xnu-6153.61.1.tar.gz

[apple/xnu.git] / bsd / net / necp.c
diff --git a/bsd/net/necp.c b/bsd/net/necp.c

index 86cfe97ebe18972f4276fffcf734ef6644972780..2133f31f3601376d03be95e0c2f2eedc550860c0 100644 (file)
--- a/bsd/net/necp.c
+++ b/bsd/net/necp.c
@@ -1,5 +1,5 @@
  /*
  /*
- * Copyright (c) 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (c) 2013-2019 Apple Inc. All rights reserved.
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   *
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   *
@@ -42,10 +42,15 @@
  #include <sys/protosw.h>
  #include <sys/socket.h>
  #include <sys/socketvar.h>
  #include <sys/protosw.h>
  #include <sys/socket.h>
  #include <sys/socketvar.h>
+#include <sys/coalition.h>
+#include <sys/ubc.h>
+#include <sys/codesign.h>
+#include <kern/cs_blobs.h>
  #include <netinet/ip.h>
  #include <netinet/ip6.h>
  #include <netinet/tcp.h>
  #include <netinet/tcp_var.h>
  #include <netinet/ip.h>
  #include <netinet/ip6.h>
  #include <netinet/tcp.h>
  #include <netinet/tcp_var.h>
+#include <netinet/tcp_cache.h>
  #include <netinet/udp.h>
  #include <netinet/in_pcb.h>
  #include <netinet/in_tclass.h>
  #include <netinet/udp.h>
  #include <netinet/in_pcb.h>
  #include <netinet/in_tclass.h>
@@ -57,7 +62,12 @@
  #include <sys/sysproto.h>
  #include <sys/priv.h>
  #include <sys/kern_event.h>
  #include <sys/sysproto.h>
  #include <sys/priv.h>
  #include <sys/kern_event.h>
+#include <sys/file_internal.h>
  #include <IOKit/IOBSD.h>
  #include <IOKit/IOBSD.h>
+#include <libkern/crypto/rand.h>
+#include <corecrypto/cchmac.h>
+#include <corecrypto/ccsha2.h>
+#include <os/refcnt.h>
  #include <net/network_agent.h>
  #include <net/necp.h>
  
  #include <net/network_agent.h>
  #include <net/necp.h>
  
@@ -65,7 +75,7 @@
   * NECP - Network Extension Control Policy database
   * ------------------------------------------------
   * The goal of this module is to allow clients connecting via a
   * NECP - Network Extension Control Policy database
   * ------------------------------------------------
   * The goal of this module is to allow clients connecting via a
- * kernel control socket to create high-level policy sessions, which
+ * policy file descriptor to create high-level policy sessions, which
   * are ingested into low-level kernel policies that control and tag
   * traffic at the application, socket, and IP layers.
   *
   * are ingested into low-level kernel policies that control and tag
   * traffic at the application, socket, and IP layers.
   *
@@ -81,7 +91,7 @@
   * can specify the sub-order for each policy it creates which will be
   * used to further sort the kernel policies.
   *
   * can specify the sub-order for each policy it creates which will be
   * used to further sort the kernel policies.
   *
- *  Kernel Control Socket --> 1 necp_session --> list of necp_session_policy structs
+ *  Policy fd --> 1 necp_session --> list of necp_session_policy structs
   *
   * ------------------------------------------------
   * Kernel Policies
   *
   * ------------------------------------------------
   * Kernel Policies
@@ -133,98 +143,132 @@ u_int32_t necp_drop_all_level = 0;
  
  u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
  u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
  
  u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
  u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
+u_int32_t necp_pass_interpose = 1; // 0=Off, 1=On
+
+u_int32_t necp_drop_unentitled_order = 0;
+#ifdef XNU_TARGET_OS_WATCH
+u_int32_t necp_drop_unentitled_level = NECP_SESSION_PRIORITY_CONTROL + 1; // Block all unentitled traffic from policies below control level
+#else // XNU_TARGET_OS_WATCH
+u_int32_t necp_drop_unentitled_level = 0;
+#endif // XNU_TARGET_OS_WATCH
  
  u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
  
  u_int32_t necp_session_count = 0;
  
  
  u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
  
  u_int32_t necp_session_count = 0;
  
-#define        LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do {          \
-       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) {  \
-               LIST_INSERT_HEAD((head), elm, field);                                                                           \
-       } else {                                                                                                                                                \
-               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
-                       if (LIST_NEXT(tmpelm, field) == NULL || LIST_NEXT(tmpelm, field)->sortfield >= (elm)->sortfield) {      \
-                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
-                               break;                                                                                                                          \
-                       }                                                                                                                                               \
-               }                                                                                                                                                       \
-       }                                                                                                                                                               \
+#define LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do {          \
+       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) {  \
+               LIST_INSERT_HEAD((head), elm, field);                                                                           \
+       } else {                                                                                                                                                \
+               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
+                       if (LIST_NEXT(tmpelm, field) == NULL || LIST_NEXT(tmpelm, field)->sortfield >= (elm)->sortfield) {      \
+                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
+                               break;                                                                                                                          \
+                       }                                                                                                                                               \
+               }                                                                                                                                                       \
+       }                                                                                                                                                               \
  } while (0)
  
  } while (0)
  
-#define        LIST_INSERT_SORTED_TWICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, tmpelm) do {      \
-       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield))) {                                                                                                               \
-               LIST_INSERT_HEAD((head), elm, field);                                                                           \
-       } else {                                                                                                                                                \
-               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
-                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield))) {         \
-                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
-                               break;                                                                                                                          \
-                       }                                                                                                                                               \
-               }                                                                                                                                                       \
-       }                                                                                                                                                               \
+#define LIST_INSERT_SORTED_TWICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, tmpelm) do {      \
+       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield))) {                                                                                                               \
+               LIST_INSERT_HEAD((head), elm, field);                                                                           \
+       } else {                                                                                                                                                \
+               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
+                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield))) {         \
+                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
+                               break;                                                                                                                          \
+                       }                                                                                                                                               \
+               }                                                                                                                                                       \
+       }                                                                                                                                                               \
  } while (0)
  
  } while (0)
  
-#define        LIST_INSERT_SORTED_THRICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, thirdsortfield, tmpelm) do { \
-       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield == (elm)->secondsortfield) && (LIST_FIRST(head)->thirdsortfield >= (elm)->thirdsortfield))) {                                                                                                                      \
-               LIST_INSERT_HEAD((head), elm, field);                                                                           \
-       } else {                                                                                                                                                \
-               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
-                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield == (elm)->secondsortfield) && (LIST_NEXT(tmpelm, field)->thirdsortfield >= (elm)->thirdsortfield)))  { \
-                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
-                               break;                                                                                                                          \
-                       }                                                                                                                                               \
-               }                                                                                                                                                       \
-       }                                                                                                                                                               \
+#define LIST_INSERT_SORTED_THRICE_ASCENDING(head, elm, field, firstsortfield, secondsortfield, thirdsortfield, tmpelm) do { \
+       if (LIST_EMPTY((head)) || (LIST_FIRST(head)->firstsortfield > (elm)->firstsortfield) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_FIRST(head)->firstsortfield == (elm)->firstsortfield) && (LIST_FIRST(head)->secondsortfield == (elm)->secondsortfield) && (LIST_FIRST(head)->thirdsortfield >= (elm)->thirdsortfield))) {                                                                                                                      \
+               LIST_INSERT_HEAD((head), elm, field);                                                                           \
+       } else {                                                                                                                                                \
+               LIST_FOREACH(tmpelm, head, field) {                                                                                     \
+                       if (LIST_NEXT(tmpelm, field) == NULL || (LIST_NEXT(tmpelm, field)->firstsortfield > (elm)->firstsortfield) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield >= (elm)->secondsortfield)) || ((LIST_NEXT(tmpelm, field)->firstsortfield == (elm)->firstsortfield) && (LIST_NEXT(tmpelm, field)->secondsortfield == (elm)->secondsortfield) && (LIST_NEXT(tmpelm, field)->thirdsortfield >= (elm)->thirdsortfield)))  { \
+                               LIST_INSERT_AFTER(tmpelm, elm, field);                                                          \
+                               break;                                                                                                                          \
+                       }                                                                                                                                               \
+               }                                                                                                                                                       \
+       }                                                                                                                                                               \
  } while (0)
  
  } while (0)
  
-#define        IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(x)     ((x) == NECP_ROUTE_RULE_DENY_INTERFACE || (x) == NECP_ROUTE_RULE_ALLOW_INTERFACE)
-
-#define        NECP_KERNEL_CONDITION_ALL_INTERFACES            0x00001
-#define        NECP_KERNEL_CONDITION_BOUND_INTERFACE           0x00002
-#define        NECP_KERNEL_CONDITION_PROTOCOL                          0x00004
-#define        NECP_KERNEL_CONDITION_LOCAL_START                       0x00008
-#define        NECP_KERNEL_CONDITION_LOCAL_END                         0x00010
-#define        NECP_KERNEL_CONDITION_LOCAL_PREFIX                      0x00020
-#define        NECP_KERNEL_CONDITION_REMOTE_START                      0x00040
-#define        NECP_KERNEL_CONDITION_REMOTE_END                        0x00080
-#define        NECP_KERNEL_CONDITION_REMOTE_PREFIX                     0x00100
-#define        NECP_KERNEL_CONDITION_APP_ID                            0x00200
-#define        NECP_KERNEL_CONDITION_REAL_APP_ID                       0x00400
-#define        NECP_KERNEL_CONDITION_DOMAIN                            0x00800
-#define        NECP_KERNEL_CONDITION_ACCOUNT_ID                        0x01000
-#define        NECP_KERNEL_CONDITION_POLICY_ID                         0x02000
-#define        NECP_KERNEL_CONDITION_PID                                       0x04000
-#define        NECP_KERNEL_CONDITION_UID                                       0x08000
-#define        NECP_KERNEL_CONDITION_LAST_INTERFACE            0x10000                 // Only set from packets looping between interfaces
-#define        NECP_KERNEL_CONDITION_TRAFFIC_CLASS                     0x20000
-#define        NECP_KERNEL_CONDITION_ENTITLEMENT                       0x40000
-#define        NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT        0x80000
-
-#define NECP_MAX_POLICY_RESULT_SIZE                                    512
-#define NECP_MAX_ROUTE_RULES_ARRAY_SIZE                                1024
-#define NECP_MAX_CONDITIONS_ARRAY_SIZE                         4096
+#define IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(x)     ((x) == NECP_ROUTE_RULE_DENY_INTERFACE || (x) == NECP_ROUTE_RULE_ALLOW_INTERFACE)
+
+#define IS_NECP_DEST_IN_LOCAL_NETWORKS(rt) \
+    ((rt) != NULL && !((rt)->rt_flags & RTF_GATEWAY) && ((rt)->rt_ifa && (rt)->rt_ifa->ifa_ifp && !((rt)->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT)))
+
+#define NECP_KERNEL_CONDITION_ALL_INTERFACES            0x000001
+#define NECP_KERNEL_CONDITION_BOUND_INTERFACE           0x000002
+#define NECP_KERNEL_CONDITION_PROTOCOL                          0x000004
+#define NECP_KERNEL_CONDITION_LOCAL_START                       0x000008
+#define NECP_KERNEL_CONDITION_LOCAL_END                         0x000010
+#define NECP_KERNEL_CONDITION_LOCAL_PREFIX                      0x000020
+#define NECP_KERNEL_CONDITION_REMOTE_START                      0x000040
+#define NECP_KERNEL_CONDITION_REMOTE_END                        0x000080
+#define NECP_KERNEL_CONDITION_REMOTE_PREFIX                     0x000100
+#define NECP_KERNEL_CONDITION_APP_ID                            0x000200
+#define NECP_KERNEL_CONDITION_REAL_APP_ID                       0x000400
+#define NECP_KERNEL_CONDITION_DOMAIN                            0x000800
+#define NECP_KERNEL_CONDITION_ACCOUNT_ID                        0x001000
+#define NECP_KERNEL_CONDITION_POLICY_ID                         0x002000
+#define NECP_KERNEL_CONDITION_PID                                       0x004000
+#define NECP_KERNEL_CONDITION_UID                                       0x008000
+#define NECP_KERNEL_CONDITION_LAST_INTERFACE            0x010000                        // Only set from packets looping between interfaces
+#define NECP_KERNEL_CONDITION_TRAFFIC_CLASS                     0x020000
+#define NECP_KERNEL_CONDITION_ENTITLEMENT                       0x040000
+#define NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT        0x080000
+#define NECP_KERNEL_CONDITION_AGENT_TYPE                        0x100000
+#define NECP_KERNEL_CONDITION_HAS_CLIENT                        0x200000
+#define NECP_KERNEL_CONDITION_LOCAL_NETWORKS                    0x400000
+#define NECP_KERNEL_CONDITION_CLIENT_FLAGS                      0x800000
+#define NECP_KERNEL_CONDITION_LOCAL_EMPTY                       0x1000000
+#define NECP_KERNEL_CONDITION_REMOTE_EMPTY                      0x2000000
+#define NECP_KERNEL_CONDITION_PLATFORM_BINARY                   0x4000000
+
+#define NECP_MAX_POLICY_RESULT_SIZE                                     512
+#define NECP_MAX_ROUTE_RULES_ARRAY_SIZE                         1024
+#define NECP_MAX_CONDITIONS_ARRAY_SIZE                          4096
+#define NECP_MAX_POLICY_LIST_COUNT                                      1024
+
+// Cap the policy size at the max result + conditions size, with room for extra TLVs
+#define NECP_MAX_POLICY_SIZE                                            (1024 + NECP_MAX_POLICY_RESULT_SIZE + NECP_MAX_CONDITIONS_ARRAY_SIZE)
  
  struct necp_service_registration {
  
  struct necp_service_registration {
-       LIST_ENTRY(necp_service_registration)   session_chain;
-       LIST_ENTRY(necp_service_registration)   kernel_chain;
-       u_int32_t                                                               service_id;
+       LIST_ENTRY(necp_service_registration)   session_chain;
+       LIST_ENTRY(necp_service_registration)   kernel_chain;
+       u_int32_t                                                               service_id;
  };
  
  struct necp_session {
  };
  
  struct necp_session {
-       u_int32_t                                       control_unit;
-       u_int32_t                                       session_priority; // Descriptive priority rating
-       u_int32_t                                       session_order;
+       u_int8_t                                        necp_fd_type;
+       u_int32_t                                       control_unit;
+       u_int32_t                                       session_priority; // Descriptive priority rating
+       u_int32_t                                       session_order;
+
+       necp_policy_id                          last_policy_id;
  
  
-       bool                                            proc_locked; // Messages must come from proc_uuid
-       uuid_t                                          proc_uuid;
-       int                                                     proc_pid;
+       decl_lck_mtx_data(, lock);
  
  
-       bool                                            dirty;
+       bool                                            proc_locked; // Messages must come from proc_uuid
+       uuid_t                                          proc_uuid;
+       int                                                     proc_pid;
+
+       bool                                            dirty;
         LIST_HEAD(_policies, necp_session_policy) policies;
  
         LIST_HEAD(_services, necp_service_registration) services;
         LIST_HEAD(_policies, necp_session_policy) policies;
  
         LIST_HEAD(_services, necp_service_registration) services;
+
+       TAILQ_ENTRY(necp_session) chain;
  };
  
  };
  
+#define NECP_SESSION_LOCK(_s) lck_mtx_lock(&_s->lock)
+#define NECP_SESSION_UNLOCK(_s) lck_mtx_unlock(&_s->lock)
+
+static TAILQ_HEAD(_necp_session_list, necp_session) necp_session_list;
+
  struct necp_socket_info {
         pid_t pid;
         uid_t uid;
  struct necp_socket_info {
         pid_t pid;
         uid_t uid;
@@ -236,29 +280,26 @@ struct necp_socket_info {
         u_int32_t application_id;
         u_int32_t real_application_id;
         u_int32_t account_id;
         u_int32_t application_id;
         u_int32_t real_application_id;
         u_int32_t account_id;
+       u_int32_t drop_order;
+       u_int32_t client_flags;
         char *domain;
         errno_t cred_result;
         char *domain;
         errno_t cred_result;
+       unsigned has_client : 1;
+       unsigned is_platform_binary : 1;
+       unsigned __pad_bits : 6;
  };
  
  };
  
-static kern_ctl_ref    necp_kctlref;
-static u_int32_t       necp_family;
-static OSMallocTag     necp_malloc_tag;
-static lck_grp_attr_t  *necp_kernel_policy_grp_attr    = NULL;
-static lck_attr_t              *necp_kernel_policy_mtx_attr    = NULL;
-static lck_grp_t               *necp_kernel_policy_mtx_grp             = NULL;
+static  lck_grp_attr_t  *necp_kernel_policy_grp_attr    = NULL;
+static  lck_attr_t              *necp_kernel_policy_mtx_attr    = NULL;
+static  lck_grp_t               *necp_kernel_policy_mtx_grp             = NULL;
  decl_lck_rw_data(static, necp_kernel_policy_lock);
  
  decl_lck_rw_data(static, necp_kernel_policy_lock);
  
-static lck_grp_attr_t  *necp_route_rule_grp_attr       = NULL;
-static lck_attr_t              *necp_route_rule_mtx_attr       = NULL;
-static lck_grp_t               *necp_route_rule_mtx_grp        = NULL;
+static  lck_grp_attr_t  *necp_route_rule_grp_attr       = NULL;
+static  lck_attr_t              *necp_route_rule_mtx_attr       = NULL;
+static  lck_grp_t               *necp_route_rule_mtx_grp        = NULL;
  decl_lck_rw_data(static, necp_route_rule_lock);
  
  decl_lck_rw_data(static, necp_route_rule_lock);
  
-static necp_policy_id necp_last_policy_id = 0;
-static necp_kernel_policy_id necp_last_kernel_policy_id = 0;
-static u_int32_t necp_last_uuid_id = 0;
-static u_int32_t necp_last_string_id = 0;
-static u_int32_t necp_last_route_rule_id = 0;
-static u_int32_t necp_last_aggregate_route_rule_id = 0;
+os_refgrp_decl(static, necp_refgrp, "NECPRefGroup", NULL);
  
  /*
   * On modification, invalidate cached lookups by bumping the generation count.
  
  /*
   * On modification, invalidate cached lookups by bumping the generation count.
@@ -266,20 +307,36 @@ static u_int32_t necp_last_aggregate_route_rule_id = 0;
   * the subsystem lock.
   */
  static volatile int32_t necp_kernel_socket_policies_gencount;
   * the subsystem lock.
   */
  static volatile int32_t necp_kernel_socket_policies_gencount;
-#define        BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT() do {                                                     \
-       if (OSIncrementAtomic(&necp_kernel_socket_policies_gencount) == (INT32_MAX - 1)) {      \
-               necp_kernel_socket_policies_gencount = 1;                                                                               \
-       }                                                                                                                                                               \
+#define BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT() do {                                                     \
+       if (OSIncrementAtomic(&necp_kernel_socket_policies_gencount) == (INT32_MAX - 1)) {      \
+               necp_kernel_socket_policies_gencount = 1;                                                                               \
+       }                                                                                                                                                               \
  } while (0)
  
  } while (0)
  
+/*
+ * Drop-all Bypass:
+ * Allow priviledged processes to bypass the default drop-all
+ * via entitlement check.  For OSX, since entitlement check is
+ * not supported for configd, configd signing identity is checked
+ * instead.
+ */
+#define SIGNING_ID_CONFIGD "com.apple.configd"
+#define SIGNING_ID_CONFIGD_LEN (sizeof(SIGNING_ID_CONFIGD) - 1)
+
+typedef enum {
+       NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE = 0,
+       NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE = 1,
+       NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE = 2,
+} necp_drop_all_bypass_check_result_t;
+
  static u_int32_t necp_kernel_application_policies_condition_mask;
  static size_t necp_kernel_application_policies_count;
  static u_int32_t necp_kernel_socket_policies_condition_mask;
  static size_t necp_kernel_socket_policies_count;
  static size_t necp_kernel_socket_policies_non_app_count;
  static LIST_HEAD(_necpkernelsocketconnectpolicies, necp_kernel_socket_policy) necp_kernel_socket_policies;
  static u_int32_t necp_kernel_application_policies_condition_mask;
  static size_t necp_kernel_application_policies_count;
  static u_int32_t necp_kernel_socket_policies_condition_mask;
  static size_t necp_kernel_socket_policies_count;
  static size_t necp_kernel_socket_policies_non_app_count;
  static LIST_HEAD(_necpkernelsocketconnectpolicies, necp_kernel_socket_policy) necp_kernel_socket_policies;
-#define        NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS 5
-#define        NECP_SOCKET_MAP_APP_ID_TO_BUCKET(appid) (appid ? (appid%(NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS - 1) + 1) : 0)
+#define NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS 5
+#define NECP_SOCKET_MAP_APP_ID_TO_BUCKET(appid) (appid ? (appid%(NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS - 1) + 1) : 0)
  static struct necp_kernel_socket_policy **necp_kernel_socket_policies_map[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
  static struct necp_kernel_socket_policy **necp_kernel_socket_policies_app_layer_map;
  /*
  static struct necp_kernel_socket_policy **necp_kernel_socket_policies_map[NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS];
  static struct necp_kernel_socket_policy **necp_kernel_socket_policies_app_layer_map;
  /*
@@ -294,24 +351,21 @@ static u_int32_t necp_kernel_ip_output_policies_condition_mask;
  static size_t necp_kernel_ip_output_policies_count;
  static size_t necp_kernel_ip_output_policies_non_id_count;
  static LIST_HEAD(_necpkernelipoutputpolicies, necp_kernel_ip_output_policy) necp_kernel_ip_output_policies;
  static size_t necp_kernel_ip_output_policies_count;
  static size_t necp_kernel_ip_output_policies_non_id_count;
  static LIST_HEAD(_necpkernelipoutputpolicies, necp_kernel_ip_output_policy) necp_kernel_ip_output_policies;
-#define        NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS 5
-#define        NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(id) (id ? (id%(NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS - 1) + 1) : 0)
+#define NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS 5
+#define NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(id) (id ? (id%(NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS - 1) + 1) : 0)
  static struct necp_kernel_ip_output_policy **necp_kernel_ip_output_policies_map[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
  static struct necp_kernel_ip_output_policy **necp_kernel_ip_output_policies_map[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
+static struct necp_kernel_socket_policy pass_policy =
+{
+       .id = NECP_KERNEL_POLICY_ID_NO_MATCH,
+       .result = NECP_KERNEL_POLICY_RESULT_PASS,
+};
  
  
-static struct necp_session *necp_create_session(u_int32_t control_unit);
+static struct necp_session *necp_create_session(void);
  static void necp_delete_session(struct necp_session *session);
  
  static void necp_delete_session(struct necp_session *session);
  
-static void necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_get(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_delete(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_apply_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_list_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_delete_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_set_session_priority(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_lock_session_to_proc(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_register_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
-static void necp_handle_unregister_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset);
+static necp_policy_id necp_handle_policy_add(struct necp_session *session,
+    u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *error);
+static int necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length);
  
  #define MAX_RESULT_STRING_LEN 64
  static inline const char * necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
  
  #define MAX_RESULT_STRING_LEN 64
  static inline const char * necp_get_result_description(char *result_string, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
@@ -323,13 +377,13 @@ static bool necp_policy_mark_all_for_deletion(struct necp_session *session);
  static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
  static void necp_policy_apply_all(struct necp_session *session);
  
  static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
  static void necp_policy_apply_all(struct necp_session *session);
  
-static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
+static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, u_int32_t cond_client_flags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
  static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
  static bool necp_kernel_socket_policies_reprocess(void);
  static bool necp_kernel_socket_policies_update_uuid_table(void);
  static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
  static bool necp_kernel_socket_policies_reprocess(void);
  static bool necp_kernel_socket_policies_update_uuid_table(void);
-static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, size_t netagent_array_count, proc_t proc);
+static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass);
  
  
-static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
+static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
  static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
  static bool necp_kernel_ip_output_policies_reprocess(void);
  
  static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
  static bool necp_kernel_ip_output_policies_reprocess(void);
  
@@ -338,23 +392,24 @@ static bool necp_is_range_in_range(struct sockaddr *inner_range_start, struct so
  static bool necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix);
  static int necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port);
  static bool necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits);
  static bool necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix);
  static int necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port);
  static bool necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits);
-static bool necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet);
+static bool necp_addr_is_empty(struct sockaddr *addr);
+static bool necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet, u_int32_t bound_interface_index);
  static bool necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet);
  
  struct necp_uuid_id_mapping {
         LIST_ENTRY(necp_uuid_id_mapping) chain;
  static bool necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet);
  
  struct necp_uuid_id_mapping {
         LIST_ENTRY(necp_uuid_id_mapping) chain;
-       uuid_t          uuid;
-       u_int32_t       id;
-       u_int32_t       refcount;
-       u_int32_t       table_refcount; // Add to UUID policy table count
+       uuid_t          uuid;
+       u_int32_t       id;
+       os_refcnt_t     refcount;
+       u_int32_t       table_usecount; // Add to UUID policy table count
  };
  static size_t necp_num_uuid_app_id_mappings;
  static bool necp_uuid_app_id_mappings_dirty;
  };
  static size_t necp_num_uuid_app_id_mappings;
  static bool necp_uuid_app_id_mappings_dirty;
-#define        NECP_UUID_APP_ID_HASH_SIZE 64
+#define NECP_UUID_APP_ID_HASH_SIZE 64
  static u_long necp_uuid_app_id_hash_mask;
  static u_long necp_uuid_app_id_hash_num_buckets;
  static u_long necp_uuid_app_id_hash_mask;
  static u_long necp_uuid_app_id_hash_num_buckets;
-static LIST_HEAD(necp_uuid_id_mapping_head, necp_uuid_id_mapping) *necp_uuid_app_id_hashtbl, necp_uuid_service_id_list; // App map is real hash table, service map is just mapping
-#define        APPUUIDHASH(uuid) (&necp_uuid_app_id_hashtbl[uuid[0] & necp_uuid_app_id_hash_mask]) // Assume first byte of UUIDs are evenly distributed
+static LIST_HEAD(necp_uuid_id_mapping_head, necp_uuid_id_mapping) * necp_uuid_app_id_hashtbl, necp_uuid_service_id_list; // App map is real hash table, service map is just mapping
+#define APPUUIDHASH(uuid) (&necp_uuid_app_id_hashtbl[uuid[0] & necp_uuid_app_id_hash_mask]) // Assume first byte of UUIDs are evenly distributed
  static u_int32_t necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table);
  static bool necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table);
  static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id);
  static u_int32_t necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_policy_table);
  static bool necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_policy_table);
  static struct necp_uuid_id_mapping *necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id);
@@ -366,65 +421,84 @@ static bool necp_remove_uuid_service_id_mapping(uuid_t uuid);
  
  struct necp_string_id_mapping {
         LIST_ENTRY(necp_string_id_mapping) chain;
  
  struct necp_string_id_mapping {
         LIST_ENTRY(necp_string_id_mapping) chain;
-       char            *string;
-       necp_app_id     id;
-       u_int32_t       refcount;
+       char            *string;
+       necp_app_id     id;
+       os_refcnt_t     refcount;
  };
  static LIST_HEAD(necp_string_id_mapping_list, necp_string_id_mapping) necp_account_id_list;
  static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
  static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
  static struct necp_string_id_mapping *necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id);
  
  };
  static LIST_HEAD(necp_string_id_mapping_list, necp_string_id_mapping) necp_account_id_list;
  static u_int32_t necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
  static bool necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char *domain);
  static struct necp_string_id_mapping *necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_int32_t local_id);
  
+static struct necp_kernel_socket_policy *necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id);
+static struct necp_kernel_ip_output_policy *necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id);
+
  static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
  
  static char *necp_create_trimmed_domain(char *string, size_t length);
  static inline int necp_count_dots(char *string, size_t length);
  
  static char *necp_copy_string(char *string, size_t length);
  static LIST_HEAD(_necp_kernel_service_list, necp_service_registration) necp_registered_service_list;
  
  static char *necp_create_trimmed_domain(char *string, size_t length);
  static inline int necp_count_dots(char *string, size_t length);
  
  static char *necp_copy_string(char *string, size_t length);
+static bool necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id);
  
  #define ROUTE_RULE_IS_AGGREGATE(ruleid) (ruleid > UINT16_MAX)
  
  #define MAX_ROUTE_RULE_INTERFACES 10
  struct necp_route_rule {
         LIST_ENTRY(necp_route_rule) chain;
  
  #define ROUTE_RULE_IS_AGGREGATE(ruleid) (ruleid > UINT16_MAX)
  
  #define MAX_ROUTE_RULE_INTERFACES 10
  struct necp_route_rule {
         LIST_ENTRY(necp_route_rule) chain;
-       u_int32_t       id;
-       u_int32_t       default_action;
-       u_int8_t        cellular_action;
-       u_int8_t        wifi_action;
-       u_int8_t        wired_action;
-       u_int8_t        expensive_action;
-       u_int           exception_if_indices[MAX_ROUTE_RULE_INTERFACES];
-       u_int8_t        exception_if_actions[MAX_ROUTE_RULE_INTERFACES];
-       u_int32_t       refcount;
+       u_int32_t       id;
+       u_int32_t       default_action;
+       u_int8_t        cellular_action;
+       u_int8_t        wifi_action;
+       u_int8_t        wired_action;
+       u_int8_t        expensive_action;
+       u_int8_t        constrained_action;
+       u_int           exception_if_indices[MAX_ROUTE_RULE_INTERFACES];
+       u_int8_t        exception_if_actions[MAX_ROUTE_RULE_INTERFACES];
+       os_refcnt_t     refcount;
  };
  static LIST_HEAD(necp_route_rule_list, necp_route_rule) necp_route_rules;
  static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size);
  static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
  static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied);
  static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
  };
  static LIST_HEAD(necp_route_rule_list, necp_route_rule) necp_route_rules;
  static u_int32_t necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_array, u_int32_t route_rules_array_size);
  static bool necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_id);
  static bool necp_route_is_allowed(struct rtentry *route, ifnet_t interface, u_int32_t route_rule_id, u_int32_t *interface_type_denied);
  static struct necp_route_rule *necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route_rule_id);
+static inline void necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info);
  
  #define MAX_AGGREGATE_ROUTE_RULES 16
  struct necp_aggregate_route_rule {
         LIST_ENTRY(necp_aggregate_route_rule) chain;
  
  #define MAX_AGGREGATE_ROUTE_RULES 16
  struct necp_aggregate_route_rule {
         LIST_ENTRY(necp_aggregate_route_rule) chain;
-       u_int32_t       id;
-       u_int32_t       rule_ids[MAX_AGGREGATE_ROUTE_RULES];
+       u_int32_t       id;
+       u_int32_t       rule_ids[MAX_AGGREGATE_ROUTE_RULES];
  };
  static LIST_HEAD(necp_aggregate_route_rule_list, necp_aggregate_route_rule) necp_aggregate_route_rules;
  static u_int32_t necp_create_aggregate_route_rule(u_int32_t *rule_ids);
  
  // Sysctl definitions
  static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
  };
  static LIST_HEAD(necp_aggregate_route_rule_list, necp_aggregate_route_rule) necp_aggregate_route_rules;
  static u_int32_t necp_create_aggregate_route_rule(u_int32_t *rule_ids);
  
  // Sysctl definitions
  static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
+static int sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS;
  
  SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
  SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
  SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
  
  SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
  SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
  SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
+SYSCTL_INT(_net_necp, NECPCTL_PASS_INTERPOSE, pass_interpose, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_interpose, 0, "");
  SYSCTL_INT(_net_necp, NECPCTL_DEBUG, debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_debug, 0, "");
  SYSCTL_INT(_net_necp, NECPCTL_DEBUG, debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_debug, 0, "");
+SYSCTL_PROC(_net_necp, NECPCTL_DROP_UNENTITLED_LEVEL, drop_unentitled_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_unentitled_level, 0, &sysctl_handle_necp_unentitled_level, "IU", "");
  SYSCTL_PROC(_net_necp, NECPCTL_DROP_ALL_LEVEL, drop_all_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_all_level, 0, &sysctl_handle_necp_level, "IU", "");
  SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_POLICY_COUNT, socket_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_count, "");
  SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_NON_APP_POLICY_COUNT, socket_non_app_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_non_app_count, "");
  SYSCTL_LONG(_net_necp, NECPCTL_IP_POLICY_COUNT, ip_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_ip_output_policies_count, "");
  SYSCTL_INT(_net_necp, NECPCTL_SESSION_COUNT, session_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_session_count, 0, "");
  
  SYSCTL_PROC(_net_necp, NECPCTL_DROP_ALL_LEVEL, drop_all_level, CTLTYPE_INT | CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_all_level, 0, &sysctl_handle_necp_level, "IU", "");
  SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_POLICY_COUNT, socket_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_count, "");
  SYSCTL_LONG(_net_necp, NECPCTL_SOCKET_NON_APP_POLICY_COUNT, socket_non_app_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_socket_policies_non_app_count, "");
  SYSCTL_LONG(_net_necp, NECPCTL_IP_POLICY_COUNT, ip_policy_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_kernel_ip_output_policies_count, "");
  SYSCTL_INT(_net_necp, NECPCTL_SESSION_COUNT, session_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_session_count, 0, "");
  
+static struct necp_drop_dest_policy necp_drop_dest_policy;
+static int necp_drop_dest_debug = 0;    // 0: off, 1: match, >1: every evaluation
+SYSCTL_INT(_net_necp, OID_AUTO, drop_dest_debug, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_drop_dest_debug, 0, "");
+
+static int sysctl_handle_necp_drop_dest_level SYSCTL_HANDLER_ARGS;
+SYSCTL_PROC(_net_necp, OID_AUTO, drop_dest_level, CTLTYPE_STRUCT | CTLFLAG_LOCKED | CTLFLAG_ANYBODY | CTLFLAG_RW,
+    0, 0, &sysctl_handle_necp_drop_dest_level, "S,necp_drop_dest_level", "");
+
+static bool necp_address_matches_drop_dest_policy(union necp_sockaddr_union *, u_int32_t);
+
  // Session order allocation
  static u_int32_t
  necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
  // Session order allocation
  static u_int32_t
  necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
@@ -439,13 +513,16 @@ necp_allocate_new_session_order(u_int32_t priority, u_int32_t control_unit)
         // Use the control unit to decide the offset into the priority list
         new_order = (control_unit) + ((priority - 1) * 1000);
  
         // Use the control unit to decide the offset into the priority list
         new_order = (control_unit) + ((priority - 1) * 1000);
  
-       return (new_order);
+       return new_order;
  }
  
  static inline u_int32_t
  necp_get_first_order_for_priority(u_int32_t priority)
  {
  }
  
  static inline u_int32_t
  necp_get_first_order_for_priority(u_int32_t priority)
  {
-       return (((priority - 1) * 1000) + 1);
+       if (priority == 0) {
+               return 0;
+       }
+       return ((priority - 1) * 1000) + 1;
  }
  
  // Sysctl handler
  }
  
  // Sysctl handler
@@ -454,373 +531,962 @@ sysctl_handle_necp_level SYSCTL_HANDLER_ARGS
  {
  #pragma unused(arg1, arg2)
         int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
  {
  #pragma unused(arg1, arg2)
         int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
-       if (necp_drop_all_level == 0) {
-               necp_drop_all_order = 0;
+       necp_drop_all_order = necp_get_first_order_for_priority(necp_drop_all_level);
+       return error;
+}
+
+static int
+sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS
+{
+#pragma unused(arg1, arg2)
+       int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
+       necp_drop_unentitled_order = necp_get_first_order_for_priority(necp_drop_unentitled_level);
+       return error;
+}
+
+// Use a macro here to avoid computing the kauth_cred_t when necp_drop_unentitled_level is 0
+static inline u_int32_t
+_necp_process_drop_order_inner(kauth_cred_t cred)
+{
+       if (priv_check_cred(cred, PRIV_NET_PRIVILEGED_CLIENT_ACCESS, 0) != 0 &&
+           priv_check_cred(cred, PRIV_NET_PRIVILEGED_SERVER_ACCESS, 0) != 0) {
+               return necp_drop_unentitled_order;
         } else {
         } else {
-               necp_drop_all_order = necp_get_first_order_for_priority(necp_drop_all_level);
+               return 0;
         }
         }
-       return (error);
  }
  
  }
  
-// Kernel Control functions
-static errno_t necp_register_control(void);
-static errno_t necp_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac, void **unitinfo);
-static errno_t necp_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo);
-static errno_t necp_ctl_send(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, mbuf_t m, int flags);
-static void necp_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int flags);
-static errno_t necp_ctl_getopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t *len);
-static errno_t necp_ctl_setopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t len);
+#define necp_process_drop_order(_cred) (necp_drop_unentitled_order != 0 ? _necp_process_drop_order_inner(_cred) : necp_drop_unentitled_order)
+#pragma GCC poison _necp_process_drop_order_inner
  
  
-static bool necp_send_ctl_data(struct necp_session *session, u_int8_t *buffer, size_t buffer_size);
+// Session fd
  
  
-errno_t
-necp_init(void)
-{
-       errno_t result = 0;
+static int necp_session_op_close(struct fileglob *, vfs_context_t);
  
  
-       result = necp_register_control();
-       if (result != 0) {
-               goto done;
-       }
+static const struct fileops necp_session_fd_ops = {
+       .fo_type     = DTYPE_NETPOLICY,
+       .fo_read     = fo_no_read,
+       .fo_write    = fo_no_write,
+       .fo_ioctl    = fo_no_ioctl,
+       .fo_select   = fo_no_select,
+       .fo_close    = necp_session_op_close,
+       .fo_drain    = fo_no_drain,
+       .fo_kqfilter = fo_no_kqfilter,
+};
  
  
-       necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
-       if (necp_kernel_policy_grp_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
-               result = ENOMEM;
-               goto done;
+static inline necp_drop_all_bypass_check_result_t
+necp_check_drop_all_bypass_result(proc_t proc)
+{
+       if (proc == NULL) {
+               proc = current_proc();
+               if (proc == NULL) {
+                       return NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE;
+               }
         }
  
         }
  
-       necp_kernel_policy_mtx_grp = lck_grp_alloc_init(NECP_CONTROL_NAME, necp_kernel_policy_grp_attr);
-       if (necp_kernel_policy_mtx_grp == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
-               result = ENOMEM;
-               goto done;
+#if defined(XNU_TARGET_OS_OSX)
+       const char *signing_id = NULL;
+       const bool isConfigd = (csproc_get_platform_binary(proc) &&
+           (signing_id = cs_identity_get(proc)) &&
+           (strlen(signing_id) == SIGNING_ID_CONFIGD_LEN) &&
+           (memcmp(signing_id, SIGNING_ID_CONFIGD, SIGNING_ID_CONFIGD_LEN) == 0));
+       if (isConfigd) {
+               return NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE;
         }
         }
+#endif
  
  
-       necp_kernel_policy_mtx_attr = lck_attr_alloc_init();
-       if (necp_kernel_policy_mtx_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
-               result = ENOMEM;
-               goto done;
+       const task_t task = proc_task(proc);
+       if (task == NULL || !IOTaskHasEntitlement(task, "com.apple.private.necp.drop_all_bypass")) {
+               return NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE;
+       } else {
+               return NECP_DROP_ALL_BYPASS_CHECK_RESULT_TRUE;
         }
         }
+}
  
  
-       lck_rw_init(&necp_kernel_policy_lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
-
-       necp_route_rule_grp_attr = lck_grp_attr_alloc_init();
-       if (necp_route_rule_grp_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
-               result = ENOMEM;
+int
+necp_session_open(struct proc *p, struct necp_session_open_args *uap, int *retval)
+{
+#pragma unused(uap)
+       int error = 0;
+       struct necp_session *session = NULL;
+       struct fileproc *fp = NULL;
+       int fd = -1;
+
+       uid_t uid = kauth_cred_getuid(proc_ucred(p));
+       if (uid != 0 && priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
+               NECPLOG0(LOG_ERR, "Process does not hold necessary entitlement to open NECP session");
+               error = EACCES;
                 goto done;
         }
  
                 goto done;
         }
  
-       necp_route_rule_mtx_grp = lck_grp_alloc_init("necp_route_rule", necp_route_rule_grp_attr);
-       if (necp_route_rule_mtx_grp == NULL) {
-               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
-               result = ENOMEM;
+       error = falloc(p, &fp, &fd, vfs_context_current());
+       if (error != 0) {
                 goto done;
         }
  
                 goto done;
         }
  
-       necp_route_rule_mtx_attr = lck_attr_alloc_init();
-       if (necp_route_rule_mtx_attr == NULL) {
-               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
-               result = ENOMEM;
+       session = necp_create_session();
+       if (session == NULL) {
+               error = ENOMEM;
                 goto done;
         }
  
                 goto done;
         }
  
-       lck_rw_init(&necp_route_rule_lock, necp_route_rule_mtx_grp, necp_route_rule_mtx_attr);
-
-       necp_client_init();
-
-       LIST_INIT(&necp_kernel_socket_policies);
-       LIST_INIT(&necp_kernel_ip_output_policies);
-
-       LIST_INIT(&necp_account_id_list);
-
-       LIST_INIT(&necp_uuid_service_id_list);
-
-       LIST_INIT(&necp_registered_service_list);
-
-       LIST_INIT(&necp_route_rules);
-       LIST_INIT(&necp_aggregate_route_rules);
-
-       necp_uuid_app_id_hashtbl = hashinit(NECP_UUID_APP_ID_HASH_SIZE, M_NECP, &necp_uuid_app_id_hash_mask);
-       necp_uuid_app_id_hash_num_buckets = necp_uuid_app_id_hash_mask + 1;
-       necp_num_uuid_app_id_mappings = 0;
-       necp_uuid_app_id_mappings_dirty = FALSE;
-
-       necp_kernel_application_policies_condition_mask = 0;
-       necp_kernel_socket_policies_condition_mask = 0;
-       necp_kernel_ip_output_policies_condition_mask = 0;
+       fp->f_fglob->fg_flag = 0;
+       fp->f_fglob->fg_ops = &necp_session_fd_ops;
+       fp->f_fglob->fg_data = session;
  
  
-       necp_kernel_application_policies_count = 0;
-       necp_kernel_socket_policies_count = 0;
-       necp_kernel_socket_policies_non_app_count = 0;
-       necp_kernel_ip_output_policies_count = 0;
-       necp_kernel_ip_output_policies_non_id_count = 0;
+       proc_fdlock(p);
+       FDFLAGS_SET(p, fd, (UF_EXCLOSE | UF_FORKCLOSE));
+       procfdtbl_releasefd(p, fd, NULL);
+       fp_drop(p, fd, fp, 1);
+       proc_fdunlock(p);
  
  
-       necp_last_policy_id = 0;
-       necp_last_kernel_policy_id = 0;
-       necp_last_uuid_id = 0;
-       necp_last_string_id = 0;
-       necp_last_route_rule_id = 0;
-       necp_last_aggregate_route_rule_id = 0;
+       *retval = fd;
+done:
+       if (error != 0) {
+               if (fp != NULL) {
+                       fp_free(p, fd, fp);
+                       fp = NULL;
+               }
+       }
  
  
-       necp_kernel_socket_policies_gencount = 1;
+       return error;
+}
  
  
-       memset(&necp_kernel_socket_policies_map, 0, sizeof(necp_kernel_socket_policies_map));
-       memset(&necp_kernel_ip_output_policies_map, 0, sizeof(necp_kernel_ip_output_policies_map));
-       necp_kernel_socket_policies_app_layer_map = NULL;
+static int
+necp_session_op_close(struct fileglob *fg, vfs_context_t ctx)
+{
+#pragma unused(ctx)
+       struct necp_session *session = (struct necp_session *)fg->fg_data;
+       fg->fg_data = NULL;
  
  
-done:
-       if (result != 0) {
-               if (necp_kernel_policy_mtx_attr != NULL) {
-                       lck_attr_free(necp_kernel_policy_mtx_attr);
-                       necp_kernel_policy_mtx_attr = NULL;
-               }
-               if (necp_kernel_policy_mtx_grp != NULL) {
-                       lck_grp_free(necp_kernel_policy_mtx_grp);
-                       necp_kernel_policy_mtx_grp = NULL;
-               }
-               if (necp_kernel_policy_grp_attr != NULL) {
-                       lck_grp_attr_free(necp_kernel_policy_grp_attr);
-                       necp_kernel_policy_grp_attr = NULL;
-               }
-               if (necp_route_rule_mtx_attr != NULL) {
-                       lck_attr_free(necp_route_rule_mtx_attr);
-                       necp_route_rule_mtx_attr = NULL;
-               }
-               if (necp_route_rule_mtx_grp != NULL) {
-                       lck_grp_free(necp_route_rule_mtx_grp);
-                       necp_route_rule_mtx_grp = NULL;
-               }
-               if (necp_route_rule_grp_attr != NULL) {
-                       lck_grp_attr_free(necp_route_rule_grp_attr);
-                       necp_route_rule_grp_attr = NULL;
-               }
-               if (necp_kctlref != NULL) {
-                       ctl_deregister(necp_kctlref);
-                       necp_kctlref = NULL;
-               }
+       if (session != NULL) {
+               necp_policy_mark_all_for_deletion(session);
+               necp_policy_apply_all(session);
+               necp_delete_session(session);
+               return 0;
+       } else {
+               return ENOENT;
         }
         }
-       return (result);
  }
  
  }
  
-static errno_t
-necp_register_control(void)
+static int
+necp_session_find_from_fd(int fd, struct necp_session **session)
  {
  {
-       struct kern_ctl_reg     kern_ctl;
-       errno_t                         result = 0;
+       proc_t p = current_proc();
+       struct fileproc *fp = NULL;
+       int error = 0;
  
  
-       // Create a tag to allocate memory
-       necp_malloc_tag = OSMalloc_Tagalloc(NECP_CONTROL_NAME, OSMT_DEFAULT);
+       proc_fdlock_spin(p);
+       if ((error = fp_lookup(p, fd, &fp, 1)) != 0) {
+               goto done;
+       }
+       if (fp->f_fglob->fg_ops->fo_type != DTYPE_NETPOLICY) {
+               fp_drop(p, fd, fp, 1);
+               error = ENODEV;
+               goto done;
+       }
+       *session = (struct necp_session *)fp->f_fglob->fg_data;
  
  
-       // Find a unique value for our interface family
-       result = mbuf_tag_id_find(NECP_CONTROL_NAME, &necp_family);
-       if (result != 0) {
-               NECPLOG(LOG_ERR, "mbuf_tag_id_find_internal failed: %d", result);
-               return (result);
-       }
-
-       bzero(&kern_ctl, sizeof(kern_ctl));
-       strlcpy(kern_ctl.ctl_name, NECP_CONTROL_NAME, sizeof(kern_ctl.ctl_name));
-       kern_ctl.ctl_name[sizeof(kern_ctl.ctl_name) - 1] = 0;
-       kern_ctl.ctl_flags = CTL_FLAG_PRIVILEGED; // Require root
-       kern_ctl.ctl_sendsize = 64 * 1024;
-       kern_ctl.ctl_recvsize = 64 * 1024;
-       kern_ctl.ctl_connect = necp_ctl_connect;
-       kern_ctl.ctl_disconnect = necp_ctl_disconnect;
-       kern_ctl.ctl_send = necp_ctl_send;
-       kern_ctl.ctl_rcvd = necp_ctl_rcvd;
-       kern_ctl.ctl_setopt = necp_ctl_setopt;
-       kern_ctl.ctl_getopt = necp_ctl_getopt;
-
-       result = ctl_register(&kern_ctl, &necp_kctlref);
-       if (result != 0) {
-               NECPLOG(LOG_ERR, "ctl_register failed: %d", result);
-               return (result);
+       if ((*session)->necp_fd_type != necp_fd_type_session) {
+               // Not a client fd, ignore
+               fp_drop(p, fd, fp, 1);
+               error = EINVAL;
+               goto done;
         }
  
         }
  
-       return (0);
+done:
+       proc_fdunlock(p);
+       return error;
  }
  
  }
  
-static void
-necp_post_change_event(struct kev_necp_policies_changed_data *necp_event_data)
+static int
+necp_session_add_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
  {
  {
-       struct kev_msg ev_msg;
-       memset(&ev_msg, 0, sizeof(ev_msg));
+       int error = 0;
+       u_int8_t *tlv_buffer = NULL;
  
  
-       ev_msg.vendor_code      = KEV_VENDOR_APPLE;
-       ev_msg.kev_class        = KEV_NETWORK_CLASS;
-       ev_msg.kev_subclass     = KEV_NECP_SUBCLASS;
-       ev_msg.event_code       = KEV_NECP_POLICIES_CHANGED;
+       if (uap->in_buffer_length == 0 || uap->in_buffer_length > NECP_MAX_POLICY_SIZE || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy invalid input (%zu)", uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
  
  
-       ev_msg.dv[0].data_ptr    = necp_event_data;
-       ev_msg.dv[0].data_length = sizeof(necp_event_data->changed_count);
-       ev_msg.dv[1].data_length = 0;
+       if (uap->out_buffer_length < sizeof(necp_policy_id) || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy invalid output buffer (%zu)", uap->out_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
  
  
-       kev_post_msg(&ev_msg);
-}
+       if ((tlv_buffer = _MALLOC(uap->in_buffer_length, M_NECP, M_WAITOK | M_ZERO)) == NULL) {
+               error = ENOMEM;
+               goto done;
+       }
  
  
-static errno_t
-necp_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac, void **unitinfo)
-{
-#pragma unused(kctlref)
-       *unitinfo = necp_create_session(sac->sc_unit);
-       if (*unitinfo == NULL) {
-               // Could not allocate session
-               return (ENOBUFS);
+       error = copyin(uap->in_buffer, tlv_buffer, uap->in_buffer_length);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy tlv copyin error (%d)", error);
+               goto done;
         }
  
         }
  
-       return (0);
-}
+       necp_policy_id new_policy_id = necp_handle_policy_add(session, tlv_buffer, uap->in_buffer_length, 0, &error);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy failed to add policy (%d)", error);
+               goto done;
+       }
  
  
-static errno_t
-necp_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo)
-{
-#pragma unused(kctlref, unit)
-       struct necp_session *session = (struct necp_session *)unitinfo;
-       if (session != NULL) {
-               necp_policy_mark_all_for_deletion(session);
-               necp_policy_apply_all(session);
-               necp_delete_session((struct necp_session *)unitinfo);
+       error = copyout(&new_policy_id, uap->out_buffer, sizeof(new_policy_id));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_add_policy policy_id copyout error (%d)", error);
+               goto done;
         }
  
         }
  
-       return (0);
-}
+done:
+       if (tlv_buffer != NULL) {
+               FREE(tlv_buffer, M_NECP);
+               tlv_buffer = NULL;
+       }
+       *retval = error;
  
  
+       return error;
+}
  
  
-// Message handling
  static int
  static int
-necp_packet_find_tlv(mbuf_t packet, int offset, u_int8_t type, int *err, int next)
+necp_session_get_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
  {
  {
-       size_t  cursor                  = offset;
-       int             error                   = 0;
-       u_int32_t       curr_length;
-       u_int8_t        curr_type;
+       int error = 0;
+       u_int8_t *response = NULL;
  
  
-       *err = 0;
+       if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy invalid input (%zu)", uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
  
  
-       do {
-               if (!next) {
-                       error = mbuf_copydata(packet, cursor, sizeof(curr_type), &curr_type);
-                       if (error) {
-                               *err = ENOENT;
-                               return (-1);
-                       }
-               } else {
-                       next = 0;
-                       curr_type = NECP_TLV_NIL;
-               }
+       necp_policy_id policy_id = 0;
+       error = copyin(uap->in_buffer, &policy_id, sizeof(policy_id));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy policy_id copyin error (%d)", error);
+               goto done;
+       }
  
  
-               if (curr_type != type) {
-                       cursor += sizeof(curr_type);
-                       error = mbuf_copydata(packet, cursor, sizeof(curr_length), &curr_length);
-                       if (error) {
-                               *err = error;
-                               return (-1);
-                       }
-                       cursor += (sizeof(curr_length) + curr_length);
-               }
-       } while (curr_type != type);
+       struct necp_session_policy *policy = necp_policy_find(session, policy_id);
+       if (policy == NULL || policy->pending_deletion) {
+               NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
+               error = ENOENT;
+               goto done;
+       }
  
  
-       return (cursor);
-}
+       u_int32_t order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
+       u_int32_t result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
+       u_int32_t response_size = order_tlv_size + result_tlv_size + policy->conditions_size;
  
  
-static int
-necp_packet_get_tlv_at_offset(mbuf_t packet, int tlv_offset, u_int32_t buff_len, void *buff, u_int32_t *value_size)
-{
-       int                     error   = 0;
-       u_int32_t       length;
+       if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
+               error = EINVAL;
+               goto done;
+       }
  
  
-       if (tlv_offset < 0) {
-               return (EINVAL);
+       if (response_size > NECP_MAX_POLICY_SIZE) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy size too large to copy (%u)", response_size);
+               error = EINVAL;
+               goto done;
         }
  
         }
  
-       error = mbuf_copydata(packet, tlv_offset + sizeof(u_int8_t), sizeof(length), &length);
-       if (error) {
-               return (error);
+       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
+       if (response == NULL) {
+               error = ENOMEM;
+               goto done;
         }
  
         }
  
-       u_int32_t total_len = m_length2(packet, NULL);
-       if (total_len < (tlv_offset + sizeof(u_int8_t) + sizeof(length) + length)) {
-               NECPLOG(LOG_ERR, "Got a bad TLV, length (%u) + offset (%d) < total length (%u)",
-                               length, (tlv_offset + sizeof(u_int8_t) + sizeof(length)), total_len);
-               return (EINVAL);
+       u_int8_t *cursor = response;
+       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, response, response_size);
+       if (result_tlv_size) {
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result, response, response_size);
+       }
+       if (policy->conditions_size) {
+               memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
         }
  
         }
  
-       if (value_size != NULL) {
-               *value_size = length;
+       error = copyout(response, uap->out_buffer, response_size);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_get_policy TLV copyout error (%d)", error);
+               goto done;
         }
  
