]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/net/necp.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-7195.50.7.100.1.tar.gz
[apple/xnu.git] / bsd / net / necp.c
diff --git a/bsd/net/necp.c b/bsd/net/necp.c
index 0c014f0be174d69e74fdbbcf7b5f63f9b2816c4d..ac3b6fbb367d06dd38f1c4c9071d0b746ca8bc0b 100644 (file)
--- a/bsd/net/necp.c
+++ b/bsd/net/necp.c
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (c) 2013-2020 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
@@ -31,7 +31,6 @@
 #include <sys/types.h>
 #include <sys/queue.h>
 #include <sys/malloc.h>
 #include <sys/types.h>
 #include <sys/queue.h>
 #include <sys/malloc.h>
-#include <libkern/OSMalloc.h>
 #include <sys/kernel.h>
 #include <sys/kern_control.h>
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/kern_control.h>
 #include <sys/mbuf.h>
@@ -70,6 +69,7 @@
 #include <os/refcnt.h>
 #include <net/network_agent.h>
 #include <net/necp.h>
 #include <os/refcnt.h>
 #include <net/network_agent.h>
 #include <net/necp.h>
+#include <netinet/flow_divert_proto.h>
 
 /*
  * NECP - Network Extension Control Policy database
 
 /*
  * NECP - Network Extension Control Policy database
@@ -144,6 +144,8 @@ u_int32_t necp_drop_all_level = 0;
 u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
 u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
 u_int32_t necp_pass_interpose = 1; // 0=Off, 1=On
 u_int32_t necp_pass_loopback = 1; // 0=Off, 1=On
 u_int32_t necp_pass_keepalives = 1; // 0=Off, 1=On
 u_int32_t necp_pass_interpose = 1; // 0=Off, 1=On
+u_int32_t necp_restrict_multicast = 1; // 0=Off, 1=On
+u_int32_t necp_dedup_policies = 0; // 0=Off, 1=On
 
 u_int32_t necp_drop_unentitled_order = 0;
 #ifdef XNU_TARGET_OS_WATCH
 
 u_int32_t necp_drop_unentitled_order = 0;
 #ifdef XNU_TARGET_OS_WATCH
@@ -154,8 +156,17 @@ u_int32_t necp_drop_unentitled_level = 0;
 
 u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
 
 
 u_int32_t necp_debug = 0; // 0=None, 1=Basic, 2=EveryMatch
 
+os_log_t necp_log_handle = NULL;
+
 u_int32_t necp_session_count = 0;
 
 u_int32_t necp_session_count = 0;
 
+ZONE_DECLARE(necp_session_policy_zone, "necp_session_policy",
+    sizeof(struct necp_session_policy), ZC_ZFREE_CLEARMEM | ZC_NOENCRYPT);
+ZONE_DECLARE(necp_socket_policy_zone, "necp_socket_policy",
+    sizeof(struct necp_kernel_socket_policy), ZC_ZFREE_CLEARMEM | ZC_NOENCRYPT);
+ZONE_DECLARE(necp_ip_policy_zone, "necp_ip_policy",
+    sizeof(struct necp_kernel_ip_output_policy), ZC_ZFREE_CLEARMEM | ZC_NOENCRYPT);
+
 #define LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do {          \
        if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) {  \
                LIST_INSERT_HEAD((head), elm, field);                                                                           \
 #define LIST_INSERT_SORTED_ASCENDING(head, elm, field, sortfield, tmpelm) do {          \
        if (LIST_EMPTY((head)) || (LIST_FIRST(head)->sortfield >= (elm)->sortfield)) {  \
                LIST_INSERT_HEAD((head), elm, field);                                                                           \
@@ -227,7 +238,9 @@ u_int32_t necp_session_count = 0;
 #define NECP_KERNEL_CONDITION_LOCAL_EMPTY                       0x1000000
 #define NECP_KERNEL_CONDITION_REMOTE_EMPTY                      0x2000000
 #define NECP_KERNEL_CONDITION_PLATFORM_BINARY                   0x4000000
 #define NECP_KERNEL_CONDITION_LOCAL_EMPTY                       0x1000000
 #define NECP_KERNEL_CONDITION_REMOTE_EMPTY                      0x2000000
 #define NECP_KERNEL_CONDITION_PLATFORM_BINARY                   0x4000000
-#define NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER                0x8000000
+#define NECP_KERNEL_CONDITION_SDK_VERSION                       0x8000000
+#define NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER                0x10000000
+#define NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS                0x20000000
 
 #define NECP_MAX_POLICY_RESULT_SIZE                                     512
 #define NECP_MAX_ROUTE_RULES_ARRAY_SIZE                         1024
 
 #define NECP_MAX_POLICY_RESULT_SIZE                                     512
 #define NECP_MAX_ROUTE_RULES_ARRAY_SIZE                         1024
@@ -379,13 +392,13 @@ static bool necp_policy_mark_all_for_deletion(struct necp_session *session);
 static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
 static void necp_policy_apply_all(struct necp_session *session);
 
 static bool necp_policy_delete(struct necp_session *session, struct necp_session_policy *policy);
 static void necp_policy_apply_all(struct necp_session *session);
 
-static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, u_int32_t cond_client_flags, char *cond_signing_identifier, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
+static necp_kernel_policy_id necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, struct necp_policy_condition_sdk_version *cond_sdk_version, u_int32_t cond_client_flags, char *cond_signing_identifier, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
 static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_socket_policies_reprocess(void);
 static bool necp_kernel_socket_policies_update_uuid_table(void);
 static bool necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_socket_policies_reprocess(void);
 static bool necp_kernel_socket_policies_update_uuid_table(void);
-static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass);
+static inline struct necp_kernel_socket_policy *necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy **policy_search_array, struct necp_socket_info *info, necp_kernel_policy_filter *return_filter, u_int32_t *return_route_rule_id_array, size_t *return_route_rule_id_array_count, size_t route_rule_id_array_count, necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service, u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, proc_t proc, u_int16_t pf_tag, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass, u_int32_t *return_flow_divert_aggregate_unit);
 
 
-static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
+static necp_kernel_policy_id necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter);
 static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_ip_output_policies_reprocess(void);
 
 static bool necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id);
 static bool necp_kernel_ip_output_policies_reprocess(void);
 
@@ -480,6 +493,8 @@ static int sysctl_handle_necp_level SYSCTL_HANDLER_ARGS;
 static int sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS;
 
 SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
 static int sysctl_handle_necp_unentitled_level SYSCTL_HANDLER_ARGS;
 
 SYSCTL_NODE(_net, OID_AUTO, necp, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "NECP");
+SYSCTL_INT(_net_necp, NECPCTL_DEDUP_POLICIES, dedup_policies, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_dedup_policies, 0, "");
+SYSCTL_INT(_net_necp, NECPCTL_RESTRICT_MULTICAST, restrict_multicast, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_restrict_multicast, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_INTERPOSE, pass_interpose, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_interpose, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_LOOPBACK, pass_loopback, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_loopback, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_KEEPALIVES, pass_keepalives, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_keepalives, 0, "");
 SYSCTL_INT(_net_necp, NECPCTL_PASS_INTERPOSE, pass_interpose, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_pass_interpose, 0, "");
@@ -576,6 +591,12 @@ static const struct fileops necp_session_fd_ops = {
        .fo_kqfilter = fo_no_kqfilter,
 };
 
        .fo_kqfilter = fo_no_kqfilter,
 };
 
+static inline int
+necp_is_platform_binary(proc_t proc)
+{
+       return (proc != NULL) ? (csproc_get_platform_binary(proc) && cs_valid(proc)) : 0;
+}
+
 static inline necp_drop_all_bypass_check_result_t
 necp_check_drop_all_bypass_result(proc_t proc)
 {
 static inline necp_drop_all_bypass_check_result_t
 necp_check_drop_all_bypass_result(proc_t proc)
 {
@@ -588,7 +609,7 @@ necp_check_drop_all_bypass_result(proc_t proc)
 
 #if defined(XNU_TARGET_OS_OSX)
        const char *signing_id = NULL;
 
 #if defined(XNU_TARGET_OS_OSX)
        const char *signing_id = NULL;
-       const bool isConfigd = (csproc_get_platform_binary(proc) &&
+       const bool isConfigd = (necp_is_platform_binary(proc) &&
            (signing_id = cs_identity_get(proc)) &&
            (strlen(signing_id) == SIGNING_ID_CONFIGD_LEN) &&
            (memcmp(signing_id, SIGNING_ID_CONFIGD, SIGNING_ID_CONFIGD_LEN) == 0));
            (signing_id = cs_identity_get(proc)) &&
            (strlen(signing_id) == SIGNING_ID_CONFIGD_LEN) &&
            (memcmp(signing_id, SIGNING_ID_CONFIGD, SIGNING_ID_CONFIGD_LEN) == 0));
@@ -632,9 +653,9 @@ necp_session_open(struct proc *p, struct necp_session_open_args *uap, int *retva
                goto done;
        }
 
                goto done;
        }
 
-       fp->f_fglob->fg_flag = 0;
-       fp->f_fglob->fg_ops = &necp_session_fd_ops;
-       fp->f_fglob->fg_data = session;
+       fp->fp_glob->fg_flag = 0;
+       fp->fp_glob->fg_ops = &necp_session_fd_ops;
+       fp->fp_glob->fg_data = session;
 
        proc_fdlock(p);
        FDFLAGS_SET(p, fd, (UF_EXCLOSE | UF_FORKCLOSE));
 
        proc_fdlock(p);
        FDFLAGS_SET(p, fd, (UF_EXCLOSE | UF_FORKCLOSE));
@@ -672,32 +693,22 @@ necp_session_op_close(struct fileglob *fg, vfs_context_t ctx)
 }
 
 static int
 }
 
 static int
-necp_session_find_from_fd(int fd, struct necp_session **session)
+necp_session_find_from_fd(struct proc *p, int fd,
+    struct fileproc **fpp, struct necp_session **session)
 {
 {
-       proc_t p = current_proc();
        struct fileproc *fp = NULL;
        struct fileproc *fp = NULL;
-       int error = 0;
-
-       proc_fdlock_spin(p);
-       if ((error = fp_lookup(p, fd, &fp, 1)) != 0) {
-               goto done;
-       }
-       if (fp->f_fglob->fg_ops->fo_type != DTYPE_NETPOLICY) {
-               fp_drop(p, fd, fp, 1);
-               error = ENODEV;
-               goto done;
-       }
-       *session = (struct necp_session *)fp->f_fglob->fg_data;
+       int error = fp_get_ftype(p, fd, DTYPE_NETPOLICY, ENODEV, &fp);
 
 
-       if ((*session)->necp_fd_type != necp_fd_type_session) {
-               // Not a client fd, ignore
-               fp_drop(p, fd, fp, 1);
-               error = EINVAL;
-               goto done;
+       if (error == 0) {
+               *fpp = fp;
+               *session = (struct necp_session *)fp->fp_glob->fg_data;
+               if ((*session)->necp_fd_type != necp_fd_type_session) {
+                       // Not a client fd, ignore
+                       fp_drop(p, fd, fp, 0);
+                       error = EINVAL;
+               }
        }
 
