General: Forums subtopic: App & System Services > Networking DevForums tag: Network Extension Network Extension framework documentation Routing your VPN network traffic article Filtering traffic by URL sample code Filtering Network Traffic sample code TN3120 Expected use cases for Network Extension packet tunnel providers technote TN3134 Network Extension provider deployment technote TN3165 Packet Filter is not API technote Network Extension and VPN Glossary forums post Debugging a Network Extension Provider forums post Exporting a Developer ID Network Extension forums post Network Extension Framework Entitlements forums post Network Extension vs ad hoc techniques on macOS forums post Network Extension Provider Packaging forums post NWEndpoint History and Advice forums post Extra-ordinary Networking forums post Wi-Fi management: Wi-Fi Fundamentals forums post TN3111 iOS Wi-Fi API overview technote How to modernize your captive network developer news post iOS Network Signal Strength forums post See also Networking Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Apple is encouraging VPN apps on macOS to transition to Network Extension APIs, if they haven't done so yet, see: TN3165: Packet Filter is not API WWDC25: Filter and tunnel network traffic with NetworkExtension Using Network Extension is fine for VPN apps that are distributed via the Mac App Store. Users get one pop-up requesting permission to add VPN configurations and that's it. However, VPN apps that are distributed outside of the App Store (using Developer ID) cannot use Network Extension in the same way, such apps need to install a System Extension first (see TN3134: Network Extension provider deployment). Installing a System Extension is a very poor user experience. There is a pop-up informing about a system extension, which the user has to manually enable. The main button is "OK", which only dismisses the pop-up and in such case there is little chance that the user will be able to find the correct place to enable the extension. The other button in that pop-up navigates to the correct screen in System Settings, where the user has to enable a toggle. Then there is a password prompt. Then the user has to close the System Settings and return to the app. This whole dance is not necessary for VPN apps on the Mac App Store, because they work with "app extensions" rather than "system extensions". As a developer of a VPN app that is distributed outside of the App Store, my options are: Implement VPN functionality in an alternative way, without Network Extension. This is discouraged by Apple. Use a System Extension with Network Extension. This is going to discourage my users. I have submitted feedback to Apple: FB19631390. But I wonder, why did Apple create this difference in the first place? Is there a chance that they will either improve the System Extension installation process or even allow "app extensions" outside of the Mac App Store?

We create custom VPN tunnel by overriding PacketTunnelProvider on MacOS. Normal VPN connection works seamlessly. But if we enable onDemand rules on VPN manager, intemittently during tunnel creation via OnDemand, internet goes away on machine leading to a connection stuck state. Why does internet goes away during tunnel creation?

Hello team, I am trying to find out a way to block urls in the chrome browser if it is found in local blocked list cache. I found URL Filter Network very much suitable for my requirement. But I see at multiple places that this solution is only for Enterprise level or MDM or supervised device. So can I run this for normal user ? as my targeting audience would be bank users. One more thing how can I test this in development environment if we need supervised devices and do we need special entitlement ? When trying to run sample project in the simulator then getting below error

Hi, After the release of macOS Tahoe 26.2. We are seeing memory leaks if our Network Protection Extension is used alongside the Apple Built In Firewall, a second Security Solution that does Network Protection and a VPN. Our NEXT, socketfilterfw and the other security solution consume instead of a few MB of Memory now multiple Gigabytes of Memory. This issue started with the public release of macOS Tahoe 26.2, this issue was not present in earlier versions of macOS and the same set of Software. Just testing our solution by itself will not show this behavior. I unfortunately can't try to reproduce the issue on my test device that runs the latest 26.3 beta as I do not have the third party software installed there and I can't get it. Our Network extension implements depending on the license and enabled features: NEFilterDataProvider NEDNSProxyProvider NETransparentProxyProvider For all man in the middle Use Cases we are using Network Framework, to communicate with the peers. And leaks suggest that the there is a memory leak within internals of the Network Framework. Here is a shortened sample of the leaks output of our Network extension. However, the third party NEXT does show the same leaks. More details can be found on the Feedback with the ID FB21649104 snippet is blocking post? sensitive language Does anyone see similar issues or has an idea what could cause this issue, except a regression of the Network.framework introduced with macOS Tahoe 26.2? Best Regards, Timo

