Hi everyone, I am developing a macOS virtualization manager (VirtualProg) using the Virtualization.framework. The application is distributed via the Mac App Store, so it operates strictly within the App Store Sandbox. I am looking for a reliable, programmatic way to discover the IP address assigned to a guest (both macOS and Linux). Is there a recommended "Sandbox-safe" API or pattern within the Virtualization framework—or a lower-level networking entitlement—that allows a host application to retrieve the guest's assigned IP address? Ideally, I am looking for a solution that does not require the user to manually install a non-sandboxed helper tool. Thanks in advance for any insights or guidance!

I have the following code for port forwarding in mac os virtualization var ipAddr = in_addr() // 1. Convert String to in_addr inet_pton(AF_INET, guestIP, &ipAddr) let status = vmnet_network_configuration_add_port_forwarding_rule( config, UInt8(IPPROTO_TCP), // TCP protocol sa_family_t(AF_INET), // address family guestPort, // internal port (guest) externalPort, // external port (host) &ipAddr // internal address (guest IP) ) if status == .VMNET_SUCCESS { print("✅ Port Forwarding set: Mac:\(externalPort) -> VM(\(guestIP)):\(guestPort)") } else { print("❌ Port Forwarding failed for \(guestIP): \(status.rawValue)") } It is returning success but when i test it it does not work. Is there anything i am doing wrong? Please help me also in fixing this problem. Note: The app runs in sandbox i tried without sandboxing and it does not work either. Please refer to this link https://developer.apple.com/forums/thread/822025?login=true&page=1#884236022 how i am creating the VZVmnetNetworkDeviceAttachment

We are investigating bridged Wi-Fi DHCP behavior on recent macOS releases and would appreciate some clarification regarding the net.link.bridge.use_dhcp_xid sysctl. We observed that with the default setting, DHCP packets transmitted from a virtual machine through a bridged Wi-Fi interface may have their DHCP client identity modified (chaddr). In our testing, setting: net.link.bridge.use_dhcp_xid=0 prevents this behavior and restores the DHCP packet format observed on older macOS versions. We would like to better understand the intended purpose of this sysctl: What functionality does net.link.bridge.use_dhcp_xid control internally? Besides DHCP chaddr rewriting, what other bridge or DHCP processing behavior is affected by this setting? Is this sysctl related to DHCP snooping, anti-spoofing protection, Wi-Fi bridging compatibility, or another mechanism? Is the current default behavior (use_dhcp_xid=1) a recent change introduced in macOS 26.4.x? Is the modified DHCP behavior considered expected and supported, or is it intended as an implementation detail? For additional context, we previously submitted feedback regarding DHCP handling for virtual machines using Virtualization Framework. Since packet modification is restricted from user space, we are wondering whether this sysctl is related to DHCP processing implemented by the bridge subsystem to address DHCP spoofing, client identification, or Wi-Fi bridging limitations. One concern we have is that net.link.bridge.use_dhcp_xid appears to be a system-wide setting. In our use case, DHCP handling requirements may differ between virtual machines, networks, and environments. As a result, changing a global bridge behavior for the entire host system is not always desirable. If this sysctl is intended to control DHCP processing for bridged virtual machines, would it be possible to expose similar functionality on a per-interface, per-bridge, or per-VM basis rather than as a host-wide setting? This would allow virtualization products to adapt DHCP behavior to specific network environments without affecting all bridged networking on the host. One additional question: Apple suggested making this setting persistent via /etc/sysctl.conf. However, this file does not exist by default on our macOS 26.4.x systems. Is /etc/sysctl.conf still a supported mechanism for persistent sysctl configuration, or is there a preferred modern alternative? Any documentation or implementation details that can be shared would be greatly appreciated.