        }
 
-done:
-       proc_fdunlock(p);
        return error;
 }
 
        return error;
 }
 
@@ -708,13 +719,13 @@ necp_session_add_policy(struct necp_session *session, struct necp_session_action
        u_int8_t *tlv_buffer = NULL;
 
        if (uap->in_buffer_length == 0 || uap->in_buffer_length > NECP_MAX_POLICY_SIZE || uap->in_buffer == 0) {
        u_int8_t *tlv_buffer = NULL;
 
        if (uap->in_buffer_length == 0 || uap->in_buffer_length > NECP_MAX_POLICY_SIZE || uap->in_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_add_policy invalid input (%zu)", uap->in_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_add_policy invalid input (%zu)", (size_t)uap->in_buffer_length);
                error = EINVAL;
                goto done;
        }
 
        if (uap->out_buffer_length < sizeof(necp_policy_id) || uap->out_buffer == 0) {
                error = EINVAL;
                goto done;
        }
 
        if (uap->out_buffer_length < sizeof(necp_policy_id) || uap->out_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_add_policy invalid output buffer (%zu)", uap->out_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_add_policy invalid output buffer (%zu)", (size_t)uap->out_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -759,7 +770,7 @@ necp_session_get_policy(struct necp_session *session, struct necp_session_action
        u_int8_t *response = NULL;
 
        if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
        u_int8_t *response = NULL;
 
        if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_get_policy invalid input (%zu)", uap->in_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_get_policy invalid input (%zu)", (size_t)uap->in_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -783,7 +794,7 @@ necp_session_get_policy(struct necp_session *session, struct necp_session_action
        u_int32_t response_size = order_tlv_size + result_tlv_size + policy->conditions_size;
 
        if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
        u_int32_t response_size = order_tlv_size + result_tlv_size + policy->conditions_size;
 
        if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_get_policy buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
+               NECPLOG(LOG_ERR, "necp_session_get_policy buffer not large enough (%zu < %u)", (size_t)uap->out_buffer_length, response_size);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -831,7 +842,7 @@ necp_session_delete_policy(struct necp_session *session, struct necp_session_act
        int error = 0;
 
        if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
        int error = 0;
 
        if (uap->in_buffer_length < sizeof(necp_policy_id) || uap->in_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_delete_policy invalid input (%zu)", uap->in_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_delete_policy invalid input (%zu)", (size_t)uap->in_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -890,7 +901,7 @@ necp_session_list_all(struct necp_session *session, struct necp_session_action_a
 
        response_size = num_policies * tlv_size;
        if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
 
        response_size = num_policies * tlv_size;
        if (uap->out_buffer_length < response_size || uap->out_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_list_all buffer not large enough (%u < %u)", uap->out_buffer_length, response_size);
+               NECPLOG(LOG_ERR, "necp_session_list_all buffer not large enough (%zu < %u)", (size_t)uap->out_buffer_length, response_size);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -944,7 +955,7 @@ necp_session_set_session_priority(struct necp_session *session, struct necp_sess
        struct necp_session_policy *temp_policy = NULL;
 
        if (uap->in_buffer_length < sizeof(necp_session_priority) || uap->in_buffer == 0) {
        struct necp_session_policy *temp_policy = NULL;
 
        if (uap->in_buffer_length < sizeof(necp_session_priority) || uap->in_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_set_session_priority invalid input (%zu)", uap->in_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_set_session_priority invalid input (%zu)", (size_t)uap->in_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -1000,7 +1011,7 @@ necp_session_register_service(struct necp_session *session, struct necp_session_
        struct necp_service_registration *new_service = NULL;
 
        if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
        struct necp_service_registration *new_service = NULL;
 
        if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_register_service invalid input (%zu)", uap->in_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_register_service invalid input (%zu)", (size_t)uap->in_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -1039,7 +1050,7 @@ necp_session_unregister_service(struct necp_session *session, struct necp_sessio
        struct necp_uuid_id_mapping *mapping = NULL;
 
        if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
        struct necp_uuid_id_mapping *mapping = NULL;
 
        if (uap->in_buffer_length < sizeof(uuid_t) || uap->in_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_unregister_service invalid input (%zu)", uap->in_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_unregister_service invalid input (%zu)", (size_t)uap->in_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -1078,7 +1089,7 @@ necp_session_dump_all(struct necp_session *session, struct necp_session_action_a
        int error = 0;
 
        if (uap->out_buffer_length == 0 || uap->out_buffer == 0) {
        int error = 0;
 
        if (uap->out_buffer_length == 0 || uap->out_buffer == 0) {
-               NECPLOG(LOG_ERR, "necp_session_dump_all invalid output buffer (%zu)", uap->out_buffer_length);
+               NECPLOG(LOG_ERR, "necp_session_dump_all invalid output buffer (%zu)", (size_t)uap->out_buffer_length);
                error = EINVAL;
                goto done;
        }
                error = EINVAL;
                goto done;
        }
@@ -1092,11 +1103,12 @@ done:
 int
 necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *retval)
 {
 int
 necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *retval)
 {
-#pragma unused(p)
+       struct fileproc *fp;
        int error = 0;
        int return_value = 0;
        struct necp_session *session = NULL;
        int error = 0;
        int return_value = 0;
        struct necp_session *session = NULL;
-       error = necp_session_find_from_fd(uap->necp_fd, &session);
+
+       error = necp_session_find_from_fd(p, uap->necp_fd, &fp, &session);
        if (error != 0) {
                NECPLOG(LOG_ERR, "necp_session_action find fd error (%d)", error);
                return error;
        if (error != 0) {
                NECPLOG(LOG_ERR, "necp_session_action find fd error (%d)", error);
                return error;
@@ -1173,8 +1185,7 @@ necp_session_action(struct proc *p, struct necp_session_action_args *uap, int *r
 
 done:
        NECP_SESSION_UNLOCK(session);
 
 done:
        NECP_SESSION_UNLOCK(session);
-       file_drop(uap->necp_fd);
-
+       fp_drop(p, uap->necp_fd, fp, 0);
        return return_value;
 }
 
        return return_value;
 }
 
@@ -1294,6 +1305,8 @@ necp_init(void)
 {
        errno_t result = 0;
 
 {
        errno_t result = 0;
 
+       necp_log_handle = os_log_create("com.apple.xnu.net.necp", "necp");
+
        necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
        if (necp_kernel_policy_grp_attr == NULL) {
                NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
        necp_kernel_policy_grp_attr = lck_grp_attr_alloc_init();
        if (necp_kernel_policy_grp_attr == NULL) {
                NECPLOG0(LOG_ERR, "lck_grp_attr_alloc_init failed");
@@ -1606,7 +1619,7 @@ necp_get_tlv_at_offset(u_int8_t *buffer, u_int32_t buffer_length,
 
        // Validate that buffer has enough room for any TLV
        if (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) > buffer_length) {
 
        // Validate that buffer has enough room for any TLV
        if (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) > buffer_length) {
-               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV (%u < %u)",
+               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV (%u < %lu)",
                    buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
                return EINVAL;
        }
                    buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t));
                return EINVAL;
        }
@@ -1614,7 +1627,7 @@ necp_get_tlv_at_offset(u_int8_t *buffer, u_int32_t buffer_length,
        // Validate that buffer has enough room for this TLV
        u_int32_t tlv_length = necp_buffer_get_tlv_length(buffer, tlv_offset);
        if (tlv_length > buffer_length - (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t))) {
        // Validate that buffer has enough room for this TLV
        u_int32_t tlv_length = necp_buffer_get_tlv_length(buffer, tlv_offset);
        if (tlv_length > buffer_length - (tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t))) {
-               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV of length %u (%u < %u)",
+               NECPLOG(LOG_ERR, "necp_get_tlv_at_offset buffer_length is too small for TLV of length %u (%u < %lu)",
                    tlv_length, buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) + tlv_length);
                return EINVAL;
        }
                    tlv_length, buffer_length, tlv_offset + sizeof(u_int8_t) + sizeof(u_int32_t) + tlv_length);
                return EINVAL;
        }
@@ -1790,12 +1803,18 @@ necp_policy_result_is_valid(u_int8_t *buffer, u_int32_t length)
        u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
        u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
        switch (type) {
        u_int8_t type = necp_policy_result_get_type_from_buffer(buffer, length);
        u_int32_t parameter_length = necp_policy_result_get_parameter_length_from_buffer(buffer, length);
        switch (type) {
-       case NECP_POLICY_RESULT_PASS:
+       case NECP_POLICY_RESULT_PASS: {
+               if (parameter_length == 0 || parameter_length == sizeof(u_int32_t)) {
+                       validated = TRUE;
+               }
+               break;
+       }
+       case NECP_POLICY_RESULT_DROP: {
                if (parameter_length == 0 || parameter_length == sizeof(u_int32_t)) {
                        validated = TRUE;
                }
                break;
                if (parameter_length == 0 || parameter_length == sizeof(u_int32_t)) {
                        validated = TRUE;
                }
                break;
-       case NECP_POLICY_RESULT_DROP:
+       }
        case NECP_POLICY_RESULT_ROUTE_RULES:
        case NECP_POLICY_RESULT_SCOPED_DIRECT:
        case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
        case NECP_POLICY_RESULT_ROUTE_RULES:
        case NECP_POLICY_RESULT_SCOPED_DIRECT:
        case NECP_POLICY_RESULT_ALLOW_UNENTITLED: {
@@ -1899,7 +1918,8 @@ static inline bool
 necp_policy_condition_requires_real_application(u_int8_t *buffer, u_int32_t length)
 {
        u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
 necp_policy_condition_requires_real_application(u_int8_t *buffer, u_int32_t length)
 {
        u_int8_t type = necp_policy_condition_get_type_from_buffer(buffer, length);
-       return type == NECP_POLICY_CONDITION_ENTITLEMENT;
+       u_int32_t condition_length = necp_policy_condition_get_value_length_from_buffer(buffer, length);
+       return type == NECP_POLICY_CONDITION_ENTITLEMENT && condition_length > 0;
 }
 
 static bool
 }
 
 static bool
@@ -1959,6 +1979,13 @@ necp_policy_condition_is_valid(u_int8_t *buffer, u_int32_t length, u_int8_t poli
                }
                break;
        }
                }
                break;
        }
+       case NECP_POLICY_CONDITION_SDK_VERSION: {
+               if (!(flags & NECP_POLICY_CONDITION_FLAGS_NEGATIVE) &&
+                   condition_length >= sizeof(struct necp_policy_condition_sdk_version)) {
+                       validated = TRUE;
+               }
+               break;
+       }
        case NECP_POLICY_CONDITION_IP_PROTOCOL: {
                if (condition_length >= sizeof(u_int16_t)) {
                        validated = TRUE;
        case NECP_POLICY_CONDITION_IP_PROTOCOL: {
                if (condition_length >= sizeof(u_int16_t)) {
                        validated = TRUE;
@@ -2040,6 +2067,15 @@ necp_policy_condition_is_valid(u_int8_t *buffer, u_int32_t length, u_int8_t poli
                validated = TRUE;
                break;
        }
                validated = TRUE;
                break;
        }
+       case NECP_POLICY_CONDITION_PACKET_FILTER_TAGS: {
+               if (condition_length >= sizeof(u_int16_t)) {
+                       u_int16_t packet_filter_tags = *(u_int16_t *)(void *)condition_value;
+                       if (packet_filter_tags > 0 && packet_filter_tags <= NECP_POLICY_CONDITION_PACKET_FILTER_TAG_MAX) {
+                               validated = TRUE;
+                       }
+               }
+               break;
+       }
        default: {
                validated = FALSE;
                break;
        default: {
                validated = FALSE;
                break;
@@ -2547,13 +2583,13 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
 
        MALLOC(tlv_buffer_pointers, u_int8_t * *, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
        if (tlv_buffer_pointers == NULL) {
 
        MALLOC(tlv_buffer_pointers, u_int8_t * *, sizeof(u_int8_t *) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
        if (tlv_buffer_pointers == NULL) {
-               NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%u bytes)", sizeof(u_int8_t *) * policy_count);
+               NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_pointers (%lu bytes)", sizeof(u_int8_t *) * policy_count);
                UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
        }
 
        MALLOC(tlv_buffer_lengths, u_int32_t *, sizeof(u_int32_t) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
        if (tlv_buffer_lengths == NULL) {
                UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
        }
 
        MALLOC(tlv_buffer_lengths, u_int32_t *, sizeof(u_int32_t) * policy_count, M_NECP, M_NOWAIT | M_ZERO);
        if (tlv_buffer_lengths == NULL) {
-               NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_lengths (%u bytes)", sizeof(u_int32_t) * policy_count);
+               NECPLOG(LOG_DEBUG, "Failed to allocate tlv_buffer_lengths (%lu bytes)", sizeof(u_int32_t) * policy_count);
                UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
        }
 
                UNLOCK_AND_REPORT_ERROR(&necp_kernel_policy_lock, NECP_ERROR_INTERNAL);
        }
 
