Hi I tried to follow this guide https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url I downloaded the sample app and put our pir service server address in the app. The service is already running and the app is connected to the pir service but the url is still not blocked. We tried to block example.com. Is there anything that we need to do in iOS code? This is the sample when there's dataset This is the sample when there's no dataset

Hi We are modifying the official Wi‑Fi Aware sample app to integrate QUIC for transmission speed testing. Unfortunately, we have been unable to establish a successful QUIC connection between two iOS devices. Could you provide a correct implementation example of using QUIC over Wi‑Fi Aware? I have attached the iOS system logs and our modified app project for your reference in case FB22499984 . Thanks

We are building a VPN using NEPacketTunnelProvider where the intent is to route HTTP/S traffic through a local proxy server, while non-HTTP/S traffic flows directly to the network without being tunnelled at the IP layer. The configuration claims no included IP routes — it relies entirely on NEProxySettings to intercept HTTP/S traffic via the URL loading layer. private func configureIPSettings(_ settings: NEPacketTunnelNetworkSettings) { settings.ipv4Settings = NEIPv4Settings( addresses: ["192.168.1.1"], subnetMasks: ["255.255.255.255"] ) // No includedRoutes set — no IP traffic enters the tunnel } private func configureProxySettings(_ settings: NEPacketTunnelNetworkSettings) { let proxySettings = NEProxySettings() proxySettings.httpEnabled = true proxySettings.httpServer = NEProxyServer(address: "127.0.0.1", port: 9000) proxySettings.httpsEnabled = true proxySettings.httpsServer = NEProxyServer(address: "127.0.0.1", port: 9000) proxySettings.matchDomains = [""] settings.proxySettings = proxySettings } When matchDomains is nil or not set, HTTP/S traffic does not reach the local proxy in this configuration. Setting matchDomains = [""] makes it work correctly. The matchDomains documentation states: "If the destination host name of a HTTP connection shares a suffix with one of these strings then the proxy settings will be used." An empty string is a suffix of every string, so [""] matching all hostnames follows from that definition. But this isn't explicitly documented. Questions: Is matchDomains = [""] a supported and stable way to apply proxy settings to all HTTP/S traffic when no IP routes are claimed, or is this an unintended side-effect? Why does matchDomains = nil not apply the proxy globally in this configuration? The documentation doesn't describe its behaviour relative to IP routing. NEDNSSettings.matchDomains explicitly documents an empty string as matching all domains — is the same semantics intended for NEProxySettings.matchDomains?

Hello, I am currently developing a PIR server using the pir-server-example repository. We are anticipating a total of 10 million URLs for our dataset. In this context, what would be the optimal shard size (number of records per shard) to balance computational latency and communication overhead? Any advice or best practices for handling a dataset of this scale would be greatly appreciated. Thank you.

