Network extensions ordering of packet filter and vpn tunnel.

Hi, I'd like to write a network extension for a VPN product that also filters several types of packets before they arrive at the tunnel represented by the tunnel virtual interface (utun0).

Is there any way I can set the packet filtering to occur before the tunnel? Is it the default case?

Can I use the same network extension for both NEPacketTunnelProvider and NEFilterPacketProvider / NEFilterDataProvider ?

thanks !

Answered by Systems Engineer in 676858022

Is there any way I can set the packet filtering to occur before the tunnel? Is it the default case?

There is no API to guarantee that you will always receive the flows or packets in your content filter APIs (NEFilterPacketProvider / NEFilterDataProvider) before they reach your packet tunnel. However, one technique that you could try is to install your filter providers first and then your packet tunnel provider second. In the tests that I have done between content filter providers and the proxy providers, if the content filter providers are installed first then the traffic will flow through those providers first and into the proxy providers second.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Since you mentioned the proxy provider: I also had an idea to use NETransparentProxyNetworkSettings to create a local proxy and use Include/ExcludeMethodRules to decide what will enter my tunnel and what traffic goes to the default interface (like en0). Can this class also replace NEPacketTunnelProvider in creating and starting the tunnel (along with the tunnel protocol), or can it just be used for splitting the relevant traffic to the tunnel, which would then be implemented by the provider itself?

thanks!

Can this class also replace NEPacketTunnelProvider in creating and starting the tunnel (along with the tunnel protocol), or can it just be used for splitting the relevant traffic to the tunnel, which would then be implemented by the provider itself?

The answer here really depends on what you are looking to do with your tunnel transport. If you need fine-grained control over the packets that are being routed through your tunnel (i.e., for packet encapsulation, etc.) then it is best to use NEPacketTunnelProvider. In that case you can also use includedRoutes and excludedRoutes to determine the traffic you are claiming for your packet tunnel.

The API NETransparentProxyProvider allows your proxy provider to also use includedNetworkRules and excludedNetworkRules to determine what flows this provider is claiming, but the transport here is done differently than a packet tunnel. Specifically, this API provides you with flows to work with instead of packets. So if you are able to meet your transport-level requirements for your tunnel with an API like NWConnection, then this should work for you. If you need IP packet level control then you should use NEPacketTunnelProvider.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
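The two ways of claiming traffic that the answer above contrasts, as an added example (this is not code from the thread, from Matt Eaton, or from Apple's samples). The packet tunnel provider claims traffic by IP route (includedRoutes/excludedRoutes) and then sees raw IP packets; the transparent proxy provider claims it by flow rule (includedNetworkRules/excludedNetworkRules) and then sees TCP/UDP flows it can carry over an NWConnection. All addresses (203.0.113.10, 10.8.0.2, 10.0.0.0/8, 10.250.0.0/16), the UDP port 51820, and the class names are assumptions chosen for illustration, and the raw-UDP packet transport stands in for whatever framing and encryption the real VPN protocol would add:

```swift
import NetworkExtension
import Network

// Added example, not from the thread. Addresses, ports and rules are constructed.

/// Packet-level split tunnel: routes decide which IP packets the system hands to utun.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {
    private var transport: NWConnection?

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.10") // hypothetical server
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        // Claim only the corporate range; everything else keeps using the default interface (en0).
        ipv4.includedRoutes = [NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.0.0.0")]
        // A subnet inside that range that must never enter the tunnel.
        ipv4.excludedRoutes = [NEIPv4Route(destinationAddress: "10.250.0.0", subnetMask: "255.255.0.0")]
        settings.ipv4Settings = ipv4
        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error { completionHandler(error); return }
            // Stand-in transport: raw IPv4 packets as UDP datagrams. A real VPN protocol
            // authenticates and encrypts here; this only shows the packet path.
            let conn = NWConnection(host: "203.0.113.10", port: 51820, using: .udp)
            self.transport = conn
            conn.start(queue: .global())
            self.pumpOutbound()
            self.pumpInbound(conn)
            completionHandler(nil)
        }
    }

    /// Packets that matched includedRoutes arrive here as raw IP packets.
    private func pumpOutbound() {
        packetFlow.readPackets { packets, protocols in
            for (packet, proto) in zip(packets, protocols) where proto.int32Value == AF_INET {
                self.transport?.send(content: packet, completion: .contentProcessed { _ in })
            }
            self.pumpOutbound()
        }
    }

    /// Packets from the server are injected back into the utun interface.
    private func pumpInbound(_ conn: NWConnection) {
        conn.receiveMessage { data, _, _, error in
            if let data = data, !data.isEmpty {
                self.packetFlow.writePackets([data], withProtocols: [NSNumber(value: AF_INET)])
            }
            if error == nil { self.pumpInbound(conn) }
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        transport?.cancel()
        completionHandler()
    }
}

/// Flow-level alternative: the same policy as network rules; the provider gets flows, not packets.
final class ExampleTransparentProxyProvider: NETransparentProxyProvider {

    override func startProxy(options: [String: Any]?, completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "203.0.113.10")
        // Claim TCP flows to 10.0.0.0/8 ...
        settings.includedNetworkRules = [
            NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "10.0.0.0", port: "0"),
                          prefix: 8, protocol: .TCP)
        ]
        // ... except the management subnet, which stays on the normal path.
        settings.excludedNetworkRules = [
            NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "10.250.0.0", port: "0"),
                          prefix: 16, protocol: .any)
        ]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcp = flow as? NEAppProxyTCPFlow,
              let remote = tcp.remoteEndpoint as? NWHostEndpoint,
              let port = NWEndpoint.Port(remote.port) else {
            return false   // not claimed: the system delivers the flow on its normal path
        }
        tcp.open(withLocalEndpoint: nil) { error in
            guard error == nil else { return }
            // Carry the flow over the provider's own transport; a direct NWConnection to the
            // original destination stands in for the tunnel protocol's transport.
            let conn = NWConnection(host: NWEndpoint.Host(remote.hostname), port: port, using: .tcp)
            conn.start(queue: .global())
            self.pumpClientToServer(tcp, conn)
            self.pumpServerToClient(tcp, conn)
        }
        return true
    }

    private func pumpClientToServer(_ tcp: NEAppProxyTCPFlow, _ conn: NWConnection) {
        tcp.readData { data, error in
            guard let data = data, !data.isEmpty, error == nil else {   // empty read = client EOF
                conn.send(content: nil, contentContext: .finalMessage, isComplete: true,
                          completion: .contentProcessed { _ in })
                return
            }
            conn.send(content: data, completion: .contentProcessed { _ in self.pumpClientToServer(tcp, conn) })
        }
    }

    private func pumpServerToClient(_ tcp: NEAppProxyTCPFlow, _ conn: NWConnection) {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, isComplete, error in
            if let data = data, !data.isEmpty { tcp.write(data) { _ in } }
            if isComplete || error != nil { tcp.closeWriteWithError(nil); return }
            self.pumpServerToClient(tcp, conn)
        }
    }
}
```

Both classes would live in their own system extension targets with the matching entitlements; they are shown together only to put the two claiming mechanisms side by side. Note that the flow-level provider never sees the IP header, which is why the answer points to NEPacketTunnelProvider whenever encapsulation or per-packet decisions are required.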