Hi guys, I am building a custom virtualization utility for macOS using the native Virtualization Framework. My goal is to allow local guest virtual machines to run in Bridged Mode (VZBridgedNetworkDeviceAttachment) so they can acquire their own distinct local IP address from my router and expose service ports directly to the local network. When attempting to compile and run my app with the com.apple.vm.networking entitlement, Xcode throws the following error:"Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file" I understand that this is a restricted capability that is hidden from the standard Apple Developer Portal by default. I have already reached out via email to Apple Developer Support to request it, but I have not received a definitive answer on the process or exact entitlement string name. For those who have successfully shipped or tested a virtualization app with bridged networking, Is com.apple.vm.networking the correct string name for modern macOS versions, or is there a newer, specific identifier required? What is the actual entitlement that i should see in my developer account? I can't seem to find it in the docs as well. Would it be called "VM Networking" Thanks,

I'm pleased to share some significant updates that have recently been released for our Hypervisor and Virtualization frameworks. We've focused on enhancing efficiency, expanding capabilities, and addressing common developer needs. I believe these will be valuable for many of you. Here’s a look at what’s new: Hypervisor Updates We've introduced support for configuring the intermediate physical address (IPA) memory granularity of a VM. This allows for more granular memory mappings, enabling granularity sizes down to 4KB. This is particularly useful for certain specialized device drivers requiring finer memory control. Virtualization Framework Updates More Efficient VM Image Storage with ASIF: We've integrated support for the Apple Sparse Image Format (ASIF). This results in a smaller disk footprint and optimized transfer for VM disk images when using VZDiskImageStorageDeviceAttachment, improving storage efficiency. Custom Network Topologies with vmnet: We've added support for vmnet custom network topologies. This enables more flexible VM-to-VM communication based on logical networks with customized configurations, useful for complex testing or development environments. See VZVmnetNetworkDeviceAttachment to get started. Simplified VM Queue Discovery: It's now easier to discover a VM’s on-process thanks to a new property on VZVirtualMachine. This should aid in development and debugging when interacting directly with the VM's queue. These are some of the key highlights of the first beta, and I'm looking forward to seeing how these improvements will be utilized. I encourage you to explore the documentation for full details on these features.

I have a simple impossible task, to restore /var/root/Library/Application Support/multipassd/qemu/vault/instances/gcc-cobol/ubuntu-22.04-server-cloudimg-arm64.img as of 8:02 Saturday morning. Because /var/root is owned by, well, root, the usual techniques don't work. This is a VM image hosted by qemu via Canonical's Multipass. ISTM the strategy would be to first mount the NAS filesystem and then use tmutil(8) to list the backups and recover the file. But $ sudo mount -v -o rdonly -t smb //nasa.local/TimeMachine /usr/local/mnt/ mount: exec /Library/Filesystems/smb.fs/Contents/Resources/mount_smb for /usr/local/mnt: No such file or directory mount: /usr/local/mnt failed with 72 Must I defeat SIP to do this?

Hey there! I’ve got some exciting news about Apple’s virtio_net_hdr implementation on macOS 15.4. It’s making communication a lot smoother, with a noticeable improvement! Now, I’d love to hear your thoughts on a couple of things. First, how do you think we can validate the populated values? And secondly, should we consider reusing populated values for the other endpoint, like the ‘flags’ field? Your insights would be invaluable!

Here's a simple program that spoofs an ARP reply for a given IP address. If I spin up two terminal sessions on the same machine. Run this code in one window % ./spoof en0 192.168.1.7 Listening on en0 for ARP requests to 192.168.1.7 Spoofing MAC: 00:0c:87:47:50:27 And in the second window cause the OS to issue an ARP_REQ % ping 192.168.1.7 You will see the program respond to the ARP request. (Wireshark will see the ARP_REQ and ARP_REPLY packets) however my arp table isn't updated with the MAC for the IP address. There is no firewall active. % arp -a|grep 192.168.1.7 (192.168.1.7) at (incomplete) on en0 ifscope [ethernet] This is running on a MacBook pro M3 (OSX 15.4). HOWEVER, on a MacBook pro M4 (OSX 15.2) is does Work !!!!! Can anyone explain why its not working? spoof.txt

Hi, I have couple of inquiries regarding the vmnet framework: Incorporating Global Variables: How should we integrate the new global variables in macOS 15.0+ vmnet_read_max_packets_key and vmnet_write_max_packets_key into our configuration to optimize packet transmission? Are those values populated dynamically or manually if so any recommended value ranges ? Buffer Allocation Issue: What strategies can we employ to mitigate this buffer allocation error and ensure more reliable packet transmission? We occasionally encounter the following error during packet writes: Error Domain=NSCocoaErrorDomain Code=512 "The file couldn’t be saved." Error Domain=NSPOSIXErrorDomain Code=55 "No buffer space available" Your insights on these matters would be greatly appreciated.