I've been able to run this sample project with the PIRServer. But the urls are still not blocked. https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url https://github.com/apple/pir-service-example I got this on the log Received filter status change: <FilterStatus: 'running'>

Hi, I tried to follow this guide: https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url And this: https://github.com/apple/pir-service-example I already deploy the pir service on my server. And set the configuration on the app like this: { name = SimpleURLFilter identifier = xxxxx applicationName = SimpleURLFilter application = com.xxxx.SimpleURLFilter grade = 2 urlFilter = { Enabled = YES FailClosed = NO AppBundleIdentifier = com.mastersystem.SimpleURLFilter ControlProviderBundleIdentifier = com.xxxx.SimpleURLFilter.SimpleURLFilterExtension PrefilterFetchFrequency = 2700 pirServerURL = https://xxxxx/pir pirPrivacyPassIssuerURL = https://xxxxx/pir AuthenticationToken = AAAA pirPrivacyProxyFailOpen = NO pirSkipRegistration = NO } } But I got this error when I tried to enable the service on the app: Received filter status change: <FilterStatus: 'stopped' errorMessage: 'The operation couldn’t be completed. (NetworkExtension.NEURLFilterManager.Error error 9.)'> What does that error mean? And how to fix it?

I haven’t been able to get this to work at any level! I’m running into multiple issues, any light shed on any of these would be nice: I can’t implement a bloom filter that produces the same output as can be found in the SimpleURLFilter sample project, after following the textual description of it that’s available in the documentation. No clue what my implementation is doing wrong, and because of the nature of hashing, there is no way to know. Specifically: The web is full of implementations of FNV-1a and MurmurHash3, and they all produce different hashes for the same input. Can we get the proper hashes for some sample strings, so we know which is the “correct” one? Similarly, different implementations use different encodings for the strings to hash. Which should we use here? The formulas for numberOfBits and numberOfHashes give Doubles and assign them to Ints. It seems we should do this conversing by rounding them, is this correct? Can we get a sample correct value for the combined hash, so we can verify our implementations against it? Or ignoring all of the above, can we have the actual code instead of a textual description of it? 😓 I managed to get Settings to register my first attempt at this extension in beta 1. Now, in beta 2, any other project (including the sample code) will redirect to Settings, show the Allow/Deny message box, I tap Allow, and then nothing happens. This must be a bug, right? Whenever I try to enable the only extension that Settings accepted (by setting its isEnabled to true), its status goes to .stopped and the error is, of course, .unknown. How do I debug this? While the extension is .stopped, ALL URL LOADS are blocked on the device. Is this to be expected? (shouldFailClosed is set to false) Is there any way to manually reload the bloom filter? My app ships blocklist updates with background push, so it would be wasteful to fetch the filter at a fixed interval. If so, can we opt out of the periodic fetch altogether? I initially believed the API to be near useless because I didn’t know of its “fuzzy matching” capabilities, which I’ve discovered by accident in a forum post. It’d be nice if those were documented somewhere! Thanks!!

My team is developing an enterprise VPN application that needs to respond to Mobile Device Management (MDM) profile installations and removals in real-time. Our app uses the NetworkExtension framework and needs to update the UI immediately when VPN configurations are added or removed via MDM. We are currently observing NEVPNConfigurationChangeNotification to detect VPN configuration changes: While NEVPNConfigurationChangeNotification fires reliably when users manually remove VPN profiles through Settings > General > VPN & Device Management, it appears to have inconsistent behavior when MDM profiles containing VPN configurations are installed programmatically via MDM systems. STEPS TO REPRODUCE From MDM Admin Console: Deploy a new VPN profile to the test device On Device: Wait for MDM profile installation (usually silent, no user interaction required) Check Device Settings: Go to Settings > General > VPN & Device Management to confirm profile is installed Return to App: Check if the UI shows the new VPN profile

Dear Apple Support Team, Thank you for your continued support. I would like to inquire about the behavior of CallKit. Our company provides an office PBX extension phone application (iPhone app). When the iPhone is placed into sleep mode (screen off) and our app receives an incoming call, the following sequence sometimes results in an audio playback panel appearing at the bottom of the lock screen for a few seconds after the call ends(See attachment file for detail). Sequence to reproduce the issue: Put the iPhone into sleep mode (screen off). Receive an incoming call to our extension phone app. CallKit incoming call screen appears. Answer the call. Conduct the call. End the call from the peer. iOS versions with confirmed behavior: iOS 26.0: Not observed. iOS 26.2: Observed. iOS 26.3: Not observed. This behavior does not affect the call functionality itself; however, some users report that the temporary appearance of the audio playback panel feels unusual. If there is any known reason for this behavior or any recommended workaround, we would greatly appreciate your guidance. Additionally, if this is a known issue that was addressed in iOS 26.3, we would appreciate any information you can provide regarding that as well. Thank you very much for your assistance.

