Filtering localhost (loopback) connection with NETransparentProxyProvider

Hi! I've been developing a transparent proxy network extension and up until macOS 11.3 my extension could proxy loopback connections (i.e. connections to 127.0.0.1 or ::1). In 11.3 this stopped working (handleNewFlow is not called for such connections at all). I've filed FB9093112 about it but there's been no activity for a couple of weeks. A workaround suggestion would be much appreciated.
Are you able to work around this if you explicitly set a NENetworkRule for IPv4 ("127.0.0.1") and for IPv6 ("::1")?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Yep, tried adding rules for either/both 127.0.0.1/32 and ::1/128, with specific ports and zero port: no luck.
I'm seeing something like this in the Console:
```
[Extension com.i.love.apple.APIs.NEService]: provider set tunnel configuration to
tunnelRemoteAddress = <9-char-str>
includedNetworkRules = (
{
matchRemoteEndpoint = ::1.0
matchRemotePrefix = 128
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = ::1.443
matchRemotePrefix = 128
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 127.0.0.1:0
matchRemotePrefix = 32
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 127.0.0.1:443
matchRemotePrefix = 32
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
)
...
```

I think it might have something to do with appliesToLoopback = NO, though I'm not quite sure...
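For readers following the thread, here is an added Swift sketch (not the original poster's extension) of the configuration the DTS reply suggests and the log above reflects: explicit NENetworkRule entries for 127.0.0.1/32 and ::1/128 on port 0 (any port) and 443, plus a handleNewFlow that logs each delivered flow so the absence of loopback callbacks is visible in Console. The subsystem name, the outbound/TCP choice and the placeholder tunnelRemoteAddress are assumptions.

```swift
import NetworkExtension
import os.log

// Diagnostic transparent proxy: declares loopback rules for both address families
// and records which flows the system actually hands to the provider.
final class LoopbackDiagnosticProxyProvider: NETransparentProxyProvider {

    // Assumed subsystem name for this illustration.
    private let log = OSLog(subsystem: "com.example.loopback-proxy", category: "flows")

    // One rule per host/port pair. Port "0" matches any port on that host.
    private func loopbackRule(host: String, prefix: Int, port: String,
                              protocol proto: NENetworkRule.Protocol) -> NENetworkRule {
        let endpoint = NWHostEndpoint(hostname: host, port: port)
        return NENetworkRule(remoteNetwork: endpoint, remotePrefix: prefix,
                             localNetwork: nil, localPrefix: 0,
                             protocol: proto, direction: .outbound)
    }

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // tunnelRemoteAddress is a placeholder value; it is not a real remote.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        settings.includedNetworkRules = [
            loopbackRule(host: "::1",       prefix: 128, port: "0",   protocol: .TCP),
            loopbackRule(host: "::1",       prefix: 128, port: "443", protocol: .TCP),
            loopbackRule(host: "127.0.0.1", prefix: 32,  port: "0",   protocol: .TCP),
            loopbackRule(host: "127.0.0.1", prefix: 32,  port: "443", protocol: .TCP),
        ]
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                os_log("settings rejected: %{public}@", log: self.log, type: .error, "\(error)")
            }
            completionHandler(error)
        }
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Log every flow that arrives. If loopback flows never show up here while
        // other flows do, the rules were accepted but loopback is not being delivered.
        let remote = (flow as? NEAppProxyTCPFlow)?.remoteEndpoint as? NWHostEndpoint
        let host = remote?.hostname ?? "?"
        let isLoopback = host == "127.0.0.1" || host == "::1"
        os_log("flow to %{public}@ loopback=%{public}@", log: log, type: .info,
               host, isLoopback ? "yes" : "no")
        return false // Do not claim the flow; let the system handle it normally.
    }
}
```

Filter Console on the chosen subsystem while connecting to 127.0.0.1:443 and ::1:443 to see whether any loopback flow is reported at all.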

Yep, tried adding rules for either/both 127.0.0.1/32 and ::1/128, with specific ports and zero port: no luck.

Thank you for testing this out. Make sure to add that information to your bug report.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com