         }
  
-       if (buff != NULL && buff_len > 0) {
-               u_int32_t to_copy = (length < buff_len) ? length : buff_len;
-               error = mbuf_copydata(packet, tlv_offset + sizeof(u_int8_t) + sizeof(length), to_copy, buff);
-               if (error) {
-                       return (error);
-               }
+done:
+       if (response != NULL) {
+               FREE(response, M_NECP);
+               response = NULL;
         }
         }
+       *retval = error;
  
  
-       return (0);
+       return error;
  }
  
  static int
  }
  
  static int
-necp_packet_get_tlv(mbuf_t packet, int offset, u_int8_t type, u_int32_t buff_len, void *buff, u_int32_t *value_size)
+necp_session_delete_policy(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
  {
  {
-       int             error           = 0;
-       int             tlv_offset;
+       int error = 0;
  
  
-       tlv_offset = necp_packet_find_tlv(packet, offset, type, &error, 0);
-       if (tlv_offset < 0) {
-               return (error);
+       if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_delete_policy invalid input (%zu)", uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
         }
  
         }
  
-       return (necp_packet_get_tlv_at_offset(packet, tlv_offset, buff_len, buff, value_size));
-}
+       necp_policy_id delete_policy_id = 0;
+       error = copyin(uap->in_buffer, &delete_policy_id, sizeof(delete_policy_id));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_delete_policy policy_id copyin error (%d)", error);
+               goto done;
+       }
  
  
-static u_int8_t *
-necp_buffer_write_packet_header(u_int8_t *buffer, u_int8_t packet_type, u_int8_t flags, u_int32_t message_id)
-{
-       ((struct necp_packet_header *)(void *)buffer)->packet_type = packet_type;
-       ((struct necp_packet_header *)(void *)buffer)->flags = flags;
-       ((struct necp_packet_header *)(void *)buffer)->message_id = message_id;
-       return (buffer + sizeof(struct necp_packet_header));
-}
+       struct necp_session_policy *policy = necp_policy_find(session, delete_policy_id);
+       if (policy == NULL || policy->pending_deletion) {
+               NECPLOG(LOG_ERR, "necp_session_delete_policy failed to find policy with id %u", delete_policy_id);
+               error = ENOENT;
+               goto done;
+       }
  
  
+       necp_policy_mark_for_deletion(session, policy);
+done:
+       *retval = error;
+       return error;
+}
  
  
-u_int8_t *
-necp_buffer_write_tlv_if_different(u_int8_t *buffer, const u_int8_t *max, u_int8_t type,
-                                                                  u_int32_t length, const void *value, bool *updated)
+static int
+necp_session_apply_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
  {
  {
-       u_int8_t *next_tlv = (u_int8_t *)(buffer + sizeof(type) + sizeof(length) + length);
-       if (next_tlv <= max) {
-               if (*updated || *(u_int8_t *)(buffer) != type) {
-                       *(u_int8_t *)(buffer) = type;
-                       *updated = TRUE;
-               }
-               if (*updated || *(u_int32_t *)(void *)(buffer + sizeof(type)) != length) {
-                       *(u_int32_t *)(void *)(buffer + sizeof(type)) = length;
-                       *updated = TRUE;
-               }
-               if (length > 0) {
-                       if (*updated || memcmp((u_int8_t *)(buffer + sizeof(type) + sizeof(length)), value, length) != 0) {
-                               memcpy((u_int8_t *)(buffer + sizeof(type) + sizeof(length)), value, length);
-                               *updated = TRUE;
-                       }
-               }
-       }
-       return (next_tlv);
+#pragma unused(uap)
+       necp_policy_apply_all(session);
+       *retval = 0;
+       return 0;
  }
  
  }
  
-u_int8_t *
-necp_buffer_write_tlv(u_int8_t *buffer, u_int8_t type, u_int32_t length, const void *value)
+static int
+necp_session_list_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
  {
  {
-       *(u_int8_t *)(buffer) = type;
-       *(u_int32_t *)(void *)(buffer + sizeof(type)) = length;
+       u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_id));
+       u_int32_t response_size = 0;
+       u_int8_t *response = NULL;
+       int num_policies = 0;
+       int cur_policy_index = 0;
+       int error = 0;
+       struct necp_session_policy *policy;
+
+       LIST_FOREACH(policy, &session->policies, chain) {
+               if (!policy->pending_deletion) {
+                       num_policies++;
+               }
+       }
+
+       if (num_policies > NECP_MAX_POLICY_LIST_COUNT) {
+               NECPLOG(LOG_ERR, "necp_session_list_all size too large to copy (%u policies)", num_policies);
+               error = EINVAL;
+               goto done;
+       }
+
+       response_size = num_policies * tlv_size;
+       if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_list_all buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
+               error = EINVAL;
+               goto done;
+       }
+
+       // Create a response with one Policy ID TLV for each policy
+       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK | M_ZERO);
+       if (response == NULL) {
+               error = ENOMEM;
+               goto done;
+       }
+
+       u_int8_t *cursor = response;
+       LIST_FOREACH(policy, &session->policies, chain) {
+               if (!policy->pending_deletion && cur_policy_index < num_policies) {
+                       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->local_id, response, response_size);
+                       cur_policy_index++;
+               }
+       }
+
+       error = copyout(response, uap->out_buffer, response_size);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_list_all TLV copyout error (%d)", error);
+               goto done;
+       }
+
+done:
+       if (response != NULL) {
+               FREE(response, M_NECP);
+               response = NULL;
+       }
+       *retval = error;
+
+       return error;
+}
+
+
+static int
+necp_session_delete_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+#pragma unused(uap)
+       necp_policy_mark_all_for_deletion(session);
+       *retval = 0;
+       return 0;
+}
+
+static int
+necp_session_set_session_priority(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+       int error = 0;
+       struct necp_session_policy *policy = NULL;
+       struct necp_session_policy *temp_policy = NULL;
+
+       if (uap->in_buffer_length < sizeof(necp_session_priority) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_set_session_priority invalid input (%zu)", uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
+
+       necp_session_priority requested_session_priority = 0;
+       error = copyin(uap->in_buffer, &requested_session_priority, sizeof(requested_session_priority));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_set_session_priority priority copyin error (%d)", error);
+               goto done;
+       }
+
+       // Enforce special session priorities with entitlements
+       if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
+           requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL) {
+               errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
+               if (cred_result != 0) {
+                       NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
+                       error = EPERM;
+                       goto done;
+               }
+       }
+
+       if (session->session_priority != requested_session_priority) {
+               session->session_priority = requested_session_priority;
+               session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
+               session->dirty = TRUE;
+
+               // Mark all policies as needing updates
+               LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
+                       policy->pending_update = TRUE;
+               }
+       }
+
+done:
+       *retval = error;
+       return error;
+}
+
+static int
+necp_session_lock_to_process(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+#pragma unused(uap)
+       session->proc_locked = TRUE;
+       *retval = 0;
+       return 0;
+}
+
+static int
+necp_session_register_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+       int error = 0;
+       struct necp_service_registration *new_service = NULL;
+
+       if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_register_service invalid input (%zu)", uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
+
+       uuid_t service_uuid;
+       error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_register_service uuid copyin error (%d)", error);
+               goto done;
+       }
+
+       MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK | M_ZERO);
+       if (new_service == NULL) {
+               NECPLOG0(LOG_ERR, "Failed to allocate service registration");
+               error = ENOMEM;
+               goto done;
+       }
+
+       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+       new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
+       LIST_INSERT_HEAD(&session->services, new_service, session_chain);
+       LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
+       lck_rw_done(&necp_kernel_policy_lock);
+
+done:
+       *retval = error;
+       return error;
+}
+
+static int
+necp_session_unregister_service(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+       int error = 0;
+       struct necp_service_registration *service = NULL;
+       struct necp_service_registration *temp_service = NULL;
+       struct necp_uuid_id_mapping *mapping = NULL;
+
+       if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_unregister_service invalid input (%zu)", uap->in_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
+
+       uuid_t service_uuid;
+       error = copyin(uap->in_buffer, service_uuid, sizeof(service_uuid));
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_unregister_service uuid copyin error (%d)", error);
+               goto done;
+       }
+
+       // Remove all matching services for this session
+       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+       mapping = necp_uuid_lookup_service_id_locked(service_uuid);
+       if (mapping != NULL) {
+               LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
+                       if (service->service_id == mapping->id) {
+                               LIST_REMOVE(service, session_chain);
+                               LIST_REMOVE(service, kernel_chain);
+                               FREE(service, M_NECP);
+                       }
+               }
+               necp_remove_uuid_service_id_mapping(service_uuid);
+       }
+       lck_rw_done(&necp_kernel_policy_lock);
+
+done:
+       *retval = error;
+       return error;
+}
+
+static int
+necp_session_dump_all(struct necp_session *session, struct necp_session_action_args *uap, int *retval)
+{
+#pragma unused(session)
+       int error = 0;
+
+       if (uap->out_buffer_length == 0 || uap->out_buffer == 0) {
+               NECPLOG(LOG_ERR, "necp_session_dump_all invalid output buffer (%zu)", uap->out_buffer_length);
+               error = EINVAL;
+               goto done;
+       }
+
+       error = necp_handle_policy_dump_all(uap->out_buffer, uap->out_buffer_length);
+done:
+       *retval = error;
+       return error;
+}
+
+int
+necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *retval)
+{
+#pragma unused(p)
+       int error = 0;
+       int return_value = 0;
+       struct necp_session *session = NULL;
+       error = necp_session_find_from_fd(uap->necp_fd, &session);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "necp_session_action find fd error (%d)", error);
+               return error;
+       }
+
+       NECP_SESSION_LOCK(session);
+
+       if (session->proc_locked) {
+               // Verify that the calling process is allowed to do actions
+               uuid_t proc_uuid;
+               proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
+               if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
+                       error = EPERM;
+                       goto done;
+               }
+       } else {
+               // If not locked, update the proc_uuid and proc_pid of the session
+               proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
+               session->proc_pid = proc_pid(current_proc());
+       }
+
+       u_int32_t action = uap->action;
+       switch (action) {
+       case NECP_SESSION_ACTION_POLICY_ADD: {
+               return_value = necp_session_add_policy(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_GET: {
+               return_value = necp_session_get_policy(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_DELETE:  {
+               return_value = necp_session_delete_policy(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_APPLY_ALL: {
+               return_value = necp_session_apply_all(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_LIST_ALL: {
+               return_value = necp_session_list_all(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_DELETE_ALL: {
+               return_value = necp_session_delete_all(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_SET_SESSION_PRIORITY: {
+               return_value = necp_session_set_session_priority(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_LOCK_SESSION_TO_PROC: {
+               return_value = necp_session_lock_to_process(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_REGISTER_SERVICE: {
+               return_value = necp_session_register_service(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_UNREGISTER_SERVICE: {
+               return_value = necp_session_unregister_service(session, uap, retval);
+               break;
+       }
+       case NECP_SESSION_ACTION_POLICY_DUMP_ALL: {
+               return_value = necp_session_dump_all(session, uap, retval);
+               break;
+       }
+       default: {
+               NECPLOG(LOG_ERR, "necp_session_action unknown action (%u)", action);
+               return_value = EINVAL;
+               break;
+       }
+       }
+
+done:
+       NECP_SESSION_UNLOCK(session);
+       file_drop(uap->necp_fd);
+
+       return return_value;
+}
+
+struct necp_resolver_key_state {
+       const struct ccdigest_info *digest_info;
+       uint8_t key[CCSHA256_OUTPUT_SIZE];
+};
+static struct necp_resolver_key_state s_necp_resolver_key_state;
+
+static void
+necp_generate_resolver_key(void)
+{
+       s_necp_resolver_key_state.digest_info = ccsha256_di();
+       cc_rand_generate(s_necp_resolver_key_state.key, sizeof(s_necp_resolver_key_state.key));
+}
+
+static void
+necp_sign_update_context(const struct ccdigest_info *di,
+    cchmac_ctx_t ctx,
+    uuid_t client_id,
+    u_int8_t *query,
+    u_int32_t query_length,
+    u_int8_t *answer,
+    u_int32_t answer_length)
+{
+       const uint8_t context[32] = {[0 ... 31] = 0x20}; // 0x20 repeated 32 times
+       const char *context_string = "NECP Resolver Binder";
+       uint8_t separator = 0;
+       cchmac_update(di, ctx, sizeof(context), context);
+       cchmac_update(di, ctx, strlen(context_string), context_string);
+       cchmac_update(di, ctx, sizeof(separator), &separator);
+       cchmac_update(di, ctx, sizeof(uuid_t), client_id);
+       cchmac_update(di, ctx, sizeof(query_length), &query_length);
+       cchmac_update(di, ctx, query_length, query);
+       cchmac_update(di, ctx, sizeof(answer_length), &answer_length);
+       cchmac_update(di, ctx, answer_length, answer);
+}
+
+int
+necp_sign_resolver_answer(uuid_t client_id, u_int8_t *query, u_int32_t query_length,
+    u_int8_t *answer, u_int32_t answer_length,
+    u_int8_t *tag, u_int32_t *out_tag_length)
+{
+       if (s_necp_resolver_key_state.digest_info == NULL) {
+               return EINVAL;
+       }
+
+       if (query == NULL ||
+           query_length == 0 ||
+           answer == NULL ||
+           answer_length == 0 ||
+           tag == NULL ||
+           out_tag_length == NULL) {
+               return EINVAL;
+       }
+
+       size_t required_tag_length = s_necp_resolver_key_state.digest_info->output_size;
+       if (*out_tag_length < required_tag_length) {
+               return ERANGE;
+       }
+
+       *out_tag_length = required_tag_length;
+
+       cchmac_ctx_decl(s_necp_resolver_key_state.digest_info->state_size,
+           s_necp_resolver_key_state.digest_info->block_size, ctx);
+       cchmac_init(s_necp_resolver_key_state.digest_info, ctx,
+           sizeof(s_necp_resolver_key_state.key),
+           s_necp_resolver_key_state.key);
+       necp_sign_update_context(s_necp_resolver_key_state.digest_info,
+           ctx, client_id, query, query_length,
+           answer, answer_length);
+       cchmac_final(s_necp_resolver_key_state.digest_info, ctx, tag);
+
+       return 0;
+}
+
+bool
+necp_validate_resolver_answer(uuid_t client_id, u_int8_t *query, u_int32_t query_length,
+    u_int8_t *answer, u_int32_t answer_length,
+    u_int8_t *tag, u_int32_t tag_length)
+{
+       if (s_necp_resolver_key_state.digest_info == NULL) {
+               return false;
+       }
+
+       if (query == NULL ||
+           query_length == 0 ||
+           answer == NULL ||
+           answer_length == 0 ||
+           tag == NULL ||
+           tag_length == 0) {
+               return false;
+       }
+
+       size_t required_tag_length = s_necp_resolver_key_state.digest_info->output_size;
+       if (tag_length != required_tag_length) {
+               return false;
+       }
+
+       uint8_t actual_tag[required_tag_length];
+
+       cchmac_ctx_decl(s_necp_resolver_key_state.digest_info->state_size,
+           s_necp_resolver_key_state.digest_info->block_size, ctx);
+       cchmac_init(s_necp_resolver_key_state.digest_info, ctx,
+           sizeof(s_necp_resolver_key_state.key),
+           s_necp_resolver_key_state.key);
+       necp_sign_update_context(s_necp_resolver_key_state.digest_info,
+           ctx, client_id, query, query_length,
+           answer, answer_length);
+       cchmac_final(s_necp_resolver_key_state.digest_info, ctx, actual_tag);
+
+       return cc_cmp_safe(s_necp_resolver_key_state.digest_info->output_size, tag, actual_tag) == 0;
+}
+
+errno_t
+necp_init(void)
+{
+       errno_t result = 0;
+
+       necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
+       if (necp_kernel_policy_grp_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       necp_kernel_policy_mtx_grp = lck_grp_alloc_init(NECP_CONTROL_NAME, necp_kernel_policy_grp_attr);
+       if (necp_kernel_policy_mtx_grp == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       necp_kernel_policy_mtx_attr = lck_attr_alloc_init();
+       if (necp_kernel_policy_mtx_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       lck_rw_init(&necp_kernel_policy_lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
+
+       necp_route_rule_grp_attr = lck_grp_attr_alloc_init();
+       if (necp_route_rule_grp_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       necp_route_rule_mtx_grp = lck_grp_alloc_init("necp_route_rule", necp_route_rule_grp_attr);
+       if (necp_route_rule_mtx_grp == NULL) {
+               NECPLOG0(LOG_ERR, "lck_grp_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       necp_route_rule_mtx_attr = lck_attr_alloc_init();
+       if (necp_route_rule_mtx_attr == NULL) {
+               NECPLOG0(LOG_ERR, "lck_attr_alloc_init failed");
+               result = ENOMEM;
+               goto done;
+       }
+
+       lck_rw_init(&necp_route_rule_lock, necp_route_rule_mtx_grp, necp_route_rule_mtx_attr);
+
+       necp_client_init();
+
+       TAILQ_INIT(&necp_session_list);
+
+       LIST_INIT(&necp_kernel_socket_policies);
+       LIST_INIT(&necp_kernel_ip_output_policies);
+
+       LIST_INIT(&necp_account_id_list);
+
+       LIST_INIT(&necp_uuid_service_id_list);
+
+       LIST_INIT(&necp_registered_service_list);
+
+       LIST_INIT(&necp_route_rules);
+       LIST_INIT(&necp_aggregate_route_rules);
+
+       necp_generate_resolver_key();
+
+       necp_uuid_app_id_hashtbl = hashinit(NECP_UUID_APP_ID_HASH_SIZE, M_NECP, &necp_uuid_app_id_hash_mask);
+       necp_uuid_app_id_hash_num_buckets = necp_uuid_app_id_hash_mask + 1;
+       necp_num_uuid_app_id_mappings = 0;
+       necp_uuid_app_id_mappings_dirty = FALSE;
+
+       necp_kernel_application_policies_condition_mask = 0;
+       necp_kernel_socket_policies_condition_mask = 0;
+       necp_kernel_ip_output_policies_condition_mask = 0;
+
+       necp_kernel_application_policies_count = 0;
+       necp_kernel_socket_policies_count = 0;
+       necp_kernel_socket_policies_non_app_count = 0;
+       necp_kernel_ip_output_policies_count = 0;
+       necp_kernel_ip_output_policies_non_id_count = 0;
+
+       necp_kernel_socket_policies_gencount = 1;
+
+       memset(&necp_kernel_socket_policies_map, 0, sizeof(necp_kernel_socket_policies_map));
+       memset(&necp_kernel_ip_output_policies_map, 0, sizeof(necp_kernel_ip_output_policies_map));
+       necp_kernel_socket_policies_app_layer_map = NULL;
+
+       necp_drop_unentitled_order = necp_get_first_order_for_priority(necp_drop_unentitled_level);
+
+done:
+       if (result != 0) {
+               if (necp_kernel_policy_mtx_attr != NULL) {
+                       lck_attr_free(necp_kernel_policy_mtx_attr);
+                       necp_kernel_policy_mtx_attr = NULL;
+               }
+               if (necp_kernel_policy_mtx_grp != NULL) {
+                       lck_grp_free(necp_kernel_policy_mtx_grp);
+                       necp_kernel_policy_mtx_grp = NULL;
+               }
+               if (necp_kernel_policy_grp_attr != NULL) {
+                       lck_grp_attr_free(necp_kernel_policy_grp_attr);
+                       necp_kernel_policy_grp_attr = NULL;
+               }
+               if (necp_route_rule_mtx_attr != NULL) {
+                       lck_attr_free(necp_route_rule_mtx_attr);
+                       necp_route_rule_mtx_attr = NULL;
+               }
+               if (necp_route_rule_mtx_grp != NULL) {
+                       lck_grp_free(necp_route_rule_mtx_grp);
+                       necp_route_rule_mtx_grp = NULL;
+               }
+               if (necp_route_rule_grp_attr != NULL) {
+                       lck_grp_attr_free(necp_route_rule_grp_attr);
+                       necp_route_rule_grp_attr = NULL;
+               }
+       }
+       return result;
+}
+
+static void
+necp_post_change_event(struct kev_necp_policies_changed_data *necp_event_data)
+{
+       struct kev_msg ev_msg;
+       memset(&ev_msg, 0, sizeof(ev_msg));
+
+       ev_msg.vendor_code      = KEV_VENDOR_APPLE;
+       ev_msg.kev_class        = KEV_NETWORK_CLASS;
+       ev_msg.kev_subclass     = KEV_NECP_SUBCLASS;
+       ev_msg.event_code       = KEV_NECP_POLICIES_CHANGED;
+
+       ev_msg.dv[0].data_ptr    = necp_event_data;
+       ev_msg.dv[0].data_length = sizeof(necp_event_data->changed_count);
+       ev_msg.dv[1].data_length = 0;
+
+       kev_post_msg(&ev_msg);
+}
+
+static inline bool
+necp_buffer_write_tlv_validate(u_int8_t *cursor, u_int8_t type, u_int32_t length,
+    u_int8_t *buffer, u_int32_t buffer_length)
+{
+       if (cursor < buffer || (uintptr_t)(cursor - buffer) > buffer_length) {
+               NECPLOG0(LOG_ERR, "Cannot write TLV in buffer (invalid cursor)");
+               return false;
+       }
+       u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
+       if (next_tlv <= buffer || // make sure the next TLV start doesn't overflow
+           (uintptr_t)(next_tlv - buffer) > buffer_length) {     // make sure the next TLV has enough room in buffer
+               NECPLOG(LOG_ERR, "Cannot write TLV in buffer (TLV length %u, buffer length %u)",
+                   length, buffer_length);
+               return false;
+       }
+       return true;
+}
+
+u_int8_t *
+necp_buffer_write_tlv_if_different(u_int8_t *cursor, u_int8_t type,
+    u_int32_t length, const void *value, bool *updated,
+    u_int8_t *buffer, u_int32_t buffer_length)
+{
+       if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
+               // If we can't fit this TLV, return the current cursor
+               return cursor;
+       }
+       u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
+       if (*updated || *(u_int8_t *)(cursor) != type) {
+               *(u_int8_t *)(cursor) = type;
+               *updated = TRUE;
+       }
+       if (*updated || *(u_int32_t *)(void *)(cursor + sizeof(type)) != length) {
+               *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
+               *updated = TRUE;
+       }
+       if (length > 0) {
+               if (*updated || memcmp((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length) != 0) {
+                       memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
+                       *updated = TRUE;
+               }
+       }
+       return next_tlv;
+}
+
+u_int8_t *
+necp_buffer_write_tlv(u_int8_t *cursor, u_int8_t type,
+    u_int32_t length, const void *value,
+    u_int8_t *buffer, u_int32_t buffer_length)
+{
+       if (!necp_buffer_write_tlv_validate(cursor, type, length, buffer, buffer_length)) {
+               return NULL;
+       }
+       u_int8_t *next_tlv = (u_int8_t *)(cursor + sizeof(type) + sizeof(length) + length);
+       *(u_int8_t *)(cursor) = type;
+       *(u_int32_t *)(void *)(cursor + sizeof(type)) = length;
         if (length > 0) {
         if (length > 0) {
-               memcpy((u_int8_t *)(buffer + sizeof(type) + sizeof(length)), value, length);
+               memcpy((u_int8_t *)(cursor + sizeof(type) + sizeof(length)), value, length);
         }
  
         }
  
-       return ((u_int8_t *)(buffer + sizeof(type) + sizeof(length) + length));
+       return next_tlv;
  }
  
  u_int8_t
  }
  
  u_int8_t
@@ -829,11 +1495,11 @@ necp_buffer_get_tlv_type(u_int8_t *buffer, int tlv_offset)
         u_int8_t *type = NULL;
  
         if (buffer == NULL) {
         u_int8_t *type = NULL;
  
         if (buffer == NULL) {
-               return (0);
+               return 0;
         }
  
         type = (u_int8_t *)((u_int8_t *)buffer + tlv_offset);
         }
  
         type = (u_int8_t *)((u_int8_t *)buffer + tlv_offset);
-       return (type ? *type : 0);
+       return type ? *type : 0;
  }
  
  u_int32_t
  }
  
  u_int32_t
@@ -842,11 +1508,11 @@ necp_buffer_get_tlv_length(u_int8_t *buffer, int tlv_offset)
         u_int32_t *length = NULL;
  
         if (buffer == NULL) {
         u_int32_t *length = NULL;
  
         if (buffer == NULL) {
-               return (0);
+               return 0;
         }
  
         length = (u_int32_t *)(void *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t));
         }
  
         length = (u_int32_t *)(void *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t));
-       return (length ? *length : 0);
+       return length ? *length : 0;
  }
  
  u_int8_t *
  }
  
  u_int8_t *
@@ -855,7 +1521,7 @@ necp_buffer_get_tlv_value(u_int8_t *buffer, int tlv_offset, u_int32_t *value_siz
         u_int8_t *value = NULL;
         u_int32_t length = necp_buffer_get_tlv_length(buffer, tlv_offset);
         if (length == 0) {
         u_int8_t *value = NULL;
         u_int32_t length = necp_buffer_get_tlv_length(buffer, tlv_offset);
         if (length == 0) {
-               return (value);
+               return value;
         }
  
         if (value_size) {
         }
  
         if (value_size) {
@@ -863,14 +1529,20 @@ necp_buffer_get_tlv_value(u_int8_t *buffer, int tlv_offset, u_int32_t *value_siz
         }
  
         value = (u_int8_t *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
         }
  
         value = (u_int8_t *)((u_int8_t *)buffer + tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
-       return (value);
+       return value;
  }
  
  int
  }
  
  int
-necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int next)
+necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
  {
  {
+       if (err != NULL) {
+               *err = ENOENT;
+       }
         if (offset < 0) {
         if (offset < 0) {
-               return (-1);
+               if (err != NULL) {
+                       *err = EINVAL;
+               }
+               return -1;
         }
         int cursor = offset;
         int next_cursor;
         }
         int cursor = offset;
         int next_cursor;
@@ -879,7 +1551,7 @@ necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_in
  
         while (TRUE) {
                 if ((((u_int32_t)cursor) + sizeof(curr_type) + sizeof(curr_length)) > buffer_length) {
  
         while (TRUE) {
                 if ((((u_int32_t)cursor) + sizeof(curr_type) + sizeof(curr_length)) > buffer_length) {
-                       return (-1);
+                       return -1;
                 }
                 if (!next) {
                         curr_type = necp_buffer_get_tlv_type(buffer, cursor);
                 }
                 if (!next) {
                         curr_type = necp_buffer_get_tlv_type(buffer, cursor);
@@ -888,247 +1560,155 @@ necp_buffer_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_in
                         curr_type = NECP_TLV_NIL;
                 }
                 curr_length = necp_buffer_get_tlv_length(buffer, cursor);
                         curr_type = NECP_TLV_NIL;
                 }
                 curr_length = necp_buffer_get_tlv_length(buffer, cursor);
+               if (curr_length > buffer_length - ((u_int32_t)cursor + sizeof(curr_type) + sizeof(curr_length))) {
+                       return -1;
+               }
+
                 next_cursor = (cursor + sizeof(curr_type) + sizeof(curr_length) + curr_length);
                 if (curr_type == type) {
                         // check if entire TLV fits inside buffer
                         if (((u_int32_t)next_cursor) <= buffer_length) {
                 next_cursor = (cursor + sizeof(curr_type) + sizeof(curr_length) + curr_length);
                 if (curr_type == type) {
                         // check if entire TLV fits inside buffer
                         if (((u_int32_t)next_cursor) <= buffer_length) {
-                               return (cursor);
+                               if (err != NULL) {
+                                       *err = 0;
+                               }
+                               return cursor;
                         } else {
                         } else {
-                               return (-1);
+                               return -1;
                         }
                 }
                 cursor = next_cursor;
         }
  }
  
                         }
                 }
                 cursor = next_cursor;
         }
  }
  
-static bool
-necp_send_ctl_data(struct necp_session *session, u_int8_t *buffer, size_t buffer_size)
-{
-       int             error;
-
-       if (necp_kctlref == NULL || session == NULL || buffer == NULL || buffer_size == 0) {
-               return (FALSE);
-       }
-
-       error = ctl_enqueuedata(necp_kctlref, session->control_unit, buffer, buffer_size, CTL_DATA_EOR);
-
-       return (error == 0);
-}
-
-static bool
-necp_send_success_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id)
-{
-       bool success = TRUE;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t);
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               return (FALSE);
-       }
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_NIL, 0, NULL);
-
-       if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
-       }
-
-       FREE(response, M_NECP);
-       return (success);
-}
-
-static bool
-necp_send_error_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id, u_int32_t error)
-{
-       bool success = TRUE;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t);
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               return (FALSE);
-       }
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ERROR, sizeof(error), &error);
-
-       if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
-       }
-
-       FREE(response, M_NECP);
-       return (success);
-}
-
-static bool
-necp_send_policy_id_response(struct necp_session *session, u_int8_t packet_type, u_int32_t message_id, necp_policy_id policy_id)
-{
-       bool success = TRUE;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       size_t response_size = sizeof(struct necp_packet_header) + sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t);
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               return (FALSE);
-       }
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, packet_type, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id);
-
-       if (!(success = necp_send_ctl_data(session, (u_int8_t *)response, response_size))) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
-       }
-
-       FREE(response, M_NECP);
-       return (success);
-}
-
-static errno_t
-necp_ctl_send(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, mbuf_t packet, int flags)
-{
-#pragma unused(kctlref, unit, flags)
-       struct necp_session *session = (struct necp_session *)unitinfo;
-       struct necp_packet_header header;
-       int error = 0;
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Got a NULL session");
-               error = EINVAL;
-               goto done;
+static int
+necp_find_tlv(u_int8_t *buffer, u_int32_t buffer_length, int offset, u_int8_t type, int *err, int next)
+{
+       int cursor = -1;
+       if (buffer != NULL) {
+               cursor = necp_buffer_find_tlv(buffer, buffer_length, offset, type, err, next);
         }
         }
+       return cursor;
+}
  
  
-       if (mbuf_pkthdr_len(packet) < sizeof(header)) {
-               NECPLOG(LOG_ERR, "Got a bad packet, length (%lu) < sizeof header (%lu)", mbuf_pkthdr_len(packet), sizeof(header));
-               error = EINVAL;
-               goto done;
+static int
+necp_get_tlv_at_offset(u_int8_t *buffer, u_int32_t buffer_length,
+    int tlv_offset, u_int32_t out_buffer_length, void *out_buffer, u_int32_t *value_size)
+{
+       if (buffer == NULL) {
+               NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset buffer is NULL");
+               return EINVAL;
         }
  
         }
  
-       error = mbuf_copydata(packet, 0, sizeof(header), &header);
-       if (error) {
-               NECPLOG(LOG_ERR, "mbuf_copydata failed for the header: %d", error);
-               error = ENOBUFS;
-               goto done;
+       // Handle buffer parsing
+
+       // Validate that buffer has enough room for any TLV
+       if (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) > buffer_length) {
+               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV (%u < %u)",
+                   buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
+               return EINVAL;
         }
  
         }
  
-       if (session->proc_locked) {
-               // Verify that the calling process is allowed to send messages
-               uuid_t proc_uuid;
-               proc_getexecutableuuid(current_proc(), proc_uuid, sizeof(proc_uuid));
-               if (uuid_compare(proc_uuid, session->proc_uuid) != 0) {
-                       necp_send_error_response(session, header.packet_type, header.message_id, NECP_ERROR_INVALID_PROCESS);
-                       goto done;
-               }
-       } else {
-               // If not locked, update the proc_uuid and proc_pid of the session
-               proc_getexecutableuuid(current_proc(), session->proc_uuid, sizeof(session->proc_uuid));
-               session->proc_pid = proc_pid(current_proc());
+       // Validate that buffer has enough room for this TLV
+       u_int32_t tlv_length = necp_buffer_get_tlv_length(buffer, tlv_offset);
+       if (tlv_length > buffer_length - (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t))) {
+               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV of length %u (%u < %u)",
+                   tlv_length, buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) + tlv_length);
+               return EINVAL;
         }
  
         }
  
-       switch (header.packet_type) {
-               case NECP_PACKET_TYPE_POLICY_ADD: {
-                       necp_handle_policy_add(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_POLICY_GET: {
-                       necp_handle_policy_get(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_POLICY_DELETE: {
-                       necp_handle_policy_delete(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_POLICY_APPLY_ALL: {
-                       necp_handle_policy_apply_all(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_POLICY_LIST_ALL: {
-                       necp_handle_policy_list_all(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_POLICY_DELETE_ALL: {
-                       necp_handle_policy_delete_all(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_POLICY_DUMP_ALL: {
-                       necp_handle_policy_dump_all(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_SET_SESSION_PRIORITY: {
-                       necp_handle_set_session_priority(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_LOCK_SESSION_TO_PROC: {
-                       necp_handle_lock_session_to_proc(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_REGISTER_SERVICE: {
-                       necp_handle_register_service(session, header.message_id, packet, sizeof(header));
-                       break;
-               }
-               case NECP_PACKET_TYPE_UNREGISTER_SERVICE: {
-                       necp_handle_unregister_service(session, header.message_id, packet, sizeof(header));
-                       break;
+       if (out_buffer != NULL && out_buffer_length > 0) {
+               // Validate that out buffer is large enough for  value
+               if (out_buffer_length < tlv_length) {
+                       NECPLOG(LOG_ERR, "necp_get_tlv_at_offset out_buffer_length is too small for TLV value (%u < %u)",
+                           out_buffer_length, tlv_length);
+                       return EINVAL;
                 }
                 }
-               default: {
-                       NECPLOG(LOG_ERR, "Received unknown message type %d", header.packet_type);
-                       necp_send_error_response(session, header.packet_type, header.message_id, NECP_ERROR_UNKNOWN_PACKET_TYPE);
-                       break;
+
+               // Get value pointer
+               u_int8_t *tlv_value = necp_buffer_get_tlv_value(buffer, tlv_offset, NULL);
+               if (tlv_value == NULL) {
+                       NECPLOG0(LOG_ERR, "necp_get_tlv_at_offset tlv_value is NULL");
+                       return ENOENT;
                 }
                 }
+
+               // Copy value
+               memcpy(out_buffer, tlv_value, tlv_length);
         }
  
         }
  
-done:
-       mbuf_freem(packet);
-       return (error);
-}
+       // Copy out length
+       if (value_size != NULL) {
+               *value_size = tlv_length;
+       }
  
  
-static void
-necp_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int flags)
-{
-#pragma unused(kctlref, unit, unitinfo, flags)
-       return;
+       return 0;
  }
  
  }
  
-static errno_t
-necp_ctl_getopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t *len)
+static int
+necp_get_tlv(u_int8_t *buffer, u_int32_t buffer_length,
+    int offset, u_int8_t type, u_int32_t buff_len, void *buff, u_int32_t *value_size)
  {
  {
-#pragma unused(kctlref, unit, unitinfo, opt, data, len)
-       return (0);
-}
+       int error = 0;
  
  
-static errno_t
-necp_ctl_setopt(kern_ctl_ref kctlref, u_int32_t unit, void *unitinfo, int opt, void *data, size_t len)
-{
-#pragma unused(kctlref, unit, unitinfo, opt, data, len)
-       return (0);
+       int tlv_offset = necp_find_tlv(buffer, buffer_length, offset, type, &error, 0);
+       if (tlv_offset < 0) {
+               return error;
+       }
+
+       return necp_get_tlv_at_offset(buffer, buffer_length, tlv_offset, buff_len, buff, value_size);
  }
  
  // Session Management
  }
  
  // Session Management
+
  static struct necp_session *
  static struct necp_session *
-necp_create_session(u_int32_t control_unit)
+necp_create_session(void)
  {
         struct necp_session *new_session = NULL;
  
  {
         struct necp_session *new_session = NULL;
  
-       MALLOC(new_session, struct necp_session *, sizeof(*new_session), M_NECP, M_WAITOK);
+       MALLOC(new_session, struct necp_session *, sizeof(*new_session), M_NECP, M_WAITOK | M_ZERO);
         if (new_session == NULL) {
                 goto done;
         }
         if (new_session == NULL) {
                 goto done;
         }
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Create NECP session, control unit %d", control_unit);
-       }
-       memset(new_session, 0, sizeof(*new_session));
+
+       new_session->necp_fd_type = necp_fd_type_session;
         new_session->session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
         new_session->session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
-       new_session->session_order = necp_allocate_new_session_order(new_session->session_priority, control_unit);
-       new_session->control_unit = control_unit;
         new_session->dirty = FALSE;
         LIST_INIT(&new_session->policies);
         new_session->dirty = FALSE;
         LIST_INIT(&new_session->policies);
+       lck_mtx_init(&new_session->lock, necp_kernel_policy_mtx_grp, necp_kernel_policy_mtx_attr);
  
  
+       // Take the lock
         lck_rw_lock_exclusive(&necp_kernel_policy_lock);
         lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+
+       // Find the next available control unit
+       u_int32_t control_unit = 1;
+       struct necp_session *next_session = NULL;
+       TAILQ_FOREACH(next_session, &necp_session_list, chain) {
+               if (next_session->control_unit > control_unit) {
+                       // Found a gap, grab this control unit
+                       break;
+               }
+
+               // Try the next control unit, loop around
+               control_unit = next_session->control_unit + 1;
+       }
+
+       new_session->control_unit = control_unit;
+       new_session->session_order = necp_allocate_new_session_order(new_session->session_priority, control_unit);
+
+       if (next_session != NULL) {
+               TAILQ_INSERT_BEFORE(next_session, new_session, chain);
+       } else {
+               TAILQ_INSERT_TAIL(&necp_session_list, new_session, chain);
+       }
+
         necp_session_count++;
         lck_rw_done(&necp_kernel_policy_lock);
  
         necp_session_count++;
         lck_rw_done(&necp_kernel_policy_lock);
  
+       if (necp_debug) {
+               NECPLOG(LOG_DEBUG, "Created NECP session, control unit %d", control_unit);
+       }
+
  done:
  done:
-       return (new_session);
+       return new_session;
  }
  
  static void
  }
  
  static void
@@ -1147,11 +1727,14 @@ necp_delete_session(struct necp_session *session)
                 if (necp_debug) {
                         NECPLOG0(LOG_DEBUG, "Deleted NECP session");
                 }
                 if (necp_debug) {
                         NECPLOG0(LOG_DEBUG, "Deleted NECP session");
                 }
-               FREE(session, M_NECP);
  
                 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
  
                 lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+               TAILQ_REMOVE(&necp_session_list, session, chain);
                 necp_session_count--;
                 lck_rw_done(&necp_kernel_policy_lock);
                 necp_session_count--;
                 lck_rw_done(&necp_kernel_policy_lock);
+
+               lck_mtx_destroy(&session->lock, necp_kernel_policy_mtx_grp);
+               FREE(session, M_NECP);
         }
  }
  
         }
  }
  
@@ -1160,19 +1743,19 @@ necp_delete_session(struct necp_session *session)
  static inline u_int8_t
  necp_policy_result_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  static inline u_int8_t
  necp_policy_result_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0);
+       return (buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0;
  }
  
  static inline u_int32_t
  necp_policy_result_get_parameter_length_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline u_int32_t
  necp_policy_result_get_parameter_length_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length > sizeof(u_int8_t)) ? (length - sizeof(u_int8_t)) : 0);
+       return (buffer && length > sizeof(u_int8_t)) ? (length - sizeof(u_int8_t)) : 0;
  }
  
  static inline u_int8_t *
  necp_policy_result_get_parameter_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline u_int8_t *
  necp_policy_result_get_parameter_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length > sizeof(u_int8_t)) ? (buffer + sizeof(u_int8_t)) : NULL);
+       return (buffer && length > sizeof(u_int8_t)) ? (buffer + sizeof(u_int8_t)) : NULL;
  }
  
  static bool
  }
  
  static bool
@@ -1180,20 +1763,20 @@ necp_policy_result_requires_route_rules(u_int8_t *buffer, u_int32_t length)
  {
         u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
         if (type == NECP_POLICY_RESULT_ROUTE_RULES) {
  {
         u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
         if (type == NECP_POLICY_RESULT_ROUTE_RULES) {
-               return (TRUE);
+               return TRUE;
         }
         }
-       return (FALSE);
+       return FALSE;
  }
  
  static inline bool
  necp_address_is_valid(struct sockaddr *address)
  {
         if (address->sa_family == AF_INET) {
  }
  
  static inline bool
  necp_address_is_valid(struct sockaddr *address)
  {
         if (address->sa_family == AF_INET) {
-               return (address->sa_len == sizeof(struct sockaddr_in));
+               return address->sa_len == sizeof(struct sockaddr_in);
         } else if (address->sa_family == AF_INET6) {
         } else if (address->sa_family == AF_INET6) {
-               return (address->sa_len == sizeof(struct sockaddr_in6));
+               return address->sa_len == sizeof(struct sockaddr_in6);
         } else {
         } else {
-               return (FALSE);
+               return FALSE;
         }
  }
  
         }
  }
  
@@ -1204,112 +1787,112 @@ necp_policy_result_is_valid(u_int8_t *buffer, u_int32_t length)
         u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
         u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
         switch (type) {
         u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
         u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
         switch (type) {
-               case NECP_POLICY_RESULT_PASS: {
+       case NECP_POLICY_RESULT_PASS:
+       case NECP_POLICY_RESULT_DROP:
+       case NECP_POLICY_RESULT_ROUTE_RULES:
+       case NECP_POLICY_RESULT_SCOPED_DIRECT:
+       case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
+               validated = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_SKIP:
+       case NECP_POLICY_RESULT_SOCKET_DIVERT:
+       case NECP_POLICY_RESULT_SOCKET_FILTER: {
+               if (parameter_length >= sizeof(u_int32_t)) {
                         validated = TRUE;
                         validated = TRUE;
-                       break;
-               }
-               case NECP_POLICY_RESULT_SKIP: {
-                       if (parameter_length >= sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_DROP: {
+               break;
+       }
+       case NECP_POLICY_RESULT_IP_TUNNEL: {
+               if (parameter_length > sizeof(u_int32_t)) {
                         validated = TRUE;
                         validated = TRUE;
-                       break;
-               }
-               case NECP_POLICY_RESULT_SOCKET_DIVERT: {
-                       if (parameter_length >= sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
-               }
-               case NECP_POLICY_RESULT_SOCKET_SCOPED: {
-                       if (parameter_length > 0) {
-                               validated = TRUE;
-                       }
-                       break;
-               }
-               case NECP_POLICY_RESULT_IP_TUNNEL: {
-                       if (parameter_length > sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
-               }
-               case NECP_POLICY_RESULT_SOCKET_FILTER: {
-                       if (parameter_length >= sizeof(u_int32_t)) {
-                               validated = TRUE;
-                       }
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_ROUTE_RULES: {
+               break;
+       }
+       case NECP_POLICY_RESULT_SOCKET_SCOPED: {
+               if (parameter_length > 0) {
                         validated = TRUE;
                         validated = TRUE;
-                       break;
-               }
-               case NECP_POLICY_RESULT_TRIGGER:
-               case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
-               case NECP_POLICY_RESULT_TRIGGER_SCOPED:
-               case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED:
-               case NECP_POLICY_RESULT_USE_NETAGENT: {
-                       if (parameter_length >= sizeof(uuid_t)) {
-                               validated = TRUE;
-                       }
-                       break;
                 }
                 }
-               default: {
-                       validated = FALSE;
-                       break;
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER:
+       case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
+       case NECP_POLICY_RESULT_TRIGGER_SCOPED:
+       case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED:
+       case NECP_POLICY_RESULT_USE_NETAGENT:
+       case NECP_POLICY_RESULT_NETAGENT_SCOPED:{
+               if (parameter_length >= sizeof(uuid_t)) {
+                       validated = TRUE;
                 }
                 }
+               break;
+       }
+       default: {
+               validated = FALSE;
+               break;
+       }
         }
  
         if (necp_debug) {
                 NECPLOG(LOG_DEBUG, "Policy result type %d, valid %d", type, validated);
         }
  
         }
  
         if (necp_debug) {
                 NECPLOG(LOG_DEBUG, "Policy result type %d, valid %d", type, validated);
         }
  
-       return (validated);
+       return validated;
  }
  
  static inline u_int8_t
  necp_policy_condition_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline u_int8_t
  necp_policy_condition_get_type_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0);
+       return (buffer && length >= sizeof(u_int8_t)) ? buffer[0] : 0;
  }
  
  static inline u_int8_t
  necp_policy_condition_get_flags_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline u_int8_t
  necp_policy_condition_get_flags_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length >= (2 * sizeof(u_int8_t))) ? buffer[1] : 0);
+       return (buffer && length >= (2 * sizeof(u_int8_t))) ? buffer[1] : 0;
  }
  
  static inline u_int32_t
  necp_policy_condition_get_value_length_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline u_int32_t
  necp_policy_condition_get_value_length_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length >= (2 * sizeof(u_int8_t))) ? (length - (2 * sizeof(u_int8_t))) : 0);
+       return (buffer && length >= (2 * sizeof(u_int8_t))) ? (length - (2 * sizeof(u_int8_t))) : 0;
  }
  
  static inline u_int8_t *
  necp_policy_condition_get_value_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline u_int8_t *
  necp_policy_condition_get_value_pointer_from_buffer(u_int8_t *buffer, u_int32_t length)
  {
-       return ((buffer && length > (2 * sizeof(u_int8_t))) ? (buffer + (2 * sizeof(u_int8_t))) : NULL);
+       return (buffer && length > (2 * sizeof(u_int8_t))) ? (buffer + (2 * sizeof(u_int8_t))) : NULL;
  }
  
  static inline bool
  necp_policy_condition_is_default(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline bool
  necp_policy_condition_is_default(u_int8_t *buffer, u_int32_t length)
  {
-       return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_DEFAULT);
+       return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_DEFAULT;
  }
  
  static inline bool
  necp_policy_condition_is_application(u_int8_t *buffer, u_int32_t length)
  {
  }
  
  static inline bool
  necp_policy_condition_is_application(u_int8_t *buffer, u_int32_t length)
  {
-       return (necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_APPLICATION);
+       return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_APPLICATION;
+}
+
+static inline bool
+necp_policy_condition_is_real_application(u_int8_t *buffer, u_int32_t length)
+{
+       return necp_policy_condition_get_type_from_buffer(buffer, length) == NECP_POLICY_CONDITION_REAL_APPLICATION;
  }
  
  static inline bool
  necp_policy_condition_requires_application(u_int8_t *buffer, u_int32_t length)
  {
         u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
  }
  
  static inline bool
  necp_policy_condition_requires_application(u_int8_t *buffer, u_int32_t length)
  {
         u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
-       return (type == NECP_POLICY_CONDITION_REAL_APPLICATION);
+       return type == NECP_POLICY_CONDITION_REAL_APPLICATION;
+}
+
+static inline bool
+necp_policy_condition_requires_real_application(u_int8_t *buffer, u_int32_t length)
+{
+       u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
+       return type == NECP_POLICY_CONDITION_ENTITLEMENT;
  }
  
  static bool
  }
  
  static bool
@@ -1317,302 +1900,227 @@ necp_policy_condition_is_valid(u_int8_t *buffer, u_int32_t length, u_int8_t poli
  {
         bool validated = FALSE;
         bool result_cannot_have_ip_layer = (policy_result_type == NECP_POLICY_RESULT_SOCKET_DIVERT ||
  {
         bool validated = FALSE;
         bool result_cannot_have_ip_layer = (policy_result_type == NECP_POLICY_RESULT_SOCKET_DIVERT ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_SOCKET_FILTER ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_TRIGGER ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_TRIGGER_IF_NEEDED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_TRIGGER_SCOPED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_NO_TRIGGER_SCOPED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_SOCKET_SCOPED ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_ROUTE_RULES ||
-                                                                               policy_result_type == NECP_POLICY_RESULT_USE_NETAGENT) ? TRUE : FALSE;
+           policy_result_type == NECP_POLICY_RESULT_SOCKET_FILTER ||
+           policy_result_type == NECP_POLICY_RESULT_TRIGGER ||
+           policy_result_type == NECP_POLICY_RESULT_TRIGGER_IF_NEEDED ||
+           policy_result_type == NECP_POLICY_RESULT_TRIGGER_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_NO_TRIGGER_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_SOCKET_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_ROUTE_RULES ||
+           policy_result_type == NECP_POLICY_RESULT_USE_NETAGENT ||
+           policy_result_type == NECP_POLICY_RESULT_NETAGENT_SCOPED ||
+           policy_result_type == NECP_POLICY_RESULT_SCOPED_DIRECT ||
+           policy_result_type == NECP_POLICY_RESULT_ALLOW_UNENTITLED) ? TRUE : FALSE;
         u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
         u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(buffer, length);
         u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
         u_int8_t flags = necp_policy_condition_get_flags_from_buffer(buffer, length);
         switch (type) {
         u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
         u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(buffer, length);
         u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
         u_int8_t flags = necp_policy_condition_get_flags_from_buffer(buffer, length);
         switch (type) {
-               case NECP_POLICY_CONDITION_APPLICATION:
-               case NECP_POLICY_CONDITION_REAL_APPLICATION: {
-                       if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
-                               condition_length >= sizeof(uuid_t) &&
-                               condition_value != NULL &&
-                               !uuid_is_null(condition_value)) {
-                               validated = TRUE;
-                       }
-                       break;
-               }
-               case NECP_POLICY_CONDITION_DOMAIN:
-               case NECP_POLICY_CONDITION_ACCOUNT:
-               case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
-                       if (condition_length > 0) {
-                               validated = TRUE;
-                       }
-                       break;
+       case NECP_POLICY_CONDITION_APPLICATION:
+       case NECP_POLICY_CONDITION_REAL_APPLICATION: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
+                   condition_length >= sizeof(uuid_t) &&
+                   condition_value != NULL &&
+                   !uuid_is_null(condition_value)) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
-                       if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_DOMAIN:
+       case NECP_POLICY_CONDITION_ACCOUNT:
+       case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
+               if (condition_length > 0) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_DEFAULT:
-               case NECP_POLICY_CONDITION_ALL_INTERFACES:
-               case NECP_POLICY_CONDITION_ENTITLEMENT: {
-                       if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
+               if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_IP_PROTOCOL: {
-                       if (condition_length >= sizeof(u_int16_t)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_DEFAULT:
+       case NECP_POLICY_CONDITION_ALL_INTERFACES:
+       case NECP_POLICY_CONDITION_ENTITLEMENT:
+       case NECP_POLICY_CONDITION_PLATFORM_BINARY:
+       case NECP_POLICY_CONDITION_HAS_CLIENT:
+       case NECP_POLICY_CONDITION_LOCAL_NETWORKS: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE)) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_PID: {
-                       if (condition_length >= sizeof(pid_t) &&
-                               condition_value != NULL &&
-                               *((pid_t *)(void *)condition_value) != 0) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_IP_PROTOCOL: {
+               if (condition_length >= sizeof(u_int16_t)) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_UID: {
-                       if (condition_length >= sizeof(uid_t)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_PID: {
+               if (condition_length >= sizeof(pid_t) &&
+                   condition_value != NULL &&
+                   *((pid_t *)(void *)condition_value) != 0) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_LOCAL_ADDR:
-               case NECP_POLICY_CONDITION_REMOTE_ADDR: {
-                       if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr) &&
-                               necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_UID: {
+               if (condition_length >= sizeof(uid_t)) {
+                       validated = TRUE;
                 }
                 }
-               case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
-               case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
-                       if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
-                               necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
-                               necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
-                               validated = TRUE;
-                       }
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_LOCAL_ADDR:
+       case NECP_POLICY_CONDITION_REMOTE_ADDR: {
+               if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
+                       validated = TRUE;
                 }
                 }
-               default: {
-                       validated = FALSE;
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
+       case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
+               if (!result_cannot_have_ip_layer && condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
+                       validated = TRUE;
                 }
                 }
+               break;
         }
         }
-
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Policy condition type %d, valid %d", type, validated);
+       case NECP_POLICY_CONDITION_AGENT_TYPE: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
+                   condition_length >= sizeof(struct necp_policy_condition_agent_type)) {
+                       validated = TRUE;
+               }
+               break;
         }
         }
-
-       return (validated);
-}
-
-static bool
-necp_policy_route_rule_is_default(u_int8_t *buffer, u_int32_t length)
-{
-       return (necp_policy_condition_get_value_length_from_buffer(buffer, length) == 0 &&
-                       necp_policy_condition_get_flags_from_buffer(buffer, length) == 0);
-}
-
-static bool
-necp_policy_route_rule_is_valid(u_int8_t *buffer, u_int32_t length)
-{
-       bool validated = FALSE;
-       u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
-       switch (type) {
-               case NECP_ROUTE_RULE_ALLOW_INTERFACE: {
+       case NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL: {
+               if (condition_length >= sizeof(u_int16_t)) {
                         validated = TRUE;
                         validated = TRUE;
-                       break;
                 }
                 }
-               case NECP_ROUTE_RULE_DENY_INTERFACE: {
+               break;
+       }
+       case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR:
+       case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR: {
+               if (condition_length >= sizeof(struct necp_policy_condition_addr) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr *)(void *)condition_value)->address.sa)) {
                         validated = TRUE;
                         validated = TRUE;
-                       break;
                 }
                 }
-               case NECP_ROUTE_RULE_QOS_MARKING: {
+               break;
+       }
+       case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE:
+       case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE: {
+               if (condition_length >= sizeof(struct necp_policy_condition_addr_range) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->start_address.sa) &&
+                   necp_address_is_valid(&((struct necp_policy_condition_addr_range *)(void *)condition_value)->end_address.sa)) {
                         validated = TRUE;
                         validated = TRUE;
-                       break;
                 }
                 }
-               default: {
-                       validated = FALSE;
-                       break;
+               break;
+       }
+       case NECP_POLICY_CONDITION_CLIENT_FLAGS: {
+               if (condition_length == 0 || condition_length >= sizeof(u_int32_t)) {
+                       validated = TRUE;
                 }
                 }
+               break;
         }
         }
-
-       if (necp_debug) {
-               NECPLOG(LOG_DEBUG, "Policy route rule type %d, valid %d", type, validated);
+       case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY: {
+               validated = TRUE;
+               break;
         }
         }
-
-       return (validated);
-}
-
-static void
-necp_handle_set_session_priority(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-       int error;
-       struct necp_session_policy *policy = NULL;
-       struct necp_session_policy *temp_policy = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       u_int32_t requested_session_priority = NECP_SESSION_PRIORITY_UNKNOWN;
-
-       // Read policy id
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_SESSION_PRIORITY, sizeof(requested_session_priority), &requested_session_priority, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get session priority: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY: {
+               validated = TRUE;
+               break;
         }
         }
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to find session");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
+       default: {
+               validated = FALSE;
+               break;
         }
         }
-
-       // Enforce special session priorities with entitlements
-       if (requested_session_priority == NECP_SESSION_PRIORITY_CONTROL ||
-               requested_session_priority == NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL) {
-               errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
-               if (cred_result != 0) {
-                       NECPLOG(LOG_ERR, "Session does not hold necessary entitlement to claim priority level %d", requested_session_priority);
-                       goto fail;
-               }
         }
  
