Hi Simon, I am trying to do this as well, but have been unable to. Have you found any idea?
Hey Matt, thanks for your answer. I'd like to know things like which application it came from, where it's going to, etc...
Unfortunately this didn't work. I think I'll just write the core of the extension in Swift, and just use some bridges to import some C code I need.
Yes, I did. Inside the Info.plist for the extension, NEProviderClasses is specified as a dict, with one element.
For Swift, this element is:
    com.apple.networkextension.filter-packet -> $(PRODUCT_MODULE_NAME).FilterPacketProvider
For Objective-C, it is:
    com.apple.networkextension.filter-packet -> FilterPacketProvider
(In both cases, FilterPacketProvider is indeed the name of the class I implement, that inherits from NEFilterPacketProvider.)
Thanks Eskimo, that's useful. Following your advice, I am starting in the grand adventure of parsing packet bytes. I am not very familiar with that. Do you have a recommendation for a library that would help me in that regard? My current plan is to use the library libcap (pcap). I wouldn't mind something a bit higher level, but it does not seem to be widespread. Also, if by any chance you have some random code lying around that could get me started on parsing the packet bytes, that would be fantastic. Thanks
Thanks, very useful!
Thanks for that. That makes sense, I will do so. Do you know if I am guaranteed that NEFilterPacketProvider will return absolutely all packets, for any protocol (for example ICMP, ARP, NAT, etc)? In other words, am I guaranteed that any packet going through the network card will be relayed by NEFilterPacketProvider?
And also another quick question: I set up my app so that it now launches two system extensions: 1 for the NEFilterPacketProvider, 1 for the NEFilterDataProvider. It seems set up correctly in the sense that when I set:
    providerConfiguration.filterSockets = false
    providerConfiguration.filterPackets = true
Then only my system extension for NEFilterPacketProvider will launch and work correctly. The other one is not launched. When I set:
    providerConfiguration.filterSockets = true
    providerConfiguration.filterPackets = false
Then only the system extension for NEFilterDataProvider will launch and work correctly. So this works correctly, and shows that my configuration is correct. However, if I set both to true, only the extension for NEFilterDataProvider will launch (even though I do send the activation message correctly for both). Do I need to add something to the config to allow my main app to launch 2 system extensions? Thanks!
Yes, both filterDataProviderBundleIdentifier and filterPacketProviderBundleIdentifier are set correctly. I tried two ways: having two different targets and bundles for each extension. This didn't work, as explained above. I also tried having only 1 system extension, containing both the FilterDataProvider and FilterPacketProvider (in 2 different files). I also set up the Info.plist to look like this:
    <dict>
        <key>NEProviderClasses</key>
        <dict>
            <key>com.apple.networkextension.filter-packet</key>
            <string>$(PRODUCT_MODULE_NAME).FilterPacketProvider</string>
            <key>com.apple.networkextension.filter-data</key>
            <string>$(PRODUCT_MODULE_NAME).FilterDataProvider</string>
        </dict>
    </dict>
    </plist>
However, it still didn't work. Do you know what approach is the correct one (2 targets versus 1 target)? Do you know what else I could be doing wrong?
I realized that using 1 target per network extension (so 2 targets in total) is a non-starter, because the main app can only have one NEFilterManager, so couldn't control both. So I focused on the solution of having 1 system extension that cumulates the two Filter%Provider, with this Info.plist:
    NEProviderClasses
        com.apple.networkextension.filter-packet -> $(PRODUCT_MODULE_NAME).FilterPacketProvider
        com.apple.networkextension.filter-data -> $(PRODUCT_MODULE_NAME).FilterDataProvider
The extension loads fine, the problem is that only 1 FilterProvider receives the startFilter callback when I do this:
    import NetworkExtension
    import os.log

    // Shared manager used by the rest of the snippet.
    let filterManager = NEFilterManager.shared()

    // Load the saved filter configuration, reporting success on the main queue.
    func loadFilterConfiguration(completionHandler: @escaping (Bool) -> Void) {
        NEFilterManager.shared().loadFromPreferences { loadError in
            DispatchQueue.main.async {
                var success = true
                if let error = loadError {
                    print("Failed to load the filter configuration: \(error.localizedDescription)")
                    success = false
                }
                completionHandler(success)
            }
        }
    }

    loadFilterConfiguration { success in
        guard success else {
            print("Errrrror !")
            return
        }
        if (true) {
            // Ask for both the socket (data) filter and the packet filter.
            let providerConfiguration = NEFilterProviderConfiguration()
            providerConfiguration.filterSockets = true
            providerConfiguration.filterPackets = true
            filterManager.providerConfiguration = providerConfiguration
            if let appName = Bundle.main.infoDictionary?["CFBundleName"] as? String {
                filterManager.localizedDescription = appName
            }
        }
        filterManager.isEnabled = true
        filterManager.saveToPreferences { saveError in
            DispatchQueue.main.async {
                if let error = saveError {
                    os_log("%@", error.localizedDescription)
                    return
                }
                // Swift strings must be logged with %@, not %s.
                os_log("%{public}@ %{public}@", NEFilterManager.shared().providerConfiguration!.filterDataProviderBundleIdentifier!, NEFilterManager.shared().providerConfiguration!.filterPacketProviderBundleIdentifier!)
            }
        }
    }
Unless there is something I am doing wrong in the code above, this starts feeling like a bug in macOS. Both the filters should receive the startFilter callback, after this. Note that when I keep only 1 Filter%Provider (either one) in my extension, it works fine, indicating there is no issue in the Filter%Provider code themselves.
Ok, thanks for that. I will start by parsing the link-layer header then. You don't happen to also have some code doing this by any chance, to get me started?
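A bounds-checked starting point for the link-layer parsing asked about in these posts, as an added example that is not part of the original thread. It assumes the packet buffer begins with an Ethernet II header; `parse_frame`, `frame_info` and the sample frame are hypothetical names and constructed data, not part of any Apple API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative result type; the names are not from any Apple API. */
typedef struct {
    uint16_t ethertype;        /* after an optional 802.1Q tag, host order */
    uint8_t  ip_proto;         /* IPv4 protocol number: 1 ICMP, 6 TCP, 17 UDP */
    uint8_t  src[4], dst[4];   /* IPv4 addresses, network order */
} frame_info;

/* Constructed sample: Ethernet II + IPv4 + ICMP echo request header,
 * 192.0.2.1 -> 198.51.100.7 (documentation address ranges). */
static const uint8_t SAMPLE_ICMP[] = {
    0x02,0,0,0,0,0x02,  0x02,0,0,0,0,0x01,  0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x01,0x8e,0xa4,
    192,0,2,1,  198,51,100,7,
    0x08,0x00,0xf7,0xff, 0,0,0,0
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 0 = parsed IPv4, 1 = well-formed but not IPv4 (ARP, IPv6, ...),
 * -1 = truncated or malformed. Every read is preceded by a length check. */
int parse_frame(const uint8_t *buf, size_t len, frame_info *out)
{
    size_t off = 12;                          /* skip dst + src MAC */
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                  /* no full Ethernet II header */
    out->ethertype = be16(buf + off);
    off += 2;
    if (out->ethertype == 0x8100) {           /* single 802.1Q VLAN tag */
        if (len < off + 4) return -1;
        out->ethertype = be16(buf + off + 2); /* real EtherType follows TCI */
        off += 4;
    }
    if (out->ethertype != 0x0800) return 1;
    size_t avail = len - off;
    if (avail < 20) return -1;                /* minimum IPv4 header */
    const uint8_t *ip = buf + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;  /* header length in bytes */
    size_t total = be16(ip + 2);              /* header + payload */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > avail) return -1;
    if (total < ihl || total > avail) return -1;
    out->ip_proto = ip[9];
    memcpy(out->src, ip + 12, 4);
    memcpy(out->dst, ip + 16, 4);
    return 0;
}
```

The transport header, if needed, starts at the IPv4 header offset plus the header length and needs the same kind of length check before any field is read.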
Yes, you're right, very straightforward. Thanks a lot!
I understand, thanks for your help through this. I'll poke around a bit more, and I might open the ticket if I can't figure it out.
I have gathered that I should use SecCodeCopyGuestWithAttributes with the flag kSecGuestAttributeAudit. However, I am unclear as to exactly how to do it:
- how can I convert a kSecGuestAttributeAudit to a SecCSFlags?
- how can I convert flow.sourceAppAuditToken to UnsafeMutablePointer<SecCode?>?
- should I use nil for host?
Hi Eskimo, that is right, it is modularized and not deprecated. I was misled by the fact that when I type "import Darwin" it appears with a red strikethrough, which I mistakenly interpreted as deprecated. Thanks a lot for the code, I was indeed missing this. I was looking around for this info, but couldn't find the procedure you sent on "https://developer.apple.com/documentation/security/code_signing_services". Is there another source of documentation or code examples that you would recommend? Thanks for the tip on using the code's designated identifier. I assume you mean kSecCodeInfoIdentifier. I will use this. Thanks a lot for your help!