Post | Replies | Boosts | Views | Activity

ps -A cannot see system extension process with M1
Hi there,

There is something interesting that I do not understand when trying to fetch my appproxy (and dnsproxy) system extension process with commands like the ones below. With an Intel MacBook Pro, fetching that pid works fine. But with an M1 MacBook Pro, it returns nothing, although it is installed with the same Big Sur 11.6.1.

    ps -A | grep $MY_SYS_EXTENSION_PROCESS_NAME
    pgrep $MY_SYS_EXTENSION_PROCESS_NAME

Do you have any suggestion to make it behave the same on M1? Thanks in advance for any suggestion.

Regards
Richard

Replies: 6 | Boosts: 1 | Views: 1.4k | Activity: Dec ’21
How to uninstall a systemextension with SIP on
Hi there,

We are using systemextension for network, and now we are trying to turn on SIP and install/uninstall the systemextension. The current status is: with SIP on, the systemextension can be installed correctly, but cannot be uninstalled. The install/uninstall code is like below.

Calling installSystemExtension() from the entrance of ProxyManger.swift:loadProxyManager returns success:

    activation request succeeded

And systemextension list common shows the newly installed sysExt.

But calling uninstallSystemExtension() from the entrance of ProxyManger.swift:remove() results in an error:

    deactivation request failed authorization: unauthorized

And systemextension list common shows no difference.

    @available(macOS 11.0, *)
    private func installSystemExtension() {
        log.info("[LogApp] will submit activation request")
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
            queue: .main
        )
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
        log.info("[LogApp] did submit activation request")
    }

    // MARK: - Unload System Extension
    @available(macOS 11.0, *)
    public func uninstallSystemExtension() {
        log.info("[LogApp] will submit deactivation request")
        let request = OSSystemExtensionRequest.deactivationRequest(
            forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
            queue: .main
        )
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
        log.info("[LogApp] did submit deactivation request")
    }

Thanks in advance for any suggestion.

Replies: 6 | Boosts: 0 | Views: 2.3k | Activity: Sep ’21
iOS failed to launch dnsproxy network extension and no network anymore
Hi there,

We have a batch of customer iPads running an older version of our software with dnsproxy. They have not been running for a while. Then it was found that these devices cannot load the dnsproxy network extension and have no network access anymore. Below is the iPad console.

    iPad neagent(NetworkExtension)[220] <Error>: Failed to start extension com.***.ios-dns.ext: Error Domain=PlugInKit Code=4 "RBSLaunchRequest error trying to launch plugin com.***.ios-dns.ext(***): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x14de85170 {Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 85}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to launch plugin com.***.ios-dns.ext(***): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x14de85170 {Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 85}}}}

I guess it is because the dnsproxy provisioning profile there has already expired? In this case, is there any way to restore the network access remotely? There are hundreds of them. I cannot imagine needing to remove the app one by one manually.

Furthermore, is there any way to avoid such a situation: devices wake up after not being in use for some time, the provisioning profile expires, the dnsproxy network extension cannot be loaded, and there is no network anymore.

Thanks in advance for any suggestion,
Richard

Replies: 3 | Boosts: 0 | Views: 1.1k | Activity: May ’22
Any way to get local tcp port from NEAppProxyTCPFlow
Hi there,

I am developing software with Network Extension and it is halfway through. One of the requirements is to fetch back the local tcp port from a tcp flow that connects to a remote endpoint by createTCPConnection(). I can get the local tcp port with connection.localAddress after the connection is connected. But that is a bit late. If it is possible to get it from createTCPConnection, that will be perfect. But as seen from the document, createTCPConnection has only remoteEndpoint, no localEndpoint.

Thanks in advance for any suggestion.

Replies: 2 | Boosts: 0 | Views: 692 | Activity: Mar ’21
Any way to avoid app proxy reconnect when any connection broken
Hi there,

I am using AppProxyProvider that generates an app proxy. It captures tcp and udp flows and connects to remote endpoints by createTCPConnection() and createUDPSession(). In most cases it just works well. There is one thing that is quite annoying: while browsing with a web browser, sometimes the app proxy can restart itself, which seems related to some connection that is broken. Is there any suggestion to avoid such an app proxy reconnect even if an underlying connection is broken?

Thanks in advance.

Replies: 2 | Boosts: 0 | Views: 621 | Activity: Mar ’21
appproxy: failed to write a message: no buffer space available
Hi there,

I am using AppProxyProvider. While doing some speed tests via some web sites, it raised some errors like below and the appproxy restarted itself.

