Missing flows for content filter on macOS 15 Sequoia

We use as content filter in our app to monitor flows, we gather data about the flow and block flows deemed suspicious.

Our content filter is activated/deactivated by a UI app but the flows are reported via XPC to a separate daemon process for analysis.

As of macOS 15, we are seeing cases where flows are missing or flows are not received at all by the content filter. The behaviour is not consistent, some devices seem to receive flows normally but others don't. It appears Intel devices are much less prone to showing the problem, whereas Arm devices routinely exhibit missing flows.

  • On macOS 14 or earlier, there is no sign of missing flows.
  • Testing on earlier beta versions of macOS 15 did not appear to show the problem, however I can't rule out if issue was present but it wasn't spotted.
  • Experimenting with simple examples of using a content filter (e.g. QNE2FilterMac) does not appear to reproduce the issue.

Questions,

  • What has changed between macOS 14 and 15 that could be the cause of the lack of flows?
  • Is our approach to using an app activated content filter reporting to a daemon connected via XPC unsupported?
Answered by DTS Engineer in 814201022

Is our approach to using an app activated content filter reporting to a daemon connected via XPC unsupported?

Yes. [Removed because it’s confusing. See below.]

You have to be careful about performance here, but the basic concept is sound.

Note On the performance front, it’s best if you can avoid routing all the user’s traffic over this XPC channel. My general advice is that you use the XPC channel for ‘command and control’, but not for traffic. So, if there are filter rules that need to be run, put the filtering engine in your NE provider. Then use XPC to get the rules to run, for general logging, and for reporting issues.

What has changed between macOS 14 and 15 that could be the cause of the lack of flows?

macOS 15, like all major OS releases, changed so much stuff that’s it’s not feasible to answer ‘what has changed’ questions. However:

  • I’m not aware of any change to the content filter API.

  • On the implementation side, the most obvious change is that the built-in firewall is now based on NE.

I’ve seen reports from other filter developers that this might be causing problems (FB15699871). If you’re working with a user who’s experiencing this issue, you might ask them:

  • Do they have the built-in firewall enabled?

  • If so, does disabling it, and then restarting, cure this problem?

To be clear, this is a diagnostic test, not an actual workaround.

In addition to that, it’d be good to get an actionable bug report about this. See my Bug Reporting: How and Why? for general info an that topic. In this case:

  • There are specific VPN (Network Extension) instructions on our Bug Reporting > Profiles and Logs page.

  • You want to capture the log as soon as you see the problem.

  • If you’re able to reproduce it with a minimal test content filter, like QNE2FilterMac, that’d be great. If not, it’s better to have a bug with your production content filter than nothing at all.

If you do file a bug, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Is our approach to using an app activated content filter reporting to a daemon connected via XPC unsupported?

Yes. [Removed because it’s confusing. See below.]

You have to be careful about performance here, but the basic concept is sound.

Note On the performance front, it’s best if you can avoid routing all the user’s traffic over this XPC channel. My general advice is that you use the XPC channel for ‘command and control’, but not for traffic. So, if there are filter rules that need to be run, put the filtering engine in your NE provider. Then use XPC to get the rules to run, for general logging, and for reporting issues.

What has changed between macOS 14 and 15 that could be the cause of the lack of flows?

macOS 15, like all major OS releases, changed so much stuff that’s it’s not feasible to answer ‘what has changed’ questions. However:

  • I’m not aware of any change to the content filter API.

  • On the implementation side, the most obvious change is that the built-in firewall is now based on NE.

I’ve seen reports from other filter developers that this might be causing problems (FB15699871). If you’re working with a user who’s experiencing this issue, you might ask them:

  • Do they have the built-in firewall enabled?

  • If so, does disabling it, and then restarting, cure this problem?

To be clear, this is a diagnostic test, not an actual workaround.

In addition to that, it’d be good to get an actionable bug report about this. See my Bug Reporting: How and Why? for general info an that topic. In this case:

  • There are specific VPN (Network Extension) instructions on our Bug Reporting > Profiles and Logs page.

  • You want to capture the log as soon as you see the problem.

  • If you’re able to reproduce it with a minimal test content filter, like QNE2FilterMac, that’d be great. If not, it’s better to have a bug with your production content filter than nothing at all.

If you do file a bug, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thanks for the feedback.

QQ, just to clarify. Your "Yes" means this should be supported but performance could be an issue, right?

Is our approach to using an app activated content filter reporting to a daemon connected via XPC unsupported?

Yes. You have to be careful about performance here, but the basic concept is sound.

I have been able to test the disabling the built-in firewall and after a restart to flows are received normally by our content filter. This would seem to confirm we're hitting the issue reported by others (FB15699871).

I'll work on preparing a bug report and will post it here.

Thanks for the help, Dave

Your "Yes" means this should be supported but performance could be an issue, right?

Correct. As the old adage goes “Real programmers can get the branch backwards in any language.” And apparently that includes English (-:

I’ve edited my previous post in the hope of avoid confusing other folks.

This would seem to confirm we're hitting the issue reported by others

Yep.

I'll work on preparing a bug report and will post it here.

Thanks.

Just FYI, this thread added another wrinkle to this conversation.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Bug report submitted, FB15833538

@DTS Engineer I've been testing this issue against macOS 15.2 and it seems the problem with the built-in firewall may have been resolved.

There's nothing obvious from the release notes though. Can you confirm if the problem has been addressed (or not)?

Missing flows for content filter on macOS 15 Sequoia
 
 
Q