Hi, I see an interaction issue between a DNS Proxy system extension and MDM on macOS: after some time the device stops processing MDM commands until reboot, while DNS filtering continues to work. Environment: macOS: 15.x / 26.x (reproduced on multiple minor versions) App: /Applications/MyMacProxy.app System extension: NEDNSProxyProvider as system extension Bundle id: com.company.agent.MyMacProxy.dnsProxy Deployment: MDM (SimpleMDM) DNS proxy config via com.apple.dnsProxy.managed Devices: supervised Macs Steps to reproduce: Enrol Mac into MDM. Install MyMacProxy app + DNS proxy system extension via pkg and apply com.apple.dnsProxy.managed profile. DNS proxy starts, DNS is filtered correctly, user network works normally. After some hours, try to manage the device from MDM: push a new configuration profile, remove an existing profile, or install / remove an app. 5.MDM server shows commands as pending / not completed. On the Mac, DNS is still filtered via our DNS proxy, and general network access (Safari etc.) continues to work. After reboot, pending MDM commands are processed and we can remove the app, profile and system extension normally. This is reproducible on our test machines. What I see on the Mac in the “stuck” state apsd is running: sudo launchctl print system/com.apple.apsd # job state = running com.apple.mdmclient.daemon exists as a job but is not running: sudo launchctl print system/com.apple.mdmclient.daemon Abbreviated output: system/com.apple.mdmclient.daemon = { ... state = not running job state = exited runs = 5 last exit code = 0 ... } So the MDM client daemon has exited cleanly (exit code 0) and is currently not running; its APS endpoints are configured. Our DNS proxy system extension is still processing flows: we see continuous logging from our NEDNSProxyProvider, and DNS filtering is clearly active (requests go through our upstream). systemextensionsctl list still shows our DNS proxy system extension as active. From the user’s perspective, everything works (with filtered DNS). From the MDM server’s perspective, commands stay pending until the next reboot. After reboot, MDM behaviour is normal again. Uninstall / cleanup (current approach, simplified) We currently use an MDM‑delivered shell script that: disables our DNS proxy configuration for the console user by editing ~/Library/Preferences/com.apple.networkextension.plist and setting Enabled = false for our DNSProxyConfigurations entries; flushes DNS cache and restarts mDNSResponder; unloads our LaunchDaemon / LaunchAgent for the host app; kills the system extension process using pgrep -f "com.company.agent.MyMacProxy.dnsProxy" | xargs kill -9; removes the extension binary from /Library/SystemExtensions/.../com.company.agent.MyMacProxy.dnsProxy.systemextension; removes /Applications/MyMacProxy.app and related support files. We currently do not call systemextensionsctl uninstall <TEAMID> com.company.agent.MyMacProxy.dnsProxy from MDM, mainly because of SIP and because we understand that fully silent system extension uninstall is constrained. The MDM responsiveness issue, however, can appear even if we don’t run this aggressive uninstall script and just let the extension run for some hours. Questions Is it expected that a DNS Proxy system extension (managed via com.apple.dnsProxy.managed) can leave a device in a state where: apsd is running, com.apple.mdmclient.daemon is not running (last exit code 0), DNS proxy continues to filter traffic, but MDM commands remain pending until reboot? Are there known best practices or pitfalls when combining: DNS Proxy system extensions (NEDNSProxyProvider), MDM‑distributed com.apple.dnsProxy.managed profiles, and MDM app / profile management on recent macOS versions? For uninstall in an MDM environment, what pattern do you recommend? For example, is it better to: disable / remove the DNS proxy profile, stop the NE configuration via NEDNSProxyManager from the app, avoid killing the system extension or removing files from /Library/SystemExtensions immediately, and instead require a reboot for full removal? I can provide a sysdiagnose and unified logs (including nesessionmanager, mdmclient and our logs) from an affected machine if that would be helpful.

Hello! I have an accessory, which is paired already with an iPhone, and am attempting to upgrade its SSID permission to Wi-Fi Aware. In ideal conditions, it works perfectly. However, if I dismiss the picker at the time of pin-code entry, I am unable to re-initialize an upgrade authorization picker. Even though the authorization is not completed a WAPairedDeviceID is assigned to the object of 18446744073709551615. Any subsequent attempts to start the picker up again spits out when treated as a failure serves: [ERROR] updateAuthorization error=Error Domain=ASErrorDomain Code=450 "No new updates detected from existing accessory descriptor." Attempting with a mutated descriptor serves: [ERROR] updateAuthorization error=Error Domain=ASErrorDomain Code=450 "Accessory cannot be upgraded with given descriptor." If I try using failAuthorization i get a 550 "Invalid State" error and furthermore if I try finishAuthorization to attempt to clear the descriptor/paired device ID it fails to clear it. If I could be pointed to the intended behavior on how to handle this, or this can be acknowledged as a bug, that would be incredibly appreciated. Thank you!

We observed intermittent failures when iOS devices repeatedly attempt to connect to an AP via NEHotspotConfiguration. When sniffing the packets, most failures occur before the WPA 4‑way handshake, with a smaller number happening during the handshake itself. SSID and Password were verified to be correct. Root Causes Association fails before handshake (primary issue) iOS often fails at the association phase (Apple80211AssociateAsync errors such as -3905 / -3940). These attempts never reach the WPA 4‑way handshake. iOS auto‑join suppression amplifies the problem After a single association failure, iOS marks the network as failed and blocks retry attempts. Subsequent attempts are rejected by policy (Already failed to auto-join known network profile) without new radio activity. This makes one real failure appear as many repeated failures. 4‑Way handshake failures (secondary) In some cases, association succeeds but the connection drops during WPA setup (Join Failure(6)). The error (if received, not always) is Internal Error - 8. Could we inquire on what might be the best steps to resolve this issue?