I have been toying around with the URL filter API, and now a few installed configurations have piled up. I can't seem to remove them. I swear a few betas ago I could tap on one and then delete it. But now no tap, swipe, or long press does anything. Is this a bug?

Hi! I recently had an idea to build an iOS app that allows users to create a system-level block of specified web domains by curating a "blacklist" on their device. If the user, for instance, inputs "*example.com" to their list, their iPhone would be blocked from relaying that network traffic to their ISP/DNS, and hence return an error message ("iPhone can't open the page because the address is invalid") instead of successfully fetching the response from example.com's servers. The overarching goal of this app would be to allow users to time-block their use of specified websites/apps and grant them greater agency over their technology consumption, and I thought that an app that blocks traffic at the network level, combined with the ability to control when to/not to allow access, would be a powerful alternative to the existing implementations out there that work more on the browser-level (eg. via Safari extension, which is isolated to the scope of user's Safari browser) or via Screen Time (which can be easy to bypass by inputting one's passcode). Another thing to mention is that since the app would serve as a local DNS proxy (instead of relying on a third party DNS resolver), none of their internet activity will be collected/transmitted off-device and be used for commercial purposes. I feel particularly driven to create a privacy-centered app in this way, since no user data needs to be harvested to implement this kind of filtering. I'd also love to get suggestions for a transparent privacy policy that respects users control over their device. With all this said, I found that the Network Extension APIs may be the only way that an app like this could be built on iOS and, I wanted to ask if the above-mentioned use case of Network Extension would be eligible to be granted access to its entitlement before I go ahead and purchase the $99/year Apple Developer Program membership. Happy to provide further information, and I'd also particularly be open to any mentions of existing solutions out there (since I might have missed some in my search). Maybe something like this already exists, in which case it'd be great to know in any case! :). Thank you so much in advance!

I'm building a content filtering app using NEURLFilterManager and NEURLFilterControlProvider (introduced in iOS 26). The app uses a PIR server for privacy-preserving URL filtering. Everything works with development-signed builds, but App Store export validation rejects: Entitlement value "url-filter-provider" for com.apple.developer.networking.networkextension — "not supported on iOS" I have "Network Extensions" enabled on my App IDs in the developer portal, but the provisioning profiles don't seem to include url-filter-provider, and I don't see a URL filter option in the Capability Requests tab. What I've tried: Entitlement values: url-filter-provider, url-filter — both rejected at export Extension points: com.apple.networkextension.url-filter, com.apple.networkextension.url-filter-control — both rejected Regenerating provisioning profiles after enabling Network Extensions capability My setup: iOS 26, Xcode 26 Main app bundle: com.pledgelock.app URL filter extension bundle: com.pledgelock.app.url-filter PIR server deployed and functional Is there a specific request or approval process needed for the url-filter-provider entitlement? The WWDC25 session "Filter and tunnel network traffic with NetworkExtension" mentions this entitlement but I can't find documentation on how to get it approved for distribution. Any guidance appreciated. Thanks!

Hello, We are implementing a Transparent Proxy using NETransparentProxyProvider and configuring NETransparentProxyNetworkSettings with NENetworkRule. Currently, NENetworkRule requires: NENetworkRule( destinationHost: NWHostEndpoint(hostname: String, port: String), protocol: .TCP / .UDP / .any ) NWHostEndpoint.port accepts only a single port value (as a String) or an empty string for all ports. At present, we are creating a separate NENetworkRule for each port in the range (ex for range 49152–65535 approximately 16,384 rules). After deploying this configuration, we observe the following behavior: nesessionmanager starts consuming very high CPU (near 100%) The system becomes unresponsive The device eventually hangs and restarts automatically The behavior resembles a kernel panic scenario This strongly suggests that creating thousands of NENetworkRule entries may not be a supported or scalable approach. Questions: Is there any officially supported way to specify a port range in NENetworkRule? Is creating thousands of rules (one per port) considered acceptable or supported? Is the recommended design to intercept broadly (e.g., port = "") and filter port ranges inside handleNewTCPFlow / handleNewUDPFlow instead? Are there documented system limits for the number of NENetworkRule entries allowed in NETransparentProxyNetworkSettings?

