I have a Network extension contains App Proxy and Content Filter.
After installation, extension process is not getting auto launch. We want to execute some code in main.swift.
extension process is getting launch on enabling either App Proxy or Content Filter.
how to launch network extension process after installation?
Installations Sample code:
let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: id, queue: .main)
OSSystemExtensionManager.shared.submitRequest(activationRequest)
I have a system extension which contains 3 capabilities: App Proxy, Content Filter, Packet Tunnel.
System extension process doesn't auto stops on disabling all of its Capabilities: App Proxy, Content Filter, Packet Tunnel
How to make system extension process auto stop if all of its capabilities disabled?
Disable can happens via system extension hosting app or system preference network settings
I have following in mind:
Whenever we disables any capabilities via system extension hosting app, it can check if all others are disabled then
Use KILL bash command to terminate system extension process
System extension hosting app can send message via XPC to extension to terminate it self via NSApp.terminate
On disabling from system preference, ssystem extensions can check if all other disables in delegate method and terminate itself
I wanted to know what is better way to handle system extension process stop
Post not yet marked as solved
I want to understand in which API triggers this below popup.
1.
This below code always trigger popup after fresh install which make sense:
`//manager NETunnelProviderManager
manager.connection.startVPNTunnel(options: [:])`
2. This below code sometime triggers popup intermittently. Ideally this shouldn't trigger or always trigger.
I tried running this code in loop to check this behaviour, some time around 50th or sometime around 88th execution observed this popup.
config.providerBundleIdentifier =“bundleId”
config.serverAddress = "Connection managed by app”Name//
let manager = NETunnelProviderManager()
manager.protocolConfiguration = config
manager.localizedDescription = “xyz”
manager.saveToPreferences(completionHandler: { (saveError) -> Void in
}```
no where startVPNTunnel called in 2nd code sample.
Post not yet marked as solved
On Ventura -
We have a network extension(Transparent Proxy) which blocks IPv6 traffic as below.
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
//Ipv6 gets blocks by below code
let error = NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey : "Connection Refused"])
flow.closeReadWithError(error)
flow.closeWriteWithError(error)
On IPv6 enabled client machine, when a client application(Browser, curl, Teams etc), try to send HTTP/s requests, first they try to send the request over IPv6 and if it fails, they try with IPv4 (Happy eyeballs Algorithm)
In our case, as network extension blocks IPv6 traffic, client applications will fail to establish connection over IPv6 and fallback to IPv4 as per Happy eyeballs Algorithm
The above scenario works fine till MacOS Ventura.
For Sonoma, this behaviour seems to have changed
When our network extension blocks IPv6 traffic, client applications do not fallback to IPv4.
They simply fail without trying IPv4. We tested with curl, Google chrome browser, Microsoft Teams. All these fail to load pages on Sonoma and they work fine on Ventura.
Note : No change in our network extension code, curl and browser versions. Only change is MacOS version
Please find attached screenshots with Ventura and with Sonoma, running curl
One other difference seen here is the error code received by client applications with Ventura and Sonoma.
On Ventura, when IPv6 is blocked, error is Network is down and client application establishes connection with IPv4.
On Sonoma, error code is 22 : Invalid arguments and client application does not retry with IPv4.
Curl_Ventura.jpg
Curl_Sonoma.png
Hi,
AFAIK Safari or any macOS apps which uses WKWebview, uses com.apple.WebKit.Networking.xpc to do actual networking.
I am working on a packet tunnel, where I am able to get process id associated with packet read. Based on process id, i am using libproc to get process name.
I am facing below problem:
For Safari or any other apps which uses WKWebview having same process name: com.apple.WebKit.Networking
Any ways to distinguish wether it is from safari or other xyz wkwebview apps?
Related Problem: https://developer.apple.com/forums/thread/693528 In this thread, app proxy can help but in packet tunnel no such options exposed.
I am trying to get ports used by processes. It can be done via lsof on macOS, i am trying to do it via libproc.
#include <iostream>
#include <libproc.h>
int main(int argc, const char * argv[]) {
pid_t pids[3072];
int count = proc_listpids(PROC_ALL_PIDS, 0, pids, sizeof(pids));
for (int i = 0; i < count; i++) {
char buffer[1024];
for (int j = 1; j < 50000; j++) { //port range
int ret = proc_pidfileportinfo(pids[i], j, PROC_PIDFILEPORTVNODEPATHINFO, buffer, sizeof(buffer));
if(ret != 0) {
printf("proc_pidfileportinfo returned %d bytes of data\n", ret);
printf("%s\n", name);
}
}
}
return 0;
}
proc_pidfileportinfo function is not working for any port, i tried iterating till 50K. What i am doing wrong with proc_pidfileportinfo? how to properly use proc_pidfileportinfo?