My environment is a router with OpenWRT, a laptop connected to the router via patch cable and an untagged VLAN with VID 5 configured on that port in the router, and a MacBook M1 Pro connected via Wi-Fi to the router. On the macbook, I created a VLAN interface by specifying en0 (AirPort) as the parent interface, then created a VM using QEMU with hvf accelerator or lima/UTM with VZ and I observe a strange situation: using arping, packets from the laptop sometimes reach the VM connected to the VLAN interface on the macbook, but arping running on the VM only sends requests but does not receive replies from the laptop. If I assign an IP address to the VLAN interface in macOS, packets are transmitted over either protocol without any problems. The problem is delivering packets to the virtual machine. With tcpdump on the laptop I can see that it reply to arp requests, I can also see on the router that replies to arp requests passed through the Wi-Fi interface, but I don't see them in tcpdump on en0 on the macbook, which is also strange. But as I wrote before, if I assign an address from the same network on the macbook's VLAN interface, any packets are delivered between the laptop and macbook. Laptop: 192.168.24.50 MacBook: 192.168.24.20 (vlan5 interface). VM: 192.168.24.10 With lima-vm I use socket_vmnet in bridge mode. With QEMU I use vmnet-bridged. ➜ ~ ifconfig vlan5 vlan5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496 options=6063<RXCSUM,TXCSUM,TSO4,TSO6,PARTIAL_CSUM,ZEROINVERT_CSUM> ether f0:2f:4b:xx:xx:xx inet 192.168.24.20 netmask 0xffffff00 broadcast 192.168.24.255 vlan: 5 parent interface: en0 media: autoselect status: active ➜ ~ ping 192.168.24.50 -c2 PING 192.168.24.50 (192.168.24.50): 56 data bytes 64 bytes from 192.168.24.50: icmp_seq=0 ttl=64 time=5.241 ms 64 bytes from 192.168.24.50: icmp_seq=1 ttl=64 time=5.429 ms --- 192.168.24.50 ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 5.241/5.335/5.429/0.094 ms ➜ ~ sudo arping -c 5 -i vlan5 192.168.24.50 ARPING 192.168.24.50 60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=0 time=6.061 msec 60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=1 time=6.084 msec 60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=2 time=5.945 msec 60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=3 time=3.092 msec 60 bytes from 10:e7:c6:xx:xx:xx (192.168.24.50): index=4 time=3.848 msec --- 192.168.24.50 statistics --- 5 packets transmitted, 5 packets received, 0% unanswered (0 extra) rtt min/avg/max/std-dev = 3.092/5.006/6.084/1.278 ms ➜ ~ ifconfig bridge100 bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1496 options=3<RXCSUM,TXCSUM> ether f2:2f:4b:xx:xx:xx Configuration: id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0 maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200 root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0 ipfilter disabled flags 0x0 member: vlan5 flags=3<LEARNING,DISCOVER> ifmaxaddr 0 port 22 priority 0 path cost 0 member: vmenet0 flags=3<LEARNING,DISCOVER> ifmaxaddr 0 port 23 priority 0 path cost 0 Address cache: 10:e7:c6:xx:xx:xx Vlan1 vlan5 326 flags=0<> 52:55:55:ae:36:b4 Vlan1 vmenet0 1172 flags=0<> nd6 options=201<PERFORMNUD,DAD> media: autoselect status: active [root@VM1 ~]# arping 192.168.24.50 -c5 ARPING 192.168.24.50 from 192.168.24.10 lima0 Sent 5 probes (5 broadcast(s)) Received 0 response(s) [root@VM1 ~]# [root@laptop ~]# arping 192.168.24.10 -c5 ARPING 192.168.24.15 from 192.168.24.10 lima0 Unicast reply from 192.168.24.10 [52:55:55:AE:36:B4] 2.492ms Unicast reply from 192.168.24.10 [52:55:55:AE:36:B4] 1.791ms Unicast reply from 192.168.24.10 [52:55:55:AE:36:B4] 3.059ms Sent 5 probes (1 broadcast(s)) Received 3 response(s) [root@laptop ~]# What could be the reason for this behavior?

