Network Extension stopped working with SIP disabled

Whenever I'm working on my content filter for macOS, I usually keep SIP disabled and developer mode on (systemextensionsctl) as a convenience.

The issue: the content filter stopped receiving any kind of traffic when SIP is disabled. I don't see any log lines in Console for new flows, and the filter can't block anything, since it doesn't get any flows. The issue started yesterday.

I tried several things and did some investigation; here are some findings:

  • Reboot: rebooting did not fix the issue (while keeping SIP disabled).
  • Reenabling SIP fixes the issue for both App Store and Xcode builds.
  • Code: latest published version also stopped working with SIP disabled. This version is stable and confirmed to work as reported by users.
  • Clean Xcode + rebuild did not fix the issue.

Lastly, I inspected the logs and did not see any errors standing out. I noticed the filter does get started (startFilter is called) and registered, but after that there are no errors, new flows or anything, just silence (logs below).

com.apple.networkextension	default	15:22:22.270746-0300	: Calling startFilterWithCompletionHandler
com.extension.MyExtension	info	15:22:22.270998-0300	Success applying filter settings
com.apple.networkextension	debug	15:22:22.272705-0300	NESMFilterSession[My Extension:B9F3F30E-E0E0-4E53-8B32-EFC285E3CF6A]: Checking providerBundleIdentifier com.extension.MyExtension for pluginClass 4
com.apple.networkextension	debug	15:22:22.272717-0300	Checking for com.extension.MyExtension - com.apple.networkextension.filter-data
com.apple.networkextension	default	15:22:22.272728-0300	Found 1 registrations for com.extension.MyExtension (com.apple.networkextension.filter-data)
com.apple.networkextension	debug	15:22:22.272778-0300	NESMFilterSession[My Extension:B9F3F30E-E0E0-4E53-8B32-EFC285E3CF6A]: com.extension.MyExtension is registered for pluginClass 4

Here is some additional information about my system:

  • macOS 15.1
  • Between yesterday and today, the only new installation is XProtectPlistConfigData at 12:10 AM

Thanks!

Answered by terransw in 814298022

Turning the firewall off fixes the issue. Content filter starts receiving and filtering flows again. Everything works fine.

Turning the firewall back on stops working again.

Idea from "Do they have the built-in firewall enabled? If so, does disabling it, and then restarting, cure this problem?" #768656

Well, that’s weird.

I mean, I usually recommend against disabling SIP, but doing so shouldn’t break things (well, other than your sense of security :-).

Can you reproduce this with a trivial content filter test project?

Are you seeing this on multiple Macs? More specifically, can you reproduce this in a ‘clean’ VM?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The issue can be reproduced with SimpleFirewall + SIP disabled. No flows despite being successfully installed.

Other machines: I don't have a spare Mac at the moment. I'm trying to test with a clean VM via VirtualBuddy + macOS 15.1, but I'm having difficulties getting my app to run in there.

I tried to add the VM uuid into Certificates, Identifiers & Profiles but it looks like it's in a different format and the form doesn't let me add the device, which blocks the Archive > Debug path to test the app (ticket). I'm now trying the Developer ID path.

Any tips/resources on running dev apps on clean VMs would be greatly appreciated, if any available :)


Accepted Answer

Let’s start with your VM question.

I’ve not had significant problems using development-side binaries in a VM. I add the VM’s UDID to my account and things generally Just Work™. However, I have a couple of notes:

  • I get the guest’s UDID from the Hardware > Provisioning UDID field in System Information running in that guest.

  • If you’re using automatic signing, you have to convince Xcode to include the UDID in your profile. I generally do this by building an Xcode archive and then exporting that via the Distribute App > Debugging workflow. I usually only have to do this once, after which the normal Product > Build command picks up the new profile.


Coming back to your real issue:

Turning the firewall off fixes the issue.

OK, I’m glad that you managed to isolate it.

Clearly this is an Apple problem, in that you can reproduce it with none of your software installed. Given that, the path forward is clear: File a bug about it.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
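The isolation steps in this thread boil down to checking three machine states (SIP, the built-in application firewall, and system extension developer mode) and correlating them with the "filter registers but sees no flows" symptom. The script below is an added triage helper, not code from the thread or from Apple; it parses the output of `csrutil status`, `socketfilterfw --getglobalstate` and `systemextensionsctl developer` (the exact output wording is assumed, and the sample outputs embedded here are constructed) and reports whether the machine is in the combination the poster reproduced.

```python
"""Triage helper for the symptom in this thread: a Network Extension content
filter that registers (startFilter runs) but receives no flows when SIP is
disabled and the built-in application firewall is enabled.

Added example, not part of the original thread. The tools below are real
macOS commands; the phrases matched in their output are assumptions based on
typical output, and the SAMPLE_* strings are constructed for offline testing.
"""
import platform
import re
import subprocess
from typing import Dict, Optional

# Commands a practitioner would run on the affected Mac.
COMMANDS = {
    "sip": ["csrutil", "status"],
    "firewall": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
    "devmode": ["systemextensionsctl", "developer"],
}

# Useful follow-up once the state is known (real `log` predicate).
LOG_HINT = 'log show --last 5m --predicate \'subsystem == "com.apple.networkextension"\''


def parse_sip(text: str) -> str:
    """'enabled', 'disabled' or 'unknown' from `csrutil status` output."""
    m = re.search(r"status:\s*(enabled|disabled|unknown)", text, re.I)
    return m.group(1).lower() if m else "unknown"


def parse_firewall(text: str) -> Optional[int]:
    """Global firewall state from socketfilterfw: 0 off, 1 on, 2 block all."""
    m = re.search(r"State\s*=\s*(\d)", text)
    return int(m.group(1)) if m else None


def parse_devmode(text: str) -> Optional[bool]:
    """True/False from `systemextensionsctl developer`, None if unrecognised."""
    m = re.search(r"Developer mode is (on|off)", text, re.I)
    return None if not m else m.group(1).lower() == "on"


def triage(sip_text: str, fw_text: str, dev_text: str) -> Dict[str, object]:
    """Correlate the three states with the combination reported in FB15879569."""
    sip = parse_sip(sip_text)
    fw = parse_firewall(fw_text)
    dev = parse_devmode(dev_text)
    matches = sip == "disabled" and fw in (1, 2)
    if matches:
        advice = ("SIP disabled + firewall on: this is the combination reported in "
                  "FB15879569. Turn the firewall off (or re-enable SIP) and re-test.")
    elif sip == "disabled":
        advice = "SIP disabled but firewall off; not the reported combination. " + LOG_HINT
    else:
        advice = "SIP enabled; look elsewhere (e.g. entitlements, activation). " + LOG_HINT
    return {"sip": sip, "firewall_state": fw, "developer_mode": dev,
            "matches_reported_combo": matches, "advice": advice}


def collect_live() -> Dict[str, object]:
    """Run the real commands (macOS only) and triage their output."""
    if platform.system() != "Darwin":
        raise RuntimeError("collect_live() only runs on macOS")
    outputs = {}
    for key, argv in COMMANDS.items():
        try:
            outputs[key] = subprocess.run(argv, capture_output=True, text=True,
                                          check=False).stdout
        except FileNotFoundError:
            outputs[key] = ""
    return triage(outputs["sip"], outputs["firewall"], outputs["devmode"])


# Constructed sample outputs (assumed wording) for offline use.
SAMPLE_SIP_DISABLED = "System Integrity Protection status: disabled.\n"
SAMPLE_SIP_ENABLED = "System Integrity Protection status: enabled.\n"
SAMPLE_FW_ON = "Firewall is enabled. (State = 1)\n"
SAMPLE_FW_OFF = "Firewall is disabled. (State = 0)\n"
SAMPLE_DEV_ON = "Developer mode is on.\n"

if __name__ == "__main__":
    report = triage(SAMPLE_SIP_DISABLED, SAMPLE_FW_ON, SAMPLE_DEV_ON)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run it with no arguments to see the constructed "bad combination" case; on a Mac, call `collect_live()` instead to triage the real machine.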

On VMs: thanks for the tips.

I did the same, but I'm unable to register a new device in my account. The Provisioning UDID looks off. Tried with VirtualBuddy and UTM, open to suggestions. By the way I'm picking macOS in the device dropdown.


Back to the real issue: will file a bug and post the bug number here. Thanks!

Are you on Intel?

On my Apple silicon Mac, using UTM 4.5.4 with macOS 14.7.1 as the host and macOS 15.1 as the guest, the Provisioning UDID field has a value of 0000FE00-4AB88A42E2066946. I’m able to add that to my developer account just fine.

I’ve done similar things with Intel, but:

  • On Intel I used VMware Fusion

  • I haven’t done it for at least a year, so things might’ve drifted.

My last Intel VM had a Provisioning UDID of 564DE608-4269-43C0-99C4-BFC8C02A6EDC. The Developer website still accepts that, with or without the dashes.

will file a bug and post the bug number here.

Thanks.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
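Quinn's post quotes two Provisioning UDID shapes the Developer website accepted: an Apple silicon VM value like `0000FE00-4AB88A42E2066946` and an Intel VM value in standard UUID form like `564DE608-4269-43C0-99C4-BFC8C02A6EDC`, the latter with or without dashes. The checker below is an added example, not code from the thread or from Apple; it generalises only from those two quoted values (an assumption, not Apple's documented rule) so you can sanity-check what a guest's System Information reports before pasting it into the device form.

```python
"""Sanity-check a macOS VM Provisioning UDID against the two shapes this
thread reports as accepted by the Developer website.

Added example, not part of the original thread. The shapes are generalised
from the two values quoted there and are an assumption, not Apple's rule.
"""
import re

# Apple silicon style, as quoted: 8 hex digits, dash, 16 hex digits.
APPLE_SILICON_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{16}$")
# Intel style, as quoted: a standard 8-4-4-4-12 UUID.
UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")
# The thread says the UUID form is also accepted with the dashes removed.
UUID_NODASH_RE = re.compile(r"^[0-9A-F]{32}$")


def normalize_udid(raw: str) -> str:
    """Trim whitespace and upper-case, the way a pasted value is compared."""
    return raw.strip().upper()


def classify_udid(raw: str) -> str:
    """Return 'apple-silicon', 'uuid', 'uuid-nodash' or 'unrecognized'."""
    udid = normalize_udid(raw)
    if APPLE_SILICON_RE.match(udid):
        return "apple-silicon"
    if UUID_RE.match(udid):
        return "uuid"
    if UUID_NODASH_RE.match(udid):
        return "uuid-nodash"
    return "unrecognized"


def looks_acceptable(raw: str) -> bool:
    """True when the value matches one of the shapes reported as accepted."""
    return classify_udid(raw) != "unrecognized"


# Constructed inputs: the two values quoted in the thread plus a
# deliberately malformed one (shortened Apple silicon value).
SAMPLES = [
    "0000FE00-4AB88A42E2066946",
    "564DE608-4269-43C0-99C4-BFC8C02A6EDC",
    "564DE608426943C099C4BFC8C02A6EDC",
    "0000FE00-4AB88A42",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} -> {classify_udid(s)} (acceptable: {looks_acceptable(s)})")
```

If a guest reports something `classify_udid` calls unrecognized, that is the situation FB15876115 describes; the checker cannot fix it, it only tells you early that the form is unlikely to accept the value.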

Please post your bug number, just for the record.

FB15879569 Network extension does not work with firewall enabled and SIP disabled


FB15876115 Malformed Provisioning UUID for VMs with macOS 15.1 as host

I'm also on Apple silicon (M1), same UTM version, also macOS 15.1 as guest, but I'm on macOS 15.1 24B83 as the host. I keep getting Provisioning UDIDs in the VM that are not accepted in the Developer website. Filed a bug and included system reports from the host and VM.
