13 Replies
      Latest reply on Apr 11, 2019 12:27 AM by hideme
      Naoned Level 1 (0 points)

        Hello,

        In WWDC 2017 session 707 (advances in networking), the engineer said Network Kernel Extensions will be deprecated soon, and that we should use network extensions instead. This part of the talk is about iOS, but since it's about network kernel extensions, I guess that the warning is about macOS.

        The problem is that network extensions are not currently a true alternative to network kernel extensions. For example, they offer no way to intercept network connections and modify their content. Am I missing some network extension API on macOS that allows that? Or maybe this is planned for future releases, hopefully before NKE gets deprecated.

        • Re: Network kernel extensions deprecated soon
          eskimo Apple Staff (11,225 points)

          This part of the talk is about iOS, but since it's about network kernel extensions, I guess that the warning is about macOS.

          Correct.  It came up during the iOS discussion on user space networking because NKEs are a major sticking point in bringing user space networking to the Mac.

          The problem is that network extensions are not currently a true alternative to network kernel extensions.

          True.  We recognise that the current Network Extension architecture does not cover all possible NKE use cases.  If you have specific use cases that aren’t covered, please do file an enhancement request describing that use case.  I’d appreciate you also posting your bug number here, just for the record.

          If you’re not sure whether your use case is covered, you can post details here and I’ll be happy to offer an opinion.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Network kernel extensions deprecated soon
              juuso Level 1 (0 points)

              Hi Quinn,

              I'm a little worried about a use case on macOS. What's the future like for firewalls and network monitors that currently use NKEs to block and report connections?

              Will Network Extensions support seeing/blocking connections made by other processes, replacing the current role of socket filters? I'm not talking about inspecting the actual data traffic, but simply seeing who's making connections where and possibly blocking them.

              • Re: Network kernel extensions deprecated soon
                ludovicleger Level 1 (0 points)

                I have the same issue for our application (TripMode) that is used by tens of thousands of customers who rely on it when they travel to save money on their data plans and be productive on slow networks when tethering on their Macs.

                The app acts as a specialized application-level firewall, only for blocking selected apps and to limit data usage to set thresholds; there are no rules on addresses like a typical firewall, making it much easier for typical users.

                The newly introduced KEXT load blocking and this post made us investigate alternatives to maintain the user experience, and I would be happy to not have to maintain an NKE, but it appears that at least for now the APIs are too restricted in what they can do, or on which device they can be used.

                As requested, I have filed an enhancement request (32971342) with some more details.

                • Re: Network kernel extensions deprecated soon
                  BoilerLA Level 1 (0 points)

                  Filed 33532379, 33532466 and 33532420. Let me know if any other information is required.

                  Thanks,

                  Ryan

                  • Re: Network kernel extensions deprecated soon
                    adam-m Level 1 (0 points)

                    As recommended, I submitted the following NKE request outlining our use-case: 42183210.

                    Regards,

                    Adam

                    • Re: Network kernel extensions deprecated soon
                      hideme Level 1 (0 points)

                      Filed 49804986 as suggested.

                    • Re: Network kernel extensions deprecated soon
                      MFatihMAR Level 1 (0 points)

                      Does that mean "Kernel > kpi_ipfilter.h" APIs are deprecated now?

                        • Re: Network kernel extensions deprecated soon
                          eskimo Apple Staff (11,225 points)

                          Does that mean "Kernel > kpi_ipfilter.h" APIs are deprecated now?

                          No.  There were no further announcements about NKE deprecation at WWDC 2018, so the advice from WWDC 2017 stands.  Specifically:

                          • NKEs are discouraged but not yet formally deprecated

                          • NKEs are not compatible with user-space networking

                          • Some types of NKEs can be implemented via a Network Extension framework provider

                          • You should evaluate your NKE to see if that’s possible

                          • If not, you should file an enhancement request explaining what your NKE does and why the existing Network Extension providers don’t work for it

                          Please post your bug number, just for the record.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"