Post

Replies

Boosts

Views

Activity

appproxy: failed to write a message: no buffer space available
Hi there, I am using AppProxyProvider. While doing some speed tests via some web sites, it raised some errors like the ones below and the appproxy restarted itself.

"app receive buffer is full, queueing *** bytes"
"failed to write a message: no buffer space available"

The good thing is that no crash happens. I wonder what is going on with the TCPFlow: is it not fast enough to handle incoming data? Is there any way to avoid that? Thanks in advance for any suggestion.
1
0
728
Apr ’21
Any proper way to get remote tcp port and ip address from a NEAppProxyTCPFlow
Hi there, In order to get the remote TCP port from a NEAppProxyTCPFlow, what I did is:

```swift
(NEAppProxyTCPFlow as! NWHostEndpoint).port
```

But I do not think that is a good way of achieving it. Is there any proper way to do it? And I believe the IP address can be fetched by:

```swift
NEAppProxyTCPFlow.remoteHostName
```

Is that right? Thanks in advance for any suggestion.
1
0
559
Apr ’21
The correct way to create tcp connection to localhost
Hi there, I am using NetworkExtension and would like to create a TCP connection to localhost. With the code below, I faced some strange problems: the appproxy restarts itself periodically with all the traffic during the test.

```swift
import NetworkExtension

let ep = NWHostEndpoint(hostname: "127.0.0.1", port: String(8888))
let connection = createTCPConnection(to: ep, enableTLS: false, tlsParameters: nil, delegate: nil)
```

I wonder what the correct way of achieving that is? Thanks in advance for any suggestion.
1
0
679
Apr ’21
Capturing all udp traffic cause network gone after around three hours
Hi there, This is to make a separate thread for the case where capturing all UDP traffic causes the network to be gone. I am using this filter setting:

```swift
// One /8 rule per first octet, skipping loopback (127.0.0.0/8)
for seg in 1...254 {
    if seg != 127 {
        hosts = [("\(seg).0.0.0", "0")]
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
            rules.append(rule)
        }
    }
}
```

It works from the beginning as expected, capturing all UDP traffic including the port 53 traffic. But then, after around three hours, the network is gone like below:

```
ping apple.com
...
Request timeout for icmp_seq 14745
ping: sendto: No route to host
Request timeout for icmp_seq 14746
ping: sendto: No route to host
```

When the issue happens, the appproxy network service is still connected and running, but my wifi network service becomes unconnected (as self-assigned IP) and is not recoverable. Only by removing the appproxy service and reconnecting wifi can it recover. I have tried both NWUDPSession and NWConnection for UDP, but with the same result. I would like to hear your suggestions, as I got your point before saying: Proxying UDP flows is something that can be done without a crash. Thanks in advance.
1
0
699
May ’21
Can we hide all network service configurations for appproxy
Hi there, I am using TransparentProxyProvider at the moment, and would like to hide all the configurations from the network service, like what it looks like with SimpleFirewall. I took a look at the source code of SimpleFirewall, but didn't quite get the idea of how to make all the configuration items hidden. Thanks in advance for any suggestion. Regards Richard
1
0
629
Jul ’21
system extension only prompt with SIP off
Hi there, We are using appproxy from a system extension at the moment. It works fine. But we realised that the system extension only prompts with csrutil disable. With csrutil enable, there is no prompt to add it, thus we cannot use it at all. As far as I understand, SIP is enabled by default. We cannot ask the customers to disable it one by one in order to have the system extension work? Thanks in advance for any suggestion. Regards Richard
1
0
576
Jul ’21
Monterey Beta 8 appproxy when block QUIC traffic, no network!
Hi there, I encountered something weird when doing a beta test on Monterey Beta 8, while all is good with Monterey Beta 6. We use a system extension for NETransparentProxyProvider and we block QUIC traffic with the code below:

```swift
override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool {
    let ep = remoteEndpoint as! NWHostEndpoint
    flow.open(withLocalEndpoint: nil) { [unowned self] error in
        guard error == nil else {
            flow.closeReadWithError(error)
            flow.closeWriteWithError(error)
            return
        }
    }
    // Close UDP flows to ports 80 and 443 (QUIC) so the browser falls back to TCP
    if ep.port == "80" || ep.port == "443" {
        flow.closeReadWithError(nil)
        flow.closeWriteWithError(nil)
        return
    }
    ...
}
```

That works pretty well all through Big Sur to Monterey Beta 6. But when I upgraded to Beta 8 with the same code, the system suffers:

- Chrome has no network access anymore.
- The system extension gets stuck the first time it is removed (it needs a second time to be removed).
- Sometimes the whole macOS has no network access at all.

All these can be recovered by simply letting QUIC traffic through or not capturing it. But we need to block such traffic so that the Chrome browser falls back to TCP mode. Thanks in advance for any suggestion! Regards Richard
1
0
489
Oct ’21
SIP phone application gets upset with AppProxyProvider filtering all udp traffics
Hi there, It is newly found that with all UDP traffic filtered, the SIP phone application doesn't have audio anymore. With Wireshark analysis, it seems that the STUN protocol gets upset in advance of the RTP messages. It turns into some unknown format although we only pipe it through. The only workaround is to bypass all RTP ports. But we cannot do that as it is a huge range. Thanks in advance for any suggestion. Attached is the case with/without the RTP range bypassed. That was tested with the linphone SIP phone application.
1
0
784
Oct ’21
About the use case of dnsproxy + appproxy filter all udp traffic
Hi there, This is a question about using dnsproxy together with appproxy, in case I need to filter all UDP traffic through appproxy. How about DNS traffic to port 53? It will go through both appproxy and dnsproxy! Do I need to return false inside appproxy for outbound port 53 UDP traffic without even opening the flow? Is there any conflict with such usage? Thanks in advance for any suggestion. Regards Richard
1
0
624
Nov ’21
What happens with appproxy unregister notification for read_timeout (write_timeout) failed
Hi there, This is seen in the console log when running AppProxyProvider. Sometimes I can see something like this:

```
nw_endpoint_handler_set_adaptive_write_handler [C978 IPv4#759261e2:443 ready socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns)] unregister notification for write_timeout failed
```

I would like to ask you guys what is going on when such logs show up? Is it because the peer flow (connection or session) closed and the local connection (session) timed out? I have seen with that that the appproxy gets blocked for a while and then recovers. Is it normal and is it avoidable? Thanks in advance for any suggestion.
1
0
619
Jan ’22
Is there any hardware limitation to use Network System Extension
Hi there, So far, with the deployment of the Network System Extension onto end devices (MacBook Pro), in general it all goes well. However, there are some older devices, say a 2015 MacBook Pro, and even a 2019 one, that have a problem of network drop after running for some time, say, a couple of hours. The symptom is that the network gets stuck intermittently and then gets totally lost. It seems that from time to time the app proxy gets stuck and cannot process further traffic fast enough, especially for DNS request filtering, which currently goes through the same app proxy. That causes network loss which is not recoverable. So the question is: is there any requirement on the hardware in order to use the Network System Extension correctly? Thanks in advance for any suggestion. Richard
1
0
749
Jan ’22