]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/net/necp.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-7195.81.3.tar.gz
[apple/xnu.git] / bsd / net / necp.c
diff --git a/bsd/net/necp.c b/bsd/net/necp.c
index e40268c30a510fec642b7ee5ea67bf4a51208e28..a06dc3914133efd2a11e1c66f3d7e90a8a826852 100644 (file)
--- a/bsd/net/necp.c
+++ b/bsd/net/necp.c
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (c) 2013-2020 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
@@ -29,10 +29,8 @@
 #include <string.h>
 #include <sys/systm.h>
 #include <sys/types.h>
 #include <string.h>
 #include <sys/systm.h>
 #include <sys/types.h>
-#include <sys/syslog.h>
 #include <sys/queue.h>
 #include <sys/malloc.h>
 #include <sys/queue.h>
 #include <sys/malloc.h>
-#include <libkern/OSMalloc.h>
 #include <sys/kernel.h>
 #include <sys/kern_control.h>
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/kern_control.h>
 #include <sys/mbuf.h>
@@ -43,12 +41,18 @@
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
+#include <sys/coalition.h>
+#include <sys/ubc.h>
+#include <sys/codesign.h>
+#include <kern/cs_blobs.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
 #include <netinet/tcp_var.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
 #include <netinet/tcp_var.h>
+#include <netinet/tcp_cache.h>
 #include <netinet/udp.h>
 #include <netinet/in_pcb.h>
 #include <netinet/udp.h>
 #include <netinet/in_pcb.h>
+#include <netinet/in_tclass.h>
 #include <netinet6/esp.h>
 #include <net/flowhash.h>
 #include <net/if_var.h>
 #include <netinet6/esp.h>
 #include <net/flowhash.h>
 #include <net/if_var.h>
@@ -57,14 +61,21 @@
 #include <sys/sysproto.h>
 #include <sys/priv.h>
 #include <sys/kern_event.h>
 #include <sys/sysproto.h>
 #include <sys/priv.h>
 #include <sys/kern_event.h>
+#include <sys/file_internal.h>
+#include <IOKit/IOBSD.h>
+#include <libkern/crypto/rand.h>
+#include <corecrypto/cchmac.h>
+#include <corecrypto/ccsha2.h>
+#include <os/refcnt.h>
 #include <net/network_agent.h>
 #include <net/necp.h>
 #include <net/network_agent.h>
 #include <net/necp.h>
+#include <netinet/flow_divert_proto.h>
 
 /*
  * NECP - Network Extension Control Policy database
  * ------------------------------------------------
  * The goal of this module is to allow clients connecting via a
 
 /*
  * NECP - Network Extension Control Policy database
  * ------------------------------------------------
  * The goal of this module is to allow clients connecting via a
- * kernel control socket to create high-level policy sessions, which
+ * policy file descriptor to create high-level policy sessions, which
  * are ingested into low-level kernel policies that control and tag
  * traffic at the application, socket, and IP layers.
  *
  * are ingested into low-level kernel policies that control and tag
  * traffic at the application, socket, and IP layers.
  *
@@ -80,7 +91,7 @@
  * can specify the sub-order for each policy it creates which will be
  * used to further sort the kernel policies.
  *
  * can specify the sub-order for each policy it creates which will be
  * used to further sort the kernel policies.
  *
- *  Kernel Control Socket --> 1 necp_session --> list of necp_session_policy structs
+ *  Policy fd --> 1 necp_session --> list of necp_session_policy structs
  *
  * ------------------------------------------------
  * Kernel Policies
  *
  * ------------------------------------------------
  * Kernel Policies
@@ -105,7 +116,7 @@
  *    list is traversed to create optimized sub-lists ("Maps") which are used during
  *    data-path evaluation. IP policies are sent into necp_kernel_ip_output_policies_map,
  *    which hashes incoming packets based on marked socket-layer policies, and removes
  *    list is traversed to create optimized sub-lists ("Maps") which are used during
  *    data-path evaluation. IP policies are sent into necp_kernel_ip_output_policies_map,
  *    which hashes incoming packets based on marked socket-layer policies, and removes
- *    duplicate or overlapping polcies. Socket policies are sent into two maps,
+ *    duplicate or overlapping policies. Socket policies are sent into two maps,
  *    necp_kernel_socket_policies_map and necp_kernel_socket_policies_app_layer_map.
  *    The app layer map is used for policy checks coming in from user space, and is one
  *    list with duplicate and overlapping policies removed. The socket map hashes based
  *    necp_kernel_socket_policies_map and necp_kernel_socket_policies_app_layer_map.
  *    The app layer map is used for policy checks coming in from user space, and is one
  *    list with duplicate and overlapping policies removed. The socket map hashes based
@@ -130,101 +141,164 @@
 u_int32_t necp_drop_all_order = 0;
 u_int32_t necp_drop_all_level = 0;
 
 u_int32_t necp_drop_all_order = 0;
 u_int32_t necp_drop_all_level = 0;
 
-u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
+#define NECP_LOOPBACK_PASS_ALL         1  // Pass all loopback traffic
+#define NECP_LOOPBACK_PASS_WITH_FILTER 2  // Pass all loopback traffic, but activate content filter and/or flow divert if applicable
+
+#if defined(XNU_TARGET_OS_OSX)
+#define NECP_LOOPBACK_PASS_DEFAULT NECP_LOOPBACK_PASS_WITH_FILTER
+#else
+#define NECP_LOOPBACK_PASS_DEFAULT NECP_LOOPBACK_PASS_ALL
+#endif
+
+u_int32_t necp_pass_loopback = NECP_LOOPBACK_PASS_DEFAULT;
 u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
 u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
+u_int32_t necp_pass_interpose = 1; // 0=Off, 1=On
+u_int32_t necp_restrict_multicast = 1; // 0=Off, 1=On
+u_int32_t necp_dedup_policies = 0; // 0=Off, 1=On
 
 
-u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
+u_int32_t necp_drop_unentitled_order = 0;
+#ifdef XNU_TARGET_OS_WATCH
+u_int32_t necp_drop_unentitled_level = NECP_SESSION_PRIORITY_CONTROL + 1; // Block all unentitled traffic from policies below control level
+#else // XNU_TARGET_OS_WATCH
+u_int32_t necp_drop_unentitled_level = 0;
+#endif // XNU_TARGET_OS_WATCH
 
 
-u_int32_t necp_session_count = 0;
+u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
 
 
-#define        NECPLOG(level, format, ...) do {                                                                                        \
-       log((level > LOG_NOTICE ? LOG_NOTICE : level), "%s: " format "\n", __FUNCTION__, __VA_ARGS__);  \
-} while (0)
+os_log_t necp_log_handle = NULL;
 
 
-#define        NECPLOG0(level, msg) do {                                                                                       \
-       log((level > LOG_NOTICE ? LOG_NOTICE : level), "%s: %s\n", __FUNCTION__, msg);  \
-} while (0)
+u_int32_t necp_session_count = 0;
 
 
-#define        LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do {          \
-       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) {  \
-               LIST_INSERT_HEAD((head), elm, field);                                                                           \
-       } else {                                                                                                                                                \
-               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
-                       if (LIST_NEXT(tmpelm, field) == NULL || LIST_NEXT(tmpelm, field)->sortfield >= (elm)->sortfield) {      \
-                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
-                               break;                                                                                                                          \
-                       }                                                                                                                                               \
-               }                                                                                                                                                       \
-       }                                                                                                                                                               \
+ZONE_DECLARE(necp_session_policy_zone, "necp_session_policy",
+    sizeof(struct necp_session_policy), ZC_ZFREE_CLEARMEM | ZC_NOENCRYPT);
+ZONE_DECLARE(necp_socket_policy_zone, "necp_socket_policy",
+    sizeof(struct necp_kernel_socket_policy), ZC_ZFREE_CLEARMEM | ZC_NOENCRYPT);
+ZONE_DECLARE(necp_ip_policy_zone, "necp_ip_policy",
+    sizeof(struct necp_kernel_ip_output_policy), ZC_ZFREE_CLEARMEM | ZC_NOENCRYPT);
+
+#define LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do {          \
+       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) {  \
+               LIST_INSERT_HEAD((head), elm, field);                                                                           \
+       } else {                                                                                                                                                \
+               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
+                       if (LIST_NEXT(tmpelm, field) == NULL || LIST_NEXT(tmpelm, field)->sortfield >= (elm)->sortfield) {      \
+                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
+                               break;                                                                                                                          \
+                       }                                                                                                                                               \
+               }                                                                                                                                                       \
+       }                                                                                                                                                               \
 } while (0)
 
 } while (0)
 
-#define        LIST_INSERT_SORTED_TWICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, tmpelm) do {      \
-       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield))) {                                                                                                               \
-               LIST_INSERT_HEAD((head), elm, field);                                                                           \
-       } else {                                                                                                                                                \
-               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
-                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield))) {         \
-                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
-                               break;                                                                                                                          \
-                       }                                                                                                                                               \
-               }                                                                                                                                                       \
-       }                                                                                                                                                               \
+#define LIST_INSERT_SORTED_TWICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, tmpelm) do {      \
+       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield))) {                                                                                                               \
+               LIST_INSERT_HEAD((head), elm, field);                                                                           \
+       } else {                                                                                                                                                \
+               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
+                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield))) {         \
+                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
+                               break;                                                                                                                          \
+                       }                                                                                                                                               \
+               }                                                                                                                                                       \
+       }                                                                                                                                                               \
 } while (0)
 
 } while (0)
 
-#define        LIST_INSERT_SORTED_THRICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, thirdsortfield, tmpelm) do { \
-       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield == (elm)->secondsortfield) && (LIST_FIRST(head)->thirdsortfield >= (elm)->thirdsortfield))) {                                                                                                                      \
-               LIST_INSERT_HEAD((head), elm, field);                                                                           \
-       } else {                                                                                                                                                \
-               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
-                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield == (elm)->secondsortfield) && (LIST_NEXT(tmpelm, field)->thirdsortfield >= (elm)->thirdsortfield)))  { \
-                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
-                               break;                                                                                                                          \
-                       }                                                                                                                                               \
-               }                                                                                                                                                       \
-       }                                                                                                                                                               \
+#define LIST_INSERT_SORTED_THRICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, thirdsortfield, tmpelm) do { \
+       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield == (elm)->secondsortfield) && (LIST_FIRST(head)->thirdsortfield >= (elm)->thirdsortfield))) {                                                                                                                      \
+               LIST_INSERT_HEAD((head), elm, field);                                                                           \
+       } else {                                                                                                                                                \
+               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
+                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield == (elm)->secondsortfield) && (LIST_NEXT(tmpelm, field)->thirdsortfield >= (elm)->thirdsortfield)))  { \
+                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
+                               break;                                                                                                                          \
+                       }                                                                                                                                               \
+               }                                                                                                                                                       \
+       }                                                                                                                                                               \
 } while (0)
 
 } while (0)
 
-#define        NECP_KERNEL_CONDITION_ALL_INTERFACES    0x00001
-#define        NECP_KERNEL_CONDITION_BOUND_INTERFACE   0x00002
-#define        NECP_KERNEL_CONDITION_PROTOCOL                  0x00004
-#define        NECP_KERNEL_CONDITION_LOCAL_START               0x00008
-#define        NECP_KERNEL_CONDITION_LOCAL_END                 0x00010
-#define        NECP_KERNEL_CONDITION_LOCAL_PREFIX              0x00020
-#define        NECP_KERNEL_CONDITION_REMOTE_START              0x00040
-#define        NECP_KERNEL_CONDITION_REMOTE_END                0x00080
-#define        NECP_KERNEL_CONDITION_REMOTE_PREFIX             0x00100
-#define        NECP_KERNEL_CONDITION_APP_ID                    0x00200
-#define        NECP_KERNEL_CONDITION_REAL_APP_ID               0x00400
-#define        NECP_KERNEL_CONDITION_DOMAIN                    0x00800
-#define        NECP_KERNEL_CONDITION_ACCOUNT_ID                0x01000
-#define        NECP_KERNEL_CONDITION_POLICY_ID                 0x02000
-#define        NECP_KERNEL_CONDITION_PID                               0x04000
-#define        NECP_KERNEL_CONDITION_UID                               0x08000
-#define        NECP_KERNEL_CONDITION_LAST_INTERFACE    0x10000                 // Only set from packets looping between interfaces
-#define NECP_KERNEL_CONDITION_TRAFFIC_CLASS            0x20000
-#define NECP_KERNEL_CONDITION_ENTITLEMENT              0x40000
+#define IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(x)     ((x) == NECP_ROUTE_RULE_DENY_INTERFACE || (x) == NECP_ROUTE_RULE_ALLOW_INTERFACE)
+
+#define IS_NECP_DEST_IN_LOCAL_NETWORKS(rt) \
+    ((rt) != NULL && !((rt)->rt_flags & RTF_GATEWAY) && ((rt)->rt_ifa && (rt)->rt_ifa->ifa_ifp && !((rt)->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT)))
+
+#define NECP_KERNEL_CONDITION_ALL_INTERFACES            0x000001
+#define NECP_KERNEL_CONDITION_BOUND_INTERFACE           0x000002
+#define NECP_KERNEL_CONDITION_PROTOCOL                          0x000004
+#define NECP_KERNEL_CONDITION_LOCAL_START                       0x000008
+#define NECP_KERNEL_CONDITION_LOCAL_END                         0x000010
+#define NECP_KERNEL_CONDITION_LOCAL_PREFIX                      0x000020
+#define NECP_KERNEL_CONDITION_REMOTE_START                      0x000040
+#define NECP_KERNEL_CONDITION_REMOTE_END                        0x000080
+#define NECP_KERNEL_CONDITION_REMOTE_PREFIX                     0x000100
+#define NECP_KERNEL_CONDITION_APP_ID                            0x000200
+#define NECP_KERNEL_CONDITION_REAL_APP_ID                       0x000400
+#define NECP_KERNEL_CONDITION_DOMAIN                            0x000800
+#define NECP_KERNEL_CONDITION_ACCOUNT_ID                        0x001000
+#define NECP_KERNEL_CONDITION_POLICY_ID                         0x002000
+#define NECP_KERNEL_CONDITION_PID                                       0x004000
+#define NECP_KERNEL_CONDITION_UID                                       0x008000
+#define NECP_KERNEL_CONDITION_LAST_INTERFACE            0x010000                        // Only set from packets looping between interfaces
+#define NECP_KERNEL_CONDITION_TRAFFIC_CLASS                     0x020000
+#define NECP_KERNEL_CONDITION_ENTITLEMENT                       0x040000
+#define NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT        0x080000
+#define NECP_KERNEL_CONDITION_AGENT_TYPE                        0x100000
+#define NECP_KERNEL_CONDITION_HAS_CLIENT                        0x200000
+#define NECP_KERNEL_CONDITION_LOCAL_NETWORKS                    0x400000
+#define NECP_KERNEL_CONDITION_CLIENT_FLAGS                      0x800000
+#define NECP_KERNEL_CONDITION_LOCAL_EMPTY                       0x1000000
+#define NECP_KERNEL_CONDITION_REMOTE_EMPTY                      0x2000000
+#define NECP_KERNEL_CONDITION_PLATFORM_BINARY                   0x4000000
+#define NECP_KERNEL_CONDITION_SDK_VERSION                       0x8000000
+#define NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER                0x10000000
+#define NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS                0x20000000
+#define NECP_KERNEL_CONDITION_IS_LOOPBACK                       0x40000000
+
+#define NECP_MAX_POLICY_RESULT_SIZE                                     512
+#define NECP_MAX_ROUTE_RULES_ARRAY_SIZE                         1024
+#define NECP_MAX_CONDITIONS_ARRAY_SIZE                          4096
+#define NECP_MAX_POLICY_LIST_COUNT                                      1024
+
+typedef enum {
+       NECP_BYPASS_TYPE_NONE = 0,
+       NECP_BYPASS_TYPE_INTCOPROC = 1,
+       NECP_BYPASS_TYPE_LOOPBACK = 2,
+} necp_socket_bypass_type_t;
+
+// Cap the policy size at the max result + conditions size, with room for extra TLVs
+#define NECP_MAX_POLICY_SIZE                                            (1024 + NECP_MAX_POLICY_RESULT_SIZE + NECP_MAX_CONDITIONS_ARRAY_SIZE)
 
 struct necp_service_registration {
 
 struct necp_service_registration {
-       LIST_ENTRY(necp_service_registration)   session_chain;
-       LIST_ENTRY(necp_service_registration)   kernel_chain;
-       u_int32_t                                                               service_id;
+       LIST_ENTRY(necp_service_registration)   session_chain;
+       LIST_ENTRY(necp_service_registration)   kernel_chain;
+       u_int32_t                                                               service_id;
 };
 
 struct necp_session {
 };
 
 struct necp_session {
-       u_int32_t                                       control_unit;
-       u_int32_t                                       session_priority; // Descriptive priority rating
-       u_int32_t                                       session_order;
+       u_int8_t                                        necp_fd_type;
+       u_int32_t                                       control_unit;
+       u_int32_t                                       session_priority; // Descriptive priority rating
+       u_int32_t                                       session_order;
+
+       necp_policy_id                          last_policy_id;
+
+       decl_lck_mtx_data(, lock);
 
 
-       bool                                            proc_locked; // Messages must come from proc_uuid
-       uuid_t                                          proc_uuid;
-       int                                                     proc_pid;
+       bool                                            proc_locked; // Messages must come from proc_uuid
+       uuid_t                                          proc_uuid;
+       int                                                     proc_pid;
 
 
-       bool                                            dirty;
+       bool                                            dirty;
        LIST_HEAD(_policies, necp_session_policy) policies;
 
        LIST_HEAD(_services, necp_service_registration) services;
        LIST_HEAD(_policies, necp_session_policy) policies;
 
        LIST_HEAD(_services, necp_service_registration) services;
+
+       TAILQ_ENTRY(necp_session) chain;
 };
 
 };
 
+#define NECP_SESSION_LOCK(_s) lck_mtx_lock(&_s->lock)
+#define NECP_SESSION_UNLOCK(_s) lck_mtx_unlock(&_s->lock)
+
+static TAILQ_HEAD(_necp_session_list, necp_session) necp_session_list;
+
 struct necp_socket_info {
        pid_t pid;
        uid_t uid;
 struct necp_socket_info {
        pid_t pid;
        uid_t uid;
@@ -236,29 +310,28 @@ struct necp_socket_info {
        u_int32_t application_id;
        u_int32_t real_application_id;
        u_int32_t account_id;
        u_int32_t application_id;
        u_int32_t real_application_id;
        u_int32_t account_id;
+       u_int32_t drop_order;
+       u_int32_t client_flags;
        char *domain;
        errno_t cred_result;
        char *domain;
        errno_t cred_result;
+       unsigned has_client : 1;
+       unsigned is_platform_binary : 1;
+       unsigned used_responsible_pid : 1;
+       unsigned is_loopback : 1;
+       unsigned __pad_bits : 4;
 };
 
 };
 
-static kern_ctl_ref    necp_kctlref;
-static u_int32_t       necp_family;
-static OSMallocTag     necp_malloc_tag;
-static lck_grp_attr_t  *necp_kernel_policy_grp_attr    = NULL;
-static lck_attr_t              *necp_kernel_policy_mtx_attr    = NULL;
-static lck_grp_t               *necp_kernel_policy_mtx_grp             = NULL;
+static  lck_grp_attr_t  *necp_kernel_policy_grp_attr    = NULL;
+static  lck_attr_t              *necp_kernel_policy_mtx_attr    = NULL;
+static  lck_grp_t               *necp_kernel_policy_mtx_grp             = NULL;
 decl_lck_rw_data(static, necp_kernel_policy_lock);
 
 decl_lck_rw_data(static, necp_kernel_policy_lock);
 
-static lck_grp_attr_t  *necp_route_rule_grp_attr       = NULL;
-static lck_attr_t              *necp_route_rule_mtx_attr       = NULL;
-static lck_grp_t               *necp_route_rule_mtx_grp        = NULL;
+static  lck_grp_attr_t  *necp_route_rule_grp_attr       = NULL;
+static  lck_attr_t              *necp_route_rule_mtx_attr       = NULL;
+static  lck_grp_t               *necp_route_rule_mtx_grp        = NULL;
 decl_lck_rw_data(static, necp_route_rule_lock);
 
 decl_lck_rw_data(static, necp_route_rule_lock);
 
-static necp_policy_id necp_last_policy_id = 0;
-static necp_kernel_policy_id necp_last_kernel_policy_id = 0;
-static u_int32_t necp_last_uuid_id = 0;
-static u_int32_t necp_last_string_id = 0;
-static u_int32_t necp_last_route_rule_id = 0;
-static u_int32_t necp_last_aggregate_route_rule_id = 0;
+os_refgrp_decl(static, necp_refgrp, "NECPRefGroup", NULL);
 
 /*
  * On modification, invalidate cached lookups by bumping the generation count.
 
 /*
  * On modification, invalidate cached lookups by bumping the generation count.
@@ -266,20 +339,36 @@ static u_int32_t necp_last_aggregate_route_rule_id = 0;
  * the subsystem lock.
  */
 static volatile int32_t necp_kernel_socket_policies_gencount;
  * the subsystem lock.
  */
 static volatile int32_t necp_kernel_socket_policies_gencount;
-#define        BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT() do {                                                     \
-       if (OSIncrementAtomic(&necp_kernel_socket_policies_gencount) == (INT32_MAX - 1)) {      \
-               necp_kernel_socket_policies_gencount = 1;                                                                               \
-       }                                                                                                                                                               \
+#define BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT() do {                                                     \
+       if (OSIncrementAtomic(&necp_kernel_socket_policies_gencount) == (INT32_MAX - 1)) {      \
+               necp_kernel_socket_policies_gencount = 1;                                                                               \
+       }                                                                                                                                                               \
 } while (0)
 
 } while (0)
 
+/*
+ * Drop-all Bypass:
+ * Allow priviledged processes to bypass the default drop-all
+ * via entitlement check.  For OSX, since entitlement check is
+ * not supported for configd, configd signing identity is checked
+ * instead.
+ */
+#define SIGNING_ID_CONFIGD "com.apple.configd"
+#define SIGNING_ID_CONFIGD_LEN (sizeof(SIGNING_ID_CONFIGD) - 1)
+
+typedef enum {
+       NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE = 0,
+       NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE = 1,
+       NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE = 2,
+} necp_drop_all_bypass_check_result_t;
+
 static u_int32_t necp_kernel_application_policies_condition_mask;
 static size_t necp_kernel_application_policies_count;
 static u_int32_t necp_kernel_socket_policies_condition_mask;
 static size_t necp_kernel_socket_policies_count;
 static size_t necp_kernel_socket_policies_non_app_count;
 static LIST_HEAD(_necpkernelsocketconnectpolicies, necp_kernel_socket_policy) necp_kernel_socket_policies;
 static u_int32_t necp_kernel_application_policies_condition_mask;
 static size_t necp_kernel_application_policies_count;
 static u_int32_t necp_kernel_socket_policies_condition_mask;
 static size_t necp_kernel_socket_policies_count;
 static size_t necp_kernel_socket_policies_non_app_count;
 static LIST_HEAD(_necpkernelsocketconnectpolicies, necp_kernel_socket_policy) necp_kernel_socket_policies;
-#define        NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS 5
-#define        NECP_SOCKET_MAP_APP_ID_TO_BUCKET(appid) (appid ? (appid%(NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS - 1) + 1) : 0)
+#define NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS 5
+#define NECP_SOCKET_MAP_APP_ID_TO_BUCKET(appid) (appid ? (appid%(NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS - 1) + 1) : 0)
 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_map[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_app_layer_map;
 /*
 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_map[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
 static struct necp_kernel_socket_policy **necp_kernel_socket_policies_app_layer_map;
 /*
@@ -294,23 +383,24 @@ static u_int32_t necp_kernel_ip_output_policies_condition_mask;
 static size_t necp_kernel_ip_output_policies_count;
 static size_t necp_kernel_ip_output_policies_non_id_count;
 static LIST_HEAD(_necpkernelipoutputpolicies, necp_kernel_ip_output_policy) necp_kernel_ip_output_policies;
 static size_t necp_kernel_ip_output_policies_count;
 static size_t necp_kernel_ip_output_policies_non_id_count;
 static LIST_HEAD(_necpkernelipoutputpolicies, necp_kernel_ip_output_policy) necp_kernel_ip_output_policies;
-#define        NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS 5
-#define        NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(id) (id ? (id%(NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS - 1) + 1) : 0)
+#define NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS 5
+#define NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(id) (id ? (id%(NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS - 1) + 1) : 0)
 static struct necp_kernel_ip_output_policy **necp_kernel_ip_output_policies_map[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
 static struct necp_kernel_ip_output_policy **necp_kernel_ip_output_policies_map[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
+static struct necp_kernel_socket_policy pass_policy =
+{
+       .id = NECP_KERNEL_POLICY_ID_NO_MATCH,
+       .result = NECP_KERNEL_POLICY_RESULT_PASS,
+};
 
 
-static struct necp_session *necp_create_session(u_int32_t control_unit);
+static struct necp_session *necp_create_session(void);
 static void necp_delete_session(struct necp_session *session);
 
 static void necp_delete_session(struct necp_session *session);
 
-static void necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_get(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_delete(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_apply_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_list_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_delete_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_set_session_priority(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_lock_session_to_proc(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_register_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_unregister_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
+static necp_policy_id necp_handle_policy_add(struct necp_session *session,
+    u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *error);
+static int necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length);
+
+#define MAX_RESULT_STRING_LEN 64
+static inline const char * necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
 
 static struct necp_session_policy *necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8_t *conditions_array, u_int32_t conditions_array_size, u_int8_t *route_rules_array, u_int32_t route_rules_array_size, u_int8_t *result, u_int32_t result_size);
 static struct necp_session_policy *necp_policy_find(struct necp_session *session, necp_policy_id policy_id);
 
 static struct necp_session_policy *necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8_t *conditions_array, u_int32_t conditions_array_size, u_int8_t *route_rules_array, u_int32_t route_rules_array_size, u_int8_t *result, u_int32_t result_size);
 static struct necp_session_policy *necp_policy_find(struct necp_session *session, necp_policy_id policy_id);
@@ -319,13 +409,13 @@ static bool necp_policy_mark_all_for_deletion(struct necp_session *session);
 static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
 static void necp_policy_apply_all(struct necp_session *session);
 
 static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
 static void necp_policy_apply_all(struct necp_session *session);
 
-static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
+static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, struct necp_policy_condition_sdk_version *cond_sdk_version, u_int32_t cond_client_flags, char *cond_signing_identifier, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
 static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_socket_policies_reprocess(void);
 static bool necp_kernel_socket_policies_update_uuid_table(void);
 static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_socket_policies_reprocess(void);
 static bool necp_kernel_socket_policies_update_uuid_table(void);
-static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, size_t netagent_array_count);
+static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc, u_int16_t pf_tag, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass, u_int32_t *return_flow_divert_aggregate_unit);
 
 
-static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
+static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
 static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_ip_output_policies_reprocess(void);
 
 static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_ip_output_policies_reprocess(void);
 
@@ -334,24 +424,27 @@ static bool necp_is_range_in_range(struct sockaddr *inner_range_start, struct so
 static bool necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix);
 static int necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port);
 static bool necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits);
 static bool necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix);
 static int necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port);
 static bool necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits);
-static bool necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet);
+static bool necp_addr_is_empty(struct sockaddr *addr);
+static bool necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet, u_int32_t bound_interface_index);
+static bool necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet);
 
 struct necp_uuid_id_mapping {
        LIST_ENTRY(necp_uuid_id_mapping) chain;
 
 struct necp_uuid_id_mapping {
        LIST_ENTRY(necp_uuid_id_mapping) chain;
-       uuid_t          uuid;
-       u_int32_t       id;
-       u_int32_t       refcount;
-       u_int32_t       table_refcount; // Add to UUID policy table count
+       uuid_t          uuid;
+       u_int32_t       id;
+       os_refcnt_t     refcount;
+       u_int32_t       table_usecount; // Add to UUID policy table count
 };
 static size_t necp_num_uuid_app_id_mappings;
 static bool necp_uuid_app_id_mappings_dirty;
 };
 static size_t necp_num_uuid_app_id_mappings;
 static bool necp_uuid_app_id_mappings_dirty;
-#define        NECP_UUID_APP_ID_HASH_SIZE 64
+#define NECP_UUID_APP_ID_HASH_SIZE 64
 static u_long necp_uuid_app_id_hash_mask;
 static u_long necp_uuid_app_id_hash_num_buckets;
 static u_long necp_uuid_app_id_hash_mask;
 static u_long necp_uuid_app_id_hash_num_buckets;
-static LIST_HEAD(necp_uuid_id_mapping_head, necp_uuid_id_mapping) *necp_uuid_app_id_hashtbl, necp_uuid_service_id_list; // App map is real hash table, service map is just mapping
-#define        APPUUIDHASH(uuid) (&necp_uuid_app_id_hashtbl[uuid[0] & necp_uuid_app_id_hash_mask]) // Assume first byte of UUIDs are evenly distributed
+static LIST_HEAD(necp_uuid_id_mapping_head, necp_uuid_id_mapping) * necp_uuid_app_id_hashtbl, necp_uuid_service_id_list; // App map is real hash table, service map is just mapping
+#define APPUUIDHASH(uuid) (&necp_uuid_app_id_hashtbl[uuid[0] & necp_uuid_app_id_hash_mask]) // Assume first byte of UUIDs are evenly distributed
 static u_int32_t necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table);
 static bool necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table);
 static u_int32_t necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table);
 static bool necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table);
+static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id);
 
 static struct necp_uuid_id_mapping *necp_uuid_lookup_service_id_locked(uuid_t uuid);
 static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id);
 
 static struct necp_uuid_id_mapping *necp_uuid_lookup_service_id_locked(uuid_t uuid);
 static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id);
@@ -360,62 +453,86 @@ static bool necp_remove_uuid_service_id_mapping(uuid_t uuid);
 
 struct necp_string_id_mapping {
        LIST_ENTRY(necp_string_id_mapping) chain;
 
 struct necp_string_id_mapping {
        LIST_ENTRY(necp_string_id_mapping) chain;
-       char            *string;
-       necp_app_id     id;
-       u_int32_t       refcount;
+       char            *string;
+       necp_app_id     id;
+       os_refcnt_t     refcount;
 };
 static LIST_HEAD(necp_string_id_mapping_list, necp_string_id_mapping) necp_account_id_list;
 static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
 static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
 };
 static LIST_HEAD(necp_string_id_mapping_list, necp_string_id_mapping) necp_account_id_list;
 static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
 static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
+static struct necp_string_id_mapping *necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id);
+
+static struct necp_kernel_socket_policy *necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id);
+static struct necp_kernel_ip_output_policy *necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id);
 
 static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
 
 static char *necp_create_trimmed_domain(char *string, size_t length);
 static inline int necp_count_dots(char *string, size_t length);
 
 
 static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
 
 static char *necp_create_trimmed_domain(char *string, size_t length);
 static inline int necp_count_dots(char *string, size_t length);
 
+static char *necp_copy_string(char *string, size_t length);
+static bool necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id);
+
 #define ROUTE_RULE_IS_AGGREGATE(ruleid) (ruleid > UINT16_MAX)
 
 #define MAX_ROUTE_RULE_INTERFACES 10
 struct necp_route_rule {
        LIST_ENTRY(necp_route_rule) chain;
 #define ROUTE_RULE_IS_AGGREGATE(ruleid) (ruleid > UINT16_MAX)
 
 #define MAX_ROUTE_RULE_INTERFACES 10
 struct necp_route_rule {
        LIST_ENTRY(necp_route_rule) chain;
-       u_int32_t       id;
-       u_int32_t       default_action;
-       u_int8_t        cellular_action;
-       u_int8_t        wifi_action;
-       u_int8_t        wired_action;
-       u_int8_t        expensive_action;
-       u_int           exception_if_indices[MAX_ROUTE_RULE_INTERFACES];
-       u_int8_t        exception_if_actions[MAX_ROUTE_RULE_INTERFACES];
-       u_int32_t       refcount;
+       u_int32_t       id;
+       u_int32_t       default_action;
+       u_int8_t        cellular_action;
+       u_int8_t        wifi_action;
+       u_int8_t        wired_action;
+       u_int8_t        expensive_action;
+       u_int8_t        constrained_action;
+       u_int           exception_if_indices[MAX_ROUTE_RULE_INTERFACES];
+       u_int8_t        exception_if_actions[MAX_ROUTE_RULE_INTERFACES];
+       os_refcnt_t     refcount;
 };
 static LIST_HEAD(necp_route_rule_list, necp_route_rule) necp_route_rules;
 static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size);
 static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
 };
 static LIST_HEAD(necp_route_rule_list, necp_route_rule) necp_route_rules;
 static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size);
 static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
-static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, bool *cellular_denied);
+static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied);
 static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
 static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
+static inline void necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info);
 
 #define MAX_AGGREGATE_ROUTE_RULES 16
 struct necp_aggregate_route_rule {
        LIST_ENTRY(necp_aggregate_route_rule) chain;
 
 #define MAX_AGGREGATE_ROUTE_RULES 16
 struct necp_aggregate_route_rule {
        LIST_ENTRY(necp_aggregate_route_rule) chain;
-       u_int32_t       id;
-       u_int32_t       rule_ids[MAX_AGGREGATE_ROUTE_RULES];
+       u_int32_t       id;
+       u_int32_t       rule_ids[MAX_AGGREGATE_ROUTE_RULES];
 };
 static LIST_HEAD(necp_aggregate_route_rule_list, necp_aggregate_route_rule) necp_aggregate_route_rules;
 static u_int32_t necp_create_aggregate_route_rule(u_int32_t *rule_ids);
 
 // Sysctl definitions
 static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
 };
 static LIST_HEAD(necp_aggregate_route_rule_list, necp_aggregate_route_rule) necp_aggregate_route_rules;
 static u_int32_t necp_create_aggregate_route_rule(u_int32_t *rule_ids);
 
 // Sysctl definitions
 static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
+static int sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS;
 
 SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
 
 SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
+SYSCTL_INT(_net_necp, NECPCTL_DEDUP_POLICIES, dedup_policies, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_dedup_policies, 0, "");
+SYSCTL_INT(_net_necp, NECPCTL_RESTRICT_MULTICAST, restrict_multicast, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_restrict_multicast, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
+SYSCTL_INT(_net_necp, NECPCTL_PASS_INTERPOSE, pass_interpose, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_interpose, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_DEBUG, debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_debug, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_DEBUG, debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_debug, 0, "");
+SYSCTL_PROC(_net_necp, NECPCTL_DROP_UNENTITLED_LEVEL, drop_unentitled_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_unentitled_level, 0, &sysctl_handle_necp_unentitled_level, "IU", "");
 SYSCTL_PROC(_net_necp, NECPCTL_DROP_ALL_LEVEL, drop_all_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_all_level, 0, &sysctl_handle_necp_level, "IU", "");
 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_POLICY_COUNT, socket_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_count, "");
 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_NON_APP_POLICY_COUNT, socket_non_app_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_non_app_count, "");
 SYSCTL_LONG(_net_necp, NECPCTL_IP_POLICY_COUNT, ip_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_ip_output_policies_count, "");
 SYSCTL_INT(_net_necp, NECPCTL_SESSION_COUNT, session_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_session_count, 0, "");
 
 SYSCTL_PROC(_net_necp, NECPCTL_DROP_ALL_LEVEL, drop_all_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_all_level, 0, &sysctl_handle_necp_level, "IU", "");
 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_POLICY_COUNT, socket_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_count, "");
 SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_NON_APP_POLICY_COUNT, socket_non_app_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_non_app_count, "");
 SYSCTL_LONG(_net_necp, NECPCTL_IP_POLICY_COUNT, ip_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_ip_output_policies_count, "");
 SYSCTL_INT(_net_necp, NECPCTL_SESSION_COUNT, session_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_session_count, 0, "");
 
+static struct necp_drop_dest_policy necp_drop_dest_policy;
+static int necp_drop_dest_debug = 0;    // 0: off, 1: match, >1: every evaluation
+SYSCTL_INT(_net_necp, OID_AUTO, drop_dest_debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_dest_debug, 0, "");
+
+static int sysctl_handle_necp_drop_dest_level SYSCTL_HANDLER_ARGS;
+SYSCTL_PROC(_net_necp, OID_AUTO, drop_dest_level, CTLTYPE_STRUCT | CTLFLAG_LOCKED | CTLFLAG_ANYBODY | CTLFLAG_RW,
+    0, 0, &sysctl_handle_necp_drop_dest_level, "S,necp_drop_dest_level", "");
+
+static bool necp_address_matches_drop_dest_policy(union necp_sockaddr_union *, u_int32_t);
+
 // Session order allocation
 static u_int32_t
 necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
 // Session order allocation
 static u_int32_t
 necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
@@ -430,13 +547,16 @@ necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
        // Use the control unit to decide the offset into the priority list
        new_order = (control_unit) + ((priority - 1) * 1000);
 
        // Use the control unit to decide the offset into the priority list
        new_order = (control_unit) + ((priority - 1) * 1000);
 
-       return (new_order);
+       return new_order;
 }
 
 static inline u_int32_t
 necp_get_first_order_for_priority(u_int32_t priority)
 {
 }
 
 static inline u_int32_t
 necp_get_first_order_for_priority(u_int32_t priority)
 {
-       return (((priority - 1) * 1000) + 1);
+       if (priority == 0) {
+               return 0;
+       }
+       return ((priority - 1) * 1000) + 1;
 }
 
 // Sysctl handler
 }
 
 // Sysctl handler
@@ -445,651 +565,1183 @@ sysctl_handle_necp_level SYSCTL_HANDLER_ARGS
 {
 #pragma unused(arg1, arg2)
        int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
 {
 #pragma unused(arg1, arg2)
        int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
-       if (necp_drop_all_level == 0) {
-               necp_drop_all_order = 0;
+       necp_drop_all_order = necp_get_first_order_for_priority(necp_drop_all_level);
+       return error;
+}
+
+static int
+sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS
+{
+#pragma unused(arg1, arg2)
+       int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
+       necp_drop_unentitled_order = necp_get_first_order_for_priority(necp_drop_unentitled_level);
+       return error;
+}
+
+// Use a macro here to avoid computing the kauth_cred_t when necp_drop_unentitled_level is 0
+static inline u_int32_t
+_necp_process_drop_order_inner(kauth_cred_t cred)
+{
+       if (priv_check_cred(cred, PRIV_NET_PRIVILEGED_CLIENT_ACCESS, 0) != 0 &&
+           priv_check_cred(cred, PRIV_NET_PRIVILEGED_SERVER_ACCESS, 0) != 0) {
+               return necp_drop_unentitled_order;
        } else {
        } else {
-               necp_drop_all_order = necp_get_first_order_for_priority(necp_drop_all_level);
+               return 0;
        }
        }
-       return (error);
 }
 
 }
 
+#define necp_process_drop_order(_cred) (necp_drop_unentitled_order != 0 ? _necp_process_drop_order_inner(_cred) : necp_drop_unentitled_order)
+#pragma GCC poison _necp_process_drop_order_inner
 
 
-// Kernel Control functions
-static errno_t necp_register_control(void);
-static errno_t necp_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac, void **unitinfo);
-static errno_t necp_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo);
-static errno_t necp_ctl_send(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, mbuf_t m, int flags);
-static void necp_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int flags);
-static errno_t necp_ctl_getopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t *len);
-static errno_t necp_ctl_setopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t len);
+// Session fd
 
 
-static bool necp_send_ctl_data(struct necp_session *session, u_int8_t *buffer, size_t buffer_size);
+static int necp_session_op_close(struct fileglob *, vfs_context_t);
 
 
-errno_t
-necp_init(void)
-{
-       errno_t result = 0;
+static const struct fileops necp_session_fd_ops = {
+       .fo_type     = DTYPE_NETPOLICY,
+       .fo_read     = fo_no_read,
+       .fo_write    = fo_no_write,
+       .fo_ioctl    = fo_no_ioctl,
+       .fo_select   = fo_no_select,
+       .fo_close    = necp_session_op_close,
+       .fo_drain    = fo_no_drain,
+       .fo_kqfilter = fo_no_kqfilter,
+};
 
 
-       result = necp_register_control();
-       if (result != 0) {
-               goto done;
-       }
+static inline int
+necp_is_platform_binary(proc_t proc)
+{
+       return (proc != NULL) ? (csproc_get_platform_binary(proc) && cs_valid(proc)) : 0;
+}
 
 
-       necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
-       if (necp_kernel_policy_grp_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
-               result = ENOMEM;
-               goto done;
+static inline necp_drop_all_bypass_check_result_t
+necp_check_drop_all_bypass_result(proc_t proc)
+{
+       if (proc == NULL) {
+               proc = current_proc();
+               if (proc == NULL) {
+                       return NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE;
+               }
        }
 
        }
 
-       necp_kernel_policy_mtx_grp = lck_grp_alloc_init(NECP_CONTROL_NAME, necp_kernel_policy_grp_attr);
-       if (necp_kernel_policy_mtx_grp == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
-               result = ENOMEM;
-               goto done;
+#if defined(XNU_TARGET_OS_OSX)
+       const char *signing_id = NULL;
+       const bool isConfigd = (necp_is_platform_binary(proc) &&
+           (signing_id = cs_identity_get(proc)) &&
+           (strlen(signing_id) == SIGNING_ID_CONFIGD_LEN) &&
+           (memcmp(signing_id, SIGNING_ID_CONFIGD, SIGNING_ID_CONFIGD_LEN) == 0));
+       if (isConfigd) {
+               return NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE;
        }
        }
+#endif
 
 
-       necp_kernel_policy_mtx_attr = lck_attr_alloc_init();
-       if (necp_kernel_policy_mtx_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
-               result = ENOMEM;
-               goto done;
+       const task_t task = proc_task(proc);
+       if (task == NULL || !IOTaskHasEntitlement(task, "com.apple.private.necp.drop_all_bypass")) {
+               return NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE;
+       } else {
+               return NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE;
        }
        }
+}
 
 
-       lck_rw_init(&necp_kernel_policy_lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
-
-       necp_route_rule_grp_attr = lck_grp_attr_alloc_init();
-       if (necp_route_rule_grp_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
-               result = ENOMEM;
+int
+necp_session_open(struct proc *p, struct necp_session_open_args *uap, int *retval)
+{
+#pragma unused(uap)
+       int error = 0;
+       struct necp_session *session = NULL;
+       struct fileproc *fp = NULL;
+       int fd = -1;
+
+       uid_t uid = kauth_cred_getuid(proc_ucred(p));
+       if (uid != 0 && priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
+               NECPLOG0(LOG_ERR, "Process does not hold necessary entitlement to open NECP session");
+               error = EACCES;
                goto done;
        }
 
                goto done;
        }
 
-       necp_route_rule_mtx_grp = lck_grp_alloc_init("necp_route_rule", necp_route_rule_grp_attr);
-       if (necp_route_rule_mtx_grp == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
-               result = ENOMEM;
+       error = falloc(p, &fp, &fd, vfs_context_current());
+       if (error != 0) {
                goto done;
        }
 
                goto done;
        }
 
-       necp_route_rule_mtx_attr = lck_attr_alloc_init();
-       if (necp_route_rule_mtx_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
-               result = ENOMEM;
+       session = necp_create_session();
+       if (session == NULL) {
+               error = ENOMEM;
                goto done;
        }
 
                goto done;
        }
 
-       lck_rw_init(&necp_route_rule_lock, necp_route_rule_mtx_grp, necp_route_rule_mtx_attr);
-
-       LIST_INIT(&necp_kernel_socket_policies);
-       LIST_INIT(&necp_kernel_ip_output_policies);
-
-       LIST_INIT(&necp_account_id_list);
-
-       LIST_INIT(&necp_uuid_service_id_list);
-
-       LIST_INIT(&necp_registered_service_list);
-
-       LIST_INIT(&necp_route_rules);
-       LIST_INIT(&necp_aggregate_route_rules);
-
-       necp_uuid_app_id_hashtbl = hashinit(NECP_UUID_APP_ID_HASH_SIZE, M_NECP, &necp_uuid_app_id_hash_mask);
-       necp_uuid_app_id_hash_num_buckets = necp_uuid_app_id_hash_mask + 1;
-       necp_num_uuid_app_id_mappings = 0;
-       necp_uuid_app_id_mappings_dirty = FALSE;
-
-       necp_kernel_application_policies_condition_mask = 0;
-       necp_kernel_socket_policies_condition_mask = 0;
-       necp_kernel_ip_output_policies_condition_mask = 0;
-
-       necp_kernel_application_policies_count = 0;
-       necp_kernel_socket_policies_count = 0;
-       necp_kernel_socket_policies_non_app_count = 0;
-       necp_kernel_ip_output_policies_count = 0;
-       necp_kernel_ip_output_policies_non_id_count = 0;
-
-       necp_last_policy_id = 0;
-       necp_last_kernel_policy_id = 0;
-       necp_last_uuid_id = 0;
-       necp_last_string_id = 0;
-       necp_last_route_rule_id = 0;
-       necp_last_aggregate_route_rule_id = 0;
-
-       necp_kernel_socket_policies_gencount = 1;
+       fp->fp_glob->fg_flag = 0;
+       fp->fp_glob->fg_ops = &necp_session_fd_ops;
+       fp->fp_glob->fg_data = session;
 
 
-       memset(&necp_kernel_socket_policies_map, 0, sizeof(necp_kernel_socket_policies_map));
-       memset(&necp_kernel_ip_output_policies_map, 0, sizeof(necp_kernel_ip_output_policies_map));
-       necp_kernel_socket_policies_app_layer_map = NULL;
+       proc_fdlock(p);
+       FDFLAGS_SET(p, fd, (UF_EXCLOSE | UF_FORKCLOSE));
+       procfdtbl_releasefd(p, fd, NULL);
+       fp_drop(p, fd, fp, 1);
+       proc_fdunlock(p);
 
 
+       *retval = fd;
 done:
 done:
-       if (result != 0) {
-               if (necp_kernel_policy_mtx_attr != NULL) {
-                       lck_attr_free(necp_kernel_policy_mtx_attr);
-                       necp_kernel_policy_mtx_attr = NULL;
-               }
-               if (necp_kernel_policy_mtx_grp != NULL) {
-                       lck_grp_free(necp_kernel_policy_mtx_grp);
-                       necp_kernel_policy_mtx_grp = NULL;
-               }
-               if (necp_kernel_policy_grp_attr != NULL) {
-                       lck_grp_attr_free(necp_kernel_policy_grp_attr);
-                       necp_kernel_policy_grp_attr = NULL;
-               }
-               if (necp_route_rule_mtx_attr != NULL) {
-                       lck_attr_free(necp_route_rule_mtx_attr);
-                       necp_route_rule_mtx_attr = NULL;
-               }
-               if (necp_route_rule_mtx_grp != NULL) {
-                       lck_grp_free(necp_route_rule_mtx_grp);
-                       necp_route_rule_mtx_grp = NULL;
-               }
-               if (necp_route_rule_grp_attr != NULL) {
-                       lck_grp_attr_free(necp_route_rule_grp_attr);
-                       necp_route_rule_grp_attr = NULL;
-               }
-               if (necp_kctlref != NULL) {
-                       ctl_deregister(necp_kctlref);
-                       necp_kctlref = NULL;
+       if (error != 0) {
+               if (fp != NULL) {
+                       fp_free(p, fd, fp);
+                       fp = NULL;
                }
        }
                }
        }
-       return (result);
+
+       return error;
 }
 
 }
 
-static errno_t
-necp_register_control(void)
+static int
+necp_session_op_close(struct fileglob *fg, vfs_context_t ctx)
 {
 {
-       struct kern_ctl_reg     kern_ctl;
-       errno_t                         result = 0;
+#pragma unused(ctx)
+       struct necp_session *session = (struct necp_session *)fg->fg_data;
+       fg->fg_data = NULL;
 
 
-       // Create a tag to allocate memory
-       necp_malloc_tag = OSMalloc_Tagalloc(NECP_CONTROL_NAME, OSMT_DEFAULT);
+       if (session != NULL) {
+               necp_policy_mark_all_for_deletion(session);
+               necp_policy_apply_all(session);
+               necp_delete_session(session);
+               return 0;
+       } else {
+               return ENOENT;
+       }
+}
 
 
-       // Find a unique value for our interface family
-       result = mbuf_tag_id_find(NECP_CONTROL_NAME, &necp_family);
-       if (result != 0) {
-               NECPLOG(LOG_ERR, "mbuf_tag_id_find_internal failed: %d", result);
-               return (result);
-       }
-
-       bzero(&kern_ctl, sizeof(kern_ctl));
-       strlcpy(kern_ctl.ctl_name, NECP_CONTROL_NAME, sizeof(kern_ctl.ctl_name));
-       kern_ctl.ctl_name[sizeof(kern_ctl.ctl_name) - 1] = 0;
-       kern_ctl.ctl_flags = CTL_FLAG_PRIVILEGED; // Require root
-       kern_ctl.ctl_sendsize = 64 * 1024;
-       kern_ctl.ctl_recvsize = 64 * 1024;
-       kern_ctl.ctl_connect = necp_ctl_connect;
-       kern_ctl.ctl_disconnect = necp_ctl_disconnect;
-       kern_ctl.ctl_send = necp_ctl_send;
-       kern_ctl.ctl_rcvd = necp_ctl_rcvd;
-       kern_ctl.ctl_setopt = necp_ctl_setopt;
-       kern_ctl.ctl_getopt = necp_ctl_getopt;
-
-       result = ctl_register(&kern_ctl, &necp_kctlref);
-       if (result != 0) {
-               NECPLOG(LOG_ERR, "ctl_register failed: %d", result);
-               return (result);
+static int
+necp_session_find_from_fd(struct proc *p, int fd,
+    struct fileproc **fpp, struct necp_session **session)
+{
+       struct fileproc *fp = NULL;
+       int error = fp_get_ftype(p, fd, DTYPE_NETPOLICY, ENODEV, &fp);
+
+       if (error == 0) {
+               *fpp = fp;
+               *session = (struct necp_session *)fp->fp_glob->fg_data;
+               if ((*session)->necp_fd_type != necp_fd_type_session) {
+                       // Not a client fd, ignore
+                       fp_drop(p, fd, fp, 0);
+                       error = EINVAL;
+               }
        }
 
        }
 
-       return (0);
+       return error;
 }
 
 }
 
-static void
-necp_post_change_event(struct kev_necp_policies_changed_data *necp_event_data)
+static int
+necp_session_add_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       struct kev_msg ev_msg;
-       memset(&ev_msg, 0, sizeof(ev_msg));
+       int error = 0;
+       u_int8_t *tlv_buffer = NULL;
 
 
-       ev_msg.vendor_code      = KEV_VENDOR_APPLE;
-       ev_msg.kev_class        = KEV_NETWORK_CLASS;
-       ev_msg.kev_subclass     = KEV_NECP_SUBCLASS;
-       ev_msg.event_code       = KEV_NECP_POLICIES_CHANGED;
+       if (uap->in_buffer_length == 0 || uap->in_buffer_length > NECP_MAX_POLICY_SIZE || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy invalid input (%zu)", (size_t)uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
 
 
-       ev_msg.dv[0].data_ptr    = necp_event_data;
-       ev_msg.dv[0].data_length = sizeof(necp_event_data->changed_count);
-       ev_msg.dv[1].data_length = 0;
+       if (uap->out_buffer_length < sizeof(necp_policy_id) || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy invalid output buffer (%zu)", (size_t)uap->out_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
 
 
-       kev_post_msg(&ev_msg);
-}
+       if ((tlv_buffer = _MALLOC(uap->in_buffer_length, M_NECP, M_WAITOK | M_ZERO)) == NULL) {
+               error = ENOMEM;
+               goto done;
+       }
 
 
-static errno_t
-necp_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac, void **unitinfo)
-{
-#pragma unused(kctlref)
-       *unitinfo = necp_create_session(sac->sc_unit);
-       if (*unitinfo == NULL) {
-               // Could not allocate session
-               return (ENOBUFS);
+       error = copyin(uap->in_buffer, tlv_buffer, uap->in_buffer_length);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy tlv copyin error (%d)", error);
+               goto done;
        }
 
        }
 
-       return (0);
-}
+       necp_policy_id new_policy_id = necp_handle_policy_add(session, tlv_buffer, uap->in_buffer_length, 0, &error);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy failed to add policy (%d)", error);
+               goto done;
+       }
 
 
-static errno_t
-necp_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo)
-{
-#pragma unused(kctlref, unit)
-       struct necp_session *session = (struct necp_session *)unitinfo;
-       if (session != NULL) {
-               necp_policy_mark_all_for_deletion(session);
-               necp_policy_apply_all(session);
-               necp_delete_session((struct necp_session *)unitinfo);
+       error = copyout(&new_policy_id, uap->out_buffer, sizeof(new_policy_id));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy policy_id copyout error (%d)", error);
+               goto done;
        }
 
        }
 
-       return (0);
-}
+done:
+       if (tlv_buffer != NULL) {
+               FREE(tlv_buffer, M_NECP);
+               tlv_buffer = NULL;
+       }
+       *retval = error;
 
 
+       return error;
+}
 
 
-// Message handling
 static int
 static int
-necp_packet_find_tlv(mbuf_t packet, int offset, u_int8_t type, int *err, int next)
+necp_session_get_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       size_t  cursor                  = offset;
-       int             error                   = 0;
-       u_int32_t       curr_length;
-       u_int8_t        curr_type;
+       int error = 0;
+       u_int8_t *response = NULL;
 
 
-       *err = 0;
+       if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy invalid input (%zu)", (size_t)uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
 
 
-       do {
-               if (!next) {
-                       error = mbuf_copydata(packet, cursor, sizeof(curr_type), &curr_type);
-                       if (error) {
-                               *err = ENOENT;
-                               return (-1);
-                       }
-               } else {
-                       next = 0;
-                       curr_type = NECP_TLV_NIL;
-               }
+       necp_policy_id policy_id = 0;
+       error = copyin(uap->in_buffer, &policy_id, sizeof(policy_id));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy policy_id copyin error (%d)", error);
+               goto done;
+       }
 
 
-               if (curr_type != type) {
-                       cursor += sizeof(curr_type);
-                       error = mbuf_copydata(packet, cursor, sizeof(curr_length), &curr_length);
-                       if (error) {
-                               *err = error;
-                               return (-1);
-                       }
-                       cursor += (sizeof(curr_length) + curr_length);
-               }
-       } while (curr_type != type);
+       struct necp_session_policy *policy = necp_policy_find(session, policy_id);
+       if (policy == NULL || policy->pending_deletion) {
+               NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
+               error = ENOENT;
+               goto done;
+       }
 
 
-       return (cursor);
-}
+       u_int32_t order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
+       u_int32_t result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
+       u_int32_t response_size = order_tlv_size + result_tlv_size + policy->conditions_size;
 
 
-static int
-necp_packet_get_tlv_at_offset(mbuf_t packet, int tlv_offset, u_int32_t buff_len, void *buff, u_int32_t *value_size)
-{
-       int                     error   = 0;
-       u_int32_t       length;
+       if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy buffer not large enough (%zu < %u)", (size_t)uap->out_buffer_length, response_size);
+               error = EINVAL;
+               goto done;
+       }
 
 
-       if (tlv_offset < 0) {
-               return (error);
+       if (response_size > NECP_MAX_POLICY_SIZE) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy size too large to copy (%u)", response_size);
+               error = EINVAL;
+               goto done;
        }
 
        }
 
-       error = mbuf_copydata(packet, tlv_offset + sizeof(u_int8_t), sizeof(length), &length);
-       if (error) {
-               return (error);
+       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
+       if (response == NULL) {
+               error = ENOMEM;
+               goto done;
        }
 
        }
 
-       u_int32_t total_len = m_length2(packet, NULL);
-       if (total_len < (tlv_offset + sizeof(u_int8_t) + sizeof(length) + length)) {
-               NECPLOG(LOG_ERR, "Got a bad TLV, length (%u) + offset (%d) < total length (%u)",
-                               length, (tlv_offset + sizeof(u_int8_t) + sizeof(length)), total_len);
-               return (EINVAL);
+       u_int8_t *cursor = response;
+       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, response, response_size);
+       if (result_tlv_size) {
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result, response, response_size);
+       }
+       if (policy->conditions_size) {
+               memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
        }
 
        }
 
-       if (value_size != NULL) {
-               *value_size = length;
+       error = copyout(response, uap->out_buffer, response_size);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy TLV copyout error (%d)", error);
+               goto done;
        }
 
        }
 
-       if (buff != NULL && buff_len > 0) {
-               u_int32_t to_copy = (length < buff_len) ? length : buff_len;
-               error = mbuf_copydata(packet, tlv_offset + sizeof(u_int8_t) + sizeof(length), to_copy, buff);
-               if (error) {
-                       return (error);
-               }
+done:
+       if (response != NULL) {
+               FREE(response, M_NECP);
+               response = NULL;
        }
        }
+       *retval = error;
 
