Interference Issue: PacketTunnelProvider vs. ContentFilter

App & System Services Networking
BugBuster90 OP
Created Apr ’24
Replies 7
Boosts 0
Views 674
Participants 2

Hey everyone,

I'm currently working on an app where I've already implemented a packet tunnel provider. Now, I'm looking to introduce a content filter. One crucial feature I need is the ability to read the bundle ID of the app originating the network flows.

However, I've hit a roadblock when combining both components; When I run the content filter sans packet tunnel provider, I can read the originating app's bundle ID for network flows just fine. But when I add packet tunnel provider, the app's bundle ID defaults to my own app's bundle ID, which is unexpected.

Has anyone else encountered this? Any thoughts on why it's happening or how to fix it?

Cheers!

Replies  7
Boosts  0
Views  674
Participants  2
DTS Engineer OP
Apple
Apr ’24

What platform are you targeting?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DTS Engineer OP
Apple
Apr ’24

Hmmm, weird.

Is your packet tunnel provider running in per-app VPN mode?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DTS Engineer OP
Apple
Apr ’24

It’s unlikely you landed in per-app VPN mode by accident. It requires a bunch of extra setup. However, you can confirm this by checking the routingMethod property. A value of .sourceApplication indicates per-app VPN.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DTS Engineer OP
Apple
Apr ’24

Note Please reply as a reply, not in the comments. I’m not notified of replies in the comments. See Quinn’s Top Ten DevForums Tips for this and other hints.

Apparently we don't use the NETunnelProviderManager at all

Bah, this is complex. There are two routingMethod properties:

You can’t avoid these types when building a tunnel:

  • Both NEAppProxyProvider and NEPacketTunnelProvider are subclasses of NETunnelProvider.

  • NEAppProxyProviderManager is a subclass of NETunnelProviderManager.

  • Packet tunnel apps use NETunnelProviderManager directly.

Both properties are read-only because:

  • An app proxy provider is always in per-app mode, and thus the property is always .sourceApplication.

  • A packet tunnel provider can only be put into per-app mode via a configuration profile.

Anyway, back to your main issue. I can’t see any reason why your packet tunnel provider should interfere with the flow metadata on content filter. This is true in general, but especially true in destination IP mode, where the packet tunnel provider operates entirely ‘below’ the content filter.

Does this problem only occur with your packet tunnel provider? Or can you reproduce it with a third-party VPN product that uses a packet tunnel provider?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
BugBuster90 OP
Apr ’24

I was able to reproduce it with a third-party VPN product too, specifically the Proxyman's iOS app. Looking at the socket flows in handleNewFlow(:) method, most of them have the value .com.nsproxy.NSProxy-iOS.PacketTunnel which I believe is Proxyman's bundle ID.

0
DTS Engineer OP
Apple
Apr ’24

I was able to reproduce it with a third-party VPN product too

Interesting. That radically reduces the chances of this being your fault. I recommend that you file a bug about this.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
BugBuster90 OP
Apr ’24

Thank you for your prompt response and guidance. I've filed a bug report as you suggested. The bug number is FB13764321. Appreciate your assistance!

0
Interference Issue: PacketTunnelProvider vs. ContentFilter
First post date Last post date
 
 
Q