We are having two projects and both of them have NETransparentProxyProvider extension. Which NETransparentProxyProvider will receive the flow first? Or in other word which handleNewFlow will be called first? Assuming include and exclude network rules are identical. Is it dependent on the installation order, or naming convention? We have already tested these scenarios, but only one of them is getting the flow first no matter what. Is there any APIs or other settings need to be done, in order to get flow in a particular project first?

Can we return NEPacketTunnelProvider's NEPacket to macOS kernel? Snippet- packetFlow.readPacketObjects {[weak self] packets in As per network rules, packets read from packetFlow. After parsing packets, in some conditional use cases(such as ip), if we decide not to handle the packets, could we return it to kernel? We can easily achieve it in NETransparentProxyProvider by returning false from below method. We are looking for similar mechanisms to do return the traffic to Kernel. override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool May we achieve the same with any other Network.framework or low level API? If any advance Code-level support could solve this issue, we could raise a TSI as well.