Unexpected behaviour adding an exclude rule on NETransparentProxyNetworkSettings

Hi. I'm implementing an AppProxyProvider that has to handle all TCP flows. This is the rule (based on https://developer.apple.com/forums/thread/667431):

// nil networks with prefix 0 = wildcard: match every outbound TCP flow
NENetworkRule *filterRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                                          remotePrefix:0
                                                          localNetwork:nil
                                                           localPrefix:0
                                                              protocol:NENetworkRuleProtocolTCP
                                                             direction:NETrafficDirectionOutbound];

// proxySettings is the NETransparentProxyNetworkSettings object being configured
proxySettings.includedNetworkRules = @[filterRule];

This is shown in the console log:

[Extension *****]: provider set tunnel configuration to tunnelRemoteAddress = <14-char-str> includedNetworkRules = ( { matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) isFullyTransparent = YES

This is working OK. But when I add an exclude rule (in order to sort out the issue mentioned in https://developer.apple.com/forums/thread/660195) the behaviour of the AppProxyProvider is strange: there are no incoming flows at all. This is the rule:

// port "0" = any port on that host
NWHostEndpoint *tunnelHostIpRuleEndpoint = [NWHostEndpoint endpointWithHostname:@"xx.xx.xx.xx" port:@"0"];

// prefix = number of leading address bits that must match the endpoint's address
NENetworkRule *tunnelHostIpRule = [[NENetworkRule alloc] initWithDestinationNetwork:tunnelHostIpRuleEndpoint
                                                                             prefix:0
                                                                           protocol:NENetworkRuleProtocolTCP];

proxySettings.excludedNetworkRules = @[tunnelHostIpRule];

And this is shown in the console log:

[Extension ******]: provider set tunnel configuration to tunnelRemoteAddress = <14-char-str> includedNetworkRules = ( { matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) excludedNetworkRules = ( { matchRemoteEndpoint = xx.xx.xx.xx:0 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) isFullyTransparent = YES

My expectation is that all flows will be handled by the AppProxyProvider except the flows that match the IP set in the exclude rule, on any port.

Can you please advise if this is a bug or expected behaviour and recommend some option to accomplish my goal? Thanks.

Not sure exactly what is happening; I'd have to run a test to find out more. What happens if you add a rule for all public address ranges except for the one(s) you are looking to exclude? This is another common technique to exclude addresses.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
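The technique suggested above (claim all public address space with include rules and simply leave the excluded host out, so no excludedNetworkRules entry is needed) comes down to computing the set of CIDR prefixes that cover the public IPv4 space minus the hosts you want to bypass. The following Python is an added example, not code from this thread or from Apple; it generates that prefix list with the standard library's ipaddress module and reports each entry as the (address, prefix length) pair that initWithDestinationNetwork:prefix:protocol: takes. The tunnel host 203.0.113.10 is a constructed placeholder for the thread's xx.xx.xx.xx, and the list of non-public ranges is trimmed to the common private, loopback, link-local, multicast and reserved blocks.

```python
import ipaddress

# Constructed placeholder for the thread's "xx.xx.xx.xx": the proxy's own tunnel
# server, whose traffic must not be routed back into the proxy (taken from the
# TEST-NET-3 documentation block, not a real server).
TUNNEL_HOST = "203.0.113.10"

# Address space a transparent proxy normally should not claim at all.
# Trimmed to the common private/local/multicast/reserved blocks; extend to
# suit the deployment. Entries must not overlap each other.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _carve(networks, hole):
    """Remove `hole` from every network in `networks`, splitting as needed.

    Two CIDR blocks either nest or are disjoint, so three cases cover it.
    """
    out = []
    for net in networks:
        if hole.subnet_of(net):
            # Split net into the blocks around the hole (empty if hole == net).
            out.extend(net.address_exclude(hole))
        elif net.subnet_of(hole):
            continue  # net lies entirely inside the hole: drop it
        else:
            out.append(net)
    return out


def include_prefixes(excluded_hosts, non_public=NON_PUBLIC_V4):
    """Return a minimal, disjoint, sorted list of IPv4 networks that together
    cover all public address space except `excluded_hosts`.

    Each returned network becomes one include rule; anything outside the list
    (the excluded hosts and the non-public ranges) is never claimed.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    holes = list(non_public) + [ipaddress.ip_network(f"{h}/32") for h in excluded_hosts]
    for hole in holes:
        remaining = _carve(remaining, hole)
    # Merge adjacent blocks back together so the rule list stays short.
    return sorted(ipaddress.collapse_addresses(remaining))


def is_proxied(prefixes, address):
    """True if a destination address falls under one of the include rules."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in prefixes)


def rule_specs(prefixes):
    """(address, prefix length) pairs, one per include rule, in the shape that
    NENetworkRule's initWithDestinationNetwork:prefix:protocol: expects."""
    return [(str(net.network_address), net.prefixlen) for net in prefixes]


if __name__ == "__main__":
    prefixes = include_prefixes([TUNNEL_HOST])
    for address, length in rule_specs(prefixes):
        print(f"{address}/{length}")
    print(f"{len(prefixes)} include rules; tunnel host proxied: "
          f"{is_proxied(prefixes, TUNNEL_HOST)}")
```

On the Objective-C side each pair maps to one rule, for example `[[NENetworkRule alloc] initWithDestinationNetwork:[NWHostEndpoint endpointWithHostname:address port:@"0"] prefix:length protocol:NENetworkRuleProtocolTCP]`, and the resulting array is assigned to includedNetworkRules. Since an error in this list either loops the tunnel server's own traffic back into the proxy or quietly leaks destinations outside it, the checks worth keeping are that the prefixes are pairwise disjoint, that the excluded host is not covered, and that the covered address count equals the public space minus the excluded hosts.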

Hi @meaton

What happens if you add a rule for all public address ranges except for the one(s) you are looking to exclude? -> That approach worked for excluding the IPs. Now I only have include rules. I will file a bug for the combination of a wildcard rule (to accept all TCP flows) + a particular exclude rule. Thanks.

Okay, glad to hear you were able to resolve your issue. If you do open a bug report, please follow up with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com