We want to ressolve dns for predefined sets of private app domains.
We've added this rule:
NENetworkRule(destinationHost: NWHostEndpoint(hostname: Private Domain1(example.com), port: 53), protocol: .UDP)
As per apple documentation: A rule that matches all DNS queries/responses for hosts in the example.com domain.
do you think it will work i.e it will forward DNS requests UDP flow to transparent provider in all the cases?
or do you think the text is a bit misleading. it should instead say: "A rule that matches all DNS queries/responses for nameservers in the example.com domain"?
This rule that look for port 53 of that domain only works if the system really asks a nameserver of that specific domain, right?
So, what if a local DNS server or a different nameserver are taking care of the resolution?
Post
Replies
Boosts
Views
Activity
I have a process [command line cpp application] which i want to run always such as it should relaunch after a crash, after device startup etc.
I created a launchd Property List File with KeepAlive true and placed under /Library/LaunchDaemons.
Problem Statements:
I have a bash script to start and stop this process.
start using: launchctl bootstrap.
stop involve these two steps:
send SIGTERM signal and wait untill process stops after doing some cleanups
launchctl bootout [It doesn't sends SIGTERM]
during steps 1 - Process is getting stop, but also getting immediate relaunch by launchctl
during step 2 - it getting stop again.
is there a proper way so that we can disable KeepAlive temporarily so that process will not launch during step 1?
or suggest other ways to handle this?
NETransparentProxyProvider having these two methods:
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool
override func handleNewUDPFlow(
_ flow: NEAppProxyUDPFlow,
initialRemoteEndpoint remoteEndpoint: NWEndpoint
) -> Bool
During initial days when NETransparentProxyProvider was introduced,
We used handleNewFlow to handle NEAppProxyTCPFlow and handleNewUDPFlow to handle NEAppProxyUDPFlow .
Since handleNewUDPFlow is now deprecated, is it just okay to use handleNewFlow to handle both NEAppProxyTCPFlow & NEAppProxyUDPFlow?
will this works always or there are some scenario where keeping handleNewUDPFlow will be usefull?
NETransparentProxyProvider have below method:
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool
This method is blocking. Until we returns value from this method, next flow will be blocked, macOS doesn’t calls it on new thread.
for example: if we take 10 second to check what to do with this flow, whether to handle it(true) or return to kernel(false), another flow will be block for 10 sec.
how to not block future flow while it is taking longer to process current flow?
my macOS process is crashing when i keep my mac sleep for about 1 hour.
Under Crash Reports, Console app shows two type of file.
.diag type
.ips type
ips file doesn't shows exact line of crash as you can see below sample.
Thread 67 Crashed:
0 libsystem_kernel.dylib 0x19a4aea60 __pthread_kill + 8
1 libsystem_pthread.dylib 0x19a4e6c20 pthread_kill + 288
2 libsystem_c.dylib 0x19a3f3a30 abort + 180
3 libsystem_malloc.dylib 0x19a303dc4 malloc_vreport + 896
4 libsystem_malloc.dylib 0x19a307430 malloc_report + 64
5 libsystem_malloc.dylib 0x19a321494 find_zone_and_free + 528
6 Firewall.so 0x103c8a744 TunnelSendQueue::ResumeSend() + 460
resource.diag file sgowing warning about exceeding limit of 150 wakeups per second over 300 seconds. attached here.
reasource_consumptions_W36RNW09G.wakeups_resource_diag.txt
is this something macOS stopping app because of some resource consumptions?
I have a Network extension contains App Proxy and Content Filter.
After installation, extension process is not getting auto launch. We want to execute some code in main.swift.
extension process is getting launch on enabling either App Proxy or Content Filter.
how to launch network extension process after installation?
Installations Sample code:
let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: id, queue: .main)
OSSystemExtensionManager.shared.submitRequest(activationRequest)
I have a system extension which contains 3 capabilities: App Proxy, Content Filter, Packet Tunnel.
System extension process doesn't auto stops on disabling all of its Capabilities: App Proxy, Content Filter, Packet Tunnel
How to make system extension process auto stop if all of its capabilities disabled?
Disable can happens via system extension hosting app or system preference network settings
I have following in mind:
Whenever we disables any capabilities via system extension hosting app, it can check if all others are disabled then
Use KILL bash command to terminate system extension process
System extension hosting app can send message via XPC to extension to terminate it self via NSApp.terminate
On disabling from system preference, ssystem extensions can check if all other disables in delegate method and terminate itself
I wanted to know what is better way to handle system extension process stop
I want to understand in which API triggers this below popup.
1.
This below code always trigger popup after fresh install which make sense:
`//manager NETunnelProviderManager
manager.connection.startVPNTunnel(options: [:])`
2. This below code sometime triggers popup intermittently. Ideally this shouldn't trigger or always trigger.
I tried running this code in loop to check this behaviour, some time around 50th or sometime around 88th execution observed this popup.
config.providerBundleIdentifier =“bundleId”
config.serverAddress = "Connection managed by app”Name//
let manager = NETunnelProviderManager()
manager.protocolConfiguration = config
manager.localizedDescription = “xyz”
manager.saveToPreferences(completionHandler: { (saveError) -> Void in
}```
no where startVPNTunnel called in 2nd code sample.
On Ventura -
We have a network extension(Transparent Proxy) which blocks IPv6 traffic as below.
