Post | Replies | Boosts | Views | Activity

Any way to get local tcp port from NEAppProxyTCPFlow
Hi there, I am developing software with Network Extension and it is halfway through. One of the requirements is to fetch the local TCP port from a TCP flow that connects to a remote endpoint by createTCPConnection(). I can get the local TCP port with connection.localAddress after the connection is connected. But that is a bit late. If it is possible to get it from createTCPConnection, that will be perfect. But as seen from the documentation, createTCPConnection has only remoteEndpoint, no localEndpoint. Thanks in advance for any suggestion.
Replies: 2 | Boosts: 0 | Views: 692 | Activity: Mar ’21
Any way to avoid app proxy reconnect when any connection broken
Hi there, I am using AppProxyProvider, which generates an app proxy. It captures TCP and UDP flows and connects to remote endpoints by createTCPConnection() and createUDPSession(). In most cases it just works well. There is one thing quite annoying: while browsing with a web browser, sometimes the app proxy can restart itself, which seems related to some connection that is broken. Is there any suggestion to avoid the app proxy reconnecting itself even if an underlying connection is broken? Thanks in advance.
Replies: 2 | Boosts: 0 | Views: 621 | Activity: Mar ’21
Is it mandatory to place appproxy-systemextension app directly under /Applications folder
Hi there, It is found that I have to place my application.app using appproxy-systemextension directly under the /Applications folder, so that it can load the system extension properly with the command

    open /Application/application.app

If I place it under /Applications/company.app/bin/application.app, and launch it with the command

    open /Applications/company.app/bin/application.app

it always fails with the complaint ossystemextensionerrordomain / 1.

So the question is: Is it mandatory to have this appproxy-systemextension application directly under the /Application folder? Thanks in advance for the confirmation.

Regards, Richard
Replies: 2 | Boosts: 0 | Views: 683 | Activity: Jul ’21
App proxy how to handle when flow/connection/session data read empty
Hi there, With app proxy, there are cases where a flow read, TCP connection read or UDP session read returns empty data. In this case, should I return directly, or close the flow, connection, session and then return, or should I go on and write the empty data through as usual even if it is empty? Below is the code example for the case of flow read and connection write.

    flow.readData { data, readError in
        guard readError == nil, let readData = data else {
            log.error("[LogApp] Failed to read data from the TCP flow \(self.local.debugDescription)")
            local.closeWriteWithError(readError)
            local.closeReadWithError(readError)
            return
        }

        guard !readData.isEmpty else {
            log.verbose("[LogApp] Empty data from TCP flow \(self.local.description)")
            // What should I do here?
            // return directly
            // or close flow and return
            // or keep on going to connection write?
        }
        connection.send(content: data, completion: .contentProcessed( { connectionError in
            ...
        }))

Thanks in advance for any suggestion.
Replies: 2 | Boosts: 0 | Views: 649 | Activity: Jan ’22
ios dns proxy sys extension process not re-spawn automatically after crash
Hi there, This is the case of using a DNS proxy provider on iOS. One thing noticed is that when the system extension process of the DNS proxy crashes, it is not re-spawned automatically by the wrapper process as it is when using the same DNS proxy provider under macOS. The test I carried out was:

Under macOS
Launch an application with the DNS proxy provider sys extension.
Kill that sys extension process.
After several seconds, another sys extension process of the DNS proxy extension will be re-spawned.

    sudo ps -A|grep macappproxy
    Password:
    47796 ??     0:00.35 /Applications/macappproxy.app/Contents/MacOS/macappproxy
    47875 ??     0:00.62 /Library/SystemExtensions/439F12A7-1304-4A92-BEED-3EBEC979ADBE/com.familyzone.macappproxy.fzmacdnsproxy.systemextension/Contents/MacOS/com.familyzone.macappproxy.fzmacdnsproxy
    47929 ttys001  0:00.00 grep macappproxy
    AU-L-0306:fc-ios-edu-client richardwang$ sudo pkill -9 com.familyzone.macappproxy.fzmacdnsproxy
    AU-L-0306:fc-ios-edu-client richardwang$ sudo ps -A|grep macappproxy
    47796 ??     0:00.35 /Applications/macappproxy.app/Contents/MacOS/macappproxy
    48433 ??     0:00.31 /Library/SystemExtensions/439F12A7-1304-4A92-BEED-3EBEC979ADBE/com.familyzone.macappproxy.fzmacdnsproxy.systemextension/Contents/MacOS/com.familyzone.macappproxy.fzmacdnsproxy
    48531 ttys001  0:00.00 grep macappproxy

We can see from above that the DNS proxy pid changed after it was killed and re-spawned.

Under iOS
Doing the same thing, but slightly different: crashing the DNS proxy by adding the code below into startProxy().

    let bug: Int? = nil
    os_log("bug: %{public}s", log: Log.ext, type: .debug, bug!)

It can be seen from below the log that “starting proxy” happens three times before it died. It makes no difference if we put the same bug inside handleNewFlow(). And that causes no browsing through under incognito mode. Can you help confirm this? If it is the case, is there any way to guard the sys extension process and respawn it as a kind of robustness? Thanks in advance for any suggestion.

