Hi!
I am porting an existing DPL system to macOS, which has one key feature: the ability to inspect the outgoing traffic of specified applications (possibly all applications) and to skip the traffic of others not included in the list.
To distinguish the traffic of the required apps I am trying to use a system network extension. Captured traffic should be diverted to our application, which acts like a regular proxy that can make one of two decisions: block/terminate the connection or allow it.
I tried the app-proxy type of network extension (NEAppProxyProvider on the sext side and NETransparentProxyManager on the "client" side).
But I am stuck with @method handleNewFlow:
How can I divert traffic to my proxy? The documentation says to call [NEAppProxyFlow openWithLocalEndpoint:completionHandler:] on the flow, and is that all? Will traffic go through my proxy? For what purposes do methods like [NEAppProxyTCPFlow readDataWithCompletionHandler:completionHandler:] or [NEAppProxyTCPFlow writeData:withCompletionHandler:] exist?
My goal is to get a network extension that acts like a transparent proxy for specified apps and diverts captured traffic to my existing proxy app, which allows or disallows the connection.
One more thing: during experimentation with the app-proxy NE I noticed that my VPN turned off when NEAppProxyProvider started. That is unacceptable, so I turned my attention to the content-filter type of NE (NEFilterDataProvider on the sext side and NEFilterManager on the "client" side).
It seems that it works "before" all VPNs and proxies, which is the desired functionality.
But again, I am stuck: how do I organize diverting the traffic to my proxy to make a decision about the connection?
As I understand it, the general algorithm looks like this: handleNewFlow: (return [NEFilterNewFlowVerdict filterDataVerdictWithFilterInbound:NO peekInboundBytes:0 filterOutbound:YES peekOutboundBytes:ChunkBytesSize];) --> handleOutboundDataFromFlow:readBytesStartOffset:readBytes:
and here, in this method, I should open a connection to my proxy and write the data. Am I correct?
I am sorry for such a complex question, but I am really confused by all these types of NE providers.
So, to summarise: how do I divert the traffic of specified apps to my proxy, which makes the decision about terminating the connection?
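The content-filter flow sketched in the post, written out as an added example (this is not code from the original post and not Apple sample code): a NEFilterDataProvider subclass that asks the system for every outbound flow, lets flows from unlisted apps through in handleNewFlow:, and holds the listed apps' flows until the first ChunkBytesSize outbound bytes arrive in handleOutboundDataFromFlow:readBytesStartOffset:readBytes:, where the allow/drop decision is made. The class name, the monitoredBundleIDs and blockedHosts sets, their sample values and the 1024-byte ChunkBytesSize are assumptions; the local deny-list in decideForHost:firstBytes: stands in for the IPC round-trip to the external proxy the post describes.

```objectivec
#import <NetworkExtension/NetworkExtension.h>

// Assumed value for the ChunkBytesSize named in the post: how many outbound bytes
// the system hands to handleOutboundDataFromFlow: before a data verdict is required.
static const NSUInteger ChunkBytesSize = 1024;

@interface FilterDataProvider : NEFilterDataProvider
// Constructed sample policy; a real deployment would receive this from the host app.
@property (nonatomic, strong) NSSet<NSString *> *monitoredBundleIDs;
@property (nonatomic, strong) NSSet<NSString *> *blockedHosts;
// Hypothetical stand-in for asking the external proxy: YES = allow, NO = terminate.
- (BOOL)decideForHost:(NSString *)host firstBytes:(NSData *)bytes;
@end

@implementation FilterDataProvider

- (void)startFilterWithCompletionHandler:(void (^)(NSError *))completionHandler {
    self.monitoredBundleIDs = [NSSet setWithObjects:@"com.example.monitored-app", nil];
    self.blockedHosts = [NSSet setWithObjects:@"203.0.113.10", nil];   // constructed (TEST-NET-3)

    // Route every outbound flow to handleNewFlow:; anything matching no rule takes the
    // default action and is allowed untouched.
    NENetworkRule *anyOutbound =
        [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0
                                        localNetwork:nil localPrefix:0
                                            protocol:NENetworkRuleProtocolAny
                                           direction:NETrafficDirectionOutbound];
    NEFilterRule *rule = [[NEFilterRule alloc] initWithNetworkRule:anyOutbound
                                                            action:NEFilterActionFilterData];
    NEFilterSettings *settings = [[NEFilterSettings alloc] initWithRules:@[rule]
                                                           defaultAction:NEFilterActionAllow];
    [self applySettings:settings completionHandler:completionHandler];
}

- (void)stopFilterWithReason:(NEProviderStopReason)reason
           completionHandler:(void (^)(void))completionHandler {
    completionHandler();
}

// First callback per flow. Flows from apps not on the list are allowed here and never
// seen again; flows from listed apps are held until the first outbound chunk arrives.
- (NEFilterNewFlowVerdict *)handleNewFlow:(NEFilterFlow *)flow {
    NSString *bundleID = flow.sourceAppIdentifier ?: @"";   // may be nil for some flows
    if (![self.monitoredBundleIDs containsObject:bundleID]) {
        return [NEFilterNewFlowVerdict allowVerdict];
    }
    return [NEFilterNewFlowVerdict filterDataVerdictWithFilterInbound:NO
                                                     peekInboundBytes:0
                                                       filterOutbound:YES
                                                    peekOutboundBytes:ChunkBytesSize];
}

// Second callback: the first ChunkBytesSize outbound bytes of a held flow. This is the
// point where the post's external proxy would be consulted.
- (NEFilterDataVerdict *)handleOutboundDataFromFlow:(NEFilterFlow *)flow
                                readBytesStartOffset:(NSUInteger)offset
                                           readBytes:(NSData *)readBytes {
    NSString *host = nil;
    if ([flow isKindOfClass:[NEFilterSocketFlow class]]) {
        NWEndpoint *remote = ((NEFilterSocketFlow *)flow).remoteEndpoint;
        if ([remote isKindOfClass:[NWHostEndpoint class]]) {
            host = ((NWHostEndpoint *)remote).hostname;
        }
    }
    if ([self decideForHost:host firstBytes:readBytes]) {
        // allowVerdict on a data verdict releases the rest of the flow; no further callbacks.
        return [NEFilterDataVerdict allowVerdict];
    }
    // dropVerdict terminates the connection; the peeked bytes never leave the machine.
    return [NEFilterDataVerdict dropVerdict];
}

// Deny-listed remote hosts are blocked, everything else is allowed. The peeked bytes are
// passed through so a content-aware policy could inspect them at the same point.
- (BOOL)decideForHost:(NSString *)host firstBytes:(NSData *)bytes {
    if (host != nil && [self.blockedHosts containsObject:host]) {
        return NO;
    }
    return YES;
}

@end
```

Two things to keep in mind when trying this: the provider only ever sees the first peeked chunk of a held flow, so a decision that needs more context should return a dataVerdictWithPassBytes:peekBytes: instead of allowVerdict to keep receiving data; and the extension is activated from the host app through NEFilterManager, as the post already describes for the "client" side, so none of these callbacks fire until that configuration is saved and enabled.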
Hi to all.

I am developing a network extension and have several issues that I faced and have no idea how to solve. So:

1. There is a sandboxed application that can install/uninstall its own network extension.
2. There is an App Group (https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_application-groups?language=objc); the sandboxed application and the corresponding network extension are included in the group via their own entitlement files.
3. The App Group is registered manually on https://developer.apple.com/account/resources/identifiers/list/applicationGroup, and the same identifier is used in the corresponding entitlement files. The identifier on the site looks like "group.TEAM_ID.com.company.app-group". The identifier in the entitlements looks like "TEAM_ID.com.company.app-group", i.e. without the preceding "group".
4. It is required to use a unix domain socket for IPC between the sandboxed application and the network extension (I am porting existing software, so this is not a blind requirement). According to this document (https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW19) the developer should use the same app group, which I do.
5. I am using com.apple.security.temporary-exception.files.home-relative-path.read-write in the network extension's entitlements to specify the name of the unix domain socket.
6. When the network extension starts, it fails to create the socket and gets an EPERM error. I can observe the created "/var/root/Library/Group Containers/TEAM_ID.com.company.app-group" folder, but there is no socket.
7. Moreover, I can observe this error in Console.app: "com.company.MyNetworkExtention: Unsatisfied entitlements: com.apple.security.application-groups"
8. Moreover, I can't write anything to the file system in my sandbox from the network extension; the function NSTemporaryDirectory() returns "<private>".

Any help is greatly appreciated.
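For the socket creation in point 6, here is an added diagnostic (constructed for this thread, not the poster's code, and not a fix for the entitlement problem itself) that creates the listening unix domain socket inside the App Group container. It resolves the container path with NSFileManager's containerURLForSecurityApplicationGroupIdentifier: instead of hard-coding "/var/root/Library/Group Containers/...", checks the sun_path length limit, and reports errno at every step, so an EPERM from bind() can be told apart from a missing container (the sandbox not honouring the group entitlement) or an over-long path. The group identifier, socket name and function name are placeholders.

```objectivec
#import <Foundation/Foundation.h>
#import <sys/socket.h>
#import <sys/un.h>
#import <unistd.h>
#import <string.h>
#import <errno.h>

// Hypothetical helper: bind and listen on <group container>/<name>. Returns the listening
// descriptor, or -1 with a human-readable explanation in *reason.
static int ListenOnGroupSocket(NSString *groupID, NSString *name, NSString **reason) {
    // The entitlement, not the path, decides whether this returns non-nil; a nil result is
    // the programmatic counterpart of the "Unsatisfied entitlements" line in Console.app.
    NSURL *container = [[NSFileManager defaultManager]
                        containerURLForSecurityApplicationGroupIdentifier:groupID];
    if (container == nil) {
        *reason = [NSString stringWithFormat:@"no container for group %@ (entitlement not honoured?)", groupID];
        return -1;
    }
    NSString *path = [container.path stringByAppendingPathComponent:name];

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    // sun_path is 104 bytes on macOS and group container paths are long; check before binding.
    const char *cpath = path.fileSystemRepresentation;
    if (strlen(cpath) >= sizeof addr.sun_path) {
        *reason = [NSString stringWithFormat:@"path too long for sun_path: %@", path];
        return -1;
    }
    strlcpy(addr.sun_path, cpath, sizeof addr.sun_path);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        *reason = [NSString stringWithFormat:@"socket(): %s (errno %d)", strerror(errno), errno];
        return -1;
    }
    unlink(cpath);   // a stale socket file from a previous run would make bind() fail with EADDRINUSE
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        // EPERM here, with a non-nil container, points at the sandbox denying the write.
        *reason = [NSString stringWithFormat:@"bind(%@): %s (errno %d)", path, strerror(errno), errno];
        close(fd);
        return -1;
    }
    if (listen(fd, 8) != 0) {
        *reason = [NSString stringWithFormat:@"listen(): %s (errno %d)", strerror(errno), errno];
        close(fd);
        unlink(cpath);
        return -1;
    }
    *reason = nil;
    return fd;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSString *reason = nil;
        // Placeholder group id in the form the post describes (TEAM_ID.com.company.app-group).
        int fd = ListenOnGroupSocket(@"TEAM_ID.com.company.app-group", @"ipc.sock", &reason);
        if (fd < 0) {
            NSLog(@"socket setup failed: %@", reason);
            return 1;
        }
        NSLog(@"listening on fd %d", fd);
        close(fd);
    }
    return 0;
}
```

Run this from the extension's startup path and compare the logged reason with the Console.app message: if the container URL is nil, the group entitlement is the thing to fix; if the container resolves but bind() still returns EPERM, the sandbox is rejecting the write itself, which is a separate problem from the group membership.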