Network Extension


Customize and extend the core networking features of iOS, iPad OS, and macOS using Network Extension.

Posts under Network Extension tag

200 Posts

Block all the network traffic except our application
Hey team, we have a use case where we need to block all macOS network traffic except our app's network traffic. But I don't find any APIs from Apple with that capability. I see that using NEFilterSettings, we can allow the required endpoints and block all the other endpoints we get from handleNewFlow(_:). But this API has control at the endpoint level, not the app level. Could you suggest if we have any other APIs for this use case? Thanks
Replies: 4 · Boosts: 1 · Views: 602 · Activity: Dec ’23
NEFilterDataProvider.handleNewFlow(_:) gets called with same flow ids multiple times
Since NEFilterFlow.identifier is documented as "The unique identifier of the flow.", I thought I could use it to store the flow by its identifier in a dictionary in order to retrieve it later. I do this when the system extension pauses a flow because it needs to ask the user whether the flow should eventually be allowed or dropped. But then I noticed that sometimes when allowing a previously paused flow, identified by its identifier, my system extension doesn't find that flow anymore. After some debugging it turned out that this happens because I stored at least one other flow with the same id which, when confirmed, is removed again from the dictionary, so there is no more flow with that identifier waiting in the dictionary. Is it expected that the identifiers are recycled for different flows, or does it mean that the same flow is effectively being passed to handleNewFlow(_:) multiple times, such as if the extension waited "too long" between pausing a flow and allowing or dropping it? handle(_:) can be called multiple times for the same flow, but why handleNewFlow(_:)? All flows with duplicate ids seem to be UDP, and the local host and port and remote host and port are the same for all flows with the same id. Most of the duplicate flows have a process path of /usr/sbin/mDNSResponder (resolved with the sourceAppAuditToken).
Replies: 5 · Boosts: 0 · Views: 467 · Activity: Dec ’23
network system extension + macOS 14.2 update kills networking
I have a recurring problem with software updates by Apple killing all networking when I have a network system extension distributed by TestFlight installed on my Mac. Any pointers on how to resolve this would be greatly appreciated! I don't know if it is my network system extension, the fact that it is distributed via TestFlight, or something else. The latest example is updating to macOS 14.2 today. I think the relevant Console message is: "Code has restricted entitlements, but the validation of its code signature failed." The full Console message is:

    mac_vnode_check_signature: /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: code signature validation failed fatally: When validating /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:

Deleting the app (with its network system extension) immediately restores networking. I can reinstall the exact same program via TestFlight, and everything runs fine. The feedback ID (which includes additional details, a screenshot, and a video) is: FB13458972
Replies: 6 · Boosts: 0 · Views: 1.1k · Activity: Jan ’24
XPC Connection with Network Extension fails after upgrade
Hi Team, I have a Network Extension application and a UI frontend for it. The UI frontend talks to the Network Extension using XPC, as provided by NEMachServiceName. On an M2 machine, the application and XPC connection work fine on a clean installation. But when the application is upgraded, the XPC connection keeps failing.

Upgrade steps:
1. PreInstall script kills the running processes, both UI and Network Extension.
2. Let installation continue.
3. PostInstall script launches the application after installation is complete.

The following code in the UI application is successful up to the point of resume:

    NSXPCInterface *exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCUIObject)];
    newConnection.exportedInterface = exportedInterface;
    newConnection.exportedObject = delegate;
    NSXPCInterface *remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCExtObject)];
    newConnection.remoteObjectInterface = remoteObjectInterface;
    self.currentConnection = newConnection;
    [newConnection resume];

But it fails to get the object:

    id<IPCExtObject> providerProxy = [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *registerError) { }];

