What is the difference between AppProxyProvider and TransparentProxyProvider?
I can see in documentation that NETransparentProxyProvider is derived from NEAppProxyProvider, but what was the need to add a new proxyprovider (NETransparentProxyProvider) when we already had NEAppProxyProvider?
The following call to getaddrinfo makes the 'PacketTunnelProvider' system extension SIGSEGV:
if (hostname != NULL) {
    /* hints and results are parameters of the surrounding function: addrinfo hints, addrinfo **results */
    int ret = getaddrinfo(hostname, port, &hints, results);
    if (ret != 0) {
        printf("Failed to resolve host : %s by getaddrinfo, err : %d (%s)\n", hostname, ret, gai_strerror(ret));
        return false;
    }
}
Most of the time getaddrinfo() is working fine. Can someone please help in understanding what could be causing this crash?
Can this be caused by stack corruption due to C++/C code switching to Objective-C?
Below are the crash details:
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: com.mycompany.client.product-Client.ui.pkttunnel [29951]
Path: /Library/SystemExtensions/*/com.mycompany.client.product-Client.ui.pkttunnel
Identifier: com.mycompany.client.product-Client.ui.pkttunnel
Version: 1.0 (1)
Code Type: X86-64 (Native)
Parent Process: launchd [1]
User ID: 0
Date/Time: 2023-08-18 20:04:43.6346 +0530
OS Version: macOS 13.5 (22G74)
Report Version: 12
Bridge OS Version: 7.6 (20P6072)
Anonymous UUID: F235BB2F-C030-0A58-E5C1-C3FE9796F29C
Sleep/Wake UUID: C73181BF-B3A9-4DED-9556-897ED8C2E0A1
Time Awake Since Boot: 65000 seconds
Time Since Wake: 37781 seconds
System Integrity Protection: enabled
Crashed Thread: 2
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001e13dfa50
Exception Codes: 0x0000000000000001, 0x00000001e13dfa50
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [29951]
VM Region Info: 0x1e13dfa50 is not in any region. Bytes after previous region: 3477011025 Bytes before following region: 105545042363824
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
shared memory 111fef000-111ff0000 [ 4K] rw-/rw- SM=SHM
---> GAP OF 0x5ffeee010000 BYTES
MALLOC_NANO 600000000000-600008000000 [128.0M] rw-/rwx SM=PRV
Thread 0:
0 libsystem_kernel.dylib 0x7ff80ee222b2 __sigsuspend_nocancel + 10
1 libdispatch.dylib 0x7ff80eccbd2f _dispatch_sigsuspend + 36
2 libdispatch.dylib 0x7ff80eccbd0b _dispatch_sig_thread + 49
Thread 1:
********************
********************
********************
********************
Thread 2 Crashed:
0 libobjc.A.dylib 0x7ff80eac64a9 objc_msgSend + 41
1 libobjc.A.dylib 0x7ff80eae6582 objc_object::sidetable_release(bool, bool) + 270
2 Network 0x7ff81553fa04 -[NWConcrete_nw_endpoint .cxx_destruct] + 52
3 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83
4 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99
5 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62
6 Network 0x7ff81553e05a -[NWConcrete_nw_endpoint dealloc] + 778
7 Network 0x7ff815c30f1a -[NWOSAddressEndpoint dealloc] + 74
8 Network 0x7ff815a175bf nw_array_dispose + 383
9 Network 0x7ff815718ab1 -[OS_nw_array dealloc] + 17
10 Network 0x7ff815bd2b3d -[NWConcrete_nw_path .cxx_destruct] + 93
11 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83
12 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99
13 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62
14 Network 0x7ff815bd29af -[NWConcrete_nw_path dealloc] + 127
15 Network 0x7ff815bd045a -[NWConcrete_nw_path_evaluator .cxx_destruct] + 58
16 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83
17 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99
18 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62
19 Network 0x7ff815bd0377 -[NWConcrete_nw_path_evaluator dealloc] + 967
20 Network 0x7ff815a606ca nw_nat64_get_interface_state_internal + 2634
21 Network 0x7ff815a5f905 nw_nat64_copy_prefixes_internal + 101
22 Network 0x7ff815a5f482 nw_nat64_copy_prefixes + 210
23 Network 0x7ff815a62537 nw_nat64_synthesize + 215
24 libsystem_info.dylib 0x7ff80ee9447e _gai_nat64_synthesis + 309
25 libsystem_info.dylib 0x7ff80ee940c2 si_addrinfo + 886
26 libsystem_info.dylib 0x7ff80ee93caf getaddrinfo + 176
27 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c2bb4 ******::resolvehostname(char const*, char const*, addrinfo, addrinfo**) + 32
28 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c4e57 ******::udp_connect() + 323
29 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c48c7 ******::ssl_create() + 129
30 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c9014 ******::ssl_initiate_connect(fd_set&, fd_set&, int&) + 288
31 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c3b3c ******::ssl_connect_thread(int) + 228
32 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3cc691 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void (*)(int), int>>(void*) + 39
33 libsystem_pthread.dylib 0x7ff80ee5b1d3 _pthread_start + 125
34 libsystem_pthread.dylib 0x7ff80ee56bd3 thread_start + 15
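As an added example (not code from the post), a self-contained C version of the resolver wrapper that zero-initialises the hints, reports failures through gai_strerror() and never leaves the out-parameter dangling; the function and parameter names are my own. It does not explain the crash itself, which the trace places below getaddrinfo inside the Network framework's NAT64 synthesis path, but it removes the caller-side mistakes that are easy to make here: an uninitialised hints structure and a result pointer that is read after a failed call.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve hostname:port into a list the caller releases with freeaddrinfo().
 * Returns 0 on success, otherwise a getaddrinfo() status code (see gai_strerror()).
 * numeric_only != 0 accepts only address and port literals, so no DNS query is sent. */
int resolve_hostname(const char *hostname, const char *port, int socktype,
                     int numeric_only, struct addrinfo **results)
{
    struct addrinfo hints;

    if (results == NULL)
        return EAI_FAIL;
    *results = NULL;                  /* a failed call must not leave a stale pointer */
    if (hostname == NULL || port == NULL)
        return EAI_NONAME;

    memset(&hints, 0, sizeof hints);  /* uninitialised hints is undefined behaviour */
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 and IPv6 answers */
    hints.ai_socktype = socktype;     /* SOCK_DGRAM for a udp_connect()-style caller */
    if (numeric_only)
        hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;

    int ret = getaddrinfo(hostname, port, &hints, results);
    if (ret != 0) {
        fprintf(stderr, "Failed to resolve host %s:%s, err %d (%s)\n",
                hostname, port, ret, gai_strerror(ret));
        *results = NULL;
        return ret;
    }
    return 0;
}

/* Port of the first result in host byte order, or -1 if the list is empty. */
int first_result_port(const struct addrinfo *results)
{
    if (results == NULL || results->ai_addr == NULL)
        return -1;
    if (results->ai_family == AF_INET)
        return ntohs(((const struct sockaddr_in *)results->ai_addr)->sin_port);
    if (results->ai_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)results->ai_addr)->sin6_port);
    return -1;
}
```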
We have a packettunnelprovider which we are using for intercepting IP packets. We define includeroutes while setting up the tunnel using 'setTunnelNetworkSettings'.
But later, when we want to disable packet interception, we want to do it from the packettunnelprovider extension itself by resetting the tunnel settings, for which we set 'NETunnelNetworkSettings' to nil in the setTunnelNetworkSettings call. This deletes most of the routes added by includeroutes, but a few are always left out.
% ifconfig utun3
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1300
options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
% netstat -rn -f inet | grep utun3
11.99/24 link#25 UCS utun3
269.254 link#25 UCS utun3
192.168.0 link#25 UCS utun3
Code which we use to reset packet tunnel:
[g_PacketTunnelProvider setTunnelNetworkSettings:nil completionHandler:^(NSError * _Nullable errorNE) {
    if (errorNE != nil) {
        // handle error
    } else {
        // handle success
    }
}];
Can you please help with what could be the reason behind it?
Note: I am aware that VPN can be disabled from provider app, but I want to handle this in packettunnelprovider extension by resetting 'NETunnelNetworkSettings'.
Setup Details:
Apple M2 Pro
macOS: 13.6 (22G120)
My machine came back from sleep at 9:25am. At 9:57am the packet tunnel stopped, and I could find the logs below:
2023-11-08 09:57:51.812259+0530 0x72ad Default 0x4adb 261 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:mycompany myproduct VPN:22FD4FD4-3E93-446F-961B-BFAE92561DD2:(null)]: Received a stop command from SystemUIServer[604] with reason 1
2023-11-08 09:57:52.115967+0530 0x6d02 Default 0x0 796 0 com.mycompany.client.mycompany-Client.myproductui.myproductpkttunnel: (NetworkExtension) [com.apple.networkextension:] [Extension com.mycompany.client.mycompany-Client.myproductui]: Calling stopTunnelWithReason because: Stop command received
Can someone please help me understand:
Why would 'SystemUIServer' trigger a stop command for my packet tunnel vpn with any user action?
filtered.log
full_logs.log
Apple M2 Pro
macOS: 13.6 (22G120)
In my system extension installer's postInstall script I have launch agent configured for the app as below:
launchctl enable gui/$user_uid/com.mycompany.client.myproduct
launchctl bootstrap gui/501 /Library/LaunchAgents/com.mycompany.myproduct.plist
When I install the software using a local user, the service works fine without any issue and is listed in the output of the 'launchctl list' command:
% launchctl list | grep -i mycompany
84714 0 com.mycompany.client.myproduct
But when I log in on the same machine using an AD (Active Directory) user, the service/agent doesn't start and I don't see any entry for the service listed in 'launchctl list'.
This is how my plist file looks:
% defaults read /Library/LaunchAgents/com.mycompany.myproduct.plist
{
CFBundleVersion = "200.200.200.200";
KeepAlive = 1;
Label = "com.mycompany.client.myproduct";
LimitLoadToSessionType = (
Aqua
);
ProgramArguments = (
"/Applications/mycompany.app/Contents/MacOS/Mycompany Module"
);
RunAtLoad = 1;
Version = "200.200.200.200";
}
What am I missing here?
Platform: macOS 12.0
I have an app bundle which contains a packet tunnel extension. I am not running my packettunnel extension in a sandbox as I don't plan to post my app in Apple's App Store.
I have a requirement to run privileged operations, which I can run from any place in the app. As we know, the user app cannot run these privileged operations, so we can use the 'Service Management' API SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier, I can run these privileged tasks from any place in the bundle, and we have a packettunnel extension which is running with root privileges.
So looking at my above environment, what would be recommended? Do I really need to start a privileged helper tool, or can I directly run these privileged operations from the packettunnel extension?
One advantage I see of running these privileged tasks in the packettunnel extension is that it will not require an additional user authentication, which is needed in the case of using SMJobBless(); this will also avoid upgrade management of the helper tool.
Xcode Version 15.2 (15C500b)
After upgrading Xcode from 14 to 15.2 I am not able to attach the system extension (packettunnel) process to the Instruments tool for memory debugging. The same works fine with Xcode 14.
Error displayed: "Process No Longer Exists". But the service is running and is listed in the process list.
% ps -ax | grep -i pkttunnel | grep -v grep
61910 ?? 0:01.04 /Library/SystemExtensions/5F4AF6EF-****-****-****-F11****9CE78/com.******.client.*****-Client.***ui.***pkttunnel.systemextension/Contents/MacOS/com.******.client.*****-Client.***ui.***pkttunnel.systemextension
Note: I am able to attach a normal program to the Instruments tool for memory debugging; I have noticed this issue with system extension processes only.
I have a cert in a keychain that contains a private key. I'd like to add an application to the access control "white list" for that key. I know how to do this using the graphical Keychain tool, but I'd like to do it via the command line (inside a post-install script) or programmatically.
Is it possible to do so?
We have a test scenario where we install our app package on a Mac setup using MDM (Jamf). Below are the test steps and observation:
This installation is done on this Mac with no user logged in.
Installation is completed successfully.
Now when a user logs in on this Mac machine, the expectation is that the app bundle will be started by launchd (RunAtLoad). But the app is not started. When I check the console logs I can see a few logs around the app, but from those logs I couldn't figure out why the app didn't start.
I rebooted my test machine but that also didn't start my app. My app is not listed in the 'launchctl list' command.
My app bundle contains a container app and a packet tunnel extension.
Below is how my plist file looks in '/Library/LaunchAgents/com.****.***ui.plist':
{
KeepAlive = 1;
Label = "com.*****.client.****ui";
LimitLoadToSessionType = (
Aqua
);
ProgramArguments = (
"/Applications/*********.app/Contents/MacOS/****Module"
);
RunAtLoad = 1;
SuccessfulExit = 1;
Version = "110.200.0.100";
}
Below is the last set of logs I could find in Console related to my app:
support_log.txt
In the above logs, the statement below mentions the extension which is related to my app bundle:
2024-03-19 15:48:55.256020+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] [Skipping first 85 of 95 entries]
2024-03-19 15:48:55.256051+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] entry: Thu Feb 8 20:48:26 2024 NetworkExtension.com.*****.client.*****-Client.*****ui.*****pkttunnel.104.2.12.191.104.2.12 (bundle) 0 0 0 0 0 0
Can someone please help me in understanding what could be wrong here? Why wouldn't the 'RunAtLoad' keyword work here to start my app on user login or reboot?
Note: Everything works fine when my app is installed with a user logged in to the test machine. Also, the app starts successfully if I run the command 'launchctl bootstrap gui/ /Library/LaunchAgents/com.****.****ui.plist' in the above mentioned test scenario where the app didn't auto-start by launchd 'RunAtLoad'.
macOS Version: 14.3 (23D56)
In my testing of PacketTunnelProvider on MacOS I have observed that when I do a system shutdown or reboot, PacketTunnelProvider::stopTunnelWithReason() is getting called with reason: NEProviderStopReasonUserInitiated. Note: when I try to disconnect the VPN from system settings PacketTunnelProvider::stopTunnelWithReason() is called with the same reason: NEProviderStopReasonUserInitiated.
I am facing an issue here in identifying what caused PacketTunnelProvider::stopTunnelWithReason(): a system shutdown or a user action?
OS: macOS 14.3 (23D56)
I have a PacketTunnelProvider VPN running with the MTU on the utun interface set to 1300.
% ifconfig utun4
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1300
options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
inet 192.166.54.1 --> 192.166.54.1 netmask 0xffffff00
nd6 options=201<PERFORMNUD,DAD>
When I send jumbo-size packets using ICMP, it works fine up to a 4068-byte packet size; after that, ICMP responses are not accepted by the utun interface.
Working up to 4068-byte packets:
% ping 13.71.68.85 -s 4068
PING 13.71.68.85 (13.71.68.85): 4068 data bytes
4076 bytes from 13.71.68.85: icmp_seq=0 ttl=56 time=46.040 ms
4076 bytes from 13.71.68.85: icmp_seq=1 ttl=56 time=25.353 ms
Not working when sending 4069-byte packets:
% ping 13.71.68.85 -s 4069
PING 13.71.68.85 (13.71.68.85): 4069 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
In the system logs I could see the errors below:
% log stream | grep utun4
2024-06-19 17:22:34.666286+0530 0x7ee9e2 Error 0x0 0 0 kernel: utun_netif_sync_rx utun4: legacy packet length 4097 > 4096
2024-06-19 17:22:35.637723+0530 0x7ee9e2 Error 0x0 0 0 kernel: utun_netif_sync_rx utun4: legacy packet length 4097 > 4096
Note: The same works fine on the en0 interface when the packet is not routed via the utun interface.
Working up to 8184-byte packets on the en0 interface:
% ping 13.71.68.85 -s 8184
PING 13.71.68.85 (13.71.68.85): 8184 data bytes
8192 bytes from 13.71.68.85: icmp_seq=0 ttl=51 time=198.928 ms
8192 bytes from 13.71.68.85: icmp_seq=1 ttl=51 time=46.139 ms
% ping 13.71.68.85 -s 8185
PING 13.71.68.85 (13.71.68.85): 8185 data bytes
ping: sendto: Message too long
ping: sendto: Message too long
Does this mean that on the utun interface we do not support interception of packets larger than 4096 bytes?
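As an added check (not part of the post), the sizes in the output line up with the kernel message: each ping -s N datagram is N data bytes plus the 8-byte ICMP echo header and a 20-byte IPv4 header without options, so 4068 lands exactly on 4096 and 4069 on the 4097 the kernel rejects. The C below, with function names of my own, encodes that arithmetic and pulls the two numbers out of a utun_netif_sync_rx log line so the limit can be checked against a log stream; the IPv4-without-options header size is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define IPV4_HEADER_LEN      20   /* IPv4 header without options (assumed) */
#define ICMP_ECHO_HEADER_LEN  8   /* type, code, checksum, identifier, sequence */

/* On-wire IPv4 packet length for `ping -s data_len` (no IP options, no fragmentation). */
int icmp_echo_packet_len(int data_len)
{
    return IPV4_HEADER_LEN + ICMP_ECHO_HEADER_LEN + data_len;
}

/* Largest `ping -s` value whose packet fits a given per-packet limit. */
int max_ping_data_for_limit(int limit)
{
    return limit - IPV4_HEADER_LEN - ICMP_ECHO_HEADER_LEN;
}

/* Extract the rejected length and the limit from a kernel line such as
 *   "... kernel: utun_netif_sync_rx utun4: legacy packet length 4097 > 4096"
 * Returns 1 and fills both values on a match, 0 for any other line. */
int parse_utun_length_error(const char *line, int *pkt_len, int *limit)
{
    const char *p = strstr(line, "legacy packet length ");
    if (p == NULL)
        return 0;
    return sscanf(p, "legacy packet length %d > %d", pkt_len, limit) == 2;
}

/* 1 if a `ping -s data_len` packet would be rejected under the logged limit. */
int ping_exceeds_limit(int data_len, int limit)
{
    return icmp_echo_packet_len(data_len) > limit;
}
```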