Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Networking Documentation

Post

Replies

Boosts

Views

Activity

Bonjour Conformance Testing - MDNS tests
Hey All, I'm currently trying to use the BCT v1.5.3 to validate the avahi mdns implementation. This is not so much to validate the avahi implementation but to actually understand how the BCT works.
My setup is the following:
- the testing machine, where the BCT runs, is a 13-inch MacBook Pro 2019
- the DUT (Device Under Test), where avahi runs, is a Linux machine (arch) and avahi runs version 0.8
I've tried several connections between the two:
- they have been connected point-to-point by a single network cable and the IPs have been set statically
- they have been connected via a router (that's not connected to the internet), both by cable and with IPs statically set
- connected via a router where the BCT computer is connected via cable and the DUT is connected via WIFI.
My requirement is to run only the MDNS tests so the command I'm issuing on the BCT side is:
    sudo ./BounjourConformanceTest -M -I en4 -DD -V -Aip None -Amac None
On the DUT side I start avahi as a daemon:
    sudo avahi-daemon
And after that I also publish a service. I've done several tries but one that I think should be working is:
    sudo avahi-publish -s "My HAP Service" _hap._tcp 3213 []
I can see the three packets that make up the probing packets spaced out at 250ms each on wireshark both on the DUT and on the BCT device and the BCT prints:
    recv_packet 01997: received packet (96 bytes)
    recv_packet 01997: received packet (96 bytes)
    recv_packet 01997: received packet (96 bytes)
But the tests don't seem to finish correctly. What am I doing wrong? Is my configuration incorrect/incomplete? Do I need to advertise a certain service? Thanks for the response in advance.
1
0
899
Dec ’23
ios17 breaks custom page size for PDF export
We have an app that exports PDFs with a custom page size, using PSDKit. In iOS16 the PDF export would have the correct page size dimensions, but now iOS17 exports everything to a Letter (8.5x11) size, regardless of what the PDF size specs are defined in the code:
    let pageWidth: CGFloat = 86.0 / 25.4 * 72
    let pageHeight: CGFloat = 54.0 / 25.4 * 72
    let pageSize = CGRect(x: 0, y: 0, width: pageWidth, height: pageHeight)
Any thoughts as to how to fix this?
3
0
897
Dec ’23
CoreBluetooth and peripheral UUID
I have a custom framework that allows you to handle all Bluetooth actions, such as connect, scan, etc. Additionally, I have two applications using this framework: a test app and a real app. I'm trying to implement auto-reconnection for turning Bluetooth off/on and out of range. While it works well in my test app, it doesn't in the real app. Here is my logic:
Firstly, I scan for a peripheral with a specific service UUID:
    manager.scanForPeripherals(withServices: [self.targetUuid], options: scanOptions)
As a result, I have a CoreBluetooth callback response:
    func centralManager(_ central: CBCentralManager, didDiscover peripheral: CBPeripheral, advertisementData: [String : Any], rssi RSSI: NSNumber)
Then I connect to the peripheral:
    connect(cbPeripheral, options: options)
And as a result:
    func centralManager(_ central: CBCentralManager, didConnect peripheral: CBPeripheral)
After that, I save the UUID as a String. Then, I try to disconnect the peripheral from the phone (turn BT off/on or go out of range) and connect back. I've investigated different behaviours and found that in my test app, I have the same peripheral UUID even after disconnection, but in the real app, the UUID changes.
I found this: "The UUID will stay constant for a peripheral with randomized addresses for paired devices only for the lifetime of the pairing. If a device is not paired, according to the LE Privacy rules (RRA), the UUID will change as a peer unit is neither capable nor supposed to track a device across changing addresses."
And this: "Connection attempts do not time out (as stated in the Apple documentation: [link]). Just be sure to also keep a reference to the peripheral object; otherwise, the connection gets canceled."
Here is my logic for reconnection in case of being out of range:
    centralManager(_:didDisconnectPeripheral:error:)
    [ERROR] - Peripheral was disconnected error -> Optional(Error Domain=CBErrorDomain Code=6 "The connection has timed out unexpectedly." UserInfo={NSLocalizedDescription=The connection has timed out unexpectedly.})
    connect(cbPeripheral, options: options)
My question is: What can affect UUID changing? Do I need to store a whole Peripheral Device object instead of UUID string?
