Network Extensions: dynamic intercept, chaining/loops, sdk

Hello,

I’ve got a few questions regarding the new Network Extension system extensions:

  1. It seems that it is not possible to dynamically decide whether to intercept a flow or not. There is only a static specification via NEFilterRule. Thus, in the case where we want to decide based on the originating process (pid, uid), we will have to manually connect to and handle the external side of the connection even when we do not really want to intercept it. NEAppProxyProvider’s handleNewFlow should ideally return an enum (will_intercept, not_interested, terminate) instead of the current bool. Any chance we can eventually expect something like that (low priority issue...)?
  2. How is this mechanism designed with regard to chaining/loops? Let's say I get a NEAppProxyTCPFlow; I want to filter the stream, and thus need to open a connection to the target host. How will this new connection be managed by the system? Will all these connections originating from a Network Extension process be ignored by itself and by Network Extension processes upstream in the kext chain to prevent cycles (similarly to reinjecting packets via ipf_inject_input when specifying the filter)? Does this mean that all the network communication triggered by a flow must be done (or at least connect() performed) within the Network Extension process to prevent possible loops? (Please note that there are conceptually two sources of loops: within a single application, and between multiple applications that do not know about each other and which all do the transparent proxying on the “same” connection in sequence.)
  3. Is the Network Extension process somehow limited, or is the context of this process equivalent to a root process context? There was some info about the DriverKit SDK being somehow limited in the WWDC video; what about Network Extensions? Can I take an old process running as root and put the code into the Network Extension and be sure it will work? And if it is possible to do so, is it a good idea/something that is recommended to do?

Thanks for any info.

Kind regards,

Ondrej K
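For readers following questions 1 and 2, here is an added sketch (not code from the poster or from Apple) of the "manually connect and handle the external side" path: an NEAppProxyProvider subclass claims an NEAppProxyTCPFlow, opens its own NWConnection to the flow's destination and relays bytes both ways. It assumes macOS 10.15-era NetworkExtension/Network APIs; the class name, queue label and helper method names are this example's own choices.

```swift
import NetworkExtension
import Network

// Added example: relay each intercepted TCP flow to its original destination.
// Whether the provider's own NWConnection is itself re-intercepted (question 2)
// is exactly what the post asks; this code does not assume an answer.
class RelayProxyProvider: NEAppProxyProvider {
    private let relayQueue = DispatchQueue(label: "example.relay")  // our own queue

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow,
              let dest = tcpFlow.remoteEndpoint as? NWHostEndpoint,
              let port = Network.NWEndpoint.Port(dest.port) else {
            return false  // decline; as the post notes, this does not pass the flow through
        }
        // Per-process data is visible here, but "not interested" still means relaying.
        NSLog("relaying flow from \(flow.metaData.sourceAppSigningIdentifier)")
        let upstream = NWConnection(host: Network.NWEndpoint.Host(dest.hostname),
                                    port: port, using: .tcp)
        tcpFlow.open(withLocalEndpoint: nil) { error in
            if error != nil { upstream.cancel(); return }
            upstream.stateUpdateHandler = { state in
                switch state {
                case .ready:
                    self.pumpFlowToUpstream(tcpFlow, upstream)
                    self.pumpUpstreamToFlow(upstream, tcpFlow)
                case .failed, .cancelled:
                    tcpFlow.closeReadWithError(nil); tcpFlow.closeWriteWithError(nil)
                default: break
                }
            }
            upstream.start(queue: self.relayQueue)
        }
        return true  // we own this flow from here on
    }

    // App -> destination: read from the flow, send upstream, repeat until EOF.
    private func pumpFlowToUpstream(_ flow: NEAppProxyTCPFlow, _ conn: NWConnection) {
        flow.readData { data, error in
            guard let data = data, !data.isEmpty, error == nil else {
                conn.send(content: nil, contentContext: .finalMessage,
                          isComplete: true, completion: .idempotent)  // propagate FIN
                return
            }
            conn.send(content: data, completion: .contentProcessed { _ in
                self.pumpFlowToUpstream(flow, conn)
            })
        }
    }

    // Destination -> app: receive upstream, write into the flow, repeat until EOF.
    private func pumpUpstreamToFlow(_ conn: NWConnection, _ flow: NEAppProxyTCPFlow) {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, done, error in
            let next = { done || error != nil ? flow.closeWriteWithError(nil)
                                               : self.pumpUpstreamToFlow(conn, flow) }
            if let data = data, !data.isEmpty { flow.write(data) { _ in next() } } else { next() }
        }
    }
}
```

Filtering logic would sit in the two pump methods, where every byte of the stream passes through the extension.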