Please note, this only fails on M2. On M1, this exact code runs fine. Additionally, if I uninstall the application by dropping it in the Trash and then install the newer version, then too, the application works fine.
Replies: 2 · Boosts: 0 · Views: 531 · Activity: Dec ’23
There seems to be some issues with Network Extension.
Hi, I have a Network Extension that uses content-filter-provider-systemextension. It has been running stably before, but some problems occurred after I updated the system to macOS 14.1. The main problem is that I registered data filtering for the 127 loopback addresses, which caused a direct error in my DataGrip software, even if I directly returned .allow() in the handler function. Example code:

    import NetworkExtension

    class Filter: NEFilterDataProvider {

        // MARK: NEFilterDataProvider

        override func startFilter(completionHandler: @escaping (Error?) -> Void) {
            // Loopback rule: intended to match all 127.*.*.* traffic
            let loNetworkRules4 = NENetworkRule(
                remoteNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),
                remotePrefix: 0,
                localNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),
                localPrefix: 0,
                protocol: .any,
                direction: .any
            )
            let loFilterRule4 = NEFilterRule(networkRule: loNetworkRules4, action: .filterData)
            let filterSettings = NEFilterSettings(rules: [loFilterRule4], defaultAction: .filterData)
            apply(filterSettings) { error in
                if let applyError = error {
                    NSLog("Failed to apply filter settings: \(applyError)")
                }
                completionHandler(error)
            }
        }

        override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
            // Every flow is allowed; no data is inspected
            return .allow()
        }
    }

This will cause DataGrip's database connection test to report an error directly. It seems that the local network communication of Java is blocked. So I also used nc to test the local network:

    nc -l 8888
    nc 127.0.0.1 8888

But the result obtained is completely fine. Everything got better when I rolled the system back to macOS 14. Now I have updated the system to macOS 14.2 and the problem remains. I've submitted feedback on this issue in Feedback Assistant: FB13463323. But obviously the feedback is too slow, I can't wait a bit, so I took the liberty to send you an email to ask for help. I want to confirm if this is a macOS bug or do I need to modify some NENetworkRule configurations? If it is confirmed to be a bug, how long will the repair cycle take? If it will be fixed soon, then I will just wait for the system to be repaired. If the repair cycle will be very long, then I have to consider other solutions for my product. Thanks
Replies: 1 · Boosts: 0 · Views: 281 · Activity: Dec ’23
[macOS] system crashed while using systemExtension.
We've recently noticed frequent crashes on the macOS system after an OS update when using the system extension with NETransparentProxyProvider. Below are the crash logs that appear in a pop-up after the machine starts. I'm having difficulty understanding the exact point at which it crashes, and it shows my process below.

    Panicked task 0xfffffe2d0a36abf8: 8190 pages, 143 threads: pid 9134: com.xxxx.na
    Panicked thread: 0xfffffe236ea13010, backtrace: 0xfffffe67858d2b80, tid: 337348

Detailed logs attached: system_cash_log.txt
Replies: 3 · Boosts: 0 · Views: 614 · Activity: Dec ’23
Symbol not found: _swift_getTypeByMangledNameInContext2
We have a macOS application which uses Network Extensions. When building it with Xcode 15 and 15.0.1 the extension crashes on Intel-based Macs with the following error:

    Symbol not found: _swift_getTypeByMangledNameInContext2
    Expected in: /usr/lib/swift/libswiftCore.dylib

We tested it on Big Sur and Ventura with the same outcome. On Ventura when running on an Intel-based Mac, libswiftCore.dylib really doesn't provide this symbol:

    nm -g libswiftCore.dylib | grep Mangle
    00007ff80faf6150 T _$ss031_getFunctionFullNameFromMangledD007mangledD0SSSgSS_tF
    00007ff80fcc4460 T _swift_getFunctionFullNameFromMangledName
    00007ff80fcc40b0 T _swift_getMangledTypeName
    00007ff80fcf7ed0 T _swift_getTypeByMangledName
    00007ff80fcf8230 T _swift_getTypeByMangledNameInContext
    00007ff80fcf8370 T _swift_getTypeByMangledNameInContextInMetadataState
    00007ff80fcf7d90 T _swift_getTypeByMangledNameInEnvironment
    00007ff80fcf80f0 T _swift_getTypeByMangledNameInEnvironmentInMetadataState
    00007ff80fcfb460 T _swift_getTypeByMangledNode

Is there any workaround for this issue? The crash log is the following:

