Post

Replies

Boosts

Views

Activity

Network extension configuration "the wrong type"
On one test machine, our extension wouldn't load, because [NETransparentProxyManager loadAllFromPreferencesWithCompletionHandler] can't find a manager, saying "Skipping configuration appname because it is of the wrong type". This is the first time I've seen this behaviour. (The containing app tries to find a configuration; if it can't find it, it creates one, then modifies whatever it found or created, then stores it. I don't have the right logging yet for that, so I can't see the error messages. [NSLog instead of os_log_error.])
2
0
106
Oct ’25
Network extension authorization dialog not appearing
This has happened a few times, including out in the field; it's happened on macOS 14 and 15 I think. "This" is: our app runs, activates the extension, it has to get user approval, and... the system dialogue window never appears. The extension stays waiting for user approval. I've got sysdiagnose from one of the systems, and I see the system log about it going into the user approval needed state, and... nothing else. It's there in Settings, and can be approved then. Has anyone run into this? Ever?
7
0
116
Jul ’25
Codesigning in Europe still doesn't work with IPv6
I spent 20 minutes trying to figure out why codesigning was failing -- I had the pf block set up correctly, my keychains were unlocked, and then, eventually, it occurred to me, hey, maybe an IP address changed, so I disabled IPv6 except for link local, and then amazingly, it went back to working. I filed FB13706261 over a year ago. This is ridiculous.
7
0
318
Jul ’25
Java and gatekeeper
We're trying out using a 3rd party java applet as part of our suite, but we're getting inconsistent results that seem to be related to signing. "Fortunately," I can trivially reproduce it! It pops up a dialogue saying "Apple could not verify “java” is free of malware that may harm your Mac or compromise your privacy"; if I click through the dialogue and the system settings, it then does the same for each of the dylib files. The file seems to be signed, so is this a matter of it not being notarized? Will we have to sign and notarize them all on our own?
3
0
91
Aug ’25
Too many mach ports?
We have a customer reporting a bunch of problems with our (Transparent Proxy Provider-based) suite. Looking at a sysdiagnose, I see that our GUI applet was killed: "Termination Reason: Namespace PORT_SPACE, Code 14123288431434181290 (Limit 305834 ports) Exceeded system-wide per-process Port Limit". Looking at the top.txt file from it, I see that it has 193,086 ports -- compared to about ~250 on one of my test systems. Has anyone run into this? Any idea what might be causing it? (I'm still poring over the sysdiagnose, but I don't see any kernel logs around that time -- except that our process does close a dozen or so ports because of cancellation.)
10
0
206
Sep ’25
Endpoint security and non-file events
I must be missing something really obvious, and I feel particularly dumb about it: I don't see any event -- authorization or notification -- for creating or removing a directory. I also don't see one for creating a symlink (although that can be handled via unlink, one presumes). The events for create seem to be file only (and I'm also quite surprised that the file mode isn't available in the authorization event for that). So how blind am I here? I mean, I *must* have missed something, right?
2
0
537
Dec ’20
Very ignorant VPN network extension question
The documentation for, e.g., NEAppProxyProvider has a lot of redirections and implicit configurations that I simply don't know and sometimes can't follow. I wanted to try making a VPN network extension that (for the moment) just got loaded and did nothing. I can't even get that far, it seems. I'm clearly missing the setup I need to do. Unfortunately, the old SimpleTunnelCustomizedNetworkingUsingtheNetworkExtensionFramework sample doesn't build anymore, what with it being Swift 3 based. Is there a newer, made-for-idiots sample program somewhere?
4
0
842
Aug ’21
IP packet class in Swift
Has anyone made a Swift class for IP packets? This is just me being lazy -- the goal is to be able to print them out nicely, and possibly change the values, mainly for experimentation and fun. (I mean, I can do it in C, so I can always wrap that in ObjC and bridge to Swift.)
2
0
801
Aug ’21
Yet another dumb Network Extension (App Proxy Provider) question!
This is mainly caused by my having misread the documentation, but then the behaviour seemed to match my misreading, but then suddenly it didn't. Specifically, I had thought that handleNewFlow could return false to indicate "I'm not interested in this particular connection," but it turns out to close it (killing some but not all? networking on the system) if I always return false. The specific thing I was trying to do was exclude certain apps from being proxied (without building a list of all apps, to filter them all). So my question is two-fold: how dumb was I to misread the documentation, and is there a way to do what I was trying to do? (Short of, say, monitoring all new processes as they start, adding them to the NEAppRule set, and deliberately excluding the ones I wanted to whitelist.)
9
0
1.1k
Sep ’21
Developing with a team -- how to set up?
I've been trying and googling and forum-reading this for a couple of days, and ... am either missing something obvious, or am simply dumb. I'd prefer to simply be ignorant, and so I ask. 😄 I've got a personal, paid account. I've got some projects, and I've got some git repos. I'd like to allow some other people to check out a repo and then build the associated project. Only they can't, because the bundle identifier conflicts. The bundle identifier is, e.g., com.kithrup.filterTest. In my Xcode, the selected team is me. And that works, which isn't surprising because I did create it after all. I've tried using App Store Connect to invite someone, and they do show up there. But they can't build either, again due to the bundle identifier conflict. (Also they can't find any provisioning profiles, which makes sense given everything else not working.) This is a remarkably basic question for someone who's been developing on the Mac for... oh my, coming up on 20 years in a month. Of course, I managed to avoid Xcode for much of that time, by simply doing unixy stuff. Help?
8
0
977
Sep ’21
Xcode, multiple targets, and shared/common files: Did I do this correctly?
My project got more complicated, and I had to integrate in some C++ code. In the process, I ended up with a couple of targets, which had some shared ObjC++ and Swift code. Normally, if it's all the same language, I just put the files in question into each of the targets, and we're all happy. But with having both ObjC++ and Swift, I had to deal with the bridging headers. Which got created as ${PRODUCT_NAME}-Swift.h, which made it very difficult for that file to be included in a .mm file used in multiple targets. I tried googling, and forum-searching, and couldn't quite figure out how to make it generate a single header file. Instead, I added a new target, a static library using the common files. I added a Run Script phase which copied *-Swift.h from the Derived Sources directory to the build directory. Then I added the library as a dependency for each of the other targets, and of course linked with it. This seems to work, even after doing a rm -rf build and building everything again. So... was this the (or at least, a) right way to do this? Are there better practices I should be using? Thank you very much, I am very stupid sometimes.
1
0
835
Sep ’21
Transparent Proxy Provider and data limits?
I wrote a very dumb transparent proxy. The extension simply sends data to a daemon, and that daemon sends network data back to the proxy. It worked with small test connections, and I was fairly pleased. Then I tried transferring a ~4mbyte file (using curl), and it got a way in, and then the daemon did a network read of something like 400kbytes, and went to send that to the extension, and the flow.write method never called the completion handler. If I limit the read size to 64k max, it works. The most frustrating thing is I don't see any logging information related to it, so I can only guess what's going on. Any ideas, thoughts, or clear stupidities on my part?
2
0
547
Oct ’21
Can one do automated testing with a System Extension? (And if so, how?)
In particular, network extensions, which need to be installed/activated by the containing app. I'm not particularly great at GUI stuff, so maybe there's a way one can simulate/automate that part? I'm assuming CI testing, presumably done with VMs being created on the fly to build & test. (I admit a historical failure on unit testing for my code, but most of that has historically been kernel code. I'm trying to do better!) I again apologise for my obvious ignorance at some of this.
2
0
652
Oct ’21