Post | Replies | Boosts | Views | Activity

Why udp port 53 traffic is captured?
Hi there,

I am using NEAppProxyProvider to filter a scope of port traffic. I am trying to capture all port traffic (except udp port 53) like below. There are mainly two problems with the below approach:

- Sometimes it works and can capture all traffic, but sometimes it cannot.
- All the time, udp 53 traffic is always captured in.

Is this a bug?

```swift
private func buildRules(fullMode: Bool) -> [NENetworkRule] {
    var hosts = [("", "")]
    var rules: [NENetworkRule] = []
    hosts = [("0.0.0.0", "0...52"), ("0.0.0.0", "54...65535"),]
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule.init(remoteNetwork: ep,
                                      remotePrefix: 0,
                                      localNetwork: nil,
                                      localPrefix: 0,
                                      protocol: .any,
                                      direction: .outbound)
        rules.append(rule)
    }
    return rules
}
...
let settings = NETransparentProxyNetworkSettings.init(tunnelRemoteAddress: "127.0.0.1")
settings.includedNetworkRules = buildRules()
settings.excludedNetworkRules = nil
settings.dnsSettings = NEDNSSettings(servers: ["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"])
setTunnelNetworkSettings(settings) { [unowned self] (error) in
...
```

Replies: 28 | Boosts: 0 | Views: 3.4k | Activity: May ’21
Monterey 12.0 appproxy network down with dns duration test
Hi there,

This is found with duration test on Monterey 12.0. We are using appproxy and pipe through all udp traffic including dns requests (udp port 53). With below script doing only nslookup per second, in a couple of hours, it just fails. No network at all although no error on appproxy level reported. Only way to recover so far is to uninstall the system extension.

```bash
#!/bin/bash
i=1
while true
do
    i=$((i+1))
    echo "loop $i"
    nslookup www.google.com
    sleep 1
done
```

Tried the latest 12.1 beta, same failure. This test has no problem with Big Sur including 11.6.

Thanks in advance for any suggestion.

Regards
Richard

Replies: 24 | Boosts: 0 | Views: 3.5k | Activity: Jan ’22
Is it possible to use AppProxy and DNSProxy together
Hi there,

I am using AppProxyProvider and DNSProxyProvider together. When using only one of them, it works well so far. But when putting together the two things, no traffic through. For example, `nslookup google.com` doesn't work anymore.

So just to confirm with you: is it allowed to use these two at the same time?

Thanks in advance for any suggestion.

Replies: 10 | Boosts: 0 | Views: 1.4k | Activity: Jun ’21
Hundreds of appproxy flows are generated when visiting some web site.
Hi there,

During the test when using appproxy from systemextension (TransparentProxyProvider) capturing 80/443 tcp traffic, it is found that while visiting some website, there are hundreds of tcp flows generated, causing the appproxy stuck for some period (if we have some tasks for each flow). The websites can be some speedtest sites, such as https://www.speedtest.net or some complex forums, for example, https://www.wenxuecity.com

Do you have any suggestion on how to reduce the number of flows?

Thanks in advance.

Regards
Richard

Replies: 8 | Boosts: 0 | Views: 1.7k | Activity: Jul ’21
BigSur 11.5 Beta breaks NWConnection
Hi there,

I have a set of filter code based on AppProxyProvider that works pretty well: it just works, capturing in tcp and udp traffic using NWConnection. Unfortunately, recently I upgraded to 11.5 Beta and then everything goes wrong: the bandwidth as tested via some website, say, fast.com will drop after running for several minutes to 2Mbps for both upload/download (although my broadband's normal speed is 50Mbps). I capture in only tcp traffic to port 80 and 443.

I wonder is it some bug in network extension or some API level change I need to adapt to. Checked the release note, but nothing mentioned about any change around network extension. That blocks our beta plan!

Thanks in advance for any suggestion.

Replies: 7 | Boosts: 0 | Views: 1.1k | Activity: Jun ’21
excludedNetworkRules does not take effect
Hi there,

I am using AppProxyProvider and it can capture packets as I defined. But when I try to exclude traffic with excludedNetworkRules, it seems it does not work. Below is my code for setting things up. I capture all 443 port traffic for includedNetworkRules and exclude facebook.com for excludedNetworkRules. But facebook.com:443 traffic is still captured.

```swift
private func includeRules() -> [NENetworkRule] {
    // Web mode
    let hosts = [("0.0.0.0", "443")]
    var rules: [NENetworkRule] = []
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule.init(remoteNetwork: ep,
                                      remotePrefix: 0,
                                      localNetwork: nil,
                                      localPrefix: 0,
                                      protocol: .any,
                                      direction: .outbound)
        rules.append(rule)
    }
    return rules
}

private func excludeRules() -> [NENetworkRule] {
    let hosts = [("facebook.com", "443")]
    var rules: [NENetworkRule] = []
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule.init(remoteNetwork: ep,
                                      remotePrefix: 0,
                                      localNetwork: nil,
                                      localPrefix: 0,
                                      protocol: .any,
                                      direction: .outbound)
        rules.append(rule)
    }
    return rules
}
...
settings.includedNetworkRules = includeRules()
settings.excludedNetworkRules = excludeRules()
```

If I replace like below in excludeRules() by replacing facebook.com domain name with its ip address, then all 443 port traffic is not captured at all.

```swift
let hosts = [("157.240.8.35", "443")]
```

Am I doing anything wrong?

Thanks in advance for any suggestion.

Replies: 6 | Boosts: 0 | Views: 1.1k | Activity: Sep ’21
How to uninstall a systemextension with SIP on
Hi there,

We are using systemextension for network and now we try to turn on SIP and install/uninstall systemextension. Current status is that: with SIP on, systemextension can be installed correctly, but cannot be uninstalled. The install/uninstall code is like below.

