Reply to NEFilterDataProvider filterDataVerdictWithFilterInbound issue
Why are all flows dropped? I want each flow to be filtered by handleInboundDataFromFlow or handleOutboundDataFromFlow, but sometimes handleInboundDataFromFlow and handleOutboundDataFromFlow are not called. The following code causes all flows to be dropped. Why?

    - (NEFilterDataVerdict *)handleInboundDataFromFlow:(NEFilterFlow *)flow readBytesStartOffset:(NSUInteger)offset readBytes:(NSData *)readBytes {
        DDLogDebug(@"method '%s' invoked for flow: %@ ", __PRETTY_FUNCTION__, flow.identifier.UUIDString);
        //DDLogDebug(@"handleInboundDataFromFlow: %lu", [readBytes length]);
        NSMutableDictionary *extraInfo = [NSMutableDictionary dictionary];
        if ([self isUDPProtocol: flow]) {
            //so far, we only support UDP dns
            NSDictionary *dnsInfo = [DNSPacketParseHelper parsePacket: readBytes];
            if (dnsInfo) {
                extraInfo[@"dns"] = dnsInfo;
                DDLogDebug(@"DNS packet parsed: %@", dnsInfo);
            }
        } else if ([self isTCPProtocol: flow]) {
            //so far, we only support http, not support https
            NSDictionary *httpInfo = [HttpPacketParseHelper extractHTTPFieldsFromTCPData: readBytes isOutboundPacket: YES];
            if (httpInfo && httpInfo.allKeys.count > 0) {
                extraInfo[@"http"] = httpInfo;
                DDLogDebug(@"Http packet parsed: %@", httpInfo);
            }
        }
        return [self handlePacket:flow withExtraInfo: extraInfo];
    }

    - (NEFilterDataVerdict *)handleOutboundDataFromFlow:(NEFilterFlow *)flow readBytesStartOffset:(NSUInteger)offset readBytes:(NSData *)readBytes {
        DDLogDebug(@"method '%s' invoked for flow: %@ ", __PRETTY_FUNCTION__, flow.identifier.UUIDString);
        //DDLogDebug(@"handleOutboundDataFromFlow: %lu", [readBytes length]);
        NSMutableDictionary *extraInfo = [NSMutableDictionary dictionary];
        if ([self isUDPProtocol: flow]) {
            //so far, we only support UDP dns
            NSDictionary *dnsInfo = [DNSPacketParseHelper parsePacket: readBytes];
            if (dnsInfo) {
                extraInfo[@"dns"] = dnsInfo;
                DDLogDebug(@"DNS packet parsed: %@", dnsInfo);
            }
        } else if ([self isTCPProtocol: flow]) {
            //so far, we only support http, not support https
            NSDictionary *httpInfo = [HttpPacketParseHelper extractHTTPFieldsFromTCPData: readBytes isOutboundPacket: YES];
            if (httpInfo && httpInfo.allKeys.count > 0) {
                extraInfo[@"http"] = httpInfo;
                DDLogDebug(@"Http packet parsed: %@", httpInfo);
            }
        }
        return [self handlePacket:flow withExtraInfo: extraInfo];
    }

    - (NEFilterDataVerdict *)handleInboundDataCompleteForFlow:(NEFilterFlow *)flow {
        DDLogDebug(@"method '%s' invoked for flow: %@ ", __PRETTY_FUNCTION__, flow.identifier.UUIDString);
        return [NEFilterDataVerdict allowVerdict];
    }

    - (NEFilterDataVerdict *)handleOutboundDataCompleteForFlow:(NEFilterFlow *)flow {
        DDLogDebug(@"method '%s' invoked for flow: %@ ", __PRETTY_FUNCTION__, flow.identifier.UUIDString);
        return [NEFilterDataVerdict allowVerdict];
    }

Topic: App & System Services SubTopic: General Tags:
Nov ’23
Reply to NEFilterDataProvider filterDataVerdictWithFilterInbound issue
    - (NEFilterNewFlowVerdict *)handleNewFlow:(NEFilterFlow *)flow {
        DDLogDebug(@"method '%s' invoked for flow: %@ ", __PRETTY_FUNCTION__, flow.identifier.UUIDString);
        int PEEKSIZE = 512;
        NEFilterNewFlowVerdict *flowVerdict = [NEFilterNewFlowVerdict filterDataVerdictWithFilterInbound:YES peekInboundBytes:PEEKSIZE filterOutbound:YES peekOutboundBytes:PEEKSIZE];
        return flowVerdict;
    }

Will handleOutboundDataFromFlow and handleInboundDataCompleteForFlow not be called when PEEKSIZE == 0? Will all flows be dropped?
Topic: App & System Services SubTopic: General Tags:
Nov ’23
Reply to Failed to enable the Network Extension
This is the error, filtered by "Extension":

    2025-02-08 15:44:18.191 Df authd[197:18d4f] [com.apple.Authorization:authd] Failed to authorize right 'com.apple.system-extensions.admin' by client '/System/Library/ExtensionKit/Extensions/SettingsSystemExtensionController.appex' [3006] for authorization created by '/System/Library/ExtensionKit/Extensions/SettingsSystemExtensionController.appex' [3006] (3,0) (-60005) (engine 86)
    2025-02-08 15:44:18.191 E SettingsSystemExtensionController[3006:603e] [com.apple.sx:Controller] Failed to allow changes for : Error Domain=OSSystemExtensionErrorDomain Code=1 "" UserInfo={NSLocalizedDescription=}

Feb ’25
Reply to How to clean useless NetworkExtension
Thank you for your response. I have a general security application called container.app (which monitors traffic and generates alerts). The app is not an MDM but contains a NetworkExtension. container.app communicates with my own server. When it receives an uninstall command from the server, it needs to uninstall itself. However, after the uninstallation is completed, residual NetworkExtension files are found. How can these be cleared when SIP is enabled? Is the only way for the user to trigger the interaction via the UI, where container.app calls deactivationRequestForExtension to uninstall it? But this requires foreground operation—are there no other methods? Residual NetworkExtension issues are quite common in the community. Are there alternative solutions to clear them? For example, can a Mach-O file with the same signature call deactivationRequestForExtension in the background to perform the cleanup?
May ’25
Reply to How to clean useless NetworkExtension
Thanks for your reply. I used the following code to uninstall the app files in a command line tool named XXXCoreService:

    NSString *targetPath = @"/Applications/Container.app";
    NSString *cmdStr = [NSString stringWithFormat:@"rm -rf '%@'", targetPath];
    const char *cmd = [cmdStr UTF8String];
    // system() returns the shell's termination status for the rm command
    int rc = system(cmd);

The execution result shows that Container.app was successfully deleted. However, the NetworkExtension inside Container.app remains in the system. When I check with the command systemextensionsctl list, the status of the NetworkExtension is still [activated enabled]. Could you advise on the proper method to silently remove the residual NetworkExtension in the command line tool?
Jun ’25
Reply to Startup Items Cache Issue: New Items from the Same Team Fail
In some client systems, when loading new startup items with the load -w command, issues arise if the new items belong to a team that already has existing startup items. In certain client systems, the newly added startup items fail to load with load -w, and restarting the system does not resolve the issue. Why does this occur?
Topic: App & System Services SubTopic: Core OS Tags:
Sep ’24
Reply to Failed to enable the Network Extension
Only this one user is experiencing this strange issue. When clicking the switch to enable the Network Extension, the window for entering the password doesn't even pop up. Could you please tell me how to troubleshoot it?
Feb ’25