As per : TN3120: Expected use cases for Network Extension packet tunnel providers | Apple Developer Documentation It is clear that Packets that are read from NEPacketTunnelFlow are meant to be sent over a tunnel connection to a remote server for injection into a remote network. They are not meant to be dropped or re-injected back into the system. In my usecase: NEPacketTunnelProvider is separate process. which reads the packet using packetFlow.readPacketObjects Send it over to other process i.e privileged helper(Non-bundle/command line tool/non sandboxed) via UDS IPC. Helpers send to to remote tunnel and return back the packet to NEPacketTunnelFlow via same IPC. NEPacketTunnelProvider uses packetFlow.writePacketObjects to inject packets. Things works fine. We don't distribute it via Appstore. We are now attempting to implement a on device bypass mechanism from helper tool side. Could you please suggest if there is any approach I could try, even if it involves proceeding at my own risk?

NEAppProxyUDPFlow contains below property: open var localEndpoint: NWEndpoint? { get } Why is localEndpoint not available for NEAppProxyTCPFlow? Is there a way to determine the source port of a flow of type NEAppProxyTCPFlow within the following method of NETransparentProxyProvider? override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {

I haven’t come across any official documentation regarding the limit on the number of Network Extensions macOS can run. However, I did see some discussions suggesting that Apple might restrict this to 5 extensions in macOS Tahoe. Is there any official confirmation on this?

We have a NEFilterDataProvider extension that intercepts all TCP and UDP IPv4/6 traffic. At times just after wakeup from sleep, it causes internet access issues, such as showing "This site can't be reached" when opening websites. The traffic is not being dropped by the extension. According to the logs, the connection is being closed after approximately 4 minutes. During the issue, the flow logs are as follows: Flow 515129771 is connecting New flow: NEFlow type = stream, app = com.google.Chrome.helper... Detaching, ref count = 2 (logged after ~4 minutes) Sending close, how = 2 Removing from group 2, ref count = 2 Destroying, app tx 0, tunnel tx 0, tunnel rx 0 Closing reads, not closed by plugin Closing writes, not sending close Any suggestions on the possible cause and how to further debug it?

We want to ressolve dns for predefined sets of private app domains. We've added this rule: NENetworkRule(destinationHost: NWHostEndpoint(hostname: Private Domain1(example.com), port: 53), protocol: .UDP) As per apple documentation: A rule that matches all DNS queries/responses for hosts in the example.com domain. do you think it will work i.e it will forward DNS requests UDP flow to transparent provider in all the cases? or do you think the text is a bit misleading. it should instead say: "A rule that matches all DNS queries/responses for nameservers in the example.com domain"? This rule that look for port 53 of that domain only works if the system really asks a nameserver of that specific domain, right? So, what if a local DNS server or a different nameserver are taking care of the resolution?

I have a process [command line cpp application] which i want to run always such as it should relaunch after a crash, after device startup etc. I created a launchd Property List File with KeepAlive true and placed under /Library/LaunchDaemons. Problem Statements: I have a bash script to start and stop this process. start using: launchctl bootstrap. stop involve these two steps: send SIGTERM signal and wait untill process stops after doing some cleanups launchctl bootout [It doesn't sends SIGTERM] during steps 1 - Process is getting stop, but also getting immediate relaunch by launchctl during step 2 - it getting stop again. is there a proper way so that we can disable KeepAlive temporarily so that process will not launch during step 1? or suggest other ways to handle this?

NETransparentProxyProvider having these two methods: override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool override func handleNewUDPFlow( _ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint ) -> Bool During initial days when NETransparentProxyProvider was introduced, We used handleNewFlow to handle NEAppProxyTCPFlow and handleNewUDPFlow to handle NEAppProxyUDPFlow . Since handleNewUDPFlow is now deprecated, is it just okay to use handleNewFlow to handle both NEAppProxyTCPFlow & NEAppProxyUDPFlow? will this works always or there are some scenario where keeping handleNewUDPFlow will be usefull?

NETransparentProxyProvider have below method: override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool This method is blocking. Until we returns value from this method, next flow will be blocked, macOS doesn’t calls it on new thread. for example: if we take 10 second to check what to do with this flow, whether to handle it(true) or return to kernel(false), another flow will be block for 10 sec. how to not block future flow while it is taking longer to process current flow?

my macOS process is crashing when i keep my mac sleep for about 1 hour. Under Crash Reports, Console app shows two type of file. .diag type .ips type ips file doesn't shows exact line of crash as you can see below sample. Thread 67 Crashed: 0 libsystem_kernel.dylib 0x19a4aea60 __pthread_kill + 8 1 libsystem_pthread.dylib 0x19a4e6c20 pthread_kill + 288 2 libsystem_c.dylib 0x19a3f3a30 abort + 180 3 libsystem_malloc.dylib 0x19a303dc4 malloc_vreport + 896 4 libsystem_malloc.dylib 0x19a307430 malloc_report + 64 5 libsystem_malloc.dylib 0x19a321494 find_zone_and_free + 528 6 Firewall.so 0x103c8a744 TunnelSendQueue::ResumeSend() + 460 resource.diag file sgowing warning about exceeding limit of 150 wakeups per second over 300 seconds. attached here. reasource_consumptions_W36RNW09G.wakeups_resource_diag.txt is this something macOS stopping app because of some resource consumptions?

