(..continued) NEFilterManager must be enabled after the System Extension is activated and enabled, it might be a disaster if NEFilterManager is enabled without a runnable System Extension (all network connection lost, or even T2 watchdog panic). A new status API/notification would help developer to implement this feature more easily.

I think you're testing connections to localhost (127.0.0.1 or ::1), which requires explicit network rules. Refer: NetworkExtensions/NENetworkRule.h If the address is a wildcard address (0.0.0.0 or ::) then the rule will match all destinations except for loopback (127.0.0.1 or ::1). To match loopback traffic set the address to the loopback address.

Hi Quinn, Thanks for your valuable information. Unfortunately I don't have experience with threat intelligence, and our threat intelligence team is also new to URL Filter and Private Information Retrieval. We are learning these technologies and will file enhancement requests if we need more from the OS frameworks. I filed FB18302351 for documentation improvement regarding question 3: The documentation itself needs to clarify the fuzzy matching behaviour of NEURLFilter. My colleague filed another feedback for question 4, I asked for the FB number but I haven't heard from him yet. Kindly Regards, Shay