feat: add macOS system extension for transparent proxy support #67

Draft
josezy wants to merge 2 commits into GreyhavenHQ:main from josezy:macos-traffic-capture

Contributor

josezy commented Mar 31, 2026

Add Xcode project for GreywallProxy system extension using NetworkExtension framework. The extension implements NETransparentProxyProvider to intercept network traffic at the kernel level on macOS, enabling transparent proxying without requiring manual proxy configuration in sandboxed apps.

Greywall Transparent Proxy – System Extension (PoC)

Minimal macOS system extension using NETransparentProxyProvider to intercept TCP/UDP flows at the socket layer. This is a proof-of-concept for validating transparent traffic capture before full integration with greywall/greyproxy.

Step 1 (current): passive logging – intercepts all outbound flows, logs PID + app signing ID + remote hostname, and passes everything through. No traffic is modified.

Prerequisites

  • macOS 12+ (Monterey)
  • Xcode 15+
  • Paid Apple Developer Program ($99/year) – personal/free accounts cannot use the Network Extensions entitlement
  • xcodegen: brew install xcodegen

Project Structure

swift-extension/
├── project.yml                              # xcodegen spec
├── GreywallProxy.xcodeproj/                 # generated Xcode project
├── GreywallProxy/                           # container app (activates the extension)
│   ├── AppDelegate.swift
│   ├── GreywallProxy.entitlements
│   └── Info.plist
└── GreywallProxyExtension/                  # system extension (NETransparentProxyProvider)
    ├── main.swift
    ├── TransparentProxyProvider.swift
    ├── GreywallProxyExtension.entitlements
    └── Info.plist

Setup

1. Set your Team ID

Find your Team ID:

security find-identity -p codesigning -v
# Look for the OU field in the certificate subject, or check Xcode > Settings > Accounts

Edit project.yml and replace the DEVELOPMENT_TEAM value with your Team ID:

settings:
  base:
    DEVELOPMENT_TEAM: YOUR_TEAM_ID

2. Generate the Xcode project

xcodegen generate

Important: xcodegen clears the entitlements files on every regeneration. After running xcodegen, either:

  • Restore entitlements manually (see Entitlements below), or
  • Open the project in Xcode and set capabilities via the Signing & Capabilities tab (easier):
    • GreywallProxy target: enable "System Extension" + "Network Extensions" (App Proxy Provider)
    • GreywallProxyExtension target: enable "Network Extensions" (App Proxy Provider)

3. Build

From Xcode (Product > Run), or from the command line:

xcodebuild -project GreywallProxy.xcodeproj -scheme GreywallProxy \
  -configuration Debug -allowProvisioningUpdates build

Testing

1. Launch the app to activate the extension

open ~/Library/Developer/Xcode/DerivedData/GreywallProxy-*/Build/Products/Debug/GreywallProxy.app

Two approval dialogs will appear:

  1. System Settings > Privacy & Security: "GreywallProxy" system extension – click Allow
  2. "Allow GreywallProxy to filter network content?" – click Allow

2. Watch the logs

log stream --predicate 'subsystem == "io.greywall.proxy"' --level info

3. Generate traffic

In another terminal:

curl https://example.com

Expected log output:

TCP flow: pid=12345 app=com.apple.curl host=example.com dest=93.184.216.34:443

This confirms: traffic interception works, PID metadata is available, remoteHostname provides domain visibility, and passthrough does not break the connection.

4. Uninstall

systemextensionsctl list
systemextensionsctl uninstall YOUR_TEAM_ID io.greywall.proxy.extension

Entitlements

If xcodegen clears the entitlements, restore them manually:

GreywallProxy/GreywallProxy.entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
    </array>
</dict>
</plist>

GreywallProxyExtension/GreywallProxyExtension.entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
    </array>
</dict>
</plist>


josezy added 2 commits March 30, 2026 11:23
Add Xcode project for GreywallProxy system extension using NetworkExtension framework. The extension implements NETransparentProxyProvider to intercept network traffic at the kernel level on macOS, enabling transparent proxying without requiring manual proxy configuration in sandboxed apps.
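The entitlements that the description says xcodegen clears can be checked before each build. This is an added example, not code from the PR: `check_entitlements` and the `REQUIRED` table are hypothetical names, the paths and keys are the ones listed under Entitlements, and it assumes a cleared file is either empty or holds an empty dict.

```python
import plistlib
import tempfile
from pathlib import Path

NE_KEY = "com.apple.developer.networking.networkextension"
SYSEXT_KEY = "com.apple.developer.system-extension.install"
PROVIDER = "app-proxy-provider-systemextension"

# Paths and required values as listed in the PR's Entitlements section.
REQUIRED = {
    "GreywallProxy/GreywallProxy.entitlements": {SYSEXT_KEY: True, NE_KEY: [PROVIDER]},
    "GreywallProxyExtension/GreywallProxyExtension.entitlements": {NE_KEY: [PROVIDER]},
}


def check_entitlements(root):
    """Return a list of problems; an empty list means both files are intact."""
    problems = []
    for rel, required in REQUIRED.items():
        try:
            with (Path(root) / rel).open("rb") as fh:
                found = plistlib.load(fh)
        except Exception as exc:  # missing, zero-byte or malformed plist
            problems.append(f"{rel}: cannot read plist ({type(exc).__name__})")
            continue
        if not isinstance(found, dict):
            problems.append(f"{rel}: top-level plist value is not a dict")
            continue
        for key, want in required.items():
            have = found.get(key)
            if isinstance(want, list):
                have = have if isinstance(have, list) else []
                missing = [v for v in want if v not in have]
                if missing:
                    problems.append(f"{rel}: {key} lacks {missing}")
            elif have is not want:
                problems.append(f"{rel}: {key} is {have!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample tree: intact container file, cleared extension file.
    root = Path(tempfile.mkdtemp())
    for i, (rel, required) in enumerate(REQUIRED.items()):
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_bytes(plistlib.dumps(required if i == 0 else {}))
    for line in check_entitlements(root):
        print("FAIL", line)
```

Run against the `swift-extension/` directory after `xcodegen generate`, a non-empty result means the build would be signed without the Network Extension entitlement.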
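The logged fields can be triaged offline to see which signing IDs reached which hosts and where hostname visibility is missing. This is an added example, not code from the PR: the sample lines are constructed, and it assumes UDP flows use the same field layout as the TCP line shown and that a flow without a remote hostname logs an empty or IP-literal `host=` value.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout copied from the PR's "Expected log output" line.
FLOW_RE = re.compile(
    r"(?P<proto>TCP|UDP) flow: pid=(?P<pid>\d+) app=(?P<app>\S*) "
    r"host=(?P<host>\S*) dest=(?P<dest_ip>\S+):(?P<dest_port>\d+)"
)

# Constructed sample; the text before "TCP flow:" stands in for log stream's columns.
SAMPLE = """\
<prefix> TCP flow: pid=12345 app=com.apple.curl host=example.com dest=93.184.216.34:443
<prefix> TCP flow: pid=12399 app=org.example.updater host=203.0.113.7 dest=203.0.113.7:8443
<prefix> TCP flow: pid=12345 app=com.apple.curl host=example.org dest=198.51.100.9:443
<prefix> TCP flow: pid=12400 app=org.example.agent host= dest=[2001:db8::1]:443
<prefix> extension started
"""


def is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def triage(lines):
    """Return (hostnames per signing ID, flows that carry no domain name)."""
    hosts_by_app = defaultdict(set)
    no_domain = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record
        flow = m.groupdict()
        flow["pid"], flow["dest_port"] = int(flow["pid"]), int(flow["dest_port"])
        flow["dest_ip"] = flow["dest_ip"].strip("[]")
        if flow["host"] and not is_ip(flow["host"]):
            hosts_by_app[flow["app"]].add(flow["host"])
        else:
            no_domain.append(flow)  # a hostname-based rule cannot match this flow
    return dict(hosts_by_app), no_domain


if __name__ == "__main__":
    hosts, blind = triage(SAMPLE.splitlines())
    print(hosts)
    print([(f["app"], f["dest_ip"], f["dest_port"]) for f in blind])
```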