There seems to be some issues with Network Extension.

Hi,

I have a Network Extension that uses content-filter-provider-systemextension.

It has been running stably before, but some problems occurred after I updated the system to macOS 14.1.

The main problem is that I registered the data filtering of the loopback address of 127, which caused a direct error in my DataGrip software, even if I directly returned .allow() in the handler function.

example code:

class Filter: NEFilterDataProvider {
    // MARK: NEFilterDataProvider
    override func startFilter(completionHandler: @escaping (Error?) -> Void)
    {
        // loopback rule: all 127.*.*.* will be matched
        let loNetworkRules4 = NENetworkRule(
            remoteNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),
            remotePrefix: 0,
            localNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),
            localPrefix: 0,
            protocol: .any,
            direction: .any
        )
        let loFilterRule4 = NEFilterRule(networkRule: loNetworkRules4, action: .filterData)
        let filterSettings = NEFilterSettings(rules: [loFilterRule4], defaultAction: .filterData)
       
        apply(filterSettings) { error in
            if let applyError = error {
            }
            completionHandler(error)
        }
    }
   
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict
    {
        return .allow()
    }
}

This will cause DataGrip's database connection test to report an error directly.

It seems that the local network communication of Java is blocked.

So I also used nc to test the local network.

nc -l 8888

nc 127.0.0.1 8888

But the result obtained is completely fine.

Everything got better when I rolled the system back to macOS 14.

Now I have updated the system to macOS 14.2 and the problem remains.

I've submitted feedback on this issue in Feedback Assistant:

FB13463323

But obviously the feedback is too slow and I can't wait, so I took the liberty of sending you an email to ask for help.

I want to confirm if this is a macOS bug or do I need to modify some NENetworkRule configurations?

If it is confirmed to be a BUG, how long will the repair cycle take? If it will be fixed soon, then I will just wait for the system to be repaired. If the repair cycle will be very long, then I have to consider other solutions for my product.

Thanks

I've submitted feedback on this issue in Feedback Assistant

FB13463323

Thanks for filing that.

I want to confirm if this is a macOS bug … ?

My general process for investigating problems like this — and this applies to both content filter and transparent proxy — is to install a no-op provider that claims the flow and then immediately passes it back to the system:

  • For a content filter, return .allow() from your handleNewFlow(_:) method.

  • For a transparent proxy, return false from the handleNewFlow(_:) and the handleNewUDPFlow(_:initialRemoteEndpoint:) methods (assuming you implement the latter).

If the problem persists, that’s something that the NE engineering team needs to investigate. A no-op NE provider shouldn’t affect system behaviour.

It sounds like you’ve already done that, which is great.

If it is confirmed to be a BUG, how long will the repair cycle take?

I can’t predict the future, alas. You need to make your own assessment of the impact of this bug and act accordingly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
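
The transparent proxy variant of the no-op test described in the reply above, as an added example that is not part of the original thread and not Apple's code. The class name, the logger subsystem and the 127.0.0.0/8 rule (chosen to mirror the loopback scope in the question) are assumptions.

```swift
import NetworkExtension
import os

// Added example: a no-op transparent proxy used only to check whether the mere
// presence of a provider changes system behaviour. It claims nothing itself.
final class NoOpTransparentProxy: NETransparentProxyProvider {
    // Placeholder subsystem; use your extension's bundle identifier.
    private let log = Logger(subsystem: "com.example.noop-proxy", category: "flows")

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // Assumed scope: outbound flows to 127.0.0.0/8. Transparent proxy rules
        // must be outbound and must not specify a local network.
        let loopback = NENetworkRule(
            remoteNetwork: NWHostEndpoint(hostname: "127.0.0.0", port: "0"),
            remotePrefix: 8,
            localNetwork: nil,
            localPrefix: 0,
            protocol: .any,
            direction: .outbound
        )
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        settings.includedNetworkRules = [loopback]
        setTunnelNetworkSettings(settings) { error in
            if let error {
                self.log.error("settings failed: \(error.localizedDescription, privacy: .public)")
            }
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Returning false declines the flow, so the system handles it as usual.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        log.info("declined flow from \(flow.metaData.sourceAppSigningIdentifier, privacy: .public)")
        return false
    }

    override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow,
                                   initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool {
        log.info("declined UDP flow from \(flow.metaData.sourceAppSigningIdentifier, privacy: .public)")
        return false
    }
}
```

The log lines show whether the provider was offered the failing application's flows before handing them back, which is useful detail to attach to a feedback report.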
