Hello, I have a company laptop thats connected to the internet without a VPN. I need to be able to resolve my company's sub domains using a specific dns server, and have all other domains resolved by the system wide name server. In windows, this is trivial to do. In an admin powershell I run "Add-DnsClientNrptRule -Namespace ".foo.mycompany.com" -Nameserver "127.0.0.1" and resolution requests for *.foo.mycompany.com is sent to a name server running on the localhost. All other dns resolution requests are handled by the system configured resolver. MacOS does have the /etc/resolver/ solution for this, but my understanding from these forums is that this is not the recommended approach. Note - I have tried it and it works. AFAIU, the recommended approach is to create a system Network extension using NEDNSProxyProvider, override handleNewFlow() and do what's necessary. The issue with this solution is that it requires handling all the dns flow parsing of DNS datagrams to extract the host forwarding the datagrams to the appropriate dns server Handle responses. Deal with flow control Handle edge cases. I was hoping for something much simpler than us needing to implement datagram parsing. Could you please shed light on our options and how we could proceed ?

Hello! I'd like to ask about the best way of getting a list of DNS servers from the system (iOS & macOS). Why? I am using NEPacketTunnelProvider to implement a VPN app. When a device joins a network with a Captive Portal and the VPN is on, the VPN should redirect DNS queries to the DNS servers that were received from the network's DHCP server. So that my VPN is able to correctly reroute the traffic which is not blocked by the network's gateway and the Captive Portal landing page is served. When I don't do anything, the traffic goes to the tunnel and the tunnel's encrypted traffic is then dropped by the gateway serving the Captive Portal. When I temporarily turn off the VPN, opt out of all the traffic or pass the traffic to the system resolver, the traffic gets affected by other network settings (like DNSSettings) which leads to the same situation - the user not being able to authenticate with the Captive Portal. So far, I have tried multiple ways, including res_9_getservers but unsuccessfully. As a part of my investigation, I have found out that the /etc/resolv.conf file is not populated with DNS servers until the Captive Portal is acknowledged by the user which makes getaddrinfo unusable to achieve my goal. But I am not sure if that's a bug or intended behavior. Thank you for your help!

I am working on developing a Mac app (WireGuard Apple VPN) that will be distributed outside the App Store. I have added the network extension which is included in the system extension with packet tunneling capability. I have created a build following these steps here: https://developer.apple.com/forums/thread/737894 as per your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251 It works fine in this case when the machine has SIP disabled and systemextensionsctl developer enabled. As soon as I have made changes on the machine to disable systemextensionsctl developer and enable SIP, it loads the system extension and also asks for network extension permission. But it does not connect to the VPN. I have copied the app to the "/Applications" directory before opening it. This issue is specific to macOS 15.1. It works fine for macOS 14.* and 13.*. Speaking of macOS 15.0, it didn't work in both cases with SIP enabled or disabled. So, it seems that it must be a bug in macOS 15.0 and it seems that this bug was partially fixed in macOS 15.1. Is that right? I am currently planning to distribute the app to testers for final testing before rolling it out to a wider audience. Am I missing something? Thanks in advance.

I have a need to do a coverage test for the networkextension function code implemented by the system extension, but I don't know how to implement this method. For example, how do you use gtest or how do you use xctest to achieve these capabilities? If you know, please let me know. Thanks

I'm working on a network extension that provides a VPN tunnel. The logic behind the tunnel provider requires me to connect the backend to pull recent configuration and then configure the routing. It works in general but fails with some circumstances. I have 100% reproducible fails if I run OpenVPN tunnel in parallel. When it happens it looks like the network extension cannot connect the backend (any internet resource actually). Requests fail by timeout. To troubleshoot this situations I've added NWPathMonitor at my NEPacketTunnelProvider subclass: pathMonitor?.pathUpdateHandler = { path in logger.info("Path update: \(path)") logger.info(" : \(path.availableInterfaces)") } On successful scenarios I observed logs: 14:53:19:829 Starting VPN tunnel... 14:53:19:895 Path update: satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi 14:53:19:899 : [en0] 14:53:22:237 Path update: satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi 14:53:22:253 : [en0, utun12] 14:53:22:325 VPN tunnel is started. But if I start another tunnel first using OpenVPN (it's our corporate VPN) I observe failures with such log messages: 14:54:26:113 Starting VPN tunnel... 14:54:26:140 Path update: satisfied (Path is satisfied), interface: en0[802.11], scoped, ipv4, ipv6, dns, uses wifi 14:54:26:141 : [en0] 14:55:28:259 Failed to start VPN tunnel. utun12 that was used by the extension in case of success is now occupied by the OpenVPN tunnel. The system creates utun13 for me but it feels like its misconfigured: > ifconfig (omitted most of the output) utun12: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 inet 172.28.11.236 --> 172.28.10.1 netmask 0xfffffe00 nd6 options=201<PERFORMNUD,DAD> utun13: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM> Is it a system bug and what else can I do to diagnose the root cause of these failures?

