excludedNetworkRules does not take effect
Hi there,

I am using AppProxyProvider and it can capture packets as I defined. But when I try to exclude traffic with excludedNetworkRules, it seems not to work. Below is my code for setting things up. I capture all port 443 traffic with includedNetworkRules and exclude facebook.com with excludedNetworkRules. But facebook.com:443 traffic is still captured.

    private func includeRules() -> [NENetworkRule] {
        // Web mode: match every outbound flow to port 443 (prefix 0 = any remote address)
        let hosts = [("0.0.0.0", "443")]
        var rules: [NENetworkRule] = []
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
            rules.append(rule)
        }
        return rules
    }

    private func excludeRules() -> [NENetworkRule] {
        // Exclude facebook.com:443 from the included set
        let hosts = [("facebook.com", "443")]
        var rules: [NENetworkRule] = []
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
            rules.append(rule)
        }
        return rules
    }

    ...
    settings.includedNetworkRules = includeRules()
    settings.excludedNetworkRules = excludeRules()

If I replace the hosts in excludeRules() as below, replacing the facebook.com domain name with its IP address, then no port 443 traffic is captured at all.

    let hosts = [("157.240.8.35", "443")]

Am I doing anything wrong? Thanks in advance for any suggestion.
Replies
6
Boosts
0
Views
1.1k
Activity
Sep ’21
Why is udp port 53 traffic captured?
Hi there,

I am using NEAppProxyProvider to filter a range of port traffic. I am trying to capture all port traffic (except udp port 53) as below. There are mainly two problems with the approach below: sometimes it works and captures all traffic, but sometimes it cannot. And udp 53 traffic is always captured. Is this a bug?

    private func buildRules(fullMode: Bool) -> [NENetworkRule] {
        var rules: [NENetworkRule] = []
        // Every port except 53; remotePrefix 0 on 0.0.0.0 matches any remote address
        let hosts = [("0.0.0.0", "0...52"), ("0.0.0.0", "54...65535")]
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
            rules.append(rule)
        }
        return rules
    }

    ...
    let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
    settings.includedNetworkRules = buildRules(fullMode: true)
    settings.excludedNetworkRules = nil
    settings.dnsSettings = NEDNSSettings(servers: ["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"])
    setTunnelNetworkSettings(settings) { [unowned self] (error) in
        ...
Replies
28
Boosts
0
Views
3.5k
Activity
May ’21
Is it possible to use AppProxy and DNSProxy together
Hi there,

I am using AppProxyProvider and DNSProxyProvider together. When using only one of them, it works well so far. But when putting the two together, no traffic goes through. For example, nslookup google.com doesn't work anymore. So just to confirm with you: is it allowed to use these two at the same time? Thanks in advance for any suggestion.
Replies
10
Boosts
0
Views
1.4k
Activity
Jun ’21
Capturing all udp traffic causes the network to go away after around three hours
Hi there,

This is to make a separate thread for the case where capturing all udp traffic causes the network to go away. I am using this filter setting:

    for seg in 1...254 {
        if seg != 127 {
            // One /8 rule per first octet, skipping loopback
            hosts = [("\(seg).0.0.0", "0")]
            for host in hosts {
                let ep = NWHostEndpoint(hostname: host.0, port: host.1)
                let rule = NENetworkRule(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
                rules.append(rule)
            }
        }
    }

It works from the beginning as expected, capturing all udp traffic including port 53. But then after around three hours, the network is gone, like below:

    ping apple.com
    ...
    Request timeout for icmp_seq 14745
    ping: sendto: No route to host
    Request timeout for icmp_seq 14746
    ping: sendto: No route to host

When the issue happens, the appproxy network service is still connected and running, but my wifi network service becomes unconnected (with a self-assigned IP) and is not recoverable. Only by removing the appproxy service and reconnecting wifi can it recover. I have tried both NWUDPSession and NWConnection for udp, with the same result. I would like to hear your suggestion, as I got your point before, saying: Proxying UDP flows is something that can be done without a crash. Thanks in advance.
Replies
1
Boosts
0
Views
718
Activity
May ’21
BigSur 11.5 Beta breaks NWConnection
Hi there,

