When I make a local network HTTP request, an error occurs. I'm sure I've granted wireless data permissions and local network permissions, and I'm connected to the correct Wi-Fi. This problem is intermittent, but once it happens, it will keep happening, and the only way to fix it is to restart the phone. Here is the error log: sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1009 "似乎已断开与互联网的连接。" UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x30398a5b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorNWPathKey=unsatisfied (Local network prohibited), interface: en0[802.11], uses wifi, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .<63>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask .<63>" ), NSLocalizedDescription=似乎已断开与互联网的连接。, NSErrorFailingURLStringKey=http://192.168.2.1:80/v1/parameters, NSErrorFailingURLKey=http://192.168.2.1:80/v1/parameters, _kCFStreamErrorDomainKey=1})

I develop a terminal app with c++. Everything was fin until i upgraded to Sequoia. If i debug my program with Xcode, all requests to a local network like MQTT fails. How can i grant XCODE the privilege to access the local network?

In my Packet Tunnel Provider, I'm setting the NEDNSSettings to localhost as I have a local DNS server listening on port 53 (this is a dns forwarder which conditionally forwards to different upstreams based on rules). On iOS it works just fine, I'm able to listen on localhost:53 in the Network Extension, then set NEDNSSettings servers to "127.0.0.1". However on macOS due to the port being under 1024, I get a Permission denied OS code 13 error. I'm assuming this is due to the Network Extension not running as root. Can this be changed? This could be rectified if you could customize the port in NEDNSSettings, as the listener could be on port 5353, but it doesn't look like it is possible? Just wondering if there is some other way to accomplish what I'm trying to do in the macOS Network Extension?

Problem Description When using iCloud Private Relay (Limit IP address tracking) on macOS Sonoma, I'm experiencing a DNS resolving issue when simultaneously connected via OpenVPN. The system activates iCloud Private Relay instead of using the DNS servers provided by the VPN connection, resulting in incorrect IP address resolution. Specific issues: When connected to my company VPN, the system ignores DNS servers set by the VPN connection When attempting to ping internal servers in the corporate network, I receive public IP addresses instead of internal corporate IP addresses These public IP addresses are not accessible from outside as some services are disabled for external access Tools like nslookup and dig correctly resolve internal addresses, but ping and regular applications use incorrect (public) IP addresses Access to local servers in the corporate network/subnet is problematic Expected Behavior I need the system to: Use DNS servers provided by the VPN connection for accessing internal corporate resources when connected via VPN Simultaneously maintain iCloud Private Relay protection for regular internet browsing while connected to VPN Technical Details Based on available information, the problem is likely caused by "iCloud Private Relay" inserting an additional DNS resolver that isn't visible through the scutil tool. Regular applications use macOS internal API for DNS resolving, while tools like dig and nslookup work differently. According to Apple documentation, it should be possible to use custom DNS settings with iCloud Private Relay, but it doesn't seem to work properly with OpenVPN. Temporary Solutions I've Tried Some sources suggest: Disabling iCloud Private Relay (I don't want to lose privacy protection) Creating an /etc/resolver directory with configuration for specific domains Manually adding static routes for specific IP addresses None of these solutions provide the ideal combination of VPN DNS functionality and privacy protection. Request for Solution Please implement a solution that allows: Prioritizing DNS servers provided by VPN connection for internal domains Maintaining iCloud Private Relay protection for other communications Ensuring consistent behavior of all applications during DNS resolving Thank you for your help.

For our outdoor power supply company that builds public WiFi networks at camping sites, we want to implement the following features in our app: Scan surrounding WiFi networks When detecting specific public WiFi SSIDs, provide users with corresponding passwords Automatically connect to those WiFi networks Regarding the NEHotspotHelper API permission application, when I clicked on https://developer.apple.com/contact/request/network-extension, it redirected me to https://developer.apple.com/unauthorized/. I'm not sure where to properly apply for this permission now.

Sometimes when adding a VPN configuration, it just redirects to the Settings app and doesn’t continue with the rest of the configuration process like prompting for passcode. But it proceeds as normal after the 2nd or 3rd try. This issue is occurring on iOS 18.5 build 22F5068a but it has been a problem over several versions now. Feedback ID: FB17458055

The newly introduced enum value NEProviderStopReasonInternalError (macOS 15.1) is not documented (assuming being documented means having at least a sentence describing the enum value). [Q] What kind of situation is the NEProviderStopReasonInternalError enum value supposed to describe? An internal error that requires to try to restart the provider? A fatal error that requires to reinstall macOS? A fatal error that requires to purchase a new Mac? Something less serious but with a human friendly description in the headers (I'm using Xcode 16.2) and online documentation.