I'm developing a lighting control app for iOS that receives Art-Net (UDP port 6454) and sACN (UDP port 5568) packets from a lighting console and relays commands to BLE wristbands with LEDs. This is used in live event production — the participant locks their phone while in a show and expects lighting control to continue uninterrupted. The problem UDP receive stops reliably ~30 seconds after the screen locks. I understand this is by design - iOS suspends apps in the background. However, I'm trying to understand if any supported path exists for this use case. What I've already tried UIRequiresPersistentWiFi = true - helps with Wi-Fi association but doesn't prevent app suspension Silent AVAudioEngine loop with UIBackgroundModes: audio - keeps the app alive, works in testing, but risks App Store rejection and feels like an abuse of the audio background mode NWListener (Network framework) on the UDP port - same suspension behaviour Socket rebind on applicationWillEnterForeground - recovers after resume but doesn't prevent dropout What I'm asking Is there any supported background mode or entitlement for sustained UDP receive in a professional/enterprise context? (Similar to how VoIP apps get the voip background mode for sustained network activity.) Is the silent audio workaround considered acceptable for App Store distribution in a professional tools context, or will it be rejected? Is NEAppProxyProvider or another Network Extension a viable path, and if so does it require a special entitlement? Test project I have a minimal Xcode project (~130 lines) demonstrating the issue — NWListener on port 6454, packet counter, staleness timer, and silent audio toggle. I can share the test code. STEPS TO REPRODUCE In Xcode (one-time setup): Select the UDPBackgroundTest target → Signing & Capabilities → set your Team Plug in your iPhone → select it as the run destination Build & run — confirm packets appear on screen when you run 'send_test_udp.py' Lock the phone and observe the dropout Test: Open the app and run 'python3 send_test_udp.py 192.168.0.XXX' The app counts up the packages, they match the python output. 1 packet per second. lock screen & and wait 10 seconds unlock phone an see the numbers are 10 packets off

We use TeamCity as our Continuous Integration (CI) solution to build and run automated tests. These are integration tests executed through our 4D application, which is properly code‑signed and notarized. These CI machines are heavily used and build multiple versions per day, making them critical to our development workflow. However, we are experiencing an issue on some machines: after a certain period of time, network communication through our application stops working, while network communication remains fully functional when using third‑party tools (for example, LDAP clients). Based on our investigation, this issue appears to be related to Local Network Privacy management. We have followed the procedure described in Apple’s Technical Note: TN3179: Understanding local network privacy | Apple Developer Documentation to reset network authorizations, but this has not been sufficient to resolve the issue. In addition, our CI environment requires acknowledging a large number of Local Network access permission prompts. Given that these machines build multiple versions per day and are intended to run unattended, this is not practical in an automated CI context. We have around ten Macs dedicated to running these tests, and manually approving these pop‑ups is not a viable solution.

Hello. There is a condition that two requests are executed from an iPhone to the application, and the same session must be maintained throughout the execution of these two requests. The application resides within AWS. AWS ALB offers a Sticky Session feature to maintain sessions; to use this feature, Sticky Session Cookies are utilized, and it seems that the iPhone must be able to set the cookie. I would like to know if the iPhone can accept cookies for Sticky Sessions. Has anyone experienced a similar situation before?

https://developer.apple.com/documentation/corewlan/cweventtype/linkqualitydidchange As per the documentation core WLAN will send notification when there is a change in RSSI. I did not receive any notification when there is a change in RSSI.

