Alternatives to deprecated NKE APIs

Hi,

We have an NKE in our product. This NKE uses deprecated KPIs such as sflt_register, sflt_deregister, sock_connect, etc. To our surprise, it got loaded on macOS Big Sur 11 Beta 4 with the user's authorisation from System Preferences (we saw a "system extension(s) updated" warning message when it loaded). But on Beta 5, the same NKE is not getting loaded (we saw a "System Extension Blocked" warning). Is there any procedure that we can automate to load an NKE in Big Sur 11.0?

Let me explain a bit about what our NKE does.

This NKE is used to filter the outbound network traffic on ports, say 123 and 234, using a socket filter. We have a client process which listens locally on ports, say 345 and 456. We use KEXT control KPIs for bi-directional communication between the client process and the NKE. Using the NKE, this outbound network traffic is diverted to the local client process using the sock_connect KPI as below:

     Socket (<outbound IP>:123) => Socket( 127.0.0.1:345 )
     Socket (<outbound IP>:234) => Socket (127.0.0.1:456 )

Since sock_filter and sock_connect and some other NKE-related KPIs are deprecated, what are the exact alternative KPIs in NetworkExtension.framework?
How can we achieve the above functionality using the NetworkExtension.framework?

Appreciate your help in this regard!!

what are the exact alternative KPIs in NetworkExtension.framework?

There are a few APIs to consider for Network Extensions depending on what the need is for the filtering process. If the need is to perform content filtering on the system, then using the NEFilterDataProvider API to enable socket filtering and connection-based approval / denial should get you started. There is a Swift-based example of how to get started with this here.

If the goal is to capture the connection and proxy it somewhere local or remote, then you should look at the NETransparentProxyManager APIs. The major difference between these two approaches is that NEFilterDataProvider is strictly to content filter a non-altered connection while NETransparentProxyManager allows you to handle both sides of the connection (remote and local).


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
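To make the first of the two options concrete, here is an added example (not code from this thread, Apple's sample, or the poster's product) of an NEFilterDataProvider that only issues verdicts: it asks the system to filter outbound TCP and drops new flows to the two ports named in the question. The class name and the port list are assumptions for illustration; note that a data provider can allow, drop or inspect a flow but never rewrites where it connects, which is the distinction drawn above.

```swift
import Foundation
import NetworkExtension

// Added example, not from the thread: a verdict-only content filter.
// Class name and port list are assumptions; ports 123/234 come from the question.
class PortBlockingFilter: NEFilterDataProvider {

    // Remote TCP ports whose new outbound flows are dropped (from the original post).
    let blockedPorts: Set<String> = ["123", "234"]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Match every outbound TCP flow: "0.0.0.0" with prefix 0 is "any remote IPv4 host",
        // port "0" is "any port". The provider then decides per flow in handleNewFlow.
        let anyOutboundTCP = NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"),
                                           remotePrefix: 0,
                                           localNetwork: nil,
                                           localPrefix: 0,
                                           protocol: .TCP,
                                           direction: .outbound)
        let rule = NEFilterRule(networkRule: anyOutboundTCP, action: .filterData)
        // Anything not matched by a rule is allowed without consulting the provider.
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings) { error in
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Called once per new flow that matched a rule. The verdict is the only lever
    // this API offers: allow, drop, or keep inspecting bytes. No redirection.
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            return .allow()
        }
        if blockedPorts.contains(remote.port) {
            return .drop()
        }
        return .allow()
    }
}
```

The filter needs to be paired with an NEFilterManager configuration in the containing app and the system extension entitlements; those parts are unchanged from Apple's published filter sample and are not repeated here.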
Thanks a lot Matt!!

I modified the SimpleFirewall program into a simple transparent proxy using NETransparentProxyManager and NEAppProxyProvider. The transparent proxy catches the outbound network traffic as per the defined NENetworkRule. handleNewFlow is also called.
In handleNewFlow, I opened a connection to the remote server using NWTCPConnection and once the connection status is connected => I called openWithLocalEndpoint.

For data transfer, I am using tcpflow.read() and conn.write() methods for reading from caught TCP flow and writing on connection to remote server.

It is reading the data properly (I am printing the whole message in logs), but I am getting the following error in console logs while writing on remote connection and nothing is received on remote server.
"Error Domain=kNWErrorDomainPOSIX Code=89 "Operation canceled" UserInfo={NSDescription=Operation canceled}"

Can you please help me resolve this issue?


No problem. It sounds like you are off to a good start.

When you see kNWErrorDomainPOSIX, are you also seeing a connection reset from the remote side? If so, are you using a custom framer here on your TCP connection?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
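For the proxying side of the thread, here is an added example (not the poster's code, not Apple's SimpleFirewall sample) of a NETransparentProxyProvider that implements the diversion drawn in the original post: outbound TCP to port 123 goes to 127.0.0.1:345 and port 234 to 127.0.0.1:456. It uses Network.framework's NWConnection for the local leg instead of the NWTCPConnection the poster used, so that the flow is only opened and written once the connection reports `.ready`; writing before that point is one way to end up with the POSIX "Operation canceled" result described above. The class name, the port map and the 64 KiB read size are assumptions.

```swift
import Foundation
import Network
import NetworkExtension

// Added example, not from the thread: divert outbound TCP flows on selected
// ports to a local client listener, mirroring the NKE design in the question.
// Class name and port map are assumptions; the ports come from the original post.
class DivertingProxyProvider: NETransparentProxyProvider {

    // Remote TCP port -> local client port (from the poster's diagram).
    let portMap: [String: UInt16] = ["123": 345, "234": 456]

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // One rule per diverted port; "0.0.0.0" with prefix 0 matches any remote IPv4 host.
        settings.includedNetworkRules = portMap.keys.map { port in
            NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: port),
                          remotePrefix: 0, localNetwork: nil, localPrefix: 0,
                          protocol: .TCP, direction: .outbound)
        }
        setTunnelNetworkSettings(settings) { error in completionHandler(error) }
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow,
              let remote = tcpFlow.remoteEndpoint as? NWHostEndpoint,
              let localPort = portMap[remote.port],
              let port = NWEndpoint.Port(rawValue: localPort) else {
            return false // not ours: let the system carry the flow unchanged
        }

        let conn = NWConnection(host: "127.0.0.1", port: port, using: .tcp)
        conn.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                // Open the flow only after the local leg is connected, then pump both ways.
                tcpFlow.open(withLocalEndpoint: nil) { openError in
                    if openError != nil { conn.cancel(); return }
                    self?.pump(flow: tcpFlow, to: conn)
                    self?.pump(connection: conn, to: tcpFlow)
                }
            case .failed(_), .cancelled:
                tcpFlow.closeReadWithError(nil)
                tcpFlow.closeWriteWithError(nil)
            default:
                break
            }
        }
        conn.start(queue: .global())
        return true
    }

    // App -> local client: read from the caught flow, send on the connection, repeat.
    private func pump(flow: NEAppProxyTCPFlow, to conn: NWConnection) {
        flow.readData { [weak self] data, error in
            guard error == nil, let data = data, !data.isEmpty else {
                // EOF or error from the app side: finish the write direction to the client.
                conn.send(content: nil, contentContext: .finalMessage, isComplete: true, completion: .idempotent)
                return
            }
            conn.send(content: data, completion: .contentProcessed { sendError in
                if sendError != nil { flow.closeReadWithError(sendError); return }
                self?.pump(flow: flow, to: conn)
            })
        }
    }

    // Local client -> app: receive on the connection, write into the flow, repeat.
    private func pump(connection conn: NWConnection, to flow: NEAppProxyTCPFlow) {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 65536) { [weak self] data, _, isComplete, error in
            if let data = data, !data.isEmpty {
                flow.write(data) { writeError in
                    if writeError != nil { conn.cancel(); return }
                    if isComplete { flow.closeWriteWithError(nil) } else { self?.pump(connection: conn, to: flow) }
                }
            } else if isComplete || error != nil {
                flow.closeWriteWithError(error)
                if error != nil { conn.cancel() }
            } else {
                self?.pump(connection: conn, to: flow)
            }
        }
    }
}
```

Each direction is driven by its own read-then-write chain, and an error or EOF on one side closes only the matching half of the other side, so a half-closed connection is relayed faithfully rather than torn down early.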