Hi @eskimo
C++ code is cross platform library for tunnel related tasks. It uses libcurl to do HTTP/HTTPS requests.
what may be the reason for http not working? how to get exception for http?
Post
Replies
Boosts
Views
Activity
Hi Eskimo,
Please find the crash dumps attached.
Crash Dumps
Thanks a ton @eskimo
lsof doesn't works in sandboxed enviroment.
i wanted to use lsof -i:port. i.e lsof -i:443 and grab Name(TCP 172.20.10.3:62323->52.98.87.66:https (ESTABLISHED)) as you can see last part in below command output.
faisalikwal@TTWPXM6W4Y ~ % lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
CalendarA 757 faisalikwal 82u IPv4 0x9b970081ec8283e5 0t0 TCP 172.20.10.3:62323->52.98.87.66:https (ESTABLISHED)
exchanges 758 faisalikwal 8u IPv4 0x9b970081ec8303e5 0t0 TCP 172.20.10.3:62241->40.99.34.226:https (ESTABLISHED)
Notes 867 faisalikwal 28u IPv4 0x9b970081ec001915 0t0 TCP localhost:62472->52.98.86.162:https (CLOSED)
Mail 868 faisalikwal 83u IPv4 0x9b970081ec7d0e7d 0t0 TCP 172.20.10.3:62488->40.99.34.242:https (ESTABLISHED)
Google 942 faisalikwal 22u IPv4 0x9b970081ec02794d 0t0 TCP 172.20.10.3:62512->okapi-services-apse1.apple.com:https (ESTABLISHED)
My ultimate goal is to identify process belong to NEPacket received by packet tunnel provider since apple doesn't exposes metadata in packet tunnel(except perapp cases).
I will have a look at lsof code to check how they do it.
@eskimo it is port used for network communication over the internet such as TCP, UDP etc
Hi,
Following include setting working. But i am not sure below setting in place of ipv4Settings 0.0.0.0 or default will have any serious drawbacks.
settings.ipv4Settings?.includedRoutes = [
NEIPv4Route(destinationAddress: "0.0.0.0", subnetMask: "128.0.0.0"),
NEIPv4Route(destinationAddress: "128.0.0.0", subnetMask: "128.0.0.0")
]
//DNS 8.8.8.8, 10.212.24.222
settings.ipv4Settings?.excludedRoutes = [
NEIPv4Route(destinationAddress: "8.8.8.8", subnetMask: "255.255.255.255"),
NEIPv4Route(destinationAddress: "10.212.24.222", subnetMask: "255.255.255.255")]
Hi, By mistake i have pasted wrong code of filter rule. I don't see any option to edit post hence replying.
I have applied rules on remote as below.
let filterRules = ["0.0.0.0", "::"].map { address -> NEFilterRule in
let remoteNetwork = NWHostEndpoint(hostname: address, port: "0")
let networkRule = NENetworkRule(remoteNetwork: remoteNetwork,
remotePrefix: 0,
localNetwork: nil,
localPrefix: 0,
protocol: .TCP,
direction: .any)
return NEFilterRule(networkRule: networkRule, action: .filterData)
}
I have added dropping 10.207.135.79 in method override func handleOutboundData as well
FYI
Following code working fine on linux, but not working on mac.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void) {
int i, recv_length, sockfd;
u_char buffer[9000];
printf("Opening socket\n");
if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
printf("Socket failed!!\n");
return -1;
}
printf("Socket opened\n");
for(i=0; i < 3; i++) {
printf("Going to read i: %d\n", i);
recv_length = recv(sockfd, buffer, 8000, 0);
printf("Got some bytes : %d\n", recv_length);
}
return 0;
}
Can you take a step back and explain your high-level goal?
I am getting NEPacket via Packet tunnel provider System extension. I need to forward this packet to server Which will re-injected this ip packet into network stack after processing.
Since raw socket can't be opened by system extension due to sandbox restriction, i am reading IP packet in separate process via BSD Packet Filter(BPF) - read(bpf, bpfBuffer, bufLength);
After receiving IP Packet at the bpf end, I am using raw socket to send it to server. sendto is working fine, its getting receive at server end. recvfrom is failing.
For ICMP, both sendto and recvfrom is working fine.
Please let me know if any other ways to achieve this?
Hi @eskimo,
This book is really helpful. Thank you.
There is one more point under Raw Socket Input:
All IP datagrams with a protocol field that the kernel does not understand are passed to a raw socket. The only kernel processing done on these packets is the minimal verification of some IP header fields: the IP version, IPv4 header checksum, header length, and destination IP address (pp. 213–220 of TCPv2).
is there any workaround that we can do with ip packet during sendto so that kernel does not understand and passes to raw socket?
Hi @eskimo,
You can see below console SS my app com.xyz.abc.networkextension not available.
@Igal, @UnisysDavidMcLaren
I am also trying to open raw socket in PacketTunnelProvider systemextension and running into same issue Operation not permitted.
please let me know if you guys succeeded on this?