1
0
829
Dec ’23
How to multiplex possibly thousands of NEAppProxyFlows ?
Hi, I am writing a transparent proxy (using NETransparentProxyProvider) which could potentially multiplex thousands of flows. When I've done this in the past on other platforms I've used libev or epoll - but NEAppProxyFlow (such as NEAppProxyTcpFlow) don't work with any of those approaches afaict, it doesn't even appear to work with swift-nio - what is the recommended way to multiplex thousands of flows? I still intend to use swift-nio when I manage the real sockets (which proxy the flows), but how do I multiplex the NEAppProxyFlows themselves? Can someone suggest a highly scalable design? I'm new to this, and haven't found a good solution yet. Thanks
3
1
582
Dec ’23
Did 14.1.2 do something to break pf?
Our web server sets pf rules to block all 443 traffic that doesn't come from CloudFlare whitelisted servers. Allowed traffic is forwarded to the application running on another port. It appears a client updated 14.1.1 to 14.1.2 and after that no traffic is getting thru. I didn't want to waste a lot of time diagnosing this if the issue is out of my control.
2
0
292
Dec ’23
Read user defined network interface names
Hi, I have a C++ application on OSX that normally works on systems with multiple network interfaces and I'd like to offer a dialog to the users to select the appropriate NIC for the different tasks. It would be fine to show the users the name they assigned to the NIC inside the system settings but I don't know how to read these names. I tried to use SCNetworkInterfaceGetLocalizedDisplayName() but that only gives me the name before I entered my own user defined name (something like "USB 10/100/1000 LAN"). Is there a way to read the user defined name of each NIC? Thanks and best regards, Johannes
3
0
748
Dec ’23
Issue with 802.1q VLAN on guests with vmnet
My environment is a router with OpenWRT, a laptop connected to the router via patch cable and an untagged VLAN with VID 5 configured on that port in the router, and a MacBook M1 Pro connected via Wi-Fi to the router. On the macbook, I created a VLAN interface by specifying en0 (AirPort) as the parent interface, then created a VM using QEMU with hvf accelerator or lima/UTM with VZ and I observe a strange situation: using arping, packets from the laptop sometimes reach the VM connected to the VLAN interface on the macbook, but arping running on the VM only sends requests but does not receive replies from the laptop. If I assign an IP address to the VLAN interface in macOS, packets are transmitted over either protocol without any problems. The problem is delivering packets to the virtual machine.
With tcpdump on the laptop I can see that it replies to arp requests, I can also see on the router that replies to arp requests passed through the Wi-Fi interface, but I don't see them in tcpdump on en0 on the macbook, which is also strange. But as I wrote before, if I assign an address from the same network on the macbook's VLAN interface, any packets are delivered between the laptop and macbook.
Laptop: 192.168.24.50
MacBook: 192.168.24.20 (vlan5 interface).
VM: 192.168.24.10
With lima-vm I use socket_vmnet in bridge mode. With QEMU I use vmnet-bridged.
    ➜ ~ ifconfig vlan5
    vlan5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
        options=6063<RXCSUM,TXCSUM,TSO4,TSO6,PARTIAL_CSUM,ZEROINVERT_CSUM>
        ether f0:2f:4b:xx:xx:xx
        inet 192.168.24.20 netmask 0xffffff00 broadcast 192.168.24.255
        vlan: 5 parent interface: en0
        media: autoselect
        status: active
    ➜ ~ ping 192.168.24.50 -c2
    PING 192.168.24.50 (192.168.24.50): 56 data bytes
    64 bytes from 192.168.24.50: icmp_seq=0 ttl=64 time=5.241 ms
    64 bytes from 192.168.24.50: icmp_seq=1 ttl=64 time=5.429 ms
    --- 192.168.24.50 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 5.241/5.335/5.429/0.094 ms
    ➜ ~ sudo arping -c 5 -i vlan5 192.168.24.50
    ARPING 192.168.24.50
    60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=0 time=6.061 msec
    60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=1 time=6.084 msec
    60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=2 time=5.945 msec
    60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=3 time=3.092 msec
    60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=4 time=3.848 msec
    --- 192.168.24.50 statistics ---
    5 packets transmitted, 5 packets received, 0% unanswered (0 extra)
    rtt min/avg/max/std-dev = 3.092/5.006/6.084/1.278 ms
    ➜ ~ ifconfig bridge100
    bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1496
        options=3<RXCSUM,TXCSUM>
        ether f2:2f:4b:xx:xx:xx
        Configuration:
            id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
            maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
            root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
            ipfilter disabled flags 0x0