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0 dyld 0x000000010a165f7a __abort_with_payload + 10
    1 dyld 0x000000010a18ef40 abort_with_payload_wrapper_internal + 80
    2 dyld 0x000000010a18ef72 abort_with_payload + 9
    3 dyld 0x000000010a10f14a dyld::halt(char const*) + 672
    4 dyld 0x000000010a10f274 dyld::fastBindLazySymbol(ImageLoader**, unsigned long) + 167
    5 libdyld.dylib 0x00007fff203b3376 dyld_stub_binder + 282
    6 ??? 0x0000000104b086a0 0 + 4373644960
    7 com.xxxx.Tunnel 0x00000001049d318a 0x10489e000 + 1266058
    8 com.xxxx.Tunnel 0x00000001049df35d 0x10489e000 + 1315677
    9 com.xxxx.Tunnel 0x00000001048a0765 0x10489e000 + 10085
    10 com.apple.ExtensionKit 0x00007fff31bda683 __112-[EXConcreteExtensionContextVendor _beginRequestWithExtensionItems:listenerEndpoint:withContextUUID:completion:]_block_invoke + 808
    11 libdispatch.dylib 0x00007fff201ec5dd _dispatch_call_block_and_release + 12
    12 libdispatch.dylib 0x00007fff201ed7c7 _dispatch_client_callout + 8
    13 libdispatch.dylib 0x00007fff201f9b86 _dispatch_main_queue_callback_4CF + 940
    14 com.apple.CoreFoundation 0x00007fff204ce356 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
    15 com.apple.CoreFoundation 0x00007fff20490188 __CFRunLoopRun + 2745
    16 com.apple.CoreFoundation 0x00007fff2048efe2 CFRunLoopRunSpecific + 567
    17 com.apple.Foundation 0x00007fff21151fa1 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
    18 com.apple.Foundation 0x00007fff211e0384 -[NSRunLoop(NSRunLoop) run] + 76
    19 libxpc.dylib 0x00007fff200e53dd _xpc_objc_main + 825
    20 libxpc.dylib 0x00007fff200e4e65 xpc_main + 437
    21 com.apple.Foundation 0x00007fff211732bd -[NSXPCListener resume] + 262
    22 com.apple.pluginkit.framework 0x00007fff2b288273 0x7fff2b26d000 + 111219
    23 com.apple.pluginkit.framework 0x00007fff2b287efb 0x7fff2b26d000 + 110331
    24 com.apple.pluginkit.framework 0x00007fff2b288639 0x7fff2b26d000 + 112185
    25 com.apple.ExtensionKit 0x00007fff31be6d05 EXExtensionMain + 70
    26 com.apple.Foundation 0x00007fff211e2479 NSExtensionMain + 208
    27 libdyld.dylib 0x00007fff203b4621 start + 1