         }
  
-       if (session->session_priority != requested_session_priority) {
-               session->session_priority = requested_session_priority;
-               session->session_order = necp_allocate_new_session_order(session->session_priority, session->control_unit);
-               session->dirty = TRUE;
-
-               // Mark all policies as needing updates
-               LIST_FOREACH_SAFE(policy, &session->policies, chain, temp_policy) {
-                       policy->pending_update = TRUE;
-               }
+       if (necp_debug) {
+               NECPLOG(LOG_DEBUG, "Policy condition type %d, valid %d", type, validated);
         }
  
         }
  
-       necp_send_success_response(session, NECP_PACKET_TYPE_SET_SESSION_PRIORITY, message_id);
-       return;
-
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_SET_SESSION_PRIORITY, message_id, response_error);
+       return validated;
  }
  
  }
  
-static void
-necp_handle_lock_session_to_proc(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static bool
+necp_policy_route_rule_is_default(u_int8_t *buffer, u_int32_t length)
  {
  {
-#pragma unused(packet, offset)
-       // proc_uuid already filled out
-       session->proc_locked = TRUE;
-       necp_send_success_response(session, NECP_PACKET_TYPE_LOCK_SESSION_TO_PROC, message_id);
+       return necp_policy_condition_get_value_length_from_buffer(buffer, length) == 0 &&
+              necp_policy_condition_get_flags_from_buffer(buffer, length) == 0;
  }
  
  }
  
-static void
-necp_handle_register_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static bool
+necp_policy_route_rule_is_valid(u_int8_t *buffer, u_int32_t length)
  {
  {
-       int error;
-       struct necp_service_registration *new_service = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       uuid_t service_uuid;
-       uuid_clear(service_uuid);
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to find session");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
+       bool validated = FALSE;
+       u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
+       switch (type) {
+       case NECP_ROUTE_RULE_ALLOW_INTERFACE: {
+               validated = TRUE;
+               break;
+       }
+       case NECP_ROUTE_RULE_DENY_INTERFACE: {
+               validated = TRUE;
+               break;
         }
         }
-
-       // Enforce entitlements
-       errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
-       if (cred_result != 0) {
-               NECPLOG0(LOG_ERR, "Session does not hold necessary entitlement to register service");
-               goto fail;
+       case NECP_ROUTE_RULE_QOS_MARKING: {
+               validated = TRUE;
+               break;
         }
         }
-
-       // Read service uuid
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_SERVICE_UUID, sizeof(uuid_t), service_uuid, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get service UUID: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       case NECP_ROUTE_RULE_DENY_LQM_ABORT: {
+               validated = TRUE;
+               break;
+       }
+       default: {
+               validated = FALSE;
+               break;
         }
         }
-
-       MALLOC(new_service, struct necp_service_registration *, sizeof(*new_service), M_NECP, M_WAITOK);
-       if (new_service == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to allocate service registration");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
         }
  
         }
  
-       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
-       memset(new_service, 0, sizeof(*new_service));
-       new_service->service_id = necp_create_uuid_service_id_mapping(service_uuid);
-       LIST_INSERT_HEAD(&session->services, new_service, session_chain);
-       LIST_INSERT_HEAD(&necp_registered_service_list, new_service, kernel_chain);
-       lck_rw_done(&necp_kernel_policy_lock);
+       if (necp_debug) {
+               NECPLOG(LOG_DEBUG, "Policy route rule type %d, valid %d", type, validated);
+       }
  
  
-       necp_send_success_response(session, NECP_PACKET_TYPE_REGISTER_SERVICE, message_id);
-       return;
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_REGISTER_SERVICE, message_id, response_error);
+       return validated;
  }
  
  }
  
-static void
-necp_handle_unregister_service(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static int
+necp_get_posix_error_for_necp_error(int response_error)
  {
  {
-       int error;
-       struct necp_service_registration *service = NULL;
-       struct necp_service_registration *temp_service = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       struct necp_uuid_id_mapping *mapping = NULL;
-       uuid_t service_uuid;
-       uuid_clear(service_uuid);
-
-       if (session == NULL) {
-               NECPLOG0(LOG_ERR, "Failed to find session");
-               response_error = NECP_ERROR_INTERNAL;
-               goto fail;
+       switch (response_error) {
+       case NECP_ERROR_UNKNOWN_PACKET_TYPE:
+       case NECP_ERROR_INVALID_TLV:
+       case NECP_ERROR_POLICY_RESULT_INVALID:
+       case NECP_ERROR_POLICY_CONDITIONS_INVALID:
+       case NECP_ERROR_ROUTE_RULES_INVALID: {
+               return EINVAL;
         }
         }
-
-       // Read service uuid
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_SERVICE_UUID, sizeof(uuid_t), service_uuid, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get service UUID: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
+       case NECP_ERROR_POLICY_ID_NOT_FOUND: {
+               return ENOENT;
+       }
+       case NECP_ERROR_INVALID_PROCESS: {
+               return EPERM;
+       }
+       case NECP_ERROR_INTERNAL:
+       default: {
+               return ENOMEM;
         }
         }
-
-       // Mark remove all matching services for this session
-       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
-       mapping = necp_uuid_lookup_service_id_locked(service_uuid);
-       if (mapping != NULL) {
-               LIST_FOREACH_SAFE(service, &session->services, session_chain, temp_service) {
-                       if (service->service_id == mapping->id) {
-                               LIST_REMOVE(service, session_chain);
-                               LIST_REMOVE(service, kernel_chain);
-                               FREE(service, M_NECP);
-                       }
-               }
-               necp_remove_uuid_service_id_mapping(service_uuid);
         }
         }
-       lck_rw_done(&necp_kernel_policy_lock);
-
-       necp_send_success_response(session, NECP_PACKET_TYPE_UNREGISTER_SERVICE, message_id);
-       return;
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_UNREGISTER_SERVICE, message_id, response_error);
  }
  
  }
  
-static void
-necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static necp_policy_id
+necp_handle_policy_add(struct necp_session *session,
+    u_int8_t *tlv_buffer, size_t tlv_buffer_length, int offset, int *return_error)
  {
         bool has_default_condition = FALSE;
         bool has_non_default_condition = FALSE;
         bool has_application_condition = FALSE;
  {
         bool has_default_condition = FALSE;
         bool has_non_default_condition = FALSE;
         bool has_application_condition = FALSE;
+       bool has_real_application_condition = FALSE;
         bool requires_application_condition = FALSE;
         bool requires_application_condition = FALSE;
+       bool requires_real_application_condition = FALSE;
         u_int8_t *conditions_array = NULL;
         u_int32_t conditions_array_size = 0;
         int conditions_array_cursor;
         u_int8_t *conditions_array = NULL;
         u_int32_t conditions_array_size = 0;
         int conditions_array_cursor;
@@ -1632,7 +2140,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
         u_int32_t policy_result_size = 0;
  
         // Read policy order
         u_int32_t policy_result_size = 0;
  
         // Read policy order
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_POLICY_ORDER, sizeof(order), &order, NULL);
+       error = necp_get_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_ORDER, sizeof(order), &order, NULL);
         if (error) {
                 NECPLOG(LOG_ERR, "Failed to get policy order: %d", error);
                 response_error = NECP_ERROR_INVALID_TLV;
         if (error) {
                 NECPLOG(LOG_ERR, "Failed to get policy order: %d", error);
                 response_error = NECP_ERROR_INVALID_TLV;
@@ -1640,8 +2148,13 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
         }
  
         // Read policy result
         }
  
         // Read policy result
-       cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_RESULT, &error, 0);
-       error = necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &policy_result_size);
+       cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_RESULT, &error, 0);
+       if (error || cursor < 0) {
+               NECPLOG(LOG_ERR, "Failed to find policy result TLV: %d", error);
+               response_error = NECP_ERROR_INVALID_TLV;
+               goto fail;
+       }
+       error = necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &policy_result_size);
         if (error || policy_result_size == 0) {
                 NECPLOG(LOG_ERR, "Failed to get policy result length: %d", error);
                 response_error = NECP_ERROR_INVALID_TLV;
         if (error || policy_result_size == 0) {
                 NECPLOG(LOG_ERR, "Failed to get policy result length: %d", error);
                 response_error = NECP_ERROR_INVALID_TLV;
@@ -1658,7 +2171,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                 response_error = NECP_ERROR_INTERNAL;
                 goto fail;
         }
                 response_error = NECP_ERROR_INTERNAL;
                 goto fail;
         }
-       error = necp_packet_get_tlv_at_offset(packet, cursor, policy_result_size, policy_result, NULL);
+       error = necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, policy_result_size, policy_result, NULL);
         if (error) {
                 NECPLOG(LOG_ERR, "Failed to get policy result: %d", error);
                 response_error = NECP_ERROR_POLICY_RESULT_INVALID;
         if (error) {
                 NECPLOG(LOG_ERR, "Failed to get policy result: %d", error);
                 response_error = NECP_ERROR_POLICY_RESULT_INVALID;
@@ -1672,13 +2185,17 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
  
         if (necp_policy_result_requires_route_rules(policy_result, policy_result_size)) {
                 // Read route rules conditions
  
         if (necp_policy_result_requires_route_rules(policy_result, policy_result_size)) {
                 // Read route rules conditions
-               for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_ROUTE_RULE, &error, 0);
-                        cursor >= 0;
-                        cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
+               for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
+                   cursor >= 0;
+                   cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
                         u_int32_t route_rule_size = 0;
                         u_int32_t route_rule_size = 0;
-                       necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &route_rule_size);
-                       if (route_rule_size > 0) {
-                               route_rules_array_size += (sizeof(u_int8_t) + sizeof(u_int32_t) + route_rule_size);
+                       necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
+                       if (os_add_overflow(route_rules_array_size,
+                           (sizeof(u_int8_t) + sizeof(u_int32_t) + route_rule_size),
+                           &route_rules_array_size)) {
+                               NECPLOG0(LOG_ERR, "Route rules size overflowed, too large");
+                               response_error = NECP_ERROR_INVALID_TLV;
+                               goto fail;
                         }
                 }
  
                         }
                 }
  
@@ -1700,13 +2217,14 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                 }
  
                 route_rules_array_cursor = 0;
                 }
  
                 route_rules_array_cursor = 0;
-               for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_ROUTE_RULE, &error, 0);
-                        cursor >= 0;
-                        cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
+               for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_ROUTE_RULE, &error, 0);
+                   cursor >= 0;
+                   cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_ROUTE_RULE, &error, 1)) {
                         u_int8_t route_rule_type = NECP_TLV_ROUTE_RULE;
                         u_int32_t route_rule_size = 0;
                         u_int8_t route_rule_type = NECP_TLV_ROUTE_RULE;
                         u_int32_t route_rule_size = 0;
-                       necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &route_rule_size);
-                       if (route_rule_size > 0 && route_rule_size <= (route_rules_array_size - route_rules_array_cursor)) {
+                       necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &route_rule_size);
+                       if (route_rule_size > 0 &&
+                           (sizeof(route_rule_type) + sizeof(route_rule_size) + route_rule_size) <= (route_rules_array_size - route_rules_array_cursor)) {
                                 // Add type
                                 memcpy((route_rules_array + route_rules_array_cursor), &route_rule_type, sizeof(route_rule_type));
                                 route_rules_array_cursor += sizeof(route_rule_type);
                                 // Add type
                                 memcpy((route_rules_array + route_rules_array_cursor), &route_rule_type, sizeof(route_rule_type));
                                 route_rules_array_cursor += sizeof(route_rule_type);
@@ -1716,7 +2234,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                                 route_rules_array_cursor += sizeof(route_rule_size);
  
                                 // Add value
                                 route_rules_array_cursor += sizeof(route_rule_size);
  
                                 // Add value
-                               necp_packet_get_tlv_at_offset(packet, cursor, route_rule_size, (route_rules_array + route_rules_array_cursor), NULL);
+                               necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, route_rule_size, (route_rules_array + route_rules_array_cursor), NULL);
  
                                 if (!necp_policy_route_rule_is_valid((route_rules_array + route_rules_array_cursor), route_rule_size)) {
                                         NECPLOG0(LOG_ERR, "Failed to validate policy route rule");
  
                                 if (!necp_policy_route_rule_is_valid((route_rules_array + route_rules_array_cursor), route_rule_size)) {
                                         NECPLOG0(LOG_ERR, "Failed to validate policy route rule");
@@ -1739,14 +2257,20 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
         }
  
         // Read policy conditions
         }
  
         // Read policy conditions
-       for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
-               cursor >= 0;
-               cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
+       for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
+           cursor >= 0;
+           cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
                 u_int32_t condition_size = 0;
                 u_int32_t condition_size = 0;
-               necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size);
+               necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
  
                 if (condition_size > 0) {
  
                 if (condition_size > 0) {
-                       conditions_array_size += (sizeof(u_int8_t) + sizeof(u_int32_t) + condition_size);
+                       if (os_add_overflow(conditions_array_size,
+                           (sizeof(u_int8_t) + sizeof(u_int32_t) + condition_size),
+                           &conditions_array_size)) {
+                               NECPLOG0(LOG_ERR, "Conditions size overflowed, too large");
+                               response_error = NECP_ERROR_INVALID_TLV;
+                               goto fail;
+                       }
                 }
         }
  
                 }
         }
  
@@ -1768,13 +2292,14 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
         }
  
         conditions_array_cursor = 0;
         }
  
         conditions_array_cursor = 0;
-       for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
-               cursor >= 0;
-               cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
+       for (cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, offset, NECP_TLV_POLICY_CONDITION, &error, 0);
+           cursor >= 0;
+           cursor = necp_find_tlv(tlv_buffer, tlv_buffer_length, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) {
                 u_int8_t condition_type = NECP_TLV_POLICY_CONDITION;
                 u_int32_t condition_size = 0;
                 u_int8_t condition_type = NECP_TLV_POLICY_CONDITION;
                 u_int32_t condition_size = 0;
-               necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size);
-               if (condition_size > 0 && condition_size <= (conditions_array_size - conditions_array_cursor)) {
+               necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, 0, NULL, &condition_size);
+               if (condition_size > 0 &&
+                   (sizeof(condition_type) + sizeof(condition_size) + condition_size) <= (conditions_array_size - conditions_array_cursor)) {
                         // Add type
                         memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type));
                         conditions_array_cursor += sizeof(condition_type);
                         // Add type
                         memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type));
                         conditions_array_cursor += sizeof(condition_type);
@@ -1784,7 +2309,7 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                         conditions_array_cursor += sizeof(condition_size);
  
                         // Add value
                         conditions_array_cursor += sizeof(condition_size);
  
                         // Add value
-                       necp_packet_get_tlv_at_offset(packet, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);
+                       necp_get_tlv_at_offset(tlv_buffer, tlv_buffer_length, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);
                         if (!necp_policy_condition_is_valid((conditions_array + conditions_array_cursor), condition_size, necp_policy_result_get_type_from_buffer(policy_result, policy_result_size))) {
                                 NECPLOG0(LOG_ERR, "Failed to validate policy condition");
                                 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
                         if (!necp_policy_condition_is_valid((conditions_array + conditions_array_cursor), condition_size, necp_policy_result_get_type_from_buffer(policy_result, policy_result_size))) {
                                 NECPLOG0(LOG_ERR, "Failed to validate policy condition");
                                 response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
@@ -1806,10 +2331,18 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                                 has_application_condition = TRUE;
                         }
  
                                 has_application_condition = TRUE;
                         }
  
+                       if (necp_policy_condition_is_real_application((conditions_array + conditions_array_cursor), condition_size)) {
+                               has_real_application_condition = TRUE;
+                       }
+
                         if (necp_policy_condition_requires_application((conditions_array + conditions_array_cursor), condition_size)) {
                                 requires_application_condition = TRUE;
                         }
  
                         if (necp_policy_condition_requires_application((conditions_array + conditions_array_cursor), condition_size)) {
                                 requires_application_condition = TRUE;
                         }
  
+                       if (necp_policy_condition_requires_real_application((conditions_array + conditions_array_cursor), condition_size)) {
+                               requires_real_application_condition = TRUE;
+                       }
+
                         conditions_array_cursor += condition_size;
                 }
         }
                         conditions_array_cursor += condition_size;
                 }
         }
@@ -1820,13 +2353,18 @@ necp_handle_policy_add(struct necp_session *session, u_int32_t message_id, mbuf_
                 goto fail;
         }
  
                 goto fail;
         }
  
+       if (requires_real_application_condition && !has_real_application_condition) {
+               NECPLOG0(LOG_ERR, "Failed to validate conditions; did not contain real application condition");
+               response_error = NECP_ERROR_POLICY_CONDITIONS_INVALID;
+               goto fail;
+       }
+
         if ((policy = necp_policy_create(session, order, conditions_array, conditions_array_size, route_rules_array, route_rules_array_size, policy_result, policy_result_size)) == NULL) {
                 response_error = NECP_ERROR_INTERNAL;
                 goto fail;
         }
  
         if ((policy = necp_policy_create(session, order, conditions_array, conditions_array_size, route_rules_array, route_rules_array_size, policy_result, policy_result_size)) == NULL) {
                 response_error = NECP_ERROR_INTERNAL;
                 goto fail;
         }
  
-       necp_send_policy_id_response(session, NECP_PACKET_TYPE_POLICY_ADD, message_id, policy->id);
-       return;
+       return policy->local_id;
  
  fail:
         if (policy_result != NULL) {
  
  fail:
         if (policy_result != NULL) {
@@ -1839,183 +2377,28 @@ fail:
                 FREE(route_rules_array, M_NECP);
         }
  
                 FREE(route_rules_array, M_NECP);
         }
  
-       necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_ADD, message_id, response_error);
-}
-
-static void
-necp_handle_policy_get(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(offset)
-       int error;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       necp_policy_id policy_id = 0;
-       u_int32_t order_tlv_size = 0;
-       u_int32_t result_tlv_size = 0;
-       u_int32_t response_size = 0;
-
-       struct necp_session_policy *policy = NULL;
-
-       // Read policy id
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get policy id: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
-       }
-
-       policy = necp_policy_find(session, policy_id);
-       if (policy == NULL || policy->pending_deletion) {
-               NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
-               response_error = NECP_ERROR_POLICY_ID_NOT_FOUND;
-               goto fail;
-       }
-
-       order_tlv_size = sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(necp_policy_order);
-       result_tlv_size = (policy->result_size ? (sizeof(u_int8_t) + sizeof(u_int32_t) + policy->result_size) : 0);
-       response_size = sizeof(struct necp_packet_header) + order_tlv_size + result_tlv_size + policy->conditions_size;
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_LIST_ALL, message_id, NECP_ERROR_INTERNAL);
-               return;
-       }
-
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, NECP_PACKET_TYPE_POLICY_GET, NECP_PACKET_FLAGS_RESPONSE, message_id);
-       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order);
-
-       if (result_tlv_size) {
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT, policy->result_size, &policy->result);
-       }
-       if (policy->conditions_size) {
-               memcpy(((u_int8_t *)(void *)(cursor)), policy->conditions, policy->conditions_size);
-       }
-
-       if (!necp_send_ctl_data(session, (u_int8_t *)response, response_size)) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
-       }
-
-       FREE(response, M_NECP);
-       return;
-
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_GET, message_id, response_error);
-}
-
-static void
-necp_handle_policy_delete(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-       int error;
-       u_int32_t response_error = NECP_ERROR_INTERNAL;
-       necp_policy_id policy_id = 0;
-
-       struct necp_session_policy *policy = NULL;
-
-       // Read policy id
-       error = necp_packet_get_tlv(packet, offset, NECP_TLV_POLICY_ID, sizeof(policy_id), &policy_id, NULL);
-       if (error) {
-               NECPLOG(LOG_ERR, "Failed to get policy id: %d", error);
-               response_error = NECP_ERROR_INVALID_TLV;
-               goto fail;
-       }
-
-       policy = necp_policy_find(session, policy_id);
-       if (policy == NULL || policy->pending_deletion) {
-               NECPLOG(LOG_ERR, "Failed to find policy with id %d", policy_id);
-               response_error = NECP_ERROR_POLICY_ID_NOT_FOUND;
-               goto fail;
-       }
-
-       necp_policy_mark_for_deletion(session, policy);
-
-       necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_DELETE, message_id);
-       return;
-
-fail:
-       necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_DELETE, message_id, response_error);
-}
-
-static void
-necp_handle_policy_apply_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(packet, offset)
-       necp_policy_apply_all(session);
-       necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_APPLY_ALL, message_id);
-}
-
-static void
-necp_handle_policy_list_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(packet, offset)
-       u_int32_t tlv_size = (sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(u_int32_t));
-       u_int32_t response_size = 0;
-       u_int8_t *response = NULL;
-       u_int8_t *cursor = NULL;
-       int num_policies = 0;
-       int cur_policy_index = 0;
-       struct necp_session_policy *policy;
-
-       LIST_FOREACH(policy, &session->policies, chain) {
-               if (!policy->pending_deletion) {
-                       num_policies++;
-               }
-       }
-
-       // Create a response with one Policy ID TLV for each policy
-       response_size = sizeof(struct necp_packet_header) + num_policies * tlv_size;
-       MALLOC(response, u_int8_t *, response_size, M_NECP, M_WAITOK);
-       if (response == NULL) {
-               necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_LIST_ALL, message_id, NECP_ERROR_INTERNAL);
-               return;
-       }
-
-       cursor = response;
-       cursor = necp_buffer_write_packet_header(cursor, NECP_PACKET_TYPE_POLICY_LIST_ALL, NECP_PACKET_FLAGS_RESPONSE, message_id);
-
-       LIST_FOREACH(policy, &session->policies, chain) {
-               if (!policy->pending_deletion && cur_policy_index < num_policies) {
-                       cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(u_int32_t), &policy->id);
-                       cur_policy_index++;
-               }
-       }
-
-       if (!necp_send_ctl_data(session, (u_int8_t *)response, response_size)) {
-               NECPLOG0(LOG_ERR, "Failed to send response");
+       if (return_error != NULL) {
+               *return_error = necp_get_posix_error_for_necp_error(response_error);
         }
         }
-
-       FREE(response, M_NECP);
-}
-
-static void
-necp_handle_policy_delete_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
-{
-#pragma unused(packet, offset)
-       necp_policy_mark_all_for_deletion(session);
-       necp_send_success_response(session, NECP_PACKET_TYPE_POLICY_DELETE_ALL, message_id);
+       return 0;
  }
  
  static necp_policy_id
  }
  
  static necp_policy_id
-necp_policy_get_new_id(void)
+necp_policy_get_new_id(struct necp_session *session)
  {
  {
-       necp_policy_id newid = 0;
-
-       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
-
-       necp_last_policy_id++;
-       if (necp_last_policy_id < 1) {
-               necp_last_policy_id = 1;
+       session->last_policy_id++;
+       if (session->last_policy_id < 1) {
+               session->last_policy_id = 1;
         }
  
         }
  
-       newid = necp_last_policy_id;
-       lck_rw_done(&necp_kernel_policy_lock);
+       necp_policy_id newid = session->last_policy_id;
  
         if (newid == 0) {
  
         if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate policy id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate policy id failed.\n");
+               return 0;
         }
  
         }
  
-       return (newid);
+       return newid;
  }
  
  /*
  }
  
  /*
@@ -2114,30 +2497,30 @@ necp_policy_get_new_id(void)
   *     }
   *     ...
   */
   *     }
   *     ...
   */
-static void
-necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id, mbuf_t packet, int offset)
+static int
+necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
  {
  {
-#pragma unused(packet, offset)
         struct necp_kernel_socket_policy *policy = NULL;
         int policy_i;
         int policy_count = 0;
         u_int8_t **tlv_buffer_pointers = NULL;
         u_int32_t *tlv_buffer_lengths = NULL;
         struct necp_kernel_socket_policy *policy = NULL;
         int policy_i;
         int policy_count = 0;
         u_int8_t **tlv_buffer_pointers = NULL;
         u_int32_t *tlv_buffer_lengths = NULL;
-       int total_tlv_len = 0;
+       u_int32_t total_tlv_len = 0;
         u_int8_t *result_buf = NULL;
         u_int8_t *result_buf_cursor = result_buf;
         char result_string[MAX_RESULT_STRING_LEN];
         char proc_name_string[MAXCOMLEN + 1];
  
         u_int8_t *result_buf = NULL;
         u_int8_t *result_buf_cursor = result_buf;
         char result_string[MAX_RESULT_STRING_LEN];
         char proc_name_string[MAXCOMLEN + 1];
  
+       int error_code = 0;
         bool error_occured = false;
         u_int32_t response_error = NECP_ERROR_INTERNAL;
  
         bool error_occured = false;
         u_int32_t response_error = NECP_ERROR_INTERNAL;
  
-#define REPORT_ERROR(error) error_occured = true;              \
-                                                       response_error = error;         \
-                                                       goto done
+#define REPORT_ERROR(error) error_occured = true;               \
+                                                       response_error = error;         \
+                                                       goto done
  
  
-#define UNLOCK_AND_REPORT_ERROR(lock, error)   lck_rw_done(lock);      \
-                                                                                               REPORT_ERROR(error)
+#define UNLOCK_AND_REPORT_ERROR(lock, error)    lck_rw_done(lock);      \
+                                                                                               REPORT_ERROR(error)
  
         errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
         if (cred_result != 0) {
  
         errno_t cred_result = priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0);
         if (cred_result != 0) {
@@ -2148,11 +2531,13 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
         // LOCK
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
         // LOCK
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
-       NECPLOG0(LOG_DEBUG, "Gathering policies");
+       if (necp_debug) {
+               NECPLOG0(LOG_DEBUG, "Gathering policies");
+       }
  
         policy_count = necp_kernel_application_policies_count;
  
  
         policy_count = necp_kernel_application_policies_count;
  
-       MALLOC(tlv_buffer_pointers, u_int8_t **, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
+       MALLOC(tlv_buffer_pointers, u_int8_t * *, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
         if (tlv_buffer_pointers == NULL) {
                 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%u bytes)", sizeof(u_int8_t *) * policy_count);
                 UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
         if (tlv_buffer_pointers == NULL) {
                 NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%u bytes)", sizeof(u_int8_t *) * policy_count);
                 UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
@@ -2176,14 +2561,16 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                 u_int16_t proc_name_len = strlen(proc_name_string) + 1;
                 u_int16_t result_string_len = strlen(result_string) + 1;
  
                 u_int16_t proc_name_len = strlen(proc_name_string) + 1;
                 u_int16_t result_string_len = strlen(result_string) + 1;
  
-               NECPLOG(LOG_DEBUG, "Policy: process: %s, result: %s", proc_name_string, result_string);
+               if (necp_debug) {
+                       NECPLOG(LOG_DEBUG, "Policy: process: %s, result: %s", proc_name_string, result_string);
+               }
  
  
-               u_int32_t total_allocated_bytes =       sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->id) +                                     // NECP_TLV_POLICY_ID
-                                                                                       sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->order) +                          // NECP_TLV_POLICY_ORDER
-                                                                                       sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->session_order) +          // NECP_TLV_POLICY_SESSION_ORDER
-                                                                                       sizeof(u_int8_t) + sizeof(u_int32_t) + result_string_len +                                      // NECP_TLV_POLICY_RESULT_STRING
-                                                                                       sizeof(u_int8_t) + sizeof(u_int32_t) + proc_name_len +                                          // NECP_TLV_POLICY_OWNER
-                                                                                       sizeof(u_int8_t) + sizeof(u_int32_t);                                                                           // NECP_TLV_POLICY_CONDITION
+               u_int32_t total_allocated_bytes =       sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->id) +                                     // NECP_TLV_POLICY_ID
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->order) +                                                                                              // NECP_TLV_POLICY_ORDER
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + sizeof(policy->session_order) +                                                                              // NECP_TLV_POLICY_SESSION_ORDER
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + result_string_len +                                                                                                          // NECP_TLV_POLICY_RESULT_STRING
+                   sizeof(u_int8_t) + sizeof(u_int32_t) + proc_name_len +                                                                                                              // NECP_TLV_POLICY_OWNER
+                   sizeof(u_int8_t) + sizeof(u_int32_t);                                                                                                                                               // NECP_TLV_POLICY_CONDITION
  
                 // We now traverse the condition_mask to see how much space we need to allocate
                 u_int32_t condition_mask = policy->condition_mask;
  
                 // We now traverse the condition_mask to see how much space we need to allocate
                 u_int32_t condition_mask = policy->condition_mask;
@@ -2199,6 +2586,9 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                         if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
                                 num_conditions++;
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
                                 num_conditions++;
                         }
+                       if (condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+                               num_conditions++;
+                       }
                         if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                 snprintf(if_name, IFXNAMSIZ, "%s%d", ifnet_name(policy->cond_bound_interface), ifnet_unit(policy->cond_bound_interface));
                                 condition_tlv_length += strlen(if_name) + 1;
                         if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                 snprintf(if_name, IFXNAMSIZ, "%s%d", ifnet_name(policy->cond_bound_interface), ifnet_unit(policy->cond_bound_interface));
                                 condition_tlv_length += strlen(if_name) + 1;
@@ -2250,6 +2640,12 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                                 condition_tlv_length += entitlement_len;
                                 num_conditions++;
                         }
                                 condition_tlv_length += entitlement_len;
                                 num_conditions++;
                         }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+                               num_conditions++;
+                       }
                         if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                                 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                         condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
                         if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                                 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                         condition_tlv_length += sizeof(struct necp_policy_condition_addr_range);
@@ -2266,6 +2662,20 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                                 }
                                 num_conditions++;
                         }
                                 }
                                 num_conditions++;
                         }
+                       if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+                               condition_tlv_length += sizeof(struct necp_policy_condition_agent_type);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+                               condition_tlv_length += sizeof(u_int32_t);
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+                               num_conditions++;
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+                               num_conditions++;
+                       }
                 }
  
                 condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
                 }
  
                 condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
@@ -2279,11 +2689,11 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                 }
  
                 u_int8_t *cursor = tlv_buffer;
                 }
  
                 u_int8_t *cursor = tlv_buffer;
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy->id), &policy->id);
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order);
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_SESSION_ORDER, sizeof(policy->session_order), &policy->session_order);
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT_STRING, result_string_len , result_string);
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_OWNER, proc_name_len , proc_name_string);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ID, sizeof(policy->id), &policy->id, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_ORDER, sizeof(necp_policy_order), &policy->order, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_SESSION_ORDER, sizeof(policy->session_order), &policy->session_order, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_RESULT_STRING, result_string_len, result_string, tlv_buffer, total_allocated_bytes);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_OWNER, proc_name_len, proc_name_string, tlv_buffer, total_allocated_bytes);
  
  #define N_QUICK 256
                 u_int8_t q_cond_buf[N_QUICK]; // Minor optimization
  
  #define N_QUICK 256
                 u_int8_t q_cond_buf[N_QUICK]; // Minor optimization
@@ -2303,63 +2713,85 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                 memset(cond_buf, 0, condition_tlv_length);
                 u_int8_t *cond_buf_cursor = cond_buf;
                 if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
                 memset(cond_buf, 0, condition_tlv_length);
                 u_int8_t *cond_buf_cursor = cond_buf;
                 if (condition_mask == NECP_POLICY_CONDITION_DEFAULT) {
-                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DEFAULT, 0, "");
+                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DEFAULT, 0, "", cond_buf, condition_tlv_length);
                 } else {
                         if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
                 } else {
                         if (condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ALL_INTERFACES, 0, "");
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ALL_INTERFACES, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_HAS_CLIENT, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_NETWORKS, 0, "", cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_BOUND_INTERFACE, strlen(if_name) + 1, if_name);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_BOUND_INTERFACE, strlen(if_name) + 1,
+                                   if_name, cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_IP_PROTOCOL, sizeof(policy->cond_protocol), &policy->cond_protocol);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_IP_PROTOCOL, sizeof(policy->cond_protocol), &policy->cond_protocol,
+                                   cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
                                 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_app_id);
                                 if (entry != NULL) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
                                 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_app_id);
                                 if (entry != NULL) {
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_APPLICATION, sizeof(entry->uuid), entry->uuid);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_APPLICATION, sizeof(entry->uuid), entry->uuid,
+                                           cond_buf, condition_tlv_length);
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                                 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_real_app_id);
                                 if (entry != NULL) {
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                                 struct necp_uuid_id_mapping *entry = necp_uuid_lookup_uuid_with_app_id_locked(policy->cond_real_app_id);
                                 if (entry != NULL) {
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REAL_APPLICATION, sizeof(entry->uuid), entry->uuid);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REAL_APPLICATION, sizeof(entry->uuid), entry->uuid,
+                                           cond_buf, condition_tlv_length);
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_DOMAIN) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DOMAIN, strlen(policy->cond_domain) + 1, policy->cond_domain);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_DOMAIN, strlen(policy->cond_domain) + 1, policy->cond_domain,
+                                   cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                                 if (account_id_entry != NULL) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                                 if (account_id_entry != NULL) {
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ACCOUNT, strlen(account_id_entry->string) + 1, account_id_entry->string);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ACCOUNT, strlen(account_id_entry->string) + 1, account_id_entry->string,
+                                           cond_buf, condition_tlv_length);
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_PID) {
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_PID) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PID, sizeof(policy->cond_pid), &policy->cond_pid);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PID, sizeof(policy->cond_pid), &policy->cond_pid,
+                                   cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_UID) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_UID) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_UID, sizeof(policy->cond_uid), &policy->cond_uid);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_UID, sizeof(policy->cond_uid), &policy->cond_uid,
+                                   cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_TRAFFIC_CLASS, sizeof(policy->cond_traffic_class), &policy->cond_traffic_class);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_TRAFFIC_CLASS, sizeof(policy->cond_traffic_class), &policy->cond_traffic_class,
+                                   cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, 0, "");
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, 0, "",
+                                   cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
-                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, strlen(policy->cond_custom_entitlement) + 1, policy->cond_custom_entitlement);
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_ENTITLEMENT, strlen(policy->cond_custom_entitlement) + 1, policy->cond_custom_entitlement,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PLATFORM_BINARY, 0, "", cond_buf, condition_tlv_length);
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                                 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                         struct necp_policy_condition_addr_range range;
                                         memcpy(&range.start_address, &policy->cond_local_start, sizeof(policy->cond_local_start));
                                         memcpy(&range.end_address, &policy->cond_local_end, sizeof(policy->cond_local_end));
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                                 if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                         struct necp_policy_condition_addr_range range;
                                         memcpy(&range.start_address, &policy->cond_local_start, sizeof(policy->cond_local_start));
                                         memcpy(&range.end_address, &policy->cond_local_end, sizeof(policy->cond_local_end));
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE, sizeof(range), &range);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE, sizeof(range), &range,
+                                           cond_buf, condition_tlv_length);
                                 } else {
                                         struct necp_policy_condition_addr addr;
                                         addr.prefix = policy->cond_local_prefix;
                                         memcpy(&addr.address, &policy->cond_local_start, sizeof(policy->cond_local_start));
                                 } else {
                                         struct necp_policy_condition_addr addr;
                                         addr.prefix = policy->cond_local_prefix;
                                         memcpy(&addr.address, &policy->cond_local_start, sizeof(policy->cond_local_start));
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR, sizeof(addr), &addr);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_LOCAL_ADDR, sizeof(addr), &addr,
+                                           cond_buf, condition_tlv_length);
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
                                 }
                         }
                         if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) {
@@ -2367,17 +2799,33 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
                                         struct necp_policy_condition_addr_range range;
                                         memcpy(&range.start_address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
                                         memcpy(&range.end_address, &policy->cond_remote_end, sizeof(policy->cond_remote_end));
                                         struct necp_policy_condition_addr_range range;
                                         memcpy(&range.start_address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
                                         memcpy(&range.end_address, &policy->cond_remote_end, sizeof(policy->cond_remote_end));
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE, sizeof(range), &range);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE, sizeof(range), &range,
+                                           cond_buf, condition_tlv_length);
                                 } else {
                                         struct necp_policy_condition_addr addr;
                                         addr.prefix = policy->cond_remote_prefix;
                                         memcpy(&addr.address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
                                 } else {
                                         struct necp_policy_condition_addr addr;
                                         addr.prefix = policy->cond_remote_prefix;
                                         memcpy(&addr.address, &policy->cond_remote_start, sizeof(policy->cond_remote_start));
-                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR, sizeof(addr), &addr);
+                                       cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_REMOTE_ADDR, sizeof(addr), &addr,
+                                           cond_buf, condition_tlv_length);
                                 }
                         }
                                 }
                         }
+                       if (condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_AGENT_TYPE,
+                                   sizeof(policy->cond_agent_type), &policy->cond_agent_type,
+                                   cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_CLIENT_FLAGS, sizeof(policy->cond_client_flags), &policy->cond_client_flags, cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY, 0, "", cond_buf, condition_tlv_length);
+                       }
+                       if (condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY, 0, "", cond_buf, condition_tlv_length);
+                       }
                 }
  
                 }
  
-               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf);
+               cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf, tlv_buffer, total_allocated_bytes);
                 if (cond_buf != q_cond_buf) {
                         FREE(cond_buf, M_NECP);
                 }
                 if (cond_buf != q_cond_buf) {
                         FREE(cond_buf, M_NECP);
                 }
@@ -2392,36 +2840,43 @@ necp_handle_policy_dump_all(struct necp_session *session, u_int32_t message_id,
         // UNLOCK
         lck_rw_done(&necp_kernel_policy_lock);
  
         // UNLOCK
         lck_rw_done(&necp_kernel_policy_lock);
  
-       u_int32_t total_result_length = sizeof(struct necp_packet_header) + total_tlv_len;
-       MALLOC(result_buf, u_int8_t *, total_result_length, M_NECP, M_NOWAIT | M_ZERO);
-       if (result_buf == NULL) {
-               NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%u bytes)", total_result_length);
-               REPORT_ERROR(NECP_ERROR_INTERNAL);
-       }
+       // Copy out
+       if (out_buffer != 0) {
+               if (out_buffer_length < total_tlv_len + sizeof(u_int32_t)) {
+                       NECPLOG(LOG_DEBUG, "out_buffer_length too small (%u < %u)", out_buffer_length, total_tlv_len + sizeof(u_int32_t));
+                       REPORT_ERROR(NECP_ERROR_INVALID_TLV);
+               }
+
+               // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
+               MALLOC(result_buf, u_int8_t *, total_tlv_len + sizeof(u_int32_t), M_NECP, M_WAITOK | M_ZERO);
+               if (result_buf == NULL) {
+                       NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
+                       REPORT_ERROR(NECP_ERROR_INTERNAL);
+               }
  
  
-       result_buf_cursor = result_buf;
-       result_buf_cursor = necp_buffer_write_packet_header(result_buf_cursor, NECP_PACKET_TYPE_POLICY_DUMP_ALL, NECP_PACKET_FLAGS_RESPONSE, message_id);
+               // Add four bytes for total length at the start
+               memcpy(result_buf, &total_tlv_len, sizeof(u_int32_t));
  
  
-       for (int i = 0; i < policy_count; i++) {
-               if (tlv_buffer_pointers[i] != NULL) {
-                       result_buf_cursor = necp_buffer_write_tlv(result_buf_cursor, NECP_TLV_POLICY_DUMP, tlv_buffer_lengths[i], tlv_buffer_pointers[i]);
+               // Copy the TLVs
+               result_buf_cursor = result_buf + sizeof(u_int32_t);
+               for (int i = 0; i < policy_count; i++) {
+                       if (tlv_buffer_pointers[i] != NULL) {
+                               result_buf_cursor = necp_buffer_write_tlv(result_buf_cursor, NECP_TLV_POLICY_DUMP, tlv_buffer_lengths[i], tlv_buffer_pointers[i],
+                                   result_buf, total_tlv_len + sizeof(u_int32_t));
+                       }
                 }
                 }
-       }
  
  
-       if (!necp_send_ctl_data(session, result_buf, result_buf_cursor - result_buf)) {
-               NECPLOG(LOG_ERR, "Failed to send response (%u bytes)", result_buf_cursor - result_buf);
-       } else {
-               NECPLOG(LOG_ERR, "Sent data worth %u bytes. Total result buffer length was %u bytes", result_buf_cursor - result_buf, total_result_length);
+               int copy_error = copyout(result_buf, out_buffer, total_tlv_len + sizeof(u_int32_t));
+               if (copy_error) {
+                       NECPLOG(LOG_DEBUG, "Failed to copy out result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
+                       REPORT_ERROR(NECP_ERROR_INTERNAL);
+               }
         }
  
  done:
  
         if (error_occured) {
         }
  
  done:
  
         if (error_occured) {
-               if(!necp_send_error_response(session, NECP_PACKET_TYPE_POLICY_DUMP_ALL, message_id, response_error)) {
-                       NECPLOG0(LOG_ERR, "Failed to send error response");
-               } else {
-                       NECPLOG0(LOG_ERR, "Sent error response");
-               }
+               error_code = necp_get_posix_error_for_necp_error(response_error);
         }
  
         if (result_buf != NULL) {
         }
  
         if (result_buf != NULL) {
@@ -2445,6 +2900,8 @@ done:
  #undef RESET_COND_BUF
  #undef REPORT_ERROR
  #undef UNLOCK_AND_REPORT_ERROR
  #undef RESET_COND_BUF
  #undef REPORT_ERROR
  #undef UNLOCK_AND_REPORT_ERROR
+
+       return error_code;
  }
  
  static struct necp_session_policy *
  }
  
  static struct necp_session_policy *
@@ -2462,7 +2919,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
                 goto done;
         }
  
                 goto done;
         }
  
-       memset(new_policy, 0, sizeof(*new_policy));
+       memset(new_policy, 0, sizeof(*new_policy)); // M_ZERO is not supported for MALLOC_ZONE
         new_policy->applied = FALSE;
         new_policy->pending_deletion = FALSE;
         new_policy->pending_update = FALSE;
         new_policy->applied = FALSE;
         new_policy->pending_deletion = FALSE;
         new_policy->pending_update = FALSE;
@@ -2473,7 +2930,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
         new_policy->route_rules_size = route_rules_array_size;
         new_policy->result = result;
         new_policy->result_size = result_size;
         new_policy->route_rules_size = route_rules_array_size;
         new_policy->result = result;
         new_policy->result_size = result_size;
-       new_policy->id = necp_policy_get_new_id();
+       new_policy->local_id = necp_policy_get_new_id(session);
  
         LIST_INSERT_SORTED_ASCENDING(&session->policies, new_policy, chain, order, tmp_policy);
  
  
         LIST_INSERT_SORTED_ASCENDING(&session->policies, new_policy, chain, order, tmp_policy);
  
@@ -2483,7 +2940,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
                 NECPLOG(LOG_DEBUG, "Created NECP policy, order %d", order);
         }
  done:
                 NECPLOG(LOG_DEBUG, "Created NECP policy, order %d", order);
         }
  done:
-       return (new_policy);
+       return new_policy;
  }
  
  static struct necp_session_policy *
  }
  
  static struct necp_session_policy *
@@ -2491,28 +2948,28 @@ necp_policy_find(struct necp_session *session, necp_policy_id policy_id)
  {
         struct necp_session_policy *policy = NULL;
         if (policy_id == 0) {
  {
         struct necp_session_policy *policy = NULL;
         if (policy_id == 0) {
-               return (NULL);
+               return NULL;
         }
  
         LIST_FOREACH(policy, &session->policies, chain) {
         }
  
         LIST_FOREACH(policy, &session->policies, chain) {
-               if (policy->id == policy_id) {
-                       return (policy);
+               if (policy->local_id == policy_id) {
+                       return policy;
                 }
         }
  
                 }
         }
  
-       return (NULL);
+       return NULL;
  }
  
  static inline u_int8_t
  necp_policy_get_result_type(struct necp_session_policy *policy)
  {
  }
  
  static inline u_int8_t
  necp_policy_get_result_type(struct necp_session_policy *policy)
  {
-       return (policy ? necp_policy_result_get_type_from_buffer(policy->result, policy->result_size) : 0);
+       return policy ? necp_policy_result_get_type_from_buffer(policy->result, policy->result_size) : 0;
  }
  
  static inline u_int32_t
  necp_policy_get_result_parameter_length(struct necp_session_policy *policy)
  {
  }
  
  static inline u_int32_t
  necp_policy_get_result_parameter_length(struct necp_session_policy *policy)
  {
-       return (policy ? necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) : 0);
+       return policy ? necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) : 0;
  }
  
  static bool
  }
  
  static bool
@@ -2524,19 +2981,19 @@ necp_policy_get_result_parameter(struct necp_session_policy *policy, u_int8_t *p
                         u_int8_t *parameter = necp_policy_result_get_parameter_pointer_from_buffer(policy->result, policy->result_size);
                         if (parameter && parameter_buffer) {
                                 memcpy(parameter_buffer, parameter, parameter_length);
                         u_int8_t *parameter = necp_policy_result_get_parameter_pointer_from_buffer(policy->result, policy->result_size);
                         if (parameter && parameter_buffer) {
                                 memcpy(parameter_buffer, parameter, parameter_length);
-                               return (TRUE);
+                               return TRUE;
                         }
                 }
         }
  
                         }
                 }
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static bool
  necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy)
  {
         if (session == NULL || policy == NULL) {
  }
  
  static bool
  necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_policy *policy)
  {
         if (session == NULL || policy == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         policy->pending_deletion = TRUE;
         }
  
         policy->pending_deletion = TRUE;
@@ -2545,7 +3002,7 @@ necp_policy_mark_for_deletion(struct necp_session *session, struct necp_session_
         if (necp_debug) {
                 NECPLOG0(LOG_DEBUG, "Marked NECP policy for removal");
         }
         if (necp_debug) {
                 NECPLOG0(LOG_DEBUG, "Marked NECP policy for removal");
         }
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
@@ -2558,14 +3015,14 @@ necp_policy_mark_all_for_deletion(struct necp_session *session)
                 necp_policy_mark_for_deletion(session, policy);
         }
  
                 necp_policy_mark_for_deletion(session, policy);
         }
  
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy)
  {
         if (session == NULL || policy == NULL) {
  }
  
  static bool
  necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy)
  {
         if (session == NULL || policy == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         LIST_REMOVE(policy, chain);
         }
  
         LIST_REMOVE(policy, chain);
@@ -2590,7 +3047,7 @@ necp_policy_delete(struct necp_session *session, struct necp_session_policy *pol
         if (necp_debug) {
                 NECPLOG0(LOG_DEBUG, "Removed NECP policy");
         }
         if (necp_debug) {
                 NECPLOG0(LOG_DEBUG, "Removed NECP policy");
         }
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
@@ -2598,10 +3055,10 @@ necp_policy_unapply(struct necp_session_policy *policy)
  {
         int i = 0;
         if (policy == NULL) {
  {
         int i = 0;
         if (policy == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         // Release local uuid mappings
         if (!uuid_is_null(policy->applied_app_uuid)) {
  
         // Release local uuid mappings
         if (!uuid_is_null(policy->applied_app_uuid)) {
@@ -2652,13 +3109,13 @@ necp_policy_unapply(struct necp_session_policy *policy)
  
         policy->applied = FALSE;
  
  
         policy->applied = FALSE;
  
-       return (TRUE);
+       return TRUE;
  }
  
  }
  
-#define        NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION                 0
-#define        NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION             1
-#define        NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION                                2
-#define        NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS                   3
+#define NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION                 0
+#define NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION             1
+#define NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION                                2
+#define NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS                   3
  struct necp_policy_result_ip_tunnel {
         u_int32_t secondary_result;
         char interface_name[IFXNAMSIZ];
  struct necp_policy_result_ip_tunnel {
         u_int32_t secondary_result;
         char interface_name[IFXNAMSIZ];
@@ -2703,9 +3160,11 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
         union necp_sockaddr_union cond_remote_start;
         union necp_sockaddr_union cond_remote_end;
         u_int8_t cond_remote_prefix = 0;
         union necp_sockaddr_union cond_remote_start;
         union necp_sockaddr_union cond_remote_end;
         u_int8_t cond_remote_prefix = 0;
+       u_int32_t cond_client_flags = 0;
         u_int32_t offset = 0;
         u_int8_t ultimate_result = 0;
         u_int32_t secondary_result = 0;
         u_int32_t offset = 0;
         u_int8_t ultimate_result = 0;
         u_int32_t secondary_result = 0;
+       struct necp_policy_condition_agent_type cond_agent_type = {};
         necp_kernel_policy_result_parameter secondary_result_parameter;
         memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
         u_int32_t cond_last_interface_index = 0;
         necp_kernel_policy_result_parameter secondary_result_parameter;
         memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
         u_int32_t cond_last_interface_index = 0;
@@ -2713,10 +3172,10 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
         memset(&ultimate_result_parameter, 0, sizeof(ultimate_result_parameter));
  
         if (policy == NULL) {
         memset(&ultimate_result_parameter, 0, sizeof(ultimate_result_parameter));
  
         if (policy == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         // Process conditions
         while (offset < policy->conditions_size) {
  
