(..continued) NEFilterManager must be enabled after the System Extension is activated and enabled, it might be a disaster if NEFilterManager is enabled without a runnable System Extension (all network connection lost, or even T2 watchdog panic). A new status API/notification would help developer to implement this feature more easily.

Hi all, I did some experiment on user's computer, it seems that the leak might relate to netbios (UDP targeting local port 137, 138) and mDNSResponder (UDP targeting local port 5353). Run 1: I forgot to backup the code for filtering all UDP traffic, the app retained 786 NEFilterSocketFlow instances in 30 minutes. Run 2: When filtering everything except the traffic mentioned above, the app retained only 5 NEFilterSocketFlow in 20 minutes. 				let rules = ["0.0.0.0", "::"].map { address -> [NEFilterRule] in 						["137", "138", "5353"].map { port -> NEFilterRule in 								let localNetwork = NWHostEndpoint(hostname: address, port: port) 								let networkRule = NENetworkRule( 										remoteNetwork: nil, 										remotePrefix: 0, 										localNetwork: localNetwork, 										localPrefix: 0, 										protocol: .UDP, 										direction: .any 								) 								return NEFilterRule(networkRule: networkRule, action: .allow) 						} 				}.flatMap { $0 } 				let filterSettings = NEFilterSettings(rules: rules, defaultAction: .filterData) It would be more precise if I do another experiment filtering everything (to compare with run 2), but I think the data above should be sufficient to isolate the problem, and that's the workaround that I've found with current NetworkExtension APIs. Shay

Hi Obenshalom, I also run into some similar kernel hang/panic. When inspecting the spindump captured before panic, I found 50+ processes were blocked in the "sosend". I resolved these symbols to find that, the kernel might had exhausted mbuf(s). I have no idea how to reproduce this issue, and I didn't collect memory footprint this time. Could you check my spindump to see if there are any similarities? Thanks Shay spindump.txt - https://developer.apple.com/forums/content/attachment/c92fb4cf-92c6-43f5-9346-6dc1e006de56

Hi Eaton It seems that filtering TCP traffic won't leak NEFilterSocketFlow. If I close network applications a few moments before taking memgraph, there will be almost no NEFilterSocketFlow left (instead of 10~15 more NEFilterSocketFlow per minute if UDP traffic is also filtered). Shay

Seems fixed in macOS 11.0 beta 4, but more system processes report the same "failed to retrieve client crypto key" error, including diagnosticextensiond, itunescloudd and mapspushd. :-/

I forgot to mention that, I reproduced this issue on macOS 10.15.5 and 10.15.6 beta.