Ok. Will raise a new one for it (handleNewFlow() sometimes not invoked). Seems need to pay then.

If I put in excluded rule with port 53, appproxy will keep recycling. Removing NEDNSSettings doesn't help with the two issues. Raised a TSI case 767665663 only for udp 53 traffic issue. When I try to update with the other issue (handleNewFlow() sometimes not invoked) in the same scenario, couldn't find anywhere to edit my ticket. Do you know how to edit a TSI request?

There is a dns setting like below: settings.dnsSettings = NEDNSSettings(servers: ["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"]) Commenting it out still see the port 53 traffic like below: 🤪FZ$--traffic handling tcp flow TCP fc-system-service_darwin-amd64[{length = 20, bytes = 0xf2eb944db46831eb67c5114a4da698418011e2ad}] remote: 52.95.132.69:80 interface en0 fzmacappproxy 07:59:41.762307+1000 🤪FZ$--traffic handling udp flow to: 192.168.0.1:53 fzmacappproxy 07:59:41.989191+1000 🤪FZ$--traffic handling udp flow to: 192.168.0.1:53 fzmacappproxy 07:59:42.195246+1000 🤪FZ$--traffic handling udp flow to: 192.168.0.1:53 fzmacappproxy 07:59:42.196681+1000 🤪FZ$--traffic handling udp flow to: 192.168.0.1:53 fzmacappproxy 07:59:42.399203+1000 🤪FZ$--traffic handling udp flow to: fe80::1.53 fzmacappproxy 07:59:42.400754+1000 🤪FZ$--traffic handling udp flow to: fe80::1.53 fzmacappproxy 07:59:42.402079+1000 🤪FZ$--traffic handling udp flow to: 192.168.0.1:53 fzmacappproxy 07:59:42.609971+1000 🤪FZ$--traffic handling udp flow to: 192.168.0.1:53 fzmacappproxy 07:59:42.614274+1000 🤪FZ$--traffic handling udp flow to: 2001:4860:4860::8888.53 fzmacappproxy 07:59:53.037751+1000 🤪FZ$--traffic handling udp flow to: 10.0.0.10:53 fzmacappproxy 07:59:53.046197+1000 🤪FZ$--traffic handling udp flow to: 10.0.0.10:53 fzmacappproxy 07:59:53.048681+1000 🤪FZ$--traffic handling udp flow to: 1.1.1.1:53 fzmacappproxy 07:59:53.760442+1000 🤪FZ$--traffic handling udp flow to: 2001:4860:4860::8888.53 fzmacappproxy 07:59:55.095695+1000 🤪FZ$--traffic handling udp flow to: fe80::1.53 fzmacappproxy 07:59:56.042586+1000 handleNewFlow() is like below: override func handleNewFlow(_ flow: NEAppProxyFlow) - Bool { if let TCPFlow = flow as? NEAppProxyTCPFlow { FZLog(.verbose, "traffic handling tcp flow \(TCPFlow.debugDescription)") TCPFlow.open(withLocalEndpoint: nil) { [unowned self] (error) in guard error == nil else { FZLog(.error, "tcp flow open error: \(error.debugDescription)") self.closeAppProxyFlow(flow: TCPFlow, error: error) return } self.handleFlow(tcpflow: TCPFlow) } } else if let UDPFlow = flow as? NEAppProxyUDPFlow { FZLog(.fatal, "UDP flow should not be captured \(UDPFlow.debugDescription) if handleNewUDPFlow is overridden") } else { FZLog(.fatal, "Should not capture something here \(flow.metaData.debugDescription)") } return true } checking for a property of variable that is not set or nil? What property of variable here do you mean? Code example?

I have put in place some traced from within handleNewFlow together with the rule setting: ("0.0.0.0", "0...52") and ("0.0.0.0", "54...65535") And I can get below traces 🤪FZ$--traffic handling udp flow to: 8.8.4.4:53 fzmacappproxy 04:16:22.468086+1000 🤪FZ$--traffic handling udp flow to: 1.1.1.1:53 fzmacappproxy 04:16:22.470011+1000 🤪FZ$--traffic handling udp flow to: 10.0.0.10:53 fzmacappproxy 04:16:22.471286+1000 🤪FZ$--traffic handling udp flow to: 10.0.0.10:53 fzmacappproxy 04:16:22.472517+1000 🤪FZ$--traffic handling udp flow to: 10.0.0.10:53 fzmacappproxy 04:16:22.473659+1000 🤪FZ$--traffic handling udp flow to: 10.0.0.10:53 fzmacappproxy 04:16:22.475028+1000 This is one thing. The second thing is that with that rule set, sometimes it can capture all traffics, some times it seems blocked some where. That can be verified by using netcat command sending out packets with the same subnet of en0. If I filter with com.apple.nc on console app, with the command nc 192.168.0.100 8888, in good cases I can get below trace: (2281480580): New flow: NEFlow type = stream, app = com.apple.nc, name = , 192.168.0.183:0 - 192.168.0.100:8888, filter_id = , interface = en0 fzmacappproxy 08:16:13.368577+1000 [Extension com.familyzone.macappproxy.proxy]: Calling handleNewFlow with TCP com.apple.nc[{length = 20, bytes = 0xb98252db9f8d8bbe4c383cf2ce6374eb34e3b83a}] remote: 192.168.0.100:8888 interface en0 fzmacappproxy 08:16:17.992887+1000 🤪FZ$--traffic handling tcp flow TCP com.apple.nc[{length = 20, bytes = 0xb98252db9f8d8bbe4c383cf2ce6374eb34e3b83a}] remote: 192.168.0.100:8888 interface en0 fzmacappproxy 08:16:17.992990+1000 [Extension com.familyzone.macappproxy.proxy]: provider accepted new flow TCP com.apple.nc[{length = 20, bytes = 0xb98252db9f8d8bbe4c383cf2ce6374eb34e3b83a}] remote: 192.168.0.100:8888 interface en0 fzmacappproxy 08:16:17.993701+1000 But sometimes it only show the first line below without the rest, which means NE callback is not envoked for some reason. (95809956): New flow: NEFlow type = stream, app = com.apple.nc, name = , 192.168.0.183:0 - 192.168.0.100:8888, filter_id = , interface = en0 fzmacappproxy 08:19:05.315187+1000 Is it another bug?

Rules with only 0.0.0 : 52 and 0.0.0.0 : 54 not going wrong, but it overlaps with rules like: ("0.0.0.0", "0...52") and ("0.0.0.0", "54...65535")

Thank you Eskimo.

let c1 = NWConnection(host: "example.com", port: 80, using: .tcp)let c2 = NWConnection(host: "example.com", port: 443, using: .tls) How about the usage when I use NetworkExtension? Thanks in advance.

Thanks for the suggestion. Is there any server side tcp tls usage example?

It is swift based one.

That is TCP based.

Thanks for the suggestion. Will trace down any crash happened as you pointed out.

Thank you for the conformation. That is clear to me :)