@@ -2651,6 +2687,10 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
                        if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
                                num_conditions++;
                        }
                        if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
                                num_conditions++;
                        }
+                       if (condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+                               condition_tlv_length += sizeof(struct necp_policy_condition_sdk_version);
+                               num_conditions++;
+                       }
                        if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
                                num_conditions++;
                        }
                        if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) {
                                num_conditions++;
                        }
@@ -2689,6 +2729,10 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
                                condition_tlv_length += identifier_len;
                                num_conditions++;
                        }
                                condition_tlv_length += identifier_len;
                                num_conditions++;
                        }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                               condition_tlv_length += sizeof(u_int16_t);
+                               num_conditions++;
+                       }
                }
 
                condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
                }
 
                condition_tlv_length += num_conditions * (sizeof(u_int8_t) + sizeof(u_int32_t)); // These are for the condition TLVs. The space for "value" is already accounted for above.
@@ -2792,6 +2836,11 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
                        if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
                                cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PLATFORM_BINARY, 0, "", cond_buf, condition_tlv_length);
                        }
                        if (condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
                                cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PLATFORM_BINARY, 0, "", cond_buf, condition_tlv_length);
                        }
+                       if (condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_SDK_VERSION,
+                                   sizeof(policy->cond_sdk_version), &policy->cond_sdk_version,
+                                   cond_buf, condition_tlv_length);
+                       }
                        if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                                if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                        struct necp_policy_condition_addr_range range;
                        if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) {
                                if (condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) {
                                        struct necp_policy_condition_addr_range range;
@@ -2840,6 +2889,9 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
                                cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_SIGNING_IDENTIFIER, strlen(policy->cond_signing_identifier) + 1, policy->cond_signing_identifier,
                                    cond_buf, condition_tlv_length);
                        }
                                cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_SIGNING_IDENTIFIER, strlen(policy->cond_signing_identifier) + 1, policy->cond_signing_identifier,
                                    cond_buf, condition_tlv_length);
                        }
+                       if (condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                               cond_buf_cursor = necp_buffer_write_tlv(cond_buf_cursor, NECP_POLICY_CONDITION_PACKET_FILTER_TAGS, sizeof(policy->cond_packet_filter_tags), &policy->cond_packet_filter_tags, cond_buf, condition_tlv_length);
+                       }
                }
 
                cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf, tlv_buffer, total_allocated_bytes);
                }
 
                cursor = necp_buffer_write_tlv(cursor, NECP_TLV_POLICY_CONDITION, cond_buf_cursor - cond_buf, cond_buf, tlv_buffer, total_allocated_bytes);
@@ -2860,14 +2912,14 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
        // Copy out
        if (out_buffer != 0) {
                if (out_buffer_length < total_tlv_len + sizeof(u_int32_t)) {
        // Copy out
        if (out_buffer != 0) {
                if (out_buffer_length < total_tlv_len + sizeof(u_int32_t)) {
-                       NECPLOG(LOG_DEBUG, "out_buffer_length too small (%u < %u)", out_buffer_length, total_tlv_len + sizeof(u_int32_t));
+                       NECPLOG(LOG_DEBUG, "out_buffer_length too small (%lu < %lu)", out_buffer_length, total_tlv_len + sizeof(u_int32_t));
                        REPORT_ERROR(NECP_ERROR_INVALID_TLV);
                }
 
                // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
                MALLOC(result_buf, u_int8_t *, total_tlv_len + sizeof(u_int32_t), M_NECP, M_WAITOK | M_ZERO);
                if (result_buf == NULL) {
                        REPORT_ERROR(NECP_ERROR_INVALID_TLV);
                }
 
                // Allow malloc to wait, since the total buffer may be large and we are not holding any locks
                MALLOC(result_buf, u_int8_t *, total_tlv_len + sizeof(u_int32_t), M_NECP, M_WAITOK | M_ZERO);
                if (result_buf == NULL) {
-                       NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
+                       NECPLOG(LOG_DEBUG, "Failed to allocate result_buffer (%lu bytes)", total_tlv_len + sizeof(u_int32_t));
                        REPORT_ERROR(NECP_ERROR_INTERNAL);
                }
 
                        REPORT_ERROR(NECP_ERROR_INTERNAL);
                }
 
@@ -2885,7 +2937,7 @@ necp_handle_policy_dump_all(user_addr_t out_buffer, size_t out_buffer_length)
 
                int copy_error = copyout(result_buf, out_buffer, total_tlv_len + sizeof(u_int32_t));
                if (copy_error) {
 
                int copy_error = copyout(result_buf, out_buffer, total_tlv_len + sizeof(u_int32_t));
                if (copy_error) {
-                       NECPLOG(LOG_DEBUG, "Failed to copy out result_buffer (%u bytes)", total_tlv_len + sizeof(u_int32_t));
+                       NECPLOG(LOG_DEBUG, "Failed to copy out result_buffer (%lu bytes)", total_tlv_len + sizeof(u_int32_t));
                        REPORT_ERROR(NECP_ERROR_INTERNAL);
                }
        }
                        REPORT_ERROR(NECP_ERROR_INTERNAL);
                }
        }
@@ -2931,12 +2983,7 @@ necp_policy_create(struct necp_session *session, necp_policy_order order, u_int8
                goto done;
        }
 
                goto done;
        }
 
-       MALLOC_ZONE(new_policy, struct necp_session_policy *, sizeof(*new_policy), M_NECP_SESSION_POLICY, M_WAITOK);
-       if (new_policy == NULL) {
-               goto done;
-       }
-
-       memset(new_policy, 0, sizeof(*new_policy)); // M_ZERO is not supported for MALLOC_ZONE
+       new_policy = zalloc_flags(necp_session_policy_zone, Z_WAITOK | Z_ZERO);
        new_policy->applied = FALSE;
        new_policy->pending_deletion = FALSE;
        new_policy->pending_update = FALSE;
        new_policy->applied = FALSE;
        new_policy->pending_deletion = FALSE;
        new_policy->pending_update = FALSE;
@@ -3059,7 +3106,7 @@ necp_policy_delete(struct necp_session *session, struct necp_session_policy *pol
                policy->route_rules = NULL;
        }
 
                policy->route_rules = NULL;
        }
 
-       FREE_ZONE(policy, sizeof(*policy), M_NECP_SESSION_POLICY);
+       zfree(necp_session_policy_zone, policy);
 
        if (necp_debug) {
                NECPLOG0(LOG_DEBUG, "Removed NECP policy");
 
        if (necp_debug) {
                NECPLOG0(LOG_DEBUG, "Removed NECP policy");
@@ -3183,6 +3230,8 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        u_int8_t ultimate_result = 0;
        u_int32_t secondary_result = 0;
        struct necp_policy_condition_agent_type cond_agent_type = {};
        u_int8_t ultimate_result = 0;
        u_int32_t secondary_result = 0;
        struct necp_policy_condition_agent_type cond_agent_type = {};
+       struct necp_policy_condition_sdk_version cond_sdk_version = {};
+       u_int16_t cond_packet_filter_tags = 0;
        necp_kernel_policy_result_parameter secondary_result_parameter;
        memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
        u_int32_t cond_last_interface_index = 0;
        necp_kernel_policy_result_parameter secondary_result_parameter;
        memset(&secondary_result_parameter, 0, sizeof(secondary_result_parameter));
        u_int32_t cond_last_interface_index = 0;
@@ -3240,6 +3289,14 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
                        socket_only_conditions = TRUE;
                        break;
                }
                        socket_only_conditions = TRUE;
                        break;
                }
+               case NECP_POLICY_CONDITION_SDK_VERSION: {
+                       if (condition_length >= sizeof(cond_sdk_version)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_SDK_VERSION;
+                               memcpy(&cond_sdk_version, condition_value, sizeof(cond_sdk_version));
+                               socket_only_conditions = TRUE;
+                       }
+                       break;
+               }
                case NECP_POLICY_CONDITION_DOMAIN: {
                        // Make sure there is only one such rule
                        if (condition_length > 0 && cond_domain == NULL) {
                case NECP_POLICY_CONDITION_DOMAIN: {
                        // Make sure there is only one such rule
                        if (condition_length > 0 && cond_domain == NULL) {
@@ -3528,6 +3585,17 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
                        }
                        break;
                }
                        }
                        break;
                }
+               case NECP_POLICY_CONDITION_PACKET_FILTER_TAGS: {
+                       if (condition_length >= sizeof(u_int16_t)) {
+                               master_condition_mask |= NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS;
+                               if (condition_is_negative) {
+                                       master_condition_negated_mask |= NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS;
+                               }
+                               memcpy(&cond_packet_filter_tags, condition_value, sizeof(cond_packet_filter_tags));
+                               socket_ip_conditions = TRUE;
+                       }
+                       break;
+               }
                default: {
                        break;
                }
                default: {
                        break;
                }
@@ -3557,6 +3625,12 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
                break;
        }
        case NECP_POLICY_RESULT_DROP: {
                break;
        }
        case NECP_POLICY_RESULT_DROP: {
+               u_int32_t drop_flags = 0;
+               if (necp_policy_result_get_parameter_length_from_buffer(policy->result, policy->result_size) > 0) {
+                       if (necp_policy_get_result_parameter(policy, (u_int8_t *)&drop_flags, sizeof(drop_flags))) {
+                               ultimate_result_parameter.drop_flags = drop_flags;
+                       }
+               }
                if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
                        socket_layer_non_id_conditions = TRUE;
                } else if (socket_ip_conditions) {
                if (socket_only_conditions) {         // socket_ip_conditions can be TRUE or FALSE
                        socket_layer_non_id_conditions = TRUE;
                } else if (socket_ip_conditions) {
@@ -3708,7 +3782,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        }
 
        if (socket_layer_non_id_conditions) {
        }
 
        if (socket_layer_non_id_conditions) {
-               necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, &cond_agent_type, cond_client_flags, cond_signing_identifier, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_socket_policy_add(policy->order, session->session_order, session->proc_pid, master_condition_mask, master_condition_negated_mask, cond_app_id, cond_real_app_id, cond_custom_entitlement, cond_account_id, cond_domain, cond_pid, cond_uid, cond_bound_interface, cond_traffic_class, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, &cond_agent_type, &cond_sdk_version, cond_client_flags, cond_signing_identifier, cond_packet_filter_tags, ultimate_result, ultimate_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying socket kernel policy");
@@ -3725,7 +3799,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
                        condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
                }
 
                        condition_mask |= NECP_KERNEL_CONDITION_POLICY_ID;
                }
 
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS, session->session_order, session->proc_pid, condition_mask, master_condition_negated_mask, NECP_KERNEL_POLICY_ID_NONE, cond_bound_interface, 0, cond_protocol, &cond_local_start, &cond_local_end, cond_local_prefix, &cond_remote_start, &cond_remote_end, cond_remote_prefix, cond_packet_filter_tags, ultimate_result, ultimate_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3736,7 +3810,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        }
 
        if (ip_output_layer_id_condition) {
        }
 
        if (ip_output_layer_id_condition) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, ultimate_result, ultimate_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, cond_ip_output_layer_id, NULL, 0, 0, NULL, NULL, 0, NULL, NULL, 0, 0, ultimate_result, ultimate_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3748,7 +3822,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
 
        // Extra policies for IP Output tunnels for when packets loop back
        if (ip_output_layer_tunnel_condition_from_id) {
 
        // Extra policies for IP Output tunnels for when packets loop back
        if (ip_output_layer_tunnel_condition_from_id) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_NON_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_NON_ID_CONDITIONS], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, 0, secondary_result, secondary_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3759,7 +3833,7 @@ necp_policy_apply(struct necp_session *session, struct necp_session_policy *poli
        }
 
        if (ip_output_layer_tunnel_condition_from_id) {
        }
 
        if (ip_output_layer_tunnel_condition_from_id) {
-               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, secondary_result, secondary_result_parameter);
+               necp_kernel_policy_id policy_id = necp_kernel_ip_output_policy_add(policy->order, NECP_KERNEL_POLICY_SUBORDER_ID_TUNNEL_CONDITION, session->session_order, session->proc_pid, NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_ALL_INTERFACES, 0, policy->kernel_ip_output_policies[NECP_KERNEL_POLICY_SUBORDER_ID_CONDITION], NULL, cond_last_interface_index, 0, NULL, NULL, 0, NULL, NULL, 0, 0, secondary_result, secondary_result_parameter);
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
 
                if (policy_id == 0) {
                        NECPLOG0(LOG_DEBUG, "Error applying IP output kernel policy");
@@ -3877,20 +3951,16 @@ necp_kernel_policy_get_new_id(bool socket_level)
        return newid;
 }
 
        return newid;
 }
 
-#define NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT | NECP_KERNEL_CONDITION_AGENT_TYPE | NECP_KERNEL_CONDITION_HAS_CLIENT | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_CLIENT_FLAGS | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_PLATFORM_BINARY | NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER)
+#define NECP_KERNEL_VALID_SOCKET_CONDITIONS (NECP_KERNEL_CONDITION_APP_ID | NECP_KERNEL_CONDITION_REAL_APP_ID | NECP_KERNEL_CONDITION_DOMAIN | NECP_KERNEL_CONDITION_ACCOUNT_ID | NECP_KERNEL_CONDITION_PID | NECP_KERNEL_CONDITION_UID | NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_TRAFFIC_CLASS | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_ENTITLEMENT | NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT | NECP_KERNEL_CONDITION_AGENT_TYPE | NECP_KERNEL_CONDITION_HAS_CLIENT | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_CLIENT_FLAGS | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_PLATFORM_BINARY | NECP_KERNEL_CONDITION_SDK_VERSION | NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER | NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS)
 
 static necp_kernel_policy_id
 
 static necp_kernel_policy_id
-necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, u_int32_t cond_client_flags, char *cond_signing_identifier, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
+necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_app_id cond_app_id, necp_app_id cond_real_app_id, char *cond_custom_entitlement, u_int32_t cond_account_id, char *cond_domain, pid_t cond_pid, uid_t cond_uid, ifnet_t cond_bound_interface, struct necp_policy_condition_tc_range cond_traffic_class, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, struct necp_policy_condition_agent_type *cond_agent_type, struct necp_policy_condition_sdk_version *cond_sdk_version, u_int32_t cond_client_flags, char *cond_signing_identifier, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
 {
        struct necp_kernel_socket_policy *new_kernel_policy = NULL;
        struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
 
