Does stopping a NEFilterPacketProvider require restarting the Mac if we need to start it again?

I'm observing something that is a bit worrying when it comes to system extensions.

I have a simple system extension that contains 2 providers:
  • a NEFilterDataProvider

  • a NEFilterPacketProvider

It's basically the Simple Firewall sample code with the additional NEFilterPacketProvider provider.

Problem:

When I start the system extension from a clean state, everything works as fine as it can.

When I stop the system extension, it does stop as fine as it can.

When I try to start the system extension again, the network extension is reported not to be running in the System Preferences > Network pref pane.

If I restart the Mac, the network extension is reported to be running in the System Preferences > Network pref pane.

Question:

Is this the expected behavior?

No restart was required when there was only a NEFilterDataProvider in the system extension.

Environment:

macOS 10.15.4 / Xcode 11.4.1

Side note:

Is the system extensions UX improved in Big Sur when it comes to installation, activation, etc.?

When something goes sideways in Catalina, it's more difficult to figure out the origin of the issue when using system extensions than it used to be with kernel extensions. Part of this is due to the different sources of information not being synchronised or consistent/coherent, e.g. what systemextensionsctl says may not match what the System Preferences > Network panel says.

Interesting. If you're using a derivative of the SimpleFirewall project with these two providers, then the first approach to debugging this is to do a filter in the Console app to see what is happening in the SimpleFirewallExtension target. This should provide at least a bit of insight into where the breakdown is taking place. Possibly something is munged up with the TCC database and you need to delete and re-install. Possibly there is an issue with your NEProviderClasses, but this is the first place to look. If you still come up blank there, add logging to your host and extension to filter specifically on what is happening. This should be able to tell you exactly where the breakdown is taking place with enough logs.

One way to add logs is to setup a subsystem filter like so:
```swift
import NetworkExtension
import os.log

class FilterDataProvider: NEFilterDataProvider {
    // One subsystem for the whole extension, so a single predicate catches every provider
    static let log = OSLog(subsystem: "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension", category: "DataProvider")

    private let log: OSLog

    override init() {
        self.log = Self.log
        os_log(.debug, log: self.log, "init")
        super.init()
    }

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log(.debug, log: self.log, "startFilter")
        completionHandler(nil)
    }
}
```


Then use log stream in the Terminal to filter on this subsystem:
```text
log stream --level debug --predicate 'subsystem == "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension"'
```


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
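The same instrumentation applied to the NEFilterPacketProvider, as an added example that is not from the thread or the SimpleFirewall sample, so the stop reason and the second start attempt show up under the same subsystem filter; the class name and subsystem string are assumptions.

```swift
import Foundation
import NetworkExtension
import Network
import os.log

/// Added example: instrumented packet provider so the start/stop cycle from the
/// question is visible in `log stream`. Class name and subsystem string are
/// assumptions, not the sample project's own.
class PacketProvider: NEFilterPacketProvider {
    private static let log = OSLog(
        subsystem: "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension",
        category: "PacketProvider")

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log(.debug, log: Self.log, "startFilter")
        // Verdict-only handler: log direction and size, let everything through.
        packetHandler = { _, _, direction, _, length in
            let dir = direction == .inbound ? "in" : "out"
            os_log(.debug, log: Self.log, "packet %{public}@ %ld bytes", dir, length)
            return .allow
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // The stop reason is the first thing to check when a later start fails.
        os_log(.debug, log: Self.log, "stopFilter reason=%ld", reason.rawValue)
        packetHandler = nil
        completionHandler()
    }
}
```

With both providers logging under one subsystem, the single `log stream` predicate above shows whether the second start ever reaches `startFilter` or stalls before the provider is instantiated.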