Hi
1. Network Extension documents are either in Objective-C or Swift. Does the Network Extension API support C++? If yes, is there any document?
2. In the real world, many Network Extensions (e.g. content filters) will be running, developed by different vendors like antivirus vendors, firewall vendors, etc. How does the Network Extension framework arbitrate/adjudicate among multiple Network Extensions running simultaneously on the system?
Thanks
Anand
Hi
I am building my component for M1. I chose the universal binary.
My component uses the Boost static lib. Boost builds for x86_64 and arm64 separately.
Xcode does not provide two options to link different-arch libs.
Please suggest to me how to link a lib if the 3rd-party build process does not offer a universal static lib.
Regards,
Anand Choubey
Hi,
I do not find any new feature or bug fix info in the macOS 12 beta release notes.
Is there a future for any new Network Extension in macOS 12?
Regards,
Anand Choubey
Hi
Does the inbuilt iOS VPN support FedRAMP?
Thanks
Hi
I am building a NETransparentProxyProvider proxy. I am observing a problem with L2TP over IPsec VPN: as soon as the following UDP filter is set, the L2TP over IPsec VPN is disconnected after some time.
includeRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                              remotePrefix:0
                                              localNetwork:nil
                                               localPrefix:0
                                                  protocol:NENetworkRuleProtocolUDP
                                                 direction:NETrafficDirectionOutbound];
In this case, Wireshark capture shows only outgoing packets on the ppp0 interface.
I also set up exception rules that bypass UDP ports 500/4500:
NSMutableArray<NENetworkRule *> *excludeRules = [NSMutableArray array];

NSString *ipAddress = [NSString stringWithUTF8String:"0.0.0.0"];
NSString *portNum = [NSString stringWithUTF8String:"500"];
NWHostEndpoint *endpoint = [NWHostEndpoint endpointWithHostname:ipAddress port:portNum];
NENetworkRule *rule = [[NENetworkRule alloc] initWithDestinationNetwork:endpoint
                                                                 prefix:0
                                                               protocol:NENetworkRuleProtocolAny];
[excludeRules addObject:rule];

ipAddress = [NSString stringWithUTF8String:"0.0.0.0"];
portNum = [NSString stringWithUTF8String:"4500"];
endpoint = [NWHostEndpoint endpointWithHostname:ipAddress port:portNum];
rule = [[NENetworkRule alloc] initWithDestinationNetwork:endpoint
                                                  prefix:0
                                                protocol:NENetworkRuleProtocolAny];
[excludeRules addObject:rule];
Always returning NO in handleNewUDPFlow:
- (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
   initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint {
    return NO;
}
Neither option resolved the issue.
Please give me some pointers to resolve it.
I am running 11.3.1.
Hi
Does osinstallersetupd (the OS update process) not work in the presence of an App Proxy? Is it a known issue?
I have a NETransparentProxyProvider App Proxy Network Extension. It captures all port 80/443 traffic but bypasses the "osinstallersetupd" flow. "osinstallersetupd" is responsible for downloading the installer (if my understanding is correct).
default 23:26:38.755784-0700 osinstallersetupd [C2 Hostname#f47785d7:80 in_progress resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: resolver:receive_dns @0.061s
default 23:26:38.755896-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 initial path ((null))] event: path:start @0.061s
default 23:26:38.756109-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: path:satisfied @0.061s, uuid: 16290408-B0BD-4E4E-A194-FBD44E525E8C
default 23:26:38.756417-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:start_connect @0.061s
default 23:26:38.756557-0700 com.myapp.AppClientMacAppProxy (0): Flow 3816135374 is connecting
default 23:26:38.756701-0700 com.myapp.AppClientMacAppProxy (3816135374): New flow: NEFlow type = stream, app = com.apple.installer.osinstallersetupd, name = gs.apple.com, 10.10.15.6:0 - 17.137.162.1:80, filter_id = , interface = en0
default 23:26:38.756885-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: Calling handleNewFlow with TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
default 23:26:38.757858-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: provider rejected new flow TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
default 23:26:38.757962-0700 kernel (3816135374): No more valid control units, disabling flow divert
default 23:26:38.758141-0700 com.myapp.AppClientMacAppProxy (3816135374): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0
default 23:26:38.757963-0700 kernel (3816135374): Skipped all flow divert services, disabling flow divert
default 23:26:38.788429-0700 osinstallersetupd nw_socket_handle_socket_event [C2.1:1] Socket received CONNECTED event
default 23:26:38.788686-0700 osinstallersetupd nw_flow_connected [C2.1 IPv4#6be093f2:80 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns, flow divert agg: 1)] Output protocol connected
default 23:26:38.788922-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 ready socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:finish_connect @0.094s
default 23:26:38.788990-0700 osinstallersetupd nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state ready
default 23:26:38.789046-0700 osinstallersetupd [C2 Hostname#f47785d7:80 ready resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:finish_connect @0.094s
default 23:26:38.789134-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 ready socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:changed_viability @0.094s
default 23:26:38.789186-0700 osinstallersetupd [C2 Hostname#f47785d7:80 ready resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:changed_viability @0.094s
default 23:26:38.789300-0700 osinstallersetupd TCP Conn 0x7fad21865890 event 1. err: 0
default 23:26:38.789359-0700 osinstallersetupd TCP Conn 0x7fad21865890 complete. fd: 8, err: 0
error 23:26:38.789855-0700 osinstallersetupd SocketStream write error [0x7fad21865890]: 1 32
default 23:26:38.790040-0700 osinstallersetupd TCP Conn 0x7fad21865890 canceled
error 23:26:38.790164-0700 osinstallersetupd AMAuthInstallHttpMessageSendSync: no response header
error 23:26:38.790230-0700 osinstallersetupd tss_submit_job: SendHttpRequest failed -1
The above log shows that my app proxy bypasses the flow:
default 23:26:38.757858-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: provider rejected new flow TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
Eventually, the "osinstallersetupd" connection gets closed too:
default 23:26:38.789359-0700 osinstallersetupd TCP Conn 0x7fad21865890 complete. fd: 8, err: 0
error 23:26:38.789855-0700 osinstallersetupd SocketStream write error [0x7fad21865890]: 1 32
default 23:26:38.790040-0700 osinstallersetupd TCP Conn 0x7fad21865890 canceled
Thanks
Hi
I am developing an App Proxy network system extension on 10.15.5. The reachability callback is registered using the method below, but reachability_callback is never called.
static void reachability_callback(SCNetworkReachabilityRef target,
                                  SCNetworkReachabilityFlags flags,
                                  void *info) {
    NSLog(@"reachability flags: 0x%x", (unsigned)flags);
}

// Kept for the lifetime of the extension; the CF object must stay retained.
static SCNetworkReachabilityRef reachableTarget;

static void registerReachability() {
    sockaddr_in ipv4{};
    ipv4.sin_family = AF_INET;
    ipv4.sin_len = sizeof(sockaddr_in);
    ipv4.sin_addr.s_addr = 0x08080808; /* dummy IP 8.8.8.8 (byte-symmetric, so byte order does not matter) */
    reachableTarget = SCNetworkReachabilityCreateWithAddress(NULL, (const sockaddr *)&ipv4);
    Boolean ok = SCNetworkReachabilitySetCallback(reachableTarget, reachability_callback, NULL);
    ok = ok && SCNetworkReachabilityScheduleWithRunLoop(reachableTarget,
                                                        CFRunLoopGetMain(),
                                                        kCFRunLoopDefaultMode);
}
I know "defaultPath" can be used to detect network changes.
I am trying to understand the underlying root cause of this issue. Does the reachability callback not work with CFRunLoopGetMain?
Regards,
Anand Choubey
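The following is an added example, not code from the post above or from the author's project. It schedules the same SCNetworkReachability target on a dispatch queue instead of the main run loop: a callback scheduled with SCNetworkReachabilityScheduleWithRunLoop only fires while that run loop is actually being run, and the main() of the Xcode system-extension template ends in dispatch_main(), which services the main dispatch queue but does not run CFRunLoopGetMain(). SCNetworkReachabilitySetDispatchQueue has no such dependency. The probe address and queue label are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <SystemConfiguration/SystemConfiguration.h>
#import <netinet/in.h>
#import <string.h>

// Invoked on the dispatch queue whenever the reachability flags change.
static void reachability_callback(SCNetworkReachabilityRef target,
                                  SCNetworkReachabilityFlags flags,
                                  void *info) {
    BOOL reachable = (flags & kSCNetworkReachabilityFlagsReachable) != 0;
    BOOL needsConnection = (flags & kSCNetworkReachabilityFlagsConnectionRequired) != 0;
    NSLog(@"reachability changed: flags=0x%x reachable=%d connectionRequired=%d",
          (unsigned)flags, reachable, needsConnection);
}

// The SC object is a CF type owned by the caller; keep it alive for the lifetime
// of the watcher or the callbacks stop when it is released.
static SCNetworkReachabilityRef gReachabilityTarget;
static dispatch_queue_t gReachabilityQueue;

// Returns YES when the watcher is installed. Assumed entry point called from
// the extension's start-up path.
BOOL StartReachabilityWatcher(void) {
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_len = sizeof(addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(0x08080808); // 8.8.8.8, probe address only (assumption)

    gReachabilityTarget = SCNetworkReachabilityCreateWithAddress(kCFAllocatorDefault,
                                                                 (const struct sockaddr *)&addr);
    if (gReachabilityTarget == NULL) return NO;

    SCNetworkReachabilityContext ctx = {0, NULL, NULL, NULL, NULL};
    if (!SCNetworkReachabilitySetCallback(gReachabilityTarget, reachability_callback, &ctx)) return NO;

    // A serial queue, so callbacks are delivered one at a time, independent of any run loop.
    gReachabilityQueue = dispatch_queue_create("com.example.reachability", DISPATCH_QUEUE_SERIAL);
    if (!SCNetworkReachabilitySetDispatchQueue(gReachabilityTarget, gReachabilityQueue)) return NO;

    // Callbacks report only subsequent changes; read the current state once up front.
    SCNetworkReachabilityFlags flags = 0;
    if (SCNetworkReachabilityGetFlags(gReachabilityTarget, &flags)) {
        reachability_callback(gReachabilityTarget, flags, NULL);
    }
    return YES;
}
```

To tear the watcher down, call SCNetworkReachabilitySetDispatchQueue(gReachabilityTarget, NULL) before releasing the target; passing NULL unschedules it.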
Hi
I set a NETransparentProxyProvider include wildcard filter rule using initWithRemoteNetwork as below on macOS Big Sur:
NENetworkRule *includeRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                                             remotePrefix:0
                                                             localNetwork:nil
                                                              localPrefix:0
                                                                 protocol:NENetworkRuleProtocolAny
                                                                direction:NETrafficDirectionOutbound];
My transparent proxy works fine and receives all the traffic, but ping to any host starts failing as long as the NE proxy is up. DNS resolution, however, still happens successfully.
Ping response:
ping cnn.com
PING cnn.com (151.101.193.67): 56 data bytes
ping: sendto: Protocol wrong type for socket
ping: sendto: Protocol wrong type for socket
Request timeout for icmp_seq 0
ping: sendto: Protocol wrong type for socket
Request timeout for icmp_seq 1
Please recommend whether this is known behaviour or whether I should improve my code.
Thanks
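The following is an added example and not code from any of the posts above. It assembles the pieces that the L2TP, osinstallersetupd and ping posts each show in isolation: where the include and exclude rules go (the includedNetworkRules and excludedNetworkRules properties of NETransparentProxyNetworkSettings, applied with setTunnelNetworkSettings:), and what the return value of handleNewFlow: means. NO leaves the flow on its normal path (that is the "provider rejected new flow" line in the osinstallersetupd log); YES makes the provider responsible for the flow, after which it must open it and either relay or close it. The example uses one TCP rule and one UDP rule instead of NENetworkRuleProtocolAny; whether that changes the ICMP behaviour reported above is not something it establishes. Class, bundle and allow-list names, and the "refuse everything not allow-listed" policy, are assumptions made for illustration.

```objectivec
#import <NetworkExtension/NetworkExtension.h>
#import <os/log.h>
#import <errno.h>

@interface ExampleTransparentProxy : NETransparentProxyProvider
@end

@implementation ExampleTransparentProxy

// Flows from these signing identifiers are never taken over (assumed list).
static BOOL IsBypassedSigner(NSString *signer) {
    static NSSet<NSString *> *bypassed;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        bypassed = [NSSet setWithArray:@[ @"com.apple.installer.osinstallersetupd",
                                         @"com.apple.softwareupdated" ]];
    });
    return signer != nil && [bypassed containsObject:signer];
}

// TCP and UDP to the given destination port on any address (prefix 0 = wildcard).
static NENetworkRule *DestinationPortRule(NSString *port) {
    NWHostEndpoint *ep = [NWHostEndpoint endpointWithHostname:@"0.0.0.0" port:port];
    return [[NENetworkRule alloc] initWithDestinationNetwork:ep
                                                      prefix:0
                                                    protocol:NENetworkRuleProtocolAny];
}

// Wildcard outbound rule for one protocol: nil network plus prefix 0 matches every address.
static NENetworkRule *AllOutbound(NENetworkRuleProtocol proto) {
    return [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0
                                           localNetwork:nil localPrefix:0
                                               protocol:proto
                                              direction:NETrafficDirectionOutbound];
}

- (void)startProxyWithOptions:(NSDictionary<NSString *, id> *)options
            completionHandler:(void (^)(NSError *))completionHandler {
    NETransparentProxyNetworkSettings *settings =
        [[NETransparentProxyNetworkSettings alloc] initWithTunnelRemoteAddress:@"127.0.0.1"];
    settings.includedNetworkRules = @[ AllOutbound(NENetworkRuleProtocolTCP),
                                       AllOutbound(NENetworkRuleProtocolUDP) ];
    // Keep IKE (500/udp) and IPsec NAT-T (4500/udp) away from the proxy so a VPN's
    // own control channel is never diverted through this extension.
    settings.excludedNetworkRules = @[ DestinationPortRule(@"500"), DestinationPortRule(@"4500") ];

    [self setTunnelNetworkSettings:settings completionHandler:^(NSError *error) {
        if (error) os_log_error(OS_LOG_DEFAULT, "setTunnelNetworkSettings: %{public}@", error);
        completionHandler(error);
    }];
}

- (void)stopProxyWithReason:(NEProviderStopReason)reason
          completionHandler:(void (^)(void))completionHandler {
    completionHandler();
}

// Policy: allow-listed system processes are left alone (NO = the flow proceeds
// untouched on its normal path); every other TCP flow is claimed (YES) and then
// closed with an error, which the application sees as a failed connection.
// A real proxy would open a connection to tcp.remoteEndpoint and relay instead.
- (BOOL)handleNewFlow:(NEAppProxyFlow *)flow {
    NSString *signer = flow.metaData.sourceAppSigningIdentifier;
    if (IsBypassedSigner(signer)) {
        os_log(OS_LOG_DEFAULT, "bypass %{public}@", signer);
        return NO;
    }
    if (![flow isKindOfClass:[NEAppProxyTCPFlow class]]) return NO;
    NEAppProxyTCPFlow *tcp = (NEAppProxyTCPFlow *)flow;
    os_log(OS_LOG_DEFAULT, "refusing TCP %{public}@ -> %{public}@", signer, tcp.remoteEndpoint);
    NSError *refused = [NSError errorWithDomain:NSPOSIXErrorDomain code:ECONNREFUSED userInfo:nil];
    [tcp openWithLocalEndpoint:nil completionHandler:^(NSError *openError) {
        // Once claimed, the flow is ours to finish: close both directions.
        [tcp closeReadWithError:refused];
        [tcp closeWriteWithError:refused];
    }];
    return YES;
}

- (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
   initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint {
    // UDP flows match the include rules but are left on their own path here.
    return NO;
}
@end
```

The exclude rules only cover UDP/TCP destination ports; ESP (IP protocol 50) is not TCP or UDP and is never presented to a transparent proxy in the first place.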
Hi
My app installs Transparent App Proxy and DNS Network System Extensions on macOS Big Sur. Everything was working fine until Big Sur beta 5.
From Big Sur beta 6 onward, I am observing a problem approving the Network System Extensions.
My application calls the API below:
[[OSSystemExtensionManager sharedManager] submitRequest:req];
The requestNeedsUserApproval callback is also called by the framework.
systemextensionsctl list shows all Network Extensions in the user-approval-pending list.
When I click System Preferences -> "Security & Privacy" to approve my extensions,
it throws "Preferences Error: There was an error in "Security & Privacy"", and the Console log shows:
Sep 18 22:03:57 New-Mac-mini com.apple.preference.security.remoteservice[917]: objc[917]: Class AWDSecurityPrefAutoUnlockSetup is implemented in both /System/Library/PreferencePanes/Security.prefPane/Contents/XPCServices/com.apple.preference.security.remoteservice.xpc/Contents/MacOS/com.apple.preference.security.remoteservice (0x10e665768) and /System/Library/PreferencePanes/Security.prefPane/Contents/MacOS/Security (0x111e9e6f8). One of the two will be used. Which one is undefined.
Sep 18 22:04:02 New-Mac-mini com.apple.xpc.launchd[1] (com.apple.preference.security.remoteservice[917]): Service exited due to SIGILL | sent by exc handler[917]
Could you please guide me to get the root cause?
Regards,
Anand Choubey
Hi
The same behaviour exists on the latest Big Sur beta.
I am developing Transparent and DNS Network System Extensions on macOS Big Sur.
I request help solving a Network System Extension initialization problem. These extensions are in a single app.
My Network Extensions do not come up the first time the UI runs. The UI needs to be restarted, i.e. OSSystemExtensionRequestDelegate:activationRequestForExtension should be initiated again.
The Console log shows, during initialization:
Failed to save configuration myext Client DNS Proxy: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
Application logs show:
App Proxy Logs:
AppProxyManager Failed to save configurations, error: NEVPNErrorDomain / 5
DNS Proxy Application Logs:
dnsproxymgr Failed to save configurations, error: NEConfigurationErrorDomain 10
The App Proxy fails to start:
Application logs:
AppProxyManager Failed to start App Proxy Description The operation couldn’t be completed. (NEVPNErrorDomain error 1.) Reason (null) Recovery suggestion (null)
sudo systemextensionsctl list output shows the extensions are enabled:
--- com.apple.systemextension.networkextension
enabled active teamID bundleID (version) name [state]
* <<team id>> com.myext.client.myext-Client.myextClientMacAppProxy (1.0/1) myextMacAppProxy [activated enabled]
<<team id>> com.myext.client.myext-Client.myextClientMacDNSProxy (1.0/1) myextMacDNSProxy [activated enabled]
Activity Monitor shows the App Proxy and DNS Proxy System Extensions are running.
System Preferences > Security & Privacy shows two entries after clicking the "Allow" button.
Could you please recommend how to debug it?
Thanks
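The following is an added example, not code from the posts above or from the author's app. It shows the ordering a practitioner would use for the two extensions described: submit an activation request per extension, and only configure and start the NetworkExtension manager from the request's didFinishWithResult: callback, loading existing configurations before saving and reloading before starting. For reference, the NEVPNErrorDomain codes quoted above are NEVPNErrorConfigurationReadWriteFailed (5) and NEVPNErrorConfigurationInvalid (1). Bundle identifiers and descriptions are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <NetworkExtension/NetworkExtension.h>
#import <SystemExtensions/SystemExtensions.h>

// Assumed bundle identifiers of the two system extensions.
static NSString *const kAppProxyExtensionID = @"com.example.client.MacAppProxy";
static NSString *const kDNSProxyExtensionID = @"com.example.client.MacDNSProxy";

@interface ExtensionActivator : NSObject <OSSystemExtensionRequestDelegate>
@end

@implementation ExtensionActivator

// One request per extension; the delegate distinguishes them by request.identifier.
- (void)activateExtension:(NSString *)bundleID {
    OSSystemExtensionRequest *req =
        [OSSystemExtensionRequest activationRequestForExtension:bundleID
                                                          queue:dispatch_get_main_queue()];
    req.delegate = self;
    [[OSSystemExtensionManager sharedManager] submitRequest:req];
}

- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
                  actionForReplacingExtension:(OSSystemExtensionProperties *)existing
                                withExtension:(OSSystemExtensionProperties *)ext {
    return OSSystemExtensionReplacementActionReplace;
}

- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request {
    NSLog(@"%@ needs approval in System Preferences > Security & Privacy", request.identifier);
}

- (void)request:(OSSystemExtensionRequest *)request didFailWithError:(NSError *)error {
    NSLog(@"activation of %@ failed: %@", request.identifier, error);
}

// Configure the manager only after activation has completed; until then the
// extension is not an eligible provider for the configuration being saved.
- (void)request:(OSSystemExtensionRequest *)request
    didFinishWithResult:(OSSystemExtensionRequestResult)result {
    if (result != OSSystemExtensionRequestCompleted) {
        NSLog(@"%@: activation completes after reboot", request.identifier);
        return;
    }
    if ([request.identifier isEqualToString:kAppProxyExtensionID]) {
        [self configureAndStartAppProxy];
    } else if ([request.identifier isEqualToString:kDNSProxyExtensionID]) {
        [self configureDNSProxy];
    }
}

- (void)configureAndStartAppProxy {
    // Load first so an existing configuration is updated rather than duplicated and
    // the copy being saved is current (otherwise NEVPNErrorConfigurationStale, code 4).
    [NETransparentProxyManager loadAllFromPreferencesWithCompletionHandler:
     ^(NSArray<NETransparentProxyManager *> *managers, NSError *loadErr) {
        if (loadErr) { NSLog(@"load failed: %@", loadErr); return; }
        NETransparentProxyManager *mgr = managers.firstObject ?: [[NETransparentProxyManager alloc] init];
        NETunnelProviderProtocol *proto = [NETunnelProviderProtocol new];
        proto.providerBundleIdentifier = kAppProxyExtensionID;
        proto.serverAddress = @"localhost";   // must be non-nil; unused by a transparent proxy
        mgr.protocolConfiguration = proto;
        mgr.localizedDescription = @"Example App Proxy";
        mgr.enabled = YES;
        [mgr saveToPreferencesWithCompletionHandler:^(NSError *saveErr) {
            if (saveErr) { NSLog(@"save failed: %@", saveErr); return; }
            // Reload so mgr.connection is backed by the stored configuration before starting.
            [mgr loadFromPreferencesWithCompletionHandler:^(NSError *reloadErr) {
                if (reloadErr) { NSLog(@"reload failed: %@", reloadErr); return; }
                NSError *startErr = nil;
                if (![mgr.connection startVPNTunnelAndReturnError:&startErr]) {
                    NSLog(@"start failed: %@", startErr);
                }
            }];
        }];
    }];
}

- (void)configureDNSProxy {
    NEDNSProxyManager *dns = [NEDNSProxyManager sharedManager];
    [dns loadFromPreferencesWithCompletionHandler:^(NSError *loadErr) {
        if (loadErr) { NSLog(@"DNS proxy load failed: %@", loadErr); return; }
        NEDNSProxyProviderProtocol *proto = [NEDNSProxyProviderProtocol new];
        proto.providerBundleIdentifier = kDNSProxyExtensionID;
        dns.providerProtocol = proto;
        dns.localizedDescription = @"Example DNS Proxy";
        dns.enabled = YES;   // the system starts an enabled DNS proxy once the configuration is saved
        [dns saveToPreferencesWithCompletionHandler:^(NSError *saveErr) {
            if (saveErr) NSLog(@"DNS proxy save failed: %@", saveErr);
        }];
    }];
}
@end
```

If the user has not yet clicked Allow, requestNeedsUserApproval: fires and didFinishWithResult: is only delivered after approval, so the configuration is never saved against an extension that is still pending.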
Hi
I am developing a NEDNSProxyProvider System Extension on macOS 10.15+.
My solution monitors DNS requests and applies policy based on the domains in the DNS request.
The challenge is that the NEDNSProxyProvider DNS proxy does not flush the existing DNS cache at start-up of the DNS proxy. Therefore, cached DNS entries are used by apps until the cache entry expires.
For this reason, my application loses visibility.
"killall -HUP mDNSResponder" does not help, due to NEDNSProxyProvider sandboxing.
Is there any way to flush the system DNS cache from a NEDNSProxyProvider?
Thanks
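The following is an added example and not code from the post above. It shows the part of the post's approach that lives inside the DNS proxy: pulling the question name out of a DNS query datagram with bounds checks, matching it against a policy, and synthesizing an NXDOMAIN reply for names that policy blocks (allowed queries would be forwarded to the upstream resolver). The block list and the sample query are constructed for this example; a NEDNSProxyProvider would call dns_parse_query on each datagram read from a claimed UDP flow.

```objectivec
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdint.h>

#define DNS_HEADER_LEN 12

// Reads the question name starting at `off` into `out` as a dotted string.
// Returns the offset just past the name, or 0 on malformed input.
static size_t dns_read_qname(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outlen) {
    size_t pos = off, o = 0;
    for (;;) {
        if (pos >= len) return 0;
        uint8_t l = pkt[pos++];
        if (l == 0) break;
        if (l & 0xC0) return 0;               // compression pointers are not valid in a client query
        if (l > 63 || pos + l > len) return 0;
        if (o + l + 2 > outlen) return 0;     // room for '.' and the terminating NUL
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, l);
        o += l; pos += l;
    }
    out[o] = '\0';
    return pos;
}

// Validates a query (QR=0, exactly one question) and extracts its name.
// Returns the offset just past the question section, or 0 on malformed input.
size_t dns_parse_query(const uint8_t *pkt, size_t len, char *name, size_t namelen) {
    if (len < DNS_HEADER_LEN) return 0;
    if (pkt[2] & 0x80) return 0;                                   // QR set: a response, not a query
    if (((pkt[4] << 8) | pkt[5]) != 1) return 0;                   // QDCOUNT must be 1
    size_t end = dns_read_qname(pkt, len, DNS_HEADER_LEN, name, namelen);
    if (end == 0 || end + 4 > len) return 0;                       // QTYPE and QCLASS follow the name
    return end + 4;
}

// Case-insensitive "name equals zone or lies under zone" (no partial-label matches).
int dns_name_in_zone(const char *name, const char *zone) {
    size_t nl = strlen(name), zl = strlen(zone);
    if (nl < zl) return 0;
    if (strcasecmp(name + (nl - zl), zone) != 0) return 0;
    return nl == zl || name[nl - zl - 1] == '.';
}

// Builds an NXDOMAIN reply by echoing the header and question; returns its length.
size_t dns_make_nxdomain(const uint8_t *query, size_t qend, uint8_t *out) {
    memcpy(out, query, qend);
    out[2] = (query[2] & 0x79) | 0x80;  // QR=1, keep OPCODE and RD, clear AA/TC
    out[3] = 0x80 | 3;                  // RA=1, RCODE=3 (NXDOMAIN)
    memset(out + 6, 0, 6);              // ANCOUNT, NSCOUNT, ARCOUNT = 0
    return qend;
}

// Constructed policy for the example.
static const char *kBlockedZones[] = { "example.com", "tracker.test" };

int main(void) {
    // Constructed A query for ads.example.com: id 0x1234, flags 0x0100 (RD), QDCOUNT 1.
    const uint8_t query[] = {
        0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
        3,'a','d','s', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
        0x00,0x01, 0x00,0x01
    };
    char name[256];
    size_t qend = dns_parse_query(query, sizeof query, name, sizeof name);
    if (qend == 0) { puts("malformed query"); return 1; }
    printf("question: %s\n", name);
    for (size_t i = 0; i < sizeof kBlockedZones / sizeof kBlockedZones[0]; i++) {
        if (dns_name_in_zone(name, kBlockedZones[i])) {
            uint8_t reply[512];
            size_t rlen = dns_make_nxdomain(query, qend, reply);
            printf("blocked by zone %s: NXDOMAIN reply of %zu bytes, flags %02x%02x\n",
                   kBlockedZones[i], rlen, reply[2], reply[3]);
            return 0;
        }
    }
    puts("allowed: forward to the upstream resolver");
    return 0;
}
```

Queries arriving over a TCP flow carry a two-byte length prefix before the same message; strip it before calling dns_parse_query and prepend it again to the reply.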
Hi
I am working on two Network System Extensions (App Proxy and DNS Proxy) on 10.15. I would like to send XPC messages between these extensions. In my implementation, I always get the "Connection Terminated" message and could not work out how to move further.
My proxy has a listener:
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyListenerXPCProtocol)];
    MyListenerXPCService *exportedObject = [MyListenerXPCService new];
    newConnection.exportedObject = exportedObject;
    [newConnection resume];
    return YES;
}

- (void)startXPCListener {
    NSString *machServiceName = @"<<MY TEAM ID>>.com.example.app-group.MyListenerSystemExtension";
    // NSXPCListener.delegate is a weak property: the delegate must be kept alive
    // (here in an ivar); a local that goes out of scope leaves the listener with no delegate.
    xpcDelegate_ = [MyXPCServiceDelegate new];
    xpcListener_ = [[NSXPCListener alloc] initWithMachServiceName:machServiceName];
    xpcListener_.delegate = xpcDelegate_;
    [xpcListener_ resume];
}
Listener entitlements file: key "com.apple.security.temporary-exception.mach-register.global-name", array value "<<MY TEAM ID>>.com.example.app-group.MyListenerSystemExtension".
In Info.plist, NEMachServiceName has the same value, "<<MY TEAM ID>>.com.example.app-group.MyListenerSystemExtension".
App Proxy message sender:
- (void)sendTestXPCMsg {
    // Kept in an ivar so the connection outlives this method and the reply can arrive.
    _connectionToService =
        [[NSXPCConnection alloc] initWithMachServiceName:@"<<MY TEAM ID>>.com.example.app-group.MyListenerSystemExtension"
                                                 options:0];
    // initWithServiceName:@"24W52P9M7W.com.example.app-group.MyListenerSystemExtension" <-- Tried with it, but same result.
    _connectionToService.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyListenerXPCProtocol)];
    _connectionToService.interruptionHandler = ^{ NSLog(@"Connection Terminated"); };
    _connectionToService.invalidationHandler = ^{ NSLog(@"Connection invalidated"); };
    [_connectionToService resume];
    [[_connectionToService remoteObjectProxy] upperCaseString:@"hello" withReply:^(NSString *aString) {
        NSLog(@"Result string was: %@", aString);
    }];
}
Sender entitlement: com.apple.security.temporary-exception.mach-lookup.global-name, array value "<<MY TEAM ID>>.com.example.app-group.MyListenerSystemExtension".
Whenever the sender sends a message, it always receives the "Connection Terminated" message. I also tried removing the entitlement, but always the same result.
Could you please help me solve it?
Regards,
Anand Choubey
Hi
I want to share data between the host app and a Network Extension on macOS 10.15.5.
As per the documentation, adding an App Group in the entitlements and using containerURLForSecurityApplicationGroupIdentifier are the entry points.
But containerURLForSecurityApplicationGroupIdentifier returns different locations: the network extension returns "/var/root/Library/Group Containers/...", while the app returns "~/Library/Group Containers/...". I think the API's fundamental behaviour is correct. Could you please suggest how to share preferences between the host app and the Network Extension?
Regards,
Anand Choubey
Hi,
I am building a Transparent App Proxy on 10.15.5. I set up a DNS resolver in the app proxy:
NEDNSSettings *dnsSettings = [[NEDNSSettings alloc] initWithServers:dnsServerList];
NSString *TLD1 = @"com";
NSArray<NSString *> *dnsMatchDomainList = [NSArray arrayWithObjects:TLD1, nil];
dnsSettings.matchDomains = dnsMatchDomainList;
dnsSettings.domainName = @"gp.com";
settings.DNSSettings = dnsSettings;
When getaddrinfo or DNSServiceGetAddrInfo is called later with any .com domain (e.g. apple.com) from the same system extension, getaddrinfo/DNSServiceGetAddrInfo blocks forever. The result is the same with asynchronous DNSServiceGetAddrInfo calls.
Could you please help guide me to solve it?
Please note, if getaddrinfo is called from a third-party app, it works fine.
Hi
I am working on a Transparent App Proxy on the macOS platform.
The filter rule is set:
NENetworkRule *includeRule = [[NENetworkRule alloc] initWithDestinationHost:[NWHostEndpoint endpointWithHostname:@"example.com" port:@"0"]
                                                                   protocol:NENetworkRuleProtocolAny];
As per the documentation: "Matches all TCP and UDP traffic to hosts in the "example.com" DNS domain, including all DNS queries for names in the example.com DNS domain."
The documented behaviour was working for all applications, e.g. Chrome, Safari, curl, etc., until 10.15.4. BUT the documented behaviour stopped working in 10.15.5 for Chrome only (please note there was no Chrome update), i.e. all other applications like Safari, curl, etc. are working fine.
Regards,
Anand Choubey