I have a set of filter code based on AppProxyProvider that works pretty well: it captures tcp and udp traffic using NWConnection. Unfortunately, I recently upgraded to 11.5 Beta and then everything went wrong: the bandwidth as tested via some website, say fast.com, drops after running for several minutes to 2Mbps for both upload/download (although my broadband's normal speed is 50Mbps). I capture only tcp traffic to ports 80 and 443. I wonder whether it is some bug in network extension or some API-level change I need to adapt to. I checked the release notes, but nothing is mentioned about any change around network extension. That blocks our beta plan! Thanks in advance for any suggestion.
Replies
7
Boosts
0
Views
1.1k
Activity
Jun ’21
Is it mandatory to place an appproxy-systemextension app directly under the /Applications folder
Hi there,

I have found that I have to place my application.app using appproxy-systemextension directly under the /Applications folder, so that it can load the systemextension properly with the open /Applications/application.app command. If I place it under /Applications/company.app/bin/application.app and launch it with the command open /Applications/company.app/bin/application.app, it always fails with the complaint OSSystemExtensionErrorDomain / 1. So the question is: is it mandatory to have this appproxy-systemextension application directly under the /Applications folder? Thanks in advance for the confirmation.

Regards
Richard
Replies
2
Boosts
0
Views
718
Activity
Jul ’21
Can we hide all network service configurations for appproxy
Hi there,

I am using TransparentProxyProvider at the moment, and would like to hide all the configurations from the network service, like what it looks like with SimpleFirewall. I took a look at the source code of SimpleFirewall, but didn't quite get the idea of how to make all the configuration items hidden. Thanks in advance for any suggestion.

Regards
Richard
Replies
1
Boosts
0
Views
651
Activity
Jul ’21
Hundreds of appproxy flows are generated when visiting some web site.
Hi there,

During testing with appproxy from a systemextension (TransparentProxyProvider) capturing 80/443 tcp traffic, I found that while visiting some websites, hundreds of tcp flows are generated, causing the appproxy to get stuck for some period (if we have some tasks for each flow). The websites can be speedtest sites, such as https://www.speedtest.net, or some complex forums, for example https://www.wenxuecity.com. Do you have any suggestion on how to reduce the number of flows? Thanks in advance.

Regards
Richard
Replies
8
Boosts
0
Views
1.7k
Activity
Jul ’21
system extension only prompts with SIP off
Hi there,

We are using appproxy from a system extension at the moment. It works fine. But I realised that the system extension only prompts with csrutil disable. With csrutil enable, there is no prompt to add it, so it cannot be used at all. As far as I understand, SIP is enabled by default. We cannot ask the customers to disable it one by one in order to have the system extension work? Thanks in advance for any suggestion.

Regards
Richard
Replies
1
Boosts
0
Views
599
Activity
Jul ’21
How to uninstall a systemextension with SIP on
Hi there,

We are using a systemextension for network, and now we try to turn on SIP and install/uninstall the systemextension. The current status is that with SIP on, the systemextension can be installed correctly, but cannot be uninstalled. The install/uninstall code is as below. Calling installSystemExtension() from the entrance of ProxyManger.swift:loadProxyManager returns success: activation request succeeded. And the systemextension list command shows the newly installed sysExt. But calling uninstallSystemExtension() from the entrance of ProxyManger.swift:remove() results in an error: deactivation request failed authorization: unauthorized. And the systemextension list command shows no difference.