 
-       return (0);
+       return error;
 }
 
 static int
 }
 
 static int
-necp_packet_get_tlv(mbuf_t packet, int offset, u_int8_t type, u_int32_t buff_len, void *buff, u_int32_t *value_size)
+necp_session_delete_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       int             error           = 0;
-       int             tlv_offset;
+       int error = 0;
 
 
-       tlv_offset = necp_packet_find_tlv(packet, offset, type, &error, 0);
-       if (tlv_offset < 0) {
-               return (error);
+       if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_delete_policy invalid input (%zu)", (size_t)uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
        }
 
        }
 
-       return (necp_packet_get_tlv_at_offset(packet, tlv_offset, buff_len, buff, value_size));
-}
-
-static u_int8_t *
-necp_buffer_write_packet_header(u_int8_t *buffer, u_int8_t packet_type, u_int8_t flags, u_int32_t message_id)
-{
-       ((struct necp_packet_header *)(void *)buffer)->packet_type = packet_type;
-       ((struct necp_packet_header *)(void *)buffer)->flags = flags;
-       ((struct necp_packet_header *)(void *)buffer)->message_id = message_id;
-       return (buffer + sizeof(struct necp_packet_header));
-}
+       necp_policy_id delete_policy_id = 0;
+       error = copyin(uap->in_buffer, &delete_policy_id, sizeof(delete_policy_id));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_delete_policy policy_id copyin error (%d)", error);
+               goto done;
+       }
 
 
-static u_int8_t *
-necp_buffer_write_tlv(u_int8_t *buffer, u_int8_t type, u_int32_t length, const void *value)
-{
-       *(u_int8_t *)(buffer) = type;
-       *(u_int32_t *)(void *)(buffer + sizeof(type)) = length;
-       if (length > 0) {
-               memcpy((u_int8_t *)(buffer + sizeof(type) + sizeof(length)), value, length);
+       struct necp_session_policy *policy = necp_policy_find(session, delete_policy_id);
+       if (policy == NULL || policy->pending_deletion) {
+               NECPLOG(LOG_ERR, "necp_session_delete_policy failed to find policy with id %u", delete_policy_id);
+               error = ENOENT;
+               goto done;
        }
 
        }
 
-       return ((u_int8_t *)(buffer + sizeof(type) + sizeof(length) + length));
+       necp_policy_mark_for_deletion(session, policy);
+done:
+       *retval = error;
+       return error;
 }
 
 }
 
-static u_int8_t
-necp_buffer_get_tlv_type(u_int8_t *buffer, int tlv_offset)
+static int
+necp_session_apply_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       u_int8_t *type = NULL;
+#pragma unused(uap)
+       necp_policy_apply_all(session);
+       *retval = 0;
+       return 0;
+}
 
 
-       if (buffer == NULL) {
-               return (0);
+static int
+necp_session_list_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+       u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_id));
+       u_int32_t response_size = 0;
+       u_int8_t *response = NULL;
+       int num_policies = 0;
+       int cur_policy_index = 0;
+       int error = 0;
+       struct necp_session_policy *policy;
+
+       LIST_FOREACH(policy, &session->policies, chain) {
+               if (!policy->pending_deletion) {
+                       num_policies++;
+               }
        }
 
        }
 
-       type = (u_int8_t *)((u_int8_t *)buffer + tlv_offset);
-       return (type ? *type : 0);
+       if (num_policies > NECP_MAX_POLICY_LIST_COUNT) {
+               NECPLOG(LOG_ERR, "necp_session_list_all size too large to copy (%u policies)", num_policies);
+               error = EINVAL;
+               goto done;
+       }
+
+       response_size = num_policies * tlv_size;
+       if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_list_all buffer not large enough (%zu < %u)", (size_t)uap->out_buffer_length, response_size);
+               error = EINVAL;
+               goto done;
+       }
+
+       // Create a response with one Policy ID TLV for each policy
+       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
+       if (response == NULL) {
+               error = ENOMEM;
+               goto done;
+       }
+
+       u_int8_t *cursor = response;
+       LIST_FOREACH(policy, &session->policies, chain) {
+               if (!policy->pending_deletion && cur_policy_index < num_policies) {
+                       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->local_id, response, response_size);
+                       cur_policy_index++;
+               }
+       }
+
+       error = copyout(response, uap->out_buffer, response_size);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_list_all TLV copyout error (%d)", error);
+               goto done;
+       }
+
+done:
+       if (response != NULL) {
+               FREE(response, M_NECP);
+               response = NULL;
+       }
+       *retval = error;
+
+       return error;
 }
 
 }
 
-static u_int32_t
-necp_buffer_get_tlv_length(u_int8_t *buffer, int tlv_offset)
+
+static int
+necp_session_delete_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       u_int32_t *length = NULL;
+#pragma unused(uap)
+       necp_policy_mark_all_for_deletion(session);
+       *retval = 0;
+       return 0;
+}
 
 
-       if (buffer == NULL) {
-               return (0);
+static int
+necp_session_set_session_priority(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+       int error = 0;
+       struct necp_session_policy *policy = NULL;
+       struct necp_session_policy *temp_policy = NULL;
+
+       if (uap->in_buffer_length < sizeof(necp_session_priority) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_set_session_priority invalid input (%zu)", (size_t)uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
        }
 
        }
 
-       length = (u_int32_t *)(void *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t));
-       return (length ? *length : 0);
+       necp_session_priority requested_session_priority = 0;
+       error = copyin(uap->in_buffer, &requested_session_priority, sizeof(requested_session_priority));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_set_session_priority priority copyin error (%d)", error);
+               goto done;
+       }
+
+       // Enforce special session priorities with entitlements
+       if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
+           requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL ||
+           requested_session_priority == NECP_SESSION_PRIORITY_HIGH_RESTRICTED) {
+               errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
+               if (cred_result != 0) {
+                       NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
+                       error = EPERM;
+                       goto done;
+               }
+       }
+
+       if (session->session_priority != requested_session_priority) {
+               session->session_priority = requested_session_priority;
+               session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
+               session->dirty = TRUE;
+
+               // Mark all policies as needing updates
+               LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
+                       policy->pending_update = TRUE;
+               }
+       }
+
+done:
+       *retval = error;
+       return error;
 }
 
 }
 
-static u_int8_t *
-necp_buffer_get_tlv_value(u_int8_t *buffer, int tlv_offset, u_int32_t *value_size)
+static int
+necp_session_lock_to_process(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       u_int8_t *value = NULL;
-       u_int32_t length = necp_buffer_get_tlv_length(buffer, tlv_offset);
-       if (length == 0) {
-               return (value);
+#pragma unused(uap)
+       session->proc_locked = TRUE;
+       *retval = 0;
+       return 0;
+}
+
+static int
+necp_session_register_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+       int error = 0;
+       struct necp_service_registration *new_service = NULL;
+
+       if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_register_service invalid input (%zu)", (size_t)uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
        }
 
        }
 
-       if (value_size) {
-               *value_size = length;
+       uuid_t service_uuid;
+       error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_register_service uuid copyin error (%d)", error);
+               goto done;
        }
 
        }
 
-       value = (u_int8_t *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
-       return (value);
+       MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK | M_ZERO);
+       if (new_service == NULL) {
+               NECPLOG0(LOG_ERR, "Failed to allocate service registration");
+               error = ENOMEM;
+               goto done;
+       }
+
+       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+       new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
+       LIST_INSERT_HEAD(&session->services, new_service, session_chain);
+       LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
+       lck_rw_done(&necp_kernel_policy_lock);
+
+done:
+       *retval = error;
+       return error;
 }
 
 static int
 }
 
 static int
-necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int next)
+necp_session_unregister_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       if (offset < 0) {
-               return (-1);
+       int error = 0;
+       struct necp_service_registration *service = NULL;
+       struct necp_service_registration *temp_service = NULL;
+       struct necp_uuid_id_mapping *mapping = NULL;
+
+       if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_unregister_service invalid input (%zu)", (size_t)uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
        }
        }
-       int cursor = offset;
-       int next_cursor;
-       u_int32_t curr_length;
-       u_int8_t curr_type;
 
 
-       while (TRUE) {
-               if ((((u_int32_t)cursor) + sizeof(curr_type) + sizeof(curr_length)) > buffer_length) {
-                       return (-1);
-               }
-               if (!next) {
-                       curr_type = necp_buffer_get_tlv_type(buffer, cursor);
-               } else {
-                       next = 0;
-                       curr_type = NECP_TLV_NIL;
-               }
-               curr_length = necp_buffer_get_tlv_length(buffer, cursor);
-               next_cursor = (cursor + sizeof(curr_type) + sizeof(curr_length) + curr_length);
-               if (curr_type == type) {
-                       // check if entire TLV fits inside buffer
-                       if (((u_int32_t)next_cursor) <= buffer_length) {
-                               return (cursor);
-                       } else {
-                               return (-1);
+       uuid_t service_uuid;
+       error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_unregister_service uuid copyin error (%d)", error);
+               goto done;
+       }
+
+       // Remove all matching services for this session
+       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+       mapping = necp_uuid_lookup_service_id_locked(service_uuid);
+       if (mapping != NULL) {
+               LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
+                       if (service->service_id == mapping->id) {
+                               LIST_REMOVE(service, session_chain);
+                               LIST_REMOVE(service, kernel_chain);
+                               FREE(service, M_NECP);
                        }
                }
                        }
                }
-               cursor = next_cursor;
+               necp_remove_uuid_service_id_mapping(service_uuid);
        }
        }
+       lck_rw_done(&necp_kernel_policy_lock);
+
+done:
+       *retval = error;
+       return error;
 }
 
 }
 
-static bool
-necp_send_ctl_data(struct necp_session *session, u_int8_t *buffer, size_t buffer_size)
+static int
+necp_session_dump_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
 {
 {
-       int             error;
+#pragma unused(session)
+       int error = 0;
 
 
-       if (necp_kctlref == NULL || session == NULL || buffer == NULL || buffer_size == 0) {
-               return (FALSE);
+       if (uap->out_buffer_length == 0 || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_dump_all invalid output buffer (%zu)", (size_t)uap->out_buffer_length);
+               error = EINVAL;
+               goto done;
        }
 
        }
 
-       error = ctl_enqueuedata(necp_kctlref, session->control_unit, buffer, buffer_size, CTL_DATA_EOR);
-
-       return (error == 0);
+       error = necp_handle_policy_dump_all(uap->out_buffer, uap->out_buffer_length);
+done:
+       *retval = error;
+       return error;
 }
 
 }
 
-static bool
-necp_send_success_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id)
+int
+necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *retval)
 {
 {
-       bool success = TRUE;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t);
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               return (FALSE);
+       struct fileproc *fp;
+       int error = 0;
+       int return_value = 0;
+       struct necp_session *session = NULL;
+
+       error = necp_session_find_from_fd(p, uap->necp_fd, &fp, &session);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_action find fd error (%d)", error);
+               return error;
+       }
+
+       NECP_SESSION_LOCK(session);
+
+       if (session->proc_locked) {
+               // Verify that the calling process is allowed to do actions
+               uuid_t proc_uuid;
+               proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
+               if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
+                       error = EPERM;
+                       goto done;
+               }
+       } else {
+               // If not locked, update the proc_uuid and proc_pid of the session
+               proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
+               session->proc_pid = proc_pid(current_proc());
        }
        }
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_NIL, 0, NULL);
 
 
-       if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
+       u_int32_t action = uap->action;
+       switch (action) {
+       case NECP_SESSION_ACTION_POLICY_ADD: {
+               return_value = necp_session_add_policy(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_GET: {
+               return_value = necp_session_get_policy(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_DELETE:  {
+               return_value = necp_session_delete_policy(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_APPLY_ALL: {
+               return_value = necp_session_apply_all(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_LIST_ALL: {
+               return_value = necp_session_list_all(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_DELETE_ALL: {
+               return_value = necp_session_delete_all(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_SET_SESSION_PRIORITY: {
+               return_value = necp_session_set_session_priority(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_LOCK_SESSION_TO_PROC: {
+               return_value = necp_session_lock_to_process(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_REGISTER_SERVICE: {
+               return_value = necp_session_register_service(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_UNREGISTER_SERVICE: {
+               return_value = necp_session_unregister_service(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_DUMP_ALL: {
+               return_value = necp_session_dump_all(session, uap, retval);
+               break;
+       }
+       default: {
+               NECPLOG(LOG_ERR, "necp_session_action unknown action (%u)", action);
+               return_value = EINVAL;
+               break;
+       }
        }
 
        }
 
-       FREE(response, M_NECP);
-       return (success);
+done:
+       NECP_SESSION_UNLOCK(session);
+       fp_drop(p, uap->necp_fd, fp, 0);
+       return return_value;
 }
 
 }
 
-static bool
-necp_send_error_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id, u_int32_t error)
+struct necp_resolver_key_state {
+       const struct ccdigest_info *digest_info;
+       uint8_t key[CCSHA256_OUTPUT_SIZE];
+};
+static struct necp_resolver_key_state s_necp_resolver_key_state;
+
+static void
+necp_generate_resolver_key(void)
 {
 {
-       bool success = TRUE;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t);
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               return (FALSE);
+       s_necp_resolver_key_state.digest_info = ccsha256_di();
+       cc_rand_generate(s_necp_resolver_key_state.key, sizeof(s_necp_resolver_key_state.key));
+}
+
+static void
+necp_sign_update_context(const struct ccdigest_info *di,
+    cchmac_ctx_t ctx,
+    uuid_t client_id,
+    u_int8_t *query,
+    u_int32_t query_length,
+    u_int8_t *answer,
+    u_int32_t answer_length)
+{
+       const uint8_t context[32] = {[0 ... 31] = 0x20}; // 0x20 repeated 32 times
+       const char *context_string = "NECP Resolver Binder";
+       uint8_t separator = 0;
+       cchmac_update(di, ctx, sizeof(context), context);
+       cchmac_update(di, ctx, strlen(context_string), context_string);
+       cchmac_update(di, ctx, sizeof(separator), &separator);
+       cchmac_update(di, ctx, sizeof(uuid_t), client_id);
+       cchmac_update(di, ctx, sizeof(query_length), &query_length);
+       cchmac_update(di, ctx, query_length, query);
+       cchmac_update(di, ctx, sizeof(answer_length), &answer_length);
+       cchmac_update(di, ctx, answer_length, answer);
+}
+
+int
+necp_sign_resolver_answer(uuid_t client_id, u_int8_t *query, u_int32_t query_length,
+    u_int8_t *answer, u_int32_t answer_length,
+    u_int8_t *tag, u_int32_t *out_tag_length)
+{
+       if (s_necp_resolver_key_state.digest_info == NULL) {
+               return EINVAL;
+       }
+
+       if (query == NULL ||
+           query_length == 0 ||
+           answer == NULL ||
+           answer_length == 0 ||
+           tag == NULL ||
+           out_tag_length == NULL) {
+               return EINVAL;
        }
        }
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ERROR, sizeof(error), &error);
 
 
-       if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
+       size_t required_tag_length = s_necp_resolver_key_state.digest_info->output_size;
+       if (*out_tag_length < required_tag_length) {
+               return ERANGE;
        }
 
        }
 
-       FREE(response, M_NECP);
-       return (success);
+       *out_tag_length = required_tag_length;
+
+       cchmac_ctx_decl(s_necp_resolver_key_state.digest_info->state_size,
+           s_necp_resolver_key_state.digest_info->block_size, ctx);
+       cchmac_init(s_necp_resolver_key_state.digest_info, ctx,
+           sizeof(s_necp_resolver_key_state.key),
+           s_necp_resolver_key_state.key);
+       necp_sign_update_context(s_necp_resolver_key_state.digest_info,
+           ctx, client_id, query, query_length,
+           answer, answer_length);
+       cchmac_final(s_necp_resolver_key_state.digest_info, ctx, tag);
+
+       return 0;
 }
 
 }
 
-static bool
-necp_send_policy_id_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id, necp_policy_id policy_id)
+bool
+necp_validate_resolver_answer(uuid_t client_id, u_int8_t *query, u_int32_t query_length,
+    u_int8_t *answer, u_int32_t answer_length,
+    u_int8_t *tag, u_int32_t tag_length)
 {
 {
-       bool success = TRUE;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t);
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               return (FALSE);
+       if (s_necp_resolver_key_state.digest_info == NULL) {
+               return false;
        }
        }
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id);
 
 
-       if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
+       if (query == NULL ||
+           query_length == 0 ||
+           answer == NULL ||
+           answer_length == 0 ||
+           tag == NULL ||
+           tag_length == 0) {
+               return false;
        }
 
        }
 
-       FREE(response, M_NECP);
-       return (success);
+       size_t required_tag_length = s_necp_resolver_key_state.digest_info->output_size;
+       if (tag_length != required_tag_length) {
+               return false;
+       }
+
+       uint8_t actual_tag[required_tag_length];
+
+       cchmac_ctx_decl(s_necp_resolver_key_state.digest_info->state_size,
+           s_necp_resolver_key_state.digest_info->block_size, ctx);
+       cchmac_init(s_necp_resolver_key_state.digest_info, ctx,
+           sizeof(s_necp_resolver_key_state.key),
+           s_necp_resolver_key_state.key);
+       necp_sign_update_context(s_necp_resolver_key_state.digest_info,
+           ctx, client_id, query, query_length,
+           answer, answer_length);
+       cchmac_final(s_necp_resolver_key_state.digest_info, ctx, actual_tag);
+
+       return cc_cmp_safe(s_necp_resolver_key_state.digest_info->output_size, tag, actual_tag) == 0;
 }
 
 }
 
-static errno_t
-necp_ctl_send(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, mbuf_t packet, int flags)
+errno_t
+necp_init(void)
 {
 {
-#pragma unused(kctlref, unit, flags)
-       struct necp_session *session = (struct necp_session *)unitinfo;
-       struct necp_packet_header header;
-       int error = 0;
+       errno_t result = 0;
 
 
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Got a NULL session");
-               error = EINVAL;
+       necp_log_handle = os_log_create("com.apple.xnu.net.necp", "necp");
+
+       necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
+       if (necp_kernel_policy_grp_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
+               result = ENOMEM;
                goto done;
        }
 
                goto done;
        }
 
-       if (mbuf_pkthdr_len(packet) < sizeof(header)) {
-               NECPLOG(LOG_ERR, "Got a bad packet, length (%lu) < sizeof header (%lu)", mbuf_pkthdr_len(packet), sizeof(header));
-               error = EINVAL;
+       necp_kernel_policy_mtx_grp = lck_grp_alloc_init(NECP_CONTROL_NAME, necp_kernel_policy_grp_attr);
+       if (necp_kernel_policy_mtx_grp == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
+               result = ENOMEM;
                goto done;
        }
 
                goto done;
        }
 
-       error = mbuf_copydata(packet, 0, sizeof(header), &header);
-       if (error) {
-               NECPLOG(LOG_ERR, "mbuf_copydata failed for the header: %d", error);
-               error = ENOBUFS;
+       necp_kernel_policy_mtx_attr = lck_attr_alloc_init();
+       if (necp_kernel_policy_mtx_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
+               result = ENOMEM;
                goto done;
        }
 
                goto done;
        }
 
-       if (session->proc_locked) {
-               // Verify that the calling process is allowed to send messages
-               uuid_t proc_uuid;
-               proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
-               if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
-                       necp_send_error_response(session, header.packet_type, header.message_id, NECP_ERROR_INVALID_PROCESS);
-                       goto done;
-               }
-       } else {
-               // If not locked, update the proc_uuid and proc_pid of the session
-               proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
-               session->proc_pid = proc_pid(current_proc());
+       lck_rw_init(&necp_kernel_policy_lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
+
+       necp_route_rule_grp_attr = lck_grp_attr_alloc_init();
+       if (necp_route_rule_grp_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
+               result = ENOMEM;
+               goto done;
        }
 
        }
 
-       switch (header.packet_type) {
-               case NECP_PACKET_TYPE_POLICY_ADD: {
-                       necp_handle_policy_add(session, header.message_id, packet, sizeof(header));
-                       break;
+       necp_route_rule_mtx_grp = lck_grp_alloc_init("necp_route_rule", necp_route_rule_grp_attr);
+       if (necp_route_rule_mtx_grp == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       necp_route_rule_mtx_attr = lck_attr_alloc_init();
+       if (necp_route_rule_mtx_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       lck_rw_init(&necp_route_rule_lock, necp_route_rule_mtx_grp, necp_route_rule_mtx_attr);
+
+       necp_client_init();
+
+       TAILQ_INIT(&necp_session_list);
+
+       LIST_INIT(&necp_kernel_socket_policies);
+       LIST_INIT(&necp_kernel_ip_output_policies);
+
+       LIST_INIT(&necp_account_id_list);
+
+       LIST_INIT(&necp_uuid_service_id_list);
+
+       LIST_INIT(&necp_registered_service_list);
+
+       LIST_INIT(&necp_route_rules);
+       LIST_INIT(&necp_aggregate_route_rules);
+
+       necp_generate_resolver_key();
+
+       necp_uuid_app_id_hashtbl = hashinit(NECP_UUID_APP_ID_HASH_SIZE, M_NECP, &necp_uuid_app_id_hash_mask);
+       necp_uuid_app_id_hash_num_buckets = necp_uuid_app_id_hash_mask + 1;
+       necp_num_uuid_app_id_mappings = 0;
+       necp_uuid_app_id_mappings_dirty = FALSE;
+
+       necp_kernel_application_policies_condition_mask = 0;
+       necp_kernel_socket_policies_condition_mask = 0;
+       necp_kernel_ip_output_policies_condition_mask = 0;
+
+       necp_kernel_application_policies_count = 0;
+       necp_kernel_socket_policies_count = 0;
+       necp_kernel_socket_policies_non_app_count = 0;
+       necp_kernel_ip_output_policies_count = 0;
+       necp_kernel_ip_output_policies_non_id_count = 0;
+
+       necp_kernel_socket_policies_gencount = 1;
+
+       memset(&necp_kernel_socket_policies_map, 0, sizeof(necp_kernel_socket_policies_map));
+       memset(&necp_kernel_ip_output_policies_map, 0, sizeof(necp_kernel_ip_output_policies_map));
+       necp_kernel_socket_policies_app_layer_map = NULL;
+
+       necp_drop_unentitled_order = necp_get_first_order_for_priority(necp_drop_unentitled_level);
+
+done:
+       if (result != 0) {
+               if (necp_kernel_policy_mtx_attr != NULL) {
+                       lck_attr_free(necp_kernel_policy_mtx_attr);
+                       necp_kernel_policy_mtx_attr = NULL;
                }
                }
-               case NECP_PACKET_TYPE_POLICY_GET: {
-                       necp_handle_policy_get(session, header.message_id, packet, sizeof(header));
-                       break;
+               if (necp_kernel_policy_mtx_grp != NULL) {
+                       lck_grp_free(necp_kernel_policy_mtx_grp);
+                       necp_kernel_policy_mtx_grp = NULL;
                }
                }
-               case NECP_PACKET_TYPE_POLICY_DELETE: {
-                       necp_handle_policy_delete(session, header.message_id, packet, sizeof(header));
-                       break;
+               if (necp_kernel_policy_grp_attr != NULL) {
+                       lck_grp_attr_free(necp_kernel_policy_grp_attr);
+                       necp_kernel_policy_grp_attr = NULL;
                }
                }
-               case NECP_PACKET_TYPE_POLICY_APPLY_ALL: {
-                       necp_handle_policy_apply_all(session, header.message_id, packet, sizeof(header));
-                       break;
+               if (necp_route_rule_mtx_attr != NULL) {
+                       lck_attr_free(necp_route_rule_mtx_attr);
+                       necp_route_rule_mtx_attr = NULL;
                }
                }
-               case NECP_PACKET_TYPE_POLICY_LIST_ALL: {
-                       necp_handle_policy_list_all(session, header.message_id, packet, sizeof(header));
-                       break;
+               if (necp_route_rule_mtx_grp != NULL) {
+                       lck_grp_free(necp_route_rule_mtx_grp);
+                       necp_route_rule_mtx_grp = NULL;
                }
                }
-               case NECP_PACKET_TYPE_POLICY_DELETE_ALL: {
-                       necp_handle_policy_delete_all(session, header.message_id, packet, sizeof(header));
-                       break;
+               if (necp_route_rule_grp_attr != NULL) {
+                       lck_grp_attr_free(necp_route_rule_grp_attr);
+                       necp_route_rule_grp_attr = NULL;
                }
                }
-               case NECP_PACKET_TYPE_SET_SESSION_PRIORITY: {
-                       necp_handle_set_session_priority(session, header.message_id, packet, sizeof(header));
-                       break;
+       }
+       return result;
+}
+
+static void
+necp_post_change_event(struct kev_necp_policies_changed_data *necp_event_data)
+{
+       struct kev_msg ev_msg;
+       memset(&ev_msg, 0, sizeof(ev_msg));
+
+       ev_msg.vendor_code      = KEV_VENDOR_APPLE;
+       ev_msg.kev_class        = KEV_NETWORK_CLASS;
+       ev_msg.kev_subclass     = KEV_NECP_SUBCLASS;
+       ev_msg.event_code       = KEV_NECP_POLICIES_CHANGED;
+
+       ev_msg.dv[0].data_ptr    = necp_event_data;
+       ev_msg.dv[0].data_length = sizeof(necp_event_data->changed_count);
+       ev_msg.dv[1].data_length = 0;
+
+       kev_post_msg(&ev_msg);
+}
+
+static inline bool
+necp_buffer_write_tlv_validate(u_int8_t *cursor, u_int8_t type, u_int32_t length,
+    u_int8_t *buffer, u_int32_t buffer_length)
+{
+       if (cursor < buffer || (uintptr_t)(cursor - buffer) > buffer_length) {
+               NECPLOG0(LOG_ERR, "Cannot write TLV in buffer (invalid cursor)");
+               return false;
+       }
+       u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
+       if (next_tlv <= buffer || // make sure the next TLV start doesn't overflow
+           (uintptr_t)(next_tlv - buffer) > buffer_length) {     // make sure the next TLV has enough room in buffer
+               NECPLOG(LOG_ERR, "Cannot write TLV in buffer (TLV length %u, buffer length %u)",
+                   length, buffer_length);
+               return false;
+       }
+       return true;
+}
+
+u_int8_t *
+necp_buffer_write_tlv_if_different(u_int8_t *cursor, u_int8_t type,
+    u_int32_t length, const void *value, bool *updated,
+    u_int8_t *buffer, u_int32_t buffer_length)
+{
+       if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
+               // If we can't fit this TLV, return the current cursor
+               return cursor;
+       }
+       u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
+       if (*updated || *(u_int8_t *)(cursor) != type) {
+               *(u_int8_t *)(cursor) = type;
+               *updated = TRUE;
+       }
+       if (*updated || *(u_int32_t *)(void *)(cursor + sizeof(type)) != length) {
+               *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
+               *updated = TRUE;
+       }
+       if (length > 0) {
+               if (*updated || memcmp((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length) != 0) {
+                       memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
+                       *updated = TRUE;
                }
                }
-               case NECP_PACKET_TYPE_LOCK_SESSION_TO_PROC: {
-                       necp_handle_lock_session_to_proc(session, header.message_id, packet, sizeof(header));
-                       break;
+       }
+       return next_tlv;
+}
+
+u_int8_t *
+necp_buffer_write_tlv(u_int8_t *cursor, u_int8_t type,
+    u_int32_t length, const void *value,
+    u_int8_t *buffer, u_int32_t buffer_length)
+{
+       if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
+               return NULL;
+       }
+       u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
+       *(u_int8_t *)(cursor) = type;
+       *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
+       if (length > 0) {
+               memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
+       }
+
+       return next_tlv;
+}
+
+u_int8_t
+necp_buffer_get_tlv_type(u_int8_t *buffer, int tlv_offset)
+{
+       u_int8_t *type = NULL;
+
+       if (buffer == NULL) {
+               return 0;
+       }
+
+       type = (u_int8_t *)((u_int8_t *)buffer + tlv_offset);
+       return type ? *type : 0;
+}
+
+u_int32_t
+necp_buffer_get_tlv_length(u_int8_t *buffer, int tlv_offset)
+{
+       u_int32_t *length = NULL;
+
+       if (buffer == NULL) {
+               return 0;
+       }
+
+       length = (u_int32_t *)(void *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t));
+       return length ? *length : 0;
+}
+
+u_int8_t *
+necp_buffer_get_tlv_value(u_int8_t *buffer, int tlv_offset, u_int32_t *value_size)
+{
+       u_int8_t *value = NULL;
+       u_int32_t length = necp_buffer_get_tlv_length(buffer, tlv_offset);
+       if (length == 0) {
+               return value;
+       }
+
+       if (value_size) {
+               *value_size = length;
+       }
+
+       value = (u_int8_t *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
+       return value;
+}
+
+int
+necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
+{
+       if (err != NULL) {
+               *err = ENOENT;
+       }
+       if (offset < 0) {
+               if (err != NULL) {
+                       *err = EINVAL;
                }
                }
-               case NECP_PACKET_TYPE_REGISTER_SERVICE: {
-                       necp_handle_register_service(session, header.message_id, packet, sizeof(header));
-                       break;
+               return -1;
+       }
+       int cursor = offset;
+       int next_cursor;
+       u_int32_t curr_length;
+       u_int8_t curr_type;
+
+       while (TRUE) {
+               if ((((u_int32_t)cursor) + sizeof(curr_type) + sizeof(curr_length)) > buffer_length) {
+                       return -1;
                }
                }
-               case NECP_PACKET_TYPE_UNREGISTER_SERVICE: {
-                       necp_handle_unregister_service(session, header.message_id, packet, sizeof(header));
-                       break;
+               if (!next) {
+                       curr_type = necp_buffer_get_tlv_type(buffer, cursor);
+               } else {
+                       next = 0;
+                       curr_type = NECP_TLV_NIL;
                }
                }
-               default: {
-                       NECPLOG(LOG_ERR, "Received unknown message type %d", header.packet_type);
-                       necp_send_error_response(session, header.packet_type, header.message_id, NECP_ERROR_UNKNOWN_PACKET_TYPE);
-                       break;
+               curr_length = necp_buffer_get_tlv_length(buffer, cursor);
+               if (curr_length > buffer_length - ((u_int32_t)cursor + sizeof(curr_type) + sizeof(curr_length))) {
+                       return -1;
                }
                }
+
+               next_cursor = (cursor + sizeof(curr_type) + sizeof(curr_length) + curr_length);
+               if (curr_type == type) {
+                       // check if entire TLV fits inside buffer
+                       if (((u_int32_t)next_cursor) <= buffer_length) {
+                               if (err != NULL) {
+                                       *err = 0;
+                               }
+                               return cursor;
+                       } else {
+                               return -1;
+                       }
+               }
+               cursor = next_cursor;
+       }
+}
+
+static int
+necp_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
+{
+       int cursor = -1;
+       if (buffer != NULL) {
+               cursor = necp_buffer_find_tlv(buffer, buffer_length, offset, type, err, next);
+       }
+       return cursor;
+}
+
+static int
+necp_get_tlv_at_offset(u_int8_t *buffer, u_int32_t buffer_length,
+    int tlv_offset, u_int32_t out_buffer_length, void *out_buffer, u_int32_t *value_size)
+{
+       if (buffer == NULL) {
+               NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset buffer is NULL");
+               return EINVAL;
+       }
+
+       // Handle buffer parsing
+
+       // Validate that buffer has enough room for any TLV
+       if (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) > buffer_length) {
+               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV (%u < %lu)",
+                   buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
+               return EINVAL;
+       }
+
+       // Validate that buffer has enough room for this TLV
+       u_int32_t tlv_length = necp_buffer_get_tlv_length(buffer, tlv_offset);
+       if (tlv_length > buffer_length - (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t))) {
+               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV of length %u (%u < %lu)",
+                   tlv_length, buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) + tlv_length);
+               return EINVAL;
+       }
+
+       if (out_buffer != NULL && out_buffer_length > 0) {
+               // Validate that out buffer is large enough for  value
+               if (out_buffer_length < tlv_length) {
+                       NECPLOG(LOG_ERR, "necp_get_tlv_at_offset out_buffer_length is too small for TLV value (%u < %u)",
+                           out_buffer_length, tlv_length);
+                       return EINVAL;
+               }
+
+               // Get value pointer
+               u_int8_t *tlv_value = necp_buffer_get_tlv_value(buffer, tlv_offset, NULL);
+               if (tlv_value == NULL) {
+                       NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset tlv_value is NULL");
+                       return ENOENT;
+               }
+
+               // Copy value
+               memcpy(out_buffer, tlv_value, tlv_length);
+       }
+
+       // Copy out length
+       if (value_size != NULL) {
+               *value_size = tlv_length;
        }
 
        }
 
-done:
-       mbuf_freem(packet);
-       return (error);
+       return 0;
 }
 
 }
 
-static void
-necp_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int flags)
+static int
+necp_get_tlv(u_int8_t *buffer, u_int32_t buffer_length,
+    int offset, u_int8_t type, u_int32_t buff_len, void *buff, u_int32_t *value_size)
 {
 {
-#pragma unused(kctlref, unit, unitinfo, flags)
-       return;
-}
+       int error = 0;
 
 
-static errno_t
-necp_ctl_getopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t *len)
-{
-#pragma unused(kctlref, unit, unitinfo, opt, data, len)
-       return (0);
-}
+       int tlv_offset = necp_find_tlv(buffer, buffer_length, offset, type, &error, 0);
+       if (tlv_offset < 0) {
+               return error;
+       }
 
 
-static errno_t
-necp_ctl_setopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t len)
-{
-#pragma unused(kctlref, unit, unitinfo, opt, data, len)
-       return (0);
+       return necp_get_tlv_at_offset(buffer, buffer_length, tlv_offset, buff_len, buff, value_size);
 }
 
 // Session Management
 }
 
 // Session Management
+
 static struct necp_session *
 static struct necp_session *
-necp_create_session(u_int32_t control_unit)
+necp_create_session(void)
 {
        struct necp_session *new_session = NULL;
 
 {
        struct necp_session *new_session = NULL;
 
-       MALLOC(new_session, struct necp_session *, sizeof(*new_session), M_NECP, M_WAITOK);
+       MALLOC(new_session, struct necp_session *, sizeof(*new_session), M_NECP, M_WAITOK | M_ZERO);
        if (new_session == NULL) {
                goto done;
        }
        if (new_session == NULL) {
                goto done;
        }
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Create NECP session, control unit %d", control_unit);
-       }
-       memset(new_session, 0, sizeof(*new_session));
+
+       new_session->necp_fd_type = necp_fd_type_session;
        new_session->session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
        new_session->session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
-       new_session->session_order = necp_allocate_new_session_order(new_session->session_priority, control_unit);
-       new_session->control_unit = control_unit;
        new_session->dirty = FALSE;
        LIST_INIT(&new_session->policies);
        new_session->dirty = FALSE;
        LIST_INIT(&new_session->policies);
+       lck_mtx_init(&new_session->lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
 
 
+       // Take the lock
        lck_rw_lock_exclusive(&necp_kernel_policy_lock);
        lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+
+       // Find the next available control unit
+       u_int32_t control_unit = 1;
+       struct necp_session *next_session = NULL;
+       TAILQ_FOREACH(next_session, &necp_session_list, chain) {
+               if (next_session->control_unit > control_unit) {
+                       // Found a gap, grab this control unit
+                       break;
+               }
+
+               // Try the next control unit, loop around
+               control_unit = next_session->control_unit + 1;
+       }
+
+       new_session->control_unit = control_unit;
+       new_session->session_order = necp_allocate_new_session_order(new_session->session_priority, control_unit);
+
+       if (next_session != NULL) {
+               TAILQ_INSERT_BEFORE(next_session, new_session, chain);
+       } else {
+               TAILQ_INSERT_TAIL(&necp_session_list, new_session, chain);
+       }
+
        necp_session_count++;
        lck_rw_done(&necp_kernel_policy_lock);
 
        necp_session_count++;
        lck_rw_done(&necp_kernel_policy_lock);
 
+       if (necp_debug) {
+               NECPLOG(LOG_DEBUG, "Created NECP session, control unit %d", control_unit);
+       }
+
 done:
 done:
-       return (new_session);
+       return new_session;
 }
 
 static void
 }
 
 static void
@@ -1108,31 +1760,35 @@ necp_delete_session(struct necp_session *session)
                if (necp_debug) {
                        NECPLOG0(LOG_DEBUG, "Deleted NECP session");
                }
                if (necp_debug) {
                        NECPLOG0(LOG_DEBUG, "Deleted NECP session");
                }
-               FREE(session, M_NECP);
 
                lck_rw_lock_exclusive(&necp_kernel_policy_lock);
 
                lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+               TAILQ_REMOVE(&necp_session_list, session, chain);
                necp_session_count--;
                lck_rw_done(&necp_kernel_policy_lock);
                necp_session_count--;
                lck_rw_done(&necp_kernel_policy_lock);
+
+               lck_mtx_destroy(&session->lock, necp_kernel_policy_mtx_grp);
+               FREE(session, M_NECP);
        }
 }
 
 // Session Policy Management
        }
 }
 
 // Session Policy Management
+
 static inline u_int8_t
 necp_policy_result_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 static inline u_int8_t
 necp_policy_result_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0);
+       return (buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0;
 }
 
 static inline u_int32_t
 necp_policy_result_get_parameter_length_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline u_int32_t
 necp_policy_result_get_parameter_length_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length > sizeof(u_int8_t)) ? (length - sizeof(u_int8_t)) : 0);
+       return (buffer && length > sizeof(u_int8_t)) ? (length - sizeof(u_int8_t)) : 0;
 }
 
 static inline u_int8_t *
 necp_policy_result_get_parameter_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline u_int8_t *
 necp_policy_result_get_parameter_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length > sizeof(u_int8_t)) ? (buffer + sizeof(u_int8_t)) : NULL);
+       return (buffer && length > sizeof(u_int8_t)) ? (buffer + sizeof(u_int8_t)) : NULL;
 }
 
 static bool
 }
 
 static bool
@@ -1140,9 +1796,21 @@ necp_policy_result_requires_route_rules(u_int8_t *buffer, u_int32_t length)
 {
        u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
        if (type == NECP_POLICY_RESULT_ROUTE_RULES) {
 {
        u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
        if (type == NECP_POLICY_RESULT_ROUTE_RULES) {
-               return (TRUE);
+               return TRUE;
+       }
+       return FALSE;
+}
+
+static inline bool
+necp_address_is_valid(struct sockaddr *address)
+{
+       if (address->sa_family == AF_INET) {
+               return address->sa_len == sizeof(struct sockaddr_in);
+       } else if (address->sa_family == AF_INET6) {
+               return address->sa_len == sizeof(struct sockaddr_in6);
+       } else {
+               return FALSE;
        }
        }
-       return (FALSE);
 }
 
 static bool
 }
 
 static bool
@@ -1152,113 +1820,123 @@ necp_policy_result_is_valid(u_int8_t *buffer, u_int32_t length)
        u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
        u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
        switch (type) {
        u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
        u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
        switch (type) {
-               case NECP_POLICY_RESULT_PASS: {
+       case NECP_POLICY_RESULT_PASS: {
+               if (parameter_length == 0 || parameter_length == sizeof(u_int32_t)) {
                        validated = TRUE;
                        validated = TRUE;
-                       break;
-               }
-               case NECP_POLICY_RESULT_SKIP: {
-                       if (parameter_length >= sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
                }
                }
-               case NECP_POLICY_RESULT_DROP: {
+               break;
+       }
+       case NECP_POLICY_RESULT_DROP: {
+               if (parameter_length == 0 || parameter_length == sizeof(u_int32_t)) {
                        validated = TRUE;
                        validated = TRUE;
-                       break;
-               }
-               case NECP_POLICY_RESULT_SOCKET_DIVERT: {
-                       if (parameter_length >= sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
-               }
-               case NECP_POLICY_RESULT_SOCKET_SCOPED: {
-                       if (parameter_length > 0) {
-                               validated = TRUE;
-                       }
-                       break;
-               }
-               case NECP_POLICY_RESULT_IP_TUNNEL: {
-                       if (parameter_length > sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
                }
                }
-               case NECP_POLICY_RESULT_SOCKET_FILTER: {
-                       if (parameter_length >= sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_RESULT_ROUTE_RULES:
+       case NECP_POLICY_RESULT_SCOPED_DIRECT:
+       case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
+               validated = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_SKIP:
+       case NECP_POLICY_RESULT_SOCKET_DIVERT:
+       case NECP_POLICY_RESULT_SOCKET_FILTER: {
+               if (parameter_length >= sizeof(u_int32_t)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_RESULT_ROUTE_RULES: {
+               break;
+       }
+       case NECP_POLICY_RESULT_IP_TUNNEL: {
+               if (parameter_length > sizeof(u_int32_t)) {
                        validated = TRUE;
                        validated = TRUE;
-                       break;
                }
                }
-               case NECP_POLICY_RESULT_TRIGGER:
-               case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
-               case NECP_POLICY_RESULT_TRIGGER_SCOPED:
-               case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED:
-               case NECP_POLICY_RESULT_USE_NETAGENT: {
-                       if (parameter_length >= sizeof(uuid_t)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_RESULT_SOCKET_SCOPED: {
+               if (parameter_length > 0) {
+                       validated = TRUE;
                }
                }
-               default: {
-                       validated = FALSE;
-                       break;
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER:
+       case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
+       case NECP_POLICY_RESULT_TRIGGER_SCOPED:
+       case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED:
+       case NECP_POLICY_RESULT_USE_NETAGENT:
+       case NECP_POLICY_RESULT_NETAGENT_SCOPED:{
+               if (parameter_length >= sizeof(uuid_t)) {
+                       validated = TRUE;
                }
                }
+               break;
+       }
+       default: {
+               validated = FALSE;
+               break;
+       }
        }
 
        if (necp_debug) {
                NECPLOG(LOG_DEBUG, "Policy result type %d, valid %d", type, validated);
        }
 
        }
 
        if (necp_debug) {
                NECPLOG(LOG_DEBUG, "Policy result type %d, valid %d", type, validated);
        }
 
-       return (validated);
+       return validated;
 }
 
 static inline u_int8_t
 necp_policy_condition_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline u_int8_t
 necp_policy_condition_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0);
+       return (buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0;
 }
 
 static inline u_int8_t
 necp_policy_condition_get_flags_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline u_int8_t
 necp_policy_condition_get_flags_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length >= (2 * sizeof(u_int8_t))) ? buffer[1] : 0);
+       return (buffer && length >= (2 * sizeof(u_int8_t))) ? buffer[1] : 0;
 }
 
 static inline u_int32_t
 necp_policy_condition_get_value_length_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline u_int32_t
 necp_policy_condition_get_value_length_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length >= (2 * sizeof(u_int8_t))) ? (length - (2 * sizeof(u_int8_t))) : 0);
+       return (buffer && length >= (2 * sizeof(u_int8_t))) ? (length - (2 * sizeof(u_int8_t))) : 0;
 }
 
 static inline u_int8_t *
 necp_policy_condition_get_value_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline u_int8_t *
 necp_policy_condition_get_value_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
 {
-       return ((buffer && length > (2 * sizeof(u_int8_t))) ? (buffer + (2 * sizeof(u_int8_t))) : NULL);
+       return (buffer && length > (2 * sizeof(u_int8_t))) ? (buffer + (2 * sizeof(u_int8_t))) : NULL;
 }
 
 static inline bool
 necp_policy_condition_is_default(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline bool
 necp_policy_condition_is_default(u_int8_t *buffer, u_int32_t length)
 {
-       return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_DEFAULT);
+       return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_DEFAULT;
 }
 
 static inline bool
 necp_policy_condition_is_application(u_int8_t *buffer, u_int32_t length)
 {
 }
 
 static inline bool
 necp_policy_condition_is_application(u_int8_t *buffer, u_int32_t length)
 {
-       return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_APPLICATION);
+       return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_APPLICATION;
+}
+
+static inline bool
+necp_policy_condition_is_real_application(u_int8_t *buffer, u_int32_t length)
+{
+       return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_REAL_APPLICATION;
 }
 
 static inline bool
 necp_policy_condition_requires_application(u_int8_t *buffer, u_int32_t length)
 {
        u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
 }
 
 static inline bool
 necp_policy_condition_requires_application(u_int8_t *buffer, u_int32_t length)
 {
        u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
-       return (type == NECP_POLICY_CONDITION_REAL_APPLICATION ||
-                       type == NECP_POLICY_CONDITION_ENTITLEMENT);
+       return type == NECP_POLICY_CONDITION_REAL_APPLICATION;
+}
+
+static inline bool
+necp_policy_condition_requires_real_application(u_int8_t *buffer, u_int32_t length)
+{
+       u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
+       u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
+       return type == NECP_POLICY_CONDITION_ENTITLEMENT && condition_length > 0;
 }
 
 static bool
 }
 
 static bool
@@ -1266,295 +1944,248 @@ necp_policy_condition_is_valid(u_int8_t *buffer, u_int32_t length, u_int8_t poli
 {
        bool validated = FALSE;
        bool result_cannot_have_ip_layer = (policy_result_type == NECP_POLICY_RESULT_SOCKET_DIVERT ||
 {
        bool validated = FALSE;
        bool result_cannot_have_ip_layer = (policy_result_type == NECP_POLICY_RESULT_SOCKET_DIVERT ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_SOCKET_FILTER ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_TRIGGER ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_TRIGGER_IF_NEEDED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_TRIGGER_SCOPED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_NO_TRIGGER_SCOPED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_SOCKET_SCOPED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_ROUTE_RULES ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_USE_NETAGENT) ? TRUE : FALSE;
+           policy_result_type == NECP_POLICY_RESULT_SOCKET_FILTER ||
+           policy_result_type == NECP_POLICY_RESULT_TRIGGER ||
+           policy_result_type == NECP_POLICY_RESULT_TRIGGER_IF_NEEDED ||
+           policy_result_type == NECP_POLICY_RESULT_TRIGGER_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_NO_TRIGGER_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_SOCKET_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_ROUTE_RULES ||
+           policy_result_type == NECP_POLICY_RESULT_USE_NETAGENT ||
+           policy_result_type == NECP_POLICY_RESULT_NETAGENT_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_SCOPED_DIRECT ||
+           policy_result_type == NECP_POLICY_RESULT_ALLOW_UNENTITLED) ? TRUE : FALSE;
        u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
        u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(buffer, length);
        u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
        u_int8_t flags = necp_policy_condition_get_flags_from_buffer(buffer, length);
        switch (type) {
        u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
        u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(buffer, length);
        u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
        u_int8_t flags = necp_policy_condition_get_flags_from_buffer(buffer, length);
        switch (type) {
-               case NECP_POLICY_CONDITION_APPLICATION:
-               case NECP_POLICY_CONDITION_REAL_APPLICATION: {
-                       if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
-                               condition_length >= sizeof(uuid_t) &&
-                               condition_value != NULL &&
-                               !uuid_is_null(condition_value)) {
-                               validated = TRUE;
-                       }
-                       break;
+       case NECP_POLICY_CONDITION_APPLICATION:
+       case NECP_POLICY_CONDITION_REAL_APPLICATION: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
+                   condition_length >= sizeof(uuid_t) &&
+                   condition_value != NULL &&
+                   !uuid_is_null(condition_value)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_DOMAIN:
-               case NECP_POLICY_CONDITION_ACCOUNT:
-               case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
-                       if (condition_length > 0) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_DOMAIN:
+       case NECP_POLICY_CONDITION_ACCOUNT:
+       case NECP_POLICY_CONDITION_BOUND_INTERFACE:
+       case NECP_POLICY_CONDITION_SIGNING_IDENTIFIER: {
+               if (condition_length > 0) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
-                       if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
+               if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_DEFAULT:
-               case NECP_POLICY_CONDITION_ALL_INTERFACES:
-               case NECP_POLICY_CONDITION_ENTITLEMENT: {
-                       if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_DEFAULT:
+       case NECP_POLICY_CONDITION_ALL_INTERFACES:
+       case NECP_POLICY_CONDITION_ENTITLEMENT:
+       case NECP_POLICY_CONDITION_PLATFORM_BINARY:
+       case NECP_POLICY_CONDITION_HAS_CLIENT:
+       case NECP_POLICY_CONDITION_LOCAL_NETWORKS: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_IP_PROTOCOL: {
-                       if (condition_length >= sizeof(u_int16_t)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_SDK_VERSION: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
+                   condition_length >= sizeof(struct necp_policy_condition_sdk_version)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_PID: {
-                       if (condition_length >= sizeof(pid_t) &&
-                               condition_value != NULL &&
-                               *((pid_t *)(void *)condition_value) != 0) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_IP_PROTOCOL: {
+               if (condition_length >= sizeof(u_int16_t)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_UID: {
-                       if (condition_length >= sizeof(uid_t)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_PID: {
+               if (condition_length >= sizeof(pid_t) &&
+                   condition_value != NULL &&
+                   *((pid_t *)(void *)condition_value) != 0) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_LOCAL_ADDR:
-               case NECP_POLICY_CONDITION_REMOTE_ADDR: {
-                       if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_UID: {
+               if (condition_length >= sizeof(uid_t)) {
+                       validated = TRUE;
                }
                }
-               case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
-               case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
-                       if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr_range)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_LOCAL_ADDR:
+       case NECP_POLICY_CONDITION_REMOTE_ADDR: {
+               if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
+                       validated = TRUE;
                }
                }
-               default: {
-                       validated = FALSE;
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
+       case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
+               if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
+                       validated = TRUE;
                }
                }
+               break;
        }
        }
-
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Policy condition type %d, valid %d", type, validated);
+       case NECP_POLICY_CONDITION_AGENT_TYPE: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
+                   condition_length >= sizeof(struct necp_policy_condition_agent_type)) {
+                       validated = TRUE;
+               }
+               break;
        }
        }
-
-       return (validated);
-}
-
-static bool
-necp_policy_route_rule_is_default(u_int8_t *buffer, u_int32_t length)
-{
-       return (necp_policy_condition_get_value_length_from_buffer(buffer, length) == 0 &&
-                       necp_policy_condition_get_flags_from_buffer(buffer, length) == 0);
-}
-
-static bool
-necp_policy_route_rule_is_valid(u_int8_t *buffer, u_int32_t length)
-{
-       bool validated = FALSE;
-       u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
-       switch (type) {
-               case NECP_ROUTE_RULE_ALLOW_INTERFACE: {
+       case NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL: {
+               if (condition_length >= sizeof(u_int16_t)) {
                        validated = TRUE;
                        validated = TRUE;
-                       break;
                }
                }
-               case NECP_ROUTE_RULE_DENY_INTERFACE: {
+               break;
+       }
+       case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR:
+       case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR: {
+               if (condition_length >= sizeof(struct necp_policy_condition_addr) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
                        validated = TRUE;
                        validated = TRUE;
-                       break;
                }
                }
-               default: {
-                       validated = FALSE;
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE:
+       case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE: {
+               if (condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
+                       validated = TRUE;
                }
                }
+               break;
        }
        }
-
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Policy route rule type %d, valid %d", type, validated);
+       case NECP_POLICY_CONDITION_CLIENT_FLAGS: {
+               if (condition_length == 0 || condition_length >= sizeof(u_int32_t)) {
+                       validated = TRUE;
+               }
+               break;
        }
        }
-
-       return (validated);
-}
-
-static void
-necp_handle_set_session_priority(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-       int error;
-       struct necp_session_policy *policy = NULL;
-       struct necp_session_policy *temp_policy = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       u_int32_t requested_session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
-
-       // Read policy id
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_SESSION_PRIORITY, sizeof(requested_session_priority), &requested_session_priority, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get session priority: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY: {
+               validated = TRUE;
+               break;
        }
        }
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to find session");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
+       case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY: {
+               validated = TRUE;
+               break;
        }
        }
-
-       // Enforce special session priorities with entitlements
-       if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
-               requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL) {
-               errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
-               if (cred_result != 0) {
-                       NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
-                       goto fail;
+       case NECP_POLICY_CONDITION_PACKET_FILTER_TAGS: {
+               if (condition_length >= sizeof(u_int16_t)) {
+                       u_int16_t packet_filter_tags = *(u_int16_t *)(void *)condition_value;
+                       if (packet_filter_tags > 0 && packet_filter_tags <= NECP_POLICY_CONDITION_PACKET_FILTER_TAG_MAX) {
+                               validated = TRUE;
+                       }
                }
                }
+               break;
+       }
+       case NECP_POLICY_CONDITION_FLOW_IS_LOOPBACK: {
+               validated = TRUE;
+               break;
+       }
+       default: {
+               validated = FALSE;
+               break;
        }
        }
-
-       if (session->session_priority != requested_session_priority) {
-               session->session_priority = requested_session_priority;
-               session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
-               session->dirty = TRUE;
-
-               // Mark all policies as needing updates
-               LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
-                       policy->pending_update = TRUE;
-               }
        }
 
        }
 
-       necp_send_success_response(session, NECP_PACKET_TYPE_SET_SESSION_PRIORITY, message_id);
-       return;
+       if (necp_debug) {
+               NECPLOG(LOG_DEBUG, "Policy condition type %d, valid %d", type, validated);
+       }
 
 
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_SET_SESSION_PRIORITY, message_id, response_error);
+       return validated;
 }
 
 }
 
-static void
-necp_handle_lock_session_to_proc(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static bool
+necp_policy_route_rule_is_default(u_int8_t *buffer, u_int32_t length)
 {
 {
-#pragma unused(packet, offset)
-       // proc_uuid already filled out
-       session->proc_locked = TRUE;
-       necp_send_success_response(session, NECP_PACKET_TYPE_LOCK_SESSION_TO_PROC, message_id);
+       return necp_policy_condition_get_value_length_from_buffer(buffer, length) == 0 &&
+              necp_policy_condition_get_flags_from_buffer(buffer, length) == 0;
 }
 
 }
 
-static void
-necp_handle_register_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static bool
+necp_policy_route_rule_is_valid(u_int8_t *buffer, u_int32_t length)
 {
 {
-       int error;
-       struct necp_service_registration *new_service = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       uuid_t service_uuid;
-       uuid_clear(service_uuid);
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to find session");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
+       bool validated = FALSE;
+       u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
+       switch (type) {
+       case NECP_ROUTE_RULE_ALLOW_INTERFACE: {
+               validated = TRUE;
+               break;
        }
        }
-
-       // Enforce entitlements
-       errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
-       if (cred_result != 0) {
-               NECPLOG0(LOG_ERR, "Session does not hold necessary entitlement to register service");
-               goto fail;
+       case NECP_ROUTE_RULE_DENY_INTERFACE: {
+               validated = TRUE;
+               break;
        }
        }
-
-       // Read service uuid
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_SERVICE_UUID, sizeof(uuid_t), service_uuid, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get service UUID: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       case NECP_ROUTE_RULE_QOS_MARKING: {
+               validated = TRUE;
+               break;
+       }
+       case NECP_ROUTE_RULE_DENY_LQM_ABORT: {
+               validated = TRUE;
+               break;
+       }
+       default: {
+               validated = FALSE;
+               break;
        }
        }
-
-       MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK);
-       if (new_service == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to allocate service registration");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
        }
        }
-       
-       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
-       memset(new_service, 0, sizeof(*new_service));
-       new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
-       LIST_INSERT_HEAD(&session->services, new_service, session_chain);
-       LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
-       lck_rw_done(&necp_kernel_policy_lock);
 
 
-       necp_send_success_response(session, NECP_PACKET_TYPE_REGISTER_SERVICE, message_id);
-       return;
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_REGISTER_SERVICE, message_id, response_error);
+       if (necp_debug) {
+               NECPLOG(LOG_DEBUG, "Policy route rule type %d, valid %d", type, validated);
+       }
+
+       return validated;
 }
 
 }
 
-static void
-necp_handle_unregister_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static int
+necp_get_posix_error_for_necp_error(int response_error)
 {
 {
-       int error;
-       struct necp_service_registration *service = NULL;
-       struct necp_service_registration *temp_service = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       struct necp_uuid_id_mapping *mapping = NULL;
-       uuid_t service_uuid;
-       uuid_clear(service_uuid);
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to find session");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
+       switch (response_error) {
+       case NECP_ERROR_UNKNOWN_PACKET_TYPE:
+       case NECP_ERROR_INVALID_TLV:
+       case NECP_ERROR_POLICY_RESULT_INVALID:
+       case NECP_ERROR_POLICY_CONDITIONS_INVALID:
+       case NECP_ERROR_ROUTE_RULES_INVALID: {
+               return EINVAL;
        }
        }
-
-       // Read service uuid
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_SERVICE_UUID, sizeof(uuid_t), service_uuid, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get service UUID: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       case NECP_ERROR_POLICY_ID_NOT_FOUND: {
+               return ENOENT;
+       }
+       case NECP_ERROR_INVALID_PROCESS: {
+               return EPERM;
+       }
+       case NECP_ERROR_INTERNAL:
+       default: {
+               return ENOMEM;
        }
        }
-
-       // Mark remove all matching services for this session
-       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
-       mapping = necp_uuid_lookup_service_id_locked(service_uuid);
-       if (mapping != NULL) {
-               LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
-                       if (service->service_id == mapping->id) {
-                               LIST_REMOVE(service, session_chain);
-                               LIST_REMOVE(service, kernel_chain);
-                               FREE(service, M_NECP);
-                       }
-               }
-               necp_remove_uuid_service_id_mapping(service_uuid);
        }
        }
-       lck_rw_done(&necp_kernel_policy_lock);
-
-       necp_send_success_response(session, NECP_PACKET_TYPE_UNREGISTER_SERVICE, message_id);
-       return;
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_UNREGISTER_SERVICE, message_id, response_error);
 }
 
