I tried to unit test the method "FilterDataProvider.handleNewFlow" from the sample project https://developer.apple.com/documentation/networkextension/filtering_network_traffic I always get this below issue, Undefined symbols: Linker command failed with exit code 1 (use -v to see invocation) Could someone help with it?

We have a main app that handles UI and interaction with the user. And we also have daemon contained inside of it. Daemon has all the business logic and FDA and root permissions. Now we want to add a network extension. First we added the Network Extension to Main app and it was working fine (to test the waters). But then we decided to move it to Daemon since it has all the business logic and NE mostly contains business logic and no UI. It needs to be there. Now NE activationRequest(forExtensionWithIdentifier is working fine. But deactivationRequest(forExtensionWithIdentifier: during uninstall always fails with this error System Extension deactivationRequest fails with error he operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.) OSSystemExtensionError Code 13 says "An error code that indicates the system was unable to obtain the proper authorization." What does this actually mean. Also if there is an error why is it throwing it during uninstall rather than install? To make it more clear this is our app structure is Main.app -> Contents -> Mac OS -> Daemon.app -> Contents -> Library -> SystemExtensions -> System Extension Bundle Apple doc says @discussion This method creates a new request to activate/deactivate a System Extension. Extensions are discovered from the `Contents/Library/SystemExtensions` directory of the main application bundle. Our System Extension is present on the main app bundle and has Contents/Library/SystemExtensions structure but one extra layer deep. Is this supported app structure?. If not is there any way to succesfully uninstall NE from code. Right now systemextensionsctl uninstall won't work without System Integrity Protection disabled. Keeping NE on the main app will break our project structure and require major rewrite of the app. Also whenever I run systemextensionsctl with SIP on I get this message At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future. Please remember to re-enable System Integrity Protection! Apple introduced System Extensions in 2019. It is still not there yet. Does anybody have any idea when will Apple make it work? if at all?

[iOS 17] We are trying to configure below Tunnel Provider configuration and we are saving it in NETunnelProviderManager preferences before calling startTunnelWithOptions tunnelProvider.protocolConfiguration.includeAllNetworks = YES; tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; tunnelProvider.protocolConfiguration.enforceRoutes = NO; We are adding an IP in the excludeRoutes which belongs to server address[10.97.6.244]. Please refer the below network settings for VPN IPv4Settings = { configMethod = manual addresses = ( 10.97.4.188, ) subnetMasks = ( 255.255.255.255, ) includedRoutes = ( { destinationAddress = 0.0.0.0 destinationSubnetMask = 0.0.0.0 }, ) excludedRoutes = ( { destinationAddress = 10.97.6.244 destinationSubnetMask = 255.255.255.255 }, ) overridePrimary = NO } Issue: when we are trying to access server address, it's getting tunneled because of that few of our APIs are sending failure and we are unable to connect to VPN. Expected Results : excludedRoutes IPs should go via physical interface. STEPS TO REPRODUCE Configure VPN packet tunnel provider config as mentioned above and add some IPs in excludeRoutes Save the configuration to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler” Try to connect to VPN excludeRoutes are tunneled via VA

Requirement: We need to update below tunnel provider properties once VPN is up. Is it possible? includeAllNetworks excludeLocalNetworks enforceRoutes When is the standard time to configure and save the below properties in system preferences? Is it possible to save these properties in system preference when VPN is up? saveToPreferencesWithCompletionHandler If we can change these properties in VPN connected state, When these tunnel provider properties will come into effect?

Hi, With iOS-17.4 update, we are seeing AppProxy VPN not getting started when Apps (associated with PerAppVPN) tried to access network resource after MDM PerAppVPN profile install/update. Looks like PerApp rules associated with applayer vpn profile are broken after profile update/install as we see internet sites working without going through VPN (appProxy network extension), this start working if we toggle WiFi and then access network resource from Apps associated with PerAppVPN. Created FB13688086 with all the details for this iOS 17.4 and AppLayerVPN, looking for and update here and any feedback/pointers will help. Thanks

Is it possible to mock the behavior of NWPathMonitor for a specific app? The scenario I want to support I've created an app called RocketSim, a developer tool for Xcode's Simulator. I've already created Airplane mode, which disables networking calls from URLSession from a specific bundle identifier app installed on the Simulator. Now, I want to support blocking NWPathMonitor as well. I believe the Simulator uses macOS's NWPathMonitor and does not use any specific HTTP request or similar to determine the reachability state. Is there a way I can make NWPathMonitor return unsatisfied when my 'airplane mode' is turned on? Potentially using a Network Extension?

