Cannot enable content filter - macOS Ventura

I have a content filter hosted as system extension. Once you go through initial approvals for system extension & network filter everything seems fine.

But if I navigate to System Settings --> Network --> Filters & disable the network filter, I am not able to enable it back again.

It just stays in yellow, it does not go back to green. Reboot does not help, in fact the network extension process does not even get spawned.

This is not desirable at all

Has anyone ran into this ?

Workarounds : Uninstall the app & perform the installation again by approving prompts.

Have upgraded to Ventura 13.6 but behavior is still the same.

Has anyone run into this ?

Problems like this are usually the result of a packaging issue with your NE sysex, or an early crash in your sysex code. I recommend that you add a ‘first light’ log point to your sysex, per the instructions in Debugging a Network Extension Provider. Do you see that?

I suspect you won’t, in which case you know that your sysex never ran and you should look for a crash report.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you @eskimo

I do not see a crash report & I am pretty sure Network Extension gets initialized correctly since it works after approving the initial prompts (SysExt + Network Ext).

This happens when you disable network extension using System Settings --> Network --> Filters

Let me follow steps in Debugging a Network Extension Provider link above & will post what I see when is Enable/ Disable Network Filter.

Also, I am using the same notarized build on macOS Sonoma 14.0 & I am able to correctly Enable/Disable via System Settings --> Network --> Filters, so that makes me thing if its confined to Ventura ?

I added logs to SystemExtension main as well as overrode init of FilterDataProvider, this is what i see

2023-10-31 15:19:14.128731-0700 0x169df Debug 0x0 9550 0 com.***.***.net: [scwx:netext] D Main P:09550 T:2080 "first flight " [main.mm:14]

2023-10-31 15:19:14.135417-0700 0x16a0d Debug 0x0 9550 0 com.xxxx.xxxx.net: [scwx:netext] D Main P:09550 T:7000 "FilterDataProvider init" [FilterDataProvider.mm:121]

2023-10-31 15:19:14.136349-0700 0x16a0d Debug 0x0 9550 0 com.xxxx.xxxx.net: [scwx:netext] D Main P:09550 T:7000 "IPC init start event listener" [FilterDataProvider.mm:138]

... [Hit disable via System Settings --> Network --> Filters]

2023-10-31 15:21:11.797161-0700 0x16e11 Debug 0x0 9550 0 com.xxxx.xxxx.net: [scwx:netext] D NetExt P:09550 T:f000 "stopFilterWithReason" 1 [FilterDataProvider.mm:196]

.... [Hit enable via System Settings --> Network --> Filters]

After this nothing happens, I do not see network extension being initialized

I must apologise for not reading your earlier posts properly. I thought the issue was about getting your filter working at all, but now I realise it’s about re-enabling it after first disabling it.

so that makes me thing if its confined to Ventura ?

Right. And I tried this here in my office and I’m seeing the problem on macOS 13 as well.

The obvious conclusion here is that this is a bug that was fixed in macOS 14. There’s an easy user-level workaround: Don’t disable the filter, but rather remove the configuration and then add it back again. That seems to avoid this problem.

Unfortunately, I can’t imagine any code-level workaround, other than to guide your users to apply that user-level one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes I can confirm on Ventura, if you reinstall the network extension, its status goes back to green. We ran into this mainly because of a customer issue they were seeing on their box.

@eskimo : Is this bug being actively worked on & is a fix expected in future version of Ventura ? Do we need to file a feedback/radar for it ?

is a fix expected in future version of Ventura?

That seems unlikely. While I can’t predict the future, in recent years we’ve only published security updates for macOS N once macOS N+1 has shipped.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Cannot enable content filter - macOS Ventura
 
 
Q