problem with long-running content-filter network system extension

So, no one has replied to my plaintive cry for help yet, so I'll add a few thoughts here, for the sake of anyone else who might be struggling with similar stuff, or if someone would still be so kind as to offer any thoughts, I would greatly appreciate it.

I forgot to mention in my first writeup that in in my NEFilterDataProvider class I asked to intercept ALL traffic, not just .TCP or .UDP, I set it to .any. I mention this, because after a lot of poking through system logs, it seems that the problem had to do with DNS requests not resolving.

DNS seems like a tricky thing if you want to filter all traffic. I don't honestly care about stopping DNS requests, but I do care about some other UDP traffic, so in my provider I tried to allow all DNS traffic through by testing if the request was a UDP request to port 53 -- I let all of those pass through unblocked.

And again, the problem only manifests after waking from sleep after running well for a number of hours, so DNS things do work for a while at least. But it makes me wonder if there is something having to do with DNS cache, or some other issue I can't quite put my finger on...

I also did some more research to see if the Content Filter system extension seemed fully stable for Catalina, trying to answer my question about whether there were known problems with the framework, or if people were successfully deploying production apps with this filter. I found an article detailing that Apple had put in a set of exclusions into Catalina -- apps that were not subject to filtering. I found that interesting because I had noticed some odd that seemed like my filter never got a chance to see them. I definitely believe the responses from Apple quoted in the article saying that it wasn't some ill-intended plot to circumvent the filter secretly, but rather that there were problems getting the feature ready in time for Catalina, and so the exclusion list was a temporary workaround. But I mention it because this seems to provide fairly strong evidence that (in Catalina at least, which is the only OS version I've tested against so far), the content filter system extension might not be 100% stable or reliable. I can't post the link to the article here, but just google "apple content filter exclusion security researcher big sur catalina" and you'll find it.

I'd still be interested in any (even off-the-cuff) ideas about what to troubleshoot, or whether any of my thoughts outlined above prompt any ideas. I'm considering doing some testing on a recent version of Big Sur to see if things work better.

I'd still definitely be interested if anyone could talk about how many production apps are using this framework, especially in Catalina. Or if anyone could shed light on or had any experience with filtering ALL requests, including (necessarily) DNS requests.

I'd be happy to communicate directly with anyone working on a similar app, if anyone wants to form an informal support-group/griefshare you can reach me at jared [at] netrivet [dot] com. The app I'm working on is still experimental and for various reasons I don't feel much commercial pressure at all about it, so I'm happy to share lessons learned, and would definitely appreciate some feedback or insight from anyone else working on something similar.

So, no one has replied to my plaintive cry for help yet

Keep in mind that DevForums is an informal support channel. Matt and I do what we can to answer all the networking questions that show up here, but we have a lot of other commitments and there are limits to how much time we can spend on that.

If you need formal support, open a DTS tech support incident.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

what would be your first guess as far as what to troubleshoot/test given the description above?
what would be your gut feeling of what I should do first, to investigate this and hopefully get to the bottom?

The long running tests that you have been conducting are the right way to go about debugging something like this. Some things I would recommend:

1. Try running these tests with isolated and combined network interfaces to see if it makes a difference. For example, try running with only Wi-Fi active, only ethernet active, and with the both combine to see if it makes a difference.

2. Try installing these debug profiles on your macOS machine(s) (VPN - Network Extension, Network Diagnostics, Net-Diagnose, and Wi-Fi.), then reproduce the issue and trigger a sysdiagnose. Take a look at the logarchive file at the time you reproduced the issue. There should be some sort of hint or clue on failures that took place when you reproduced your issue.

3. Regarding your mention of, " removing the filter extension from the network system prefs panel and re-installing/activating it from the containing app always seems to restore correct behavior." I worked on a very similar case to which you are describing, and one of the ways to workaround that was concluded was to deactivate the NEFilterPacketProvider on sleep in the container app and keep the NEFilterDataProvider activated still. If this fits your architecture then this could be something you could try as well.

could it be a memory issue? if so, can someone point me in the right direction of how to determine this and address it?

I am operating under the assumption that this is macOS, and if I am correct, then no, I do not think this is a memory issue.

has anyone had a similar problem with long-running sysex processes like this? Is it possible there's a known issue, or some undocumented footgun I'm running into having to do with the system extension API, and not so much my own code?

I would get a bug report down for this with the sysdiagnose that I mentioned in (2) above. That way this issue can be evaluated in closer detail. There was a bug that caused issues specifically for NEFilterPacketProvider in Catalina while connected to Wi-Fi going through sleep/wake cycles (r. 59247350), but I believe this is now resolved in Big Sur. Also, this did cause a panic and not a failure so this may not be the same bug here.

what happens with the content-filter sysex when the machine is asleep? Is it possible that requests queue up in some way that overwhelms the system after waking a long time later?
or is there something else about the sleep/wake cycle that would point to the likely cause of the issue?

Since I am assuming that you are working with Network System Extensions the system keep the extension alive during these transitions. One thing I would recommend is if your application needs to prepare for any state transitions during this time, as there is extremely limited functionality available on the system, I would recommend that you do it in the sleep / wake methods of your provider.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@meaton That all sounds really helpful, exactly the kind of hints I was hoping for. Truly appreciate it. I'll try some of these things and report back any findings that could be useful to others. 👍

@eskimo -- yup, totally understand that, which is why I was trying to partially answer my question for future googlers. thanks for taking a look.