We have been testing several domains (including xiaohongshu.com, bilibili.com, douyin.com, and tls13.xargs.org) and have encountered a systemic issue related to Apple's Certificate Transparency (CT) policy enforcement on iOS 18. We would like to seek clarification from the Apple team. Observed Behavior: On iOS 18 devices where the CT log list (assetVersion) is at version ≤1006, Safari presents "This Connection Is Not Private" for the affected domains. NSURLSession returns error -1202 (NSURLErrorServerCertificateUntrusted), and SecTrust rejects the certificate chain entirely. Other domains whose certificates use 2026-series CT log servers connect normally on the same device. Key Affected User Pattern: The vast majority of affected devices are those upgraded directly from iOS 14 or iOS 15 to iOS 18, where the CT log list did not automatically update after the upgrade and remains stuck at version ≤1006. Brand-new devices and devices that have updated their CT list to version 1012 connect normally — confirmed through direct testing. This suggests the issue is not a bug in iOS 18 itself, but rather a failure to refresh the CT log list on older devices after a major OS upgrade, resulting in a low-… (truncated) Root Cause Analysis: The failing certificates embed SCTs from three CT log servers: Cloudflare Nimbus2027, Tiger2027h1, and Elephant2027h1. These servers were added to Apple's trusted CT log list between September and November 2025. Devices whose CT list is still at version ≤1006 do not include these servers, causing all SCTs to be deemed invalid and the certificate to be rejected. Questions: What triggers a CT log list update? Under what conditions does the Trusted Asset (CT log list) update on iOS devices? Is there an update mechanism independent of the system OTA? Why does upgrading from iOS 14/15 to iOS 18 appear to leave the CT list at an older version rather than refreshing it as part of the upgrade? Is Apple aware of this as a known issue? For devices that upgraded to iOS 18 from iOS 14/15 and whose CT list was not refreshed, while CAs are already using newly-trusted log servers — does Apple have an official recommendation or a fix planned? Is there a "safe use window" guidance for CAs? Does Apple communicate to CAs a recommended waiting period after a new CT log server is added to the trust list, before it should be used to issue certificates targeting iOS users? If not, are there plans to publish such guidance? CT list behavior across upgrade paths: Can Apple clarify whether devices upgrading from iOS 14/15 to iOS 18 receive a different CT list assetVersion compared to devices upgrading from iOS 16/17 or performing a clean install? Is there a patch or mechanism to ensure devices on older upgrade paths also receive timely CT list updates? Thank you for your attention. We look forward to a clear response.

I’m building an app on macOS 26.4 with Xcode 26.4. When I build and run my app it started prompting me for network access, which it didn’t do before with Xcode 26. It did that repeatedly, and I had been approving the prompts and the app had been working. Now the app’s network features are not working, and I assume its because its being blocked by macOS, even though I accepted the network requests each time. In System Settings - Privacy and Security - Local Network, the app has many repeated entries, like 20, and all of them are turned on.

I'm relatively new to socket networking, and am migrating an older project from CocoaAsyncSocket to Swift's native Network. The project utilises GCDAsyncUdpSocket.enableBroadcast(_ flag: Bool), but I don't know how to replicate this in Network. How do I enable UDP Broadcast on NWConnection?

Summary I'm implementing NEURLFilter with the com.apple.developer.networking.networkextension.url-filter-provider entitlement for a system-wide URL filtering feature. The feature works perfectly in development-signed builds (connecting successfully to my PIR server over extended testing) but every production-signed build fails before any network call is made. NEURLFilterManager reports .serverSetupIncomplete (code 9). After installing the NetworkExtension debug profile, the unredacted com.apple.CipherML logs reveal the cause: no privacy proxy is provisioned for this bundle identifier, and the connection is configured proxy fail closed. Environment iOS 26 Entitlement: com.apple.developer.networking.networkextension.url-filter-provider Extension point: com.apple.networkextension.url-filter-control PIR server configured via NEURLFilterManager.setConfiguration(...) Privacy Pass issuer configured Dev-signed builds: working correctly, connecting to the PIR server Production-signed builds (both TestFlight and distribution): failing identically The Error Chain Surfaced to the app via NEURLFilterManager.lastDisconnectError: NEURLFilterManager.Error.serverSetupIncomplete (code 9) ← NEAgentURLFilterErrorDomain Code 3 ← com.apple.CipherML Code 1100 "Unable to query status" ← com.apple.CipherML Code 1800 (error details were logged and redacted) After installing the VPN (NetworkExtension) debug profile, the unredacted com.apple.CipherML subsystem shows: queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={ _NSURLErrorNWPathKey = satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey = https://<my-pir-server>/config, NSUnderlyingError = { Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" }, _NSURLErrorPrivacyProxyFailureKey = true, NSLocalizedDescription = "The Internet connection appears to be offline." } The critical diagnostic line in the com.apple.network subsystem is: nw_endpoint_proxy_handler_should_use_proxy Proxies not present, but required to fail closed And the connection setup shows the proxy fail closed flag is mandatory for the connection: [C... ... Hostname#...:443 quic, bundle id: <my-bundle-id>, attribution: developer, using ephemeral configuration, context: NWURLSession (sensitive), proxy fail closed] start The network path itself is healthy (Wi-Fi good, DNS resolves correctly), but the connection is explicitly configured to fail closed if no proxy is present, and no proxy is provisioned for this bundle identifier. The entire failure happens in approximately 18 ms, far too fast for any network round-trip, confirming no traffic ever leaves the device. What I've Verified The entitlement is present in the distribution build The NEURLFilterControlProvider extension loads and returns a valid Bloom filter prefilter (with a tag that round-trips correctly between extension and framework) NEURLFilterManager.setConfiguration(pirServerURL:pirPrivacyPassIssuerURL:pirAuthenticationToken:controlProviderBundleIdentifier:) accepts all four parameters without error Development-signed builds of the same bundle identifier connect successfully to the same PIR server On production-signed builds, zero requests reach the PIR server — failure is purely client-side, before any network activity The Question How does the OHTTP privacy proxy get provisioned for a bundle identifier so that production builds can successfully use NEURLFilter? Specifically: Is there a Capability Request form I need to submit for url-filter-provider? I cannot find one in the Capability Requests section of my developer portal. Should I be running my own OHTTP gateway (for example using swift-nio-oblivious-http), and if so, does Apple then need to provision routing from their OHTTP relay to my gateway URL? Is the OHTTP relay path meant to be automatic once the entitlement is active, and if so, is there a specific activation step I'm missing? Is there any way to verify the current provisioning state for a specific bundle identifier from the developer portal? I can provide the full sysdiagnose and unredacted bundle/server details privately to an Apple engineer if that would help diagnose. I'd prefer to keep them out of a public post. Thanks!

