Network Extension and connectivity issues

Hi, we are developing a Network Extension containing an NEFilterDataProvider and an NEFilterPacketProvider.

We are seeing, not consistently, issues with network connectivity, or severe latency, in several cases when using Network Extensions:

  1. When there is another Network Extension on the system (VPN)
  2. When the network interface is changed from a LAN adapter to Wi-Fi, or the other way around.

This possibly started on macOS 11.3.

We were wondering if this (especially the latency) is caused by us filtering some crucial system network operations or processes, that we shouldn't collect statistics on, or at least try our best to refrain from doing so.

Our goal is of course not to affect regular network connectivity, whilst still being able to deny all network connections (including existing) on a specific endpoint.

Is there such a list of processes? Are there things we absolutely should refrain from doing?

Thanks.

Replies

What are you doing in your providers? Can you provide a sample of the operations that you are performing in each of your providers?

A few things you could try here to increase network performance:

  1. Only run one provider. For example, either run NEFilterDataProvider or NEFilterPacketProvider. Is there a reason why you need to run both? Running both providers at the same time will naturally consume more system resources in any situation.

  2. Are you examining the peek bytes for each flow in your NEFilterDataProvider? If so, this also incurs more system resource usage.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Providers are meant to provide network data collection (statistics for existing connections), in addition to some firewall capabilities - network isolation for an endpoint, connection dropping etc.

Both providers are needed since DataProvider does not supply protocols other than TCP/UDP. This means if we want to achieve complete network isolation for an endpoint, or firewall capabilities for ICMP for example, we must use PacketFilter as well.

Usually there isn't any network effect to our usage - Just in the cases I have mentioned above. In both cases PacketFilter is actually configured as pass-through, without any action performed.

  • I also see with other products similar issues of compatibility with VPN products (for example: https://github.com/objective-see/LuLu/issues/355) I was wondering if some allow-listing of specific paths (/Library/SystemExtensions/) or system services might solve this issue.
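As an added illustration of the two suggestions above (one provider, no peek bytes) applied to the goals described in this reply (per-connection statistics plus dropping all traffic to one endpoint), here is a Swift sketch of an NEFilterDataProvider subclass. It is example code written for this page, not code from the thread's author or from Apple. It keeps statistics through NEFilterReport rather than by pulling flow data through the provider, and it uses NEFilterSettings so that the kernel allows or drops whole classes of traffic before they ever reach the extension. The isolated host address, the exempt mDNS rule, the exempt signing identifier and the log subsystem are placeholders; the example covers the data provider only and does not address the packet provider, VPN coexistence, or flows that were already open before the filter started.

```swift
import NetworkExtension
import os.log

// Added example, not from the original thread. Placeholder values are marked.
final class StatsFilterDataProvider: NEFilterDataProvider {

    private let log = OSLog(subsystem: "com.example.filter", category: "data") // placeholder

    // Endpoint whose traffic must be dropped. Placeholder address (TEST-NET-1).
    private let isolatedHost = "192.0.2.10"

    // Signing identifiers of processes we never inspect. Placeholder; whether
    // a given process is safe to exempt is a policy decision for the product.
    private let exemptSigningIdentifiers: Set<String> = ["com.example.trusted-agent"]

    // Bytes seen per flow, keyed by NEFilterFlow.identifier.
    private var bytesByFlow: [UUID: (inbound: Int, outbound: Int)] = [:]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Rule 1: outbound mDNS is allowed in the kernel and never reaches us.
        // Placeholder example of exempting system traffic without a provider round trip.
        let mdns = NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "224.0.0.251", port: "5353"),
                                 remotePrefix: 32, localNetwork: nil, localPrefix: 0,
                                 protocol: .UDP, direction: .outbound)
        // Rule 2: every TCP/UDP flow to the isolated host is dropped in the kernel.
        let isolated = NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: isolatedHost, port: "0"),
                                     remotePrefix: 32, localNetwork: nil, localPrefix: 0,
                                     protocol: .any, direction: .any)
        // Everything else is handed to handleNewFlow for a verdict.
        let settings = NEFilterSettings(rules: [NEFilterRule(networkRule: mdns, action: .allow),
                                                NEFilterRule(networkRule: isolated, action: .drop)],
                                        defaultAction: .filterData)
        apply(settings) { error in
            if let error = error {
                os_log("apply(settings) failed: %{public}@", log: self.log, type: .error,
                       String(describing: error))
            }
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        bytesByFlow.removeAll()
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        if let identifier = flow.sourceAppSigningIdentifier,
           exemptSigningIdentifiers.contains(identifier) {
            return .allow()
        }
        // Defence in depth: the kernel rule above should already have dropped these.
        if let socketFlow = flow as? NEFilterSocketFlow,
           let remote = socketFlow.remoteEndpoint as? NWHostEndpoint,
           remote.hostname == isolatedHost {
            return .drop()
        }
        // Allow without requesting peek bytes; ask for periodic byte counts instead.
        let verdict = NEFilterNewFlowVerdict.allow()
        verdict.statisticsReportFrequency = .medium
        return verdict
    }

    override func handle(_ report: NEFilterReport) {
        guard let flow = report.flow else { return }
        switch report.event {
        case .statistics:
            bytesByFlow[flow.identifier] = (report.bytesInboundCount, report.bytesOutboundCount)
        case .flowClosed:
            bytesByFlow.removeValue(forKey: flow.identifier)
        default:
            break
        }
    }
}
```

The design point is that neither the drop nor the statistics require `filterDataVerdict(withFilterInbound:peekInboundBytes:...)`, so no flow's bytes are copied into the extension; the only per-flow work left in the provider is the `handleNewFlow` verdict and the periodic report callback. NEFilterSettings, NEFilterReport and `statisticsReportFrequency` require macOS 10.15.4 or later.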


Update - apparently this happens only on 3rd party LAN adapters, and not ones created by Apple.

When the network interface is changed from a LAN adapter to Wi-Fi, or the other way around.

Hi Matt, have you seen anything like that before? Do you maybe know of some workaround? This started on 11.3.

We have opened 3 relevant Bugs for it:

  1. FB9127408
  2. FB9127413
  • Three bugs, or two? 'cause you only posted two bug numbers )-:

  • 2, of course😃


Update - apparently this happens only on 3rd party LAN adapters

In both cases PacketFilter is actually configured as pass-through, without any action performed.

have you seen anything like that before? Maybe do you know of some workaround? This started on 11.3.

We have opened 3 relevant Bugs for it: FB9127408 FB9127413

Thank you for opening these bugs. I have not been able to reproduce this, as I do not use any 3rd party LAN adapters in my testing. If you have the make of these adapters, it would be helpful to add that information to these bug reports for further insight.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com