        member: vlan5 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 22 priority 0 path cost 0
        member: vmenet0 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 23 priority 0 path cost 0
        Address cache:
            10:e7:c6:xx:xx:xx Vlan1 vlan5 326 flags=0<>
            52:55:55:ae:36:b4 Vlan1 vmenet0 1172 flags=0<>
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active
    [root@VM1 ~]# arping 192.168.24.50 -c5
    ARPING 192.168.24.50 from 192.168.24.10 lima0
    Sent 5 probes (5 broadcast(s))
    Received 0 response(s)
    [root@VM1 ~]#
    [root@laptop ~]# arping 192.168.24.10 -c5
    ARPING 192.168.24.15 from 192.168.24.10 lima0
    Unicast reply from 192.168.24.10 [52:55:55:AE:36:B4] 2.492ms
    Unicast reply from 192.168.24.10 [52:55:55:AE:36:B4] 1.791ms
    Unicast reply from 192.168.24.10 [52:55:55:AE:36:B4] 3.059ms
    Sent 5 probes (1 broadcast(s))
    Received 3 response(s)
    [root@laptop ~]#
What could be the reason for this behavior?
2
0
908
Dec ’23
Manage multiple NEAppProxyFlow(s)
Hello! I am using a NETransparentProxy and I need to manage multiple NEAppProxyFlow. I am dealing with hundreds / thousands connections, so the one-thread-per-connection approach is really not feasible. Regarding raw bsd sockets, I know multiple ways of achieving good results when managing a large number of sockets using:
- poll()
- kqueue
- SwiftNIO library
but I am struggling to find a way to do something similar with flows. My current "solution" is to create a new Task.detached for each new connection and have this Task 'block' on readData / readDatagrams. It works for low numbers of connections but it does not scale well when the number of connections increases. Is there a way to achieve a similar result as poll() for sockets for flows? Otherwise, is there a way to make my current solution work? (even though I don't think it is able to scale well) I can provide more details about the architecture if needed, or code snippets. Thank you!!
4
2
441
Dec ’23
NEFilterDataProvider.handleNewFlow(_:) gets called with same flow ids multiple times
Since NEFilterFlow.identifier is documented as The unique identifier of the flow., I thought I could use it to store the flow by its identifier in a dictionary in order to retrieve it later. I do this when the system extension pauses a flow because it needs to ask the user whether the flow should eventually be allowed or dropped. But then I noticed that sometimes when allowing a previously paused flow, identified by its identifier, my system extension doesn't find that flow anymore. After some debugging it turned out that this happens because I stored at least one other flow with the same id which, when confirmed, is removed again from the dictionary, so there is no more flow with that identifier waiting in the dictionary. Is it expected that the identifiers are recycled for different flows, or does it mean that the same flow is effectively being passed to handleNewFlow(_:) multiple times, such as if the extension waited "too long" between pausing a flow and allowing or dropping it? handle(_:) can be called multiple times for the same flow, but why .handleNewFlow(_:)? All flows with duplicate ids seem to be UDP, and the local host and port and remote host and port are the same for all flows with the same id. Most of the duplicate flows have a process path of /usr/sbin/mDNSResponder (resolved with the sourceAppAuditToken).
5
0
569
Dec ’23
network system extension + macOS 14.2 update kills networking
I have a recurring problem with software updates by Apple killing all networking when I have a network system extension distributed by TestFlight installed on my Mac. Any pointers on how to resolve this would be greatly appreciated! I don't know if it is my network system extension, the fact that it is distributed via TestFlight, or something else. The latest example is updating to macOS 14.2 today. I think the relevant Console message is: Code has restricted entitlements, but the validation of its code signature failed. The full message for that console message is. mac_vnode_check_signature: /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: code signature validation failed fatally: When validating /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: Deleting the app (with its network system extension) immediately restores networking. I can reinstall the exact same program via TestFlight, and everything runs fine. The feedback ID (which includes additional details, a screenshot, and a video) is: FB13458972
6
0
1.5k
Dec ’23
XPC Connection with Network Extension fails after upgrade
Hi Team, I have a Network Extension application and UI frontend for it. The UI frontend talks to the Network Extension using XPC, as provided by NEMachServiceName. On M2 machine, The application and XPC connection works fine on clean installation. But, when the application is upgraded, the XPC connection keeps failing.
