Capturing IPv6 traffic with AppProxyProvider on macOS

I have implemented an AppProxyProvider (NETransparentProxyProvider) and I am able to capture traffic with it.

I am also able to define network rules allowing me to exclude some traffic:

let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1:8080")
settings.includedNetworkRules = [
    // Match outbound TCP to any IPv4 address (0.0.0.0/0), any port
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)
]

Now the documentation states that if I want to capture localhost traffic, I need to explicitly add the following rule:

NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "127.0.0.0", port: "0"), remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)

and if I want to capture the IPv6 localhost address:

NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "::1", port: "0"), remotePrefix: 128, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)

All this works great.

Now I am having trouble capturing external IPv6 traffic. For example, my ISP supports IPv6 and facebook.com resolves to 2a03:2880:f128:181:face:b00c:0:25de on my machine.

I am unable to write any rule allowing me to capture such traffic with the system extension. Either I get errors that the network mask cannot be greater than 32 or the traffic simply doesn't flow through the extension.

Here's an example request that I would like to capture:

curl https://facebook.com -kvp
*   Trying [2a03:2880:f128:181:face:b00c:0:25de]:443...
* Connected to facebook.com (2a03:2880:f128:181:face:b00c:0:25de) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=Menlo Park; O=Meta Platforms, Inc.; CN=*.facebook.com
*  start date: Aug 26 00:00:00 2023 GMT
*  expire date: Nov 24 23:59:59 2023 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: facebook.com]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7fcb5c011e00)
> GET / HTTP/2
> Host: facebook.com
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 301
< location: https://www.facebook.com/
< strict-transport-security: max-age=15552000; preload
< content-type: text/html; charset="utf-8"
< x-fb-debug: uWVEw8FZUIXozHae5VgKvIDY5lgH/4Aph+h+nJNJpIr7jFZIFGy9LRLGCSwPudcFBdi4Mf4rLaKsNGCBxHDmrA==
< content-length: 0
< date: Fri, 17 Nov 2023 14:14:03 GMT
< alt-svc: h3=":443"; ma=86400
<
* Connection #0 to host facebook.com left intact

Can this be achieved?

Either I get errors that the network mask cannot be greater than 32 or the traffic simply doesn't flow through the extension.

The former suggests that NE thinks you’re creating an IPv4 rule. What does your rule creation code actually look like?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo,

Here's what I tried in order to intercept this particular address:

NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "2a03:2880:f128:181:face:b00c:0:25de", port: "443"), remotePrefix: 128, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)

I also tried a catch-all rule:

NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "::0", port: "0"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)

What would be the proper way to add a rule that can intercept IPv6 traffic?

In the first case, if you drop one bit off the prefix (so use 127 instead of 128) does that work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