Hi, I’m implementing a NetworkExtension content filter provider on iOS and I can’t get it to activate on device. I have an iOS app (App Store distribution) with a content filter provider extension (NEFilterDataProvider). The app builds, installs, and runs fine, and the extension is embedded correctly. Entitlements appear to be set for both the app and the extension, and the extension’s Info.plist is configured as expected. However, when I try to enable the filter via NEFilterManager (loadFromPreferences → set configuration → isEnabled = true → saveToPreferences), saveToPreferences fails with NEFilterErrorDomain code 1 and the message “Configuration invalid or read/write failed.” The extension never starts and startFilter() is never called. Main app bundle ID: uk.co.getnovi.student Extension bundle ID: uk.co.getnovi.student.NoviContentFilter Extension type: NEFilterDataProvider We are testing on an iPhone 15 running iOS 18.6.2 (22G100). This app is intended for education use on student-owned personal iPhones installed from the App Store. The devices we are testing on are not supervised and not enrolled in MDM. We already use the Family Controls framework (ManagedSettings) for app restrictions and have the com.apple.developer.family-controls entitlement enabled for App Store distribution. I’ve read TN3134 and noticed content filter providers on iOS are described as “supervised devices only” in general, with additional notes around iOS 15.0 for “apps using Screen Time APIs” and iOS 16.0 for “per-app on managed devices,” plus a note that in the Screen Time case content filters are only supported on child devices. My question is whether this error is what you’d expect when attempting to enable a content filter provider on a non-supervised, non-managed device, or whether this should still work if the entitlement and configuration are correct. If non-supervised devices are not supported, is there any supported path for enabling NEFilter on iOS without supervision/MDM (for example via the Screen Time / Family Controls child authorization pathway), or will the system always refuse to enable the filter on standard devices? TLDR: is NEFilterDataProvider supported on non-supervised devices for consumer App Store apps, or is this a platform restriction that cannot be worked around? Thanks, Matt

I have a network extension that hosts a NEFilterDataProvider & NETransparentProxyProvider. One of the use case that this caters to is : Proxy some flows (depending on originating app) while Content filter is also filtering flows based on business logic. The issue I am running into happens when FilterDataProvider sees a flow & responds with filterDataVerdict(withFilterInbound: false, peekInboundBytes: 0, filterOutbound: true, peekOutboundBytes:1024 to handleNewFlow(_ flow: NEFilterFlow) [wants to peek more bytes on outbound connection before making a decision] TransparentProxyProvider sees the flow & responds with NO to handleNewFlow(_ flow: NEAppProxyFlow) as it is not interested in in proxying that flow. When this occurs, we see connection being dropped by kernel. I wanted to know if this is expected behavior. Logs when this occurs: 2026-02-06 14:57:09.725854-0600 0x17c918f Default 0x0 569 0 com.test.networkextension: (NetworkExtension) [com.apple.networkextension:] [Extension com.test.network]: provider rejected new flow TCP headless_shell[{length = 20, bytes = 0xe69023e655b6065e1a2f94fa508807fa43f6ac8a}] remote: 100.72.0.3:443 interface utun9 2026-02-06 14:57:09.725874-0600 0x17ca166 Debug 0x0 569 0 com.test.networkextension: (NetworkExtension) [com.apple.networkextension:] New flow verdict for D89B5B5D-793C-4940-D955-37BE33F18005: drop = NO remediate = NO needRules = NO shouldReport = YES pause = NO urlAppendString = NO filterInbound = NO peekInboundBytes = 0 filterOutbound = YES peekOutboundBytes = 1024 statisticsReportFrequency = low 2026-02-06 14:57:09.726009-0600 0x17ca24a Default 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Closing reads (sending SHUT_WR), closed by plugin (flow error: 0) 2026-02-06 14:57:09.726028-0600 0x17ca24a Default 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Closing writes, sending SHUT_RD 2026-02-06 14:57:09.726040-0600 0x17ca24a Debug 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Dropping the director 2026-02-06 14:57:09.726047-0600 0x17ca24a Default 0x0 569 0 com.test.networkextension: (libnetworkextension.dylib) [com.apple.networkextension:] (410011084): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0 I wanted to know how neagent is handling this when for a flow, filterDataProvider wants to look at the traffic while transparentProxy is not interested in handling that flow