I have a Network extension contains App Proxy and Content Filter. After installation, extension process is not getting auto launch. We want to execute some code in main.swift. extension process is getting launch on enabling either App Proxy or Content Filter. how to launch network extension process after installation? Installations Sample code: let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: id, queue: .main) OSSystemExtensionManager.shared.submitRequest(activationRequest)

I have a system extension which contains 3 capabilities: App Proxy, Content Filter, Packet Tunnel. System extension process doesn't auto stops on disabling all of its Capabilities: App Proxy, Content Filter, Packet Tunnel How to make system extension process auto stop if all of its capabilities disabled? Disable can happens via system extension hosting app or system preference network settings I have following in mind: Whenever we disables any capabilities via system extension hosting app, it can check if all others are disabled then Use KILL bash command to terminate system extension process System extension hosting app can send message via XPC to extension to terminate it self via NSApp.terminate On disabling from system preference, ssystem extensions can check if all other disables in delegate method and terminate itself I wanted to know what is better way to handle system extension process stop

I want to understand in which API triggers this below popup. 1. This below code always trigger popup after fresh install which make sense: `//manager NETunnelProviderManager manager.connection.startVPNTunnel(options: [:])` 2. This below code sometime triggers popup intermittently. Ideally this shouldn't trigger or always trigger. I tried running this code in loop to check this behaviour, some time around 50th or sometime around 88th execution observed this popup. config.providerBundleIdentifier =“bundleId” config.serverAddress = "Connection managed by app”Name// let manager = NETunnelProviderManager() manager.protocolConfiguration = config manager.localizedDescription = “xyz” manager.saveToPreferences(completionHandler: { (saveError) -> Void in }``` no where startVPNTunnel called in 2nd code sample.

On Ventura - We have a network extension(Transparent Proxy) which blocks IPv6 traffic as below. override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { //Ipv6 gets blocks by below code let error = NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey : "Connection Refused"]) flow.closeReadWithError(error) flow.closeWriteWithError(error) On IPv6 enabled client machine, when a client application(Browser, curl, Teams etc), try to send HTTP/s requests, first they try to send the request over IPv6 and if it fails, they try with IPv4 (Happy eyeballs Algorithm) In our case, as network extension blocks IPv6 traffic, client applications will fail to establish connection over IPv6 and fallback to IPv4 as per Happy eyeballs Algorithm The above scenario works fine till MacOS Ventura. For Sonoma, this behaviour seems to have changed When our network extension blocks IPv6 traffic, client applications do not fallback to IPv4. They simply fail without trying IPv4. We tested with curl, Google chrome browser, Microsoft Teams. All these fail to load pages on Sonoma and they work fine on Ventura. Note : No change in our network extension code, curl and browser versions. Only change is MacOS version Please find attached screenshots with Ventura and with Sonoma, running curl One other difference seen here is the error code received by client applications with Ventura and Sonoma. On Ventura, when IPv6 is blocked, error is Network is down and client application establishes connection with IPv4. On Sonoma, error code is 22 : Invalid arguments and client application does not retry with IPv4. Curl_Ventura.jpg Curl_Sonoma.png

Hi, AFAIK Safari or any macOS apps which uses WKWebview, uses com.apple.WebKit.Networking.xpc to do actual networking. I am working on a packet tunnel, where I am able to get process id associated with packet read. Based on process id, i am using libproc to get process name. I am facing below problem: For Safari or any other apps which uses WKWebview having same process name: com.apple.WebKit.Networking Any ways to distinguish wether it is from safari or other xyz wkwebview apps? Related Problem: https://developer.apple.com/forums/thread/693528 In this thread, app proxy can help but in packet tunnel no such options exposed.

I am trying to get ports used by processes. It can be done via lsof on macOS, i am trying to do it via libproc. #include <iostream> #include <libproc.h> int main(int argc, const char * argv[]) { pid_t pids[3072]; int count = proc_listpids(PROC_ALL_PIDS, 0, pids, sizeof(pids)); for (int i = 0; i < count; i++) { char buffer[1024]; for (int j = 1; j < 50000; j++) { //port range int ret = proc_pidfileportinfo(pids[i], j, PROC_PIDFILEPORTVNODEPATHINFO, buffer, sizeof(buffer)); if(ret != 0) { printf("proc_pidfileportinfo returned %d bytes of data\n", ret); printf("%s\n", name); } } } return 0; } proc_pidfileportinfo function is not working for any port, i tried iterating till 50K. What i am doing wrong with proc_pidfileportinfo? how to properly use proc_pidfileportinfo?