Hi Matt, Along with old rule I tried to add the new NENetworkRule rules matching any port on localhost (127.0.0.1 ) but still didn't see handleNewFlow() called for localhost connection requests. Following is the rule written let loNetworkRules1 = NENetworkRule(       remoteNetwork: nil,       remotePrefix: 0,       localNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),       localPrefix: 0,       protocol: .any,       direction: .any     )     let loFilterRule1 = NEFilterRule(networkRule: loNetworkRules1, action: .filterData)           let loNetworkRules2 = NENetworkRule(       remoteNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),       remotePrefix: 0,       localNetwork: nil,       localPrefix: 0,       protocol: .any,       direction: .any     )     let loFilterRule2 = NEFilterRule(networkRule: loNetworkRules2, action: .filterData)           let loFilterSettings = NEFilterSettings(rules: [loFilterRule1,loFilterRule2], defaultAction: .allow)            apply(loFilterSettings) { error in        if let applyError = error {          netopsLog(level: LOGLEVEL_ERROR, format: "Failed to apply localhost filter settings: %@", applyError.localizedDescription)        }        completionHandler(error)      }

Yes, this process we are running for our purpose.  We have servers where many USB devices connected, the VMs can connect to these USB devices using "Eltima USB Network Gate" software. This software daemon generates huge number of connections per seconds. The approx 250 is the lower end of the count, sometimes it is more per seconds. The majority of connections are unique in terms of IP and port numbers.  We have tested after stopping this daemon and then everything works fine that include browsing, ssh connections and all other network operations. But this is temporary solution as we don't know in in future some other process can start behaving similar way which may lead to similar behaviour on Network Extension and all other connections will timeout.

Yes