 {
        struct necp_kernel_socket_policy *new_kernel_policy = NULL;
        struct necp_kernel_socket_policy *tmp_kernel_policy = NULL;
 
-       MALLOC_ZONE(new_kernel_policy, struct necp_kernel_socket_policy *, sizeof(*new_kernel_policy), M_NECP_SOCKET_POLICY, M_WAITOK);
-       if (new_kernel_policy == NULL) {
-               goto done;
-       }
+       new_kernel_policy = zalloc_flags(necp_socket_policy_zone, Z_WAITOK | Z_ZERO);
 
 
-       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
        new_kernel_policy->id = necp_kernel_policy_get_new_id(true);
        new_kernel_policy->order = order;
        new_kernel_policy->session_order = session_order;
        new_kernel_policy->id = necp_kernel_policy_get_new_id(true);
        new_kernel_policy->order = order;
        new_kernel_policy->session_order = session_order;
@@ -3904,8 +3974,8 @@ necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order,
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REAL_APP_ID;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_REAL_APP_ID;
        }
-       if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
-               new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_ENTITLEMENT;
+       if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) && !(new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID)) {
+               new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
        }
        if ((new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) && (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX)) {
                new_kernel_policy->condition_mask &= ~NECP_KERNEL_CONDITION_LOCAL_PREFIX;
@@ -3978,12 +4048,18 @@ necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order,
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
                memcpy(&new_kernel_policy->cond_agent_type, cond_agent_type, sizeof(*cond_agent_type));
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) {
                memcpy(&new_kernel_policy->cond_agent_type, cond_agent_type, sizeof(*cond_agent_type));
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+               memcpy(&new_kernel_policy->cond_sdk_version, cond_sdk_version, sizeof(*cond_sdk_version));
+       }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
                new_kernel_policy->cond_client_flags = cond_client_flags;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
                new_kernel_policy->cond_signing_identifier = cond_signing_identifier;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) {
                new_kernel_policy->cond_client_flags = cond_client_flags;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) {
                new_kernel_policy->cond_signing_identifier = cond_signing_identifier;
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               new_kernel_policy->cond_packet_filter_tags = cond_packet_filter_tags;
+       }
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
@@ -3992,7 +4068,7 @@ necp_kernel_socket_policy_add(necp_policy_order order, u_int32_t session_order,
                NECPLOG(LOG_DEBUG, "Added kernel policy: socket, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
                NECPLOG(LOG_DEBUG, "Added kernel policy: socket, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_TWICE_ASCENDING(&necp_kernel_socket_policies, new_kernel_policy, chain, session_order, order, tmp_kernel_policy);
-done:
+
        return new_kernel_policy ? new_kernel_policy->id : 0;
 }
 
        return new_kernel_policy ? new_kernel_policy->id : 0;
 }
 
@@ -4046,7 +4122,7 @@ necp_kernel_socket_policy_delete(necp_kernel_policy_id policy_id)
                        policy->cond_signing_identifier = NULL;
                }
 
                        policy->cond_signing_identifier = NULL;
                }
 
-               FREE_ZONE(policy, sizeof(*policy), M_NECP_SOCKET_POLICY);
+               zfree(necp_socket_policy_zone, policy);
                return TRUE;
        }
 
                return TRUE;
        }
 
@@ -4071,7 +4147,7 @@ necp_get_result_description(char *result_string, necp_kernel_policy_result resul
                break;
        }
        case NECP_KERNEL_POLICY_RESULT_DROP: {
                break;
        }
        case NECP_KERNEL_POLICY_RESULT_DROP: {
-               snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop");
+               snprintf(result_string, MAX_RESULT_STRING_LEN, "Drop (%X)", result_parameter.drop_flags);
                break;
        }
        case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
                break;
        }
        case NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT: {
@@ -4512,6 +4588,16 @@ necp_kernel_socket_policy_is_unnecessary(struct necp_kernel_socket_policy *polic
                        continue;
                }
 
                        continue;
                }
 
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION &&
+                   memcmp(&compared_policy->cond_sdk_version, &policy->cond_sdk_version, sizeof(policy->cond_sdk_version)) == 0) {
+                       continue;
+               }
+
+               if (compared_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS &&
+                   memcmp(&compared_policy->cond_packet_filter_tags, &policy->cond_packet_filter_tags, sizeof(policy->cond_packet_filter_tags)) == 0) {
+                       continue;
+               }
+
                return TRUE;
        }
 
                return TRUE;
        }
 
@@ -4602,7 +4688,7 @@ necp_kernel_socket_policies_reprocess(void)
        // Fill out maps
        LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
                // Add app layer policies
        // Fill out maps
        LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) {
                // Add app layer policies
-               if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
+               if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_app_layer_map, app_layer_current_free_index)) {
                        necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
                        app_layer_current_free_index++;
                        necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
                        necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy;
                        app_layer_current_free_index++;
                        necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = NULL;
@@ -4617,7 +4703,7 @@ necp_kernel_socket_policies_reprocess(void)
                if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
                    kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                        for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
                if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) ||
                    kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) {
                        for (app_i = 0; app_i < NECP_KERNEL_SOCKET_POLICIES_MAP_NUM_APP_ID_BUCKETS; app_i++) {
-                               if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
+                               if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                        bucket_current_free_index[app_i]++;
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                        bucket_current_free_index[app_i]++;
                                        (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
@@ -4625,7 +4711,7 @@ necp_kernel_socket_policies_reprocess(void)
                        }
                } else {
                        app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id);
                        }
                } else {
                        app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id);
-                       if (!necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
+                       if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_socket_policies_map[app_i], bucket_current_free_index[app_i])) {
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                bucket_current_free_index[app_i]++;
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy;
                                bucket_current_free_index[app_i]++;
                                (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = NULL;
@@ -5401,19 +5487,14 @@ necp_kernel_socket_policies_update_uuid_table(void)
        return TRUE;
 }
 
        return TRUE;
 }
 
-#define NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
+#define NECP_KERNEL_VALID_IP_OUTPUT_CONDITIONS (NECP_KERNEL_CONDITION_ALL_INTERFACES | NECP_KERNEL_CONDITION_BOUND_INTERFACE | NECP_KERNEL_CONDITION_PROTOCOL | NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_POLICY_ID | NECP_KERNEL_CONDITION_LAST_INTERFACE | NECP_KERNEL_CONDITION_LOCAL_NETWORKS | NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS)
 static necp_kernel_policy_id
 static necp_kernel_policy_id
-necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
+necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order suborder, u_int32_t session_order, int session_pid, u_int32_t condition_mask, u_int32_t condition_negated_mask, necp_kernel_policy_id cond_policy_id, ifnet_t cond_bound_interface, u_int32_t cond_last_interface_index, u_int16_t cond_protocol, union necp_sockaddr_union *cond_local_start, union necp_sockaddr_union *cond_local_end, u_int8_t cond_local_prefix, union necp_sockaddr_union *cond_remote_start, union necp_sockaddr_union *cond_remote_end, u_int8_t cond_remote_prefix, u_int16_t cond_packet_filter_tags, necp_kernel_policy_result result, necp_kernel_policy_result_parameter result_parameter)
 {
        struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
        struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
 
 {
        struct necp_kernel_ip_output_policy *new_kernel_policy = NULL;
        struct necp_kernel_ip_output_policy *tmp_kernel_policy = NULL;
 
-       MALLOC_ZONE(new_kernel_policy, struct necp_kernel_ip_output_policy *, sizeof(*new_kernel_policy), M_NECP_IP_POLICY, M_WAITOK);
-       if (new_kernel_policy == NULL) {
-               goto done;
-       }
-
-       memset(new_kernel_policy, 0, sizeof(*new_kernel_policy)); // M_ZERO is not supported for MALLOC_ZONE
+       new_kernel_policy = zalloc_flags(necp_ip_policy_zone, Z_WAITOK | Z_ZERO);
        new_kernel_policy->id = necp_kernel_policy_get_new_id(false);
        new_kernel_policy->suborder = suborder;
        new_kernel_policy->order = order;
        new_kernel_policy->id = necp_kernel_policy_get_new_id(false);
        new_kernel_policy->suborder = suborder;
        new_kernel_policy->order = order;
@@ -5467,6 +5548,9 @@ necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order subo
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
        }
        if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) {
                new_kernel_policy->cond_remote_prefix = cond_remote_prefix;
        }
+       if (new_kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               new_kernel_policy->cond_packet_filter_tags = cond_packet_filter_tags;
+       }
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
 
        new_kernel_policy->result = result;
        memcpy(&new_kernel_policy->result_parameter, &result_parameter, sizeof(result_parameter));
@@ -5475,7 +5559,7 @@ necp_kernel_ip_output_policy_add(necp_policy_order order, necp_policy_order subo
                NECPLOG(LOG_DEBUG, "Added kernel policy: ip output, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
                NECPLOG(LOG_DEBUG, "Added kernel policy: ip output, id=%d, mask=%x\n", new_kernel_policy->id, new_kernel_policy->condition_mask);
        }
        LIST_INSERT_SORTED_THRICE_ASCENDING(&necp_kernel_ip_output_policies, new_kernel_policy, chain, session_order, order, suborder, tmp_kernel_policy);
-done:
+
        return new_kernel_policy ? new_kernel_policy->id : 0;
 }
 
        return new_kernel_policy ? new_kernel_policy->id : 0;
 }
 
@@ -5514,7 +5598,7 @@ necp_kernel_ip_output_policy_delete(necp_kernel_policy_id policy_id)
                        policy->cond_bound_interface = NULL;
                }
 
                        policy->cond_bound_interface = NULL;
                }
 
-               FREE_ZONE(policy, sizeof(*policy), M_NECP_IP_POLICY);
+               zfree(necp_ip_policy_zone, policy);
                return TRUE;
        }
 
                return TRUE;
        }
 
@@ -5751,7 +5835,7 @@ necp_kernel_ip_output_policies_reprocess(void)
                    (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
                    kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                        for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
                    (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) ||
                    kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) {
                        for (i = 0; i < NECP_KERNEL_IP_OUTPUT_POLICIES_MAP_NUM_ID_BUCKETS; i++) {
-                               if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
+                               if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                        bucket_current_free_index[i]++;
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                        bucket_current_free_index[i]++;
                                        (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
@@ -5759,7 +5843,7 @@ necp_kernel_ip_output_policies_reprocess(void)
                        }
                } else {
                        i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id);
                        }
                } else {
                        i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id);
-                       if (!necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
+                       if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kernel_ip_output_policies_map[i], bucket_current_free_index[i])) {
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                bucket_current_free_index[i]++;
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy;
                                bucket_current_free_index[i]++;
                                (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = NULL;
@@ -5973,6 +6057,81 @@ necp_get_parent_cred_result(proc_t proc, struct necp_socket_info *info)
        }
 }
 