Hello team, We are using below example https://github.com/apple/pir-service-example as a starting point to setup PIR server for our backend, but I am not really understanding what else we need in this example to configure OHTTP gateway. Any help will be appreciated.

How do I make a basic request with URLSession? See https://stackoverflow.com/questions/30573898 for reference. Also https://developer.apple.com/documentation/ has details.

URLSession question

Hello, We have a security solution which intercepts network traffic for inspection using a combination of Transparent Proxy Provider and Content filter. Lately we are seeing reports from the market that on M5 Macbooks and A18 Neos the system will kernel panic using our solution, even though it never happens on M1-M4 and no significant code changes were made in the mean time. All crashes seem to be related to an internal double free in the kernel: panic(cpu 0 caller 0xfffffe003bb68224): skmem_slab_free_locked: attempt to free invalid or already-freed obj 0xf2fffe29e15f2400 on skm 0xf6fffe2518aaa200 @skmem_slab.c:646 Debugger message: panic Memory ID: 0xff OS release type: User OS version: 25D2128 Kernel version: Darwin Kernel Version 25.3.0: Wed Jan 28 20:54:38 PST 2026; root:xnu-12377.91.3~2/RELEASE_ARM64_T6050 Additionally, from further log inspection, before panics we find some weird kernel messages which seem to be related to some DMA operations gone wrong in the network driver on some machines: 2026-03-30 14:11:21.779124+0300 0x30f2 Default 0x0 873 0 Arc: (Network) [com.apple.network:connection] [C9.1.1.1 IPv4#e5b4bb04:443 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns, uses wifi, flow divert agg: 1, LQM: good)] event: flow:start_connect @0.075s 2026-03-30 14:11:21.780015+0300 0x1894 Default 0x0 0 0 kernel: (402262746): No more valid control units, disabling flow divert 2026-03-30 14:11:21.780017+0300 0x1894 Default 0x0 0 0 kernel: (402262746): Skipped all flow divert services, disabling flow divert 2026-03-30 14:11:21.780102+0300 0x1894 Default 0x0 0 0 kernel: SK[2]: flow_entry_alloc fe "0 proc kernel_task(0)Arc nx_port 1 flow_uuid D46E230E-B826-4E0A-8C59-4C4C8BF6AA60 flags 0x14120<CONNECTED,QOS_MARKING,EXT_PORT,EXT_FLOWID> ipver=4,src=<IPv4-redacted>.49703,dst=<IPv4-redacted>.443,proto=0x06 mask=0x0000003f,hash=0x04e0a750 tp_proto=0x06" 2026-03-30 14:11:21.780194+0300 0x1894 Default 0x0 0 0 kernel: tcp connect outgoing: [<IPv4-redacted>:49703<-><IPv4-redacted>:443] interface: en0 (skipped: 0) so_gencnt: 14634 t_state: SYN_SENT process: Arc:873 SYN in/out: 0/1 bytes in/out: 0/0 pkts in/out: 0/0 rtt: 0.0 ms rttvar: 250.0 ms base_rtt: 0 ms error: 0 so_error: 0 svc/tc: 0 flow: 0x9878386f 2026-03-30 14:11:21.934431+0300 0xed Default 0x0 0 0 kernel: Hit error condition (not panicking as we're in error handler): t8110dart <private> (dart-apcie0): invalid SID 2 TTBR access: level 1 table_index 0 page_offset 0x2 2026-03-30 14:11:21.934432+0300 0xed Default 0x0 0 0 kernel: [ 73.511690]: arm_cpu_init(): cpu 6 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.511696]: arm_cpu_init(): cpu 9 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.569033]: arm_cpu_init(): cpu 6 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.569038]: arm_cpu_init(): cpu 9 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.577453]: arm_cpu_init(): cpu 7 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.586328]: arm_cpu_init(): cpu 5 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.586332]: