New APIs available for Network Extension apps
- Content Filter
- Transparent Proxy
- DNS Proxy
- VPN
- Virtual Machine
- Custom Protocols
Content Filter app
Example: Personal firewall app
Example: Parental control app
System Extensions
Packaged inside your app
Managed by the OS
Easy to develop and debug
Run independently of any user
System Extensions require user approval to load, like user-approved kernel extension loading (UAKEL).
Content Filter
NetworkExtension Framework
Transparent Proxy
NetworkExtension Framework
DNS Proxy
NetworkExtension Framework
VPN
NetworkExtension Framework
includeAllNetworks - All traffic gets routed via the VPN. If VPN is unreachable, traffic is dropped.
excludeLocalNetworks - Allows traffic sent to the local network to be excluded from VPN traffic.
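The two flags above, set on an IKEv2 configuration and read back after saving to confirm the fail-closed setting was stored. This is an added example, not code from the session. The function names, the `ConfigError` type, and the `server` and `remoteID` parameters are hypothetical. It assumes the app has the Personal VPN entitlement and leaves authentication settings out.

```swift
import NetworkExtension

// Hypothetical error type for this example.
enum ConfigError: Error { case notFailClosed }

// Builds an IKEv2 configuration using the two flags from the notes.
// `server` and `remoteID` are caller-supplied placeholders.
@available(macOS 10.15, iOS 14.2, *)
func makeFailClosedProtocol(server: String, remoteID: String) -> NEVPNProtocolIKEv2 {
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = server
    proto.remoteIdentifier = remoteID
    // All traffic is routed via the VPN; if the VPN is unreachable, traffic is dropped.
    proto.includeAllNetworks = true
    // Traffic sent to the local network stays outside the VPN.
    proto.excludeLocalNetworks = true
    // Authentication (certificate or credentials) is omitted here and must be
    // set before the configuration can connect.
    return proto
}

// Saves the configuration, then reloads it and checks that the stored
// copy still has includeAllNetworks set.
@available(macOS 10.15, iOS 14.2, *)
func installFailClosedVPN(server: String, remoteID: String,
                          completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { completion(loadError); return }
        manager.protocolConfiguration = makeFailClosedProtocol(server: server,
                                                               remoteID: remoteID)
        manager.localizedDescription = "Fail-closed VPN (example)"
        manager.isEnabled = true
        manager.saveToPreferences { saveError in
            if let saveError = saveError { completion(saveError); return }
            manager.loadFromPreferences { reloadError in
                if let reloadError = reloadError { completion(reloadError); return }
                let stored = manager.protocolConfiguration
                completion(stored?.includeAllNetworks == true
                           ? nil : ConfigError.notFailClosed)
            }
        }
    }
}
```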
Per-App VPN
MailDomains
CalendarDomains
ContactsDomains
Virtual Machine
NetworkExtension Framework
VMs aren't very useful if they can't connect to the network. Apple has the vmnet.framework to handle this.
Shared Mode enhancements
- IPv6 in shared mode
- Specify IP range of inside network
- Port Forwarding
Bridged Mode - VM has separate IP, does not use NAT. This has previously not been available for VM hypervisor software which uses Apple's Hypervisor framework: https://developer.apple.com/documentation/hypervisor
Custom IP protocol
NetworkExtension Framework
Network Kernel Extensions are deprecated in macOS Catalina
Move to using System Extensions
Summary:
New APIs available for Network Extension apps
- Content Filter
- Transparent Proxy
- DNS Proxy
- VPN
- Virtual Machine
- Custom Protocols
Network kernel extensions are deprecated and will stop working in the future.