Replies: 2 · Boosts: 0 · Views: 623 · Activity: Dec ’23
NEPacketTunnelProvider for specific Apps or Domains
Hi everyone. I wrote a VPN application using a packet tunnel provider. Now I want to set up functionality that allows turning it on just for specific applications. I saw apps that provide this functionality, like selecting the list of apps where the VPN will work; some of them have a big list. As I understand it, I need per-app VPN or I need to set up rules for NEVPNManager. Could someone provide the documentation, or a link to a sample, showing how that feature works?
Replies: 1 · Boosts: 0 · Views: 330 · Activity: Jan ’24
Best way to auto stop system extension process
I have a system extension which contains 3 capabilities: App Proxy, Content Filter, Packet Tunnel. The system extension process doesn't auto-stop on disabling all of its capabilities (App Proxy, Content Filter, Packet Tunnel). How do I make the system extension process auto-stop if all of its capabilities are disabled? Disabling can happen via the system extension's hosting app or the System Preferences network settings. I have the following in mind:
- Whenever we disable any capability via the system extension's hosting app, it can check if all the others are disabled, then use the kill shell command to terminate the system extension process.
- The system extension's hosting app can send a message via XPC to the extension to terminate itself via NSApp.terminate.
- On disabling from System Preferences, the system extension can check if all the others are disabled in the delegate method and terminate itself.
I wanted to know what the better way is to handle stopping the system extension process.
Replies: 2 · Boosts: 0 · Views: 510 · Activity: Jan ’24
IncludeAllNetworks + split tunnel
Is it possible to have both 'includeAllNetworks' and split-tunnel simultaneously? I want to enable a split tunnel so only some of the traffic will reach the tunnel, but at the same time, to make sure that the above traffic will always reach the tunnel - even if it's coming from some low-level networking API or even if the traffic started before creating the tunnel. Setting the 'includeAllNetworks' flag will help with the above cases, but then I'll get all the traffic via the tunnel without consideration in the split tunnel configuration. (Details: System-extension, PacketTunnelProvider)
Replies: 0 · Boosts: 0 · Views: 317 · Activity: Dec ’23
Sometimes Packet Tunnel Provider stops silently
We have a VPN app with a Packet Tunnel Provider for iOS. The option disconnectOnSleep from <NetworkExtension/NEVPNProtocol.h> is false. Sometimes our users experience an issue where the process stops itself after some period of time without crashing. In the logs, everything looks OK. The iOS versions with the reproduced issue are 16.7.2 and 17.1. Memory usage of our VPN app is ~9Mb. I've implemented NEProvider's interfaces in our subclass of NEPacketTunnelProvider:

    override func sleep(completionHandler: @escaping () -> Void) {
        NSLog("Sleep")
        completionHandler()
    }

    override func wake() {
        NSLog("Wake")
        super.wake()
    }

After retesting by users, I've noticed that there are multiple subsequent calls of the sleep-wake, sleep-wake, sleep-wake API, but in the problem scenario, our logs and the process stop after "Sleep". I've read the post https://developer.apple.com/forums/thread/95988, and didn't get an idea: what if neither sleep(_:) nor wake() is implemented, how does it affect the VPN app's behaviour? Is it a correct hypothesis that sometimes iOS kills the process silently without a crash? What are the triggers that force the system to kill a VPN app?
Replies: 1 · Boosts: 0 · Views: 336 · Activity: Jan ’24
System Settings extension approval dialog
Hi Team, we are registering the Network Extension on application launch. The application shows this dialog [Dialog attached]. The failing case:
1. User presses OK and hence dismisses the user approval.
2. User clicks on the app's UI -> Register.
3. Register calls the same API again, i.e.

    let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main)

4. This time, the dialog is not launched for the user. Whereas, we have observed, it does launch the dialog again on some of the machines.
5. User reboots the machine.
6. Click App -> Register. Still the same case, the dialog is not launched for the user.

When I check the status using systemextensionsctl list:

    *  [TeamId]  com.company.extensionname (1.0.100/1.0.100)  ExtensioName  [activated waiting for user]

How can I force the launch of this dialog via the API, so that the user can be guided to act upon it?
Replies: 1 · Boosts: 0 · Views: 448 · Activity: Jan ’24
[NEFilterDataProvider] Filter flows for some application
Hello, I'm using an NEFilterDataProvider to filter the HTTP/S flow of applications (based on bundleId). With the help of this forum, I can now retrieve the bundleId of the application's flow from the audit_token (sourceAppAuditToken). Unfortunately, for some applications (e.g., Safari), I get the bundleId of the isolated process that uses WebKit, but I would like to retrieve the bundleId of the responsible process (Safari). My current solution is to obtain the responsible PID of the WebKit process and then retrieve the bundleId from this PID (SecCodeCopyGuestWithAttributes). What is the correct way to get the bundleId of the responsible process?
Replies: 2 · Boosts: 0 · Views: 414 · Activity: Jan ’24
NetworkExtension - NEIPC: SIGNAL 5 Trace/BPT trap, Help!!
Hello, sometimes I need to send a message via sendMessageToProvider to tell the proxy service in the Network Extension that it should be restarted. It looks like this:

    self.sendMessageToProvider("restart"...) { resp in
        if resp != "ok" {
            // stopVPNTunnel()...
        }
    }

Then the request is accepted in the Network Extension, which looks like:

    open override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) {
        reasserting = true
        setTunnelNetworkSettings(nil) { error in
            startTunnel() {
                reasserting = false
                completionHandler("ok"...)
            }
        }
    }

But the Network Extension crashes occasionally and I spent a long time looking for the cause but found nothing. Where should I start?