    "app receive buffer is full, queueing *** bytes"
    "failed to write a message: no buffer space available"

The good thing is that no crash happens. I wonder what is going on with the TCPFlow: not fast enough to handle incoming data? Any way to avoid that?

Thanks in advance for any suggestion.

Replies: 1 | Boosts: 0 | Views: 728 | Activity: Apr ’21
excludedNetworkRules does not take effect
Hi there,

I am using AppProxyProvider and it can capture packets as I defined. But when I try to exclude traffic with excludedNetworkRules, it does not seem to work. Below is my code for setting things up. I capture all 443 port traffic for includedNetworkRules and exclude facebook.com for excludedNetworkRules. But facebook.com:443 traffic is still captured.

    private func includeRules() -> [NENetworkRule] {
        // Web mode
        let hosts = [("0.0.0.0", "443")]
        var rules: [NENetworkRule] = []
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
            rules.append(rule)
        }
        return rules
    }

    private func excludeRules() -> [NENetworkRule] {
        let hosts = [("facebook.com", "443")]
        var rules: [NENetworkRule] = []
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
            rules.append(rule)
        }
        return rules
    }
    ...
    settings.includedNetworkRules = includeRules()
    settings.excludedNetworkRules = excludeRules()

If I change excludeRules() as below, replacing the facebook.com domain name with its ip address, then all 443 port traffic is not captured at all.

    let hosts = [("157.240.8.35", "443")]

Am I doing anything wrong? Thanks in advance for any suggestion.

Replies: 6 | Boosts: 0 | Views: 1.1k | Activity: Sep ’21
Any proper way to get remote tcp port and ip address from a NEAppProxyTCPFlow
Hi there,

In order to get the remote tcp port from a NEAppProxyTCPFlow, what I did is:

    (NEAppProxyTCPFlow as! NWHostEndpoint).port

But I do not think that is a good way of achieving it. Is there any proper way for it?

And I believe the ip address can be fetched by:

    NEAppProxyTCPFlow.remoteHostName

Is that right? Thanks in advance for any suggestion.

Replies: 1 | Boosts: 0 | Views: 559 | Activity: Apr ’21
The correct way to create tcp connection to localhost
Hi there,

I am using NetworkExtension and would like to create a tcp connection to localhost. With the code below, I faced some strange problems: appproxy restarts itself periodically with all the traffic during the test.

    import NetworkExtension

    let ep = NWHostEndpoint(hostname: "127.0.0.1", port: String(8888))
    let connection = createTCPConnection(to: ep, enableTLS: false, tlsParameters: nil, delegate: nil)

I wonder what is the correct way to achieve that? Thanks in advance for any suggestion.

Replies: 1 | Boosts: 0 | Views: 679 | Activity: Apr ’21
Why udp port 53 traffic is captured?
Hi there,

I am using NEAppProxyProvider to filter a scope of port traffic. I am trying to capture all port traffic (except udp port 53) like below. There are mainly two problems with the approach below:

- Sometimes it works and can capture all traffic, but sometimes it cannot.
- All the time, udp 53 traffic is always captured.

Is this a bug?

    private func buildRules(fullMode: Bool) -> [NENetworkRule] {
        var hosts = [("", "")]
        var rules: [NENetworkRule] = []
        hosts = [("0.0.0.0", "0...52"), ("0.0.0.0", "54...65535"),]
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
            rules.append(rule)
        }
        return rules
    }
    ...
    let settings = NETransparentProxyNetworkSettings.init(tunnelRemoteAddress: "127.0.0.1")
    settings.includedNetworkRules = buildRules()
    settings.excludedNetworkRules = nil
    settings.dnsSettings = NEDNSSettings(servers: ["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"])
    setTunnelNetworkSettings(settings) { [unowned self] (error) in
    ...

Replies: 28 | Boosts: 0 | Views: 3.4k | Activity: May ’21
Is it possible to use AppProxy and DNSProxy together
Hi there,

I am using AppProxyProvider and DNSProxyProvider together. When using only one of them, it works well so far. But when putting the two together, no traffic gets through. For example, nslookup google.com doesn't work anymore. So just to confirm with you: is it allowed to use these two at the same time?

Thanks in advance for any suggestion.

Replies: 10 | Boosts: 0 | Views: 1.4k | Activity: Jun ’21