Richard
Replies: 2 | Boosts: 0 | Views: 931 | Activity: Feb ’22
appproxy: failed to write a message: no buffer space available
Hi there, I am using AppProxyProvider. While doing some speed tests via some web sites, it raised errors like the ones below and the appproxy restarted itself.

    "app receive buffer is full, queueing *** bytes"
    "failed to write a message: no buffer space available"

Good thing is that no crash happens. Wonder what is going on with the TCPFlow: not fast enough to handle incoming data? Any way to avoid that? Thanks in advance for any suggestion.
Replies: 1 | Boosts: 0 | Views: 728 | Activity: Apr ’21
Any proper way to get remote tcp port and ip address from a NEAppProxyTCPFlow
Hi there, In order to get the remote tcp port from a NEAppProxyTCPFlow, what I did is:

    (NEAppProxyTCPFlow as! NWHostEndpoint).port

But I do not think that is a good way of achieving it. Is there any proper way for it? And I believe the ip address can be fetched by:

    NEAppProxyTCPFlow.remoteHostName

Is that right? Thanks in advance for any suggestion.
Replies: 1 | Boosts: 0 | Views: 559 | Activity: Apr ’21
The correct way to create tcp connection to localhost
Hi there, I am using NetworkExtension and would like to create a TCP connection to localhost. With the code below, I faced some strange problems: the appproxy restarts itself periodically with all the traffic during the test.

    import NetworkExtension

    let ep = NWHostEndpoint(hostname: "127.0.0.1", port: String(8888))
    let connection = createTCPConnection(to: ep, enableTLS: false, tlsParameters: nil, delegate: nil)

Wonder what is the correct way of achieving that? Thanks in advance for any suggestion.
Replies: 1 | Boosts: 0 | Views: 679 | Activity: Apr ’21
Capturing all udp traffic cause network gone after around three hours
Hi there, This is to make a separate thread for the case where capturing all UDP traffic causes the network to be gone. I am using this filter setting:

    for seg in 1...254 {
        if seg != 127 {
            hosts = [("\(seg).0.0.0", "0")]
            for host in hosts {
                let ep = NWHostEndpoint(hostname: host.0, port: host.1)
                let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
                rules.append(rule)
            }
        }
    }

It works from the beginning as expected, capturing all UDP traffic including port 53. But then after around three hours, the network is gone like below:

    ping apple.com
    ...
    Request timeout for icmp_seq 14745
    ping: sendto: No route to host
    Request timeout for icmp_seq 14746
    ping: sendto: No route to host

When the issue happens, the appproxy network service is still connected and running, but my wifi network service becomes unconnected (as self-assigned IP) and not recoverable. Only by removing the appproxy service and reconnecting wifi can it recover. I have tried both NWUDPSession and NWConnection for UDP, but with the same result. Would like to hear your suggestion, as I got your point before saying: Proxying UDP flows is something that can be done without a crash. Thanks in advance.
Replies: 1 | Boosts: 0 | Views: 699 | Activity: May ’21
Can we hide all network service configurations for appproxy
Hi there, I am using TransparentProxyProvider at the moment, and would like to hide all the configurations from the network service, like what it looks like with SimpleFirewall. I took a look at the source code of SimpleFirewall, but didn't quite get the idea of how to make all the configuration items hidden. Thanks in advance for any suggestion.

Regards, Richard
Replies: 1 | Boosts: 0 | Views: 629 | Activity: Jul ’21
system extension only prompt with SIP off
Hi there, We are at the moment using appproxy from a system extension. It works fine. But it is realised that the system extension only prompts with csrutil disable. With csrutil enable, there is no prompt to add it, thus we cannot use it at all. As far as I understand, SIP is enabled by default. We cannot ask the customers to disable it one by one in order to have the system extension work? Thanks in advance for any suggestion.

Regards, Richard
Replies: 1 | Boosts: 0 | Views: 576 | Activity: Jul ’21
Monterey Beta 8 appproxy when block QUIC traffic, no network!
Hi there, Encountered something weird when doing beta testing on Monterey Beta 8, while all is good with Monterey Beta 6: We use a system extension for NETransparentProxyProvider and we block QUIC traffic with the code below:

    override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool {
        let ep = remoteEndpoint as! NWHostEndpoint
        flow.open(withLocalEndpoint: nil) { [unowned self] error in
            guard error == nil else {
                flow.closeReadWithError(error)
                flow.closeWriteWithError(error)
                return
            }
        }
        if ep.port == "80" || ep.port == "443" {
            flow.closeReadWithError(nil)
            flow.closeWriteWithError(nil)
            return
        }
        ...
    }

That works pretty well all through Big Sur to Monterey Beta 6. But when I upgraded to Beta 8 with the same, the system suffers:

Chrome has no network access anymore.
The system extension gets stuck the first time it is removed (it needs a second time to be removed).
Sometimes the whole macOS has no network access at all.

All these can be recovered by simply letting QUIC traffic through or not capturing it. But we need to block such traffic so that the Chrome browser falls back to TCP mode. Thanks in advance for any suggestion!

Regards, Richard
Replies: 1 | Boosts: 0 | Views: 489 | Activity: Oct ’21