    Date/Time: 2023-06-17 08:01:38.2104 +0800
    Launch Time: 2023-06-17 08:01:06.5706 +0800
    OS Version: iPhone OS 16.5 (20F66)
    Release Type: User
    Baseband Version: 3.70.01
    Report Version: 104

    Exception Type: EXC_BREAKPOINT (SIGTRAP)
    Exception Codes: 0x0000000000000001, 0x000000022a76b2d0
    Termination Reason: SIGNAL 5 Trace/BPT trap: 5
    Terminating Process: exc handler [38097]

    Triggered by Thread: 0

    Thread 0 name:
    Thread 0 Crashed:
    0 libxpc.dylib 0x000000022a76b2d0 _xpc_api_misuse + 80 (debug.c:71)
    1 libxpc.dylib 0x000000022a75c918 xpc_dictionary_set_value + 128 (dictionary.c:1849)
    2 libxpc.dylib 0x000000022a75d888 xpc_dictionary_set_data + 60 (dictionary.c:1983)
    3 NetworkExtension 0x00000001e1d69978 __35-[NEIPC handleMessage:withHandler:]_block_invoke + 112 (NEIPC.m:47)
    4 PacketTunnel 0x0000000104f5be7c thunk for @escaping @callee_unowned @convention(block) (@unowned NSData?) -> () + 60 (<compiler-generated>:0)
    5 PacketTunnel 0x0000000104f5bd4c MyPacketTunnelProvider.responseMessage(msg:completionHandler:) + 96 (MyPacketTunnelProvider.swift:188)
    6 PacketTunnel 0x0000000104f5bd4c closure #1 in closure #1 in MyPacketTunnelProvider.handleAppMessage(_:completionHandler:) + 244 (MyPacketTunnelProvider.swift:178)
    7 PacketTunnel 0x0000000104f5d808 closure #1 in closure #1 in closure #1 in MyPacketTunnelProvider.startTunnel(config:completionHandler:) + 12 (MyPacketTunnelProvider.swift:54)
    8 PacketTunnel 0x0000000104f5d808 partial apply for closure #1 in closure #1 in closure #1 in MyPacketTunnelProvider.startTunnel(config:completionHandler:) + 32 (<compiler-generated>:0)
    9 PacketTunnel 0x0000000104f5f720 closure #1 in closure #1 in xxxx.start(config:packetFlow:startCompletion:stoppedCompletion:) + 188 (xxxx.swift:140)
    10 PacketTunnel 0x0000000104f5b4f0 thunk for @escaping @callee_guaranteed () -> () + 28 (<compiler-generated>:0)
    11 libdispatch.dylib 0x00000001d1e21320 _dispatch_call_block_and_release + 32 (init.c:1518)
    12 libdispatch.dylib 0x00000001d1e22eac _dispatch_client_callout + 20 (object.m:560)
    13 libdispatch.dylib 0x00000001d1e316a4 _dispatch_main_queue_drain + 928 (queue.c:7794)
    14 libdispatch.dylib 0x00000001d1e312f4 _dispatch_main_queue_callback_4CF + 44 (queue.c:7954)
    15 CoreFoundation 0x00000001ca9ebc28 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16 (CFRunLoop.c:1780)
    16 CoreFoundation 0x00000001ca9cd560 __CFRunLoopRun + 1992 (CFRunLoop.c:3147)
    17 CoreFoundation 0x00000001ca9d23ec CFRunLoopRunSpecific + 612 (CFRunLoop.c:3418)
    18 Foundation 0x00000001c4c52fd4 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 (NSRunLoop.m:373)
    19 Foundation 0x00000001c4c52e68 -[NSRunLoop(NSRunLoop) run] + 64 (NSRunLoop.m:398)
    20 libxpc.dylib 0x000000022a761678 _xpc_objc_main + 496 (main.m:246)
    21 libxpc.dylib 0x000000022a763924 xpc_main + 156 (init.c:1258)
    22 Foundation 0x00000001c4c9a930 -[NSXPCListener resume] + 312 (NSXPCListener.m:460)
    23 PlugInKit 0x00000001f1177e90 -[PKService run] + 356 (PKService.m:197)
    24 PlugInKit 0x00000001f1164628 +[PKService main] + 536 (PKService.m:119)
    25 PlugInKit 0x00000001f116393c +[PKService _defaultRun:arguments:] + 16 (PKService.m:244)
    26 ExtensionFoundation 0x00000001d7fa5540 EXExtensionMain + 252 (EXExtensionMain.m:34)
    27 Foundation 0x00000001c4cdee00 NSExtensionMain + 204 (NSExtensionMain.m:21)
    28 dyld 0x00000001e9ed2dec start + 2220 (dyldMain.cpp:1165)