Hi, I would like to know if it is safe to call the uploadTask from URLSession from the main thread ? We've a user who is reporting repeated crashes at startup, here is the stack we see: Exception Type: EXC_CRASH (SIGKILL) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: FRONTBOARD 2343432205 <RBSTerminateContext| domain:10 code:0x8BADF00D explanation:scene-update watchdog transgression: app<com.appspot.myApp(E7590BB1-722C-491D-9199-F867DE4B880A)>:2212 exhausted real (wall clock) time allowance of 10.00 seconds ProcessVisibility: Background ProcessState: Running WatchdogEvent: scene-update WatchdogVisibility: Background WatchdogCPUStatistics: ( "Elapsed total CPU time (seconds): 21.260 (user 10.230, system 11.030), 35% CPU", "Elapsed application CPU time (seconds): 0.006, 0% CPU" ) reportType:CrashLog maxTerminationResistance:Interactive> Triggered by Thread: 0 Thread 0 name: Dispatch queue: com.apple.main-thread Thread 0 Crashed: 0 libsystem_kernel.dylib 0x1def7a688 mach_msg2_trap + 8 1 libsystem_kernel.dylib 0x1def7dd98 mach_msg2_internal + 80 2 libsystem_kernel.dylib 0x1def7dcb0 mach_msg_overwrite + 424 3 libsystem_kernel.dylib 0x1def7dafc mach_msg + 24 4 libdispatch.dylib 0x1968d8f14 _dispatch_mach_send_and_wait_for_reply + 544 5 libdispatch.dylib 0x1968d92b4 dispatch_mach_send_with_result_and_wait_for_reply + 60 6 libxpc.dylib 0x21714a930 xpc_connection_send_message_with_reply_sync + 256 7 Foundation 0x18d80a3ac __NSXPCCONNECTION_IS_WAITING_FOR_A_SYNCHRONOUS_REPLY__ + 16 8 Foundation 0x18d806b14 -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 2160 9 CoreFoundation 0x18eb868dc ___forwarding___ + 1004 10 CoreFoundation 0x18eb86430 _CF_forwarding_prep_0 + 96 11 CFNetwork 0x1900c71e0 -[__NSURLBackgroundSession setupBackgroundSession] + 800 12 CFNetwork 0x1900b3e80 -[__NSURLBackgroundSession initWithConfiguration:delegate:delegateQueue:delegateDispatchQueue:] + 552 13 CFNetwork 0x1900b4784 +[NSURLSession _sessionWithConfiguration:delegate:delegateQueue:delegateDispatchQueue:] + 1496 14 MyApp 0x1054210b4 CombineBgXferRepository.session.getter (in MyApp) (CombineBgXferRepository.swift:62) + 7966900 15 MyApp 0x105422fa4 CombineBgXferRepository.startUploadTask(fileURL:request:) (in MyApp) (CombineBgXferRepository.swift:310) + 7974820 If it is ok to call this uploadTask from the main thread, does this crash indicate a problem with the operating system? Are there scenarios where the background upload service does not respond to requests?