        }
 }
 
+// Some processes, due to particular entitlements, require using an NECP client to
+// access networking. Returns true if the result should be a Drop.
+static inline bool
+necp_check_missing_client_drop(proc_t proc, struct necp_socket_info *info)
+{
+       task_t task = proc_task(proc ? proc : current_proc());
+
+       if (!info->has_client &&
+           task != NULL &&
+           IOTaskHasEntitlement(task, "com.apple.developer.on-demand-install-capable")) {
+               // Drop connections that don't use NECP clients and have the
+               // com.apple.developer.on-demand-install-capable entitlement.
+               // This effectively restricts those processes to only using
+               // an NECP-aware path for networking.
+               return true;
+       } else {
+               return false;
+       }
+}
+
+static inline bool
+necp_check_restricted_multicast_drop(proc_t proc, struct necp_socket_info *info, bool check_minor_version)
+{
+       if (!necp_restrict_multicast || proc == NULL) {
+               return false;
+       }
+
+       // Check for multicast/broadcast here
+       if (info->remote_addr.sa.sa_family == AF_INET) {
+               if (!IN_MULTICAST(ntohl(info->remote_addr.sin.sin_addr.s_addr)) &&
+                   info->remote_addr.sin.sin_addr.s_addr != INADDR_BROADCAST) {
+                       return false;
+               }
+       } else if (info->remote_addr.sa.sa_family == AF_INET6) {
+               if (!IN6_IS_ADDR_MULTICAST(&info->remote_addr.sin6.sin6_addr)) {
+                       return false;
+               }
+       } else {
+               // Not IPv4/IPv6
+               return false;
+       }
+
+       if (necp_is_platform_binary(proc)) {
+               return false;
+       }
+
+       const uint32_t platform = proc_platform(proc);
+       const uint32_t sdk = proc_sdk(proc);
+
+       // Enforce for iOS, linked on or after version 14
+       // If the caller set `check_minor_version`, only enforce starting at 14.TBD
+       if (platform != PLATFORM_IOS ||
+           sdk == 0 ||
+           (sdk >> 16) < 14 ||
+#if 0
+           (check_minor_version && (sdk >> 16) == 14 && ((sdk >> 8) & 0xff) < TBD)) {
+#else
+           (check_minor_version)) {
+#endif
+               return false;
+       }
+
+       // Allow entitled processes to use multicast
+       task_t task = proc_task(proc);
+       if (task != NULL &&
+           IOTaskHasEntitlement(task, "com.apple.developer.networking.multicast")) {
+               return false;
+       }
+
+       const uint32_t min_sdk = proc_min_sdk(proc);
+       NECPLOG(LOG_INFO, "Dropping unentitled multicast (SDK 0x%x, min 0x%x)", sdk, min_sdk);
+
+       return true;
+}
+
 #define NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
 static void
 necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, uuid_t responsible_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, u_int16_t local_port, u_int16_t remote_port, bool has_client, proc_t proc, proc_t responsible_proc, u_int32_t drop_order, u_int32_t client_flags, struct necp_socket_info *info)
 #define NECP_KERNEL_ADDRESS_TYPE_CONDITIONS (NECP_KERNEL_CONDITION_LOCAL_START | NECP_KERNEL_CONDITION_LOCAL_END | NECP_KERNEL_CONDITION_LOCAL_PREFIX | NECP_KERNEL_CONDITION_REMOTE_START | NECP_KERNEL_CONDITION_REMOTE_END | NECP_KERNEL_CONDITION_REMOTE_PREFIX | NECP_KERNEL_CONDITION_LOCAL_EMPTY | NECP_KERNEL_CONDITION_REMOTE_EMPTY | NECP_KERNEL_CONDITION_LOCAL_NETWORKS)
 static void
 necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_application_uuid, uuid_t responsible_application_uuid, char *account, char *domain, pid_t pid, uid_t uid, u_int16_t protocol, u_int32_t bound_interface_index, u_int32_t traffic_class, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, u_int16_t local_port, u_int16_t remote_port, bool has_client, proc_t proc, proc_t responsible_proc, u_int32_t drop_order, u_int32_t client_flags, struct necp_socket_info *info)
@@ -6028,7 +6187,7 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
        }
 
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY && proc != NULL) {
        }
 
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY && proc != NULL) {
-               info->is_platform_binary = csproc_get_platform_binary(proc) ? true : false;
+               info->is_platform_binary = necp_is_platform_binary(proc) ? true : false;
        }
 
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && account != NULL) {
        }
 
        if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && account != NULL) {
@@ -6042,7 +6201,8 @@ necp_application_fillout_info_locked(uuid_t application_uuid, uuid_t real_applic
                info->domain = domain;
        }
 
                info->domain = domain;
        }
 
-       if (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
+       if (necp_restrict_multicast ||
+           (necp_kernel_application_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS)) {
                if (local_addr && local_addr->sa.sa_len > 0) {
                        memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
                        if (local_port != 0) {
                if (local_addr && local_addr->sa.sa_len > 0) {
                        memcpy(&info->local_addr, local_addr, local_addr->sa.sa_len);
                        if (local_port != 0) {
@@ -6080,6 +6240,20 @@ necp_send_application_interface_denied_event(pid_t pid, uuid_t proc_uuid, u_int3
        netpolicy_post_msg(KEV_NETPOLICY_IFDENIED, &ev_ifdenied.ev_data, sizeof(ev_ifdenied));
 }
 
        netpolicy_post_msg(KEV_NETPOLICY_IFDENIED, &ev_ifdenied.ev_data, sizeof(ev_ifdenied));
 }
 
+static void
+necp_send_network_denied_event(pid_t pid, uuid_t proc_uuid, u_int32_t network_type)
+{
+       struct kev_netpolicy_netdenied ev_netdenied = {};
+
+       bzero(&ev_netdenied, sizeof(ev_netdenied));
+
+       ev_netdenied.ev_data.epid = pid;
+       uuid_copy(ev_netdenied.ev_data.euuid, proc_uuid);
+       ev_netdenied.ev_network_type = network_type;
+
+       netpolicy_post_msg(KEV_NETPOLICY_NETDENIED, &ev_netdenied.ev_data, sizeof(ev_netdenied));
+}
+
 extern char *proc_name_address(void *p);
 
 #define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
 extern char *proc_name_address(void *p);
 
 #define NECP_VERIFY_DELEGATION_ENTITLEMENT(_p, _d) \
@@ -6175,6 +6349,8 @@ necp_application_find_policy_match_internal(proc_t proc,
        proc_t effective_proc = proc;
        bool release_eproc = false;
 
        proc_t effective_proc = proc;
        bool release_eproc = false;
 
+       u_int32_t flow_divert_aggregate_unit = 0;
+
        if (returned_result == NULL) {
                return EINVAL;
        }
        if (returned_result == NULL) {
                return EINVAL;
        }
@@ -6424,7 +6600,7 @@ necp_application_find_policy_match_internal(proc_t proc,
        u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_array_count = 0;
        necp_application_fillout_info_locked(application_uuid, real_application_uuid, responsible_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, local_port, remote_port, has_client, effective_proc, responsible_proc, drop_order, client_flags, &info);
        u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_array_count = 0;
        necp_application_fillout_info_locked(application_uuid, real_application_uuid, responsible_application_uuid, account, domain, pid, uid, protocol, bound_interface_index, traffic_class, &local_addr, &remote_addr, local_port, remote_port, has_client, effective_proc, responsible_proc, drop_order, client_flags, &info);
-       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, netagent_use_flags, NECP_MAX_NETAGENTS, required_agent_types, num_required_agent_types, info.used_responsible_pid ? responsible_proc : effective_proc, NULL, NULL, &drop_dest_policy_result, &drop_all_bypass);
+       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_app_layer_map, &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, netagent_use_flags, NECP_MAX_NETAGENTS, required_agent_types, num_required_agent_types, info.used_responsible_pid ? responsible_proc : effective_proc, 0, NULL, NULL, &drop_dest_policy_result, &drop_all_bypass, &flow_divert_aggregate_unit);
        if (matched_policy) {
                returned_result->policy_id = matched_policy->id;
                returned_result->routing_result = matched_policy->result;
        if (matched_policy) {
                returned_result->policy_id = matched_policy->id;
                returned_result->routing_result = matched_policy->result;
@@ -6449,11 +6625,22 @@ necp_application_find_policy_match_internal(proc_t proc,
                        returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
                }
        }
                        returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_NONE;
                }
        }
+       if (necp_check_missing_client_drop(proc, &info) ||
+           necp_check_restricted_multicast_drop(proc, &info, false)) {
+               // Mark as drop
+               returned_result->policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               returned_result->routing_result = NECP_KERNEL_POLICY_RESULT_DROP;
+       }
        if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
                returned_result->filter_control_unit = 0;
        } else {
                returned_result->filter_control_unit = filter_control_unit;
        }
        if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
                returned_result->filter_control_unit = 0;
        } else {
                returned_result->filter_control_unit = filter_control_unit;
        }
+
+       if (flow_divert_aggregate_unit > 0) {
+               returned_result->flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+       }
+
        returned_result->service_action = service_action;
 
        // Handle trigger service
        returned_result->service_action = service_action;
 
        // Handle trigger service
@@ -6507,6 +6694,15 @@ necp_application_find_policy_match_internal(proc_t proc,
                }
        }
 
                }
        }
 
+       if (returned_result->routing_result == NECP_KERNEL_POLICY_RESULT_DROP &&
+           returned_result->routing_result_parameter.drop_flags & NECP_KERNEL_POLICY_DROP_FLAG_LOCAL_NETWORK) {
+               // Trigger the event that we dropped due to a local network policy
+               necp_send_network_denied_event(pid, application_uuid, NETPOLICY_NETWORKTYPE_LOCAL);
+               if (reason != NULL) {
+                       *reason = NECP_CLIENT_RESULT_REASON_LOCAL_NETWORK_PROHIBITED;
+               }
+       }
+
        if (local_addr.sa.sa_len == 0 ||
            (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
            (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
        if (local_addr.sa.sa_len == 0 ||
            (local_addr.sa.sa_family == AF_INET && local_addr.sin.sin_addr.s_addr == 0) ||
            (local_addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&local_addr.sin6.sin6_addr))) {
@@ -6907,7 +7103,7 @@ done:
 }
 
 static bool
 }
 
 static bool
-necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, bool has_client, uint32_t client_flags, int is_platform_binary, proc_t proc, struct rtentry *rt)
+necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_app_id real_app_id, errno_t cred_result, u_int32_t account_id, struct substring domain, u_int8_t domain_dot_count, pid_t pid, uid_t uid, u_int32_t bound_interface_index, u_int32_t traffic_class, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct necp_client_parameter_netagent_type *required_agent_types, u_int32_t num_required_agent_types, bool has_client, uint32_t client_flags, int is_platform_binary, proc_t proc, u_int16_t pf_tag, struct rtentry *rt)
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
@@ -7007,6 +7203,31 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                }
        }
 
                }
        }
 
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) {
+               if (proc != NULL) {
+                       if (kernel_policy->cond_sdk_version.platform != 0) {
+                               if (kernel_policy->cond_sdk_version.platform != proc_platform(proc)) {
+                                       // Process does not match platform
+                                       return FALSE;
+                               }
+                       }
+
+                       if (kernel_policy->cond_sdk_version.min_version != 0) {
+                               if (kernel_policy->cond_sdk_version.min_version > proc_min_sdk(proc)) {
+                                       // Process min version is older than required min version
+                                       return FALSE;
+                               }
+                       }
+
+                       if (kernel_policy->cond_sdk_version.version != 0) {
+                               if (kernel_policy->cond_sdk_version.version > proc_sdk(proc)) {
+                                       // Process SDK version is older than required version
+                                       return FALSE;
+                               }
+                       }
+               }
+       }
+
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
                if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_false) {
                        // Process is missing entitlement based on previous check
        if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) {
                if (kernel_policy->cond_custom_entitlement_matched == necp_boolean_state_false) {
                        // Process is missing entitlement based on previous check
@@ -7242,6 +7463,25 @@ necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_a
                }
        }
 
                }
        }
 
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               bool tags_matched = false;
+               if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) {
+                       if (pf_tag == PF_TAG_ID_STACK_DROP) {
+                               tags_matched = true;
+                       }
+               }
+
+               if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                       if (tags_matched) {
+                               return FALSE;
+                       }
+               } else {
+                       if (!tags_matched) {
+                               return FALSE;
+                       }
+               }
+       }
+
        return TRUE;
 }
 
        return TRUE;
 }
 
@@ -7360,7 +7600,7 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
        }
 