Upgrade steps:
- PreInstall script kills the running processes, both UI and Network Extension
- Let installation continue
- PostInstall script to launch the application after installation complete.
Following code is successful to the point of resume from UI application
    NSXPCInterface *exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCUIObject)];
    newConnection.exportedInterface = exportedInterface;
    newConnection.exportedObject = delegate;
    NSXPCInterface *remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCExtObject)];
    newConnection.remoteObjectInterface = remoteObjectInterface;
    self.currentConnection = newConnection;
    [newConnection resume];
But it fails to get the object
    id<IPCExtObject> providerProxy = [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *registerError) { }];
Please note, this only fails for M2. For M1, this exact code is running fine. Additionally, if I uninstall the application by dropping it in Trash and then installing the newer version, then too, the application works fine.
2
0
673
Dec ’23
Implementing Client and Server over UDP based custom protocol using Network Framework
We have an application design where, every instance (process) is acting as a UDP server as well as UDP client, using the same UDP port: to listen & respond (as a server) to multiple destinations as well to send (as a client) to multiple destinations. This considering the implicit nature of UDP being connectionless. At any given point in time, I would be, as a server, talking to many clients and as a client, talking to many servers. We were using BSD sockets for the purpose across all our target platforms including Apple Kernel (macOS, iOS, iPadOS, tvOS, watchOS etc.). Then we learnt about limitation on watchOS, where we started exploring 'Network Framework' as an alternative to BSD sockets on watchOS (or even others on Apple Kernel). This is to understand, how can we achieve the same (if at all) using 'Network Framework'?
Process A
[To act as UDP server]
- We will have NWListener on inaddrany, local port X, using UDP
- Does it implicitly work for both IPv4 and IPv6 incoming data? In case of BSD sockets, we would have created two sockets - one bound on INADDR_ANY and other on in6addr_any. Does in case of NWListener, also internally it creates two sockets - one for IPv4 and other for IPv6?
- For every incoming data from a client (which may not be on Apple Kernel and hence not using NWConnection), a NWConnection would be created on this UDP server (of course, if NWConnection does not already exist for the same local and remote IP/Port).
- Just for our clarity: An underlying socket is not created (like it would have in case of TCP)? The underlying data exchange between the UDP clients and this UDP server would happen on the same socket bound on port X?
- NWConnection for UDP is more a logical construct created to represent a “UDP flow”, that is, a sequence of datagrams, including both inbound and outbound, that share the same local IP / port and same remote IP / port tuple, where for 'local IP/Port', there would a socket bound on it internally.
- I can use the same NWConnection to respond (send data) back to the client.
- Since UDP is connectionless, how do we manage the lifecycle of these NWConnection(s) getting created? Though there is no socket resource to be freed per NWConnection basis BUT there must be some other system resources like memory being occupied.
- We understand that once cancelled, if we receive a datagram from the same client (actually, on the same UDP flow), the listener will create a new connection.
[To act as UDP client]
- We will have to create a NWConnection to a UDP server
- We would like to have that NWConnection internally use the same local port X to send data to the remote UDP server, is that possible? The interface to init NWConnection seem to only take remote endpoint as an input and protocol as an input.
- And this we would like to do for all UDP servers we want to connect as client? Which would mean multiple NWConnection - one for each UDP Server we want to communicate to BUT same local port X is being used on the UDP Client.
- I will receive the response from the Server also on the same NWConnection (if still active and not cancelled).
- The client cancels the NWConnection when no more intends to talk to the same UDP Server.
3
0
595
Dec ’23
There seems to be some issues with Network Extension.
Hi, I have a Network Extension that uses content-filter-provider-systemextension. It has been running stably before, but some problems occurred after I updated the system to MacOS 14.1. The main problem is that I registered the data filtering of the loopback address of 127, which caused a direct error in my DataGrip software, even if I directly returned .allow() in the handler function.