Starting on macOS Sequoia, flows originated in Firefox have an empty sourceAppAuditToken. Other apps contain a valid token. Background: in order to fetch process info for a certain NEFilterFlow, my content filter extension uses sourceAppAuditToken, audit_token_to_pid() and proc_* (as recommended in #126820). When that fails, we use SecCodeCopyGuestWithAttributes, recommended in some other thread as a better alternative. Both approaches break when the sourceAppAuditToken is empty since they need the pid. Debugging: My logging shows audit token is empty for Firefox Typical logs from com.apple.networkextension also indicate it fails to fetch the same info I'm looking for: com.apple.networkextension debug 11:22:07.024588-0300 Fetching appInfo from cache for pid: 948 uuid: 5C40B765-C6C9-3641-A822-2BC44D264361 bundle id: (null) com.apple.networkextension debug 11:22:07.024657-0300 Calling delegate lookup handler with pid: 948, uuid: 5C40B765-C6C9-3641-A822-2BC44D264361, bundleID: (null) com.apple.networkextension debug 11:22:07.025856-0300 Could not look up appInfo for pid: 948 bundle id: (null) uuid: 5C40B765-C6C9-3641-A822-2BC44D264361 com.apple.networkextension error 11:22:07.025897-0300 Could not find app info, return the original flow without filling in app info Handling new flow: identifier = D89B5B5D-793C-4940-D992-4E90F2AD1900 procPID = 953 eprocPID = 948 direction = outbound inBytes = 0 outBytes = 0 signature = {length = 32, bytes = 0x4afeafde b484aa0c c5cb8698 0567343d ... 7cdee33e 135666dd } socketID = 19adf2904e92d9 localEndpoint = 0.0.0.0:0 remoteEndpoint = 17.33.202.170:443 protocol = 6 family = 2 type = 1 procUUID = 0C68E603-967E-3643-B225-378BD2A655F7 eprocUUID = 5C40B765-C6C9-3641-A822-2BC44D264361 Perhaps there's a bug when generating the audit token or could it be something with the Firefox signature? I double-checked Firefox and it seems fine: $ codesign --verify --verbose /Applications/Firefox.app /Applications/Firefox.app: valid on disk /Applications/Firefox.app: satisfies its Designated Requirement Not sure if relevant, but codesign with -dv showed different flags in CodeDirectory when compared to chrome: codesign -dv /Applications/Firefox.app ... CodeDirectory v=20500 size=863 flags=0x10000(runtime) hashes=18+5 ... Versus chrome CodeDirectory v=20500 size=1821 flags=0x12a00(kill,restrict,library-validation,runtime) hashes=46+7 location=embedded

Hi, I developed a system extension that uses the content filter providers of the network extension. When I am using a VPN, I turn on the network extension and the VPN is disconnected. Can this problem be avoided? How to prevent VPN disconnection

Hello Apple Developer Community, I am currently working on a macOS project where my primary goal is to intercept IP packets, modify them (specifically the TCP payload), and then forward them. My intended use case involves selectively intercepting outgoing packets based on their destination IP, altering their content, and sending them on their way to the original destination. What I’ve Tried: NEAppProxyProvider: • I explored using App Proxy Provider to handle new TCP and UDP flows. • While it allowed me to read the data, handling direct packet modification and forwarding without creating a new connection or proxy setup proved challenging, especially for maintaining TCP state and handling TLS traffic. System Extension with NEFilterPacketProvider: • I considered NEFilterPacketProvider for intercepting and modifying network packets. • However, the documentation implies that packet filtering only supports allow/block actions, not modification and reinjection of packets back into the system. I am planning to try NEPacketTunnelProvider: But the documentation states that this is not the right use case. Packets are expected to go into the tunnel. Since I don't have any requirement to create and maintain a tunnel, this doesn't look like an option for me. Transparent proxy setups like NETransparentProxyProvider do not appear to offer direct packet modification capabilities without involving a user-space proxy approach. Implementing packet-level interception outside of the Network Extension framework (e.g., Network Kernel Extension) seems unsupported in newer macOS versions (Sequoia and later). My Questions: Is there a recommended approach or combination of Network Extension capabilities that would allow intercepting and modifying IP packets directly? Can NEFilterPacketProvider or any other extension be utilized in a way to modify and reinject packets back into the system? Are there any examples or sample projects that achieve similar functionality, possibly using a blend of Network Extension and lower-level networking frameworks? I appreciate any insights or pointers to documentation or examples that could help achieve this. Thanks and Regards. Prasanna.

