Hello,
We are implementing a Transparent Proxy using NETransparentProxyProvider and configuring NETransparentProxyNetworkSettings with NENetworkRule.
Currently, NENetworkRule requires:
NENetworkRule(
destinationHost: NWHostEndpoint(hostname: String, port: String),
protocol: .TCP / .UDP / .any
)
NWHostEndpoint.port accepts only a single port value (as a String) or an empty string for all ports.
At present, we are creating a separate NENetworkRule for each port in the range (e.g., for the range 49152–65535, approximately 16,384 rules). After deploying this configuration, we observe the following behavior:
- nesessionmanager starts consuming very high CPU (near 100%)
- The system becomes unresponsive
- The device eventually hangs and restarts automatically
- The behavior resembles a kernel panic scenario
This strongly suggests that creating thousands of NENetworkRule entries may not be a supported or scalable approach.
Questions:
- Is there any officially supported way to specify a port range in NENetworkRule?
- Is creating thousands of rules (one per port) considered acceptable or supported?
- Is the recommended design to intercept broadly (e.g., port = "") and filter port ranges inside handleNewTCPFlow / handleNewUDPFlow instead?
- Are there documented system limits for the number of NENetworkRule entries allowed in NETransparentProxyNetworkSettings?
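One way to realize the design asked about in the third question, intercepting broadly and applying the port range inside the flow handler, is sketched below. This is an added example, not code from the original post and not Apple sample code, and it does not claim to be the officially recommended approach. Assumptions: the class name, the 49152...65535 range, the placeholder tunnelRemoteAddress, and the plain pass-through relay built on Network.framework's NWConnection are all mine; the wildcard rules use the remoteNetwork/remotePrefix initializer of NENetworkRule with prefix 0 and port "0", which is how Apple's own filter samples match every destination. Only TCP is shown; UDP would follow the same shape via handleNewUDPFlow(_:initialRemoteEndpoint:), which hands you the initial remote endpoint for the range check.

```swift
import NetworkExtension
import Network

/// Added example (not from the original post or from Apple): two wildcard rules
/// for all outbound TCP, with the port range enforced per flow in handleNewFlow(_:)
/// instead of one NENetworkRule per port.
final class RangeFilteringProxyProvider: NETransparentProxyProvider {

    /// Ports this proxy actually handles (assumed: the range from the post).
    private let interceptedPorts: ClosedRange<UInt16> = 49152...65535

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // tunnelRemoteAddress is required by the initializer but informational for a
        // transparent proxy; "127.0.0.1" is a placeholder, not a real remote host.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // remotePrefix 0 matches every destination address and port "0" means any
        // port in this initializer: two rules instead of 16,384.
        let allOutboundTCP: (String) -> NENetworkRule = { anyHost in
            NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: anyHost, port: "0"),
                          remotePrefix: 0,
                          localNetwork: nil,
                          localPrefix: 0,
                          protocol: .TCP,
                          direction: .outbound)
        }
        settings.includedNetworkRules = [allOutboundTCP("0.0.0.0"), allOutboundTCP("::")]

        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcp = flow as? NEAppProxyTCPFlow,
              let dest = tcp.remoteEndpoint as? NWHostEndpoint,
              let port = UInt16(dest.port),
              interceptedPorts.contains(port) else {
            // Returning false hands the flow back to the system: it proceeds directly
            // and the proxy never sees its data. This is where the range check lives.
            return false
        }
        relay(tcp, toHost: dest.hostname, port: port)
        return true
    }

    /// Copies bytes between the intercepted flow and a direct connection to the
    /// original destination (assumed behaviour: a transparent pass-through).
    private func relay(_ flow: NEAppProxyTCPFlow, toHost host: String, port: UInt16) {
        let conn = NWConnection(host: Network.NWEndpoint.Host(host),
                                port: Network.NWEndpoint.Port(integerLiteral: port),
                                using: .tcp)
        conn.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                // Only open the flow once the upstream side is connected.
                flow.open(withLocalEndpoint: nil) { error in
                    guard error == nil else { conn.cancel(); return }
                    self?.pump(from: flow, to: conn)
                    self?.pump(from: conn, to: flow)
                }
            case .failed, .cancelled:
                flow.closeReadWithError(nil)
                flow.closeWriteWithError(nil)
            default:
                break
            }
        }
        conn.start(queue: DispatchQueue(label: "relay.\(host).\(port)"))
    }

    /// App -> server direction. An empty read means the app half-closed, so a
    /// final (empty, complete) send propagates the FIN upstream.
    private func pump(from flow: NEAppProxyTCPFlow, to conn: NWConnection) {
        flow.readData { [weak self] data, error in
            guard error == nil, let data = data, !data.isEmpty else {
                conn.send(content: nil, contentContext: .finalMessage,
                          isComplete: true, completion: .idempotent)
                return
            }
            conn.send(content: data, completion: .contentProcessed { sendError in
                if sendError == nil { self?.pump(from: flow, to: conn) }
                else { flow.closeReadWithError(sendError) }
            })
        }
    }

    /// Server -> app direction. The flow's write side is closed once the
    /// upstream connection reports completion or an error.
    private func pump(from conn: NWConnection, to flow: NEAppProxyTCPFlow) {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 65536) { [weak self] data, _, isComplete, error in
            let finish = { flow.closeWriteWithError(error) }
            guard let data = data, !data.isEmpty else { finish(); return }
            flow.write(data) { writeError in
                if writeError != nil { conn.cancel() }
                else if isComplete || error != nil { finish() }
                else { self?.pump(from: conn, to: flow) }
            }
        }
    }
}
```

With this layout the rule set stays constant regardless of how wide the port range is, and the per-flow decision costs one integer comparison in the extension process rather than a rule-table lookup in nesessionmanager. Flows that fall outside the range are returned with `false` and never enter the relay, so the proxy only pays for the connections it actually wants.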