initWithRemoteNetwork in Transparent Proxy block the icmp request

Hi

I set NETransparentProxyProvider include wild card filter rule using initWithRemoteNetwork like below on macOS Big Sur:
Code Block 
NENetworkRule *includeRule = [[NENetworkRule alloc]
                              initWithRemoteNetwork: nil
                                       remotePrefix: 0
                                       localNetwork: nil
                                       localPrefix: 0
                                       protocol:NENetworkRuleProtocolAny                                        direction:NETrafficDirectionOutbound];

My transparent proxy works fine and receives all the traffic but ping to any host starts failing as long as NE proxy is up. But DNS resolution happens successfully too.

Ping response:


ping cnn.com
PING cnn.com (151.101.193.67): 56 data bytes
ping: sendto: Protocol wrong type for socket
ping: sendto: Protocol wrong type for socket
Request timeout for icmpseq 0
ping: sendto: Protocol wrong type for socket
Request timeout for icmpseq 1

Please recommend, whether it is known behavior or I should improve my code.

Thanks


Up vote post of anandfrombangalore Down vote post of anandfrombangalore
738 views
Posted by
anandfrombangalore
Reply
Add a Comment

Replies

I just tested a TCP flow copier version of NETransparentProxyProvider in Big Sur for this and was able to reproduce what you are seeing with ping using NENetworkRuleProtocolAny.

A few notes about this test bed project; The provider returns false for all UDP flows and lets the system handle them. All TCP Safari based flows the the provider will perform the flow copying. All other TCP flows the provider returns false and lets the system handle them.

Now, when using NENetworkRuleProtocolAny as mentioned, I can reproduce this. When using NENetworkRuleProtocolTCP alone, ping does work. When using NENetworkRuleProtocolUDP
alone, ping does work. When using NENetworkRuleProtocolTCP and NENetworkRuleProtocolUDP together, ping does work as well. So essentially:

Code Block objective-c
NENetworkRule *includeTCP = [[NENetworkRule alloc]
                              initWithRemoteNetwork: nil
                                       remotePrefix: 0
                                       localNetwork: nil
                                       localPrefix: 0
                                       protocol:NENetworkRuleProtocolTCP 
                                       direction:NETrafficDirectionOutbound];
NENetworkRule *includeUDP = [[NENetworkRule alloc]
                              initWithRemoteNetwork: nil
                                       remotePrefix: 0
                                       localNetwork: nil
                                       localPrefix: 0
                                       protocol:NENetworkRuleProtocolUDP 
                                       direction:NETrafficDirectionOutbound];


Try this and see if this works out for you. As to what is happening directly with NENetworkRuleProtocolAny, I think that needs to be covered in a bug report. Please respond back with the Feedback ID.



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment
Thanks Matt!

Your recommendation solved the issue. But I observed unexpected system restart too few times after setting the filter but could not get any system crash report. feedback id is 8912278.

Regards,
Posted by
anandfrombangalore
Up vote reply of anandfrombangalore Down vote reply of anandfrombangalore
Add a Comment