Reply to excludedNetworkRules does not take effect
Some more traces with those filter rules:

```
🤪FZ$--hostName: www.apple.com remoteEp: 23.202.173.153:443 appId: com.google.Chrome.helper fzmacappproxy 18:22:57.007704+1000
🤪FZ$--hostName: supportmetrics.apple.com remoteEp: 17.137.160.100:443 appId: com.google.Chrome.helper fzmacappproxy 18:23:47.128264+1000
🤪FZ$--hostName: developer.apple.com remoteEp: 17.253.67.203:443 appId: com.google.Chrome.helper fzmacappproxy 18:23:47.485234+1000
```
May ’21
Reply to excludedNetworkRules does not take effect
Hi Matt, I am using the same settings as you do:

```swift
import NetworkExtension

let settings = NETransparentProxyNetworkSettings.init(tunnelRemoteAddress: "127.0.0.1")
// Include every outbound TCP connection to port 443 (0.0.0.0 with prefix 0 = any address)
settings.includedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]
// Exclude outbound TCP to apple.com on any port (port "0")
settings.excludedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "apple.com", port: "0"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]
```

But I still get apple.com traffic, as seen in Console when visiting apple.com from Chrome:

```
🤪FZ$--hostName: www.apple.com appId: com.google.Chrome.helper fzmacappproxy 16:21:02.531007+1000
🤪FZ$--hostName: supportmetrics.apple.com appId: com.google.Chrome.helper fzmacappproxy 16:21:14.125574+1000
```
May ’21
Reply to AppProxyProvider is not happy with some website
Some progress: after updating the code as below, that web page shows up. The only thing that remains is that the browser keeps loading this web page ("waiting for ..."). From the traces, new flowIds keep being generated.

```swift
connection.readMinimumLength(1, maximumLength: 65535, completionHandler: { [unowned self] (data, error) in
    guard error == nil else {
        FZLog(.error, "read from TCP connection error: \(error.debugDescription) \(connection.remoteAddress.debugDescription)")
        // Close down only when the read is complete
        if let error = error {
            if error._code == ECANCELED {
                FZLog(.verbose, "TCP connection cancelled: \(connection.debugDescription)")
                tcpflow.closeWriteWithError(error)
                tcpflow.closeReadWithError(error)
                connection.cancel()
            }
        }
        return
    }
    ...
```
May ’21
Reply to Why udp port 53 traffic is captured?
Following your suggestions, I tested with the code below, capturing traffic on all ports. Two things to mention:

1. It is better than before: the network stays alive for a couple of hours before it dies. Attached is the log from when it crashed.
2. UDP 53 traffic is still seen.

```swift
import NetworkExtension

var rules: [NENetworkRule] = []
var hosts: [(String, String)] = []
for seg in 1...254 {
    if seg != 127 {                         // skip the loopback /8
        hosts = [("\(seg).0.0.0", "0")]     // port "0" matches every port
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            var rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)
            rules.append(rule)
            // Note: this port-range list is assigned but never used; the UDP rule below
            // reuses `ep`, whose port is "0", so it still matches UDP on every port (including 53)
            hosts = [("\(seg).0.0.0", "0...52"), ("\(seg).0.0.0", "54...65535"),]
            rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
            rules.append(rule)
        }
    }
}
let settings = NETransparentProxyNetworkSettings.init(tunnelRemoteAddress: "127.0.0.1")
settings.includedNetworkRules = rules
settings.excludedNetworkRules = nil
```

[full mode crash](https://developer.apple.com/forums/content/attachment/88570304-6dc8-4bcb-a54e-5df782fdebca)
May ’21
Reply to Why udp port 53 traffic is captured?
Thanks for the good point. To rule out whether it is tcp or udp that caused the crash, I would like to try NWConnection rather than NWUDPSession (which I am currently using). The question is: if I want to try NWConnection for the udp flow handler (with the .udp option), how do I handle multiple datagrams with connection.send?

```swift
udpflow.readDatagrams(completionHandler: { [unowned self] (datagrams: [Data]?, endpoints: [NWEndpoint]?, readError) in
```
May ’21
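The post above asks how to feed the datagrams from readDatagrams into NWConnection.send. The following is an added example, not the poster's or Apple's code: it opens one NWConnection(.udp) per distinct remote endpoint, issues exactly one send per datagram, and assumes the endpoints the flow reports are NWHostEndpoint instances and that a UDPFlowRelay is created in handleNewFlow for each NEAppProxyUDPFlow.

```swift
import Foundation
import Network
import NetworkExtension

// Added example (not the poster's code): relay one NEAppProxyUDPFlow over NWConnection(.udp).
// One connection per remote endpoint, one send(...) per datagram (isComplete defaults to true,
// so datagram boundaries survive), and the next readDatagrams only after the batch is processed.
final class UDPFlowRelay {
    private let flow: NEAppProxyUDPFlow
    private let queue = DispatchQueue(label: "udp-flow-relay")   // serialises all mutable state
    private var connections: [String: NWConnection] = [:]        // keyed by "host:port"
    init(flow: NEAppProxyUDPFlow) { self.flow = flow }
    func start() {
        flow.readDatagrams { [weak self] d, e, err in self?.queue.async { self?.relay(d, to: e, error: err) } }
    }
    private func relay(_ datagrams: [Data]?, to endpoints: [NetworkExtension.NWEndpoint]?, error: Error?) {
        // An empty batch means the client closed the flow; tear everything down.
        guard error == nil, let datagrams = datagrams, let endpoints = endpoints,
              !datagrams.isEmpty else { close(error); return }
        let group = DispatchGroup()
        for (datagram, endpoint) in zip(datagrams, endpoints) {
            guard let remote = endpoint as? NWHostEndpoint,
                  let conn = connection(to: remote) else { continue }   // drop an unroutable datagram
            group.enter()
            conn.send(content: datagram, completion: .contentProcessed({ _ in group.leave() }))
        }
        group.notify(queue: queue) { [weak self] in self?.start() }     // read the next batch
    }
    private func connection(to remote: NWHostEndpoint) -> NWConnection? {
        let key = "\(remote.hostname):\(remote.port)"
        if let existing = connections[key] { return existing }
        guard let port = Network.NWEndpoint.Port(remote.port) else { return nil }
        let conn = NWConnection(host: Network.NWEndpoint.Host(remote.hostname), port: port, using: .udp)
        conn.stateUpdateHandler = { [weak self] state in if case .ready = state { self?.receive(on: conn, from: remote) } }
        connections[key] = conn
        conn.start(queue: queue)   // sends issued before .ready are queued by the framework
        return conn
    }
    // Every reply from the remote goes back into the flow, tagged with its sender.
    private func receive(on conn: NWConnection, from remote: NWHostEndpoint) {
        conn.receiveMessage { [weak self] data, _, _, error in
            guard let self = self, let data = data, error == nil else { return }
            self.flow.writeDatagrams([data], sentBy: [remote]) { _ in self.receive(on: conn, from: remote) }
        }
    }
    private func close(_ error: Error?) {
        connections.values.forEach { $0.cancel() }
        flow.closeReadWithError(error)
        flow.closeWriteWithError(error)
    }
}
```

Because a UDP flow is keyed by the client's local port rather than by one peer, a single flow can carry datagrams to several remotes, which is why the relay keeps a connection per endpoint instead of one per flow.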
Reply to Why udp port 53 traffic is captured?
Confirmed that only capturing all udp traffic, as below, causes the network crash. I would like to try NWConnection .udp rather than the NWUDPSession currently in use. Do you have any sample code for using NWConnection together with NEAppProxyUDPFlow?

```swift
import NetworkExtension

var rules: [NENetworkRule] = []
var hosts: [(String, String)] = []
for seg in 1...254 {
    if seg != 127 {                         // skip the loopback /8
        hosts = [("\(seg).0.0.0", "0")]     // port "0" matches every port
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
            rules.append(rule)
        }
    }
}
```
May ’21
Reply to Why udp port 53 traffic is captured?
As confirmed, only capturing all udp traffic can cause the network crash. I tried different approaches around udp, but all failed. Those include excluding reserved ip segments for the local network, excluding multicast segments, and only including 1.0.0.0/8 to 127.0.0.0/8 for udp traffic. So far, I do believe that if there is any way to exclude udp 53 traffic, this should get resolved. But as you see, I am using a non-zero default route as suggested, yet udp 53 packets still come in. Furthermore, as you noted, "you cannot filter localNetwork traffic with NEAppProxyProvider either"; does it mean that we have no way to eliminate udp 53 traffic with NEAppProxyProvider? Thanks in advance for any suggestion.
May ’21
Reply to Is it possible to use AppProxy and DNSProxy together
Hi there, Following this topic, we managed to make both appproxy and dnsproxy work together at the same time, but with some constraints. I wonder if you can provide some help.

1. The extension needs to be uninstalled each time before running the application. The extension is controlled with the command below.

```shell
systemextensionsctl uninstall $DNSExtensionID $DNSExtensionName
```

2. If dnsproxy is started first, only one network service is prompted and added, without the one for appproxy. If appproxy is started first, both network services are added, but dnsproxy doesn't work (because of the extension access right problem).

```swift
// AppDelegate.swift
func applicationDidFinishLaunching(_ notification: Notification) {
    ...
    // Start App Proxy
    ProxyManager.shared().loadProxyManager(connect: true) {
        ProxyManager.shared().addObserver {}
        ProxyManager.shared().start()
        // Start the DNS Proxy
        DNSManager.shared().start() {}
    }
    ...
```

Any suggestion on this?

3. Stability, mainly from the dns proxy: after running for a while with both proxies, name resolution fails. We will go on checking this point as well.
May ’21
Reply to Why udp port 53 traffic is captured?
> You can let the system handle all UDP flows. You can attempt to target a small subset of UDP flows and if you receive port 53 flows, you can proxy them. Proxying UDP flows is something that can be done without a crash.

That is what I am trying at the moment. But when letting all udp traffic through with the filter settings below, within around three hours the network is gone, as shown below. A crash might not happen though.

```
ping apple.com
...
Request timeout for icmp_seq 14745
ping: sendto: No route to host
Request timeout for icmp_seq 14746
ping: sendto: No route to host
```

I have tried both the udp session and NWConnection for the remote connection, with the same result. Any suggestion?

```swift
import NetworkExtension

var rules: [NENetworkRule] = []
var hosts: [(String, String)] = []
for seg in 1...254 {
    if seg != 127 {                         // skip the loopback /8
        hosts = [("\(seg).0.0.0", "0")]     // port "0" matches every port
        for host in hosts {
            let ep = NWHostEndpoint(hostname: host.0, port: host.1)
            let rule = NENetworkRule.init(remoteNetwork: ep, remotePrefix: 8, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
            rules.append(rule)
        }
    }
}
```
May ’21
Reply to Is it possible to use AppProxy and DNSProxy together
Hi Matt, We still cannot make AppProxyProvider and DNSProxyProvider work together. The main problems are still:

1. Stability: after running for a while with both proxies, name resolution fails.
2. The extension needs to be uninstalled each time before running the application. The extension is controlled with the command below.

```shell
systemextensionsctl uninstall 5S77G864UH com.familyzone.macappproxy.dns
```

However, we made it work by using only AppProxyProvider to filter and handle dns traffic based on udp port 53. The problem is whether this way is illegal, as nowhere in the documentation can I find that this is a valid way of handling dns traffic using only AppProxyProvider. So, I need your help in two respects:

1. Solve the issues with having both AppProxyProvider and DNSProxyProvider working together.
2. Help confirm whether it is legal to handle dns traffic with AppProxyProvider only.

Thanks in advance.
Richard
May ’21
Reply to BigSur 11.5 Beta breaks NWConnection
> If I am reading this correctly, NWConnection is not broken in macOS 11.5 Beta but you are instead seeing variable network speeds through your provider where NWConnection is used. Is that correct?

It is not only a network speed drop, but after some time there is no network access anymore (I am capturing tcp 80/443 outbound traffic only). That was not the case with Big Sur 11.4.

> Are you using NEAppProxyProvider or are you using NETransparentProxyProvider?

I am using NEAppProxyProvider.
May ’21
Reply to Is it possible to use AppProxy and DNSProxy together
> Using NEAppProxyProvider or even better yet, NETransparentProxyProvider is one known alternative to creating a NEDNSProxyProvider to handle your system level DNS flows.

Good to see that confirmation.

> As far as your name resolution issues, if you start your NEDNSProxyProvider to handle DNS flows and then you start a NEAppProxyProvider or NETransparentProxyProvider afterwards to only handle TCP flows, do you still run into a conflict here?

I tried that before, as I remember, without udp filtering from appproxy, with the same problem (network cannot pass through). I can double-check anyway. Is there any concern about which to start first, dnsproxy or appproxy?
May ’21