I have an iOS app with a network extension that's using OSLog to log various bits of information that are useful for debugging. I'm currently trying to add a simple button that bundles up those logs with some other information and presents the user with a Share sheet so they can send it to support teams. I looked at OSLogStore but it only collects logs for the current process so the user clicking a button in my app wouldn't collect logs from my network extension. I would really like to avoid having to guide users through the process of creating and sharing a sysdiagnose but it seems like this might be the only option. How do other folks do this kind of thing? Is there a recommended way to do it?

I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension. Environment macOS: Sequoia (15.7.2) Xcode: 26.2 Distribution: Developer ID + notarization, deployed via MDM Host bundle ID: com.mydns.agent.MyDNSMacProxy DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy Host entitlements (Release): File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>B234657989.com.mydns.agent.MyDNSMacProxy</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>dns-proxy</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>B234657989</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.mydns.MyDNSmac</string> </array> <key>keychain-access-groups</key> <array> <string>B234657989.*</string> </array> </dict> </plist> xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release : PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5 CODE_SIGN_IDENTITY = Developer ID Application Host Developer ID profile main_MyDNSMacProxy5.provisionprofile (via security cms -D): "Entitlements" => { "com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy" "com.apple.developer.team-identifier" => "B234657989" "com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ] "keychain-access-groups" => [ "B234657989.*" ] "com.apple.developer.system-extension.install" => 1 "com.apple.developer.networking.networkextension" => [ "packet-tunnel-provider-systemextension", "app-proxy-provider-systemextension", "content-filter-provider-systemextension", "dns-proxy-systemextension", "dns-settings", "relay", "url-filter-provider", "hotspot-provider" ] } So: App ID, team ID, keychain and system‑extension.install match. The profile’s com.apple.developer.networking.networkextension is a superset of what I request in the host entitlements (dns-proxy only). System extension (for context) DNS Proxy system extension target: NSExtensionPointIdentifier = com.apple.dns-proxy NetworkExtension → NEProviderClasses → com.apple.networkextension.dns-proxy → my provider class Entitlements: com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"] This target uses a separate Developer ID profile and builds successfully. Xcode error Release build of the host fails with: …MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy') Xcode UI also says: Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension. Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements. Questions: For com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here just dns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match? Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension: Host entitlements: ["dns-proxy"] System extension entitlements: ["dns-proxy-systemextension"] Host profile’s NE array includes the DNS Proxy system extension types. If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround? Thanks for any guidance.

Hi, I’m implementing a NetworkExtension content filter provider on iOS and I can’t get it to activate on device. I have an iOS app (App Store distribution) with a content filter provider extension (NEFilterDataProvider). The app builds, installs, and runs fine, and the extension is embedded correctly. Entitlements appear to be set for both the app and the extension, and the extension’s Info.plist is configured as expected. However, when I try to enable the filter via NEFilterManager (loadFromPreferences → set configuration → isEnabled = true → saveToPreferences), saveToPreferences fails with NEFilterErrorDomain code 1 and the message “Configuration invalid or read/write failed.” The extension never starts and startFilter() is never called. Main app bundle ID: uk.co.getnovi.student Extension bundle ID: uk.co.getnovi.student.NoviContentFilter Extension type: NEFilterDataProvider We are testing on an iPhone 15 running iOS 18.6.2 (22G100), the app is designed to run on iPhone. This app is intended for education use on student-owned personal iPhones installed from the App Store. The devices we are testing on are not supervised and not enrolled in MDM. We already use the Family Controls framework (ManagedSettings) for app restrictions and have the com.apple.developer.family-controls entitlement enabled for App Store distribution. I’ve read TN3134 and noticed content filter providers on iOS are described as “supervised devices only” in general, with additional notes around iOS 15.0 for “apps using Screen Time APIs” and iOS 16.0 for “per-app on managed devices,” plus a note that in the Screen Time case content filters are only supported on child devices. My question is whether this error is what you’d expect when attempting to enable a content filter provider on a non-supervised, non-managed device, or whether this should still work if the entitlement and configuration are correct. If non-supervised devices are not supported, is there any supported path for enabling NEFilter on iOS without supervision/MDM (for example via the Screen Time / Family Controls child authorization pathway), or will the system always refuse to enable the filter on standard devices? In summary: is NEFilterDataProvider supported on non-supervised devices for consumer App Store apps, or is this a platform restriction that cannot be worked around? Thanks, Matt

