Hi there,
I'm testing our HTTP content scanning product on OS X 10.9 preview. Basically our product has an NKE socket filter hooked on sf_connect_out(void *cookie, socket_t so, const struct sockaddr *to), and it rewrites "const struct sockaddr *to" to a loopback address where our content-scan HTTP proxy is listening (just as Josh Graessley suggested on the NKE mailing list). This model worked fine until OS X 10.9.
On 10.9, other browsers like Chrome, Firefox and Opera are still fine with this model, except Safari. I did some DTrace and found that Safari is calling connectx(), which is a new API on 10.9. I wrote a simple program which uses the CFNetwork framework to retrieve a web page, and it demonstrated the same issue. A program using the traditional POSIX socket API is redirected as expected on 10.9.
Here is the sample code using CFNetwork:
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import <CFNetwork/CFNetwork.h>
#import <CFNetwork/CFHTTPStream.h>

int main(int argc, char *argv[])
{
    /* Build the request URL (the CFURLCreateWithString call was lost in the mail formatting) */
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://www.apple.com/index.html"), NULL);
    CFHTTPMessageRef httpReq = CFHTTPMessageCreateRequest(kCFAllocatorDefault, CFSTR("GET"), url, kCFHTTPVersion1_1);
    CFReadStreamRef readStream = CFReadStreamCreateForHTTPRequest(kCFAllocatorDefault, httpReq);
    CFReadStreamOpen(readStream);
    CFIndex bytesRead;
    do {
        const int BuffSize = 1024;
        UInt8 buff[BuffSize];
        bzero(buff, BuffSize);
        /* Read at most BuffSize - 1 bytes so the buffer stays NUL-terminated for printf */
        bytesRead = CFReadStreamRead(readStream, buff, BuffSize - 1);
        if (bytesRead > 0) {
            printf("%s", buff);
        }
    } while (bytesRead > 0);
    CFReadStreamClose(readStream);
    CFRelease(url);
    CFRelease(httpReq);
    CFRelease(readStream);
    return 0;
}
In our NKE, we see that sf_connect_out() is being called and rewriting the sockaddr without issue, but in sf_notify() on the sock_evt_connected event, sock_getpeername() returns the original website address instead of the loopback one. And in the end, the TCP connection is connected to the original web server instead of our proxy on loopback.
I couldn't find any documentation about this new connectx() except some SDK header file changes. Any suggestion on how to do the redirect correctly in a socket filter on OS X 10.9? Or do I have to switch to an IP filter?
Thanks a lot!
Jeff Wu
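Added example, not from the post above and not the product's NKE: a user-space model of the two steps the post describes, the sockaddr rewrite in sf_connect_out() and the peer check sf_notify() makes with sock_getpeername(). It uses a throwaway loopback listener as the stand-in proxy, plain POSIX connect() and getpeername(), and says nothing about connectx(); it only shows how to verify that a redirect actually took effect.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Model of the sf_connect_out() rewrite: send `to` to loopback:proxy_port,
 * keeping its address family. Returns 0, or -1 for an unhandled family. */
int redirect_to_loopback(struct sockaddr *to, uint16_t proxy_port)
{
    if (to->sa_family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)to;
        sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sin->sin_port = htons(proxy_port);
        return 0;
    }
    if (to->sa_family == AF_INET6) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)to;
        sin6->sin6_addr = in6addr_loopback;
        sin6->sin6_port = htons(proxy_port);
        return 0;
    }
    return -1;
}

/* Stand-in proxy on 127.0.0.1 (OS-chosen port); connect() to `dst` after the
 * redirect, then the check sf_notify() makes with sock_getpeername().
 * Returns 1 if the peer is the proxy, 0 if it is not, -1 on socket error. */
int connect_and_verify(struct sockaddr_in dst)
{
    struct sockaddr_in proxy = { .sin_family = AF_INET,
                                 .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t plen = sizeof proxy, peerlen = sizeof dst;
    struct sockaddr_in peer;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd = -1, rc = -1;
    if (lfd < 0) return -1;
    if (bind(lfd, (struct sockaddr *)&proxy, plen) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&proxy, &plen) < 0) goto out;
    if (redirect_to_loopback((struct sockaddr *)&dst, ntohs(proxy.sin_port)) < 0) goto out;
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&dst, sizeof dst) < 0) goto out;
    if (getpeername(cfd, (struct sockaddr *)&peer, &peerlen) < 0) goto out;
    rc = (peer.sin_addr.s_addr == proxy.sin_addr.s_addr && peer.sin_port == proxy.sin_port);
out:
    if (cfd >= 0) close(cfd);
    close(lfd);
    return rc;
}
```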