Post not yet marked as solved
I have an app which hosts network extensions(Packet Tunnel, Filter). I am facing uninstallation issue in scenario 2.
Uninstall API: OSSystemExtensionRequest.deactivationRequest
Scenarion 1:
app version 1.0.0.1,
extension inside app bundle version 1.0.0.1
Installed extension -> version 1.0.0.1
Uninstallation works fine.
Scenarion 2:
app version 1.0.0.2,
extension inside app bundle version 1.0.0.2
Installed extension -> version 1.0.0.1
Uninstallation fails with below error:
deactivation failed for client: /Applications/Remo Security Endpoint Client/ep-client.app/Contents/MacOS/ep-client, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
Question 1: is this by design or we can do something to make uninstall works in case application upgraded and tries to uninstall previous extension version.
Snippet from Apple Doc for API: OSSystemExtensionRequest.deactivationRequest
A deactivation request may require a restart before deactivating the extension. If the request succeeds but requires a restart to complete, the extension may still appear operational until the next restart.
Question 2: How do we know if restart needed or not?
Post not yet marked as solved
We gets NEPacket during packetFlow.readPacketObjects. Each packet contains src ip as packet tunnel utun virtual interface address.
for example if packet tunnel utun address is 10.10.10.10, then src ip of every packet is 10.10.10.10.
Can we configure packet tunnel in such a way that it gives src ip as ip assigned to system via dhcp/static (primary Ethernet interface en0) instead of 10.10.10.10? I want to do this because tunnel server uses this src ip to perform some business logic.
What if we assigns primary Ethernet interface en0 address to packet tunnel utun address?
Hi,
This is how we create ipv4Settings, then we add includedRoutes, excludedRoutes.
let ipv4Settings = NEIPv4Settings(addresses: addresses, subnetMasks: subnetMask)
In my case, Packet Tunnel Provider reads the packet like this - packetFlow.readPacketObjects, sends packets to C++ module which takes care of sending it to wireguard tunnel, returns packet back to Packet Tunnel Provider for writing. C++ Module does everything related to wireguard tunnel.
As per my understanding, any unique private ipv4, ipv6 address should be fine for creating NEIPv4Settings, NEIPv6Settings. is that correct? or is there anything else i need to consider for setting Utun addresses
as of now i have harcoded it to 10.10.10.10/32 and 2001:db8::/128, will it cause any problem?
Hi,
We are observing few NEPacketTunnelNetworkSettings excludedRoutes ip's in PacketTunnel even-though it is added in exclude routes.
As you can see in network setting where we have added
destinationAddress = 239.255.255.0 destinationSubnetMask = 255.255.255.0
in exclude route, still traffic of IP 239.255.255.250 coming to packet tunnel.
We also observing other IP's traffic that is not added in include route such as: 20.192.170.9
//Network Settings for Packet Tunnel
IPv4Settings = {
configMethod = PPP
addresses = (
10.10.10.10,
)
subnetMasks = (
255.255.255.255,
)
includedRoutes = (
{
destinationAddress = 10.10.10.10
destinationSubnetMask = 255.255.255.255
gatewayAddress = 10.10.10.10
},
)
excludedRoutes = (
{
destinationAddress = 192.168.0.0
destinationSubnetMask = 255.255.0.0
},
{
destinationAddress = 10.0.0.0
destinationSubnetMask = 255.0.0.0
},
{
destinationAddress = 127.0.0.1
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = 172.16.0.0
destinationSubnetMask = 255.240.0.0
},
{
destinationAddress = 239.255.255.0
destinationSubnetMask = 255.255.255.0
},
)
am i doing something wrong in setting NEPacketTunnelNetworkSettings?