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
//Ipv6 gets blocks by below code
let error = NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey : "Connection Refused"])
flow.closeReadWithError(error)
flow.closeWriteWithError(error)
On IPv6 enabled client machine, when a client application(Browser, curl, Teams etc), try to send HTTP/s requests, first they try to send the request over IPv6 and if it fails, they try with IPv4 (Happy eyeballs Algorithm)
In our case, as network extension blocks IPv6 traffic, client applications will fail to establish connection over IPv6 and fallback to IPv4 as per Happy eyeballs Algorithm
The above scenario works fine till MacOS Ventura.
For Sonoma, this behaviour seems to have changed
When our network extension blocks IPv6 traffic, client applications do not fallback to IPv4.
They simply fail without trying IPv4. We tested with curl, Google chrome browser, Microsoft Teams. All these fail to load pages on Sonoma and they work fine on Ventura.
Note : No change in our network extension code, curl and browser versions. Only change is MacOS version
Please find attached screenshots with Ventura and with Sonoma, running curl
One other difference seen here is the error code received by client applications with Ventura and Sonoma.
On Ventura, when IPv6 is blocked, error is Network is down and client application establishes connection with IPv4.
On Sonoma, error code is 22 : Invalid arguments and client application does not retry with IPv4.
Curl_Ventura.jpg
Curl_Sonoma.png
Hi,
AFAIK Safari or any macOS apps which uses WKWebview, uses com.apple.WebKit.Networking.xpc to do actual networking.
I am working on a packet tunnel, where I am able to get process id associated with packet read. Based on process id, i am using libproc to get process name.
I am facing below problem:
For Safari or any other apps which uses WKWebview having same process name: com.apple.WebKit.Networking
Any ways to distinguish wether it is from safari or other xyz wkwebview apps?
Related Problem: https://developer.apple.com/forums/thread/693528 In this thread, app proxy can help but in packet tunnel no such options exposed.
I have an app which hosts network extensions(Packet Tunnel, Filter). I am facing uninstallation issue in scenario 2.
Uninstall API: OSSystemExtensionRequest.deactivationRequest
Scenarion 1:
app version 1.0.0.1,
extension inside app bundle version 1.0.0.1
Installed extension -> version 1.0.0.1
Uninstallation works fine.
Scenarion 2:
app version 1.0.0.2,
extension inside app bundle version 1.0.0.2
Installed extension -> version 1.0.0.1
Uninstallation fails with below error:
deactivation failed for client: /Applications/Remo Security Endpoint Client/ep-client.app/Contents/MacOS/ep-client, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
Question 1: is this by design or we can do something to make uninstall works in case application upgraded and tries to uninstall previous extension version.
Snippet from Apple Doc for API: OSSystemExtensionRequest.deactivationRequest
A deactivation request may require a restart before deactivating the extension. If the request succeeds but requires a restart to complete, the extension may still appear operational until the next restart.
Question 2: How do we know if restart needed or not?
We gets NEPacket during packetFlow.readPacketObjects. Each packet contains src ip as packet tunnel utun virtual interface address.
for example if packet tunnel utun address is 10.10.10.10, then src ip of every packet is 10.10.10.10.
Can we configure packet tunnel in such a way that it gives src ip as ip assigned to system via dhcp/static (primary Ethernet interface en0) instead of 10.10.10.10? I want to do this because tunnel server uses this src ip to perform some business logic.
What if we assigns primary Ethernet interface en0 address to packet tunnel utun address?
Hi,
This is how we create ipv4Settings, then we add includedRoutes, excludedRoutes.
let ipv4Settings = NEIPv4Settings(addresses: addresses, subnetMasks: subnetMask)
In my case, Packet Tunnel Provider reads the packet like this - packetFlow.readPacketObjects, sends packets to C++ module which takes care of sending it to wireguard tunnel, returns packet back to Packet Tunnel Provider for writing. C++ Module does everything related to wireguard tunnel.
As per my understanding, any unique private ipv4, ipv6 address should be fine for creating NEIPv4Settings, NEIPv6Settings. is that correct? or is there anything else i need to consider for setting Utun addresses
as of now i have harcoded it to 10.10.10.10/32 and 2001:db8::/128, will it cause any problem?
Hi,
We are observing few NEPacketTunnelNetworkSettings excludedRoutes ip's in PacketTunnel even-though it is added in exclude routes.
As you can see in network setting where we have added
destinationAddress = 239.255.255.0 destinationSubnetMask = 255.255.255.0
in exclude route, still traffic of IP 239.255.255.250 coming to packet tunnel.
We also observing other IP's traffic that is not added in include route such as: 20.192.170.9
//Network Settings for Packet Tunnel
IPv4Settings = {
configMethod = PPP
addresses = (
10.10.10.10,
)
subnetMasks = (
255.255.255.255,
)
includedRoutes = (
{
destinationAddress = 10.10.10.10
destinationSubnetMask = 255.255.255.255
gatewayAddress = 10.10.10.10
},
)
excludedRoutes = (
{
destinationAddress = 192.168.0.0
destinationSubnetMask = 255.255.0.0
},
{
destinationAddress = 10.0.0.0
destinationSubnetMask = 255.0.0.0
},
{
destinationAddress = 127.0.0.1
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = 172.16.0.0
destinationSubnetMask = 255.240.0.0
},
{
destinationAddress = 239.255.255.0
destinationSubnetMask = 255.255.255.0
},
)
am i doing something wrong in setting NEPacketTunnelNetworkSettings?
Hi,
we have c++ module inside Network Extension which does rest call.
we want to do http rest call in test environment, but it's not responding. status code is 0. https working fine.
I tried adding NSAppTransportSecurity -> NSAllowsArbitraryLoads -> true, but it's crashing because of it.
how can we make http request from Network Extension in test enviroment?