 }
 
-static void
-necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static necp_policy_id
+necp_handle_policy_add(struct necp_session *session,
+    u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *return_error)
 {
        bool has_default_condition = FALSE;
        bool has_non_default_condition = FALSE;
        bool has_application_condition = FALSE;
 {
        bool has_default_condition = FALSE;
        bool has_non_default_condition = FALSE;
        bool has_application_condition = FALSE;
+       bool has_real_application_condition = FALSE;
        bool requires_application_condition = FALSE;
        bool requires_application_condition = FALSE;
+       bool requires_real_application_condition = FALSE;
        u_int8_t *conditions_array = NULL;
        u_int32_t conditions_array_size = 0;
        int conditions_array_cursor;
        u_int8_t *conditions_array = NULL;
        u_int32_t conditions_array_size = 0;
        int conditions_array_cursor;
@@ -1574,7 +2205,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
        u_int32_t policy_result_size = 0;
 
        // Read policy order
        u_int32_t policy_result_size = 0;
 
        // Read policy order
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_POLICY_ORDER, sizeof(order), &order, NULL);
+       error = necp_get_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_ORDER, sizeof(order), &order, NULL);
        if (error) {
                NECPLOG(LOG_ERR, "Failed to get policy order: %d", error);
                response_error = NECP_ERROR_INVALID_TLV;
        if (error) {
                NECPLOG(LOG_ERR, "Failed to get policy order: %d", error);
                response_error = NECP_ERROR_INVALID_TLV;
@@ -1582,20 +2213,30 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
        }
 
        // Read policy result
        }
 
        // Read policy result
-       cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_RESULT, &error, 0);
-       error = necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &policy_result_size);
+       cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_RESULT, &error, 0);
+       if (error || cursor < 0) {
+               NECPLOG(LOG_ERR, "Failed to find policy result TLV: %d", error);
+               response_error = NECP_ERROR_INVALID_TLV;
+               goto fail;
+       }
+       error = necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &policy_result_size);
        if (error || policy_result_size == 0) {
                NECPLOG(LOG_ERR, "Failed to get policy result length: %d", error);
                response_error = NECP_ERROR_INVALID_TLV;
                goto fail;
        }
        if (error || policy_result_size == 0) {
                NECPLOG(LOG_ERR, "Failed to get policy result length: %d", error);
                response_error = NECP_ERROR_INVALID_TLV;
                goto fail;
        }
+       if (policy_result_size > NECP_MAX_POLICY_RESULT_SIZE) {
+               NECPLOG(LOG_ERR, "Policy result length too large: %u", policy_result_size);
+               response_error = NECP_ERROR_INVALID_TLV;
+               goto fail;
+       }
        MALLOC(policy_result, u_int8_t *, policy_result_size, M_NECP, M_WAITOK);
        if (policy_result == NULL) {
                NECPLOG(LOG_ERR, "Failed to allocate a policy result buffer (size %d)", policy_result_size);
                response_error = NECP_ERROR_INTERNAL;
                goto fail;
        }
        MALLOC(policy_result, u_int8_t *, policy_result_size, M_NECP, M_WAITOK);
        if (policy_result == NULL) {
                NECPLOG(LOG_ERR, "Failed to allocate a policy result buffer (size %d)", policy_result_size);
                response_error = NECP_ERROR_INTERNAL;
                goto fail;
        }
-       error = necp_packet_get_tlv_at_offset(packet, cursor, policy_result_size, policy_result, NULL);
+       error = necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, policy_result_size, policy_result, NULL);
        if (error) {
                NECPLOG(LOG_ERR, "Failed to get policy result: %d", error);
                response_error = NECP_ERROR_POLICY_RESULT_INVALID;
        if (error) {
                NECPLOG(LOG_ERR, "Failed to get policy result: %d", error);
                response_error = NECP_ERROR_POLICY_RESULT_INVALID;
@@ -1609,13 +2250,17 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
 
        if (necp_policy_result_requires_route_rules(policy_result, policy_result_size)) {
                // Read route rules conditions
 
        if (necp_policy_result_requires_route_rules(policy_result, policy_result_size)) {
                // Read route rules conditions
-               for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_ROUTE_RULE, &error, 0);
-                        cursor >= 0;
-                        cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
+               for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
+                   cursor >= 0;
+                   cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
                        u_int32_t route_rule_size = 0;
                        u_int32_t route_rule_size = 0;
-                       necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &route_rule_size);
-                       if (route_rule_size > 0) {
-                               route_rules_array_size += (sizeof(u_int8_t) + sizeof(u_int32_t) + route_rule_size);
+                       necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
+                       if (os_add_overflow(route_rules_array_size,
+                           (sizeof(u_int8_t) + sizeof(u_int32_t) + route_rule_size),
+                           &route_rules_array_size)) {
+                               NECPLOG0(LOG_ERR, "Route rules size overflowed, too large");
+                               response_error = NECP_ERROR_INVALID_TLV;
+                               goto fail;
                        }
                }
 
                        }
                }
 
@@ -1624,7 +2269,11 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                        response_error = NECP_ERROR_INVALID_TLV;
                        goto fail;
                }
                        response_error = NECP_ERROR_INVALID_TLV;
                        goto fail;
                }
-
+               if (route_rules_array_size > NECP_MAX_ROUTE_RULES_ARRAY_SIZE) {
+                       NECPLOG(LOG_ERR, "Route rules length too large: %u", route_rules_array_size);
+                       response_error = NECP_ERROR_INVALID_TLV;
+                       goto fail;
+               }
                MALLOC(route_rules_array, u_int8_t *, route_rules_array_size, M_NECP, M_WAITOK);
                if (route_rules_array == NULL) {
                        NECPLOG(LOG_ERR, "Failed to allocate a policy route rules array (size %d)", route_rules_array_size);
                MALLOC(route_rules_array, u_int8_t *, route_rules_array_size, M_NECP, M_WAITOK);
                if (route_rules_array == NULL) {
                        NECPLOG(LOG_ERR, "Failed to allocate a policy route rules array (size %d)", route_rules_array_size);
@@ -1633,13 +2282,14 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                }
 
                route_rules_array_cursor = 0;
                }
 
                route_rules_array_cursor = 0;
-               for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_ROUTE_RULE, &error, 0);
-                        cursor >= 0;
-                        cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
+               for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
+                   cursor >= 0;
+                   cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
                        u_int8_t route_rule_type = NECP_TLV_ROUTE_RULE;
                        u_int32_t route_rule_size = 0;
                        u_int8_t route_rule_type = NECP_TLV_ROUTE_RULE;
                        u_int32_t route_rule_size = 0;
-                       necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &route_rule_size);
-                       if (route_rule_size > 0 && route_rule_size <= (route_rules_array_size - route_rules_array_cursor)) {
+                       necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
+                       if (route_rule_size > 0 &&
+                           (sizeof(route_rule_type) + sizeof(route_rule_size) + route_rule_size) <= (route_rules_array_size - route_rules_array_cursor)) {
                                // Add type
                                memcpy((route_rules_array + route_rules_array_cursor), &route_rule_type, sizeof(route_rule_type));
                                route_rules_array_cursor += sizeof(route_rule_type);
                                // Add type
                                memcpy((route_rules_array + route_rules_array_cursor), &route_rule_type, sizeof(route_rule_type));
                                route_rules_array_cursor += sizeof(route_rule_type);
@@ -1649,7 +2299,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                                route_rules_array_cursor += sizeof(route_rule_size);
 
                                // Add value
                                route_rules_array_cursor += sizeof(route_rule_size);
 
                                // Add value
-                               necp_packet_get_tlv_at_offset(packet, cursor, route_rule_size, (route_rules_array + route_rules_array_cursor), NULL);
+                               necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, route_rule_size, (route_rules_array + route_rules_array_cursor), NULL);
 
                                if (!necp_policy_route_rule_is_valid((route_rules_array + route_rules_array_cursor), route_rule_size)) {
                                        NECPLOG0(LOG_ERR, "Failed to validate policy route rule");
 
                                if (!necp_policy_route_rule_is_valid((route_rules_array + route_rules_array_cursor), route_rule_size)) {
                                        NECPLOG0(LOG_ERR, "Failed to validate policy route rule");
@@ -1672,14 +2322,20 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
        }
 
        // Read policy conditions
        }
 
        // Read policy conditions
-       for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
-               cursor >= 0;
-               cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
+       for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
+           cursor >= 0;
+           cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
                u_int32_t condition_size = 0;
                u_int32_t condition_size = 0;
-               necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size);
+               necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
 
                if (condition_size > 0) {
 
                if (condition_size > 0) {
-                       conditions_array_size += (sizeof(u_int8_t) + sizeof(u_int32_t) + condition_size);
+                       if (os_add_overflow(conditions_array_size,
+                           (sizeof(u_int8_t) + sizeof(u_int32_t) + condition_size),
+                           &conditions_array_size)) {
+                               NECPLOG0(LOG_ERR, "Conditions size overflowed, too large");
+                               response_error = NECP_ERROR_INVALID_TLV;
+                               goto fail;
+                       }
                }
        }
 
                }
        }
 
@@ -1688,6 +2344,11 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                response_error = NECP_ERROR_INVALID_TLV;
                goto fail;
        }
                response_error = NECP_ERROR_INVALID_TLV;
                goto fail;
        }
+       if (conditions_array_size > NECP_MAX_CONDITIONS_ARRAY_SIZE) {
+               NECPLOG(LOG_ERR, "Conditions length too large: %u", conditions_array_size);
+               response_error = NECP_ERROR_INVALID_TLV;
+               goto fail;
+       }
        MALLOC(conditions_array, u_int8_t *, conditions_array_size, M_NECP, M_WAITOK);
        if (conditions_array == NULL) {
                NECPLOG(LOG_ERR, "Failed to allocate a policy conditions array (size %d)", conditions_array_size);
        MALLOC(conditions_array, u_int8_t *, conditions_array_size, M_NECP, M_WAITOK);
        if (conditions_array == NULL) {
                NECPLOG(LOG_ERR, "Failed to allocate a policy conditions array (size %d)", conditions_array_size);
@@ -1696,13 +2357,14 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
        }
 
        conditions_array_cursor = 0;
        }
 
        conditions_array_cursor = 0;
-       for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
-               cursor >= 0;
-               cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
+       for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
+           cursor >= 0;
+           cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
                u_int8_t condition_type = NECP_TLV_POLICY_CONDITION;
                u_int32_t condition_size = 0;
                u_int8_t condition_type = NECP_TLV_POLICY_CONDITION;
                u_int32_t condition_size = 0;
-               necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size);
-               if (condition_size > 0 && condition_size <= (conditions_array_size - conditions_array_cursor)) {
+               necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
+               if (condition_size > 0 &&
+                   (sizeof(condition_type) + sizeof(condition_size) + condition_size) <= (conditions_array_size - conditions_array_cursor)) {
                        // Add type
                        memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type));
                        conditions_array_cursor += sizeof(condition_type);
                        // Add type
                        memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type));
                        conditions_array_cursor += sizeof(condition_type);
@@ -1712,7 +2374,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                        conditions_array_cursor += sizeof(condition_size);
 
                        // Add value
                        conditions_array_cursor += sizeof(condition_size);
 
                        // Add value
-                       necp_packet_get_tlv_at_offset(packet, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);
+                       necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);
                        if (!necp_policy_condition_is_valid((conditions_array + conditions_array_cursor), condition_size, necp_policy_result_get_type_from_buffer(policy_result, policy_result_size))) {
                                NECPLOG0(LOG_ERR, "Failed to validate policy condition");
                                response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
                        if (!necp_policy_condition_is_valid((conditions_array + conditions_array_cursor), condition_size, necp_policy_result_get_type_from_buffer(policy_result, policy_result_size))) {
                                NECPLOG0(LOG_ERR, "Failed to validate policy condition");
                                response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
@@ -1729,32 +2391,45 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                                response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
                                goto fail;
                        }
                                response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
                                goto fail;
                        }
-                       
+
                        if (necp_policy_condition_is_application((conditions_array + conditions_array_cursor), condition_size)) {
                                has_application_condition = TRUE;
                        }
                        if (necp_policy_condition_is_application((conditions_array + conditions_array_cursor), condition_size)) {
                                has_application_condition = TRUE;
                        }
-                       
+
+                       if (necp_policy_condition_is_real_application((conditions_array + conditions_array_cursor), condition_size)) {
+                               has_real_application_condition = TRUE;
+                       }
+
                        if (necp_policy_condition_requires_application((conditions_array + conditions_array_cursor), condition_size)) {
                                requires_application_condition = TRUE;
                        }
 
                        if (necp_policy_condition_requires_application((conditions_array + conditions_array_cursor), condition_size)) {
                                requires_application_condition = TRUE;
                        }
 
+                       if (necp_policy_condition_requires_real_application((conditions_array + conditions_array_cursor), condition_size)) {
+                               requires_real_application_condition = TRUE;
+                       }
+
                        conditions_array_cursor += condition_size;
                }
        }
                        conditions_array_cursor += condition_size;
                }
        }
-       
+
        if (requires_application_condition && !has_application_condition) {
                NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain application condition");
                response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
                goto fail;
        }
 
        if (requires_application_condition && !has_application_condition) {
                NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain application condition");
                response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
                goto fail;
        }
 
+       if (requires_real_application_condition && !has_real_application_condition) {
+               NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain real application condition");
+               response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
+               goto fail;
+       }
+
        if ((policy = necp_policy_create(session, order, conditions_array, conditions_array_size, route_rules_array, route_rules_array_size, policy_result, policy_result_size)) == NULL) {
                response_error = NECP_ERROR_INTERNAL;
                goto fail;
        }
 
        if ((policy = necp_policy_create(session, order, conditions_array, conditions_array_size, route_rules_array, route_rules_array_size, policy_result, policy_result_size)) == NULL) {
                response_error = NECP_ERROR_INTERNAL;
                goto fail;
        }
 
-       necp_send_policy_id_response(session, NECP_PACKET_TYPE_POLICY_ADD, message_id, policy->id);
-       return;
+       return policy->local_id;
 
 fail:
        if (policy_result != NULL) {
 
 fail:
        if (policy_result != NULL) {
@@ -1767,183 +2442,562 @@ fail:
                FREE(route_rules_array, M_NECP);
        }
 
                FREE(route_rules_array, M_NECP);
        }
 
-       necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_ADD, message_id, response_error);
+       if (return_error != NULL) {
+               *return_error = necp_get_posix_error_for_necp_error(response_error);
+       }
+       return 0;
 }
 
 }
 
-static void
-necp_handle_policy_get(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static necp_policy_id
+necp_policy_get_new_id(struct necp_session *session)
 {
 {
-#pragma unused(offset)
-       int error;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       necp_policy_id policy_id = 0;
-       u_int32_t order_tlv_size = 0;
-       u_int32_t result_tlv_size = 0;
-       u_int32_t response_size = 0;
+       session->last_policy_id++;
+       if (session->last_policy_id < 1) {
+               session->last_policy_id = 1;
+       }
 
 
-       struct necp_session_policy *policy = NULL;
+       necp_policy_id newid = session->last_policy_id;
 
 
-       // Read policy id
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get policy id: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       if (newid == 0) {
+               NECPLOG0(LOG_ERR, "Allocate policy id failed.\n");
+               return 0;
        }
 
        }
 
-       policy = necp_policy_find(session, policy_id);
-       if (policy == NULL || policy->pending_deletion) {
-               NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
-               response_error = NECP_ERROR_POLICY_ID_NOT_FOUND;
-               goto fail;
-       }
+       return newid;
+}
 
 
-       order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
-       result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
-       response_size = sizeof(struct necp_packet_header) + order_tlv_size + result_tlv_size + policy->conditions_size;
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_LIST_ALL, message_id, NECP_ERROR_INTERNAL);
-               return;
+/*
+ *     For the policy dump response this is the structure:
+ *
+ *     <NECP_PACKET_HEADER>
+ *     {
+ *             type    :       NECP_TLV_POLICY_DUMP
+ *             length  :       ...
+ *             value   :
+ *             {
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_ID
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_ORDER
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_RESULT_STRING
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_OWNER
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_CONDITION
+ *                             len             :       ...
+ *                             value   :
+ *                             {
+ *                                     {
+ *                                             type    :       NECP_POLICY_CONDITION_ALL_INTERFACES
+ *                                             len             :       ...
+ *                                             value   :       ...
+ *                                     }
+ *                                     {
+ *                                             type    :       NECP_POLICY_CONDITION_BOUND_INTERFACES
+ *                                             len             :       ...
+ *                                             value   :       ...
+ *                                     }
+ *                                     ...
+ *                             }
+ *                     }
+ *             }
+ *     }
+ *     {
+ *             type    :       NECP_TLV_POLICY_DUMP
+ *             length  :       ...
+ *             value   :
+ *             {
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_ID
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_ORDER
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_RESULT_STRING
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_OWNER
+ *                             len             :       ...
+ *                             value   :       ...
+ *                     }
+ *                     {
+ *                             type    :       NECP_TLV_POLICY_CONDITION
+ *                             len             :       ...
+ *                             value   :
+ *                             {
+ *                                     {
+ *                                             type    :       NECP_POLICY_CONDITION_ALL_INTERFACES
+ *                                             len             :       ...
+ *                                             value   :       ...
+ *                                     }
+ *                                     {
+ *                                             type    :       NECP_POLICY_CONDITION_BOUND_INTERFACES
+ *                                             len             :       ...
+ *                                             value   :       ...
+ *                                     }
+ *                                     ...
+ *                             }
+ *                     }
+ *             }
+ *     }
+ *     ...
+ */
+static int
+necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
+{
+       struct necp_kernel_socket_policy *policy = NULL;
+       int policy_i;
+       int policy_count = 0;
+       u_int8_t **tlv_buffer_pointers = NULL;
+       u_int32_t *tlv_buffer_lengths = NULL;
+       u_int32_t total_tlv_len = 0;
+       u_int8_t *result_buf = NULL;
+       u_int8_t *result_buf_cursor = result_buf;
+       char result_string[MAX_RESULT_STRING_LEN];
+       char proc_name_string[MAXCOMLEN + 1];
+
+       int error_code = 0;
+       bool error_occured = false;
+       u_int32_t response_error = NECP_ERROR_INTERNAL;
+
+#define REPORT_ERROR(error) error_occured = true;               \
+                                                       response_error = error;         \
+                                                       goto done
+
+#define UNLOCK_AND_REPORT_ERROR(lock, error)    lck_rw_done(lock);      \
+                                                                                               REPORT_ERROR(error)
+
+       errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
+       if (cred_result != 0) {
+               NECPLOG0(LOG_ERR, "Session does not hold the necessary entitlement to get Network Extension Policy information");
+               REPORT_ERROR(NECP_ERROR_INTERNAL);
        }
 
        }
 
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, NECP_PACKET_TYPE_POLICY_GET, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order);
+       // LOCK
+       lck_rw_lock_shared(&necp_kernel_policy_lock);
 
 
-       if (result_tlv_size) {
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result);
+       if (necp_debug) {
+               NECPLOG0(LOG_DEBUG, "Gathering policies");
        }
        }
-       if (policy->conditions_size) {
-               memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
+
+       policy_count = necp_kernel_application_policies_count;
+
+       MALLOC(tlv_buffer_pointers, u_int8_t * *, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
+       if (tlv_buffer_pointers == NULL) {
+               NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%lu bytes)", sizeof(u_int8_t *) * policy_count);
+               UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
        }
 
        }
 
-       if (!necp_send_ctl_data(session, (u_int8_t *)response, response_size)) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
+       MALLOC(tlv_buffer_lengths, u_int32_t *, sizeof(u_int32_t) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
+       if (tlv_buffer_lengths == NULL) {
+               NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_lengths (%lu bytes)", sizeof(u_int32_t) * policy_count);
+               UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
        }
 
        }
 
-       FREE(response, M_NECP);
-       return;
+       for (policy_i = 0; necp_kernel_socket_policies_app_layer_map != NULL && necp_kernel_socket_policies_app_layer_map[policy_i] != NULL; policy_i++) {
+               policy = necp_kernel_socket_policies_app_layer_map[policy_i];
 
 
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_GET, message_id, response_error);
-}
+               memset(result_string, 0, MAX_RESULT_STRING_LEN);
+               memset(proc_name_string, 0, MAXCOMLEN + 1);
 
 
-static void
-necp_handle_policy_delete(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-       int error;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       necp_policy_id policy_id = 0;
+               necp_get_result_description(result_string, policy->result, policy->result_parameter);
+               proc_name(policy->session_pid, proc_name_string, MAXCOMLEN);
 
 
-       struct necp_session_policy *policy = NULL;
+               u_int16_t proc_name_len = strlen(proc_name_string) + 1;
+               u_int16_t result_string_len = strlen(result_string) + 1;
 
 
-       // Read policy id
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get policy id: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
-       }
+               if (necp_debug) {
+                       NECPLOG(LOG_DEBUG, "Policy: process: %s, result: %s", proc_name_string, result_string);
+               }
+
+               u_int32_t total_allocated_bytes =       sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->id) +                                     // NECP_TLV_POLICY_ID
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->order) +                                                                                              // NECP_TLV_POLICY_ORDER
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->session_order) +                                                                              // NECP_TLV_POLICY_SESSION_ORDER
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + result_string_len +                                                                                                          // NECP_TLV_POLICY_RESULT_STRING
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + proc_name_len +                                                                                                              // NECP_TLV_POLICY_OWNER
+                   sizeof(u_int8_t) + sizeof(u_int32_t);                                                                                                                                               // NECP_TLV_POLICY_CONDITION
+
+               // We now traverse the condition_mask to see how much space we need to allocate
+               u_int32_t condition_mask = policy->condition_mask;
+               u_int8_t num_conditions = 0;
+               struct necp_string_id_mapping *account_id_entry = NULL;
+               char if_name[IFXNAMSIZ];
+               u_int32_t condition_tlv_length = 0;
+               memset(if_name, 0, sizeof(if_name));
+
+               if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
+                       num_conditions++;
+               } else {
+                       if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
+                               snprintf(if_name, IFXNAMSIZ, "%s%d", ifnet_name(policy->cond_bound_interface), ifnet_unit(policy->cond_bound_interface));
+                               condition_tlv_length += strlen(if_name) + 1;
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
+                               condition_tlv_length += sizeof(policy->cond_protocol);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
+                               condition_tlv_length += sizeof(uuid_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
+                               condition_tlv_length += sizeof(uuid_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
+                               u_int32_t domain_len = strlen(policy->cond_domain) + 1;
+                               condition_tlv_length += domain_len;
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
+                               account_id_entry = necp_lookup_string_with_id_locked(&necp_account_id_list, policy->cond_account_id);
+                               u_int32_t account_id_len = 0;
+                               if (account_id_entry) {
+                                       account_id_len = account_id_entry->string ? strlen(account_id_entry->string) + 1 : 0;
+                               }
+                               condition_tlv_length += account_id_len;
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PID) {
+                               condition_tlv_length += sizeof(pid_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_UID) {
+                               condition_tlv_length += sizeof(uid_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
+                               condition_tlv_length += sizeof(struct necp_policy_condition_tc_range);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
+                               u_int32_t entitlement_len = strlen(policy->cond_custom_entitlement) + 1;
+                               condition_tlv_length += entitlement_len;
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+                               condition_tlv_length += sizeof(struct necp_policy_condition_sdk_version);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
+                               if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
+                                       condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
+                               } else {
+                                       condition_tlv_length += sizeof(struct necp_policy_condition_addr);
+                               }
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
+                               if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
+                                       condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
+                               } else {
+                                       condition_tlv_length += sizeof(struct necp_policy_condition_addr);
+                               }
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+                               condition_tlv_length += sizeof(struct necp_policy_condition_agent_type);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+                               condition_tlv_length += sizeof(u_int32_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
+                               u_int32_t identifier_len = strlen(policy->cond_signing_identifier) + 1;
+                               condition_tlv_length += identifier_len;
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                               condition_tlv_length += sizeof(u_int16_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) {
+                               num_conditions++;
+                       }
+               }
 
 
-       policy = necp_policy_find(session, policy_id);
-       if (policy == NULL || policy->pending_deletion) {
-               NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
-               response_error = NECP_ERROR_POLICY_ID_NOT_FOUND;
-               goto fail;
-       }
+               condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
+               total_allocated_bytes += condition_tlv_length;
 
 
-       necp_policy_mark_for_deletion(session, policy);
+               u_int8_t *tlv_buffer;
+               MALLOC(tlv_buffer, u_int8_t *, total_allocated_bytes, M_NECP, M_NOWAIT | M_ZERO);
+               if (tlv_buffer == NULL) {
+                       NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer (%u bytes)", total_allocated_bytes);
+                       continue;
+               }
 
 
-       necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_DELETE, message_id);
-       return;
+               u_int8_t *cursor = tlv_buffer;
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy->id), &policy->id, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_SESSION_ORDER, sizeof(policy->session_order), &policy->session_order, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT_STRING, result_string_len, result_string, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_OWNER, proc_name_len, proc_name_string, tlv_buffer, total_allocated_bytes);
 
 
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_DELETE, message_id, response_error);
-}
+#define N_QUICK 256
+               u_int8_t q_cond_buf[N_QUICK]; // Minor optimization
 
 
-static void
-necp_handle_policy_apply_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(packet, offset)
-       necp_policy_apply_all(session);
-       necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_APPLY_ALL, message_id);
-}
+               u_int8_t *cond_buf; // To be used for condition TLVs
+               if (condition_tlv_length <= N_QUICK) {
+                       cond_buf = q_cond_buf;
+               } else {
+                       MALLOC(cond_buf, u_int8_t *, condition_tlv_length, M_NECP, M_NOWAIT);
+                       if (cond_buf == NULL) {
+                               NECPLOG(LOG_DEBUG, "Failed to allocate cond_buffer (%u bytes)", condition_tlv_length);
+                               FREE(tlv_buffer, M_NECP);
+                               continue;
+                       }
+               }
 
 
-static void
-necp_handle_policy_list_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(packet, offset)
-       u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t));
-       u_int32_t response_size = 0;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       int num_policies = 0;
-       int cur_policy_index = 0;
-       struct necp_session_policy *policy;
+               memset(cond_buf, 0, condition_tlv_length);
+               u_int8_t *cond_buf_cursor = cond_buf;
+               if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
+                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DEFAULT, 0, "", cond_buf, condition_tlv_length);
+               } else {
+                       if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ALL_INTERFACES, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_HAS_CLIENT, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_NETWORKS, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_BOUND_INTERFACE, strlen(if_name) + 1,
+                                   if_name, cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_IP_PROTOCOL, sizeof(policy->cond_protocol), &policy->cond_protocol,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
+                               struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_app_id);
+                               if (entry != NULL) {
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_APPLICATION, sizeof(entry->uuid), entry->uuid,
+                                           cond_buf, condition_tlv_length);
+                               }
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
+                               struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_real_app_id);
+                               if (entry != NULL) {
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REAL_APPLICATION, sizeof(entry->uuid), entry->uuid,
+                                           cond_buf, condition_tlv_length);
+                               }
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DOMAIN, strlen(policy->cond_domain) + 1, policy->cond_domain,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
+                               if (account_id_entry != NULL) {
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ACCOUNT, strlen(account_id_entry->string) + 1, account_id_entry->string,
+                                           cond_buf, condition_tlv_length);
+                               }
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PID) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PID, sizeof(policy->cond_pid), &policy->cond_pid,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_UID) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_UID, sizeof(policy->cond_uid), &policy->cond_uid,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_TRAFFIC_CLASS, sizeof(policy->cond_traffic_class), &policy->cond_traffic_class,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, 0, "",
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, strlen(policy->cond_custom_entitlement) + 1, policy->cond_custom_entitlement,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PLATFORM_BINARY, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_SDK_VERSION,
+                                   sizeof(policy->cond_sdk_version), &policy->cond_sdk_version,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
+                               if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
+                                       struct necp_policy_condition_addr_range range;
+                                       memcpy(&range.start_address, &policy->cond_local_start, sizeof(policy->cond_local_start));
+                                       memcpy(&range.end_address, &policy->cond_local_end, sizeof(policy->cond_local_end));
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE, sizeof(range), &range,
+                                           cond_buf, condition_tlv_length);
+                               } else {
+                                       struct necp_policy_condition_addr addr;
+                                       addr.prefix = policy->cond_local_prefix;
+                                       memcpy(&addr.address, &policy->cond_local_start, sizeof(policy->cond_local_start));
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR, sizeof(addr), &addr,
+                                           cond_buf, condition_tlv_length);
+                               }
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
+                               if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
+                                       struct necp_policy_condition_addr_range range;
+                                       memcpy(&range.start_address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
+                                       memcpy(&range.end_address, &policy->cond_remote_end, sizeof(policy->cond_remote_end));
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE, sizeof(range), &range,
+                                           cond_buf, condition_tlv_length);
+                               } else {
+                                       struct necp_policy_condition_addr addr;
+                                       addr.prefix = policy->cond_remote_prefix;
+                                       memcpy(&addr.address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR, sizeof(addr), &addr,
+                                           cond_buf, condition_tlv_length);
+                               }
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_AGENT_TYPE,
+                                   sizeof(policy->cond_agent_type), &policy->cond_agent_type,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_CLIENT_FLAGS, sizeof(policy->cond_client_flags), &policy->cond_client_flags, cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_SIGNING_IDENTIFIER, strlen(policy->cond_signing_identifier) + 1, policy->cond_signing_identifier,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PACKET_FILTER_TAGS, sizeof(policy->cond_packet_filter_tags), &policy->cond_packet_filter_tags, cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_IS_LOOPBACK, 0, "", cond_buf, condition_tlv_length);
+                       }
+               }
 
 
-       LIST_FOREACH(policy, &session->policies, chain) {
-               if (!policy->pending_deletion) {
-                       num_policies++;
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf, tlv_buffer, total_allocated_bytes);
+               if (cond_buf != q_cond_buf) {
+                       FREE(cond_buf, M_NECP);
                }
                }
-       }
 
 
-       // Create a response with one Policy ID TLV for each policy
-       response_size = sizeof(struct necp_packet_header) + num_policies * tlv_size;
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_LIST_ALL, message_id, NECP_ERROR_INTERNAL);
-               return;
+               tlv_buffer_pointers[policy_i] = tlv_buffer;
+               tlv_buffer_lengths[policy_i] = (cursor - tlv_buffer);
+
+               // This is the length of the TLV for NECP_TLV_POLICY_DUMP
+               total_tlv_len += sizeof(u_int8_t) + sizeof(u_int32_t) + (cursor - tlv_buffer);
        }
 
        }
 
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, NECP_PACKET_TYPE_POLICY_LIST_ALL, NECP_PACKET_FLAGS_RESPONSE, message_id);
+       // UNLOCK
+       lck_rw_done(&necp_kernel_policy_lock);
 
 
-       LIST_FOREACH(policy, &session->policies, chain) {
-               if (!policy->pending_deletion && cur_policy_index < num_policies) {
-                       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->id);
-                       cur_policy_index++;
+       // Copy out
+       if (out_buffer != 0) {
+               if (out_buffer_length < total_tlv_len + sizeof(u_int32_t)) {
+                       NECPLOG(LOG_DEBUG, "out_buffer_length too small (%lu < %lu)", out_buffer_length, total_tlv_len + sizeof(u_int32_t));
+                       REPORT_ERROR(NECP_ERROR_INVALID_TLV);
                }
                }
-       }
 
 
-       if (!necp_send_ctl_data(session, (u_int8_t *)response, response_size)) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
-       }
+               // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
+               MALLOC(result_buf, u_int8_t *, total_tlv_len + sizeof(u_int32_t), M_NECP, M_WAITOK | M_ZERO);
+               if (result_buf == NULL) {
+                       NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%lu bytes)", total_tlv_len + sizeof(u_int32_t));
+                       REPORT_ERROR(NECP_ERROR_INTERNAL);
+               }
 
 
-       FREE(response, M_NECP);
-}
+               // Add four bytes for total length at the start
+               memcpy(result_buf, &total_tlv_len, sizeof(u_int32_t));
 
 
-static void
-necp_handle_policy_delete_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(packet, offset)
-       necp_policy_mark_all_for_deletion(session);
-       necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_DELETE_ALL, message_id);
-}
+               // Copy the TLVs
+               result_buf_cursor = result_buf + sizeof(u_int32_t);
+               for (int i = 0; i < policy_count; i++) {
+                       if (tlv_buffer_pointers[i] != NULL) {
+                               result_buf_cursor = necp_buffer_write_tlv(result_buf_cursor, NECP_TLV_POLICY_DUMP, tlv_buffer_lengths[i], tlv_buffer_pointers[i],
+                                   result_buf, total_tlv_len + sizeof(u_int32_t));
+                       }
+               }
 
 
-static necp_policy_id
-necp_policy_get_new_id(void)
-{
-       necp_policy_id newid = 0;
+               int copy_error = copyout(result_buf, out_buffer, total_tlv_len + sizeof(u_int32_t));
+               if (copy_error) {
+                       NECPLOG(LOG_DEBUG, "Failed to copy out result_buffer (%lu bytes)", total_tlv_len + sizeof(u_int32_t));
+                       REPORT_ERROR(NECP_ERROR_INTERNAL);
+               }
+       }
 
 
-       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+done:
 
 
-       necp_last_policy_id++;
-       if (necp_last_policy_id < 1) {
-               necp_last_policy_id = 1;
+       if (error_occured) {
+               error_code = necp_get_posix_error_for_necp_error(response_error);
        }
 
        }
 
-       newid = necp_last_policy_id;
-       lck_rw_done(&necp_kernel_policy_lock);
+       if (result_buf != NULL) {
+               FREE(result_buf, M_NECP);
+       }
 
 
-       if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate policy id failed.\n");
-               return (0);
+       if (tlv_buffer_pointers != NULL) {
+               for (int i = 0; i < policy_count; i++) {
+                       if (tlv_buffer_pointers[i] != NULL) {
+                               FREE(tlv_buffer_pointers[i], M_NECP);
+                               tlv_buffer_pointers[i] = NULL;
+                       }
+               }
+               FREE(tlv_buffer_pointers, M_NECP);
+       }
+
+       if (tlv_buffer_lengths != NULL) {
+               FREE(tlv_buffer_lengths, M_NECP);
        }
        }
+#undef N_QUICK
+#undef RESET_COND_BUF
+#undef REPORT_ERROR
+#undef UNLOCK_AND_REPORT_ERROR
 
 
-       return (newid);
+       return error_code;
 }
 
 static struct necp_session_policy *
 }
 
 static struct necp_session_policy *
@@ -1956,12 +3010,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
                goto done;
        }
 
                goto done;
        }
 
-       MALLOC_ZONE(new_policy, struct necp_session_policy *, sizeof(*new_policy), M_NECP_SESSION_POLICY, M_WAITOK);
-       if (new_policy == NULL) {
-               goto done;
-       }
-
-       memset(new_policy, 0, sizeof(*new_policy));
+       new_policy = zalloc_flags(necp_session_policy_zone, Z_WAITOK | Z_ZERO);
        new_policy->applied = FALSE;
        new_policy->pending_deletion = FALSE;
        new_policy->pending_update = FALSE;
        new_policy->applied = FALSE;
        new_policy->pending_deletion = FALSE;
        new_policy->pending_update = FALSE;
@@ -1972,7 +3021,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
        new_policy->route_rules_size = route_rules_array_size;
        new_policy->result = result;
        new_policy->result_size = result_size;
        new_policy->route_rules_size = route_rules_array_size;
        new_policy->result = result;
        new_policy->result_size = result_size;
-       new_policy->id = necp_policy_get_new_id();
+       new_policy->local_id = necp_policy_get_new_id(session);
 
        LIST_INSERT_SORTED_ASCENDING(&session->policies, new_policy, chain, order, tmp_policy);
 
 
        LIST_INSERT_SORTED_ASCENDING(&session->policies, new_policy, chain, order, tmp_policy);
 
@@ -1982,7 +3031,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
                NECPLOG(LOG_DEBUG, "Created NECP policy, order %d", order);
        }
 done:
                NECPLOG(LOG_DEBUG, "Created NECP policy, order %d", order);
        }
 done:
-       return (new_policy);
+       return new_policy;
 }
 
 static struct necp_session_policy *
 }
 
 static struct necp_session_policy *
@@ -1990,28 +3039,28 @@ necp_policy_find(struct necp_session *session, necp_policy_id policy_id)
 {
        struct necp_session_policy *policy = NULL;
        if (policy_id == 0) {
 {
        struct necp_session_policy *policy = NULL;
        if (policy_id == 0) {
-               return (NULL);
+               return NULL;
        }
 
        LIST_FOREACH(policy, &session->policies, chain) {
        }
 
        LIST_FOREACH(policy, &session->policies, chain) {
-               if (policy->id == policy_id) {
-                       return (policy);
+               if (policy->local_id == policy_id) {
+                       return policy;
                }
        }
 
                }
        }
 
-       return (NULL);
+       return NULL;
 }
 
 static inline u_int8_t
 necp_policy_get_result_type(struct necp_session_policy *policy)
 {
 }
 
 static inline u_int8_t
 necp_policy_get_result_type(struct necp_session_policy *policy)
 {
-       return (policy ? necp_policy_result_get_type_from_buffer(policy->result, policy->result_size) : 0);
+       return policy ? necp_policy_result_get_type_from_buffer(policy->result, policy->result_size) : 0;
 }
 
 static inline u_int32_t
 necp_policy_get_result_parameter_length(struct necp_session_policy *policy)
 {
 }
 
 static inline u_int32_t
 necp_policy_get_result_parameter_length(struct necp_session_policy *policy)
 {
-       return (policy ? necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) : 0);
+       return policy ? necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) : 0;
 }
 
 static bool
 }
 
 static bool
@@ -2023,19 +3072,19 @@ necp_policy_get_result_parameter(struct necp_session_policy *policy, u_int8_t *p
                        u_int8_t *parameter = necp_policy_result_get_parameter_pointer_from_buffer(policy->result, policy->result_size);
                        if (parameter && parameter_buffer) {
                                memcpy(parameter_buffer, parameter, parameter_length);
                        u_int8_t *parameter = necp_policy_result_get_parameter_pointer_from_buffer(policy->result, policy->result_size);
                        if (parameter && parameter_buffer) {
                                memcpy(parameter_buffer, parameter, parameter_length);
-                               return (TRUE);
+                               return TRUE;
                        }
                }
        }
 
                        }
                }
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 static bool
 necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy)
 {
        if (session == NULL || policy == NULL) {
 }
 
 static bool
 necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy)
 {
        if (session == NULL || policy == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        policy->pending_deletion = TRUE;
        }
 
        policy->pending_deletion = TRUE;
@@ -2044,7 +3093,7 @@ necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_
        if (necp_debug) {
                NECPLOG0(LOG_DEBUG, "Marked NECP policy for removal");
        }
        if (necp_debug) {
                NECPLOG0(LOG_DEBUG, "Marked NECP policy for removal");
        }
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 }
 
 static bool
@@ -2057,14 +3106,14 @@ necp_policy_mark_all_for_deletion(struct necp_session *session)
                necp_policy_mark_for_deletion(session, policy);
        }
 
                necp_policy_mark_for_deletion(session, policy);
        }
 
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy)
 {
        if (session == NULL || policy == NULL) {
 }
 
 static bool
 necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy)
 {
        if (session == NULL || policy == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        LIST_REMOVE(policy, chain);
        }
 
        LIST_REMOVE(policy, chain);
@@ -2079,12 +3128,17 @@ necp_policy_delete(struct necp_session *session, struct necp_session_policy *pol
                policy->conditions = NULL;
        }
 
                policy->conditions = NULL;
        }
 
-       FREE_ZONE(policy, sizeof(*policy), M_NECP_SESSION_POLICY);
+       if (policy->route_rules) {
+               FREE(policy->route_rules, M_NECP);
+               policy->route_rules = NULL;
+       }
+
+       zfree(necp_session_policy_zone, policy);
 
        if (necp_debug) {
                NECPLOG0(LOG_DEBUG, "Removed NECP policy");
        }
 
        if (necp_debug) {
                NECPLOG0(LOG_DEBUG, "Removed NECP policy");
        }
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 }
 
 static bool
@@ -2092,10 +3146,10 @@ necp_policy_unapply(struct necp_session_policy *policy)
 {
        int i = 0;
        if (policy == NULL) {
 {
        int i = 0;
        if (policy == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        }
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        // Release local uuid mappings
        if (!uuid_is_null(policy->applied_app_uuid)) {
 
        // Release local uuid mappings
        if (!uuid_is_null(policy->applied_app_uuid)) {
@@ -2146,13 +3200,13 @@ necp_policy_unapply(struct necp_session_policy *policy)
 
        policy->applied = FALSE;
 
 
        policy->applied = FALSE;
 
-       return (TRUE);
+       return TRUE;
 }
 
 }
 
-#define        NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION                 0
-#define        NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION             1
-#define        NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION                                2
-#define        NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS                   3
+#define NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION                 0
+#define NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION             1
+#define NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION                                2
+#define NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS                   3
 struct necp_policy_result_ip_tunnel {
        u_int32_t secondary_result;
        char interface_name[IFXNAMSIZ];
 struct necp_policy_result_ip_tunnel {
        u_int32_t secondary_result;
        char interface_name[IFXNAMSIZ];
@@ -2171,6 +3225,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
 
        bool socket_layer_non_id_conditions = FALSE;
        bool ip_output_layer_non_id_conditions = FALSE;
 
        bool socket_layer_non_id_conditions = FALSE;
        bool ip_output_layer_non_id_conditions = FALSE;
+       bool ip_output_layer_non_id_only = FALSE;
        bool ip_output_layer_id_condition = FALSE;
        bool ip_output_layer_tunnel_condition_from_id = FALSE;
        bool ip_output_layer_tunnel_condition_from_non_id = FALSE;
        bool ip_output_layer_id_condition = FALSE;
        bool ip_output_layer_tunnel_condition_from_id = FALSE;
        bool ip_output_layer_tunnel_condition_from_non_id = FALSE;
@@ -2181,6 +3236,8 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        ifnet_t cond_bound_interface = NULL;
        u_int32_t cond_account_id = 0;
        char *cond_domain = NULL;
        ifnet_t cond_bound_interface = NULL;
        u_int32_t cond_account_id = 0;
        char *cond_domain = NULL;
+       char *cond_custom_entitlement = NULL;
+       char *cond_signing_identifier = NULL;
        pid_t cond_pid = 0;
        uid_t cond_uid = 0;
        necp_app_id cond_app_id = 0;
        pid_t cond_pid = 0;
        uid_t cond_uid = 0;
        necp_app_id cond_app_id = 0;
@@ -2195,9 +3252,13 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        union necp_sockaddr_union cond_remote_start;
        union necp_sockaddr_union cond_remote_end;
        u_int8_t cond_remote_prefix = 0;
        union necp_sockaddr_union cond_remote_start;
        union necp_sockaddr_union cond_remote_end;
        u_int8_t cond_remote_prefix = 0;
+       u_int32_t cond_client_flags = 0;
        u_int32_t offset = 0;
        u_int8_t ultimate_result = 0;
        u_int32_t secondary_result = 0;
        u_int32_t offset = 0;
        u_int8_t ultimate_result = 0;
        u_int32_t secondary_result = 0;
+       struct necp_policy_condition_agent_type cond_agent_type = {};
+       struct necp_policy_condition_sdk_version cond_sdk_version = {};
+       u_int16_t cond_packet_filter_tags = 0;
        necp_kernel_policy_result_parameter secondary_result_parameter;
        memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
        u_int32_t cond_last_interface_index = 0;
        necp_kernel_policy_result_parameter secondary_result_parameter;
        memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
        u_int32_t cond_last_interface_index = 0;
@@ -2205,10 +3266,10 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        memset(&ultimate_result_parameter, 0, sizeof(ultimate_result_parameter));
 
        if (policy == NULL) {
        memset(&ultimate_result_parameter, 0, sizeof(ultimate_result_parameter));
 
        if (policy == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        }
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        // Process conditions
        while (offset < policy->conditions_size) {
 
        // Process conditions
        while (offset < policy->conditions_size) {
@@ -2217,366 +3278,546 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
 
                u_int8_t condition_type = necp_policy_condition_get_type_from_buffer(value, length);
                u_int8_t condition_flags = necp_policy_condition_get_flags_from_buffer(value, length);
 
                u_int8_t condition_type = necp_policy_condition_get_type_from_buffer(value, length);
                u_int8_t condition_flags = necp_policy_condition_get_flags_from_buffer(value, length);
-               bool condition_is_negative = condition_flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE;
-               u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(value, length);
-               u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
-               switch (condition_type) {
-                       case NECP_POLICY_CONDITION_DEFAULT: {
-                               socket_ip_conditions = TRUE;
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_ALL_INTERFACES: {
-                               master_condition_mask |= NECP_KERNEL_CONDITION_ALL_INTERFACES;
-                               socket_ip_conditions = TRUE;
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_ENTITLEMENT: {
-                               master_condition_mask |= NECP_KERNEL_CONDITION_ENTITLEMENT;
-                               socket_only_conditions = TRUE;
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_DOMAIN: {
-                               // Make sure there is only one such rule
-                               if (condition_length > 0 && cond_domain == NULL) {
-                                       cond_domain = necp_create_trimmed_domain((char *)condition_value, condition_length);
-                                       if (cond_domain != NULL) {
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_DOMAIN;
-                                               if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_DOMAIN;
-                                               }
+               bool condition_is_negative = condition_flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE;
+               u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(value, length);
+               u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
+               switch (condition_type) {
+               case NECP_POLICY_CONDITION_DEFAULT: {
+                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_ALL_INTERFACES: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_ALL_INTERFACES;
+                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_HAS_CLIENT: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_HAS_CLIENT;
+                       socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_ENTITLEMENT: {
+                       if (condition_length > 0) {
+                               if (cond_custom_entitlement == NULL) {
+                                       cond_custom_entitlement = necp_copy_string((char *)condition_value, condition_length);
+                                       if (cond_custom_entitlement != NULL) {
+                                               master_condition_mask |= NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
                                                socket_only_conditions = TRUE;
                                        }
                                }
                                                socket_only_conditions = TRUE;
                                        }
                                }
-                               break;
+                       } else {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_ENTITLEMENT;
+                               socket_only_conditions = TRUE;
                        }
                        }
-                       case NECP_POLICY_CONDITION_ACCOUNT: {
-                               // Make sure there is only one such rule
-                               if (condition_length > 0 && cond_account_id == 0 && policy->applied_account == NULL) {
-                                       char *string = NULL;
-                                       MALLOC(string, char *, condition_length + 1, M_NECP, M_WAITOK);
-                                       if (string != NULL) {
-                                               memcpy(string, condition_value, condition_length);
-                                               string[condition_length] = 0;
-                                               cond_account_id = necp_create_string_to_id_mapping(&necp_account_id_list, string);
-                                               if (cond_account_id != 0) {
-                                                       policy->applied_account = string; // Save the string in parent policy
-                                                       master_condition_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
-                                                       if (condition_is_negative) {
-                                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
-                                                       }
-                                                       socket_only_conditions = TRUE;
-                                               } else {
-                                                       FREE(string, M_NECP);
-                                               }
-                                       }
-                               }
-                               break;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_PLATFORM_BINARY: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_PLATFORM_BINARY;
+                       socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_SDK_VERSION: {
+                       if (condition_length >= sizeof(cond_sdk_version)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_SDK_VERSION;
+                               memcpy(&cond_sdk_version, condition_value, sizeof(cond_sdk_version));
+                               socket_only_conditions = TRUE;
                        }
                        }
-                       case NECP_POLICY_CONDITION_APPLICATION: {
-                               // Make sure there is only one such rule, because we save the uuid in the policy
-                               if (condition_length >= sizeof(uuid_t) && cond_app_id == 0) {
-                                       bool allocated_mapping = FALSE;
-                                       uuid_t application_uuid;
-                                       memcpy(application_uuid, condition_value, sizeof(uuid_t));
-                                       cond_app_id = necp_create_uuid_app_id_mapping(application_uuid, &allocated_mapping, TRUE);
-                                       if (cond_app_id != 0) {
-                                               if (allocated_mapping) {
-                                                       necp_uuid_app_id_mappings_dirty = TRUE;
-                                                       necp_num_uuid_app_id_mappings++;
-                                               }
-                                               uuid_copy(policy->applied_app_uuid, application_uuid);
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_APP_ID;
-                                               if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_APP_ID;
-                                               }
-                                               socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_DOMAIN: {
+                       // Make sure there is only one such rule
+                       if (condition_length > 0 && cond_domain == NULL) {
+                               cond_domain = necp_create_trimmed_domain((char *)condition_value, condition_length);
+                               if (cond_domain != NULL) {
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_DOMAIN;
+                                       if (condition_is_negative) {
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_DOMAIN;
                                        }
                                        }
+                                       socket_only_conditions = TRUE;
                                }
                                }
-                               break;
                        }
                        }
-                       case NECP_POLICY_CONDITION_REAL_APPLICATION: {
-                               // Make sure there is only one such rule, because we save the uuid in the policy
-                               if (condition_length >= sizeof(uuid_t) && cond_real_app_id == 0) {
-                                       uuid_t real_application_uuid;
-                                       memcpy(real_application_uuid, condition_value, sizeof(uuid_t));
-                                       cond_real_app_id = necp_create_uuid_app_id_mapping(real_application_uuid, NULL, FALSE);
-                                       if (cond_real_app_id != 0) {
-                                               uuid_copy(policy->applied_real_app_uuid, real_application_uuid);
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_ACCOUNT: {
+                       // Make sure there is only one such rule
+                       if (condition_length > 0 && cond_account_id == 0 && policy->applied_account == NULL) {
+                               char *string = NULL;
+                               MALLOC(string, char *, condition_length + 1, M_NECP, M_WAITOK);
+                               if (string != NULL) {
+                                       memcpy(string, condition_value, condition_length);
+                                       string[condition_length] = 0;
+                                       cond_account_id = necp_create_string_to_id_mapping(&necp_account_id_list, string);
+                                       if (cond_account_id != 0) {
+                                               policy->applied_account = string;         // Save the string in parent policy
+                                               master_condition_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
                                                if (condition_is_negative) {
                                                if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
+                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
                                                }
                                                socket_only_conditions = TRUE;
                                                }
                                                socket_only_conditions = TRUE;
+                                       } else {
+                                               FREE(string, M_NECP);
                                        }
                                }
                                        }
                                }
-                               break;
                        }
                        }
-                       case NECP_POLICY_CONDITION_PID: {
-                               if (condition_length >= sizeof(pid_t)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_PID;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_APPLICATION: {
+                       // Make sure there is only one such rule, because we save the uuid in the policy
+                       if (condition_length >= sizeof(uuid_t) && cond_app_id == 0) {
+                               bool allocated_mapping = FALSE;
+                               uuid_t application_uuid;
+                               memcpy(application_uuid, condition_value, sizeof(uuid_t));
+                               cond_app_id = necp_create_uuid_app_id_mapping(application_uuid, &allocated_mapping, TRUE);
+                               if (cond_app_id != 0) {
+                                       if (allocated_mapping) {
+                                               necp_uuid_app_id_mappings_dirty = TRUE;
+                                               necp_num_uuid_app_id_mappings++;
+                                       }
+                                       uuid_copy(policy->applied_app_uuid, application_uuid);
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_APP_ID;
                                        if (condition_is_negative) {
                                        if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_PID;
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_APP_ID;
                                        }
                                        }
-                                       memcpy(&cond_pid, condition_value, sizeof(cond_pid));
                                        socket_only_conditions = TRUE;
                                }
                                        socket_only_conditions = TRUE;
                                }
-                               break;
                        }
                        }
-                       case NECP_POLICY_CONDITION_UID: {
-                               if (condition_length >= sizeof(uid_t)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_UID;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_REAL_APPLICATION: {
+                       // Make sure there is only one such rule, because we save the uuid in the policy
+                       if (condition_length >= sizeof(uuid_t) && cond_real_app_id == 0) {
+                               uuid_t real_application_uuid;
+                               memcpy(real_application_uuid, condition_value, sizeof(uuid_t));
+                               cond_real_app_id = necp_create_uuid_app_id_mapping(real_application_uuid, NULL, FALSE);
+                               if (cond_real_app_id != 0) {
+                                       uuid_copy(policy->applied_real_app_uuid, real_application_uuid);
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
                                        if (condition_is_negative) {
                                        if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_UID;
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
                                        }
                                        }
-                                       memcpy(&cond_uid, condition_value, sizeof(cond_uid));
                                        socket_only_conditions = TRUE;
                                }
                                        socket_only_conditions = TRUE;
                                }
-                               break;
                        }
                        }
-                       case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
-                               if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
-                                       if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
-                                       }
-                                       memcpy(&cond_traffic_class, condition_value, sizeof(cond_traffic_class));
-                                       socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_PID: {
+                       if (condition_length >= sizeof(pid_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_PID;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_PID;
                                }
                                }
-                               break;
+                               memcpy(&cond_pid, condition_value, sizeof(cond_pid));
+                               socket_only_conditions = TRUE;
                        }
                        }
-                       case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
-                               if (condition_length <= IFXNAMSIZ && condition_length > 0) {
-                                       char interface_name[IFXNAMSIZ];
-                                       memcpy(interface_name, condition_value, condition_length);
-                                       interface_name[condition_length - 1] = 0; // Make sure the string is NULL terminated
-                                       if (ifnet_find_by_name(interface_name, &cond_bound_interface) == 0) {
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
-                                               if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
-                                               }
-                                       }
-                                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_UID: {
+                       if (condition_length >= sizeof(uid_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_UID;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_UID;
                                }
                                }
-                               break;
+                               memcpy(&cond_uid, condition_value, sizeof(cond_uid));
+                               socket_only_conditions = TRUE;
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
+                       if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
+                               }
+                               memcpy(&cond_traffic_class, condition_value, sizeof(cond_traffic_class));
+                               socket_only_conditions = TRUE;
                        }
                        }
-                       case NECP_POLICY_CONDITION_IP_PROTOCOL: {
-                               if (condition_length >= sizeof(u_int16_t)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
+                       if (condition_length <= IFXNAMSIZ && condition_length > 0) {
+                               char interface_name[IFXNAMSIZ];
+                               memcpy(interface_name, condition_value, condition_length);
+                               interface_name[condition_length - 1] = 0;         // Make sure the string is NULL terminated
+                               if (ifnet_find_by_name(interface_name, &cond_bound_interface) == 0) {
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
                                        if (condition_is_negative) {
                                        if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
                                        }
                                        }
-                                       memcpy(&cond_protocol, condition_value, sizeof(cond_protocol));
-                                       socket_ip_conditions = TRUE;
                                }
                                }
-                               break;
+                               socket_ip_conditions = TRUE;
                        }
                        }
-                       case NECP_POLICY_CONDITION_LOCAL_ADDR: {
-                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
-                               cond_local_prefix = address_struct->prefix;
-                               memcpy(&cond_local_start, &address_struct->address, sizeof(address_struct->address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_IP_PROTOCOL:
+               case NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL: {
+                       if (condition_length >= sizeof(u_int16_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
                                if (condition_is_negative) {
                                if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
                                }
                                }
-                               socket_ip_conditions = TRUE;
+                               memcpy(&cond_protocol, condition_value, sizeof(cond_protocol));
+                               if (condition_type == NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL) {
+                                       socket_only_conditions = TRUE;
+                               } else {
+                                       socket_ip_conditions = TRUE;
+                               }
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_LOCAL_NETWORKS: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_NETWORKS;
+                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_LOCAL_ADDR:
+               case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR: {
+                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->address.sa)) {
                                break;
                        }
                                break;
                        }
-                       case NECP_POLICY_CONDITION_REMOTE_ADDR: {
-                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
-                               cond_remote_prefix = address_struct->prefix;
-                               memcpy(&cond_remote_start, &address_struct->address, sizeof(address_struct->address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
-                               if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
-                               }
+
+                       cond_local_prefix = address_struct->prefix;
+                       memcpy(&cond_local_start, &address_struct->address, sizeof(address_struct->address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR) {
+                               socket_only_conditions = TRUE;
+                       } else {
                                socket_ip_conditions = TRUE;
                                socket_ip_conditions = TRUE;
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_REMOTE_ADDR:
+               case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR: {
+                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->address.sa)) {
                                break;
                        }
                                break;
                        }
-                       case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE: {
-                               struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
-                               memcpy(&cond_local_start, &address_struct->start_address, sizeof(address_struct->start_address));
-                               memcpy(&cond_local_end, &address_struct->end_address, sizeof(address_struct->end_address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
-                               if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
-                               }
+
+                       cond_remote_prefix = address_struct->prefix;
+                       memcpy(&cond_remote_start, &address_struct->address, sizeof(address_struct->address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR) {
+                               socket_only_conditions = TRUE;
+                       } else {
                                socket_ip_conditions = TRUE;
                                socket_ip_conditions = TRUE;
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
+               case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE: {
+                       struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->start_address.sa) ||
+                           !necp_address_is_valid(&address_struct->end_address.sa)) {
                                break;
                        }
                                break;
                        }
-                       case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
-                               struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
-                               memcpy(&cond_remote_start, &address_struct->start_address, sizeof(address_struct->start_address));
-                               memcpy(&cond_remote_end, &address_struct->end_address, sizeof(address_struct->end_address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
-                               if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
-                               }
+
+                       memcpy(&cond_local_start, &address_struct->start_address, sizeof(address_struct->start_address));
+                       memcpy(&cond_local_end, &address_struct->end_address, sizeof(address_struct->end_address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE) {
+                               socket_only_conditions = TRUE;
+                       } else {
                                socket_ip_conditions = TRUE;
                                socket_ip_conditions = TRUE;
-                               break;
                        }
                        }
-                       default: {
+                       break;
+               }
+               case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE:
+               case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE: {
+                       struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->start_address.sa) ||
+                           !necp_address_is_valid(&address_struct->end_address.sa)) {
                                break;
                        }
                                break;
                        }
-               }
-
-               offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
-       }
 