Post not yet marked as solved
Hi,
I am experiencing following crashes intermittently in macOS network extension. Sometime in an hour or two or three. I don't see anywhere references to my project code hence i am unable to understand this crashes. Anyone please point me into right direction from here:
Crash Dumps
Samples:
Process: com.skyhighsecurity.epclient.networkextension [39224]
Path: /Library/SystemExtensions/*/com.skyhighsecurity.epclient.networkextension
Identifier: com.skyhighsecurity.epclient.networkextension
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
User ID: 0
Date/Time: 2023-03-20 13:46:51.6991 +0530
OS Version: macOS 12.6.3 (21G419)
Report Version: 12
Anonymous UUID: 72617D4C-9E91-7141-D71D-9CB5BDADAA25
Sleep/Wake UUID: B462FD28-68B4-4B46-84EB-D16E29760748
Time Awake Since Boot: 32000 seconds
Time Since Wake: 5 seconds
System Integrity Protection: disabled
Crashed Thread: 3 Dispatch queue: NEFilterExtensionProviderContext queue
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x0000000182e26104
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 5 Trace/BPT trap: 5
Terminating Process: exc handler [39224]
Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: os_unfair_lock is corrupt
Abort Cause 1949042982
Thread 0:
0 libsystem_kernel.dylib 0x182dd5d70 __sigsuspend_nocancel + 8
1 libdispatch.dylib 0x182c5b5e0 _dispatch_sigsuspend + 48
2 libdispatch.dylib 0x182c5b5b0 _dispatch_sig_thread + 60
Thread 1:
0 libsystem_pthread.dylib 0x182e07078 start_wqthread + 0
Thread 2:
0 libsystem_pthread.dylib 0x182e07078 start_wqthread + 0
Thread 3 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
0 libsystem_platform.dylib 0x182e26104 _os_unfair_lock_corruption_abort + 88
1 libsystem_platform.dylib 0x182e21184 _os_unfair_lock_lock_slow + 328
2 libsystem_pthread.dylib 0x182e07640 pthread_mutex_destroy + 64
3 Foundation 0x183d7ac18 -[_NSXPCConnectionClassCache dealloc] + 48
4 libobjc.A.dylib 0x182cb7c58 objc_object::sidetable_release(bool, bool) + 260
5 NetworkExtension 0x19148b798 -[NEFilterSocketFlow .cxx_destruct] + 40
6 libobjc.A.dylib 0x182c9d8e4 object_cxxDestructFromClass(objc_object*, objc_class*) + 116
7 libobjc.A.dylib 0x182c94b0c objc_destructInstance + 80
8 libobjc.A.dylib 0x182c94ab8 _objc_rootDealloc + 80
9 NetworkExtension 0x19148246c -[NEFilterDataExtensionProviderContext handleSocketSourceEventWithSocket:] + 132
10 libdispatch.dylib 0x182c481b4 _dispatch_client_callout + 20
11 libdispatch.dylib 0x182c4b670 _dispatch_continuation_pop + 500
12 libdispatch.dylib 0x182c5e8e0 _dispatch_source_invoke + 1596
13 libdispatch.dylib 0x182c4f784 _dispatch_lane_serial_drain + 376
14 libdispatch.dylib 0x182c50404 _dispatch_lane_invoke + 392
15 libdispatch.dylib 0x182c5ac98 _dispatch_workloop_worker_thread + 648
16 libsystem_pthread.dylib 0x182e08360 _pthread_wqthread + 288
17 libsystem_pthread.dylib 0x182e07080 start_wqthread + 8
Post not yet marked as solved
Hi,
we have c++ module inside Network Extension which does rest call.
we want to do http rest call in test environment, but it's not responding. status code is 0. https working fine.
I tried adding NSAppTransportSecurity -> NSAllowsArbitraryLoads -> true, but it's crashing because of it.
how can we make http request from Network Extension in test enviroment?
Hi,
I have a dynamic library libmowglicore.dylib, which works fine in non sandboxed enviroment(command line cpp project). libmowglicore.dylib is signed, it shows valid on disk.
When i add it to network extension project, network extension getting crash on launch.
0 dyld 0x102c8e81c dyld3::MachOFile::compatibleSlice(Diagnostics&, void const*, unsigned long, char const*, dyld3::Platform, bool, dyld3::GradedArchs const&) + 76
1 dyld 0x102c72b9c invocation function for block in dyld4::JustInTimeLoader::makeJustInTimeLoaderDisk(Diagnostics&, dyld4::RuntimeState&, char const*, dyld4::Loader::LoadOptions const&, bool, unsigned int) + 96
2 dyld 0x102c72b9c invocation function for block in dyld4::JustInTimeLoader::makeJustInTimeLoaderDisk(Diagnostics&, dyld4::RuntimeState&, char const*, dyld4::Loader::LoadOptions const&, bool, unsigned int) + 96
3 dyld 0x102c77fcc dyld4::SyscallDelegate::withReadOnlyMappedFile(Diagnostics&, char const*, bool, void (void const*, unsigned long, bool, dyld4::FileID const&, char const*) block_pointer) const + 132
4 dyld 0x102c72b08 dyld4::JustInTimeLoader::makeJustInTimeLoaderDisk(Diagnostics&, dyld4::RuntimeState&, char const*, dyld4::Loader::LoadOptions const&, bool, unsigned int) + 204
Crash Dumps
How to debug it?
