System Extensions packet handling order

Question

Created Sep ’20

Replies 3

Boosts 0

Participants 2

Hello All,

I am starting to investigate into this new SystemExtension/NetworkExtension and I am not able to determine if my use case ends up having multiple extensions then is there a way for me to specify the order between them?
More specifically, in my use case I might resort to both VPN and Transparent proxy extensions, but i expect pkt to first hit VPN and then the proxy.

Thank you in advance.
Apologies if I am overlooking something basic here.

Boost

Answer 1

Systems Engineer OP

Apple

Sep ’20

is there a way for me to specify the order between them?

Not exactly. The way the traffic flows are based is handled by which network extension claims the traffic first, so the way I've found to do this is to start a network extension in a specific order to make sure if one extension needs a flow it can lay claim to it first.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

vtewari OP

Jan ’21

Hello Matt,
If I go with your suggestion, then in second extension how would I know if the packet traversed the first extension?
I see flow has a meta data that can be used to identify the application that originated the packet to avoid loops, however i didn't find anything that can tell extensions along the way the pkt has been through?

0

Answer 3

Systems Engineer OP

Apple

Jan ’21

If I go with your suggestion, then in second extension how would I know if the packet traversed the first extension?

If you went with a Transparent proxy and then a VPN, you could attempt to tag the frame on the remote side of the connection in the proxy. Just be sure this does not cause packet parsing issues when the connection does not pass through the VPN.

However, what is the goal for running two extensions side by side? Maybe there is something else I can suggest here.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0