Hi, By mistake i have pasted wrong code of filter rule. I don't see any option to edit post hence replying. I have applied rules on remote as below. let filterRules = ["0.0.0.0", "::"].map { address -> NEFilterRule in       let remoteNetwork = NWHostEndpoint(hostname: address, port: "0")       let networkRule = NENetworkRule(remoteNetwork: remoteNetwork,                           remotePrefix: 0,                           localNetwork: nil,                           localPrefix: 0,                           protocol: .TCP,                           direction: .any)       return NEFilterRule(networkRule: networkRule, action: .filterData)     }

I have added dropping 10.207.135.79 in method override func handleOutboundData as well

FYI Following code working fine on linux, but not working on mac. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void) {   int i, recv_length, sockfd;   u_char buffer[9000];   printf("Opening socket\n");   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {     printf("Socket failed!!\n");     return -1;   }   printf("Socket opened\n");   for(i=0; i < 3; i++) {    printf("Going to read i: %d\n", i);    recv_length = recv(sockfd, buffer, 8000, 0);    printf("Got some bytes : %d\n", recv_length);   }   return 0; }

Can you take a step back and explain your high-level goal? I am getting NEPacket via Packet tunnel provider System extension. I need to forward this packet to server Which will re-injected this ip packet into network stack after processing. Since raw socket can't be opened by system extension due to sandbox restriction, i am reading IP packet in separate process via BSD Packet Filter(BPF) - read(bpf, bpfBuffer, bufLength); After receiving IP Packet at the bpf end, I am using raw socket to send it to server. sendto is working fine, its getting receive at server end. recvfrom is failing. For ICMP, both sendto and recvfrom is working fine. Please let me know if any other ways to achieve this?

Hi @eskimo, This book is really helpful. Thank you. There is one more point under Raw Socket Input: All IP datagrams with a protocol field that the kernel does not understand are passed to a raw socket. The only kernel processing done on these packets is the minimal verification of some IP header fields: the IP version, IPv4 header checksum, header length, and destination IP address (pp. 213–220 of TCPv2). is there any workaround that we can do with ip packet during sendto so that kernel does not understand and passes to raw socket?

Hi @eskimo, You can see below console SS my app com.xyz.abc.networkextension not available.

@Igal, @UnisysDavidMcLaren I am also trying to open raw socket in PacketTunnelProvider systemextension and running into same issue Operation not permitted. please let me know if you guys succeeded on this?