Hello there! We have an app that connects to an external device via Wi-Fi to send and query content from it. This external device generates a hidden AP that the phone connects against. However, sometimes the app fails to connect to the external device with the system alert "Unable to join the network...". We have been debugging for a couple but couldn't find any clear reason of why this thing is happening. What could be the reason behind this alert appearing? For the connection, we are using the NEHotspotConfigurationManager to connect to the AP of this external device. The configuration for the connection is the following: NEHotspotConfiguration( ssid: ssid, passphrase: password, isWEP: false ) configuration.hidden = true There are some logs that we extracted that show two connections. One happened at 20:37, which was a successful connection. wifi_logs_success 2.log Another connection was made at 20:38, which failed. wifi_logs_failure.log Inspecting the logs, one difference that I see between them is the __WiFiDeviceManagerDispatchUserForcedAssociationCallback: result %lld, which in the successful case is 0 and in the failed case is 1. Can anyone help with this? We're very lost on why this configuration could be an issue at all.

func setupUDPSocket() { stopSearch() udpSocket = GCDAsyncUdpSocket(delegate: self, delegateQueue: DispatchQueue.main) do { try udpSocket?.bind(toPort: 4012) try udpSocket?.beginReceiving() try udpSocket?.joinMulticastGroup("239.255.255.250") } catch let error { DispatchQueue.main.async { print(Thread.current) print(error) print(error) } } } private func search() { guard let udpSocket = udpSocket else { print("not set udpSocket") stopSearch() return } let message = "M-SEARCH * HTTP/1.1\r\n" + "HOST: 239.255.255.250:1900\r\n" + "MAN: \"ssdp:discover\"\r\n" + "MX: 3\r\n" + "ST: ssdp:all\r\n" + "\r\n" let data = message.data(using: .utf8)! udpSocket.send(data, toHost: "239.255.255.250", port: 1900, withTimeout: -1, tag: 0) } This is my send SSDP code, my project was inited in Objective-C, recently I update xcode to 16, I get Error Domain=NSPOSIXErrorDomain Code=65 "No route to host", when I send UPD data in iOS 18, but iOS 17 is ok. Even I found, if I init a new project in Swift, this bug is disappear.

I see that the iOS API includes the following NEHotspotConfigurationManager NEHotspotEAPSettings NEHotspotHS20Settings and NEHotspotTTLSInnerAuthenticationMSCHAPv2 But.. I need to access the cloud server from the app to obtain the Passpoint configuration, and then set it to the user's phone. Authentication requires EAP2 & MSCHAPv2, and of course, leaf certificates need to be loaded to the user. I cannot find a simple code example to do this... HELP! THKS..

Hello, I recently replaced NSURLConnection with NSURLSession in my application, and I have noticed a significant decrease in network speed. I am seeking advice on why this might be happening and how to resolve the issue. Here is the code before the change: Old Code: - (void)execute:(id<STHttpEntity>)entity { [entity addHeader:API_HDR_CLASS_NAME value:self.apiClass]; [entity addHeader:API_HDR_METHOD_NAME value:self.apiMethod]; NSMutableURLRequest *req = [self createRequest:entity]; self.connection = [[NSURLConnection alloc] initWithRequest:req delegate:self]; [self.connection start]; } - (void)connectionDidFinishLoading:(NSURLConnection *)connection { [self clearConnectionTimeout]; self.requestData = nil; if (self.httpStatus != HTTPSTATUS_OK) { [self callFailedWithStatus:self.httpStatus]; return; } [self callSucceeded]; } And here is the code after the change: New Code: - (void)execute:(id<STHttpEntity>)entity { [entity addHeader:API_HDR_CLASS_NAME value:self.apiClass]; [entity addHeader:API_HDR_METHOD_NAME value:self.apiMethod]; NSMutableURLRequest *req = [self createRequest:entity]; NSURLSessionConfiguration *sessionConfig = [NSURLSessionConfiguration defaultSessionConfiguration]; NSURLSession *session = [NSURLSession sessionWithConfiguration:sessionConfig delegate:self delegateQueue:nil]; self.dataTask = [session dataTaskWithRequest:req]; [self.dataTask resume]; } - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didCompleteWithError:(nullable NSError *)error { [self clearConnectionTimeout]; self.requestData = nil; if (error) { [self callFailed:error]; } else { [self callSucceeded]; } } Issue: After replacing NSURLConnection with NSURLSession, the network speed has significantly decreased. The new implementation seems to be much slower than the old one. Questions: 1.What could be the reasons for the significant decrease in network speed after switching to NSURLSession? 2.Are there any specific configurations or best practices for NSURLSession that I should be aware of to improve performance? 3.Is there any known issue with NSURLSession that could cause such a performance drop? Any insights or suggestions would be greatly appreciated. Thank you in advance for your help!

