Content Filter and App proxy provider compatibility issue

We have two different products. Both have implemented network system extensions.

One product implemented a content filter provider with both socket- and packet-level filtering and with a rule to filter all data. That means every network connection goes through this provider.

The second product implemented an App Proxy provider which proxies non-SSL POP3 mail traffic and diverts that connection to a local process for further processing; the local process then makes a connection outside and sends the data on to that destination after the required processing.

We are currently seeing an issue when both providers are running: the connections made by the App Proxy provider are being broken in the presence of the Content Filter provider.

When the content filter provider is deleted from Network preferences, we see our App Proxy provider working as expected.

Environment: macOS Big Sur 11.2

Can you help me recognise what is going wrong here?


First, if you are running on macOS Big Sur 11.2, do you have the flexibility to test out NETransparentProxyProvider? One successful test that I have run here is between HTTP and HTTPS traffic using NETransparentProxyProvider and NEFilterDataProvider. First using this TCP rule on the content filter side:

```swift
let tcpRule = NENetworkRule(
    remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"),
    remotePrefix: 0,
    localNetwork: nil,
    localPrefix: 0,
    protocol: .TCP,
    direction: .any
)
```

and then starting the NETransparentProxyProvider using these rules:

```swift
settings.includedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "80"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound),
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound),
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "80"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .UDP,
                  direction: .outbound),
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .UDP,
                  direction: .outbound)
]
```


And traffic did flow between both providers. Note that this test did not include an NEFilterPacketProvider or mail traffic filtering, just HTTP and HTTPS traffic filtering, but it could be a good place to start researching your issue.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
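
The two rule fragments above only show how the rules are built, not where each one is installed. The following is an added example, not code from this thread or from Apple: it sketches both sides of the reproduction as complete extension classes, with the catch-all TCP rule applied through `NEFilterSettings` in an `NEFilterDataProvider`, and the port 80/443 rules applied through `NETransparentProxyNetworkSettings` in an `NETransparentProxyProvider` that relays each claimed flow to its original destination. The class names, the `127.0.0.1` tunnel address, the log lines and the relay helper are all assumptions for illustration; the UDP rules from the answer are omitted for brevity.

```swift
import NetworkExtension
import Network

// Hypothetical content filter extension (added example, not the thread's code).
// It installs the answer's catch-all TCP rule and allows every flow, so any
// breakage seen alongside the proxy cannot be caused by a drop verdict here.
class AllTCPFilterProvider: NEFilterDataProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Any remote host, any port, TCP, either direction (same rule as the answer).
        let tcpRule = NENetworkRule(
            remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"),
            remotePrefix: 0, localNetwork: nil, localPrefix: 0,
            protocol: .TCP, direction: .any
        )
        // .filterData routes every matching flow through handleNewFlow below.
        let rule = NEFilterRule(networkRule: tcpRule, action: .filterData)
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings, completionHandler: completionHandler)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Diagnostic only: record which remote endpoint the filter observed.
        if let socketFlow = flow as? NEFilterSocketFlow,
           let remote = socketFlow.remoteEndpoint as? NWHostEndpoint {
            NSLog("filter observed TCP flow to %@:%@", remote.hostname, remote.port)
        }
        return .allow()
    }
}

// Hypothetical transparent proxy extension (added example, not the thread's code).
// It claims outbound TCP to ports 80 and 443 and relays each flow to the
// destination the app originally asked for.
class HTTPTransparentProxy: NETransparentProxyProvider {

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // The tunnel address is a placeholder; it is not used for routing here.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        settings.includedNetworkRules = ["80", "443"].map { port in
            NENetworkRule(
                remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: port),
                remotePrefix: 0, localNetwork: nil, localPrefix: 0,
                protocol: .TCP, direction: .outbound
            )
        }
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow,
              let remote = tcpFlow.remoteEndpoint as? NWHostEndpoint,
              let port = Network.NWEndpoint.Port(remote.port) else {
            return false   // not a TCP flow we understand; let the system handle it
        }
        NSLog("proxy claimed TCP flow to %@:%@", remote.hostname, remote.port)

        // Open a real connection to the original destination (hypothetical relay).
        let host = Network.NWEndpoint.Host(remote.hostname)
        let upstream = NWConnection(host: host, port: port, using: .tcp)
        upstream.stateUpdateHandler = { state in
            switch state {
            case .ready:
                tcpFlow.open(withLocalEndpoint: nil) { error in
                    if error == nil { relay(tcpFlow, upstream) }
                }
            case .failed, .cancelled:
                tcpFlow.closeReadWithError(nil)
                tcpFlow.closeWriteWithError(nil)
            default:
                break
            }
        }
        upstream.start(queue: .global())
        return true
    }
}

// Copy bytes in both directions until either side closes.
private func relay(_ flow: NEAppProxyTCPFlow, _ upstream: NWConnection) {
    flow.readData { data, error in
        guard let data = data, error == nil, !data.isEmpty else {
            upstream.cancel(); return
        }
        upstream.send(content: data, completion: .contentProcessed { _ in relay(flow, upstream) })
    }
    upstream.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, isComplete, _ in
        if let data = data { flow.write(data) { _ in } }
        if isComplete { flow.closeWriteWithError(nil) }
    }
}
```

Running both extensions together reproduces the layering the answer tested: the filter sees every TCP flow, including the ones the proxy re-originates, and the proxy sees only the outbound 80/443 flows. If a flow stalls, comparing the two log lines for the same destination shows which provider last saw it.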

Thanks Matt for your immediate response.

We use NEAppProxyProvider as we still use Xcode 11.x. Per your suggestion, we will try using NETransparentProxyProvider and check the behaviour.