Hello, We would like to track the open sockets on the machine. we don't want to use a constantly running thread that polls the open sockets (such as by using sysctlbyname) since it sometimes will miss short-lived sockets. After some research we decided to implement a content filter (NEFilterDataProvider) that pass-through every socket flow. However, as we see and read in the forum, all previously opened sockets are disconnected once the filter is applied, which is an undesired thing for users using a VPN that will disconnect as well. We would like to know if there is a better way to track all sockets, preferably in an event-driven way, or, to prevent the existing sockets from disconnecting if we use the filter or other network extension.

Hello! I am part of a research team who need advice on how to track and intercept network requests from a device. More specifically, we are interested in collecting the websites the research participants have tried to access. We want something like what YouGov does with their Pulse App. Also, is it possible to implement this without having to rely on an external server that acts as a intermediary? How do we achieve this? We'd appreciate a detailed response with helpful links to how to implement it. Thank you very much for your time.

We have a network content-filter consisting of a main target/GUI, a FilterDataProvider extension and a FilterControlprovider extension. The app is installed via MDMs and works without issues the vast majority of times, but during testing of TestFlight builds we've found that intermittently the device fails to install the network extensions and blocks internet access. The GUI is working fine though. From the logs we can see that when this happens the device tries to start the network extensions repeatedly. The issue is solved by restarting the device. Has anyone experienced similar issues or have some ideas of what might cause this behaviour? These are some of the logs we see in Console: neagent [u E6D696F2-62FB-4262-A97C-B2006EC528C5:m (null)] [<private>(<private>)] Hub connection error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named <BundleID>.FilterDataProvider" ugDescription=connection to service named <BundleID>.FilterDataProvider}code-block Failed to start the data extension <BundleID>.FilterDataProvider: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named <BundleID>.FilterDataProvider" ugDescription=connection to service named <BundleID>.FilterDataProvider} nehelper Denying connection from nesessionmanager (264) because it is missing the com.apple.private.network.socket-delegate entitlement nesessionmanager <BundleID>[inactive]: starting launchd Service could not initialize: posix_spawn(/private/var/containers/Bundle/Application/F84E2325-05A6-4DC2-8DD6-20C97EF43E8D/<AppName>.app/PlugIns/FilterDataProvider.appex/FilterDataProvider) failed, error 0x2 - No such file or directory nesessionmanager NEFilterPlugin(<BundleID>[inactive]): Sending start command nesessionmanager <BundleID>[inactive]: starting neagent Looking for a data extension with identifier <BundleID>.FilterDataProvider neagent [d <private>] <PKHost:0x718915550> Query: { NSExtensionIdentifier = "<BundleID>.FilterDataProvider"; NSExtensionPointName = "com.apple.networkextension.filter-data"; } neagent Found 1 data extension(s) with identifier <BundleID>.FilterDataProvider neagent Looking for a control extension with identifier <BundleID>.FilterControlProvider neagent [d <private>] <PKHost:0x718915550> Query: { NSExtensionIdentifier = "<BundleID>.FilterControlProvider"; NSExtensionPointName = "com.apple.networkextension.filter-control"; } neagent Found 1 control extension(s) with identifier <BundleID>.FilterControlProvider neagent Beginning data extension request with extension <BundleID>.FilterDataProvider neagent [u C743CE7B-9E19-4A41-BF46-91AEFB24169D:m (null)] [<private>(<private>)] Failed to start plugin; pkd returned an error: Error Domain=PlugInKit Code=4 .<AppName>.FilterDataProvider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch ErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to launch 7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0xdb88df3d0 {Error UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}} neagent Extension request with data extension <BundleID>.FilterDataProvider started with identifier (null) neagent Failed to start the data extension <BundleID>.FilterDataProvider: Error Domain=PlugInKit Code=4 "RBSLaunchRequest error trying to launch vider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., SIXErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to DataProvider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., SIXErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}} nesessionmanager NESMFilterSession[FilterDataProvider:0C4C9E40-5005-47A5-8C60-F7C8630F29DF] in state NESMFilterSessionStateStarting: plugin NEFilterPlugin(e with error: 1 nesessionmanager <BundleID>[266]: disposing neagent Initializing the delegate neagent App <BundleID> is not installed or is not valid neagent App <BundleID> is not installed or is not valid neagent Failed to find a com.apple.networkextension.filter-data extension inside of app <BundleID> neagent NEAgentSession: failed to create the delegate nesessionmanager <BundleID>[259]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)" nesessionmanager <BundleID>[259]: XPC connection went away nesessionmanager NESMFilterSession[FilterDataProvider:0C4C9E40-5005-47A5-8C60-F7C8630F29DF]: Failed to start with error: Error Domain=NEAgentErrorDomain Code=2 "(null)"

