Peek data of TCPFlow in transparent proxy on macOS

We are developing a tunnel based on transparent proxy system extension. We want to be able to decide whether to handle certain TCP flows based on FQDN.

So, is there a way to peek into TCPFlow data like we can in ContentFilter, which would allow us to parse and check for the SNI or Host header?

As far as I understand, we can read data from flows until we have returned a decision from handleNewFlow.

Answered by DTS Engineer in 817738022
is there a way to peek into TCPFlow data … ?

No. In a transparent proxy, once you return true from handleNewFlow(_:) you are responsible for dealing with that flow completely. And handleNewFlow(_:) is fundamentally synchronous; there’s no way to read data from the flow before responding.

If that’d be useful to you, feel free to file an enhancement request with the details. Be aware that this would be a significant change to the architecture, and so you’re unlikely to see a prompt resolution.

If you do file an ER, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the response Quinn. So, is there any way we get hostname as well as IP of the remote endpoint of a flow?

I can see there is hostname on NWHostEndpoint which is documented to return hostname or address. Is there a way to know when it returns IP and when returns hostname? And is there a way to get both?

Also, AFAIK, the TCP flow for a hostname is created only after the hostname is resolved. So, after domain resolution, will the remote endpoint hostname be the domain or the IP?

is there any way we get hostname as well as IP of the remote endpoint of a flow?

Last I checked you get the DNS name when the code that starts the connection uses one of our connect-by-name APIs. OTOH, if the code uses resolve-then-connect, you only get the IP.

Sadly, many popular apps do the latter [1].

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Typically because they use BSD Sockets. I talk about this in a lot more detail in TN3151 Choosing the right networking API.
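Putting the two answers together, the only information available at decision time is the flow's remote endpoint, and its `hostname` may be either a DNS name (connect-by-name clients) or an IP literal (resolve-then-connect clients). The following is an added example, not code from the thread or from Apple's samples: a minimal `NETransparentProxyProvider` that classifies the endpoint and claims a TCP flow only when it carries an FQDN under one of the tunnel's domains. `claimedSuffixes` and the suffix values are assumed configuration for illustration.

```swift
import Foundation
import NetworkExtension

final class ExampleProxyProvider: NETransparentProxyProvider {

    /// Domains this tunnel claims; constructed sample values (assumption).
    private let claimedSuffixes = ["example.com", "internal.example.net"]

    /// True when `host` is an IPv4 or IPv6 literal rather than a DNS name.
    /// NWHostEndpoint.hostname carries either with no flag saying which,
    /// so the cheapest reliable check is to ask inet_pton() to parse it.
    static func isIPLiteral(_ host: String) -> Bool {
        var v4 = in_addr()
        var v6 = in6_addr()
        // Drop an IPv6 zone index such as "%en0", which inet_pton rejects.
        let bare = host.split(separator: "%", maxSplits: 1).first.map(String.init) ?? host
        return inet_pton(AF_INET, bare, &v4) == 1 || inet_pton(AF_INET6, bare, &v6) == 1
    }

    /// Suffix match on DNS labels: "api.example.com" and "example.com" match
    /// "example.com", but "notexample.com" does not.
    static func matches(host: String, suffixes: [String]) -> Bool {
        let h = host.lowercased().trimmingCharacters(in: CharacterSet(charactersIn: "."))
        return suffixes.contains { s in h == s || h.hasSuffix("." + s) }
    }

    // Synchronous: no flow data can be read before returning, so the
    // decision rests on the endpoint alone. Returning false leaves the
    // flow to the system; returning true makes this provider own it.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow,
              let endpoint = tcpFlow.remoteEndpoint as? NWHostEndpoint else {
            return false   // UDP or non-host endpoint: not handled here
        }
        if Self.isIPLiteral(endpoint.hostname) {
            return false   // resolve-then-connect client: no FQDN to match
        }
        guard Self.matches(host: endpoint.hostname, suffixes: claimedSuffixes) else {
            return false   // FQDN present but outside the claimed domains
        }
        tcpFlow.open(withLocalEndpoint: nil) { error in
            if let error = error {
                tcpFlow.closeReadWithError(error)
                tcpFlow.closeWriteWithError(error)
                return
            }
            // The tunnel's own relay loop (read from flow, write to the
            // outbound connection, and back) starts here.
        }
        return true
    }
}
```

Because an IP-literal endpoint carries no FQDN, any policy that must cover BSD-Sockets clients needs a different signal (for example, correlating earlier DNS answers) rather than the flow itself.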
