We use a content filter in our app to monitor flows; we gather data about the flow and block flows deemed suspicious.
Our content filter is activated/deactivated by a UI app but the flows are reported via XPC to a separate daemon process for analysis.
As of macOS 15, we are seeing cases where flows are missing or flows are not received at all by the content filter. The behaviour is not consistent, some devices seem to receive flows normally but others don't. It appears Intel devices are much less prone to showing the problem, whereas Arm devices routinely exhibit missing flows.
- On macOS 14 or earlier, there is no sign of missing flows.
- Testing on earlier beta versions of macOS 15 did not appear to show the problem; however, I can't rule out that the issue was present but wasn't spotted.
- Experimenting with simple examples of using a content filter (e.g. QNE2FilterMac) does not appear to reproduce the issue.
Questions:
- What has changed between macOS 14 and 15 that could be the cause of the lack of flows?
- Is our approach to using an app activated content filter reporting to a daemon connected via XPC unsupported?
Is our approach to using an app activated content filter reporting to a daemon connected via XPC unsupported?
Yes. [Removed because it’s confusing. See below.]
You have to be careful about performance here, but the basic concept is sound.
Note: On the performance front, it’s best if you can avoid routing all the user’s traffic over this XPC channel. My general advice is that you use the XPC channel for ‘command and control’, but not for traffic. So, if there are filter rules that need to be run, put the filtering engine in your NE provider. Then use XPC to get the rules to run, for general logging, and for reporting issues.
What has changed between macOS 14 and 15 that could be the cause of the lack of flows?
macOS 15, like all major OS releases, changed so much stuff that it’s not feasible to answer ‘what has changed’ questions. However:
- I’m not aware of any change to the content filter API.
- On the implementation side, the most obvious change is that the built-in firewall is now based on NE. I’ve seen reports from other filter developers that this might be causing problems (FB15699871). If you’re working with a user who’s experiencing this issue, you might ask them:
  - Do they have the built-in firewall enabled?
  - If so, does disabling it, and then restarting, cure this problem?
To be clear, this is a diagnostic test, not an actual workaround.
In addition to that, it’d be good to get an actionable bug report about this. See my Bug Reporting: How and Why? for general info on that topic. In this case:
- There are specific VPN (Network Extension) instructions on our Bug Reporting > Profiles and Logs page.
- You want to capture the log as soon as you see the problem.
- If you’re able to reproduce it with a minimal test content filter, like QNE2FilterMac, that’d be great. If not, it’s better to have a bug with your production content filter than nothing at all.
If you do file a bug, please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
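The split Quinn recommends above (rule evaluation inside the NE provider, XPC reserved for pulling rules and reporting short summaries) as an added Swift sketch; this is example code, not code from the thread, from the original poster or from Apple. The mach service name, the `HostRule` shape and `FilterControlProtocol` are assumptions made for the illustration.

```swift
import Foundation
import NetworkExtension
// Rule shape the daemon sends over XPC (constructed for this example).
struct HostRule: Codable {
    let hostSuffix: String   // e.g. "blocked.example" (placeholder value)
    let block: Bool
}
// The filtering engine itself lives in the provider: every flow is judged in-process.
final class RuleEngine {
    private var rules: [HostRule] = []
    private let lock = NSLock()
    func replaceRules(_ new: [HostRule]) { lock.lock(); rules = new; lock.unlock() }
    func shouldBlock(host: String) -> Bool {
        lock.lock(); defer { lock.unlock() }
        return rules.first { host.hasSuffix($0.hostSuffix) }?.block ?? false
    }
}
// Hypothetical daemon interface: rules come down, short verdict reports go up; no flow bytes cross.
@objc protocol FilterControlProtocol {
    func fetchRules(reply: @escaping (Data) -> Void)
    func reportBlocked(host: String, app: String)
}
final class FilterDataProvider: NEFilterDataProvider {
    private let engine = RuleEngine()
    private let daemon: NSXPCConnection = {
        let c = NSXPCConnection(machServiceName: "com.example.filterd") // placeholder service name
        c.remoteObjectInterface = NSXPCInterface(with: FilterControlProtocol.self)
        c.resume()
        return c
    }()
    private var control: FilterControlProtocol? {
        daemon.remoteObjectProxyWithErrorHandler { _ in } as? FilterControlProtocol
    }
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Command and control: pull the rule set once at start, not on every flow.
        control?.fetchRules { [weak self] data in
            self?.engine.replaceRules((try? JSONDecoder().decode([HostRule].self, from: data)) ?? [])
        }
        completionHandler(nil)
    }
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let sock = flow as? NEFilterSocketFlow,
              let host = sock.remoteHostname ?? (sock.remoteEndpoint as? NWHostEndpoint)?.hostname
        else { return .allow() }
        guard engine.shouldBlock(host: host) else { return .allow() }
        control?.reportBlocked(host: host, app: flow.sourceAppIdentifier ?? "unknown") // summary only
        return .drop()
    }
}
```

Only the verdict summary (host and app identifier) leaves the provider; flow data is never relayed to the daemon, so the XPC channel stays off the per-flow hot path.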