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
        }
 
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) {
-               info->is_platform_binary = csproc_get_platform_binary(sock_proc ? sock_proc : curr_proc) ? true : false;
+               info->is_platform_binary = necp_is_platform_binary(sock_proc ? sock_proc : curr_proc) ? true : false;
        }
 
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && inp->inp_necp_attributes.inp_account != NULL) {
        }
 
        if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID && inp->inp_necp_attributes.inp_account != NULL) {
@@ -7382,7 +7622,8 @@ necp_socket_fillout_info_locked(struct inpcb *inp, struct sockaddr *override_loc
                }
        }
 
                }
        }
 
-       if (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS) {
+       if (necp_restrict_multicast ||
+           (necp_kernel_socket_policies_condition_mask & NECP_KERNEL_ADDRESS_TYPE_CONDITIONS)) {
                if (override_local_addr != NULL) {
                        if (override_local_addr->sa_family == AF_INET6 && override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
                                memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
                if (override_local_addr != NULL) {
                        if (override_local_addr->sa_family == AF_INET6 && override_local_addr->sa_len <= sizeof(struct sockaddr_in6)) {
                                memcpy(&info->local_addr, override_local_addr, override_local_addr->sa_len);
@@ -7444,8 +7685,9 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
     necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service,
     u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count,
     struct necp_client_parameter_netagent_type *required_agent_types,
     necp_kernel_policy_result *return_service_action, necp_kernel_policy_service *return_service,
     u_int32_t *return_netagent_array, u_int32_t *return_netagent_use_flags_array, size_t netagent_array_count,
     struct necp_client_parameter_netagent_type *required_agent_types,
-    u_int32_t num_required_agent_types, proc_t proc, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt,
-    necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
+    u_int32_t num_required_agent_types, proc_t proc, u_int16_t pf_tag, necp_kernel_policy_id *skip_policy_id, struct rtentry *rt,
+    necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass,
+    u_int32_t *return_flow_divert_aggregate_unit)
 {
        struct necp_kernel_socket_policy *matched_policy = NULL;
        u_int32_t skip_order = 0;
 {
        struct necp_kernel_socket_policy *matched_policy = NULL;
        u_int32_t skip_order = 0;
@@ -7529,7 +7771,7 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                continue;
                        }
 
                                continue;
                        }
 
-                       if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, required_agent_types, num_required_agent_types, info->has_client, info->client_flags, info->is_platform_binary, proc, rt)) {
+                       if (necp_socket_check_policy(policy_search_array[i], info->application_id, info->real_application_id, info->cred_result, info->account_id, domain_substring, domain_dot_count, info->pid, info->uid, info->bound_interface_index, info->traffic_class, info->protocol, &info->local_addr, &info->remote_addr, required_agent_types, num_required_agent_types, info->has_client, info->client_flags, info->is_platform_binary, proc, pf_tag, rt)) {
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
                                        if (return_filter && *return_filter != NECP_FILTER_UNIT_NO_FILTER) {
                                                necp_kernel_policy_filter control_unit = policy_search_array[i]->result_parameter.filter_control_unit;
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_FILTER) {
                                        if (return_filter && *return_filter != NECP_FILTER_UNIT_NO_FILTER) {
                                                necp_kernel_policy_filter control_unit = policy_search_array[i]->result_parameter.filter_control_unit;
@@ -7584,6 +7826,18 @@ necp_socket_find_policy_match_with_info_locked(struct necp_kernel_socket_policy
                                                }
                                        }
                                        continue;
                                                }
                                        }
                                        continue;
+                               } else if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
+                                       u_int32_t control_unit = policy_search_array[i]->result_parameter.flow_divert_control_unit;
+                                       if (control_unit & FLOW_DIVERT_IS_TRANSPARENT) {
+                                               /* For transparent proxies, accumulate the control unit and continue to the next policy */
+                                               if (return_flow_divert_aggregate_unit != NULL) {
+                                                       *return_flow_divert_aggregate_unit |= (control_unit & ~FLOW_DIVERT_IS_TRANSPARENT);
+                                                       if (necp_debug > 1) {
+                                                               NECPLOG(LOG_DEBUG, "Socket Policy: (Application %d Real Application %d BoundInterface %d Proto %d) flow divert %u", info->application_id, info->real_application_id, info->bound_interface_index, info->protocol, control_unit);
+                                                       }
+                                               }
+                                               continue;
+                                       }
                                }
 
                                // Matched policy is a skip. Do skip and continue.
                                }
 
                                // Matched policy is a skip. Do skip and continue.
@@ -7682,6 +7936,21 @@ necp_socket_bypass(struct sockaddr *override_local_addr, struct sockaddr *overri
        return false;
 }
 
        return false;
 }
 
+static inline void
+necp_socket_ip_tunnel_tso(struct inpcb *inp)
+{
+       u_int tunnel_interface_index = inp->inp_policyresult.results.result_parameter.tunnel_interface_index;
+       ifnet_t tunnel_interface = NULL;
+
+       ifnet_head_lock_shared();
+       tunnel_interface = ifindex2ifnet[tunnel_interface_index];
+       ifnet_head_done();
+
+       if (tunnel_interface != NULL) {
+               tcp_set_tso(intotcpcb(inp), tunnel_interface);
+       }
+}
+
 necp_kernel_policy_id
 necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface)
 {
 necp_kernel_policy_id
 necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, u_int32_t override_bound_interface)
 {
@@ -7701,6 +7970,8 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 
        struct necp_socket_info info;
 
 
        struct necp_socket_info info;
 
+       u_int32_t flow_divert_aggregate_unit = 0;
+
        if (inp == NULL) {
                return NECP_KERNEL_POLICY_ID_NONE;
        }
        if (inp == NULL) {
                return NECP_KERNEL_POLICY_ID_NONE;
        }
@@ -7729,6 +8000,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                        inp->inp_policyresult.app_id = 0;
                        inp->inp_policyresult.flowhash = 0;
                        inp->inp_policyresult.results.filter_control_unit = 0;
                        inp->inp_policyresult.app_id = 0;
                        inp->inp_policyresult.flowhash = 0;
                        inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                        inp->inp_policyresult.results.route_rule_id = 0;
                        if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
                                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                        inp->inp_policyresult.results.route_rule_id = 0;
                        if (necp_socket_bypass(override_local_addr, override_remote_addr, inp)) {
                                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
@@ -7753,6 +8025,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                inp->inp_policyresult.app_id = 0;
                inp->inp_policyresult.flowhash = 0;
                inp->inp_policyresult.results.filter_control_unit = 0;
                inp->inp_policyresult.app_id = 0;
                inp->inp_policyresult.flowhash = 0;
                inp->inp_policyresult.results.filter_control_unit = 0;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                inp->inp_policyresult.results.route_rule_id = 0;
                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                return NECP_KERNEL_POLICY_ID_NONE;
                inp->inp_policyresult.results.route_rule_id = 0;
                inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_PASS;
                return NECP_KERNEL_POLICY_ID_NONE;
@@ -7760,7 +8033,6 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 
        // Lock
        lck_rw_lock_shared(&necp_kernel_policy_lock);
 
        // Lock
        lck_rw_lock_shared(&necp_kernel_policy_lock);
-
        necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, drop_order, &socket_proc, &info);
 
        // Check info
        necp_socket_fillout_info_locked(inp, override_local_addr, override_remote_addr, override_bound_interface, drop_order, &socket_proc, &info);
 
        // Check info
@@ -7786,7 +8058,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
        necp_kernel_policy_id skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_array_count = 0;
        necp_kernel_policy_id skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_array_count = 0;
-       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, socket_proc ? socket_proc : current_proc(), &skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass);
+       matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, socket_proc ? socket_proc : current_proc(), 0, &skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass, &flow_divert_aggregate_unit);
 
        // If the socket matched a scoped service policy, mark as Drop if not registered.
        // This covers the cases in which a service is required (on demand) but hasn't started yet.
 
        // If the socket matched a scoped service policy, mark as Drop if not registered.
        // This covers the cases in which a service is required (on demand) but hasn't started yet.
@@ -7809,6 +8081,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = 0;
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
@@ -7855,6 +8128,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                                        inp->inp_policyresult.flowhash = flowhash;
                                        inp->inp_policyresult.results.filter_control_unit = 0;
                                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                                        inp->inp_policyresult.flowhash = flowhash;
                                        inp->inp_policyresult.results.filter_control_unit = 0;
+                                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                                        inp->inp_policyresult.results.route_rule_id = 0;
                                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
                                        inp->inp_policyresult.results.route_rule_id = 0;
                                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
 
@@ -7882,7 +8156,8 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
        }
 
                route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
        }
 
-       bool reset_tcp_mss = false;
+       bool reset_tcp_tunnel_interface = false;
+       bool send_local_network_denied_event = false;
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                inp->inp_policyresult.policy_id = matched_policy->id;
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                inp->inp_policyresult.policy_id = matched_policy->id;
@@ -7890,6 +8165,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                inp->inp_policyresult.flowhash = flowhash;
                inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
                inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                inp->inp_policyresult.flowhash = flowhash;
                inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
                inp->inp_policyresult.results.route_rule_id = route_rule_id;
                inp->inp_policyresult.results.result = matched_policy->result;
                memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
                inp->inp_policyresult.results.route_rule_id = route_rule_id;
                inp->inp_policyresult.results.result = matched_policy->result;
                memcpy(&inp->inp_policyresult.results.result_parameter, &matched_policy->result_parameter, sizeof(matched_policy->result_parameter));
@@ -7908,13 +8184,19 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                } else if (necp_socket_is_connected(inp) &&
                    matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
                    info.protocol == IPPROTO_TCP) {
                } else if (necp_socket_is_connected(inp) &&
                    matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL &&
                    info.protocol == IPPROTO_TCP) {
-                       // Reset MSS on TCP socket if tunnel policy changes
-                       reset_tcp_mss = true;
+                       // Reset TCP socket interface based parameters if tunnel policy changes
+                       reset_tcp_tunnel_interface = true;
                }
 
                if (necp_debug > 1) {
                        NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
                }
                }
 
                if (necp_debug > 1) {
                        NECPLOG(LOG_DEBUG, "Socket Policy: %p (BoundInterface %d Proto %d) Policy %d Result %d Parameter %d", inp->inp_socket, info.bound_interface_index, info.protocol, matched_policy->id, matched_policy->result, matched_policy->result_parameter.tunnel_interface_index);
                }
+
+               if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP &&
+                   matched_policy->result_parameter.drop_flags & NECP_KERNEL_POLICY_DROP_FLAG_LOCAL_NETWORK) {
+                       // Trigger the event that we dropped due to a local network policy
+                       send_local_network_denied_event = true;
+               }
        } else {
                bool drop_all = false;
                if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
        } else {
                bool drop_all = false;
                if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
@@ -7930,6 +8212,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = 0;
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = 0;
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                } else {
                        inp->inp_policyresult.results.route_rule_id = 0;
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
                } else {
@@ -7939,17 +8222,40 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
                        inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
                        inp->inp_policyresult.flowhash = flowhash;
                        inp->inp_policyresult.results.filter_control_unit = filter_control_unit; // We may have matched a filter, so mark it!
+                       inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
                        inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
                }
        }
 
                        inp->inp_policyresult.results.route_rule_id = route_rule_id; // We may have matched a route rule, so mark it!
                        inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_NONE;
                }
        }
 
+       if (necp_check_missing_client_drop(socket_proc ? socket_proc : current_proc(), &info) ||
+           necp_check_restricted_multicast_drop(socket_proc ? socket_proc : current_proc(), &info, false)) {
+               // Mark as drop
+               inp->inp_policyresult.policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.skip_policy_id = NECP_KERNEL_POLICY_ID_NO_MATCH;
+               inp->inp_policyresult.policy_gencount = necp_kernel_socket_policies_gencount;
+               inp->inp_policyresult.flowhash = flowhash;
+               inp->inp_policyresult.results.filter_control_unit = 0;
+               inp->inp_policyresult.results.flow_divert_aggregate_unit = 0;
+               inp->inp_policyresult.results.route_rule_id = 0;
+               inp->inp_policyresult.results.result = NECP_KERNEL_POLICY_RESULT_DROP;
+       }
+
        // Unlock
        lck_rw_done(&necp_kernel_policy_lock);
 