arm_cpu_init(): cpu 8 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.621392]: (dart-apcie0) AppleT8110DART::_fatalException: dart-apcie0 (<ptr>): DART DART SID exception ERROR_SID_SUMMARY 0x00003000 ERROR_ADDRESS 0x0000000000009800 2026-03-30 14:11:21.934443+0300 0xed Default 0x0 0 0 kernel: [ 73.621397]: Hit error condition (not panicking as we're in error handler): 2026-03-30 14:11:21.934443+0300 0xed Default 0x0 0 0 kernel: t8110dart <ptr> (dart-apcie0): invalid SID 2 TTBR access: level 1 table_index 0 page_offset 0x2Expect a `deadbeef` in the error messages below 2026-03-30 14:11:21.934452+0300 0xed Default 0x0 0 0 kernel: Expect a `deadbeef` in the error messages below 2026-03-30 14:11:21.934456+0300 0xed Default 0x0 0 0 kernel: (AppleEmbeddedPCIE) apcie[0:centauri-control]::_dartErrorHandler() InvalidPTE caused by read from address 0x9800 by SID 2 (RID 2:0:1/useCount 1/device <private>) 2026-03-30 14:11:21.934469+0300 0xed Default 0x0 0 0 kernel: (AppleT8110DART) Ignored dart-apcie0 (0xfbfffe18820b0000): DART(DART) error: SID 2 PTE invalid exception on read of DVA 0x9800 (SEG 0 PTE 0x2) ERROR_SID_SUMMARY 0x00003000 TIME 0x11242d43fd TTE 0xffffffffffffffff AXI_ID 0 We do not have any correlation between machines, usage pattern or installed applications. Uninstalling the network protection features seem to largely fix the issues, even though we have heard of crashes happening even in safe mode or with our network extension disabled from system settings. We weren't able to reproduce internally and it seems to happen completely random on client machines, but often enough to be disrupting. Can you tell us please if this is a known problem and if there's a workaround or what can we do to narrow it down? Thanks.

Hello, I am currently developing a headless macOS daemon (HarmonBridge) that requires extremely low-latency, high-bandwidth UDP video streaming between a Mac and a Linux host over a dedicated 2.5GbE/5GbE local network link. We are utilizing widely available Realtek RTL8156 / RTL8156B based USB 2.5G network adapters. Under macOS, these adapters default to the generic com.apple.DriverKit.AppleUserECM driver. The hardware itself natively supports Jumbo Frames (MTU 9000), but the DriverKit implementation artificially restricts the MTU cap to 1500 bytes. Because we are forced through MTU 1500, we are incurring significant performance penalties: Excessive IP fragmentation for our large UDP video payloads. Unnecessary CPU overhead due to increased hardware interrupts and header processing at 2.5Gbps speeds. For a latency-critical application like ours, reducing CPU interrupts and utilizing true hardware-level Jumbo Frames is essential. My Questions: Is there an undocumented boot-arg or network sysctl parameter that permits overriding the AppleUserECM 1500 MTU hard-limit for 2.5G USB adapters on Apple Silicon? Are there any roadmap plans from the DriverKit/Networking team to re-enable standard Jumbo Frame negotiation for RTL8156 hardware using the generic ECM driver? If the answer to both is no, does Apple grant NetworkingDriverKit Entitlements to independent developers specifically for the purpose of writing custom hardware overrides to patch missing MTU features in the default ECM stack? Because AppleUserECM effectively acts as a gatekeeper to the underlying MAC/PHY capabilities of these modern USB NICs, any guidance on achieving wire-native MTU 9000 under the current DriverKit paradigm would be hugely appreciated. Thank you!