    @available(macOS 11.0, *)
    private func installSystemExtension() {
        log.info("[LogApp] will submit activation request")
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
            queue: .main
        )
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
        log.info("[LogApp] did submit activation request")
    }

    // MARK: - Unload System Extension
    @available(macOS 11.0, *)
    public func uninstallSystemExtension() {
        log.info("[LogApp] will submit deactivation request")
        let request = OSSystemExtensionRequest.deactivationRequest(
            forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
            queue: .main
        )
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
        log.info("[LogApp] did submit deactivation request")
    }

Thanks in advance for any suggestion.
Replies
6
Boosts
0
Views
2.4k
Activity
Sep ’21
Any way to get rid of prompt when deleting an application with sysExt
Hi there,

I would like to ask whether there is any possibility of removing the prompt that appears when deleting an application with a system extension from the /Applications folder with Finder. Thanks in advance for any suggestion.

Regards
Richard
Replies
1
Boosts
0
Views
795
Activity
Aug ’21
Monterey Beta 8 appproxy when block QUIC traffic, no network!
Hi there,

I encountered something weird when doing beta testing on Monterey Beta 8, while all was good with Monterey Beta 6. We use a system extension for NETransparentProxyProvider and we block QUIC traffic with the code below:

    override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool {
        let ep = remoteEndpoint as! NWHostEndpoint
        flow.open(withLocalEndpoint: nil) { [unowned self] error in
            guard error == nil else {
                flow.closeReadWithError(error)
                flow.closeWriteWithError(error)
                return
            }
        }
        if ep.port == "80" || ep.port == "443" {
            // QUIC (UDP to 80/443): close both directions so the flow is blocked
            flow.closeReadWithError(nil)
            flow.closeWriteWithError(nil)
            return true   // the flow was opened above, so report it as handled
        }
        ...
    }

That works pretty well all through Big Sur to Monterey Beta 6. But when I upgraded to Beta 8 with the same code, the system suffers:

- Chrome has no network access anymore.
- The system extension gets stuck when first removed (it needs a second removal).
- Sometimes the whole macOS has no network access at all.

All of these can be recovered by simply letting QUIC traffic through or not capturing it. But we need to block such traffic so that the Chrome browser falls back to TCP mode. Thanks in advance for any suggestion!

Regards
Richard
Replies
1
Boosts
0
Views
516
Activity
Oct ’21
SIP phone application gets upset with AppProxyProvider filtering all udp traffics
Hi there,

I have newly found that with all udp traffic filtered, a SIP phone application doesn't have audio anymore. With wireshark analysis, it seems that the STUN protocol gets upset ahead of the RTP messages. It turns into some unknown format although we only pipe it through. The only way to work around it is to bypass all rtp ports. But we cannot do that as it is a huge range. Thanks in advance for any suggestion. Attached are the captures with and without the rtp range bypassed. That was tested with the linphone SIP phone application.
Replies
1
Boosts
0
Views
803
Activity
Oct ’21
Monterey 12.0 appproxy network down with dns duration test
Hi there,

This was found with a duration test on Monterey 12.0. We are using appproxy and pipe through all udp traffic including dns requests (udp port 53). With the script below doing only one nslookup per second, it fails within a couple of hours. No network at all, although no error is reported at the appproxy level. The only way to recover so far is to uninstall the system extension.

    #!/bin/bash
    i=1
    while true
    do
        i=$((i+1))
        echo "loop $i"
        nslookup www.google.com
        sleep 1
    done

I tried the latest 12.1 beta: same failure. This test has no problem with Big Sur, including 11.6. Thanks in advance for any suggestion.

Regards
Richard
Replies
24
Boosts
0
Views
3.6k
Activity
Jan ’22
About the use case of dnsproxy + appproxy filter all udp traffic
Hi there,

This is a question about using dnsproxy together with appproxy. In case I need to filter all udp traffic through appproxy, what about dns traffic to port 53? It will go through both appproxy and dnsproxy! Do I need to return false inside appproxy for outbound udp 53 traffic without even opening the flow? Is there any conflict in such usage? Thanks in advance for any suggestion.

Regards
Richard
Replies
1
Boosts
0
Views
645
Activity
Nov ’21