Post

Replies

Boosts

Views

Activity

Reply to Incoming UDP Traffic in macOS 15.3 and later?
I removed the filter. Outbound UDP flows are all seen. The inbound UDP flow in the test scenario is never seen. Some other inbound UDP flows are seen. Here's the modified source I used for the FilterDataProvider:

```swift
import Foundation
import NetworkExtension
import os.log

// Imports and the class declaration are restored here so the snippet compiles as a unit;
// the post itself only showed the method bodies (the port property was removed from the sample).
class FilterDataProvider: NEFilterDataProvider {

    // MARK: Properties

    // The TCP port which the filter is interested in.

    // MARK: NEFilterDataProvider

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Only socket flows with a host endpoint are logged; everything else is allowed untouched.
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            os_log("Early return")
            return .allow()
        }

        os_log("Got a new flow (socket protocol: %d direction: %d) with remote endpoint %{public}@",
               socketFlow.socketProtocol, socketFlow.direction.rawValue, remoteEndpoint)
        os_log("Got a new flow with remote port %{public}@", remoteEndpoint.port)

        return .allow()
    }
}
```
Apr ’25
Reply to What's the idea behind the changes in the Objective-C flavor of the Foundation documentation?
IMHO, it matters considering that:
- this is the Objective-C flavor of the documentation.
- the prototype of the method returns a BOOL.
- the title of the chapter is "Return value". The type is a BOOL.
- for more than 30 years, it has been YES or NO (e.g. https://www.nextop.de/NeXTstep_3.3_Developer_Documentation/Foundation/Classes/NSDictionaryClassCluster.htmld/index.html).
It's documentation, so I don't see how the fact that TRUE, true, YES or 1 are all the same matters.
Apr ’25
Reply to Launch Constraint, SIP and legacy launchd plist
Feedback ticket for the documentation: FB17345983

"But as a third-party developer I’m not sure that’s a significant restriction. If you’re building your own daemon or agent, you can bake spawn constraint into its code signature. This would protect the daemon or agent from being launched by an unexpected executable."

BUT this would not prevent the launchd plist from starting an executable at the path pointed to by the plist which is not the expected executable.
Topic: Privacy & Security SubTopic: General Tags:
Apr ’25
Reply to Which socketProtocols are handled by a NEFilterDataProvider these days?
OK, but then is it expected for a NEFilterSocketFlow to have the following properties?
direction = outbound
protocol = 255 (IPPROTO_RAW)
family = 2 (PF_INET)
type = 3 (SOCK_RAW)
localEndpoint = 0.0.0.0:0
remoteEndpoint = not.a.local.ip:0
Feb ’25
Reply to What kind of situation is the NEProviderStopReasonInternalError enum value supposed to describe?
OK. I will file a feedback assistant ticket to at least get the minimum one line sentence in the online documentation. BTW, the Comment feature (popup window icon) is broken at the time of this writing. Filing another feedback assistant ticket about this.
Apr ’25
Reply to Incoming UDP Traffic in macOS 15.3 and later?
It's actually more what is not seen. TCP traffic is seen by the handleNewFlow method/function. UDP traffic is not. Ref. https://feedbackassistant.apple.com/feedback/16846115
Apr ’25
Reply to Incoming UDP Traffic in macOS 15.3 and later?
I'm able to reproduce the problem with the SimpleFirewall example. When following the procedure described in the ticket:
UDP traffic is never seen.
TCP traffic is seen.
As far as I can tell, the issue is with incoming UDP traffic. I tried with a binary where the Apple signature was removed, and I tried different ports.
Apr ’25
Reply to What's the idea behind the changes in the Objective-C flavor of the Foundation documentation?
Is DocC also responsible for the gotoNextPane and gotoPreviousPane methods of InstallerPane (InstallerPlugins framework) being weirdly defined as readonly properties? Already filed another feedback ticket about that one.
Apr ’25
Reply to Incoming UDP Traffic in macOS 15.3 and later?
It can be reproduced on macOS 15.4.
Apr ’25
Reply to Launch Constraint, SIP and legacy launchd plist
"Most folks who install launchd property list files install the target executable in a directory that’s only writable by root."

Because of what could be seen as a security regression introduced in the macOS Installation framework some years ago, this can't be guaranteed.
Topic: Privacy & Security SubTopic: General Tags:
Apr ’25
Reply to Incoming UDP Traffic in macOS 15.3 and later?
It can be reproduced on macOS 15.5 (and with at least one other 3rd-party software product).
May ’25
Reply to Launch Constraint, SIP and legacy launchd plist
It's not specific to a location. But then there's the SIP factor and whether the default ownership and permissions are restrictive enough, which is the case for /Library/LaunchDaemons. So the issue I'm concerned about is not with the launchd plist file but really with the program targeted by the plist.
Topic: Privacy & Security SubTopic: General Tags:
May ’25
Reply to Launch Constraint, SIP and legacy launchd plist
"Is there some reason you’re unable to do that?"

Yes, it's related to other macOS requirements that make it mandatory to have the binary in this location (whose parent system directories are not root:wheel 755).
Topic: Privacy & Security SubTopic: General Tags:
May ’25
Reply to Launch Constraint, SIP and legacy launchd plist
A sub folder of /Applications, yes.
Topic: Privacy & Security SubTopic: General Tags:
May ’25
Reply to How many instances of the same NEFilterDataProvider can there be in a running NE?
It is a System Extension with only one data filter.
Jul ’25