Post | Replies | Boosts | Views | Activity

Alternatives to deprecated NKE APIs
Hi,

We have an NKE in our product. This NKE uses deprecated KPIs such as sflt_register, sfltderegister, sock_connect, etc. To our surprise, it got loaded on macOS Big Sur 11 Beta 4 with the user’s authorisation from System Preferences (we saw a "system extension(s) updated" warning message when it loaded). But on Beta 5, the same NKE is not getting loaded (we saw a "System Extension Blocked" warning). Is there any procedure that we can automate to load an NKE in Big Sur 11.0?

Let me explain a bit about what our NKE does. This NKE is used to filter the outbound network traffic on ports, say 123, 234, using socketfilter. We have a client process which listens locally on ports, say 345, 456. We use KEXT control KPIs for bi-directional communication between the client process and the NKE. Using the NKE, this outbound network traffic is diverted to the local client process using the sock_connect KPI as below:

     Socket (<outbound IP>:123) => Socket (127.0.0.1:345)
     Socket (<outbound IP>:234) => Socket (127.0.0.1:456)

Since sockfilter and sock_connect and some other NKE-related KPIs are deprecated, what are the exact alternative KPIs in NetworkExtension.framework? How can we achieve the above functionality using the NetworkExtension.framework?

Appreciate your help in this regard!!
Replies: 3 | Boosts: 0 | Views: 1.1k | Activity: Aug ’20
Transparent proxy on macOS is unable to catch accountsd connections
Hi,

We are working on developing a network transparent proxy using a system extension for macOS Big Sur, using the NEAppProxyProvider and NETransparentProxyManager APIs for capturing SMTP, IMAP and POP connections. We have defined network rules in the proxy provider to capture outgoing connections on ports 25, 465, 143, 993. We defined only the remote network with the wildcard IPv4 address "0.0.0.0" and the above ports.

It is able to catch the outgoing connection to port 993 from Mail.app. But when we try to change the mail account setting to port 143 and save, the Mail app was not making any connection. With some analysis, we found that accountsd was handling accounts, and when we change any setting such as the port and save, accountsd was connecting to the mail server on that port.

Now the strange behaviour is that our transparent proxy is not able to catch this accountsd connection to port 143. If we use the good old NKE on 10.15, we are able to capture the outgoing connection from the accountsd process. We expect similar behaviour with the network system extension too.

Right now, we are stuck on this issue. How can we make our network system extension able to catch accountsd traffic?

Thanks in advance!!
Replies: 5 | Boosts: 0 | Views: 2.4k | Activity: Dec ’20
macOS network transparent proxy goes to disconnected state after reboot
I am working on developing a network transparent proxy for macOS using NETransparentProxyManager and NEAppProxyProvider. I am doing system extension activation, proxy config addition and starting the tunnel through the container app of the system extension. I made it a launchagent in /Library/LaunchAgents.

I wanted the proxy to always be in the connected state in network preferences, even after a restart, manual disconnect or manual deletion of the proxy. What I did was make the container app of the system extension a launchagent. The task of this launchagent is to check for the proxy configuration, add/update it and start the connection. It is working, but it needs a user session to launch that agent.

But I am looking for other methods to remove the dependency on the user session (for the VPN tunnel to start automatically), something at system level so that when the user logs in everything is all ready (like NKE behavior). After a restart also, it must go to the connected state automatically. I was looking at the sleep and wake calls, but they seem not to be getting called at restart.

How to ensure the connected state of the network transparent proxy after restart without depending on a user session?

Another query which is irrelevant to this is:

2. We have a mach service in the system extension, and we have a launchagent which communicates with this mach service. Sometimes, by the time the launchagent is launched, the mach service is not coming up. How to synchronize these two? How to wait in the launchagent until the mach service is ready?
Replies: 1 | Boosts: 0 | Views: 1.7k | Activity: Dec ’20
Content Filter and App proxy provider compatibility issue
We have two different products. Both have implemented network system extensions.

One product implemented a content filter provider with both socket and packet level filtering and with a rule to filter all data. That means every network connection goes through this provider.

The second product implemented an App Proxy provider which proxies non-SSL POP3 mail traffic and diverts that connection to a local process for further processing; the local process then makes a connection outside and sends the data out to that destination after the required processing.

We are currently seeing an issue when both providers are running. The connections made by the App Proxy provider are being broken in the presence of the Content Filter provider. When the content filter provider is deleted from network preferences, we see our App Proxy provider working as expected.

Environment: macOS Big Sur 11.2

Can you help me in recognising what is going wrong here?
Replies: 2 | Boosts: 0 | Views: 598 | Activity: Feb ’21
Network System Extension upgrade issue
We are trying to update the network system extension on macOS 12.4. But sysextd is crashing and failing to update the system extension. I am sharing the sysextd logs and crash report here:

sysextd console logs: sysextd_logs.txt
sysextd crash report: sysextd_crash.txt

I am still working to figure out what is happening right now. Can somebody help me in resolving this issue?
Replies: 12 | Boosts: 0 | Views: 1.9k | Activity: Jun ’22