Thanks a ton @eskimo lsof doesn't works in sandboxed enviroment. i wanted to use lsof -i:port. i.e lsof -i:443 and grab Name(TCP 172.20.10.3:62323->52.98.87.66:https (ESTABLISHED)) as you can see last part in below command output. faisalikwal@TTWPXM6W4Y ~ % lsof -i:443 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME CalendarA 757 faisalikwal 82u IPv4 0x9b970081ec8283e5 0t0 TCP 172.20.10.3:62323->52.98.87.66:https (ESTABLISHED) exchanges 758 faisalikwal 8u IPv4 0x9b970081ec8303e5 0t0 TCP 172.20.10.3:62241->40.99.34.226:https (ESTABLISHED) Notes 867 faisalikwal 28u IPv4 0x9b970081ec001915 0t0 TCP localhost:62472->52.98.86.162:https (CLOSED) Mail 868 faisalikwal 83u IPv4 0x9b970081ec7d0e7d 0t0 TCP 172.20.10.3:62488->40.99.34.242:https (ESTABLISHED) Google 942 faisalikwal 22u IPv4 0x9b970081ec02794d 0t0 TCP 172.20.10.3:62512->okapi-services-apse1.apple.com:https (ESTABLISHED) My ultimate goal is to identify process belong to NEPacket received by packet tunnel provider since apple doesn't exposes metadata in packet tunnel(except perapp cases). I will have a look at lsof code to check how they do it.

@eskimo it is port used for network communication over the internet such as TCP, UDP etc

Hi, Following include setting working. But i am not sure below setting in place of ipv4Settings 0.0.0.0 or default will have any serious drawbacks. settings.ipv4Settings?.includedRoutes = [ NEIPv4Route(destinationAddress: "0.0.0.0", subnetMask: "128.0.0.0"), NEIPv4Route(destinationAddress: "128.0.0.0", subnetMask: "128.0.0.0") ] //DNS 8.8.8.8, 10.212.24.222 settings.ipv4Settings?.excludedRoutes = [ NEIPv4Route(destinationAddress: "8.8.8.8", subnetMask: "255.255.255.255"), NEIPv4Route(destinationAddress: "10.212.24.222", subnetMask: "255.255.255.255")]

Hi, By mistake i have pasted wrong code of filter rule. I don't see any option to edit post hence replying. I have applied rules on remote as below. let filterRules = ["0.0.0.0", "::"].map { address -> NEFilterRule in       let remoteNetwork = NWHostEndpoint(hostname: address, port: "0")       let networkRule = NENetworkRule(remoteNetwork: remoteNetwork,                           remotePrefix: 0,                           localNetwork: nil,                           localPrefix: 0,                           protocol: .TCP,                           direction: .any)       return NEFilterRule(networkRule: networkRule, action: .filterData)     }

I have added dropping 10.207.135.79 in method override func handleOutboundData as well

FYI Following code working fine on linux, but not working on mac. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void) {   int i, recv_length, sockfd;   u_char buffer[9000];   printf("Opening socket\n");   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {     printf("Socket failed!!\n");     return -1;   }   printf("Socket opened\n");   for(i=0; i < 3; i++) {    printf("Going to read i: %d\n", i);    recv_length = recv(sockfd, buffer, 8000, 0);    printf("Got some bytes : %d\n", recv_length);   }   return 0; }

Can you take a step back and explain your high-level goal? I am getting NEPacket via Packet tunnel provider System extension. I need to forward this packet to server Which will re-injected this ip packet into network stack after processing. Since raw socket can't be opened by system extension due to sandbox restriction, i am reading IP packet in separate process via BSD Packet Filter(BPF) - read(bpf, bpfBuffer, bufLength); After receiving IP Packet at the bpf end, I am using raw socket to send it to server. sendto is working fine, its getting receive at server end. recvfrom is failing. For ICMP, both sendto and recvfrom is working fine. Please let me know if any other ways to achieve this?

Hi @eskimo, This book is really helpful. Thank you. There is one more point under Raw Socket Input: All IP datagrams with a protocol field that the kernel does not understand are passed to a raw socket. The only kernel processing done on these packets is the minimal verification of some IP header fields: the IP version, IPv4 header checksum, header length, and destination IP address (pp. 213–220 of TCPv2). is there any workaround that we can do with ip packet during sendto so that kernel does not understand and passes to raw socket?

Hi @eskimo, You can see below console SS my app com.xyz.abc.networkextension not available.

@Igal, @UnisysDavidMcLaren I am also trying to open raw socket in PacketTunnelProvider systemextension and running into same issue Operation not permitted. please let me know if you guys succeeded on this?