What's New / Connectivity & Hardware

What's new in NetworkExtension

+19 NewiOS · macOS · tvOS

NetworkExtension is Apple's framework for network features including VPN configurations and tunnels, Wi-Fi hotspot integration, content filters, and DNS proxies. It covers per-app and system VPN routing and IKEv2 connection settings.

The 27 SDK adds 19 APIs with no deprecations or removals. New types are the IPFamily and ReportFormat enums and the ParsingConfiguration struct. New symbols cover routing and traffic controls (excludeCellularServices, excludeAPNs, excludeDeviceCommunication, enforceRoutes, includeAllNetworks, excludeLocalNetworks), IKEv2 TLS 1.3 via NEVPNIKEv2TLSVersion.version1_3, matchMissionCriticalService, and the reporting fields reportEndpoint and reportInterval.

New

19
var

enforceRoutes

NewiOSmacOStvOS
open var enforceRoutes: Bool
var

excludeAPNs

NewiOSmacOStvOS
open var excludeAPNs: Bool
var

excludeCellularServices

NewiOSmacOStvOS
open var excludeCellularServices: Bool
var

excludeDeviceCommunication

NewiOSmacOStvOS
open var excludeDeviceCommunication: Bool
var

excludeLocalNetworks

NewiOSmacOStvOS
open var excludeLocalNetworks: NEPacketTunnelNetworkSettings.IPFamily
var

includeAllNetworks

NewiOSmacOStvOS
open var includeAllNetworks: NEPacketTunnelNetworkSettings.IPFamily
var

matchMissionCriticalService

NewiOS
open var matchMissionCriticalService: Bool
extension

NEURLFilterManager.ReportFormat

NewiOSmacOS
extension NEURLFilterManager.ReportFormat : Equatable
Declaration
extension NEURLFilterManager.ReportFormat : Equatable {
}
extension

NEURLFilterManager.ReportFormat

NewiOSmacOS
extension NEURLFilterManager.ReportFormat : Hashable
Declaration
extension NEURLFilterManager.ReportFormat : Hashable {
}
struct

ParsingConfiguration

NewiOSmacOS
public struct ParsingConfiguration : Sendable

URL parsing configuration for controlling which URL components to exclude and parsing behavior during sub-URL enumeration. By default, all components (except Scheme and www subdomain) are included and parsing is case-insensitive. All possible sub-URL combinations are enumerated by walking up both the domain hierarchy and path hierarchy, including intermediate results.

For example:

  • domain hierarchy (e.g., a.b.c.com -> a.b.c.com, b.c.com, c.com)
  • path hierarchy (e.g., /a/b/c -> /a, /a/b, /a/b/c)
  • intermediate pattern combinations (e.g., example.com/a/b/c?id=123 -> example.com,

example.com/a, example.com/a/b, example.com/a/b/c, example.com/a/b/c?id=123)

Use this configuration to change the default behavior.

Declaration
public struct ParsingConfiguration : Sendable {

    /// Creates a new parsing configuration with default values.
    ///
    /// Default behavior:
    /// - Domain, path, query and fragment are included, Scheme and WWW are excluded
    /// - Parsing is case-insensitive
    /// - All possible sub-URL combinations are enumerated
    public init(excludeScheme: Bool = true, domain: NEURLFilterManager.ParsingConfiguration.DomainOptions = DomainOptions(), path: NEURLFilterManager.ParsingConfiguration.PathOptions = PathOptions(), query: NEURLFilterManager.ParsingConfiguration.QueryOptions = QueryOptions(), excludeFragment: Bool = false, excludeIntermediates: Bool = false, caseSensitive: Bool = false)

    public var excludeScheme: Bool

    public var domain: NEURLFilterManager.ParsingConfiguration.DomainOptions

    public var path: NEURLFilterManager.ParsingConfiguration.PathOptions

    public var query: NEURLFilterManager.ParsingConfiguration.QueryOptions

    public var excludeFragment: Bool

    public var excludeIntermediates: Bool

    public var caseSensitive: Bool

    public struct DomainOptions : Sendable {

        /// Creates a new domain options configuration with default values.
        ///
        /// Default behavior:
        /// - Domain is included
        /// - WWW prefix is stripped
        /// - All domain levels are kept
        /// - Domain hierarchy enumeration is enabled
        public init(excluded: Bool = false, stripWWW: Bool = true, levels: UInt = 0, enumerateHierarchy: Bool = true)