Hi,
We have NEPacketTunnelProvider which creates a virtual interface.
I am trying to Read and write virtual interface in separate process(c++ command line project). Read works fine, but write is not working.
Reading packet in separate process as below:
int bpf = 0;
for (int i = 0; i < 99; ++i) {
snprintf(buf, 11, "/dev/bpf%i", i);
bpf = open(buf, O_RDWR);
if (bpf != -1) break;
}
struct ifreq interface;
strcpy(interface.ifr_name, interfaceName.c_str());
if(ioctl(bpf, BIOCSETIF, &interface) > 0) {
return errno;
}
unsigned int one = 1;
if (ioctl(bpf, BIOCIMMEDIATE, &one) == -1) {
return errno;
}
int bufLength = 1;
if (ioctl(bpf, BIOCGBLEN, &bufLength) == -1) {
return errno;
}
if (ioctl(bpf, BIOCPROMISC, NULL) == -1) {
return errno;
}
//Reading bpf as below
readBytes = (int)read(bpf, bpfBuffer, bufLength);
**Whenever traffic routed to Packet Tunnel provider interface as per network rule, Read works fine in this process(separate c++ process). We are able to read valid packet.
**
//Writing as below
ssize_t writtenBytes = write(bpf, packet, size);
if (writtenBytes < 1)
{
return false;
} else {
return true;
}
Above write API is not giving any error, returning byte written correctly.
But after write, packet is not reaching to application which generated traffic. For example, for ping, it is showing 1 packets transmitted, 0 packets received, 100.0% packet loss
I also tried sending it over raw socket. Since separate process is command line and not sandboxed, raw socket getting openned.
`ssize_t bytes = sendto (fRawSocket, packet, size, 0, (sockaddr*) dest, sizeof(*dest)); //dest is packet tunnel virtual interface ip addres`
This also not returning any error but this packet is also not reaching to application which generated traffic.
There is packetFlow.writePacketObjects which works fine in swift.
but due to some architecture constraint, i am reading and writing packet in separate process.
is this something macOS doesn't allow or i am doing something wrong?
I am trying to pause NEFilterFlow and then resuming NEFilterFlow from function **handleInboundData**
let goingToApply = someFunctionWithClosure { applied in
if applied {
let verdict: NEFilterNewFlowVerdict = .allow()
self.resumeFlow(flow, with: verdict)
}
}
if goingToApply == true {
return .pause()
}
The line self.resumeFlow(flow, with: verdict) crashing with following exception:
terminating with uncaught exception of type NSException
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[NEFilterNewFlowVerdict passBytes]: unrecognized selector sent to instance 0x10b8662a0'
Crash dump showing below logs:
Thread 3 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
0 libsystem_kernel.dylib 0x1b7aa6d78 __pthread_kill + 8
1 libsystem_pthread.dylib 0x1b7adbee0 pthread_kill + 288
2 libsystem_c.dylib 0x1b7a16340 abort + 168
3 libc++abi.dylib 0x1b7a96b18 abort_message + 132
4 libc++abi.dylib 0x1b7a86a54 demangling_terminate_handler() + 336
5 libobjc.A.dylib 0x1b797c320 _objc_terminate() + 144
6 libc++abi.dylib 0x1b7a95eb4 std::__terminate(void (*)()) + 20
7 libc++abi.dylib 0x1b7a95e50 std::terminate() + 64
8 libdispatch.dylib 0x1b79181c8 _dispatch_client_callout + 40
9 libdispatch.dylib 0x1b791f8a8 _dispatch_lane_serial_drain + 668
10 libdispatch.dylib 0x1b7920404 _dispatch_lane_invoke + 392
11 libdispatch.dylib 0x1b792ac98 _dispatch_workloop_worker_thread + 648
12 libsystem_pthread.dylib 0x1b7ad8360 _pthread_wqthread + 288
13 libsystem_pthread.dylib 0x1b7ad7080 start_wqthread + 8
Why this exception is occurring for .allow() verdict only. For .drop() it is not crashing.
No where i'm calling passBytes method on NEFilterNewFlowVerdict
faisalIkwal.