 
-       // Process result
-       ultimate_result = necp_policy_get_result_type(policy);
-       switch (ultimate_result) {
-               case NECP_POLICY_RESULT_PASS: {
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
+                       memcpy(&cond_remote_start, &address_struct->start_address, sizeof(address_struct->start_address));
+                       memcpy(&cond_remote_end, &address_struct->end_address, sizeof(address_struct->end_address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE) {
+                               socket_only_conditions = TRUE;
+                       } else {
+                               socket_ip_conditions = TRUE;
                        }
                        break;
                }
                        }
                        break;
                }
-               case NECP_POLICY_RESULT_DROP: {
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
+               case NECP_POLICY_CONDITION_AGENT_TYPE: {
+                       if (condition_length >= sizeof(cond_agent_type)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_AGENT_TYPE;
+                               memcpy(&cond_agent_type, condition_value, sizeof(cond_agent_type));
+                               socket_only_conditions = TRUE;
                        }
                        break;
                }
                        }
                        break;
                }
-               case NECP_POLICY_RESULT_SKIP: {
-                       u_int32_t skip_policy_order = 0;
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&skip_policy_order, sizeof(skip_policy_order))) {
-                               ultimate_result_parameter.skip_policy_order = skip_policy_order;
+               case NECP_POLICY_CONDITION_CLIENT_FLAGS: {
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_CLIENT_FLAGS;
                        }
                        }
-
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_CLIENT_FLAGS;
+                       socket_only_conditions = TRUE;
+                       if (condition_length >= sizeof(u_int32_t)) {
+                               memcpy(&cond_client_flags, condition_value, sizeof(cond_client_flags));
+                       } else {
+                               // Empty means match on fallback traffic
+                               cond_client_flags = NECP_CLIENT_PARAMETER_FLAG_FALLBACK_TRAFFIC;
                        }
                        break;
                }
                        }
                        break;
                }
-               case NECP_POLICY_RESULT_SOCKET_DIVERT:
-               case NECP_POLICY_RESULT_SOCKET_FILTER: {
-                       u_int32_t control_unit = 0;
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&control_unit, sizeof(control_unit))) {
-                               ultimate_result_parameter.flow_divert_control_unit = control_unit;
+               case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_EMPTY;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_EMPTY;
                        }
                        }
-                       socket_layer_non_id_conditions = TRUE;
+                       socket_only_conditions = TRUE;
                        break;
                }
                        break;
                }
-               case NECP_POLICY_RESULT_IP_TUNNEL: {
-                       struct necp_policy_result_ip_tunnel tunnel_parameters;
-                       u_int32_t tunnel_parameters_length = necp_policy_get_result_parameter_length(policy);
-                       if (tunnel_parameters_length > sizeof(u_int32_t) &&
-                               tunnel_parameters_length <= sizeof(struct necp_policy_result_ip_tunnel) &&
-                               necp_policy_get_result_parameter(policy, (u_int8_t *)&tunnel_parameters, sizeof(tunnel_parameters))) {
-                               ifnet_t tunnel_interface = NULL;
-                               tunnel_parameters.interface_name[tunnel_parameters_length - sizeof(u_int32_t) - 1] = 0; // Make sure the string is NULL terminated
-                               if (ifnet_find_by_name(tunnel_parameters.interface_name, &tunnel_interface) == 0) {
-                                       ultimate_result_parameter.tunnel_interface_index = tunnel_interface->if_index;
-                               }
-
-                               secondary_result = tunnel_parameters.secondary_result;
-                               if (secondary_result) {
-                                       cond_last_interface_index = ultimate_result_parameter.tunnel_interface_index;
-                               }
-                       }
-
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                               if (secondary_result) {
-                                       ip_output_layer_tunnel_condition_from_id = TRUE;
-                               }
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
-                               if (secondary_result) {
-                                       ip_output_layer_tunnel_condition_from_id = TRUE;
-                                       ip_output_layer_tunnel_condition_from_non_id = TRUE;
-                               }
+               case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_EMPTY;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_EMPTY;
                        }
                        }
+                       socket_only_conditions = TRUE;
                        break;
                }
                        break;
                }
-               case NECP_POLICY_RESULT_TRIGGER:
-               case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
-               case NECP_POLICY_RESULT_TRIGGER_SCOPED:
-               case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
-                       struct necp_policy_result_service service_parameters;
-                       u_int32_t service_result_length = necp_policy_get_result_parameter_length(policy);
-                       bool has_extra_service_data = FALSE;
-                       if (service_result_length >= (sizeof(service_parameters))) {
-                               has_extra_service_data = TRUE;
-                       }
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&service_parameters, sizeof(service_parameters))) {
-                               ultimate_result_parameter.service.identifier = necp_create_uuid_service_id_mapping(service_parameters.identifier);
-                               if (ultimate_result_parameter.service.identifier != 0) {
-                                       uuid_copy(policy->applied_result_uuid, service_parameters.identifier);
-                                       socket_layer_non_id_conditions = TRUE;
-                                       if (has_extra_service_data) {
-                                               ultimate_result_parameter.service.data = service_parameters.data;
-                                       } else {
-                                               ultimate_result_parameter.service.data = 0;
+               case NECP_POLICY_CONDITION_SIGNING_IDENTIFIER: {
+                       if (condition_length > 0) {
+                               if (cond_signing_identifier == NULL) {
+                                       cond_signing_identifier = necp_copy_string((char *)condition_value, condition_length);
+                                       if (cond_signing_identifier != NULL) {
+                                               master_condition_mask |= NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER;
+                                               socket_only_conditions = TRUE;
+                                               if (condition_is_negative) {
+                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER;
+                                               }
                                        }
                                }
                        }
                        break;
                }
                                        }
                                }
                        }
                        break;
                }
-               case NECP_POLICY_RESULT_USE_NETAGENT: {
-                       uuid_t netagent_uuid;
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&netagent_uuid, sizeof(netagent_uuid))) {
-                               ultimate_result_parameter.netagent_id = necp_create_uuid_service_id_mapping(netagent_uuid);
-                               if (ultimate_result_parameter.netagent_id != 0) {
-                                       uuid_copy(policy->applied_result_uuid, netagent_uuid);
-                                       socket_layer_non_id_conditions = TRUE;
+               case NECP_POLICY_CONDITION_PACKET_FILTER_TAGS: {
+                       if (condition_length >= sizeof(u_int16_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS;
                                }
                                }
+                               memcpy(&cond_packet_filter_tags, condition_value, sizeof(cond_packet_filter_tags));
+                               socket_ip_conditions = TRUE;
                        }
                        break;
                }
                        }
                        break;
                }
-               case NECP_POLICY_RESULT_SOCKET_SCOPED: {
-                       u_int32_t interface_name_length = necp_policy_get_result_parameter_length(policy);
-                       if (interface_name_length <= IFXNAMSIZ && interface_name_length > 0) {
-                               char interface_name[IFXNAMSIZ];
-                               ifnet_t scope_interface = NULL;
-                               necp_policy_get_result_parameter(policy, (u_int8_t *)interface_name, interface_name_length);
-                               interface_name[interface_name_length - 1] = 0; // Make sure the string is NULL terminated
-                               if (ifnet_find_by_name(interface_name, &scope_interface) == 0) {
-                                       ultimate_result_parameter.scoped_interface_index = scope_interface->if_index;
-                                       socket_layer_non_id_conditions = TRUE;
+               case NECP_POLICY_CONDITION_FLOW_IS_LOOPBACK: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_IS_LOOPBACK;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_IS_LOOPBACK;
+                       }
+                       socket_only_conditions = TRUE;
+                       break;
+               }
+               default: {
+                       break;
+               }
+               }
+
+               offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
+       }
+
+       // Process result
+       ultimate_result = necp_policy_get_result_type(policy);
+       switch (ultimate_result) {
+       case NECP_POLICY_RESULT_PASS: {
+               u_int32_t pass_flags = 0;
+               if (necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) > 0) {
+                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&pass_flags, sizeof(pass_flags))) {
+                               ultimate_result_parameter.pass_flags = pass_flags;
+                       }
+               }
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_DROP: {
+               u_int32_t drop_flags = 0;
+               if (necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) > 0) {
+                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&drop_flags, sizeof(drop_flags))) {
+                               ultimate_result_parameter.drop_flags = drop_flags;
+                       }
+               }
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+                       ip_output_layer_non_id_only = TRUE;         // Only apply drop to packets that didn't go through socket layer
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SKIP: {
+               u_int32_t skip_policy_order = 0;
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&skip_policy_order, sizeof(skip_policy_order))) {
+                       ultimate_result_parameter.skip_policy_order = skip_policy_order;
+               }
+
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SOCKET_DIVERT:
+       case NECP_POLICY_RESULT_SOCKET_FILTER: {
+               u_int32_t control_unit = 0;
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&control_unit, sizeof(control_unit))) {
+                       ultimate_result_parameter.flow_divert_control_unit = control_unit;
+               }
+               socket_layer_non_id_conditions = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_IP_TUNNEL: {
+               struct necp_policy_result_ip_tunnel tunnel_parameters;
+               u_int32_t tunnel_parameters_length = necp_policy_get_result_parameter_length(policy);
+               if (tunnel_parameters_length > sizeof(u_int32_t) &&
+                   tunnel_parameters_length <= sizeof(struct necp_policy_result_ip_tunnel) &&
+                   necp_policy_get_result_parameter(policy, (u_int8_t *)&tunnel_parameters, sizeof(tunnel_parameters))) {
+                       ifnet_t tunnel_interface = NULL;
+                       tunnel_parameters.interface_name[tunnel_parameters_length - sizeof(u_int32_t) - 1] = 0;         // Make sure the string is NULL terminated
+                       if (ifnet_find_by_name(tunnel_parameters.interface_name, &tunnel_interface) == 0) {
+                               ultimate_result_parameter.tunnel_interface_index = tunnel_interface->if_index;
+                               ifnet_release(tunnel_interface);
+                       }
+
+                       secondary_result = tunnel_parameters.secondary_result;
+                       if (secondary_result) {
+                               cond_last_interface_index = ultimate_result_parameter.tunnel_interface_index;
+                       }
+               }
+
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+                       if (secondary_result) {
+                               ip_output_layer_tunnel_condition_from_id = TRUE;
+                       }
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+                       if (secondary_result) {
+                               ip_output_layer_tunnel_condition_from_id = TRUE;
+                               ip_output_layer_tunnel_condition_from_non_id = TRUE;
+                       }
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER:
+       case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
+       case NECP_POLICY_RESULT_TRIGGER_SCOPED:
+       case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
+               struct necp_policy_result_service service_parameters;
+               u_int32_t service_result_length = necp_policy_get_result_parameter_length(policy);
+               bool has_extra_service_data = FALSE;
+               if (service_result_length >= (sizeof(service_parameters))) {
+                       has_extra_service_data = TRUE;
+               }
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&service_parameters, sizeof(service_parameters))) {
+                       ultimate_result_parameter.service.identifier = necp_create_uuid_service_id_mapping(service_parameters.identifier);
+                       if (ultimate_result_parameter.service.identifier != 0) {
+                               uuid_copy(policy->applied_result_uuid, service_parameters.identifier);
+                               socket_layer_non_id_conditions = TRUE;
+                               if (has_extra_service_data) {
+                                       ultimate_result_parameter.service.data = service_parameters.data;
+                               } else {
+                                       ultimate_result_parameter.service.data = 0;
                                }
                        }
                }
                                }
                        }
                }
-               case NECP_POLICY_RESULT_ROUTE_RULES: {
-                       if (policy->route_rules != NULL && policy->route_rules_size > 0) {
-                               u_int32_t route_rule_id = necp_create_route_rule(&necp_route_rules, policy->route_rules, policy->route_rules_size);
-                               if (route_rule_id > 0) {
-                                       policy->applied_route_rules_id = route_rule_id;
-                                       ultimate_result_parameter.route_rule_id = route_rule_id;
+               break;
+       }
+       case NECP_POLICY_RESULT_USE_NETAGENT:
+       case NECP_POLICY_RESULT_NETAGENT_SCOPED: {
+               uuid_t netagent_uuid;
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&netagent_uuid, sizeof(netagent_uuid))) {
+                       ultimate_result_parameter.netagent_id = necp_create_uuid_service_id_mapping(netagent_uuid);
+                       if (ultimate_result_parameter.netagent_id != 0) {
+                               uuid_copy(policy->applied_result_uuid, netagent_uuid);
+                               socket_layer_non_id_conditions = TRUE;
+                       }
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SOCKET_SCOPED: {
+               u_int32_t interface_name_length = necp_policy_get_result_parameter_length(policy);
+               if (interface_name_length <= IFXNAMSIZ && interface_name_length > 0) {
+                       char interface_name[IFXNAMSIZ];
+                       ifnet_t scope_interface = NULL;
+                       necp_policy_get_result_parameter(policy, (u_int8_t *)interface_name, interface_name_length);
+                       interface_name[interface_name_length - 1] = 0;         // Make sure the string is NULL terminated
+                       if (ifnet_find_by_name(interface_name, &scope_interface) == 0) {
+                               ultimate_result_parameter.scoped_interface_index = scope_interface->if_index;
+                               socket_layer_non_id_conditions = TRUE;
+                               ifnet_release(scope_interface);
+                       }
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SCOPED_DIRECT: {
+               socket_layer_non_id_conditions = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
+               socket_layer_non_id_conditions = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_ROUTE_RULES: {
+               if (policy->route_rules != NULL && policy->route_rules_size > 0) {
+                       u_int32_t route_rule_id = necp_create_route_rule(&necp_route_rules, policy->route_rules, policy->route_rules_size);
+                       if (route_rule_id > 0) {
+                               policy->applied_route_rules_id = route_rule_id;
+                               ultimate_result_parameter.route_rule_id = route_rule_id;
+                               if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
+                                       socket_layer_non_id_conditions = TRUE;
+                               } else if (socket_ip_conditions) {
                                        socket_layer_non_id_conditions = TRUE;
                                        socket_layer_non_id_conditions = TRUE;
+                                       ip_output_layer_non_id_conditions = TRUE;
+                                       ip_output_layer_non_id_only = TRUE; // Only apply route rules to packets that didn't go through socket layer
                                }
                        }
                }
                                }
                        }
                }
-               default: {
-                       break;
-               }
+               break;
+       }
+       default: {
+               break;
+       }
        }
 
        if (socket_layer_non_id_conditions) {
        }
 
        if (socket_layer_non_id_conditions) {
-               necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->id, policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, &cond_agent_type, &cond_sdk_version, cond_client_flags, cond_signing_identifier, cond_packet_filter_tags, ultimate_result, ultimate_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
@@ -2588,7 +3829,12 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        }
 
        if (ip_output_layer_non_id_conditions) {
        }
 
        if (ip_output_layer_non_id_conditions) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
+               u_int32_t condition_mask = master_condition_mask;
+               if (ip_output_layer_non_id_only) {
+                       condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
+               }
+
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, cond_packet_filter_tags, ultimate_result, ultimate_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -2599,7 +3845,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        }
 
        if (ip_output_layer_id_condition) {
        }
 
        if (ip_output_layer_id_condition) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, 0, ultimate_result, ultimate_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -2611,7 +3857,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
 
        // Extra policies for IP Output tunnels for when packets loop back
        if (ip_output_layer_tunnel_condition_from_id) {
 
        // Extra policies for IP Output tunnels for when packets loop back
        if (ip_output_layer_tunnel_condition_from_id) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, 0, secondary_result, secondary_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -2622,7 +3868,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        }
 
        if (ip_output_layer_tunnel_condition_from_id) {
        }
 
        if (ip_output_layer_tunnel_condition_from_id) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, 0, secondary_result, secondary_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -2634,10 +3880,10 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
 
        policy->applied = TRUE;
        policy->pending_update = FALSE;
 
        policy->applied = TRUE;
        policy->pending_update = FALSE;
-       return (TRUE);
+       return TRUE;
 
 fail:
 
 fail:
-       return (FALSE);
+       return FALSE;
 }
 
 static void
 }
 
 static void
@@ -2678,6 +3924,7 @@ necp_policy_apply_all(struct necp_session *session)
 
        lck_rw_done(&necp_kernel_policy_lock);
 
 
        lck_rw_done(&necp_kernel_policy_lock);
 
+       necp_update_all_clients();
        necp_post_change_event(&kev_data);
 
        if (necp_debug) {
        necp_post_change_event(&kev_data);
 
        if (necp_debug) {
@@ -2689,41 +3936,67 @@ necp_policy_apply_all(struct necp_session *session)
 // ---------------------
 // Kernel policies are derived from session policies
 static necp_kernel_policy_id
 // ---------------------
 // Kernel policies are derived from session policies
 static necp_kernel_policy_id
-necp_kernel_policy_get_new_id(void)
+necp_kernel_policy_get_new_id(bool socket_level)
 {
 {
-       necp_kernel_policy_id newid = NECP_KERNEL_POLICY_ID_NONE;
+       static necp_kernel_policy_id necp_last_kernel_socket_policy_id = 0;
+       static necp_kernel_policy_id necp_last_kernel_ip_policy_id = 0;
 
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       necp_kernel_policy_id newid = NECP_KERNEL_POLICY_ID_NONE;
 
 
-       necp_last_kernel_policy_id++;
-       if (necp_last_kernel_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID) {
-               necp_last_kernel_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID;
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+       if (socket_level) {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_kernel_socket_policy_id++;
+                       if (necp_last_kernel_socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET ||
+                           necp_last_kernel_socket_policy_id >= NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free socket kernel policy ID.\n");
+                                       return NECP_KERNEL_POLICY_ID_NONE;
+                               }
+                               necp_last_kernel_socket_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_kernel_socket_policy_id;
+               } while (necp_kernel_socket_policy_find(newid) != NULL); // If already used, keep trying
+       } else {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_kernel_ip_policy_id++;
+                       if (necp_last_kernel_ip_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free IP kernel policy ID.\n");
+                                       return NECP_KERNEL_POLICY_ID_NONE;
+                               }
+                               necp_last_kernel_ip_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_IP;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_kernel_ip_policy_id;
+               } while (necp_kernel_ip_output_policy_find(newid) != NULL); // If already used, keep trying
        }
 
        }
 
-       newid = necp_last_kernel_policy_id;
        if (newid == NECP_KERNEL_POLICY_ID_NONE) {
        if (newid == NECP_KERNEL_POLICY_ID_NONE) {
-               NECPLOG0(LOG_DEBUG, "Allocate kernel policy id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate kernel policy id failed.\n");
+               return NECP_KERNEL_POLICY_ID_NONE;
        }
 
        }
 
-       return (newid);
+       return newid;
 }
 
 }
 
-#define        NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT)
+#define NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT | NECP_KERNEL_CONDITION_AGENT_TYPE | NECP_KERNEL_CONDITION_HAS_CLIENT | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_CLIENT_FLAGS | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_PLATFORM_BINARY | NECP_KERNEL_CONDITION_SDK_VERSION | NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER | NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS | NECP_KERNEL_CONDITION_IS_LOOPBACK)
+
 static necp_kernel_policy_id
 static necp_kernel_policy_id
-necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
+necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, struct necp_policy_condition_sdk_version *cond_sdk_version, u_int32_t cond_client_flags, char *cond_signing_identifier, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
 {
        struct necp_kernel_socket_policy *new_kernel_policy = NULL;
        struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
 
 {
        struct necp_kernel_socket_policy *new_kernel_policy = NULL;
        struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
 
-       MALLOC_ZONE(new_kernel_policy, struct necp_kernel_socket_policy *, sizeof(*new_kernel_policy), M_NECP_SOCKET_POLICY, M_WAITOK);
-       if (new_kernel_policy == NULL) {
-               goto done;
-       }
+       new_kernel_policy = zalloc_flags(necp_socket_policy_zone, Z_WAITOK | Z_ZERO);
 
 
-       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy));
-       new_kernel_policy->parent_policy_id = parent_policy_id;
-       new_kernel_policy->id = necp_kernel_policy_get_new_id();
+       new_kernel_policy->id = necp_kernel_policy_get_new_id(true);
        new_kernel_policy->order = order;
        new_kernel_policy->session_order = session_order;
        new_kernel_policy->session_pid = session_pid;
        new_kernel_policy->order = order;
        new_kernel_policy->session_order = session_order;
        new_kernel_policy->session_pid = session_pid;
@@ -2736,8 +4009,8 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REAL_APP_ID;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REAL_APP_ID;
        }
-       if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
-               new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_ENTITLEMENT;
+       if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
+               new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
@@ -2745,6 +4018,12 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+               new_kernel_policy->condition_mask &= ~(NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_LOCAL_END);
+       }
+       if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY)) {
+               new_kernel_policy->condition_mask &= ~(NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_REMOTE_END);
+       }
        new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
 
        // Set condition values
        new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
 
        // Set condition values
@@ -2754,6 +4033,10 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                new_kernel_policy->cond_real_app_id = cond_real_app_id;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                new_kernel_policy->cond_real_app_id = cond_real_app_id;
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
+               new_kernel_policy->cond_custom_entitlement = cond_custom_entitlement;
+               new_kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_unknown;
+       }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                new_kernel_policy->cond_account_id = cond_account_id;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                new_kernel_policy->cond_account_id = cond_account_id;
        }
@@ -2797,6 +4080,21 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+               memcpy(&new_kernel_policy->cond_agent_type, cond_agent_type, sizeof(*cond_agent_type));
+       }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+               memcpy(&new_kernel_policy->cond_sdk_version, cond_sdk_version, sizeof(*cond_sdk_version));
+       }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+               new_kernel_policy->cond_client_flags = cond_client_flags;
+       }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
+               new_kernel_policy->cond_signing_identifier = cond_signing_identifier;
+       }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               new_kernel_policy->cond_packet_filter_tags = cond_packet_filter_tags;
+       }
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
@@ -2805,8 +4103,8 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
                NECPLOG(LOG_DEBUG, "Added kernel policy: socket, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
                NECPLOG(LOG_DEBUG, "Added kernel policy: socket, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
-done:
-       return (new_kernel_policy ? new_kernel_policy->id : 0);
+
+       return new_kernel_policy ? new_kernel_policy->id : 0;
 }
 
 static struct necp_kernel_socket_policy *
 }
 
 static struct necp_kernel_socket_policy *
@@ -2816,16 +4114,16 @@ necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id)
        struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
 
        if (policy_id == 0) {
        struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
 
        if (policy_id == 0) {
-               return (NULL);
+               return NULL;
        }
 
        LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) {
                if (kernel_policy->id == policy_id) {
        }
 
        LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) {
                if (kernel_policy->id == policy_id) {
-                       return (kernel_policy);
+                       return kernel_policy;
                }
        }
 
                }
        }
 
-       return (NULL);
+       return NULL;
 }
 
 static bool
 }
 
 static bool
@@ -2833,7 +4131,7 @@ necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
 {
        struct necp_kernel_socket_policy *policy = NULL;
 
 {
        struct necp_kernel_socket_policy *policy = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        policy = necp_kernel_socket_policy_find(policy_id);
        if (policy) {
 
        policy = necp_kernel_socket_policy_find(policy_id);
        if (policy) {
@@ -2843,185 +4141,249 @@ necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
                        ifnet_release(policy->cond_bound_interface);
                        policy->cond_bound_interface = NULL;
                }
                        ifnet_release(policy->cond_bound_interface);
                        policy->cond_bound_interface = NULL;
                }
-               
+
                if (policy->cond_domain) {
                        FREE(policy->cond_domain, M_NECP);
                        policy->cond_domain = NULL;
                }
 
                if (policy->cond_domain) {
                        FREE(policy->cond_domain, M_NECP);
                        policy->cond_domain = NULL;
                }
 
-               FREE_ZONE(policy, sizeof(*policy), M_NECP_SOCKET_POLICY);
-               return (TRUE);
+               if (policy->cond_custom_entitlement) {
+                       FREE(policy->cond_custom_entitlement, M_NECP);
+                       policy->cond_custom_entitlement = NULL;
+               }
+
+               if (policy->cond_signing_identifier) {
+                       FREE(policy->cond_signing_identifier, M_NECP);
+                       policy->cond_signing_identifier = NULL;
+               }
+
+               zfree(necp_socket_policy_zone, policy);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 }
 
-#define MAX_RESULT_STRING_LEN 64
 static inline const char *
 necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
 {
        uuid_string_t uuid_string;
        switch (result) {
 static inline const char *
 necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
 {
        uuid_string_t uuid_string;
        switch (result) {
-               case NECP_KERNEL_POLICY_RESULT_NONE: {
-                       return ("None");
-               }
-               case NECP_KERNEL_POLICY_RESULT_PASS: {
-                       return ("Pass");
-               }
-               case NECP_KERNEL_POLICY_RESULT_SKIP: {
-                       return ("Skip");
-               }
-               case NECP_KERNEL_POLICY_RESULT_DROP: {
-                       return ("Drop");
-               }
-               case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketDivert (%d)", result_parameter.flow_divert_control_unit);
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketFilter (%d)", result_parameter.filter_control_unit);
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_IP_TUNNEL: {
-                       ifnet_t interface = ifindex2ifnet[result_parameter.tunnel_interface_index];
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "IPTunnel (%s%d)", ifnet_name(interface), ifnet_unit(interface));
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_IP_FILTER: {
-                       return ("IPFilter");
-               }
-               case NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED: {
-                       ifnet_t interface = ifindex2ifnet[result_parameter.scoped_interface_index];
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketScoped (%s%d)", ifnet_name(interface), ifnet_unit(interface));
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_ROUTE_RULES: {
-                       int index = 0;
-                       char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
-                       struct necp_route_rule *route_rule = necp_lookup_route_rule_locked(&necp_route_rules, result_parameter.route_rule_id);
-                       if (route_rule != NULL) {
-                               bool default_drop = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE);
-                               for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
-                                       if (route_rule->exception_if_indices[index] != 0) {
-                                               ifnet_t interface = ifindex2ifnet[route_rule->exception_if_indices[index]];
-                                               snprintf(interface_names[index], IFXNAMSIZ, "%s%d", ifnet_name(interface), ifnet_unit(interface));
-                                       } else {
-                                               memset(interface_names[index], 0, IFXNAMSIZ);
-                                       }
-                               }
-                               if (default_drop) {
-                                       snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Only %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
-                                                        (route_rule->cellular_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Cell " : "",
-                                                        (route_rule->wifi_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "WiFi " : "",
-                                                        (route_rule->wired_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Wired " : "",
-                                                        (route_rule->expensive_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Exp " : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[0] : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[1] : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[2] : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[3] : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[4] : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[5] : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[6] : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[7] : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[8] : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[9] : "");
+       case NECP_KERNEL_POLICY_RESULT_NONE: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "None");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_PASS: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Pass (%X)", result_parameter.pass_flags);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SKIP: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Skip (%u)", result_parameter.skip_policy_order);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_DROP: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop (%X)", result_parameter.drop_flags);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketDivert (%d)", result_parameter.flow_divert_control_unit);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketFilter (%d)", result_parameter.filter_control_unit);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_IP_TUNNEL: {
+               ifnet_t interface = ifindex2ifnet[result_parameter.tunnel_interface_index];
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "IPTunnel (%s%d)", ifnet_name(interface), ifnet_unit(interface));
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_IP_FILTER: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "IPFilter");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED: {
+               ifnet_t interface = ifindex2ifnet[result_parameter.scoped_interface_index];
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketScoped (%s%d)", ifnet_name(interface), ifnet_unit(interface));
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "ScopedDirect");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "AllowUnentitled");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_ROUTE_RULES: {
+               int index = 0;
+               char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
+               struct necp_route_rule *route_rule = necp_lookup_route_rule_locked(&necp_route_rules, result_parameter.route_rule_id);
+               if (route_rule != NULL) {
+                       for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
+                               if (route_rule->exception_if_indices[index] != 0) {
+                                       ifnet_t interface = ifindex2ifnet[route_rule->exception_if_indices[index]];
+                                       snprintf(interface_names[index], IFXNAMSIZ, "%s%d", ifnet_name(interface), ifnet_unit(interface));
                                } else {
                                } else {
-                                       snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
-                                                        (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Cell " : "",
-                                                        (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!WiFi " : "",
-                                                        (route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Wired " : "",
-                                                        (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Exp " : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[0] : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[1] : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[2] : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[3] : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[4] : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[5] : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[6] : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[7] : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[8] : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[9] : "");
+                                       memset(interface_names[index], 0, IFXNAMSIZ);
                                }
                                }
-                       } else {
+                       }
+                       switch (route_rule->default_action) {
+                       case NECP_ROUTE_RULE_DENY_INTERFACE:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Only %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
+                                   (route_rule->cellular_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Cell " : "",
+                                   (route_rule->wifi_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "WiFi " : "",
+                                   (route_rule->wired_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Wired " : "",
+                                   (route_rule->expensive_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Exp " : "",
+                                   (route_rule->constrained_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Constrained " : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[0] : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[1] : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[2] : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[3] : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[4] : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[5] : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[6] : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[7] : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[8] : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[9] : "");
+                               break;
+                       case NECP_ROUTE_RULE_ALLOW_INTERFACE:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
+                                   (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Cell " : "",
+                                   (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!WiFi " : "",
+                                   (route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Wired " : "",
+                                   (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Exp " : "",
+                                   (route_rule->constrained_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Constrained " : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[0] : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[1] : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[2] : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[3] : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[4] : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[5] : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[6] : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[7] : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[8] : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[9] : "");
+                               break;
+                       case NECP_ROUTE_RULE_QOS_MARKING:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (QoSMarking %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
+                                   (route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Cell " : "",
+                                   (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING) ? "WiFi " : "",
+                                   (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Wired " : "",
+                                   (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Exp " : "",
+                                   (route_rule->constrained_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Constrained " : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[0] : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[1] : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[2] : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[3] : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[4] : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[5] : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[6] : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[7] : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[8] : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[9] : "");
+                               break;
+                       default:
                                snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Unknown)");
                                snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Unknown)");
+                               break;
                        }
                        }
-                       break;
                }
                }
-               case NECP_KERNEL_POLICY_RESULT_USE_NETAGENT: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "UseNetAgent (%s)", found_mapping ? uuid_string : "Unknown");
-                       break;
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_USE_NETAGENT: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                }
                }
-               case NECP_POLICY_RESULT_TRIGGER: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Trigger (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "UseNetAgent (%s)", found_mapping ? uuid_string : "Unknown");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                }
                }
-               case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerIfNeeded (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "NetAgentScoped (%s)", found_mapping ? uuid_string : "Unknown");
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                }
                }
-               case NECP_POLICY_RESULT_TRIGGER_SCOPED: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Trigger (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                }
                }
-               case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "NoTriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerIfNeeded (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER_SCOPED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                }
                }
-               default: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Unknown %d (%d)", result, result_parameter.tunnel_interface_index);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                }
                }
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "NoTriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       default: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Unknown %d (%d)", result, result_parameter.tunnel_interface_index);
+               break;
        }
        }
-       return (result_string);
+       }
+       return result_string;
 }
 
 static void
 }
 
 static void
@@ -3064,7 +4426,7 @@ necp_kernel_socket_policies_dump_all(void)
 static inline bool
 necp_kernel_socket_result_is_trigger_service_type(struct necp_kernel_socket_policy *kernel_policy)
 {
 static inline bool
 necp_kernel_socket_result_is_trigger_service_type(struct necp_kernel_socket_policy *kernel_policy)
 {
-       return (kernel_policy->result >= NECP_KERNEL_POLICY_RESULT_TRIGGER && kernel_policy->result <= NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED);
+       return kernel_policy->result >= NECP_KERNEL_POLICY_RESULT_TRIGGER && kernel_policy->result <= NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED;
 }
 
 static inline bool
 }
 
 static inline bool
@@ -3072,33 +4434,35 @@ necp_kernel_socket_policy_results_overlap(struct necp_kernel_socket_policy *uppe
 {
        if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_DROP) {
                // Drop always cancels out lower policies
 {
        if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_DROP) {
                // Drop always cancels out lower policies
-               return (TRUE);
+               return TRUE;
        } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER ||
        } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER ||
-                          upper_policy->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES ||
-                          upper_policy->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT) {
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES ||
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED ||
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED) {
                // Filters and route rules never cancel out lower policies
                // Filters and route rules never cancel out lower policies
-               return (FALSE);
+               return FALSE;
        } else if (necp_kernel_socket_result_is_trigger_service_type(upper_policy)) {
                // Trigger/Scoping policies can overlap one another, but not other results
        } else if (necp_kernel_socket_result_is_trigger_service_type(upper_policy)) {
                // Trigger/Scoping policies can overlap one another, but not other results
-               return (necp_kernel_socket_result_is_trigger_service_type(lower_policy));
+               return necp_kernel_socket_result_is_trigger_service_type(lower_policy);
        } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                if (upper_policy->session_order != lower_policy->session_order) {
                        // A skip cannot override a policy of a different session
        } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                if (upper_policy->session_order != lower_policy->session_order) {
                        // A skip cannot override a policy of a different session
-                       return (FALSE);
+                       return FALSE;
                } else {
                        if (upper_policy->result_parameter.skip_policy_order == 0 ||
                } else {
                        if (upper_policy->result_parameter.skip_policy_order == 0 ||
-                               lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
+                           lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
                                // This policy is beyond the skip
                                // This policy is beyond the skip
-                               return (FALSE);
+                               return FALSE;
                        } else {
                                // This policy is inside the skip
                        } else {
                                // This policy is inside the skip
-                               return (TRUE);
+                               return TRUE;
                        }
                }
        }
 
        // A hard pass, flow divert, tunnel, or scope will currently block out lower policies
                        }
                }
        }
 
        // A hard pass, flow divert, tunnel, or scope will currently block out lower policies
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 }
 
 static bool
@@ -3114,7 +4478,7 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                // For policies in a skip window, we can't mark conflicting policies as unnecessary
                if (can_skip) {
                        if (highest_skip_session_order != compared_policy->session_order ||
                // For policies in a skip window, we can't mark conflicting policies as unnecessary
                if (can_skip) {
                        if (highest_skip_session_order != compared_policy->session_order ||
-                               (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
+                           (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
                                // If we've moved on to the next session, or passed the skip window
                                highest_skip_session_order = 0;
                                highest_skip_order = 0;
                                // If we've moved on to the next session, or passed the skip window
                                highest_skip_session_order = 0;
                                highest_skip_order = 0;
@@ -3147,9 +4511,14 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                        continue;
                }
 
                        continue;
                }
 
+               // If new policy matches Local Networks, compared policy must also
+               if ((policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS)) {
+                       continue;
+               }
+
                // Default makes lower policies unecessary always
                if (compared_policy->condition_mask == 0) {
                // Default makes lower policies unecessary always
                if (compared_policy->condition_mask == 0) {
-                       return (TRUE);
+                       return TRUE;
                }
 
                // Compared must be more general than policy, and include only conditions within policy
                }
 
                // Compared must be more general than policy, and include only conditions within policy
@@ -3163,53 +4532,63 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN &&
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN &&
-                       strcmp(compared_policy->cond_domain, policy->cond_domain) != 0) {
+                   strcmp(compared_policy->cond_domain, policy->cond_domain) != 0) {
+                       continue;
+               }
+
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT &&
+                   strcmp(compared_policy->cond_custom_entitlement, policy->cond_custom_entitlement) != 0) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID &&
-                       compared_policy->cond_account_id != policy->cond_account_id) {
+                   compared_policy->cond_account_id != policy->cond_account_id) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
-                       compared_policy->cond_policy_id != policy->cond_policy_id) {
+                   compared_policy->cond_policy_id != policy->cond_policy_id) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID &&
-                       compared_policy->cond_app_id != policy->cond_app_id) {
+                   compared_policy->cond_app_id != policy->cond_app_id) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID &&
-                       compared_policy->cond_real_app_id != policy->cond_real_app_id) {
+                   compared_policy->cond_real_app_id != policy->cond_real_app_id) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PID &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PID &&
-                       compared_policy->cond_pid != policy->cond_pid) {
+                   compared_policy->cond_pid != policy->cond_pid) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_UID &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_UID &&
-                       compared_policy->cond_uid != policy->cond_uid) {
+                   compared_policy->cond_uid != policy->cond_uid) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
-                       compared_policy->cond_bound_interface != policy->cond_bound_interface) {
+                   compared_policy->cond_bound_interface != policy->cond_bound_interface) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
-                       compared_policy->cond_protocol != policy->cond_protocol) {
+                   compared_policy->cond_protocol != policy->cond_protocol) {
+                       continue;
+               }
+
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS &&
+                   compared_policy->cond_client_flags != policy->cond_client_flags) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS &&
-                       !(compared_policy->cond_traffic_class.start_tc <= policy->cond_traffic_class.start_tc &&
-                         compared_policy->cond_traffic_class.end_tc >= policy->cond_traffic_class.end_tc)) {
+                   !(compared_policy->cond_traffic_class.start_tc <= policy->cond_traffic_class.start_tc &&
+                   compared_policy->cond_traffic_class.end_tc >= policy->cond_traffic_class.end_tc)) {
                        continue;
                }
 
                        continue;
                }
 
@@ -3220,7 +4599,7 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
                                        continue;
                                }
                        }
                                        continue;
                                }
                        }
@@ -3233,16 +4612,31 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
                                        continue;
                                }
                        }
                }
 
                                        continue;
                                }
                        }
                }
 
-               return (TRUE);
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE &&
+                   memcmp(&compared_policy->cond_agent_type, &policy->cond_agent_type, sizeof(policy->cond_agent_type)) == 0) {
+                       continue;
+               }
+
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION &&
+                   memcmp(&compared_policy->cond_sdk_version, &policy->cond_sdk_version, sizeof(policy->cond_sdk_version)) == 0) {
+                       continue;
+               }
+
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS &&
+                   memcmp(&compared_policy->cond_packet_filter_tags, &policy->cond_packet_filter_tags, sizeof(policy->cond_packet_filter_tags)) == 0) {
+                       continue;
+               }
+
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 static bool
 }
 
 static bool
@@ -3255,7 +4649,7 @@ necp_kernel_socket_policies_reprocess(void)
        int app_layer_current_free_index = 0;
        struct necp_kernel_socket_policy *kernel_policy = NULL;
 
        int app_layer_current_free_index = 0;
        struct necp_kernel_socket_policy *kernel_policy = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        // Reset mask to 0
        necp_kernel_application_policies_condition_mask = 0;
 
        // Reset mask to 0
        necp_kernel_application_policies_condition_mask = 0;
@@ -3286,12 +4680,17 @@ necp_kernel_socket_policies_reprocess(void)
                necp_kernel_application_policies_count++;
                app_layer_allocation_count++;
 
                necp_kernel_application_policies_count++;
                app_layer_allocation_count++;
 
+               if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
+                       // Agent type conditions only apply to app layer
+                       continue;
+               }
+
                // Update socket layer bucket mask/counts
                necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask;
                necp_kernel_socket_policies_count++;
 
                if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
                // Update socket layer bucket mask/counts
                necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask;
                necp_kernel_socket_policies_count++;
 
                if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
-                       kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
+                   kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                        necp_kernel_socket_policies_non_app_count++;
                        for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                                bucket_allocation_counts[app_i]++;
                        necp_kernel_socket_policies_non_app_count++;
                        for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                                bucket_allocation_counts[app_i]++;
@@ -3323,11 +4722,23 @@ necp_kernel_socket_policies_reprocess(void)
 
        // Fill out maps
        LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
 
        // Fill out maps
        LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
-               // Insert pointers into map
+               // Add app layer policies
+               if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
+                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
+                       app_layer_current_free_index++;
+                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
+               }
+
+               if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
+                       // Agent type conditions only apply to app layer
+                       continue;
+               }
+
+               // Add socket policies
                if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
                if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
-                       kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
+                   kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                        for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                        for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
-                               if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
+                               if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                        bucket_current_free_index[app_i]++;
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                        bucket_current_free_index[app_i]++;
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
@@ -3335,22 +4746,16 @@ necp_kernel_socket_policies_reprocess(void)
                        }
                } else {
                        app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id);
                        }
                } else {
                        app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id);
-                       if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
+                       if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                bucket_current_free_index[app_i]++;
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                        }
                }
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                bucket_current_free_index[app_i]++;
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                        }
                }
-
-               if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
-                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
-                       app_layer_current_free_index++;
-                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
-               }
        }
        necp_kernel_socket_policies_dump_all();
        BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT();
        }
        necp_kernel_socket_policies_dump_all();
        BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT();
-       return (TRUE);
+       return TRUE;
 
 fail:
        // Free memory, reset masks to 0
 
 fail:
        // Free memory, reset masks to 0
@@ -3369,28 +4774,39 @@ fail:
                FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
                necp_kernel_socket_policies_app_layer_map = NULL;
        }
                FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
                necp_kernel_socket_policies_app_layer_map = NULL;
        }
-       return (FALSE);
+       return FALSE;
 }
 
 static u_int32_t
 necp_get_new_string_id(void)
 {
 }
 
 static u_int32_t
 necp_get_new_string_id(void)
 {
+       static u_int32_t necp_last_string_id = 0;
+
        u_int32_t newid = 0;
 
        u_int32_t newid = 0;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
 
-       necp_last_string_id++;
-       if (necp_last_string_id < 1) {
-               necp_last_string_id = 1;
-       }
+       bool wrapped = FALSE;
+       do {
+               necp_last_string_id++;
+               if (necp_last_string_id < 1) {
+                       if (wrapped) {
+                               // Already wrapped, give up
+                               NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
+                               return 0;
+                       }
+                       necp_last_string_id = 1;
+                       wrapped = TRUE;
+               }
+               newid = necp_last_string_id;
+       } while (necp_lookup_string_with_id_locked(&necp_account_id_list, newid) != NULL); // If already used, keep trying
 
 
-       newid = necp_last_string_id;
        if (newid == 0) {
        if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate string id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate string id failed.\n");
+               return 0;
        }
 
        }
 
-       return (newid);
+       return newid;
 }
 
 static struct necp_string_id_mapping *
 }
 
 static struct necp_string_id_mapping *
@@ -3406,7 +4822,23 @@ necp_lookup_string_to_id_locked(struct necp_string_id_mapping_list *list, char *
                }
        }
 
                }
        }
 
-       return (foundentry);
+       return foundentry;
+}
+
+static struct necp_string_id_mapping *
+necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id)
+{
+       struct necp_string_id_mapping *searchentry = NULL;
+       struct necp_string_id_mapping *foundentry = NULL;
+
+       LIST_FOREACH(searchentry, list, chain) {
+               if (searchentry->id == local_id) {
+                       foundentry = searchentry;
+                       break;
+               }
+       }
+
+       return foundentry;
 }
 
 static u_int32_t
 }
 
 static u_int32_t
@@ -3415,12 +4847,12 @@ necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
        u_int32_t string_id = 0;
        struct necp_string_id_mapping *existing_mapping = NULL;
 
        u_int32_t string_id = 0;
        struct necp_string_id_mapping *existing_mapping = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        existing_mapping = necp_lookup_string_to_id_locked(list, string);
        if (existing_mapping != NULL) {
                string_id = existing_mapping->id;
 
        existing_mapping = necp_lookup_string_to_id_locked(list, string);
        if (existing_mapping != NULL) {
                string_id = existing_mapping->id;
-               existing_mapping->refcount++;
+               os_ref_retain_locked(&existing_mapping->refcount);
        } else {
                struct necp_string_id_mapping *new_mapping = NULL;
                MALLOC(new_mapping, struct necp_string_id_mapping *, sizeof(struct necp_string_id_mapping), M_NECP, M_WAITOK);
        } else {
                struct necp_string_id_mapping *new_mapping = NULL;
                MALLOC(new_mapping, struct necp_string_id_mapping *, sizeof(struct necp_string_id_mapping), M_NECP, M_WAITOK);
@@ -3432,7 +4864,7 @@ necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
                        if (new_mapping->string != NULL) {
                                memcpy(new_mapping->string, string, length);
                                new_mapping->id = necp_get_new_string_id();
                        if (new_mapping->string != NULL) {
                                memcpy(new_mapping->string, string, length);
                                new_mapping->id = necp_get_new_string_id();
-                               new_mapping->refcount = 1;
+                               os_ref_init(&new_mapping->refcount, &necp_refgrp);
                                LIST_INSERT_HEAD(list, new_mapping, chain);
                                string_id = new_mapping->id;
                        } else {
                                LIST_INSERT_HEAD(list, new_mapping, chain);
                                string_id = new_mapping->id;
                        } else {
@@ -3441,7 +4873,7 @@ necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
                        }
                }
        }
                        }
                }
        }
-       return (string_id);
+       return string_id;
 }
 
 static bool
 }
 
 static bool
@@ -3449,61 +4881,76 @@ necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
 {
        struct necp_string_id_mapping *existing_mapping = NULL;
 
 {
        struct necp_string_id_mapping *existing_mapping = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        existing_mapping = necp_lookup_string_to_id_locked(list, string);
        if (existing_mapping != NULL) {
 
        existing_mapping = necp_lookup_string_to_id_locked(list, string);
        if (existing_mapping != NULL) {
-               if (--existing_mapping->refcount == 0) {
+               if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
                        LIST_REMOVE(existing_mapping, chain);
                        FREE(existing_mapping->string, M_NECP);
                        FREE(existing_mapping, M_NECP);
                }
                        LIST_REMOVE(existing_mapping, chain);
                        FREE(existing_mapping->string, M_NECP);
                        FREE(existing_mapping, M_NECP);
                }
-               return (TRUE);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 }
 
+#define NECP_FIRST_VALID_ROUTE_RULE_ID 1
+#define NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID UINT16_MAX
 static u_int32_t
 static u_int32_t
-necp_get_new_route_rule_id(void)
+necp_get_new_route_rule_id(bool aggregate)
 {
 {
-       u_int32_t newid = 0;
-
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
-
-       necp_last_route_rule_id++;
-       if (necp_last_route_rule_id < 1 || necp_last_route_rule_id > UINT16_MAX) {
-               necp_last_route_rule_id = 1;
-       }
-
-       newid = necp_last_route_rule_id;
-       if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate route rule id failed.\n");
-               return (0);
-       }
+       static u_int32_t necp_last_route_rule_id = 0;
+       static u_int32_t necp_last_aggregate_route_rule_id = 0;
 
 
-       return (newid);
-}
-
-static u_int32_t
-necp_get_new_aggregate_route_rule_id(void)
-{
        u_int32_t newid = 0;
 
        u_int32_t newid = 0;
 
-       lck_rw_assert(&necp_route_rule_lock, LCK_RW_ASSERT_EXCLUSIVE);
-
-       necp_last_aggregate_route_rule_id++;
-       if (necp_last_aggregate_route_rule_id <= UINT16_MAX) {
-               necp_last_aggregate_route_rule_id = UINT16_MAX + 1;
+       if (!aggregate) {
+               // Main necp_kernel_policy_lock protects non-aggregate rule IDs
+               LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+               bool wrapped = FALSE;
+               do {
+                       necp_last_route_rule_id++;
+                       if (necp_last_route_rule_id < NECP_FIRST_VALID_ROUTE_RULE_ID ||
+                           necp_last_route_rule_id >= NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free route rule id.\n");
+                                       return 0;
+                               }
+                               necp_last_route_rule_id = NECP_FIRST_VALID_ROUTE_RULE_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_route_rule_id;
+               } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
+       } else {
+               // necp_route_rule_lock protects aggregate rule IDs
+               LCK_RW_ASSERT(&necp_route_rule_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+               bool wrapped = FALSE;
+               do {
+                       necp_last_aggregate_route_rule_id++;
+                       if (necp_last_aggregate_route_rule_id < NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free aggregate route rule id.\n");
+                                       return 0;
+                               }
+                               necp_last_aggregate_route_rule_id = NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_aggregate_route_rule_id;
+               } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
        }
 
        }
 
-       newid = necp_last_aggregate_route_rule_id;
        if (newid == 0) {
        if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate aggregate route rule id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate route rule ID failed.\n");
+               return 0;
        }
 
        }
 
-       return (newid);
+       return newid;
 }
 
 static struct necp_route_rule *
 }
 
 static struct necp_route_rule *
@@ -3519,21 +4966,22 @@ necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route
                }
        }
 
                }
        }
 
-       return (foundentry);
+       return foundentry;
 }
 
 static struct necp_route_rule *
 }
 
 static struct necp_route_rule *
-necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_int32_t default_action, u_int8_t cellular_action, u_int8_t wifi_action, u_int8_t wired_action, u_int8_t expensive_action, u_int32_t *if_indices, u_int8_t *if_actions)
+necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_int32_t default_action, u_int8_t cellular_action, u_int8_t wifi_action, u_int8_t wired_action, u_int8_t expensive_action, u_int8_t constrained_action, u_int32_t *if_indices, u_int8_t *if_actions)
 {
        struct necp_route_rule *searchentry = NULL;
        struct necp_route_rule *foundentry = NULL;
 
        LIST_FOREACH(searchentry, list, chain) {
                if (searchentry->default_action == default_action &&
 {
        struct necp_route_rule *searchentry = NULL;
        struct necp_route_rule *foundentry = NULL;
 
        LIST_FOREACH(searchentry, list, chain) {
                if (searchentry->default_action == default_action &&
-                       searchentry->cellular_action == cellular_action &&
-                       searchentry->wifi_action == wifi_action &&
-                       searchentry->wired_action == wired_action &&
-                       searchentry->expensive_action == expensive_action) {
+                   searchentry->cellular_action == cellular_action &&
+                   searchentry->wifi_action == wifi_action &&
+                   searchentry->wired_action == wired_action &&
+                   searchentry->expensive_action == expensive_action &&
+                   searchentry->constrained_action == constrained_action) {
                        bool match_failed = FALSE;
                        size_t index_a = 0;
                        size_t index_b = 0;
                        bool match_failed = FALSE;
                        size_t index_a = 0;
                        size_t index_b = 0;
@@ -3553,7 +5001,7 @@ necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_i
                                                count_b = index_b + 1;
                                        }
                                        if (searchentry->exception_if_indices[index_a] == if_indices[index_b] &&
                                                count_b = index_b + 1;
                                        }
                                        if (searchentry->exception_if_indices[index_a] == if_indices[index_b] &&
-                                               searchentry->exception_if_actions[index_a] == if_actions[index_b]) {
+                                           searchentry->exception_if_actions[index_a] == if_actions[index_b]) {
                                                found_index = TRUE;
                                                break;
                                        }
                                                found_index = TRUE;
                                                break;
                                        }
@@ -3570,7 +5018,7 @@ necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_i
                }
        }
 
                }
        }
 
-       return (foundentry);
+       return foundentry;
 }
 
 static u_int32_t
 }
 
 static u_int32_t
@@ -3584,16 +5032,17 @@ necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_
        u_int8_t wifi_action = NECP_ROUTE_RULE_NONE;
        u_int8_t wired_action = NECP_ROUTE_RULE_NONE;
        u_int8_t expensive_action = NECP_ROUTE_RULE_NONE;
        u_int8_t wifi_action = NECP_ROUTE_RULE_NONE;
        u_int8_t wired_action = NECP_ROUTE_RULE_NONE;
        u_int8_t expensive_action = NECP_ROUTE_RULE_NONE;
+       u_int8_t constrained_action = NECP_ROUTE_RULE_NONE;
        u_int32_t if_indices[MAX_ROUTE_RULE_INTERFACES];
        size_t num_valid_indices = 0;
        memset(&if_indices, 0, sizeof(if_indices));
        u_int8_t if_actions[MAX_ROUTE_RULE_INTERFACES];
        memset(&if_actions, 0, sizeof(if_actions));
 
        u_int32_t if_indices[MAX_ROUTE_RULE_INTERFACES];
        size_t num_valid_indices = 0;
        memset(&if_indices, 0, sizeof(if_indices));
        u_int8_t if_actions[MAX_ROUTE_RULE_INTERFACES];
        memset(&if_actions, 0, sizeof(if_actions));
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        if (route_rules_array == NULL || route_rules_array_size == 0) {
 
        if (route_rules_array == NULL || route_rules_array_size == 0) {
-               return (0);
+               return 0;
        }
 
        // Process rules
        }
 
        // Process rules
@@ -3626,6 +5075,9 @@ necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_
                        if (rule_flags & NECP_ROUTE_RULE_FLAG_EXPENSIVE) {
                                expensive_action = rule_type;
                        }
                        if (rule_flags & NECP_ROUTE_RULE_FLAG_EXPENSIVE) {
                                expensive_action = rule_type;
                        }
+                       if (rule_flags & NECP_ROUTE_RULE_FLAG_CONSTRAINED) {
+                               constrained_action = rule_type;
+                       }
                        if (rule_flags == 0) {
                                default_action = rule_type;
                        }
                        if (rule_flags == 0) {
                                default_action = rule_type;
                        }
@@ -3638,38 +5090,41 @@ necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_
                        continue;
                }
 
                        continue;
                }
 
-               memcpy(interface_name, rule_value, rule_length);
-               interface_name[length - 1] = 0; // Make sure the string is NULL terminated
-               if (ifnet_find_by_name(interface_name, &rule_interface) == 0) {
-                       if_actions[num_valid_indices] = rule_type;
-                       if_indices[num_valid_indices++] = rule_interface->if_index;
+               if (rule_length <= IFXNAMSIZ) {
+                       memcpy(interface_name, rule_value, rule_length);
+                       interface_name[rule_length - 1] = 0; // Make sure the string is NULL terminated
+                       if (ifnet_find_by_name(interface_name, &rule_interface) == 0) {
+                               if_actions[num_valid_indices] = rule_type;
+                               if_indices[num_valid_indices++] = rule_interface->if_index;
+                               ifnet_release(rule_interface);
+                       }
                }
                }
-
                offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
        }
 
                offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
        }
 
-       existing_rule = necp_lookup_route_rule_by_contents_locked(list, default_action, cellular_action, wifi_action, wired_action, expensive_action, if_indices, if_actions);
+       existing_rule = necp_lookup_route_rule_by_contents_locked(list, default_action, cellular_action, wifi_action, wired_action, expensive_action, constrained_action, if_indices, if_actions);
        if (existing_rule != NULL) {
                route_rule_id = existing_rule->id;
        if (existing_rule != NULL) {
                route_rule_id = existing_rule->id;
-               existing_rule->refcount++;
+               os_ref_retain_locked(&existing_rule->refcount);
        } else {
                struct necp_route_rule *new_rule = NULL;
                MALLOC(new_rule, struct necp_route_rule *, sizeof(struct necp_route_rule), M_NECP, M_WAITOK);
                if (new_rule != NULL) {
                        memset(new_rule, 0, sizeof(struct necp_route_rule));
        } else {
                struct necp_route_rule *new_rule = NULL;
                MALLOC(new_rule, struct necp_route_rule *, sizeof(struct necp_route_rule), M_NECP, M_WAITOK);
                if (new_rule != NULL) {
                        memset(new_rule, 0, sizeof(struct necp_route_rule));
-                       route_rule_id = new_rule->id = necp_get_new_route_rule_id();
+                       route_rule_id = new_rule->id = necp_get_new_route_rule_id(false);
                        new_rule->default_action = default_action;
                        new_rule->cellular_action = cellular_action;
                        new_rule->wifi_action = wifi_action;
                        new_rule->wired_action = wired_action;
                        new_rule->expensive_action = expensive_action;
                        new_rule->default_action = default_action;
                        new_rule->cellular_action = cellular_action;
                        new_rule->wifi_action = wifi_action;
                        new_rule->wired_action = wired_action;
                        new_rule->expensive_action = expensive_action;
+                       new_rule->constrained_action =  constrained_action;
                        memcpy(&new_rule->exception_if_indices, &if_indices, sizeof(if_indices));
                        memcpy(&new_rule->exception_if_actions, &if_actions, sizeof(if_actions));
                        memcpy(&new_rule->exception_if_indices, &if_indices, sizeof(if_indices));
                        memcpy(&new_rule->exception_if_actions, &if_actions, sizeof(if_actions));
-                       new_rule->refcount = 1;
+                       os_ref_init(&new_rule->refcount, &necp_refgrp);
                        LIST_INSERT_HEAD(list, new_rule, chain);
                }
        }
                        LIST_INSERT_HEAD(list, new_rule, chain);
                }
        }
-       return (route_rule_id);
+       return route_rule_id;
 }
 
 static void
 }
 
 static void
@@ -3702,19 +5157,19 @@ necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_i
 {
        struct necp_route_rule *existing_rule = NULL;
 