        /// Excludes the domain component from URL parsing.
        /// When true, all other options on this type are ignored.
        public var excluded: Bool

        public var stripWWW: Bool

        /// Max domain levels to keep. `0` means keep all domains.
        /// E.g. `levels = 2` keeps `example.com` from `www.sub.example.com`
        public var levels: UInt

        /// Walk the domain hierarchy for matching
        public var enumerateHierarchy: Bool
    }

    public struct PathOptions : Sendable {

        /// Creates a new path options configuration with default values.
        ///
        /// Default behavior:
        /// - Path is included
        /// - All path segments are kept
        /// - Path hierarchy enumeration is enabled
        public init(excluded: Bool = false, segments: UInt = 0, enumerateHierarchy: Bool = true)

        /// Excludes the path component from URL parsing.
        /// When true, all other options on this type are ignored.
        public var excluded: Bool

        /// Max path segments to keep. `0` means keep all path segments.
        /// E.g. `segments = 2` keeps `/a/b` from `/a/b/c/d`
        public var segments: UInt

        /// Walk the path hierarchy for matching
        public var enumerateHierarchy: Bool
    }

    public struct QueryOptions : Sendable {

        /// Creates a new query options configuration with default values.
        ///
        /// Default behavior:
        /// - Query is included
        /// - All query parameters are kept
        public init(excluded: Bool = false, parameters: [String]? = nil)

Truncated.

var

reportEndpoint

NewiOSmacOS
public var reportEndpoint: String?

Configure the report endpoint to enable periodic blocked URL reporting. Reports will be posted to the specified report endpoint on the PIR server URL, i.e. <URL server URL>/<report endpoint> at the specified interval. An HTTPS POST request will be sent to the specified PIR server URL report endpoint. The data of the request will be the list of blocked URLs accumulated during the last report interval. Report will not be sent if there is no blocked URLs in the last interval. The report requests will be authenticated and sent over the same OHTTP relay as the PIR traffic. Due to scheduling mechanism on the system, implementation should allow slight deviation between the scheduled time and the actual execution time of the task. Reporting will take effect on supervised devices only. Setting this property on a non-supervised device has no effect. The configuration will be saved successfully, but no reports will be sent. If nil, reporting will be disabled.

var

reportFormat

NewiOSmacOS
public var reportFormat: NEURLFilterManager.ReportFormat

The format for blocked URL reports. Supported values: "json" or "protobuf". Default is "json".

JSON Format Details: The output uses standard JSON format with a simple array of strings. The structure is:

[
	"example.com",
	"example2.com",
	"example3.com"
]

Protobuf Format Details: The output uses Protocol Buffers wire format with manual encoding for a repeated string field. Each URL entry follows this binary structure:

  • Field Tag: 1 byte (0x0A = field number 1, wire type 2 for length-delimited)
  • String Length: Variable-length integer (varint) encoding the byte length of the URL string
  • String Data: UTF-8 encoded URL bytes

For strings under 128 bytes, the length is a single byte. For longer strings, varint encoding is used where each byte has the MSB set (0x80) except the final byte.

Example encoding for URL "https://example.com": [0x0A] [0x13] [h][t][t][p][s][:][/][/][e][x][a][m][p][l][e][.][c][o][m] ^tag ^len=19 ^----------------------- 19 bytes of UTF-8 string data ----------------------^

enum

ReportFormat

NewiOSmacOS
public enum ReportFormat : Sendable

Report format types for blocked URL reporting

Declaration
public enum ReportFormat : Sendable {

    /// JSON format for reports.
    case json

    /// Protocol Buffers format for reports.
    case protobuf

    /// Returns a Boolean value indicating whether two values are equal.
    ///
    /// Equality is the inverse of inequality. For any values `a` and `b`,
    /// `a == b` implies that `a != b` is `false`.
    ///
    /// - Parameters:
    ///   - lhs: A value to compare.
    ///   - rhs: Another value to compare.
    public static func == (a: NEURLFilterManager.ReportFormat, b: NEURLFilterManager.ReportFormat) -> Bool

    /// Hashes the essential components of this value by feeding them into the
    /// given hasher.
    ///
    /// Implement this method to conform to the `Hashable` protocol. The
    /// components used for hashing must be the same as the components compared
    /// in your type's `==` operator implementation. Call `hasher.combine(_:)`
    /// with each of these components.
    ///
    /// - Important: In your implementation of `hash(into:)`,
    ///   don't call `finalize()` on the `hasher` instance provided,
    ///   or replace it with a different instance.
    ///   Doing so may become a compile-time error in the future.
    ///
    /// - Parameter hasher: The hasher to use when combining the components
    ///   of this instance.
    public func hash(into hasher: inout Hasher)

