Interference Issue: PacketTunnelProvider vs. ContentFilter

Question

Created Apr ’24

Replies 7

Boosts 0

Participants 2

Hey everyone,

I'm currently working on an app where I've already implemented a packet tunnel provider. Now, I'm looking to introduce a content filter. One crucial feature I need is the ability to read the bundle ID of the app originating the network flows.

However, I've hit a roadblock when combining both components; When I run the content filter sans packet tunnel provider, I can read the originating app's bundle ID for network flows just fine. But when I add packet tunnel provider, the app's bundle ID defaults to my own app's bundle ID, which is unexpected.

Has anyone else encountered this? Any thoughts on why it's happening or how to fix it?

Cheers!

Boost

Answer 1

DTS Engineer OP

Apple

Apr ’24

What platform are you targeting?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

DTS Engineer OP

Apple

Apr ’24

Hmmm, weird.

Is your packet tunnel provider running in per-app VPN mode?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 3

DTS Engineer OP

Apple

Apr ’24

It’s unlikely you landed in per-app VPN mode by accident. It requires a bunch of extra setup. However, you can confirm this by checking the routingMethod property. A value of .sourceApplication indicates per-app VPN.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

DTS Engineer OP

Apple

Apr ’24

Note Please reply as a reply, not in the comments. I’m not notified of replies in the comments. See Quinn’s Top Ten DevForums Tips for this and other hints.

Apparently we don't use the NETunnelProviderManager at all

Bah, this is complex. There are two routingMethod properties:

You can’t avoid these types when building a tunnel:

Both NEAppProxyProvider and NEPacketTunnelProvider are subclasses of NETunnelProvider.
NEAppProxyProviderManager is a subclass of NETunnelProviderManager.
Packet tunnel apps use NETunnelProviderManager directly.

Both properties are read-only because:

An app proxy provider is always in per-app mode, and thus the property is always .sourceApplication.
A packet tunnel provider can only be put into per-app mode via a configuration profile.

Anyway, back to your main issue. I can’t see any reason why your packet tunnel provider should interfere with the flow metadata on content filter. This is true in general, but especially true in destination IP mode, where the packet tunnel provider operates entirely ‘below’ the content filter.

Does this problem only occur with your packet tunnel provider? Or can you reproduce it with a third-party VPN product that uses a packet tunnel provider?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 5

BugBuster90 OP

Apr ’24

I was able to reproduce it with a third-party VPN product too, specifically the Proxyman's iOS app. Looking at the socket flows in handleNewFlow(:) method, most of them have the value .com.nsproxy.NSProxy-iOS.PacketTunnel which I believe is Proxyman's bundle ID.

0

Answer 6

DTS Engineer OP

Apple

Apr ’24

I was able to reproduce it with a third-party VPN product too

Interesting. That radically reduces the chances of this being your fault. I recommend that you file a bug about this.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 7

BugBuster90 OP

Apr ’24

Thank you for your prompt response and guidance. I've filed a bug report as you suggested. The bug number is FB13764321. Appreciate your assistance!

0