Combining Packet Tunnel and Content Filter in network extension

Hi, we are writing a VPN-based filter network extension app for a closed group which is provided over managed devices. Our algorithm and filter work fine, but we are facing an issue with identifying the source application for a specific request from the tunnel.

packetFlow.readPacketObjects provides a packet, but packet.metaData is always nil.

We also tried using a content filter extension, and it provides the correct bundle ID for the source application, but it executes independently on the system and we cannot figure out a way to transfer control between extensions.

Also, enabling both capabilities (tunnel provider and content filter) seems impossible, because in the plist of an extension we can only define one NSExtensionPrincipalClass.

Thank you for the help in advance


What platform are you targeting? The iOS / macOS split really matters in this case.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Our app is for iOS only. Thank you for your reply, @eskimo.

On iOS there will be three providers in play:

  • Filter data

  • Filter control

  • Packet tunnel

Each has its own appex and will end up running in its own process. You can use an app group to share state between them but with one important caveat: The filter data provider can only read the app group. That’s a consequence of this comment in the docs:

The filter data provider runs in a very restrictive sandbox that prevents user network content from escaping that provider.

Note that the app group isn’t just about sharing files. You can use it to share memory or even do IPC (using Unix domain sockets), at least with the second two providers. I’m not entirely sure how the more advanced stuff will pan out with the read-only app group access provided to the filter data provider.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
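As an added illustration of the split described above (not code from this thread or from Apple), here is a filter data provider that only reads a decisions table from the app group container and escalates unknown flows to the control provider, which writes the table back and asks the data provider to reload it. The app group id, the file name, the sample policy and my reliance on the flow's `sourceAppIdentifier` property are assumptions for the example.

```swift
import NetworkExtension

// Constructed values for the example; substitute your own app group id.
private let appGroup = "group.example.filter"
private let decisionsFile = "decisions.json"

/// Decisions keyed by source bundle id: true = allow, false = drop.
/// Written by the control provider; the data provider can only read it.
private func decisionsURL() -> URL? {
    FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroup)?
        .appendingPathComponent(decisionsFile)
}

private func loadDecisions() -> [String: Bool] {
    guard let url = decisionsURL(), let data = try? Data(contentsOf: url),
          let table = try? JSONDecoder().decode([String: Bool].self, from: data) else { return [:] }
    return table
}

/// Runs in the restrictive sandbox with read-only app group access.
final class FilterDataProvider: NEFilterDataProvider {
    private var decisions: [String: Bool] = [:]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        decisions = loadDecisions()
        completionHandler(nil)
    }
    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }
    override func handleRulesChanged() { decisions = loadDecisions() }   // control provider updated the table

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let app = flow.sourceAppIdentifier else { return .drop() }   // no attribution: fail closed
        switch decisions[app] {
        case .some(true):  return .allow()
        case .some(false): return .drop()
        case .none:        return .needRules()   // hand the decision to the control provider
        }
    }
}

/// Runs in the control appex, which may write to the app group container.
final class FilterControlProvider: NEFilterControlProvider {
    private let allowedApps: Set<String> = ["com.example.approved"]   // constructed policy
    override func handleNewFlow(_ flow: NEFilterFlow, completionHandler: @escaping (NEFilterControlVerdict) -> Void) {
        let app = flow.sourceAppIdentifier ?? ""
        var table = loadDecisions()
        table[app] = allowedApps.contains(app)
        if let url = decisionsURL(), let data = try? JSONEncoder().encode(table) {
            try? data.write(to: url, options: .atomic)
        }
        // updateRules: true makes the data provider reload via handleRulesChanged()
        completionHandler(table[app] == true ? .allow(withUpdateRules: true) : .drop(withUpdateRules: true))
    }
}
```

The packet tunnel provider is not involved in this exchange; it shares state through the same container but, as noted above, only the data provider is confined to read-only access.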
