@Igal, @UnisysDavidMcLaren
I am also trying to open a raw socket in a PacketTunnelProvider system extension and running into the same issue: Operation not permitted.
Please let me know if you succeeded on this?
Hi @eskimo,
You can see in the console screenshot below that my app com.xyz.abc.networkextension is not available.
Hi @eskimo,
This book is really helpful. Thank you.
There is one more point under Raw Socket Input:
All IP datagrams with a protocol field that the kernel does not understand are passed to a raw socket. The only kernel processing done on these packets is the minimal verification of some IP header fields: the IP version, IPv4 header checksum, header length, and destination IP address (pp. 213–220 of TCPv2).
Is there any workaround we can apply to the IP packet during sendto so that the kernel does not understand it and passes it to the raw socket?
Can you take a step back and explain your high-level goal?
I am getting NEPacket via a Packet Tunnel Provider system extension. I need to forward this packet to a server, which will re-inject this IP packet into the network stack after processing.
Since a raw socket can't be opened by a system extension due to sandbox restrictions, I am reading IP packets in a separate process via the BSD Packet Filter (BPF): read(bpf, bpfBuffer, bufLength);
After receiving the IP packet at the BPF end, I am using a raw socket to send it to the server. sendto is working fine; it is getting received at the server end. recvfrom is failing.
For ICMP, both sendto and recvfrom are working fine.
Please let me know if there are any other ways to achieve this?
FYI, the following code works fine on Linux but does not work on macOS.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
    int i, sockfd;
    ssize_t recv_length;
    u_char buffer[9000];

    printf("Opening socket\n");
    /* Raw IPv4 socket for protocol number IPPROTO_TCP; requires root. */
    if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        perror("Socket failed!!");
        return -1;
    }
    printf("Socket opened\n");
    for (i = 0; i < 3; i++) {
        printf("Going to read i: %d\n", i);
        /* Linux delivers copies of incoming TCP segments to this socket.
         * On macOS (BSD-derived) the kernel never passes TCP or UDP to raw
         * sockets (UNP section 28.4), so this call never returns data. */
        recv_length = recv(sockfd, buffer, 8000, 0);
        if (recv_length == -1) {
            perror("recv");
            break;
        }
        printf("Got some bytes : %zd\n", recv_length);
    }
    close(sockfd);
    return 0;
}
```
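An added example, not code from any of the posts on this page: it applies the same minimal header checks the UNP passage quoted earlier describes (IP version, header length, IPv4 header checksum) in C to a packet buffer of the kind read from BPF or readPacketObjects, then extracts the TCP/UDP 4-tuple that can be matched against lsof -i output. The struct, function names and the sample packet are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
struct tuple4 { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; }; /* matched against lsof -i */
/* RFC 1071 one's-complement sum over the IPv4 header; a valid header sums to 0. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Applies the kernel's minimal raw-socket checks from the UNP quote (version,
 * header length, header checksum) plus total length, then extracts the 4-tuple.
 * Returns 0 on success, -1 if a check fails or the protocol is not TCP/UDP. */
int parse_ipv4_tuple(const uint8_t *pkt, size_t len, struct tuple4 *t) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;              /* IP version */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;                        /* header length */
    if (ip_checksum(pkt, ihl) != 0) return -1;                   /* header checksum */
    size_t tot = (size_t)((pkt[2] << 8) | pkt[3]);
    if (tot < ihl || tot > len) return -1;                       /* total length */
    t->proto = pkt[9];
    memcpy(&t->saddr, pkt + 12, 4);                              /* kept in network order */
    memcpy(&t->daddr, pkt + 16, 4);
    if ((t->proto != 6 && t->proto != 17) || tot < ihl + 4) return -1;
    t->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    t->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return 0;
}
/* Constructed sample: IPv4/TCP 172.20.10.3:62323 -> 52.98.87.66:443 (the connection
 * in the lsof output on this page), 20-byte IP header with precomputed checksum
 * 0x3914 and a 20-byte all-zero TCP header. */
size_t sample_packet(uint8_t *buf, size_t cap) {
    static const uint8_t pkt[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x39, 0x14,
        0xac, 0x14, 0x0a, 0x03, 0x34, 0x62, 0x57, 0x42, 0xf3, 0x73, 0x01, 0xbb };
    if (cap < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}
int main(void) {
    uint8_t buf[64]; struct tuple4 t; char s[16], d[16];
    size_t n = sample_packet(buf, sizeof buf);
    if (parse_ipv4_tuple(buf, n, &t) != 0) { puts("header check failed"); return 1; }
    inet_ntop(AF_INET, &t.saddr, s, sizeof s); inet_ntop(AF_INET, &t.daddr, d, sizeof d);
    printf("proto %u %s:%u -> %s:%u\n", t.proto, s, t.sport, d, t.dport);
    return 0;
}
```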
I have added dropping 10.207.135.79 in the overridden method handleOutboundData as well.
Hi, by mistake I pasted the wrong code for the filter rule. I don't see any option to edit the post, hence replying.
I have applied the rules on the remote side as below.
```swift
import NetworkExtension

// Match all TCP traffic to any remote address (IPv4 and IPv6), in both directions.
let filterRules = ["0.0.0.0", "::"].map { address -> NEFilterRule in
    let remoteNetwork = NWHostEndpoint(hostname: address, port: "0")
    let networkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                    remotePrefix: 0,
                                    localNetwork: nil,
                                    localPrefix: 0,
                                    protocol: .TCP,
                                    direction: .any)
    return NEFilterRule(networkRule: networkRule, action: .filterData)
}
```
Hi,
The following include setting is working. But I am not sure whether the setting below, in place of ipv4Settings 0.0.0.0 or default, will have any serious drawbacks.
```swift
// Two /1 routes that together cover all of IPv4, used instead of NEIPv4Route.default().
settings.ipv4Settings?.includedRoutes = [
    NEIPv4Route(destinationAddress: "0.0.0.0", subnetMask: "128.0.0.0"),
    NEIPv4Route(destinationAddress: "128.0.0.0", subnetMask: "128.0.0.0")
]
// DNS 8.8.8.8, 10.212.24.222
settings.ipv4Settings?.excludedRoutes = [
    NEIPv4Route(destinationAddress: "8.8.8.8", subnetMask: "255.255.255.255"),
    NEIPv4Route(destinationAddress: "10.212.24.222", subnetMask: "255.255.255.255")
]
```
@eskimo, it is the port used for network communication over the internet, such as TCP, UDP, etc.
Thanks a ton @eskimo
lsof doesn't work in a sandboxed environment.
I wanted to use lsof -i:port, i.e. lsof -i:443, and grab the NAME column (TCP 172.20.10.3:62323->52.98.87.66:https (ESTABLISHED)), as you can see in the last part of the command output below.
```
faisalikwal@TTWPXM6W4Y ~ % lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
CalendarA 757 faisalikwal 82u IPv4 0x9b970081ec8283e5 0t0 TCP 172.20.10.3:62323->52.98.87.66:https (ESTABLISHED)
exchanges 758 faisalikwal 8u IPv4 0x9b970081ec8303e5 0t0 TCP 172.20.10.3:62241->40.99.34.226:https (ESTABLISHED)
Notes 867 faisalikwal 28u IPv4 0x9b970081ec001915 0t0 TCP localhost:62472->52.98.86.162:https (CLOSED)
Mail 868 faisalikwal 83u IPv4 0x9b970081ec7d0e7d 0t0 TCP 172.20.10.3:62488->40.99.34.242:https (ESTABLISHED)
Google 942 faisalikwal 22u IPv4 0x9b970081ec02794d 0t0 TCP 172.20.10.3:62512->okapi-services-apse1.apple.com:https (ESTABLISHED)
```
My ultimate goal is to identify the process that an NEPacket received by the packet tunnel provider belongs to, since Apple doesn't expose metadata in the packet tunnel (except in per-app cases).
I will have a look at the lsof code to check how they do it.
Hi Eskimo,
Please find the crash dumps attached.
Hi @eskimo
The C++ code is a cross-platform library for tunnel-related tasks. It uses libcurl to do HTTP/HTTPS requests.
What may be the reason for HTTP not working? How do I get the exception for HTTP?
@anoojkrishnan
How did you solve this problem?
Hi @eskimo,
Any thoughts on this?
Hi @eskimo
Looks like IP 239.255.255.250 is a multicast address (Simple Service Discovery Protocol, SSDP).
I have the following questions:
Does multicast IP get forwarded to every packet tunnel utun interface even though it is not added in the include rule?
What if we ignore these packets from packet tunnel readPacketObjects, as we don't want to handle these packets?
When is the multicast entitlement needed?