Hi
I am developing the packet tunnel extension on a SIP-enabled device.
If I build the app, notarize it and install it on the device, it works fine.
If I modify, build and execute the app (which contains the system extension), it fails with the error below. 102.3.1.4 is the production build, and 201.202.0.101 is the Xcode build.
SystemExtension "<<complete name>>.pkttunnel" request for replacement from 102.3.1.4 to 201.202.0.101
Packet Tunnel SystemExtension "<<complete name>>.pkttunnel" activation request did fail: Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)"
If SIP is disabled, it works fine.
Is there a way the system extension can be developed even if SIP remains enabled?
Hi
1. Network extension documents are either in Objective-C or Swift. Does the Network extension API support C++? If yes, is there any document?
2. In the real world, many Network extensions (e.g. content filters) developed by different vendors, like antivirus vendors, firewall vendors, etc., will be running. How does the Network Extension framework arbitrate/adjudicate among multiple Network Extensions running simultaneously on the system?
Thanks
Anand
Hi
I am building my component for M1. I choose the universal binary.
My component uses Boost static lib. Boost builds for x86_64 and arm64 separately.
Xcode does not provide two options to link different arch libs.
Please suggest how to link a lib if the third-party build process does not offer a universal static lib.
Regards,
Anand Choubey
Topic: Developer Tools & Services
SubTopic: Xcode
Tags: Developer Tools, Xcode, Apple Silicon, Frameworks
Hi,
I do not find any new feature or bug fix info in the macOS 12 beta release notes.
Is there a future for any new Network Extension in macOS 12?
Regards,
Anand Choubey
Hi
Does the inbuilt iOS VPN support FedRAMP?
Thanks
Hi
I am building a NETransparentProxyProvider proxy and am observing a problem with L2TP over IPsec VPN. As soon as the following UDP filter is set, the L2TP over IPsec VPN is disconnected after some time.

    includeRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                                  remotePrefix:0
                                                  localNetwork:nil
                                                   localPrefix:0
                                                      protocol:NENetworkRuleProtocolUDP
                                                     direction:NETrafficDirectionOutbound];

In this case, Wireshark capture shows only outgoing packets on the ppp0 interface.
I also set up exception rules:
500/4500 UDP ports bypass.

    NSString *ipAddress = [NSString stringWithUTF8String:"0.0.0.0"];
    NSString *portNum = [NSString stringWithUTF8String:"500"];
    NWHostEndpoint *endpoint = [NWHostEndpoint endpointWithHostname:ipAddress port:portNum];
    NENetworkRule *rule = [[NENetworkRule alloc] initWithDestinationNetwork:endpoint
                                                                     prefix:0
                                                                   protocol:NENetworkRuleProtocolAny];
    [excludeRules addObject:rule];

    ipAddress = [NSString stringWithUTF8String:"0.0.0.0"];
    portNum = [NSString stringWithUTF8String:"4500"];
    endpoint = [NWHostEndpoint endpointWithHostname:ipAddress port:portNum];
    rule = [[NENetworkRule alloc] initWithDestinationNetwork:endpoint
                                                      prefix:0
                                                    protocol:NENetworkRuleProtocolAny];
    [excludeRules addObject:rule];

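Always returning NO in handleNewUDPFlow:

    // Returning NO declines the flow, so the proxy does not handle it.
    - (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
       initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint {
        return NO;
    }

Both options did not resolve the issue.
Please give me some pointers to resolve it.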
I am running 11.3.1
Hi
Does osinstallersetupd (OS update process) not work in the presence of App Proxy? Is it a known issue?
I have a NETransparentProxyProvider App Proxy Network extension. It captures all the 80/443 port traffic but bypasses the "osinstallersetupd" flow. "osinstallersetupd" is responsible for downloading the installer (if my understanding is correct).
default 23:26:38.755784-0700 osinstallersetupd [C2 Hostname#f47785d7:80 in_progress resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: resolver:receive_dns @0.061s
default 23:26:38.755896-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 initial path ((null))] event: path:start @0.061s
default 23:26:38.756109-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: path:satisfied @0.061s, uuid: 16290408-B0BD-4E4E-A194-FBD44E525E8C
default 23:26:38.756417-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:start_connect @0.061s
default 23:26:38.756557-0700 com.myapp.AppClientMacAppProxy (0): Flow 3816135374 is connecting
default 23:26:38.756701-0700 com.myapp.AppClientMacAppProxy (3816135374): New flow: NEFlow type = stream, app = com.apple.installer.osinstallersetupd, name = gs.apple.com, 10.10.15.6:0 - 17.137.162.1:80, filter_id = , interface = en0
default 23:26:38.756885-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: Calling handleNewFlow with TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
default 23:26:38.757858-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: provider rejected new flow TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
default 23:26:38.757962-0700 kernel (3816135374): No more valid control units, disabling flow divert
default 23:26:38.758141-0700 com.myapp.AppClientMacAppProxy (3816135374): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0
default 23:26:38.757963-0700 kernel (3816135374): Skipped all flow divert services, disabling flow divert
default 23:26:38.788429-0700 osinstallersetupd nw_socket_handle_socket_event [C2.1:1] Socket received CONNECTED event
default 23:26:38.788686-0700 osinstallersetupd nw_flow_connected [C2.1 IPv4#6be093f2:80 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns, flow divert agg: 1)] Output protocol connected
default 23:26:38.788922-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 ready socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:finish_connect @0.094s
default 23:26:38.788990-0700 osinstallersetupd nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state ready
default 23:26:38.789046-0700 osinstallersetupd [C2 Hostname#f47785d7:80 ready resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:finish_connect @0.094s
default 23:26:38.789134-0700 osinstallersetupd [C2.1 IPv4#6be093f2:80 ready socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:changed_viability @0.094s
default 23:26:38.789186-0700 osinstallersetupd [C2 Hostname#f47785d7:80 ready resolver (satisfied (Path is satisfied), interface: en0, ipv4, dns, flow divert agg: 1)] event: flow:changed_viability @0.094s
default 23:26:38.789300-0700 osinstallersetupd TCP Conn 0x7fad21865890 event 1. err: 0
default 23:26:38.789359-0700 osinstallersetupd TCP Conn 0x7fad21865890 complete. fd: 8, err: 0
error 23:26:38.789855-0700 osinstallersetupd SocketStream write error [0x7fad21865890]: 1 32
default 23:26:38.790040-0700 osinstallersetupd TCP Conn 0x7fad21865890 canceled
error 23:26:38.790164-0700 osinstallersetupd AMAuthInstallHttpMessageSendSync: no response header
error 23:26:38.790230-0700 osinstallersetupd tss_submit_job: SendHttpRequest failed -1
The above log shows:
My app proxy bypasses the flow:
default 23:26:38.757858-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: provider rejected new flow TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
Eventually, "osinstallersetupd" connection gets closed too.
default 23:26:38.789359-0700 osinstallersetupd TCP Conn 0x7fad21865890 complete. fd: 8, err: 0
error 23:26:38.789855-0700 osinstallersetupd SocketStream write error [0x7fad21865890]: 1 32
default 23:26:38.790040-0700 osinstallersetupd TCP Conn 0x7fad21865890 canceled
Thanks
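A way to triage a capture like the one in the post above: pair each "provider rejected new flow" line with error-level lines the same client process logs shortly afterwards. This is an added example, not code from the post or from Apple; the one-second window and the matching of the bundle identifier's last component to the process name are assumptions, and a match shows proximity in time, not cause.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log in the post above (a subset, otherwise unmodified).
SAMPLE = """\
default 23:26:38.757858-0700 com.myapp.AppClientMacAppProxy [Extension com.myapp.AppClientMacAppProxy]: provider rejected new flow TCP com.apple.installer.osinstallersetupd[{length = 20, bytes = 0x7a8ea62f5a0144dd918e822a56207859cd5a0159}] remote: 17.137.162.1:80 interface en0
default 23:26:38.788429-0700 osinstallersetupd nw_socket_handle_socket_event [C2.1:1] Socket received CONNECTED event
error 23:26:38.789855-0700 osinstallersetupd SocketStream write error [0x7fad21865890]: 1 32
default 23:26:38.790040-0700 osinstallersetupd TCP Conn 0x7fad21865890 canceled
error 23:26:38.790230-0700 osinstallersetupd tss_submit_job: SendHttpRequest failed -1
"""

# level, timestamp, process, message (the layout used in the post's log)
LINE = re.compile(r"^(\w+) (\d\d:\d\d:\d\d\.\d+[+-]\d{4}) (\S+) (.*)$")
REJECT = re.compile(
    r"provider rejected new flow (TCP|UDP) ([\w.-]+)\[.*?\] remote: (\S+)")


def correlate(log_text, window=timedelta(seconds=1)):
    """Return error lines logged by a process within `window` after the
    proxy provider rejected one of that process's flows.
    Assumption: timestamps carry no date, so the log must not cross midnight."""
    rejected = []   # (time, bundle id, remote endpoint)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # skip lines in another layout
        level, ts, proc, msg = m.groups()
        when = datetime.strptime(ts, "%H:%M:%S.%f%z")
        r = REJECT.search(msg)
        if r:
            rejected.append((when, r.group(2), r.group(3)))
            continue
        if level != "error":
            continue
        for t0, app, remote in rejected:
            # Assumption: the process name is the bundle id's last component.
            same_proc = app.rsplit(".", 1)[-1] == proc
            if same_proc and timedelta(0) <= when - t0 <= window:
                findings.append({
                    "app": app, "remote": remote, "error": msg,
                    "delay_us": (when - t0) // timedelta(microseconds=1)})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f['app']} -> {f['remote']} +{f['delay_us']}us: {f['error']}")
```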
Hi
I am developing an App proxy network system extension on 10.15.5. The reachability callback is registered using the method below, but reachability_callback is never called.

    sockaddr_in ipv4{};
    ipv4.sin_family = AF_INET;
    ipv4.sin_len = sizeof(sockaddr_in);
    ipv4.sin_addr.s_addr = 0x08080808; /* dummy ip */
    SCNetworkReachabilityRef reachableTarget =
        SCNetworkReachabilityCreateWithAddress(NULL, (sockaddr *)&ipv4);
    Boolean ok = SCNetworkReachabilitySetCallback(reachableTarget, reachability_callback, NULL);
    ok = SCNetworkReachabilityScheduleWithRunLoop(reachableTarget,
                                                  CFRunLoopGetMain(),
                                                  kCFRunLoopDefaultMode);
    } // closes the enclosing function, which the post does not show

I know "defaultPath" can be used to detect the network change.
I am trying to understand the underlying root cause of this issue. Does the reachability callback not work with CFRunLoopGetMain?
Regards,
Anand Choubey