         // Process conditions
         while (offset < policy->conditions_size) {
@@ -2729,395 +3188,488 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
                 u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(value, length);
                 u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
                 switch (condition_type) {
                 u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(value, length);
                 u_int8_t *condition_value = necp_policy_condition_get_value_pointer_from_buffer(value, length);
                 switch (condition_type) {
-                       case NECP_POLICY_CONDITION_DEFAULT: {
-                               socket_ip_conditions = TRUE;
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_ALL_INTERFACES: {
-                               master_condition_mask |= NECP_KERNEL_CONDITION_ALL_INTERFACES;
-                               socket_ip_conditions = TRUE;
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_ENTITLEMENT: {
-                               if (condition_length > 0) {
-                                       if (cond_custom_entitlement == NULL) {
-                                               cond_custom_entitlement = necp_copy_string((char *)condition_value, condition_length);
-                                               if (cond_custom_entitlement != NULL) {
-                                                       master_condition_mask |= NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
-                                                       socket_only_conditions = TRUE;
-                                               }
-                                       }
-                               } else {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_ENTITLEMENT;
-                                       socket_only_conditions = TRUE;
-                               }
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_DOMAIN: {
-                               // Make sure there is only one such rule
-                               if (condition_length > 0 && cond_domain == NULL) {
-                                       cond_domain = necp_create_trimmed_domain((char *)condition_value, condition_length);
-                                       if (cond_domain != NULL) {
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_DOMAIN;
-                                               if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_DOMAIN;
-                                               }
+               case NECP_POLICY_CONDITION_DEFAULT: {
+                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_ALL_INTERFACES: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_ALL_INTERFACES;
+                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_HAS_CLIENT: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_HAS_CLIENT;
+                       socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_ENTITLEMENT: {
+                       if (condition_length > 0) {
+                               if (cond_custom_entitlement == NULL) {
+                                       cond_custom_entitlement = necp_copy_string((char *)condition_value, condition_length);
+                                       if (cond_custom_entitlement != NULL) {
+                                               master_condition_mask |= NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
                                                 socket_only_conditions = TRUE;
                                         }
                                 }
                                                 socket_only_conditions = TRUE;
                                         }
                                 }
-                               break;
-                       }
-                       case NECP_POLICY_CONDITION_ACCOUNT: {
-                               // Make sure there is only one such rule
-                               if (condition_length > 0 && cond_account_id == 0 && policy->applied_account == NULL) {
-                                       char *string = NULL;
-                                       MALLOC(string, char *, condition_length + 1, M_NECP, M_WAITOK);
-                                       if (string != NULL) {
-                                               memcpy(string, condition_value, condition_length);
-                                               string[condition_length] = 0;
-                                               cond_account_id = necp_create_string_to_id_mapping(&necp_account_id_list, string);
-                                               if (cond_account_id != 0) {
-                                                       policy->applied_account = string; // Save the string in parent policy
-                                                       master_condition_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
-                                                       if (condition_is_negative) {
-                                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
-                                                       }
-                                                       socket_only_conditions = TRUE;
-                                               } else {
-                                                       FREE(string, M_NECP);
-                                               }
-                                       }
-                               }
-                               break;
+                       } else {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_ENTITLEMENT;
+                               socket_only_conditions = TRUE;
                         }
                         }
-                       case NECP_POLICY_CONDITION_APPLICATION: {
-                               // Make sure there is only one such rule, because we save the uuid in the policy
-                               if (condition_length >= sizeof(uuid_t) && cond_app_id == 0) {
-                                       bool allocated_mapping = FALSE;
-                                       uuid_t application_uuid;
-                                       memcpy(application_uuid, condition_value, sizeof(uuid_t));
-                                       cond_app_id = necp_create_uuid_app_id_mapping(application_uuid, &allocated_mapping, TRUE);
-                                       if (cond_app_id != 0) {
-                                               if (allocated_mapping) {
-                                                       necp_uuid_app_id_mappings_dirty = TRUE;
-                                                       necp_num_uuid_app_id_mappings++;
-                                               }
-                                               uuid_copy(policy->applied_app_uuid, application_uuid);
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_APP_ID;
-                                               if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_APP_ID;
-                                               }
-                                               socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_PLATFORM_BINARY: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_PLATFORM_BINARY;
+                       socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_DOMAIN: {
+                       // Make sure there is only one such rule
+                       if (condition_length > 0 && cond_domain == NULL) {
+                               cond_domain = necp_create_trimmed_domain((char *)condition_value, condition_length);
+                               if (cond_domain != NULL) {
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_DOMAIN;
+                                       if (condition_is_negative) {
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_DOMAIN;
                                         }
                                         }
+                                       socket_only_conditions = TRUE;
                                 }
                                 }
-                               break;
                         }
                         }
-                       case NECP_POLICY_CONDITION_REAL_APPLICATION: {
-                               // Make sure there is only one such rule, because we save the uuid in the policy
-                               if (condition_length >= sizeof(uuid_t) && cond_real_app_id == 0) {
-                                       uuid_t real_application_uuid;
-                                       memcpy(real_application_uuid, condition_value, sizeof(uuid_t));
-                                       cond_real_app_id = necp_create_uuid_app_id_mapping(real_application_uuid, NULL, FALSE);
-                                       if (cond_real_app_id != 0) {
-                                               uuid_copy(policy->applied_real_app_uuid, real_application_uuid);
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_ACCOUNT: {
+                       // Make sure there is only one such rule
+                       if (condition_length > 0 && cond_account_id == 0 && policy->applied_account == NULL) {
+                               char *string = NULL;
+                               MALLOC(string, char *, condition_length + 1, M_NECP, M_WAITOK);
+                               if (string != NULL) {
+                                       memcpy(string, condition_value, condition_length);
+                                       string[condition_length] = 0;
+                                       cond_account_id = necp_create_string_to_id_mapping(&necp_account_id_list, string);
+                                       if (cond_account_id != 0) {
+                                               policy->applied_account = string;         // Save the string in parent policy
+                                               master_condition_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
                                                 if (condition_is_negative) {
                                                 if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
+                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_ACCOUNT_ID;
                                                 }
                                                 socket_only_conditions = TRUE;
                                                 }
                                                 socket_only_conditions = TRUE;
+                                       } else {
+                                               FREE(string, M_NECP);
                                         }
                                 }
                                         }
                                 }
-                               break;
                         }
                         }
-                       case NECP_POLICY_CONDITION_PID: {
-                               if (condition_length >= sizeof(pid_t)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_PID;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_APPLICATION: {
+                       // Make sure there is only one such rule, because we save the uuid in the policy
+                       if (condition_length >= sizeof(uuid_t) && cond_app_id == 0) {
+                               bool allocated_mapping = FALSE;
+                               uuid_t application_uuid;
+                               memcpy(application_uuid, condition_value, sizeof(uuid_t));
+                               cond_app_id = necp_create_uuid_app_id_mapping(application_uuid, &allocated_mapping, TRUE);
+                               if (cond_app_id != 0) {
+                                       if (allocated_mapping) {
+                                               necp_uuid_app_id_mappings_dirty = TRUE;
+                                               necp_num_uuid_app_id_mappings++;
+                                       }
+                                       uuid_copy(policy->applied_app_uuid, application_uuid);
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_APP_ID;
                                         if (condition_is_negative) {
                                         if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_PID;
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_APP_ID;
                                         }
                                         }
-                                       memcpy(&cond_pid, condition_value, sizeof(cond_pid));
                                         socket_only_conditions = TRUE;
                                 }
                                         socket_only_conditions = TRUE;
                                 }
-                               break;
                         }
                         }
-                       case NECP_POLICY_CONDITION_UID: {
-                               if (condition_length >= sizeof(uid_t)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_UID;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_REAL_APPLICATION: {
+                       // Make sure there is only one such rule, because we save the uuid in the policy
+                       if (condition_length >= sizeof(uuid_t) && cond_real_app_id == 0) {
+                               uuid_t real_application_uuid;
+                               memcpy(real_application_uuid, condition_value, sizeof(uuid_t));
+                               cond_real_app_id = necp_create_uuid_app_id_mapping(real_application_uuid, NULL, FALSE);
+                               if (cond_real_app_id != 0) {
+                                       uuid_copy(policy->applied_real_app_uuid, real_application_uuid);
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
                                         if (condition_is_negative) {
                                         if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_UID;
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REAL_APP_ID;
                                         }
                                         }
-                                       memcpy(&cond_uid, condition_value, sizeof(cond_uid));
                                         socket_only_conditions = TRUE;
                                 }
                                         socket_only_conditions = TRUE;
                                 }
-                               break;
                         }
                         }
-                       case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
-                               if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
-                                       if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
-                                       }
-                                       memcpy(&cond_traffic_class, condition_value, sizeof(cond_traffic_class));
-                                       socket_only_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_PID: {
+                       if (condition_length >= sizeof(pid_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_PID;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_PID;
                                 }
                                 }
-                               break;
+                               memcpy(&cond_pid, condition_value, sizeof(cond_pid));
+                               socket_only_conditions = TRUE;
                         }
                         }
-                       case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
-                               if (condition_length <= IFXNAMSIZ && condition_length > 0) {
-                                       char interface_name[IFXNAMSIZ];
-                                       memcpy(interface_name, condition_value, condition_length);
-                                       interface_name[condition_length - 1] = 0; // Make sure the string is NULL terminated
-                                       if (ifnet_find_by_name(interface_name, &cond_bound_interface) == 0) {
-                                               master_condition_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
-                                               if (condition_is_negative) {
-                                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
-                                               }
-                                       }
-                                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_UID: {
+                       if (condition_length >= sizeof(uid_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_UID;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_UID;
                                 }
                                 }
-                               break;
+                               memcpy(&cond_uid, condition_value, sizeof(cond_uid));
+                               socket_only_conditions = TRUE;
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_TRAFFIC_CLASS: {
+                       if (condition_length >= sizeof(struct necp_policy_condition_tc_range)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_TRAFFIC_CLASS;
+                               }
+                               memcpy(&cond_traffic_class, condition_value, sizeof(cond_traffic_class));
+                               socket_only_conditions = TRUE;
                         }
                         }
-                       case NECP_POLICY_CONDITION_IP_PROTOCOL: {
-                               if (condition_length >= sizeof(u_int16_t)) {
-                                       master_condition_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_BOUND_INTERFACE: {
+                       if (condition_length <= IFXNAMSIZ && condition_length > 0) {
+                               char interface_name[IFXNAMSIZ];
+                               memcpy(interface_name, condition_value, condition_length);
+                               interface_name[condition_length - 1] = 0;         // Make sure the string is NULL terminated
+                               if (ifnet_find_by_name(interface_name, &cond_bound_interface) == 0) {
+                                       master_condition_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
                                         if (condition_is_negative) {
                                         if (condition_is_negative) {
-                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
+                                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_BOUND_INTERFACE;
                                         }
                                         }
-                                       memcpy(&cond_protocol, condition_value, sizeof(cond_protocol));
-                                       socket_ip_conditions = TRUE;
                                 }
                                 }
-                               break;
+                               socket_ip_conditions = TRUE;
                         }
                         }
-                       case NECP_POLICY_CONDITION_LOCAL_ADDR: {
-                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
-                               if (!necp_address_is_valid(&address_struct->address.sa)) {
-                                       break;
-                               }
-
-                               cond_local_prefix = address_struct->prefix;
-                               memcpy(&cond_local_start, &address_struct->address, sizeof(address_struct->address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_IP_PROTOCOL:
+               case NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL: {
+                       if (condition_length >= sizeof(u_int16_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
                                 if (condition_is_negative) {
                                 if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_PROTOCOL;
                                 }
                                 }
-                               socket_ip_conditions = TRUE;
+                               memcpy(&cond_protocol, condition_value, sizeof(cond_protocol));
+                               if (condition_type == NECP_POLICY_CONDITION_FLOW_IP_PROTOCOL) {
+                                       socket_only_conditions = TRUE;
+                               } else {
+                                       socket_ip_conditions = TRUE;
+                               }
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_LOCAL_NETWORKS: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_NETWORKS;
+                       socket_ip_conditions = TRUE;
+                       break;
+               }
+               case NECP_POLICY_CONDITION_LOCAL_ADDR:
+               case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR: {
+                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->address.sa)) {
                                 break;
                         }
                                 break;
                         }
-                       case NECP_POLICY_CONDITION_REMOTE_ADDR: {
-                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
-                               if (!necp_address_is_valid(&address_struct->address.sa)) {
-                                       break;
-                               }
  
  
-                               cond_remote_prefix = address_struct->prefix;
-                               memcpy(&cond_remote_start, &address_struct->address, sizeof(address_struct->address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
-                               if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
-                               }
+                       cond_local_prefix = address_struct->prefix;
+                       memcpy(&cond_local_start, &address_struct->address, sizeof(address_struct->address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_PREFIX;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR) {
+                               socket_only_conditions = TRUE;
+                       } else {
                                 socket_ip_conditions = TRUE;
                                 socket_ip_conditions = TRUE;
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_REMOTE_ADDR:
+               case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR: {
+                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->address.sa)) {
                                 break;
                         }
                                 break;
                         }
-                       case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE: {
-                               struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
-                               if (!necp_address_is_valid(&address_struct->start_address.sa) ||
-                                       !necp_address_is_valid(&address_struct->end_address.sa)) {
-                                       break;
-                               }
  
  
-                               memcpy(&cond_local_start, &address_struct->start_address, sizeof(address_struct->start_address));
-                               memcpy(&cond_local_end, &address_struct->end_address, sizeof(address_struct->end_address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
-                               if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
-                               }
+                       cond_remote_prefix = address_struct->prefix;
+                       memcpy(&cond_remote_start, &address_struct->address, sizeof(address_struct->address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_PREFIX;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR) {
+                               socket_only_conditions = TRUE;
+                       } else {
                                 socket_ip_conditions = TRUE;
                                 socket_ip_conditions = TRUE;
+                       }
+                       break;
+               }
+               case NECP_POLICY_CONDITION_LOCAL_ADDR_RANGE:
+               case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE: {
+                       struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->start_address.sa) ||
+                           !necp_address_is_valid(&address_struct->end_address.sa)) {
                                 break;
                         }
                                 break;
                         }
-                       case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE: {
-                               struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
-                               if (!necp_address_is_valid(&address_struct->start_address.sa) ||
-                                       !necp_address_is_valid(&address_struct->end_address.sa)) {
-                                       break;
-                               }
  
  
-                               memcpy(&cond_remote_start, &address_struct->start_address, sizeof(address_struct->start_address));
-                               memcpy(&cond_remote_end, &address_struct->end_address, sizeof(address_struct->end_address));
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                               master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
-                               if (condition_is_negative) {
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
-                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
-                               }
+                       memcpy(&cond_local_start, &address_struct->start_address, sizeof(address_struct->start_address));
+                       memcpy(&cond_local_end, &address_struct->end_address, sizeof(address_struct->end_address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_END;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_RANGE) {
+                               socket_only_conditions = TRUE;
+                       } else {
                                 socket_ip_conditions = TRUE;
                                 socket_ip_conditions = TRUE;
-                               break;
                         }
                         }
-                       default: {
+                       break;
+               }
+               case NECP_POLICY_CONDITION_REMOTE_ADDR_RANGE:
+               case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE: {
+                       struct necp_policy_condition_addr_range *address_struct = (struct necp_policy_condition_addr_range *)(void *)condition_value;
+                       if (!necp_address_is_valid(&address_struct->start_address.sa) ||
+                           !necp_address_is_valid(&address_struct->end_address.sa)) {
                                 break;
                         }
                                 break;
                         }
-               }
-
-               offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
-       }
  
  
-       // Process result
-       ultimate_result = necp_policy_get_result_type(policy);
-       switch (ultimate_result) {
-               case NECP_POLICY_RESULT_PASS: {
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
+                       memcpy(&cond_remote_start, &address_struct->start_address, sizeof(address_struct->start_address));
+                       memcpy(&cond_remote_end, &address_struct->end_address, sizeof(address_struct->end_address));
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_START;
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_END;
+                       }
+                       if (condition_type == NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_RANGE) {
+                               socket_only_conditions = TRUE;
+                       } else {
+                               socket_ip_conditions = TRUE;
                         }
                         break;
                 }
                         }
                         break;
                 }
-               case NECP_POLICY_RESULT_DROP: {
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
-                               ip_output_layer_non_id_only = TRUE; // Only apply drop to packets that didn't go through socket layer
+               case NECP_POLICY_CONDITION_AGENT_TYPE: {
+                       if (condition_length >= sizeof(cond_agent_type)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_AGENT_TYPE;
+                               memcpy(&cond_agent_type, condition_value, sizeof(cond_agent_type));
+                               socket_only_conditions = TRUE;
                         }
                         break;
                 }
                         }
                         break;
                 }
-               case NECP_POLICY_RESULT_SKIP: {
-                       u_int32_t skip_policy_order = 0;
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&skip_policy_order, sizeof(skip_policy_order))) {
-                               ultimate_result_parameter.skip_policy_order = skip_policy_order;
+               case NECP_POLICY_CONDITION_CLIENT_FLAGS: {
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_CLIENT_FLAGS;
                         }
                         }
-
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
+                       master_condition_mask |= NECP_KERNEL_CONDITION_CLIENT_FLAGS;
+                       socket_only_conditions = TRUE;
+                       if (condition_length >= sizeof(u_int32_t)) {
+                               memcpy(&cond_client_flags, condition_value, sizeof(cond_client_flags));
+                       } else {
+                               // Empty means match on fallback traffic
+                               cond_client_flags = NECP_CLIENT_PARAMETER_FLAG_FALLBACK_TRAFFIC;
                         }
                         break;
                 }
                         }
                         break;
                 }
-               case NECP_POLICY_RESULT_SOCKET_DIVERT:
-               case NECP_POLICY_RESULT_SOCKET_FILTER: {
-                       u_int32_t control_unit = 0;
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&control_unit, sizeof(control_unit))) {
-                               ultimate_result_parameter.flow_divert_control_unit = control_unit;
+               case NECP_POLICY_CONDITION_FLOW_LOCAL_ADDR_EMPTY: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_LOCAL_EMPTY;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_LOCAL_EMPTY;
                         }
                         }
-                       socket_layer_non_id_conditions = TRUE;
+                       socket_only_conditions = TRUE;
                         break;
                 }
                         break;
                 }
-               case NECP_POLICY_RESULT_IP_TUNNEL: {
-                       struct necp_policy_result_ip_tunnel tunnel_parameters;
-                       u_int32_t tunnel_parameters_length = necp_policy_get_result_parameter_length(policy);
-                       if (tunnel_parameters_length > sizeof(u_int32_t) &&
-                               tunnel_parameters_length <= sizeof(struct necp_policy_result_ip_tunnel) &&
-                               necp_policy_get_result_parameter(policy, (u_int8_t *)&tunnel_parameters, sizeof(tunnel_parameters))) {
-                               ifnet_t tunnel_interface = NULL;
-                               tunnel_parameters.interface_name[tunnel_parameters_length - sizeof(u_int32_t) - 1] = 0; // Make sure the string is NULL terminated
-                               if (ifnet_find_by_name(tunnel_parameters.interface_name, &tunnel_interface) == 0) {
-                                       ultimate_result_parameter.tunnel_interface_index = tunnel_interface->if_index;
-                                       ifnet_release(tunnel_interface);
-                               }
+               case NECP_POLICY_CONDITION_FLOW_REMOTE_ADDR_EMPTY: {
+                       master_condition_mask |= NECP_KERNEL_CONDITION_REMOTE_EMPTY;
+                       if (condition_is_negative) {
+                               master_condition_negated_mask |= NECP_KERNEL_CONDITION_REMOTE_EMPTY;
+                       }
+                       socket_only_conditions = TRUE;
+                       break;
+               }
+               default: {
+                       break;
+               }
+               }
  
  
-                               secondary_result = tunnel_parameters.secondary_result;
-                               if (secondary_result) {
-                                       cond_last_interface_index = ultimate_result_parameter.tunnel_interface_index;
-                               }
+               offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
+       }
+
+       // Process result
+       ultimate_result = necp_policy_get_result_type(policy);
+       switch (ultimate_result) {
+       case NECP_POLICY_RESULT_PASS: {
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_DROP: {
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+                       ip_output_layer_non_id_only = TRUE;         // Only apply drop to packets that didn't go through socket layer
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SKIP: {
+               u_int32_t skip_policy_order = 0;
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&skip_policy_order, sizeof(skip_policy_order))) {
+                       ultimate_result_parameter.skip_policy_order = skip_policy_order;
+               }
+
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SOCKET_DIVERT:
+       case NECP_POLICY_RESULT_SOCKET_FILTER: {
+               u_int32_t control_unit = 0;
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&control_unit, sizeof(control_unit))) {
+                       ultimate_result_parameter.flow_divert_control_unit = control_unit;
+               }
+               socket_layer_non_id_conditions = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_IP_TUNNEL: {
+               struct necp_policy_result_ip_tunnel tunnel_parameters;
+               u_int32_t tunnel_parameters_length = necp_policy_get_result_parameter_length(policy);
+               if (tunnel_parameters_length > sizeof(u_int32_t) &&
+                   tunnel_parameters_length <= sizeof(struct necp_policy_result_ip_tunnel) &&
+                   necp_policy_get_result_parameter(policy, (u_int8_t *)&tunnel_parameters, sizeof(tunnel_parameters))) {
+                       ifnet_t tunnel_interface = NULL;
+                       tunnel_parameters.interface_name[tunnel_parameters_length - sizeof(u_int32_t) - 1] = 0;         // Make sure the string is NULL terminated
+                       if (ifnet_find_by_name(tunnel_parameters.interface_name, &tunnel_interface) == 0) {
+                               ultimate_result_parameter.tunnel_interface_index = tunnel_interface->if_index;
+                               ifnet_release(tunnel_interface);
                         }
  
                         }
  
-                       if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                               if (secondary_result) {
-                                       ip_output_layer_tunnel_condition_from_id = TRUE;
-                               }
-                       } else if (socket_ip_conditions) {
-                               socket_layer_non_id_conditions = TRUE;
-                               ip_output_layer_id_condition = TRUE;
-                               ip_output_layer_non_id_conditions = TRUE;
-                               if (secondary_result) {
-                                       ip_output_layer_tunnel_condition_from_id = TRUE;
-                                       ip_output_layer_tunnel_condition_from_non_id = TRUE;
-                               }
+                       secondary_result = tunnel_parameters.secondary_result;
+                       if (secondary_result) {
+                               cond_last_interface_index = ultimate_result_parameter.tunnel_interface_index;
                         }
                         }
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_TRIGGER:
-               case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
-               case NECP_POLICY_RESULT_TRIGGER_SCOPED:
-               case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
-                       struct necp_policy_result_service service_parameters;
-                       u_int32_t service_result_length = necp_policy_get_result_parameter_length(policy);
-                       bool has_extra_service_data = FALSE;
-                       if (service_result_length >= (sizeof(service_parameters))) {
-                               has_extra_service_data = TRUE;
-                       }
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&service_parameters, sizeof(service_parameters))) {
-                               ultimate_result_parameter.service.identifier = necp_create_uuid_service_id_mapping(service_parameters.identifier);
-                               if (ultimate_result_parameter.service.identifier != 0) {
-                                       uuid_copy(policy->applied_result_uuid, service_parameters.identifier);
-                                       socket_layer_non_id_conditions = TRUE;
-                                       if (has_extra_service_data) {
-                                               ultimate_result_parameter.service.data = service_parameters.data;
-                                       } else {
-                                               ultimate_result_parameter.service.data = 0;
-                                       }
+
+               if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+                       if (secondary_result) {
+                               ip_output_layer_tunnel_condition_from_id = TRUE;
+                       }
+               } else if (socket_ip_conditions) {
+                       socket_layer_non_id_conditions = TRUE;
+                       ip_output_layer_id_condition = TRUE;
+                       ip_output_layer_non_id_conditions = TRUE;
+                       if (secondary_result) {
+                               ip_output_layer_tunnel_condition_from_id = TRUE;
+                               ip_output_layer_tunnel_condition_from_non_id = TRUE;
+                       }
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER:
+       case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED:
+       case NECP_POLICY_RESULT_TRIGGER_SCOPED:
+       case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
+               struct necp_policy_result_service service_parameters;
+               u_int32_t service_result_length = necp_policy_get_result_parameter_length(policy);
+               bool has_extra_service_data = FALSE;
+               if (service_result_length >= (sizeof(service_parameters))) {
+                       has_extra_service_data = TRUE;
+               }
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&service_parameters, sizeof(service_parameters))) {
+                       ultimate_result_parameter.service.identifier = necp_create_uuid_service_id_mapping(service_parameters.identifier);
+                       if (ultimate_result_parameter.service.identifier != 0) {
+                               uuid_copy(policy->applied_result_uuid, service_parameters.identifier);
+                               socket_layer_non_id_conditions = TRUE;
+                               if (has_extra_service_data) {
+                                       ultimate_result_parameter.service.data = service_parameters.data;
+                               } else {
+                                       ultimate_result_parameter.service.data = 0;
                                 }
                         }
                                 }
                         }
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_USE_NETAGENT: {
-                       uuid_t netagent_uuid;
-                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&netagent_uuid, sizeof(netagent_uuid))) {
-                               ultimate_result_parameter.netagent_id = necp_create_uuid_service_id_mapping(netagent_uuid);
-                               if (ultimate_result_parameter.netagent_id != 0) {
-                                       uuid_copy(policy->applied_result_uuid, netagent_uuid);
-                                       socket_layer_non_id_conditions = TRUE;
-                               }
+               break;
+       }
+       case NECP_POLICY_RESULT_USE_NETAGENT:
+       case NECP_POLICY_RESULT_NETAGENT_SCOPED: {
+               uuid_t netagent_uuid;
+               if (necp_policy_get_result_parameter(policy, (u_int8_t *)&netagent_uuid, sizeof(netagent_uuid))) {
+                       ultimate_result_parameter.netagent_id = necp_create_uuid_service_id_mapping(netagent_uuid);
+                       if (ultimate_result_parameter.netagent_id != 0) {
+                               uuid_copy(policy->applied_result_uuid, netagent_uuid);
+                               socket_layer_non_id_conditions = TRUE;
                         }
                         }
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_SOCKET_SCOPED: {
-                       u_int32_t interface_name_length = necp_policy_get_result_parameter_length(policy);
-                       if (interface_name_length <= IFXNAMSIZ && interface_name_length > 0) {
-                               char interface_name[IFXNAMSIZ];
-                               ifnet_t scope_interface = NULL;
-                               necp_policy_get_result_parameter(policy, (u_int8_t *)interface_name, interface_name_length);
-                               interface_name[interface_name_length - 1] = 0; // Make sure the string is NULL terminated
-                               if (ifnet_find_by_name(interface_name, &scope_interface) == 0) {
-                                       ultimate_result_parameter.scoped_interface_index = scope_interface->if_index;
-                                       socket_layer_non_id_conditions = TRUE;
-                                       ifnet_release(scope_interface);
-                               }
+               break;
+       }
+       case NECP_POLICY_RESULT_SOCKET_SCOPED: {
+               u_int32_t interface_name_length = necp_policy_get_result_parameter_length(policy);
+               if (interface_name_length <= IFXNAMSIZ && interface_name_length > 0) {
+                       char interface_name[IFXNAMSIZ];
+                       ifnet_t scope_interface = NULL;
+                       necp_policy_get_result_parameter(policy, (u_int8_t *)interface_name, interface_name_length);
+                       interface_name[interface_name_length - 1] = 0;         // Make sure the string is NULL terminated
+                       if (ifnet_find_by_name(interface_name, &scope_interface) == 0) {
+                               ultimate_result_parameter.scoped_interface_index = scope_interface->if_index;
+                               socket_layer_non_id_conditions = TRUE;
+                               ifnet_release(scope_interface);
                         }
                         }
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_ROUTE_RULES: {
-                       if (policy->route_rules != NULL && policy->route_rules_size > 0) {
-                               u_int32_t route_rule_id = necp_create_route_rule(&necp_route_rules, policy->route_rules, policy->route_rules_size);
-                               if (route_rule_id > 0) {
-                                       policy->applied_route_rules_id = route_rule_id;
-                                       ultimate_result_parameter.route_rule_id = route_rule_id;
+               break;
+       }
+       case NECP_POLICY_RESULT_SCOPED_DIRECT: {
+               socket_layer_non_id_conditions = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
+               socket_layer_non_id_conditions = TRUE;
+               break;
+       }
+       case NECP_POLICY_RESULT_ROUTE_RULES: {
+               if (policy->route_rules != NULL && policy->route_rules_size > 0) {
+                       u_int32_t route_rule_id = necp_create_route_rule(&necp_route_rules, policy->route_rules, policy->route_rules_size);
+                       if (route_rule_id > 0) {
+                               policy->applied_route_rules_id = route_rule_id;
+                               ultimate_result_parameter.route_rule_id = route_rule_id;
+                               if (socket_only_conditions) { // socket_ip_conditions can be TRUE or FALSE
                                         socket_layer_non_id_conditions = TRUE;
                                         socket_layer_non_id_conditions = TRUE;
+                               } else if (socket_ip_conditions) {
+                                       socket_layer_non_id_conditions = TRUE;
+                                       ip_output_layer_non_id_conditions = TRUE;
+                                       ip_output_layer_non_id_only = TRUE; // Only apply route rules to packets that didn't go through socket layer
                                 }
                         }
                                 }
                         }
-                       break;
-               }
-               default: {
-                       break;
                 }
                 }
+               break;
+       }
+       default: {
+               break;
+       }
         }
  
         if (socket_layer_non_id_conditions) {
         }
  
         if (socket_layer_non_id_conditions) {
-               necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->id, policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, &cond_agent_type, cond_client_flags, ultimate_result, ultimate_result_parameter);
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
@@ -3133,7 +3685,8 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
                 if (ip_output_layer_non_id_only) {
                         condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
                 }
                 if (ip_output_layer_non_id_only) {
                         condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
                 }
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
+
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3144,7 +3697,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
         }
  
         if (ip_output_layer_id_condition) {
         }
  
         if (ip_output_layer_id_condition) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, ultimate_result, ultimate_result_parameter);
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3156,7 +3709,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
  
         // Extra policies for IP Output tunnels for when packets loop back
         if (ip_output_layer_tunnel_condition_from_id) {
  
         // Extra policies for IP Output tunnels for when packets loop back
         if (ip_output_layer_tunnel_condition_from_id) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3167,7 +3720,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
         }
  
         if (ip_output_layer_tunnel_condition_from_id) {
         }
  
         if (ip_output_layer_tunnel_condition_from_id) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->id, policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
  
                 if (policy_id == 0) {
                         NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3179,10 +3732,10 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
  
         policy->applied = TRUE;
         policy->pending_update = FALSE;
  
         policy->applied = TRUE;
         policy->pending_update = FALSE;
-       return (TRUE);
+       return TRUE;
  
  fail:
  
  fail:
-       return (FALSE);
+       return FALSE;
  }
  
  static void
  }
  
  static void
@@ -3235,29 +3788,60 @@ necp_policy_apply_all(struct necp_session *session)
  // ---------------------
  // Kernel policies are derived from session policies
  static necp_kernel_policy_id
  // ---------------------
  // Kernel policies are derived from session policies
  static necp_kernel_policy_id
-necp_kernel_policy_get_new_id(void)
+necp_kernel_policy_get_new_id(bool socket_level)
  {
  {
-       necp_kernel_policy_id newid = NECP_KERNEL_POLICY_ID_NONE;
+       static necp_kernel_policy_id necp_last_kernel_socket_policy_id = 0;
+       static necp_kernel_policy_id necp_last_kernel_ip_policy_id = 0;
  
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       necp_kernel_policy_id newid = NECP_KERNEL_POLICY_ID_NONE;
  
  
-       necp_last_kernel_policy_id++;
-       if (necp_last_kernel_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID) {
-               necp_last_kernel_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID;
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+       if (socket_level) {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_kernel_socket_policy_id++;
+                       if (necp_last_kernel_socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET ||
+                           necp_last_kernel_socket_policy_id >= NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free socket kernel policy ID.\n");
+                                       return NECP_KERNEL_POLICY_ID_NONE;
+                               }
+                               necp_last_kernel_socket_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_SOCKET;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_kernel_socket_policy_id;
+               } while (necp_kernel_socket_policy_find(newid) != NULL); // If already used, keep trying
+       } else {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_kernel_ip_policy_id++;
+                       if (necp_last_kernel_ip_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free IP kernel policy ID.\n");
+                                       return NECP_KERNEL_POLICY_ID_NONE;
+                               }
+                               necp_last_kernel_ip_policy_id = NECP_KERNEL_POLICY_ID_FIRST_VALID_IP;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_kernel_ip_policy_id;
+               } while (necp_kernel_ip_output_policy_find(newid) != NULL); // If already used, keep trying
         }
  
         }
  
-       newid = necp_last_kernel_policy_id;
         if (newid == NECP_KERNEL_POLICY_ID_NONE) {
         if (newid == NECP_KERNEL_POLICY_ID_NONE) {
-               NECPLOG0(LOG_DEBUG, "Allocate kernel policy id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate kernel policy id failed.\n");
+               return NECP_KERNEL_POLICY_ID_NONE;
         }
  
         }
  
-       return (newid);
+       return newid;
  }
  
  }
  
-#define        NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT)
+#define NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT | NECP_KERNEL_CONDITION_AGENT_TYPE | NECP_KERNEL_CONDITION_HAS_CLIENT | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_CLIENT_FLAGS | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_PLATFORM_BINARY)
+
  static necp_kernel_policy_id
  static necp_kernel_policy_id
-necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
+necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, u_int32_t cond_client_flags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
  {
         struct necp_kernel_socket_policy *new_kernel_policy = NULL;
         struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
  {
         struct necp_kernel_socket_policy *new_kernel_policy = NULL;
         struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
@@ -3267,9 +3851,8 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
                 goto done;
         }
  
                 goto done;
         }
  
-       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy));
-       new_kernel_policy->parent_policy_id = parent_policy_id;
-       new_kernel_policy->id = necp_kernel_policy_get_new_id();
+       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
+       new_kernel_policy->id = necp_kernel_policy_get_new_id(true);
         new_kernel_policy->order = order;
         new_kernel_policy->session_order = session_order;
         new_kernel_policy->session_pid = session_pid;
         new_kernel_policy->order = order;
         new_kernel_policy->session_order = session_order;
         new_kernel_policy->session_pid = session_pid;
@@ -3291,6 +3874,12 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
         if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
                 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
         }
         if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX)) {
                 new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REMOTE_PREFIX;
         }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+               new_kernel_policy->condition_mask &= ~(NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_LOCAL_END);
+       }
+       if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY)) {
+               new_kernel_policy->condition_mask &= ~(NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_REMOTE_END);
+       }
         new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
  
         // Set condition values
         new_kernel_policy->condition_negated_mask = condition_negated_mask & new_kernel_policy->condition_mask;
  
         // Set condition values
@@ -3302,6 +3891,7 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
         }
         if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
                 new_kernel_policy->cond_custom_entitlement = cond_custom_entitlement;
         }
         if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
                 new_kernel_policy->cond_custom_entitlement = cond_custom_entitlement;
+               new_kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_unknown;
         }
         if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                 new_kernel_policy->cond_account_id = cond_account_id;
         }
         if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                 new_kernel_policy->cond_account_id = cond_account_id;
@@ -3346,6 +3936,12 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
         if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                 new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
         }
         if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                 new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
         }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+               memcpy(&new_kernel_policy->cond_agent_type, cond_agent_type, sizeof(*cond_agent_type));
+       }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+               new_kernel_policy->cond_client_flags = cond_client_flags;
+       }
  
         new_kernel_policy->result = result;
         memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
  
         new_kernel_policy->result = result;
         memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
@@ -3355,7 +3951,7 @@ necp_kernel_socket_policy_add(necp_policy_id parent_policy_id, necp_policy_order
         }
         LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
  done:
         }
         LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
  done:
-       return (new_kernel_policy ? new_kernel_policy->id : 0);
+       return new_kernel_policy ? new_kernel_policy->id : 0;
  }
  
  static struct necp_kernel_socket_policy *
  }
  
  static struct necp_kernel_socket_policy *
@@ -3365,16 +3961,16 @@ necp_kernel_socket_policy_find(necp_kernel_policy_id policy_id)
         struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
  
         if (policy_id == 0) {
         struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
  
         if (policy_id == 0) {
-               return (NULL);
+               return NULL;
         }
  
         LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) {
                 if (kernel_policy->id == policy_id) {
         }
  
         LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) {
                 if (kernel_policy->id == policy_id) {
-                       return (kernel_policy);
+                       return kernel_policy;
                 }
         }
  
                 }
         }
  
-       return (NULL);
+       return NULL;
  }
  
  static bool
  }
  
  static bool
@@ -3382,7 +3978,7 @@ necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
  {
         struct necp_kernel_socket_policy *policy = NULL;
  
  {
         struct necp_kernel_socket_policy *policy = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         policy = necp_kernel_socket_policy_find(policy_id);
         if (policy) {
  
         policy = necp_kernel_socket_policy_find(policy_id);
         if (policy) {
@@ -3404,10 +4000,10 @@ necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
                 }
  
                 FREE_ZONE(policy, sizeof(*policy), M_NECP_SOCKET_POLICY);
                 }
  
                 FREE_ZONE(policy, sizeof(*policy), M_NECP_SOCKET_POLICY);
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static inline const char *
  }
  
  static inline const char *
@@ -3415,200 +4011,221 @@ necp_get_result_description(char *result_string, necp_kernel_policy_result resul
  {
         uuid_string_t uuid_string;
         switch (result) {
  {
         uuid_string_t uuid_string;
         switch (result) {
-               case NECP_KERNEL_POLICY_RESULT_NONE: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "None");
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_PASS: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Pass");
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_SKIP: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Skip (%u)", result_parameter.skip_policy_order);
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_DROP: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop");
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketDivert (%d)", result_parameter.flow_divert_control_unit);
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketFilter (%d)", result_parameter.filter_control_unit);
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_IP_TUNNEL: {
-                       ifnet_t interface = ifindex2ifnet[result_parameter.tunnel_interface_index];
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "IPTunnel (%s%d)", ifnet_name(interface), ifnet_unit(interface));
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_IP_FILTER: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "IPFilter");
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED: {
-                       ifnet_t interface = ifindex2ifnet[result_parameter.scoped_interface_index];
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketScoped (%s%d)", ifnet_name(interface), ifnet_unit(interface));
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_ROUTE_RULES: {
-                       int index = 0;
-                       char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
-                       struct necp_route_rule *route_rule = necp_lookup_route_rule_locked(&necp_route_rules, result_parameter.route_rule_id);
-                       if (route_rule != NULL) {
-                               for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
-                                       if (route_rule->exception_if_indices[index] != 0) {
-                                               ifnet_t interface = ifindex2ifnet[route_rule->exception_if_indices[index]];
-                                               snprintf(interface_names[index], IFXNAMSIZ, "%s%d", ifnet_name(interface), ifnet_unit(interface));
-                                       } else {
-                                               memset(interface_names[index], 0, IFXNAMSIZ);
-                                       }
-                               }
-                               switch (route_rule->default_action) {
-                               case NECP_ROUTE_RULE_DENY_INTERFACE:
-                                       snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Only %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
-                                                        (route_rule->cellular_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Cell " : "",
-                                                        (route_rule->wifi_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "WiFi " : "",
-                                                        (route_rule->wired_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Wired " : "",
-                                                        (route_rule->expensive_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Exp " : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[0] : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[1] : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[2] : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[3] : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[4] : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[5] : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[6] : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[7] : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[8] : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[9] : "");
-                                       break;
-                               case NECP_ROUTE_RULE_ALLOW_INTERFACE:
-                                       snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
-                                                        (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Cell " : "",
-                                                        (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!WiFi " : "",
-                                                        (route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Wired " : "",
-                                                        (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Exp " : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[0] : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[1] : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[2] : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[3] : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[4] : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[5] : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[6] : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[7] : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[8] : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[9] : "");
-                                       break;
-                               case NECP_ROUTE_RULE_QOS_MARKING:
-                                       snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (QoSMarking %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
-                                                        (route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Cell " : "",
-                                                        (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING) ? "WiFi " : "",
-                                                        (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Wired " : "",
-                                                        (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Exp " : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[0] : "",
-                                                        (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[1] : "",
-                                                        (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[2] : "",
-                                                        (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[3] : "",
-                                                        (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[4] : "",
-                                                        (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[5] : "",
-                                                        (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[6] : "",
-                                                        (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[7] : "",
-                                                        (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[8] : "",
-                                                        (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
-                                                        (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[9] : "");
-                                       break;
-                               default:
-                                       snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Unknown)");
-                                       break;
+       case NECP_KERNEL_POLICY_RESULT_NONE: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "None");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_PASS: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Pass");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SKIP: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Skip (%u)", result_parameter.skip_policy_order);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_DROP: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketDivert (%d)", result_parameter.flow_divert_control_unit);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketFilter (%d)", result_parameter.filter_control_unit);
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_IP_TUNNEL: {
+               ifnet_t interface = ifindex2ifnet[result_parameter.tunnel_interface_index];
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "IPTunnel (%s%d)", ifnet_name(interface), ifnet_unit(interface));
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_IP_FILTER: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "IPFilter");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED: {
+               ifnet_t interface = ifindex2ifnet[result_parameter.scoped_interface_index];
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "SocketScoped (%s%d)", ifnet_name(interface), ifnet_unit(interface));
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "ScopedDirect");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "AllowUnentitled");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_ROUTE_RULES: {
+               int index = 0;
+               char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
+               struct necp_route_rule *route_rule = necp_lookup_route_rule_locked(&necp_route_rules, result_parameter.route_rule_id);
+               if (route_rule != NULL) {
+                       for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
+                               if (route_rule->exception_if_indices[index] != 0) {
+                                       ifnet_t interface = ifindex2ifnet[route_rule->exception_if_indices[index]];
+                                       snprintf(interface_names[index], IFXNAMSIZ, "%s%d", ifnet_name(interface), ifnet_unit(interface));
+                               } else {
+                                       memset(interface_names[index], 0, IFXNAMSIZ);
                                 }
                         }
                                 }
                         }
-                       break;
-               }
-               case NECP_KERNEL_POLICY_RESULT_USE_NETAGENT: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
+                       switch (route_rule->default_action) {
+                       case NECP_ROUTE_RULE_DENY_INTERFACE:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Only %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
+                                   (route_rule->cellular_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Cell " : "",
+                                   (route_rule->wifi_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "WiFi " : "",
+                                   (route_rule->wired_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Wired " : "",
+                                   (route_rule->expensive_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Exp " : "",
+                                   (route_rule->constrained_action == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? "Constrained " : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[0] : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[1] : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[2] : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[3] : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[4] : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[5] : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[6] : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[7] : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[8] : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? " " : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_ALLOW_INTERFACE) ? interface_names[9] : "");
+                               break;
+                       case NECP_ROUTE_RULE_ALLOW_INTERFACE:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
+                                   (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Cell " : "",
+                                   (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!WiFi " : "",
+                                   (route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Wired " : "",
+                                   (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Exp " : "",
+                                   (route_rule->constrained_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!Constrained " : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[0] : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[1] : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[2] : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[3] : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[4] : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[5] : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[6] : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[7] : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[8] : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? "!" : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_DENY_INTERFACE) ? interface_names[9] : "");
+                               break;
+                       case NECP_ROUTE_RULE_QOS_MARKING:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (QoSMarking %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s)",
+                                   (route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Cell " : "",
+                                   (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING) ? "WiFi " : "",
+                                   (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Wired " : "",
+                                   (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Exp " : "",
+                                   (route_rule->constrained_action == NECP_ROUTE_RULE_QOS_MARKING) ? "Constrained " : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[0] : "",
+                                   (route_rule->exception_if_actions[0] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[1] : "",
+                                   (route_rule->exception_if_actions[1] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[2] : "",
+                                   (route_rule->exception_if_actions[2] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[3] : "",
+                                   (route_rule->exception_if_actions[3] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[4] : "",
+                                   (route_rule->exception_if_actions[4] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[5] : "",
+                                   (route_rule->exception_if_actions[5] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[6] : "",
+                                   (route_rule->exception_if_actions[6] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[7] : "",
+                                   (route_rule->exception_if_actions[7] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[8] : "",
+                                   (route_rule->exception_if_actions[8] == NECP_ROUTE_RULE_QOS_MARKING) ? " " : "",
+                                   (route_rule->exception_if_actions[9] == NECP_ROUTE_RULE_QOS_MARKING) ? interface_names[9] : "");
+                               break;
+                       default:
+                               snprintf(result_string, MAX_RESULT_STRING_LEN, "RouteRules (Unknown)");
+                               break;
                         }
                         }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "UseNetAgent (%s)", found_mapping ? uuid_string : "Unknown");
-                       break;
                 }
                 }
-               case NECP_POLICY_RESULT_TRIGGER: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Trigger (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_USE_NETAGENT: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                 }
                 }
-               case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerIfNeeded (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "UseNetAgent (%s)", found_mapping ? uuid_string : "Unknown");
+               break;
+       }
+       case NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.netagent_id);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                 }
                 }
-               case NECP_POLICY_RESULT_TRIGGER_SCOPED: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "NetAgentScoped (%s)", found_mapping ? uuid_string : "Unknown");
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                 }
                 }
-               case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
-                       bool found_mapping = FALSE;
-                       struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
-                       if (mapping != NULL) {
-                               uuid_unparse(mapping->uuid, uuid_string);
-                               found_mapping = TRUE;
-                       }
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "NoTriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Trigger (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER_IF_NEEDED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                 }
                 }
-               default: {
-                       snprintf(result_string, MAX_RESULT_STRING_LEN, "Unknown %d (%d)", result, result_parameter.tunnel_interface_index);
-                       break;
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerIfNeeded (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       case NECP_POLICY_RESULT_TRIGGER_SCOPED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
                 }
                 }
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "TriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       case NECP_POLICY_RESULT_NO_TRIGGER_SCOPED: {
+               bool found_mapping = FALSE;
+               struct necp_uuid_id_mapping *mapping = necp_uuid_lookup_uuid_with_service_id_locked(result_parameter.service.identifier);
+               if (mapping != NULL) {
+                       uuid_unparse(mapping->uuid, uuid_string);
+                       found_mapping = TRUE;
+               }
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "NoTriggerScoped (%s.%d)", found_mapping ? uuid_string : "Unknown", result_parameter.service.data);
+               break;
+       }
+       default: {
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Unknown %d (%d)", result, result_parameter.tunnel_interface_index);
+               break;
         }
         }
-       return (result_string);
+       }
+       return result_string;
  }
  
  static void
  }
  
  static void
@@ -3651,7 +4268,7 @@ necp_kernel_socket_policies_dump_all(void)
  static inline bool
  necp_kernel_socket_result_is_trigger_service_type(struct necp_kernel_socket_policy *kernel_policy)
  {
  static inline bool
  necp_kernel_socket_result_is_trigger_service_type(struct necp_kernel_socket_policy *kernel_policy)
  {
-       return (kernel_policy->result >= NECP_KERNEL_POLICY_RESULT_TRIGGER && kernel_policy->result <= NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED);
+       return kernel_policy->result >= NECP_KERNEL_POLICY_RESULT_TRIGGER && kernel_policy->result <= NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED;
  }
  
  static inline bool
  }
  
  static inline bool
@@ -3659,33 +4276,35 @@ necp_kernel_socket_policy_results_overlap(struct necp_kernel_socket_policy *uppe
  {
         if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_DROP) {
                 // Drop always cancels out lower policies
  {
         if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_DROP) {
                 // Drop always cancels out lower policies
-               return (TRUE);
+               return TRUE;
         } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER ||
         } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER ||
-                          upper_policy->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES ||
-                          upper_policy->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT) {
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES ||
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED ||
+           upper_policy->result == NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED) {
                 // Filters and route rules never cancel out lower policies
                 // Filters and route rules never cancel out lower policies
-               return (FALSE);
+               return FALSE;
         } else if (necp_kernel_socket_result_is_trigger_service_type(upper_policy)) {
                 // Trigger/Scoping policies can overlap one another, but not other results
         } else if (necp_kernel_socket_result_is_trigger_service_type(upper_policy)) {
                 // Trigger/Scoping policies can overlap one another, but not other results
-               return (necp_kernel_socket_result_is_trigger_service_type(lower_policy));
+               return necp_kernel_socket_result_is_trigger_service_type(lower_policy);
         } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                 if (upper_policy->session_order != lower_policy->session_order) {
                         // A skip cannot override a policy of a different session
         } else if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                 if (upper_policy->session_order != lower_policy->session_order) {
                         // A skip cannot override a policy of a different session
-                       return (FALSE);
+                       return FALSE;
                 } else {
                         if (upper_policy->result_parameter.skip_policy_order == 0 ||
                 } else {
                         if (upper_policy->result_parameter.skip_policy_order == 0 ||
-                               lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
+                           lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
                                 // This policy is beyond the skip
                                 // This policy is beyond the skip
-                               return (FALSE);
+                               return FALSE;
                         } else {
                                 // This policy is inside the skip
                         } else {
                                 // This policy is inside the skip
-                               return (TRUE);
+                               return TRUE;
                         }
                 }
         }
  
         // A hard pass, flow divert, tunnel, or scope will currently block out lower policies
                         }
                 }
         }
  
         // A hard pass, flow divert, tunnel, or scope will currently block out lower policies
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
@@ -3701,7 +4320,7 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                 // For policies in a skip window, we can't mark conflicting policies as unnecessary
                 if (can_skip) {
                         if (highest_skip_session_order != compared_policy->session_order ||
                 // For policies in a skip window, we can't mark conflicting policies as unnecessary
                 if (can_skip) {
                         if (highest_skip_session_order != compared_policy->session_order ||
-                               (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
+                           (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
                                 // If we've moved on to the next session, or passed the skip window
                                 highest_skip_session_order = 0;
                                 highest_skip_order = 0;
                                 // If we've moved on to the next session, or passed the skip window
                                 highest_skip_session_order = 0;
                                 highest_skip_order = 0;
@@ -3734,9 +4353,14 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                         continue;
                 }
  
                         continue;
                 }
  
+               // If new policy matches Local Networks, compared policy must also
+               if ((policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS)) {
+                       continue;
+               }
+
                 // Default makes lower policies unecessary always
                 if (compared_policy->condition_mask == 0) {
                 // Default makes lower policies unecessary always
                 if (compared_policy->condition_mask == 0) {
-                       return (TRUE);
+                       return TRUE;
                 }
  
                 // Compared must be more general than policy, and include only conditions within policy
                 }
  
                 // Compared must be more general than policy, and include only conditions within policy
@@ -3750,58 +4374,63 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN &&
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN &&
-                       strcmp(compared_policy->cond_domain, policy->cond_domain) != 0) {
+                   strcmp(compared_policy->cond_domain, policy->cond_domain) != 0) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT &&
-                       strcmp(compared_policy->cond_custom_entitlement, policy->cond_custom_entitlement) != 0) {
+                   strcmp(compared_policy->cond_custom_entitlement, policy->cond_custom_entitlement) != 0) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID &&
-                       compared_policy->cond_account_id != policy->cond_account_id) {
+                   compared_policy->cond_account_id != policy->cond_account_id) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
-                       compared_policy->cond_policy_id != policy->cond_policy_id) {
+                   compared_policy->cond_policy_id != policy->cond_policy_id) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID &&
-                       compared_policy->cond_app_id != policy->cond_app_id) {
+                   compared_policy->cond_app_id != policy->cond_app_id) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID &&
-                       compared_policy->cond_real_app_id != policy->cond_real_app_id) {
+                   compared_policy->cond_real_app_id != policy->cond_real_app_id) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PID &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PID &&
-                       compared_policy->cond_pid != policy->cond_pid) {
+                   compared_policy->cond_pid != policy->cond_pid) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_UID &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_UID &&
-                       compared_policy->cond_uid != policy->cond_uid) {
+                   compared_policy->cond_uid != policy->cond_uid) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
-                       compared_policy->cond_bound_interface != policy->cond_bound_interface) {
+                   compared_policy->cond_bound_interface != policy->cond_bound_interface) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
-                       compared_policy->cond_protocol != policy->cond_protocol) {
+                   compared_policy->cond_protocol != policy->cond_protocol) {
+                       continue;
+               }
+
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS &&
+                   compared_policy->cond_client_flags != policy->cond_client_flags) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS &&
-                       !(compared_policy->cond_traffic_class.start_tc <= policy->cond_traffic_class.start_tc &&
-                         compared_policy->cond_traffic_class.end_tc >= policy->cond_traffic_class.end_tc)) {
+                   !(compared_policy->cond_traffic_class.start_tc <= policy->cond_traffic_class.start_tc &&
+                   compared_policy->cond_traffic_class.end_tc >= policy->cond_traffic_class.end_tc)) {
                         continue;
                 }
  
                         continue;
                 }
  
@@ -3812,7 +4441,7 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
                                         continue;
                                 }
                         }
                                         continue;
                                 }
                         }
@@ -3825,16 +4454,21 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
                                         continue;
                                 }
                         }
                 }
  
                                         continue;
                                 }
                         }
                 }
  
-               return (TRUE);
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE &&
+                   memcmp(&compared_policy->cond_agent_type, &policy->cond_agent_type, sizeof(policy->cond_agent_type)) == 0) {
+                       continue;
+               }
+
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static bool
  }
  
  static bool
@@ -3847,7 +4481,7 @@ necp_kernel_socket_policies_reprocess(void)
         int app_layer_current_free_index = 0;
         struct necp_kernel_socket_policy *kernel_policy = NULL;
  
         int app_layer_current_free_index = 0;
         struct necp_kernel_socket_policy *kernel_policy = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         // Reset mask to 0
         necp_kernel_application_policies_condition_mask = 0;
  
         // Reset mask to 0
         necp_kernel_application_policies_condition_mask = 0;
@@ -3878,12 +4512,17 @@ necp_kernel_socket_policies_reprocess(void)
                 necp_kernel_application_policies_count++;
                 app_layer_allocation_count++;
  
                 necp_kernel_application_policies_count++;
                 app_layer_allocation_count++;
  
+               if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
+                       // Agent type conditions only apply to app layer
+                       continue;
+               }
+
                 // Update socket layer bucket mask/counts
                 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask;
                 necp_kernel_socket_policies_count++;
  
                 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
                 // Update socket layer bucket mask/counts
                 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask;
                 necp_kernel_socket_policies_count++;
  
                 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
-                       kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
+                   kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                         necp_kernel_socket_policies_non_app_count++;
                         for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                                 bucket_allocation_counts[app_i]++;
                         necp_kernel_socket_policies_non_app_count++;
                         for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                                 bucket_allocation_counts[app_i]++;
@@ -3915,9 +4554,21 @@ necp_kernel_socket_policies_reprocess(void)
  
         // Fill out maps
         LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
  
         // Fill out maps
         LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
-               // Insert pointers into map
+               // Add app layer policies
+               if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
+                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
+                       app_layer_current_free_index++;
+                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
+               }
+
+               if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) {
+                       // Agent type conditions only apply to app layer
+                       continue;
+               }
+
+               // Add socket policies
                 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
                 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
-                       kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
+                   kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                         for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                                 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
                                         (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                         for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                                 if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
                                         (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
@@ -3933,16 +4584,10 @@ necp_kernel_socket_policies_reprocess(void)
                                 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                         }
                 }
                                 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                         }
                 }
-
-               if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
-                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
-                       app_layer_current_free_index++;
-                       necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
-               }
         }
         necp_kernel_socket_policies_dump_all();
         BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT();
         }
         necp_kernel_socket_policies_dump_all();
         BUMP_KERNEL_SOCKET_POLICIES_GENERATION_COUNT();
-       return (TRUE);
+       return TRUE;
  
  fail:
         // Free memory, reset masks to 0
  
  fail:
         // Free memory, reset masks to 0
@@ -3961,28 +4606,39 @@ fail:
                 FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
                 necp_kernel_socket_policies_app_layer_map = NULL;
         }
                 FREE(necp_kernel_socket_policies_app_layer_map, M_NECP);
                 necp_kernel_socket_policies_app_layer_map = NULL;
         }
-       return (FALSE);
+       return FALSE;
  }
  
  static u_int32_t
  necp_get_new_string_id(void)
  {
  }
  
  static u_int32_t
  necp_get_new_string_id(void)
  {
+       static u_int32_t necp_last_string_id = 0;
+
         u_int32_t newid = 0;
  
         u_int32_t newid = 0;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
  
-       necp_last_string_id++;
-       if (necp_last_string_id < 1) {
-               necp_last_string_id = 1;
-       }
+       bool wrapped = FALSE;
+       do {
+               necp_last_string_id++;
+               if (necp_last_string_id < 1) {
+                       if (wrapped) {
+                               // Already wrapped, give up
+                               NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
+                               return 0;
+                       }
+                       necp_last_string_id = 1;
+                       wrapped = TRUE;
+               }
+               newid = necp_last_string_id;
+       } while (necp_lookup_string_with_id_locked(&necp_account_id_list, newid) != NULL); // If already used, keep trying
  
  
-       newid = necp_last_string_id;
         if (newid == 0) {
         if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate string id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate string id failed.\n");
+               return 0;
         }
  