The OpenSSL library interface to Allegro Common Lisp system stopped working with macOS 15.x (15.0.1 and 15.1). We have tried many versions of OpenSSL. 1.1.1t (which we built ourselves), 3.0.x, 3.3.x, 3.4.0. All work fine on macOS 14 and earlier. All fail on macOS 15. What is bizarre about the failure: we can load the SSL libraries fine, but when we try to make an outgoing connection it fails (with varying errors). Also, trying to use lldb to debug just hangs, once we step into the SSL libraries. More specifically, using Homebrew OpenSSL 3.0.15 gives an exception that we see in lldb, but we cannot step into SSL_ctrl(), which is in libssl.3.dylib, provided by Homebrew. We have also tried a version of OpenSSL 1.1.1t that we built ourselves (and codesigned and is included in the notarized app), and it fails with a SEGV, rather than the error below, which is using 3.0.15: What started this were errors using the OpenSSL libraries. Here's the use case: cl-user(2): (net.aserve.client:do-http-request "https://franz.com") (net.aserve.client:do-http-request "https://franz.com") Error: Received signal number 0 [condition type: synchronous-operating-system-signal] Restart actions (select using :continue): 0: Return to Top Level (an "abort" restart). 1: Abort entirely from this (lisp) process. [1] cl-user(3): :zo :all t :count 5 :zo :all t :count 5 Evaluation stack: ... 5 more newer frames ... (excl::SSL_ctrl 6133462816 55 ...) (excl::ssl-device-open-common #<excl::ssl-client-stream closed fd # @ #x3079fed32> nil ...) ->((method device-open (excl::ssl-client-stream t t)) #<excl::ssl-client-stream closed fd # @ #x3079fed32> t ...) ((:internal (:effective-method 3 nil nil nil t) 0) #<excl::ssl-client-stream closed fd # @ #x3079fed32> t ...) ((:runsys sys::lisp_apply)) [... excl::function_lisp_apply ] (excl::caching-miss #<standard-generic-function device-open> (# t #) ...) [... device-open ] ... more older frames ... [1] cl-user(4): If you want to see the problem for yourself, I created a new, signed and notarized version of our application https://franz.com/ftp/pri/layer/acl11.0express-macos-arm64.dmg. To use it, install Homebrew and do brew install openssl@3.0, then execute the following to get the error: cd /Applications/AllegroCL64express.app/Contents/Resources env ACL_OPENSSL_VERSION=30 DYLD_LIBRARY_PATH="$(brew --prefix openssl@3.0)/lib:$DYLD_LIBRARY_PATH" ./alisp (progn (require :ssl)(require :aserve)) (net.aserve.client:do-http-request "https://franz.com") You should get the error shown above. Here's what we see when we set a breakpoint at SSL_ctrl: lldb alisp _regexp-env ACL_OPENSSL_VERSION=30 _regexp-env DYLD_LIBRARY_PATH=/opt/homebrew/opt/openssl@3.0/lib: br s -n SSL_ctrl run (progn (require :ssl)(require :aserve)) (net.aserve.client:do-http-request "https://franz.com") Then, we see this: cl-user(2): (net.aserve.client:do-http-request "https://franz.com") (net.aserve.client:do-http-request "https://franz.com") Process 5886 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.2 frame #0: 0x0000000102081090 libssl.3.dylib`SSL_ctrl libssl.3.dylib`SSL_ctrl: -> 0x102081090 <+0>: stp x20, x19, [sp, #-0x20]! 