 {
        struct necp_route_rule *existing_rule = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        existing_rule = necp_lookup_route_rule_locked(list, route_rule_id);
        if (existing_rule != NULL) {
 
        existing_rule = necp_lookup_route_rule_locked(list, route_rule_id);
        if (existing_rule != NULL) {
-               if (--existing_rule->refcount == 0) {
+               if (os_ref_release_locked(&existing_rule->refcount) == 0) {
                        necp_remove_aggregate_route_rule_for_id(existing_rule->id);
                        LIST_REMOVE(existing_rule, chain);
                        FREE(existing_rule, M_NECP);
                }
                        necp_remove_aggregate_route_rule_for_id(existing_rule->id);
                        LIST_REMOVE(existing_rule, chain);
                        FREE(existing_rule, M_NECP);
                }
-               return (TRUE);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 static struct necp_aggregate_route_rule *
 }
 
 static struct necp_aggregate_route_rule *
@@ -3734,7 +5189,7 @@ necp_lookup_aggregate_route_rule_locked(u_int32_t route_rule_id)
 
        lck_rw_done(&necp_route_rule_lock);
 
 
        lck_rw_done(&necp_route_rule_lock);
 
-       return (foundentry);
+       return foundentry;
 }
 
 static u_int32_t
 }
 
 static u_int32_t
@@ -3744,55 +5199,81 @@ necp_create_aggregate_route_rule(u_int32_t *rule_ids)
        struct necp_aggregate_route_rule *new_rule = NULL;
        struct necp_aggregate_route_rule *existing_rule = NULL;
 
        struct necp_aggregate_route_rule *new_rule = NULL;
        struct necp_aggregate_route_rule *existing_rule = NULL;
 
-       LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
-               if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
-                       return (existing_rule->id);
-               }
-       }
-
        lck_rw_lock_exclusive(&necp_route_rule_lock);
 
        lck_rw_lock_exclusive(&necp_route_rule_lock);
 
+       // Check if the rule already exists
        LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
        LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
-               // Re-check, in case something else created the rule while we are waiting to lock
                if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
                        lck_rw_done(&necp_route_rule_lock);
                if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
                        lck_rw_done(&necp_route_rule_lock);
-                       return (existing_rule->id);
+                       return existing_rule->id;
                }
        }
 
        MALLOC(new_rule, struct necp_aggregate_route_rule *, sizeof(struct necp_aggregate_route_rule), M_NECP, M_WAITOK);
        if (new_rule != NULL) {
                memset(new_rule, 0, sizeof(struct necp_aggregate_route_rule));
                }
        }
 
        MALLOC(new_rule, struct necp_aggregate_route_rule *, sizeof(struct necp_aggregate_route_rule), M_NECP, M_WAITOK);
        if (new_rule != NULL) {
                memset(new_rule, 0, sizeof(struct necp_aggregate_route_rule));
-               aggregate_route_rule_id = new_rule->id = necp_get_new_aggregate_route_rule_id();
+               aggregate_route_rule_id = new_rule->id = necp_get_new_route_rule_id(true);
                new_rule->id = aggregate_route_rule_id;
                memcpy(new_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES));
                LIST_INSERT_HEAD(&necp_aggregate_route_rules, new_rule, chain);
        }
        lck_rw_done(&necp_route_rule_lock);
 
                new_rule->id = aggregate_route_rule_id;
                memcpy(new_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES));
                LIST_INSERT_HEAD(&necp_aggregate_route_rules, new_rule, chain);
        }
        lck_rw_done(&necp_route_rule_lock);
 
-       return (aggregate_route_rule_id);
+       return aggregate_route_rule_id;
 }
 
 #define NECP_NULL_SERVICE_ID 1
 }
 
 #define NECP_NULL_SERVICE_ID 1
+#define NECP_FIRST_VALID_SERVICE_ID  2
+#define NECP_FIRST_VALID_APP_ID  UINT16_MAX
 static u_int32_t
 static u_int32_t
-necp_get_new_uuid_id(void)
+necp_get_new_uuid_id(bool service)
 {
 {
-       u_int32_t newid = 0;
+       static u_int32_t necp_last_service_uuid_id = 0;
+       static u_int32_t necp_last_app_uuid_id = 0;
 
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       u_int32_t newid = 0;
 
 
-       necp_last_uuid_id++;
-       if (necp_last_uuid_id < (NECP_NULL_SERVICE_ID + 1)) {
-               necp_last_uuid_id = (NECP_NULL_SERVICE_ID + 1);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+       if (service) {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_service_uuid_id++;
+                       if (necp_last_service_uuid_id < NECP_FIRST_VALID_SERVICE_ID ||
+                           necp_last_service_uuid_id >= NECP_FIRST_VALID_APP_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free service UUID.\n");
+                                       return NECP_NULL_SERVICE_ID;
+                               }
+                               necp_last_service_uuid_id = NECP_FIRST_VALID_SERVICE_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_service_uuid_id;
+               } while (necp_uuid_lookup_uuid_with_service_id_locked(newid) != NULL); // If already used, keep trying
+       } else {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_app_uuid_id++;
+                       if (necp_last_app_uuid_id < NECP_FIRST_VALID_APP_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
+                                       return NECP_NULL_SERVICE_ID;
+                               }
+                               necp_last_app_uuid_id = NECP_FIRST_VALID_APP_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_app_uuid_id;
+               } while (necp_uuid_lookup_uuid_with_app_id_locked(newid) != NULL); // If already used, keep trying
        }
 
        }
 
-       newid = necp_last_uuid_id;
-       if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate uuid id failed.\n");
-               return (0);
+       if (newid == NECP_NULL_SERVICE_ID) {
+               NECPLOG0(LOG_ERR, "Allocate uuid ID failed.\n");
+               return NECP_NULL_SERVICE_ID;
        }
 
        }
 
-       return (newid);
+       return newid;
 }
 
 static struct necp_uuid_id_mapping *
 }
 
 static struct necp_uuid_id_mapping *
@@ -3808,7 +5289,26 @@ necp_uuid_lookup_app_id_locked(uuid_t uuid)
                }
        }
 
                }
        }
 
-       return (foundentry);
+       return foundentry;
+}
+
+static struct necp_uuid_id_mapping *
+necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id)
+{
+       struct necp_uuid_id_mapping *searchentry = NULL;
+       struct necp_uuid_id_mapping *foundentry = NULL;
+
+       struct necp_uuid_id_mapping_head *uuid_list_head = NULL;
+       for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
+               LIST_FOREACH(searchentry, uuid_list_head, chain) {
+                       if (searchentry->id == local_id) {
+                               foundentry = searchentry;
+                               break;
+                       }
+               }
+       }
+
+       return foundentry;
 }
 
 static u_int32_t
 }
 
 static u_int32_t
@@ -3817,7 +5317,7 @@ necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_
        u_int32_t local_id = 0;
        struct necp_uuid_id_mapping *existing_mapping = NULL;
 
        u_int32_t local_id = 0;
        struct necp_uuid_id_mapping *existing_mapping = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        if (allocated_mapping) {
                *allocated_mapping = FALSE;
 
        if (allocated_mapping) {
                *allocated_mapping = FALSE;
@@ -3826,21 +5326,21 @@ necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_
        existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
        if (existing_mapping != NULL) {
                local_id = existing_mapping->id;
        existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
        if (existing_mapping != NULL) {
                local_id = existing_mapping->id;
-               existing_mapping->refcount++;
+               os_ref_retain_locked(&existing_mapping->refcount);
                if (uuid_policy_table) {
                if (uuid_policy_table) {
-                       existing_mapping->table_refcount++;
+                       existing_mapping->table_usecount++;
                }
        } else {
                struct necp_uuid_id_mapping *new_mapping = NULL;
                MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                if (new_mapping != NULL) {
                        uuid_copy(new_mapping->uuid, uuid);
                }
        } else {
                struct necp_uuid_id_mapping *new_mapping = NULL;
                MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                if (new_mapping != NULL) {
                        uuid_copy(new_mapping->uuid, uuid);
-                       new_mapping->id = necp_get_new_uuid_id();
-                       new_mapping->refcount = 1;
+                       new_mapping->id = necp_get_new_uuid_id(false);
+                       os_ref_init(&new_mapping->refcount, &necp_refgrp);
                        if (uuid_policy_table) {
                        if (uuid_policy_table) {
-                               new_mapping->table_refcount = 1;
+                               new_mapping->table_usecount = 1;
                        } else {
                        } else {
-                               new_mapping->table_refcount = 0;
+                               new_mapping->table_usecount = 0;
                        }
 
                        LIST_INSERT_HEAD(APPUUIDHASH(uuid), new_mapping, chain);
                        }
 
                        LIST_INSERT_HEAD(APPUUIDHASH(uuid), new_mapping, chain);
@@ -3853,7 +5353,7 @@ necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_
                }
        }
 
                }
        }
 
-       return (local_id);
+       return local_id;
 }
 
 static bool
 }
 
 static bool
@@ -3861,7 +5361,7 @@ necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_po
 {
        struct necp_uuid_id_mapping *existing_mapping = NULL;
 
 {
        struct necp_uuid_id_mapping *existing_mapping = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        if (removed_mapping) {
                *removed_mapping = FALSE;
 
        if (removed_mapping) {
                *removed_mapping = FALSE;
@@ -3870,19 +5370,19 @@ necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_po
        existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
        if (existing_mapping != NULL) {
                if (uuid_policy_table) {
        existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
        if (existing_mapping != NULL) {
                if (uuid_policy_table) {
-                       existing_mapping->table_refcount--;
+                       existing_mapping->table_usecount--;
                }
                }
-               if (--existing_mapping->refcount == 0) {
+               if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
                        LIST_REMOVE(existing_mapping, chain);
                        FREE(existing_mapping, M_NECP);
                        if (removed_mapping) {
                                *removed_mapping = TRUE;
                        }
                }
                        LIST_REMOVE(existing_mapping, chain);
                        FREE(existing_mapping, M_NECP);
                        if (removed_mapping) {
                                *removed_mapping = TRUE;
                        }
                }
-               return (TRUE);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 static struct necp_uuid_id_mapping *
 }
 
 static struct necp_uuid_id_mapping *
@@ -3891,8 +5391,8 @@ necp_uuid_get_null_service_id_mapping(void)
        static struct necp_uuid_id_mapping null_mapping;
        uuid_clear(null_mapping.uuid);
        null_mapping.id = NECP_NULL_SERVICE_ID;
        static struct necp_uuid_id_mapping null_mapping;
        uuid_clear(null_mapping.uuid);
        null_mapping.id = NECP_NULL_SERVICE_ID;
-       
-       return (&null_mapping);
+
+       return &null_mapping;
 }
 
 static struct necp_uuid_id_mapping *
 }
 
 static struct necp_uuid_id_mapping *
@@ -3900,11 +5400,11 @@ necp_uuid_lookup_service_id_locked(uuid_t uuid)
 {
        struct necp_uuid_id_mapping *searchentry = NULL;
        struct necp_uuid_id_mapping *foundentry = NULL;
 {
        struct necp_uuid_id_mapping *searchentry = NULL;
        struct necp_uuid_id_mapping *foundentry = NULL;
-       
+
        if (uuid_is_null(uuid)) {
                return necp_uuid_get_null_service_id_mapping();
        }
        if (uuid_is_null(uuid)) {
                return necp_uuid_get_null_service_id_mapping();
        }
-       
+
        LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
                if (uuid_compare(searchentry->uuid, uuid) == 0) {
                        foundentry = searchentry;
        LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
                if (uuid_compare(searchentry->uuid, uuid) == 0) {
                        foundentry = searchentry;
@@ -3912,7 +5412,7 @@ necp_uuid_lookup_service_id_locked(uuid_t uuid)
                }
        }
 
                }
        }
 
-       return (foundentry);
+       return foundentry;
 }
 
 static struct necp_uuid_id_mapping *
 }
 
 static struct necp_uuid_id_mapping *
@@ -3920,11 +5420,11 @@ necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id)
 {
        struct necp_uuid_id_mapping *searchentry = NULL;
        struct necp_uuid_id_mapping *foundentry = NULL;
 {
        struct necp_uuid_id_mapping *searchentry = NULL;
        struct necp_uuid_id_mapping *foundentry = NULL;
-       
+
        if (local_id == NECP_NULL_SERVICE_ID) {
                return necp_uuid_get_null_service_id_mapping();
        }
        if (local_id == NECP_NULL_SERVICE_ID) {
                return necp_uuid_get_null_service_id_mapping();
        }
-       
+
        LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
                if (searchentry->id == local_id) {
                        foundentry = searchentry;
        LIST_FOREACH(searchentry, &necp_uuid_service_id_list, chain) {
                if (searchentry->id == local_id) {
                        foundentry = searchentry;
@@ -3932,7 +5432,7 @@ necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id)
                }
        }
 
                }
        }
 
-       return (foundentry);
+       return foundentry;
 }
 
 static u_int32_t
 }
 
 static u_int32_t
@@ -3940,24 +5440,24 @@ necp_create_uuid_service_id_mapping(uuid_t uuid)
 {
        u_int32_t local_id = 0;
        struct necp_uuid_id_mapping *existing_mapping = NULL;
 {
        u_int32_t local_id = 0;
        struct necp_uuid_id_mapping *existing_mapping = NULL;
-       
+
        if (uuid_is_null(uuid)) {
        if (uuid_is_null(uuid)) {
-               return (NECP_NULL_SERVICE_ID);
+               return NECP_NULL_SERVICE_ID;
        }
        }
-       
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
        if (existing_mapping != NULL) {
                local_id = existing_mapping->id;
 
        existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
        if (existing_mapping != NULL) {
                local_id = existing_mapping->id;
-               existing_mapping->refcount++;
+               os_ref_retain_locked(&existing_mapping->refcount);
        } else {
                struct necp_uuid_id_mapping *new_mapping = NULL;
                MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                if (new_mapping != NULL) {
                        uuid_copy(new_mapping->uuid, uuid);
        } else {
                struct necp_uuid_id_mapping *new_mapping = NULL;
                MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                if (new_mapping != NULL) {
                        uuid_copy(new_mapping->uuid, uuid);
-                       new_mapping->id = necp_get_new_uuid_id();
-                       new_mapping->refcount = 1;
+                       new_mapping->id = necp_get_new_uuid_id(true);
+                       os_ref_init(&new_mapping->refcount, &necp_refgrp);
 
                        LIST_INSERT_HEAD(&necp_uuid_service_id_list, new_mapping, chain);
 
 
                        LIST_INSERT_HEAD(&necp_uuid_service_id_list, new_mapping, chain);
 
@@ -3965,42 +5465,42 @@ necp_create_uuid_service_id_mapping(uuid_t uuid)
                }
        }
 
                }
        }
 
-       return (local_id);
+       return local_id;
 }
 
 static bool
 necp_remove_uuid_service_id_mapping(uuid_t uuid)
 {
        struct necp_uuid_id_mapping *existing_mapping = NULL;
 }
 
 static bool
 necp_remove_uuid_service_id_mapping(uuid_t uuid)
 {
        struct necp_uuid_id_mapping *existing_mapping = NULL;
-       
+
        if (uuid_is_null(uuid)) {
        if (uuid_is_null(uuid)) {
-               return (TRUE);
+               return TRUE;
        }
        }
-       
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
 
-       existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+       existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
        if (existing_mapping != NULL) {
        if (existing_mapping != NULL) {
-               if (--existing_mapping->refcount == 0) {
+               if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
                        LIST_REMOVE(existing_mapping, chain);
                        FREE(existing_mapping, M_NECP);
                }
                        LIST_REMOVE(existing_mapping, chain);
                        FREE(existing_mapping, M_NECP);
                }
-               return (TRUE);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 
 static bool
 necp_kernel_socket_policies_update_uuid_table(void)
 {
 }
 
 
 static bool
 necp_kernel_socket_policies_update_uuid_table(void)
 {
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        if (necp_uuid_app_id_mappings_dirty) {
                if (proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_CLEAR, NULL, PROC_UUID_NECP_APP_POLICY) < 0) {
                        NECPLOG0(LOG_DEBUG, "Error clearing uuids from policy table\n");
 
        if (necp_uuid_app_id_mappings_dirty) {
                if (proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_CLEAR, NULL, PROC_UUID_NECP_APP_POLICY) < 0) {
                        NECPLOG0(LOG_DEBUG, "Error clearing uuids from policy table\n");
-                       return (FALSE);
+                       return FALSE;
                }
 
                if (necp_num_uuid_app_id_mappings > 0) {
                }
 
                if (necp_num_uuid_app_id_mappings > 0) {
@@ -4008,8 +5508,8 @@ necp_kernel_socket_policies_update_uuid_table(void)
                        for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
                                struct necp_uuid_id_mapping *mapping = NULL;
                                LIST_FOREACH(mapping, uuid_list_head, chain) {
                        for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
                                struct necp_uuid_id_mapping *mapping = NULL;
                                LIST_FOREACH(mapping, uuid_list_head, chain) {
-                                       if (mapping->table_refcount > 0 &&
-                                               proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_ADD, mapping->uuid, PROC_UUID_NECP_APP_POLICY) < 0) {
+                                       if (mapping->table_usecount > 0 &&
+                                           proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_ADD, mapping->uuid, PROC_UUID_NECP_APP_POLICY) < 0) {
                                                NECPLOG0(LOG_DEBUG, "Error adding uuid to policy table\n");
                                        }
                                }
                                                NECPLOG0(LOG_DEBUG, "Error adding uuid to policy table\n");
                                        }
                                }
@@ -4019,24 +5519,18 @@ necp_kernel_socket_policies_update_uuid_table(void)
                necp_uuid_app_id_mappings_dirty = FALSE;
        }
 
                necp_uuid_app_id_mappings_dirty = FALSE;
        }
 
-       return (TRUE);
+       return TRUE;
 }
 
 }
 
-#define        NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE)
+#define NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS)
 static necp_kernel_policy_id
 static necp_kernel_policy_id
-necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
+necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
 {
        struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
        struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
 
 {
        struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
        struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
 
-       MALLOC_ZONE(new_kernel_policy, struct necp_kernel_ip_output_policy *, sizeof(*new_kernel_policy), M_NECP_IP_POLICY, M_WAITOK);
-       if (new_kernel_policy == NULL) {
-               goto done;
-       }
-
-       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy));
-       new_kernel_policy->parent_policy_id = parent_policy_id;
-       new_kernel_policy->id = necp_kernel_policy_get_new_id();
+       new_kernel_policy = zalloc_flags(necp_ip_policy_zone, Z_WAITOK | Z_ZERO);
+       new_kernel_policy->id = necp_kernel_policy_get_new_id(false);
        new_kernel_policy->suborder = suborder;
        new_kernel_policy->order = order;
        new_kernel_policy->session_order = session_order;
        new_kernel_policy->suborder = suborder;
        new_kernel_policy->order = order;
        new_kernel_policy->session_order = session_order;
@@ -4089,6 +5583,9 @@ necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_or
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               new_kernel_policy->cond_packet_filter_tags = cond_packet_filter_tags;
+       }
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
@@ -4097,8 +5594,8 @@ necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_or
                NECPLOG(LOG_DEBUG, "Added kernel policy: ip output, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
                NECPLOG(LOG_DEBUG, "Added kernel policy: ip output, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
-done:
-       return (new_kernel_policy ? new_kernel_policy->id : 0);
+
+       return new_kernel_policy ? new_kernel_policy->id : 0;
 }
 
 static struct necp_kernel_ip_output_policy *
 }
 
 static struct necp_kernel_ip_output_policy *
@@ -4108,16 +5605,16 @@ necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id)
        struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
 
        if (policy_id == 0) {
        struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
 
        if (policy_id == 0) {
-               return (NULL);
+               return NULL;
        }
 
        LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) {
                if (kernel_policy->id == policy_id) {
        }
 
        LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) {
                if (kernel_policy->id == policy_id) {
-                       return (kernel_policy);
+                       return kernel_policy;
                }
        }
 
                }
        }
 
-       return (NULL);
+       return NULL;
 }
 
 static bool
 }
 
 static bool
@@ -4125,7 +5622,7 @@ necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
 {
        struct necp_kernel_ip_output_policy *policy = NULL;
 
 {
        struct necp_kernel_ip_output_policy *policy = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        policy = necp_kernel_ip_output_policy_find(policy_id);
        if (policy) {
 
        policy = necp_kernel_ip_output_policy_find(policy_id);
        if (policy) {
@@ -4136,11 +5633,11 @@ necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
                        policy->cond_bound_interface = NULL;
                }
 
                        policy->cond_bound_interface = NULL;
                }
 
-               FREE_ZONE(policy, sizeof(*policy), M_NECP_IP_POLICY);
-               return (TRUE);
+               zfree(necp_ip_policy_zone, policy);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 static void
 }
 
 static void
@@ -4175,21 +5672,21 @@ necp_kernel_ip_output_policy_results_overlap(struct necp_kernel_ip_output_policy
        if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                if (upper_policy->session_order != lower_policy->session_order) {
                        // A skip cannot override a policy of a different session
        if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                if (upper_policy->session_order != lower_policy->session_order) {
                        // A skip cannot override a policy of a different session
-                       return (FALSE);
+                       return FALSE;
                } else {
                        if (upper_policy->result_parameter.skip_policy_order == 0 ||
                } else {
                        if (upper_policy->result_parameter.skip_policy_order == 0 ||
-                               lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
+                           lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
                                // This policy is beyond the skip
                                // This policy is beyond the skip
-                               return (FALSE);
+                               return FALSE;
                        } else {
                                // This policy is inside the skip
                        } else {
                                // This policy is inside the skip
-                               return (TRUE);
+                               return TRUE;
                        }
                }
        }
 
        // All other IP Output policy results (drop, tunnel, hard pass) currently overlap
                        }
                }
        }
 
        // All other IP Output policy results (drop, tunnel, hard pass) currently overlap
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 }
 
 static bool
@@ -4205,7 +5702,7 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                // For policies in a skip window, we can't mark conflicting policies as unnecessary
                if (can_skip) {
                        if (highest_skip_session_order != compared_policy->session_order ||
                // For policies in a skip window, we can't mark conflicting policies as unnecessary
                if (can_skip) {
                        if (highest_skip_session_order != compared_policy->session_order ||
-                               (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
+                           (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
                                // If we've moved on to the next session, or passed the skip window
                                highest_skip_session_order = 0;
                                highest_skip_order = 0;
                                // If we've moved on to the next session, or passed the skip window
                                highest_skip_session_order = 0;
                                highest_skip_order = 0;
@@ -4238,9 +5735,14 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                        continue;
                }
 
                        continue;
                }
 
+               // If new policy matches Local Networks, compared policy must also
+               if ((policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS)) {
+                       continue;
+               }
+
                // Default makes lower policies unecessary always
                if (compared_policy->condition_mask == 0) {
                // Default makes lower policies unecessary always
                if (compared_policy->condition_mask == 0) {
-                       return (TRUE);
+                       return TRUE;
                }
 
                // Compared must be more general than policy, and include only conditions within policy
                }
 
                // Compared must be more general than policy, and include only conditions within policy
@@ -4254,17 +5756,17 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
-                       compared_policy->cond_policy_id != policy->cond_policy_id) {
+                   compared_policy->cond_policy_id != policy->cond_policy_id) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
-                       compared_policy->cond_bound_interface != policy->cond_bound_interface) {
+                   compared_policy->cond_bound_interface != policy->cond_bound_interface) {
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
                        continue;
                }
 
                if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
-                       compared_policy->cond_protocol != policy->cond_protocol) {
+                   compared_policy->cond_protocol != policy->cond_protocol) {
                        continue;
                }
 
                        continue;
                }
 
@@ -4275,7 +5777,7 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
                                        continue;
                                }
                        }
                                        continue;
                                }
                        }
@@ -4288,16 +5790,16 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
                                }
                        } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
                                        continue;
                                }
                        }
                }
 
                                        continue;
                                }
                        }
                }
 
-               return (TRUE);
+               return TRUE;
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 static bool
 }
 
 static bool
@@ -4308,7 +5810,7 @@ necp_kernel_ip_output_policies_reprocess(void)
        int bucket_current_free_index[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
        struct necp_kernel_ip_output_policy *kernel_policy = NULL;
 
        int bucket_current_free_index[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
        struct necp_kernel_ip_output_policy *kernel_policy = NULL;
 
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
 
        // Reset mask to 0
        necp_kernel_ip_output_policies_condition_mask = 0;
 
        // Reset mask to 0
        necp_kernel_ip_output_policies_condition_mask = 0;
@@ -4330,12 +5832,19 @@ necp_kernel_ip_output_policies_reprocess(void)
                necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask;
                necp_kernel_ip_output_policies_count++;
 
                necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask;
                necp_kernel_ip_output_policies_count++;
 
-               // Update bucket counts
-               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
-                       necp_kernel_ip_output_policies_non_id_count++;
+               /* Update bucket counts:
+                * Non-id and SKIP policies will be added to all buckets
+                * Add local networks policy to all buckets for incoming IP
+                */
+               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
+                   (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
+                   kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                        for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                                bucket_allocation_counts[i]++;
                        }
                        for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                                bucket_allocation_counts[i]++;
                        }
+               }
+               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
+                       necp_kernel_ip_output_policies_non_id_count++;
                } else {
                        bucket_allocation_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id)]++;
                }
                } else {
                        bucket_allocation_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id)]++;
                }
@@ -4357,9 +5866,11 @@ necp_kernel_ip_output_policies_reprocess(void)
 
        LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
                // Insert pointers into map
 
        LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
                // Insert pointers into map
-               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
+               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
+                   (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
+                   kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                        for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                        for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
-                               if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
+                               if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                        bucket_current_free_index[i]++;
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                        bucket_current_free_index[i]++;
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
@@ -4367,7 +5878,7 @@ necp_kernel_ip_output_policies_reprocess(void)
                        }
                } else {
                        i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id);
                        }
                } else {
                        i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id);
-                       if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
+                       if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                bucket_current_free_index[i]++;
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                bucket_current_free_index[i]++;
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
@@ -4375,7 +5886,7 @@ necp_kernel_ip_output_policies_reprocess(void)
                }
        }
        necp_kernel_ip_output_policies_dump_all();
                }
        }
        necp_kernel_ip_output_policies_dump_all();
-       return (TRUE);
+       return TRUE;
 
 fail:
        // Free memory, reset mask to 0
 
 fail:
        // Free memory, reset mask to 0
@@ -4388,7 +5899,7 @@ fail:
                        necp_kernel_ip_output_policies_map[i] = NULL;
                }
        }
                        necp_kernel_ip_output_policies_map[i] = NULL;
                }
        }
-       return (FALSE);
+       return FALSE;
 }
 
 // Outbound Policy Matching
 }
 
 // Outbound Policy Matching
@@ -4414,7 +5925,7 @@ necp_trim_dots_and_stars(char *string, size_t length)
                sub.length--;
        }
 
                sub.length--;
        }
 
-       return (sub);
+       return sub;
 }
 
 static char *
 }
 
 static char *
@@ -4425,13 +5936,13 @@ necp_create_trimmed_domain(char *string, size_t length)
 
        MALLOC(trimmed_domain, char *, sub.length + 1, M_NECP, M_WAITOK);
        if (trimmed_domain == NULL) {
 
        MALLOC(trimmed_domain, char *, sub.length + 1, M_NECP, M_WAITOK);
        if (trimmed_domain == NULL) {
-               return (NULL);
+               return NULL;
        }
 
        memcpy(trimmed_domain, sub.string, sub.length);
        trimmed_domain[sub.length] = 0;
 
        }
 
        memcpy(trimmed_domain, sub.string, sub.length);
        trimmed_domain[sub.length] = 0;
 
-       return (trimmed_domain);
+       return trimmed_domain;
 }
 
 static inline int
 }
 
 static inline int
@@ -4446,32 +5957,33 @@ necp_count_dots(char *string, size_t length)
                }
        }
 
                }
        }
 
-       return (dot_count);
+       return dot_count;
 }
 
 static bool
 necp_check_suffix(struct substring parent, struct substring suffix, bool require_dot_before_suffix)
 {
        if (parent.length <= suffix.length) {
 }
 
 static bool
 necp_check_suffix(struct substring parent, struct substring suffix, bool require_dot_before_suffix)
 {
        if (parent.length <= suffix.length) {
-               return (FALSE);
+               return FALSE;
        }
 
        size_t length_difference = (parent.length - suffix.length);
 
        if (require_dot_before_suffix) {
                if (((char *)(parent.string + length_difference - 1))[0] != '.') {
        }
 
        size_t length_difference = (parent.length - suffix.length);
 
        if (require_dot_before_suffix) {
                if (((char *)(parent.string + length_difference - 1))[0] != '.') {
-                       return (FALSE);
+                       return FALSE;
                }
        }
 
                }
        }
 
-       return (memcmp(parent.string + length_difference, suffix.string, suffix.length) == 0);
+       // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
+       return strncasecmp(parent.string + length_difference, suffix.string, suffix.length) == 0;
 }
 
 static bool
 necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostname_dot_count, char *domain, u_int8_t domain_dot_count)
 {
        if (hostname_substring.string == NULL || domain == NULL) {
 }
 
 static bool
 necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostname_dot_count, char *domain, u_int8_t domain_dot_count)
 {
        if (hostname_substring.string == NULL || domain == NULL) {
-               return (hostname_substring.string == domain);
+               return hostname_substring.string == domain;
        }
 
        struct substring domain_substring;
        }
 
        struct substring domain_substring;
@@ -4479,22 +5991,185 @@ necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostn
        domain_substring.length = strlen(domain);
 
        if (hostname_dot_count == domain_dot_count) {
        domain_substring.length = strlen(domain);
 
        if (hostname_dot_count == domain_dot_count) {
+               // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
                if (hostname_substring.length == domain_substring.length &&
                if (hostname_substring.length == domain_substring.length &&
-                       memcmp(hostname_substring.string, domain_substring.string, hostname_substring.length) == 0) {
-                       return (TRUE);
+                   strncasecmp(hostname_substring.string, domain_substring.string, hostname_substring.length) == 0) {
+                       return TRUE;
                }
        } else if (domain_dot_count < hostname_dot_count) {
                if (necp_check_suffix(hostname_substring, domain_substring, TRUE)) {
                }
        } else if (domain_dot_count < hostname_dot_count) {
                if (necp_check_suffix(hostname_substring, domain_substring, TRUE)) {
-                       return (TRUE);
+                       return TRUE;
+               }
+       }
+
+       return FALSE;
+}
+
+bool
+net_domain_contains_hostname(char *hostname_string, char *domain_string)
+{
+       if (hostname_string == NULL ||
+           domain_string == NULL) {
+               return false;
+       }
+
+       struct substring hostname_substring;
+       hostname_substring.string = hostname_string;
+       hostname_substring.length = strlen(hostname_string);
+
+       return necp_hostname_matches_domain(hostname_substring,
+                  necp_count_dots(hostname_string, hostname_substring.length),
+                  domain_string,
+                  necp_count_dots(domain_string, strlen(domain_string)));
+}
+
+#define NECP_MAX_STRING_LEN 1024
+
+static char *
+necp_copy_string(char *string, size_t length)
+{
+       char *copied_string = NULL;
+
+       if (length > NECP_MAX_STRING_LEN) {
+               return NULL;
+       }
+
+       MALLOC(copied_string, char *, length + 1, M_NECP, M_WAITOK);
+       if (copied_string == NULL) {
+               return NULL;
+       }
+
+       memcpy(copied_string, string, length);
+       copied_string[length] = 0;
+
+       return copied_string;
+}
+
+static u_int32_t
+necp_get_primary_direct_interface_index(void)
+{
+       u_int32_t interface_index = IFSCOPE_NONE;
+
+       ifnet_head_lock_shared();
+       struct ifnet *ordered_interface = NULL;
+       TAILQ_FOREACH(ordered_interface, &ifnet_ordered_head, if_ordered_link) {
+               const u_int8_t functional_type = if_functional_type(ordered_interface, TRUE);
+               if (functional_type != IFRTYPE_FUNCTIONAL_UNKNOWN &&
+                   functional_type != IFRTYPE_FUNCTIONAL_LOOPBACK) {
+                       // All known, non-loopback functional types represent direct physical interfaces (Wi-Fi, Cellular, Wired)
+                       interface_index = ordered_interface->if_index;
+                       break;
+               }
+       }
+       ifnet_head_done();
+
+       return interface_index;
+}
+
+static inline void
+necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info)
+{
+       task_t task = proc_task(proc ? proc : current_proc());
+       coalition_t coal = task_get_coalition(task, COALITION_TYPE_JETSAM);
+
+       if (coal == COALITION_NULL || coalition_is_leader(task, coal)) {
+               // No parent, nothing to do
+               return;
+       }
+
+       task_t lead_task = coalition_get_leader(coal);
+       if (lead_task != NULL) {
+               proc_t lead_proc = get_bsdtask_info(lead_task);
+               if (lead_proc != NULL) {
+                       kauth_cred_t lead_cred = kauth_cred_proc_ref(lead_proc);
+                       if (lead_cred != NULL) {
+                               errno_t cred_result = priv_check_cred(lead_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+                               kauth_cred_unref(&lead_cred);
+                               info->cred_result = cred_result;
+                       }
+               }
+               task_deallocate(lead_task);
+       }
+}
+
+// Some processes, due to particular entitlements, require using an NECP client to
+// access networking. Returns true if the result should be a Drop.
+static inline bool
+necp_check_missing_client_drop(proc_t proc, struct necp_socket_info *info)
+{
+       task_t task = proc_task(proc ? proc : current_proc());
+
+       if (!info->has_client &&
+           task != NULL &&
+           IOTaskHasEntitlement(task, "com.apple.developer.on-demand-install-capable")) {
+               // Drop connections that don't use NECP clients and have the
+               // com.apple.developer.on-demand-install-capable entitlement.
+               // This effectively restricts those processes to only using
+               // an NECP-aware path for networking.
+               return true;
+       } else {
+               return false;
+       }
+}
+
+static inline bool
+necp_check_restricted_multicast_drop(proc_t proc, struct necp_socket_info *info, bool check_minor_version)
+{
+       if (!necp_restrict_multicast || proc == NULL) {
+               return false;
+       }
+
+       // Check for multicast/broadcast here
+       if (info->remote_addr.sa.sa_family == AF_INET) {
+               if (!IN_MULTICAST(ntohl(info->remote_addr.sin.sin_addr.s_addr)) &&
+                   info->remote_addr.sin.sin_addr.s_addr != INADDR_BROADCAST) {
+                       return false;
+               }
+       } else if (info->remote_addr.sa.sa_family == AF_INET6) {
+               if (!IN6_IS_ADDR_MULTICAST(&info->remote_addr.sin6.sin6_addr)) {
+                       return false;
                }
                }
+       } else {
+               // Not IPv4/IPv6
+               return false;
+       }
+
+       if (necp_is_platform_binary(proc)) {
+               return false;
+       }
+
+       const uint32_t platform = proc_platform(proc);
+       const uint32_t sdk = proc_sdk(proc);
+
+       // Enforce for iOS, linked on or after version 14
+       // If the caller set `check_minor_version`, only enforce starting at 14.TBD
+       if (platform != PLATFORM_IOS ||
+           sdk == 0 ||
+           (sdk >> 16) < 14 ||
+#if 0
+           (check_minor_version && (sdk >> 16) == 14 && ((sdk >> 8) & 0xff) < TBD)) {
+#else
+           (check_minor_version)) {
+#endif
+               return false;
        }
 
        }
 
-       return (FALSE);
+       // Allow entitled processes to use multicast
+       task_t task = proc_task(proc);
+       if (task != NULL &&
+           IOTaskHasEntitlement(task, "com.apple.developer.networking.multicast")) {
+               return false;
+       }
+
+       const uint32_t min_sdk = proc_min_sdk(proc);
+       NECPLOG(LOG_INFO, "Dropping unentitled multicast (SDK 0x%x, min 0x%x)", sdk, min_sdk);
+
+       return true;
 }
 
 }
 
-#define        NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX)
+#define NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
 static void
 static void
-necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, struct necp_socket_info *info)
+necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, uuid_t responsible_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, u_int16_t local_port, u_int16_t remote_port, bool has_client, proc_t proc, proc_t responsible_proc, u_int32_t drop_order, u_int32_t client_flags, struct necp_socket_info *info, bool is_loopback)
 {
        memset(info, 0, sizeof(struct necp_socket_info));
 
 {
        memset(info, 0, sizeof(struct necp_socket_info));
 
@@ -4503,7 +6178,10 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
        info->protocol = protocol;
        info->bound_interface_index = bound_interface_index;
        info->traffic_class = traffic_class;
        info->protocol = protocol;
        info->bound_interface_index = bound_interface_index;
        info->traffic_class = traffic_class;
-       info->cred_result = 0; // Don't check the entitlement here, only in the socket layer
+       info->has_client = has_client;
+       info->drop_order = drop_order;
+       info->client_flags = client_flags;
+       info->is_loopback = is_loopback;
 
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
                struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(application_uuid);
 
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
                struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(application_uuid);
@@ -4512,17 +6190,42 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
                }
        }
 
                }
        }
 
-       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID && !uuid_is_null(real_application_uuid)) {
-               if (uuid_compare(application_uuid, real_application_uuid) == 0) {
-                       info->real_application_id = info->application_id;
-               } else {
-                       struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(real_application_uuid);
-                       if (existing_mapping) {
-                               info->real_application_id = existing_mapping->id;
-                       }
+       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID && !uuid_is_null(real_application_uuid)) {
+               if (uuid_compare(application_uuid, real_application_uuid) == 0) {
+                       info->real_application_id = info->application_id;
+               } else {
+                       struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(real_application_uuid);
+                       if (existing_mapping) {
+                               info->real_application_id = existing_mapping->id;
+                       }
+               }
+       }
+
+       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(responsible_application_uuid)) {
+               struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(responsible_application_uuid);
+               if (existing_mapping != NULL) {
+                       info->real_application_id = info->application_id;
+                       info->application_id = existing_mapping->id;
+                       info->used_responsible_pid = true;
+               }
+       }
+
+       if (info->used_responsible_pid) {
+               proc = responsible_proc;
+       }
+
+       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT && proc != NULL) {
+               info->cred_result = priv_check_cred(proc_ucred(proc), PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+               if (info->cred_result != 0) {
+                       // Process does not have entitlement, check the parent process
+                       necp_get_parent_cred_result(proc, info);
                }
        }
 
                }
        }
 
+       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY && proc != NULL) {
+               info->is_platform_binary = necp_is_platform_binary(proc) ? true : false;
+       }
+
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && account != NULL) {
                struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, account);
                if (existing_mapping) {
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && account != NULL) {
                struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, account);
                if (existing_mapping) {
@@ -4534,18 +6237,33 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
                info->domain = domain;
        }
 
                info->domain = domain;
        }
 
-       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
+       if (necp_restrict_multicast ||
+           (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS)) {
                if (local_addr && local_addr->sa.sa_len > 0) {
                        memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
                if (local_addr && local_addr->sa.sa_len > 0) {
                        memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
+                       if (local_port != 0) {
+                               info->local_addr.sin6.sin6_port = local_port;
+                       }
+               } else if (local_port != 0) {
+                       info->local_addr.sin6.sin6_len = sizeof(struct sockaddr_in6);
+                       info->local_addr.sin6.sin6_family = AF_INET6;
+                       info->local_addr.sin6.sin6_port = local_port;
                }
                if (remote_addr && remote_addr->sa.sa_len > 0) {
                        memcpy(&info->remote_addr, remote_addr, remote_addr->sa.sa_len);
                }
                if (remote_addr && remote_addr->sa.sa_len > 0) {
                        memcpy(&info->remote_addr, remote_addr, remote_addr->sa.sa_len);
+                       if (remote_port != 0) {
+                               info->remote_addr.sin6.sin6_port = remote_port;
+                       }
+               } else if (remote_port != 0) {
+                       info->remote_addr.sin6.sin6_len = sizeof(struct sockaddr_in6);
+                       info->remote_addr.sin6.sin6_family = AF_INET6;
+                       info->remote_addr.sin6.sin6_port = remote_port;
                }
        }
 }
 
 static void
                }
        }
 }
 
 static void
-necp_send_application_cell_denied_event(pid_t pid, uuid_t proc_uuid)
+necp_send_application_interface_denied_event(pid_t pid, uuid_t proc_uuid, u_int32_t if_functional_type)
 {
        struct kev_netpolicy_ifdenied ev_ifdenied;
 
 {
        struct kev_netpolicy_ifdenied ev_ifdenied;
 
@@ -4553,12 +6271,53 @@ necp_send_application_cell_denied_event(pid_t pid, uuid_t proc_uuid)
 
        ev_ifdenied.ev_data.epid = pid;
        uuid_copy(ev_ifdenied.ev_data.euuid, proc_uuid);
 
        ev_ifdenied.ev_data.epid = pid;
        uuid_copy(ev_ifdenied.ev_data.euuid, proc_uuid);
+       ev_ifdenied.ev_if_functional_type = if_functional_type;
 
        netpolicy_post_msg(KEV_NETPOLICY_IFDENIED, &ev_ifdenied.ev_data, sizeof(ev_ifdenied));
 }
 
 
        netpolicy_post_msg(KEV_NETPOLICY_IFDENIED, &ev_ifdenied.ev_data, sizeof(ev_ifdenied));
 }
 
-static int
-necp_application_find_policy_match_internal(u_int8_t *parameters, u_int32_t parameters_size, struct necp_aggregate_result *returned_result)
+static void
+necp_send_network_denied_event(pid_t pid, uuid_t proc_uuid, u_int32_t network_type)
+{
+       struct kev_netpolicy_netdenied ev_netdenied = {};
+
+       bzero(&ev_netdenied, sizeof(ev_netdenied));
+
+       ev_netdenied.ev_data.epid = pid;
+       uuid_copy(ev_netdenied.ev_data.euuid, proc_uuid);
+       ev_netdenied.ev_network_type = network_type;
+
+       netpolicy_post_msg(KEV_NETPOLICY_NETDENIED, &ev_netdenied.ev_data, sizeof(ev_netdenied));
+}
+
+extern char *proc_name_address(void *p);
+
+#define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
+       if (!has_checked_delegation_entitlement) { \
+               has_delegation_entitlement = (priv_check_cred(proc_ucred(_p), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0) == 0); \
+               has_checked_delegation_entitlement = TRUE; \
+       } \
+       if (!has_delegation_entitlement) { \
+               NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to delegate network traffic for other processes by %s", \
+                                                 proc_name_address(_p), proc_pid(_p), _d); \
+               break; \
+       }
+
+int
+necp_application_find_policy_match_internal(proc_t proc,
+    u_int8_t *parameters,
+    u_int32_t parameters_size,
+    struct necp_aggregate_result *returned_result,
+    u_int32_t *flags,
+    u_int32_t *reason,
+    u_int required_interface_index,
+    const union necp_sockaddr_union *override_local_addr,
+    const union necp_sockaddr_union *override_remote_addr,
+    struct necp_client_endpoint *returned_v4_gateway,
+    struct necp_client_endpoint *returned_v6_gateway,
+    struct rtentry **returned_route, bool ignore_address,
+    bool has_client,
+    uuid_t *returned_override_euuid)
 {
        int error = 0;
        size_t offset = 0;
 {
        int error = 0;
        size_t offset = 0;
@@ -4566,44 +6325,97 @@ necp_application_find_policy_match_internal(u_int8_t *parameters, u_int32_t para
        struct necp_kernel_socket_policy *matched_policy = NULL;
        struct necp_socket_info info;
        necp_kernel_policy_filter filter_control_unit = 0;
        struct necp_kernel_socket_policy *matched_policy = NULL;
        struct necp_socket_info info;
        necp_kernel_policy_filter filter_control_unit = 0;
-       u_int32_t route_rule_id = 0;
        necp_kernel_policy_result service_action = 0;
        necp_kernel_policy_service service = { 0, 0 };
 
        necp_kernel_policy_result service_action = 0;
        necp_kernel_policy_service service = { 0, 0 };
 
-       pid_t pid = 0;
-       uid_t uid = 0;
        u_int16_t protocol = 0;
        u_int16_t protocol = 0;
-       u_int32_t bound_interface_index = 0;
+       u_int32_t bound_interface_index = required_interface_index;
        u_int32_t traffic_class = 0;
        u_int32_t traffic_class = 0;
+       u_int32_t client_flags = 0;
        union necp_sockaddr_union local_addr;
        union necp_sockaddr_union remote_addr;
        bool no_remote_addr = FALSE;
        union necp_sockaddr_union local_addr;
        union necp_sockaddr_union remote_addr;
        bool no_remote_addr = FALSE;
+       u_int8_t remote_family = 0;
+       bool no_local_addr = FALSE;
+       u_int16_t local_port = 0;
+       u_int16_t remote_port = 0;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+
+       if (override_local_addr) {
+               memcpy(&local_addr, override_local_addr, sizeof(local_addr));
+       } else {
+               memset(&local_addr, 0, sizeof(local_addr));
+       }
+       if (override_remote_addr) {
+               memcpy(&remote_addr, override_remote_addr, sizeof(remote_addr));
+       } else {
+               memset(&remote_addr, 0, sizeof(remote_addr));
+       }
 
 
-       memset(&local_addr, 0, sizeof(local_addr));
-       memset(&remote_addr, 0, sizeof(remote_addr));
+       // Initialize UID, PID, and UUIDs to the current process
+       uid_t uid = kauth_cred_getuid(proc_ucred(proc));
+       pid_t pid = proc_pid(proc);
        uuid_t application_uuid;
        uuid_clear(application_uuid);
        uuid_t real_application_uuid;
        uuid_clear(real_application_uuid);
        uuid_t application_uuid;
        uuid_clear(application_uuid);
        uuid_t real_application_uuid;
        uuid_clear(real_application_uuid);
+       proc_getexecutableuuid(proc, real_application_uuid, sizeof(real_application_uuid));
+       uuid_copy(application_uuid, real_application_uuid);
+       uuid_t responsible_application_uuid;
+       uuid_clear(responsible_application_uuid);
+
        char *domain = NULL;
        char *account = NULL;
 
        char *domain = NULL;
        char *account = NULL;
 
+#define NECP_MAX_REQUIRED_AGENTS 16
+       u_int32_t num_required_agent_types = 0;
+       struct necp_client_parameter_netagent_type required_agent_types[NECP_MAX_REQUIRED_AGENTS];
+       memset(&required_agent_types, 0, sizeof(required_agent_types));
+
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
+       u_int32_t netagent_use_flags[NECP_MAX_NETAGENTS];
        memset(&netagent_ids, 0, sizeof(netagent_ids));
        memset(&netagent_ids, 0, sizeof(netagent_ids));
+       memset(&netagent_use_flags, 0, sizeof(netagent_use_flags));
        int netagent_cursor;
 
        int netagent_cursor;
 
+       bool has_checked_delegation_entitlement = FALSE;
+       bool has_delegation_entitlement = FALSE;
+
+       proc_t responsible_proc = PROC_NULL;
+       proc_t effective_proc = proc;
+       bool release_eproc = false;
+       necp_socket_bypass_type_t bypass_type = NECP_BYPASS_TYPE_NONE;
+
+       u_int32_t flow_divert_aggregate_unit = 0;
+
        if (returned_result == NULL) {
        if (returned_result == NULL) {
-               return (EINVAL);
+               return EINVAL;
+       }
+
+       if (returned_v4_gateway != NULL) {
+               memset(returned_v4_gateway, 0, sizeof(struct necp_client_endpoint));
+       }
+
+       if (returned_v6_gateway != NULL) {
+               memset(returned_v6_gateway, 0, sizeof(struct necp_client_endpoint));
+       }
+
+       if (returned_override_euuid != NULL) {
+               uuid_clear(*returned_override_euuid);
        }
 
        memset(returned_result, 0, sizeof(struct necp_aggregate_result));
 
        }
 
        memset(returned_result, 0, sizeof(struct necp_aggregate_result));
 
+       u_int32_t drop_order = necp_process_drop_order(proc_ucred(proc));
+
+       necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        if (necp_kernel_application_policies_count == 0) {
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        if (necp_kernel_application_policies_count == 0) {
-               if (necp_drop_all_order > 0) {
+               if (necp_drop_all_order > 0 || drop_order > 0) {
                        returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
                        lck_rw_done(&necp_kernel_policy_lock);
                        returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
                        lck_rw_done(&necp_kernel_policy_lock);
-                       return (0);
+                       return 0;
                }
        }
        lck_rw_done(&necp_kernel_policy_lock);
                }
        }
        lck_rw_done(&necp_kernel_policy_lock);
@@ -4612,85 +6424,181 @@ necp_application_find_policy_match_internal(u_int8_t *parameters, u_int32_t para
                u_int8_t type = necp_buffer_get_tlv_type(parameters, offset);
                u_int32_t length = necp_buffer_get_tlv_length(parameters, offset);
 
                u_int8_t type = necp_buffer_get_tlv_type(parameters, offset);
                u_int32_t length = necp_buffer_get_tlv_length(parameters, offset);
 
-               if (length > 0 && (offset + sizeof(u_int8_t) + sizeof(u_int32_t) + length) <= parameters_size) {
+               if (length > (parameters_size - (offset + sizeof(u_int8_t) + sizeof(u_int32_t)))) {
+                       // If the length is larger than what can fit in the remaining parameters size, bail
+                       NECPLOG(LOG_ERR, "Invalid TLV length (%u)", length);
+                       break;
+               }
+
+               if (length > 0) {
                        u_int8_t *value = necp_buffer_get_tlv_value(parameters, offset, NULL);
                        if (value != NULL) {
                                switch (type) {
                        u_int8_t *value = necp_buffer_get_tlv_value(parameters, offset, NULL);
                        if (value != NULL) {
                                switch (type) {
-                                       case NECP_POLICY_CONDITION_APPLICATION: {
-                                               if (length >= sizeof(uuid_t)) {
-                                                       uuid_copy(application_uuid, value);
+                               case NECP_CLIENT_PARAMETER_APPLICATION: {
+                                       if (length >= sizeof(uuid_t)) {
+                                               if (uuid_compare(application_uuid, value) == 0) {
+                                                       // No delegation
+                                                       break;
                                                }
                                                }
-                                               break;
+
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "euuid");
+
+                                               uuid_copy(application_uuid, value);
                                        }
                                        }
-                                       case NECP_POLICY_CONDITION_REAL_APPLICATION: {
-                                               if (length >= sizeof(uuid_t)) {
-                                                       uuid_copy(real_application_uuid, value);
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REAL_APPLICATION: {
+                                       if (length >= sizeof(uuid_t)) {
+                                               if (uuid_compare(real_application_uuid, value) == 0) {
+                                                       // No delegation
+                                                       break;
                                                }
                                                }
-                                               break;
-                                       }
-                                       case NECP_POLICY_CONDITION_DOMAIN: {
-                                               domain = (char *)value;
-                                               domain[length - 1] = 0;
-                                               break;
-                                       }
-                                       case NECP_POLICY_CONDITION_ACCOUNT: {
-                                               account = (char *)value;
-                                               account[length - 1] = 0;
-                                               break;
+
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uuid");
+
+                                               uuid_copy(real_application_uuid, value);
                                        }
                                        }
-                                       case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
-                                               if (length >= sizeof(u_int32_t)) {
-                                                       memcpy(&traffic_class, value, sizeof(u_int32_t));
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_PID: {
+                                       if (length >= sizeof(pid_t)) {
+                                               if (memcmp(&pid, value, sizeof(pid_t)) == 0) {
+                                                       // No delegation
+                                                       break;
                                                }
                                                }
-                                               break;
+
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "pid");
+
+                                               memcpy(&pid, value, sizeof(pid_t));
                                        }
                                        }
-                                       case NECP_POLICY_CONDITION_PID: {
-                                               if (length >= sizeof(pid_t)) {
-                                                       memcpy(&pid, value, sizeof(pid_t));
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_UID: {
+                                       if (length >= sizeof(uid_t)) {
+                                               if (memcmp(&uid, value, sizeof(uid_t)) == 0) {
+                                                       // No delegation
+                                                       break;
                                                }
                                                }
-                                               break;
+
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uid");
+
+                                               memcpy(&uid, value, sizeof(uid_t));
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_DOMAIN: {
+                                       domain = (char *)value;
+                                       domain[length - 1] = 0;
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_ACCOUNT: {
+                                       account = (char *)value;
+                                       account[length - 1] = 0;
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: {
+                                       if (length >= sizeof(u_int32_t)) {
+                                               memcpy(&traffic_class, value, sizeof(u_int32_t));
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_IP_PROTOCOL: {
+                                       if (length >= sizeof(u_int16_t)) {
+                                               memcpy(&protocol, value, sizeof(u_int16_t));
+                                       } else if (length >= sizeof(u_int8_t)) {
+                                               memcpy(&protocol, value, sizeof(u_int8_t));
                                        }
                                        }
-                                       case NECP_POLICY_CONDITION_UID: {
-                                               if (length >= sizeof(uid_t)) {
-                                                       memcpy(&uid, value, sizeof(uid_t));
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_BOUND_INTERFACE: {
+                                       if (length <= IFXNAMSIZ && length > 0) {
+                                               ifnet_t bound_interface = NULL;
+                                               char interface_name[IFXNAMSIZ];
+                                               memcpy(interface_name, value, length);
+                                               interface_name[length - 1] = 0;         // Make sure the string is NULL terminated
+                                               if (ifnet_find_by_name(interface_name, &bound_interface) == 0) {
+                                                       bound_interface_index = bound_interface->if_index;
+                                                       ifnet_release(bound_interface);
                                                }
                                                }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: {
+                                       if (ignore_address || override_local_addr) {
                                                break;
                                        }
                                                break;
                                        }
-                                       case NECP_POLICY_CONDITION_IP_PROTOCOL: {
-                                               if (length >= sizeof(u_int16_t)) {
-                                                       memcpy(&protocol, value, sizeof(u_int16_t));
+
+                                       if (length >= sizeof(struct necp_policy_condition_addr)) {
+                                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
+                                               if (necp_address_is_valid(&address_struct->address.sa)) {
+                                                       memcpy(&local_addr, &address_struct->address, sizeof(address_struct->address));
                                                }
                                                }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: {
+                                       if (ignore_address || override_remote_addr) {
                                                break;
                                        }
                                                break;
                                        }
-                                       case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
-                                               if (length <= IFXNAMSIZ && length > 0) {
-                                                       ifnet_t bound_interface = NULL;
-                                                       char interface_name[IFXNAMSIZ];
-                                                       memcpy(interface_name, value, length);
-                                                       interface_name[length - 1] = 0; // Make sure the string is NULL terminated
-                                                       if (ifnet_find_by_name(interface_name, &bound_interface) == 0) {
-                                                               bound_interface_index = bound_interface->if_index;
-                                                       }
+
+                                       if (length >= sizeof(struct necp_policy_condition_addr)) {
+                                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
+                                               if (necp_address_is_valid(&address_struct->address.sa)) {
+                                                       memcpy(&remote_addr, &address_struct->address, sizeof(address_struct->address));
                                                }
                                                }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_LOCAL_ENDPOINT: {
+                                       if (ignore_address || override_local_addr) {
                                                break;
                                        }
                                                break;
                                        }
-                                       case NECP_POLICY_CONDITION_LOCAL_ADDR: {
-                                               if (length >= sizeof(struct necp_policy_condition_addr)) {
-                                                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
-                                                       memcpy(&local_addr, &address_struct->address, sizeof(address_struct->address));
+
+                                       if (length >= sizeof(struct necp_client_endpoint)) {
+                                               struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value;
+                                               if (endpoint->u.endpoint.endpoint_family == AF_UNSPEC &&
+                                                   endpoint->u.endpoint.endpoint_port != 0) {
+                                                       // Save port
+                                                       local_port = endpoint->u.endpoint.endpoint_port;
                                                }
                                                }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REMOTE_ENDPOINT: {
+                                       if (ignore_address || override_remote_addr) {
                                                break;
                                        }
                                                break;
                                        }
-                                       case NECP_POLICY_CONDITION_REMOTE_ADDR: {
-                                               if (length >= sizeof(struct necp_policy_condition_addr)) {
-                                                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
-                                                       memcpy(&remote_addr, &address_struct->address, sizeof(address_struct->address));
+
+                                       if (length >= sizeof(struct necp_client_endpoint)) {
+                                               struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value;
+                                               if (endpoint->u.endpoint.endpoint_family == AF_UNSPEC &&
+                                                   endpoint->u.endpoint.endpoint_port != 0) {
+                                                       // Save port
+                                                       remote_port = endpoint->u.endpoint.endpoint_port;
                                                }
                                                }
-                                               break;
                                        }
                                        }
-                                       default: {
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_FLAGS: {
+                                       if (length >= sizeof(client_flags)) {
+                                               memcpy(&client_flags, value, sizeof(client_flags));
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REQUIRE_AGENT_TYPE:
+                               case NECP_CLIENT_PARAMETER_PREFER_AGENT_TYPE: {
+                                       if (num_required_agent_types >= NECP_MAX_REQUIRED_AGENTS) {
                                                break;
                                        }
                                                break;
                                        }
+                                       if (length >= sizeof(struct necp_client_parameter_netagent_type)) {
+                                               memcpy(&required_agent_types[num_required_agent_types], value, sizeof(struct necp_client_parameter_netagent_type));
+                                               num_required_agent_types++;
+                                       }
+                                       break;
+                               }
+                               default: {
+                                       break;
+                               }
                                }
                        }
                }
                                }
                        }
                }
@@ -4698,20 +6606,105 @@ necp_application_find_policy_match_internal(u_int8_t *parameters, u_int32_t para
                offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
        }
 
                offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
        }
 
+       // Check for loopback exception
+       if (necp_pass_loopback > 0 && necp_is_loopback(&local_addr.sa, &remote_addr.sa, NULL, NULL, bound_interface_index)) {
+               bypass_type = NECP_BYPASS_TYPE_LOOPBACK;
+       }
+
+       if (bypass_type == NECP_BYPASS_TYPE_LOOPBACK && necp_pass_loopback == NECP_LOOPBACK_PASS_ALL) {
+               returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_PASS;
+               returned_result->routed_interface_index = lo_ifp->if_index;
+               *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
+               return 0;
+       }
+
+       if (proc_pid(effective_proc) != pid) {
+               proc_t found_proc = proc_find(pid);
+               if (found_proc != PROC_NULL) {
+                       effective_proc = found_proc;
+                       release_eproc = true;
+               }
+       }
+#if defined(XNU_TARGET_OS_OSX)
+       if (effective_proc->p_responsible_pid > 0 && effective_proc->p_responsible_pid != pid) {
+               responsible_proc = proc_find(effective_proc->p_responsible_pid);
+               if (responsible_proc != PROC_NULL) {
+                       proc_getexecutableuuid(responsible_proc, responsible_application_uuid, sizeof(responsible_application_uuid));
+               }
+       }
+#endif /* defined(XNU_TARGET_OS_OSX) */
+
        // Lock
        lck_rw_lock_shared(&necp_kernel_policy_lock);
 
