Thanks for your response. When looking at the entitlements of the embedded provisioning profile with "security cms" as you suggested, I see the correct app identifier:

<key>com.apple.application-identifier</key>
<string>RUXT127L01.com.team.AppName.NetworkExtension</string>

So this does not explain the first error I see (ignoring the identifier). However, it does not contain the com.apple.security.application-groups entitlement. So maybe that explains the second error. The profile is managed by Xcode. How can I add this entitlement to the provisioning profile?
I see, that makes sense. Thanks for the explanation, I'll look into that.
Thanks for your response. I am surprised that this would create issues on the memory side. NEFilterRule has a size on the heap of 24 bytes. So 50,000 objects of this size would be about 1.14 MB. That's low even for an iPhone? I am not entirely sure what you mean by processing the IP addresses into a smaller set of rules. I am not clear how that could be done. From the quick and dirty measurement I made, by doing (2) and organizing the IP addresses into a set, the lookup takes about 200 us (0.2 milliseconds). I was wondering if doing (1) could beat that, but from your answer you do not seem to be bullish on (1).
I missed your reply. Thanks a lot for that, it's very interesting. You are exactly right in understanding what I am trying to do. I also arrived at the conclusion that I could not really run my network extension in a sandbox. It's a bit frustrating as I think sandboxes are excellent for security. But it's good to hear it confirmed, I won't spend more time trying to make it work. Your project seems very interesting. I didn't move to support unsigned apps yet. How do you do this? Do you take a SHA-256 hash of the staticCode, and compare it to your stored value? Something like that? Thanks again
50,000 right now.
Do you know what "checkTrustedAnchors" does exactly? It seems great, but I can't find documentation on exactly what it does (beyond the header).
That's very interesting. On macOS Catalina, Safari's signature is not broken at least. In my opinion, an unsigned third-party security software that installs a man in the middle is a big NO-NO, and it would be reasonable for a network filter to block network access of such an app. If a third-party developer does not bother signing its own app, they are not a serious security app. Even if the app itself is not outright malicious, it's too easy for malware to impersonate a non-signed app.
Thanks a lot John for this very detailed and helpful answer! I will do this. Your point about Apple breaking its own signature is interesting. I assume this happens only for old macOS versions?
Hi John, specifically, I have an NEFilterDataProvider class that controls the network flow. To decide whether to allow the flow or not, I need to check securely what application is trying to connect to the internet. So I use this function to check the signature. I am open to other ways of doing it though, can you share how you do it?
I get these errors printed in the log:
MacOS error: -25337
CSSM Exception: 3 unknown error 3=3
CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
ok, thank you!
Hey Eskimo, the code works great except for one thing, it will add these errors to the log:
MacOS error: -25337
CSSM Exception: 3 unknown error 3=3
CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR

Also, when I try to run SecCodeCheckValidity, it will error out. Maybe it's related (though I get the errors above even when I do not call this function). Any idea what the issue could be? Maybe I am missing some entitlements in my app to validate code?
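The check discussed in the posts above (identifying the app behind a flow from an NEFilterDataProvider, comparing it against a stored hash, and calling SecCodeCheckValidity), as an added example that is not code from any post in this thread. It assumes the audit-token route (NEFilterFlow.sourceAppAuditToken resolved through kSecGuestAttributeAudit), a hypothetical helper identifySourceApp, and placeholders for the requirement string and the allowed-cdhash set that a real filter would replace with its own policy.

```swift
import NetworkExtension
import Security

// What the data provider learned about the process behind a flow.
struct FlowCodeIdentity {
    let signingIdentifier: String?   // kSecCodeInfoIdentifier, e.g. a bundle ID
    let teamIdentifier: String?      // kSecCodeInfoTeamIdentifier
    let cdhash: Data?                // kSecCodeInfoUnique; absent for unsigned code
    let validSignature: Bool         // result of SecCodeCheckValidity
}

// Hypothetical helper (not from the post): map a flow's audit token to the
// running process's SecCode, check it dynamically, and read its static
// signing information. Returns nil if the process cannot be resolved.
func identifySourceApp(of flow: NEFilterFlow,
                       requirementString: String = "anchor apple generic") -> FlowCodeIdentity? {
    guard let token = flow.sourceAppAuditToken else { return nil }
    let attrs = [kSecGuestAttributeAudit: token as CFData] as CFDictionary
    var code: SecCode?
    guard SecCodeCopyGuestWithAttributes(nil, attrs, [], &code) == errSecSuccess,
          let dynamicCode = code else { return nil }
    // Dynamic check: the live process still matches its signature and meets
    // the requirement. Unsigned or modified code fails here.
    var requirement: SecRequirement?
    SecRequirementCreateWithString(requirementString as CFString, [], &requirement)
    let valid = SecCodeCheckValidity(dynamicCode, [], requirement) == errSecSuccess
    // Static information comes from the on-disk code the process was loaded from.
    var staticCode: SecStaticCode?
    guard SecCodeCopyStaticCode(dynamicCode, [], &staticCode) == errSecSuccess,
          let sc = staticCode else { return nil }
    var infoRef: CFDictionary?
    let flags = SecCSFlags(rawValue: UInt32(kSecCSSigningInformation))
    guard SecCodeCopySigningInformation(sc, flags, &infoRef) == errSecSuccess,
          let info = infoRef as? [String: Any] else { return nil }
    return FlowCodeIdentity(
        signingIdentifier: info[kSecCodeInfoIdentifier as String] as? String,
        teamIdentifier: info[kSecCodeInfoTeamIdentifier as String] as? String,
        cdhash: info[kSecCodeInfoUnique as String] as? Data,
        validSignature: valid)
}

// Allow-list verdict: the signature must validate and the cdhash must match one
// the app stored earlier (placeholder set). Unresolvable or unsigned code is dropped.
func verdict(for identity: FlowCodeIdentity?, allowedCDHashes: Set<Data>) -> NEFilterNewFlowVerdict {
    guard let id = identity, id.validSignature, let hash = id.cdhash,
          allowedCDHashes.contains(hash) else { return .drop() }
    return .allow()
}
```

For unsigned code the signing-information dictionary carries no cdhash, so an allow-list keyed on cdhash cannot admit an unsigned app; hashing the file at kSecCodeInfoMainExecutable instead is weaker, because the file can change after the process was loaded.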
I agree with you, only 1 extension is better. I tried with 1 or 2 extensions, but it didn't work. I am not sure why, I'll continue to investigate.
Yes, the 2 system extensions are loaded correctly, I see the running processes, and via systemextensionsctl. I see these messages in the console:
"FilterDataProvider init"
"FilterPacketProvider init"
"FilterDataProvider startFilter"
but I don't see
"FilterPacketProvider startFilter"
In the init of FilterPacketProvider, I print filterConfiguration.filterPackets and I verified that it was indeed set to true. I tried to reset systemextensionsctl and restart but it did not help.
That's great to hear! I'll try again. Here's what I tried but does not work:

- 1 system extension: MyDataAndPacketFilter.systemExtension
  + Its Info.plist contains this:

<plist version="1.0">
<dict>
    <key>NEProviderClasses</key>
    <dict>
        <key>com.apple.networkextension.filter-data</key>
        <string>$(PRODUCT_MODULE_NAME).FilterDataProvider</string>
        <key>com.apple.networkextension.filter-packet</key>
        <string>$(PRODUCT_MODULE_NAME).FilterPacketProvider</string>
    </dict>
</dict>
</plist>

- 1 file FilterDataProvider.swift:

import NetworkExtension
import os.log

class FilterDataProvider: NEFilterDataProvider {
    override init() {
        super.init()
        os_log("FilterDataProvider init")
    }
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log("FilterDataProvider startFilter")
        completionHandler(nil) // report success so the system finishes starting the filter
    }
    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        os_log("FilterDataProvider stopFilter")
        completionHandler()
    }
}

- 1 file FilterPacketProvider.swift:

import NetworkExtension
import os.log

class FilterPacketProvider: NEFilterPacketProvider {
    override init() {
        super.init()
        os_log("FilterPacketProvider init")
    }
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log("FilterPacketProvider startFilter")
        completionHandler(nil)
    }
    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        os_log("FilterPacketProvider stopFilter")
        completionHandler()
    }
}

- In the main app (GUI app), I do this:
  + load the 2 system extensions. This works fine
  + enable the filter via this:

import NetworkExtension
import os.log

let appName = "MyDataAndPacketFilter" // assumed: the description shown for the filter

// Assumed implementation of the helper the post calls but does not show:
// the configuration must be loaded before it is modified and saved.
func loadFilterConfiguration(completionHandler: @escaping (Bool) -> Void) {
    NEFilterManager.shared().loadFromPreferences { loadError in
        if let error = loadError {
            os_log("Failed to load the filter configuration: %@", error.localizedDescription)
            completionHandler(false)
            return
        }
        completionHandler(true)
    }
}

func startFilter() {
    let filterManager = NEFilterManager.shared()
    loadFilterConfiguration { success in
        guard success else {
            os_log("Error in startFilter")
            return
        }
        let providerConfiguration = NEFilterProviderConfiguration()
        providerConfiguration.filterPackets = true //
        providerConfiguration.filterSockets = true // I set both to true
        filterManager.providerConfiguration = providerConfiguration
        filterManager.localizedDescription = appName
        filterManager.isEnabled = true
        filterManager.saveToPreferences { saveError in
            DispatchQueue.main.async {
                if let error = saveError {
                    os_log("Failed to save the filter configuration: %@", error.localizedDescription)
                    return
                }
            }
        }
    }
}

This does not work, as only 1 startFilter is called (the one of FilterDataProvider). Can you tell what I am doing wrong? Thanks!