Filtering local connections with NETransparentProxyProvider

Hi! I've been developing a transparent proxy network extension by extending NEAppProxyProvider, and later NETransparentProxyProvider when it became available.

Both of them seem to have the same issue where loopback connections (i.e. connections to localhost, 127.0.0.1, ::1, etc.) can't be intercepted.

Is this a deliberate decision or a bug? Is there a way I can work around this to filter loopback connections with my transparent proxy?

Both of them seem to have the same issue where loopback connections (i.e. connections to localhost, 127.0.0.1, ::1, etc.) can't be intercepted.

I suspect the reason for this is that these flows are technically not .outbound connections on the system and so the proxy provider ignores them.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Hi, @meaton!

Makes sense, but can I still filter them somehow?

The use case is filtering traffic that goes between a browser and a local proxy like ShadowSocks or Tor. Note that filtering the outbound connection of the local proxy itself is problematic because it is encrypted (with a custom protocol) so I won't be able to do anything with it.

Makes sense, but can I still filter them somehow?

How does your browser know to proxy to localhost? Are you setting this via Network -> (Your Network Interface Configuration) -> Advanced -> Proxies, and then using Auto Proxy Discovery with a PAC file?

If you are then you could try setting your NEProxySettings for NETransparentProxyNetworkSettings using SCDynamicStoreCopyProxies.

Code Block swift
import NetworkExtension
import SystemConfiguration

// Mirror the system proxy configuration (PAC settings) into NEProxySettings,
// which can then be assigned to NETransparentProxyNetworkSettings.proxySettings.
func makeProxySettings() -> NEProxySettings? {
    let proxySettings = NEProxySettings()
    guard let systemConfiguration = SCDynamicStoreCopyProxies(nil) as? [CFString: AnyObject] else {
        return nil
    }
    proxySettings.autoProxyConfigurationEnabled = systemConfiguration[kSCPropNetProxiesProxyAutoConfigEnable] as? Bool ?? false
    proxySettings.proxyAutoConfigurationURL = systemConfiguration[kSCPropNetProxiesProxyAutoConfigURLString] as? String
    /* And so on */
    return proxySettings
}


This may get you what you want, if the traffic matches the PAC rule in your proxy logic before the traffic gets to the Network System Extension. I have seen this work for local network addresses on a private network, but not with localhost traffic. It may be worth a try though.

If this does not work then I would open an Enhancement Request.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
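Putting the suggestion above into a provider, as an added example that is not code from this thread or from Apple. It assumes a hypothetical local proxy listening on 127.0.0.1:1080 and a hypothetical provider class name; the system proxy settings are copied with SCDynamicStoreCopyProxies as described, an outbound TCP rule is declared for the local proxy's port, and handleNewFlow logs whether a loopback flow ever reaches the provider. As the answer above notes, loopback flows are not expected to be delivered to the provider, so the rule and the loopback check are there to make that outcome observable, not to guarantee interception.

```swift
import Foundation
import NetworkExtension
import SystemConfiguration

// Assumption (hypothetical): a local SOCKS-style proxy such as ShadowSocks or Tor
// listens here. Adjust to your setup.
let localProxyHost = "127.0.0.1"
let localProxyPort = "1080"

/// Copy the system-wide proxy configuration (PAC URL, explicit HTTP proxy)
/// into NEProxySettings, mirroring the approach suggested in the answer above.
func proxySettingsFromSystem() -> NEProxySettings? {
    guard let cfg = SCDynamicStoreCopyProxies(nil) as? [CFString: AnyObject] else {
        return nil
    }
    let settings = NEProxySettings()
    settings.autoProxyConfigurationEnabled =
        (cfg[kSCPropNetProxiesProxyAutoConfigEnable] as? Bool) ?? false
    settings.proxyAutoConfigurationURL =
        cfg[kSCPropNetProxiesProxyAutoConfigURLString] as? String
    if let host = cfg[kSCPropNetProxiesHTTPProxy] as? String,
       let port = cfg[kSCPropNetProxiesHTTPPort] as? Int {
        settings.httpEnabled = true
        settings.httpServer = NEProxyServer(address: host, port: port)
    }
    return settings
}

/// True for every address a client may use to reach a proxy on this host:
/// the whole 127.0.0.0/8 block, ::1, IPv4-mapped ::ffff:127.x.x.x and "localhost".
func isLoopbackHost(_ host: String) -> Bool {
    let h = host.lowercased()
    if h == "localhost" || h == "::1" { return true }
    if h.hasPrefix("127.") { return true }
    if h.hasPrefix("::ffff:127.") { return true }
    return false
}

// Hypothetical provider class name; the base class is the real one.
class LocalProxyFilter: NETransparentProxyProvider {

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Ask only for outbound TCP flows to the local proxy's port. Per the thread,
        // loopback flows are not delivered to the provider, so this rule alone is
        // not expected to capture them; it shows what the rule looks like.
        let localProxyRule = NENetworkRule(
            remoteNetwork: NWHostEndpoint(hostname: localProxyHost, port: localProxyPort),
            remotePrefix: 32,
            localNetwork: nil,
            localPrefix: 0,
            protocol: .TCP,
            direction: .outbound)
        settings.includedNetworkRules = [localProxyRule]
        settings.proxySettings = proxySettingsFromSystem()

        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcp = flow as? NEAppProxyTCPFlow,
              let endpoint = tcp.remoteEndpoint as? NWHostEndpoint else {
            return false // let the system handle anything we do not recognise
        }
        if isLoopbackHost(endpoint.hostname) {
            // If this ever logs, loopback flows did reach the provider.
            NSLog("loopback flow to \(endpoint.hostname):\(endpoint.port) reached the provider")
            // Returning true claims the flow: you must then call tcp.open(...)
            // and read/forward the data yourself, or the connection will stall.
            return false
        }
        return false
    }
}
```

Returning false from handleNewFlow hands the flow back to the system, which is the safe default while testing whether loopback traffic is ever delivered; once a loopback flow does show up in the log, replace that branch with the open/read/forward logic of a normal transparent proxy.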