    /// The hash value.
    ///
    /// Hash values are not guaranteed to be equal across different executions of
    /// your program. Do not save hash values to use during a future execution.
    ///
    /// - Important: `hashValue` is deprecated as a `Hashable` requirement. To
    ///   conform to `Hashable`, implement the `hash(into:)` requirement instead.
    ///   The compiler provides an implementation for `hashValue` for you.
    public var hashValue: Int { get }
}
var

reportInterval

NewiOSmacOS
public var reportInterval: TimeInterval

The time interval at which the system will send reports of blocked URLs. Default interval is 86400 seconds (1 day). Minimum interval allowed is 3600 seconds (1 hour).

func

setURLParsingRegularExpression

NewiOSmacOS
public func setURLParsingRegularExpression(_ pattern: String?) throws

To set the urlParsingRegularExpression property. This allows for custom URL parsing patterns beyond the standard parsing options. The specified regular expression will be used to parse the URL before matching against the specified data set. URL parsing with regular expression is case insensitive.

The specified regular expression must use the standard name captured group syntax (e.g. "https?://(?<host>[^/]+)" captures the domain using group name 'host'). The group names in the regular expression are custom labels (limited to ASCII alphanumeric characters), selected by you. The delimiter is the space character. The result will be a single string in the following format: <group-1-name>=<group-1-value> <group-2-name>=<group-2-value> <group-3-name>=... where each name-value pair is separated by a space.

  • throws
  • Error : An error if the pattern is invalid.

Any regular expression without any name captured group is invalid and will result in error. For regular expressions that contains a mix of name captured groups and other type of captured groups, only the name captured groups will be included in the result. If urlParsingRegularExpression is specified, urlParsingConfiguration will have no effect.

Parameters

pattern
The regular expression pattern string, or nil to clear the current pattern.
var

urlParsingConfiguration

NewiOSmacOS
public var urlParsingConfiguration: NEURLFilterManager.ParsingConfiguration

URL parsing configuration that controls which URL components are excluded and parsing behavior in the filtering process. This determines how URLs are parsed and what sub-URLs are generated for matching against the filter data set. For any excluded component (domain, path, query, and fragment), the string "%*" will be substituted in place as a placeholder. Excluded scheme and www prefix are always stripped entirely without a placeholder, as URL matching typically does not require them. For example, for the requested URL "https://www.example.com/a/b/c?id=123#fragment", with the configuration set

var config = manager.urlParsingConfiguration
config.excludeScheme = true
config.domain.stripWWW = true
config.path.excluded = true
manager.urlParsingConfiguration = config

the parsing result will be "example.com/%*?id=123#fragment" where "%*" acts as the placeholder for the excluded path component. The presence of a placeholder indicates the original URL contained that component, but it was excluded by the parsing configuration. By default, Scheme and www subdomain are excluded. If urlParsingRegularExpression is set, this configuration has no effect.

var

urlParsingRegularExpression

NewiOSmacOS
public var urlParsingRegularExpression: String? { get }

A regular expression used for advanced URL parsing. This allows for custom URL parsing patterns beyond the standard parsing options. The specified regular expression will be used to parse the URL before matching against the specified data set. URL parsing with regular expression is case insensitive. This get-only property returns a String regex pattern if one has been set. Otherwise returns nil. To set this property, use setURLParsingRegularExpression(_:) which validates the pattern.

enum

NEPacketTunnelNetworkSettings.IPFamily

NewiOSmacOStvOS
public enum IPFamily : Int, @unchecked Sendable

NEPacketTunnelNetworkSettings IP Family types

Declaration
public enum IPFamily : Int, @unchecked Sendable {

    /** @const NEPacketTunnelNetworkSettingsIPFamilyNone None */
    case none = 0

    /** @const NEPacketTunnelNetworkSettingsIPFamilyAny Any IP family, i.e. IPv4, IPv6 */
    case any = 1

    /** @const NEPacketTunnelNetworkSettingsIPFamilyIPv4 IPv4 only */
    case iPv4 = 2

    /** @const NEPacketTunnelNetworkSettingsIPFamilyIPv6 IPv6 only. */
    case iPv6 = 3
}
case

NEVPNIKEv2TLSVersion.version1_3

NewiOSmacOStvOS
case version1_3 = 4

No APIs match your filter.

← More in Connectivity & Hardware