Network kernel extensions deprecated soon

Hello,


In WWDC 2017 session 707 (Advances in Networking), the engineer said Network Kernel Extensions will be deprecated soon, and that we should use Network Extensions instead. This part of the talk is about iOS, but since it's about network kernel extensions, I guess that the warning is about macOS.


The problem is that network extensions are not currently a true alternative to network kernel extensions. For example, they offer no way to intercept network connections and modify their content. Am I missing some Network Extension API on macOS that allows that? Or maybe this is planned for future releases, hopefully before NKE gets deprecated.

Replies

This part of the talk is about iOS, but since it's about network kernel extensions, I guess that the warning is about macOS.

Correct. It came up during the iOS discussion on user space networking because NKEs are a major sticking point in bringing user space networking to the Mac.

The problem is that network extensions are not currently a true alternative to network kernel extensions.

True. We recognise that the current Network Extension architecture does not cover all possible NKE use cases. If you have specific use cases that aren’t covered, please do file an enhancement request describing that use case. I’d appreciate you also posting your bug number here, just for the record.

If you’re not sure whether your use case is covered, you can post details here and I’ll be happy to offer an opinion.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


I'm a little worried about a use case on macOS. What's the future like for firewalls and network monitors that currently use NKEs to block and report connections?


Will Network Extensions support seeing/blocking connections made by other processes, replacing the current role of socket filters? I'm not talking about inspecting the actual data traffic, but simply seeing who's making connections where and possibly blocking them.

What's the future like for firewalls and network monitors that currently use NKEs to block and report connections?

I can’t do anything here other than to repeat what I wrote above: if you have a specific use case that isn’t covered by the current Network Extension architecture, please do file an enhancement request describing that use case.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have the same issue for our application (TripMode) that is used by tens of thousands of customers who rely on it when they travel to save money on their data plans and be productive on slow networks when tethering on their Macs.

The app acts as a specialized application-level firewall, only for blocking selected apps and limiting data usage to set thresholds; there are no rules on addresses like a typical firewall, making it much easier for typical users.

The newly introduced KEXT load blocking and this post made us investigate alternatives to maintain the user experience, and I would be happy to not have to maintain an NKE, but it appears that at least for now the APIs are too restricted in what they can do, or on which device they can be used.

As requested, I have filed an enhancement request (32971342) with some more details.

As requested, I have filed an enhancement request (32971342) with some more details.

Thanks!

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I’m one of the developers of Little Snitch. For completeness’ sake, here’s the bug ID for our enhancement request: 33051117.

Understood! For the record, I'm the developer of Radio Silence, and just filed the enhancement request 33073877.

I’m one of the developers of Little Snitch. For completeness’ sake, here’s the bug ID for our enhancement request: 33051117.

Thanks. I just checked on this bug and it’s definitely landed in the right place (along with a bunch of friends :-).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Filed 33532379, 33532466 and 33532420. Let me know if any other information is required.


Thanks,

Ryan

Does that mean the "Kernel > kpi_ipfilter.h" APIs are deprecated now?

Does that mean the "Kernel > kpi_ipfilter.h" APIs are deprecated now?

No. There were no further announcements about NKE deprecation at WWDC 2018, so the advice from WWDC 2017 stands. Specifically:

  • NKEs are discouraged but not yet formally deprecated

  • NKEs are not compatible with user-space networking

  • Some types of NKEs can be implemented via a Network Extension framework provider

  • You should evaluate your NKE to see if that’s possible

  • If not, you should file an enhancement request explaining what your NKE does and why the existing Network Extension providers don’t work for it

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

As recommended, I submitted the following NKE request outlining our use case: 42183210.


Regards,

Adam

Filed 49804986 as suggested.