Example code:
    import NetworkExtension

    class Filter: NEFilterDataProvider {
        // MARK: NEFilterDataProvider
        override func startFilter(completionHandler: @escaping (Error?) -> Void) {
            // loop, all 127.*.*.* will be matched
            let loNetworkRules4 = NENetworkRule(
                remoteNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),
                remotePrefix: 0,
                localNetwork: NWHostEndpoint(hostname: "127.0.0.1", port: "0"),
                localPrefix: 0,
                protocol: .any,
                direction: .any
            )
            let loFilterRule4 = NEFilterRule(networkRule: loNetworkRules4, action: .filterData)
            let filterSettings = NEFilterSettings(rules: [loFilterRule4], defaultAction: .filterData)
            apply(filterSettings) { error in
                if let applyError = error { }
                completionHandler(error)
            }
        }
        override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
            return .allow()
        }
    }
This will cause DataGrip's database connection test to report an error directly. It seems that the local network communication of Java is blocked. So I also used nc to test the local network.
    nc -l 8888
    nc 127.0.0.1 8888
But the result obtained is completely fine. Everything got better when I rolled the system back to macos14. Now I have updated the system to macos14.2 and the problem remains. I've submitted feedback on this issue in Feedback Assistant: FB13463323. But obviously the feedback is too slow, I can't wait a bit, so I took the liberty to send you an email to ask for help. I want to confirm if this is a macos bug or do I need to modify some NENetworkRule configurations? If it is confirmed to be a BUG, how long will the repair cycle take? If it will be fixed soon, then I will just wait for the system to be repaired. If the repair cycle will be very long, then I have to consider other solutions for my product. Thanks
1
0
360
Dec ’23
How can we create a BSD socket that binds on *.*, PortX and udp46?
One: does it involve below or any other steps?
- Create a socket (AF_INET6, SOCK_DGRAM, IPPROTO_UDP)
- Bind it to AF_INET6, in6addr_any, port X.
- Disable IPV6_V6ONLY using setsockopt.
Second: If answer to above is yes, in other operating system, if a datagram would have got received over IPv4, it would have led to IPv4-mapped IPv6 address in the recvfrom call and protocol would have been considered udp6.
Third: is UDP46 only supported by Apple Kernel (is it not a POSIX standard behaviour) and also within Apple Kernel - not supported on all versions?
Why this question? We created a NWListener on a local port, using udp and when we ran a 'netstat -an -p udp', it showed protocol as 'udp46'
1
0
391
Dec ’23
Networking to/from application locked to 127.0.0.1
It will only use 127.0.0.1 no matter which technique is used to execute it - even in the IDE debugger. And it changes the listener port. This is not related to the trust execution system, so I recommend that you start a new thread for it. Tag it with Network so that I see it. This is a local or optionally a client/server application that uses multiple TCP/IP protocols. If it's not the "trust" system what is altering the IP addresses and ports and why? What is the procedure to get the application to operate as designed? Is this related to not having a Developer ID and certificate (yet)?? Still evaluating whether the application can be made to work well on macOS and whether the complications involved are worth the time, money and effort for an Open Source project. Further, am concerned that Apple may decide they don't like this application and not allow it to be validated, or whatever, to install and run. Am completely unfamiliar with Apple's policies and procedures when making those decisions. But, from what I've read recently, that has been an issue for some developers. Would you have any guidance regarding that? Again, thank you very much for your time.
10
0
860
Dec ’23
NEPacketTunnelProvider for specific Apps or Domains
Hi everyone. I wrote a VPN application using a packet tunnel provider. Now I want to set it up to provide functionality to allow turning it on just for specific applications. I saw apps that provide this functionality, like selecting the list of apps where the VPN will work; some of them have a big list. As I understand, I need Per-App VPN or I need to set up rules for NEVPNManager. Could someone provide the documentation, or the link to a sample, for how that feature works?
1
0
413
Dec ’23
MultipeerConnectivity iOS 17 Connection Issue
The connection using MultipeerConnectivity between iPhones and iPads with iOS 17 or higher installed is not functioning. This issue was not observed on iOS 16 or earlier versions. Currently, when advertising from an iPhone, the iPad can detect the device, but the event handling to accept invitations on the iPhone is not being triggered correctly. Consequently, not responding to invitations is preventing the connection. While the Wi-Fi feature is enabled, previously, it was possible to establish connections without being connected to a specific Wi-Fi network. However, presently, connection seems to occur only when the iPad and iPhone are on the same network. Moreover, irregular connections are occurring between iPhones, yet there is no connection whatsoever between iPads and iPhones.
3
1
856
Dec ’23