        // Lock
        lck_rw_lock_shared(&necp_kernel_policy_lock);
 
-       necp_application_fillout_info_locked(application_uuid, real_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, &info);
-       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, &route_rule_id, &service_action, &service, netagent_ids, NECP_MAX_NETAGENTS);
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_array_count = 0;
+       necp_application_fillout_info_locked(application_uuid, real_application_uuid, responsible_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, local_port, remote_port, has_client, effective_proc, responsible_proc, drop_order, client_flags, &info, (bypass_type == NECP_BYPASS_TYPE_LOOPBACK));
+       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, netagent_use_flags, NECP_MAX_NETAGENTS, required_agent_types, num_required_agent_types, info.used_responsible_pid ? responsible_proc : effective_proc, 0, NULL, NULL, &drop_dest_policy_result, &drop_all_bypass, &flow_divert_aggregate_unit);
+
+       // Check for loopback exception again after the policy match
+       if (bypass_type == NECP_BYPASS_TYPE_LOOPBACK &&
+           necp_pass_loopback == NECP_LOOPBACK_PASS_WITH_FILTER &&
+           (matched_policy == NULL || matched_policy->result != NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT)) {
+               if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+                       returned_result->filter_control_unit = 0;
+               } else {
+                       returned_result->filter_control_unit = filter_control_unit;
+               }
+
+               if (flow_divert_aggregate_unit > 0) {
+                       returned_result->flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+               }
+
+               returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_PASS;
+               returned_result->routed_interface_index = lo_ifp->if_index;
+               *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
+               error = 0;
+               goto done;
+       }
+
        if (matched_policy) {
                returned_result->policy_id = matched_policy->id;
                returned_result->routing_result = matched_policy->result;
                memcpy(&returned_result->routing_result_parameter, &matched_policy->result_parameter, sizeof(returned_result->routing_result_parameter));
        if (matched_policy) {
                returned_result->policy_id = matched_policy->id;
                returned_result->routing_result = matched_policy->result;
                memcpy(&returned_result->routing_result_parameter, &matched_policy->result_parameter, sizeof(returned_result->routing_result_parameter));
+               if (returned_override_euuid != NULL && info.used_responsible_pid && !(matched_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID)) {
+                       uuid_copy(*returned_override_euuid, responsible_application_uuid);
+               }
+       } else {
+               bool drop_all = false;
+               if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
+                       // Mark socket as a drop if drop_all is set
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(proc);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+               } else {
+                       returned_result->policy_id = 0;
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
+               }
+       }
+       if (necp_check_missing_client_drop(proc, &info) ||
+           necp_check_restricted_multicast_drop(proc, &info, false)) {
+               // Mark as drop
+               returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+       }
+       if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+               returned_result->filter_control_unit = 0;
        } else {
        } else {
-               returned_result->policy_id = 0;
-               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
+               returned_result->filter_control_unit = filter_control_unit;
        }
        }
-       returned_result->filter_control_unit = filter_control_unit;
+
+       if (flow_divert_aggregate_unit > 0) {
+               returned_result->flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+       }
+
        returned_result->service_action = service_action;
 
        // Handle trigger service
        returned_result->service_action = service_action;
 
        // Handle trigger service
@@ -4745,7 +6738,7 @@ necp_application_find_policy_match_internal(u_int8_t *parameters, u_int32_t para
                mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
                if (mapping != NULL) {
                        uuid_copy(returned_result->netagents[netagent_cursor], mapping->uuid);
                mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
                if (mapping != NULL) {
                        uuid_copy(returned_result->netagents[netagent_cursor], mapping->uuid);
-                       returned_result->netagent_flags[netagent_cursor] = netagent_get_flags(mapping->uuid);
+                       returned_result->netagent_use_flags[netagent_cursor] = netagent_use_flags[netagent_cursor];
                }
        }
 
                }
        }
 
@@ -4755,139 +6748,428 @@ necp_application_find_policy_match_internal(u_int8_t *parameters, u_int32_t para
                output_bound_interface = returned_result->routing_result_parameter.scoped_interface_index;
        } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
                output_bound_interface = returned_result->routing_result_parameter.tunnel_interface_index;
                output_bound_interface = returned_result->routing_result_parameter.scoped_interface_index;
        } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
                output_bound_interface = returned_result->routing_result_parameter.tunnel_interface_index;
+       } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
+               output_bound_interface = necp_get_primary_direct_interface_index();
+               if (output_bound_interface == IFSCOPE_NONE) {
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+               } else {
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED;
+                       returned_result->routing_result_parameter.scoped_interface_index = output_bound_interface;
+               }
+       }
+
+       if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_DROP &&
+           returned_result->routing_result_parameter.drop_flags & NECP_KERNEL_POLICY_DROP_FLAG_LOCAL_NETWORK) {
+               // Trigger the event that we dropped due to a local network policy
+               necp_send_network_denied_event(pid, application_uuid, NETPOLICY_NETWORKTYPE_LOCAL);
+               if (reason != NULL) {
+                       *reason = NECP_CLIENT_RESULT_REASON_LOCAL_NETWORK_PROHIBITED;
+               }
+       }
+
+       if (local_addr.sa.sa_len == 0 ||
+           (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
+           (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
+               no_local_addr = TRUE;
        }
 
        }
 
-       if (remote_addr.sa.sa_len == 0) {
+       if (remote_addr.sa.sa_len == 0 ||
+           (remote_addr.sa.sa_family == AF_INET && remote_addr.sin.sin_addr.s_addr == 0) ||
+           (remote_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr.sin6.sin6_addr))) {
                no_remote_addr = TRUE;
                no_remote_addr = TRUE;
-               // Default to 0.0.0.0:0
-               remote_addr.sa.sa_family = AF_INET;
-               remote_addr.sa.sa_len = sizeof(struct sockaddr_in);
+               remote_family = remote_addr.sa.sa_family;
        }
 
        }
 
+       returned_result->routed_interface_index = 0;
        struct rtentry *rt = NULL;
        struct rtentry *rt = NULL;
-       rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0, output_bound_interface);
+       if (!no_local_addr && (client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) != 0) {
+               // Treat the output bound interface as the routed interface for local address
+               // validation later.
+               returned_result->routed_interface_index = output_bound_interface;
+       } else {
+               if (no_remote_addr) {
+                       memset(&remote_addr, 0, sizeof(remote_addr));
+                       if (remote_family == AF_INET6) {
+                               // Reset address to ::
+                               remote_addr.sa.sa_family = AF_INET6;
+                               remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
+                       } else {
+                               // Reset address to 0.0.0.0
+                               remote_addr.sa.sa_family = AF_INET;
+                               remote_addr.sa.sa_len = sizeof(struct sockaddr_in);
+                       }
+               }
 
 
-       if (no_remote_addr &&
-               (rt == NULL || rt->rt_ifp == NULL)) {
-               // Route lookup for default IPv4 failed, try IPv6
+               rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
+                   output_bound_interface);
 
 
-               // Cleanup old route if necessary
-               if (rt != NULL) {
+               if (remote_addr.sa.sa_family == AF_INET && rt != NULL &&
+                   IS_INTF_CLAT46(rt->rt_ifp)) {
                        rtfree(rt);
                        rt = NULL;
                        rtfree(rt);
                        rt = NULL;
+                       returned_result->routed_interface_index = 0;
                }
 
                }
 
-               // Reset address to ::
-               memset(&remote_addr, 0, sizeof(remote_addr));
-               remote_addr.sa.sa_family = AF_INET6;
-               remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
+               if (no_remote_addr && remote_family == AF_UNSPEC &&
+                   (rt == NULL || rt->rt_ifp == NULL)) {
+                       // Route lookup for default IPv4 failed, try IPv6
 
 
-               // Get route
-               rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0, output_bound_interface);
-       }
+                       // Cleanup old route if necessary
+                       if (rt != NULL) {
+                               rtfree(rt);
+                               rt = NULL;
+                       }
 
 
-       returned_result->routed_interface_index = 0;
-       if (rt != NULL &&
-           rt->rt_ifp != NULL) {
-               returned_result->routed_interface_index = rt->rt_ifp->if_index;
-               /*
-                * For local addresses, we allow the interface scope to be
-                * either the loopback interface or the interface hosting the
-                * local address.
-                */
-               if (bound_interface_index != IFSCOPE_NONE &&
-                   rt->rt_ifa != NULL && rt->rt_ifa->ifa_ifp &&
-                   (output_bound_interface == lo_ifp->if_index ||
-                   rt->rt_ifp->if_index == lo_ifp->if_index ||
-                   rt->rt_ifa->ifa_ifp->if_index == bound_interface_index)) {
-                       struct sockaddr_storage dst;
-                       unsigned int ifscope = bound_interface_index;
+                       // Reset address to ::
+                       memset(&remote_addr, 0, sizeof(remote_addr));
+                       remote_addr.sa.sa_family = AF_INET6;
+                       remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
+
+                       // Get route
+                       rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
+                           output_bound_interface);
+               }
 
 
+               if (rt != NULL &&
+                   rt->rt_ifp != NULL) {
+                       returned_result->routed_interface_index = rt->rt_ifp->if_index;
                        /*
                        /*
-                        * Transform dst into the internal routing table form
+                        * For local addresses, we allow the interface scope to be
+                        * either the loopback interface or the interface hosting the
+                        * local address.
                         */
                         */
-                       (void) sa_copy((struct sockaddr *)&remote_addr,
-                                       &dst, &ifscope);
+                       if (bound_interface_index != IFSCOPE_NONE &&
+                           rt->rt_ifa != NULL && rt->rt_ifa->ifa_ifp &&
+                           (output_bound_interface == lo_ifp->if_index ||
+                           rt->rt_ifp->if_index == lo_ifp->if_index ||
+                           rt->rt_ifa->ifa_ifp->if_index == bound_interface_index)) {
+                               struct sockaddr_storage dst;
+                               unsigned int ifscope = bound_interface_index;
+
+                               /*
+                                * Transform dst into the internal routing table form
+                                */
+                               (void) sa_copy((struct sockaddr *)&remote_addr,
+                                   &dst, &ifscope);
+
+                               if ((rt->rt_ifp->if_index == lo_ifp->if_index) ||
+                                   rt_ifa_is_dst((struct sockaddr *)&dst, rt->rt_ifa)) {
+                                       returned_result->routed_interface_index =
+                                           bound_interface_index;
+                               }
+                       }
+               }
+       }
+
+       if (returned_result->routed_interface_index != 0 &&
+           returned_result->routed_interface_index != lo_ifp->if_index &&     // Loopback can accept any local address
+           !no_local_addr) {
+               // Transform local_addr into the ifaddr form
+               // IPv6 Scope IDs are always embedded in the ifaddr list
+               struct sockaddr_storage local_address_sanitized;
+               u_int ifscope = IFSCOPE_NONE;
+               (void)sa_copy(&local_addr.sa, &local_address_sanitized, &ifscope);
+               SIN(&local_address_sanitized)->sin_port = 0;
+               if (local_address_sanitized.ss_family == AF_INET6) {
+                       SIN6(&local_address_sanitized)->sin6_scope_id = 0;
+               }
+
+               // Validate local address on routed interface
+               struct ifaddr *ifa = ifa_ifwithaddr_scoped((struct sockaddr *)&local_address_sanitized, returned_result->routed_interface_index);
+               if (ifa == NULL) {
+                       // Interface address not found, reject route
+                       returned_result->routed_interface_index = 0;
+                       if (rt != NULL) {
+                               rtfree(rt);
+                               rt = NULL;
+                       }
+               } else {
+                       ifaddr_release(ifa);
+                       ifa = NULL;
+               }
+       }
+
+       if (flags != NULL) {
+               if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) == 0) {
+                       // Check for local/direct
+                       bool is_local = FALSE;
+                       if (rt != NULL && (rt->rt_flags & RTF_LOCAL)) {
+                               is_local = TRUE;
+                       } else if (returned_result->routed_interface_index != 0 &&
+                           !no_remote_addr) {
+                               // Clean up the address before comparison with interface addresses
+
+                               // Transform remote_addr into the ifaddr form
+                               // IPv6 Scope IDs are always embedded in the ifaddr list
+                               struct sockaddr_storage remote_address_sanitized;
+                               u_int ifscope = IFSCOPE_NONE;
+                               (void)sa_copy(&remote_addr.sa, &remote_address_sanitized, &ifscope);
+                               SIN(&remote_address_sanitized)->sin_port = 0;
+                               if (remote_address_sanitized.ss_family == AF_INET6) {
+                                       SIN6(&remote_address_sanitized)->sin6_scope_id = 0;
+                               }
+
+                               // Check if remote address is an interface address
+                               struct ifaddr *ifa = ifa_ifwithaddr((struct sockaddr *)&remote_address_sanitized);
+                               if (ifa != NULL && ifa->ifa_ifp != NULL) {
+                                       u_int if_index_for_remote_addr = ifa->ifa_ifp->if_index;
+                                       if (if_index_for_remote_addr == returned_result->routed_interface_index ||
+                                           if_index_for_remote_addr == lo_ifp->if_index) {
+                                               is_local = TRUE;
+                                       }
+                               }
+                               if (ifa != NULL) {
+                                       ifaddr_release(ifa);
+                                       ifa = NULL;
+                               }
+                       }
+
+                       if (is_local) {
+                               *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
+                       } else {
+                               if (rt != NULL &&
+                                   !(rt->rt_flags & RTF_GATEWAY) &&
+                                   (rt->rt_ifa && rt->rt_ifa->ifa_ifp && !(rt->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT))) {
+                                       // Route is directly accessible
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_IS_DIRECT;
+                               }
+                       }
+
+                       if (rt != NULL &&
+                           rt->rt_ifp != NULL) {
+                               // Check probe status
+                               if (rt->rt_ifp->if_eflags & IFEF_PROBE_CONNECTIVITY) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_PROBE_CONNECTIVITY;
+                               }
+
+                               if (rt->rt_ifp->if_type == IFT_CELLULAR) {
+                                       struct if_cellular_status_v1 *ifsr;
+
+                                       ifnet_lock_shared(rt->rt_ifp);
+                                       lck_rw_lock_exclusive(&rt->rt_ifp->if_link_status_lock);
 
 
-                       if ((rt->rt_ifp->if_index == lo_ifp->if_index) ||
-                           rt_ifa_is_dst((struct sockaddr *)&dst, rt->rt_ifa))
-                               returned_result->routed_interface_index =
-                                       bound_interface_index;
+                                       if (rt->rt_ifp->if_link_status != NULL) {
+                                               ifsr = &rt->rt_ifp->if_link_status->ifsr_u.ifsr_cell.if_cell_u.if_status_v1;
+
+                                               if (ifsr->valid_bitmask & IF_CELL_UL_MSS_RECOMMENDED_VALID) {
+                                                       if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_NONE) {
+                                                               returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_NONE;
+                                                       } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_MEDIUM) {
+                                                               returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_MEDIUM;
+                                                       } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_LOW) {
+                                                               returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_LOW;
+                                                       }
+                                               }
+                                       }
+                                       lck_rw_done(&rt->rt_ifp->if_link_status_lock);
+                                       ifnet_lock_done(rt->rt_ifp);
+                               }
+
+                               // Check link quality
+                               if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_DISCRETIONARY) &&
+                                   (rt->rt_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
+                                   rt->rt_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_LINK_QUALITY_ABORT;
+                               }
+
+                               // Check QoS marking (fastlane)
+                               for (size_t route_rule_index = 0; route_rule_index < route_rule_id_array_count; route_rule_index++) {
+                                       if (necp_update_qos_marking(rt->rt_ifp, route_rule_id_array[route_rule_index])) {
+                                               *flags |= NECP_CLIENT_RESULT_FLAG_ALLOW_QOS_MARKING;
+                                               // If the route can use QoS markings, stop iterating route rules
+                                               break;
+                                       }
+                               }
+
+                               if (IFNET_IS_LOW_POWER(rt->rt_ifp)) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_INTERFACE_LOW_POWER;
+                               }
+
+                               if (traffic_class == SO_TC_BK_SYS) {
+                                       // Block BK_SYS traffic if interface is throttled
+                                       u_int32_t throttle_level = 0;
+                                       if (ifnet_get_throttle(rt->rt_ifp, &throttle_level) == 0) {
+                                               if (throttle_level == IFNET_THROTTLE_OPPORTUNISTIC) {
+                                                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                                                       memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
+                                               }
+                                       }
+                               }
+                       }
+               }
+
+               if (returned_result->routed_interface_index != 0) {
+                       union necp_sockaddr_union default_address;
+                       struct rtentry *v4Route = NULL;
+                       struct rtentry *v6Route = NULL;
+
+                       memset(&default_address, 0, sizeof(default_address));
+
+                       // Reset address to 0.0.0.0
+                       default_address.sa.sa_family = AF_INET;
+                       default_address.sa.sa_len = sizeof(struct sockaddr_in);
+                       v4Route = rtalloc1_scoped((struct sockaddr *)&default_address, 0, 0,
+                           returned_result->routed_interface_index);
+
+                       // Reset address to ::
+                       default_address.sa.sa_family = AF_INET6;
+                       default_address.sa.sa_len = sizeof(struct sockaddr_in6);
+                       v6Route = rtalloc1_scoped((struct sockaddr *)&default_address, 0, 0,
+                           returned_result->routed_interface_index);
+
+                       if (v4Route != NULL) {
+                               if (v4Route->rt_ifp != NULL && !IS_INTF_CLAT46(v4Route->rt_ifp)) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV4;
+                               }
+                               if (returned_v4_gateway != NULL &&
+                                   v4Route->rt_gateway != NULL &&
+                                   v4Route->rt_gateway->sa_len == sizeof(returned_v4_gateway->u.sin)) {
+                                       memcpy(&returned_v4_gateway->u.sin, v4Route->rt_gateway, sizeof(returned_v4_gateway->u.sin));
+                                       memset(&returned_v4_gateway->u.sin.sin_zero, 0, sizeof(returned_v4_gateway->u.sin.sin_zero));
+                               }
+                               rtfree(v4Route);
+                               v4Route = NULL;
+                       }
+
+                       if (v6Route != NULL) {
+                               if (v6Route->rt_ifp != NULL) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV6;
+
+                                       if (ifnet_get_nat64prefix(v6Route->rt_ifp, NULL) == 0) {
+                                               *flags |= NECP_CLIENT_RESULT_FLAG_HAS_NAT64;
+                                       }
+                               }
+                               if (returned_v6_gateway != NULL &&
+                                   v6Route->rt_gateway != NULL &&
+                                   v6Route->rt_gateway->sa_len == sizeof(returned_v6_gateway->u.sin6)) {
+                                       memcpy(&returned_v6_gateway->u.sin6, v6Route->rt_gateway, sizeof(returned_v6_gateway->u.sin6));
+                               }
+                               rtfree(v6Route);
+                               v6Route = NULL;
+                       }
                }
        }
 
                }
        }
 
-       bool cellular_denied = FALSE;
-       bool route_is_allowed = necp_route_is_allowed(rt, NULL, route_rule_id, &cellular_denied);
-       if (!route_is_allowed) {
-               // If the route is blocked, treat the lookup as a drop
-               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
-               memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
+       for (size_t route_rule_index = 0; route_rule_index < route_rule_id_array_count; route_rule_index++) {
+               u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
+               bool route_is_allowed = necp_route_is_allowed(rt, NULL, route_rule_id_array[route_rule_index], &interface_type_denied);
+               if (!route_is_allowed) {
+                       // If the route is blocked, treat the lookup as a drop
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
+
+                       if (interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
+                               if (reason != NULL) {
+                                       if (interface_type_denied == IFRTYPE_FUNCTIONAL_CELLULAR) {
+                                               *reason = NECP_CLIENT_RESULT_REASON_CELLULAR_DENIED;
+                                       } else if (interface_type_denied == IFRTYPE_FUNCTIONAL_WIFI_INFRA) {
+                                               *reason = NECP_CLIENT_RESULT_REASON_WIFI_DENIED;
+                                       }
+                               }
+                               necp_send_application_interface_denied_event(pid, application_uuid, interface_type_denied);
+                       }
+                       // If the route gets denied, stop matching rules
+                       break;
+               }
+       }
 
 
-               if (cellular_denied) {
-                       necp_send_application_cell_denied_event(pid, application_uuid);
+       if (rt != NULL && rt->rt_ifp != NULL) {
+               const bool expensive_prohibited = ((client_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE) &&
+                   IFNET_IS_EXPENSIVE(rt->rt_ifp));
+               const bool constrained_prohibited = ((client_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED) &&
+                   IFNET_IS_CONSTRAINED(rt->rt_ifp));
+               if (reason != NULL) {
+                       if (expensive_prohibited) {
+                               *reason = NECP_CLIENT_RESULT_REASON_EXPENSIVE_PROHIBITED;
+                       } else if (constrained_prohibited) {
+                               *reason = NECP_CLIENT_RESULT_REASON_CONSTRAINED_PROHIBITED;
+                       }
+               }
+               if (expensive_prohibited || constrained_prohibited) {
+                       // If the client flags prohibited a property of the interface, treat it as a drop
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
                }
        }
 
        if (rt != NULL) {
                }
        }
 
        if (rt != NULL) {
-               rtfree(rt);
+               if (returned_route != NULL) {
+                       *returned_route = rt;
+               } else {
+                       rtfree(rt);
+               }
                rt = NULL;
        }
                rt = NULL;
        }
+
+done:
        // Unlock
        lck_rw_done(&necp_kernel_policy_lock);
 
        // Unlock
        lck_rw_done(&necp_kernel_policy_lock);
 
-       return (error);
-}
+       if (release_eproc && effective_proc != PROC_NULL) {
+               proc_rele(effective_proc);
+       }
+#if defined(XNU_TARGET_OS_OSX)
+       if (responsible_proc != PROC_NULL) {
+               proc_rele(responsible_proc);
+       }
+#endif
 
 
-#define NECP_MAX_MATCH_POLICY_PARAMETER_SIZE 1024
+       return error;
+}
 
 
-int
-necp_match_policy(struct proc *p, struct necp_match_policy_args *uap, int32_t *retval)
+static bool
+necp_is_route_local(union necp_sockaddr_union *remote_addr)
 {
 {
-#pragma unused(p, retval)
-       u_int8_t *parameters = NULL;
-       struct necp_aggregate_result returned_result;
-       int error = 0;
+       bool no_remote_addr = FALSE;
+       u_int8_t remote_family = 0;
+       struct rtentry *rt = NULL;
+       bool is_local = FALSE;
 
 
-       if (uap == NULL) {
-               error = EINVAL;
-               goto done;
+       if (remote_addr == NULL) {
+               return NULL;
+       }
+
+       if (remote_addr->sa.sa_len == 0 ||
+           (remote_addr->sa.sa_family == AF_INET && remote_addr->sin.sin_addr.s_addr == 0) ||
+           (remote_addr->sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr->sin6.sin6_addr))) {
+               no_remote_addr = TRUE;
+               remote_family = remote_addr->sa.sa_family;
        }
 
        }
 
-       if (uap->parameters == 0 || uap->parameters_size == 0 || uap->parameters_size > NECP_MAX_MATCH_POLICY_PARAMETER_SIZE || uap->returned_result == 0) {
-               error = EINVAL;
-               goto done;
+       if (no_remote_addr) {
+               memset(remote_addr, 0, sizeof(union necp_sockaddr_union));
+               if (remote_family == AF_INET6) {
+                       // Reset address to ::
+                       remote_addr->sa.sa_family = AF_INET6;
+                       remote_addr->sa.sa_len = sizeof(struct sockaddr_in6);
+               } else {
+                       // Reset address to 0.0.0.0
+                       remote_addr->sa.sa_family = AF_INET;
+                       remote_addr->sa.sa_len = sizeof(struct sockaddr_in);
+               }
        }
 
        }
 
-       MALLOC(parameters, u_int8_t *, uap->parameters_size, M_NECP, M_WAITOK);
-       if (parameters == NULL) {
-               error = ENOMEM;
+       // Lookup route regardless of the scoped interface to check if
+       // remote address is in a local network.
+       rt = rtalloc1_scoped((struct sockaddr *)remote_addr, 0, 0, 0);
+
+       if (rt == NULL) {
                goto done;
        }
                goto done;
        }
-       // Copy parameters in
-       error = copyin(uap->parameters, parameters, uap->parameters_size);
-       if (error) {
-               goto done;
+       if (remote_addr->sa.sa_family == AF_INET && IS_INTF_CLAT46(rt->rt_ifp)) {
+               goto free_rt;
        }
        }
+       is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
 
 
-       error = necp_application_find_policy_match_internal(parameters, uap->parameters_size, &returned_result);
-       if (error) {
-               goto done;
-       }
+free_rt:
+       rtfree(rt);
 
 
-       // Copy return value back
-       error = copyout(&returned_result, uap->returned_result, sizeof(struct necp_aggregate_result));
-       if (error) {
-               goto done;
-       }
 done:
 done:
-       if (parameters != NULL) {
-               FREE(parameters, M_NECP);
-       }
-       return (error);
+       return is_local;
 }
 
 static bool
 }
 
 static bool
-necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote)
+necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, bool has_client, uint32_t client_flags, int is_platform_binary, proc_t proc, u_int16_t pf_tag, struct rtentry *rt, bool is_loopback)
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
@@ -4895,36 +7177,60 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                if (bound_interface_index == cond_bound_interface_index) {
                                        // No match, matches forbidden interface
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                if (bound_interface_index == cond_bound_interface_index) {
                                        // No match, matches forbidden interface
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (bound_interface_index != cond_bound_interface_index) {
                                        // No match, does not match required interface
                                }
                        } else {
                                if (bound_interface_index != cond_bound_interface_index) {
                                        // No match, does not match required interface
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                } else {
                        if (bound_interface_index != 0) {
                                // No match, requires a non-bound packet
                                }
                        }
                } else {
                        if (bound_interface_index != 0) {
                                // No match, requires a non-bound packet
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
 
        if (kernel_policy->condition_mask == 0) {
                        }
                }
        }
 
        if (kernel_policy->condition_mask == 0) {
-               return (TRUE);
+               return TRUE;
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                        if (app_id == kernel_policy->cond_app_id) {
                                // No match, matches forbidden application
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                        if (app_id == kernel_policy->cond_app_id) {
                                // No match, matches forbidden application
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (app_id != kernel_policy->cond_app_id) {
                                // No match, does not match required application
                        }
                } else {
                        if (app_id != kernel_policy->cond_app_id) {
                                // No match, does not match required application
-                               return (FALSE);
+                               return FALSE;
+                       }
+               }
+
+               // Check signing identifier only after APP ID matched
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER ||
+                   kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
+                       u_int8_t matched = necp_boolean_state_false;
+                       const char *signing_id = cs_identity_get(proc ? proc : current_proc());
+
+                       if (signing_id != NULL) {
+                               size_t signing_id_size = strlen(signing_id) + 1;
+                               if (memcmp(signing_id, kernel_policy->cond_signing_identifier, signing_id_size) == 0) {
+                                       matched = necp_boolean_state_true;
+                               }
+                       }
+
+                       if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
+                               if (matched == necp_boolean_state_true) {
+                                       return FALSE;
+                               }
+                       } else {
+                               if (matched != necp_boolean_state_true) {
+                                       return FALSE;
+                               }
                        }
                }
        }
                        }
                }
        }
@@ -4933,20 +7239,81 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                        if (real_app_id == kernel_policy->cond_real_app_id) {
                                // No match, matches forbidden application
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                        if (real_app_id == kernel_policy->cond_real_app_id) {
                                // No match, matches forbidden application
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (real_app_id != kernel_policy->cond_real_app_id) {
                                // No match, does not match required application
                        }
                } else {
                        if (real_app_id != kernel_policy->cond_real_app_id) {
                                // No match, does not match required application
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
                        }
                }
        }
-       
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+               if (!has_client) {
+                       return FALSE;
+               }
+       }
+
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                if (cred_result != 0) {
                        // Process is missing entitlement
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                if (cred_result != 0) {
                        // Process is missing entitlement
-                       return (FALSE);
+                       return FALSE;
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+               if (is_platform_binary == 0) {
+                       // Process is not platform binary
+                       return FALSE;
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+               if (proc != NULL) {
+                       if (kernel_policy->cond_sdk_version.platform != 0) {
+                               if (kernel_policy->cond_sdk_version.platform != proc_platform(proc)) {
+                                       // Process does not match platform
+                                       return FALSE;
+                               }
+                       }
+
+                       if (kernel_policy->cond_sdk_version.min_version != 0) {
+                               if (kernel_policy->cond_sdk_version.min_version > proc_min_sdk(proc)) {
+                                       // Process min version is older than required min version
+                                       return FALSE;
+                               }
+                       }
+
+                       if (kernel_policy->cond_sdk_version.version != 0) {
+                               if (kernel_policy->cond_sdk_version.version > proc_sdk(proc)) {
+                                       // Process SDK version is older than required version
+                                       return FALSE;
+                               }
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
+               if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_false) {
+                       // Process is missing entitlement based on previous check
+                       return FALSE;
+               } else if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_unknown) {
+                       if (kernel_policy->cond_custom_entitlement != NULL) {
+                               if (proc == NULL) {
+                                       // No process found, cannot check entitlement
+                                       return FALSE;
+                               }
+                               task_t task = proc_task(proc);
+                               if (task == NULL ||
+                                   !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) {
+                                       // Process is missing custom entitlement
+                                       kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_false;
+                                       return FALSE;
+                               } else {
+                                       kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_true;
+                               }
+                       }
                }
        }
 
                }
        }
 
@@ -4955,12 +7322,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) {
                        if (domain_matches) {
                                // No match, matches forbidden domain
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) {
                        if (domain_matches) {
                                // No match, matches forbidden domain
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (!domain_matches) {
                                // No match, does not match required domain
                        }
                } else {
                        if (!domain_matches) {
                                // No match, does not match required domain
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
                        }
                }
        }
@@ -4969,12 +7336,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                        if (account_id == kernel_policy->cond_account_id) {
                                // No match, matches forbidden account
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                        if (account_id == kernel_policy->cond_account_id) {
                                // No match, matches forbidden account
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (account_id != kernel_policy->cond_account_id) {
                                // No match, does not match required account
                        }
                } else {
                        if (account_id != kernel_policy->cond_account_id) {
                                // No match, does not match required account
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
                        }
                }
        }
@@ -4983,12 +7350,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) {
                        if (pid == kernel_policy->cond_pid) {
                                // No match, matches forbidden pid
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) {
                        if (pid == kernel_policy->cond_pid) {
                                // No match, matches forbidden pid
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (pid != kernel_policy->cond_pid) {
                                // No match, does not match required pid
                        }
                } else {
                        if (pid != kernel_policy->cond_pid) {
                                // No match, does not match required pid
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
                        }
                }
        }
@@ -4997,28 +7364,28 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) {
                        if (uid == kernel_policy->cond_uid) {
                                // No match, matches forbidden uid
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) {
                        if (uid == kernel_policy->cond_uid) {
                                // No match, matches forbidden uid
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (uid != kernel_policy->cond_uid) {
                                // No match, does not match required uid
                        }
                } else {
                        if (uid != kernel_policy->cond_uid) {
                                // No match, does not match required uid
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
                        }
                }
        }
-       
+
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                        if (traffic_class >= kernel_policy->cond_traffic_class.start_tc &&
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                        if (traffic_class >= kernel_policy->cond_traffic_class.start_tc &&
-                               traffic_class <= kernel_policy->cond_traffic_class.end_tc) {
+                           traffic_class <= kernel_policy->cond_traffic_class.end_tc) {
                                // No match, matches forbidden traffic class
                                // No match, matches forbidden traffic class
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (traffic_class < kernel_policy->cond_traffic_class.start_tc ||
                        }
                } else {
                        if (traffic_class < kernel_policy->cond_traffic_class.start_tc ||
-                               traffic_class > kernel_policy->cond_traffic_class.end_tc) {
+                           traffic_class > kernel_policy->cond_traffic_class.end_tc) {
                                // No match, does not match required traffic class
                                // No match, does not match required traffic class
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
                        }
                }
        }
@@ -5027,14 +7394,47 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                        if (protocol == kernel_policy->cond_protocol) {
                                // No match, matches forbidden protocol
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                        if (protocol == kernel_policy->cond_protocol) {
                                // No match, matches forbidden protocol
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (protocol != kernel_policy->cond_protocol) {
                                // No match, does not match required protocol
                        }
                } else {
                        if (protocol != kernel_policy->cond_protocol) {
                                // No match, does not match required protocol
-                               return (FALSE);
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+               bool matches_agent_type = FALSE;
+               for (u_int32_t i = 0; i < num_required_agent_types; i++) {
+                       struct necp_client_parameter_netagent_type *required_agent_type = &required_agent_types[i];
+                       if ((strlen(kernel_policy->cond_agent_type.agent_domain) == 0 ||
+                           strncmp(required_agent_type->netagent_domain, kernel_policy->cond_agent_type.agent_domain, NETAGENT_DOMAINSIZE) == 0) &&
+                           (strlen(kernel_policy->cond_agent_type.agent_type) == 0 ||
+                           strncmp(required_agent_type->netagent_type, kernel_policy->cond_agent_type.agent_type, NETAGENT_TYPESIZE) == 0)) {
+                               // Found a required agent that matches
+                               matches_agent_type = TRUE;
+                               break;
                        }
                }
                        }
                }
+               if (!matches_agent_type) {
+                       return FALSE;
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+               bool is_local = FALSE;
+
+               if (rt != NULL) {
+                       is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
+               } else {
+                       is_local = necp_is_route_local(remote);
+               }
+
+               if (!is_local) {
+                       // Either no route to validate or no match for local networks
+                       return FALSE;
+               }
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
@@ -5042,22 +7442,22 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                if (inRange) {
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inRange) {
                                }
                        } else {
                                if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (inSubnet) {
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inSubnet) {
                                }
                        } else {
                                if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                }
                                }
                        }
                }
@@ -5068,45 +7468,121 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                if (inRange) {
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inRange) {
                                }
                        } else {
                                if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (inSubnet) {
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inSubnet) {
                                }
                        } else {
                                if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                }
        }
 
                                }
                        }
                }
        }
 
-       return (TRUE);
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+                       if ((client_flags & kernel_policy->cond_client_flags) == kernel_policy->cond_client_flags) {
+                               // Flags do match, and condition is negative, fail.
+                               return FALSE;
+                       }
+               } else {
+                       if ((client_flags & kernel_policy->cond_client_flags) != kernel_policy->cond_client_flags) {
+                               // Flags do not match, fail.
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+               bool isEmpty = necp_addr_is_empty((struct sockaddr *)local);
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+                       if (isEmpty) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!isEmpty) {
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+               bool isEmpty = necp_addr_is_empty((struct sockaddr *)remote);
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+                       if (isEmpty) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!isEmpty) {
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               bool tags_matched = false;
+               if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) {
+                       if (pf_tag == PF_TAG_ID_STACK_DROP) {
+                               tags_matched = true;
+                       }
+               }
+
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                       if (tags_matched) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!tags_matched) {
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) {
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) {
+                       if (is_loopback) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!is_loopback) {
+                               return FALSE;
+                       }
+               }
+       }
+
+       return TRUE;
 }
 
 static inline u_int32_t
 necp_socket_calc_flowhash_locked(struct necp_socket_info *info)
 {
 }
 
 static inline u_int32_t
 necp_socket_calc_flowhash_locked(struct necp_socket_info *info)
 {
-       return (net_flowhash(info, sizeof(*info), necp_kernel_socket_policies_gencount));
+       return net_flowhash(info, sizeof(*info), necp_kernel_socket_policies_gencount);
 }
 
 static void
 }
 
 static void
-necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface, struct necp_socket_info *info)
+necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface, u_int32_t drop_order, proc_t *socket_proc, struct necp_socket_info *info, bool is_loopback)
 {
        struct socket *so = NULL;
 {
        struct socket *so = NULL;
+       proc_t sock_proc = NULL;
+       proc_t curr_proc = current_proc();
 
        memset(info, 0, sizeof(struct necp_socket_info));
 
        so = inp->inp_socket;
 
 
        memset(info, 0, sizeof(struct necp_socket_info));
 
        so = inp->inp_socket;
 
+       info->drop_order = drop_order;
+       info->is_loopback = is_loopback;
+
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PID) {
                info->pid = ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
        }
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PID) {
                info->pid = ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
        }
@@ -5114,11 +7590,35 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_UID) {
                info->uid = kauth_cred_getuid(so->so_cred);
        }
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_UID) {
                info->uid = kauth_cred_getuid(so->so_cred);
        }
-       
+
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                info->traffic_class = so->so_traffic_class;
        }
 
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                info->traffic_class = so->so_traffic_class;
        }
 
+       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+               info->has_client = !uuid_is_null(inp->necp_client_uuid);
+       }
+
+       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+               info->client_flags = 0;
+               if (INP_NO_CONSTRAINED(inp)) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED;
+               }
+               if (INP_NO_EXPENSIVE(inp)) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE;
+               }
+               if (inp->inp_socket->so_flags1 & SOF1_CELLFALLBACK) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_FALLBACK_TRAFFIC;
+               }
+               if (inp->inp_socket->so_flags1 & SOF1_INBOUND) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_INBOUND;
+               }
+               if (inp->inp_socket->so_options & SO_ACCEPTCONN ||
+                   inp->inp_flags2 & INP2_EXTERNAL_PORT) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_LISTENER;
+               }
+       }
+
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                if (inp->inp_ip_p) {
                        info->protocol = inp->inp_ip_p;
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                if (inp->inp_ip_p) {
                        info->protocol = inp->inp_ip_p;
@@ -5128,12 +7628,27 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
        }
 
        if (inp->inp_flags2 & INP2_WANT_APP_POLICY && necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
        }
 
        if (inp->inp_flags2 & INP2_WANT_APP_POLICY && necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
+               u_int32_t responsible_application_id = 0;
+
                struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid));
                if (existing_mapping) {
                        info->application_id = existing_mapping->id;
                }
 
                struct necp_uuid_id_mapping *existing_mapping = necp_uuid_lookup_app_id_locked(((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid));
                if (existing_mapping) {
                        info->application_id = existing_mapping->id;
                }
 
-               if (!(so->so_flags & SOF_DELEGATED)) {
+#if defined(XNU_TARGET_OS_OSX)
+               if (so->so_rpid > 0) {
+                       existing_mapping = necp_uuid_lookup_app_id_locked(so->so_ruuid);
+                       if (existing_mapping != NULL) {
+                               responsible_application_id = existing_mapping->id;
+                       }
+               }
+#endif
+
+               if (responsible_application_id > 0) {
+                       info->real_application_id = info->application_id;
+                       info->application_id = responsible_application_id;
+                       info->used_responsible_pid = true;
+               } else if (!(so->so_flags & SOF_DELEGATED)) {
                        info->real_application_id = info->application_id;
                } else if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                        struct necp_uuid_id_mapping *real_existing_mapping = necp_uuid_lookup_app_id_locked(so->last_uuid);
                        info->real_application_id = info->application_id;
                } else if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                        struct necp_uuid_id_mapping *real_existing_mapping = necp_uuid_lookup_app_id_locked(so->last_uuid);
@@ -5141,12 +7656,32 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
                                info->real_application_id = real_existing_mapping->id;
                        }
                }
                                info->real_application_id = real_existing_mapping->id;
                        }
                }
-               
+
                if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                        info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
                if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                        info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+                       if (info->cred_result != 0) {
+                               // Process does not have entitlement, check the parent process
+                               necp_get_parent_cred_result(NULL, info);
+                       }
+               }
+       }
+
+       pid_t socket_pid =
+#if defined(XNU_TARGET_OS_OSX)
+           info->used_responsible_pid ? so->so_rpid :
+#endif
+           ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
+       if (socket_pid && (socket_pid != proc_pid(curr_proc))) {
+               sock_proc = proc_find(socket_pid);
+               if (socket_proc) {
+                       *socket_proc = sock_proc;
                }
        }
 
                }
        }
 
+       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+               info->is_platform_binary = necp_is_platform_binary(sock_proc ? sock_proc : curr_proc) ? true : false;
+       }
+
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && inp->inp_necp_attributes.inp_account != NULL) {
                struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, inp->inp_necp_attributes.inp_account);
                if (existing_mapping) {
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && inp->inp_necp_attributes.inp_account != NULL) {
                struct necp_string_id_mapping *existing_mapping = necp_lookup_string_to_id_locked(&necp_account_id_list, inp->inp_necp_attributes.inp_account);
                if (existing_mapping) {
@@ -5166,38 +7701,53 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
                }
        }
 
                }
        }
 
-       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
-               if (inp->inp_vflag & INP_IPV4) {
-                       if (override_local_addr) {
+       if (necp_restrict_multicast ||
+           (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS)) {
+               if (override_local_addr != NULL) {
+                       if (override_local_addr->sa_family == AF_INET6 && override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
                                memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
                                memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
-                       } else {
+                               if (IN6_IS_ADDR_V4MAPPED(&(info->local_addr.sin6.sin6_addr))) {
+                                       struct sockaddr_in sin;
+                                       in6_sin6_2_sin(&sin, &(info->local_addr.sin6));
+                                       memset(&info->local_addr, 0, sizeof(union necp_sockaddr_union));
+                                       memcpy(&info->local_addr, &sin, sin.sin_len);
+                               }
+                       } else if (override_local_addr->sa_family == AF_INET && override_local_addr->sa_len <= sizeof(struct sockaddr_in)) {
+                               memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
+                       }
+               } else {
+                       if (inp->inp_vflag & INP_IPV4) {
                                ((struct sockaddr_in *)&info->local_addr)->sin_family = AF_INET;
                                ((struct sockaddr_in *)&info->local_addr)->sin_len = sizeof(struct sockaddr_in);
                                ((struct sockaddr_in *)&info->local_addr)->sin_port = inp->inp_lport;
                                memcpy(&((struct sockaddr_in *)&info->local_addr)->sin_addr, &inp->inp_laddr, sizeof(struct in_addr));
                                ((struct sockaddr_in *)&info->local_addr)->sin_family = AF_INET;
                                ((struct sockaddr_in *)&info->local_addr)->sin_len = sizeof(struct sockaddr_in);
                                ((struct sockaddr_in *)&info->local_addr)->sin_port = inp->inp_lport;
                                memcpy(&((struct sockaddr_in *)&info->local_addr)->sin_addr, &inp->inp_laddr, sizeof(struct in_addr));
-                       }
-
-                       if (override_remote_addr) {
-                               memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
-                       } else {
-                               ((struct sockaddr_in *)&info->remote_addr)->sin_family = AF_INET;
-                               ((struct sockaddr_in *)&info->remote_addr)->sin_len = sizeof(struct sockaddr_in);
-                               ((struct sockaddr_in *)&info->remote_addr)->sin_port = inp->inp_fport;
-                               memcpy(&((struct sockaddr_in *)&info->remote_addr)->sin_addr, &inp->inp_faddr, sizeof(struct in_addr));
-                       }
-               } else if (inp->inp_vflag & INP_IPV6) {
-                       if (override_local_addr) {
-                               memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
-                       } else {
+                       } else if (inp->inp_vflag & INP_IPV6) {
                                ((struct sockaddr_in6 *)&info->local_addr)->sin6_family = AF_INET6;
                                ((struct sockaddr_in6 *)&info->local_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                ((struct sockaddr_in6 *)&info->local_addr)->sin6_port = inp->inp_lport;
                                memcpy(&((struct sockaddr_in6 *)&info->local_addr)->sin6_addr, &inp->in6p_laddr, sizeof(struct in6_addr));
                        }
                                ((struct sockaddr_in6 *)&info->local_addr)->sin6_family = AF_INET6;
                                ((struct sockaddr_in6 *)&info->local_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                ((struct sockaddr_in6 *)&info->local_addr)->sin6_port = inp->inp_lport;
                                memcpy(&((struct sockaddr_in6 *)&info->local_addr)->sin6_addr, &inp->in6p_laddr, sizeof(struct in6_addr));
                        }
+               }
 
 
-                       if (override_remote_addr) {
+               if (override_remote_addr != NULL) {
+                       if (override_remote_addr->sa_family == AF_INET6 && override_remote_addr->sa_len <= sizeof(struct sockaddr_in6)) {
                                memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
                                memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
-                       } else {
+                               if (IN6_IS_ADDR_V4MAPPED(&(info->remote_addr.sin6.sin6_addr))) {
+                                       struct sockaddr_in sin;
+                                       in6_sin6_2_sin(&sin, &(info->remote_addr.sin6));
+                                       memset(&info->remote_addr, 0, sizeof(union necp_sockaddr_union));
+                                       memcpy(&info->remote_addr, &sin, sin.sin_len);
+                               }
+                       } else if (override_remote_addr->sa_family == AF_INET && override_remote_addr->sa_len <= sizeof(struct sockaddr_in)) {
+                               memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
+                       }
+               } else {
+                       if (inp->inp_vflag & INP_IPV4) {
+                               ((struct sockaddr_in *)&info->remote_addr)->sin_family = AF_INET;
+                               ((struct sockaddr_in *)&info->remote_addr)->sin_len = sizeof(struct sockaddr_in);
+                               ((struct sockaddr_in *)&info->remote_addr)->sin_port = inp->inp_fport;
+                               memcpy(&((struct sockaddr_in *)&info->remote_addr)->sin_addr, &inp->inp_faddr, sizeof(struct in_addr));
+                       } else if (inp->inp_vflag & INP_IPV6) {
                                ((struct sockaddr_in6 *)&info->remote_addr)->sin6_family = AF_INET6;
                                ((struct sockaddr_in6 *)&info->remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                ((struct sockaddr_in6 *)&info->remote_addr)->sin6_port = inp->inp_fport;
                                ((struct sockaddr_in6 *)&info->remote_addr)->sin6_family = AF_INET6;
                                ((struct sockaddr_in6 *)&info->remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                ((struct sockaddr_in6 *)&info->remote_addr)->sin6_port = inp->inp_fport;
@@ -5208,41 +7758,77 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
 }
 
 static inline struct necp_kernel_socket_policy *
 }
 
 static inline struct necp_kernel_socket_policy *
-necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, size_t netagent_array_count)
+necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info,
+    necp_kernel_policy_filter *return_filter,
+    u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count,
+    necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service,
+    u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count,
+    struct necp_client_parameter_netagent_type *required_agent_types,
+    u_int32_t num_required_agent_types, proc_t proc, u_int16_t pf_tag, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt,
+    necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass,
+    u_int32_t *return_flow_divert_aggregate_unit)
 {
        struct necp_kernel_socket_policy *matched_policy = NULL;
        u_int32_t skip_order = 0;
        u_int32_t skip_session_order = 0;
 {
        struct necp_kernel_socket_policy *matched_policy = NULL;
        u_int32_t skip_order = 0;
        u_int32_t skip_session_order = 0;
-       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_count = 0;
        int i;
        size_t netagent_cursor = 0;
        size_t route_rule_id_count = 0;
        int i;
        size_t netagent_cursor = 0;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       if (return_drop_all_bypass != NULL) {
+               *return_drop_all_bypass = drop_all_bypass;
+       }
 
        // Pre-process domain for quick matching
        struct substring domain_substring = necp_trim_dots_and_stars(info->domain, info->domain ? strlen(info->domain) : 0);
        u_int8_t domain_dot_count = necp_count_dots(domain_substring.string, domain_substring.length);
 
 
        // Pre-process domain for quick matching
        struct substring domain_substring = necp_trim_dots_and_stars(info->domain, info->domain ? strlen(info->domain) : 0);
        u_int8_t domain_dot_count = necp_count_dots(domain_substring.string, domain_substring.length);
 
-       if (return_filter) {
+       if (return_filter != NULL) {
                *return_filter = 0;
        }
 
                *return_filter = 0;
        }
 
-       if (return_route_rule_id) {
-               *return_route_rule_id = 0;
+       if (return_route_rule_id_array_count != NULL) {
+               *return_route_rule_id_array_count = 0;
        }
 
        }
 
-       if (return_service_action) {
+       if (return_service_action != NULL) {
                *return_service_action = 0;
        }
 
                *return_service_action = 0;
        }
 
-       if (return_service) {
+       if (return_service != NULL) {
                return_service->identifier = 0;
                return_service->data = 0;
        }
 
                return_service->identifier = 0;
                return_service->data = 0;
        }
 
+       // Do not subject layer-2 filter to NECP policies, return a PASS policy
+       if (necp_pass_interpose > 0 && info->client_flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) {
+               return &pass_policy;
+       }
+
+       *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+
        if (policy_search_array != NULL) {
                for (i = 0; policy_search_array[i] != NULL; i++) {
                        if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                // We've hit a drop all rule
        if (policy_search_array != NULL) {
                for (i = 0; policy_search_array[i] != NULL; i++) {
                        if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                // We've hit a drop all rule
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                                       drop_all_bypass = necp_check_drop_all_bypass_result(proc);
+                                       if (return_drop_all_bypass != NULL) {
+                                               *return_drop_all_bypass = drop_all_bypass;
+                                       }
+                               }
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                                       break;
+                               }
+                       }
+                       if (necp_drop_dest_policy.entry_count != 0 &&
+                           necp_address_matches_drop_dest_policy(&info->remote_addr, policy_search_array[i]->session_order)) {
+                               // We've hit a drop by destination address rule
+                               *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                               break;
+                       }
+                       if (info->drop_order != 0 && policy_search_array[i]->session_order >= info->drop_order) {
+                               // We've hit a drop order for this socket
                                break;
                        }
                        if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
                                break;
                        }
                        if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
@@ -5263,18 +7849,24 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                // Skip this policy
                                continue;
                        }
                                // Skip this policy
                                continue;
                        }
-                       if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr)) {
+
+                       if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, required_agent_types, num_required_agent_types, info->has_client, info->client_flags, info->is_platform_binary, proc, pf_tag, rt, info->is_loopback)) {
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
-                                       if (return_filter && *return_filter == 0) {
-                                               *return_filter = policy_search_array[i]->result_parameter.filter_control_unit;
+                                       if (return_filter && *return_filter != NECP_FILTER_UNIT_NO_FILTER) {
+                                               necp_kernel_policy_filter control_unit = policy_search_array[i]->result_parameter.filter_control_unit;
+                                               if (control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+                                                       *return_filter = control_unit;
+                                               } else {
+                                                       *return_filter |= control_unit;
+                                               }
                                                if (necp_debug > 1) {
                                                        NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Filter %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.filter_control_unit);
                                                }
                                        }
                                        continue;
                                } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
                                                if (necp_debug > 1) {
                                                        NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Filter %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.filter_control_unit);
                                                }
                                        }
                                        continue;
                                } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
-                                       if (return_route_rule_id && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
-                                               route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
+                                       if (return_route_rule_id_array && route_rule_id_count < route_rule_id_array_count) {
+                                               return_route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
                                                if (necp_debug > 1) {
                                                        NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Route Rule %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.route_rule_id);
                                                }
                                                if (necp_debug > 1) {
                                                        NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Route Rule %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.route_rule_id);
                                                }
@@ -5295,36 +7887,65 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                                }
                                        }
                                        continue;
                                                }
                                        }
                                        continue;
-                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT) {
+                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
+                                   policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
                                        if (return_netagent_array != NULL &&
                                        if (return_netagent_array != NULL &&
-                                               netagent_cursor < netagent_array_count) {
+                                           netagent_cursor < netagent_array_count) {
                                                return_netagent_array[netagent_cursor] = policy_search_array[i]->result_parameter.netagent_id;
                                                return_netagent_array[netagent_cursor] = policy_search_array[i]->result_parameter.netagent_id;
+                                               if (return_netagent_use_flags_array != NULL &&
+                                                   policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
+                                                       return_netagent_use_flags_array[netagent_cursor] |= NECP_AGENT_USE_FLAG_SCOPE;
+                                               }
                                                netagent_cursor++;
                                                if (necp_debug > 1) {
                                                netagent_cursor++;
                                                if (necp_debug > 1) {
-                                                       NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Use Netagent %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.netagent_id);
+                                                       NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) %s Netagent %d",
+                                                           info->application_id, info->real_application_id, info->bound_interface_index, info->protocol,
+                                                           policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ? "Use" : "Scope",
+                                                           policy_search_array[i]->result_parameter.netagent_id);
                                                }
                                        }
                                        continue;
                                                }
                                        }
                                        continue;
+                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
+                                       u_int32_t control_unit = policy_search_array[i]->result_parameter.flow_divert_control_unit;
+                                       if (control_unit & FLOW_DIVERT_IS_TRANSPARENT) {
+                                               /* For transparent proxies, accumulate the control unit and continue to the next policy */
+                                               if (return_flow_divert_aggregate_unit != NULL) {
+                                                       *return_flow_divert_aggregate_unit |= (control_unit & ~FLOW_DIVERT_IS_TRANSPARENT);
+                                                       if (necp_debug > 1) {
+                                                               NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) flow divert %u", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, control_unit);
+                                                       }
+                                               }
+                                               continue;
+                                       }
                                }
 
                                }
 
-                               // Passed all tests, found a match
-                               matched_policy = policy_search_array[i];
+                               // Matched policy is a skip. Do skip and continue.
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                                        skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                        skip_session_order = policy_search_array[i]->session_order + 1;
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                                        skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                        skip_session_order = policy_search_array[i]->session_order + 1;
+                                       if (skip_policy_id && *skip_policy_id == NECP_KERNEL_POLICY_ID_NONE) {
+                                               *skip_policy_id = policy_search_array[i]->id;
+                                       }
                                        continue;
                                }
                                        continue;
                                }
+
+                               // Matched an allow unentitled, which clears any drop order
+                               if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED) {
+                                       info->drop_order = 0;
+                                       continue;
+                               }
+
+                               // Passed all tests, found a match
+                               matched_policy = policy_search_array[i];
                                break;
                        }
                }
        }
 