Hi, I am working on the app for some basic concept, I would like to intercept both DNS and IP connections. I succeeded in intercepting DNS using NEDNSProxyProvider, however I seem to have some troubles with IPConnections using NEFilterDataProvider. First thing, I have three targets in my app. For some reason, when I run DNS Proxy Extension target it doesn't ask me to choose the app for target run, and after the application if launched, it correctly intercepts DNS traffic and inits NEDNSProxyManager ps: all logs are correctly displayed for NEFilterDataProvider However, when I try to run Filter Data Extension target with Content Filter capability, it asks me to choose the app for run. Even tho I checked the Build Settings and those are identical to DNS Proxy Extension target. And finally, when I run main target it still inits NEDNSProxyManager properly and the NEFilterManager returns this warning -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: (null) I tried to log the configuration and compared to some code samples, but I can't identify the problem. I'd very grateful if somebody could suggest where the problems might be (targets builds difference & NEFilterManager config) I will attach a sample of code where I add configuration to my NEFilterManager // MARK: - FilterDataManager final class FilterDataManager: NSObject, ObservableObject { // MARK: - Properties private let manager = NEFilterManager.shared() private let filterName = "Data Filter" @Published private(set) var isEnabled: Bool? = nil // MARK: - Singleton static let shared = FilterDataManager() // Cancellables set private var subs: Set<AnyCancellable> = [] private override init() { super.init() enable() manager.isEnabledPublisher() .receive(on: DispatchQueue.main) .sink(receiveValue: { [weak self] isEnabled in self?.setIsEnabled(isEnabled) }) .store(in: &subs) } // MARK: - Filter Configurations func enable() { manager.updateConfiguration { [unowned self] manager in manager.localizedDescription = filterName manager.providerConfiguration = createFilterProviderConfiguration() manager.isEnabled = true } completion: { result in guard case let .failure(error) = result else { return } Log("Filter enable failed: \(error)", prefix: "[Filter]") } } private func createFilterProviderConfiguration() -> NEFilterProviderConfiguration { let configuration = NEFilterProviderConfiguration() configuration.organization = "***" configuration.filterBrowsers = true configuration.filterSockets = true return configuration } func disable() { Log("Will disable filter", prefix: "[Filter]") manager.updateConfiguration { manager in manager.isEnabled = false } completion: { result in guard case let .failure(error) = result else { return } Log("Filter enable failed: \(error)") } } private func setIsEnabled(_ isEnabled: Bool) { guard self.isEnabled != isEnabled else { return } self.isEnabled = isEnabled Log("Filter \(isEnabled ? "enabled" : "disabled")", prefix: "[Filter]") } } ```Swift extension NEFilterManager { // MARK: - NEFilterManager config update func updateConfiguration(_ body: @escaping (NEFilterManager) -> Void, completion: @escaping (Result<Void, Error>) -> Void) { loadFromPreferences { [unowned self] error in if let error, let filterError = FilterError(error) { completion(.failure(filterError)) return } body(self) saveToPreferences { (error) in if let error, let filterError = FilterError(error) { completion(.failure(filterError)) return } completion(.success(())) } } } // MARK: - Publisher enabling func isEnabledPublisher() -> AnyPublisher<Bool, Never> { NotificationCenter.default .publisher(for: NSNotification.Name.NEFilterConfigurationDidChange) .compactMap { [weak self] notification in guard let self else { return nil } return self.isEnabled } .eraseToAnyPublisher() } } // MARK: - FilterError @available(iOS 8.0, *) enum FilterError: Error { /// The Filter configuration is invalid case configurationInvalid /// The Filter configuration is not enabled. case configurationDisabled /// The Filter configuration needs to be loaded. case configurationStale /// The Filter configuration cannot be removed. case configurationCannotBeRemoved /// Permission denied to modify the configuration case configurationPermissionDenied /// Internal error occurred while managing the configuration case configurationInternalError case unknown init?(_ error: Error) { switch error { case let error as NSError: switch NEFilterManagerError(rawValue: error.code) { case .configurationInvalid: self = .configurationInvalid return case .configurationDisabled: self = .configurationDisabled return case .configurationStale: self = .configurationStale return case .configurationCannotBeRemoved: self = .configurationCannotBeRemoved return case .some(.configurationPermissionDenied): self = .configurationPermissionDenied return case .some(.configurationInternalError): self = .configurationInternalError return case .none: return nil @unknown default: break } default: break } assertionFailure("Invalid error \(error)") return nil } }