         }
  
-       return (newid);
+       return newid;
  }
  
  static struct necp_string_id_mapping *
  }
  
  static struct necp_string_id_mapping *
@@ -3998,7 +4654,7 @@ necp_lookup_string_to_id_locked(struct necp_string_id_mapping_list *list, char *
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static struct necp_string_id_mapping *
  }
  
  static struct necp_string_id_mapping *
@@ -4014,7 +4670,7 @@ necp_lookup_string_with_id_locked(struct necp_string_id_mapping_list *list, u_in
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static u_int32_t
  }
  
  static u_int32_t
@@ -4023,12 +4679,12 @@ necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
         u_int32_t string_id = 0;
         struct necp_string_id_mapping *existing_mapping = NULL;
  
         u_int32_t string_id = 0;
         struct necp_string_id_mapping *existing_mapping = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         existing_mapping = necp_lookup_string_to_id_locked(list, string);
         if (existing_mapping != NULL) {
                 string_id = existing_mapping->id;
  
         existing_mapping = necp_lookup_string_to_id_locked(list, string);
         if (existing_mapping != NULL) {
                 string_id = existing_mapping->id;
-               existing_mapping->refcount++;
+               os_ref_retain_locked(&existing_mapping->refcount);
         } else {
                 struct necp_string_id_mapping *new_mapping = NULL;
                 MALLOC(new_mapping, struct necp_string_id_mapping *, sizeof(struct necp_string_id_mapping), M_NECP, M_WAITOK);
         } else {
                 struct necp_string_id_mapping *new_mapping = NULL;
                 MALLOC(new_mapping, struct necp_string_id_mapping *, sizeof(struct necp_string_id_mapping), M_NECP, M_WAITOK);
@@ -4040,7 +4696,7 @@ necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
                         if (new_mapping->string != NULL) {
                                 memcpy(new_mapping->string, string, length);
                                 new_mapping->id = necp_get_new_string_id();
                         if (new_mapping->string != NULL) {
                                 memcpy(new_mapping->string, string, length);
                                 new_mapping->id = necp_get_new_string_id();
-                               new_mapping->refcount = 1;
+                               os_ref_init(&new_mapping->refcount, &necp_refgrp);
                                 LIST_INSERT_HEAD(list, new_mapping, chain);
                                 string_id = new_mapping->id;
                         } else {
                                 LIST_INSERT_HEAD(list, new_mapping, chain);
                                 string_id = new_mapping->id;
                         } else {
@@ -4049,7 +4705,7 @@ necp_create_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
                         }
                 }
         }
                         }
                 }
         }
-       return (string_id);
+       return string_id;
  }
  
  static bool
  }
  
  static bool
@@ -4057,61 +4713,76 @@ necp_remove_string_to_id_mapping(struct necp_string_id_mapping_list *list, char
  {
         struct necp_string_id_mapping *existing_mapping = NULL;
  
  {
         struct necp_string_id_mapping *existing_mapping = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         existing_mapping = necp_lookup_string_to_id_locked(list, string);
         if (existing_mapping != NULL) {
  
         existing_mapping = necp_lookup_string_to_id_locked(list, string);
         if (existing_mapping != NULL) {
-               if (--existing_mapping->refcount == 0) {
+               if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
                         LIST_REMOVE(existing_mapping, chain);
                         FREE(existing_mapping->string, M_NECP);
                         FREE(existing_mapping, M_NECP);
                 }
                         LIST_REMOVE(existing_mapping, chain);
                         FREE(existing_mapping->string, M_NECP);
                         FREE(existing_mapping, M_NECP);
                 }
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  }
  
+#define NECP_FIRST_VALID_ROUTE_RULE_ID 1
+#define NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID UINT16_MAX
  static u_int32_t
  static u_int32_t
-necp_get_new_route_rule_id(void)
+necp_get_new_route_rule_id(bool aggregate)
  {
  {
-       u_int32_t newid = 0;
-
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
-
-       necp_last_route_rule_id++;
-       if (necp_last_route_rule_id < 1 || necp_last_route_rule_id > UINT16_MAX) {
-               necp_last_route_rule_id = 1;
-       }
-
-       newid = necp_last_route_rule_id;
-       if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate route rule id failed.\n");
-               return (0);
-       }
-
-       return (newid);
-}
+       static u_int32_t necp_last_route_rule_id = 0;
+       static u_int32_t necp_last_aggregate_route_rule_id = 0;
  
  
-static u_int32_t
-necp_get_new_aggregate_route_rule_id(void)
-{
         u_int32_t newid = 0;
  
         u_int32_t newid = 0;
  
-       lck_rw_assert(&necp_route_rule_lock, LCK_RW_ASSERT_EXCLUSIVE);
-
-       necp_last_aggregate_route_rule_id++;
-       if (necp_last_aggregate_route_rule_id <= UINT16_MAX) {
-               necp_last_aggregate_route_rule_id = UINT16_MAX + 1;
+       if (!aggregate) {
+               // Main necp_kernel_policy_lock protects non-aggregate rule IDs
+               LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+               bool wrapped = FALSE;
+               do {
+                       necp_last_route_rule_id++;
+                       if (necp_last_route_rule_id < NECP_FIRST_VALID_ROUTE_RULE_ID ||
+                           necp_last_route_rule_id >= NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free route rule id.\n");
+                                       return 0;
+                               }
+                               necp_last_route_rule_id = NECP_FIRST_VALID_ROUTE_RULE_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_route_rule_id;
+               } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
+       } else {
+               // necp_route_rule_lock protects aggregate rule IDs
+               LCK_RW_ASSERT(&necp_route_rule_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+               bool wrapped = FALSE;
+               do {
+                       necp_last_aggregate_route_rule_id++;
+                       if (necp_last_aggregate_route_rule_id < NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free aggregate route rule id.\n");
+                                       return 0;
+                               }
+                               necp_last_aggregate_route_rule_id = NECP_FIRST_VALID_AGGREGATE_ROUTE_RULE_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_aggregate_route_rule_id;
+               } while (necp_lookup_route_rule_locked(&necp_route_rules, newid) != NULL); // If already used, keep trying
         }
  
         }
  
-       newid = necp_last_aggregate_route_rule_id;
         if (newid == 0) {
         if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate aggregate route rule id failed.\n");
-               return (0);
+               NECPLOG0(LOG_ERR, "Allocate route rule ID failed.\n");
+               return 0;
         }
  
         }
  
-       return (newid);
+       return newid;
  }
  
  static struct necp_route_rule *
  }
  
  static struct necp_route_rule *
@@ -4127,21 +4798,22 @@ necp_lookup_route_rule_locked(struct necp_route_rule_list *list, u_int32_t route
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static struct necp_route_rule *
  }
  
  static struct necp_route_rule *
-necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_int32_t default_action, u_int8_t cellular_action, u_int8_t wifi_action, u_int8_t wired_action, u_int8_t expensive_action, u_int32_t *if_indices, u_int8_t *if_actions)
+necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_int32_t default_action, u_int8_t cellular_action, u_int8_t wifi_action, u_int8_t wired_action, u_int8_t expensive_action, u_int8_t constrained_action, u_int32_t *if_indices, u_int8_t *if_actions)
  {
         struct necp_route_rule *searchentry = NULL;
         struct necp_route_rule *foundentry = NULL;
  
         LIST_FOREACH(searchentry, list, chain) {
                 if (searchentry->default_action == default_action &&
  {
         struct necp_route_rule *searchentry = NULL;
         struct necp_route_rule *foundentry = NULL;
  
         LIST_FOREACH(searchentry, list, chain) {
                 if (searchentry->default_action == default_action &&
-                       searchentry->cellular_action == cellular_action &&
-                       searchentry->wifi_action == wifi_action &&
-                       searchentry->wired_action == wired_action &&
-                       searchentry->expensive_action == expensive_action) {
+                   searchentry->cellular_action == cellular_action &&
+                   searchentry->wifi_action == wifi_action &&
+                   searchentry->wired_action == wired_action &&
+                   searchentry->expensive_action == expensive_action &&
+                   searchentry->constrained_action == constrained_action) {
                         bool match_failed = FALSE;
                         size_t index_a = 0;
                         size_t index_b = 0;
                         bool match_failed = FALSE;
                         size_t index_a = 0;
                         size_t index_b = 0;
@@ -4161,7 +4833,7 @@ necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_i
                                                 count_b = index_b + 1;
                                         }
                                         if (searchentry->exception_if_indices[index_a] == if_indices[index_b] &&
                                                 count_b = index_b + 1;
                                         }
                                         if (searchentry->exception_if_indices[index_a] == if_indices[index_b] &&
-                                               searchentry->exception_if_actions[index_a] == if_actions[index_b]) {
+                                           searchentry->exception_if_actions[index_a] == if_actions[index_b]) {
                                                 found_index = TRUE;
                                                 break;
                                         }
                                                 found_index = TRUE;
                                                 break;
                                         }
@@ -4178,7 +4850,7 @@ necp_lookup_route_rule_by_contents_locked(struct necp_route_rule_list *list, u_i
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static u_int32_t
  }
  
  static u_int32_t
@@ -4192,16 +4864,17 @@ necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_
         u_int8_t wifi_action = NECP_ROUTE_RULE_NONE;
         u_int8_t wired_action = NECP_ROUTE_RULE_NONE;
         u_int8_t expensive_action = NECP_ROUTE_RULE_NONE;
         u_int8_t wifi_action = NECP_ROUTE_RULE_NONE;
         u_int8_t wired_action = NECP_ROUTE_RULE_NONE;
         u_int8_t expensive_action = NECP_ROUTE_RULE_NONE;
+       u_int8_t constrained_action = NECP_ROUTE_RULE_NONE;
         u_int32_t if_indices[MAX_ROUTE_RULE_INTERFACES];
         size_t num_valid_indices = 0;
         memset(&if_indices, 0, sizeof(if_indices));
         u_int8_t if_actions[MAX_ROUTE_RULE_INTERFACES];
         memset(&if_actions, 0, sizeof(if_actions));
  
         u_int32_t if_indices[MAX_ROUTE_RULE_INTERFACES];
         size_t num_valid_indices = 0;
         memset(&if_indices, 0, sizeof(if_indices));
         u_int8_t if_actions[MAX_ROUTE_RULE_INTERFACES];
         memset(&if_actions, 0, sizeof(if_actions));
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         if (route_rules_array == NULL || route_rules_array_size == 0) {
  
         if (route_rules_array == NULL || route_rules_array_size == 0) {
-               return (0);
+               return 0;
         }
  
         // Process rules
         }
  
         // Process rules
@@ -4234,6 +4907,9 @@ necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_
                         if (rule_flags & NECP_ROUTE_RULE_FLAG_EXPENSIVE) {
                                 expensive_action = rule_type;
                         }
                         if (rule_flags & NECP_ROUTE_RULE_FLAG_EXPENSIVE) {
                                 expensive_action = rule_type;
                         }
+                       if (rule_flags & NECP_ROUTE_RULE_FLAG_CONSTRAINED) {
+                               constrained_action = rule_type;
+                       }
                         if (rule_flags == 0) {
                                 default_action = rule_type;
                         }
                         if (rule_flags == 0) {
                                 default_action = rule_type;
                         }
@@ -4258,28 +4934,29 @@ necp_create_route_rule(struct necp_route_rule_list *list, u_int8_t *route_rules_
                 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
         }
  
                 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
         }
  
-       existing_rule = necp_lookup_route_rule_by_contents_locked(list, default_action, cellular_action, wifi_action, wired_action, expensive_action, if_indices, if_actions);
+       existing_rule = necp_lookup_route_rule_by_contents_locked(list, default_action, cellular_action, wifi_action, wired_action, expensive_action, constrained_action, if_indices, if_actions);
         if (existing_rule != NULL) {
                 route_rule_id = existing_rule->id;
         if (existing_rule != NULL) {
                 route_rule_id = existing_rule->id;
-               existing_rule->refcount++;
+               os_ref_retain_locked(&existing_rule->refcount);
         } else {
                 struct necp_route_rule *new_rule = NULL;
                 MALLOC(new_rule, struct necp_route_rule *, sizeof(struct necp_route_rule), M_NECP, M_WAITOK);
                 if (new_rule != NULL) {
                         memset(new_rule, 0, sizeof(struct necp_route_rule));
         } else {
                 struct necp_route_rule *new_rule = NULL;
                 MALLOC(new_rule, struct necp_route_rule *, sizeof(struct necp_route_rule), M_NECP, M_WAITOK);
                 if (new_rule != NULL) {
                         memset(new_rule, 0, sizeof(struct necp_route_rule));
-                       route_rule_id = new_rule->id = necp_get_new_route_rule_id();
+                       route_rule_id = new_rule->id = necp_get_new_route_rule_id(false);
                         new_rule->default_action = default_action;
                         new_rule->cellular_action = cellular_action;
                         new_rule->wifi_action = wifi_action;
                         new_rule->wired_action = wired_action;
                         new_rule->expensive_action = expensive_action;
                         new_rule->default_action = default_action;
                         new_rule->cellular_action = cellular_action;
                         new_rule->wifi_action = wifi_action;
                         new_rule->wired_action = wired_action;
                         new_rule->expensive_action = expensive_action;
+                       new_rule->constrained_action =  constrained_action;
                         memcpy(&new_rule->exception_if_indices, &if_indices, sizeof(if_indices));
                         memcpy(&new_rule->exception_if_actions, &if_actions, sizeof(if_actions));
                         memcpy(&new_rule->exception_if_indices, &if_indices, sizeof(if_indices));
                         memcpy(&new_rule->exception_if_actions, &if_actions, sizeof(if_actions));
-                       new_rule->refcount = 1;
+                       os_ref_init(&new_rule->refcount, &necp_refgrp);
                         LIST_INSERT_HEAD(list, new_rule, chain);
                 }
         }
                         LIST_INSERT_HEAD(list, new_rule, chain);
                 }
         }
-       return (route_rule_id);
+       return route_rule_id;
  }
  
  static void
  }
  
  static void
@@ -4312,19 +4989,19 @@ necp_remove_route_rule(struct necp_route_rule_list *list, u_int32_t route_rule_i
  {
         struct necp_route_rule *existing_rule = NULL;
  
  {
         struct necp_route_rule *existing_rule = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         existing_rule = necp_lookup_route_rule_locked(list, route_rule_id);
         if (existing_rule != NULL) {
  
         existing_rule = necp_lookup_route_rule_locked(list, route_rule_id);
         if (existing_rule != NULL) {
-               if (--existing_rule->refcount == 0) {
+               if (os_ref_release_locked(&existing_rule->refcount) == 0) {
                         necp_remove_aggregate_route_rule_for_id(existing_rule->id);
                         LIST_REMOVE(existing_rule, chain);
                         FREE(existing_rule, M_NECP);
                 }
                         necp_remove_aggregate_route_rule_for_id(existing_rule->id);
                         LIST_REMOVE(existing_rule, chain);
                         FREE(existing_rule, M_NECP);
                 }
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static struct necp_aggregate_route_rule *
  }
  
  static struct necp_aggregate_route_rule *
@@ -4344,7 +5021,7 @@ necp_lookup_aggregate_route_rule_locked(u_int32_t route_rule_id)
  
         lck_rw_done(&necp_route_rule_lock);
  
  
         lck_rw_done(&necp_route_rule_lock);
  
-       return (foundentry);
+       return foundentry;
  }
  
  static u_int32_t
  }
  
  static u_int32_t
@@ -4354,55 +5031,81 @@ necp_create_aggregate_route_rule(u_int32_t *rule_ids)
         struct necp_aggregate_route_rule *new_rule = NULL;
         struct necp_aggregate_route_rule *existing_rule = NULL;
  
         struct necp_aggregate_route_rule *new_rule = NULL;
         struct necp_aggregate_route_rule *existing_rule = NULL;
  
-       LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
-               if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
-                       return (existing_rule->id);
-               }
-       }
-
         lck_rw_lock_exclusive(&necp_route_rule_lock);
  
         lck_rw_lock_exclusive(&necp_route_rule_lock);
  
+       // Check if the rule already exists
         LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
         LIST_FOREACH(existing_rule, &necp_aggregate_route_rules, chain) {
-               // Re-check, in case something else created the rule while we are waiting to lock
                 if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
                         lck_rw_done(&necp_route_rule_lock);
                 if (memcmp(existing_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES)) == 0) {
                         lck_rw_done(&necp_route_rule_lock);
-                       return (existing_rule->id);
+                       return existing_rule->id;
                 }
         }
  
         MALLOC(new_rule, struct necp_aggregate_route_rule *, sizeof(struct necp_aggregate_route_rule), M_NECP, M_WAITOK);
         if (new_rule != NULL) {
                 memset(new_rule, 0, sizeof(struct necp_aggregate_route_rule));
                 }
         }
  
         MALLOC(new_rule, struct necp_aggregate_route_rule *, sizeof(struct necp_aggregate_route_rule), M_NECP, M_WAITOK);
         if (new_rule != NULL) {
                 memset(new_rule, 0, sizeof(struct necp_aggregate_route_rule));
-               aggregate_route_rule_id = new_rule->id = necp_get_new_aggregate_route_rule_id();
+               aggregate_route_rule_id = new_rule->id = necp_get_new_route_rule_id(true);
                 new_rule->id = aggregate_route_rule_id;
                 memcpy(new_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES));
                 LIST_INSERT_HEAD(&necp_aggregate_route_rules, new_rule, chain);
         }
         lck_rw_done(&necp_route_rule_lock);
  
                 new_rule->id = aggregate_route_rule_id;
                 memcpy(new_rule->rule_ids, rule_ids, (sizeof(u_int32_t) * MAX_AGGREGATE_ROUTE_RULES));
                 LIST_INSERT_HEAD(&necp_aggregate_route_rules, new_rule, chain);
         }
         lck_rw_done(&necp_route_rule_lock);
  
-       return (aggregate_route_rule_id);
+       return aggregate_route_rule_id;
  }
  
  #define NECP_NULL_SERVICE_ID 1
  }
  
  #define NECP_NULL_SERVICE_ID 1
+#define NECP_FIRST_VALID_SERVICE_ID  2
+#define NECP_FIRST_VALID_APP_ID  UINT16_MAX
  static u_int32_t
  static u_int32_t
-necp_get_new_uuid_id(void)
+necp_get_new_uuid_id(bool service)
  {
  {
-       u_int32_t newid = 0;
+       static u_int32_t necp_last_service_uuid_id = 0;
+       static u_int32_t necp_last_app_uuid_id = 0;
  
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       u_int32_t newid = 0;
  
  
-       necp_last_uuid_id++;
-       if (necp_last_uuid_id < (NECP_NULL_SERVICE_ID + 1)) {
-               necp_last_uuid_id = (NECP_NULL_SERVICE_ID + 1);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+
+       if (service) {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_service_uuid_id++;
+                       if (necp_last_service_uuid_id < NECP_FIRST_VALID_SERVICE_ID ||
+                           necp_last_service_uuid_id >= NECP_FIRST_VALID_APP_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free service UUID.\n");
+                                       return NECP_NULL_SERVICE_ID;
+                               }
+                               necp_last_service_uuid_id = NECP_FIRST_VALID_SERVICE_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_service_uuid_id;
+               } while (necp_uuid_lookup_uuid_with_service_id_locked(newid) != NULL); // If already used, keep trying
+       } else {
+               bool wrapped = FALSE;
+               do {
+                       necp_last_app_uuid_id++;
+                       if (necp_last_app_uuid_id < NECP_FIRST_VALID_APP_ID) {
+                               if (wrapped) {
+                                       // Already wrapped, give up
+                                       NECPLOG0(LOG_ERR, "Failed to find a free app UUID.\n");
+                                       return NECP_NULL_SERVICE_ID;
+                               }
+                               necp_last_app_uuid_id = NECP_FIRST_VALID_APP_ID;
+                               wrapped = TRUE;
+                       }
+                       newid = necp_last_app_uuid_id;
+               } while (necp_uuid_lookup_uuid_with_app_id_locked(newid) != NULL); // If already used, keep trying
         }
  
         }
  
-       newid = necp_last_uuid_id;
-       if (newid == 0) {
-               NECPLOG0(LOG_DEBUG, "Allocate uuid id failed.\n");
-               return (0);
+       if (newid == NECP_NULL_SERVICE_ID) {
+               NECPLOG0(LOG_ERR, "Allocate uuid ID failed.\n");
+               return NECP_NULL_SERVICE_ID;
         }
  
         }
  
-       return (newid);
+       return newid;
  }
  
  static struct necp_uuid_id_mapping *
  }
  
  static struct necp_uuid_id_mapping *
@@ -4418,7 +5121,7 @@ necp_uuid_lookup_app_id_locked(uuid_t uuid)
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static struct necp_uuid_id_mapping *
  }
  
  static struct necp_uuid_id_mapping *
@@ -4437,7 +5140,7 @@ necp_uuid_lookup_uuid_with_app_id_locked(u_int32_t local_id)
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static u_int32_t
  }
  
  static u_int32_t
@@ -4446,7 +5149,7 @@ necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_
         u_int32_t local_id = 0;
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
         u_int32_t local_id = 0;
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         if (allocated_mapping) {
                 *allocated_mapping = FALSE;
  
         if (allocated_mapping) {
                 *allocated_mapping = FALSE;
@@ -4455,21 +5158,21 @@ necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_
         existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
         if (existing_mapping != NULL) {
                 local_id = existing_mapping->id;
         existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
         if (existing_mapping != NULL) {
                 local_id = existing_mapping->id;
-               existing_mapping->refcount++;
+               os_ref_retain_locked(&existing_mapping->refcount);
                 if (uuid_policy_table) {
                 if (uuid_policy_table) {
-                       existing_mapping->table_refcount++;
+                       existing_mapping->table_usecount++;
                 }
         } else {
                 struct necp_uuid_id_mapping *new_mapping = NULL;
                 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                 if (new_mapping != NULL) {
                         uuid_copy(new_mapping->uuid, uuid);
                 }
         } else {
                 struct necp_uuid_id_mapping *new_mapping = NULL;
                 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                 if (new_mapping != NULL) {
                         uuid_copy(new_mapping->uuid, uuid);
-                       new_mapping->id = necp_get_new_uuid_id();
-                       new_mapping->refcount = 1;
+                       new_mapping->id = necp_get_new_uuid_id(false);
+                       os_ref_init(&new_mapping->refcount, &necp_refgrp);
                         if (uuid_policy_table) {
                         if (uuid_policy_table) {
-                               new_mapping->table_refcount = 1;
+                               new_mapping->table_usecount = 1;
                         } else {
                         } else {
-                               new_mapping->table_refcount = 0;
+                               new_mapping->table_usecount = 0;
                         }
  
                         LIST_INSERT_HEAD(APPUUIDHASH(uuid), new_mapping, chain);
                         }
  
                         LIST_INSERT_HEAD(APPUUIDHASH(uuid), new_mapping, chain);
@@ -4482,7 +5185,7 @@ necp_create_uuid_app_id_mapping(uuid_t uuid, bool *allocated_mapping, bool uuid_
                 }
         }
  
                 }
         }
  
-       return (local_id);
+       return local_id;
  }
  
  static bool
  }
  
  static bool
@@ -4490,7 +5193,7 @@ necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_po
  {
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
  {
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         if (removed_mapping) {
                 *removed_mapping = FALSE;
  
         if (removed_mapping) {
                 *removed_mapping = FALSE;
@@ -4499,19 +5202,19 @@ necp_remove_uuid_app_id_mapping(uuid_t uuid, bool *removed_mapping, bool uuid_po
         existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
         if (existing_mapping != NULL) {
                 if (uuid_policy_table) {
         existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
         if (existing_mapping != NULL) {
                 if (uuid_policy_table) {
-                       existing_mapping->table_refcount--;
+                       existing_mapping->table_usecount--;
                 }
                 }
-               if (--existing_mapping->refcount == 0) {
+               if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
                         LIST_REMOVE(existing_mapping, chain);
                         FREE(existing_mapping, M_NECP);
                         if (removed_mapping) {
                                 *removed_mapping = TRUE;
                         }
                 }
                         LIST_REMOVE(existing_mapping, chain);
                         FREE(existing_mapping, M_NECP);
                         if (removed_mapping) {
                                 *removed_mapping = TRUE;
                         }
                 }
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static struct necp_uuid_id_mapping *
  }
  
  static struct necp_uuid_id_mapping *
@@ -4521,7 +5224,7 @@ necp_uuid_get_null_service_id_mapping(void)
         uuid_clear(null_mapping.uuid);
         null_mapping.id = NECP_NULL_SERVICE_ID;
  
         uuid_clear(null_mapping.uuid);
         null_mapping.id = NECP_NULL_SERVICE_ID;
  
-       return (&null_mapping);
+       return &null_mapping;
  }
  
  static struct necp_uuid_id_mapping *
  }
  
  static struct necp_uuid_id_mapping *
@@ -4541,7 +5244,7 @@ necp_uuid_lookup_service_id_locked(uuid_t uuid)
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static struct necp_uuid_id_mapping *
  }
  
  static struct necp_uuid_id_mapping *
@@ -4561,7 +5264,7 @@ necp_uuid_lookup_uuid_with_service_id_locked(u_int32_t local_id)
                 }
         }
  
                 }
         }
  
-       return (foundentry);
+       return foundentry;
  }
  
  static u_int32_t
  }
  
  static u_int32_t
@@ -4571,22 +5274,22 @@ necp_create_uuid_service_id_mapping(uuid_t uuid)
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
         if (uuid_is_null(uuid)) {
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
         if (uuid_is_null(uuid)) {
-               return (NECP_NULL_SERVICE_ID);
+               return NECP_NULL_SERVICE_ID;
         }
  
         }
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
         if (existing_mapping != NULL) {
                 local_id = existing_mapping->id;
  
         existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
         if (existing_mapping != NULL) {
                 local_id = existing_mapping->id;
-               existing_mapping->refcount++;
+               os_ref_retain_locked(&existing_mapping->refcount);
         } else {
                 struct necp_uuid_id_mapping *new_mapping = NULL;
                 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                 if (new_mapping != NULL) {
                         uuid_copy(new_mapping->uuid, uuid);
         } else {
                 struct necp_uuid_id_mapping *new_mapping = NULL;
                 MALLOC(new_mapping, struct necp_uuid_id_mapping *, sizeof(*new_mapping), M_NECP, M_WAITOK);
                 if (new_mapping != NULL) {
                         uuid_copy(new_mapping->uuid, uuid);
-                       new_mapping->id = necp_get_new_uuid_id();
-                       new_mapping->refcount = 1;
+                       new_mapping->id = necp_get_new_uuid_id(true);
+                       os_ref_init(&new_mapping->refcount, &necp_refgrp);
  
                         LIST_INSERT_HEAD(&necp_uuid_service_id_list, new_mapping, chain);
  
  
                         LIST_INSERT_HEAD(&necp_uuid_service_id_list, new_mapping, chain);
  
@@ -4594,7 +5297,7 @@ necp_create_uuid_service_id_mapping(uuid_t uuid)
                 }
         }
  
                 }
         }
  
-       return (local_id);
+       return local_id;
  }
  
  static bool
  }
  
  static bool
@@ -4603,33 +5306,33 @@ necp_remove_uuid_service_id_mapping(uuid_t uuid)
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
         if (uuid_is_null(uuid)) {
         struct necp_uuid_id_mapping *existing_mapping = NULL;
  
         if (uuid_is_null(uuid)) {
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
  
-       existing_mapping = necp_uuid_lookup_app_id_locked(uuid);
+       existing_mapping = necp_uuid_lookup_service_id_locked(uuid);
         if (existing_mapping != NULL) {
         if (existing_mapping != NULL) {
-               if (--existing_mapping->refcount == 0) {
+               if (os_ref_release_locked(&existing_mapping->refcount) == 0) {
                         LIST_REMOVE(existing_mapping, chain);
                         FREE(existing_mapping, M_NECP);
                 }
                         LIST_REMOVE(existing_mapping, chain);
                         FREE(existing_mapping, M_NECP);
                 }
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  
  static bool
  necp_kernel_socket_policies_update_uuid_table(void)
  {
  }
  
  
  static bool
  necp_kernel_socket_policies_update_uuid_table(void)
  {
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         if (necp_uuid_app_id_mappings_dirty) {
                 if (proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_CLEAR, NULL, PROC_UUID_NECP_APP_POLICY) < 0) {
                         NECPLOG0(LOG_DEBUG, "Error clearing uuids from policy table\n");
  
         if (necp_uuid_app_id_mappings_dirty) {
                 if (proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_CLEAR, NULL, PROC_UUID_NECP_APP_POLICY) < 0) {
                         NECPLOG0(LOG_DEBUG, "Error clearing uuids from policy table\n");
-                       return (FALSE);
+                       return FALSE;
                 }
  
                 if (necp_num_uuid_app_id_mappings > 0) {
                 }
  
                 if (necp_num_uuid_app_id_mappings > 0) {
@@ -4637,8 +5340,8 @@ necp_kernel_socket_policies_update_uuid_table(void)
                         for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
                                 struct necp_uuid_id_mapping *mapping = NULL;
                                 LIST_FOREACH(mapping, uuid_list_head, chain) {
                         for (uuid_list_head = &necp_uuid_app_id_hashtbl[necp_uuid_app_id_hash_num_buckets - 1]; uuid_list_head >= necp_uuid_app_id_hashtbl; uuid_list_head--) {
                                 struct necp_uuid_id_mapping *mapping = NULL;
                                 LIST_FOREACH(mapping, uuid_list_head, chain) {
-                                       if (mapping->table_refcount > 0 &&
-                                               proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_ADD, mapping->uuid, PROC_UUID_NECP_APP_POLICY) < 0) {
+                                       if (mapping->table_usecount > 0 &&
+                                           proc_uuid_policy_kernel(PROC_UUID_POLICY_OPERATION_ADD, mapping->uuid, PROC_UUID_NECP_APP_POLICY) < 0) {
                                                 NECPLOG0(LOG_DEBUG, "Error adding uuid to policy table\n");
                                         }
                                 }
                                                 NECPLOG0(LOG_DEBUG, "Error adding uuid to policy table\n");
                                         }
                                 }
@@ -4648,12 +5351,12 @@ necp_kernel_socket_policies_update_uuid_table(void)
                 necp_uuid_app_id_mappings_dirty = FALSE;
         }
  
                 necp_uuid_app_id_mappings_dirty = FALSE;
         }
  
-       return (TRUE);
+       return TRUE;
  }
  
  }
  
-#define        NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE)
+#define NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
  static necp_kernel_policy_id
  static necp_kernel_policy_id
-necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
+necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
  {
         struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
         struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
  {
         struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
         struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
@@ -4663,9 +5366,8 @@ necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_or
                 goto done;
         }
  
                 goto done;
         }
  
-       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy));
-       new_kernel_policy->parent_policy_id = parent_policy_id;
-       new_kernel_policy->id = necp_kernel_policy_get_new_id();
+       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
+       new_kernel_policy->id = necp_kernel_policy_get_new_id(false);
         new_kernel_policy->suborder = suborder;
         new_kernel_policy->order = order;
         new_kernel_policy->session_order = session_order;
         new_kernel_policy->suborder = suborder;
         new_kernel_policy->order = order;
         new_kernel_policy->session_order = session_order;
@@ -4727,7 +5429,7 @@ necp_kernel_ip_output_policy_add(necp_policy_id parent_policy_id, necp_policy_or
         }
         LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
  done:
         }
         LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
  done:
-       return (new_kernel_policy ? new_kernel_policy->id : 0);
+       return new_kernel_policy ? new_kernel_policy->id : 0;
  }
  
  static struct necp_kernel_ip_output_policy *
  }
  
  static struct necp_kernel_ip_output_policy *
@@ -4737,16 +5439,16 @@ necp_kernel_ip_output_policy_find(necp_kernel_policy_id policy_id)
         struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
  
         if (policy_id == 0) {
         struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
  
         if (policy_id == 0) {
-               return (NULL);
+               return NULL;
         }
  
         LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) {
                 if (kernel_policy->id == policy_id) {
         }
  
         LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) {
                 if (kernel_policy->id == policy_id) {
-                       return (kernel_policy);
+                       return kernel_policy;
                 }
         }
  
                 }
         }
  
-       return (NULL);
+       return NULL;
  }
  
  static bool
  }
  
  static bool
@@ -4754,7 +5456,7 @@ necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
  {
         struct necp_kernel_ip_output_policy *policy = NULL;
  
  {
         struct necp_kernel_ip_output_policy *policy = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         policy = necp_kernel_ip_output_policy_find(policy_id);
         if (policy) {
  
         policy = necp_kernel_ip_output_policy_find(policy_id);
         if (policy) {
@@ -4766,10 +5468,10 @@ necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
                 }
  
                 FREE_ZONE(policy, sizeof(*policy), M_NECP_IP_POLICY);
                 }
  
                 FREE_ZONE(policy, sizeof(*policy), M_NECP_IP_POLICY);
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static void
  }
  
  static void
@@ -4804,21 +5506,21 @@ necp_kernel_ip_output_policy_results_overlap(struct necp_kernel_ip_output_policy
         if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                 if (upper_policy->session_order != lower_policy->session_order) {
                         // A skip cannot override a policy of a different session
         if (upper_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                 if (upper_policy->session_order != lower_policy->session_order) {
                         // A skip cannot override a policy of a different session
-                       return (FALSE);
+                       return FALSE;
                 } else {
                         if (upper_policy->result_parameter.skip_policy_order == 0 ||
                 } else {
                         if (upper_policy->result_parameter.skip_policy_order == 0 ||
-                               lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
+                           lower_policy->order >= upper_policy->result_parameter.skip_policy_order) {
                                 // This policy is beyond the skip
                                 // This policy is beyond the skip
-                               return (FALSE);
+                               return FALSE;
                         } else {
                                 // This policy is inside the skip
                         } else {
                                 // This policy is inside the skip
-                               return (TRUE);
+                               return TRUE;
                         }
                 }
         }
  
         // All other IP Output policy results (drop, tunnel, hard pass) currently overlap
                         }
                 }
         }
  
         // All other IP Output policy results (drop, tunnel, hard pass) currently overlap
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
@@ -4834,7 +5536,7 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                 // For policies in a skip window, we can't mark conflicting policies as unnecessary
                 if (can_skip) {
                         if (highest_skip_session_order != compared_policy->session_order ||
                 // For policies in a skip window, we can't mark conflicting policies as unnecessary
                 if (can_skip) {
                         if (highest_skip_session_order != compared_policy->session_order ||
-                               (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
+                           (highest_skip_order != 0 && compared_policy->order >= highest_skip_order)) {
                                 // If we've moved on to the next session, or passed the skip window
                                 highest_skip_session_order = 0;
                                 highest_skip_order = 0;
                                 // If we've moved on to the next session, or passed the skip window
                                 highest_skip_session_order = 0;
                                 highest_skip_order = 0;
@@ -4867,9 +5569,14 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                         continue;
                 }
  
                         continue;
                 }
  
+               // If new policy matches Local Networks, compared policy must also
+               if ((policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) && !(compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS)) {
+                       continue;
+               }
+
                 // Default makes lower policies unecessary always
                 if (compared_policy->condition_mask == 0) {
                 // Default makes lower policies unecessary always
                 if (compared_policy->condition_mask == 0) {
-                       return (TRUE);
+                       return TRUE;
                 }
  
                 // Compared must be more general than policy, and include only conditions within policy
                 }
  
                 // Compared must be more general than policy, and include only conditions within policy
@@ -4883,17 +5590,17 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID &&
-                       compared_policy->cond_policy_id != policy->cond_policy_id) {
+                   compared_policy->cond_policy_id != policy->cond_policy_id) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE &&
-                       compared_policy->cond_bound_interface != policy->cond_bound_interface) {
+                   compared_policy->cond_bound_interface != policy->cond_bound_interface) {
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
                         continue;
                 }
  
                 if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL &&
-                       compared_policy->cond_protocol != policy->cond_protocol) {
+                   compared_policy->cond_protocol != policy->cond_protocol) {
                         continue;
                 }
  
                         continue;
                 }
  
@@ -4904,7 +5611,7 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (compared_policy->cond_local_prefix > policy->cond_local_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_local_start, (struct sockaddr *)&compared_policy->cond_local_start, compared_policy->cond_local_prefix)) {
                                         continue;
                                 }
                         }
                                         continue;
                                 }
                         }
@@ -4917,16 +5624,16 @@ necp_kernel_ip_output_policy_is_unnecessary(struct necp_kernel_ip_output_policy
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
                                 }
                         } else if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (compared_policy->cond_remote_prefix > policy->cond_remote_prefix ||
-                                       !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
+                                   !necp_is_addr_in_subnet((struct sockaddr *)&policy->cond_remote_start, (struct sockaddr *)&compared_policy->cond_remote_start, compared_policy->cond_remote_prefix)) {
                                         continue;
                                 }
                         }
                 }
  
                                         continue;
                                 }
                         }
                 }
  
-               return (TRUE);
+               return TRUE;
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static bool
  }
  
  static bool
@@ -4937,7 +5644,7 @@ necp_kernel_ip_output_policies_reprocess(void)
         int bucket_current_free_index[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
         struct necp_kernel_ip_output_policy *kernel_policy = NULL;
  
         int bucket_current_free_index[NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS];
         struct necp_kernel_ip_output_policy *kernel_policy = NULL;
  
-       lck_rw_assert(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
+       LCK_RW_ASSERT(&necp_kernel_policy_lock, LCK_RW_ASSERT_EXCLUSIVE);
  
         // Reset mask to 0
         necp_kernel_ip_output_policies_condition_mask = 0;
  
         // Reset mask to 0
         necp_kernel_ip_output_policies_condition_mask = 0;
@@ -4959,12 +5666,19 @@ necp_kernel_ip_output_policies_reprocess(void)
                 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask;
                 necp_kernel_ip_output_policies_count++;
  
                 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask;
                 necp_kernel_ip_output_policies_count++;
  
-               // Update bucket counts
-               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
-                       necp_kernel_ip_output_policies_non_id_count++;
+               /* Update bucket counts:
+                * Non-id and SKIP policies will be added to all buckets
+                * Add local networks policy to all buckets for incoming IP
+                */
+               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
+                   (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
+                   kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                         for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                                 bucket_allocation_counts[i]++;
                         }
                         for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                                 bucket_allocation_counts[i]++;
                         }
+               }
+               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
+                       necp_kernel_ip_output_policies_non_id_count++;
                 } else {
                         bucket_allocation_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id)]++;
                 }
                 } else {
                         bucket_allocation_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id)]++;
                 }
@@ -4986,7 +5700,9 @@ necp_kernel_ip_output_policies_reprocess(void)
  
         LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
                 // Insert pointers into map
  
         LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) {
                 // Insert pointers into map
-               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) {
+               if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) ||
+                   (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
+                   kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                         for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                                 if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
                                         (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                         for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                                 if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
                                         (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
@@ -5004,7 +5720,7 @@ necp_kernel_ip_output_policies_reprocess(void)
                 }
         }
         necp_kernel_ip_output_policies_dump_all();
                 }
         }
         necp_kernel_ip_output_policies_dump_all();
-       return (TRUE);
+       return TRUE;
  
  fail:
         // Free memory, reset mask to 0
  
  fail:
         // Free memory, reset mask to 0
@@ -5017,7 +5733,7 @@ fail:
                         necp_kernel_ip_output_policies_map[i] = NULL;
                 }
         }
                         necp_kernel_ip_output_policies_map[i] = NULL;
                 }
         }
-       return (FALSE);
+       return FALSE;
  }
  
  // Outbound Policy Matching
  }
  
  // Outbound Policy Matching
@@ -5043,7 +5759,7 @@ necp_trim_dots_and_stars(char *string, size_t length)
                 sub.length--;
         }
  
                 sub.length--;
         }
  
-       return (sub);
+       return sub;
  }
  
  static char *
  }
  
  static char *
@@ -5054,13 +5770,13 @@ necp_create_trimmed_domain(char *string, size_t length)
  
         MALLOC(trimmed_domain, char *, sub.length + 1, M_NECP, M_WAITOK);
         if (trimmed_domain == NULL) {
  
         MALLOC(trimmed_domain, char *, sub.length + 1, M_NECP, M_WAITOK);
         if (trimmed_domain == NULL) {
-               return (NULL);
+               return NULL;
         }
  
         memcpy(trimmed_domain, sub.string, sub.length);
         trimmed_domain[sub.length] = 0;
  
         }
  
         memcpy(trimmed_domain, sub.string, sub.length);
         trimmed_domain[sub.length] = 0;
  
-       return (trimmed_domain);
+       return trimmed_domain;
  }
  
  static inline int
  }
  
  static inline int
@@ -5075,33 +5791,33 @@ necp_count_dots(char *string, size_t length)
                 }
         }
  
                 }
         }
  
-       return (dot_count);
+       return dot_count;
  }
  
  static bool
  necp_check_suffix(struct substring parent, struct substring suffix, bool require_dot_before_suffix)
  {
         if (parent.length <= suffix.length) {
  }
  
  static bool
  necp_check_suffix(struct substring parent, struct substring suffix, bool require_dot_before_suffix)
  {
         if (parent.length <= suffix.length) {
-               return (FALSE);
+               return FALSE;
         }
  
         size_t length_difference = (parent.length - suffix.length);
  
         if (require_dot_before_suffix) {
                 if (((char *)(parent.string + length_difference - 1))[0] != '.') {
         }
  
         size_t length_difference = (parent.length - suffix.length);
  
         if (require_dot_before_suffix) {
                 if (((char *)(parent.string + length_difference - 1))[0] != '.') {
-                       return (FALSE);
+                       return FALSE;
                 }
         }
  
         // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
                 }
         }
  
         // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
-       return (strncasecmp(parent.string + length_difference, suffix.string, suffix.length) == 0);
+       return strncasecmp(parent.string + length_difference, suffix.string, suffix.length) == 0;
  }
  
  static bool
  necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostname_dot_count, char *domain, u_int8_t domain_dot_count)
  {
         if (hostname_substring.string == NULL || domain == NULL) {
  }
  
  static bool
  necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostname_dot_count, char *domain, u_int8_t domain_dot_count)
  {
         if (hostname_substring.string == NULL || domain == NULL) {
-               return (hostname_substring.string == domain);
+               return hostname_substring.string == domain;
         }
  
         struct substring domain_substring;
         }
  
         struct substring domain_substring;
@@ -5111,37 +5827,108 @@ necp_hostname_matches_domain(struct substring hostname_substring, u_int8_t hostn
         if (hostname_dot_count == domain_dot_count) {
                 // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
                 if (hostname_substring.length == domain_substring.length &&
         if (hostname_dot_count == domain_dot_count) {
                 // strncasecmp does case-insensitive check for all UTF-8 strings (ignores non-ASCII characters)
                 if (hostname_substring.length == domain_substring.length &&
-                       strncasecmp(hostname_substring.string, domain_substring.string, hostname_substring.length) == 0) {
-                       return (TRUE);
+                   strncasecmp(hostname_substring.string, domain_substring.string, hostname_substring.length) == 0) {
+                       return TRUE;
                 }
         } else if (domain_dot_count < hostname_dot_count) {
                 if (necp_check_suffix(hostname_substring, domain_substring, TRUE)) {
                 }
         } else if (domain_dot_count < hostname_dot_count) {
                 if (necp_check_suffix(hostname_substring, domain_substring, TRUE)) {
-                       return (TRUE);
+                       return TRUE;
                 }
         }
  
                 }
         }
  
-       return (FALSE);
+       return FALSE;
+}
+
+bool
+net_domain_contains_hostname(char *hostname_string, char *domain_string)
+{
+       if (hostname_string == NULL ||
+           domain_string == NULL) {
+               return false;
+       }
+
+       struct substring hostname_substring;
+       hostname_substring.string = hostname_string;
+       hostname_substring.length = strlen(hostname_string);
+
+       return necp_hostname_matches_domain(hostname_substring,
+                  necp_count_dots(hostname_string, hostname_substring.length),
+                  domain_string,
+                  necp_count_dots(domain_string, strlen(domain_string)));
  }
  
  }
  
+#define NECP_MAX_STRING_LEN 1024
+
  static char *
  necp_copy_string(char *string, size_t length)
  {
         char *copied_string = NULL;
  
  static char *
  necp_copy_string(char *string, size_t length)
  {
         char *copied_string = NULL;
  
+       if (length > NECP_MAX_STRING_LEN) {
+               return NULL;
+       }
+
         MALLOC(copied_string, char *, length + 1, M_NECP, M_WAITOK);
         if (copied_string == NULL) {
         MALLOC(copied_string, char *, length + 1, M_NECP, M_WAITOK);
         if (copied_string == NULL) {
-               return (NULL);
+               return NULL;
         }
  
         memcpy(copied_string, string, length);
         copied_string[length] = 0;
  
         }
  
         memcpy(copied_string, string, length);
         copied_string[length] = 0;
  
-       return (copied_string);
+       return copied_string;
+}
+
+static u_int32_t
+necp_get_primary_direct_interface_index(void)
+{
+       u_int32_t interface_index = IFSCOPE_NONE;
+
+       ifnet_head_lock_shared();
+       struct ifnet *ordered_interface = NULL;
+       TAILQ_FOREACH(ordered_interface, &ifnet_ordered_head, if_ordered_link) {
+               const u_int8_t functional_type = if_functional_type(ordered_interface, TRUE);
+               if (functional_type != IFRTYPE_FUNCTIONAL_UNKNOWN &&
+                   functional_type != IFRTYPE_FUNCTIONAL_LOOPBACK) {
+                       // All known, non-loopback functional types represent direct physical interfaces (Wi-Fi, Cellular, Wired)
+                       interface_index = ordered_interface->if_index;
+                       break;
+               }
+       }
+       ifnet_head_done();
+
+       return interface_index;
+}
+
+static inline void
+necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info)
+{
+       task_t task = proc_task(proc ? proc : current_proc());
+       coalition_t coal = task_get_coalition(task, COALITION_TYPE_JETSAM);
+
+       if (coal == COALITION_NULL || coalition_is_leader(task, coal)) {
+               // No parent, nothing to do
+               return;
+       }
+
+       task_t lead_task = coalition_get_leader(coal);
+       if (lead_task != NULL) {
+               proc_t lead_proc = get_bsdtask_info(lead_task);
+               if (lead_proc != NULL) {
+                       kauth_cred_t lead_cred = kauth_cred_proc_ref(lead_proc);
+                       if (lead_cred != NULL) {
+                               errno_t cred_result = priv_check_cred(lead_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+                               kauth_cred_unref(&lead_cred);
+                               info->cred_result = cred_result;
+                       }
+               }
+               task_deallocate(lead_task);
+       }
  }
  
  }
  
-#define        NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX)
+#define NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
  static void
  static void
-necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, proc_t proc, struct necp_socket_info *info)
+necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, u_int16_t local_port, u_int16_t remote_port, bool has_client, proc_t proc, u_int32_t drop_order, u_int32_t client_flags, struct necp_socket_info *info)
  {
         memset(info, 0, sizeof(struct necp_socket_info));
  
  {
         memset(info, 0, sizeof(struct necp_socket_info));
  
@@ -5150,9 +5937,20 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
         info->protocol = protocol;
         info->bound_interface_index = bound_interface_index;
         info->traffic_class = traffic_class;
         info->protocol = protocol;
         info->bound_interface_index = bound_interface_index;
         info->traffic_class = traffic_class;
+       info->has_client = has_client;
+       info->drop_order = drop_order;
+       info->client_flags = client_flags;
  
         if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT && proc != NULL) {
                 info->cred_result = priv_check_cred(proc_ucred(proc), PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
  
         if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT && proc != NULL) {
                 info->cred_result = priv_check_cred(proc_ucred(proc), PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+               if (info->cred_result != 0) {
+                       // Process does not have entitlement, check the parent process
+                       necp_get_parent_cred_result(proc, info);
+               }
+       }
+
+       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY && proc != NULL) {
+               info->is_platform_binary = csproc_get_platform_binary(proc) ? true : false;
         }
  
         if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
         }
  
         if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_APP_ID && !uuid_is_null(application_uuid)) {
@@ -5187,9 +5985,23 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
         if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
                 if (local_addr && local_addr->sa.sa_len > 0) {
                         memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
         if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
                 if (local_addr && local_addr->sa.sa_len > 0) {
                         memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
+                       if (local_port != 0) {
+                               info->local_addr.sin6.sin6_port = local_port;
+                       }
+               } else if (local_port != 0) {
+                       info->local_addr.sin6.sin6_len = sizeof(struct sockaddr_in6);
+                       info->local_addr.sin6.sin6_family = AF_INET6;
+                       info->local_addr.sin6.sin6_port = local_port;
                 }
                 if (remote_addr && remote_addr->sa.sa_len > 0) {
                         memcpy(&info->remote_addr, remote_addr, remote_addr->sa.sa_len);
                 }
                 if (remote_addr && remote_addr->sa.sa_len > 0) {
                         memcpy(&info->remote_addr, remote_addr, remote_addr->sa.sa_len);
+                       if (remote_port != 0) {
+                               info->remote_addr.sin6.sin6_port = remote_port;
+                       }
+               } else if (remote_port != 0) {
+                       info->remote_addr.sin6.sin6_len = sizeof(struct sockaddr_in6);
+                       info->remote_addr.sin6.sin6_family = AF_INET6;
+                       info->remote_addr.sin6.sin6_port = remote_port;
                 }
         }
  }
                 }
         }
  }
@@ -5212,22 +6024,29 @@ extern char *proc_name_address(void *p);
  
  #define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
         if (!has_checked_delegation_entitlement) { \
  
  #define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
         if (!has_checked_delegation_entitlement) { \
-               has_delegation_entitlement = (priv_check_cred(proc_ucred(_p), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0) == 0); \
-               has_checked_delegation_entitlement = TRUE; \
+               has_delegation_entitlement = (priv_check_cred(proc_ucred(_p), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, 0) == 0); \
+               has_checked_delegation_entitlement = TRUE; \
         } \
         if (!has_delegation_entitlement) { \
         } \
         if (!has_delegation_entitlement) { \
-               NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to delegate network traffic for other processes by %s", \
-                                                 proc_name_address(_p), proc_pid(_p), _d); \
-               break; \
+               NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to delegate network traffic for other processes by %s", \
+                                                 proc_name_address(_p), proc_pid(_p), _d); \
+               break; \
         }
  
  int
  necp_application_find_policy_match_internal(proc_t proc,
         }
  
  int
  necp_application_find_policy_match_internal(proc_t proc,
-                                                                                       u_int8_t *parameters,
-                                                                                       u_int32_t parameters_size,
-                                                                                       struct necp_aggregate_result *returned_result,
-                                                                                       u_int32_t *flags,
-                                                                                       u_int required_interface_index)
+    u_int8_t *parameters,
+    u_int32_t parameters_size,
+    struct necp_aggregate_result *returned_result,
+    u_int32_t *flags,
+    u_int32_t *reason,
+    u_int required_interface_index,
+    const union necp_sockaddr_union *override_local_addr,
+    const union necp_sockaddr_union *override_remote_addr,
+    struct necp_client_endpoint *returned_v4_gateway,
+    struct necp_client_endpoint *returned_v6_gateway,
+    struct rtentry **returned_route, bool ignore_address,
+    bool has_client)
  {
         int error = 0;
         size_t offset = 0;
  {
         int error = 0;
         size_t offset = 0;
@@ -5235,21 +6054,32 @@ necp_application_find_policy_match_internal(proc_t proc,
         struct necp_kernel_socket_policy *matched_policy = NULL;
         struct necp_socket_info info;
         necp_kernel_policy_filter filter_control_unit = 0;
         struct necp_kernel_socket_policy *matched_policy = NULL;
         struct necp_socket_info info;
         necp_kernel_policy_filter filter_control_unit = 0;
-       u_int32_t route_rule_id = 0;
         necp_kernel_policy_result service_action = 0;
         necp_kernel_policy_service service = { 0, 0 };
  
         u_int16_t protocol = 0;
         u_int32_t bound_interface_index = required_interface_index;
         u_int32_t traffic_class = 0;
         necp_kernel_policy_result service_action = 0;
         necp_kernel_policy_service service = { 0, 0 };
  
         u_int16_t protocol = 0;
         u_int32_t bound_interface_index = required_interface_index;
         u_int32_t traffic_class = 0;
+       u_int32_t client_flags = 0;
         union necp_sockaddr_union local_addr;
         union necp_sockaddr_union remote_addr;
         bool no_remote_addr = FALSE;
         u_int8_t remote_family = 0;
         bool no_local_addr = FALSE;
         union necp_sockaddr_union local_addr;
         union necp_sockaddr_union remote_addr;
         bool no_remote_addr = FALSE;
         u_int8_t remote_family = 0;
         bool no_local_addr = FALSE;
+       u_int16_t local_port = 0;
+       u_int16_t remote_port = 0;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
  
  
-       memset(&local_addr, 0, sizeof(local_addr));
-       memset(&remote_addr, 0, sizeof(remote_addr));
+       if (override_local_addr) {
+               memcpy(&local_addr, override_local_addr, sizeof(local_addr));
+       } else {
+               memset(&local_addr, 0, sizeof(local_addr));
+       }
+       if (override_remote_addr) {
+               memcpy(&remote_addr, override_remote_addr, sizeof(remote_addr));
+       } else {
+               memset(&remote_addr, 0, sizeof(remote_addr));
+       }
  
         // Initialize UID, PID, and UUIDs to the current process
         uid_t uid = kauth_cred_getuid(proc_ucred(proc));
  
         // Initialize UID, PID, and UUIDs to the current process
         uid_t uid = kauth_cred_getuid(proc_ucred(proc));
@@ -5264,25 +6094,44 @@ necp_application_find_policy_match_internal(proc_t proc,
         char *domain = NULL;
         char *account = NULL;
  
         char *domain = NULL;
         char *account = NULL;
  
+#define NECP_MAX_REQUIRED_AGENTS 16
+       u_int32_t num_required_agent_types = 0;
+       struct necp_client_parameter_netagent_type required_agent_types[NECP_MAX_REQUIRED_AGENTS];
+       memset(&required_agent_types, 0, sizeof(required_agent_types));
+
         u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
         u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
+       u_int32_t netagent_use_flags[NECP_MAX_NETAGENTS];
         memset(&netagent_ids, 0, sizeof(netagent_ids));
         memset(&netagent_ids, 0, sizeof(netagent_ids));
+       memset(&netagent_use_flags, 0, sizeof(netagent_use_flags));
         int netagent_cursor;
  
         bool has_checked_delegation_entitlement = FALSE;
         bool has_delegation_entitlement = FALSE;
  
         if (returned_result == NULL) {
         int netagent_cursor;
  
         bool has_checked_delegation_entitlement = FALSE;
         bool has_delegation_entitlement = FALSE;
  
         if (returned_result == NULL) {
-               return (EINVAL);
+               return EINVAL;
+       }
+
+       if (returned_v4_gateway != NULL) {
+               memset(returned_v4_gateway, 0, sizeof(struct necp_client_endpoint));
+       }
+
+       if (returned_v6_gateway != NULL) {
+               memset(returned_v6_gateway, 0, sizeof(struct necp_client_endpoint));
         }
  
         memset(returned_result, 0, sizeof(struct necp_aggregate_result));
  
         }
  
         memset(returned_result, 0, sizeof(struct necp_aggregate_result));
  
