Fix: Mitmproxy run in local mode stops working on Mac OS in an hour #7675 (#260)

dmitryskorbovenko · Дмитрий Скорбовенко · web-flow · commit 2905bbb747f5 · 2025-05-29T13:27:03.000Z
Co-authored-by: Дмитрий Скорбовенко &lt;d.skorbovenko@bestdoctor.ru&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Unreleased: mitmproxy_rs next
 
+- Fix a bug where macOS local capture mode wouldn't clean up connections and stop working after a while.
+  The changes may break half-closed TCP streams.
 - tun mode: allow using a pre-configured persistent tun interface, to avoid requiring CAP_NET_ADMIN.
 
 ## 29 April 2025: mitmproxy_rs 0.12.3
diff --git a/mitmproxy-macos/redirector/network-extension/FlowExtensions.swift b/mitmproxy-macos/redirector/network-extension/FlowExtensions.swift
@@ -17,17 +17,17 @@ extension NEAppProxyTCPFlow {
                             self.outboundCopier(conn)
                         } else {
                             // log.debug("outbound copier: error copying: \(String(describing: error), privacy: .public)")
+                            self.closeConnection(conn, error)
                         }
                     }))
             } else {
                 log.debug(
                     "outbound copier end: \(String(describing: data), privacy: .public) \(String(describing: error), privacy: .public)"
                 )
                 conn.send(content: nil, isComplete: true, completion: .contentProcessed({ error in
-                    conn.cancel()
                     // log.debug("outbound copier: sent end.")
+                    self.closeConnection(conn, error)
                 }))
-                self.closeWriteWithError(error)
             }
         }
     }
@@ -40,12 +40,14 @@ extension NEAppProxyTCPFlow {
                 self.write(data) { error in
                     if error == nil {
                         self.inboundCopier(conn)
+                    } else {
+                        self.closeConnection(conn, error)
                     }
                 }
             case (_, true, _):
-                self.closeReadWithError(error)
+                self.closeConnection(conn, error)
             default:
-                self.closeReadWithError(error)
+                self.closeConnection(conn, error)
                 log.info(
                     "inbound copier error=\(String(describing: error), privacy: .public) isComplete=\(String(describing: isComplete), privacy: .public)"
                 )
@@ -61,8 +63,9 @@ extension NEAppProxyUDPFlow {
     func readDatagrams() async throws -> ([Data], [NetworkExtension.NWEndpoint]) {
         return try await withCheckedThrowingContinuation { continuation in
             readDatagrams { datagrams, endpoints, error in
-                if let error = error {
+                if let error {
                     continuation.resume(throwing: error)
+                    return
                 }
                 guard let datagrams = datagrams, let endpoints = endpoints else {
                     fatalError("No error, but also no datagrams")
@@ -94,10 +97,10 @@ extension NEAppProxyUDPFlow {
                         try await conn.send(ipc: message)
                     }
                 }
+                self.closeConnection(conn, nil)
             } catch {
                 log.error("Error in outbound UDP copier: \(String(describing: error), privacy: .public)")
-                self.closeWriteWithError(error)
-                conn.cancel()
+                self.closeConnection(conn, error)
             }
         }
     }
@@ -108,18 +111,25 @@ extension NEAppProxyUDPFlow {
                 while true {
                     // log.debug("UDP inbound: receiving...")
                     guard let packet = try await conn.receive(ipc: MitmproxyIpc_UdpPacket.self) else {
-                        self.closeReadWithError(nil)
                         break
                     }
                     // log.debug("UDP inbound: received packet.: \(String(describing: packet), privacy: .public)")
                     let endpoint = NWHostEndpoint(address: packet.remoteAddress)
                     try await self.writeDatagrams([packet.data], sentBy: [endpoint])
                 }
+                self.closeConnection(conn, nil)
             } catch {
                 log.error("Error in inbound UDP copier: \(String(describing: error), privacy: .public)")
-                self.closeReadWithError(error)
-                conn.cancel()
+                self.closeConnection(conn, error)
             }
         }
     }
 }
+
+extension NEAppProxyFlow {
+    func closeConnection(_ conn: NWConnection, _ error: Error?) {
+        conn.cancel()
+        self.closeReadWithError(error)
+        self.closeWriteWithError(error)
+    }
+}
diff --git a/mitmproxy-macos/redirector/network-extension/TransparentProxyProvider.swift b/mitmproxy-macos/redirector/network-extension/TransparentProxyProvider.swift
@@ -32,9 +32,11 @@ class TransparentProxyProvider: NETransparentProxyProvider {
             switch state {
             case .failed(.posix(.ENETDOWN)):
                 log.debug("control channel closed, stopping proxy.")
+                control.forceCancel()
