Filter Packet Provider Cpu issue

Hi everyone,

I’m exploring Network Extension options for a use case where I need to log and filter network activity at the packet level. More specifically, I need the ability to detect and potentially block certain TCP behaviors during the handshake.

From everything I’ve tested, NEFilterPacketProvider seems to be the only Network Extension type that operates early enough in the flow.

NEFilterDataProvider appears to receive flows after the TCP handshake is already completed.

It also has some limitations with IP-based filtering (might include hostname instead of IP), inconsistent ICMP behavior, etc.

So I went with NEFilterPacketProvider.

However, I’m running into a major issue: extremely high CPU usage.

To isolate the problem, I stripped my packet handler down to the simplest possible implementation — basically returning .allow for every inbound/outbound packet without any filtering logic. Even with that minimal setup, playing one or two videos in a browser causes the CPU usage of the extension to spike to 20–50%. This seems to be caused purely by the packet volume.

I haven’t found any way to pre-filter packets before the handler is invoked, nor any documented method to significantly optimize packet handling at this stage. It’s possible I’m missing something fundamental.

Questions:

Has anyone else experienced this kind of high CPU usage with NEFilterPacketProvider?

Is there any recommended way to reduce the packet handling overhead or avoid processing every single packet?

Any known best practices or configuration tips?

Thanks in advance!