Reply to How do I monitor tunnel traffic with a Packet Filter Provider ?
I've found that completely uninstalling and reinstalling the system extension allows us to provide a flow verdict for existing connections. This is most likely because installing a new system extension temporarily causes a network outage and requires all existing connections to attempt to reconnect. So in this case "existing" is a misnomer. Uninstalling and re-installing is a no-go since it causes UI popups. In my testing, it seems the only way to provide a verdict for existing connections is to force all existing connections to re-connect by forcing a network outage, thereby allowing us to place a verdict on these "new" connections. Please can you confirm there is no better approach for allowing an NEFilter to provide a verdict on existing connections, when these connections are going down a VPN tunnel?
Oct ’21
Reply to How do I monitor tunnel traffic with a Packet Filter Provider ?
For anyone stumbling upon this question, I've found what I believe to be the answer. In the NEFilterDataProvider class, there is a method:

    @available(macOS 10.15.4, *)
    open func update(_ flow: NEFilterSocketFlow, using verdict: NEFilterDataVerdict, for direction: NETrafficDirection)

In an initial test demo, this appeared to be what I'm looking for. NEFilterFlow objects from handleNewFlow can be cached and this update method can be used to change a verdict at a later date. No idea when this method was added to the system extension framework SDK as it definitely didn't exist when this problem initially arose.

A few other comments:
- It appears that trying to update a flow that's finished doesn't seem to cause harm.
- I believe all flow operations take place on the extension's main dispatch queue.
- If the new flow object doesn't contain the full 5-tuple information, peeking 1 byte will allow the information to become available in the cached NEFilterSocketFlow object.
Oct ’21
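The pattern described in the reply above (cache the flows seen in handleNewFlow, peek one outbound byte so the remote endpoint is populated, and call update(_:using:for:) later to change the verdict) as a worked example. This is added illustration code, not code from the forum poster or from Apple; the class name CachingFilterProvider, the dropCachedFlows(toHost:) method, the os_log subsystem string and the catch-all filter rule are assumptions chosen for the example. It also assumes what the reply reports: that flow callbacks arrive on the extension's main queue, so the cache is only touched from there. Note that this only covers flows the provider has seen since it started; connections established before startFilter ran never pass through handleNewFlow and so cannot be cached or re-verdicted this way.

```swift
import NetworkExtension
import os.log

/// Example provider (not Apple's or the poster's code) that keeps the
/// NEFilterSocketFlow objects it has seen so a verdict can be changed later
/// with update(_:using:for:), which requires macOS 10.15.4. The
/// `identifier` property used as the cache key is available from macOS 11.
@available(macOS 11.0, *)
final class CachingFilterProvider: NEFilterDataProvider {

    /// Flows seen via handleNewFlow, keyed by flow UUID. Only accessed from the
    /// extension's main queue (assumption: all flow callbacks arrive there).
    private var cachedFlows: [UUID: NEFilterSocketFlow] = [:]
    private let log = OSLog(subsystem: "example.filter", category: "verdicts")  // hypothetical subsystem

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Example rule: send every outbound flow through the data provider.
        // A real filter would narrow this to the traffic it actually inspects.
        let allOutbound = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                        localNetwork: nil, localPrefix: 0,
                                        protocol: .any, direction: .outbound)
        let rule = NEFilterRule(networkRule: allOutbound, action: .filterData)
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        cachedFlows.removeAll()
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow else { return .allow() }
        cachedFlows[flow.identifier] = socketFlow
        // Peek a single outbound byte: by the time handleOutboundData runs, the
        // cached object carries the remote endpoint (the rest of the 5-tuple).
        return .filterDataVerdict(withFilterInbound: false, peekInboundBytes: 0,
                                  filterOutbound: true, peekOutboundBytes: 1)
    }

    override func handleOutboundData(from flow: NEFilterFlow,
                                     readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        if let socketFlow = flow as? NEFilterSocketFlow,
           let remote = socketFlow.remoteEndpoint as? NWHostEndpoint {
            // The 5-tuple is now visible on the same object we cached earlier.
            os_log("flow %{public}@ -> %{public}@:%{public}@", log: log, type: .info,
                   flow.identifier.uuidString, remote.hostname, remote.port)
        }
        // Nothing more to inspect for this example; let the flow proceed.
        return .allow()
    }

    /// Change the verdict of already-seen flows to a given remote host, for
    /// example after a policy update. Must be called on the extension's main
    /// queue (dispatch from an XPC handler with DispatchQueue.main.async).
    /// Per the reply above, updating a flow that has already finished is
    /// harmless, so stale cache entries do not need special handling.
    /// Returns the number of flows that were re-verdicted.
    @discardableResult
    func dropCachedFlows(toHost hostname: String) -> Int {
        var updated = 0
        for (id, socketFlow) in cachedFlows {
            guard let remote = socketFlow.remoteEndpoint as? NWHostEndpoint,
                  remote.hostname == hostname else { continue }
            update(socketFlow, using: .drop(), for: .any)
            cachedFlows.removeValue(forKey: id)
            updated += 1
        }
        return updated
    }
}
```

The cache is never pruned on flow completion here because, once handleOutboundData returns `.allow()`, the provider receives no further callbacks for that flow; a production filter would bound the dictionary (for instance, by evicting entries older than a few minutes) rather than rely on update(_:using:for:) silently ignoring finished flows.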