                                break;
                        }
                }
        }
 
-       if (route_rule_id_count == 1) {
-               *return_route_rule_id = route_rule_id_array[0];
-       } else if (route_rule_id_count > 1) {
-               *return_route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       if (return_route_rule_id_array_count != NULL) {
+               *return_route_rule_id_array_count = route_rule_id_count;
        }
        }
-       return (matched_policy);
+       return matched_policy;
 }
 
 static bool
 }
 
 static bool
@@ -5337,23 +7958,23 @@ necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
        int i;
        int family = AF_INET;
        ifnet_t interface = ifindex2ifnet[interface_index];
        int i;
        int family = AF_INET;
        ifnet_t interface = ifindex2ifnet[interface_index];
-       
+
        if (inp == NULL || interface == NULL) {
        if (inp == NULL || interface == NULL) {
-               return (FALSE);
+               return FALSE;
        }
        }
-       
+
        if (inp->inp_vflag & INP_IPV4) {
                family = AF_INET;
        } else if (inp->inp_vflag & INP_IPV6) {
                family = AF_INET6;
        }
        if (inp->inp_vflag & INP_IPV4) {
                family = AF_INET;
        } else if (inp->inp_vflag & INP_IPV6) {
                family = AF_INET6;
        }
-       
+
        result = ifnet_get_address_list_family(interface, &addresses, family);
        if (result != 0) {
                NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
        result = ifnet_get_address_list_family(interface, &addresses, family);
        if (result != 0) {
                NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
-               return (FALSE);
+               return FALSE;
        }
        }
-       
+
        for (i = 0; addresses[i] != NULL; i++) {
                if (ifaddr_address(addresses[i], &address_storage.sa, sizeof(address_storage)) == 0) {
                        if (family == AF_INET) {
        for (i = 0; addresses[i] != NULL; i++) {
                if (ifaddr_address(addresses[i], &address_storage.sa, sizeof(address_storage)) == 0) {
                        if (family == AF_INET) {
@@ -5369,17 +7990,44 @@ necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
                        }
                }
        }
                        }
                }
        }
-       
+
 done:
        ifnet_free_address_list(addresses);
        addresses = NULL;
 done:
        ifnet_free_address_list(addresses);
        addresses = NULL;
-       return (found_match);
+       return found_match;
 }
 
 static inline bool
 necp_socket_is_connected(struct inpcb *inp)
 {
 }
 
 static inline bool
 necp_socket_is_connected(struct inpcb *inp)
 {
-       return (inp->inp_socket->so_state & (SS_ISCONNECTING | SS_ISCONNECTED | SS_ISDISCONNECTING));
+       return inp->inp_socket->so_state & (SS_ISCONNECTING | SS_ISCONNECTED | SS_ISDISCONNECTING);
+}
+
+static inline necp_socket_bypass_type_t
+necp_socket_bypass(struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, struct inpcb *inp)
+{
+       if (necp_pass_loopback > 0 && necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL, IFSCOPE_NONE)) {
+               return NECP_BYPASS_TYPE_LOOPBACK;
+       } else if (necp_is_intcoproc(inp, NULL)) {
+               return NECP_BYPASS_TYPE_INTCOPROC;
+       }
+
+       return NECP_BYPASS_TYPE_NONE;
+}
+
+static inline void
+necp_socket_ip_tunnel_tso(struct inpcb *inp)
+{
+       u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
+       ifnet_t tunnel_interface = NULL;
+
+       ifnet_head_lock_shared();
+       tunnel_interface = ifindex2ifnet[tunnel_interface_index];
+       ifnet_head_done();
+
+       if (tunnel_interface != NULL) {
+               tcp_set_tso(intotcpcb(inp), tunnel_interface);
+       }
 }
 
 necp_kernel_policy_id
 }
 
 necp_kernel_policy_id
@@ -5387,11 +8035,14 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 {
        struct socket *so = NULL;
        necp_kernel_policy_filter filter_control_unit = 0;
 {
        struct socket *so = NULL;
        necp_kernel_policy_filter filter_control_unit = 0;
-       u_int32_t route_rule_id = 0;
        struct necp_kernel_socket_policy *matched_policy = NULL;
        necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        necp_kernel_policy_result service_action = 0;
        necp_kernel_policy_service service = { 0, 0 };
        struct necp_kernel_socket_policy *matched_policy = NULL;
        necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        necp_kernel_policy_result service_action = 0;
        necp_kernel_policy_service service = { 0, 0 };
+       u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       proc_t socket_proc = NULL;
+       necp_socket_bypass_type_t bypass_type = NECP_BYPASS_TYPE_NONE;
 
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
        memset(&netagent_ids, 0, sizeof(netagent_ids));
 
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
        memset(&netagent_ids, 0, sizeof(netagent_ids));
@@ -5399,70 +8050,133 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 
        struct necp_socket_info info;
 
 
        struct necp_socket_info info;
 
+       u_int32_t flow_divert_aggregate_unit = 0;
+
        if (inp == NULL) {
        if (inp == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       // Ignore invalid addresses
+       if (override_local_addr != NULL &&
+           !necp_address_is_valid(override_local_addr)) {
+               override_local_addr = NULL;
+       }
+       if (override_remote_addr != NULL &&
+           !necp_address_is_valid(override_remote_addr)) {
+               override_remote_addr = NULL;
        }
 
        so = inp->inp_socket;
 
        }
 
        so = inp->inp_socket;
 
+       u_int32_t drop_order = necp_process_drop_order(so->so_cred);
+
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_socket_policies_count == 0 ||
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_socket_policies_count == 0 ||
-               (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
-               if (necp_drop_all_order > 0) {
+           (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
+               if (necp_drop_all_order > 0 || drop_order > 0) {
                        inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        inp->inp_policyresult.policy_gencount = 0;
                        inp->inp_policyresult.policy_gencount = 0;
+                       inp->inp_policyresult.app_id = 0;
                        inp->inp_policyresult.flowhash = 0;
                        inp->inp_policyresult.results.filter_control_unit = 0;
                        inp->inp_policyresult.flowhash = 0;
                        inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.route_rule_id = 0;
-                       if (necp_pass_loopback > 0 &&
-                               necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL)) {
+                       if (necp_socket_bypass(override_local_addr, override_remote_addr, inp) != NECP_BYPASS_TYPE_NONE) {
                                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                        } else {
                                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                        }
                }
                                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                        } else {
                                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                        }
                }
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
        }
        }
-       
+
        // Check for loopback exception
        // Check for loopback exception
-       if (necp_pass_loopback > 0 &&
-               necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL)) {
+       bypass_type = necp_socket_bypass(override_local_addr, override_remote_addr, inp);
+       if (bypass_type == NECP_BYPASS_TYPE_INTCOPROC || (bypass_type == NECP_BYPASS_TYPE_LOOPBACK && necp_pass_loopback == NECP_LOOPBACK_PASS_ALL)) {
+               if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
+                       // If the previous policy result was "socket scoped", un-scope the socket.
+                       inp->inp_flags &= ~INP_BOUND_IF;
+                       inp->inp_boundifp = NULL;
+               }
                // Mark socket as a pass
                inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                // Mark socket as a pass
                inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                inp->inp_policyresult.policy_gencount = 0;
                inp->inp_policyresult.policy_gencount = 0;
+               inp->inp_policyresult.app_id = 0;
                inp->inp_policyresult.flowhash = 0;
                inp->inp_policyresult.results.filter_control_unit = 0;
                inp->inp_policyresult.flowhash = 0;
                inp->inp_policyresult.results.filter_control_unit = 0;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                inp->inp_policyresult.results.route_rule_id = 0;
                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                inp->inp_policyresult.results.route_rule_id = 0;
                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
        }
 
        // Lock
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        }
 
        // Lock
        lck_rw_lock_shared(&necp_kernel_policy_lock);
-       
-       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, &info);
+       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, drop_order, &socket_proc, &info, (bypass_type == NECP_BYPASS_TYPE_LOOPBACK));
 
        // Check info
        u_int32_t flowhash = necp_socket_calc_flowhash_locked(&info);
        if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
 
        // Check info
        u_int32_t flowhash = necp_socket_calc_flowhash_locked(&info);
        if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
-               inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
-               inp->inp_policyresult.flowhash == flowhash) {
+           inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
+           inp->inp_policyresult.flowhash == flowhash) {
                // If already matched this socket on this generation of table, skip
 
                // Unlock
                lck_rw_done(&necp_kernel_policy_lock);
 
                // If already matched this socket on this generation of table, skip
 
                // Unlock
                lck_rw_done(&necp_kernel_policy_lock);
 
-               return (inp->inp_policyresult.policy_id);
+               if (socket_proc) {
+                       proc_rele(socket_proc);
+               }
+
+               return inp->inp_policyresult.policy_id;
        }
 
        }
 
+       inp->inp_policyresult.app_id = info.application_id;
+
        // Match socket to policy
        // Match socket to policy
-       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, &route_rule_id, &service_action, &service, netagent_ids, NECP_MAX_NETAGENTS);
+       necp_kernel_policy_id skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_array_count = 0;
+       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, socket_proc ? socket_proc : current_proc(), 0, &skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass, &flow_divert_aggregate_unit);
+
+       // Check for loopback exception again after the policy match
+       if (bypass_type == NECP_BYPASS_TYPE_LOOPBACK &&
+           necp_pass_loopback == NECP_LOOPBACK_PASS_WITH_FILTER &&
+           (matched_policy == NULL || matched_policy->result != NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT)) {
+               if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
+                       // If the previous policy result was "socket scoped", un-scope the socket.
+                       inp->inp_flags &= ~INP_BOUND_IF;
+                       inp->inp_boundifp = NULL;
+               }
+               // Mark socket as a pass
+               inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.policy_gencount = 0;
+               inp->inp_policyresult.app_id = 0;
+               inp->inp_policyresult.flowhash = 0;
+               inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+               inp->inp_policyresult.results.route_rule_id = 0;
+               inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
+
+               // Unlock
+               lck_rw_done(&necp_kernel_policy_lock);
+
+               if (socket_proc) {
+                       proc_rele(socket_proc);
+               }
+
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
        // If the socket matched a scoped service policy, mark as Drop if not registered.
        // This covers the cases in which a service is required (on demand) but hasn't started yet.
        if ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
        // If the socket matched a scoped service policy, mark as Drop if not registered.
        // This covers the cases in which a service is required (on demand) but hasn't started yet.
        if ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
-                service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
-               service.identifier != 0 &&
-               service.identifier != NECP_NULL_SERVICE_ID) {
+           service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
+           service.identifier != 0 &&
+           service.identifier != NECP_NULL_SERVICE_ID) {
                bool service_is_registered = FALSE;
                struct necp_service_registration *service_registration = NULL;
                LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
                bool service_is_registered = FALSE;
                struct necp_service_registration *service_registration = NULL;
                LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
@@ -5474,9 +8188,11 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                if (!service_is_registered) {
                        // Mark socket as a drop if service is not registered
                        inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                if (!service_is_registered) {
                        // Mark socket as a drop if service is not registered
                        inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = 0;
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
@@ -5486,7 +8202,12 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 
                        // Unlock
                        lck_rw_done(&necp_kernel_policy_lock);
 
                        // Unlock
                        lck_rw_done(&necp_kernel_policy_lock);
-                       return (NECP_KERNEL_POLICY_ID_NONE);
+
+                       if (socket_proc) {
+                               proc_rele(socket_proc);
+                       }
+
+                       return NECP_KERNEL_POLICY_ID_NONE;
                }
        }
        // Verify netagents
                }
        }
        // Verify netagents
@@ -5514,9 +8235,11 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 
                                        // Mark socket as a drop if required agent is not active
                                        inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
 
                                        // Mark socket as a drop if required agent is not active
                                        inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                                        inp->inp_policyresult.flowhash = flowhash;
                                        inp->inp_policyresult.results.filter_control_unit = 0;
                                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                                        inp->inp_policyresult.flowhash = flowhash;
                                        inp->inp_policyresult.results.filter_control_unit = 0;
+                                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                                        inp->inp_policyresult.results.route_rule_id = 0;
                                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
                                        inp->inp_policyresult.results.route_rule_id = 0;
                                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
@@ -5526,64 +8249,135 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 
                                        // Unlock
                                        lck_rw_done(&necp_kernel_policy_lock);
 
                                        // Unlock
                                        lck_rw_done(&necp_kernel_policy_lock);
-                                       return (NECP_KERNEL_POLICY_ID_NONE);
+
+                                       if (socket_proc) {
+                                               proc_rele(socket_proc);
+                                       }
+
+                                       return NECP_KERNEL_POLICY_ID_NONE;
                                }
                        }
                }
        }
                                }
                        }
                }
        }
+
+       u_int32_t route_rule_id = 0;
+       if (route_rule_id_array_count == 1) {
+               route_rule_id = route_rule_id_array[0];
+       } else if (route_rule_id_array_count > 1) {
+               route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       }
+
+       bool reset_tcp_tunnel_interface = false;
+       bool send_local_network_denied_event = false;
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                inp->inp_policyresult.policy_id = matched_policy->id;
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                inp->inp_policyresult.policy_id = matched_policy->id;
+               inp->inp_policyresult.skip_policy_id = skip_policy_id;
                inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                inp->inp_policyresult.flowhash = flowhash;
                inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
                inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                inp->inp_policyresult.flowhash = flowhash;
                inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
                inp->inp_policyresult.results.route_rule_id = route_rule_id;
                inp->inp_policyresult.results.result = matched_policy->result;
                memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
 
                inp->inp_policyresult.results.route_rule_id = route_rule_id;
                inp->inp_policyresult.results.result = matched_policy->result;
                memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
 
+               if (info.used_responsible_pid && (matched_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID)) {
+                       inp->inp_policyresult.app_id = info.real_application_id;
+               }
+
                if (necp_socket_is_connected(inp) &&
                if (necp_socket_is_connected(inp) &&
-                       (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                       (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && !necp_socket_uses_interface(inp, matched_policy->result_parameter.tunnel_interface_index)))) {
+                   (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
+                   (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && !necp_socket_uses_interface(inp, matched_policy->result_parameter.tunnel_interface_index)))) {
                        if (necp_debug) {
                                NECPLOG(LOG_DEBUG, "Marking socket in state %d as defunct", so->so_state);
                        }
                        if (necp_debug) {
                                NECPLOG(LOG_DEBUG, "Marking socket in state %d as defunct", so->so_state);
                        }
-                       sosetdefunct(current_proc(), so, SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL, TRUE);
+                       sosetdefunct(current_proc(), so, SHUTDOWN_SOCKET_LEVEL_NECP | SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL, TRUE);
                } else if (necp_socket_is_connected(inp) &&
                } else if (necp_socket_is_connected(inp) &&
-                                  matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
-                                  info.protocol == IPPROTO_TCP) {
-                       // Reset MSS on TCP socket if tunnel policy changes
-                       tcp_mtudisc(inp, 0);
+                   matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
+                   info.protocol == IPPROTO_TCP) {
+                       // Reset TCP socket interface based parameters if tunnel policy changes
+                       reset_tcp_tunnel_interface = true;
+               }
+
+               if (necp_debug > 1) {
+                       NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
+               }
+
+               if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP &&
+                   matched_policy->result_parameter.drop_flags & NECP_KERNEL_POLICY_DROP_FLAG_LOCAL_NETWORK) {
+                       // Trigger the event that we dropped due to a local network policy
+                       send_local_network_denied_event = true;
+               }
+       } else {
+               bool drop_all = false;
+               if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
+                       // Mark socket as a drop if set
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(socket_proc ? socket_proc : current_proc());
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
+                       inp->inp_policyresult.flowhash = flowhash;
+                       inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
+                       inp->inp_policyresult.results.route_rule_id = 0;
+                       inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
+               } else {
+                       // Mark non-matching socket so we don't re-check it
+                       inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
+                       inp->inp_policyresult.flowhash = flowhash;
+                       inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+                       inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
+                       inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
                }
                }
+       }
 
 
-               if (necp_debug > 1) {
-                       NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
-               }
-       } else if (necp_drop_all_order > 0) {
-               // Mark socket as a drop if set
+       if (necp_check_missing_client_drop(socket_proc ? socket_proc : current_proc(), &info) ||
+           necp_check_restricted_multicast_drop(socket_proc ? socket_proc : current_proc(), &info, false)) {
+               // Mark as drop
                inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                inp->inp_policyresult.flowhash = flowhash;
                inp->inp_policyresult.results.filter_control_unit = 0;
                inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                inp->inp_policyresult.flowhash = flowhash;
                inp->inp_policyresult.results.filter_control_unit = 0;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                inp->inp_policyresult.results.route_rule_id = 0;
                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                inp->inp_policyresult.results.route_rule_id = 0;
                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
-       } else {
-               // Mark non-matching socket so we don't re-check it
-               inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
-               inp->inp_policyresult.flowhash = flowhash;
-               inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
-               inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
-               inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
        }
 
        // Unlock
        lck_rw_done(&necp_kernel_policy_lock);
 
        }
 
        // Unlock
        lck_rw_done(&necp_kernel_policy_lock);
 
-       return (matched_policy_id);
+       if (reset_tcp_tunnel_interface) {
+               // Update MSS when not holding the policy lock to avoid recursive locking
+               tcp_mtudisc(inp, 0);
+
+               // Update TSO flag based on the tunnel interface
+               necp_socket_ip_tunnel_tso(inp);
+       }
+
+       if (send_local_network_denied_event) {
+               necp_send_network_denied_event(((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid),
+                   ((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid),
+                   NETPOLICY_NETWORKTYPE_LOCAL);
+       }
+
+       if (socket_proc) {
+               proc_rele(socket_proc);
+       }
+
+       return matched_policy_id;
 }
 
 static bool
 }
 
 static bool
-necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote)
+necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct rtentry *rt, u_int16_t pf_tag)
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
@@ -5591,36 +8385,38 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                if (bound_interface_index == cond_bound_interface_index) {
                                        // No match, matches forbidden interface
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                if (bound_interface_index == cond_bound_interface_index) {
                                        // No match, matches forbidden interface
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (bound_interface_index != cond_bound_interface_index) {
                                        // No match, does not match required interface
                                }
                        } else {
                                if (bound_interface_index != cond_bound_interface_index) {
                                        // No match, does not match required interface
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                } else {
                        if (bound_interface_index != 0) {
                                // No match, requires a non-bound packet
                                }
                        }
                } else {
                        if (bound_interface_index != 0) {
                                // No match, requires a non-bound packet
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
 
        if (kernel_policy->condition_mask == 0) {
                        }
                }
        }
 
        if (kernel_policy->condition_mask == 0) {
-               return (TRUE);
+               return TRUE;
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
-               if (socket_policy_id != kernel_policy->cond_policy_id) {
+               necp_kernel_policy_id matched_policy_id =
+                   kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id;
+               if (matched_policy_id != kernel_policy->cond_policy_id) {
                        // No match, does not match required id
                        // No match, does not match required id
-                       return (FALSE);
+                       return FALSE;
                }
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
                if (last_interface_index != kernel_policy->cond_last_interface_index) {
                }
        }
 
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
                if (last_interface_index != kernel_policy->cond_last_interface_index) {
-                       return (FALSE);
+                       return FALSE;
                }
        }
 
                }
        }
 
@@ -5628,37 +8424,52 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                        if (protocol == kernel_policy->cond_protocol) {
                                // No match, matches forbidden protocol
                if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                        if (protocol == kernel_policy->cond_protocol) {
                                // No match, matches forbidden protocol
-                               return (FALSE);
+                               return FALSE;
                        }
                } else {
                        if (protocol != kernel_policy->cond_protocol) {
                                // No match, does not match required protocol
                        }
                } else {
                        if (protocol != kernel_policy->cond_protocol) {
                                // No match, does not match required protocol
-                               return (FALSE);
+                               return FALSE;
                        }
                }
        }
 
                        }
                }
        }
 
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+               bool is_local = FALSE;
+
+               if (rt != NULL) {
+                       is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
+               } else {
+                       is_local = necp_is_route_local(remote);
+               }
+
+               if (!is_local) {
+                       // Either no route to validate or no match for local networks
+                       return FALSE;
+               }
+       }
+
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                if (inRange) {
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inRange) {
                                }
                        } else {
                                if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (inSubnet) {
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inSubnet) {
                                }
                        } else {
                                if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                }
                                }
                        }
                }
@@ -5669,42 +8480,88 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                if (inRange) {
                        bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inRange) {
                                }
                        } else {
                                if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (inSubnet) {
                                }
                        }
                } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                        bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                        if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        } else {
                                if (!inSubnet) {
                                }
                        } else {
                                if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
+                               }
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               bool tags_matched = false;
+
+               if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) {
+                       if ((pf_tag & PF_TAG_ID_STACK_DROP) == PF_TAG_ID_STACK_DROP) {
+                               tags_matched = true;
+                       }
+
+                       if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                               if (tags_matched) {
+                                       return FALSE;
+                               }
+                       } else {
+                               if (!tags_matched) {
+                                       return FALSE;
                                }
                        }
                }
        }
 
                                }
                        }
                }
        }
 
-       return (TRUE);
+       return TRUE;
 }
 
 static inline struct necp_kernel_ip_output_policy *
 }
 
 static inline struct necp_kernel_ip_output_policy *
-necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr)
+necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, struct rtentry *rt, u_int16_t pf_tag, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
 {
        u_int32_t skip_order = 0;
        u_int32_t skip_session_order = 0;
 {
        u_int32_t skip_order = 0;
        u_int32_t skip_session_order = 0;
-       int i;
        struct necp_kernel_ip_output_policy *matched_policy = NULL;
        struct necp_kernel_ip_output_policy **policy_search_array = necp_kernel_ip_output_policies_map[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(socket_policy_id)];
        struct necp_kernel_ip_output_policy *matched_policy = NULL;
        struct necp_kernel_ip_output_policy **policy_search_array = necp_kernel_ip_output_policies_map[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(socket_policy_id)];
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_count = 0;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       if (return_drop_all_bypass != NULL) {
+               *return_drop_all_bypass = drop_all_bypass;
+       }
+
+       if (return_route_rule_id != NULL) {
+               *return_route_rule_id = 0;
+       }
+
+       *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+
        if (policy_search_array != NULL) {
        if (policy_search_array != NULL) {
-               for (i = 0; policy_search_array[i] != NULL; i++) {
+               for (int i = 0; policy_search_array[i] != NULL; i++) {
                        if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                // We've hit a drop all rule
                        if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                // We've hit a drop all rule
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                                       drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                                       if (return_drop_all_bypass != NULL) {
+                                               *return_drop_all_bypass = drop_all_bypass;
+                                       }
+                               }
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                                       break;
+                               }
+                       }
+                       if (necp_drop_dest_policy.entry_count > 0 &&
+                           necp_address_matches_drop_dest_policy(remote_addr, policy_search_array[i]->session_order)) {
+                               // We've hit a drop by destination address rule
+                               *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_DROP;
                                break;
                        }
                        if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
                                break;
                        }
                        if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
@@ -5725,30 +8582,58 @@ necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id,
                                // Skip this policy
                                continue;
                        }
                                // Skip this policy
                                continue;
                        }
-                       if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr)) {
-                               // Passed all tests, found a match
-                               matched_policy = policy_search_array[i];
 
 
-                               if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
+                       if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr, rt, pf_tag)) {
+                               if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
+                                       if (return_route_rule_id != NULL && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
+                                               route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
+                                       }
+                                       continue;
+                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                                        skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                        skip_session_order = policy_search_array[i]->session_order + 1;
                                        continue;
                                }
 
                                        skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                        skip_session_order = policy_search_array[i]->session_order + 1;
                                        continue;
                                }
 
+                               // Passed all tests, found a match
+                               matched_policy = policy_search_array[i];
                                break;
                        }
                }
        }
 
                                break;
                        }
                }
        }
 
-       return (matched_policy);
+       if (route_rule_id_count == 1) {
+               *return_route_rule_id = route_rule_id_array[0];
+       } else if (route_rule_id_count > 1) {
+               *return_route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       }
+
+       return matched_policy;
+}
+
+static inline bool
+necp_output_bypass(struct mbuf *packet)
+{
+       if (necp_pass_loopback > 0 && necp_is_loopback(NULL, NULL, NULL, packet, IFSCOPE_NONE)) {
+               return true;
+       }
+       if (necp_pass_keepalives > 0 && necp_get_is_keepalive_from_packet(packet)) {
+               return true;
+       }
+       if (necp_is_intcoproc(NULL, packet)) {
+               return true;
+       }
+       return false;
 }
 
 necp_kernel_policy_id
 }
 
 necp_kernel_policy_id
-necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_args *ipoa, necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
+necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_args *ipoa, struct rtentry *rt,
+    necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
 {
        struct ip *ip = NULL;
        int hlen = sizeof(struct ip);
        necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
 {
        struct ip *ip = NULL;
        int hlen = sizeof(struct ip);
        necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        struct necp_kernel_ip_output_policy *matched_policy = NULL;
        u_int16_t protocol = 0;
        necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        struct necp_kernel_ip_output_policy *matched_policy = NULL;
        u_int16_t protocol = 0;
@@ -5756,6 +8641,9 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
        u_int32_t last_interface_index = 0;
        union necp_sockaddr_union local_addr;
        union necp_sockaddr_union remote_addr;
        u_int32_t last_interface_index = 0;
        union necp_sockaddr_union local_addr;
        union necp_sockaddr_union remote_addr;
+       u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       u_int16_t pf_tag = 0;
 
        if (result) {
                *result = 0;
 
        if (result) {
                *result = 0;
@@ -5766,22 +8654,21 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
        }
 
        if (packet == NULL) {
        }
 
        if (packet == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
        }
        }
-       
+
        socket_policy_id = necp_get_policy_id_from_packet(packet);
        socket_policy_id = necp_get_policy_id_from_packet(packet);
+       socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
+       pf_tag = necp_get_packet_filter_tags_from_packet(packet);
 
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_ip_output_policies_count == 0 ||
 
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_ip_output_policies_count == 0 ||
-               ((socket_policy_id == NECP_KERNEL_POLICY_ID_NONE) && necp_kernel_ip_output_policies_non_id_count == 0)) {
+           (socket_policy_id == NECP_KERNEL_POLICY_ID_NONE && necp_kernel_ip_output_policies_non_id_count == 0 && necp_drop_dest_policy.entry_count == 0)) {
                if (necp_drop_all_order > 0) {
                        matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        if (result) {
                if (necp_drop_all_order > 0) {
                        matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        if (result) {
-                               if ((necp_pass_loopback > 0 &&
-                                        necp_is_loopback(NULL, NULL, NULL, packet)) ||
-                                       (necp_pass_keepalives > 0 &&
-                                        necp_get_is_keepalive_from_packet(packet))) {
+                               if (necp_output_bypass(packet)) {
                                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                                } else {
                                        *result = NECP_KERNEL_POLICY_RESULT_DROP;
                                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                                } else {
                                        *result = NECP_KERNEL_POLICY_RESULT_DROP;
@@ -5789,21 +8676,18 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
                        }
                }
 
                        }
                }
 
-               return (matched_policy_id);
+               return matched_policy_id;
        }
        }
-       
+
        // Check for loopback exception
        // Check for loopback exception
-       if ((necp_pass_loopback > 0 &&
-                necp_is_loopback(NULL, NULL, NULL, packet)) ||
-               (necp_pass_keepalives > 0 &&
-                necp_get_is_keepalive_from_packet(packet))) {
+       if (necp_output_bypass(packet)) {
                matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                if (result) {
                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                }
                matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                if (result) {
                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                }
-               return (matched_policy_id);
+               return matched_policy_id;
        }
        }
-       
+
        last_interface_index = necp_get_last_interface_index_from_packet(packet);
 
        // Process packet to get relevant fields
        last_interface_index = necp_get_last_interface_index_from_packet(packet);
 
        // Process packet to get relevant fields
@@ -5817,8 +8701,8 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
        protocol = ip->ip_p;
 
        if ((flags & IP_OUTARGS) && (ipoa != NULL) &&
        protocol = ip->ip_p;
 
        if ((flags & IP_OUTARGS) && (ipoa != NULL) &&
-               (ipoa->ipoa_flags & IPOAF_BOUND_IF) &&
-               ipoa->ipoa_boundif != IFSCOPE_NONE) {
+           (ipoa->ipoa_flags & IPOAF_BOUND_IF) &&
+           ipoa->ipoa_boundif != IFSCOPE_NONE) {
                bound_interface_index = ipoa->ipoa_boundif;
        }
 
                bound_interface_index = ipoa->ipoa_boundif;
        }
 
@@ -5831,34 +8715,35 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
        memcpy(&((struct sockaddr_in *)&remote_addr)->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
 
        switch (protocol) {
        memcpy(&((struct sockaddr_in *)&remote_addr)->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
 
        switch (protocol) {
-               case IPPROTO_TCP: {
-                       struct tcphdr th;
-                       if ((int)(hlen + sizeof(th)) <= packet->m_pkthdr.len) {
-                               m_copydata(packet, hlen, sizeof(th), (u_int8_t *)&th);
-                               ((struct sockaddr_in *)&local_addr)->sin_port = th.th_sport;
-                               ((struct sockaddr_in *)&remote_addr)->sin_port = th.th_dport;
-                       }
-                       break;
-               }
-               case IPPROTO_UDP: {
-                       struct udphdr uh;
-                       if ((int)(hlen + sizeof(uh)) <= packet->m_pkthdr.len) {
-                               m_copydata(packet, hlen, sizeof(uh), (u_int8_t *)&uh);
-                               ((struct sockaddr_in *)&local_addr)->sin_port = uh.uh_sport;
-                               ((struct sockaddr_in *)&remote_addr)->sin_port = uh.uh_dport;
-                       }
-                       break;
+       case IPPROTO_TCP: {
+               struct tcphdr th;
+               if ((int)(hlen + sizeof(th)) <= packet->m_pkthdr.len) {
+                       m_copydata(packet, hlen, sizeof(th), (u_int8_t *)&th);
+                       ((struct sockaddr_in *)&local_addr)->sin_port = th.th_sport;
+                       ((struct sockaddr_in *)&remote_addr)->sin_port = th.th_dport;
                }
                }
-               default: {
-                       ((struct sockaddr_in *)&local_addr)->sin_port = 0;
-                       ((struct sockaddr_in *)&remote_addr)->sin_port = 0;
-                       break;
+               break;
+       }
+       case IPPROTO_UDP: {
+               struct udphdr uh;
+               if ((int)(hlen + sizeof(uh)) <= packet->m_pkthdr.len) {
+                       m_copydata(packet, hlen, sizeof(uh), (u_int8_t *)&uh);
+                       ((struct sockaddr_in *)&local_addr)->sin_port = uh.uh_sport;
+                       ((struct sockaddr_in *)&remote_addr)->sin_port = uh.uh_dport;
                }
                }
+               break;
+       }
+       default: {
+               ((struct sockaddr_in *)&local_addr)->sin_port = 0;
+               ((struct sockaddr_in *)&remote_addr)->sin_port = 0;
+               break;
+       }
        }
 
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        }
 
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
-       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr);
+       u_int32_t route_rule_id = 0;
+       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, pf_tag, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
@@ -5869,28 +8754,53 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
                        memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                }
 
                        memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                }
 
+               if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
+               }
+
                if (necp_debug > 1) {
                if (necp_debug > 1) {
-                       NECPLOG(LOG_DEBUG, "IP Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
+                       NECPLOG(LOG_DEBUG, "IP Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d Route Rule %u", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index, route_rule_id);
                }
                }
-       } else if (necp_drop_all_order > 0) {
-               matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               if (result) {
-                       *result = NECP_KERNEL_POLICY_RESULT_DROP;
+       } else {
+               bool drop_all = false;
+               /*
+                * Apply drop-all only to packets which have never matched a primary policy (check
+                * if the packet saved policy id is none or falls within the socket policy id range).
+                */
+               if (socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP &&
+                   (necp_drop_all_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP)) {
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       if (result) {
+                               *result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       }
+               } else if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       // If we matched a route rule, mark it
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
                }
        }
 
        lck_rw_done(&necp_kernel_policy_lock);
 
                }
        }
 
        lck_rw_done(&necp_kernel_policy_lock);
 
-       return (matched_policy_id);
+       return matched_policy_id;
 }
 
 necp_kernel_policy_id
 }
 
 necp_kernel_policy_id
-necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out_args *ip6oa, necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
+necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out_args *ip6oa, struct rtentry *rt,
+    necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
 {
        struct ip6_hdr *ip6 = NULL;
        int next = -1;
        int offset = 0;
        necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
 {
        struct ip6_hdr *ip6 = NULL;
        int next = -1;
        int offset = 0;
        necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        struct necp_kernel_ip_output_policy *matched_policy = NULL;
        u_int16_t protocol = 0;
        necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        struct necp_kernel_ip_output_policy *matched_policy = NULL;
        u_int16_t protocol = 0;
@@ -5898,6 +8808,9 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
        u_int32_t last_interface_index = 0;
        union necp_sockaddr_union local_addr;
        union necp_sockaddr_union remote_addr;
        u_int32_t last_interface_index = 0;
        union necp_sockaddr_union local_addr;
        union necp_sockaddr_union remote_addr;
+       u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       u_int16_t pf_tag = 0;
 
        if (result) {
                *result = 0;
 
        if (result) {
                *result = 0;
@@ -5908,22 +8821,21 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
        }
 
        if (packet == NULL) {
        }
 
        if (packet == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
        }
 
        socket_policy_id = necp_get_policy_id_from_packet(packet);
        }
 
        socket_policy_id = necp_get_policy_id_from_packet(packet);
-       
+       socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
+       pf_tag = necp_get_packet_filter_tags_from_packet(packet);
+
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_ip_output_policies_count == 0 ||
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_ip_output_policies_count == 0 ||
-               ((socket_policy_id == NECP_KERNEL_POLICY_ID_NONE) && necp_kernel_ip_output_policies_non_id_count == 0)) {
+           (socket_policy_id == NECP_KERNEL_POLICY_ID_NONE && necp_kernel_ip_output_policies_non_id_count == 0 && necp_drop_dest_policy.entry_count == 0)) {
                if (necp_drop_all_order > 0) {
                        matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        if (result) {
                if (necp_drop_all_order > 0) {
                        matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                        if (result) {
-                               if ((necp_pass_loopback > 0 &&
-                                        necp_is_loopback(NULL, NULL, NULL, packet)) ||
-                                       (necp_pass_keepalives > 0 &&
-                                        necp_get_is_keepalive_from_packet(packet))) {
+                               if (necp_output_bypass(packet)) {
                                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                                } else {
                                        *result = NECP_KERNEL_POLICY_RESULT_DROP;
                                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                                } else {
                                        *result = NECP_KERNEL_POLICY_RESULT_DROP;
@@ -5931,29 +8843,26 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
                        }
                }
 
                        }
                }
 
-               return (matched_policy_id);
+               return matched_policy_id;
        }
        }
-       
+
        // Check for loopback exception
        // Check for loopback exception
-       if ((necp_pass_loopback > 0 &&
-                necp_is_loopback(NULL, NULL, NULL, packet)) ||
-               (necp_pass_keepalives > 0 &&
-                necp_get_is_keepalive_from_packet(packet))) {
+       if (necp_output_bypass(packet)) {
                matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                if (result) {
                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                }
                matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                if (result) {
                        *result = NECP_KERNEL_POLICY_RESULT_PASS;
                }
-               return (matched_policy_id);
+               return matched_policy_id;
        }
        }
-       
+
        last_interface_index = necp_get_last_interface_index_from_packet(packet);
 
        // Process packet to get relevant fields
        ip6 = mtod(packet, struct ip6_hdr *);
 
        if ((flags & IPV6_OUTARGS) && (ip6oa != NULL) &&
        last_interface_index = necp_get_last_interface_index_from_packet(packet);
 
        // Process packet to get relevant fields
        ip6 = mtod(packet, struct ip6_hdr *);
 
        if ((flags & IPV6_OUTARGS) && (ip6oa != NULL) &&
-               (ip6oa->ip6oa_flags & IP6OAF_BOUND_IF) &&
-               ip6oa->ip6oa_boundif != IFSCOPE_NONE) {
+           (ip6oa->ip6oa_flags & IP6OAF_BOUND_IF) &&
+           ip6oa->ip6oa_boundif != IFSCOPE_NONE) {
                bound_interface_index = ip6oa->ip6oa_boundif;
        }
 
                bound_interface_index = ip6oa->ip6oa_boundif;
        }
 
@@ -5969,35 +8878,36 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
        if (offset >= 0 && packet->m_pkthdr.len >= offset) {
                protocol = next;
                switch (protocol) {
        if (offset >= 0 && packet->m_pkthdr.len >= offset) {
                protocol = next;
                switch (protocol) {
-                       case IPPROTO_TCP: {
-                               struct tcphdr th;
-                               if ((int)(offset + sizeof(th)) <= packet->m_pkthdr.len) {
-                                       m_copydata(packet, offset, sizeof(th), (u_int8_t *)&th);
-                                       ((struct sockaddr_in6 *)&local_addr)->sin6_port = th.th_sport;
-                                       ((struct sockaddr_in6 *)&remote_addr)->sin6_port = th.th_dport;
-                               }
-                               break;
-                       }
-                       case IPPROTO_UDP: {
-                               struct udphdr uh;
-                               if ((int)(offset + sizeof(uh)) <= packet->m_pkthdr.len) {
-                                       m_copydata(packet, offset, sizeof(uh), (u_int8_t *)&uh);
-                                       ((struct sockaddr_in6 *)&local_addr)->sin6_port = uh.uh_sport;
-                                       ((struct sockaddr_in6 *)&remote_addr)->sin6_port = uh.uh_dport;
-                               }
-                               break;
+               case IPPROTO_TCP: {
+                       struct tcphdr th;
+                       if ((int)(offset + sizeof(th)) <= packet->m_pkthdr.len) {
+                               m_copydata(packet, offset, sizeof(th), (u_int8_t *)&th);
+                               ((struct sockaddr_in6 *)&local_addr)->sin6_port = th.th_sport;
+                               ((struct sockaddr_in6 *)&remote_addr)->sin6_port = th.th_dport;
                        }
                        }
-                       default: {
-                               ((struct sockaddr_in6 *)&local_addr)->sin6_port = 0;
-                               ((struct sockaddr_in6 *)&remote_addr)->sin6_port = 0;
-                               break;
+                       break;
+               }
+               case IPPROTO_UDP: {
+                       struct udphdr uh;
+                       if ((int)(offset + sizeof(uh)) <= packet->m_pkthdr.len) {
+                               m_copydata(packet, offset, sizeof(uh), (u_int8_t *)&uh);
+                               ((struct sockaddr_in6 *)&local_addr)->sin6_port = uh.uh_sport;
+                               ((struct sockaddr_in6 *)&remote_addr)->sin6_port = uh.uh_dport;
                        }
                        }
+                       break;
+               }
+               default: {
+                       ((struct sockaddr_in6 *)&local_addr)->sin6_port = 0;
+                       ((struct sockaddr_in6 *)&remote_addr)->sin6_port = 0;
+                       break;
+               }
                }
        }
 
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
                }
        }
 
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
-       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr);
+       u_int32_t route_rule_id = 0;
+       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, pf_tag, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
@@ -6008,19 +8918,42 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
                        memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                }
 
                        memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                }
 
+               if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
+               }
+
                if (necp_debug > 1) {
                if (necp_debug > 1) {
-                       NECPLOG(LOG_DEBUG, "IP6 Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
+                       NECPLOG(LOG_DEBUG, "IP6 Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d Route Rule %u", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index, route_rule_id);
                }
                }
-       } else if (necp_drop_all_order > 0) {
-               matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               if (result) {
-                       *result = NECP_KERNEL_POLICY_RESULT_DROP;
+       } else {
+               bool drop_all = false;
+               /*
+                * Apply drop-all only to packets which have never matched a primary policy (check
+                * if the packet saved policy id is none or falls within the socket policy id range).
+                */
+               if (socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP &&
+                   (necp_drop_all_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP)) {
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       if (result) {
+                               *result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       }
+               } else if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       // If we matched a route rule, mark it
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
                }
        }
 
        lck_rw_done(&necp_kernel_policy_lock);
 
                }
        }
 
        lck_rw_done(&necp_kernel_policy_lock);
 
-       return (matched_policy_id);
+       return matched_policy_id;
 }
 
 // Utilities
 }
 
 // Utilities
@@ -6030,22 +8963,22 @@ necp_is_addr_in_range(struct sockaddr *addr, struct sockaddr *range_start, struc
        int cmp = 0;
 
        if (addr == NULL || range_start == NULL || range_end == NULL) {
        int cmp = 0;
 
        if (addr == NULL || range_start == NULL || range_end == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        /* Must be greater than or equal to start */
        cmp = necp_addr_compare(addr, range_start, 1);
        if (cmp != 0 && cmp != 1) {
        }
 
        /* Must be greater than or equal to start */
        cmp = necp_addr_compare(addr, range_start, 1);
        if (cmp != 0 && cmp != 1) {
-               return (FALSE);
+               return FALSE;
        }
 
        /* Must be less than or equal to end */
        cmp = necp_addr_compare(addr, range_end, 1);
        if (cmp != 0 && cmp != -1) {
        }
 
        /* Must be less than or equal to end */
        cmp = necp_addr_compare(addr, range_end, 1);
        if (cmp != 0 && cmp != -1) {
-               return (FALSE);
+               return FALSE;
        }
 
        }
 
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 }
 
 static bool
@@ -6054,61 +8987,61 @@ necp_is_range_in_range(struct sockaddr *inner_range_start, struct sockaddr *inne
        int cmp = 0;
 
        if (inner_range_start == NULL || inner_range_end == NULL || range_start == NULL || range_end == NULL) {
        int cmp = 0;
 
        if (inner_range_start == NULL || inner_range_end == NULL || range_start == NULL || range_end == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        /* Must be greater than or equal to start */
        cmp = necp_addr_compare(inner_range_start, range_start, 1);
        if (cmp != 0 && cmp != 1) {
        }
 
        /* Must be greater than or equal to start */
        cmp = necp_addr_compare(inner_range_start, range_start, 1);
        if (cmp != 0 && cmp != 1) {
-               return (FALSE);
+               return FALSE;
        }
 
        /* Must be less than or equal to end */
        cmp = necp_addr_compare(inner_range_end, range_end, 1);
        if (cmp != 0 && cmp != -1) {
        }
 
        /* Must be less than or equal to end */
        cmp = necp_addr_compare(inner_range_end, range_end, 1);
        if (cmp != 0 && cmp != -1) {
-               return (FALSE);
+               return FALSE;
        }
 
        }
 
-       return (TRUE);
+       return TRUE;
 }
 
 static bool
 necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix)
 {
        if (addr == NULL || subnet_addr == NULL) {
 }
 
 static bool
 necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix)
 {
        if (addr == NULL || subnet_addr == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        if (addr->sa_family != subnet_addr->sa_family || addr->sa_len != subnet_addr->sa_len) {
        }
 
        if (addr->sa_family != subnet_addr->sa_family || addr->sa_len != subnet_addr->sa_len) {
-               return (FALSE);
+               return FALSE;
        }
 
        switch (addr->sa_family) {
        }
 
        switch (addr->sa_family) {
-               case AF_INET: {
-                       if (satosin(subnet_addr)->sin_port != 0 &&
-                               satosin(addr)->sin_port != satosin(subnet_addr)->sin_port) {
-                               return (FALSE);
-                       }
-                       return (necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin(addr)->sin_addr, (u_int8_t *)&satosin(subnet_addr)->sin_addr, subnet_prefix));
+       case AF_INET: {
+               if (satosin(subnet_addr)->sin_port != 0 &&
+                   satosin(addr)->sin_port != satosin(subnet_addr)->sin_port) {
+                       return FALSE;
                }
                }
-               case AF_INET6: {
-                       if (satosin6(subnet_addr)->sin6_port != 0 &&
-                               satosin6(addr)->sin6_port != satosin6(subnet_addr)->sin6_port) {
-                               return (FALSE);
-                       }
-                       if (satosin6(addr)->sin6_scope_id &&
-                               satosin6(subnet_addr)->sin6_scope_id &&
-                               satosin6(addr)->sin6_scope_id != satosin6(subnet_addr)->sin6_scope_id) {
-                               return (FALSE);
-                       }
-                       return (necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin6(addr)->sin6_addr, (u_int8_t *)&satosin6(subnet_addr)->sin6_addr, subnet_prefix));
+               return necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin(addr)->sin_addr, (u_int8_t *)&satosin(subnet_addr)->sin_addr, subnet_prefix);
+       }
+       case AF_INET6: {
+               if (satosin6(subnet_addr)->sin6_port != 0 &&
+                   satosin6(addr)->sin6_port != satosin6(subnet_addr)->sin6_port) {
+                       return FALSE;
                }
                }
-               default: {
-                       return (FALSE);
+               if (satosin6(addr)->sin6_scope_id &&
+                   satosin6(subnet_addr)->sin6_scope_id &&
+                   satosin6(addr)->sin6_scope_id != satosin6(subnet_addr)->sin6_scope_id) {
+                       return FALSE;
                }
                }
+               return necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin6(addr)->sin6_addr, (u_int8_t *)&satosin6(subnet_addr)->sin6_addr, subnet_prefix);
+       }
+       default: {
+               return FALSE;
+       }
        }
 
        }
 
-       return (FALSE);
+       return FALSE;
 }
 
 /*
 }
 
 /*
@@ -6125,68 +9058,68 @@ necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port)
        int port_result = 0;
 
        if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) {
        int port_result = 0;
 
        if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) {
-               return (2);
+               return 2;
        }
 
        if (sa1->sa_len == 0) {
        }
 
        if (sa1->sa_len == 0) {
-               return (0);
+               return 0;
        }
 
        switch (sa1->sa_family) {
        }
 
        switch (sa1->sa_family) {
-               case AF_INET: {
-                       if (sa1->sa_len != sizeof(struct sockaddr_in)) {
-                               return (2);
-                       }
-
-                       result = memcmp(&satosin(sa1)->sin_addr.s_addr, &satosin(sa2)->sin_addr.s_addr, sizeof(satosin(sa1)->sin_addr.s_addr));
+       case AF_INET: {
+               if (sa1->sa_len != sizeof(struct sockaddr_in)) {
+                       return 2;
+               }
 
 
-                       if (check_port) {
-                               if (satosin(sa1)->sin_port < satosin(sa2)->sin_port) {
-                                       port_result = -1;
-                               } else if (satosin(sa1)->sin_port > satosin(sa2)->sin_port) {
-                                       port_result = 1;
-                               }
+               result = memcmp(&satosin(sa1)->sin_addr.s_addr, &satosin(sa2)->sin_addr.s_addr, sizeof(satosin(sa1)->sin_addr.s_addr));
 
 
-                               if (result == 0) {
-                                       result = port_result;
-                               } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
-                                       return (2);
-                               }
+               if (check_port) {
+                       if (satosin(sa1)->sin_port < satosin(sa2)->sin_port) {
+                               port_result = -1;
+                       } else if (satosin(sa1)->sin_port > satosin(sa2)->sin_port) {
+                               port_result = 1;
                        }
 
                        }
 
-                       break;
-               }
-               case AF_INET6: {
-                       if (sa1->sa_len != sizeof(struct sockaddr_in6)) {
-                               return (2);
+                       if (result == 0) {
+                               result = port_result;
+                       } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
+                               return 2;
                        }
                        }
+               }
 
 
-                       if (satosin6(sa1)->sin6_scope_id != satosin6(sa2)->sin6_scope_id) {
-                               return (2);
-                       }
+               break;
+       }
+       case AF_INET6: {
+               if (sa1->sa_len != sizeof(struct sockaddr_in6)) {
+                       return 2;
+               }
 
 
-                       result = memcmp(&satosin6(sa1)->sin6_addr.s6_addr[0], &satosin6(sa2)->sin6_addr.s6_addr[0], sizeof(struct in6_addr));
+               if (satosin6(sa1)->sin6_scope_id != satosin6(sa2)->sin6_scope_id) {
+                       return 2;
+               }
 
 
-                       if (check_port) {
-                               if (satosin6(sa1)->sin6_port < satosin6(sa2)->sin6_port) {
-                                       port_result = -1;
-                               } else if (satosin6(sa1)->sin6_port > satosin6(sa2)->sin6_port) {
-                                       port_result = 1;
-                               }
+               result = memcmp(&satosin6(sa1)->sin6_addr.s6_addr[0], &satosin6(sa2)->sin6_addr.s6_addr[0], sizeof(struct in6_addr));
 
 
-                               if (result == 0) {
-                                       result = port_result;
-                               } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
-                                       return (2);
-                               }
+               if (check_port) {
+                       if (satosin6(sa1)->sin6_port < satosin6(sa2)->sin6_port) {
+                               port_result = -1;
+                       } else if (satosin6(sa1)->sin6_port > satosin6(sa2)->sin6_port) {
+                               port_result = 1;
                        }
 
                        }
 
-                       break;
-               }
-               default: {
-                       result = memcmp(sa1, sa2, sa1->sa_len);
-                       break;
+                       if (result == 0) {
+                               result = port_result;
+                       } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
+                               return 2;
+                       }
                }
                }
+
+               break;
+       }
+       default: {
+               result = memcmp(sa1, sa2, sa1->sa_len);
+               break;
+       }
        }
 
        if (result < 0) {
        }
 
        if (result < 0) {
@@ -6195,7 +9128,7 @@ necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port)
                result = (1);
        }
 
                result = (1);
        }
 
-       return (result);
+       return result;
 }
 
 static bool
 }
 
 static bool
@@ -6205,183 +9138,230 @@ necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits)
 
        /* Handle null pointers */
        if (p1 == NULL || p2 == NULL) {
 
        /* Handle null pointers */
        if (p1 == NULL || p2 == NULL) {
-               return (p1 == p2);
+               return p1 == p2;
        }
 
        while (bits >= 8) {
                if (*p1++ != *p2++) {
        }
 
        while (bits >= 8) {
                if (*p1++ != *p2++) {
-                       return (FALSE);
+                       return FALSE;
                }
                bits -= 8;
        }
 
        if (bits > 0) {
                }
                bits -= 8;
        }
 
        if (bits > 0) {
-               mask = ~((1<<(8-bits))-1);
+               mask = ~((1 << (8 - bits)) - 1);
                if ((*p1 & mask) != (*p2 & mask)) {
                if ((*p1 & mask) != (*p2 & mask)) {
-                       return (FALSE);
+                       return FALSE;
                }
        }
                }
        }
-       return (TRUE);
+       return TRUE;
 }
 
 }
 
-// Socket operations
-#define NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH 253
+static bool
+necp_addr_is_empty(struct sockaddr *addr)
+{
+       if (addr == NULL) {
+               return TRUE;
+       }
+
+       if (addr->sa_len == 0) {
+               return TRUE;
+       }
+
+       switch (addr->sa_family) {
+       case AF_INET: {
+               static struct sockaddr_in ipv4_empty_address = {
+                       .sin_len = sizeof(struct sockaddr_in),
+                       .sin_family = AF_INET,
+                       .sin_port = 0,
+                       .sin_addr = { .s_addr = 0 }, // 0.0.0.0
+                       .sin_zero = {0},
+               };
+               if (necp_addr_compare(addr, (struct sockaddr *)&ipv4_empty_address, 0) == 0) {
+                       return TRUE;
+               } else {
+                       return FALSE;
+               }
+       }
+       case AF_INET6: {
+               static struct sockaddr_in6 ipv6_empty_address = {
+                       .sin6_len = sizeof(struct sockaddr_in6),
+                       .sin6_family = AF_INET6,
+                       .sin6_port = 0,
+                       .sin6_flowinfo = 0,
+                       .sin6_addr = IN6ADDR_ANY_INIT, // ::
+                       .sin6_scope_id = 0,
+               };
+               if (necp_addr_compare(addr, (struct sockaddr *)&ipv6_empty_address, 0) == 0) {
+                       return TRUE;
+               } else {
+                       return FALSE;
+               }
+       }
+       default:
+               return FALSE;
+       }
+
+       return FALSE;
+}
 
 static bool
 
 static bool
-necp_set_socket_attribute(u_int8_t *buffer, size_t buffer_length, u_int8_t type, char **buffer_p)
+necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id)
 {
 {
-       int error = 0;
-       int cursor = 0;
-       size_t string_size = 0;
-       char *local_string = NULL;
-       u_int8_t *value = NULL;
+       bool qos_marking = FALSE;
+       int exception_index = 0;
+       struct necp_route_rule *route_rule = NULL;
 
 
-       cursor = necp_buffer_find_tlv(buffer, buffer_length, 0, type, 0);
-       if (cursor < 0) {
-               // This will clear out the parameter
+       route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
+       if (route_rule == NULL) {
+               qos_marking = FALSE;
                goto done;
        }
 
                goto done;
        }
 
-       string_size = necp_buffer_get_tlv_length(buffer, cursor);
-       if (string_size == 0 || string_size > NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH) {
-               // This will clear out the parameter
+       qos_marking = (route_rule->default_action == NECP_ROUTE_RULE_QOS_MARKING) ? TRUE : FALSE;
+
+       if (ifp == NULL) {
                goto done;
        }
 
                goto done;
        }
 
-       MALLOC(local_string, char *, string_size + 1, M_NECP, M_WAITOK);
-       if (local_string == NULL) {
-               NECPLOG(LOG_ERR, "Failed to allocate a socket attribute buffer (size %d)", string_size);
-               goto fail;
+       for (exception_index = 0; exception_index < MAX_ROUTE_RULE_INTERFACES; exception_index++) {
+               if (route_rule->exception_if_indices[exception_index] == 0) {
+                       break;
+               }
+               if (route_rule->exception_if_actions[exception_index] != NECP_ROUTE_RULE_QOS_MARKING) {
+                       continue;
+               }
+               if (route_rule->exception_if_indices[exception_index] == ifp->if_index) {
+                       qos_marking = TRUE;
+                       if (necp_debug > 2) {
+                               NECPLOG(LOG_DEBUG, "QoS Marking : Interface match %d for Rule %d Allowed %d",
+                                   route_rule->exception_if_indices[exception_index], route_rule_id, qos_marking);
+                       }
+                       goto done;
+               }
        }
 
        }
 
-       value = necp_buffer_get_tlv_value(buffer, cursor, NULL);
-       if (value == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to get socket attribute");
-               goto fail;
+       if ((route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CELLULAR(ifp)) ||
+           (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIFI(ifp)) ||
+           (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIRED(ifp)) ||
+           (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_EXPENSIVE(ifp)) ||
+           (route_rule->constrained_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CONSTRAINED(ifp))) {
+               qos_marking = TRUE;
+               if (necp_debug > 2) {
+                       NECPLOG(LOG_DEBUG, "QoS Marking: C:%d WF:%d W:%d E:%d Cn:%d for Rule %d Allowed %d",
+                           route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action,
+                           route_rule->expensive_action, route_rule->constrained_action, route_rule_id, qos_marking);
+               }
+               goto done;
        }
        }
-
-       memcpy(local_string, value, string_size);
-       local_string[string_size] = 0;
-
 done:
 done:
-       if (*buffer_p != NULL) {
-               FREE(*buffer_p, M_NECP);
-               *buffer_p = NULL;
-       }
-
-       *buffer_p = local_string;
-       return (0);
-fail:
-       if (local_string != NULL) {
-               FREE(local_string, M_NECP);
+       if (necp_debug > 1) {
+               NECPLOG(LOG_DEBUG, "QoS Marking: Rule %d ifp %s Allowed %d",
+                   route_rule_id, ifp ? ifp->if_xname : "", qos_marking);
        }
        }
-       return (error);
+       return qos_marking;
 }
 
 }
 
-errno_t
-necp_set_socket_attributes(struct socket *so, struct sockopt *sopt)
+bool
+necp_lookup_current_qos_marking(int32_t *qos_marking_gencount, struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id, bool old_qos_marking)
 {
 {
-       int error = 0;
-       u_int8_t *buffer = NULL;
-       struct inpcb *inp = NULL;
-    
-    if ((SOCK_DOM(so) != PF_INET
-#if INET6
-         && SOCK_DOM(so) != PF_INET6
-#endif
-         )) {
-        error = EINVAL;
-        goto done;
-    }
-    
-       inp = sotoinpcb(so);
-
-       size_t valsize = sopt->sopt_valsize;
-       if (valsize == 0 ||
-               valsize > ((sizeof(u_int8_t) + sizeof(u_int32_t) + NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH) * 2)) {
-               goto done;
-       }
+       bool new_qos_marking = old_qos_marking;
+       struct ifnet *ifp = interface;
 
 
-       MALLOC(buffer, u_int8_t *, valsize, M_NECP, M_WAITOK);
-       if (buffer == NULL) {
-               goto done;
+       if (net_qos_policy_restricted == 0) {
+               return new_qos_marking;
        }
 
        }
 
-       error = sooptcopyin(sopt, buffer, valsize, 0);
-       if (error) {
-               goto done;
+       /*
+        * This is racy but we do not need the performance hit of taking necp_kernel_policy_lock
+        */
+       if (*qos_marking_gencount == necp_kernel_socket_policies_gencount) {
+               return new_qos_marking;
        }
 
        }
 
-       error = necp_set_socket_attribute(buffer, valsize, NECP_TLV_ATTRIBUTE_DOMAIN, &inp->inp_necp_attributes.inp_domain);
-       if (error) {
-               NECPLOG0(LOG_ERR, "Could not set domain TLV for socket attributes");
-               goto done;
-       }
+       lck_rw_lock_shared(&necp_kernel_policy_lock);
 