0x102081094 <+4>: stp x29, x30, [sp, #0x10] 0x102081098 <+8>: add x29, sp, #0x10 0x10208109c <+12>: mov x20, x2 (lldb) si <<<hang here>>> Again, it only started with macOS 15. We have not seen this on any previous version. More detail: $ codesign -vvvv /Applications/AllegroCL64express.app /Applications/AllegroCL64express.app: valid on disk /Applications/AllegroCL64express.app: satisfies its Designated Requirement $ $ codesign -d --entitlements - /Applications/AllegroCL64express.app Executable=/Applications/AllegroCL64express.app/Contents/MacOS/AllegroCL64express [Dict] [Key] com.apple.security.cs.allow-dyld-environment-variables [Value] [Bool] true [Key] com.apple.security.cs.allow-jit [Value] [Bool] true [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true $ The other thing we noticed in debugging this is even though we set DYLD_LIBRARY_PATH, another libssl seemed to be found by lldb. For example, in this case 3 versions of SSL_new were found by lldb: $ lldb alisp (lldb) target create "alisp" Current executable set to '/Applications/AllegroCL64express.app/Contents/Resources/alisp' (arm64). (lldb) _regexp-env ACL_OPENSSL_VERSION=30 (lldb) _regexp-env DYLD_LIBRARY_PATH=/opt/homebrew/opt/openssl@3.0/lib: (lldb) br s -n SSL_new br s -n SSL_new Breakpoint 1: 2 locations. (lldb) run Process 6339 launched: '/Applications/AllegroCL64express.app/Contents/Resources/alisp' (arm64) Copyright (C) 1985-2023, Franz Inc., Lafayette, CA, USA. All Rights Reserved. ... CL-USER(1): (progn (require :ssl)(require :aserve)) ; Fast loading ; /Applications/AllegroCL64express.app/Contents/Resources/code/SSL.002 ... T CL-USER(2): (net.aserve.client:do-http-request "https://franz.com") Process 6339 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.3 frame #0: 0x00000001020803ec libssl.3.dylib`SSL_new libssl.3.dylib`SSL_new: -> 0x1020803ec <+0>: stp x20, x19, [sp, #-0x20]! 0x1020803f0 <+4>: stp x29, x30, [sp, #0x10] 0x1020803f4 <+8>: add x29, sp, #0x10 0x1020803f8 <+12>: cbz x0, 0x102080700 ; <+788> (lldb) br list Current breakpoints: 1: name = 'SSL_new', locations = 3, resolved = 3, hit count = 1 1.1: where = libboringssl.dylib`SSL_new, address = 0x0000000193f1b160, resolved, hit count = 0 1.2: where = libssl.48.dylib`SSL_new, address = 0x000000026907f64c, resolved, hit count = 0 1.3: where = libssl.3.dylib`SSL_new, address = 0x00000001020803ec, resolved, hit count = 1 (lldb) We are out of ideas on how to debug this.