Description I am seeing a consistent crash in a NEDNSProxyProvider on iOS when migrating from completion handlers to the new Swift Concurrency async/await variants of readDatagrams() and writeDatagrams() on NEAppProxyUDPFlow. The crash occurs inside the Swift Concurrency runtime during task resumption. Specifically, it seems the Task attempts to return to the flow’s internal serial executor (NEFlow queue) after a suspension point, but fails if the flow was invalidated or deallocated by the kernel while the task was suspended. Error Signature Thread 4: EXC_BAD_ACCESS (code=1, address=0x28) Thread 4 Queue : NEFlow queue (serial) #0 0x000000018fe919cc in swift::AsyncTask::flagAsAndEnqueueOnExecutor () #9 0x00000001ee25c3b8 in _pthread_wqthread () Steps The crash is highly timing-dependent. To reproduce it reliably: Use an iOS device with Developer Settings enabled. Go to Developer > Network Link Conditioner -> High Latency DNS. Intercept a DNS query and perform a DoH (DNS-over-HTTPS) request using URLSession. The first few network requests should trigger the crash Minimum Working Example (MWE) class DNSProxyProvider: NEDNSProxyProvider { override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { guard let udpFlow = flow as? NEAppProxyUDPFlow else { return false } Task(priority: .userInitiated) { await handleUDPFlow(udpFlow) } return true } func handleUDPFlow(_ flow: NEAppProxyUDPFlow) async { do { try await flow.open(withLocalFlowEndpoint: nil) while !Task.isCancelled { // Suspension point 1: Waiting for datagrams let (flowData, error) = await flow.readDatagrams() if let error { throw error } guard let flowData, !flowData.isEmpty else { return } var responses: [(Data, Network.NWEndpoint)] = [] for (data, endpoint) in flowData { // Suspension point 2: External DoH resolution let response = try await resolveViaDoH(data) responses.append((response, endpoint)) } // Suspension point 3: Writing back to the flow // Extension will crash here on task resumption try await flow.writeDatagrams(responses) } } catch { flow.closeReadWithError(error) flow.closeWriteWithError(error) } } private func handleFlowData(_ packet: Data, endpoint: Network.NWEndpoint, using parameters: NWParameters) async throws -> Data { let url = URL(string: "https://dns.google/dns-query")! var request = URLRequest(url: url) request.httpMethod = "POST" request.httpBody = packet request.setValue("application/dns-message", forHTTPHeaderField: "Content-Type") let (data, _) = try await URLSession.shared.data(for: request) return data } } Crash Details & Analysis The disassembly at the crash point indicates a null dereference of an internal executor pointer (Voucher context): ldr x20, [TPIDRRO_EL0 + 0x340] ldr x0, [x20, #0x28] // x20 is NULL/0x0 here, resulting in address 0x28 It appears that NEAppProxyUDPFlow’s async methods bind the Task to a specific internal executor. When the kernel reclaims the flow memory, the pointer in x20 becomes invalid. Because the Swift runtime is unaware that the NEFlow queue executor has vanished, it attempts to resume on non-existing flow and then crashes. Checking !Task.isCancelled does not prevent this, as the crash happens during the transition into the task body before the cancellation check can even run. Questions Is this a known issue of the NetworkExtension async bridge? Why does Task.isCancelled not reflect the deallocation of the underlying NEAppProxyFlow? Is the only safe workaround? Please feel free to correct me if I misunderstood anything here. I'll be happy to hear any insights or suggestions :) Thank you!

I added a Content Filter to my app, and when running it in Xcode (Debug/Release), I get the expected permission prompt: "Would like to filter network content (Allow / Don't Allow)". However, when I install the app via TestFlight, this prompt doesn’t appear at all, and the feature doesn’t work. Is there a special configuration required for TestFlight? Has anyone encountered this issue before? Thanks!