 
-       error = necp_set_socket_attribute(buffer, valsize, NECP_TLV_ATTRIBUTE_ACCOUNT, &inp->inp_necp_attributes.inp_account);
-       if (error) {
-               NECPLOG0(LOG_ERR, "Could not set account TLV for socket attributes");
+       if (ifp == NULL && route != NULL) {
+               ifp = route->rt_ifp;
+       }
+       /*
+        * By default, until we have a interface, do not mark and reevaluate the Qos marking policy
+        */
+       if (ifp == NULL || route_rule_id == 0) {
+               new_qos_marking = FALSE;
                goto done;
        }
 
                goto done;
        }
 
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Set on socket: Domain %s, Account %s", inp->inp_necp_attributes.inp_domain, inp->inp_necp_attributes.inp_account);
-       }
-done:
-       if (buffer != NULL) {
-               FREE(buffer, M_NECP);
+       if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
+               struct necp_aggregate_route_rule *aggregate_route_rule = necp_lookup_aggregate_route_rule_locked(route_rule_id);
+               if (aggregate_route_rule != NULL) {
+                       int index = 0;
+                       for (index = 0; index < MAX_AGGREGATE_ROUTE_RULES; index++) {
+                               u_int32_t sub_route_rule_id = aggregate_route_rule->rule_ids[index];
+                               if (sub_route_rule_id == 0) {
+                                       break;
+                               }
+                               new_qos_marking = necp_update_qos_marking(ifp, sub_route_rule_id);
+                               if (new_qos_marking == TRUE) {
+                                       break;
+                               }
+                       }
+               }
+       } else {
+               new_qos_marking = necp_update_qos_marking(ifp, route_rule_id);
        }
        }
+       /*
+        * Now that we have an interface we remember the gencount
+        */
+       *qos_marking_gencount = necp_kernel_socket_policies_gencount;
 
 
-       return (error);
+done:
+       lck_rw_done(&necp_kernel_policy_lock);
+       return new_qos_marking;
 }
 
 }
 
-errno_t
-necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)
+void
+necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, u_int32_t route_rule_id)
 {
 {
-       int error = 0;
-       u_int8_t *buffer = NULL;
-       u_int8_t *cursor = NULL;
-       size_t valsize = 0;
-       struct inpcb *inp = sotoinpcb(so);
-       
-       if (inp->inp_necp_attributes.inp_domain != NULL) {
-               valsize += sizeof(u_int8_t) + sizeof(u_int32_t) + strlen(inp->inp_necp_attributes.inp_domain);
-       }
-       if (inp->inp_necp_attributes.inp_account != NULL) {
-               valsize += sizeof(u_int8_t) + sizeof(u_int32_t) + strlen(inp->inp_necp_attributes.inp_account);
+       bool qos_marking = inp->inp_socket->so_flags1 & SOF1_QOSMARKING_ALLOWED ? TRUE : FALSE;
+
+       if (net_qos_policy_restricted == 0) {
+               return;
        }
        }
-       if (valsize == 0) {
-               goto done;
+       if (inp->inp_socket == NULL) {
+               return;
        }
        }
-
-       MALLOC(buffer, u_int8_t *, valsize, M_NECP, M_WAITOK);
-       if (buffer == NULL) {
-               goto done;
+       if ((inp->inp_socket->so_flags1 & SOF1_QOSMARKING_POLICY_OVERRIDE)) {
+               return;
        }
 
        }
 
-       cursor = buffer;
-       if (inp->inp_necp_attributes.inp_domain != NULL) {
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_DOMAIN, strlen(inp->inp_necp_attributes.inp_domain), inp->inp_necp_attributes.inp_domain);
-       }
+       qos_marking = necp_lookup_current_qos_marking(&(inp->inp_policyresult.results.qos_marking_gencount), route, NULL, route_rule_id, qos_marking);
 
 
-       if (inp->inp_necp_attributes.inp_account != NULL) {
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_ACCOUNT, strlen(inp->inp_necp_attributes.inp_account), inp->inp_necp_attributes.inp_account);
+       if (qos_marking == TRUE) {
+               inp->inp_socket->so_flags1 |= SOF1_QOSMARKING_ALLOWED;
+       } else {
+               inp->inp_socket->so_flags1 &= ~SOF1_QOSMARKING_ALLOWED;
        }
        }
+}
 
 
-       error = sooptcopyout(sopt, buffer, valsize);
-       if (error) {
-               goto done;
+static bool
+necp_route_is_lqm_abort(struct ifnet *ifp, struct ifnet *delegated_ifp)
+{
+       if (ifp != NULL &&
+           (ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
+           ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
+               return true;
        }
        }
-done:
-       if (buffer != NULL) {
-               FREE(buffer, M_NECP);
+       if (delegated_ifp != NULL &&
+           (delegated_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
+           delegated_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
+               return true;
        }
        }
-
-       return (error);
+       return false;
 }
 
 static bool
 }
 
 static bool
-necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t route_rule_id, bool *cellular_denied)
+necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
 {
        bool default_is_allowed = TRUE;
        u_int8_t type_aggregate_action = NECP_ROUTE_RULE_NONE;
 {
        bool default_is_allowed = TRUE;
        u_int8_t type_aggregate_action = NECP_ROUTE_RULE_NONE;
@@ -6391,7 +9371,7 @@ necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t
 
        route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
        if (route_rule == NULL) {
 
        route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
        if (route_rule == NULL) {
-               return (TRUE);
+               return TRUE;
        }
 
        default_is_allowed = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
        }
 
        default_is_allowed = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
@@ -6402,7 +9382,7 @@ necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t
                if (necp_debug > 1 && !default_is_allowed) {
                        NECPLOG(LOG_DEBUG, "Route Allowed: No interface for route, using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
                }
                if (necp_debug > 1 && !default_is_allowed) {
                        NECPLOG(LOG_DEBUG, "Route Allowed: No interface for route, using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
                }
-               return (default_is_allowed);
+               return default_is_allowed;
        }
 
        delegated_ifp = ifp->if_delegated.ifp;
        }
 
        delegated_ifp = ifp->if_delegated.ifp;
@@ -6411,79 +9391,142 @@ necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t
                        break;
                }
                if (route_rule->exception_if_indices[exception_index] == ifp->if_index ||
                        break;
                }
                if (route_rule->exception_if_indices[exception_index] == ifp->if_index ||
-                       (delegated_ifp != NULL && route_rule->exception_if_indices[exception_index] == delegated_ifp->if_index)) {
-                       if (necp_debug > 1) {
-                               NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Allowed %d", route_rule->exception_if_indices[exception_index], route_rule_id, ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
+                   (delegated_ifp != NULL && route_rule->exception_if_indices[exception_index] == delegated_ifp->if_index)) {
+                       if (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                               const bool lqm_abort = necp_route_is_lqm_abort(ifp, delegated_ifp);
+                               if (necp_debug > 1 && lqm_abort) {
+                                       NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Deny LQM Abort",
+                                           route_rule->exception_if_indices[exception_index], route_rule_id);
+                               }
+                               return false;
+                       } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->exception_if_actions[exception_index])) {
+                               if (necp_debug > 1) {
+                                       NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Allowed %d", route_rule->exception_if_indices[exception_index], route_rule_id, ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
+                               }
+                               return (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
                        }
                        }
-                       return ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE);
                }
        }
 
                }
        }
 
-       if (route_rule->cellular_action != NECP_ROUTE_RULE_NONE &&
-               IFNET_IS_CELLULAR(ifp)) {
-               if (cellular_denied != NULL) {
-                       // Let clients know that cellular was blocked
-                       *cellular_denied = TRUE;
-               }
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_CELLULAR(ifp)) {
+               if (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               if (interface_type_denied != NULL) {
+                                       *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
+                               }
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->cellular_action)) {
+                       if (interface_type_denied != NULL) {
+                               *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
+                       }
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->cellular_action;
                        }
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->cellular_action;
                        }
+               }
        }
 
        }
 
-       if (route_rule->wifi_action != NECP_ROUTE_RULE_NONE &&
-               IFNET_IS_WIFI(ifp)) {
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_WIFI(ifp)) {
+               if (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               if (interface_type_denied != NULL) {
+                                       *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
+                               }
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wifi_action)) {
+                       if (interface_type_denied != NULL) {
+                               *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
+                       }
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->wifi_action;
                        }
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->wifi_action;
                        }
+               }
        }
 
        }
 
-       if (route_rule->wired_action != NECP_ROUTE_RULE_NONE &&
-               IFNET_IS_WIRED(ifp)) {
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_WIRED(ifp)) {
+               if (route_rule->wired_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               if (interface_type_denied != NULL) {
+                                       *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
+                               }
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wired_action)) {
+                       if (interface_type_denied != NULL) {
+                               *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
+                       }
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->wired_action;
                        }
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->wired_action;
                        }
+               }
        }
 
        }
 
-       if (route_rule->expensive_action != NECP_ROUTE_RULE_NONE &&
-               IFNET_IS_EXPENSIVE(ifp)) {
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_EXPENSIVE(ifp)) {
+               if (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->expensive_action)) {
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->expensive_action;
                        }
                                // Deny wins if there is a conflict
                                type_aggregate_action = route_rule->expensive_action;
                        }
+               }
+       }
+
+       if (IFNET_IS_CONSTRAINED(ifp)) {
+               if (route_rule->constrained_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->constrained_action)) {
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->constrained_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+                               // Deny wins if there is a conflict
+                               type_aggregate_action = route_rule->constrained_action;
+                       }
+               }
        }
 
        if (type_aggregate_action != NECP_ROUTE_RULE_NONE) {
                if (necp_debug > 1) {
                        NECPLOG(LOG_DEBUG, "Route Allowed: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d", route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action, route_rule->expensive_action, route_rule_id, ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
                }
        }
 
        if (type_aggregate_action != NECP_ROUTE_RULE_NONE) {
                if (necp_debug > 1) {
                        NECPLOG(LOG_DEBUG, "Route Allowed: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d", route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action, route_rule->expensive_action, route_rule_id, ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
                }
-               return ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE);
+               return (type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
        }
 
        if (necp_debug > 1 && !default_is_allowed) {
                NECPLOG(LOG_DEBUG, "Route Allowed: Using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
        }
        }
 
        if (necp_debug > 1 && !default_is_allowed) {
                NECPLOG(LOG_DEBUG, "Route Allowed: Using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
        }
-       return (default_is_allowed);
+       return default_is_allowed;
 }
 
 static bool
 }
 
 static bool
-necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id, bool *cellular_denied)
+necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
 {
        if ((route == NULL && interface == NULL) || route_rule_id == 0) {
                if (necp_debug > 1) {
                        NECPLOG(LOG_DEBUG, "Route Allowed: no route or interface, Rule %d Allowed %d", route_rule_id, TRUE);
                }
 {
        if ((route == NULL && interface == NULL) || route_rule_id == 0) {
                if (necp_debug > 1) {
                        NECPLOG(LOG_DEBUG, "Route Allowed: no route or interface, Rule %d Allowed %d", route_rule_id, TRUE);
                }
-               return (TRUE);
+               return TRUE;
        }
 
        if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
        }
 
        if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
@@ -6495,16 +9538,16 @@ necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t
                                if (sub_route_rule_id == 0) {
                                        break;
                                }
                                if (sub_route_rule_id == 0) {
                                        break;
                                }
-                               if (!necp_route_is_allowed_inner(route, interface, sub_route_rule_id, cellular_denied)) {
-                                       return (FALSE);
+                               if (!necp_route_is_allowed_inner(route, interface, sub_route_rule_id, interface_type_denied)) {
+                                       return FALSE;
                                }
                        }
                }
        } else {
                                }
                        }
                }
        } else {
-               return (necp_route_is_allowed_inner(route, interface, route_rule_id, cellular_denied));
+               return necp_route_is_allowed_inner(route, interface, route_rule_id, interface_type_denied);
        }
 
        }
 
-       return (TRUE);
+       return TRUE;
 }
 
 bool
 }
 
 bool
@@ -6513,12 +9556,12 @@ necp_packet_is_allowed_over_interface(struct mbuf *packet, struct ifnet *interfa
        bool is_allowed = TRUE;
        u_int32_t route_rule_id = necp_get_route_rule_id_from_packet(packet);
        if (route_rule_id != 0 &&
        bool is_allowed = TRUE;
        u_int32_t route_rule_id = necp_get_route_rule_id_from_packet(packet);
        if (route_rule_id != 0 &&
-               interface != NULL) {
+           interface != NULL) {
                lck_rw_lock_shared(&necp_kernel_policy_lock);
                is_allowed = necp_route_is_allowed(NULL, interface, necp_get_route_rule_id_from_packet(packet), NULL);
                lck_rw_done(&necp_kernel_policy_lock);
        }
                lck_rw_lock_shared(&necp_kernel_policy_lock);
                is_allowed = necp_route_is_allowed(NULL, interface, necp_get_route_rule_id_from_packet(packet), NULL);
                lck_rw_done(&necp_kernel_policy_lock);
        }
-       return (is_allowed);
+       return is_allowed;
 }
 
 static bool
 }
 
 static bool
@@ -6539,16 +9582,29 @@ necp_netagents_allow_traffic(u_int32_t *netagent_ids, size_t netagent_id_count)
                                if (agent_flags & NETAGENT_FLAG_ACTIVE) {
                                        continue;
                                } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
                                if (agent_flags & NETAGENT_FLAG_ACTIVE) {
                                        continue;
                                } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
-                                       return (FALSE);
+                                       return FALSE;
                                }
                        }
                }
        }
                                }
                        }
                }
        }
-       return (TRUE);
+       return TRUE;
+}
+
+static bool
+necp_packet_filter_tags_receive(u_int16_t pf_tag, u_int32_t pass_flags)
+{
+       bool allowed_to_receive = TRUE;
+
+       if (pf_tag == PF_TAG_ID_STACK_DROP &&
+           (pass_flags & NECP_KERNEL_POLICY_PASS_PF_TAG) != NECP_KERNEL_POLICY_PASS_PF_TAG) {
+               allowed_to_receive = FALSE;
+       }
+
+       return allowed_to_receive;
 }
 
 static bool
 }
 
 static bool
-necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
        u_int32_t verifyifindex = interface ? interface->if_index : 0;
        bool allowed_to_receive = TRUE;
 {
        u_int32_t verifyifindex = interface ? interface->if_index : 0;
        bool allowed_to_receive = TRUE;
@@ -6558,17 +9614,30 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
        necp_kernel_policy_service service = { 0, 0 };
        u_int32_t route_rule_id = 0;
        struct rtentry *route = NULL;
        necp_kernel_policy_service service = { 0, 0 };
        u_int32_t route_rule_id = 0;
        struct rtentry *route = NULL;
-       bool cellular_denied = FALSE;
-
+       u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
+       necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
+       proc_t socket_proc = NULL;
+       necp_kernel_policy_filter filter_control_unit = 0;
+       u_int32_t pass_flags = 0;
+       u_int32_t flow_divert_aggregate_unit = 0;
+       necp_socket_bypass_type_t bypass_type = NECP_BYPASS_TYPE_NONE;
+
        memset(&netagent_ids, 0, sizeof(netagent_ids));
 
        if (return_policy_id) {
                *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        }
        memset(&netagent_ids, 0, sizeof(netagent_ids));
 
        if (return_policy_id) {
                *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        }
+       if (return_skip_policy_id) {
+               *return_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       }
        if (return_route_rule_id) {
                *return_route_rule_id = 0;
        }
        if (return_route_rule_id) {
                *return_route_rule_id = 0;
        }
+       if (return_pass_flags) {
+               *return_pass_flags = 0;
+       }
 
        if (inp == NULL) {
                goto done;
 
        if (inp == NULL) {
                goto done;
@@ -6576,12 +9645,15 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
 
        route = inp->inp_route.ro_rt;
 
 
        route = inp->inp_route.ro_rt;
 
+       struct socket *so = inp->inp_socket;
+
+       u_int32_t drop_order = necp_process_drop_order(so->so_cred);
+
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_socket_policies_count == 0 ||
        // Don't lock. Possible race condition, but we don't want the performance hit.
        if (necp_kernel_socket_policies_count == 0 ||
-               (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
-               if (necp_drop_all_order > 0) {
-                       if (necp_pass_loopback > 0 &&
-                               necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL)) {
+           (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
+               if (necp_drop_all_order > 0 || drop_order > 0) {
+                       if (necp_socket_bypass(override_local_addr, override_remote_addr, inp) != NECP_BYPASS_TYPE_NONE) {
                                allowed_to_receive = TRUE;
                        } else {
                                allowed_to_receive = FALSE;
                                allowed_to_receive = TRUE;
                        } else {
                                allowed_to_receive = FALSE;
@@ -6594,57 +9666,65 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
        if ((necp_socket_is_connected(inp) || (override_local_addr == NULL && override_remote_addr == NULL)) && inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                bool policies_have_changed = FALSE;
                bool route_allowed = TRUE;
        if ((necp_socket_is_connected(inp) || (override_local_addr == NULL && override_remote_addr == NULL)) && inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                bool policies_have_changed = FALSE;
                bool route_allowed = TRUE;
-               lck_rw_lock_shared(&necp_kernel_policy_lock);
+
                if (inp->inp_policyresult.policy_gencount != necp_kernel_socket_policies_gencount) {
                        policies_have_changed = TRUE;
                } else {
                if (inp->inp_policyresult.policy_gencount != necp_kernel_socket_policies_gencount) {
                        policies_have_changed = TRUE;
                } else {
-                       if (inp->inp_policyresult.results.route_rule_id != 0 &&
-                               !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &cellular_denied)) {
-                               route_allowed = FALSE;
+                       if (inp->inp_policyresult.results.route_rule_id != 0) {
+                               lck_rw_lock_shared(&necp_kernel_policy_lock);
+                               if (!necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied)) {
+                                       route_allowed = FALSE;
+                               }
+                               lck_rw_done(&necp_kernel_policy_lock);
                        }
                }
                        }
                }
-               lck_rw_done(&necp_kernel_policy_lock);
 
                if (!policies_have_changed) {
                        if (!route_allowed ||
 
                if (!policies_have_changed) {
                        if (!route_allowed ||
-                               inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                               inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
-                               (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
-                               inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex)) {
-                                       allowed_to_receive = FALSE;
-                               } else {
-                                       if (return_policy_id) {
-                                               *return_policy_id = inp->inp_policyresult.policy_id;
-                                       }
-                                       if (return_route_rule_id) {
-                                               *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
-                                       }
+                           inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
+                           inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+                           (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
+                           inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex)) {
+                               allowed_to_receive = FALSE;
+                       } else {
+                               if (return_policy_id) {
+                                       *return_policy_id = inp->inp_policyresult.policy_id;
+                               }
+                               if (return_skip_policy_id) {
+                                       *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
+                               }
+                               if (return_route_rule_id) {
+                                       *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
+                               }
+                               if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS) {
+                                       pass_flags = inp->inp_policyresult.results.result_parameter.pass_flags;
                                }
                                }
+                       }
                        goto done;
                }
        }
 
        // Check for loopback exception
                        goto done;
                }
        }
 
        // Check for loopback exception
-       if (necp_pass_loopback > 0 &&
-               necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL)) {
+       bypass_type = necp_socket_bypass(override_local_addr, override_remote_addr, inp);
+       if (bypass_type == NECP_BYPASS_TYPE_INTCOPROC || (bypass_type == NECP_BYPASS_TYPE_LOOPBACK && necp_pass_loopback == NECP_LOOPBACK_PASS_ALL)) {
                allowed_to_receive = TRUE;
                goto done;
        }
 
        // Actually calculate policy result
        lck_rw_lock_shared(&necp_kernel_policy_lock);
                allowed_to_receive = TRUE;
                goto done;
        }
 
        // Actually calculate policy result
        lck_rw_lock_shared(&necp_kernel_policy_lock);
-       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, 0, &info);
+       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, 0, drop_order, &socket_proc, &info, (bypass_type == NECP_BYPASS_TYPE_LOOPBACK));
 
        flowhash = necp_socket_calc_flowhash_locked(&info);
        if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
 
        flowhash = necp_socket_calc_flowhash_locked(&info);
        if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
-               inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
-               inp->inp_policyresult.flowhash == flowhash) {
+           inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
+           inp->inp_policyresult.flowhash == flowhash) {
                if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
                if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                       inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
-                       (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
-                       inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex) ||
-                       (inp->inp_policyresult.results.route_rule_id != 0 &&
-                        !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &cellular_denied))) {
+                   inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+                   (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
+                   inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex) ||
+                   (inp->inp_policyresult.results.route_rule_id != 0 &&
+                   !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied))) {
                        allowed_to_receive = FALSE;
                } else {
                        if (return_policy_id) {
                        allowed_to_receive = FALSE;
                } else {
                        if (return_policy_id) {
@@ -6653,23 +9733,61 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                        if (return_route_rule_id) {
                                *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                        }
                        if (return_route_rule_id) {
                                *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                        }
+                       if (return_skip_policy_id) {
+                               *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
+                       }
+                       if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS) {
+                               pass_flags = inp->inp_policyresult.results.result_parameter.pass_flags;
+                       }
+               }
+               lck_rw_done(&necp_kernel_policy_lock);
+               goto done;
+       }
+
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_array_count = 0;
+       struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, socket_proc ? socket_proc : current_proc(), pf_tag, return_skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass, &flow_divert_aggregate_unit);
+
+       // Check for loopback exception again after the policy match
+       if (bypass_type == NECP_BYPASS_TYPE_LOOPBACK &&
+           necp_pass_loopback == NECP_LOOPBACK_PASS_WITH_FILTER &&
+           (matched_policy == NULL || matched_policy->result != NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT)) {
+               // Polices have changed since last evaluation, update inp result with new filter state
+               if (inp->inp_policyresult.results.filter_control_unit != filter_control_unit) {
+                       inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
                }
                }
+               if (inp->inp_policyresult.results.flow_divert_aggregate_unit != flow_divert_aggregate_unit) {
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+               }
+               allowed_to_receive = TRUE;
                lck_rw_done(&necp_kernel_policy_lock);
                goto done;
        }
 
                lck_rw_done(&necp_kernel_policy_lock);
                goto done;
        }
 
-       struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, NULL, &route_rule_id, &service_action, &service, netagent_ids, NECP_MAX_NETAGENTS);
+       if (route_rule_id_array_count == 1) {
+               route_rule_id = route_rule_id_array[0];
+       } else if (route_rule_id_array_count > 1) {
+               route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       }
+
+       bool send_local_network_denied_event = false;
        if (matched_policy != NULL) {
        if (matched_policy != NULL) {
+               if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP &&
+                   matched_policy->result_parameter.drop_flags & NECP_KERNEL_POLICY_DROP_FLAG_LOCAL_NETWORK) {
+                       // Trigger the event that we dropped due to a local network policy
+                       send_local_network_denied_event = true;
+               }
+
                if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
                if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                       matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
-                       (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
-                       matched_policy->result_parameter.tunnel_interface_index != verifyifindex) ||
-                       ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
-                         service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
-                        service.identifier != 0 && service.identifier != NECP_NULL_SERVICE_ID) ||
-                       (route_rule_id != 0 &&
-                        !necp_route_is_allowed(route, interface, route_rule_id, &cellular_denied)) ||
-                       !necp_netagents_allow_traffic(netagent_ids, NECP_MAX_NETAGENTS)) {
+                   matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+                   (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
+                   matched_policy->result_parameter.tunnel_interface_index != verifyifindex) ||
+                   ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
+                   service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
+                   service.identifier != 0 && service.identifier != NECP_NULL_SERVICE_ID) ||
+                   (route_rule_id != 0 &&
+                   !necp_route_is_allowed(route, interface, route_rule_id, &interface_type_denied)) ||
+                   !necp_netagents_allow_traffic(netagent_ids, NECP_MAX_NETAGENTS)) {
                        allowed_to_receive = FALSE;
                } else {
                        if (return_policy_id) {
                        allowed_to_receive = FALSE;
                } else {
                        if (return_policy_id) {
@@ -6678,32 +9796,86 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                        if (return_route_rule_id) {
                                *return_route_rule_id = route_rule_id;
                        }
                        if (return_route_rule_id) {
                                *return_route_rule_id = route_rule_id;
                        }
+                       if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_PASS) {
+                               pass_flags = matched_policy->result_parameter.pass_flags;
+                       }
+                       // Polices has changed since last evaluation, update inp result with new filter state
+                       if (inp->inp_policyresult.results.filter_control_unit != filter_control_unit) {
+                               inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+                       }
+                       if (inp->inp_policyresult.results.flow_divert_aggregate_unit != flow_divert_aggregate_unit) {
+                               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+                       }
                }
                }
-               lck_rw_done(&necp_kernel_policy_lock);
 
                if (necp_debug > 1 && matched_policy->id != inp->inp_policyresult.policy_id) {
                        NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
                }
 
                if (necp_debug > 1 && matched_policy->id != inp->inp_policyresult.policy_id) {
                        NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
                }
-               goto done;
-       } else if (necp_drop_all_order > 0) {
+       } else {
+               bool drop_all = false;
+               if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(socket_proc ? socket_proc : current_proc());
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       allowed_to_receive = FALSE;
+               } else {
+                       if (return_policy_id) {
+                               *return_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       }
+                       if (return_route_rule_id) {
+                               *return_route_rule_id = route_rule_id;
+                       }
+
+                       // Polices has changed since last evaluation, update inp result with new filter state
+                       if (inp->inp_policyresult.results.filter_control_unit != filter_control_unit) {
+                               inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+                       }
+                       if (inp->inp_policyresult.results.flow_divert_aggregate_unit != flow_divert_aggregate_unit) {
+                               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+                       }
+               }
+       }
+
+       if (necp_check_restricted_multicast_drop(socket_proc ? socket_proc : current_proc(), &info, true)) {
                allowed_to_receive = FALSE;
        }
 
        lck_rw_done(&necp_kernel_policy_lock);
 
                allowed_to_receive = FALSE;
        }
 
        lck_rw_done(&necp_kernel_policy_lock);
 
+       if (send_local_network_denied_event) {
+               necp_send_network_denied_event(((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid),
+                   ((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid),
+                   NETPOLICY_NETWORKTYPE_LOCAL);
+       }
+
 done:
 done:
-       if (!allowed_to_receive && cellular_denied) {
+       if (return_pass_flags != NULL) {
+               *return_pass_flags = pass_flags;
+       }
+
+       if (pf_tag != 0 && allowed_to_receive) {
+               allowed_to_receive = necp_packet_filter_tags_receive(pf_tag, pass_flags);
+       }
+
+       if (!allowed_to_receive && interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
                soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
        }
 
                soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
        }
 
-       return (allowed_to_receive);
+       if (socket_proc) {
+               proc_rele(socket_proc);
+       }
+
+       return allowed_to_receive;
 }
 
 bool
 }
 
 bool
-necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
 {
-       struct sockaddr_in local;
-       struct sockaddr_in remote;
+       struct sockaddr_in local = {};
+       struct sockaddr_in remote = {};
        local.sin_family = remote.sin_family = AF_INET;
        local.sin_len = remote.sin_len = sizeof(struct sockaddr_in);
        local.sin_port = local_port;
        local.sin_family = remote.sin_family = AF_INET;
        local.sin_len = remote.sin_len = sizeof(struct sockaddr_in);
        local.sin_port = local_port;
@@ -6711,14 +9883,15 @@ necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port,
        memcpy(&local.sin_addr, local_addr, sizeof(local.sin_addr));
        memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
 
        memcpy(&local.sin_addr, local_addr, sizeof(local.sin_addr));
        memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
 
-       return (necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface, return_policy_id, return_route_rule_id));
+       return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
+                  pf_tag, return_policy_id, return_route_rule_id, return_skip_policy_id, return_pass_flags);
 }
 
 bool
 }
 
 bool
-necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
 {
-       struct sockaddr_in6 local;
-       struct sockaddr_in6 remote;
+       struct sockaddr_in6 local = {};
+       struct sockaddr_in6 remote = {};
        local.sin6_family = remote.sin6_family = AF_INET6;
        local.sin6_len = remote.sin6_len = sizeof(struct sockaddr_in6);
        local.sin6_port = local_port;
        local.sin6_family = remote.sin6_family = AF_INET6;
        local.sin6_len = remote.sin6_len = sizeof(struct sockaddr_in6);
        local.sin6_port = local_port;
@@ -6726,27 +9899,32 @@ necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port,
        memcpy(&local.sin6_addr, local_addr, sizeof(local.sin6_addr));
        memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
 
        memcpy(&local.sin6_addr, local_addr, sizeof(local.sin6_addr));
        memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
 
-       return (necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface, return_policy_id, return_route_rule_id));
+       return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
+                  pf_tag, return_policy_id, return_route_rule_id, return_skip_policy_id, return_pass_flags);
 }
 
 bool
 }
 
 bool
-necp_socket_is_allowed_to_send_recv(struct inpcb *inp, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv(struct inpcb *inp, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id,
+    u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
 {
-       return (necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, NULL, return_policy_id, return_route_rule_id));
+       return necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, interface, pf_tag,
+                  return_policy_id, return_route_rule_id,
+                  return_skip_policy_id, return_pass_flags);
 }
 
 int
 }
 
 int
-necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id)
+necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id,
+    necp_kernel_policy_id skip_policy_id, u_int32_t pass_flags)
 {
 {
-       if (packet == NULL || inp == NULL) {
-               return (EINVAL);
+       if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return EINVAL;
        }
 
        // Mark ID for Pass and IP Tunnel
        if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
        } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS ||
        }
 
        // Mark ID for Pass and IP Tunnel
        if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
        } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS ||
-               inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
+           inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
                packet->m_pkthdr.necp_mtag.necp_policy_id = inp->inp_policyresult.policy_id;
        } else {
                packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
                packet->m_pkthdr.necp_mtag.necp_policy_id = inp->inp_policyresult.policy_id;
        } else {
                packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
@@ -6757,15 +9935,35 @@ necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel
        } else {
                packet->m_pkthdr.necp_mtag.necp_route_rule_id = inp->inp_policyresult.results.route_rule_id;
        }
        } else {
                packet->m_pkthdr.necp_mtag.necp_route_rule_id = inp->inp_policyresult.results.route_rule_id;
        }
+       packet->m_pkthdr.necp_mtag.necp_app_id = (inp->inp_policyresult.app_id > UINT16_MAX ? (inp->inp_policyresult.app_id - UINT16_MAX) : inp->inp_policyresult.app_id);
+
+       if (skip_policy_id != NECP_KERNEL_POLICY_ID_NONE &&
+           skip_policy_id != NECP_KERNEL_POLICY_ID_NO_MATCH) {
+               // Only mark the skip policy if it is a valid policy ID
+               packet->m_pkthdr.necp_mtag.necp_skip_policy_id = skip_policy_id;
+       } else if (inp->inp_policyresult.results.filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+               // Overload the meaning of "NECP_KERNEL_POLICY_ID_NO_MATCH"
+               // to indicate that NECP_FILTER_UNIT_NO_FILTER was set
+               // See necp_get_skip_policy_id_from_packet() and
+               // necp_packet_should_skip_filters().
+               packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+       } else {
+               packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       if (((pass_flags & NECP_KERNEL_POLICY_PASS_PF_TAG) == NECP_KERNEL_POLICY_PASS_PF_TAG) ||
+           ((inp->inp_policyresult.results.result_parameter.pass_flags & NECP_KERNEL_POLICY_PASS_PF_TAG) == NECP_KERNEL_POLICY_PASS_PF_TAG)) {
+               m_pftag(packet)->pftag_tag = PF_TAG_ID_SYSTEM_SERVICE;
+       }
 
 
-       return (0);
+       return 0;
 }
 
 int
 necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
 {
 }
 
 int
 necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
 {
-       if (packet == NULL) {
-               return (EINVAL);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return EINVAL;
        }
 
        // Mark ID for Pass and IP Tunnel
        }
 
        // Mark ID for Pass and IP Tunnel
@@ -6775,14 +9973,14 @@ necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
                packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        }
 
                packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        }
 
-       return (0);
+       return 0;
 }
 
 int
 necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
 {
 }
 
 int
 necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
 {
-       if (packet == NULL) {
-               return (EINVAL);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return EINVAL;
        }
 
        // Mark ID for Pass and IP Tunnel
        }
 
        // Mark ID for Pass and IP Tunnel
@@ -6790,135 +9988,209 @@ necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
                packet->m_pkthdr.necp_mtag.necp_last_interface_index = interface->if_index;
        }
 
                packet->m_pkthdr.necp_mtag.necp_last_interface_index = interface->if_index;
        }
 
-       return (0);
+       return 0;
 }
 
 int
 necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
 {
 }
 
 int
 necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
 {
-       if (packet == NULL) {
-               return (EINVAL);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return EINVAL;
        }
        }
-       
+
        if (is_keepalive) {
                packet->m_pkthdr.pkt_flags |= PKTF_KEEPALIVE;
        } else {
                packet->m_pkthdr.pkt_flags &= ~PKTF_KEEPALIVE;
        }
        if (is_keepalive) {
                packet->m_pkthdr.pkt_flags |= PKTF_KEEPALIVE;
        } else {
                packet->m_pkthdr.pkt_flags &= ~PKTF_KEEPALIVE;
        }
-       
-       return (0);
+
+       return 0;
 }
 
 necp_kernel_policy_id
 necp_get_policy_id_from_packet(struct mbuf *packet)
 {
 }
 
 necp_kernel_policy_id
 necp_get_policy_id_from_packet(struct mbuf *packet)
 {
-       if (packet == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       return packet->m_pkthdr.necp_mtag.necp_policy_id;
+}
+
+necp_kernel_policy_id
+necp_get_skip_policy_id_from_packet(struct mbuf *packet)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       // Check for overloaded value. See necp_mark_packet_from_socket().
+       if (packet->m_pkthdr.necp_mtag.necp_skip_policy_id == NECP_KERNEL_POLICY_ID_NO_MATCH) {
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       return packet->m_pkthdr.necp_mtag.necp_skip_policy_id;
+}
+
+u_int16_t
+necp_get_packet_filter_tags_from_packet(struct mbuf *packet)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return 0;
        }
        }
-       
-       return (packet->m_pkthdr.necp_mtag.necp_policy_id);
+
+       return m_pftag(packet)->pftag_tag;
+}
+
+bool
+necp_packet_should_skip_filters(struct mbuf *packet)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return false;
+       }
+
+       // Check for overloaded value. See necp_mark_packet_from_socket().
+       return packet->m_pkthdr.necp_mtag.necp_skip_policy_id == NECP_KERNEL_POLICY_ID_NO_MATCH;
 }
 
 u_int32_t
 necp_get_last_interface_index_from_packet(struct mbuf *packet)
 {
 }
 
 u_int32_t
 necp_get_last_interface_index_from_packet(struct mbuf *packet)
 {
-       if (packet == NULL) {
-               return (0);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return 0;
        }
 
        }
 
-       return (packet->m_pkthdr.necp_mtag.necp_last_interface_index);
+       return packet->m_pkthdr.necp_mtag.necp_last_interface_index;
 }
 
 u_int32_t
 necp_get_route_rule_id_from_packet(struct mbuf *packet)
 {
 }
 
 u_int32_t
 necp_get_route_rule_id_from_packet(struct mbuf *packet)
 {
-       if (packet == NULL) {
-               return (0);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return 0;
+       }
+
+       return packet->m_pkthdr.necp_mtag.necp_route_rule_id;
+}
+
+int
+necp_get_app_uuid_from_packet(struct mbuf *packet,
+    uuid_t app_uuid)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return EINVAL;
        }
 
        }
 
-       return (packet->m_pkthdr.necp_mtag.necp_route_rule_id);
+       bool found_mapping = FALSE;
+       if (packet->m_pkthdr.necp_mtag.necp_app_id != 0) {
+               lck_rw_lock_shared(&necp_kernel_policy_lock);
+               necp_app_id app_id = (packet->m_pkthdr.necp_mtag.necp_app_id < UINT16_MAX ? (packet->m_pkthdr.necp_mtag.necp_app_id + UINT16_MAX) : packet->m_pkthdr.necp_mtag.necp_app_id);
+               struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(app_id);
+               if (entry != NULL) {
+                       uuid_copy(app_uuid, entry->uuid);
+                       found_mapping = true;
+               }
+               lck_rw_done(&necp_kernel_policy_lock);
+       }
+       if (!found_mapping) {
+               uuid_clear(app_uuid);
+       }
+       return 0;
 }
 
 bool
 necp_get_is_keepalive_from_packet(struct mbuf *packet)
 {
 }
 
 bool
 necp_get_is_keepalive_from_packet(struct mbuf *packet)
 {
-       if (packet == NULL) {
-               return (FALSE);
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return FALSE;
        }
        }
-       
-       return (packet->m_pkthdr.pkt_flags & PKTF_KEEPALIVE);
+
+       return packet->m_pkthdr.pkt_flags & PKTF_KEEPALIVE;
 }
 
 u_int32_t
 necp_socket_get_content_filter_control_unit(struct socket *so)
 {
        struct inpcb *inp = sotoinpcb(so);
 }
 
 u_int32_t
 necp_socket_get_content_filter_control_unit(struct socket *so)
 {
        struct inpcb *inp = sotoinpcb(so);
-       
+
        if (inp == NULL) {
        if (inp == NULL) {
-               return (0);
+               return 0;
        }
        }
-       return (inp->inp_policyresult.results.filter_control_unit);
+       return inp->inp_policyresult.results.filter_control_unit;
 }
 
 bool
 necp_socket_should_use_flow_divert(struct inpcb *inp)
 {
        if (inp == NULL) {
 }
 
 bool
 necp_socket_should_use_flow_divert(struct inpcb *inp)
 {
        if (inp == NULL) {
-               return (FALSE);
+               return FALSE;
        }
 
        }
 
-       return (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT);
+       return !(inp->inp_socket->so_flags1 & SOF1_FLOW_DIVERT_SKIP) &&
+              (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+              (inp->inp_policyresult.results.flow_divert_aggregate_unit != 0));
 }
 
 u_int32_t
 }
 
 u_int32_t
-necp_socket_get_flow_divert_control_unit(struct inpcb *inp)
+necp_socket_get_flow_divert_control_unit(struct inpcb *inp, uint32_t *aggregate_unit)
 {
        if (inp == NULL) {
 {
        if (inp == NULL) {
-               return (0);
+               return 0;
+       }
+
+       if (inp->inp_socket->so_flags1 & SOF1_FLOW_DIVERT_SKIP) {
+               return 0;
+       }
+
+       if (aggregate_unit != NULL &&
+           inp->inp_policyresult.results.flow_divert_aggregate_unit != 0) {
+               *aggregate_unit = inp->inp_policyresult.results.flow_divert_aggregate_unit;
        }
 
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
        }
 
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
-               return (inp->inp_policyresult.results.result_parameter.flow_divert_control_unit);
+               return inp->inp_policyresult.results.result_parameter.flow_divert_control_unit;
        }
 
        }
 
-       return (0);
+       return 0;
 }
 
 bool
 necp_socket_should_rescope(struct inpcb *inp)
 {
        if (inp == NULL) {
 }
 
 bool
 necp_socket_should_rescope(struct inpcb *inp)
 {
        if (inp == NULL) {
-               return (FALSE);
+               return FALSE;
        }
        }
-       
-       return (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED);
+
+       return inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED ||
+              inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT;
 }
 
 u_int
 necp_socket_get_rescope_if_index(struct inpcb *inp)
 {
        if (inp == NULL) {
 }
 
 u_int
 necp_socket_get_rescope_if_index(struct inpcb *inp)
 {
        if (inp == NULL) {
-               return (0);
+               return 0;
        }
        }
-       
+
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
-               return (inp->inp_policyresult.results.result_parameter.scoped_interface_index);
+               return inp->inp_policyresult.results.result_parameter.scoped_interface_index;
+       } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
+               return necp_get_primary_direct_interface_index();
        }
        }
-       
-       return (0);
+
+       return 0;
 }
 
 u_int32_t
 necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
 {
        if (inp == NULL) {
 }
 
 u_int32_t
 necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
 {
        if (inp == NULL) {
-               return (current_mtu);
+               return current_mtu;
        }
 
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
        }
 
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
-               (inp->inp_flags & INP_BOUND_IF) &&
-               inp->inp_boundifp) {
-
+           (inp->inp_flags & INP_BOUND_IF) &&
+           inp->inp_boundifp) {
                u_int bound_interface_index = inp->inp_boundifp->if_index;
                u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
 
                u_int bound_interface_index = inp->inp_boundifp->if_index;
                u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
 
@@ -6934,40 +10206,40 @@ necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
                                u_int32_t direct_tunnel_mtu = tunnel_interface->if_mtu;
                                u_int32_t delegate_tunnel_mtu = (tunnel_interface->if_delegated.ifp != NULL) ? tunnel_interface->if_delegated.ifp->if_mtu : 0;
                                if (delegate_tunnel_mtu != 0 &&
                                u_int32_t direct_tunnel_mtu = tunnel_interface->if_mtu;
                                u_int32_t delegate_tunnel_mtu = (tunnel_interface->if_delegated.ifp != NULL) ? tunnel_interface->if_delegated.ifp->if_mtu : 0;
                                if (delegate_tunnel_mtu != 0 &&
-                                       strncmp(tunnel_interface->if_name, "ipsec", strlen("ipsec")) == 0) {
-                                               // For ipsec interfaces, calculate the overhead from the delegate interface
-                                               u_int32_t tunnel_overhead = (u_int32_t)(esp_hdrsiz(NULL) + sizeof(struct ip6_hdr));
-                                               if (delegate_tunnel_mtu > tunnel_overhead) {
-                                                       delegate_tunnel_mtu -= tunnel_overhead;
-                                               }
+                                   strncmp(tunnel_interface->if_name, "ipsec", strlen("ipsec")) == 0) {
+                                       // For ipsec interfaces, calculate the overhead from the delegate interface
+                                       u_int32_t tunnel_overhead = (u_int32_t)(esp_hdrsiz(NULL) + sizeof(struct ip6_hdr));
+                                       if (delegate_tunnel_mtu > tunnel_overhead) {
+                                               delegate_tunnel_mtu -= tunnel_overhead;
+                                       }
 
 
-                                               if (delegate_tunnel_mtu < direct_tunnel_mtu) {
-                                                       // If the (delegate - overhead) < direct, return (delegate - overhead)
-                                                       return (delegate_tunnel_mtu);
-                                               } else {
-                                                       // Otherwise return direct
-                                                       return (direct_tunnel_mtu);
-                                               }
+                                       if (delegate_tunnel_mtu < direct_tunnel_mtu) {
+                                               // If the (delegate - overhead) < direct, return (delegate - overhead)
+                                               return delegate_tunnel_mtu;
+                                       } else {
+                                               // Otherwise return direct
+                                               return direct_tunnel_mtu;
+                                       }
                                } else {
                                        // For non-ipsec interfaces, just return the tunnel MTU
                                } else {
                                        // For non-ipsec interfaces, just return the tunnel MTU
-                                       return (direct_tunnel_mtu);
+                                       return direct_tunnel_mtu;
                                }
                        }
                }
        }
 
        // By default, just return the MTU passed in
                                }
                        }
                }
        }
 
        // By default, just return the MTU passed in
-       return (current_mtu);
+       return current_mtu;
 }
 
 ifnet_t
 necp_get_ifnet_from_result_parameter(necp_kernel_policy_result_parameter *result_parameter)
 {
        if (result_parameter == NULL) {
 }
 
 ifnet_t
 necp_get_ifnet_from_result_parameter(necp_kernel_policy_result_parameter *result_parameter)
 {
        if (result_parameter == NULL) {
-               return (NULL);
+               return NULL;
        }
 
        }
 
-       return (ifindex2ifnet[result_parameter->tunnel_interface_index]);
+       return ifindex2ifnet[result_parameter->tunnel_interface_index];
 }
 
 bool
 }
 
 bool
@@ -6980,13 +10252,13 @@ necp_packet_can_rebind_to_ifnet(struct mbuf *packet, struct ifnet *interface, st
        int i;
 
        if (packet == NULL || interface == NULL || new_route == NULL || (family != AF_INET && family != AF_INET6)) {
        int i;
 
        if (packet == NULL || interface == NULL || new_route == NULL || (family != AF_INET && family != AF_INET6)) {
-               return (FALSE);
+               return FALSE;
        }
 
        result = ifnet_get_address_list_family(interface, &addresses, family);
        if (result != 0) {
                NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
        }
 
        result = ifnet_get_address_list_family(interface, &addresses, family);
        if (result != 0) {
                NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
-               return (FALSE);
+               return FALSE;
        }
 
        for (i = 0; addresses[i] != NULL; i++) {
        }
 
        for (i = 0; addresses[i] != NULL; i++) {
@@ -7025,27 +10297,27 @@ necp_packet_can_rebind_to_ifnet(struct mbuf *packet, struct ifnet *interface, st
 done:
        ifnet_free_address_list(addresses);
        addresses = NULL;
 done:
        ifnet_free_address_list(addresses);
        addresses = NULL;
-       return (found_match);
+       return found_match;
 }
 
 static bool
 necp_addr_is_loopback(struct sockaddr *address)
 {
        if (address == NULL) {
 }
 
 static bool
 necp_addr_is_loopback(struct sockaddr *address)
 {
        if (address == NULL) {
-               return (FALSE);
+               return FALSE;
        }
        }
-       
+
        if (address->sa_family == AF_INET) {
        if (address->sa_family == AF_INET) {
-               return (ntohl(((struct sockaddr_in *)(void *)address)->sin_addr.s_addr) == INADDR_LOOPBACK);
+               return ntohl(((struct sockaddr_in *)(void *)address)->sin_addr.s_addr) == INADDR_LOOPBACK;
        } else if (address->sa_family == AF_INET6) {
                return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)(void *)address)->sin6_addr);
        }
        } else if (address->sa_family == AF_INET6) {
                return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)(void *)address)->sin6_addr);
        }
-       
-       return (FALSE);
+
+       return FALSE;
 }
 
 static bool
 }
 
 static bool
-necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet)
+necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet, u_int32_t bound_interface_index)
 {
        // Note: This function only checks for the loopback addresses.
        // In the future, we may want to expand to also allow any traffic
 {
        // Note: This function only checks for the loopback addresses.
        // In the future, we may want to expand to also allow any traffic
@@ -7053,49 +10325,258 @@ necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, stru
        // check is cheaper.
 
        if (local_addr != NULL && necp_addr_is_loopback(local_addr)) {
        // check is cheaper.
 
        if (local_addr != NULL && necp_addr_is_loopback(local_addr)) {
-               return (TRUE);
+               return TRUE;
        }
        }
-       
+
        if (remote_addr != NULL && necp_addr_is_loopback(remote_addr)) {
        if (remote_addr != NULL && necp_addr_is_loopback(remote_addr)) {
-               return (TRUE);
+               return TRUE;
        }
        }
-       
+
        if (inp != NULL) {
                if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp && (inp->inp_boundifp->if_flags & IFF_LOOPBACK)) {
        if (inp != NULL) {
                if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp && (inp->inp_boundifp->if_flags & IFF_LOOPBACK)) {
-                       return (TRUE);
+                       return TRUE;
                }
                if (inp->inp_vflag & INP_IPV4) {
                        if (ntohl(inp->inp_laddr.s_addr) == INADDR_LOOPBACK ||
                }
                if (inp->inp_vflag & INP_IPV4) {
                        if (ntohl(inp->inp_laddr.s_addr) == INADDR_LOOPBACK ||
-                               ntohl(inp->inp_faddr.s_addr) == INADDR_LOOPBACK) {
-                               return (TRUE);
+                           ntohl(inp->inp_faddr.s_addr) == INADDR_LOOPBACK) {
+                               return TRUE;
                        }
                } else if (inp->inp_vflag & INP_IPV6) {
                        if (IN6_IS_ADDR_LOOPBACK(&inp->in6p_laddr) ||
                        }
                } else if (inp->inp_vflag & INP_IPV6) {
                        if (IN6_IS_ADDR_LOOPBACK(&inp->in6p_laddr) ||
-                               IN6_IS_ADDR_LOOPBACK(&inp->in6p_faddr)) {
-                               return (TRUE);
+                           IN6_IS_ADDR_LOOPBACK(&inp->in6p_faddr)) {
+                               return TRUE;
                        }
                }
                        }
                }
+       } else if (bound_interface_index != IFSCOPE_NONE && lo_ifp->if_index == bound_interface_index) {
+               return TRUE;
        }
        }
-       
+
        if (packet != NULL) {
                struct ip *ip = mtod(packet, struct ip *);
                if (ip->ip_v == 4) {
                        if (ntohl(ip->ip_src.s_addr) == INADDR_LOOPBACK) {
        if (packet != NULL) {
                struct ip *ip = mtod(packet, struct ip *);
                if (ip->ip_v == 4) {
                        if (ntohl(ip->ip_src.s_addr) == INADDR_LOOPBACK) {
-                               return (TRUE);
+                               return TRUE;
                        }
                        if (ntohl(ip->ip_dst.s_addr) == INADDR_LOOPBACK) {
                        }
                        if (ntohl(ip->ip_dst.s_addr) == INADDR_LOOPBACK) {
-                               return (TRUE);
+                               return TRUE;
                        }
                } else if (ip->ip_v == 6) {
                        struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
                        if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)) {
                        }
                } else if (ip->ip_v == 6) {
                        struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
                        if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)) {
-                               return (TRUE);
+                               return TRUE;
                        }
                        if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
                        }
                        if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
-                               return (TRUE);
+                               return TRUE;
+                       }
+               }
+       }
+
+       return FALSE;
+}
+
+static bool
+necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet)
+{
+       if (inp != NULL) {
+               if (!(inp->inp_vflag & INP_IPV6)) {
+                       return false;
+               }
+               if (INP_INTCOPROC_ALLOWED(inp)) {
+                       return true;
+               }
+               if ((inp->inp_flags & INP_BOUND_IF) &&
+                   IFNET_IS_INTCOPROC(inp->inp_boundifp)) {
+                       return true;
+               }
+               return false;
+       }
+       if (packet != NULL) {
+               struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
+               if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION &&
+                   IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst) &&
+                   ip6->ip6_dst.s6_addr32[2] == ntohl(0xaede48ff) &&
+                   ip6->ip6_dst.s6_addr32[3] == ntohl(0xfe334455)) {
+                       return true;
+               }
+       }
+
+       return false;
+}
+
+static bool
+necp_address_matches_drop_dest_policy(union necp_sockaddr_union *sau, u_int32_t session_order)
+{
+       char dest_str[MAX_IPv6_STR_LEN];
+
+       if (necp_drop_dest_debug > 0) {
+               if (sau->sa.sa_family == AF_INET) {
+                       (void) inet_ntop(AF_INET, &sau->sin.sin_addr, dest_str, sizeof(dest_str));
+               } else if (sau->sa.sa_family == AF_INET6) {
+                       (void) inet_ntop(AF_INET6, &sau->sin6.sin6_addr, dest_str, sizeof(dest_str));
+               } else {
+                       dest_str[0] = 0;
+               }
+       }
+       for (u_int32_t i = 0; i < necp_drop_dest_policy.entry_count; i++) {
+               struct necp_drop_dest_entry *necp_drop_dest_entry = &necp_drop_dest_policy.entries[i];
+               struct necp_policy_condition_addr *npca = &necp_drop_dest_entry->cond_addr;
+
+               if (session_order >= necp_drop_dest_entry->order && necp_is_addr_in_subnet(&sau->sa, &npca->address.sa, npca->prefix)) {
+                       if (necp_drop_dest_debug > 0) {
+                               char subnet_str[MAX_IPv6_STR_LEN];
+                               struct proc *p = current_proc();
+                               pid_t pid = proc_pid(p);
+
+                               if (sau->sa.sa_family == AF_INET) {
+                                       (void) inet_ntop(AF_INET, &npca->address.sin, subnet_str, sizeof(subnet_str));
+                                       os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s matches %s/%u", __func__, proc_best_name(p), pid, dest_str, subnet_str, npca->prefix);
+                               } else if (sau->sa.sa_family == AF_INET6) {
+                                       (void) inet_ntop(AF_INET6, &npca->address.sin6, subnet_str, sizeof(subnet_str));
+                                       os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s matches %s/%u", __func__, proc_best_name(p), pid, dest_str, subnet_str, npca->prefix);
+                               }
+                       }
+                       return true;
+               }
+       }
+       if (necp_drop_dest_debug > 1) {
+               struct proc *p = current_proc();
+               pid_t pid = proc_pid(p);
+
+               os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s no match", __func__, proc_best_name(p), pid, dest_str);
+       }
+       return false;
+}
+
+static int
+sysctl_handle_necp_drop_dest_level SYSCTL_HANDLER_ARGS
+{
+#pragma unused(arg1, arg2, oidp)
+       int changed = 0;
+       int error = 0;
+       struct necp_drop_dest_policy tmp_drop_dest_policy;
+       struct proc *p = current_proc();
+       pid_t pid = proc_pid(p);
+
+       if (req->newptr != USER_ADDR_NULL && proc_suser(current_proc()) != 0 &&
+           priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) not permitted", __func__, proc_best_name(p), pid);
+               return EPERM;
+       }
+       if (req->newptr != USER_ADDR_NULL && req->newlen != sizeof(struct necp_drop_dest_policy)) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) bad newlen %lu", __func__, proc_best_name(p), pid, req->newlen);
+               return EINVAL;
+       }
+
+       memcpy(&tmp_drop_dest_policy, &necp_drop_dest_policy, sizeof(struct necp_drop_dest_policy));
+       error = sysctl_io_opaque(req, &tmp_drop_dest_policy, sizeof(struct necp_drop_dest_policy), &changed);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) sysctl_io_opaque() error %d", __func__, proc_best_name(p), pid, error);
+               return error;
+       }
+       if (changed == 0 || req->newptr == USER_ADDR_NULL) {
+               return error;
+       }
+
+       //
+       // Validate the passed parameters
+       //
+       if (tmp_drop_dest_policy.entry_count >= MAX_NECP_DROP_DEST_LEVEL_ADDRS) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) bad entry_count %u", __func__, proc_best_name(p), pid, tmp_drop_dest_policy.entry_count);
+               return EINVAL;
+       }
+       for (u_int32_t i = 0; i < tmp_drop_dest_policy.entry_count; i++) {
+               struct necp_drop_dest_entry *tmp_drop_dest_entry = &tmp_drop_dest_policy.entries[i];
+               struct necp_policy_condition_addr *npca = &tmp_drop_dest_entry->cond_addr;
+
+               switch (tmp_drop_dest_entry->level) {
+               case NECP_SESSION_PRIORITY_UNKNOWN:
+                       if (tmp_drop_dest_policy.entry_count != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) NECP_SESSION_PRIORITY_UNKNOWN bad entry_count %u", __func__, proc_best_name(p), pid, tmp_drop_dest_policy.entry_count);
+                               return EINVAL;
+                       }
+                       break;
+               case NECP_SESSION_PRIORITY_CONTROL:
+               case NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL:
+               case NECP_SESSION_PRIORITY_HIGH:
+               case NECP_SESSION_PRIORITY_HIGH_1:
+               case NECP_SESSION_PRIORITY_HIGH_2:
+               case NECP_SESSION_PRIORITY_HIGH_3:
+               case NECP_SESSION_PRIORITY_HIGH_4:
+               case NECP_SESSION_PRIORITY_HIGH_RESTRICTED:
+               case NECP_SESSION_PRIORITY_DEFAULT:
+               case NECP_SESSION_PRIORITY_LOW:
+                       if (tmp_drop_dest_policy.entry_count == 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) priority %u entry_count 0", __func__, proc_best_name(p), pid, tmp_drop_dest_entry->level);
+                               return EINVAL;
+                       }
+                       break;
+               default: {
+                       NECPLOG(LOG_ERR, "%s (process %s:%u) bad level %u", __func__, proc_best_name(p), pid, tmp_drop_dest_entry->level);
+                       return EINVAL;
+               }
+               }
+
+               switch (npca->address.sa.sa_family) {
+               case AF_INET: {
+                       if (npca->prefix > 32) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad prefix %u", __func__, proc_best_name(p), pid, npca->prefix);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin.sin_len != sizeof(struct sockaddr_in)) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad sin_len %u", __func__, proc_best_name(p), pid, npca->address.sin.sin_len);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin.sin_port != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad sin_port %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin.sin_port);
+                               return EINVAL;
+                       }
+                       break;
+               }
+               case AF_INET6: {
+                       if (npca->prefix > 128) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad prefix %u", __func__, proc_best_name(p), pid, npca->prefix);
+                               return EINVAL;
                        }
                        }
+                       if (npca->address.sin6.sin6_len != sizeof(struct sockaddr_in6)) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_len %u", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_len);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_port != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_port %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_port);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_flowinfo != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_flowinfo %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_flowinfo);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_scope_id != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_scope_id %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_scope_id);
+                               return EINVAL;
+                       }
+                       break;
+               }
+               default: {
+                       return EINVAL;
+               }
                }
        }
                }
        }
-       
-       return (FALSE);
+
+       //
+       // Commit the changed policy
+       //
+       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+       memset(&necp_drop_dest_policy, 0, sizeof(struct necp_drop_dest_policy));
+
+       necp_drop_dest_policy.entry_count = tmp_drop_dest_policy.entry_count;
+       for (u_int32_t i = 0; i < tmp_drop_dest_policy.entry_count; i++) {
+               struct necp_drop_dest_entry *tmp_drop_dest_entry = &tmp_drop_dest_policy.entries[i];
+               struct necp_drop_dest_entry *necp_drop_dest_entry = &necp_drop_dest_policy.entries[i];
+
+               memcpy(necp_drop_dest_entry, tmp_drop_dest_entry, sizeof(struct necp_drop_dest_entry));
+
+               necp_drop_dest_entry->order = necp_get_first_order_for_priority(necp_drop_dest_entry->level);
+       }
+       lck_rw_done(&necp_kernel_policy_lock);
+
+       return 0;
 }
 }
mirror of XNU