Networking


Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Networking Documentation

Post | Replies | Boosts | Views | Activity

Disabling Fragmented Packets on NWConnection - What Is Expected from disableFragmentation?
Hello everyone,

We have a use case where we need to disable the sending and receiving of fragmented packets on the network while using NWConnection. However, even after setting the disableFragmentation flag to true, the connection still sends fragmented packets. We've tried setting the flag as follows, but the packets are still being fragmented:

    // UDP options without DTLS, then the IP-level options taken from the default stack
    let udpOptions = NWProtocolUDP.Options()
    let parameters = NWParameters(dtls: nil, udp: udpOptions)
    let ipOptions = parameters.defaultProtocolStack.internetProtocol! as! NWProtocolIP.Options
    ipOptions.disableFragmentation = true
    // Remote host redacted in the original post; Port is expressible by an integer literal
    let connection = NWConnection(host: "XX.XX.XX.***", port: 25000, using: parameters)

The issue we are encountering is that even though we've set disableFragmentation to true on the sender, the receiver still receives fragmented UDP packets. This can be observed using Wireshark, where we are sending 10k bytes of data from the sender and receiving the fragmented datagram packets on the receiver end while both devices are on the same Wi-Fi network. Additionally, Wireshark shows that the packet has the "DF" bit set to '0', indicating that fragmentation is allowed.

What exactly is expected from the disableFragmentation flag? Are we misunderstanding how this flag works? Or is there something else we should be doing to ensure that fragmentation is completely disabled?

Looking forward to your insights!
Replies: 1 | Boosts: 0 | Views: 150 | Activity: 4w
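The check a practitioner wants for the question above is what a fragmented datagram actually looks like on the wire, and what a sender that honours a no-fragmentation request does instead: it fails the send locally (EMSGSIZE) rather than emitting fragments with DF=0. The following is an added Python example, not code from the post or from the Network framework. It builds the post's 10,000-byte UDP datagram, fragments it at an assumed 1500-byte MTU the way a host does when DF is clear, and parses each fragment's DF/MF flags and offset, which is what Wireshark's IP header pane reports. The addresses, ports, IP ID and MTU are assumptions chosen for the illustration.

```python
"""IPv4 flags and fragmentation on the wire.

Added example; not code from the original post. It builds the UDP payload
size the post describes (10,000 bytes), fragments it the way a sending host
does when the DF bit is clear, and parses the flags back so you can check
what Wireshark reports. MTU, addresses, ports and the IP ID are assumptions.
"""
import struct

IPV4_HEADER_LEN = 20        # no IP options
UDP_HEADER_LEN = 8
MTU = 1500                  # assumed link MTU (typical Wi-Fi/Ethernet)
FLAG_DF = 0x2               # Don't Fragment
FLAG_MF = 0x1               # More Fragments
IPPROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _aton(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(src, dst, proto, payload, ident, flags, frag_offset_bytes, ttl=64):
    """Return header + payload; frag_offset_bytes must be a multiple of 8."""
    ver_ihl = (4 << 4) | (IPV4_HEADER_LEN // 4)
    flags_frag = (flags << 13) | (frag_offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, IPV4_HEADER_LEN + len(payload),
                      ident, flags_frag, ttl, proto, 0, _aton(src), _aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields Wireshark shows in the IP header pane."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_frag >> 13
    return {
        "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags & FLAG_DF), "mf": bool(flags & FLAG_MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # in bytes
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }


def fragment(src, dst, proto, l4, ident, mtu=MTU, dont_fragment=False):
    """Split an IP payload across MTU-sized packets, as a host does when DF=0.

    With DF set a host must not fragment; the kernel fails the send with
    EMSGSIZE instead, which is modelled here by raising ValueError.
    """
    if IPV4_HEADER_LEN + len(l4) <= mtu:
        return [build_ipv4(src, dst, proto, l4, ident, FLAG_DF if dont_fragment else 0, 0)]
    if dont_fragment:
        raise ValueError("EMSGSIZE: %d bytes exceed MTU %d with DF set"
                         % (IPV4_HEADER_LEN + len(l4), mtu))
    step = (mtu - IPV4_HEADER_LEN) // 8 * 8      # fragment offsets are 8-byte units
    frags, offset = [], 0
    while offset < len(l4):
        chunk = l4[offset:offset + step]
        more = offset + len(chunk) < len(l4)
        frags.append(build_ipv4(src, dst, proto, chunk, ident, FLAG_MF if more else 0, offset))
        offset += len(chunk)
    return frags


def demo(payload_len=10_000):
    """Fragments of a 10,000-byte UDP datagram to port 25000 at MTU 1500 (constructed)."""
    udp = struct.pack("!HHHH", 40000, 25000, UDP_HEADER_LEN + payload_len, 0) + b"A" * payload_len
    return [parse_ipv4(p) for p in fragment("192.168.1.10", "192.168.1.20", IPPROTO_UDP, udp, ident=0x1234)]


if __name__ == "__main__":
    for f in demo():
        print("id=%#x len=%d DF=%d MF=%d offset=%d"
              % (f["id"], f["total_len"], f["df"], f["mf"], f["frag_offset"]))
```

Run it and compare with the capture: seven fragments, DF=0 on all of them, MF=1 on the first six, last offset 8880. A capture of the real traffic that shows the same DF=0 fragments means the option did not take effect on that socket's packets; with fragmentation really disabled, the send of a 10 kB datagram fails at the sender instead, and the application has to keep each datagram under the path MTU itself. Disabling fragmentation on the sender also says nothing about what the receiver accepts from other hosts; dropping inbound fragments is a receiver-side or firewall policy.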
Clarification on .v6 Listener Accepting Both IPv4 and IPv6 Traffic vs NWListener with .any
Hello everyone,

I have a question regarding the behavior of network listeners in my application. Here's the scenario I'm seeing:

When I open a .v6 listener, it accepts both IPv4 and IPv6 traffic. However, when I run the netstat -tln command, the socket is shown as udp6.

When I open an NWListener with the IP version set to .any, I receive both IPv4 and IPv6 traffic on the listener. In this case, running netstat -tln shows a udp46 socket.

My understanding is that if I create a socket with .v6, it should only accept IPv6 connections, not both IPv4 and IPv6. However, the .v6 listener appears to be accepting both types of traffic, which is causing some confusion.

Additionally, I am seeking to understand the difference between a udp6 socket and a udp46 socket, and also the difference between sockets created using .v6 and .any. What exactly does udp46 represent, and how is it different from udp6 in terms of accepting traffic? Is this expected behavior, or is there something I am missing in how the listeners are set up?

Looking forward to hearing your insights!
Replies: 1 | Boosts: 0 | Views: 157 | Activity: 4w
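What a dual-stack socket means in practice, shown with plain BSD sockets rather than NWListener. This is an added Python example, not code from the post. A UDP socket bound to the IPv6 wildcard address also receives IPv4 datagrams unless IPV6_V6ONLY is set, and those IPv4 peers are reported as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d). The probe sends one datagram over loopback and returns None where the host has no usable IPv6 socket; the address-normalising helpers need no network at all. The allowlist networks are assumptions for the illustration.

```python
"""An IPv6 listener that also receives IPv4: IPV6_V6ONLY and mapped addresses.

Added example; not code from the original post. A UDP socket bound to the
IPv6 wildcard address receives IPv4 datagrams too unless IPV6_V6ONLY is set,
and those IPv4 peers are reported as IPv4-mapped IPv6 addresses
(::ffff:a.b.c.d). The probe uses loopback on the local host and returns None
when the host offers no usable IPv6 socket; the ACL helpers need no network.
"""
import ipaddress
import socket


def peer_ip(addr: str):
    """Normalise a reported peer address for ACL checks.

    Unwraps ::ffff:a.b.c.d to the IPv4 address and drops a link-local scope
    suffix (fe80::1%en0), so one allowlist works for both socket families.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allowed(addr: str, allowlist) -> bool:
    """True if the normalised peer falls inside any allowlisted network."""
    ip = peer_ip(addr)
    return any(ip in ipaddress.ip_network(net) for net in allowlist)


def probe_v4_over_v6(v6only: bool, timeout: float = 0.5):
    """Bind UDP on [::], send one IPv4 datagram to it from 127.0.0.1, and
    return the sender address the listener sees.

    Returns '::ffff:127.0.0.1' for a dual-stack socket, 'not-delivered' when
    IPV6_V6ONLY keeps IPv4 out, and None if the environment has no IPv6.
    """
    if not socket.has_ipv6:
        return None
    try:
        listener = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return None
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        listener.bind(("::", 0))            # wildcard bind, ephemeral port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(b"probe", ("127.0.0.1", port))
    except OSError:
        listener.close()
        sender.close()
        return None
    try:
        _data, addr = listener.recvfrom(64)
        return addr[0]                       # IPv4 peer shows up as ::ffff:127.0.0.1
    except socket.timeout:
        return "not-delivered"               # v6-only socket never sees the IPv4 datagram
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    print("dual-stack listener sees:", probe_v4_over_v6(v6only=False))
    print("v6-only listener sees:   ", probe_v4_over_v6(v6only=True))
    print("::ffff:10.1.2.3 in 10.0.0.0/8:", allowed("::ffff:10.1.2.3", ["10.0.0.0/8"]))
```

The security point is in peer_ip: if a listener does source-address filtering, IPv4 clients arrive on the dual-stack socket as ::ffff:a.b.c.d, so an allowlist written in IPv4 terms matches nothing until the address is unwrapped, and a check that assumes "IPv6 socket, therefore IPv6 peer" can be reached by an IPv4 client. Setting IPV6_V6ONLY on the socket is how to get a listener that really accepts IPv6 only.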
NEPacketTunnelProvider - Tunnel Works but Internet Connection Fails
Hi,

I'm working on a VPN app using NEPacketTunnelProvider. The primary goal is to capture outgoing network packets while keeping the internet connection functional. However, with the current implementation, the internet connection stops working after the VPN is enabled. Specifically, browsers like Safari and Chrome fail to load any website (e.g., google.com or apple.com).

Below is the relevant code snippet from my startTunnel method:

    override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        os_log("Starting tunnel...", log: self.log, type: .info)

        // Configure network settings
        let networkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "10.0.0.1")
        networkSettings.ipv4Settings = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])
        networkSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()] // Route all traffic through tunnel
        networkSettings.ipv4Settings?.excludedRoutes = [] // No exceptions

        // DNS configuration
        networkSettings.dnsSettings = NEDNSSettings(servers: ["8.8.8.8"])
        //networkSettings.dnsSettings?.matchDomains = [""] // Uncommented to process all domains

        // MTU configuration
        networkSettings.mtu = 1400

        // Apply tunnel network settings
        setTunnelNetworkSettings(networkSettings) { [weak self] error in
            guard let self = self else { return }
            if let error = error {
                os_log("Failed to set tunnel settings: %{public}@", log: self.log, type: .error, error.localizedDescription)
                completionHandler(error)
                return
            }
            os_log("Tunnel settings applied successfully", log: self.log, type: .info)
            self.readPackets() // Start reading packets
            completionHandler(nil)
        }
    }

    private func readPackets() {
        let queue = DispatchQueue(label: "PacketProcessing", qos: .userInitiated)
        self.packetFlow.readPackets { packets, protocols in
            queue.async {
                for (i, packet) in packets.enumerated() {
                    // protocols[i] is an NSNumber holding the address family (AF_INET / AF_INET6)
                    self.logPacketInfo(packet: packet, protocolCheck: protocols[i].int32Value)
                    self.packetFlow.writePackets([packet], withProtocols: [protocols[i]]) // Re-send packet
                }
                self.readPackets() // Continue reading
            }
        }
    }

Questions:
1. Are there additional configurations required to ensure that the VPN forwards packets correctly to maintain internet connectivity?
2. Could there be a missing setting related to includedRoutes or dnsSettings that is causing the issue?
3. How should packets be properly handled in the readPackets method to avoid breaking the internet connection?
4. With this approach, is it possible to read network packets generated by browsers like Safari and Chrome?

Please understand that it's my first time leaving a question, so it's not readable. Thank you!!
Replies: 1 | Boosts: 0 | Views: 131 | Activity: 4w
After iOS 18, cannot connect to IoT device's hotspot
When my iPhone 15 Pro Max was upgraded to iOS 18.1.1, it could not connect to the hotspot of my IoT device (OS Android 5.1) any more, while my iPhone 12 (iOS 18.1.1) has no issues. Both the 15 Pro Max and the iPhone 12 work well with another device (OS Android 10.0).

I had tried:
1. Forget Network (and re-add your desired Wi-Fi network)
2. Reset Network Settings (under Settings/General/Transfer or Reset iPhone)
3. Turn Airplane Mode on, then off after a few seconds
4. Restart the iPhone
5. Reset all settings
6. Disable VPN
7. Turn off the setting that rotates my Wi-Fi address

Did anyone have similar issues?
Replies: 1 | Boosts: 0 | Views: 146 | Activity: 4w
Add "local network access" permission for macOS 15 runners
Hi, We have an issue (https://github.com/actions/runner-images/issues/10924) raised by a user requesting to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners. Apple introduced a new LNP policy with macOS Sequoia that is not controlled by TCC or MDM. Could you please guide us on how to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners? Thanks.
Replies: 5 | Boosts: 0 | Views: 328 | Activity: 4w
Can't add `com.apple.managed.vpn.shared` to App Store Connect build
Hi,

We have been granted the com.apple.managed.vpn.shared entitlement and are able to use it for builds/TestFlight builds. We can access the cert in a mobile config, and everything works fine.

However, when we try to archive a build and distribute for App Store Connect, it fails if the entitlement file contains this entry. If we take it out, the upload succeeds but the app can't load the cert from the keychain.

The Distribution profile has the entry:

    keychain-access-groups: [TEAM ID].*, com.apple.managed.vpn.shared

Is there an extra step for App Store Connect builds?

Thanks,
Dave
Replies: 1 | Boosts: 0 | Views: 141 | Activity: 4w
Crash in macOS Content Filter System Extension
Hi,

One of our customers is seeing a crash in our Content Filter in our network system extension. We're kind of at a loss for the cause of this, as only one specific person is running into this, and we're not at all in the stack trace, out of the hundreds of others deployed with our extension. It would be greatly appreciated if we could have any help in diagnosing this issue.

Attached is the crash report, and below is the crashing stack trace. If this crash log is not sufficient, I have many more from the customer that I can attach here.

crash.txt

    Thread 4 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
    0   libsystem_kernel.dylib    0x18cd4e600 __pthread_kill + 8
    1   libsystem_pthread.dylib   0x18cd86f70 pthread_kill + 288
    2   libsystem_c.dylib         0x18cc93908 abort + 128
    3   libc++abi.dylib           0x18cd3d44c abort_message + 132
    4   libc++abi.dylib           0x18cd2ba40 demangling_terminate_handler() + 348
    5   libobjc.A.dylib           0x18c9d13e4 _objc_terminate() + 156
    6   libc++abi.dylib           0x18cd3c710 std::__terminate(void (*)()) + 16
    7   libc++abi.dylib           0x18cd3c6b4 std::terminate() + 108
    8   libdispatch.dylib         0x18cbd466c _dispatch_client_callout + 40
    9   libdispatch.dylib         0x18cbdbc60 _dispatch_lane_serial_drain + 744
    10  libdispatch.dylib         0x18cbdc79c _dispatch_lane_invoke + 432
    11  libdispatch.dylib         0x18cbe77e8 _dispatch_root_queue_drain_deferred_wlh + 288
    12  libdispatch.dylib         0x18cbe7034 _dispatch_workloop_worker_thread + 540
    13  libsystem_pthread.dylib   0x18cd833d8 _pthread_wqthread + 288
    14  libsystem_pthread.dylib   0x18cd820f0 start_wqthread + 8
Replies: 2 | Boosts: 0 | Views: 233 | Activity: Dec ’24
How to implement server-side authentication for text filtering requests??
If an app has a text filtering extension and an associated server that the iPhone OS communicates with, then how can that communication be authenticated? In other words, how can the server verify that the request is valid and coming from the iPhone and not from some spoofer?

If somebody reverse engineers the associated domain URLs out of the app's Info.plist or entitlement files and calls the server URL directly, then how can the server detect that this has occurred and that the request is not coming from the iPhone OS of a handset on which the app is installed?
Replies: 12 | Boosts: 0 | Views: 260 | Activity: Dec ’24
SSL error while using self signed certificate for an accessory device
I used the SSH approach method in the post https://developer.apple.com/forums/thread/703234 to add TLS trust for the local accessory device with a self-signed certificate. In the Info.plist, I disabled App Transport Security for local networking by setting the NSAllowsLocalNetworking property, as mentioned in the post. However, I am still encountering the following SSL error:

    ATS failed system trust
    Connection 3: system TLS Trust evaluation failed(-9802)
    Connection 3: TLS Trust encountered error 3:-9802
    Connection 3: encountered error(3:-9802)
    Task <9432C2C5-C7A1-44E4-95CC-2AFA49D6C501>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
    Task <9432C2C5-C7A1-44E4-95CC-2AFA49D6C501>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3

In the code everything is working fine. The certificates are compared, and CFEqual(expected, actual) is returning true. Also, in the urlSession delegate method, completionHandler(.useCredential, credential) is returned. When I disable ATS in Info.plist by setting NSAllowsArbitraryLoads, it works fine.

I have the following questions:
1. Should I disable ATS by setting NSAllowsArbitraryLoads along with setting ?
2. Instead of accepting the server certificate for the first time and saving it in the app, why can't we embed the self-signed certificate in the app directly and use it for comparison?
Replies: 4 | Boosts: 0 | Views: 262 | Activity: Dec ’24
Force socket() level UDP sockets to use IGMP v2 and not adaptive to v3
I'm working with an app that was developed with the CocoaAsyncSocket library, which uses <sys/socket.h> style socket programming. We have a customer where certain features are not working if iOS "adapts" to v3 IGMP, but they seem to work if v2 IGMP is used. I can't say I understand all the low-level aspects and am trying to inform myself. I've been searching online to find out about sockets and IGMP but don't see anything coming up.

Is there a way to force iOS to use IGMP v2 for broadcast? Our company also makes a hardware communicator, and their code forces v2, and we've been asked to see if we can do the same. Thanks for any leads on where to go to inform myself, or code snippets on how to do this.
Replies: 2 | Boosts: 0 | Views: 203 | Activity: Dec ’24
System Network Extension and Sleep
I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider, Developer ID). My tunneling logic uses BSD sockets. My VPN is configured with on-demand and should always connect when there's traffic:

    targetManager?.isOnDemandEnabled = true
    targetManager?.onDemandRules = [NEOnDemandRuleConnect()]

I have encountered some issues when the device enters sleep (or wakes up from sleep). I've tried two scenarios.

Scenario 1:

    protocolConfiguration?.disconnectOnSleep = true

With this flag set, the OS will disconnect the VPN just before entering sleep. However, there were cases when the OS disconnected the VPN but immediately restarted it, probably because of how I defined the on-demand rules. This resulted in the VPN disconnecting, then trying to reconnect, and then the Mac entered sleep. When the Mac woke up, the VPN didn't work well. Is there a way to avoid waking up just before the Mac enters sleep?

Scenario 2:

    protocolConfiguration?.disconnectOnSleep = false

Disconnect on sleep is unset, and I've implemented the sleep/wake functions at the provider. With this configuration, the OS won't disconnect the VPN, so even in sleep the extension should stay 'alive', so it won't have the problem from (1). But in this case, I had other problems:
- On sleep, I'm disconnecting the tunnel. But sometimes, on wake(), all my network calls fail. Are the interfaces still down? How can I detect this case from the system extension?
- Is it possible that the OS would call sleep and then quickly call wake?
- Is it possible that after sleep, the OS would call the startTunnelWithOptions() function?
- Is it possible to restart the extension from a clean state right from the wake() function?
Replies: 5 | Boosts: 0 | Views: 239 | Activity: Dec ’24
Transparent Proxy: Enhancement Requests for setMetadata API
In our setup, our Transparent Proxy (call it TP1) funnels traffic to a helper process running on the same machine (call it Helper), which then actually sends out the traffic to the wider Internet. Now say there's another Transparent Proxy, TP2, on the same machine. Assuming TP1 gets hold of the traffic first, the sequence would look like so:

    Safari --> TP1 --> Helper --> TP2

We want to make it appear to TP2 that the incoming traffic is from Safari, rather than from the Helper process. We are aware of the Network framework's setMetadata API, but this does not look appropriate for us to use here. The Helper process is pre-existing Golang code, which at best can interface with "pure" (i.e. BSD) sockets-based C code. In order to use the setMetadata API, it looks like we will need to rewrite the entire networking logic to use the nw_connection_t (or similar) API, which is too much work, so it is infeasible for us to use.

Is there a way to make the setMetadata API work at a socket level? E.g., associate the metadata with a socket so that whatever data is sent out on the socket by the Helper will seem to TP2 to be coming from the desired source process. Assuming there isn't such a way, please consider this an Enhancement Request to make it so!

Also, this reveals another complication: if and when this Enhancement is implemented, our own TP1 (which intercepted the traffic in the first place) would end up thinking that the traffic is from Safari, so it ends up re-intercepting it, causing a loop.

    Safari --> TP1 --> Helper (invokes setMetadata) --> TP1 --> Helper ...

Which leads to the next Enhancement Request: please extend the API to allow setting of the "last-hop" source process in addition to the original source application. If the last-hop source process info is set, our TP1 can query this property, see that it's coming from our own Helper process, and skip interception.

In summary, here are the Enhancement Requests:
1. Allow the setMetadata API to work at a socket level
2. Allow setting of the "last-hop" source process in the metadata, in addition to the original source application

More succinctly, please allow setting of metadata to cater to cases where the actual egress happens via a (different) helper process that uses the pure C sockets-based API. I have also filed this as a Feedback with Apple, at FB16048393.
Replies: 2 | Boosts: 4 | Views: 197 | Activity: Dec ’24
How can I control if traffic from other apps goes through the proxy when using a NETunnelProvider?
I am setting up a fake VPN with proxy settings using NEPacketTunnelProvider. When I check proxy check sites, I can see the proxy is detected.

    // hostIP, hostIP2, portNumber and portNumber2 are defined elsewhere in the provider
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "10.0.0.1")
    let proxySettings = NEProxySettings()
    proxySettings.httpEnabled = true
    proxySettings.httpsEnabled = true
    proxySettings.httpServer = NEProxyServer(address: hostIP, port: portNumber)
    proxySettings.httpsServer = NEProxyServer(address: hostIP2, port: portNumber2)
    proxySettings.excludeSimpleHostnames = false
    proxySettings.matchDomains = [""]
    settings.proxySettings = proxySettings

How can I control whether other installed apps on the phone use or bypass this proxy? Can I do this with exceptionList? Since I am routing everything through a VPN, I assumed I could control this. The selection of which apps use the proxy should be up to the user. Could you provide an explanation of how I can manage this? I am quite new to these types of tasks.
Replies: 1 | Boosts: 0 | Views: 140 | Activity: Dec ’24
Content Filtering not working on app from Testflight
The content filtering functionality works perfectly when I install the app directly on my mobile device from Xcode. However, when the app is distributed via TestFlight, the app does not prompt users to save configurations, which causes the configuration-saving process to fail. This app is meant for public use.

As per my understanding from TN3134, content filter apps can be shipped for devices running iOS 16 and later:

    iOS app extension, 9.0:  supervised devices only
    iOS app extension, 15.0: apps using Screen Time API
    iOS app extension, 16.0: per app on managed devices
Replies: 2 | Boosts: 0 | Views: 109 | Activity: Dec ’24
Continued connection failure after server connection failure while local network permission pop-up is displayed
We are trying to connect to WebDAV. The file server is in the same network, so when we try to connect, the local network permission pop-up is displayed. If the input information is incorrect in the first login attempt while this permission pop-up is displayed, then afterwards, even after fixing the connection information, we cannot connect or log in, with the message "NSURLErrorDomain Code=-1009", "Internet connection is offline."

This symptom seems to persist even after rebooting or deleting the app, in the actually distributed app. If you re-debug while debugging in Xcode, you can connect normally. (If you do not re-debug, it fails even if you enter the connection information correctly.)

It also affects local connections in general, so you cannot connect to any local network server such as SMB or FTP. Also, you cannot browse the server list within the local network (SMB).

Is there a way to initialize the local network status within the app to fix this? I tried turning Airplane mode on/off, turning Wi-Fi on/off, and turning local network permissions on/off, but it did not work.

Also, this phenomenon seems to be sandboxed per app. When connecting to the same local server from another app installed on the same iPhone/iPad device, the above phenomenon does not occur if the first connection is successful.

** Summary **
If you fail to connect to a server on your local network, then you will continue to fail to connect to the local server. This happens even when local network permissions are allowed. The error message is NSURLErrorDomain Code=-1009. The current device is an iPhone running iOS 18.1.1.
Replies: 1 | Boosts: 0 | Views: 187 | Activity: Dec ’24
iPhones/iPads unable to connect to ClearPass Captive portals - Issue affecting only Meraki APs with FortiGates
Hi Team,

Looking for an answer, if it's just us or a widespread issue. Since September, our clients' Apple devices can't load a Captive Portal. The client wants the CNA to pop up and I can't get it to happen! Android and Windows devices all work correctly with their respective popups, but CNA will not work.

No changes were done on our side, and after multiple troubleshooting sessions and getting vendors to take multiple PCAPs, we found that Apple devices are not initiating an HTTP GET request, as per Meraki: https://documentation.meraki.com/MR/MR_Splash_Page/Splash_Page_Traffic_Flow_and_Troubleshooting

The workaround is to force an HTTP GET request by manually going into the browser and opening an HTTP site (we tried 1.1.1.1, and also other public HTTP sites, and it works), which then redirects to our Captive Portal page.
Replies: 1 | Boosts: 0 | Views: 173 | Activity: Dec ’24
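Captive-portal detection on a client works by fetching a known cleartext URL and checking whether the unmodified expected body comes back; a redirect to a login page, a substituted page, or no reply at all means the network is captive, and the poster's manual workaround relies on the same cleartext HTTP redirect. The classifier below is an added Python example, not code from the post, from Apple or from any of the vendors named. PROBE_URL and EXPECTED_BODY are the publicly known values of Apple's probe; every sample response is constructed for the example, and the portal hostname is an assumption.

```python
"""Classifying captive-portal probe responses.

Added example; not code from the original post or from any vendor. Captive
detection fetches a known cleartext URL and compares the reply with the
expected body; a redirect, a substituted page or no reply at all means the
network is captive. PROBE_URL and EXPECTED_BODY are the publicly known Apple
probe values; every sample response below is constructed for the example.
"""

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
EXPECTED_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response parser: (status, lowercase-header dict, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify_probe(raw):
    """Return (verdict, detail) for one probe attempt.

    raw is the bytes the client got back for PROBE_URL, or None when the
    connection failed (DNS, TCP or ICMP-level blocking by the portal).
    """
    if raw is None:
        return "no-connectivity", ""
    status, headers, body = parse_http_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return "captive-redirect", headers["location"]   # the URL a CNA would open
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "open", ""
    return "captive-content", ""     # 200 with a substituted page, or a 4xx/5xx


# Constructed sample replies for the three cases a portal can produce.
SAMPLE_OPEN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 68\r\n\r\n"
               + EXPECTED_BODY.encode())
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://portal.example.net/login?orig=captive.apple.com\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_INTERCEPT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><body><form action=\"/login\">Accept terms</form></body></html>")


def classify_samples():
    """Run the classifier over the constructed replies plus a failed connection."""
    return {
        "open": classify_probe(SAMPLE_OPEN),
        "redirect": classify_probe(SAMPLE_REDIRECT),
        "intercept": classify_probe(SAMPLE_INTERCEPT),
        "blocked": classify_probe(None),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in classify_samples().items():
        print("%-10s -> %s %s" % (name, verdict, detail))
```

Two practical consequences follow from this model. When troubleshooting a portal that never shows the CNA, capture the probe itself: if no GET for the probe URL ever reaches the gateway, there is nothing for the portal to redirect, which matches the PCAP finding in the post. And the probe must stay plain HTTP: a portal that intercepts TLS connections produces a certificate failure on the client, which is indistinguishable from a man-in-the-middle attack and is correctly refused rather than treated as a login page.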
How can I capture packets while using Wi-Fi or a hub?
I encountered a problem during the development process. I want to enable the rvi0 capture interface using the rvictl command in the terminal while debugging over Wi-Fi in Xcode, but there is no response. Then I tried a different method by connecting the iPhone to a hub. At this point, I can see the device normally in both Xcode and the console, but I still cannot use the rvictl command. How can I capture packets while using Wi-Fi or a hub?
Replies: 7 | Boosts: 0 | Views: 203 | Activity: Dec ’24
Inquiry Regarding Differences in Wi-Fi Authentication and Encryption Between iPhone 16 Series and Other iOS 18.0 Devices
Dear Apple Support Team, I hope this message finds you well. I am writing to seek clarification on a specific aspect of Wi-Fi connectivity related to the iPhone 16 series running iOS 18.0. We have encountered an issue where the iPhone 16 series devices fail to connect to Wi-Fi networks, and this failure subsequently affects other devices running iOS 18.0. To better understand the root cause of this issue, I would like to inquire about the differences in the "authentication and encryption" processes between the iPhone 16 series running iOS 18.0 and other devices running iOS 18.0. Specifically, are there any changes or updates in the Wi-Fi authentication and encryption mechanisms that are unique to the iPhone 16 series? Understanding these differences will greatly assist us in diagnosing and resolving the connectivity issues we are experiencing. Thank you for your assistance. I look forward to your prompt response. Best regards, WJohn
Replies: 1 | Boosts: 0 | Views: 240 | Activity: Dec ’24
Captive network WebSheet failing when connecting to Hotspot2.0 SSID
iOS devices are failing to launch WebSheet (i.e. the captive portal mini browser) when auto-join is used to connect to a Hotspot 2.0 SSID with a captive portal. Logs captured from the device & RADIUS show that the device associates to the SSID, but does not launch the WebSheet due to the error "Unable to launch WebSheet because this network has become captive". Afterwards the device may send an EAPOL Logoff request to the Access Point & disconnect from the network.

If manually selecting the SSID from Settings > Wi-Fi, then the same device will log "It's a manual join so no further checks required", remain associated to the SSID & launch the captive portal browser, which is able to load the captive browser.

    info    17:28:35.298531-0500  configd  device setup is completed
    info    17:28:35.298566-0500  configd  Unable to launch WebSheet because this network has become captive, blacklisting network [HS2_Captive_Test]
    info    17:28:35.298604-0500  configd  Removing FF981347-FDFA-45FD-82D9-88BA0426C0A3
    default 17:28:35.298641-0500  configd  __BUILTIN__: PresentUI result Temporary Failure (6)
    default 17:28:35.298677-0500  configd  CNPluginHandler en0: Failure (__BUILTIN__)
    default 17:28:35.298716-0500  configd  Temporarily disabling (blacklisting) HS2_Captive_Test

WebSheet should only be launched when the device is captive. Why would WebSheet fail to launch when the device is captive?
Replies: 1 | Boosts: 0 | Views: 180 | Activity: Dec ’24