Hello, im currently developing proxy app with XrayCore trying to bypass APNs when tunnel us up and i found .excludeAPNs property in NETunnelProviderProtocol that works only when includeAllNetworks property is also TRUE. I wonder if there is a possible way to make APNs bypass tunnel in split tunnelling mode? because we use excludedRoutes and full tunnel is not an option

Dear apple: Our app uses the BSD socket interface for socket communication over the local area network. However, when using the socket's connect interface, some iPhone devices fail, and the socket has also bound the local Wi-Fi card's IP using the bind interface. The errno is 65, indicating "no route." We have checked that the app has already requested local network permissions and permissions to use the local area network. The TCP server on the other end is also listening normally. Please help us see if any additional permissions need to be requested. Thank you

I am in the middle of investigating an issue arising in the call to setsockopt syscall where it returns an undocumented and unexpected errno. As part of that, I'm looking for a way to list any socket content filters or any such extensions are in play on the system where this happens. To do that, I ran: systemextensionsctl list That retuns the following output: 0 extension(s) which seems to indicate there's no filters or extensions in play. However, when I do: netstat -s among other things, it shows: net_api: 2 interface filters currently attached 2 interface filters currently attached by OS 2 interface filters attached since boot 2 interface filters attached since boot by OS ... 4 socket filters currently attached 4 socket filters currently attached by OS 4 socket filters attached since boot 4 socket filters attached since boot by OS What would be the right command/tool/options that I could use to list all the socket filters/extensions (and their details) that are in use and applicable when a call to setsockopt is made from an application on that system? Edit: This is on a macosx-aarch64 with various different OS versions - 13.6.7, 14.3.1 and even 14.4.1.

In our project, we download H5 resources to the local device and then open the H5 pages through WKWebView(-loadFileURL:allowingReadAccessToURL:). When the H5 pages request server resources, cookies are required. Before opening the H5 page, we set the required cookies in the WKHTTPCookieStore using the setCookie method. Additionally, we set the allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs properties for the WebView. On other mobile phones, the cookies can be carried normally. However, on mobile phones running the iOS 18.0 system, the cookies cannot be carried. Moreover, this problem only emerged after we upgraded Xcode to version 16.2. We've also tried injecting cookies via JavaScript, but it didn't work(document.cookie = xx=${xx}; path=/; expires=weekday, xx jan xxxx xx:xx:xx GMT; Domain=example.com; Secure; SameSite=None ;). Can anyone help me on this? Thanks in advance.

We have a VPN app built using PacketTunnelProvider and support per-app VPN on iOS. We're currently investigating an issue specific to per-app VPN configurations that use split tunneling, where some URLs are routed through the VPN tunnel while others are intended to go directly. Tunneled traffic works as expected. However, for direct traffic, we observe intermittent failures where the browser does not receive an ACK, leading to repeated retransmissions and eventual page load failures. This issue appears only in per-app VPN scenarios, and we've reproduced it across multiple MDM solutions (Intune, CEM) and multiple managed browsers. It's intermittent but frequently reproducible with common public URLs routed directly. Key observations: writePackets returns true, confirming the VPN app writes packets to the TUN interface. Despite that, the browser often fails to acknowledge receipt (no ACK), suggesting it may not receive the packet at all. We suspect a possible packet loop, where packets written to TUN are immediately read back by the app. However, due to the intermittent nature of the issue, this is hard to confirm. A consistent loop would likely result in persistent failures, not sporadic ones. We are attaching: A Wireshark summary - highlighting the missing ACK and retransmission pattern. As we cannot attach the xlsx file or a zip file, we have took the screenshots of the files names as image1, image2, image3, image4 and image5 in sequence. Dails on the iOS device and MDM environment. NETunnelProviderProtocol configuration that reproduces the issue Any guidance on how to further debug this, particularly on confirming packet delivery to the browser and identifying potential loops would be greatly appreciated. Thank you. e t