+       u_int32_t drop_order = necp_process_drop_order(proc_ucred(proc));
+
+       necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+
         lck_rw_lock_shared(&necp_kernel_policy_lock);
         if (necp_kernel_application_policies_count == 0) {
         lck_rw_lock_shared(&necp_kernel_policy_lock);
         if (necp_kernel_application_policies_count == 0) {
-               if (necp_drop_all_order > 0) {
+               if (necp_drop_all_order > 0 || drop_order > 0) {
                         returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
                         lck_rw_done(&necp_kernel_policy_lock);
                         returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
                         lck_rw_done(&necp_kernel_policy_lock);
-                       return (0);
+                       return 0;
                 }
         }
         lck_rw_done(&necp_kernel_policy_lock);
                 }
         }
         lck_rw_done(&necp_kernel_policy_lock);
@@ -5291,118 +6140,181 @@ necp_application_find_policy_match_internal(proc_t proc,
                 u_int8_t type = necp_buffer_get_tlv_type(parameters, offset);
                 u_int32_t length = necp_buffer_get_tlv_length(parameters, offset);
  
                 u_int8_t type = necp_buffer_get_tlv_type(parameters, offset);
                 u_int32_t length = necp_buffer_get_tlv_length(parameters, offset);
  
-               if (length > 0 && (offset + sizeof(u_int8_t) + sizeof(u_int32_t) + length) <= parameters_size) {
+               if (length > (parameters_size - (offset + sizeof(u_int8_t) + sizeof(u_int32_t)))) {
+                       // If the length is larger than what can fit in the remaining parameters size, bail
+                       NECPLOG(LOG_ERR, "Invalid TLV length (%u)", length);
+                       break;
+               }
+
+               if (length > 0) {
                         u_int8_t *value = necp_buffer_get_tlv_value(parameters, offset, NULL);
                         if (value != NULL) {
                                 switch (type) {
                         u_int8_t *value = necp_buffer_get_tlv_value(parameters, offset, NULL);
                         if (value != NULL) {
                                 switch (type) {
-                                       case NECP_CLIENT_PARAMETER_APPLICATION: {
-                                               if (length >= sizeof(uuid_t)) {
-                                                       if (uuid_compare(application_uuid, value) == 0) {
-                                                               // No delegation
-                                                               break;
-                                                       }
+                               case NECP_CLIENT_PARAMETER_APPLICATION: {
+                                       if (length >= sizeof(uuid_t)) {
+                                               if (uuid_compare(application_uuid, value) == 0) {
+                                                       // No delegation
+                                                       break;
+                                               }
  
  
-                                                       NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "euuid");
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "euuid");
  
  
-                                                       uuid_copy(application_uuid, value);
-                                               }
-                                               break;
+                                               uuid_copy(application_uuid, value);
                                         }
                                         }
-                                       case NECP_CLIENT_PARAMETER_REAL_APPLICATION: {
-                                               if (length >= sizeof(uuid_t)) {
-                                                       if (uuid_compare(real_application_uuid, value) == 0) {
-                                                               // No delegation
-                                                               break;
-                                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REAL_APPLICATION: {
+                                       if (length >= sizeof(uuid_t)) {
+                                               if (uuid_compare(real_application_uuid, value) == 0) {
+                                                       // No delegation
+                                                       break;
+                                               }
  
  
-                                                       NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uuid");
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uuid");
  
  
-                                                       uuid_copy(real_application_uuid, value);
-                                               }
-                                               break;
+                                               uuid_copy(real_application_uuid, value);
                                         }
                                         }
-                                       case NECP_CLIENT_PARAMETER_PID: {
-                                               if (length >= sizeof(pid_t)) {
-                                                       if (memcmp(&pid, value, sizeof(pid_t)) == 0) {
-                                                               // No delegation
-                                                               break;
-                                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_PID: {
+                                       if (length >= sizeof(pid_t)) {
+                                               if (memcmp(&pid, value, sizeof(pid_t)) == 0) {
+                                                       // No delegation
+                                                       break;
+                                               }
  
  
-                                                       NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "pid");
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "pid");
  
  
-                                                       memcpy(&pid, value, sizeof(pid_t));
-                                               }
-                                               break;
+                                               memcpy(&pid, value, sizeof(pid_t));
                                         }
                                         }
-                                       case NECP_CLIENT_PARAMETER_UID: {
-                                               if (length >= sizeof(uid_t)) {
-                                                       if (memcmp(&uid, value, sizeof(uid_t)) == 0) {
-                                                               // No delegation
-                                                               break;
-                                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_UID: {
+                                       if (length >= sizeof(uid_t)) {
+                                               if (memcmp(&uid, value, sizeof(uid_t)) == 0) {
+                                                       // No delegation
+                                                       break;
+                                               }
  
  
-                                                       NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uid");
+                                               NECP_VERIFY_DELEGATION_ENTITLEMENT(proc, "uid");
  
  
-                                                       memcpy(&uid, value, sizeof(uid_t));
-                                               }
-                                               break;
+                                               memcpy(&uid, value, sizeof(uid_t));
                                         }
                                         }
-                                       case NECP_CLIENT_PARAMETER_DOMAIN: {
-                                               domain = (char *)value;
-                                               domain[length - 1] = 0;
-                                               break;
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_DOMAIN: {
+                                       domain = (char *)value;
+                                       domain[length - 1] = 0;
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_ACCOUNT: {
+                                       account = (char *)value;
+                                       account[length - 1] = 0;
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: {
+                                       if (length >= sizeof(u_int32_t)) {
+                                               memcpy(&traffic_class, value, sizeof(u_int32_t));
                                         }
                                         }
-                                       case NECP_CLIENT_PARAMETER_ACCOUNT: {
-                                               account = (char *)value;
-                                               account[length - 1] = 0;
-                                               break;
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_IP_PROTOCOL: {
+                                       if (length >= sizeof(u_int16_t)) {
+                                               memcpy(&protocol, value, sizeof(u_int16_t));
+                                       } else if (length >= sizeof(u_int8_t)) {
+                                               memcpy(&protocol, value, sizeof(u_int8_t));
                                         }
                                         }
-                                       case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: {
-                                               if (length >= sizeof(u_int32_t)) {
-                                                       memcpy(&traffic_class, value, sizeof(u_int32_t));
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_BOUND_INTERFACE: {
+                                       if (length <= IFXNAMSIZ && length > 0) {
+                                               ifnet_t bound_interface = NULL;
+                                               char interface_name[IFXNAMSIZ];
+                                               memcpy(interface_name, value, length);
+                                               interface_name[length - 1] = 0;         // Make sure the string is NULL terminated
+                                               if (ifnet_find_by_name(interface_name, &bound_interface) == 0) {
+                                                       bound_interface_index = bound_interface->if_index;
+                                                       ifnet_release(bound_interface);
                                                 }
                                                 }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: {
+                                       if (ignore_address || override_local_addr) {
                                                 break;
                                         }
                                                 break;
                                         }
-                                       case NECP_CLIENT_PARAMETER_IP_PROTOCOL: {
-                                               if (length >= sizeof(u_int16_t)) {
-                                                       memcpy(&protocol, value, sizeof(u_int16_t));
+
+                                       if (length >= sizeof(struct necp_policy_condition_addr)) {
+                                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
+                                               if (necp_address_is_valid(&address_struct->address.sa)) {
+                                                       memcpy(&local_addr, &address_struct->address, sizeof(address_struct->address));
                                                 }
                                                 }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: {
+                                       if (ignore_address || override_remote_addr) {
                                                 break;
                                         }
                                                 break;
                                         }
-                                       case NECP_CLIENT_PARAMETER_BOUND_INTERFACE: {
-                                               if (length <= IFXNAMSIZ && length > 0) {
-                                                       ifnet_t bound_interface = NULL;
-                                                       char interface_name[IFXNAMSIZ];
-                                                       memcpy(interface_name, value, length);
-                                                       interface_name[length - 1] = 0; // Make sure the string is NULL terminated
-                                                       if (ifnet_find_by_name(interface_name, &bound_interface) == 0) {
-                                                               bound_interface_index = bound_interface->if_index;
-                                                               ifnet_release(bound_interface);
-                                                       }
+
+                                       if (length >= sizeof(struct necp_policy_condition_addr)) {
+                                               struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
+                                               if (necp_address_is_valid(&address_struct->address.sa)) {
+                                                       memcpy(&remote_addr, &address_struct->address, sizeof(address_struct->address));
                                                 }
                                                 }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_LOCAL_ENDPOINT: {
+                                       if (ignore_address || override_local_addr) {
                                                 break;
                                         }
                                                 break;
                                         }
-                                       case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: {
-                                               if (length >= sizeof(struct necp_policy_condition_addr)) {
-                                                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
-                                                       if (necp_address_is_valid(&address_struct->address.sa)) {
-                                                               memcpy(&local_addr, &address_struct->address, sizeof(address_struct->address));
-                                                       }
+
+                                       if (length >= sizeof(struct necp_client_endpoint)) {
+                                               struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value;
+                                               if (endpoint->u.endpoint.endpoint_family == AF_UNSPEC &&
+                                                   endpoint->u.endpoint.endpoint_port != 0) {
+                                                       // Save port
+                                                       local_port = endpoint->u.endpoint.endpoint_port;
                                                 }
                                                 }
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REMOTE_ENDPOINT: {
+                                       if (ignore_address || override_remote_addr) {
                                                 break;
                                         }
                                                 break;
                                         }
-                                       case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: {
-                                               if (length >= sizeof(struct necp_policy_condition_addr)) {
-                                                       struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value;
-                                                       if (necp_address_is_valid(&address_struct->address.sa)) {
-                                                               memcpy(&remote_addr, &address_struct->address, sizeof(address_struct->address));
-                                                       }
+
+                                       if (length >= sizeof(struct necp_client_endpoint)) {
+                                               struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value;
+                                               if (endpoint->u.endpoint.endpoint_family == AF_UNSPEC &&
+                                                   endpoint->u.endpoint.endpoint_port != 0) {
+                                                       // Save port
+                                                       remote_port = endpoint->u.endpoint.endpoint_port;
                                                 }
                                                 }
-                                               break;
                                         }
                                         }
-                                       default: {
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_FLAGS: {
+                                       if (length >= sizeof(client_flags)) {
+                                               memcpy(&client_flags, value, sizeof(client_flags));
+                                       }
+                                       break;
+                               }
+                               case NECP_CLIENT_PARAMETER_REQUIRE_AGENT_TYPE:
+                               case NECP_CLIENT_PARAMETER_PREFER_AGENT_TYPE: {
+                                       if (num_required_agent_types >= NECP_MAX_REQUIRED_AGENTS) {
                                                 break;
                                         }
                                                 break;
                                         }
+                                       if (length >= sizeof(struct necp_client_parameter_netagent_type)) {
+                                               memcpy(&required_agent_types[num_required_agent_types], value, sizeof(struct necp_client_parameter_netagent_type));
+                                               num_required_agent_types++;
+                                       }
+                                       break;
+                               }
+                               default: {
+                                       break;
+                               }
                                 }
                         }
                 }
                                 }
                         }
                 }
@@ -5410,20 +6322,48 @@ necp_application_find_policy_match_internal(proc_t proc,
                 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
         }
  
                 offset += sizeof(u_int8_t) + sizeof(u_int32_t) + length;
         }
  
+       // Check for loopback exception
+       if (necp_pass_loopback > 0 && necp_is_loopback(&local_addr.sa, &remote_addr.sa, NULL, NULL, bound_interface_index)) {
+               returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_PASS;
+               returned_result->routed_interface_index = lo_ifp->if_index;
+               *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
+               return 0;
+       }
+
         // Lock
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
         // Lock
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
-       necp_application_fillout_info_locked(application_uuid, real_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, proc, &info);
-       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, &route_rule_id, &service_action, &service, netagent_ids, NECP_MAX_NETAGENTS, proc);
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_array_count = 0;
+       necp_application_fillout_info_locked(application_uuid, real_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, local_port, remote_port, has_client, proc, drop_order, client_flags, &info);
+       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, netagent_use_flags, NECP_MAX_NETAGENTS, required_agent_types, num_required_agent_types, proc, NULL, NULL, &drop_dest_policy_result, &drop_all_bypass);
         if (matched_policy) {
                 returned_result->policy_id = matched_policy->id;
                 returned_result->routing_result = matched_policy->result;
                 memcpy(&returned_result->routing_result_parameter, &matched_policy->result_parameter, sizeof(returned_result->routing_result_parameter));
         } else {
         if (matched_policy) {
                 returned_result->policy_id = matched_policy->id;
                 returned_result->routing_result = matched_policy->result;
                 memcpy(&returned_result->routing_result_parameter, &matched_policy->result_parameter, sizeof(returned_result->routing_result_parameter));
         } else {
-               returned_result->policy_id = 0;
-               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
+               bool drop_all = false;
+               if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
+                       // Mark socket as a drop if drop_all is set
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(proc);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+               } else {
+                       returned_result->policy_id = 0;
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
+               }
+       }
+       if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+               returned_result->filter_control_unit = 0;
+       } else {
+               returned_result->filter_control_unit = filter_control_unit;
         }
         }
-       returned_result->filter_control_unit = filter_control_unit;
         returned_result->service_action = service_action;
  
         // Handle trigger service
         returned_result->service_action = service_action;
  
         // Handle trigger service
@@ -5457,7 +6397,7 @@ necp_application_find_policy_match_internal(proc_t proc,
                 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
                 if (mapping != NULL) {
                         uuid_copy(returned_result->netagents[netagent_cursor], mapping->uuid);
                 mapping = necp_uuid_lookup_uuid_with_service_id_locked(netagent_id);
                 if (mapping != NULL) {
                         uuid_copy(returned_result->netagents[netagent_cursor], mapping->uuid);
-                       returned_result->netagent_flags[netagent_cursor] = netagent_get_flags(mapping->uuid);
+                       returned_result->netagent_use_flags[netagent_cursor] = netagent_use_flags[netagent_cursor];
                 }
         }
  
                 }
         }
  
@@ -5467,92 +6407,113 @@ necp_application_find_policy_match_internal(proc_t proc,
                 output_bound_interface = returned_result->routing_result_parameter.scoped_interface_index;
         } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
                 output_bound_interface = returned_result->routing_result_parameter.tunnel_interface_index;
                 output_bound_interface = returned_result->routing_result_parameter.scoped_interface_index;
         } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
                 output_bound_interface = returned_result->routing_result_parameter.tunnel_interface_index;
+       } else if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
+               output_bound_interface = necp_get_primary_direct_interface_index();
+               if (output_bound_interface == IFSCOPE_NONE) {
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+               } else {
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED;
+                       returned_result->routing_result_parameter.scoped_interface_index = output_bound_interface;
+               }
         }
  
         if (local_addr.sa.sa_len == 0 ||
         }
  
         if (local_addr.sa.sa_len == 0 ||
-               (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
-               (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
+           (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
+           (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
                 no_local_addr = TRUE;
         }
  
         if (remote_addr.sa.sa_len == 0 ||
                 no_local_addr = TRUE;
         }
  
         if (remote_addr.sa.sa_len == 0 ||
-               (remote_addr.sa.sa_family == AF_INET && remote_addr.sin.sin_addr.s_addr == 0) ||
-               (remote_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr.sin6.sin6_addr))) {
+           (remote_addr.sa.sa_family == AF_INET && remote_addr.sin.sin_addr.s_addr == 0) ||
+           (remote_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr.sin6.sin6_addr))) {
                 no_remote_addr = TRUE;
                 remote_family = remote_addr.sa.sa_family;
         }
  
                 no_remote_addr = TRUE;
                 remote_family = remote_addr.sa.sa_family;
         }
  
-       if (no_remote_addr) {
-               memset(&remote_addr, 0, sizeof(remote_addr));
-               if (remote_family == AF_INET6) {
-                       // Reset address to ::
-                       remote_addr.sa.sa_family = AF_INET6;
-                       remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
-               } else {
-                       // Reset address to 0.0.0.0
-                       remote_addr.sa.sa_family = AF_INET;
-                       remote_addr.sa.sa_len = sizeof(struct sockaddr_in);
-               }
-       }
-
+       returned_result->routed_interface_index = 0;
         struct rtentry *rt = NULL;
         struct rtentry *rt = NULL;
-       rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
-           output_bound_interface);
+       if (!no_local_addr && (client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) != 0) {
+               // Treat the output bound interface as the routed interface for local address
+               // validation later.
+               returned_result->routed_interface_index = output_bound_interface;
+       } else {
+               if (no_remote_addr) {
+                       memset(&remote_addr, 0, sizeof(remote_addr));
+                       if (remote_family == AF_INET6) {
+                               // Reset address to ::
+                               remote_addr.sa.sa_family = AF_INET6;
+                               remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
+                       } else {
+                               // Reset address to 0.0.0.0
+                               remote_addr.sa.sa_family = AF_INET;
+                               remote_addr.sa.sa_len = sizeof(struct sockaddr_in);
+                       }
+               }
  
  
-       if (no_remote_addr && remote_family == 0 &&
-               (rt == NULL || rt->rt_ifp == NULL)) {
-               // Route lookup for default IPv4 failed, try IPv6
+               rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
+                   output_bound_interface);
  
  
-               // Cleanup old route if necessary
-               if (rt != NULL) {
+               if (remote_addr.sa.sa_family == AF_INET && rt != NULL &&
+                   IS_INTF_CLAT46(rt->rt_ifp)) {
                         rtfree(rt);
                         rt = NULL;
                         rtfree(rt);
                         rt = NULL;
+                       returned_result->routed_interface_index = 0;
                 }
  
                 }
  
-               // Reset address to ::
-               memset(&remote_addr, 0, sizeof(remote_addr));
-               remote_addr.sa.sa_family = AF_INET6;
-               remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
+               if (no_remote_addr && remote_family == AF_UNSPEC &&
+                   (rt == NULL || rt->rt_ifp == NULL)) {
+                       // Route lookup for default IPv4 failed, try IPv6
  
  
-               // Get route
-               rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
-                   output_bound_interface);
-       }
+                       // Cleanup old route if necessary
+                       if (rt != NULL) {
+                               rtfree(rt);
+                               rt = NULL;
+                       }
  
  
-       returned_result->routed_interface_index = 0;
-       if (rt != NULL &&
-           rt->rt_ifp != NULL) {
-               returned_result->routed_interface_index = rt->rt_ifp->if_index;
-               /*
-                * For local addresses, we allow the interface scope to be
-                * either the loopback interface or the interface hosting the
-                * local address.
-                */
-               if (bound_interface_index != IFSCOPE_NONE &&
-                   rt->rt_ifa != NULL && rt->rt_ifa->ifa_ifp &&
-                   (output_bound_interface == lo_ifp->if_index ||
-                   rt->rt_ifp->if_index == lo_ifp->if_index ||
-                   rt->rt_ifa->ifa_ifp->if_index == bound_interface_index)) {
-                       struct sockaddr_storage dst;
-                       unsigned int ifscope = bound_interface_index;
+                       // Reset address to ::
+                       memset(&remote_addr, 0, sizeof(remote_addr));
+                       remote_addr.sa.sa_family = AF_INET6;
+                       remote_addr.sa.sa_len = sizeof(struct sockaddr_in6);
+
+                       // Get route
+                       rt = rtalloc1_scoped((struct sockaddr *)&remote_addr, 0, 0,
+                           output_bound_interface);
+               }
  
  
+               if (rt != NULL &&
+                   rt->rt_ifp != NULL) {
+                       returned_result->routed_interface_index = rt->rt_ifp->if_index;
                         /*
                         /*
-                        * Transform dst into the internal routing table form
+                        * For local addresses, we allow the interface scope to be
+                        * either the loopback interface or the interface hosting the
+                        * local address.
                          */
                          */
-                       (void) sa_copy((struct sockaddr *)&remote_addr,
-                                       &dst, &ifscope);
-
-                       if ((rt->rt_ifp->if_index == lo_ifp->if_index) ||
-                           rt_ifa_is_dst((struct sockaddr *)&dst, rt->rt_ifa))
-                               returned_result->routed_interface_index =
-                                       bound_interface_index;
+                       if (bound_interface_index != IFSCOPE_NONE &&
+                           rt->rt_ifa != NULL && rt->rt_ifa->ifa_ifp &&
+                           (output_bound_interface == lo_ifp->if_index ||
+                           rt->rt_ifp->if_index == lo_ifp->if_index ||
+                           rt->rt_ifa->ifa_ifp->if_index == bound_interface_index)) {
+                               struct sockaddr_storage dst;
+                               unsigned int ifscope = bound_interface_index;
+
+                               /*
+                                * Transform dst into the internal routing table form
+                                */
+                               (void) sa_copy((struct sockaddr *)&remote_addr,
+                                   &dst, &ifscope);
+
+                               if ((rt->rt_ifp->if_index == lo_ifp->if_index) ||
+                                   rt_ifa_is_dst((struct sockaddr *)&dst, rt->rt_ifa)) {
+                                       returned_result->routed_interface_index =
+                                           bound_interface_index;
+                               }
+                       }
                 }
         }
  
         if (returned_result->routed_interface_index != 0 &&
                 }
         }
  
         if (returned_result->routed_interface_index != 0 &&
-               returned_result->routed_interface_index != lo_ifp->if_index && // Loopback can accept any local address
-               !no_local_addr) {
-
+           returned_result->routed_interface_index != lo_ifp->if_index &&     // Loopback can accept any local address
+           !no_local_addr) {
                 // Transform local_addr into the ifaddr form
                 // IPv6 Scope IDs are always embedded in the ifaddr list
                 struct sockaddr_storage local_address_sanitized;
                 // Transform local_addr into the ifaddr form
                 // IPv6 Scope IDs are always embedded in the ifaddr list
                 struct sockaddr_storage local_address_sanitized;
@@ -5578,36 +6539,112 @@ necp_application_find_policy_match_internal(proc_t proc,
                 }
         }
  
                 }
         }
  
-       if (flags != NULL) {
-               // Check for local/direct
-               bool is_local = FALSE;
-               if (rt != NULL && (rt->rt_flags & RTF_LOCAL)) {
-                       is_local = TRUE;
-               } else if (returned_result->routed_interface_index != 0 &&
-                       !no_remote_addr) {
-                       // Check if remote address is an interface address
-                       struct ifaddr *ifa = ifa_ifwithaddr(&remote_addr.sa);
-                       if (ifa != NULL && ifa->ifa_ifp != NULL) {
-                               u_int if_index_for_remote_addr = ifa->ifa_ifp->if_index;
-                               if (if_index_for_remote_addr == returned_result->routed_interface_index ||
-                                       if_index_for_remote_addr == lo_ifp->if_index) {
-                                       is_local = TRUE;
+       if (flags != NULL) {
+               if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) == 0) {
+                       // Check for local/direct
+                       bool is_local = FALSE;
+                       if (rt != NULL && (rt->rt_flags & RTF_LOCAL)) {
+                               is_local = TRUE;
+                       } else if (returned_result->routed_interface_index != 0 &&
+                           !no_remote_addr) {
+                               // Clean up the address before comparison with interface addresses
+
+                               // Transform remote_addr into the ifaddr form
+                               // IPv6 Scope IDs are always embedded in the ifaddr list
+                               struct sockaddr_storage remote_address_sanitized;
+                               u_int ifscope = IFSCOPE_NONE;
+                               (void)sa_copy(&remote_addr.sa, &remote_address_sanitized, &ifscope);
+                               SIN(&remote_address_sanitized)->sin_port = 0;
+                               if (remote_address_sanitized.ss_family == AF_INET6) {
+                                       SIN6(&remote_address_sanitized)->sin6_scope_id = 0;
+                               }
+
+                               // Check if remote address is an interface address
+                               struct ifaddr *ifa = ifa_ifwithaddr((struct sockaddr *)&remote_address_sanitized);
+                               if (ifa != NULL && ifa->ifa_ifp != NULL) {
+                                       u_int if_index_for_remote_addr = ifa->ifa_ifp->if_index;
+                                       if (if_index_for_remote_addr == returned_result->routed_interface_index ||
+                                           if_index_for_remote_addr == lo_ifp->if_index) {
+                                               is_local = TRUE;
+                                       }
+                               }
+                               if (ifa != NULL) {
+                                       ifaddr_release(ifa);
+                                       ifa = NULL;
+                               }
+                       }
+
+                       if (is_local) {
+                               *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
+                       } else {
+                               if (rt != NULL &&
+                                   !(rt->rt_flags & RTF_GATEWAY) &&
+                                   (rt->rt_ifa && rt->rt_ifa->ifa_ifp && !(rt->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT))) {
+                                       // Route is directly accessible
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_IS_DIRECT;
+                               }
+                       }
+
+                       if (rt != NULL &&
+                           rt->rt_ifp != NULL) {
+                               // Check probe status
+                               if (rt->rt_ifp->if_eflags & IFEF_PROBE_CONNECTIVITY) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_PROBE_CONNECTIVITY;
+                               }
+
+                               if (rt->rt_ifp->if_type == IFT_CELLULAR) {
+                                       struct if_cellular_status_v1 *ifsr;
+
+                                       ifnet_lock_shared(rt->rt_ifp);
+                                       lck_rw_lock_exclusive(&rt->rt_ifp->if_link_status_lock);
+
+                                       if (rt->rt_ifp->if_link_status != NULL) {
+                                               ifsr = &rt->rt_ifp->if_link_status->ifsr_u.ifsr_cell.if_cell_u.if_status_v1;
+
+                                               if (ifsr->valid_bitmask & IF_CELL_UL_MSS_RECOMMENDED_VALID) {
+                                                       if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_NONE) {
+                                                               returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_NONE;
+                                                       } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_MEDIUM) {
+                                                               returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_MEDIUM;
+                                                       } else if (ifsr->mss_recommended == IF_CELL_UL_MSS_RECOMMENDED_LOW) {
+                                                               returned_result->mss_recommended = NECP_CLIENT_RESULT_RECOMMENDED_MSS_LOW;
+                                                       }
+                                               }
+                                       }
+                                       lck_rw_done(&rt->rt_ifp->if_link_status_lock);
+                                       ifnet_lock_done(rt->rt_ifp);
+                               }
+
+                               // Check link quality
+                               if ((client_flags & NECP_CLIENT_PARAMETER_FLAG_DISCRETIONARY) &&
+                                   (rt->rt_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
+                                   rt->rt_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_LINK_QUALITY_ABORT;
                                 }
                                 }
-                       }
-                       if (ifa != NULL) {
-                               ifaddr_release(ifa);
-                               ifa = NULL;
-                       }
-               }
  
  
-               if (is_local) {
-                       *flags |= (NECP_CLIENT_RESULT_FLAG_IS_LOCAL | NECP_CLIENT_RESULT_FLAG_IS_DIRECT);
-               } else {
-                       if (rt != NULL &&
-                               !(rt->rt_flags & RTF_GATEWAY) &&
-                               (rt->rt_ifa && rt->rt_ifa->ifa_ifp && !(rt->rt_ifa->ifa_ifp->if_flags & IFF_POINTOPOINT))) {
-                               // Route is directly accessible
-                               *flags |= NECP_CLIENT_RESULT_FLAG_IS_DIRECT;
+                               // Check QoS marking (fastlane)
+                               for (size_t route_rule_index = 0; route_rule_index < route_rule_id_array_count; route_rule_index++) {
+                                       if (necp_update_qos_marking(rt->rt_ifp, route_rule_id_array[route_rule_index])) {
+                                               *flags |= NECP_CLIENT_RESULT_FLAG_ALLOW_QOS_MARKING;
+                                               // If the route can use QoS markings, stop iterating route rules
+                                               break;
+                                       }
+                               }
+
+                               if (IFNET_IS_LOW_POWER(rt->rt_ifp)) {
+                                       *flags |= NECP_CLIENT_RESULT_FLAG_INTERFACE_LOW_POWER;
+                               }
+
+                               if (traffic_class == SO_TC_BK_SYS) {
+                                       // Block BK_SYS traffic if interface is throttled
+                                       u_int32_t throttle_level = 0;
+                                       if (ifnet_get_throttle(rt->rt_ifp, &throttle_level) == 0) {
+                                               if (throttle_level == IFNET_THROTTLE_OPPORTUNISTIC) {
+                                                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                                                       memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
+                                               }
+                                       }
+                               }
                         }
                 }
  
                         }
                 }
  
@@ -5631,9 +6668,15 @@ necp_application_find_policy_match_internal(proc_t proc,
                             returned_result->routed_interface_index);
  
                         if (v4Route != NULL) {
                             returned_result->routed_interface_index);
  
                         if (v4Route != NULL) {
-                               if (v4Route->rt_ifp != NULL) {
+                               if (v4Route->rt_ifp != NULL && !IS_INTF_CLAT46(v4Route->rt_ifp)) {
                                         *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV4;
                                 }
                                         *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV4;
                                 }
+                               if (returned_v4_gateway != NULL &&
+                                   v4Route->rt_gateway != NULL &&
+                                   v4Route->rt_gateway->sa_len == sizeof(returned_v4_gateway->u.sin)) {
+                                       memcpy(&returned_v4_gateway->u.sin, v4Route->rt_gateway, sizeof(returned_v4_gateway->u.sin));
+                                       memset(&returned_v4_gateway->u.sin.sin_zero, 0, sizeof(returned_v4_gateway->u.sin.sin_zero));
+                               }
                                 rtfree(v4Route);
                                 v4Route = NULL;
                         }
                                 rtfree(v4Route);
                                 v4Route = NULL;
                         }
@@ -5641,6 +6684,15 @@ necp_application_find_policy_match_internal(proc_t proc,
                         if (v6Route != NULL) {
                                 if (v6Route->rt_ifp != NULL) {
                                         *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV6;
                         if (v6Route != NULL) {
                                 if (v6Route->rt_ifp != NULL) {
                                         *flags |= NECP_CLIENT_RESULT_FLAG_HAS_IPV6;
+
+                                       if (ifnet_get_nat64prefix(v6Route->rt_ifp, NULL) == 0) {
+                                               *flags |= NECP_CLIENT_RESULT_FLAG_HAS_NAT64;
+                                       }
+                               }
+                               if (returned_v6_gateway != NULL &&
+                                   v6Route->rt_gateway != NULL &&
+                                   v6Route->rt_gateway->sa_len == sizeof(returned_v6_gateway->u.sin6)) {
+                                       memcpy(&returned_v6_gateway->u.sin6, v6Route->rt_gateway, sizeof(returned_v6_gateway->u.sin6));
                                 }
                                 rtfree(v6Route);
                                 v6Route = NULL;
                                 }
                                 rtfree(v6Route);
                                 v6Route = NULL;
@@ -5648,30 +6700,115 @@ necp_application_find_policy_match_internal(proc_t proc,
                 }
         }
  
                 }
         }
  
-       u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
-       bool route_is_allowed = necp_route_is_allowed(rt, NULL, route_rule_id, &interface_type_denied);
-       if (!route_is_allowed) {
-               // If the route is blocked, treat the lookup as a drop
-               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
-               memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
+       for (size_t route_rule_index = 0; route_rule_index < route_rule_id_array_count; route_rule_index++) {
+               u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
+               bool route_is_allowed = necp_route_is_allowed(rt, NULL, route_rule_id_array[route_rule_index], &interface_type_denied);
+               if (!route_is_allowed) {
+                       // If the route is blocked, treat the lookup as a drop
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
+
+                       if (interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
+                               if (reason != NULL) {
+                                       if (interface_type_denied == IFRTYPE_FUNCTIONAL_CELLULAR) {
+                                               *reason = NECP_CLIENT_RESULT_REASON_CELLULAR_DENIED;
+                                       } else if (interface_type_denied == IFRTYPE_FUNCTIONAL_WIFI_INFRA) {
+                                               *reason = NECP_CLIENT_RESULT_REASON_WIFI_DENIED;
+                                       }
+                               }
+                               necp_send_application_interface_denied_event(pid, application_uuid, interface_type_denied);
+                       }
+                       // If the route gets denied, stop matching rules
+                       break;
+               }
+       }
  
  
-               if (interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
-                       necp_send_application_interface_denied_event(pid, application_uuid, interface_type_denied);
+       if (rt != NULL && rt->rt_ifp != NULL) {
+               const bool expensive_prohibited = ((client_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE) &&
+                   IFNET_IS_EXPENSIVE(rt->rt_ifp));
+               const bool constrained_prohibited = ((client_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED) &&
+                   IFNET_IS_CONSTRAINED(rt->rt_ifp));
+               if (reason != NULL) {
+                       if (expensive_prohibited) {
+                               *reason = NECP_CLIENT_RESULT_REASON_EXPENSIVE_PROHIBITED;
+                       } else if (constrained_prohibited) {
+                               *reason = NECP_CLIENT_RESULT_REASON_CONSTRAINED_PROHIBITED;
+                       }
+               }
+               if (expensive_prohibited || constrained_prohibited) {
+                       // If the client flags prohibited a property of the interface, treat it as a drop
+                       returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       memset(&returned_result->routing_result_parameter, 0, sizeof(returned_result->routing_result_parameter));
                 }
         }
  
         if (rt != NULL) {
                 }
         }
  
         if (rt != NULL) {
-               rtfree(rt);
+               if (returned_route != NULL) {
+                       *returned_route = rt;
+               } else {
+                       rtfree(rt);
+               }
                 rt = NULL;
         }
         // Unlock
         lck_rw_done(&necp_kernel_policy_lock);
  
                 rt = NULL;
         }
         // Unlock
         lck_rw_done(&necp_kernel_policy_lock);
  
-       return (error);
+       return error;
+}
+
+static bool
+necp_is_route_local(union necp_sockaddr_union *remote_addr)
+{
+       bool no_remote_addr = FALSE;
+       u_int8_t remote_family = 0;
+       struct rtentry *rt = NULL;
+       bool is_local = FALSE;
+
+       if (remote_addr == NULL) {
+               return NULL;
+       }
+
+       if (remote_addr->sa.sa_len == 0 ||
+           (remote_addr->sa.sa_family == AF_INET && remote_addr->sin.sin_addr.s_addr == 0) ||
+           (remote_addr->sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&remote_addr->sin6.sin6_addr))) {
+               no_remote_addr = TRUE;
+               remote_family = remote_addr->sa.sa_family;
+       }
+
+       if (no_remote_addr) {
+               memset(remote_addr, 0, sizeof(union necp_sockaddr_union));
+               if (remote_family == AF_INET6) {
+                       // Reset address to ::
+                       remote_addr->sa.sa_family = AF_INET6;
+                       remote_addr->sa.sa_len = sizeof(struct sockaddr_in6);
+               } else {
+                       // Reset address to 0.0.0.0
+                       remote_addr->sa.sa_family = AF_INET;
+                       remote_addr->sa.sa_len = sizeof(struct sockaddr_in);
+               }
+       }
+
+       // Lookup route regardless of the scoped interface to check if
+       // remote address is in a local network.
+       rt = rtalloc1_scoped((struct sockaddr *)remote_addr, 0, 0, 0);
+
+       if (rt == NULL) {
+               goto done;
+       }
+       if (remote_addr->sa.sa_family == AF_INET && IS_INTF_CLAT46(rt->rt_ifp)) {
+               goto free_rt;
+       }
+       is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
+
+free_rt:
+       rtfree(rt);
+
+done:
+       return is_local;
  }
  
  static bool
  }
  
  static bool
-necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, proc_t proc)
+necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, bool has_client, uint32_t client_flags, int is_platform_binary, proc_t proc, struct rtentry *rt)
  {
         if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
  {
         if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
@@ -5679,36 +6816,36 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                 if (bound_interface_index == cond_bound_interface_index) {
                                         // No match, matches forbidden interface
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                 if (bound_interface_index == cond_bound_interface_index) {
                                         // No match, matches forbidden interface
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (bound_interface_index != cond_bound_interface_index) {
                                         // No match, does not match required interface
                                 }
                         } else {
                                 if (bound_interface_index != cond_bound_interface_index) {
                                         // No match, does not match required interface
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 } else {
                         if (bound_interface_index != 0) {
                                 // No match, requires a non-bound packet
                                 }
                         }
                 } else {
                         if (bound_interface_index != 0) {
                                 // No match, requires a non-bound packet
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
  
         if (kernel_policy->condition_mask == 0) {
                         }
                 }
         }
  
         if (kernel_policy->condition_mask == 0) {
-               return (TRUE);
+               return TRUE;
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                         if (app_id == kernel_policy->cond_app_id) {
                                 // No match, matches forbidden application
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) {
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                         if (app_id == kernel_policy->cond_app_id) {
                                 // No match, matches forbidden application
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (app_id != kernel_policy->cond_app_id) {
                                 // No match, does not match required application
                         }
                 } else {
                         if (app_id != kernel_policy->cond_app_id) {
                                 // No match, does not match required application
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
                         }
                 }
         }
@@ -5717,34 +6854,55 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                         if (real_app_id == kernel_policy->cond_real_app_id) {
                                 // No match, matches forbidden application
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) {
                         if (real_app_id == kernel_policy->cond_real_app_id) {
                                 // No match, matches forbidden application
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (real_app_id != kernel_policy->cond_real_app_id) {
                                 // No match, does not match required application
                         }
                 } else {
                         if (real_app_id != kernel_policy->cond_real_app_id) {
                                 // No match, does not match required application
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
  
                         }
                 }
         }
  
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+               if (!has_client) {
+                       return FALSE;
+               }
+       }
+
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                 if (cred_result != 0) {
                         // Process is missing entitlement
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                 if (cred_result != 0) {
                         // Process is missing entitlement
-                       return (FALSE);
+                       return FALSE;
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+               if (is_platform_binary == 0) {
+                       // Process is not platform binary
+                       return FALSE;
                 }
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
                 }
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
-               if (kernel_policy->cond_custom_entitlement != NULL) {
-                       if (proc == NULL) {
-                               // No process found, cannot check entitlement
-                               return (FALSE);
-                       }
-                       task_t task = proc_task(proc);
-                       if (task == NULL ||
-                               !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) {
-                               // Process is missing custom entitlement
-                               return (FALSE);
+               if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_false) {
+                       // Process is missing entitlement based on previous check
+                       return FALSE;
+               } else if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_unknown) {
+                       if (kernel_policy->cond_custom_entitlement != NULL) {
+                               if (proc == NULL) {
+                                       // No process found, cannot check entitlement
+                                       return FALSE;
+                               }
+                               task_t task = proc_task(proc);
+                               if (task == NULL ||
+                                   !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) {
+                                       // Process is missing custom entitlement
+                                       kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_false;
+                                       return FALSE;
+                               } else {
+                                       kernel_policy->cond_custom_entitlement_matched = necp_boolean_state_true;
+                               }
                         }
                 }
         }
                         }
                 }
         }
@@ -5754,12 +6912,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) {
                         if (domain_matches) {
                                 // No match, matches forbidden domain
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) {
                         if (domain_matches) {
                                 // No match, matches forbidden domain
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (!domain_matches) {
                                 // No match, does not match required domain
                         }
                 } else {
                         if (!domain_matches) {
                                 // No match, does not match required domain
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
                         }
                 }
         }
@@ -5768,12 +6926,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                         if (account_id == kernel_policy->cond_account_id) {
                                 // No match, matches forbidden account
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) {
                         if (account_id == kernel_policy->cond_account_id) {
                                 // No match, matches forbidden account
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (account_id != kernel_policy->cond_account_id) {
                                 // No match, does not match required account
                         }
                 } else {
                         if (account_id != kernel_policy->cond_account_id) {
                                 // No match, does not match required account
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
                         }
                 }
         }
@@ -5782,12 +6940,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) {
                         if (pid == kernel_policy->cond_pid) {
                                 // No match, matches forbidden pid
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) {
                         if (pid == kernel_policy->cond_pid) {
                                 // No match, matches forbidden pid
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (pid != kernel_policy->cond_pid) {
                                 // No match, does not match required pid
                         }
                 } else {
                         if (pid != kernel_policy->cond_pid) {
                                 // No match, does not match required pid
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
                         }
                 }
         }
@@ -5796,12 +6954,12 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) {
                         if (uid == kernel_policy->cond_uid) {
                                 // No match, matches forbidden uid
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) {
                         if (uid == kernel_policy->cond_uid) {
                                 // No match, matches forbidden uid
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (uid != kernel_policy->cond_uid) {
                                 // No match, does not match required uid
                         }
                 } else {
                         if (uid != kernel_policy->cond_uid) {
                                 // No match, does not match required uid
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
                         }
                 }
         }
@@ -5809,15 +6967,15 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                         if (traffic_class >= kernel_policy->cond_traffic_class.start_tc &&
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) {
                         if (traffic_class >= kernel_policy->cond_traffic_class.start_tc &&
-                               traffic_class <= kernel_policy->cond_traffic_class.end_tc) {
+                           traffic_class <= kernel_policy->cond_traffic_class.end_tc) {
                                 // No match, matches forbidden traffic class
                                 // No match, matches forbidden traffic class
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (traffic_class < kernel_policy->cond_traffic_class.start_tc ||
                         }
                 } else {
                         if (traffic_class < kernel_policy->cond_traffic_class.start_tc ||
-                               traffic_class > kernel_policy->cond_traffic_class.end_tc) {
+                           traffic_class > kernel_policy->cond_traffic_class.end_tc) {
                                 // No match, does not match required traffic class
                                 // No match, does not match required traffic class
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
                         }
                 }
         }
@@ -5826,14 +6984,47 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                         if (protocol == kernel_policy->cond_protocol) {
                                 // No match, matches forbidden protocol
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                         if (protocol == kernel_policy->cond_protocol) {
                                 // No match, matches forbidden protocol
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (protocol != kernel_policy->cond_protocol) {
                                 // No match, does not match required protocol
                         }
                 } else {
                         if (protocol != kernel_policy->cond_protocol) {
                                 // No match, does not match required protocol
-                               return (FALSE);
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
+               bool matches_agent_type = FALSE;
+               for (u_int32_t i = 0; i < num_required_agent_types; i++) {
+                       struct necp_client_parameter_netagent_type *required_agent_type = &required_agent_types[i];
+                       if ((strlen(kernel_policy->cond_agent_type.agent_domain) == 0 ||
+                           strncmp(required_agent_type->netagent_domain, kernel_policy->cond_agent_type.agent_domain, NETAGENT_DOMAINSIZE) == 0) &&
+                           (strlen(kernel_policy->cond_agent_type.agent_type) == 0 ||
+                           strncmp(required_agent_type->netagent_type, kernel_policy->cond_agent_type.agent_type, NETAGENT_TYPESIZE) == 0)) {
+                               // Found a required agent that matches
+                               matches_agent_type = TRUE;
+                               break;
                         }
                 }
                         }
                 }
+               if (!matches_agent_type) {
+                       return FALSE;
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+               bool is_local = FALSE;
+
+               if (rt != NULL) {
+                       is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
+               } else {
+                       is_local = necp_is_route_local(remote);
+               }
+
+               if (!is_local) {
+                       // Either no route to validate or no match for local networks
+                       return FALSE;
+               }
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
@@ -5841,22 +7032,22 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                 if (inRange) {
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                 if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inRange) {
                                 }
                         } else {
                                 if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (inSubnet) {
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inSubnet) {
                                 }
                         } else {
                                 if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 }
                                 }
                         }
                 }
@@ -5867,38 +7058,78 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                 if (inRange) {
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                 if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inRange) {
                                 }
                         } else {
                                 if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (inSubnet) {
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inSubnet) {
                                 }
                         } else {
                                 if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 }
         }
  
                                 }
                         }
                 }
         }
  
-       return (TRUE);
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+                       if ((client_flags & kernel_policy->cond_client_flags) == kernel_policy->cond_client_flags) {
+                               // Flags do match, and condition is negative, fail.
+                               return FALSE;
+                       }
+               } else {
+                       if ((client_flags & kernel_policy->cond_client_flags) != kernel_policy->cond_client_flags) {
+                               // Flags do not match, fail.
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+               bool isEmpty = necp_addr_is_empty((struct sockaddr *)local);
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) {
+                       if (isEmpty) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!isEmpty) {
+                               return FALSE;
+                       }
+               }
+       }
+
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+               bool isEmpty = necp_addr_is_empty((struct sockaddr *)remote);
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) {
+                       if (isEmpty) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!isEmpty) {
+                               return FALSE;
+                       }
+               }
+       }
+
+       return TRUE;
  }
  
  static inline u_int32_t
  necp_socket_calc_flowhash_locked(struct necp_socket_info *info)
  {
  }
  
  static inline u_int32_t
  necp_socket_calc_flowhash_locked(struct necp_socket_info *info)
  {
-       return (net_flowhash(info, sizeof(*info), necp_kernel_socket_policies_gencount));
+       return net_flowhash(info, sizeof(*info), necp_kernel_socket_policies_gencount);
  }
  
  static void
  }
  
  static void
-necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface, struct necp_socket_info *info)
+necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface, u_int32_t drop_order, struct necp_socket_info *info)
  {
         struct socket *so = NULL;
  
  {
         struct socket *so = NULL;
  
@@ -5906,6 +7137,8 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
  
         so = inp->inp_socket;
  
  
         so = inp->inp_socket;
  
+       info->drop_order = drop_order;
+
         if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PID) {
                 info->pid = ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
         }
         if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PID) {
                 info->pid = ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid);
         }
@@ -5918,6 +7151,30 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
                 info->traffic_class = so->so_traffic_class;
         }
  
                 info->traffic_class = so->so_traffic_class;
         }
  
+       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) {
+               info->has_client = !uuid_is_null(inp->necp_client_uuid);
+       }
+
+       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
+               info->client_flags = 0;
+               if (INP_NO_CONSTRAINED(inp)) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED;
+               }
+               if (INP_NO_EXPENSIVE(inp)) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE;
+               }
+               if (inp->inp_socket->so_flags1 & SOF1_CELLFALLBACK) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_FALLBACK_TRAFFIC;
+               }
+               if (inp->inp_socket->so_flags1 & SOF1_INBOUND) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_INBOUND;
+               }
+               if (inp->inp_socket->so_options & SO_ACCEPTCONN ||
+                   inp->inp_flags2 & INP2_EXTERNAL_PORT) {
+                       info->client_flags |= NECP_CLIENT_PARAMETER_FLAG_LISTENER;
+               }
+       }
+
         if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                 if (inp->inp_ip_p) {
                         info->protocol = inp->inp_ip_p;
         if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                 if (inp->inp_ip_p) {
                         info->protocol = inp->inp_ip_p;
@@ -5943,6 +7200,14 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
  
                 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                         info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
  
                 if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) {
                         info->cred_result = priv_check_cred(so->so_cred, PRIV_NET_PRIVILEGED_NECP_MATCH, 0);
+                       if (info->cred_result != 0) {
+                               // Process does not have entitlement, check the parent process
+                               necp_get_parent_cred_result(NULL, info);
+                       }
+               }
+
+               if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
+                       info->is_platform_binary = csproc_get_platform_binary(current_proc()) ? true : false;
                 }
         }
  
                 }
         }
  
@@ -5966,45 +7231,51 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
         }
  
         if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
         }
  
         if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
-               if (inp->inp_vflag & INP_IPV4) {
-                       if (override_local_addr) {
-                               if (override_local_addr->sa_len <= sizeof(struct sockaddr_in)) {
-                                       memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
+               if (override_local_addr != NULL) {
+                       if (override_local_addr->sa_family == AF_INET6 && override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
+                               memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
+                               if (IN6_IS_ADDR_V4MAPPED(&(info->local_addr.sin6.sin6_addr))) {
+                                       struct sockaddr_in sin;
+                                       in6_sin6_2_sin(&sin, &(info->local_addr.sin6));
+                                       memset(&info->local_addr, 0, sizeof(union necp_sockaddr_union));
+                                       memcpy(&info->local_addr, &sin, sin.sin_len);
                                 }
                                 }
-                       } else {
+                       } else if (override_local_addr->sa_family == AF_INET && override_local_addr->sa_len <= sizeof(struct sockaddr_in)) {
+                               memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
+                       }
+               } else {
+                       if (inp->inp_vflag & INP_IPV4) {
                                 ((struct sockaddr_in *)&info->local_addr)->sin_family = AF_INET;
                                 ((struct sockaddr_in *)&info->local_addr)->sin_len = sizeof(struct sockaddr_in);
                                 ((struct sockaddr_in *)&info->local_addr)->sin_port = inp->inp_lport;
                                 memcpy(&((struct sockaddr_in *)&info->local_addr)->sin_addr, &inp->inp_laddr, sizeof(struct in_addr));
                                 ((struct sockaddr_in *)&info->local_addr)->sin_family = AF_INET;
                                 ((struct sockaddr_in *)&info->local_addr)->sin_len = sizeof(struct sockaddr_in);
                                 ((struct sockaddr_in *)&info->local_addr)->sin_port = inp->inp_lport;
                                 memcpy(&((struct sockaddr_in *)&info->local_addr)->sin_addr, &inp->inp_laddr, sizeof(struct in_addr));
-                       }
-
-                       if (override_remote_addr) {
-                               if (override_remote_addr->sa_len <= sizeof(struct sockaddr_in)) {
-                                       memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
-                               }
-                       } else {
-                               ((struct sockaddr_in *)&info->remote_addr)->sin_family = AF_INET;
-                               ((struct sockaddr_in *)&info->remote_addr)->sin_len = sizeof(struct sockaddr_in);
-                               ((struct sockaddr_in *)&info->remote_addr)->sin_port = inp->inp_fport;
-                               memcpy(&((struct sockaddr_in *)&info->remote_addr)->sin_addr, &inp->inp_faddr, sizeof(struct in_addr));
-                       }
-               } else if (inp->inp_vflag & INP_IPV6) {
-                       if (override_local_addr) {
-                               if (override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
-                                       memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
-                               }
-                       } else {
+                       } else if (inp->inp_vflag & INP_IPV6) {
                                 ((struct sockaddr_in6 *)&info->local_addr)->sin6_family = AF_INET6;
                                 ((struct sockaddr_in6 *)&info->local_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                 ((struct sockaddr_in6 *)&info->local_addr)->sin6_port = inp->inp_lport;
                                 memcpy(&((struct sockaddr_in6 *)&info->local_addr)->sin6_addr, &inp->in6p_laddr, sizeof(struct in6_addr));
                         }
                                 ((struct sockaddr_in6 *)&info->local_addr)->sin6_family = AF_INET6;
                                 ((struct sockaddr_in6 *)&info->local_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                 ((struct sockaddr_in6 *)&info->local_addr)->sin6_port = inp->inp_lport;
                                 memcpy(&((struct sockaddr_in6 *)&info->local_addr)->sin6_addr, &inp->in6p_laddr, sizeof(struct in6_addr));
                         }
+               }
  
  
-                       if (override_remote_addr) {
-                               if (override_remote_addr->sa_len <= sizeof(struct sockaddr_in6)) {
-                                       memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
+               if (override_remote_addr != NULL) {
+                       if (override_remote_addr->sa_family == AF_INET6 && override_remote_addr->sa_len <= sizeof(struct sockaddr_in6)) {
+                               memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
+                               if (IN6_IS_ADDR_V4MAPPED(&(info->remote_addr.sin6.sin6_addr))) {
+                                       struct sockaddr_in sin;
+                                       in6_sin6_2_sin(&sin, &(info->remote_addr.sin6));
+                                       memset(&info->remote_addr, 0, sizeof(union necp_sockaddr_union));
+                                       memcpy(&info->remote_addr, &sin, sin.sin_len);
                                 }
                                 }
-                       } else {
+                       } else if (override_remote_addr->sa_family == AF_INET && override_remote_addr->sa_len <= sizeof(struct sockaddr_in)) {
+                               memcpy(&info->remote_addr, override_remote_addr, override_remote_addr->sa_len);
+                       }
+               } else {
+                       if (inp->inp_vflag & INP_IPV4) {
+                               ((struct sockaddr_in *)&info->remote_addr)->sin_family = AF_INET;
+                               ((struct sockaddr_in *)&info->remote_addr)->sin_len = sizeof(struct sockaddr_in);
+                               ((struct sockaddr_in *)&info->remote_addr)->sin_port = inp->inp_fport;
+                               memcpy(&((struct sockaddr_in *)&info->remote_addr)->sin_addr, &inp->inp_faddr, sizeof(struct in_addr));
+                       } else if (inp->inp_vflag & INP_IPV6) {
                                 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_family = AF_INET6;
                                 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_port = inp->inp_fport;
                                 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_family = AF_INET6;
                                 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_len = sizeof(struct sockaddr_in6);
                                 ((struct sockaddr_in6 *)&info->remote_addr)->sin6_port = inp->inp_fport;
@@ -6015,41 +7286,76 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
  }
  
  static inline struct necp_kernel_socket_policy *
  }
  
  static inline struct necp_kernel_socket_policy *
-necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, size_t netagent_array_count, proc_t proc)
+necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info,
+    necp_kernel_policy_filter *return_filter,
+    u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count,
+    necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service,
+    u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count,
+    struct necp_client_parameter_netagent_type *required_agent_types,
+    u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt,
+    necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
  {
         struct necp_kernel_socket_policy *matched_policy = NULL;
         u_int32_t skip_order = 0;
         u_int32_t skip_session_order = 0;
  {
         struct necp_kernel_socket_policy *matched_policy = NULL;
         u_int32_t skip_order = 0;
         u_int32_t skip_session_order = 0;
-       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
         size_t route_rule_id_count = 0;
         int i;
         size_t netagent_cursor = 0;
         size_t route_rule_id_count = 0;
         int i;
         size_t netagent_cursor = 0;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       if (return_drop_all_bypass != NULL) {
+               *return_drop_all_bypass = drop_all_bypass;
+       }
  
         // Pre-process domain for quick matching
         struct substring domain_substring = necp_trim_dots_and_stars(info->domain, info->domain ? strlen(info->domain) : 0);
         u_int8_t domain_dot_count = necp_count_dots(domain_substring.string, domain_substring.length);
  
  
         // Pre-process domain for quick matching
         struct substring domain_substring = necp_trim_dots_and_stars(info->domain, info->domain ? strlen(info->domain) : 0);
         u_int8_t domain_dot_count = necp_count_dots(domain_substring.string, domain_substring.length);
  
-       if (return_filter) {
+       if (return_filter != NULL) {
                 *return_filter = 0;
         }
  
                 *return_filter = 0;
         }
  
-       if (return_route_rule_id) {
-               *return_route_rule_id = 0;
+       if (return_route_rule_id_array_count != NULL) {
+               *return_route_rule_id_array_count = 0;
         }
  