I installed Gentoo in virtual machine using Apple Virtualization framework. In linux then I installed avahi, configured the network in Bridge mode. Now I want to connect from this virtual machine to other computer in local network. I can see other computers on the local network, and connect with them using local IP address. But for some reason these are not detected using .local domain. I run avahi-browse -at|grep PS3 and it detected 4 entries for this computer: IPV4 _ssh._tcp local IPV6 _ssh._tcp local IPV4 _sftp-ssh._tcp local IPV6 _sftp-ssh._tcp local Also avahi-resolve -n PS3.local correctly detects IPv6 address of this machine. So why cannot I connect with the computer using PS3.local name?

Some APIs seem to require entitlements for any use (sandboxed or not) but don't have any indication where we might sign up. The particular usage here is com.apple.vm.networking for vmnet, as it looks like we can't even get started in development without it.

Hi, I am trying to create a virtual-machine using Virtualization.Framework (Reference) and trying to use VZFileHandleNetworkDeviceAttachment (Referece) as network device. The creation and starting of VM are successful but am not receiving any raw packets via the created datagram socket. Is there any working example for using VZFileHandleNetworkDeviceAttachment. Thanks in advance.

Currently facing below error while opening a Centos Virtual Machine Translated Report (Full Report Below) ------------------------------------- Process: VirtualBoxVM [17916] Path: /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM Identifier: org.virtualbox.app.VirtualBoxVM Version: 7.0.8 (7.0.8) Code Type: ARM-64 (Native) Parent Process: VBoxSVC [2215] Responsible: VirtualBox [2211] User ID: 501 Date/Time: 2023-06-12 14:45:57.8123 -0500 OS Version: macOS 13.4 (22F66) Report Version: 12 Anonymous UUID: 3011B0EE-B295-B6AE-28D8-47D224DC9296 Time Awake Since Boot: 19000 seconds System Integrity Protection: enabled Crashed Thread: 12 EMT-3 Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Application Specific Information: abort() called Model: MacBookPro18,1, BootROM 8422.121.1, proc 10:8:2 processors, 32 GB, SMC Graphics: Apple M1 Pro, Apple M1 Pro, Built-In Display: Color LCD, 3456 x 2234 Retina, Main, MirrorOff, Online Display: DELL P2317H, 1920 x 1080 (1080p FHD - Full High Definition), MirrorOff, Online Display: LG HDR 4K, 3840 x 2160 (2160p/4K UHD 1 - Ultra High Definition), MirrorOff, Online Memory Module: LPDDR5, Hynix AirPort: spairport_wireless_card_type_wifi (0x14E4, 0x4387), wl0: Apr 7 2023 15:18:26 version 20.96.28.1.8.7.146 FWID 01-aff1b48a Bluetooth: Version (null), 0 services, 0 devices, 0 incoming serial ports Network Service: Wi-Fi, AirPort, en0 Network Service: F5 K, VPN (com.f5.access.macos), utun3 USB Device: USB31Bus USB Device: USB3.0 Hub USB Device: USB 10/100/1000 LAN USB Device: USB2.0 Hub USB Device: BILLBOARD DEVICE USB Device: Wireless Receiver USB Device: USB31Bus USB Device: Razer Cynosa Chroma Pro USB Device: USB31Bus Thunderbolt Bus: MacBook Pro, Apple Inc. Thunderbolt Bus: MacBook Pro, Apple Inc. Thunderbolt Bus: MacBook Pro, Apple Inc.

