I'm developing a transparent proxy extension and noticed the following misbehaviour:
When NETransparentProxyProvider starts, if there are existing connections that match the rules, apps with these connections get an error (-41, Protocol wrong type for socket) from the write()/send() syscall.
This leads Apple SSH and node.js to consume 100% CPU, because they want to write to the socket and can't, while never receiving a read event with an error.
Steps to reproduce (on Big Sur):
Run SSH to some server on the internet.
Run NETransparentProxyProvider example from https://github.com/sfionov/expert-octo-chainsaw
Press a key in SSH
See that Apple SSH consumes 100% CPU in Activity Monitor.
In Activity Monitor's sample you may see thousands of selects and unsuccessful writes.
Usually a socket error is processed in the read event, not the write event, so the lack of a read event with an error on an unusable socket is very confusing. :(
node.js apps with libuv SSL sockets start consuming a lot of CPU too.
Is there any workaround? Or a way I could force these applications to close unusable sockets after the network extension starts?
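The spin described above comes from a select()/write() loop that treats every send() failure as "try again later" and waits for a read event that never arrives. The following added example (not code from the post, from ssh, or from libuv) shows that loop next to one that closes the socket on the first non-transient send error. It cannot produce EPROTOTYPE without the extension installed, so it constructs a socket whose peer is already closed and uses the resulting EPIPE as a stand-in; that substitution, and the names pump_naive/pump_robust/make_dead_socket, are this example's own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum pump_status { PUMP_SENT, PUMP_CLOSED, PUMP_GAVE_UP };

/* Wait up to 10 ms for fd to become writable; 1 if it did, 0 otherwise. */
static int wait_writable(int fd)
{
    fd_set wfds;
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    struct timeval tv = { 0, 10000 };
    int r = select(fd + 1, NULL, &wfds, NULL, &tv);
    return r > 0 && FD_ISSET(fd, &wfds);
}

/* Send as much of buf[*off..len) as the socket accepts.
 * Returns 1 when everything is out, 0 on a transient condition
 * (EINTR/EAGAIN), -1 on any other error with errno left set. */
static int send_some(int fd, const char *buf, size_t len, size_t *off)
{
    while (*off < len) {
        ssize_t n = send(fd, buf + *off, len - *off, 0);
        if (n >= 0) { *off += (size_t)n; continue; }
        if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK) return 0;
        return -1;
    }
    return 1;
}

/* The loop the post describes: select() for writability, write, and on
 * failure go straight back to select(), expecting a read event to deliver
 * the error. The socket stays "writable", so this spins until max_iter. */
enum pump_status pump_naive(int fd, const char *buf, size_t len,
                            int max_iter, int *iters)
{
    size_t off = 0;
    *iters = 0;
    while (*iters < max_iter) {
        (*iters)++;
        if (!wait_writable(fd)) continue;
        if (send_some(fd, buf, len, &off) == 1) return PUMP_SENT;
        /* send error ignored here: that is the bug */
    }
    return PUMP_GAVE_UP;
}

/* Same loop, but a non-transient send error ends the connection:
 * record errno, close the descriptor, stop. */
enum pump_status pump_robust(int fd, const char *buf, size_t len,
                             int max_iter, int *iters, int *err)
{
    size_t off = 0;
    *iters = 0;
    while (*iters < max_iter) {
        (*iters)++;
        if (!wait_writable(fd)) continue;
        int r = send_some(fd, buf, len, &off);
        if (r == 1) return PUMP_SENT;
        if (r < 0) { *err = errno; close(fd); return PUMP_CLOSED; }
    }
    return PUMP_GAVE_UP;
}

/* Constructed fixture: one end of an AF_UNIX socketpair whose peer is
 * already closed, so send() fails with EPIPE. This stands in for the
 * EPROTOTYPE the proxy produces (an assumption of this example).
 * SIGPIPE is ignored so the failure is reported through errno. */
int make_dead_socket(void)
{
    int sv[2];
    signal(SIGPIPE, SIG_IGN);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    close(sv[1]);
    return sv[0];
}

int main(void)
{
    int iters = 0, err = 0;
    int fd = make_dead_socket();
    enum pump_status s = pump_robust(fd, "ping", 4, 1000, &iters, &err);
    printf("robust: status=%d iters=%d errno=%d (%s)\n", s, iters, err, strerror(err));
    fd = make_dead_socket();
    s = pump_naive(fd, "ping", 4, 1000, &iters);
    printf("naive: status=%d iters=%d\n", s, iters);
    close(fd);
    return 0;
}
```

Run stand-alone, the robust loop reports one iteration and closes; the naive loop burns through all 1000 iterations without blocking, which is the thousands-of-selects pattern visible in the Activity Monitor sample.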
Hello!
I faced a problem (reproducer attached to FB8918126) when both NEFilterDataProvider and NEProxyTransparentManager match the same connection.
Safari cannot connect a web socket, and other programs (e.g. Adobe Cloud Sync) fail too.
Steps to reproduce: Enable a data filter extension that matches every outgoing connection and returns allowVerdict() in handleNewFlow.
Enable a transparent proxy extension that matches every outgoing connection and returns NO in handleNewFlow (actually, returning YES and properly redirecting the data doesn't help either).
Make sure that both the filter data provider and the transparent proxy are enabled in Network settings.
Open web.whatsapp.com in Safari.
Expected behaviour:
Site opens
Actual behaviour:
WebSocket network error: OSStatus Error -9810: Internal error
Note that turning off either one of the extensions immediately eliminates the issue.
OS is Big Sur beta 11.1
Hello!
I create a NETransparentProxy with the following configuration:
// Single outbound TCP rule: remote network 2000::/3, any port, no local constraint.
settings.includedNetworkRules = @[[[NENetworkRule alloc]
    initWithRemoteNetwork:[NWHostEndpoint endpointWithHostname:@"2000::" port:@"0"]
             remotePrefix:3
             localNetwork:nil
              localPrefix:0
                 protocol:NENetworkRuleProtocolTCP
                direction:NETrafficDirectionOutbound]];
So there is a wildcard port and the IPv6 network 2000::/3 (global unicast).
After this rule is created, any incoming connection from any IPv6 host is dropped.
And when it is dropped, there is no activity at all in the AppProxyProvider and nothing in the NSLog output of the network extension.
Is it a bug? Why does it affect incoming traffic, when NETransparentProxy may only have outbound rules?
Good old kernel extensions don't break incoming connections when diverting sockets.
I use Catalina, but Big Sur users are also reporting this problem.
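To make the rule above concrete, here is an added example (not code from the post or from NetworkExtension) that models that single NENetworkRule as the poster expects it to behave: it matches TCP flows whose remote address lies in 2000::/3 and, because the rule is outbound-only, never matches an inbound flow. The /3 prefix is not byte-aligned, so the matcher masks the partial byte explicitly. The struct net_rule, rule_matches and make_rule_from_post names are this example's own; it says nothing about how the system actually evaluates the rule, which is exactly what the post is asking.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

enum direction { DIR_OUTBOUND, DIR_INBOUND };

/* Hypothetical model of one NENetworkRule: remote network plus prefix
 * length and a traffic direction. Protocol is fixed to TCP here and
 * the port is the wildcard from the post, so neither is stored. */
struct net_rule {
    struct in6_addr remote;
    int prefix;              /* bits, 0..128 */
    enum direction dir;
};

/* Is addr inside net/prefix? Compares whole bytes first, then masks the
 * leftover bits, so prefixes such as /3 are handled correctly. */
int in6_prefix_match(const struct in6_addr *addr, const struct in6_addr *net, int prefix)
{
    if (prefix < 0 || prefix > 128) return 0;
    int full = prefix / 8, rem = prefix % 8;
    if (memcmp(addr->s6_addr, net->s6_addr, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    unsigned char mask = (unsigned char)(0xffu << (8 - rem));
    return (addr->s6_addr[full] & mask) == (net->s6_addr[full] & mask);
}

/* Build the rule from the post: remote 2000::/3, outbound. */
int make_rule_from_post(struct net_rule *r)
{
    memset(r, 0, sizeof *r);
    if (inet_pton(AF_INET6, "2000::", &r->remote) != 1) return -1;
    r->prefix = 3;
    r->dir = DIR_OUTBOUND;
    return 0;
}

/* Evaluate the rule against one flow given as remote address text and
 * direction. Returns 1 on match, 0 on no match, -1 if the address does
 * not parse. Direction is checked first: an outbound rule must not
 * claim an inbound flow, which is the behaviour the poster expected. */
int rule_matches(const struct net_rule *r, const char *remote_text, enum direction dir)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, remote_text, &a) != 1) return -1;
    if (dir != r->dir) return 0;
    return in6_prefix_match(&a, &r->remote, r->prefix);
}
```

Under this model, 2000::/3 covers 2000:: through 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, so an outbound flow to 2001:db8::1 matches while a flow to fe80::1 or 4000::1 does not, and an inbound flow from 2001:db8::1 is left alone regardless of address.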