         }
  
-       if (return_service_action) {
+       if (return_service_action != NULL) {
                 *return_service_action = 0;
         }
  
                 *return_service_action = 0;
         }
  
-       if (return_service) {
+       if (return_service != NULL) {
                 return_service->identifier = 0;
                 return_service->data = 0;
         }
  
                 return_service->identifier = 0;
                 return_service->data = 0;
         }
  
+       // Do not subject layer-2 filter to NECP policies, return a PASS policy
+       if (necp_pass_interpose > 0 && info->client_flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) {
+               return &pass_policy;
+       }
+
+       *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+
         if (policy_search_array != NULL) {
                 for (i = 0; policy_search_array[i] != NULL; i++) {
                         if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                 // We've hit a drop all rule
         if (policy_search_array != NULL) {
                 for (i = 0; policy_search_array[i] != NULL; i++) {
                         if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                 // We've hit a drop all rule
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                                       drop_all_bypass = necp_check_drop_all_bypass_result(proc);
+                                       if (return_drop_all_bypass != NULL) {
+                                               *return_drop_all_bypass = drop_all_bypass;
+                                       }
+                               }
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                                       break;
+                               }
+                       }
+                       if (necp_drop_dest_policy.entry_count != 0 &&
+                           necp_address_matches_drop_dest_policy(&info->remote_addr, policy_search_array[i]->session_order)) {
+                               // We've hit a drop by destination address rule
+                               *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_DROP;
+                               break;
+                       }
+                       if (info->drop_order != 0 && policy_search_array[i]->session_order >= info->drop_order) {
+                               // We've hit a drop order for this socket
                                 break;
                         }
                         if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
                                 break;
                         }
                         if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
@@ -6070,18 +7376,24 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                 // Skip this policy
                                 continue;
                         }
                                 // Skip this policy
                                 continue;
                         }
-                       if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, proc)) {
+
+                       if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, required_agent_types, num_required_agent_types, info->has_client, info->client_flags, info->is_platform_binary, proc, rt)) {
                                 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
                                 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
-                                       if (return_filter && *return_filter == 0) {
-                                               *return_filter = policy_search_array[i]->result_parameter.filter_control_unit;
+                                       if (return_filter && *return_filter != NECP_FILTER_UNIT_NO_FILTER) {
+                                               necp_kernel_policy_filter control_unit = policy_search_array[i]->result_parameter.filter_control_unit;
+                                               if (control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+                                                       *return_filter = control_unit;
+                                               } else {
+                                                       *return_filter |= control_unit;
+                                               }
                                                 if (necp_debug > 1) {
                                                         NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Filter %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.filter_control_unit);
                                                 }
                                         }
                                         continue;
                                 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
                                                 if (necp_debug > 1) {
                                                         NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Filter %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.filter_control_unit);
                                                 }
                                         }
                                         continue;
                                 } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
-                                       if (return_route_rule_id && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
-                                               route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
+                                       if (return_route_rule_id_array && route_rule_id_count < route_rule_id_array_count) {
+                                               return_route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
                                                 if (necp_debug > 1) {
                                                         NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Route Rule %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.route_rule_id);
                                                 }
                                                 if (necp_debug > 1) {
                                                         NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Route Rule %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.route_rule_id);
                                                 }
@@ -6102,13 +7414,21 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                                 }
                                         }
                                         continue;
                                                 }
                                         }
                                         continue;
-                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT) {
+                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ||
+                                   policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
                                         if (return_netagent_array != NULL &&
                                         if (return_netagent_array != NULL &&
-                                               netagent_cursor < netagent_array_count) {
+                                           netagent_cursor < netagent_array_count) {
                                                 return_netagent_array[netagent_cursor] = policy_search_array[i]->result_parameter.netagent_id;
                                                 return_netagent_array[netagent_cursor] = policy_search_array[i]->result_parameter.netagent_id;
+                                               if (return_netagent_use_flags_array != NULL &&
+                                                   policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_NETAGENT_SCOPED) {
+                                                       return_netagent_use_flags_array[netagent_cursor] |= NECP_AGENT_USE_FLAG_SCOPE;
+                                               }
                                                 netagent_cursor++;
                                                 if (necp_debug > 1) {
                                                 netagent_cursor++;
                                                 if (necp_debug > 1) {
-                                                       NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) Use Netagent %d", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, policy_search_array[i]->result_parameter.netagent_id);
+                                                       NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) %s Netagent %d",
+                                                           info->application_id, info->real_application_id, info->bound_interface_index, info->protocol,
+                                                           policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_USE_NETAGENT ? "Use" : "Scope",
+                                                           policy_search_array[i]->result_parameter.netagent_id);
                                                 }
                                         }
                                         continue;
                                                 }
                                         }
                                         continue;
@@ -6118,6 +7438,15 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                                         skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                         skip_session_order = policy_search_array[i]->session_order + 1;
                                 if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                                         skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                         skip_session_order = policy_search_array[i]->session_order + 1;
+                                       if (skip_policy_id) {
+                                               *skip_policy_id = policy_search_array[i]->id;
+                                       }
+                                       continue;
+                               }
+
+                               // Matched an allow unentitled, which clears any drop order
+                               if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ALLOW_UNENTITLED) {
+                                       info->drop_order = 0;
                                         continue;
                                 }
  
                                         continue;
                                 }
  
@@ -6128,12 +7457,10 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                 }
         }
  
                 }
         }
  
-       if (route_rule_id_count == 1) {
-               *return_route_rule_id = route_rule_id_array[0];
-       } else if (route_rule_id_count > 1) {
-               *return_route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       if (return_route_rule_id_array_count != NULL) {
+               *return_route_rule_id_array_count = route_rule_id_count;
         }
         }
-       return (matched_policy);
+       return matched_policy;
  }
  
  static bool
  }
  
  static bool
@@ -6148,7 +7475,7 @@ necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
         ifnet_t interface = ifindex2ifnet[interface_index];
  
         if (inp == NULL || interface == NULL) {
         ifnet_t interface = ifindex2ifnet[interface_index];
  
         if (inp == NULL || interface == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         if (inp->inp_vflag & INP_IPV4) {
         }
  
         if (inp->inp_vflag & INP_IPV4) {
@@ -6160,7 +7487,7 @@ necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
         result = ifnet_get_address_list_family(interface, &addresses, family);
         if (result != 0) {
                 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
         result = ifnet_get_address_list_family(interface, &addresses, family);
         if (result != 0) {
                 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
-               return (FALSE);
+               return FALSE;
         }
  
         for (i = 0; addresses[i] != NULL; i++) {
         }
  
         for (i = 0; addresses[i] != NULL; i++) {
@@ -6182,26 +7509,25 @@ necp_socket_uses_interface(struct inpcb *inp, u_int32_t interface_index)
  done:
         ifnet_free_address_list(addresses);
         addresses = NULL;
  done:
         ifnet_free_address_list(addresses);
         addresses = NULL;
-       return (found_match);
+       return found_match;
  }
  
  static inline bool
  necp_socket_is_connected(struct inpcb *inp)
  {
  }
  
  static inline bool
  necp_socket_is_connected(struct inpcb *inp)
  {
-       return (inp->inp_socket->so_state & (SS_ISCONNECTING | SS_ISCONNECTED | SS_ISDISCONNECTING));
+       return inp->inp_socket->so_state & (SS_ISCONNECTING | SS_ISCONNECTED | SS_ISDISCONNECTING);
  }
  
  static inline bool
  necp_socket_bypass(struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, struct inpcb *inp)
  {
  }
  
  static inline bool
  necp_socket_bypass(struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, struct inpcb *inp)
  {
-
-       if (necp_pass_loopback > 0 && necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL)) {
-               return (true);
+       if (necp_pass_loopback > 0 && necp_is_loopback(override_local_addr, override_remote_addr, inp, NULL, IFSCOPE_NONE)) {
+               return true;
         } else if (necp_is_intcoproc(inp, NULL)) {
         } else if (necp_is_intcoproc(inp, NULL)) {
-               return (true);
+               return true;
         }
  
         }
  
-       return (false);
+       return false;
  }
  
  necp_kernel_policy_id
  }
  
  necp_kernel_policy_id
@@ -6209,11 +7535,12 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
  {
         struct socket *so = NULL;
         necp_kernel_policy_filter filter_control_unit = 0;
  {
         struct socket *so = NULL;
         necp_kernel_policy_filter filter_control_unit = 0;
-       u_int32_t route_rule_id = 0;
         struct necp_kernel_socket_policy *matched_policy = NULL;
         necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         necp_kernel_policy_result service_action = 0;
         necp_kernel_policy_service service = { 0, 0 };
         struct necp_kernel_socket_policy *matched_policy = NULL;
         necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         necp_kernel_policy_result service_action = 0;
         necp_kernel_policy_service service = { 0, 0 };
+       u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
  
         u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
         memset(&netagent_ids, 0, sizeof(netagent_ids));
  
         u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
         memset(&netagent_ids, 0, sizeof(netagent_ids));
@@ -6222,26 +7549,29 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
         struct necp_socket_info info;
  
         if (inp == NULL) {
         struct necp_socket_info info;
  
         if (inp == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
         }
  
         // Ignore invalid addresses
         if (override_local_addr != NULL &&
         }
  
         // Ignore invalid addresses
         if (override_local_addr != NULL &&
-               !necp_address_is_valid(override_local_addr)) {
+           !necp_address_is_valid(override_local_addr)) {
                 override_local_addr = NULL;
         }
         if (override_remote_addr != NULL &&
                 override_local_addr = NULL;
         }
         if (override_remote_addr != NULL &&
-               !necp_address_is_valid(override_remote_addr)) {
+           !necp_address_is_valid(override_remote_addr)) {
                 override_remote_addr = NULL;
         }
  
         so = inp->inp_socket;
  
                 override_remote_addr = NULL;
         }
  
         so = inp->inp_socket;
  
+       u_int32_t drop_order = necp_process_drop_order(so->so_cred);
+
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_socket_policies_count == 0 ||
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_socket_policies_count == 0 ||
-               (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
-               if (necp_drop_all_order > 0) {
+           (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
+               if (necp_drop_all_order > 0 || drop_order > 0) {
                         inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         inp->inp_policyresult.policy_gencount = 0;
                         inp->inp_policyresult.app_id = 0;
                         inp->inp_policyresult.flowhash = 0;
                         inp->inp_policyresult.policy_gencount = 0;
                         inp->inp_policyresult.app_id = 0;
                         inp->inp_policyresult.flowhash = 0;
@@ -6253,49 +7583,54 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                                 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                         }
                 }
                                 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                         }
                 }
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
         }
  
         // Check for loopback exception
         if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
                 // Mark socket as a pass
                 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
         }
  
         // Check for loopback exception
         if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
                 // Mark socket as a pass
                 inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                 inp->inp_policyresult.policy_gencount = 0;
                 inp->inp_policyresult.app_id = 0;
                 inp->inp_policyresult.flowhash = 0;
                 inp->inp_policyresult.results.filter_control_unit = 0;
                 inp->inp_policyresult.results.route_rule_id = 0;
                 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                 inp->inp_policyresult.policy_gencount = 0;
                 inp->inp_policyresult.app_id = 0;
                 inp->inp_policyresult.flowhash = 0;
                 inp->inp_policyresult.results.filter_control_unit = 0;
                 inp->inp_policyresult.results.route_rule_id = 0;
                 inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
         }
  
         // Lock
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
         }
  
         // Lock
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
-       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, &info);
+       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, drop_order, &info);
         inp->inp_policyresult.app_id = info.application_id;
  
         // Check info
         u_int32_t flowhash = necp_socket_calc_flowhash_locked(&info);
         if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
         inp->inp_policyresult.app_id = info.application_id;
  
         // Check info
         u_int32_t flowhash = necp_socket_calc_flowhash_locked(&info);
         if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
-               inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
-               inp->inp_policyresult.flowhash == flowhash) {
+           inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
+           inp->inp_policyresult.flowhash == flowhash) {
                 // If already matched this socket on this generation of table, skip
  
                 // Unlock
                 lck_rw_done(&necp_kernel_policy_lock);
  
                 // If already matched this socket on this generation of table, skip
  
                 // Unlock
                 lck_rw_done(&necp_kernel_policy_lock);
  
-               return (inp->inp_policyresult.policy_id);
+               return inp->inp_policyresult.policy_id;
         }
  
         // Match socket to policy
         }
  
         // Match socket to policy
-       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, &route_rule_id, &service_action, &service, netagent_ids, NECP_MAX_NETAGENTS, current_proc());
+       necp_kernel_policy_id skip_policy_id;
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_array_count = 0;
+       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, current_proc(), &skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass);
+
         // If the socket matched a scoped service policy, mark as Drop if not registered.
         // This covers the cases in which a service is required (on demand) but hasn't started yet.
         if ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
         // If the socket matched a scoped service policy, mark as Drop if not registered.
         // This covers the cases in which a service is required (on demand) but hasn't started yet.
         if ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
-                service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
-               service.identifier != 0 &&
-               service.identifier != NECP_NULL_SERVICE_ID) {
+           service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
+           service.identifier != 0 &&
+           service.identifier != NECP_NULL_SERVICE_ID) {
                 bool service_is_registered = FALSE;
                 struct necp_service_registration *service_registration = NULL;
                 LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
                 bool service_is_registered = FALSE;
                 struct necp_service_registration *service_registration = NULL;
                 LIST_FOREACH(service_registration, &necp_registered_service_list, kernel_chain) {
@@ -6307,6 +7642,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                 if (!service_is_registered) {
                         // Mark socket as a drop if service is not registered
                         inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                 if (!service_is_registered) {
                         // Mark socket as a drop if service is not registered
                         inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                         inp->inp_policyresult.flowhash = flowhash;
                         inp->inp_policyresult.results.filter_control_unit = 0;
                         inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                         inp->inp_policyresult.flowhash = flowhash;
                         inp->inp_policyresult.results.filter_control_unit = 0;
@@ -6319,7 +7655,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
  
                         // Unlock
                         lck_rw_done(&necp_kernel_policy_lock);
  
                         // Unlock
                         lck_rw_done(&necp_kernel_policy_lock);
-                       return (NECP_KERNEL_POLICY_ID_NONE);
+                       return NECP_KERNEL_POLICY_ID_NONE;
                 }
         }
         // Verify netagents
                 }
         }
         // Verify netagents
@@ -6347,6 +7683,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
  
                                         // Mark socket as a drop if required agent is not active
                                         inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
  
                                         // Mark socket as a drop if required agent is not active
                                         inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                                         inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                                         inp->inp_policyresult.flowhash = flowhash;
                                         inp->inp_policyresult.results.filter_control_unit = 0;
                                         inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                                         inp->inp_policyresult.flowhash = flowhash;
                                         inp->inp_policyresult.results.filter_control_unit = 0;
@@ -6359,14 +7696,24 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
  
                                         // Unlock
                                         lck_rw_done(&necp_kernel_policy_lock);
  
                                         // Unlock
                                         lck_rw_done(&necp_kernel_policy_lock);
-                                       return (NECP_KERNEL_POLICY_ID_NONE);
+                                       return NECP_KERNEL_POLICY_ID_NONE;
                                 }
                         }
                 }
         }
                                 }
                         }
                 }
         }
+
+       u_int32_t route_rule_id = 0;
+       if (route_rule_id_array_count == 1) {
+               route_rule_id = route_rule_id_array[0];
+       } else if (route_rule_id_array_count > 1) {
+               route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       }
+
+       bool reset_tcp_mss = false;
         if (matched_policy) {
                 matched_policy_id = matched_policy->id;
                 inp->inp_policyresult.policy_id = matched_policy->id;
         if (matched_policy) {
                 matched_policy_id = matched_policy->id;
                 inp->inp_policyresult.policy_id = matched_policy->id;
+               inp->inp_policyresult.skip_policy_id = skip_policy_id;
                 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                 inp->inp_policyresult.flowhash = flowhash;
                 inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
                 inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                 inp->inp_policyresult.flowhash = flowhash;
                 inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
@@ -6375,48 +7722,64 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                 memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
  
                 if (necp_socket_is_connected(inp) &&
                 memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
  
                 if (necp_socket_is_connected(inp) &&
-                       (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                       (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && !necp_socket_uses_interface(inp, matched_policy->result_parameter.tunnel_interface_index)))) {
+                   (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
+                   (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && !necp_socket_uses_interface(inp, matched_policy->result_parameter.tunnel_interface_index)))) {
                         if (necp_debug) {
                                 NECPLOG(LOG_DEBUG, "Marking socket in state %d as defunct", so->so_state);
                         }
                         sosetdefunct(current_proc(), so, SHUTDOWN_SOCKET_LEVEL_NECP | SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL, TRUE);
                 } else if (necp_socket_is_connected(inp) &&
                         if (necp_debug) {
                                 NECPLOG(LOG_DEBUG, "Marking socket in state %d as defunct", so->so_state);
                         }
                         sosetdefunct(current_proc(), so, SHUTDOWN_SOCKET_LEVEL_NECP | SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL, TRUE);
                 } else if (necp_socket_is_connected(inp) &&
-                                  matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
-                                  info.protocol == IPPROTO_TCP) {
+                   matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
+                   info.protocol == IPPROTO_TCP) {
                         // Reset MSS on TCP socket if tunnel policy changes
                         // Reset MSS on TCP socket if tunnel policy changes
-                       tcp_mtudisc(inp, 0);
+                       reset_tcp_mss = true;
                 }
  
                 if (necp_debug > 1) {
                         NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
                 }
                 }
  
                 if (necp_debug > 1) {
                         NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
                 }
-       } else if (necp_drop_all_order > 0) {
-               // Mark socket as a drop if set
-               inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
-               inp->inp_policyresult.flowhash = flowhash;
-               inp->inp_policyresult.results.filter_control_unit = 0;
-               inp->inp_policyresult.results.route_rule_id = 0;
-               inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
         } else {
         } else {
-               // Mark non-matching socket so we don't re-check it
-               inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
-               inp->inp_policyresult.flowhash = flowhash;
-               inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
-               inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
-               inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
+               bool drop_all = false;
+               if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
+                       // Mark socket as a drop if set
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
+                       inp->inp_policyresult.flowhash = flowhash;
+                       inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.route_rule_id = 0;
+                       inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
+               } else {
+                       // Mark non-matching socket so we don't re-check it
+                       inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
+                       inp->inp_policyresult.flowhash = flowhash;
+                       inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
+                       inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
+                       inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
+               }
         }
  
         // Unlock
         lck_rw_done(&necp_kernel_policy_lock);
  
         }
  
         // Unlock
         lck_rw_done(&necp_kernel_policy_lock);
  
-       return (matched_policy_id);
+       if (reset_tcp_mss) {
+               // Update MSS when not holding the policy lock to avoid recursive locking
+               tcp_mtudisc(inp, 0);
+       }
+
+       return matched_policy_id;
  }
  
  static bool
  }
  
  static bool
-necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote)
+necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct rtentry *rt)
  {
         if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
  {
         if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
@@ -6424,36 +7787,38 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                 if (bound_interface_index == cond_bound_interface_index) {
                                         // No match, matches forbidden interface
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
                                 if (bound_interface_index == cond_bound_interface_index) {
                                         // No match, matches forbidden interface
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (bound_interface_index != cond_bound_interface_index) {
                                         // No match, does not match required interface
                                 }
                         } else {
                                 if (bound_interface_index != cond_bound_interface_index) {
                                         // No match, does not match required interface
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 } else {
                         if (bound_interface_index != 0) {
                                 // No match, requires a non-bound packet
                                 }
                         }
                 } else {
                         if (bound_interface_index != 0) {
                                 // No match, requires a non-bound packet
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
  
         if (kernel_policy->condition_mask == 0) {
                         }
                 }
         }
  
         if (kernel_policy->condition_mask == 0) {
-               return (TRUE);
+               return TRUE;
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) {
-               if (socket_policy_id != kernel_policy->cond_policy_id) {
+               necp_kernel_policy_id matched_policy_id =
+                   kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id;
+               if (matched_policy_id != kernel_policy->cond_policy_id) {
                         // No match, does not match required id
                         // No match, does not match required id
-                       return (FALSE);
+                       return FALSE;
                 }
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
                 if (last_interface_index != kernel_policy->cond_last_interface_index) {
                 }
         }
  
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) {
                 if (last_interface_index != kernel_policy->cond_last_interface_index) {
-                       return (FALSE);
+                       return FALSE;
                 }
         }
  
                 }
         }
  
@@ -6461,37 +7826,52 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                         if (protocol == kernel_policy->cond_protocol) {
                                 // No match, matches forbidden protocol
                 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) {
                         if (protocol == kernel_policy->cond_protocol) {
                                 // No match, matches forbidden protocol
-                               return (FALSE);
+                               return FALSE;
                         }
                 } else {
                         if (protocol != kernel_policy->cond_protocol) {
                                 // No match, does not match required protocol
                         }
                 } else {
                         if (protocol != kernel_policy->cond_protocol) {
                                 // No match, does not match required protocol
-                               return (FALSE);
+                               return FALSE;
                         }
                 }
         }
  
                         }
                 }
         }
  
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
+               bool is_local = FALSE;
+
+               if (rt != NULL) {
+                       is_local = IS_NECP_DEST_IN_LOCAL_NETWORKS(rt);
+               } else {
+                       is_local = necp_is_route_local(remote);
+               }
+
+               if (!is_local) {
+                       // Either no route to validate or no match for local networks
+                       return FALSE;
+               }
+       }
+
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                 if (inRange) {
         if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&kernel_policy->cond_local_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                 if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inRange) {
                                 }
                         } else {
                                 if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (inSubnet) {
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_policy->cond_local_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) {
                                 if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inSubnet) {
                                 }
                         } else {
                                 if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 }
                                 }
                         }
                 }
@@ -6502,42 +7882,68 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                 if (inRange) {
                         bool inRange = necp_is_addr_in_range((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&kernel_policy->cond_remote_end);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) {
                                 if (inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inRange) {
                                 }
                         } else {
                                 if (!inRange) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (inSubnet) {
                                 }
                         }
                 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                         bool inSubnet = necp_is_addr_in_subnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_policy->cond_remote_prefix);
                         if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                                 if (inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         } else {
                                 if (!inSubnet) {
                                 }
                         } else {
                                 if (!inSubnet) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 }
         }
  
                                 }
                         }
                 }
         }
  
-       return (TRUE);
+       return TRUE;
  }
  
  static inline struct necp_kernel_ip_output_policy *
  }
  
  static inline struct necp_kernel_ip_output_policy *
-necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr)
+necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, struct rtentry *rt, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
  {
         u_int32_t skip_order = 0;
         u_int32_t skip_session_order = 0;
  {
         u_int32_t skip_order = 0;
         u_int32_t skip_session_order = 0;
-       int i;
         struct necp_kernel_ip_output_policy *matched_policy = NULL;
         struct necp_kernel_ip_output_policy **policy_search_array = necp_kernel_ip_output_policies_map[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(socket_policy_id)];
         struct necp_kernel_ip_output_policy *matched_policy = NULL;
         struct necp_kernel_ip_output_policy **policy_search_array = necp_kernel_ip_output_policies_map[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(socket_policy_id)];
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_count = 0;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       if (return_drop_all_bypass != NULL) {
+               *return_drop_all_bypass = drop_all_bypass;
+       }
+
+       if (return_route_rule_id != NULL) {
+               *return_route_rule_id = 0;
+       }
+
+       *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+
         if (policy_search_array != NULL) {
         if (policy_search_array != NULL) {
-               for (i = 0; policy_search_array[i] != NULL; i++) {
+               for (int i = 0; policy_search_array[i] != NULL; i++) {
                         if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                 // We've hit a drop all rule
                         if (necp_drop_all_order != 0 && policy_search_array[i]->session_order >= necp_drop_all_order) {
                                 // We've hit a drop all rule
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                                       drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                                       if (return_drop_all_bypass != NULL) {
+                                               *return_drop_all_bypass = drop_all_bypass;
+                                       }
+                               }
+                               if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                                       break;
+                               }
+                       }
+                       if (necp_drop_dest_policy.entry_count > 0 &&
+                           necp_address_matches_drop_dest_policy(remote_addr, policy_search_array[i]->session_order)) {
+                               // We've hit a drop by destination address rule
+                               *return_drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_DROP;
                                 break;
                         }
                         if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
                                 break;
                         }
                         if (skip_session_order && policy_search_array[i]->session_order >= skip_session_order) {
@@ -6558,45 +7964,58 @@ necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id,
                                 // Skip this policy
                                 continue;
                         }
                                 // Skip this policy
                                 continue;
                         }
-                       if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr)) {
-                               // Passed all tests, found a match
-                               matched_policy = policy_search_array[i];
  
  
-                               if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
+                       if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr, rt)) {
+                               if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
+                                       if (return_route_rule_id != NULL && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
+                                               route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
+                                       }
+                                       continue;
+                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                                         skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                         skip_session_order = policy_search_array[i]->session_order + 1;
                                         continue;
                                 }
  
                                         skip_order = policy_search_array[i]->result_parameter.skip_policy_order;
                                         skip_session_order = policy_search_array[i]->session_order + 1;
                                         continue;
                                 }
  
+                               // Passed all tests, found a match
+                               matched_policy = policy_search_array[i];
                                 break;
                         }
                 }
         }
  
                                 break;
                         }
                 }
         }
  
-       return (matched_policy);
+       if (route_rule_id_count == 1) {
+               *return_route_rule_id = route_rule_id_array[0];
+       } else if (route_rule_id_count > 1) {
+               *return_route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       }
+
+       return matched_policy;
  }
  
  static inline bool
  necp_output_bypass(struct mbuf *packet)
  {
  }
  
  static inline bool
  necp_output_bypass(struct mbuf *packet)
  {
-       if (necp_pass_loopback > 0 && necp_is_loopback(NULL, NULL, NULL, packet)) {
-               return (true);
+       if (necp_pass_loopback > 0 && necp_is_loopback(NULL, NULL, NULL, packet, IFSCOPE_NONE)) {
+               return true;
         }
         if (necp_pass_keepalives > 0 && necp_get_is_keepalive_from_packet(packet)) {
         }
         if (necp_pass_keepalives > 0 && necp_get_is_keepalive_from_packet(packet)) {
-               return (true);
+               return true;
         }
         if (necp_is_intcoproc(NULL, packet)) {
         }
         if (necp_is_intcoproc(NULL, packet)) {
-               return (true);
+               return true;
         }
         }
-       return (false);
+       return false;
  }
  
  necp_kernel_policy_id
  }
  
  necp_kernel_policy_id
-necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_args *ipoa, necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
+necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_args *ipoa, struct rtentry *rt,
+    necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
  {
         struct ip *ip = NULL;
         int hlen = sizeof(struct ip);
         necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
  {
         struct ip *ip = NULL;
         int hlen = sizeof(struct ip);
         necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         struct necp_kernel_ip_output_policy *matched_policy = NULL;
         u_int16_t protocol = 0;
         necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         struct necp_kernel_ip_output_policy *matched_policy = NULL;
         u_int16_t protocol = 0;
@@ -6604,6 +8023,8 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
         u_int32_t last_interface_index = 0;
         union necp_sockaddr_union local_addr;
         union necp_sockaddr_union remote_addr;
         u_int32_t last_interface_index = 0;
         union necp_sockaddr_union local_addr;
         union necp_sockaddr_union remote_addr;
+       u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
  
         if (result) {
                 *result = 0;
  
         if (result) {
                 *result = 0;
@@ -6614,15 +8035,16 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
         }
  
         if (packet == NULL) {
         }
  
         if (packet == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
         }
  
         socket_policy_id = necp_get_policy_id_from_packet(packet);
         }
  
         socket_policy_id = necp_get_policy_id_from_packet(packet);
+       socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
  
         // Exit early for an empty list
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_ip_output_policies_count == 0 ||
  
         // Exit early for an empty list
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_ip_output_policies_count == 0 ||
-               ((socket_policy_id == NECP_KERNEL_POLICY_ID_NONE) && necp_kernel_ip_output_policies_non_id_count == 0)) {
+           (socket_policy_id == NECP_KERNEL_POLICY_ID_NONE && necp_kernel_ip_output_policies_non_id_count == 0 && necp_drop_dest_policy.entry_count == 0)) {
                 if (necp_drop_all_order > 0) {
                         matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         if (result) {
                 if (necp_drop_all_order > 0) {
                         matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         if (result) {
@@ -6634,7 +8056,7 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
                         }
                 }
  
                         }
                 }
  
-               return (matched_policy_id);
+               return matched_policy_id;
         }
  
         // Check for loopback exception
         }
  
         // Check for loopback exception
@@ -6643,7 +8065,7 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
                 if (result) {
                         *result = NECP_KERNEL_POLICY_RESULT_PASS;
                 }
                 if (result) {
                         *result = NECP_KERNEL_POLICY_RESULT_PASS;
                 }
-               return (matched_policy_id);
+               return matched_policy_id;
         }
  
         last_interface_index = necp_get_last_interface_index_from_packet(packet);
         }
  
         last_interface_index = necp_get_last_interface_index_from_packet(packet);
@@ -6659,8 +8081,8 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
         protocol = ip->ip_p;
  
         if ((flags & IP_OUTARGS) && (ipoa != NULL) &&
         protocol = ip->ip_p;
  
         if ((flags & IP_OUTARGS) && (ipoa != NULL) &&
-               (ipoa->ipoa_flags & IPOAF_BOUND_IF) &&
-               ipoa->ipoa_boundif != IFSCOPE_NONE) {
+           (ipoa->ipoa_flags & IPOAF_BOUND_IF) &&
+           ipoa->ipoa_boundif != IFSCOPE_NONE) {
                 bound_interface_index = ipoa->ipoa_boundif;
         }
  
                 bound_interface_index = ipoa->ipoa_boundif;
         }
  
@@ -6673,34 +8095,35 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
         memcpy(&((struct sockaddr_in *)&remote_addr)->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
  
         switch (protocol) {
         memcpy(&((struct sockaddr_in *)&remote_addr)->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
  
         switch (protocol) {
-               case IPPROTO_TCP: {
-                       struct tcphdr th;
-                       if ((int)(hlen + sizeof(th)) <= packet->m_pkthdr.len) {
-                               m_copydata(packet, hlen, sizeof(th), (u_int8_t *)&th);
-                               ((struct sockaddr_in *)&local_addr)->sin_port = th.th_sport;
-                               ((struct sockaddr_in *)&remote_addr)->sin_port = th.th_dport;
-                       }
-                       break;
-               }
-               case IPPROTO_UDP: {
-                       struct udphdr uh;
-                       if ((int)(hlen + sizeof(uh)) <= packet->m_pkthdr.len) {
-                               m_copydata(packet, hlen, sizeof(uh), (u_int8_t *)&uh);
-                               ((struct sockaddr_in *)&local_addr)->sin_port = uh.uh_sport;
-                               ((struct sockaddr_in *)&remote_addr)->sin_port = uh.uh_dport;
-                       }
-                       break;
-               }
-               default: {
-                       ((struct sockaddr_in *)&local_addr)->sin_port = 0;
-                       ((struct sockaddr_in *)&remote_addr)->sin_port = 0;
-                       break;
+       case IPPROTO_TCP: {
+               struct tcphdr th;
+               if ((int)(hlen + sizeof(th)) <= packet->m_pkthdr.len) {
+                       m_copydata(packet, hlen, sizeof(th), (u_int8_t *)&th);
+                       ((struct sockaddr_in *)&local_addr)->sin_port = th.th_sport;
+                       ((struct sockaddr_in *)&remote_addr)->sin_port = th.th_dport;
                 }
                 }
+               break;
+       }
+       case IPPROTO_UDP: {
+               struct udphdr uh;
+               if ((int)(hlen + sizeof(uh)) <= packet->m_pkthdr.len) {
+                       m_copydata(packet, hlen, sizeof(uh), (u_int8_t *)&uh);
+                       ((struct sockaddr_in *)&local_addr)->sin_port = uh.uh_sport;
+                       ((struct sockaddr_in *)&remote_addr)->sin_port = uh.uh_dport;
+               }
+               break;
+       }
+       default: {
+               ((struct sockaddr_in *)&local_addr)->sin_port = 0;
+               ((struct sockaddr_in *)&remote_addr)->sin_port = 0;
+               break;
+       }
         }
  
         // Match packet to policy
         lck_rw_lock_shared(&necp_kernel_policy_lock);
         }
  
         // Match packet to policy
         lck_rw_lock_shared(&necp_kernel_policy_lock);
-       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr);
+       u_int32_t route_rule_id = 0;
+       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
         if (matched_policy) {
                 matched_policy_id = matched_policy->id;
                 if (result) {
         if (matched_policy) {
                 matched_policy_id = matched_policy->id;
                 if (result) {
@@ -6711,28 +8134,53 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
                         memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                 }
  
                         memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                 }
  
+               if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
+               }
+
                 if (necp_debug > 1) {
                 if (necp_debug > 1) {
-                       NECPLOG(LOG_DEBUG, "IP Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
+                       NECPLOG(LOG_DEBUG, "IP Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d Route Rule %u", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index, route_rule_id);
                 }
                 }
-       } else if (necp_drop_all_order > 0) {
-               matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               if (result) {
-                       *result = NECP_KERNEL_POLICY_RESULT_DROP;
+       } else {
+               bool drop_all = false;
+               /*
+                * Apply drop-all only to packets which have never matched a primary policy (check
+                * if the packet saved policy id is none or falls within the socket policy id range).
+                */
+               if (socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP &&
+                   (necp_drop_all_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP)) {
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       if (result) {
+                               *result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       }
+               } else if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       // If we matched a route rule, mark it
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
                 }
         }
  
         lck_rw_done(&necp_kernel_policy_lock);
  
                 }
         }
  
         lck_rw_done(&necp_kernel_policy_lock);
  
-       return (matched_policy_id);
+       return matched_policy_id;
  }
  
  necp_kernel_policy_id
  }
  
  necp_kernel_policy_id
-necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out_args *ip6oa, necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
+necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out_args *ip6oa, struct rtentry *rt,
+    necp_kernel_policy_result *result, necp_kernel_policy_result_parameter *result_parameter)
  {
         struct ip6_hdr *ip6 = NULL;
         int next = -1;
         int offset = 0;
         necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
  {
         struct ip6_hdr *ip6 = NULL;
         int next = -1;
         int offset = 0;
         necp_kernel_policy_id socket_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       necp_kernel_policy_id socket_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         struct necp_kernel_ip_output_policy *matched_policy = NULL;
         u_int16_t protocol = 0;
         necp_kernel_policy_id matched_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         struct necp_kernel_ip_output_policy *matched_policy = NULL;
         u_int16_t protocol = 0;
@@ -6740,6 +8188,8 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
         u_int32_t last_interface_index = 0;
         union necp_sockaddr_union local_addr;
         union necp_sockaddr_union remote_addr;
         u_int32_t last_interface_index = 0;
         union necp_sockaddr_union local_addr;
         union necp_sockaddr_union remote_addr;
+       u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
  
         if (result) {
                 *result = 0;
  
         if (result) {
                 *result = 0;
@@ -6750,15 +8200,16 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
         }
  
         if (packet == NULL) {
         }
  
         if (packet == NULL) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
         }
  
         socket_policy_id = necp_get_policy_id_from_packet(packet);
         }
  
         socket_policy_id = necp_get_policy_id_from_packet(packet);
+       socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
  
         // Exit early for an empty list
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_ip_output_policies_count == 0 ||
  
         // Exit early for an empty list
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_ip_output_policies_count == 0 ||
-               ((socket_policy_id == NECP_KERNEL_POLICY_ID_NONE) && necp_kernel_ip_output_policies_non_id_count == 0)) {
+           (socket_policy_id == NECP_KERNEL_POLICY_ID_NONE && necp_kernel_ip_output_policies_non_id_count == 0 && necp_drop_dest_policy.entry_count == 0)) {
                 if (necp_drop_all_order > 0) {
                         matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         if (result) {
                 if (necp_drop_all_order > 0) {
                         matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
                         if (result) {
@@ -6770,7 +8221,7 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
                         }
                 }
  
                         }
                 }
  
-               return (matched_policy_id);
+               return matched_policy_id;
         }
  
         // Check for loopback exception
         }
  
         // Check for loopback exception
@@ -6779,7 +8230,7 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
                 if (result) {
                         *result = NECP_KERNEL_POLICY_RESULT_PASS;
                 }
                 if (result) {
                         *result = NECP_KERNEL_POLICY_RESULT_PASS;
                 }
-               return (matched_policy_id);
+               return matched_policy_id;
         }
  
         last_interface_index = necp_get_last_interface_index_from_packet(packet);
         }
  
         last_interface_index = necp_get_last_interface_index_from_packet(packet);
@@ -6788,8 +8239,8 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
         ip6 = mtod(packet, struct ip6_hdr *);
  
         if ((flags & IPV6_OUTARGS) && (ip6oa != NULL) &&
         ip6 = mtod(packet, struct ip6_hdr *);
  
         if ((flags & IPV6_OUTARGS) && (ip6oa != NULL) &&
-               (ip6oa->ip6oa_flags & IP6OAF_BOUND_IF) &&
-               ip6oa->ip6oa_boundif != IFSCOPE_NONE) {
+           (ip6oa->ip6oa_flags & IP6OAF_BOUND_IF) &&
+           ip6oa->ip6oa_boundif != IFSCOPE_NONE) {
                 bound_interface_index = ip6oa->ip6oa_boundif;
         }
  
                 bound_interface_index = ip6oa->ip6oa_boundif;
         }
  
@@ -6805,35 +8256,36 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
         if (offset >= 0 && packet->m_pkthdr.len >= offset) {
                 protocol = next;
                 switch (protocol) {
         if (offset >= 0 && packet->m_pkthdr.len >= offset) {
                 protocol = next;
                 switch (protocol) {
-                       case IPPROTO_TCP: {
-                               struct tcphdr th;
-                               if ((int)(offset + sizeof(th)) <= packet->m_pkthdr.len) {
-                                       m_copydata(packet, offset, sizeof(th), (u_int8_t *)&th);
-                                       ((struct sockaddr_in6 *)&local_addr)->sin6_port = th.th_sport;
-                                       ((struct sockaddr_in6 *)&remote_addr)->sin6_port = th.th_dport;
-                               }
-                               break;
-                       }
-                       case IPPROTO_UDP: {
-                               struct udphdr uh;
-                               if ((int)(offset + sizeof(uh)) <= packet->m_pkthdr.len) {
-                                       m_copydata(packet, offset, sizeof(uh), (u_int8_t *)&uh);
-                                       ((struct sockaddr_in6 *)&local_addr)->sin6_port = uh.uh_sport;
-                                       ((struct sockaddr_in6 *)&remote_addr)->sin6_port = uh.uh_dport;
-                               }
-                               break;
+               case IPPROTO_TCP: {
+                       struct tcphdr th;
+                       if ((int)(offset + sizeof(th)) <= packet->m_pkthdr.len) {
+                               m_copydata(packet, offset, sizeof(th), (u_int8_t *)&th);
+                               ((struct sockaddr_in6 *)&local_addr)->sin6_port = th.th_sport;
+                               ((struct sockaddr_in6 *)&remote_addr)->sin6_port = th.th_dport;
                         }
                         }
-                       default: {
-                               ((struct sockaddr_in6 *)&local_addr)->sin6_port = 0;
-                               ((struct sockaddr_in6 *)&remote_addr)->sin6_port = 0;
-                               break;
+                       break;
+               }
+               case IPPROTO_UDP: {
+                       struct udphdr uh;
+                       if ((int)(offset + sizeof(uh)) <= packet->m_pkthdr.len) {
+                               m_copydata(packet, offset, sizeof(uh), (u_int8_t *)&uh);
+                               ((struct sockaddr_in6 *)&local_addr)->sin6_port = uh.uh_sport;
+                               ((struct sockaddr_in6 *)&remote_addr)->sin6_port = uh.uh_dport;
                         }
                         }
+                       break;
+               }
+               default: {
+                       ((struct sockaddr_in6 *)&local_addr)->sin6_port = 0;
+                       ((struct sockaddr_in6 *)&remote_addr)->sin6_port = 0;
+                       break;
+               }
                 }
         }
  
         // Match packet to policy
         lck_rw_lock_shared(&necp_kernel_policy_lock);
                 }
         }
  
         // Match packet to policy
         lck_rw_lock_shared(&necp_kernel_policy_lock);
-       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr);
+       u_int32_t route_rule_id = 0;
+       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
         if (matched_policy) {
                 matched_policy_id = matched_policy->id;
                 if (result) {
         if (matched_policy) {
                 matched_policy_id = matched_policy->id;
                 if (result) {
@@ -6844,19 +8296,42 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
                         memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                 }
  
                         memcpy(result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                 }
  
+               if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
+               }
+
                 if (necp_debug > 1) {
                 if (necp_debug > 1) {
-                       NECPLOG(LOG_DEBUG, "IP6 Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
+                       NECPLOG(LOG_DEBUG, "IP6 Output: (ID %d BoundInterface %d LastInterface %d Proto %d) Policy %d Result %d Parameter %d Route Rule %u", socket_policy_id, bound_interface_index, last_interface_index, protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index, route_rule_id);
                 }
                 }
-       } else if (necp_drop_all_order > 0) {
-               matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
-               if (result) {
-                       *result = NECP_KERNEL_POLICY_RESULT_DROP;
+       } else {
+               bool drop_all = false;
+               /*
+                * Apply drop-all only to packets which have never matched a primary policy (check
+                * if the packet saved policy id is none or falls within the socket policy id range).
+                */
+               if (socket_policy_id < NECP_KERNEL_POLICY_ID_FIRST_VALID_IP &&
+                   (necp_drop_all_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP)) {
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                       }
+               }
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       matched_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       if (result) {
+                               *result = NECP_KERNEL_POLICY_RESULT_DROP;
+                       }
+               } else if (route_rule_id != 0 &&
+                   packet->m_pkthdr.necp_mtag.necp_route_rule_id == 0) {
+                       // If we matched a route rule, mark it
+                       packet->m_pkthdr.necp_mtag.necp_route_rule_id = route_rule_id;
                 }
         }
  
         lck_rw_done(&necp_kernel_policy_lock);
  
                 }
         }
  
         lck_rw_done(&necp_kernel_policy_lock);
  
-       return (matched_policy_id);
+       return matched_policy_id;
  }
  
  // Utilities
  }
  
  // Utilities
@@ -6866,22 +8341,22 @@ necp_is_addr_in_range(struct sockaddr *addr, struct sockaddr *range_start, struc
         int cmp = 0;
  
         if (addr == NULL || range_start == NULL || range_end == NULL) {
         int cmp = 0;
  
         if (addr == NULL || range_start == NULL || range_end == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         /* Must be greater than or equal to start */
         cmp = necp_addr_compare(addr, range_start, 1);
         if (cmp != 0 && cmp != 1) {
         }
  
         /* Must be greater than or equal to start */
         cmp = necp_addr_compare(addr, range_start, 1);
         if (cmp != 0 && cmp != 1) {
-               return (FALSE);
+               return FALSE;
         }
  
         /* Must be less than or equal to end */
         cmp = necp_addr_compare(addr, range_end, 1);
         if (cmp != 0 && cmp != -1) {
         }
  
         /* Must be less than or equal to end */
         cmp = necp_addr_compare(addr, range_end, 1);
         if (cmp != 0 && cmp != -1) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
@@ -6890,61 +8365,61 @@ necp_is_range_in_range(struct sockaddr *inner_range_start, struct sockaddr *inne
         int cmp = 0;
  
         if (inner_range_start == NULL || inner_range_end == NULL || range_start == NULL || range_end == NULL) {
         int cmp = 0;
  
         if (inner_range_start == NULL || inner_range_end == NULL || range_start == NULL || range_end == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         /* Must be greater than or equal to start */
         cmp = necp_addr_compare(inner_range_start, range_start, 1);
         if (cmp != 0 && cmp != 1) {
         }
  
         /* Must be greater than or equal to start */
         cmp = necp_addr_compare(inner_range_start, range_start, 1);
         if (cmp != 0 && cmp != 1) {
-               return (FALSE);
+               return FALSE;
         }
  
         /* Must be less than or equal to end */
         cmp = necp_addr_compare(inner_range_end, range_end, 1);
         if (cmp != 0 && cmp != -1) {
         }
  
         /* Must be less than or equal to end */
         cmp = necp_addr_compare(inner_range_end, range_end, 1);
         if (cmp != 0 && cmp != -1) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix)
  {
         if (addr == NULL || subnet_addr == NULL) {
  }
  
  static bool
  necp_is_addr_in_subnet(struct sockaddr *addr, struct sockaddr *subnet_addr, u_int8_t subnet_prefix)
  {
         if (addr == NULL || subnet_addr == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         if (addr->sa_family != subnet_addr->sa_family || addr->sa_len != subnet_addr->sa_len) {
         }
  
         if (addr->sa_family != subnet_addr->sa_family || addr->sa_len != subnet_addr->sa_len) {
-               return (FALSE);
+               return FALSE;
         }
  
         switch (addr->sa_family) {
         }
  
         switch (addr->sa_family) {
-               case AF_INET: {
-                       if (satosin(subnet_addr)->sin_port != 0 &&
-                               satosin(addr)->sin_port != satosin(subnet_addr)->sin_port) {
-                               return (FALSE);
-                       }
-                       return (necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin(addr)->sin_addr, (u_int8_t *)&satosin(subnet_addr)->sin_addr, subnet_prefix));
+       case AF_INET: {
+               if (satosin(subnet_addr)->sin_port != 0 &&
+                   satosin(addr)->sin_port != satosin(subnet_addr)->sin_port) {
+                       return FALSE;
                 }
                 }
-               case AF_INET6: {
-                       if (satosin6(subnet_addr)->sin6_port != 0 &&
-                               satosin6(addr)->sin6_port != satosin6(subnet_addr)->sin6_port) {
-                               return (FALSE);
-                       }
-                       if (satosin6(addr)->sin6_scope_id &&
-                               satosin6(subnet_addr)->sin6_scope_id &&
-                               satosin6(addr)->sin6_scope_id != satosin6(subnet_addr)->sin6_scope_id) {
-                               return (FALSE);
-                       }
-                       return (necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin6(addr)->sin6_addr, (u_int8_t *)&satosin6(subnet_addr)->sin6_addr, subnet_prefix));
+               return necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin(addr)->sin_addr, (u_int8_t *)&satosin(subnet_addr)->sin_addr, subnet_prefix);
+       }
+       case AF_INET6: {
+               if (satosin6(subnet_addr)->sin6_port != 0 &&
+                   satosin6(addr)->sin6_port != satosin6(subnet_addr)->sin6_port) {
+                       return FALSE;
                 }
                 }
-               default: {
-                       return (FALSE);
+               if (satosin6(addr)->sin6_scope_id &&
+                   satosin6(subnet_addr)->sin6_scope_id &&
+                   satosin6(addr)->sin6_scope_id != satosin6(subnet_addr)->sin6_scope_id) {
+                       return FALSE;
                 }
                 }
+               return necp_buffer_compare_with_bit_prefix((u_int8_t *)&satosin6(addr)->sin6_addr, (u_int8_t *)&satosin6(subnet_addr)->sin6_addr, subnet_prefix);
+       }
+       default: {
+               return FALSE;
+       }
         }
  
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  /*
  }
  
  /*
@@ -6961,68 +8436,68 @@ necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port)
         int port_result = 0;
  
         if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) {
         int port_result = 0;
  
         if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) {
-               return (2);
+               return 2;
         }
  
         if (sa1->sa_len == 0) {
         }
  
         if (sa1->sa_len == 0) {
-               return (0);
+               return 0;
         }
  
         switch (sa1->sa_family) {
         }
  
         switch (sa1->sa_family) {
-               case AF_INET: {
-                       if (sa1->sa_len != sizeof(struct sockaddr_in)) {
-                               return (2);
-                       }
-
-                       result = memcmp(&satosin(sa1)->sin_addr.s_addr, &satosin(sa2)->sin_addr.s_addr, sizeof(satosin(sa1)->sin_addr.s_addr));
+       case AF_INET: {
+               if (sa1->sa_len != sizeof(struct sockaddr_in)) {
+                       return 2;
+               }
  
  
-                       if (check_port) {
-                               if (satosin(sa1)->sin_port < satosin(sa2)->sin_port) {
-                                       port_result = -1;
-                               } else if (satosin(sa1)->sin_port > satosin(sa2)->sin_port) {
-                                       port_result = 1;
-                               }
+               result = memcmp(&satosin(sa1)->sin_addr.s_addr, &satosin(sa2)->sin_addr.s_addr, sizeof(satosin(sa1)->sin_addr.s_addr));
  
  
-                               if (result == 0) {
-                                       result = port_result;
-                               } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
-                                       return (2);
-                               }
+               if (check_port) {
+                       if (satosin(sa1)->sin_port < satosin(sa2)->sin_port) {
+                               port_result = -1;
+                       } else if (satosin(sa1)->sin_port > satosin(sa2)->sin_port) {
+                               port_result = 1;
                         }
  
                         }
  
-                       break;
-               }
-               case AF_INET6: {
-                       if (sa1->sa_len != sizeof(struct sockaddr_in6)) {
-                               return (2);
+                       if (result == 0) {
+                               result = port_result;
+                       } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
+                               return 2;
                         }
                         }
+               }
  
  
-                       if (satosin6(sa1)->sin6_scope_id != satosin6(sa2)->sin6_scope_id) {
-                               return (2);
-                       }
+               break;
+       }
+       case AF_INET6: {
+               if (sa1->sa_len != sizeof(struct sockaddr_in6)) {
+                       return 2;
+               }
  
  
-                       result = memcmp(&satosin6(sa1)->sin6_addr.s6_addr[0], &satosin6(sa2)->sin6_addr.s6_addr[0], sizeof(struct in6_addr));
+               if (satosin6(sa1)->sin6_scope_id != satosin6(sa2)->sin6_scope_id) {
+                       return 2;
+               }
  
  
-                       if (check_port) {
-                               if (satosin6(sa1)->sin6_port < satosin6(sa2)->sin6_port) {
-                                       port_result = -1;
-                               } else if (satosin6(sa1)->sin6_port > satosin6(sa2)->sin6_port) {
-                                       port_result = 1;
-                               }
+               result = memcmp(&satosin6(sa1)->sin6_addr.s6_addr[0], &satosin6(sa2)->sin6_addr.s6_addr[0], sizeof(struct in6_addr));
  
  
-                               if (result == 0) {
-                                       result = port_result;
-                               } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
-                                       return (2);
-                               }
+               if (check_port) {
+                       if (satosin6(sa1)->sin6_port < satosin6(sa2)->sin6_port) {
+                               port_result = -1;
+                       } else if (satosin6(sa1)->sin6_port > satosin6(sa2)->sin6_port) {
+                               port_result = 1;
                         }
  
                         }
  
-                       break;
-               }
-               default: {
-                       result = memcmp(sa1, sa2, sa1->sa_len);
-                       break;
+                       if (result == 0) {
+                               result = port_result;
+                       } else if ((result > 0 && port_result < 0) || (result < 0 && port_result > 0)) {
+                               return 2;
+                       }
                 }
                 }
+
+               break;
+       }
+       default: {
+               result = memcmp(sa1, sa2, sa1->sa_len);
+               break;
+       }
         }
  
         if (result < 0) {
         }
  
         if (result < 0) {
@@ -7031,7 +8506,7 @@ necp_addr_compare(struct sockaddr *sa1, struct sockaddr *sa2, int check_port)
                 result = (1);
         }
  
                 result = (1);
         }
  
-       return (result);
+       return result;
  }
  
  static bool
  }
  
  static bool
@@ -7041,27 +8516,75 @@ necp_buffer_compare_with_bit_prefix(u_int8_t *p1, u_int8_t *p2, u_int32_t bits)
  