Host: Mac Ventura 13.3/m1 Xcode:14.3 My request for access to the com.apple.vm.networking entitlement has been approved. In Xcode I have also enabled the ability to automatically manage signing. Then i followed the steps in the link, focusing on new process part (https://developer.apple.com/forums/thread/663271) I encountered some problems when I was trying to enable "com.apple.vm.networking" Adopt an Explicit App ID I already have an explicit App ID for a macOS target. Configure Your App ID My App ID has the VM Networking option checked. Enable the Entitlement (in the https://developer.apple.com/documentation/virtualization/running_macos_in_a_virtual_machine_on_apple_silicon_macs to download sample code) In the sample code macOSVirtualMachineSampleApp.entitlements and InstallationTool.entitlements these two file, I have added the "com.apple.vm.net working", and set the value to YES, but for my build target(InstallationTool-Swift), there is no Personal VPN capability here, so I did not add this capability to update profile, but when I build my target, the terminal always appears the following error. This error caused my virtual machine to not start at all: Message from debugger: no such process. Program ended with exit code: -1 I searched the Internet for this error which may have been caused by my developer account authentication failure, but i'm not sure. Please let me know where I went wrong. Now it seems that "com.apple.vm.networking" does not take effect or authorization is not successful. I also don't know whether there is something wrong with my configuration. Anyway, I hope you can give me some advice.

Im learning about Virtualization framework from Apple, and Im currently trying to create an Arch Linux environment to run on top of it. Im still a bit confused about few concepts regarding how this works, so I gathered them into 3 sections. Kernel and Initial Ram Disk (initrd) usage. From what I learned to start Virtual Machine, I need to have extracted linuz and initrdfiles, and use them to create a bootloader. This is kind of different approach from other VMsolutions, but I think I get why it is. But to make sure few questions: Since Im loading the kernel and initramdisk at this step, I can extract exact files from my linux distribution disk image, and remove them from linux /boot folder right? And going forward since this is a bootloader, I don’t really need to install Grub to run it, right? Kernel and inited capabilities and format. Until now I was only able to run a single kernel and initrd - some Ubuntu cloud 20.04images downloaded from the internet. I tried also other versions of Ubuntu, and my own Arch build, but it usually ends with either some error or sometimes virtualMachine.start()returns success but after that nothing is happening. I think I need either to compile some required features into the kernel (but have no idea which) or have these files with some specific format. I noticed that when using file command on initrd I get different information about these files. For example, the one from Ubuntu that works for me is: LZ4 compressed data (v0.1-v0.9). The other one I tried, but didn’t work was Zstandard compressed data (v0.8+), Dictionary ID: None. Does that play a role here? If so how to prepare initrd in correct format? Virtual disk format. After booting into the environment I would like to perform Arch Linux installation on separate virtual disk, and later switch to use this disk as the main one. How should I prepare .img empty file to use? From Disk utility Im only able to prepare .dmg format. Can I use some other formats as well? And later how should I partition this disk? I was planning to create GTP partition table with just a single Linux ext4 partition. On other Virtual Machine I was also creating a 1MB partition for Grub, but I think this can be skipped here. Is that correct? Do I need initrd? I think that I will need to compile my own kernel to achieve nicely working environment. And this might be the good solution for me. If that's the case do I really need initrd at all? Would it be possible to create fully prepared kernel that boots without it? If so what features do I need to use in kernel config?

We've been working with VMWare on a ticket related to slow upload/download transfers using the VMWare API/SDK on Mac. They believe the root cause is below.  The slow performance is caused by Apple's authentication subsystem (PAM/opendrectoryd) being slow and using a lot of CPU. The security for guestOps file transfer requires an authn check for every packet, packets are limited to ~60k bytes due to the underlying arch; hence every 60k bytes of data has a ~.2 second overhead for the authn. (We see no such delays for Linux or Windows.) Does anyone have any experience with PAM/opendirectoryd who might be able be help me?

The documentation is clear, https://developer.apple.com/documentation/vmnet "Packets sent from a different IPv4 address are dropped by the system." But I wanted to have some proxmox nodes (debian with lxc containers) to test and learn high-availability clustering with it Also it could be cool to use some containers for "micro-services" web architecture I'm using https://github.com/gyf304/vmcli to create the virtual machines (both x86/arm 64bits are usable), but due to this "single IP" limitation, I can't make a virtual hosts communicate Is there any option / configuration on bridge100 interface to bypass this limitation ?

We need the ability to customize the IP ranges used by the virtualization networking on macOS 12.x I see that the ranges are specified in /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist Editing this file and rebooting resulted in the file reverting to its previous state. How can we change the network ranges and have them persist? What service do I need to restart to pickup the changes? -Blake