Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Posts under Networking subtopic

Post, Replies, Boosts, Views, Activity

Custom DNS for specific domains
Hello, I have a company laptop that's connected to the internet without a VPN. I need to be able to resolve my company's subdomains using a specific DNS server, and have all other domains resolved by the system-wide name server. In Windows, this is trivial to do. In an admin PowerShell I run Add-DnsClientNrptRule -Namespace ".foo.mycompany.com" -Nameserver "127.0.0.1" and resolution requests for *.foo.mycompany.com are sent to a name server running on the localhost. All other DNS resolution requests are handled by the system-configured resolver. macOS does have the /etc/resolver/ solution for this, but my understanding from these forums is that this is not the recommended approach. Note - I have tried it and it works. AFAIU, the recommended approach is to create a system Network Extension using NEDNSProxyProvider, override handleNewFlow() and do what's necessary. The issue with this solution is that it requires handling all the DNS flow: parsing of DNS datagrams to extract the host; forwarding the datagrams to the appropriate DNS server; handle responses; deal with flow control; handle edge cases. I was hoping for something much simpler than us needing to implement datagram parsing. Could you please shed light on our options and how we could proceed?
1
0
502
Nov ’24
Http get request is replayed by NSURLSession when switch network type
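Our server recently added anti-replay protection, and we found that many iOS requests hit the replay error. Because our requests are signed with a UUID, we ruled out a problem with the algorithm. After investigating, we found that if the network changes while an iOS request is in progress, for example when a VPN is turned on or off, or Wi-Fi is turned on or off, the system replays the in-flight request multiple times. As a result, from the app's point of view the request and the response are each invoked only once, but the server receives the request multiple times.

Steps to reproduce:
1. Start a packet capture tool, for example Wireshark.
2. Send a request using the demo code (enable a slow network first, otherwise it is too fast to act in time).
3. Without waiting for the request to complete, turn off Wi-Fi; the device then switches to cellular data.
4. After the request completes, the log shows that the request was sent and the response received only once, but the capture tool shows that the request was sent 2 times.

The demo is as follows:

    // Create a URLSession with the default configuration
    NSURLSession *defaultSession = [NSURLSession sharedSession];

    // Setup the request to the URL
    NSTimeInterval ms = [NSDate.date timeIntervalSinceReferenceDate] * 1000;
    NSURL *url = [NSURL URLWithString:[NSString stringWithFormat:@"https://static.fusionbank.com/resource/20240930/8f54352194ac8beecbd5d3f5842b27bb.png?_t=%f",ms]];
    NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:url];
    urlRequest.timeoutInterval = 20;

    // Create dataTask
    NSLog(@"--- request start");
    dataTask = [defaultSession dataTaskWithRequest:urlRequest completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            NSLog(@"--- request finish %@", [error localizedDescription]);
            // Handle your response here
            [self.loadingView stopAnimating];
            if (data) {
                UIImage* img = [UIImage imageWithData:data];
                self.imageView.image = img;
            }
        });
    }];

    // Fire the request
    [dataTask resume];

The log is as follows: 111.log
The capture tool shows the request was sent 2 times:
Requests and responses: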
1
0
267
Oct ’24
Local Network Access can't check in iOS18.0
In the past, I used to ping my iPhone's local IP address via UDP. If local network permissions were not enabled, it would return an error. If they were enabled, it would return success, which I used to determine whether my app had local network permissions enabled. Now, with iOS 18, it seems to not work anymore. Regardless of whether local network permissions are enabled, pinging the iPhone's local IP address always returns success. Is there any other good method to check this permission status? Case-ID: 9934335
1
0
1.3k
Nov ’24
Multipeer connection dropped when there's no WiFi connection
WiFi and Bluetooth are both enabled on Mac and iPhone, neither device is connected to a network. Running MultipeerConnectivity on the Mac as Advertiser and iPhone as Browser, the invitation is sent from the phone and accepted by the Mac, but the connection is then dropped. This doesn’t happen when the Advertiser is another iOS device.

STEPS TO REPRODUCE THE PROBLEM
We have created a small sample project that demonstrates the problem. It can be found at: https://github.com/eidria/Multipeer-Progress-Demo.git. It contains both a Mac app and an iOS app.
Run the Mac app and start Advertising.
Run iOS app and start Browsing.
The iOS app automatically issues an invitation to the browser (Mac) which accepts.
Shortly after the connection is dropped.
1
0
412
Jan ’25
iOS Peer to Peer communication
Hi Everyone, Is there a framework or pattern to allow peer to peer communication between multiple iOS applications? The use case would be as follows: An organizer creates a session with multiple users. The users receive an invitation (initially via email or sms), they install the app, upon accepting the invitation, they join a session. The session then allows peer to peer communication between users, not necessarily in the form of text messages, but more on information and synchronization between states of models between the members. Is there a framework for such a communication, or are we forced to go through a server to relay messages? I found the Multipeer communication Framework but it is for the discovery of devices, not for communication between applications. Thanks a lot.
1
0
391
Nov ’24
Network connection works in cmd Line app but not SwiftUI app
I'm writing a SwiftUI LDAP Browser. I built a command line Swift app to do some testing and it works fine. I had to add the certificates from the LDAP server to the system keychain before it would work with TLS/SSL. Then I ported the same code into a SwiftUI app but I cannot get it to connect via TLS/SSL. On the same machine with the same certs it errors with: An unexpected error occurred: message("Can't contact LDAP server") It connects fine with our TLS/SSL. I suspect this may have to do with App Transport Security. Can anyone point me in the right direction to resolve this? App is macOS only.
1
0
241
Jan ’25
5G SA issue with PLMN 00101 on iOS 18.1+
Hi, I have been using iPhones 14Pro, 15Pro for the last couple of years for 5G SA research applications. As far as the iPhone14 Pro goes, even with the latest upgrade 18.2 beta 2 it works flawlessly, upon inserting the SIM CARD, I can activate VoLTE and then there is a toggle that enables 5G SA. The phone connects to the network using PLMN 001 01 and functions perfectly. iPhone 15 Pro is behaving completely differently. Upon inserting the SIMCARD it also lets enabling the 5G SA functionality but the phone never searches for a cell. Even putting the phone into mobile field test, it never searches for NR even with the same SIM card working in the 14 PRO. This particular mobile phone did work in the first iOS versions and stopped working after upgrading to 18.1. Just a few days ago, I bought a 16 PRO to try it with our 5G SA networks, and it is behaving the exact same way as the iPhone 15 PRO. It never tries to attach to the 5G SA even with the same SIM card as the 14PRO. I would like to understand this difference in behaviour across all these devices and understand if this is a new implementation or a SW bug. In the case this is a new implementation, please point me towards novel documentation so I can understand what to change in the network configurations to have the communication back. Thanks.
1
0
966
Nov ’24
iOS not launching my app network extension, it seemingly isn't crashing it either
My personal project is a bit further along however after not being able to get this to work in my app I fell back to a much simpler/proven implementation out there. There is this project on GitHub with a guide that implements a barebones app extension with packet tunneling. I figure this can give us common ground. After changing the bundle and group identifiers to all end with -Caleb and or match up I tried running the app. The app extension does not work whatsoever and seemingly for reasons that are similar to my personal project. If I pull up the console and filter for the subsystem (com.github.kean.vpn-client-caleb.vpn-tunnel) I see the following.

First you see installd installing it

    0x16ba5f000 -[MIUninstaller _uninstallBundleWithIdentity:linkedToChildren:waitForDeletion:uninstallReason:temporaryReference:deleteDataContainers:wasLastReference:error:]: Destroying container com.github.kean.vpn-client-caleb.vpn-tunnel with persona 54D15361-A614-4E0D-931A-0953CDB50CE8 at /private/var/mobile/Containers/Data/PluginKitPlugin/2D0AE485-BB56-4E3E-B59E-48424CD4FD65

And then installd says this (No idea what it means)

    0x16b9d3000 -[MIInstallationJournalEntry _refreshUUIDForContainer:withError:]: Data container for com.github.kean.vpn-client-caleb.vpn-tunnel is now at /private/var/mobile/Containers/Data/PluginKitPlugin/2D0AE485-BB56-4E3E-B59E-48424CD4FD65

Concerningly runningboardd seems to immediately try and stop it?

    Executing termination request for: <RBSProcessPredicate <RBSProcessBundleIdentifiersPredicate| {( "com.github.kean.vpn-client-caleb", "com.github.kean.vpn-client-caleb.vpn-tunnel" )}>>
    [app<com.github.kean.vpn-client-caleb(54D15361-A614-4E0D-931A-0953CDB50CE8)>:1054] Terminating with context: <RBSTerminateContext| explanation:installcoordinationd app:[com.github.kean.vpn-client-caleb/54D15361-A614-4E0D-931A-0953CDB50CE8] uuid:963149FA-F712-460B-9B5C-5CE1C309B2FC isPlaceholder:Y reportType:None maxTerminationResistance:Absolute attrs:[ <RBSPreventLaunchLimitation| <RBSProcessPredicate <RBSProcessBundleIdentifiersPredicate| {( "com.github.kean.vpn-client-caleb", "com.github.kean.vpn-client-caleb.vpn-tunnel" )}>> allow:(null)> ]>

Then runningboardd leaves a cryptic message

    Acquiring assertion targeting system from originator [osservice<com.apple.installcoordinationd>:244] with description <RBSAssertionDescriptor| "installcoordinationd app:[com.github.kean.vpn-client-caleb/54D15361-A614-4E0D-931A-0953CDB50CE8] uuid:963149FA-F712-460B-9B5C-5CE1C309B2FC isPlaceholder:Y" ID:33-244-5222 target:system attributes:[ <RBSPreventLaunchLimitation| <RBSProcessPredicate <RBSProcessBundleIdentifiersPredicate| {( "com.github.kean.vpn-client-caleb", "com.github.kean.vpn-client-caleb.vpn-tunnel" )}>> allow:(null)> ]>

And that seems to be all I have to go off of....

If I widen my search a bit I can see backboardd saying things like

    Connection removed: IOHIDEventSystemConnection uuid:57E97E5D-8CDE-467B-81CA-36A93C7684AD pid:1054 process:vpn-client type:Passive entitlements:0x0 caller:BackBoardServices: <redacted> + 280 attributes:{ HighFrequency = 1; bundleID = "com.github.kean.vpn-client-caleb"; pid = 1054; } state:0x1 events:119 mask:0x800 dropped:0 dropStatus:0 droppedMask:0x0 lastDroppedTime:NONE

Or

    Removing client connection <BKHIDClientConnection: 0xbf9828cd0; IOHIDEventSystemConnectionRef: 0xbf96d9600; vpid: 1054(vAF7); taskPort: 0x5D777; bundleID: com.github.kean.vpn-client-caleb> for client: IOHIDEventSystemConnection uuid:57E97E5D-8CDE-467B-81CA-36A93C7684AD pid:1054 process:vpn-client type:Passive entitlements:0x0 caller:BackBoardServices: <redacted> + 280 attributes:{ HighFrequency = 1; bundleID = "com.github.kean.vpn-client-caleb"; pid = 1054; } state:0x1 events:119 mask:0x800 dropped:0 dropStatus:0 droppedMask:0x0 lastDroppedTime:NONE source:HID

There's really nothing in the sysdiagnose either. No crash no nothing. I am stumped. Any idea what might be going wrong for me here? Has something about the way app extensions or sandbox rules work changed in later OSes?
1
0
86
Apr ’25
How do I make a network call that is longer than 30 seconds?
I have a network call that can sometimes take longer than 30 seconds and user might sometimes background the app after waiting a bit (think like an image generation done on a server which takes a while). I want to make sure that I have exhausted all the options available to provide the best possible solution for the user.
(1) Use beginBackgroundTask. The downside to this is that I'm only given about 30 seconds or so, and if it takes longer, the call just gets killed.
(2) Use URLSessionConfiguration.background. The upside is that this can take as long as it needs but it seems to be delegated to the system, and you never know when it will run? What if the user stays in the foreground and now the user will not know when the call will even begin (determined by the OS)
(3) Use BGProcessingTask. Again problem is that we can't control when the task is run (which in this case we want it to be immediately).
So really none of the options really is ideal. Are there other options? What I would like ideally is:
- The call should start immediately upon user request
- The call should go on indefinitely when the app stays in foreground
- The call should go on for an extended period (like 2 minutes) if the user puts the app in background
- If the call is completed in the background, have a way for the app to retrieve the result when the user brings the app back in the foreground
1
0
357
Oct ’24
in-addr.arpa default search domains
Hi, I observed some unexpected behavior and hope that someone can enlighten me as to what this is about: mDNSResponder prepends IP / network based default search domains that are checked before any other search domain. E.g. 0.1.168.192.in-addr.arpa. would be used for an interface with an address in the 192.168.1.0/24 subnet. This is done for any configured non-link-local IP address. I tried to find any mention of an approach like this in RFCs but couldn't spot anything. Please note that this is indeed a search domain and different from reverse-DNS lookups. Example output of tcpdump for ping devtest:

    10:02:13.850802 IP (tos 0x0, ttl 64, id 43461, offset 0, flags [none], proto UDP (17), length 92)
        192.168.1.2.52319 > 192.168.1.1.53: 54890+ [1au] A? devtest.0.1.168.192.in-addr.arpa. (64)

I was able to identify the code that adds those default IP subnet based search domains but failed to spot any indication as to what this is about: https://github.com/apple-oss-distributions/mDNSResponder/blob/d5029b5/mDNSMacOSX/mDNSMacOSX.c#L4171-L4211 Does anyone here have any ideas as to what this might be about?
1
0
702
Apr ’25
iOS 18.5 update live streaming bug
Our app supports live streaming (RTSP, RTMP, WebRTC) functionality. After updating to the 18.5 Developer Beta version, we’ve encountered an issue where streaming over LTE is not working for customers using SKT (SK Telecom) as their carrier. Upon investigation, it seems that a similar issue might be occurring with a streaming service app called "SOOP." I would appreciate it if you could share any information regarding this bug. Thank you.
1
0
312
Apr ’25
macOS network pf.conf
I have a question regarding /etc/pf.conf. If I use this rule,

    rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080

all other traffic on bridge100 will not function properly, even the traffic that is not destined for 192.168.2.104. Additionally, the hotspot generated through bridge100 will also become unavailable. Even if I comment out this rule and run sudo pfctl -e -f /etc/pf.conf, the problem still persists. The situation will only return to normal when I restart my Mac.

My macOS: 15.3.2

My /etc/pf.conf:

    #
    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
1
0
267
Mar ’25
Missing addresses of name servers
In our iOS networking related app for the App Store (with network extension using packet tunnel provider), we are supposed to read the list of nameservers for the network. We use the res_ninit function. This function returns only 3 items (but in reality the network has more DNS servers. In my case 5. Some IPv4 and some IPv6). Looking at the header file at iOS 18.2 -> user/include/resolve.h, it shows that the __res_state struct has a maximum limit of 3 for the nsaddr_list array. It seems that the reason the res_ninit function returns only 3 values is because of this. For our code to work correctly, it needs to know all the DNS servers, but we only get partial results. Is there any other API that can get us all the DNS servers?
1
0
219
Jan ’25
Sequoia crashes on call to SSL_CTX_new()
Code I have used for years on Macs now crashes after updating OS:

    SSL_CTX *sslctx = SSL_CTX_new(SSLv23_client_method());

Reading the posts about TLS changes, I change it to this:

    SSL_CTX *sslctx = SSL_CTX_new(TLS_client_method());

In fact any method I give results in a crash. Is this a known issue? Is there something I now need to call before calling SSL_CTX_new()?
1
0
240
Sep ’24
defaultPath deprecated in NEProvider
The documentation for the defaultPath property of NEProvider is as follows: This NWPath object contains information about which physical network interface will be used by connections opened by the Network Extension provider. You can determine when this physical interface changes by observing this property using KVO. However, I have noticed that it is deprecated as of iOS 18. Is there any existing replacement for this functionality since it has been deprecated, or is a new replacement on the horizon? This is very useful for network extensions in order to detect changes to the network, for instance when moving from WiFi to mobile data.
1
0
467
Oct ’24
Bonjour Conformance Test - Multiple Instance in Single Device
We are currently working on a zero-configuration networking compliant device through avahi-daemon. Our device wants to have multiple instance names for different services. Example:

    InstanceA._ipps._tcp.local.
    InstanceA._ipp._tcp.local.
    InstanceB._ipps._tcp.local.
    InstanceB._ipp._tcp.local.

Will BCT confuse this as multiple devices connected in the network and cause it to fail? Does Bonjour only allow a single instance name with multiple services?
1
0
56
Apr ’25
Port 5000 blocked by ControlCenter on M4 Pro Mac (403 from browser/Postman)
I'm running a Node.js server on my MacBook with Apple M4 Pro chip, macOS Sequoia 15.4, and Node.js v23.10.0. The server starts normally on port 5000 and logs show that it's listening correctly. However, when I try to access it via browser or Postman (http://localhost:5000/api/...), I get a 403 Forbidden error. After checking with lsof -i :5000, I noticed that the ControlCenter process is listening on port 5000 under the name commplex-main. Interestingly, this doesn't happen on M3 Pro machines. On those devices, Node.js runs fine on port 5000 and can be accessed from Postman and browsers. Is port 5000 now internally reserved by macOS or used by some system-level service in Sequoia or Apple Silicon (M4 Pro)? Should I avoid using this port going forward? Any official clarification would be appreciated.
1
0
70
Apr ’25
How to transition from a non-background upload to a background one
A few months ago, I remember reading some official documentation that was describing how to switch to a background upload when the app is about to be suspended. Unfortunately, I can't find that resource back, so it would be fantastic if someone would point it out to me. If I remember correctly, the procedure described was to start a regular upload task within some UIApplication.backgroundTask, and in any case the upload wasn't finished at the moment the system would call the suspension handler, the upload was "transitioned" into a background one while preserving the current progress (I think because it was using the same URLSession or something, hence why I want to find back the documentation!) Note that I don't want to start a background upload from the beginning (this is what we do already!). I'm mostly looking for that piece of documentation to experiment if that scheme would improve our upload performance. Thanks!
1
0
377
Oct ’24
Ethernet / TCP socket direct to server device with static IP
Hi, I have a hardware device that acts as an ethernet server. I need to connect to it using a TCP socket over ethernet. Problem is, I cannot find an API or example code on how to go about this. I have tried to search through the available network interfaces using AF_LINK (link layer) family but only the wifi shows up (en0), even when the device is connected and the iPhone self-assigns an IP etc. Extra challenge is, I am using Objective-C because all of my other code is written that way. I'm happy to add a Swift module where that is the only option. Can someone please point me in the right direction?
1
0
342
Oct ’24