Hello Matt.
Thanks a lot for your quick reply and interest in the issue. We are going to perform some other tests and if we don't manage to solve it we'll follow your recommendation and open a TSI.
Regards
Hello Matt.
Over the last few days we have been working on this issue and fortunately we came up with a valid solution. Here we detail the new processing flow and some related questions.
Solution for the Pause-Resume issue
We moved the asynchronous analysis starting point from C to Swift, as follows:
Process the Pause action in a method following these steps:
Enqueue a task in an asynchronous global dispatch queue, passing a closure as a responseHandler that will be called at the end of the task execution.
Implement the closure that will manage the final action. This closure captures the local NEFilterFlow, which is required to perform the resumeFlow (similar to the one implemented in the SimpleFirewall example).
The dispatch queue processes the task, which:
Calls the C code section to perform the analysis.
When the analysis is finished, the responseHandler closure is executed.
Finally, from the closure we call resumeFlow with the required verdict.
Do you have any comment about this processing? Nevertheless, the problem from the original question remains unsolved, and this new processing flow raises some new questions and other problems.
Pause-Resume Related questions
Can we request more data after resuming a paused flow? That is, not resuming with a final allow or drop action but asking for more data to analyze (“NEFilterDataVerdict.init(passBytes: passBytesCount, peekBytes: Int.max)”): Pause ---> Resume(MoreDataRequired) ---> Allow/Drop
If so, can we make several pause-resume cycles for the same flow?
HandleDataComplete Callback Issue
This is very likely related to our management of the pause-resume cycle, but in both the handleInboundDataComplete and handleOutboundDataComplete methods, most of the time the NEFilterFlow parameter comes with a nil value.
Moreover, we have tested the same pause-resume mechanism implemented in the SimpleFirewall sample but moved to the handleInboundData and handleOutboundData callbacks, and the nil parameter issue does not occur.
Any idea why this is happening?
Thanks a lot for your help. Regards,
Rodrigo Ortega
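The pause, dispatch, resume sequence described in the post above, written out as an added example in Swift (this is not the poster's code nor Apple's sample). `analyzePayload`, `minimumBytes` and `pendingInbound` are hypothetical stand-ins for the poster's C analysis routine and buffered data; whether a flow may be resumed with a passBytes/peekBytes verdict instead of allow/drop is exactly the open question of the thread, so the example resumes only with allow or drop. It also assumes the system serializes the provider's callbacks, so the per-flow buffer map is touched only from those callbacks and never from the analysis queue.

```swift
import Foundation
import NetworkExtension

/// Added example: a content-filter data provider that pauses a flow, runs the
/// analysis on a global dispatch queue, and resumes the flow from the
/// completion closure. Not code from the thread.
class FilterDataProvider: NEFilterDataProvider {

    /// Bytes to accumulate before running the analysis (assumed value).
    private let minimumBytes = 2048

    /// Inbound bytes buffered per flow, keyed by the flow's identifier.
    /// Assumption: only accessed from the provider's own callbacks, which the
    /// system serializes; guard it with a lock if that does not hold.
    private var pendingInbound: [UUID: Data] = [:]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        pendingInbound.removeAll()
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Ask the system to deliver inbound bytes to handleInboundData.
        return NEFilterNewFlowVerdict.filterDataVerdict(
            withFilterInbound: true, peekInboundBytes: minimumBytes,
            filterOutbound: false, peekOutboundBytes: 0)
    }

    override func handleInboundData(from flow: NEFilterFlow,
                                    readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        var buffer = pendingInbound[flow.identifier] ?? Data()
        buffer.append(readBytes)

        guard buffer.count >= minimumBytes else {
            // Not enough data yet: keep it, pass nothing, and ask to peek more.
            pendingInbound[flow.identifier] = buffer
            return NEFilterDataVerdict(passBytes: 0, peekBytes: minimumBytes - buffer.count)
        }

        // The closure gets its own copy of the data; drop the map entry here,
        // on the callback side, so the analysis queue never touches the map.
        pendingInbound.removeValue(forKey: flow.identifier)

        // Step 1: enqueue the task on a global queue. The closure captures
        // `flow`, which is required to call resumeFlow later.
        DispatchQueue.global(qos: .utility).async { [weak self] in
            // Step 2: the (here hypothetical) C analysis runs off the provider's thread.
            let malicious = analyzePayload(buffer)
            // Step 3: the response handler resumes the flow with the final verdict.
            let verdict: NEFilterDataVerdict =
                malicious ? NEFilterDataVerdict.drop() : NEFilterDataVerdict.allow()
            self?.resumeFlow(flow, with: verdict)
        }

        // Pause the flow until the response handler calls resumeFlow.
        return NEFilterDataVerdict.pause()
    }

    override func handleInboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict {
        // The flow ended before minimumBytes arrived: nothing is left to analyze.
        pendingInbound.removeValue(forKey: flow.identifier)
        return NEFilterDataVerdict.allow()
    }
}

/// Hypothetical stand-in for the poster's C analysis entry point: flags a
/// payload containing a constructed marker string.
private func analyzePayload(_ data: Data) -> Bool {
    return data.range(of: Data("EXAMPLE-MALICIOUS-MARKER".utf8)) != nil
}
```

The one design choice worth calling out: the flow's buffered bytes are removed from the map before the task is dispatched, so the closure owns an immutable copy and the only object shared with the analysis queue is the `NEFilterFlow` that `resumeFlow` needs.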
If you are pausing then you will need to call resume on the flow to bring it out of the paused state. If you need to analyze more data on the flow I would go straight to: return [NEFilterNewFlowVerdict filterDataVerdictWithFilterInbound:YES peekInboundBytes:PEEKSIZE filterOutbound:YES peekOutboundBytes:PEEKSIZE];
Our question was related to multiple analysis tasks in the same flow, each processing as follows:
Get and parse some data.
Asynchronously analyze accumulated data up to a point, and pause the flow in the meantime.
When the analysis is finished, resume the flow.
When the flow is resumed, is it mandatory to set an ALLOW/DENY action, or can we request more data and continue analyzing the flow?
With respect to this:
The NEFilterFlow values should be non-nil in the handleInboundData and handleOutboundData methods because the connections have been setup and the data is flowing back and forth on the connection.
We have no idea what is causing this issue, but we guess it is something related to our asynchronous analysis flow. We have tested different options but none of them work. Moreover, it is weird that, despite this, the network connections are working.
We will continue studying it, and maybe open a TSI for deeper investigation.
Best regards,
Rodrigo Ortega
Hello there.
Ok, took me a long time to figure out all of the signing, provisioning, entitlements, and notarization stuff, but when I finally successfully signed it with a developer ID and notarized it, it started working on the test machine. So maybe the error messages were misleading me and the true issue might have been less about the extension being built properly within the bundle, and more about permissions and entitlements.
We are facing the same problem right now. Could you please give more details about what you changed regarding the signing, provisioning profiles, entitlements and notarization to make it work? We have revised the process and tested different alternatives unsuccessfully.
Thanks a lot in advance
Thanks for your answer Matt, we appreciate the questions. They have helped to clarify some points.
It is a network app extension on macOS.
Reviewing the code, we noticed that we had left a misconfiguration from previous tests when establishing the network extension configuration. We had set:
filterPackets = true
filterSockets = false
But now we need:
filterPackets = false
filterSockets = true
After changing this, the extension was successfully loaded.
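The configuration change from the post above, as an added example of how the containing app would save it through NEFilterManager (example code, not the poster's). `installSocketFilter` and the localized description string are assumptions; the point is that `filterSockets` selects the data provider path (the `NEFilterDataProvider` subclass the thread is about), while `filterPackets` selects a packet provider, so the earlier `filterPackets = true` / `filterSockets = false` pair never routed flows to the data provider.

```swift
import Foundation
import NetworkExtension

/// Added example: saves a content filter configuration that filters sockets,
/// not packets. Not the poster's code. Assumes the app carries the
/// content-filter network extension entitlement and is signed and notarized
/// as discussed earlier in the thread.
func installSocketFilter(completion: @escaping (Error?) -> Void) {
    let manager = NEFilterManager.shared()

    // Always load before modifying, or the save overwrites what is on disk.
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }

        let config = NEFilterProviderConfiguration()

        // The misconfiguration left over from earlier tests (from the post):
        //   config.filterPackets = true
        //   config.filterSockets = false
        // With these values a NEFilterDataProvider never sees any flows.

        // The working setting for a data provider: filter sockets, not packets.
        config.filterPackets = false
        config.filterSockets = true

        manager.providerConfiguration = config
        manager.localizedDescription = "Example Socket Filter"   // assumed name
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}

/// Quick check of a loaded configuration before enabling it, so the wrong
/// pair above is caught at startup rather than by a silent absence of flows.
func isSocketFilterConfiguration(_ config: NEFilterProviderConfiguration) -> Bool {
    return config.filterSockets && !config.filterPackets
}
```

Call `installSocketFilter` from the app after the system extension has been activated; `saveToPreferences` is what prompts the user to approve the filter, and `isSocketFilterConfiguration` can be run against `manager.providerConfiguration` after `loadFromPreferences` to confirm the stored values.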