Calling installSystemExtension() from the entrance of ProxyManger.swift:loadProxyManager returns success:

```
activation request succeeded
```

And systemextension list command shows the newly installed sysExt.

But calling uninstallSystemExtension() from the entrance of ProxyManger.swift:remove() results in error:

```
deactivation request failed authorization: unauthorized
```

And systemextension list command shows no difference.

```swift
@available(macOS 11.0, *)
private func installSystemExtension() {
    log.info("[LogApp] will submit activation request")
    let request = OSSystemExtensionRequest.activationRequest(
        forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
        queue: .main
    )
    request.delegate = self
    OSSystemExtensionManager.shared.submitRequest(request)
    log.info("[LogApp] did submit activation request")
}

// MARK: - Unload System Extension
@available(macOS 11.0, *)
public func uninstallSystemExtension() {
    log.info("[LogApp] will submit deactivation request")
    let request = OSSystemExtensionRequest.deactivationRequest(
        forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
        queue: .main
    )
    request.delegate = self
    OSSystemExtensionManager.shared.submitRequest(request)
    log.info("[LogApp] did submit deactivation request")
}
```

Thanks in advance for any suggestion.

Replies: 6 | Boosts: 0 | Views: 2.3k | Activity: Sep ’21
ps -A cannot see system extension process with M1
Hi there,

Something interesting that I do not understand when trying to fetch my appproxy (and dnsproxy) system extension process with commands like below. With Intel macbook pro, all good to fetch back that pid. But with M1 macbook pro, it returns nothing although installed with the same Big Sur 11.6.1.

```bash
ps -A | grep $MY_SYS_EXTENSION_PROCESS_NAME
pgrep $MY_SYS_EXTENSION_PROCESS_NAME
```

Do you have any suggestion to make it the same on M1?

Thanks in advance for any suggestion.

Regards
Richard

Replies: 6 | Boosts: 1 | Views: 1.4k | Activity: Dec ’21
AppProxyProvider is not happy with some website
Hi there,

I am using AppProxyProvider. It seems that there is some problem visiting some websites going through appproxy even if it only passes through all traffic.

How to reproduce:

- With AppProxyProvider, setup the filter rule and capture only tcp 80 and 443. Then pass through all traffic between tcp flow and remote connection.
- Then try to visit site: http://13.210.37.51

With chrome browser, there is no content shown. But if visit the same site without going through appproxy, all good.

Digging more into the trace got, it seems it might have something to do with below error:

```
⛔️FZ$--read from TCP connection error: Optional(Error Domain=kNWErrorDomainPOSIX Code=96 "No message available on STREAM" UserInfo={NSDescription=No message available on STREAM}) Optional(13.210.37.51:80) fzmacappproxy 11:18:16.988853+1000
```

Thanks in advance for any suggestion.

Replies: 5 | Boosts: 0 | Views: 962 | Activity: May ’21
netbiosd cpu usage > 100% after appproxy sys extension restarted
Hi there,

This was realised during the test. That is: when we use appproxy to filter all udp traffic with netbiosd running, and observe netbiosd cpu usage with Activity Monitor. Then if we just restart the appproxy (just kill the sys extension process is fine). After system extension process is re-spawned, you will find that netbiosd cpu usage boosts to above 100%.

Tried as well to put netbiosd related udp ports (137, 138 and 139) as excludedNetworkRules, but it doesn't help.

How to reproduce:

1. Start netbios service by `sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist`
2. Start appproxy application (with wrapper process and system extension process).
3. Setup in includedNetworkRules filtering all udp outbound traffic.
4. Just kill appproxy system extension process so that the wrapper process will spawn a new system extension process.
5. Observe from Activity Monitor cpu usage of netbiosd, you will find that it is above 100% then.

It makes no difference even if you put in excludedNetworkRules all netbiosd related ports including 137, 138 and 139 (tcp and udp).

Thanks in advance for any suggestion.

Regards
Richard

Replies: 5 | Boosts: 0 | Views: 2.9k | Activity: Jul ’22
dns proxy sys ext process can take > 1 minute to respawn
Hi there,

This is realized during the test on Monterey 12.2. Normally when we kill the dns proxy sys ext process, it will respawn very quickly within a couple of seconds. But after multiple times of trials, it can take more than one minute to respawn. Worst case even encountered was that it never gets respawned anymore.

By comparison, the app proxy doesn't have the same problem: always gets respawned instantly.

Not sure whether it is a bug or not.

Thanks in advance for the suggestions.

Regards
Richard

Replies: 4 | Boosts: 0 | Views: 851 | Activity: Feb ’22
iOS failed to launch dnsproxy network extension and no network anymore
Hi there,

We have a batch of customer ipads running our software older version with dnsproxy. They have not been running for a while. Then it is found that these devices cannot load dnsproxy network extension and no network access anymore. Below is the ipad console.

```
iPad neagent(NetworkExtension)[220] <Error>: Failed to start extension com.***.ios-dns.ext: Error Domain=PlugInKit Code=4 "RBSLaunchRequest error trying to launch plugin com.***.ios-dns.ext(***): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x14de85170 {Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 85}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to launch plugin com.***.ios-dns.ext(***): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x14de85170 {Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 85}}}}
```

I guess it is because the dnsproxy provisioning profile there expires already? In this case is there any way to retain the network access remotely? There are hundreds of them. Cannot imagine need to remove the app one by one manually.

Furthermore, is there any way to avoid such a situation: devices wakeup after not in use for some time, provisioning profile expires, not able to load dnsproxy network extension and no network anymore.

Thanks in advance for any suggestion,
Richard

Replies: 3 | Boosts: 0 | Views: 1.1k | Activity: May ’22