I need some reference on how to check what the IP version (IPv4 or IPv6) of the flow we have received in AppProxy::handleNewFlow() is. Based on this there is business logic which I need to apply to the flow.
I checked the flow::metadata and other references in AppProxy documentation but couldn’t find anything.
When we activate AppProxyProvider to proxy traffic, YouTube streaming is not working, but at the same time Google Chrome seems to be working. We also verified this with some Apple services, and the services below also seem not to be working:
1) Apple Safari - Not working
2) Apple Mail - Not working
3) Apple Maps - Not working (showing connection issue)
4) App Store - Not working
5) Some more might not be working with AppProxy enabled; we have not verified all of them
Issues are not seen when we disable AppProxyProvider.
In my testing I am observing many times that NEAppProxyFlow is returning a domain name for the hostname field:
(tcpFlow.remoteEndpoint as! NWHostEndpoint).hostname.
I am not sure; I am not changing anything in settings anywhere and it starts returning a domain name. I don't have steps to reproduce this. Due to this my policy lookups are failing, as I am expecting to get an IP address all the time.
How can I make sure that '(tcpFlow.remoteEndpoint as! NWHostEndpoint).hostname' always returns an IP address?
Below are some logs around this:
2020-11-09 22:30:41.842395-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2726.1 IPv4#655f88fe:443 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: path:satisfied @0.061s, uuid: 9A4D9824-E905-45EE-9FB4-07B4E6B0A00F
2020-11-09 22:30:41.842583-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2726.1 IPv4#655f88fe:443 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: flow:start_connect @0.061s
2020-11-09 22:30:42.014713-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2726 Hostname#acf7adf9:443 in_progress resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: resolver:receive_dns @0.233s
2020-11-09 22:30:42.391795-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2726.2 IPv4#bfba2279:443 initial path ((null))] event: path:start @0.610s
2020-11-09 22:30:42.392011-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2726.2 IPv4#bfba2279:443 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: path:satisfied @0.611s, uuid: DB896A4B-0054-48A3-B0A4-5ECF95C32670
2020-11-09 22:30:42.392356-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2726.2 IPv4#bfba2279:443 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: flow:start_connect @0.611s
2020-11-09 22:30:42.393115-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (NetworkExtension) [com.apple.networkextension:] (0): Flow 1907125168 is connecting
2020-11-09 22:30:42.393348-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (NetworkExtension) [com.apple.networkextension:] (1907125168): New flow: NEFlow type = stream, app = ksfetch, name = tools.google.com, 10.213.175.250:0 <-> 172.217.6.174:443, filter_id = , interface = en0
2020-11-09 22:30:42.393547-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (NetworkExtension) [com.apple.networkextension:] [Extension com.mcafee.containerapp]: Calling handleNewFlow with TCP ksfetch[{length = 20, bytes = 0x1af5d141044be4f949ec1beea77f1127d4a6ce56}] remote: tools.google.com:443
2020-11-09 22:30:42.395619-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (Security) [com.apple.securityd:security_exception] UNIX error exception: 1
2020-11-09 22:30:42.395710-0800 0x6b92d Error 0x0 353 0 com.mcafee.CMF.networkextension: PolicyDataStore: AddEventInfo Point product is DOWN.
2020-11-09 22:30:42.395713-0800 0x6b92d Error 0x0 353 0 com.mcafee.CMF.networkextension: EvaluateNwPolicies: Returned Reaction = AAC_REACTION_REDIRECT_DEFAULT
2020-11-09 22:30:42.395732-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: [com.mcafee.dev.PassThroughProxy:providerCore] checkPolicyForRedirection: Bypassing. Not redictecing traffic to dest: tools.google.com:443
2020-11-09 22:30:42.395776-0800 0x6b92d Default 0x0 353 0 com.mcafee.CMF.networkextension: (NetworkExtension) [com.apple.networkextension:] [Extension com.mcafee.containerapp]: provider accepted new flow TCP ksfetch[{length = 20, bytes = 0x1af5d141044be4f949ec1beea77f1127d4a6ce56}] remote: tools.google.com:443
2020-11-09 22:30:42.395919-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2727 38F5ABC4-077F-47F5-B939-8A9E95340EE0 Hostname#acf7adf9:443 tcp, indefinite, context: Default Network Context, proc: 53E40884-A25D-3FDD-A2D4-542F4586BD18] start
2020-11-09 22:30:42.395925-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2727 Hostname#acf7adf9:443 initial path ((null))] event: path:start @0.000s
2020-11-09 22:30:42.396006-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2727 Hostname#acf7adf9:443 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: path:satisfied @0.000s, uuid: 2B125408-A5D4-4067-92F4-7B8D65C657B4
2020-11-09 22:30:42.396024-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2727 Hostname#acf7adf9:443 in_progress resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: resolver:start_dns @0.000s
2020-11-09 22:30:42.396026-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] nw_connection_report_state_with_handler_on_nw_queue [C2727] reporting state preparing
2020-11-09 22:30:42.396112-0800 0x6b8ee Default 0x0 353 0 com.mcafee.CMF.networkextension: (libnetwork.dylib) [com.apple.network:connection] [C2727 Hostname#acf7adf9:443 in_progress resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns)] event: resolver:receive_dns @0.000s
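The two questions above (which IP version a flow carries, and the remote endpoint arriving as a domain name such as "tools.google.com:443" in the log) share one check. The added example below is not code from the posts: it classifies the flow's remote endpoint into IPv4 literal, IPv6 literal, or unresolved hostname without doing any DNS, so a policy lookup can branch on the actual case instead of assuming an IP address. Only Apple's NetworkExtension API and the Darwin inet_pton routine are used; `remoteAddressFamily` is an assumed helper name.

```swift
import Foundation
import NetworkExtension

// Added example, not code from the posts.
enum RemoteAddress {
    case ipv4(String, port: String)
    case ipv6(String, port: String)
    case hostname(String, port: String)   // flow arrived unresolved, as in the log above
    case unknown                          // not an NWHostEndpoint (e.g. a Bonjour endpoint)
}

/// Parses an address literal without touching DNS. An IPv6 zone suffix
/// such as "%en0" is stripped first because inet_pton rejects it.
func parseAddressLiteral(_ text: String) -> (isV4: Bool, isV6: Bool) {
    let bare = text.split(separator: "%", maxSplits: 1).first.map(String.init) ?? text
    var v4 = in_addr()
    if bare.withCString({ inet_pton(AF_INET, $0, &v4) }) == 1 { return (true, false) }
    var v6 = in6_addr()
    if bare.withCString({ inet_pton(AF_INET6, $0, &v6) }) == 1 { return (false, true) }
    return (false, false)
}

/// Classifies what `flow.remoteEndpoint` actually carries.
func classifyRemote(_ endpoint: NWEndpoint) -> RemoteAddress {
    guard let host = endpoint as? NWHostEndpoint else { return .unknown }
    let parsed = parseAddressLiteral(host.hostname)
    if parsed.isV4 { return .ipv4(host.hostname, port: host.port) }
    if parsed.isV6 { return .ipv6(host.hostname, port: host.port) }
    // Neither literal parsed: the system handed us a name, not an address.
    return .hostname(host.hostname, port: host.port)
}

/// Address family for the IP-version branch of the policy; nil when the
/// endpoint is a hostname, which needs a name-based lookup instead.
func remoteAddressFamily(of flow: NEAppProxyFlow) -> Int32? {
    switch classifyRemote(flow.remoteEndpoint) {
    case .ipv4: return AF_INET
    case .ipv6: return AF_INET6
    case .hostname, .unknown: return nil
    }
}
```

Treating the hostname case as a distinct outcome (rather than a failed IP lookup) keeps the policy decision explicit for flows the system delivers before resolution.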
Setup Details:
ProductName: macOS
ProductVersion: 11.5.1
BuildVersion: 20G80
Platform: arm64
Rosetta2 emulator is installed.
My Network Extension app, which has the entitlements below, is not working on many M1 MacBooks. The behavior is very random: on some M1 systems it does work without any issue and on a few systems it never works:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/var/db/mds/</string>
        <string>/usr/local/myorg/Mcp/bin/</string>
        <string>/usr/local/myorg/StatefulFirewall/bin/</string>
    </array>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.myorg.endpoint</string>
    </array>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
Error in system extension:
2021-09-30 12:41:53.049345-0400 0x361f5b Error 0x0 60247 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.myorg.CMF.networkextension: Unsatisfied entitlements: com.apple.security.application-groups
More logs are attached:
At one instance, the package which is working on many M1 machines crashed with an 'EXC_CRASH (Code Signature Invalid)' exception:
Process: com.myorg.CMF.networkextension [503]
Path: /Library/SystemExtensions/*/com.myorg.CMF.networkextension
Identifier: com.myorg.CMF.networkextension
Version: ???
Code Type: X86-64 (Translated)
Parent Process: launchd [1]
Responsible: com.myorg.CMF.networkextension [503]
User ID: 0
Date/Time: 2021-09-30 12:55:27.365 -0400
OS Version: macOS 11.5.1 (20G80)
Report Version: 12
Anonymous UUID: BBAF0CEC-BDE6-1239-9E5D-9099403D7616
Time Awake Since Boot: 63 seconds
System Integrity Protection: enabled
Crashed Thread: Unknown
Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
kernel messages:
VM Regions Near 0 (cr2):
-->
mapped file 102b7f000-102baf000 [ 192K] r-x/r-x SM=COW Object_id=2f6c9e1b
Backtrace not available
Unknown thread crashed with ARM Thread State (64-bit):
..................
Could you please help me understand why the same package, which is working fine on Intel Mac machines and also on some M1 Mac machines, fails on other M1 Mac machines?
What could we be doing wrong here?
How can a process outside the App Group add an observer for a TransparentProxyProvider network VPN interface?
I have a TransparentProxyProvider VPN implemented in an Xcode project, which contains the system extension (TransparentProxyProvider) and an app which configures and enables the VPN. Both of these are inside the same App Sandbox.
Now I have another service (a C++ project) which needs to take some action when the above VPN status is changing (from Disconnected -> Connecting -> Connected). I have the limitation that I cannot put this service in the same project where the system extension is built.
Is there a method available with which I can add an observer on the VPN status from an outside process?
While uninstalling the system extension, the user gets a pop-up for user consent asking to enter administrator credentials to allow the uninstallation. We couldn't find a method to avoid this user consent and allow system extension removal silently. This is becoming an issue for one of our customers.
On the other hand, system extension installation can be handled silently using MDM profiles.
Can you please suggest a method to allow silent uninstallation of system extension?
An AppProxy VPN can be disconnected by using the "Disconnect" option in Network settings.
How can I disable the 'Disconnect' button for the VPN in Network settings? Currently this can be disabled even without opening the lock (bottom).
Or can we somehow disable the effect of the disconnect action, i.e. the user cannot stop the VPN from this place?
I am trying to find the available methods to capture selective IP traffic and tunnel it using UDP tunneling.
I went through the online resources and found that we can achieve this using PacketTunnelProvider, where we configure the tunnel and then define inbound and outbound reader and writer functions.
Another method I found is to open a utun socket, assign source and destination tunnel addresses for the tunnel endpoints, and then start doing read/write operations on the utun interface, where our application will be able to read any traffic coming to that interface (we also need to configure appropriate routes for the utun interface to redirect traffic).
I wanted to understand the difference between the two methods, and in which scenarios each should be used?
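The PacketTunnelProvider reader/writer pair described above, as an added example that is not code from the post. It takes the IP version of each outbound packet from the protocol number the system supplies alongside it, tunnels only the families the policy allows, and re-injects decapsulated packets inbound; `sendOverUDP` and `injectInbound` are hypothetical hooks standing in for the UDP transport.

```swift
import Foundation
import NetworkExtension

// Added example, not the poster's code.
final class ExampleTunnelProvider: NEPacketTunnelProvider {
    // Hypothetical transport; a real one would be an NWConnection to the tunnel server.
    var sendOverUDP: ((Data, Int32) -> Void)?

    /// Outbound: read packets the system routed into the utun, keep only the
    /// address families we tunnel, hand them to the transport, then re-arm the read.
    func startOutboundLoop(allowIPv6: Bool) {
        packetFlow.readPackets { [weak self] packets, protocols in
            guard let self = self else { return }
            for (packet, proto) in zip(packets, protocols) {
                let family = proto.int32Value                     // AF_INET or AF_INET6
                if family == AF_INET6 && !allowIPv6 { continue }  // dropped, not tunnelled
                self.sendOverUDP?(packet, family)
            }
            self.startOutboundLoop(allowIPv6: allowIPv6)          // one read per completion
        }
    }

    /// Inbound: packets decapsulated from the UDP tunnel go back into the utun.
    /// Packets whose header does not carry a recognisable version are discarded.
    func injectInbound(_ packets: [Data]) {
        let usable = packets.filter { ipFamily(ofPacket: $0) != 0 }
        let families = usable.map { NSNumber(value: ipFamily(ofPacket: $0)) }
        _ = packetFlow.writePackets(usable, withProtocols: families)
    }
}

/// Address family from the IP version nibble of the header; 0 when unrecognised.
func ipFamily(ofPacket packet: Data) -> Int32 {
    guard let first = packet.first else { return 0 }
    switch first >> 4 {
    case 4: return AF_INET
    case 6: return AF_INET6
    default: return 0
    }
}
```

With the utun-socket approach the provider has to derive the family itself, as `ipFamily` does, because no protocol array accompanies the raw reads.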
How to pass a parameter to an async call in swift.
In a function, when I try to pass a stack-local auto variable to an async block, in some scenarios I could see that the passed parameter has changed in the code below. The possible reason I could think of is that as soon as the function (handleNewFlow) returns, the stack memory location (for supportedFlow) is freed to be taken by other functions:
// The TCP flows are actually run through the flow copying process
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
    // See the doc comment for `canHandleNewFlow(_:)` for an explanation of
    // why the code below is structured this way.
    let (supportedFlow, proxyServer, proxyPort, shouldBlock) = self.core.supportedFlowForFlow(flow, remote_endpoint: nil)
    // os_log(.debug, log: self.log, "Provider did handle flow with server :: %{public}@ and port :: %{public}@", proxyServer!, proxyPort!)
    if (supportedFlow != nil) {
        self.queue.async {
            if (shouldBlock == true) {
                // TODO with proper handling of flow
                os_log(.debug, log: self.log, "TransparentProxy Provider want to block this TCP flow, flow: 0x%zx", flow.osLogID)
                let error = NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey : "Connection Refused"])
                flow.closeReadWithError(error)
                flow.closeWriteWithError(error)
            } else {
                self.core.handleNewSupportedFlow(supportedFlow!, proxyServer!, proxyPort!)
            }
        }
        os_log(.debug, log: self.log, "Provider did handle new flow, flow: 0x%zx", flow.osLogID)
        return true
    } else {
        os_log(.debug, log: self.log, "Provider did not handle new flow, flow: 0x%zx", flow.osLogID)
        return false
    }
}
In the above code I could see that the value of 'supportedFlow' is not always correct when 'self.core.handleNewSupportedFlow()' is called:
self.core.handleNewSupportedFlow(supportedFlow!, proxyServer!, proxyPort!)
Can someone help me in passing 'supportedFlow' as a thread function parameter in the async block?
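An added example, not the poster's code, showing the explicit form of handing values to a DispatchQueue.async block: the decision is computed and unwrapped before the dispatch, then named in the closure's capture list, so the block holds its own immutable copy of each value rather than reading anything back from the enclosing function after it has returned. `FlowDecision`, `decide(for:)`, `relay(_:via:port:)` and the queue and log names are assumptions standing in for the poster's `core` calls.

```swift
import Foundation
import NetworkExtension
import os

// Added example, not the poster's code. Value type: copied into the closure, never shared.
struct FlowDecision {
    let proxyServer: String
    let proxyPort: String
    let shouldBlock: Bool
}

final class ExampleProxyProvider: NETransparentProxyProvider {
    private let queue = DispatchQueue(label: "example.proxy.flow-queue")     // assumed label
    private let log = OSLog(subsystem: "example.proxy", category: "flow")    // assumed subsystem

    // Hypothetical stand-in for `core.supportedFlowForFlow`; nil means "not ours".
    private func decide(for flow: NEAppProxyFlow) -> FlowDecision? {
        guard flow is NEAppProxyTCPFlow else { return nil }
        return FlowDecision(proxyServer: "proxy.example.invalid", proxyPort: "8080", shouldBlock: false)
    }

    // Hypothetical stand-in for `core.handleNewSupportedFlow`.
    private func relay(_ flow: NEAppProxyFlow, via server: String, port: String) { }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Unwrap on the calling thread; the optional never enters the closure.
        guard let decision = decide(for: flow) else {
            os_log(.debug, log: log, "Not handling flow from %{public}@", flow.metaData.sourceAppSigningIdentifier)
            return false
        }
        // Explicit capture list: `decision` is copied here, `flow` is retained by
        // the closure. The block depends on nothing left on this function's stack.
        queue.async { [decision, flow] in
            if decision.shouldBlock {
                let error = NSError(domain: "example.proxy", code: 1,
                                    userInfo: [NSLocalizedDescriptionKey: "Connection refused by policy"])
                flow.closeReadWithError(error)
                flow.closeWriteWithError(error)
                os_log(.debug, log: self.log, "Blocked flow from %{public}@", flow.metaData.sourceAppSigningIdentifier)
            } else {
                self.relay(flow, via: decision.proxyServer, port: decision.proxyPort)
            }
        }
        return true
    }
}
```

If the object returned by the policy lookup is a class instance that other code keeps mutating, a capture list alone will not freeze it; copying the fields into a value type such as `FlowDecision` before dispatching does.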