We have a test scenario where we install our app package on a Mac setup using MDM (Jamf). Below are the test steps and observation: This installation is done on this Mac with no user logged in. Installation is completed successfully. Now when an user log in on this mac machine, the expectation is that the app bundle will be started by the launchd (RunAtLoad). But the app is not started. When I check console logs I could see few logs around the app but from those logs I couldn't figure out why the app didn't start. I rebooted my test machine but that also didnt start my app. My app is not listed in 'launchctl list' command. My App bundle contains container app and a packet tunnel extension. Below is how my plist file looks like in '/Library/LaunchAgents/com.****.***ui.plist': { KeepAlive = 1; Label = "com.*****.client.****ui"; LimitLoadToSessionType = ( Aqua ); ProgramArguments = ( "/Applications/*********.app/Contents/MacOS/****Module" ); RunAtLoad = 1; SuccessfulExit = 1; Version = "110.200.0.100"; } In Console below are the last set of log which I could find related to my app: support_log.txt In above logs below statement mentions the extn which is related to my app bundle: 2024-03-19 15:48:55.256020+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] [Skipping first 85 of 95 entries] 2024-03-19 15:48:55.256051+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] entry: Thu Feb 8 20:48:26 2024 NetworkExtension.com.*****.client.*****-Client.*****ui.*****pkttunnel.104.2.12.191.104.2.12 (bundle) 0 0 0 0 0 0 Can someone please help me in understanding what could be wrong here, why would 'RunAtLoad' key word wont work here to start my app on user login or reboot? Note: Everything work fine when my app is installed with an user logged in to the test machine. Also App starts successfully if I run command 'lauchctl bootstrap gui/ /Library/LaunchAgents/com.****.****ui.plist' in the above mentioned test scenario where app didnt auto start by launchd: 'RunAtLoad'.

Hi, Need some help figuring out the options and actions on following situations: When there are two or more enterprise VPNs installed on a device, one is currently active (some other brand tunnel packet provider). Then the user opens my app that triggers the opening of my network extension packet tunnel provider. Can that situation be identified so a notification be prompted to the user? Can my packet tunnel provider get / have priority over the current running packet tunnel provider? Please guid / direct to relevant document. Thanks in advance, ~r

I use NEHotspotNetwork.fetchCurrentWithCompletionHandle, but it gives me Nil for both SSID and BSSID #import "FPPHotspotNetworkInfoProvider.h" #import <NetworkExtension/NetworkExtension.h> @implementation FPPHotspotNetworkInfoProvider - (void)fetchNetworkInfoWithCompletionHandler: (void (^)(FPPNetworkInfo *network))completionHandler API_AVAILABLE(ios(14)) { [NEHotspotNetwork fetchCurrentWithCompletionHandler:^( NEHotspotNetwork *network) { dispatch_async(dispatch_get_main_queue(), ^{ if (network) { completionHandler([[FPPNetworkInfo alloc] initWithSSID:network.SSID BSSID:network.BSSID]); return; } completionHandler(nil); }); }]; } @end Do I need approval from Apple for this? If so, could you please provide guidance on how to obtain it? Thank you.

We are trying to configure split tunnel with tunnel routes with the below Tunnel Provider configuration tunnelProvider.protocolConfiguration.includeAllNetworks = NO; tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; tunnelProvider.protocolConfiguration.enforceRoutes = YES; We are adding some IPs in the excludeRoutes[10.168.10.182 and 192.168.10.65]. Please refer the below network settings for VPN IPv4Settings = { configMethod = manual addresses = ( 10.168.10.68, ) subnetMasks = ( 255.255.255.255, ) includedRoutes = ( { destinationAddress = 0.0.0.0 destinationSubnetMask = 0.0.0.0 }, ) excludedRoutes = ( { destinationAddress = 192.168.10.65 destinationSubnetMask = 255.255.255.255 }, { destinationAddress = 10.168.10.182 destinationSubnetMask = 255.255.255.255 }, ) overridePrimary = NO } Issue: when we are trying to access excludedRoute's IP [10.168.10.182 and 192.168.10.65] , it's getting tunneled. Expected Results : excludedRoutes IPs should go via physical interface.