Returning NEPacketTunnelProvider packetFlow.readPacketObjects packets to macOS kernel

Question

Sourab OP

Created Nov ’23

Replies 1

Boosts 0

Participants 2

Can we return NEPacketTunnelProvider's NEPacket to macOS kernel? Snippet-

packetFlow.readPacketObjects {[weak self] packets in

As per network rules, packets read from packetFlow.

After parsing packets, in some conditional use cases(such as ip), if we decide not to handle the packets, could we return it to kernel?

We can easily achieve it in NETransparentProxyProvider by returning false from below method. We are looking for similar mechanisms to do return the traffic to Kernel.

override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool

May we achieve the same with any other Network.framework or low level API?

If any advance Code-level support could solve this issue, we could raise a TSI as well.

Boost

Answer 1

DTS Engineer OP

Apple

Nov ’23

if we decide not to handle the packets, could we return it to kernel?

No. The system routes packets to your VPN interface based on the destination IP address [1] [2]. If you claim a network, you are responsible for forwarding the packets destined for that network to that network.

Most people who ask this question are trying to use a packet tunnel provider for something other than providing VPN. We recommend against that, per TN3120 Expected use cases for Network Extension packet tunnel providers.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Assuming you’re not using per-app VPN.

[2] Keep in mind that scoped routing means you may get packets that are destined for other networks. For more on this, see the various posts linked off Extra-ordinary Networking.

1