The first time my application opened the app on macos15, after I enabled the LNP, my app could access the local network (a socket service was opened locally), but when I restarted the computer and opened the APP again, I could not access the local network at this time, why? Solution :1. Disable and enable the LNP or 2. Reinstall the app

In my iOS app I am currently using Bonjour (via Network.framework) to have two local devices find each other and then establish a single bidirectional QUIC connection between them. I am now trying to transition from a single QUIC connection to a QUIC multiplex group (NWMultiplexGroup) with multiple QUIC streams sharing a single tunnel. However I am hitting an error when trying to establish the NWConnectionGroup tunnel to the endpoint discovered via Bonjour. I am using the same "_aircam._udp" Bonjour service name I used before (for the single connection) and am getting the following error: nw_group_descriptor_allows_endpoint Endpoint iPhone15Pro._aircam._udp.local. is of invalid type for multiplex group Does NWConnectionGroup not support connecting to Bonjour endpoints? Or do I need a different service name string? Or is there something else I could be doing wrong? If connecting to Bonjour endpoints isn't supported, I assume I'll have to work around this by first resolving the discovered endpoint using Quinn's code from this thread? And I guess I would then have to have two NWListeners, one just for Bonjour discovery and one listening on a port of my choice for the multiplex tunnel connection?

I'm currently working on an iOS app where I need to trigger an API call as soon as applicationWillResignActive is called. The method is designed to save user data and sync certain settings before the app transitions to the background. However, I'm experiencing issues where the API call is not consistently being triggered within this method. Does applicationWillResignActive not fully warrant an api call?

Starting from macOS 15 (macOS Sequoia), a new pop-up is triggered: “Local Network Privacy.” We have some questions regarding this new pop-up on MacOS: Question 1: If a launchd daemon invokes a command-line tool, will this tool trigger the local network prompt if it attempts to access the network? We use a launchd daemon which runs in root context and is started from /Library/LanuchDaemons/ Question 2: How will this prompt work across various macOS executables? I have read other developer forum articles and the https://developer.apple.com/forums/thread/663858 - Local Network Privacy FAQ. The responses are a little unclear and any insight into these questions would be very helpful with this new requirements.

After installing iOS 18.1 RC, VPN using IKEv2 and Wireguard protocols stopped working. VPN successfully connects, but there is no internet. On older versions everything works fine. On OpenVPN protocol everything works fine. I haven't found any errors in Console.log.

PLATFORM AND VERSION macOS Development environment: Xcode 15.0, macOS 15.0.1 Run-time configuration: macOS 15.0.1 DESCRIPTION OF PROBLEM We are currently developing a macOS app using the NEFilterDataProvider in the Network Extension framework, and we've encountered an issue regarding hostname resolution that we would like your guidance on. In our implementation, we need to drop network flows based on the hostname. The app successfully receives the remoteHostname or remoteEndpoint.hostname for browsers such as Safari and Mozilla Firefox. However, for other browsers like Chrome, Opera Mini, Arc, Brave, and Edge, we only receive the IP address instead of the hostname. We are particularly looking for a way to retrieve the hostname for all browsers to apply our filtering logic consistently. Could you please advise whether there is any additional configuration or API we can use to ensure that we receive hostnames for these browsers as well? Alternatively, is this a limitation of the browsers themselves, and should we expect to only receive IP addresses for certain cases? STEPS TO REPRODUCE For Chrome, Brave, Edge, and Arc browsers you won't receive the hostname in NEFilterFlow. Using the same sample project provided in WWDC 2019 https://developer.apple.com/documentation/networkextension/filtering_network_traffic import NetworkExtension import os.log import Network /** The FilterDataProvider class handles connections that match the installed rules by prompting the user to allow or deny the connections. */ class FilterDataProvider: NEFilterDataProvider { // MARK: NEFilterDataProvider override func startFilter(completionHandler: @escaping (Error?) -> Void) { completionHandler(nil) } override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { completionHandler() } override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } var hostName: String? = nil // Attempt to use the URL host for native apps (e.g., Safari) if let url = socketFlow.url { hostName = url.host os_log("URL-based Host: %@", hostName ?? "No host found") } // Fallback: Use remote hostname for third-party browsers like Chrome if hostName == nil { if #available(macOS 11.0, *), let remoteHostname = socketFlow.remoteHostname { hostName = remoteHostname os_log("Remote Hostname: %@", hostName ?? "No hostname found") } else { hostName = remoteEndpoint.hostname os_log("IP-based Hostname: %@", hostName ?? "No hostname found") } } let flowInfo = [ FlowInfoKey.localPort.rawValue: localEndpoint.port, FlowInfoKey.remoteAddress.rawValue: remoteEndpoint.hostname, FlowInfoKey.hostName.rawValue: hostName ?? "No host found" ] // Ask the app to prompt the user let prompted = IPCConnection.shared.promptUser(aboutFlow: flowInfo, rawFlow: flow) { allow in let userVerdict: NEFilterNewFlowVerdict = allow ? .allow() : .drop() self.resumeFlow(flow, with: userVerdict) } guard prompted else { return .allow() } return .pause() } // Helper function to check if a string is an IP address func isIPAddress(_ hostName: String) -> Bool { var sin = sockaddr_in() var sin6 = sockaddr_in6() if hostName.withCString({ inet_pton(AF_INET, $0, &sin.sin_addr) }) == 1 { return true } else if hostName.withCString({ inet_pton(AF_INET6, $0, &sin6.sin6_addr) }) == 1 { return true } return false } }