On Ventura -
- We have a network extension(Transparent Proxy) which blocks IPv6 traffic as below.
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
//Ipv6 gets blocks by below code
let error = NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey : "Connection Refused"])
flow.closeReadWithError(error)
flow.closeWriteWithError(error)
- On IPv6 enabled client machine, when a client application(Browser, curl, Teams etc), try to send HTTP/s requests, first they try to send the request over IPv6 and if it fails, they try with IPv4 (Happy eyeballs Algorithm)
- In our case, as network extension blocks IPv6 traffic, client applications will fail to establish connection over IPv6 and fallback to IPv4 as per Happy eyeballs Algorithm
The above scenario works fine till MacOS Ventura.
For Sonoma, this behaviour seems to have changed
- When our network extension blocks IPv6 traffic, client applications do not fallback to IPv4.
- They simply fail without trying IPv4. We tested with curl, Google chrome browser, Microsoft Teams. All these fail to load pages on Sonoma and they work fine on Ventura.
Note : No change in our network extension code, curl and browser versions. Only change is MacOS version
Please find attached screenshots with Ventura and with Sonoma, running curl
One other difference seen here is the error code received by client applications with Ventura and Sonoma.
- On Ventura, when IPv6 is blocked, error is Network is down and client application establishes connection with IPv4.
- On Sonoma, error code is 22 : Invalid arguments and client application does not retry with IPv4.
Curl_Ventura.jpg
Curl_Sonoma.png