Transparent Proxy IPv6 problem

We are trying to install our network extension that uses NETransparentProxyProvider. For the transparent proxy we set two important and general rules:

// destinationNetwork takes an NWHostEndpoint, not a plain string; port "0" means any port
NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"), prefix: 0, protocol: .TCP)

NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "::", port: "0"), prefix: 0, protocol: .TCP)

Our network provider supports IPv4 and IPv6 (both of them are enabled).

Our question is: why, if IPv6 is enabled and the network extension is enabled, does the Chrome browser not work? (If IPv6 is disabled or the network extension is disabled, Chrome works as expected; we observed this behaviour only for the Chrome browser.)

PS: The handleNewFlow function is implemented to return false every time, but it is not called at all for the IPv6 rule.

I'd have to look deeper into this situation to see what is happening, i.e., why apps are not working with your NENetworkRule. However, since you mentioned that when you disable your IPv6 rule everything works properly, I would be inclined to try a very general rule with your handleNewFlow method to see what specifically your provider is not picking up, to see where the delta is. For example:

NENetworkRule(remoteNetwork: nil,
              remotePrefix: 0,
              localNetwork: nil,
              localPrefix: 0,
              protocol: .TCP,
              direction: .outbound)

NENetworkRule(remoteNetwork: nil,
              remotePrefix: 0,
              localNetwork: nil,
              localPrefix: 0,
              protocol: .UDP,
              direction: .outbound)
...

override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
    // What are you getting here that you did not previously?
    if let tcpFlow = flow as? NEAppProxyTCPFlow {
        ...
    } else if let udpFlow = flow as? NEAppProxyUDPFlow {
        // I'm betting you are missing some traffic here
    }
    return false
}

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
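To make the diagnostic suggested above concrete, here is a complete provider that installs the catch-all TCP and UDP rules and logs every flow that reaches handleNewFlow, returning false so the system still carries the traffic. This is an added example, not code from the original poster or from Apple DTS; the class name, the os_log subsystem string and the loopback tunnelRemoteAddress are assumptions.

```swift
import NetworkExtension
import os.log

// Added diagnostic provider (not the original poster's code, not Apple DTS code).
// It installs the broad catch-all rules from the reply above and logs every flow
// that reaches handleNewFlow, so you can see which flows the rules actually match.
// Returning false hands every flow back to the system untouched: this build only
// observes traffic, it never proxies or blocks anything.
class DiagnosticTransparentProxyProvider: NETransparentProxyProvider {

    // Subsystem name is an assumption; use your own bundle identifier.
    private let log = OSLog(subsystem: "com.example.transparentproxy", category: "flows")

    override func startProxy(options: [String : Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        // tunnelRemoteAddress is required by the settings initializer; a loopback
        // address is the conventional placeholder for a transparent proxy.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // remoteNetwork == nil with remotePrefix 0 matches every remote address,
        // IPv4 and IPv6 alike, so one rule per transport protocol covers both families.
        let allTCP = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                   localNetwork: nil, localPrefix: 0,
                                   protocol: .TCP, direction: .outbound)
        let allUDP = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                   localNetwork: nil, localPrefix: 0,
                                   protocol: .UDP, direction: .outbound)
        settings.includedNetworkRules = [allTCP, allUDP]

        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Which process opened the flow: the signing identifier of the source app.
        let app = flow.metaData.sourceAppSigningIdentifier

        if let tcp = flow as? NEAppProxyTCPFlow {
            // TCP is connection oriented, so the remote endpoint is known up front.
            os_log("TCP flow from %{public}@ to %{public}@", log: log, type: .info,
                   app, String(describing: tcp.remoteEndpoint))
        } else if let udp = flow as? NEAppProxyUDPFlow {
            // UDP is connectionless: only the local endpoint is known here and
            // remoteHostname may be nil, as in the Console lines later in this thread.
            os_log("UDP flow from %{public}@ local %{public}@ remote hostname %{public}@",
                   log: log, type: .info,
                   app,
                   String(describing: udp.localEndpoint),
                   flow.remoteHostname ?? "nil")
        } else {
            os_log("Unexpected flow type %{public}@", log: log, type: .error,
                   String(describing: flow))
        }

        // false means "not handled": the system carries the flow normally.
        return false
    }
}
```

Compare the logged flows against what your own rule set produces; a flow that appears here but not with your rules shows where the rules fall short.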

Thanks for your quick reply. I tried exactly the rules received from you and everything works as expected. I also have 2 questions regarding this case:

  1. Why, if I set the following rules, is the Chrome browser still blocked?

NENetworkRule(
          remoteNetwork: nil,
          remotePrefix: 0,
          localNetwork: nil,
          localPrefix: 0,
          protocol: .TCP,
          direction: .outbound)

NENetworkRule(
          remoteNetwork: NWHostEndpoint(hostname: "172.217.0.0", port: "443"),
          remotePrefix: 0, // with 0 it does NOT work, but with 16 it WORKS as expected
          localNetwork: nil,
          localPrefix: 0,
          protocol: .UDP,
          direction: .outbound)
  2. The remote hosts for UDP connections are not set (they are nil). Should the remote host be set? (I attached a sample from the Console app after the questions.)

I want to monitor/block some IPs on the QUIC protocol, and I suppose (I tested this scenario with Wireshark) that QUIC is intercepted as UDP, not as TCP. Is it possible to monitor only some addresses on the UDP protocol (the rule from the example)? I tested with 2 sets of rules for UDP, one with remotePrefix 0, which does not work, and one with 16, which works as expected. Is there any explanation for this scenario?

// NSLog("New UDP flow: \(flow.osLogID) - \(udpFlow.description) - \(udpFlow.metaData.debugDescription) - \(udpFlow.remoteHostname)")

New UDP flow: 5814370464 - UDP com.google.Chrome.helper[{length = 20, bytes = 0x8336889fb3c42875c64cd9bc36f64da3ca34d1dc}] local port 6339 interface en0 - com.google.Chrome.helper[{length = 20, bytes = 0x8336889fb3c42875c64cd9bc36f64da3ca34d1dc}] - nil

New UDP flow: 5802858192 - UDP com.google.Chrome.helper[{length = 20, bytes = 0x8336889fb3c42875c64cd9bc36f64da3ca34d1dc}] local port 0 interface en0 - com.google.Chrome.helper[{length = 20, bytes = 0x8336889fb3c42875c64cd9bc36f64da3ca34d1dc}] - nil

Why, if I set the following rules, is the Chrome browser still blocked?

Not exactly sure, but from what I can tell the remotePrefix may not have been matching any part of the remoteNetwork with the prefix set to 0.

Regarding:

The remote hosts for UDP connections are not set (they are nil). Should the remote host be set? (I attached a sample from the Console app after the questions.)

Are the localEndpoint and ports set? If you call open on the local flow and then read from the local side of the flow, do you get remote endpoints for the datagrams?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
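The check proposed in the reply above, as an added example that is not the original poster's or DTS code: take a UDP flow in handleNewFlow, open it, read from the local side, and log the remote endpoint that arrives with each datagram, which is where the remote address of a connectionless flow shows up even when remoteHostname is nil. The class name and os_log subsystem are assumptions; the signing identifier is taken from the Console lines in this thread. Because the provider owns a flow once handleNewFlow returns true and this code does not relay datagrams onward, it closes the flow after the first read, so it belongs in a diagnostic build only.

```swift
import NetworkExtension
import os.log

// Added example (not the original poster's or DTS code). Opens a UDP flow and reads
// from the local side to see whether remote endpoints arrive with the datagrams.
// The flow is closed after the first read because nothing here relays it.
final class UDPEndpointInspector {

    // Subsystem name is an assumption; use your own bundle identifier.
    private let log = OSLog(subsystem: "com.example.transparentproxy", category: "udp")

    /// Signing identifier of the process whose UDP flows we want to inspect.
    /// Taken from the Console output earlier in this thread; adjust for your case.
    private let targetApp = "com.google.Chrome.helper"

    /// Call this from handleNewFlow. Returns true only for UDP flows of the target
    /// app, which the provider then owns; every other flow is left to the system.
    func handle(_ flow: NEAppProxyFlow) -> Bool {
        guard let udp = flow as? NEAppProxyUDPFlow,
              flow.metaData.sourceAppSigningIdentifier == targetApp else {
            return false
        }
        inspect(udp)
        return true
    }

    private func inspect(_ udp: NEAppProxyUDPFlow) {
        // A nil local endpoint lets the system choose the local address and port.
        udp.open(withLocalEndpoint: nil) { [weak self] error in
            guard let self = self else { return }
            if let error = error {
                os_log("open failed: %{public}@", log: self.log, type: .error,
                       String(describing: error))
                return
            }
            os_log("opened; local endpoint now %{public}@", log: self.log, type: .info,
                   String(describing: udp.localEndpoint))

            // Each datagram is paired with the endpoint the app sent it to, so the
            // remote address is visible here even though remoteHostname was nil.
            udp.readDatagrams { datagrams, endpoints, error in
                defer {
                    // No relay in this diagnostic: release the flow once inspected.
                    udp.closeReadWithError(nil)
                    udp.closeWriteWithError(nil)
                }
                if let error = error {
                    os_log("read failed: %{public}@", log: self.log, type: .error,
                           String(describing: error))
                    return
                }
                guard let datagrams = datagrams, let endpoints = endpoints else {
                    os_log("flow closed by the app before any datagram", log: self.log, type: .info)
                    return
                }
                for (datagram, endpoint) in zip(datagrams, endpoints) {
                    let host = (endpoint as? NWHostEndpoint)?.hostname ?? "?"
                    let port = (endpoint as? NWHostEndpoint)?.port ?? "?"
                    // QUIC (HTTP/3) normally uses UDP port 443, so Chrome's QUIC
                    // datagrams should appear here with that port.
                    os_log("%ld bytes to %{public}@:%{public}@", log: self.log, type: .info,
                           datagram.count, host, port)
                }
            }
        }
    }
}
```

Wire it in with `return inspector.handle(flow)` inside handleNewFlow. If the logged endpoints are populated while remoteHostname stays nil, the per-datagram endpoint is the value to match a UDP rule against, not the flow-level hostname.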