Hi all! I’m having trouble distributing an iOS app with a DNS Proxy NetworkExtension via AdHoc. The app and extension work perfectly with development profiles, but when I export and install the AdHoc IPA, I get a “permission denied” error when trying to install/enable the DNS Proxy extension. What I’ve done: Both the app and the DNS Proxy extension have their own App IDs in the Apple Developer portal. Both App IDs have the same App Group enabled: group.com.irakai.SafeLinkApp2. The extension App ID has the NetworkExtension capability with dns-proxy enabled. I created two AdHoc provisioning profiles (one for the app, one for the extension), both including the same devices and the correct entitlements. I assigned the correct AdHoc profiles to each target in Xcode and exported the IPA via Organizer. I install the IPA on a registered device using Apple Configurator. Entitlements (extracted from the signed binaries on device): App: <key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2</string> <key>com.apple.developer.networking.networkextension</key><array> <string>packet-tunnel-provider</string> <string>dns-proxy</string> </array> <key>com.apple.developer.team-identifier</key><string>6PBG234246</string> <key>com.apple.security.application-groups</key><array> <string>group.com.irakai.SafeLinkApp2</string> </array> <key>get-task-allow</key><false/> DNSProxy Extension: <key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2.DNSProxy</string> <key>com.apple.developer.networking.networkextension</key><array> <string>dns-proxy</string> </array> <key>com.apple.developer.team-identifier</key><string>6PBG234246</string> <key>com.apple.security.application-groups</key><array> <string>group.com.irakai.SafeLinkApp2</string> </array> <key>get-task-allow</key><false/> Error message (from my app’s logs): Error instalando DNS Proxy: permission denied Usuario: Roberto AppGroup: group.com.irakai.SafeLinkApp2 AppGroupPath: /private/var/mobile/Containers/Shared/AppGroup/D8AD2DED-AD96-4915-9B7A-648C9504679B Entitlements: BundleId: com.irakai.SafeLinkApp2 Debug info: Error Domain=NEDNSProxyErrorDomain Code=1 "permission denied" UserInfo={NSLocalizedDescription=permission denied} Other details: The device is included in both AdHoc profiles. The App Group is present and identical in both entitlements. The extension’s bundle identifier matches the App ID in the portal. The extension is signed with the correct AdHoc profile. I have tried rebooting the device and reinstalling the IPA. The error only occurs with AdHoc; development builds work fine. Questions: Is there anything else I should check regarding AdHoc provisioning for NetworkExtension DNS Proxy? Are there any known issues with AdHoc and NetworkExtension on recent iOS versions? Is there a way to get more detailed diagnostics from the system about why the permission is denied? Could this be a bug in iOS, or am I missing a subtle configuration step? Any help or suggestions would be greatly appreciated. Thank you!

We are developers of an app, we found that there's no LN prompt for users to install the app for the 1st time on ios18. We used the following method to prompt the "allow/not allow" alert: // Attempts to trigger the local network privacy alert. /// /// This builds a list of link-local IPv6 addresses and then creates a connected /// UDP socket to each in turn. Connecting a UDP socket triggers the local /// network alert without actually sending any traffic. /// /// This is a ‘best effort’ approach, and it handles errors by ignoring them. /// There’s no guarantee that it’ll actually trigger the alert (FB8711182). func triggerLocalNetworkPrivacyAlert() { let addresses = selectedLinkLocalIPv6Addresses() for address in addresses { let sock6 = socket(AF_INET6, SOCK_DGRAM, 0) guard sock6 >= 0 else { return } defer { close(sock6) } withUnsafePointer(to: address) { sa6 in sa6.withMemoryRebound(to: sockaddr.self, capacity: 1) { sa in _ = connect(sock6, sa, socklen_t(sa.pointee.sa_len)) >= 0 } } } }

We are developing a desktop app for macOS, built with Electron + Angular + Node.js. The app has the ability to access devices on the local network. We are having some trouble with the behavior of the "Local Network" feature added in macOS 15. Procedure: MacBook Pro 14inch (M1Pro) 2021, 16GB memory - macOS Sequoia15.4.1 Network Environment: The PC and the access point are connected by wire, and the target device and the access point are also connected by wire. Not connected to an external network Install the target app Start the application and allow the "Local Network" dialog that appears Open the "Local Network" item in "Privacy and Security" and make sure the target app is allowed. Confirm that you can access the target device on the local network Restart the PC Open the "Local Network" item in "Privacy and Security" and make sure the target app is allowed. Start the app and access the target device on the local network Result: Access to the target device may fail (this does not occur 100% of the time) If you turn the target app in the "Local Network" section of "Privacy and Security" OFF and then ON, you will be able to connect However, it seems that the problem may occur again if you restart your PC. According to our research, the probability of this happening increases if the target app is the only app allowed on the "local network". This happens not only with our app, but also when you follow the above steps in "Google Chrome". Based on the above investigation results, I suspect that this is a problem with the OS. What do you think?

