Network Extension is not running

Hi All,
I am trying to do a small POC using Network Extension's content filter capability. It is just a simple application for listening to all inbound connections on a particular port. I am able to build the application using Xcode. Through the main application I am able to install the network extension as a system extension, and I am able to view the installed extension in systemextensionctl list.
The problem is that I am not able to do anything after that; I don't think the extension is actually running. I am not able to see any logs in system.log. A few logs were present in the device's log which indicate that the extension is running. The last log was

Code Block
Request to activate com.sample.xyz.NetworkExtension succeeded (0).
Adding event subscription 930 for provider com.sample.xyz.NetworkExtension with extension point com.apple.networkextension.filter-data


I gave some debug logs and none of them were printed.

I have all entitlements in my provisional profile, and if there was any code signing issue I guess it would have been present in system.log (at least I assume).

Thanks in advance.
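
The post above reports that the extension appears in systemextensionctl list; the last column of that listing also shows each copy's state, which is what separates "listed" from "activated and enabled". The following is an added example, not part of the thread: a small parser for that listing. The sample output is constructed (team ID and versions are made up, the bundle ID is the one from the post), and the tab-separated column layout is an assumption about how the tool prints.

```python
import re

# Constructed sample of `systemextensionctl list` output (assumed tab-separated).
SAMPLE = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tABCDE12345\tcom.sample.xyz.NetworkExtension (1.0/1)\t"
    "NetworkExtension\t[activated enabled]\n"
    "\t\tABCDE12345\tcom.sample.xyz.NetworkExtension (0.9/1)\t"
    "NetworkExtension\t[terminated waiting to uninstall on reboot]\n"
)

# One extension row: two flag columns, team ID, "bundle (version)", name, [state].
ROW = re.compile(
    r"^(?P<enabled>\*?)\t(?P<active>\*?)\t(?P<team>\S+)\t"
    r"(?P<bundle>\S+) \((?P<version>[^)]*)\)\t(?P<name>.*?)\t\[(?P<state>[^\]]*)\]$"
)


def parse_extensions(text):
    """Return one dict per extension row; count, category and header lines are skipped."""
    rows = []
    for line in text.splitlines():  # do not strip: leading tabs are empty flag columns
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["enabled"] = row["enabled"] == "*"
            row["active"] = row["active"] == "*"
            rows.append(row)
    return rows


def diagnose(text, bundle_id):
    """Return (version, state, usable) for every listed copy of bundle_id."""
    result = []
    for r in parse_extensions(text):
        if r["bundle"] == bundle_id:
            usable = r["enabled"] and r["active"] and r["state"] == "activated enabled"
            result.append((r["version"], r["state"], usable))
    return result


if __name__ == "__main__":
    for version, state, usable in diagnose(SAMPLE, "com.sample.xyz.NetworkExtension"):
        print(version, "[%s]" % state, "OK" if usable else "not running")
```

An empty result means the bundle ID is not listed at all; a row that is listed but not usable points at activation or approval rather than at the filter code.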

Replies

What do your entitlements look like in the Container App as well as the Network System Extension?

Are you able to verify in the Network System Extension that the system extension is starting without error? I usually do this with code that looks something like this:

Code Block swift
import NetworkExtension
import os.log

class FilterDataProvider: NEFilterDataProvider {
    static let log = OSLog(subsystem: "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension", category: "provider")
    private let log: OSLog

    override init() {
        self.log = Self.log
        os_log(.debug, log: self.log, "init")
        super.init()
    }

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log(.debug, log: self.log, "startFilter")
        /* Your NENetworkRule goes here as `anyHostAndPortRule`.
           Placeholder below: any host, any port, both directions. */
        let anyHostAndPortRule = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                               localNetwork: nil, localPrefix: 0,
                                               protocol: .any, direction: .any)
        let filterRule = NEFilterRule(networkRule: anyHostAndPortRule, action: .filterData)
        let filterSettings = NEFilterSettings(rules: [filterRule], defaultAction: .allow)
        apply(filterSettings) { error in
            if let applyError = error {
                os_log(.debug, log: self.log, "Failed to apply filter settings: %{public}@", applyError.localizedDescription)
            } else {
                os_log(.debug, log: self.log, "Success applying filter settings")
            }
            // Report the result of applying the settings back to the system.
            completionHandler(error)
        }
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        os_log(.debug, log: self.log, "Received a new flow: %{public}@", flow.description)
        /* ... */
        // Placeholder verdict so the method compiles; make the per-flow decision here.
        return .allow()
    }
}


Then by logging this subsystem in the Terminal like so:
Code Block text
log stream --level debug --predicate 'subsystem == "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension"'


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I am not able to log anything from the network extension. Any way to verify why the extension has not come up?
Small update, I gave some logs inside start filter function and it is getting displayed. I have started a server on the port which I am interested in and when I hit that endpoint I am not getting a new flow. I am using the sample code used for the simple firewall application.

when I hit that endpoint I am not getting a new flow.

Are your network rules capturing the inbound connections for the flow?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@meaton I am facing the same issue. Using the way you said, I cannot log out anything from the log stream. My entitlement file is like below


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider</string>
	</array>
	<key>com.apple.security.app-sandbox</key>
	<false/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>$(TeamIdentifierPrefix)com.testing.connectionFilter</string>
	</array>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
</dict>
</plist>

@PreethamTK did you resolve this?
