Multiple network extension in a pipeline

Question

Created Apr ’22

Replies 3

Boosts 0

Views 1.8k

Participants 3

Hey! Currently I have a VPN application implemented using Network Extension PacketTunnelProvider, which works just fine.

The big question I am curious in: could the one connect several Network Extensions into a pipeline, which would do complex tasks in a determined way?

From my point of view, there are several smaller questions to answer the big one:

Could I launch several network extensions in one time, or the system will disable the previous / prevent me from launch?
Is the order of network traffic processing, between several network extensions running on a mac, determined in any way or it is not?
If the order is determined, what exactly it will be? The first launched gets the traffic first, second gets second, ...; or the last launched gets the traffic first, ...?

Is there a difference in the processing order for different Network Extension classes (like, first PacketTunnelProvider will process the traffic only after the last Content filter provider finished its processing, or smth like that)?

Maybe I've missed some important points or simple answers.

It would be very helpful if these could be described here or in documentation.

Answered by Systems Engineer in 712064022

Could I launch several network extensions in one time, or the system will disable the previous / prevent me from launch?

You can launch more than one network extension at one time, yes. For example, start Network System Extension A and then Network System Extension B after A.

Regarding:

Is the order of network traffic processing, between several network extensions running on a mac, determined in any way or it is not?

This greatly depends upon how your extension is configured on the Mac. If for example, you had two NETransparentProxyProviders running on the system, A and B. And A and B were both setup to claim the same type of traffic, and A was setup first and B was setup second, then A would get the traffic first and B would get the traffic second. The caveat here is if A was proxying the traffic then the traffic would show up in B as originating from A and not from Safari.

Regarding:

If the order is determined, what exactly it will be? The first launched gets the traffic first, second gets second, ...; or the last launched gets the traffic first, ...?

See above.

Regarding:

Is there a difference in the processing order for different Network Extension classes (like, first PacketTunnelProvider will process the traffic only after the last Content filter provider finished its processing, or smth like that)?

No. However, if your NEPacketTunnelProvider or NEFilterDataProvider does not claim a specific set of traffic and it's claimed by the other extension that is installed second, then the traffic will pass right through to the second extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Boost

Answer 1

Systems Engineer OP

Apple

Apr ’22

Accepted Answer

Could I launch several network extensions in one time, or the system will disable the previous / prevent me from launch?

You can launch more than one network extension at one time, yes. For example, start Network System Extension A and then Network System Extension B after A.

Regarding:

Is the order of network traffic processing, between several network extensions running on a mac, determined in any way or it is not?

This greatly depends upon how your extension is configured on the Mac. If for example, you had two NETransparentProxyProviders running on the system, A and B. And A and B were both setup to claim the same type of traffic, and A was setup first and B was setup second, then A would get the traffic first and B would get the traffic second. The caveat here is if A was proxying the traffic then the traffic would show up in B as originating from A and not from Safari.

Regarding:

If the order is determined, what exactly it will be? The first launched gets the traffic first, second gets second, ...; or the last launched gets the traffic first, ...?

See above.

Regarding:

Is there a difference in the processing order for different Network Extension classes (like, first PacketTunnelProvider will process the traffic only after the last Content filter provider finished its processing, or smth like that)?

No. However, if your NEPacketTunnelProvider or NEFilterDataProvider does not claim a specific set of traffic and it's claimed by the other extension that is installed second, then the traffic will pass right through to the second extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

1

Answer 2

yblk OP

Aug ’22

Hi, Matt and Oskar! Can you explain how the traffic can be redirected from one extension to another? For instance, I would like to set up a pipeline with NETransparentProxyProvider and NEPacketTunnelProvider. As I understand from Matt's reply, if I process traffic inside the transparent proxy and redirect it somewhere, the tunnel provider will consider this traffic as originating from the proxy instead original application. However, for me, it is not clear how the proxy would redirect traffic to the packet tunnel. Should the extension with NEPacketTunnelProvider runs a sort of a server to sniff all traffic from the proxy?

0

Answer 3

Systems Engineer OP

Apple

Aug ’22

Should the extension with NEPacketTunnelProvider runs a sort of a server to sniff all traffic from the proxy?

No, you should not run a server in your NEPacketTunnelProvider.

One way to do this is on the outbound side of the connection, bind it to the interface of your virtual interface. This does have a downside in that you may not be able to directly reference the virtual interface when using an API like NWConnection. Another technique would be to write the traffic on the outbound proxy side to the destination IP that your packet tunnel is claiming.

0