Boosts 0
Views 992
Participants 2

I am developing a firewall program to block some DNS requests. It works normally on most Mac computers, but a few computers experience internet connectivity issues after installing the firewall. I have noticed a large number of logs in the console, such as "CFIL: Failed to create UDP flow".

I want to know what caused this?

Here is my code

override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
    guard
        let socketFlow = flow as? NEFilterSocketFlow,
        let endpoint = socketFlow.remoteEndpoint as? NWHostEndpoint,
        let appToken = flow.sourceAppAuditToken
    else {
        return .allow()
    }

    if endpoint.port == "53" && socketFlow.socketProtocol == IPPROTO_UDP {
        return .filterDataVerdict(
            withFilterInbound: false,
            peekInboundBytes: 0,
            filterOutbound: true,
            peekOutboundBytes: 1560)
    }
    return .allow()
}

override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict {
    guard
        let socketFlow = flow as? NEFilterSocketFlow,
        let endpoint = socketFlow.remoteEndpoint as? NWHostEndpoint,
        let appToken = flow.sourceAppAuditToken
    else {
        return .allow()
    }
    
    /* find rule... */
    
    if let ruleName = ruleName {
        return .drop()
    }

    return .allow()
}
Replies  6
Boosts  0
Views  992
Participants  2
Apple Staff, Systems Engineer
Systems Engineer OP
Apple
Apr ’23

Would you be able to post any more logs that associate with these issues? For example, could you post the complete log that you mentioned with any other associated logs around it. Please also make sure to redact and sensitive information.

0
windpx
windpx OP
Apr ’23 
default	2023-04-17 13:40:21.471858 +0800	kernel	cfil_sock_udp_handle_data:6495 CFIL: Falied to create UDP flow
error	2023-04-17 13:40:21.471879 +0800	mDNSResponder	sending to <IPv4:BBEgZPbq> failed: [32: Broken pipe]
default	2023-04-17 13:40:21.471894 +0800	mDNSResponder	[Q32291] Sent 37-byte query #5 to <IPv4:BBEgZPbq> over UDP via en0/6 -- id: 0x1886 (6278), flags: 0x0100 (Q/Query, RD, NoError), counts: 1/0/0/0, BBWaCfNd IN HTTPS?
default	2023-04-17 13:40:21.471934 +0800	kernel	cfil_sock_udp_handle_data:6495 CFIL: Falied to create UDP flow
error	2023-04-17 13:40:21.471987 +0800	mDNSResponder	sending to <IPv4:BBEgZPbq> failed: [32: Broken pipe]
default	2023-04-17 13:40:21.472002 +0800	mDNSResponder	[Q20160] Sent 37-byte query #5 to <IPv4:BBEgZPbq> over UDP via en0/6 -- id: 0xAF28 (44840), flags: 0x0100 (Q/Query, RD, NoError), counts: 1/0/0/0, BBWaCfNd IN A?
default	2023-04-17 13:40:21.472042 +0800	kernel	cfil_sock_udp_handle_data:6495 CFIL: Falied to create UDP flow
error	2023-04-17 13:40:21.472067 +0800	mDNSResponder	sending to <IPv4:BBEgZPbq> failed: [32: Broken pipe]
default	2023-04-17 13:40:21.472068 +0800	kernel	PMRD: kIOMessageSystemWillPowerOn to com.apple.iokit.IONetworkingFamily
default	2023-04-17 13:40:21.472100 +0800	mDNSResponder	[Q21000] Sent 48-byte query #7 to <IPv4:BBEgZPbq> over UDP via en0/6 -- id: 0xBB72 (47986), flags: 0x0100 (Q/Query, RD, NoError), counts: 1/0/0/0, BBAdvaQU IN HTTPS?
default	2023-04-17 13:40:21.472129 +0800	mDNSResponder	[R850] getaddrinfo stop -- hostname: <mask.hash: 'IUEDPruiVj0cmSGVftMKvQ=='>, client pid: 1417 (Core Sync)
default	2023-04-17 13:40:21.472137 +0800	mDNSResponder	[Q35650] Keeping orphaned querier for up to 5 seconds
default	2023-04-17 13:40:21.472148 +0800	kernel	cfil_sock_udp_handle_data:6495 CFIL: Falied to create UDP flow
default	2023-04-17 13:40:21.472156 +0800	mDNSResponder	[Q41] Keeping orphaned querier for up to 5 seconds
error	2023-04-17 13:40:21.472171 +0800	mDNSResponder	sending to <IPv4:BBEgZPbq> failed: [32: Broken pipe]
default	2023-04-17 13:40:21.472198 +0800	mDNSResponder	[Q32014] Sent 48-byte query #7 to <IPv4:BBEgZPbq> over UDP via en0/6 -- id: 0x1406 (5126), flags: 0x0100 (Q/Query, RD, NoError), counts: 1/0/0/0, BBAdvaQU IN A?
0
Apple Staff, Systems Engineer
Systems Engineer OP
Apple
Apr ’23

Thank you for updating the post with the logs. Okay, so you can actually see where this error is happening in our open source docs here. What I think is happening is that there is no local endpoint here and so these logs are emitted. Do you happen to see the same thing "IF" the local endpoint is present (which it may not be because it's UDP)?

0
windpx
windpx OP
Apr ’23

Thank you for your reply.

There are multiple content filters on my computer. I want to know if there will be conflicts. Once tow content filters are installed at the same time, some computers may have a problem with DNS resolution. A large number of "CFIL: Falied to create UDP flow" logs will appear in the console. Then, if I uninstall one of the content filters, the computer will return to normal, and the above-mentioned logs will no longer be displayed. Additionally, in most computers, I haven't observed the above-mentioned logs. Is there a way for me to reproduce the issue you mentioned?

0
Apple Staff, Systems Engineer
Systems Engineer OP
Apple
Apr ’23

There are multiple content filters on my computer. Once tow content filters are installed at the same time, some computers may have a problem with DNS resolution. A large number of "CFIL: Falied to create UDP flow" logs will appear in the console. Then, if I uninstall one of the content filters, the computer will return to normal,

Yes, strange issue often show up when there are two or more content filters or even Network Extensions that are try to delegate or handle the same traffic so this does not surprise me.

Regarding:

Is there a way for me to reproduce the issue you mentioned?

One way to attempt to reproduce this is to setup two bare bones content filters that claims that exact same traffic and try to route them through the handleOutboundData paths as you are.

0
windpx
windpx OP
Apr ’23

Yes, strange issue often show up when there are two or more content filters or even Network Extensions that are try to delegate or handle the same traffic so this does not surprise me.

I would like to know what caused this problem? Is there no solution?

0
CFIL: Falied to create UDP flow
First post date Last post date
 
 
Q