NETransparentProxyProvider stops intercepting flows after sleep/wake cycle on macOS intermittently

Question

Created 5d

Replies 3

Boosts 0

Participants 2

I am seeing an issue with NETransparentProxyProvider where the extension successfully transitions from sleep to wake, but stops receiving handleNewFlow(_:) calls.

Only below two methods gets called, We don't apply rules in these methods:

override func wake()
override func sleep(completionHandler: @escaping () -> Void)

This breaking complete proxy workflow as it stops intercepting traffics.

We are not observing this issues always.

FYI: com.apple.developer.endpoint-security.client is not present in .entitlement file. I am not sure adding this will help.

Any possibilities nesessionmanager might fail to re-bind the traffic rules for this extensions?
Any thing we can do to avoid this issues?

Boost

Answer 1

DTS Engineer OP

Apple

5d

We don't apply rules in these methods

So what do you do in those methods?

In many cases a transparent proxy can get away without implementing those methods at all. If you do implement them:

Make sure they return promptly.
In the case of the sleep(…) method:
- Implement the async version and have it return promptly.
- Implement the completion handler version and have it call the completion handler promptly.

com.apple.developer.endpoint-security.client is not present in .entitlement file.

Network Extension and Endpoint Security are separate subsystems. It’s fine to implement an NE sysex without any ES bits in it. In fact, it’s more than fine, it’s very common.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

faisalIkwal OP

5d

@DTS Engineer

So what do you do in those methods?

We don't do anything here.

override func wake() {
        EPLog(debug, "provider wake", module: Consts.Module.ProxyProvider)
    }
    
    override func sleep(completionHandler: @escaping () -> Void) {
        EPLog(debug, "provider sleep", module: Consts.Module.ProxyProvider)
        completionHandler()
    }

We apply rule during:

override func startProxy

Why does it stops intercepting traffics?

0

Answer 3

DTS Engineer OP

Apple

4d

We don't do anything here.

Cool.

Why does it stops intercepting traffics?

It’s hard to say without more information:

How reproducible is this? Are you debugging this based on reports coming in from the field? Or can you reproduce it in your office? And if it’s the latter, how long does it take to reproduce?
When it happens, do you have enough logging to confirm whether stopProxy(…) is called or not?
When it happens, is your sysex process still intact? That is, is you sysex still running? And is it the same process as before the sleep/wake cycle, that is, is the PID the same?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0