Replies: 5 · Boosts: 0 · Views: 737 · Activity: Jan ’24
Notification Service Extension usage time
Hello all. I noticed that the NSE lives for more than 30 seconds (as described in the doc). When the app receives a notification, it creates the NSE process and sends the notification to the didReceive function; after this, the app has 30 seconds to call the contentHandler closure. After contentHandler is called, I expected that the NSE process would be killed, but it's not. If the app uses singletons in the NSE, they won't dealloc after contentHandler is called, so after a new notification is received, the singletons are still alive. Is it legal to not drop the connection to the websocket after the contentHandler closure gets called? For example: a notification is received, the NSE process is loaded, the websocket manager singleton is initialized and starts a session, after a few seconds the contentHandler closure gets called, so the system won't kill the NSE because of the 30-second timer, and my websocket connection will stay alive as long as possible, so I don't need to open it every 30 seconds. Is that legal or not?)
Replies: 3 · Boosts: 0 · Views: 536 · Activity: Jan ’24
Inferring High-Level Semantics from Low-Level Operations
This is a topic that comes up regularly, both in my Day Job™ with DTS and here on DevForums. This situation is a bit subtle, and it’s long past the time I should have written a proper explanation of it.

If you have questions or comments, put them in a new thread here on DevForums. To ensure that I see your thread, tag it based on the technology you’re using. For example:
- If you’re working with Endpoint Security, use the Endpoint Security tag.
- If you’re building a Network Extension provider, use the Network Extension tag.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Inferring High-Level Semantics from Low-Level Operations

Apple supports a number of APIs that let you observe low-level operations. For example:
- An Endpoint Security (ES) client can learn about low-level file system operations, like open and close.
- A Network Extension (NE) filter provider can learn about outgoing and incoming network packets.

Folks using these APIs often want to infer high-level semantics from these low-level operations. For example:
- An ES client might want to prevent the Finder from copying files to an external drive.
- An NE filter provider might want to block Safari from fetching specific URLs.

While DTS supports these APIs, we don’t support this sort of low-to-high inference. That’s because our goal is to help developers use Apple’s APIs in a sustainable way, and it’s impossible to do this inference in a way that will be binary compatible in the long term.

Let me illustrate this with an example. Consider the NE scenario above. It’s easy for an NE packet filter to drop packets being sent to a specific host. However, that approach is very brittle. If something changes in the implementation path from Safari requesting a URL to how that’s rendered as IP packets, your product will break. A great example of such a change is iCloud Private Relay.

This isn’t to say that such inference can’t be done at all, just that it’s not possible to do it in a sustainable way. Given that, here’s my advice:
- Try to work with high-level operations where possible. For example, ES recently added high-level log in and log out notifications, which means you no longer need to infer such events from lower-level ones.
- If the system doesn’t support the necessary high-level operations, file an enhancement request that describes your requirements.
- In the meantime, you can have a go at doing this inference yourself, but be aware that DTS can’t support you in that task.
Replies: 0 · Boosts: 0 · Views: 393 · Activity: Jan ’24