TCP Flow dropped by macOS when returned from NETransparentProxyProvider::handleNewFlow()

In my Proxy implementation of NETransparentProxyProvider, a particular flow is not handled when I return (false) from handleNewFlow() and that flow traffic is being dropped by macos. This traffic is generated by a 3rd party VPN client and the VPN client fails to connect to server. This issue is not seen when 'NETransparentProxyProvider' is disabled on the system. I could see below in the logs (VPN server address: 112.198.38.172):

full log

What is special in this VPN client traffic that after returning (false) from 'NETransparentProxyProvider::handleNewFlow()', it is not handled by MacOS. Meanwhile other traffic (eg, raised by browser) are successfully handled when returned from 'NETransparentProxyProvider::handleNewFlow()'

Up vote post of vismacdeveloper Down vote post of vismacdeveloper
1.3k views
Posted by
vismacdeveloper
Reply
Add a Comment

Accepted Reply

I’ve seen problems like this before but there’s really not much I do to help you here. As a transparent proxy provider your only option is:

  • Set up the rules so that you’re not passed the flow.

  • Or return false from the flow.

If you can’t do the first, then your only option is the second. And if you do the second and that causes the flow’s originating process to fail, there’s not much you can do about that. Your only option in that case is to file a bug so that the NE team can investigate why this is failing.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

I’ve seen problems like this before but there’s really not much I do to help you here. As a transparent proxy provider your only option is:

  • Set up the rules so that you’re not passed the flow.

  • Or return false from the flow.

If you can’t do the first, then your only option is the second. And if you do the second and that causes the flow’s originating process to fail, there’s not much you can do about that. Your only option in that case is to file a bug so that the NE team can investigate why this is failing.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Thanks for the response Quinn. I have filed below two feedback requests for the same:

https://feedbackassistant.apple.com/form-response/26861907

https://feedbackassistant.apple.com/feedback/11639289

If you can forward the same to concern NE team that would be really nice.

Posted by
vismacdeveloper
Up vote reply of vismacdeveloper Down vote reply of vismacdeveloper
Add a Comment

I checked FB11639289, your second link, it it’s landed in the right place.

The number in your first link doesn’t match any bug number format that I know of. Please post the FB number.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

My bad, the form for the 1st feedback had issues. I had to create a new feedback. The two feedbacks are:

https://feedbackassistant.apple.com/feedback/11656147

https://feedbackassistant.apple.com/feedback/11639289

Thanks again for looking into this Quinn.

Posted by
vismacdeveloper
Up vote reply of vismacdeveloper Down vote reply of vismacdeveloper
Add a Comment