nw_listener_inbox_accept_udp bind failed

After updating from 10.14 beta 1 to beta 2, the app started to return an error.


We're trying to listen on port 53 using NWListener, and according to netstat and lsof:

$ netstat -aLn
Current listen queue sizes (qlen/incqlen/maxqlen)
Listen         Local Address        
0/0/10         *.53   

$ netstat -p udp -n
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)    
udp4       0      0  *.53                   *.* 

$ lsof -i :53
COMMAND    PID          USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Privaguar 4875 administrator   10u  IPv4 0xcc9a81e8ff81b149      0t0  UDP *:domain
Privaguar 4875 administrator   11u  IPv4 0xcc9a81e9060b9eb1      0t0  TCP *:domain (LISTEN)

Both the TCP and the UDP listen on the port succeed, but when a new UDP connection arrives the error

"nw_listener_inbox_accept_udp bind failed [13: Permission denied]"

is returned.

Strangely, the TCP socket on port 53 still works.


We believe this could be due to a privileged port being requested, because after changing the UDP listening port from 53 to 1053 the app worked again.

If this is no longer possible, what are the options for listening on privileged ports in a macOS sandboxed environment?

Are there any limitations regarding privileged ports (<1024) for NWListener?
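As an added example (not code from this thread), the listener setup described above: a UDP NWListener on port 53 whose failure handler recognises the POSIX EACCES (13, "Permission denied") case and falls back to the unprivileged port 1053 that the post reports as working. Port numbers, queue label and the assumption that the bind failure surfaces through the listener's or connection's `.failed` state are assumptions, not anything stated by the thread.

```swift
import Foundation
import Network

// Assumed ports: the privileged one we want and the unprivileged fallback.
let privilegedPort: UInt16 = 53
let fallbackPort: UInt16 = 1053
let queue = DispatchQueue(label: "udp-listener")   // assumed label

/// Returns true when the error is the POSIX "Permission denied" (13)
/// that the thread reports for the privileged UDP bind.
func isPermissionDenied(_ error: NWError) -> Bool {
    if case .posix(let code) = error { return code == .EACCES }
    return false
}

/// Starts a UDP listener on `port`. If the listener or an inbound
/// connection fails with EACCES and `fallback` is given, retry there.
@discardableResult
func startUDPListener(on port: UInt16, fallback: UInt16?) -> NWListener? {
    guard let nwPort = NWEndpoint.Port(rawValue: port),
          let listener = try? NWListener(using: .udp, on: nwPort) else {
        print("could not create listener on \(port)")
        return nil
    }
    // Shared handling: log, and on EACCES move to the fallback port once.
    let handleFailure: (NWError) -> Void = { error in
        print("port \(port) failed: \(error)")
        listener.cancel()
        if isPermissionDenied(error), let next = fallback {
            print("permission denied on \(port); retrying on \(next)")
            startUDPListener(on: next, fallback: nil)
        }
    }
    listener.stateUpdateHandler = { state in
        switch state {
        case .ready: print("UDP listener ready on \(port)")
        case .failed(let error): handleFailure(error)
        default: break
        }
    }
    listener.newConnectionHandler = { connection in
        connection.stateUpdateHandler = { state in
            if case .failed(let error) = state { handleFailure(error) }
        }
        connection.start(queue: queue)
    }
    listener.start(queue: queue)
    return listener
}

startUDPListener(on: privilegedPort, fallback: fallbackPort)
dispatchMain()   // keep the tool alive so the handlers can run
```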

Replies

The story with privileged ports varies by platform:

  • On iOS the traditional UNIX privileged port restrictions were disabled before the first iOS SDK.

  • Likewise for tvOS.

  • On watchOS there’s no direct access to TCP, so this issue is irrelevant.

  • On macOS 10.13.x and earlier these restrictions applied as they would on any other UNIX machine.

  • On macOS 10.14 there is work afoot to ease these restrictions (r. 17427890), although it won’t be completely unlimited like it is on iOS.

The macOS 10.14 change is still very much in motion, so I’m not 100% sure what the current state of affairs is. My recommendation is that you file a bug about the issue you’re seeing, making sure that:

  1. No one else is using port 53 before you start your project (netstat -an | grep udp will confirm that)
  2. You include the specific build number you’re having problems with

  3. If possible, you include a small test project that illustrates the issue

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Bug ID: 41633699

(sample project attached)


Thank you, eskimo

Bug ID: 41633699

Thanks for that. Since you filed that bug I’ve learnt more about this issue. As I mentioned back on 25 Jun we’ve been making changes in macOS 10.14 beta to ease the low-number port restrictions traditionally imposed on UNIX systems. This seems to be working for TCP but there are technical issues getting it to work for UDP. We’re using your bug to track further investigation of that issue, but at this point I can’t guarantee that this will be resolved before 10.14 ships.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Quinn, thanks for this update.

As we understood, Apple's plan is to ease restrictions on privileged (<=1024) IP ports for macOS, no matter the protocol (UDP/TCP).

We hope to see it resolved in 10.4.X 🙂

Just received a message: my bug report is a duplicate of 40571326.