NETransparentProxyProvider excludedRules limit?

I have this in my start code:

        var excludeRules: [NENetworkRule] = []
        for p in [4500] + Array(3478...3497) + Array(16384...16387) + Array(16393...16402) {
            // According to the documentation, I *should* be able to
            // use "" for the hostname, and prefix:0, but it complained
            // about the prefix length, so we use the top bit for ipv4
            // and ipv6 (two /1 networks per family cover the whole space).
            let port = "\(p)"
            os_log(.debug, log: Self.log, "Setting up to exclude port %{public}s", port)
            let host_1 = NWHostEndpoint(hostname: "0.0.0.0", port: port)
            let host_2 = NWHostEndpoint(hostname: "255.0.0.0", port: port)
            let host_3 = NWHostEndpoint(hostname: "0::0", port: port)
            let host_4 = NWHostEndpoint(hostname: "ffff::0", port: port)
            for host in [host_1, host_2, host_3, host_4] {
                let udpPortRule = NENetworkRule(destinationNetwork: host, prefix: 1, protocol: .UDP)
                excludeRules.append(udpPortRule)
            }
        }

        settings.excludedNetworkRules = excludeRules

This produces the log message

2024-07-23 11:16:38.335649+0100 0x901984   Debug       0x0                  20686  0    com.kithrup.SimpleTPP.Provider: [com.kithrup:Provider] Setting up to exclude port 3483

Later on, when running, I log the new flows in handleNewUDPFlow(_:initialRemoteEndpoint:), and it produces

2024-07-23 11:17:05.712055+0100 0x901984   Debug       0x0                  20686  0    com.kithrup.SimpleTPP.Provider: [com.kithrup:Provider] handleNewUDPFlow(_:initialRemoteEndpoint:): new UDP flow for host 17.252.13.7:3483 app com.apple.identityservicesd

So port 3483 is definitely in the excludedRules array, but it's not being excluded.

(All of this is because I still can't figure out why FaceTime isn't working with us.)

Answered by Systems Engineer in 796689022

Please open a bug report here with these logs and a sysdiagnose. Please post the feedback ID here.

Matt Eaton - Networking

I think there could be a few different things going on here. For me to get a better picture of how to proceed on the excludedRules case, can you provide the log for the entire flow that includes things like local address etc?

Regarding:

(All of this is because I still can't figure out why FaceTime isn't working with us.)

Do you mean that FaceTime is not working when you have the Proxy Provider running, or that FaceTime does not work at all?

All of your utun interfaces are available, correct?

Matt Eaton - Networking

Do you mean that FaceTime is not working when you have the Proxy Provider running, or that FaceTime does not work at all?

When it is running, neither FaceTime video nor audio work. I can get it to connect outbound (haven't tried inbound recently, so I forget), but there's just no audio or video.

Let me get all of the log messages for a small time frame.

Here is the (somewhat edited) sequence of system logs for a flow. I pared down the excludedRules a bit, and added:

        let appleRule = NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "17.0.0.0", port: "0"), prefix: 8, protocol: .any)

so nothing in 17/8 should have come to the provider, right? And yet it did. I must be doing something very very wrong, but I can't figure it out yet.

  com.kithrup.SimpleTPP.Provider: (libnetworkextension.dylib) [com.apple.networkextension:] (0): Flow 1864790775 is connecting
  com.kithrup.SimpleTPP.Provider: (libnetworkextension.dylib) [com.apple.networkextension:] (1864790775): New flow: NEFlow type = datagram, app = com.apple.identityservicesd, name = , 192.168.43.105:16393 <-> 17.252.14.81:3478, filter_id = , interface = en0(bound)
  com.kithrup.SimpleTPP.Provider: (NetworkExtension) [com.apple.networkextension:] [Extension com.kithrup.SimpleTPP.Provider]: Calling handleNewUDPFlow with UDP com.apple.identityservicesd[{length = 20, bytes = 0x9369f2790daea880d6d0dca66519aa9ae04f7bcc}] local port 16393 interface en0(bound), remoteEndpoint = 17.252.14.81:3478
  com.kithrup.SimpleTPP.Provider: [com.kithrup.SimpleTPP.Provider:redirector] handleNewUDPFlow(_:initialRemoteEndpoint:): new UDP flow for host 17.252.14.81:3478 app com.apple.identityservicesd
  com.kithrup.SimpleTPP.Provider: [com.kithrup.SimpleTPP.Provider:redirector] Got flow for com.apple.identityservicesd
  identityservicesd: (libquic.dylib) [com.apple.network:quic] quic_crypto_new_flow [C382:2] [b3582e00-b4c3556dcba3be09] TLS stream is: [C383]
  identityservicesd: (Network) [com.apple.network:connection] [C383 C99F226F-F5A6-49B2-9AE1-ACE580B7619A IPv4#c62ff9e2:3478 quic, tls, definite, attribution: developer, reuse local address, context: IDSRealTime (private), proc: 24A8D0C7-FB75-37DE-8065-5EB68A7790DE, effective proc: 7FD7A321-FDAF-3CF4-926E-BF555C540CE0, local address: 192.168.43.105:16393, required interface: en0(13), has demux] start
  identityservicesd: (Network) [com.apple.network:connection] [C383 IPv4#c62ff9e2:3478 initial socket-flow (satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi)] event: path:start @0.000s
  identityservicesd: (Network) [com.apple.network:connection] [C383 IPv4#c62ff9e2:3478 waiting socket-flow (satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi)] event: path:satisfied @0.000s, uuid: A457D7C0-8173-4B04-B722-747C0287E464
  identityservicesd: (Network) [com.apple.network:connection] [C383 IPv4#c62ff9e2:3478 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi)] event: flow:start_connect @0.000s
  identityservicesd: (Network) [com.apple.network:connection] nw_connection_report_state_with_handler_on_nw_queue [C383] reporting state preparing
  identityservicesd: (Network) [com.apple.network:connection] nw_flow_connected [C383 IPv4#c62ff9e2:3478 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi)] Joined protocol connected (quic)
  identityservicesd: (Network) [com.apple.network:connection] [C383 IPv4#c62ff9e2:3478 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi)] event: flow:finish_transport @0.000s
  com.kithrup.SimpleTPP.Provider: [com.kithrup.SimpleTPP.Provider:redirector] We are bypassing the app com.apple.identityservicesd (path /system/library/privateframeworks/ids.framework/identityservicesd.app/contents/macos/identityservicesd)!
  com.kithrup.SimpleTPP.Provider: (NetworkExtension) [com.apple.networkextension:] [Extension com.kithrup.SimpleTPP.Provider]: provider rejected new flow UDP com.apple.identityservicesd[{length = 20, bytes = 0x9369f2790daea880d6d0dca66519aa9ae04f7bcc}] local port 16393 interface en0(bound)
  identityservicesd: (libboringssl.dylib) [com.apple.network:boringssl] boringssl_session_apply_protocol_options_for_transport_block_invoke(2007) [C383:1][0x125f17eb0] TLS configured [min_version(0x0304) max_version(0x0304) name(redacted) tickets(true) false_start(true) enforce_ev(false) enforce_ats(false) ech(false)]
  containermanagerd: (ContainerManagerCommon) [com.apple.containermanager:fs] stat [<private>]: exists: 1, isDirectory: 0, fsNode: <~~~>
  kernel: (1864790775): No more valid control units, disabling flow divert
  kernel: (1864790775): Skipped all flow divert services, disabling flow divert
  identityservicesd: (libboringssl.dylib) [com.apple.network:boringssl] boringssl_context_info_handler(2133) [C383:1][0x125f17eb0] Client handshake started
  com.kithrup.SimpleTPP.Provider: (libnetworkextension.dylib) [com.apple.networkextension:] (1864790775): Closing reads (sending SHUT_WR), closed by plugin (flow error: 0)
  com.kithrup.SimpleTPP.Provider: (libnetworkextension.dylib) [com.apple.networkextension:] (1864790775): Closing writes, sending SHUT_RD
  com.kithrup.SimpleTPP.Provider: (libnetworkextension.dylib) [com.apple.networkextension:] (1864790775): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0
  identityservicesd: (libboringssl.dylib) [com.apple.network:boringssl] boringssl_context_info_handler(2150) [C383:1][0x125f17eb0] Client handshake state: TLS client enter_early_data
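As an added example (not the poster's code, and not part of the original thread), here is one way to build the per-port exclusions from the first post together with the 17/8 rule from this post, and then to check offline whether the resulting table covers a destination such as the 17.252.13.7:3483 flow in the logs. The helper names (facetimePorts, networkRule, makeExcludedRules, addressBytes, prefixMatches, tableCovers) are hypothetical; the matcher only models the documented rule semantics (remote network/prefix, port, protocol), so a true result from it while the flow still reaches handleNewUDPFlow points at the system, not at the table. Note that a single /1 rule only matches addresses whose top bit is 0, so both halves of each address family are generated.

```swift
import Foundation
import NetworkExtension

// Added example, not the forum poster's code. All helper names are hypothetical.

/// The UDP ports the first post excludes.
let facetimePorts: [Int] = [4500] + Array(3478...3497) + Array(16384...16387) + Array(16393...16402)

/// One rule for a destination network/prefix and port (port 0 = any port).
func networkRule(_ network: String, prefix: Int, port: Int = 0,
                 proto: NENetworkRule.Protocol = .any) -> NENetworkRule {
    let endpoint = NWHostEndpoint(hostname: network, port: String(port))
    return NENetworkRule(destinationNetwork: endpoint, prefix: prefix, protocol: proto)
}

/// Per-port exclusions spanning all of IPv4 and IPv6: two /1 networks per family.
func makeExcludedRules(ports: [Int], proto: NENetworkRule.Protocol = .UDP) -> [NENetworkRule] {
    let halves = ["0.0.0.0", "128.0.0.0", "::", "8000::"]
    var rules: [NENetworkRule] = []
    for p in ports {
        for net in halves {
            rules.append(networkRule(net, prefix: 1, port: p, proto: proto))
        }
    }
    return rules
}

/// Raw bytes (4 or 16) of an IPv4/IPv6 literal via inet_pton; nil for hostnames.
func addressBytes(_ literal: String) -> [UInt8]? {
    var v4 = in_addr()
    if inet_pton(AF_INET, literal, &v4) == 1 { return withUnsafeBytes(of: &v4) { Array($0) } }
    var v6 = in6_addr()
    if inet_pton(AF_INET6, literal, &v6) == 1 { return withUnsafeBytes(of: &v6) { Array($0) } }
    return nil
}

/// True when `address` lies inside `network/prefix` (compares the leading `prefix` bits).
func prefixMatches(address: [UInt8], network: [UInt8], prefix: Int) -> Bool {
    guard address.count == network.count, prefix >= 0, prefix <= address.count * 8 else { return false }
    var remaining = prefix
    for (a, n) in zip(address, network) {
        if remaining <= 0 { break }
        let mask = remaining >= 8 ? UInt8(0xFF) : UInt8((0xFF << (8 - remaining)) & 0xFF)
        if (a & mask) != (n & mask) { return false }
        remaining -= 8
    }
    return true
}

/// Offline check: would this rule table match the given destination? It reads the
/// rule's own matchRemoteEndpoint / matchRemotePrefix / matchProtocol and applies the
/// documented semantics (network prefix, port with 0 meaning any, protocol with .any).
func tableCovers(_ rules: [NENetworkRule], host: String, port: Int,
                 proto: NENetworkRule.Protocol) -> Bool {
    guard let addr = addressBytes(host) else { return false }
    for rule in rules {
        guard let endpoint = rule.matchRemoteEndpoint,
              let net = addressBytes(endpoint.hostname) else { continue }
        let rulePort = Int(endpoint.port) ?? 0
        let portOK = rulePort == 0 || rulePort == port
        let protoOK = rule.matchProtocol == .any || rule.matchProtocol == proto
        if portOK && protoOK && prefixMatches(address: addr, network: net, prefix: rule.matchRemotePrefix) {
            return true
        }
    }
    return false
}

// Constructed check, not a live flow: the destination seen in the poster's log line,
// against the port table plus the 17/8 rule from the second post.
let rules = makeExcludedRules(ports: facetimePorts) + [networkRule("17.0.0.0", prefix: 8)]
let covered = tableCovers(rules, host: "17.252.13.7", port: 3483, proto: .UDP)
print("17.252.13.7:3483/UDP covered by rule table: \(covered)")
```

In a provider, calling tableCovers from handleNewUDPFlow(_:initialRemoteEndpoint:) with the flow's remote endpoint and logging the result alongside the flow gives a direct "should this have been excluded" line to attach to the bug report, separating a rule-construction mistake from the system not honouring excludedNetworkRules.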

FB14453214, alas. I'm going to try my minimal TPP as well.