Hi, I'm very new to everything related to networking and I've been trying to make some sort of "parental control" app for macOS where if the user tries to access some website domain (e.g youtube.com) the request is denied and the user can't access the website. Turns out I used NEFilterDataProvider and NEDNSProxyProvider to achieve that but it's not 100% bullet proof. First problem I had is that most of the time I can't access the hostname in the NEFilterDataProvider when trying to extract it from the socketFlow.remoteEndpoint. Most of the time I get the ipv4. And the problem is : I don't know the IPV4 behind the domains, specially when they're changing frequently. if let socketFlow = flow as? NEFilterSocketFlow { let remoteEndpoint = socketFlow.remoteFlowEndpoint switch remoteEndpoint { case .hostPort(let host, _): switch host { case .name(let hostname, _): log.info("🌿 Intercepted hostname: \(hostname, privacy: .public)") case .ipv4(let ipv4): let ipv4String = ipv4.rawValue.map { String($0) }.joined(separator: ".") log.info("🌿 Intercepted IPV4: \(ipv4String, privacy: .public)") So that's why I used the DNSProxyProvider. With it I can get the domains. I succeeded to drop some of the flows by not writing the datagrams when I see a domain to block, but that does not work 100% of the time and sometimes, for youtube.com for example then the website is still reachable (and sometimes it works successfully and I can't access it). I guess because the IP behind the domain has already been resolved and so it's cached somewhere and the browser does not need to send an UDP request anymore to know the IP behind the domain? Is there a 100% bullet proof way to block traffic to specific domains? Ideally I would like to get rid of the DNSProxyProvider and use only the NEFilterDataProvider but if I can't access the hostnames then I don't see how to do it.

While trying to use Bonjour, i am encountering an issue. I was following the setup of Bonjour as described here: (https://developer.apple.com/forums/thread/735862) the response is this : nw_browser_fail_on_dns_error_locked [B2] nw_browser_dns_service_browse_callback failed: PolicyDenied(-65570) browser did change state, new: waiting(-65570: PolicyDenied) i tried modifying the info.plist to include NSLocalNetworkUsageDescription and NSBonjourServices but still getting the same a workout or solution is much appreciated !

We have used ::gethostname to retrieve hostname in our tunnel provider extension and found it returns "localhost" on iOS 17+. So we changed to use [[NSProcessInfo processInfo] hostName]. However it often caused 30+ delay in the extension process on a few devices and always returns "localhost". The sysdiagnose shows a lot of DNS query logs as below: default mDNSResponder 2025-03-19 17:15:12.453769 +0800 75281: 0x11ad501 [R80937] DNSServiceCreateConnection START PID[79767](ACExtension) default mDNSResponder 2025-03-19 17:15:12.453892 +0800 75281: 0x11ad501 [R80938] DNSServiceQueryRecord START -- qname: <mask.hash: 'fNnSAdyuhKXqCny8+neXvw=='>, qtype: PTR, flags: 0x15000, interface index: -1, client pid: 79767 (ACExtension), name hash: 84de01e1 default mDNSResponder 2025-03-19 17:15:12.458395 +0800 75281: 0x11ad501 [R80939] DNSServiceQueryRecord START -- qname: <mask.hash: '2X6qN/YT0yh2psKwrGWokg=='>, qtype: PTR, flags: 0x15000, interface index: 0, client pid: 79767 (ACExtension), name hash: f25c923e default mDNSResponder 2025-03-19 17:15:12.462924 +0800 75281: 0x11ad501 [R80940] DNSServiceQueryRecord START -- qname: <mask.hash: 'peyRWEblLKbNvcOXPjSeMQ=='>, qtype: PTR, flags: 0x15000, interface index: 0, client pid: 79767 (ACExtension), name hash: 83323cc4

Hello, We have a SwiftUI-based application that runs as a LaunchAgent and communicates with other internal components using Unix domain sockets (UDS). On Sequoia (macOS virtualized environment), when installing the app, we encounter the Local Network Privacy Alert, asking: "Allow [AppName] to find and connect to devices on the local network?" We are not using any actual network communication — only interprocess communication via UDS. Is there a way to prevent this system prompt, either through MDM configuration or by adjusting our socket-related implementation? Here's a brief look at our Swift/NIO usage: class ClientHandler: ChannelInboundHandler { ... public func channelRead(context: ChannelHandlerContext, data: NIOAny) { ... } ... } // init bootstrap. var bootstrap: ClientBootstrap { return ClientBootstrap(group: group) // Also tried to remove the .so_reuseaddr, the prompt was still there. .channelOption(ChannelOptions.socketOption(.so_reuseaddr), value: 1) .channelInitializer { channel in // Add ChannelInboundHandler reader. channel.pipeline.addHandler(ClientHandler()) } } // connect to the UDS. self.bootstrap.connect(unixDomainSocketPath: self.path).whenSuccess { (channel) in .. self.channel = channel } ... ... // Send some data. self.channel?.writeAndFlush(buffer).wait() Any guidance would be greatly appreciated.

I am creating an application that needs to connect to an Iot device, so i want to make a wifi hotspot with a custom SSID and password and WPA3. Could you please provide an example code in Objective-C to get started?