                 self.cancelProxyWithError(.none)
             case .failed(let err):
                 log.error("control channel failed: \(err, privacy: .public)")
+                control.forceCancel()
                 self.cancelProxyWithError(err)
             default:
                 break
@@ -48,6 +50,7 @@ class TransparentProxyProvider: NETransparentProxyProvider {
                 }
             } catch {
                 log.error("Error on control channel: \(String(describing: error), privacy: .public)")
+                control.forceCancel()
                 self.cancelProxyWithError(error)
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -17,17 +17,17 @@ extension NEAppProxyTCPFlow {`
`17`	`17`	`self.outboundCopier(conn)`
`18`	`18`	`} else {`
`19`	`19`	`// log.debug("outbound copier: error copying: \(String(describing: error), privacy: .public)")`
	`20`	`+ self.closeConnection(conn, error)`
`20`	`21`	`}`
`21`	`22`	`}))`
`22`	`23`	`} else {`
`23`	`24`	`log.debug(`
`24`	`25`	`"outbound copier end: \(String(describing: data), privacy: .public) \(String(describing: error), privacy: .public)"`
`25`	`26`	`)`
`26`	`27`	`conn.send(content: nil, isComplete: true, completion: .contentProcessed({ error in`
`27`		`- conn.cancel()`
`28`	`28`	`// log.debug("outbound copier: sent end.")`
	`29`	`+ self.closeConnection(conn, error)`
`29`	`30`	`}))`
`30`		`- self.closeWriteWithError(error)`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`	`}`
`@@ -40,12 +40,14 @@ extension NEAppProxyTCPFlow {`
`40`	`40`	`self.write(data) { error in`
`41`	`41`	`if error == nil {`
`42`	`42`	`self.inboundCopier(conn)`
	`43`	`+ } else {`
	`44`	`+ self.closeConnection(conn, error)`
`43`	`45`	`}`
`44`	`46`	`}`
`45`	`47`	`case (_, true, _):`
`46`		`- self.closeReadWithError(error)`
	`48`	`+ self.closeConnection(conn, error)`
`47`	`49`	`default:`
`48`		`- self.closeReadWithError(error)`
	`50`	`+ self.closeConnection(conn, error)`
`49`	`51`	`log.info(`
`50`	`52`	`"inbound copier error=\(String(describing: error), privacy: .public) isComplete=\(String(describing: isComplete), privacy: .public)"`
`51`	`53`	`)`
`@@ -61,8 +63,9 @@ extension NEAppProxyUDPFlow {`
`61`	`63`	`func readDatagrams() async throws -> ([Data], [NetworkExtension.NWEndpoint]) {`
`62`	`64`	`return try await withCheckedThrowingContinuation { continuation in`
`63`	`65`	`readDatagrams { datagrams, endpoints, error in`
`64`		`- if let error = error {`
	`66`	`+ if let error {`
`65`	`67`	`continuation.resume(throwing: error)`
	`68`	`+ return`
`66`	`69`	`}`
`67`	`70`	`guard let datagrams = datagrams, let endpoints = endpoints else {`
`68`	`71`	`fatalError("No error, but also no datagrams")`
`@@ -94,10 +97,10 @@ extension NEAppProxyUDPFlow {`
`94`	`97`	`try await conn.send(ipc: message)`
`95`	`98`	`}`
`96`	`99`	`}`
	`100`	`+ self.closeConnection(conn, nil)`
`97`	`101`	`} catch {`
`98`	`102`	`log.error("Error in outbound UDP copier: \(String(describing: error), privacy: .public)")`
`99`		`- self.closeWriteWithError(error)`
`100`		`- conn.cancel()`
	`103`	`+ self.closeConnection(conn, error)`
`101`	`104`	`}`
`102`	`105`	`}`
`103`	`106`	`}`
`@@ -108,18 +111,25 @@ extension NEAppProxyUDPFlow {`
`108`	`111`	`while true {`
`109`	`112`	`// log.debug("UDP inbound: receiving...")`
`110`	`113`	`guard let packet = try await conn.receive(ipc: MitmproxyIpc_UdpPacket.self) else {`
`111`		`- self.closeReadWithError(nil)`
`112`	`114`	`break`
`113`	`115`	`}`
`114`	`116`	`// log.debug("UDP inbound: received packet.: \(String(describing: packet), privacy: .public)")`
`115`	`117`	`let endpoint = NWHostEndpoint(address: packet.remoteAddress)`
`116`	`118`	`try await self.writeDatagrams([packet.data], sentBy: [endpoint])`
`117`	`119`	`}`
	`120`	`+ self.closeConnection(conn, nil)`
`118`	`121`	`} catch {`
`119`	`122`	`log.error("Error in inbound UDP copier: \(String(describing: error), privacy: .public)")`
`120`		`- self.closeReadWithError(error)`
`121`		`- conn.cancel()`
	`123`	`+ self.closeConnection(conn, error)`
`122`	`124`	`}`
`123`	`125`	`}`
`124`	`126`	`}`
`125`	`127`	`}`
	`128`	`+`
	`129`	`+extension NEAppProxyFlow {`
	`130`	`+ func closeConnection(_ conn: NWConnection, _ error: Error?) {`
	`131`	`+ conn.cancel()`
	`132`	`+ self.closeReadWithError(error)`
	`133`	`+ self.closeWriteWithError(error)`
	`134`	`+ }`
	`135`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -32,9 +32,11 @@ class TransparentProxyProvider: NETransparentProxyProvider {`
`32`	`32`	`switch state {`
`33`	`33`	`case .failed(.posix(.ENETDOWN)):`
`34`	`34`	`log.debug("control channel closed, stopping proxy.")`
	`35`	`+ control.forceCancel()`
`35`	`36`	`self.cancelProxyWithError(.none)`
`36`	`37`	`case .failed(let err):`
`37`	`38`	`log.error("control channel failed: \(err, privacy: .public)")`
	`39`	`+ control.forceCancel()`
`38`	`40`	`self.cancelProxyWithError(err)`
`39`	`41`	`default:`
`40`	`42`	`break`
`@@ -48,6 +50,7 @@ class TransparentProxyProvider: NETransparentProxyProvider {`
`48`	`50`	`}`
`49`	`51`	`} catch {`
`50`	`52`	`log.error("Error on control channel: \(String(describing: error), privacy: .public)")`
	`53`	`+ control.forceCancel()`
`51`	`54`	`self.cancelProxyWithError(error)`
`52`	`55`	`}`
`53`	`56`	`}`