        // Unlock
        lck_rw_done(&necp_kernel_policy_lock);
 
-       if (reset_tcp_mss) {
+       if (reset_tcp_tunnel_interface) {
                // Update MSS when not holding the policy lock to avoid recursive locking
                tcp_mtudisc(inp, 0);
                // Update MSS when not holding the policy lock to avoid recursive locking
                tcp_mtudisc(inp, 0);
+
+               // Update TSO flag based on the tunnel interface
+               necp_socket_ip_tunnel_tso(inp);
+       }
+
+       if (send_local_network_denied_event) {
+               necp_send_network_denied_event(((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid),
+                   ((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid),
+                   NETPOLICY_NETWORKTYPE_LOCAL);
        }
 
        if (socket_proc) {
        }
 
        if (socket_proc) {
@@ -7960,7 +8266,7 @@ necp_socket_find_policy_match(struct inpcb *inp, struct sockaddr *override_local
 }
 
 static bool
 }
 
 static bool
-necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct rtentry *rt)
+necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local, union necp_sockaddr_union *remote, struct rtentry *rt, u_int16_t pf_tag)
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
 {
        if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) {
                if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) {
@@ -8084,11 +8390,31 @@ necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy,
                }
        }
 
                }
        }
 
+       if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+               bool tags_matched = false;
+
+               if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) {
+                       if ((pf_tag & PF_TAG_ID_STACK_DROP) == PF_TAG_ID_STACK_DROP) {
+                               tags_matched = true;
+                       }
+
+                       if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) {
+                               if (tags_matched) {
+                                       return FALSE;
+                               }
+                       } else {
+                               if (!tags_matched) {
+                                       return FALSE;
+                               }
+                       }
+               }
+       }
+
        return TRUE;
 }
 
 static inline struct necp_kernel_ip_output_policy *
        return TRUE;
 }
 
 static inline struct necp_kernel_ip_output_policy *
-necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, struct rtentry *rt, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
+necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id, necp_kernel_policy_id socket_skip_policy_id, u_int32_t bound_interface_index, u_int32_t last_interface_index, u_int16_t protocol, union necp_sockaddr_union *local_addr, union necp_sockaddr_union *remote_addr, struct rtentry *rt, u_int16_t pf_tag, u_int32_t *return_route_rule_id, necp_kernel_policy_result *return_drop_dest_policy_result, necp_drop_all_bypass_check_result_t *return_drop_all_bypass)
 {
        u_int32_t skip_order = 0;
        u_int32_t skip_session_order = 0;
 {
        u_int32_t skip_order = 0;
        u_int32_t skip_session_order = 0;
@@ -8146,7 +8472,7 @@ necp_ip_output_find_policy_match_locked(necp_kernel_policy_id socket_policy_id,
                                continue;
                        }
 
                                continue;
                        }
 
-                       if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr, rt)) {
+                       if (necp_ip_output_check_policy(policy_search_array[i], socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, local_addr, remote_addr, rt, pf_tag)) {
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
                                        if (return_route_rule_id != NULL && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
                                                route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
                                if (policy_search_array[i]->result == NECP_KERNEL_POLICY_RESULT_ROUTE_RULES) {
                                        if (return_route_rule_id != NULL && route_rule_id_count < MAX_AGGREGATE_ROUTE_RULES) {
                                                route_rule_id_array[route_rule_id_count++] = policy_search_array[i]->result_parameter.route_rule_id;
@@ -8206,6 +8532,7 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
        union necp_sockaddr_union remote_addr;
        u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
        necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
        union necp_sockaddr_union remote_addr;
        u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
        necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       u_int16_t pf_tag = 0;
 
        if (result) {
                *result = 0;
 
        if (result) {
                *result = 0;
@@ -8221,6 +8548,7 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
 
        socket_policy_id = necp_get_policy_id_from_packet(packet);
        socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
 
        socket_policy_id = necp_get_policy_id_from_packet(packet);
        socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
+       pf_tag = necp_get_packet_filter_tags_from_packet(packet);
 
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
 
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
@@ -8304,7 +8632,7 @@ necp_ip_output_find_policy_match(struct mbuf *packet, int flags, struct ip_out_a
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        u_int32_t route_rule_id = 0;
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        u_int32_t route_rule_id = 0;
-       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
+       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, pf_tag, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
@@ -8371,6 +8699,7 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
        union necp_sockaddr_union remote_addr;
        u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
        necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
        union necp_sockaddr_union remote_addr;
        u_int32_t drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
        necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
+       u_int16_t pf_tag = 0;
 
        if (result) {
                *result = 0;
 
        if (result) {
                *result = 0;
@@ -8386,6 +8715,7 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
 
        socket_policy_id = necp_get_policy_id_from_packet(packet);
        socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
 
        socket_policy_id = necp_get_policy_id_from_packet(packet);
        socket_skip_policy_id = necp_get_skip_policy_id_from_packet(packet);
+       pf_tag = necp_get_packet_filter_tags_from_packet(packet);
 
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
 
        // Exit early for an empty list
        // Don't lock. Possible race condition, but we don't want the performance hit.
@@ -8466,7 +8796,7 @@ necp_ip6_output_find_policy_match(struct mbuf *packet, int flags, struct ip6_out
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        u_int32_t route_rule_id = 0;
        // Match packet to policy
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        u_int32_t route_rule_id = 0;
-       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
+       matched_policy = necp_ip_output_find_policy_match_locked(socket_policy_id, socket_skip_policy_id, bound_interface_index, last_interface_index, protocol, &local_addr, &remote_addr, rt, pf_tag, &route_rule_id, &drop_dest_policy_result, &drop_all_bypass);
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
        if (matched_policy) {
                matched_policy_id = matched_policy->id;
                if (result) {
@@ -8821,26 +9151,21 @@ done:
        return qos_marking;
 }
 
        return qos_marking;
 }
 
-void
-necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id)
+bool
+necp_lookup_current_qos_marking(int32_t *qos_marking_gencount, struct rtentry *route, struct ifnet *interface, u_int32_t route_rule_id, bool old_qos_marking)
 {
 {
-       bool qos_marking = FALSE;
-       struct ifnet *ifp = interface = NULL;
+       bool new_qos_marking = old_qos_marking;
+       struct ifnet *ifp = interface;
 
        if (net_qos_policy_restricted == 0) {
 
        if (net_qos_policy_restricted == 0) {
-               return;
-       }
-       if (inp->inp_socket == NULL) {
-               return;
-       }
-       if ((inp->inp_socket->so_flags1 & SOF1_QOSMARKING_POLICY_OVERRIDE)) {
-               return;
+               return new_qos_marking;
        }
        }
+
        /*
         * This is racy but we do not need the performance hit of taking necp_kernel_policy_lock
         */
        /*
         * This is racy but we do not need the performance hit of taking necp_kernel_policy_lock
         */
-       if (inp->inp_policyresult.results.qos_marking_gencount == necp_kernel_socket_policies_gencount) {
-               return;
+       if (*qos_marking_gencount == necp_kernel_socket_policies_gencount) {
+               return new_qos_marking;
        }
 
        lck_rw_lock_shared(&necp_kernel_policy_lock);
        }
 
        lck_rw_lock_shared(&necp_kernel_policy_lock);
@@ -8852,7 +9177,7 @@ necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct
         * By default, until we have a interface, do not mark and reevaluate the Qos marking policy
         */
        if (ifp == NULL || route_rule_id == 0) {
         * By default, until we have a interface, do not mark and reevaluate the Qos marking policy
         */
        if (ifp == NULL || route_rule_id == 0) {
-               qos_marking = FALSE;
+               new_qos_marking = FALSE;
                goto done;
        }
 
                goto done;
        }
 
@@ -8865,22 +9190,41 @@ necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, struct
                                if (sub_route_rule_id == 0) {
                                        break;
                                }
                                if (sub_route_rule_id == 0) {
                                        break;
                                }
-                               qos_marking = necp_update_qos_marking(ifp, sub_route_rule_id);
-                               if (qos_marking == TRUE) {
+                               new_qos_marking = necp_update_qos_marking(ifp, sub_route_rule_id);
+                               if (new_qos_marking == TRUE) {
                                        break;
                                }
                        }
                }
        } else {
                                        break;
                                }
                        }
                }
        } else {
-               qos_marking = necp_update_qos_marking(ifp, route_rule_id);
+               new_qos_marking = necp_update_qos_marking(ifp, route_rule_id);
        }
        /*
         * Now that we have an interface we remember the gencount
         */
        }
        /*
         * Now that we have an interface we remember the gencount
         */
-       inp->inp_policyresult.results.qos_marking_gencount = necp_kernel_socket_policies_gencount;
+       *qos_marking_gencount = necp_kernel_socket_policies_gencount;
 
 done:
        lck_rw_done(&necp_kernel_policy_lock);
 
 done:
        lck_rw_done(&necp_kernel_policy_lock);
+       return new_qos_marking;
+}
+
+void
+necp_socket_update_qos_marking(struct inpcb *inp, struct rtentry *route, u_int32_t route_rule_id)
+{
+       bool qos_marking = inp->inp_socket->so_flags1 & SOF1_QOSMARKING_ALLOWED ? TRUE : FALSE;
+
+       if (net_qos_policy_restricted == 0) {
+               return;
+       }
+       if (inp->inp_socket == NULL) {
+               return;
+       }
+       if ((inp->inp_socket->so_flags1 & SOF1_QOSMARKING_POLICY_OVERRIDE)) {
+               return;
+       }
+
+       qos_marking = necp_lookup_current_qos_marking(&(inp->inp_policyresult.results.qos_marking_gencount), route, NULL, route_rule_id, qos_marking);
 
        if (qos_marking == TRUE) {
                inp->inp_socket->so_flags1 |= SOF1_QOSMARKING_ALLOWED;
 
        if (qos_marking == TRUE) {
                inp->inp_socket->so_flags1 |= SOF1_QOSMARKING_ALLOWED;
@@ -9136,7 +9480,20 @@ necp_netagents_allow_traffic(u_int32_t *netagent_ids, size_t netagent_id_count)
 }
 
 static bool
 }
 
 static bool
-necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
+necp_packet_filter_tags_receive(u_int16_t pf_tag, u_int32_t pass_flags)
+{
+       bool allowed_to_receive = TRUE;
+
+       if (pf_tag == PF_TAG_ID_STACK_DROP &&
+           (pass_flags & NECP_KERNEL_POLICY_PASS_PF_TAG) != NECP_KERNEL_POLICY_PASS_PF_TAG) {
+               allowed_to_receive = FALSE;
+       }
+
+       return allowed_to_receive;
+}
+
+static bool
+necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr *override_local_addr, struct sockaddr *override_remote_addr, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
        u_int32_t verifyifindex = interface ? interface->if_index : 0;
        bool allowed_to_receive = TRUE;
 {
        u_int32_t verifyifindex = interface ? interface->if_index : 0;
        bool allowed_to_receive = TRUE;
@@ -9150,8 +9507,12 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
        necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
        necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
        necp_kernel_policy_result drop_dest_policy_result = NECP_KERNEL_POLICY_RESULT_NONE;
        necp_drop_all_bypass_check_result_t drop_all_bypass = NECP_DROP_ALL_BYPASS_CHECK_RESULT_NONE;
        u_int32_t netagent_ids[NECP_MAX_NETAGENTS];
-       memset(&netagent_ids, 0, sizeof(netagent_ids));
        proc_t socket_proc = NULL;
        proc_t socket_proc = NULL;
+       necp_kernel_policy_filter filter_control_unit = 0;
+       u_int32_t pass_flags = 0;
+       u_int32_t flow_divert_aggregate_unit = 0;
+
+       memset(&netagent_ids, 0, sizeof(netagent_ids));
 
        if (return_policy_id) {
                *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
 
        if (return_policy_id) {
                *return_policy_id = NECP_KERNEL_POLICY_ID_NONE;
@@ -9162,6 +9523,9 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
        if (return_route_rule_id) {
                *return_route_rule_id = 0;
        }
        if (return_route_rule_id) {
                *return_route_rule_id = 0;
        }
+       if (return_pass_flags) {
+               *return_pass_flags = 0;
+       }
 
        if (inp == NULL) {
                goto done;
 
