Stopping TransparentProxy Network Extension

Hello, we need a system extension which will provide both AppProxy and DnsProxy functionality on demand for daemons started by launchd.


We have written a fake application that has application structure for signing purposes but behaves as a command line tool with commands: load sext, unload sext, enable/disable App proxy, enable/disable DNS proxy. It looks like it works. We have verified that even when the sext process is killed, in case DNS proxy is enabled, after sext gets restarted, the dns proxy functionality is restarted. Also enabling and disabling DNS Proxy via NEDNSProxyManager.shared().isEnabled correctly triggers NEDNSProxyProvider’s startProxy/stopProxy methods.


But App Proxy does not behave well. It seems that change of NETransparentProxyManager’s isEnabled to false does not stop running AppProxyProviders (stopProxy method is never called). Even worse, next enabling of NETransparentProxyManager followed by connection.startVPNTunnel() creates another instance of AppProxyProvider (even when it does not intercept any traffic at the moment of disabling it). Calling stopVpnTunnel() fails, probably since we use the command app as a command, so it exits after starting the tunnel and as such does not have the context to stop it in next execution.


What is the correct way how to stop a running Transparent Proxy sext? Or how should the case of sext having multiple running AppProxyProvider instances be handled?

Stopping TransparentProxy Network Extension
 
 
Q