         /* Handle null pointers */
         if (p1 == NULL || p2 == NULL) {
  
         /* Handle null pointers */
         if (p1 == NULL || p2 == NULL) {
-               return (p1 == p2);
+               return p1 == p2;
         }
  
         while (bits >= 8) {
                 if (*p1++ != *p2++) {
         }
  
         while (bits >= 8) {
                 if (*p1++ != *p2++) {
-                       return (FALSE);
+                       return FALSE;
                 }
                 bits -= 8;
         }
  
         if (bits > 0) {
                 }
                 bits -= 8;
         }
  
         if (bits > 0) {
-               mask = ~((1<<(8-bits))-1);
+               mask = ~((1 << (8 - bits)) - 1);
                 if ((*p1 & mask) != (*p2 & mask)) {
                 if ((*p1 & mask) != (*p2 & mask)) {
-                       return (FALSE);
+                       return FALSE;
                 }
         }
                 }
         }
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
-necp_socket_update_qos_marking_inner(struct ifnet *ifp, u_int32_t route_rule_id)
+necp_addr_is_empty(struct sockaddr *addr)
+{
+       if (addr == NULL) {
+               return TRUE;
+       }
+
+       if (addr->sa_len == 0) {
+               return TRUE;
+       }
+
+       switch (addr->sa_family) {
+       case AF_INET: {
+               static struct sockaddr_in ipv4_empty_address = {
+                       .sin_len = sizeof(struct sockaddr_in),
+                       .sin_family = AF_INET,
+                       .sin_port = 0,
+                       .sin_addr = { .s_addr = 0 }, // 0.0.0.0
+                       .sin_zero = {0},
+               };
+               if (necp_addr_compare(addr, (struct sockaddr *)&ipv4_empty_address, 0) == 0) {
+                       return TRUE;
+               } else {
+                       return FALSE;
+               }
+       }
+       case AF_INET6: {
+               static struct sockaddr_in6 ipv6_empty_address = {
+                       .sin6_len = sizeof(struct sockaddr_in6),
+                       .sin6_family = AF_INET6,
+                       .sin6_port = 0,
+                       .sin6_flowinfo = 0,
+                       .sin6_addr = IN6ADDR_ANY_INIT, // ::
+                       .sin6_scope_id = 0,
+               };
+               if (necp_addr_compare(addr, (struct sockaddr *)&ipv6_empty_address, 0) == 0) {
+                       return TRUE;
+               } else {
+                       return FALSE;
+               }
+       }
+       default:
+               return FALSE;
+       }
+
+       return FALSE;
+}
+
+static bool
+necp_update_qos_marking(struct ifnet *ifp, u_int32_t route_rule_id)
  {
         bool qos_marking = FALSE;
         int exception_index = 0;
  {
         bool qos_marking = FALSE;
         int exception_index = 0;
@@ -7099,12 +8622,13 @@ necp_socket_update_qos_marking_inner(struct ifnet *ifp, u_int32_t route_rule_id)
         if ((route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CELLULAR(ifp)) ||
             (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIFI(ifp)) ||
             (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIRED(ifp)) ||
         if ((route_rule->cellular_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CELLULAR(ifp)) ||
             (route_rule->wifi_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIFI(ifp)) ||
             (route_rule->wired_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_WIRED(ifp)) ||
-           (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_EXPENSIVE(ifp))) {
+           (route_rule->expensive_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_EXPENSIVE(ifp)) ||
+           (route_rule->constrained_action == NECP_ROUTE_RULE_QOS_MARKING && IFNET_IS_CONSTRAINED(ifp))) {
                 qos_marking = TRUE;
                 if (necp_debug > 2) {
                 qos_marking = TRUE;
                 if (necp_debug > 2) {
-                       NECPLOG(LOG_DEBUG, "QoS Marking: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d",
+                       NECPLOG(LOG_DEBUG, "QoS Marking: C:%d WF:%d W:%d E:%d Cn:%d for Rule %d Allowed %d",
                             route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action,
                             route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action,
-                           route_rule->expensive_action, route_rule_id, qos_marking);
+                           route_rule->expensive_action, route_rule->constrained_action, route_rule_id, qos_marking);
                 }
                 goto done;
         }
                 }
                 goto done;
         }
@@ -7113,7 +8637,7 @@ done:
                 NECPLOG(LOG_DEBUG, "QoS Marking: Rule %d ifp %s Allowed %d",
                     route_rule_id, ifp ? ifp->if_xname : "", qos_marking);
         }
                 NECPLOG(LOG_DEBUG, "QoS Marking: Rule %d ifp %s Allowed %d",
                     route_rule_id, ifp ? ifp->if_xname : "", qos_marking);
         }
-       return (qos_marking);
+       return qos_marking;
  }
  
  void
  }
  
  void
@@ -7122,8 +8646,9 @@ necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct
         bool qos_marking = FALSE;
         struct ifnet *ifp = interface = NULL;
  
         bool qos_marking = FALSE;
         struct ifnet *ifp = interface = NULL;
  
-       ASSERT(net_qos_policy_restricted != 0);
-
+       if (net_qos_policy_restricted == 0) {
+               return;
+       }
         if (inp->inp_socket == NULL) {
                 return;
         }
         if (inp->inp_socket == NULL) {
                 return;
         }
@@ -7159,14 +8684,14 @@ necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct
                                 if (sub_route_rule_id == 0) {
                                         break;
                                 }
                                 if (sub_route_rule_id == 0) {
                                         break;
                                 }
-                               qos_marking = necp_socket_update_qos_marking_inner(ifp, sub_route_rule_id);
+                               qos_marking = necp_update_qos_marking(ifp, sub_route_rule_id);
                                 if (qos_marking == TRUE) {
                                         break;
                                 }
                         }
                 }
         } else {
                                 if (qos_marking == TRUE) {
                                         break;
                                 }
                         }
                 }
         } else {
-               qos_marking = necp_socket_update_qos_marking_inner(ifp, route_rule_id);
+               qos_marking = necp_update_qos_marking(ifp, route_rule_id);
         }
         /*
          * Now that we have an interface we remember the gencount
         }
         /*
          * Now that we have an interface we remember the gencount
@@ -7183,6 +8708,22 @@ done:
         }
  }
  
         }
  }
  
+static bool
+necp_route_is_lqm_abort(struct ifnet *ifp, struct ifnet *delegated_ifp)
+{
+       if (ifp != NULL &&
+           (ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
+           ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
+               return true;
+       }
+       if (delegated_ifp != NULL &&
+           (delegated_ifp->if_interface_state.valid_bitmask & IF_INTERFACE_STATE_LQM_STATE_VALID) &&
+           delegated_ifp->if_interface_state.lqm_state == IFNET_LQM_THRESH_ABORT) {
+               return true;
+       }
+       return false;
+}
+
  static bool
  necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
  {
  static bool
  necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t route_rule_id, u_int32_t *interface_type_denied)
  {
@@ -7194,7 +8735,7 @@ necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t
  
         route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
         if (route_rule == NULL) {
  
         route_rule = necp_lookup_route_rule_locked(&necp_route_rules, route_rule_id);
         if (route_rule == NULL) {
-               return (TRUE);
+               return TRUE;
         }
  
         default_is_allowed = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
         }
  
         default_is_allowed = (route_rule->default_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
@@ -7205,7 +8746,7 @@ necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t
                 if (necp_debug > 1 && !default_is_allowed) {
                         NECPLOG(LOG_DEBUG, "Route Allowed: No interface for route, using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
                 }
                 if (necp_debug > 1 && !default_is_allowed) {
                         NECPLOG(LOG_DEBUG, "Route Allowed: No interface for route, using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
                 }
-               return (default_is_allowed);
+               return default_is_allowed;
         }
  
         delegated_ifp = ifp->if_delegated.ifp;
         }
  
         delegated_ifp = ifp->if_delegated.ifp;
@@ -7213,78 +8754,133 @@ necp_route_is_allowed_inner(struct rtentry *route, struct ifnet *ifp, u_int32_t
                 if (route_rule->exception_if_indices[exception_index] == 0) {
                         break;
                 }
                 if (route_rule->exception_if_indices[exception_index] == 0) {
                         break;
                 }
-               if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->exception_if_actions[exception_index]) == FALSE) {
-                       continue;
-               }
                 if (route_rule->exception_if_indices[exception_index] == ifp->if_index ||
                 if (route_rule->exception_if_indices[exception_index] == ifp->if_index ||
-                       (delegated_ifp != NULL && route_rule->exception_if_indices[exception_index] == delegated_ifp->if_index)) {
-                       if (necp_debug > 1) {
-                               NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Allowed %d", route_rule->exception_if_indices[exception_index], route_rule_id, ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
+                   (delegated_ifp != NULL && route_rule->exception_if_indices[exception_index] == delegated_ifp->if_index)) {
+                       if (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                               const bool lqm_abort = necp_route_is_lqm_abort(ifp, delegated_ifp);
+                               if (necp_debug > 1 && lqm_abort) {
+                                       NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Deny LQM Abort",
+                                           route_rule->exception_if_indices[exception_index], route_rule_id);
+                               }
+                               return false;
+                       } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->exception_if_actions[exception_index])) {
+                               if (necp_debug > 1) {
+                                       NECPLOG(LOG_DEBUG, "Route Allowed: Interface match %d for Rule %d Allowed %d", route_rule->exception_if_indices[exception_index], route_rule_id, ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
+                               }
+                               return (route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
                         }
                         }
-                       return ((route_rule->exception_if_actions[exception_index] == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE);
                 }
         }
  
                 }
         }
  
-       if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->cellular_action) &&
-               IFNET_IS_CELLULAR(ifp)) {
-               if (interface_type_denied != NULL) {
-                       *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
-               }
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_CELLULAR(ifp)) {
+               if (route_rule->cellular_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               if (interface_type_denied != NULL) {
+                                       *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
+                               }
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->cellular_action)) {
+                       if (interface_type_denied != NULL) {
+                               *interface_type_denied = IFRTYPE_FUNCTIONAL_CELLULAR;
+                       }
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->cellular_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->cellular_action;
                         }
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->cellular_action;
                         }
+               }
         }
  
         }
  
-       if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wifi_action) &&
-               IFNET_IS_WIFI(ifp)) {
-               if (interface_type_denied != NULL) {
-                       *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
-               }
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_WIFI(ifp)) {
+               if (route_rule->wifi_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               if (interface_type_denied != NULL) {
+                                       *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
+                               }
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wifi_action)) {
+                       if (interface_type_denied != NULL) {
+                               *interface_type_denied = IFRTYPE_FUNCTIONAL_WIFI_INFRA;
+                       }
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->wifi_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->wifi_action;
                         }
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->wifi_action;
                         }
+               }
         }
  
         }
  
-       if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wired_action) &&
-               IFNET_IS_WIRED(ifp)) {
-               if (interface_type_denied != NULL) {
-                       *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
-               }
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_WIRED(ifp)) {
+               if (route_rule->wired_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               if (interface_type_denied != NULL) {
+                                       *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
+                               }
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->wired_action)) {
+                       if (interface_type_denied != NULL) {
+                               *interface_type_denied = IFRTYPE_FUNCTIONAL_WIRED;
+                       }
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->wired_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->wired_action;
                         }
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->wired_action;
                         }
+               }
         }
  
         }
  
-       if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->expensive_action) &&
-               IFNET_IS_EXPENSIVE(ifp)) {
-               if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
-                       (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
-                        route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+       if (IFNET_IS_EXPENSIVE(ifp)) {
+               if (route_rule->expensive_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->expensive_action)) {
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->expensive_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->expensive_action;
                         }
                                 // Deny wins if there is a conflict
                                 type_aggregate_action = route_rule->expensive_action;
                         }
+               }
+       }
+
+       if (IFNET_IS_CONSTRAINED(ifp)) {
+               if (route_rule->constrained_action == NECP_ROUTE_RULE_DENY_LQM_ABORT) {
+                       if (necp_route_is_lqm_abort(ifp, delegated_ifp)) {
+                               // Mark aggregate action as deny
+                               type_aggregate_action = NECP_ROUTE_RULE_DENY_INTERFACE;
+                       }
+               } else if (IS_NECP_ROUTE_RULE_ALLOW_OR_DENY(route_rule->constrained_action)) {
+                       if (type_aggregate_action == NECP_ROUTE_RULE_NONE ||
+                           (type_aggregate_action == NECP_ROUTE_RULE_ALLOW_INTERFACE &&
+                           route_rule->constrained_action == NECP_ROUTE_RULE_DENY_INTERFACE)) {
+                               // Deny wins if there is a conflict
+                               type_aggregate_action = route_rule->constrained_action;
+                       }
+               }
         }
  
         if (type_aggregate_action != NECP_ROUTE_RULE_NONE) {
                 if (necp_debug > 1) {
                         NECPLOG(LOG_DEBUG, "Route Allowed: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d", route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action, route_rule->expensive_action, route_rule_id, ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
                 }
         }
  
         if (type_aggregate_action != NECP_ROUTE_RULE_NONE) {
                 if (necp_debug > 1) {
                         NECPLOG(LOG_DEBUG, "Route Allowed: C:%d WF:%d W:%d E:%d for Rule %d Allowed %d", route_rule->cellular_action, route_rule->wifi_action, route_rule->wired_action, route_rule->expensive_action, route_rule_id, ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE));
                 }
-               return ((type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE);
+               return (type_aggregate_action == NECP_ROUTE_RULE_DENY_INTERFACE) ? FALSE : TRUE;
         }
  
         if (necp_debug > 1 && !default_is_allowed) {
                 NECPLOG(LOG_DEBUG, "Route Allowed: Using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
         }
         }
  
         if (necp_debug > 1 && !default_is_allowed) {
                 NECPLOG(LOG_DEBUG, "Route Allowed: Using default for Rule %d Allowed %d", route_rule_id, default_is_allowed);
         }
-       return (default_is_allowed);
+       return default_is_allowed;
  }
  
  static bool
  }
  
  static bool
@@ -7294,7 +8890,7 @@ necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t
                 if (necp_debug > 1) {
                         NECPLOG(LOG_DEBUG, "Route Allowed: no route or interface, Rule %d Allowed %d", route_rule_id, TRUE);
                 }
                 if (necp_debug > 1) {
                         NECPLOG(LOG_DEBUG, "Route Allowed: no route or interface, Rule %d Allowed %d", route_rule_id, TRUE);
                 }
-               return (TRUE);
+               return TRUE;
         }
  
         if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
         }
  
         if (ROUTE_RULE_IS_AGGREGATE(route_rule_id)) {
@@ -7307,15 +8903,15 @@ necp_route_is_allowed(struct rtentry *route, struct ifnet *interface, u_int32_t
                                         break;
                                 }
                                 if (!necp_route_is_allowed_inner(route, interface, sub_route_rule_id, interface_type_denied)) {
                                         break;
                                 }
                                 if (!necp_route_is_allowed_inner(route, interface, sub_route_rule_id, interface_type_denied)) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 }
         } else {
                                 }
                         }
                 }
         } else {
-               return (necp_route_is_allowed_inner(route, interface, route_rule_id, interface_type_denied));
+               return necp_route_is_allowed_inner(route, interface, route_rule_id, interface_type_denied);
         }
  
         }
  
-       return (TRUE);
+       return TRUE;
  }
  
  bool
  }
  
  bool
@@ -7324,12 +8920,12 @@ necp_packet_is_allowed_over_interface(struct mbuf *packet, struct ifnet *interfa
         bool is_allowed = TRUE;
         u_int32_t route_rule_id = necp_get_route_rule_id_from_packet(packet);
         if (route_rule_id != 0 &&
         bool is_allowed = TRUE;
         u_int32_t route_rule_id = necp_get_route_rule_id_from_packet(packet);
         if (route_rule_id != 0 &&
-               interface != NULL) {
+           interface != NULL) {
                 lck_rw_lock_shared(&necp_kernel_policy_lock);
                 is_allowed = necp_route_is_allowed(NULL, interface, necp_get_route_rule_id_from_packet(packet), NULL);
                 lck_rw_done(&necp_kernel_policy_lock);
         }
                 lck_rw_lock_shared(&necp_kernel_policy_lock);
                 is_allowed = necp_route_is_allowed(NULL, interface, necp_get_route_rule_id_from_packet(packet), NULL);
                 lck_rw_done(&necp_kernel_policy_lock);
         }
-       return (is_allowed);
+       return is_allowed;
  }
  
  static bool
  }
  
  static bool
@@ -7350,16 +8946,16 @@ necp_netagents_allow_traffic(u_int32_t *netagent_ids, size_t netagent_id_count)
                                 if (agent_flags & NETAGENT_FLAG_ACTIVE) {
                                         continue;
                                 } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
                                 if (agent_flags & NETAGENT_FLAG_ACTIVE) {
                                         continue;
                                 } else if ((agent_flags & NETAGENT_FLAG_VOLUNTARY) == 0) {
-                                       return (FALSE);
+                                       return FALSE;
                                 }
                         }
                 }
         }
                                 }
                         }
                 }
         }
-       return (TRUE);
+       return TRUE;
  }
  
  static bool
  }
  
  static bool
-necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
  {
         u_int32_t verifyifindex = interface ? interface->if_index : 0;
         bool allowed_to_receive = TRUE;
  {
         u_int32_t verifyifindex = interface ? interface->if_index : 0;
         bool allowed_to_receive = TRUE;
@@ -7370,13 +8966,17 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
         u_int32_t route_rule_id = 0;
         struct rtentry *route = NULL;
         u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
         u_int32_t route_rule_id = 0;
         struct rtentry *route = NULL;
         u_int32_t interface_type_denied = IFRTYPE_FUNCTIONAL_UNKNOWN;
-
+       necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
+       necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
         u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
         memset(&netagent_ids, 0, sizeof(netagent_ids));
  
         if (return_policy_id) {
                 *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         }
         u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
         memset(&netagent_ids, 0, sizeof(netagent_ids));
  
         if (return_policy_id) {
                 *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         }
+       if (return_skip_policy_id) {
+               *return_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       }
         if (return_route_rule_id) {
                 *return_route_rule_id = 0;
         }
         if (return_route_rule_id) {
                 *return_route_rule_id = 0;
         }
@@ -7387,10 +8987,14 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
  
         route = inp->inp_route.ro_rt;
  
  
         route = inp->inp_route.ro_rt;
  
+       struct socket *so = inp->inp_socket;
+
+       u_int32_t drop_order = necp_process_drop_order(so->so_cred);
+
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_socket_policies_count == 0 ||
         // Don't lock. Possible race condition, but we don't want the performance hit.
         if (necp_kernel_socket_policies_count == 0 ||
-               (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
-               if (necp_drop_all_order > 0) {
+           (!(inp->inp_flags2 & INP2_WANT_APP_POLICY) && necp_kernel_socket_policies_non_app_count == 0)) {
+               if (necp_drop_all_order > 0 || drop_order > 0) {
                         if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
                                 allowed_to_receive = TRUE;
                         } else {
                         if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
                                 allowed_to_receive = TRUE;
                         } else {
@@ -7404,32 +9008,37 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
         if ((necp_socket_is_connected(inp) || (override_local_addr == NULL && override_remote_addr == NULL)) && inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                 bool policies_have_changed = FALSE;
                 bool route_allowed = TRUE;
         if ((necp_socket_is_connected(inp) || (override_local_addr == NULL && override_remote_addr == NULL)) && inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                 bool policies_have_changed = FALSE;
                 bool route_allowed = TRUE;
-               lck_rw_lock_shared(&necp_kernel_policy_lock);
+
                 if (inp->inp_policyresult.policy_gencount != necp_kernel_socket_policies_gencount) {
                         policies_have_changed = TRUE;
                 } else {
                 if (inp->inp_policyresult.policy_gencount != necp_kernel_socket_policies_gencount) {
                         policies_have_changed = TRUE;
                 } else {
-                       if (inp->inp_policyresult.results.route_rule_id != 0 &&
-                               !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied)) {
-                               route_allowed = FALSE;
+                       if (inp->inp_policyresult.results.route_rule_id != 0) {
+                               lck_rw_lock_shared(&necp_kernel_policy_lock);
+                               if (!necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied)) {
+                                       route_allowed = FALSE;
+                               }
+                               lck_rw_done(&necp_kernel_policy_lock);
                         }
                 }
                         }
                 }
-               lck_rw_done(&necp_kernel_policy_lock);
  
                 if (!policies_have_changed) {
                         if (!route_allowed ||
  
                 if (!policies_have_changed) {
                         if (!route_allowed ||
-                               inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                               inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
-                               (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
-                               inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex)) {
-                                       allowed_to_receive = FALSE;
-                               } else {
-                                       if (return_policy_id) {
-                                               *return_policy_id = inp->inp_policyresult.policy_id;
-                                       }
-                                       if (return_route_rule_id) {
-                                               *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
-                                       }
+                           inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
+                           inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+                           (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
+                           inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex)) {
+                               allowed_to_receive = FALSE;
+                       } else {
+                               if (return_policy_id) {
+                                       *return_policy_id = inp->inp_policyresult.policy_id;
+                               }
+                               if (return_skip_policy_id) {
+                                       *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
+                               }
+                               if (return_route_rule_id) {
+                                       *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                                 }
                                 }
+                       }
                         goto done;
                 }
         }
                         goto done;
                 }
         }
@@ -7442,18 +9051,18 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
  
         // Actually calculate policy result
         lck_rw_lock_shared(&necp_kernel_policy_lock);
  
         // Actually calculate policy result
         lck_rw_lock_shared(&necp_kernel_policy_lock);
-       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, 0, &info);
+       necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, 0, drop_order, &info);
  
         flowhash = necp_socket_calc_flowhash_locked(&info);
         if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
  
         flowhash = necp_socket_calc_flowhash_locked(&info);
         if (inp->inp_policyresult.policy_id != NECP_KERNEL_POLICY_ID_NONE &&
-               inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
-               inp->inp_policyresult.flowhash == flowhash) {
+           inp->inp_policyresult.policy_gencount == necp_kernel_socket_policies_gencount &&
+           inp->inp_policyresult.flowhash == flowhash) {
                 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
                 if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                       inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
-                       (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
-                       inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex) ||
-                       (inp->inp_policyresult.results.route_rule_id != 0 &&
-                        !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied))) {
+                   inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+                   (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
+                   inp->inp_policyresult.results.result_parameter.tunnel_interface_index != verifyifindex) ||
+                   (inp->inp_policyresult.results.route_rule_id != 0 &&
+                   !necp_route_is_allowed(route, interface, inp->inp_policyresult.results.route_rule_id, &interface_type_denied))) {
                         allowed_to_receive = FALSE;
                 } else {
                         if (return_policy_id) {
                         allowed_to_receive = FALSE;
                 } else {
                         if (return_policy_id) {
@@ -7462,23 +9071,35 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                         if (return_route_rule_id) {
                                 *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                         }
                         if (return_route_rule_id) {
                                 *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                         }
+                       if (return_skip_policy_id) {
+                               *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
+                       }
                 }
                 lck_rw_done(&necp_kernel_policy_lock);
                 goto done;
         }
  
                 }
                 lck_rw_done(&necp_kernel_policy_lock);
                 goto done;
         }
  
-       struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, NULL, &route_rule_id, &service_action, &service, netagent_ids, NECP_MAX_NETAGENTS, current_proc());
+       u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
+       size_t route_rule_id_array_count = 0;
+       struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, NULL, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, current_proc(), return_skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass);
+
+       if (route_rule_id_array_count == 1) {
+               route_rule_id = route_rule_id_array[0];
+       } else if (route_rule_id_array_count > 1) {
+               route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
+       }
+
         if (matched_policy != NULL) {
                 if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
         if (matched_policy != NULL) {
                 if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
-                       matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
-                       (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
-                       matched_policy->result_parameter.tunnel_interface_index != verifyifindex) ||
-                       ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
-                         service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
-                        service.identifier != 0 && service.identifier != NECP_NULL_SERVICE_ID) ||
-                       (route_rule_id != 0 &&
-                        !necp_route_is_allowed(route, interface, route_rule_id, &interface_type_denied)) ||
-                       !necp_netagents_allow_traffic(netagent_ids, NECP_MAX_NETAGENTS)) {
+                   matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+                   (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
+                   matched_policy->result_parameter.tunnel_interface_index != verifyifindex) ||
+                   ((service_action == NECP_KERNEL_POLICY_RESULT_TRIGGER_SCOPED ||
+                   service_action == NECP_KERNEL_POLICY_RESULT_NO_TRIGGER_SCOPED) &&
+                   service.identifier != 0 && service.identifier != NECP_NULL_SERVICE_ID) ||
+                   (route_rule_id != 0 &&
+                   !necp_route_is_allowed(route, interface, route_rule_id, &interface_type_denied)) ||
+                   !necp_netagents_allow_traffic(netagent_ids, NECP_MAX_NETAGENTS)) {
                         allowed_to_receive = FALSE;
                 } else {
                         if (return_policy_id) {
                         allowed_to_receive = FALSE;
                 } else {
                         if (return_policy_id) {
@@ -7494,14 +9115,23 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                         NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
                 }
                 goto done;
                         NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
                 }
                 goto done;
-       } else if (necp_drop_all_order > 0) {
-               allowed_to_receive = FALSE;
         } else {
         } else {
-               if (return_policy_id) {
-                       *return_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               bool drop_all = false;
+               if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
+                       drop_all = true;
+                       if (drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE) {
+                               drop_all_bypass = necp_check_drop_all_bypass_result(NULL);
+                       }
                 }
                 }
-               if (return_route_rule_id) {
-                       *return_route_rule_id = route_rule_id;
+               if (drop_all && drop_all_bypass == NECP_DROP_ALL_BYPASS_CHECK_RESULT_FALSE) {
+                       allowed_to_receive = FALSE;
+               } else {
+                       if (return_policy_id) {
+                               *return_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+                       }
+                       if (return_route_rule_id) {
+                               *return_route_rule_id = route_rule_id;
+                       }
                 }
         }
  
                 }
         }
  
@@ -7512,14 +9142,14 @@ done:
                 soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
         }
  
                 soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
         }
  
-       return (allowed_to_receive);
+       return allowed_to_receive;
  }
  
  bool
  }
  
  bool
-necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
  {
  {
-       struct sockaddr_in local;
-       struct sockaddr_in remote;
+       struct sockaddr_in local = {};
+       struct sockaddr_in remote = {};
         local.sin_family = remote.sin_family = AF_INET;
         local.sin_len = remote.sin_len = sizeof(struct sockaddr_in);
         local.sin_port = local_port;
         local.sin_family = remote.sin_family = AF_INET;
         local.sin_len = remote.sin_len = sizeof(struct sockaddr_in);
         local.sin_port = local_port;
@@ -7527,14 +9157,15 @@ necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port,
         memcpy(&local.sin_addr, local_addr, sizeof(local.sin_addr));
         memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
  
         memcpy(&local.sin_addr, local_addr, sizeof(local.sin_addr));
         memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
  
-       return (necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface, return_policy_id, return_route_rule_id));
+       return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
+                  return_policy_id, return_route_rule_id, return_skip_policy_id);
  }
  
  bool
  }
  
  bool
-necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
  {
  {
-       struct sockaddr_in6 local;
-       struct sockaddr_in6 remote;
+       struct sockaddr_in6 local = {};
+       struct sockaddr_in6 remote = {};
         local.sin6_family = remote.sin6_family = AF_INET6;
         local.sin6_len = remote.sin6_len = sizeof(struct sockaddr_in6);
         local.sin6_port = local_port;
         local.sin6_family = remote.sin6_family = AF_INET6;
         local.sin6_len = remote.sin6_len = sizeof(struct sockaddr_in6);
         local.sin6_port = local_port;
@@ -7542,27 +9173,33 @@ necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port,
         memcpy(&local.sin6_addr, local_addr, sizeof(local.sin6_addr));
         memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
  
         memcpy(&local.sin6_addr, local_addr, sizeof(local.sin6_addr));
         memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
  
-       return (necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface, return_policy_id, return_route_rule_id));
+       return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
+                  return_policy_id, return_route_rule_id, return_skip_policy_id);
  }
  
  bool
  }
  
  bool
-necp_socket_is_allowed_to_send_recv(struct inpcb *inp, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id)
+necp_socket_is_allowed_to_send_recv(struct inpcb *inp, ifnet_t interface, necp_kernel_policy_id *return_policy_id,
+    u_int32_t *return_route_rule_id,
+    necp_kernel_policy_id *return_skip_policy_id)
  {
  {
-       return (necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, NULL, return_policy_id, return_route_rule_id));
+       return necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, interface,
+                  return_policy_id, return_route_rule_id,
+                  return_skip_policy_id);
  }
  
  int
  }
  
  int
-necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id)
+necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id,
+    necp_kernel_policy_id skip_policy_id)
  {
         if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
  {
         if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (EINVAL);
+               return EINVAL;
         }
  
         // Mark ID for Pass and IP Tunnel
         if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                 packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
         } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS ||
         }
  
         // Mark ID for Pass and IP Tunnel
         if (policy_id != NECP_KERNEL_POLICY_ID_NONE) {
                 packet->m_pkthdr.necp_mtag.necp_policy_id = policy_id;
         } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS ||
-               inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
+           inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL) {
                 packet->m_pkthdr.necp_mtag.necp_policy_id = inp->inp_policyresult.policy_id;
         } else {
                 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
                 packet->m_pkthdr.necp_mtag.necp_policy_id = inp->inp_policyresult.policy_id;
         } else {
                 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
@@ -7575,14 +9212,28 @@ necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel
         }
         packet->m_pkthdr.necp_mtag.necp_app_id = inp->inp_policyresult.app_id;
  
         }
         packet->m_pkthdr.necp_mtag.necp_app_id = inp->inp_policyresult.app_id;
  
-       return (0);
+       if (skip_policy_id != NECP_KERNEL_POLICY_ID_NONE &&
+           skip_policy_id != NECP_KERNEL_POLICY_ID_NO_MATCH) {
+               // Only mark the skip policy if it is a valid policy ID
+               packet->m_pkthdr.necp_mtag.necp_skip_policy_id = skip_policy_id;
+       } else if (inp->inp_policyresult.results.filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
+               // Overload the meaning of "NECP_KERNEL_POLICY_ID_NO_MATCH"
+               // to indicate that NECP_FILTER_UNIT_NO_FILTER was set
+               // See necp_get_skip_policy_id_from_packet() and
+               // necp_packet_should_skip_filters().
+               packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+       } else {
+               packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       return 0;
  }
  
  int
  necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  int
  necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (EINVAL);
+               return EINVAL;
         }
  
         // Mark ID for Pass and IP Tunnel
         }
  
         // Mark ID for Pass and IP Tunnel
@@ -7592,14 +9243,14 @@ necp_mark_packet_from_ip(struct mbuf *packet, necp_kernel_policy_id policy_id)
                 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         }
  
                 packet->m_pkthdr.necp_mtag.necp_policy_id = NECP_KERNEL_POLICY_ID_NONE;
         }
  
-       return (0);
+       return 0;
  }
  
  int
  necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  int
  necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (EINVAL);
+               return EINVAL;
         }
  
         // Mark ID for Pass and IP Tunnel
         }
  
         // Mark ID for Pass and IP Tunnel
@@ -7607,14 +9258,14 @@ necp_mark_packet_from_interface(struct mbuf *packet, ifnet_t interface)
                 packet->m_pkthdr.necp_mtag.necp_last_interface_index = interface->if_index;
         }
  
                 packet->m_pkthdr.necp_mtag.necp_last_interface_index = interface->if_index;
         }
  
-       return (0);
+       return 0;
  }
  
  int
  necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  int
  necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (EINVAL);
+               return EINVAL;
         }
  
         if (is_keepalive) {
         }
  
         if (is_keepalive) {
@@ -7623,45 +9274,71 @@ necp_mark_packet_as_keepalive(struct mbuf *packet, bool is_keepalive)
                 packet->m_pkthdr.pkt_flags &= ~PKTF_KEEPALIVE;
         }
  
                 packet->m_pkthdr.pkt_flags &= ~PKTF_KEEPALIVE;
         }
  
-       return (0);
+       return 0;
  }
  
  necp_kernel_policy_id
  necp_get_policy_id_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  necp_kernel_policy_id
  necp_get_policy_id_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (NECP_KERNEL_POLICY_ID_NONE);
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       return packet->m_pkthdr.necp_mtag.necp_policy_id;
+}
+
+necp_kernel_policy_id
+necp_get_skip_policy_id_from_packet(struct mbuf *packet)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       // Check for overloaded value. See necp_mark_packet_from_socket().
+       if (packet->m_pkthdr.necp_mtag.necp_skip_policy_id == NECP_KERNEL_POLICY_ID_NO_MATCH) {
+               return NECP_KERNEL_POLICY_ID_NONE;
+       }
+
+       return packet->m_pkthdr.necp_mtag.necp_skip_policy_id;
+}
+
+bool
+necp_packet_should_skip_filters(struct mbuf *packet)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return false;
         }
  
         }
  
-       return (packet->m_pkthdr.necp_mtag.necp_policy_id);
+       // Check for overloaded value. See necp_mark_packet_from_socket().
+       return packet->m_pkthdr.necp_mtag.necp_skip_policy_id == NECP_KERNEL_POLICY_ID_NO_MATCH;
  }
  
  u_int32_t
  necp_get_last_interface_index_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  u_int32_t
  necp_get_last_interface_index_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (0);
+               return 0;
         }
  
         }
  
-       return (packet->m_pkthdr.necp_mtag.necp_last_interface_index);
+       return packet->m_pkthdr.necp_mtag.necp_last_interface_index;
  }
  
  u_int32_t
  necp_get_route_rule_id_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  u_int32_t
  necp_get_route_rule_id_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (0);
+               return 0;
         }
  
         }
  
-       return (packet->m_pkthdr.necp_mtag.necp_route_rule_id);
+       return packet->m_pkthdr.necp_mtag.necp_route_rule_id;
  }
  
  int
  necp_get_app_uuid_from_packet(struct mbuf *packet,
  }
  
  int
  necp_get_app_uuid_from_packet(struct mbuf *packet,
-                                                         uuid_t app_uuid)
+    uuid_t app_uuid)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (EINVAL);
+               return EINVAL;
         }
  
         bool found_mapping = FALSE;
         }
  
         bool found_mapping = FALSE;
@@ -7677,17 +9354,17 @@ necp_get_app_uuid_from_packet(struct mbuf *packet,
         if (!found_mapping) {
                 uuid_clear(app_uuid);
         }
         if (!found_mapping) {
                 uuid_clear(app_uuid);
         }
-       return (0);
+       return 0;
  }
  
  bool
  necp_get_is_keepalive_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
  }
  
  bool
  necp_get_is_keepalive_from_packet(struct mbuf *packet)
  {
         if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       return (packet->m_pkthdr.pkt_flags & PKTF_KEEPALIVE);
+       return packet->m_pkthdr.pkt_flags & PKTF_KEEPALIVE;
  }
  
  u_int32_t
  }
  
  u_int32_t
@@ -7696,70 +9373,72 @@ necp_socket_get_content_filter_control_unit(struct socket *so)
         struct inpcb *inp = sotoinpcb(so);
  
         if (inp == NULL) {
         struct inpcb *inp = sotoinpcb(so);
  
         if (inp == NULL) {
-               return (0);
+               return 0;
         }
         }
-       return (inp->inp_policyresult.results.filter_control_unit);
+       return inp->inp_policyresult.results.filter_control_unit;
  }
  
  bool
  necp_socket_should_use_flow_divert(struct inpcb *inp)
  {
         if (inp == NULL) {
  }
  
  bool
  necp_socket_should_use_flow_divert(struct inpcb *inp)
  {
         if (inp == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       return (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT);
+       return inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT;
  }
  
  u_int32_t
  necp_socket_get_flow_divert_control_unit(struct inpcb *inp)
  {
         if (inp == NULL) {
  }
  
  u_int32_t
  necp_socket_get_flow_divert_control_unit(struct inpcb *inp)
  {
         if (inp == NULL) {
-               return (0);
+               return 0;
         }
  
         if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
         }
  
         if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
-               return (inp->inp_policyresult.results.result_parameter.flow_divert_control_unit);
+               return inp->inp_policyresult.results.result_parameter.flow_divert_control_unit;
         }
  
         }
  
-       return (0);
+       return 0;
  }
  
  bool
  necp_socket_should_rescope(struct inpcb *inp)
  {
         if (inp == NULL) {
  }
  
  bool
  necp_socket_should_rescope(struct inpcb *inp)
  {
         if (inp == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         }
  
-       return (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED);
+       return inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED ||
+              inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT;
  }
  
  u_int
  necp_socket_get_rescope_if_index(struct inpcb *inp)
  {
         if (inp == NULL) {
  }
  
  u_int
  necp_socket_get_rescope_if_index(struct inpcb *inp)
  {
         if (inp == NULL) {
-               return (0);
+               return 0;
         }
  
         if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
         }
  
         if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) {
-               return (inp->inp_policyresult.results.result_parameter.scoped_interface_index);
+               return inp->inp_policyresult.results.result_parameter.scoped_interface_index;
+       } else if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SCOPED_DIRECT) {
+               return necp_get_primary_direct_interface_index();
         }
  
         }
  
-       return (0);
+       return 0;
  }
  
  u_int32_t
  necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
  {
         if (inp == NULL) {
  }
  
  u_int32_t
  necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
  {
         if (inp == NULL) {
-               return (current_mtu);
+               return current_mtu;
         }
  
         if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
         }
  
         if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
-               (inp->inp_flags & INP_BOUND_IF) &&
-               inp->inp_boundifp) {
-
+           (inp->inp_flags & INP_BOUND_IF) &&
+           inp->inp_boundifp) {
                 u_int bound_interface_index = inp->inp_boundifp->if_index;
                 u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
  
                 u_int bound_interface_index = inp->inp_boundifp->if_index;
                 u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
  
@@ -7775,40 +9454,40 @@ necp_socket_get_effective_mtu(struct inpcb *inp, u_int32_t current_mtu)
                                 u_int32_t direct_tunnel_mtu = tunnel_interface->if_mtu;
                                 u_int32_t delegate_tunnel_mtu = (tunnel_interface->if_delegated.ifp != NULL) ? tunnel_interface->if_delegated.ifp->if_mtu : 0;
                                 if (delegate_tunnel_mtu != 0 &&
                                 u_int32_t direct_tunnel_mtu = tunnel_interface->if_mtu;
                                 u_int32_t delegate_tunnel_mtu = (tunnel_interface->if_delegated.ifp != NULL) ? tunnel_interface->if_delegated.ifp->if_mtu : 0;
                                 if (delegate_tunnel_mtu != 0 &&
-                                       strncmp(tunnel_interface->if_name, "ipsec", strlen("ipsec")) == 0) {
-                                               // For ipsec interfaces, calculate the overhead from the delegate interface
-                                               u_int32_t tunnel_overhead = (u_int32_t)(esp_hdrsiz(NULL) + sizeof(struct ip6_hdr));
-                                               if (delegate_tunnel_mtu > tunnel_overhead) {
-                                                       delegate_tunnel_mtu -= tunnel_overhead;
-                                               }
+                                   strncmp(tunnel_interface->if_name, "ipsec", strlen("ipsec")) == 0) {
+                                       // For ipsec interfaces, calculate the overhead from the delegate interface
+                                       u_int32_t tunnel_overhead = (u_int32_t)(esp_hdrsiz(NULL) + sizeof(struct ip6_hdr));
+                                       if (delegate_tunnel_mtu > tunnel_overhead) {
+                                               delegate_tunnel_mtu -= tunnel_overhead;
+                                       }
  
  
-                                               if (delegate_tunnel_mtu < direct_tunnel_mtu) {
-                                                       // If the (delegate - overhead) < direct, return (delegate - overhead)
-                                                       return (delegate_tunnel_mtu);
-                                               } else {
-                                                       // Otherwise return direct
-                                                       return (direct_tunnel_mtu);
-                                               }
+                                       if (delegate_tunnel_mtu < direct_tunnel_mtu) {
+                                               // If the (delegate - overhead) < direct, return (delegate - overhead)
+                                               return delegate_tunnel_mtu;
+                                       } else {
+                                               // Otherwise return direct
+                                               return direct_tunnel_mtu;
+                                       }
                                 } else {
                                         // For non-ipsec interfaces, just return the tunnel MTU
                                 } else {
                                         // For non-ipsec interfaces, just return the tunnel MTU
-                                       return (direct_tunnel_mtu);
+                                       return direct_tunnel_mtu;
                                 }
                         }
                 }
         }
  
         // By default, just return the MTU passed in
                                 }
                         }
                 }
         }
  
         // By default, just return the MTU passed in
-       return (current_mtu);
+       return current_mtu;
  }
  
  ifnet_t
  necp_get_ifnet_from_result_parameter(necp_kernel_policy_result_parameter *result_parameter)
  {
         if (result_parameter == NULL) {
  }
  
  ifnet_t
  necp_get_ifnet_from_result_parameter(necp_kernel_policy_result_parameter *result_parameter)
  {
         if (result_parameter == NULL) {
-               return (NULL);
+               return NULL;
         }
  
         }
  
-       return (ifindex2ifnet[result_parameter->tunnel_interface_index]);
+       return ifindex2ifnet[result_parameter->tunnel_interface_index];
  }
  
  bool
  }
  
  bool
@@ -7821,13 +9500,13 @@ necp_packet_can_rebind_to_ifnet(struct mbuf *packet, struct ifnet *interface, st
         int i;
  
         if (packet == NULL || interface == NULL || new_route == NULL || (family != AF_INET && family != AF_INET6)) {
         int i;
  
         if (packet == NULL || interface == NULL || new_route == NULL || (family != AF_INET && family != AF_INET6)) {
-               return (FALSE);
+               return FALSE;
         }
  
         result = ifnet_get_address_list_family(interface, &addresses, family);
         if (result != 0) {
                 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
         }
  
         result = ifnet_get_address_list_family(interface, &addresses, family);
         if (result != 0) {
                 NECPLOG(LOG_ERR, "Failed to get address list for %s%d", ifnet_name(interface), ifnet_unit(interface));
-               return (FALSE);
+               return FALSE;
         }
  
         for (i = 0; addresses[i] != NULL; i++) {
         }
  
         for (i = 0; addresses[i] != NULL; i++) {
@@ -7866,27 +9545,27 @@ necp_packet_can_rebind_to_ifnet(struct mbuf *packet, struct ifnet *interface, st
  done:
         ifnet_free_address_list(addresses);
         addresses = NULL;
  done:
         ifnet_free_address_list(addresses);
         addresses = NULL;
-       return (found_match);
+       return found_match;
  }
  
  static bool
  necp_addr_is_loopback(struct sockaddr *address)
  {
         if (address == NULL) {
  }
  
  static bool
  necp_addr_is_loopback(struct sockaddr *address)
  {
         if (address == NULL) {
-               return (FALSE);
+               return FALSE;
         }
  
         if (address->sa_family == AF_INET) {
         }
  
         if (address->sa_family == AF_INET) {
-               return (ntohl(((struct sockaddr_in *)(void *)address)->sin_addr.s_addr) == INADDR_LOOPBACK);
+               return ntohl(((struct sockaddr_in *)(void *)address)->sin_addr.s_addr) == INADDR_LOOPBACK;
         } else if (address->sa_family == AF_INET6) {
                 return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)(void *)address)->sin6_addr);
         }
  
         } else if (address->sa_family == AF_INET6) {
                 return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)(void *)address)->sin6_addr);
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static bool
  }
  
  static bool
-necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet)
+necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, struct inpcb *inp, struct mbuf *packet, u_int32_t bound_interface_index)
  {
         // Note: This function only checks for the loopback addresses.
         // In the future, we may want to expand to also allow any traffic
  {
         // Note: This function only checks for the loopback addresses.
         // In the future, we may want to expand to also allow any traffic
@@ -7894,59 +9573,70 @@ necp_is_loopback(struct sockaddr *local_addr, struct sockaddr *remote_addr, stru
         // check is cheaper.
  
         if (local_addr != NULL && necp_addr_is_loopback(local_addr)) {
         // check is cheaper.
  
         if (local_addr != NULL && necp_addr_is_loopback(local_addr)) {
-               return (TRUE);
+               return TRUE;
         }
  
         if (remote_addr != NULL && necp_addr_is_loopback(remote_addr)) {
         }
  
         if (remote_addr != NULL && necp_addr_is_loopback(remote_addr)) {
-               return (TRUE);
+               return TRUE;
         }
  
         if (inp != NULL) {
                 if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp && (inp->inp_boundifp->if_flags & IFF_LOOPBACK)) {
         }
  
         if (inp != NULL) {
                 if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp && (inp->inp_boundifp->if_flags & IFF_LOOPBACK)) {
-                       return (TRUE);
+                       return TRUE;
                 }
                 if (inp->inp_vflag & INP_IPV4) {
                         if (ntohl(inp->inp_laddr.s_addr) == INADDR_LOOPBACK ||
                 }
                 if (inp->inp_vflag & INP_IPV4) {
                         if (ntohl(inp->inp_laddr.s_addr) == INADDR_LOOPBACK ||
-                               ntohl(inp->inp_faddr.s_addr) == INADDR_LOOPBACK) {
-                               return (TRUE);
+                           ntohl(inp->inp_faddr.s_addr) == INADDR_LOOPBACK) {
+                               return TRUE;
                         }
                 } else if (inp->inp_vflag & INP_IPV6) {
                         if (IN6_IS_ADDR_LOOPBACK(&inp->in6p_laddr) ||
                         }
                 } else if (inp->inp_vflag & INP_IPV6) {
                         if (IN6_IS_ADDR_LOOPBACK(&inp->in6p_laddr) ||
-                               IN6_IS_ADDR_LOOPBACK(&inp->in6p_faddr)) {
-                               return (TRUE);
+                           IN6_IS_ADDR_LOOPBACK(&inp->in6p_faddr)) {
+                               return TRUE;
                         }
                 }
                         }
                 }
+       } else if (bound_interface_index != IFSCOPE_NONE && lo_ifp->if_index == bound_interface_index) {
+               return TRUE;
         }
  
         if (packet != NULL) {
                 struct ip *ip = mtod(packet, struct ip *);
                 if (ip->ip_v == 4) {
                         if (ntohl(ip->ip_src.s_addr) == INADDR_LOOPBACK) {
         }
  
         if (packet != NULL) {
                 struct ip *ip = mtod(packet, struct ip *);
                 if (ip->ip_v == 4) {
                         if (ntohl(ip->ip_src.s_addr) == INADDR_LOOPBACK) {
-                               return (TRUE);
+                               return TRUE;
                         }
                         if (ntohl(ip->ip_dst.s_addr) == INADDR_LOOPBACK) {
                         }
                         if (ntohl(ip->ip_dst.s_addr) == INADDR_LOOPBACK) {
-                               return (TRUE);
+                               return TRUE;
                         }
                 } else if (ip->ip_v == 6) {
                         struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
                         if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)) {
                         }
                 } else if (ip->ip_v == 6) {
                         struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
                         if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)) {
-                               return (TRUE);
+                               return TRUE;
                         }
                         if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
                         }
                         if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
-                               return (TRUE);
+                               return TRUE;
                         }
                 }
         }
  
                         }
                 }
         }
  
-       return (FALSE);
+       return FALSE;
  }
  
  static bool
  necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet)
  {
  }
  
  static bool
  necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet)
  {
-
         if (inp != NULL) {
         if (inp != NULL) {
-               return (sflt_permission_check(inp) ? true : false);
+               if (!(inp->inp_vflag & INP_IPV6)) {
+                       return false;
+               }
+               if (INP_INTCOPROC_ALLOWED(inp)) {
+                       return true;
+               }
+               if ((inp->inp_flags & INP_BOUND_IF) &&
+                   IFNET_IS_INTCOPROC(inp->inp_boundifp)) {
+                       return true;
+               }
+               return false;
         }
         if (packet != NULL) {
                 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
         }
         if (packet != NULL) {
                 struct ip6_hdr *ip6 = mtod(packet, struct ip6_hdr *);
@@ -7954,9 +9644,182 @@ necp_is_intcoproc(struct inpcb *inp, struct mbuf *packet)
                     IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst) &&
                     ip6->ip6_dst.s6_addr32[2] == ntohl(0xaede48ff) &&
                     ip6->ip6_dst.s6_addr32[3] == ntohl(0xfe334455)) {
                     IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst) &&
                     ip6->ip6_dst.s6_addr32[2] == ntohl(0xaede48ff) &&
                     ip6->ip6_dst.s6_addr32[3] == ntohl(0xfe334455)) {
-                       return (true);
+                       return true;
                 }
         }
  
                 }
         }
  
-       return (false);
+       return false;
+}
+
+static bool
+necp_address_matches_drop_dest_policy(union necp_sockaddr_union *sau, u_int32_t session_order)
+{
+       char dest_str[MAX_IPv6_STR_LEN];
+
+       if (necp_drop_dest_debug > 0) {
+               if (sau->sa.sa_family == AF_INET) {
+                       (void) inet_ntop(AF_INET, &sau->sin.sin_addr, dest_str, sizeof(dest_str));
+               } else if (sau->sa.sa_family == AF_INET6) {
+                       (void) inet_ntop(AF_INET6, &sau->sin6.sin6_addr, dest_str, sizeof(dest_str));
+               } else {
+                       dest_str[0] = 0;
+               }
+       }
+       for (u_int32_t i = 0; i < necp_drop_dest_policy.entry_count; i++) {
+               struct necp_drop_dest_entry *necp_drop_dest_entry = &necp_drop_dest_policy.entries[i];
+               struct necp_policy_condition_addr *npca = &necp_drop_dest_entry->cond_addr;
+
+               if (session_order >= necp_drop_dest_entry->order && necp_is_addr_in_subnet(&sau->sa, &npca->address.sa, npca->prefix)) {
+                       if (necp_drop_dest_debug > 0) {
+                               char subnet_str[MAX_IPv6_STR_LEN];
+                               struct proc *p = current_proc();
+                               pid_t pid = proc_pid(p);
+
+                               if (sau->sa.sa_family == AF_INET) {
+                                       (void) inet_ntop(AF_INET, &npca->address.sin, subnet_str, sizeof(subnet_str));
+                                       os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s matches %s/%u", __func__, proc_best_name(p), pid, dest_str, subnet_str, npca->prefix);
+                               } else if (sau->sa.sa_family == AF_INET6) {
+                                       (void) inet_ntop(AF_INET6, &npca->address.sin6, subnet_str, sizeof(subnet_str));
+                                       os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s matches %s/%u", __func__, proc_best_name(p), pid, dest_str, subnet_str, npca->prefix);
+                               }
+                       }
+                       return true;
+               }
+       }
+       if (necp_drop_dest_debug > 1) {
+               struct proc *p = current_proc();
+               pid_t pid = proc_pid(p);
+
+               os_log(OS_LOG_DEFAULT, "%s (process %s:%u) %s no match", __func__, proc_best_name(p), pid, dest_str);
+       }
+       return false;
+}
+
+static int
+sysctl_handle_necp_drop_dest_level SYSCTL_HANDLER_ARGS
+{
+#pragma unused(arg1, arg2, oidp)
+       int changed = 0;
+       int error = 0;
+       struct necp_drop_dest_policy tmp_drop_dest_policy;
+       struct proc *p = current_proc();
+       pid_t pid = proc_pid(p);
+
+       if (req->newptr != USER_ADDR_NULL && proc_suser(current_proc()) != 0 &&
+           priv_check_cred(kauth_cred_get(), PRIV_NET_PRIVILEGED_NECP_POLICIES, 0) != 0) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) not permitted", __func__, proc_best_name(p), pid);
+               return EPERM;
+       }
+       if (req->newptr != USER_ADDR_NULL && req->newlen != sizeof(struct necp_drop_dest_policy)) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) bad newlen %lu", __func__, proc_best_name(p), pid, req->newlen);
+               return EINVAL;
+       }
+
+       memcpy(&tmp_drop_dest_policy, &necp_drop_dest_policy, sizeof(struct necp_drop_dest_policy));
+       error = sysctl_io_opaque(req, &tmp_drop_dest_policy, sizeof(struct necp_drop_dest_policy), &changed);
+       if (error != 0) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) sysctl_io_opaque() error %d", __func__, proc_best_name(p), pid, error);
+               return error;
+       }
+       if (changed == 0 || req->newptr == USER_ADDR_NULL) {
+               return error;
+       }
+
+       //
+       // Validate the passed parameters
+       //
+       if (tmp_drop_dest_policy.entry_count >= MAX_NECP_DROP_DEST_LEVEL_ADDRS) {
+               NECPLOG(LOG_ERR, "%s (process %s:%u) bad entry_count %u", __func__, proc_best_name(p), pid, tmp_drop_dest_policy.entry_count);
+               return EINVAL;
+       }
+       for (u_int32_t i = 0; i < tmp_drop_dest_policy.entry_count; i++) {
+               struct necp_drop_dest_entry *tmp_drop_dest_entry = &tmp_drop_dest_policy.entries[i];
+               struct necp_policy_condition_addr *npca = &tmp_drop_dest_entry->cond_addr;
+
+               switch (tmp_drop_dest_entry->level) {
+               case NECP_SESSION_PRIORITY_UNKNOWN:
+                       if (tmp_drop_dest_policy.entry_count != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) NECP_SESSION_PRIORITY_UNKNOWN bad entry_count %u", __func__, proc_best_name(p), pid, tmp_drop_dest_policy.entry_count);
+                               return EINVAL;
+                       }
+                       break;
+               case NECP_SESSION_PRIORITY_CONTROL:
+               case NECP_SESSION_PRIORITY_PRIVILEGED_TUNNEL:
+               case NECP_SESSION_PRIORITY_HIGH:
+               case NECP_SESSION_PRIORITY_DEFAULT:
+               case NECP_SESSION_PRIORITY_LOW:
+                       if (tmp_drop_dest_policy.entry_count == 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) priority %u entry_count 0", __func__, proc_best_name(p), pid, tmp_drop_dest_entry->level);
+                               return EINVAL;
+                       }
+                       break;
+               default: {
+                       NECPLOG(LOG_ERR, "%s (process %s:%u) bad level %u", __func__, proc_best_name(p), pid, tmp_drop_dest_entry->level);
+                       return EINVAL;
+               }
+               }
+
+               switch (npca->address.sa.sa_family) {
+               case AF_INET: {
+                       if (npca->prefix > 32) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad prefix %u", __func__, proc_best_name(p), pid, npca->prefix);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin.sin_len != sizeof(struct sockaddr_in)) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad sin_len %u", __func__, proc_best_name(p), pid, npca->address.sin.sin_len);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin.sin_port != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET bad sin_port %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin.sin_port);
+                               return EINVAL;
+                       }
+                       break;
+               }
+               case AF_INET6: {
+                       if (npca->prefix > 128) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad prefix %u", __func__, proc_best_name(p), pid, npca->prefix);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_len != sizeof(struct sockaddr_in6)) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_len %u", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_len);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_port != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_port %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_port);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_flowinfo != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_flowinfo %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_flowinfo);
+                               return EINVAL;
+                       }
+                       if (npca->address.sin6.sin6_scope_id != 0) {
+                               NECPLOG(LOG_ERR, "%s (process %s:%u) AF_INET6 bad sin6_scope_id %u, not zero", __func__, proc_best_name(p), pid, npca->address.sin6.sin6_scope_id);
+                               return EINVAL;
+                       }
+                       break;
+               }
+               default: {
+                       return EINVAL;
+               }
+               }
+       }
+
+       //
+       // Commit the changed policy
+       //
+       lck_rw_lock_exclusive(&necp_kernel_policy_lock);
+       memset(&necp_drop_dest_policy, 0, sizeof(struct necp_drop_dest_policy));
+
+       necp_drop_dest_policy.entry_count = tmp_drop_dest_policy.entry_count;
+       for (u_int32_t i = 0; i < tmp_drop_dest_policy.entry_count; i++) {
+               struct necp_drop_dest_entry *tmp_drop_dest_entry = &tmp_drop_dest_policy.entries[i];
+               struct necp_drop_dest_entry *necp_drop_dest_entry = &necp_drop_dest_policy.entries[i];
+
+               memcpy(necp_drop_dest_entry, tmp_drop_dest_entry, sizeof(struct necp_drop_dest_entry));
+
+               necp_drop_dest_entry->order = necp_get_first_order_for_priority(necp_drop_dest_entry->level);
+       }
+       lck_rw_done(&necp_kernel_policy_lock);
+
+       return 0;
  }
  }