        if (inp == NULL) {
                goto done;
@@ -9220,6 +9584,9 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                                if (return_route_rule_id) {
                                        *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                                }
                                if (return_route_rule_id) {
                                        *return_route_rule_id = inp->inp_policyresult.results.route_rule_id;
                                }
+                               if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS) {
+                                       pass_flags = inp->inp_policyresult.results.result_parameter.pass_flags;
+                               }
                        }
                        goto done;
                }
                        }
                        goto done;
                }
@@ -9256,6 +9623,9 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                        if (return_skip_policy_id) {
                                *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
                        }
                        if (return_skip_policy_id) {
                                *return_skip_policy_id = inp->inp_policyresult.skip_policy_id;
                        }
+                       if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_PASS) {
+                               pass_flags = inp->inp_policyresult.results.result_parameter.pass_flags;
+                       }
                }
                lck_rw_done(&necp_kernel_policy_lock);
                goto done;
                }
                lck_rw_done(&necp_kernel_policy_lock);
                goto done;
@@ -9263,7 +9633,7 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
 
        u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_array_count = 0;
 
        u_int32_t route_rule_id_array[MAX_AGGREGATE_ROUTE_RULES];
        size_t route_rule_id_array_count = 0;
-       struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, NULL, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, socket_proc ? socket_proc : current_proc(), return_skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass);
+       struct necp_kernel_socket_policy *matched_policy = necp_socket_find_policy_match_with_info_locked(necp_kernel_socket_policies_map[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(info.application_id)], &info, &filter_control_unit, route_rule_id_array, &route_rule_id_array_count, MAX_AGGREGATE_ROUTE_RULES, &service_action, &service, netagent_ids, NULL, NECP_MAX_NETAGENTS, NULL, 0, socket_proc ? socket_proc : current_proc(), pf_tag, return_skip_policy_id, inp->inp_route.ro_rt, &drop_dest_policy_result, &drop_all_bypass, &flow_divert_aggregate_unit);
 
        if (route_rule_id_array_count == 1) {
                route_rule_id = route_rule_id_array[0];
 
        if (route_rule_id_array_count == 1) {
                route_rule_id = route_rule_id_array[0];
@@ -9271,7 +9641,14 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
        }
 
                route_rule_id = necp_create_aggregate_route_rule(route_rule_id_array);
        }
 
+       bool send_local_network_denied_event = false;
        if (matched_policy != NULL) {
        if (matched_policy != NULL) {
+               if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP &&
+                   matched_policy->result_parameter.drop_flags & NECP_KERNEL_POLICY_DROP_FLAG_LOCAL_NETWORK) {
+                       // Trigger the event that we dropped due to a local network policy
+                       send_local_network_denied_event = true;
+               }
+
                if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
                    matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
                    (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
                if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_DROP ||
                    matched_policy->result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
                    (matched_policy->result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && interface &&
@@ -9290,13 +9667,21 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                        if (return_route_rule_id) {
                                *return_route_rule_id = route_rule_id;
                        }
                        if (return_route_rule_id) {
                                *return_route_rule_id = route_rule_id;
                        }
+                       if (matched_policy->result == NECP_KERNEL_POLICY_RESULT_PASS) {
+                               pass_flags = matched_policy->result_parameter.pass_flags;
+                       }
+                       // Polices has changed since last evaluation, update inp result with new filter state
+                       if (inp->inp_policyresult.results.filter_control_unit != filter_control_unit) {
+                               inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+                       }
+                       if (inp->inp_policyresult.results.flow_divert_aggregate_unit != flow_divert_aggregate_unit) {
+                               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+                       }
                }
                }
-               lck_rw_done(&necp_kernel_policy_lock);
 
                if (necp_debug > 1 && matched_policy->id != inp->inp_policyresult.policy_id) {
                        NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
                }
 
                if (necp_debug > 1 && matched_policy->id != inp->inp_policyresult.policy_id) {
                        NECPLOG(LOG_DEBUG, "Socket Send/Recv Policy: Policy %d Allowed %d", return_policy_id ? *return_policy_id : 0, allowed_to_receive);
                }
-               goto done;
        } else {
                bool drop_all = false;
                if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
        } else {
                bool drop_all = false;
                if (necp_drop_all_order > 0 || info.drop_order > 0 || drop_dest_policy_result == NECP_KERNEL_POLICY_RESULT_DROP) {
@@ -9314,12 +9699,38 @@ necp_socket_is_allowed_to_send_recv_internal(struct inpcb *inp, struct sockaddr
                        if (return_route_rule_id) {
                                *return_route_rule_id = route_rule_id;
                        }
                        if (return_route_rule_id) {
                                *return_route_rule_id = route_rule_id;
                        }
+
+                       // Polices has changed since last evaluation, update inp result with new filter state
+                       if (inp->inp_policyresult.results.filter_control_unit != filter_control_unit) {
+                               inp->inp_policyresult.results.filter_control_unit = filter_control_unit;
+                       }
+                       if (inp->inp_policyresult.results.flow_divert_aggregate_unit != flow_divert_aggregate_unit) {
+                               inp->inp_policyresult.results.flow_divert_aggregate_unit = flow_divert_aggregate_unit;
+                       }
                }
        }
 
                }
        }
 
+       if (necp_check_restricted_multicast_drop(socket_proc ? socket_proc : current_proc(), &info, true)) {
+               allowed_to_receive = FALSE;
+       }
+
        lck_rw_done(&necp_kernel_policy_lock);
 
        lck_rw_done(&necp_kernel_policy_lock);
 
+       if (send_local_network_denied_event) {
+               necp_send_network_denied_event(((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid),
+                   ((so->so_flags & SOF_DELEGATED) ? so->e_uuid : so->last_uuid),
+                   NETPOLICY_NETWORKTYPE_LOCAL);
+       }
+
 done:
 done:
+       if (return_pass_flags != NULL) {
+               *return_pass_flags = pass_flags;
+       }
+
+       if (pf_tag != 0 && allowed_to_receive) {
+               allowed_to_receive = necp_packet_filter_tags_receive(pf_tag, pass_flags);
+       }
+
        if (!allowed_to_receive && interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
                soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
        }
        if (!allowed_to_receive && interface_type_denied != IFRTYPE_FUNCTIONAL_UNKNOWN) {
                soevent(inp->inp_socket, (SO_FILT_HINT_LOCKED | SO_FILT_HINT_IFDENIED));
        }
@@ -9332,7 +9743,7 @@ done:
 }
 
 bool
 }
 
 bool
-necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
+necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in_addr *local_addr, struct in_addr *remote_addr, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
        struct sockaddr_in local = {};
        struct sockaddr_in remote = {};
 {
        struct sockaddr_in local = {};
        struct sockaddr_in remote = {};
@@ -9344,11 +9755,11 @@ necp_socket_is_allowed_to_send_recv_v4(struct inpcb *inp, u_int16_t local_port,
        memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
 
        return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
        memcpy(&remote.sin_addr, remote_addr, sizeof(remote.sin_addr));
 
        return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
-                  return_policy_id, return_route_rule_id, return_skip_policy_id);
+                  pf_tag, return_policy_id, return_route_rule_id, return_skip_policy_id, return_pass_flags);
 }
 
 bool
 }
 
 bool
-necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id)
+necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port, u_int16_t remote_port, struct in6_addr *local_addr, struct in6_addr *remote_addr, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id, u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
        struct sockaddr_in6 local = {};
        struct sockaddr_in6 remote = {};
 {
        struct sockaddr_in6 local = {};
        struct sockaddr_in6 remote = {};
@@ -9360,22 +9771,21 @@ necp_socket_is_allowed_to_send_recv_v6(struct inpcb *inp, u_int16_t local_port,
        memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
 
        return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
        memcpy(&remote.sin6_addr, remote_addr, sizeof(remote.sin6_addr));
 
        return necp_socket_is_allowed_to_send_recv_internal(inp, (struct sockaddr *)&local, (struct sockaddr *)&remote, interface,
-                  return_policy_id, return_route_rule_id, return_skip_policy_id);
+                  pf_tag, return_policy_id, return_route_rule_id, return_skip_policy_id, return_pass_flags);
 }
 
 bool
 }
 
 bool
-necp_socket_is_allowed_to_send_recv(struct inpcb *inp, ifnet_t interface, necp_kernel_policy_id *return_policy_id,
-    u_int32_t *return_route_rule_id,
-    necp_kernel_policy_id *return_skip_policy_id)
+necp_socket_is_allowed_to_send_recv(struct inpcb *inp, ifnet_t interface, u_int16_t pf_tag, necp_kernel_policy_id *return_policy_id,
+    u_int32_t *return_route_rule_id, necp_kernel_policy_id *return_skip_policy_id, u_int32_t *return_pass_flags)
 {
 {
-       return necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, interface,
+       return necp_socket_is_allowed_to_send_recv_internal(inp, NULL, NULL, interface, pf_tag,
                   return_policy_id, return_route_rule_id,
                   return_policy_id, return_route_rule_id,
-                  return_skip_policy_id);
+                  return_skip_policy_id, return_pass_flags);
 }
 
 int
 necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id,
 }
 
 int
 necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel_policy_id policy_id, u_int32_t route_rule_id,
-    necp_kernel_policy_id skip_policy_id)
+    necp_kernel_policy_id skip_policy_id, u_int32_t pass_flags)
 {
        if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
                return EINVAL;
 {
        if (packet == NULL || inp == NULL || !(packet->m_flags & M_PKTHDR)) {
                return EINVAL;
@@ -9412,6 +9822,11 @@ necp_mark_packet_from_socket(struct mbuf *packet, struct inpcb *inp, necp_kernel
                packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        }
 
                packet->m_pkthdr.necp_mtag.necp_skip_policy_id = NECP_KERNEL_POLICY_ID_NONE;
        }
 
+       if (((pass_flags & NECP_KERNEL_POLICY_PASS_PF_TAG) == NECP_KERNEL_POLICY_PASS_PF_TAG) ||
+           ((inp->inp_policyresult.results.result_parameter.pass_flags & NECP_KERNEL_POLICY_PASS_PF_TAG) == NECP_KERNEL_POLICY_PASS_PF_TAG)) {
+               m_pftag(packet)->pftag_tag = PF_TAG_ID_SYSTEM_SERVICE;
+       }
+
        return 0;
 }
 
        return 0;
 }
 
@@ -9488,6 +9903,16 @@ necp_get_skip_policy_id_from_packet(struct mbuf *packet)
        return packet->m_pkthdr.necp_mtag.necp_skip_policy_id;
 }
 
        return packet->m_pkthdr.necp_mtag.necp_skip_policy_id;
 }
 
+u_int16_t
+necp_get_packet_filter_tags_from_packet(struct mbuf *packet)
+{
+       if (packet == NULL || !(packet->m_flags & M_PKTHDR)) {
+               return 0;
+       }
+
+       return m_pftag(packet)->pftag_tag;
+}
+
 bool
 necp_packet_should_skip_filters(struct mbuf *packet)
 {
 bool
 necp_packet_should_skip_filters(struct mbuf *packet)
 {
@@ -9572,16 +9997,27 @@ necp_socket_should_use_flow_divert(struct inpcb *inp)
                return FALSE;
        }
 
                return FALSE;
        }
 
-       return inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT;
+       return !(inp->inp_socket->so_flags1 & SOF1_FLOW_DIVERT_SKIP) &&
+              (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT ||
+              (inp->inp_policyresult.results.flow_divert_aggregate_unit != 0));
 }
 
 u_int32_t
 }
 
 u_int32_t
-necp_socket_get_flow_divert_control_unit(struct inpcb *inp)
+necp_socket_get_flow_divert_control_unit(struct inpcb *inp, uint32_t *aggregate_unit)
 {
        if (inp == NULL) {
                return 0;
        }
 
 {
        if (inp == NULL) {
                return 0;
        }
 
+       if (inp->inp_socket->so_flags1 & SOF1_FLOW_DIVERT_SKIP) {
+               return 0;
+       }
+
+       if (aggregate_unit != NULL &&
+           inp->inp_policyresult.results.flow_divert_aggregate_unit != 0) {
+               *aggregate_unit = inp->inp_policyresult.results.flow_divert_aggregate_unit;
+       }
+
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
                return inp->inp_policyresult.results.result_parameter.flow_divert_control_unit;
        }
        if (inp->inp_policyresult.results.result == NECP_KERNEL_POLICY_RESULT_SOCKET_DIVERT) {
                return inp->inp_policyresult.results.result_parameter.flow_divert_control_unit;
        }
mirror of XNU