NE: Disconnect from unmatched network when on-demand policy is "Including" (#338)

keeshux · web-flow · commit e1970dc4d00b · 2026-04-07T14:16:15.000+02:00
It seems to work properly on iOS/macOS 26. Fixes #10
diff --git a/Sources/PartoutOS/AppleNE/Modules/OnDemandModule+NE.swift b/Sources/PartoutOS/AppleNE/Modules/OnDemandModule+NE.swift
@@ -8,7 +8,7 @@ extension OnDemandModule {
     func neRules(_ ctx: PartoutLoggerContext) -> [NEOnDemandRule] {
         var rules: [NEOnDemandRule] = []
 
-        // apply exceptions (unless .any)
+        // Apply exceptions (unless .any)
         if policy != .any {
             if Self.supportsCellular, withMobileNetwork {
                 if let rule = cellularRule() {
@@ -30,14 +30,13 @@ extension OnDemandModule {
             }
         }
 
-        // IMPORTANT: append fallback rule last
+        // IMPORTANT: Append fallback rule last
         rules.append(globalRule())
 
         pp_log(ctx, .os, .info, "On-demand rules:")
         rules.forEach {
             pp_log(ctx, .os, .info, "\($0)")
         }
-
         return rules
     }
 }
@@ -49,10 +48,14 @@ private extension OnDemandModule {
         case .any, .excluding:
             rule = NEOnDemandRuleConnect()
         case .including:
-            rule = NEOnDemandRuleIgnore()
+            rule = NEOnDemandRuleDisconnect()
         @unknown default:
             rule = NEOnDemandRuleConnect()
         }
+        // This might be the culprit, WG only matches .wiFi
+        // IIRC, when .any is set with .including policy (i.e. fall
+        // back to a disconnect rule), the profile could not
+        // activate (forcibly disconnected). Maybe only on iOS?
         rule.interfaceTypeMatch = .any
         return rule
     }
@@ -89,7 +92,7 @@ private extension OnDemandModule {
 
     func wifiRule(SSIDs: [String]) -> NEOnDemandRule {
         let rule = networkRule(matchingInterface: .wiFi)
-        rule.ssidMatch = SSIDs.sorted() // for testing
+        rule.ssidMatch = SSIDs.sorted() // Predictable, for testing
         return rule
     }
 }
diff --git a/Tests/PartoutOSTests/AppleNE/OnDemandModuleRulesTests.swift b/Tests/PartoutOSTests/AppleNE/OnDemandModuleRulesTests.swift
@@ -100,7 +100,7 @@ struct OnDemandModuleRulesTests {
             wifiRule.interfaceTypeMatch = .wiFi
             wifiRule.ssidMatch = ["home", "nope"]
             rules.append(wifiRule)
-            rules.append(NEOnDemandRuleIgnore())
+            rules.append(NEOnDemandRuleDisconnect())
             return rules
         }()
         #expect(sut.neRules == computedRules)

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ extension OnDemandModule {`
`8`	`8`	`func neRules(_ ctx: PartoutLoggerContext) -> [NEOnDemandRule] {`
`9`	`9`	`var rules: [NEOnDemandRule] = []`
`10`	`10`
`11`		`- // apply exceptions (unless .any)`
	`11`	`+ // Apply exceptions (unless .any)`
`12`	`12`	`if policy != .any {`
`13`	`13`	`if Self.supportsCellular, withMobileNetwork {`
`14`	`14`	`if let rule = cellularRule() {`
`@@ -30,14 +30,13 @@ extension OnDemandModule {`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
`33`		`- // IMPORTANT: append fallback rule last`
	`33`	`+ // IMPORTANT: Append fallback rule last`
`34`	`34`	`rules.append(globalRule())`
`35`	`35`
`36`	`36`	`pp_log(ctx, .os, .info, "On-demand rules:")`
`37`	`37`	`rules.forEach {`
`38`	`38`	`pp_log(ctx, .os, .info, "\($0)")`
`39`	`39`	`}`
`40`		`-`
`41`	`40`	`return rules`
`42`	`41`	`}`
`43`	`42`	`}`
`@@ -49,10 +48,14 @@ private extension OnDemandModule {`
`49`	`48`	`case .any, .excluding:`
`50`	`49`	`rule = NEOnDemandRuleConnect()`
`51`	`50`	`case .including:`
`52`		`- rule = NEOnDemandRuleIgnore()`
	`51`	`+ rule = NEOnDemandRuleDisconnect()`
`53`	`52`	`@unknown default:`
`54`	`53`	`rule = NEOnDemandRuleConnect()`
`55`	`54`	`}`
	`55`	`+ // This might be the culprit, WG only matches .wiFi`
	`56`	`+ // IIRC, when .any is set with .including policy (i.e. fall`
	`57`	`+ // back to a disconnect rule), the profile could not`
	`58`	`+ // activate (forcibly disconnected). Maybe only on iOS?`
`56`	`59`	`rule.interfaceTypeMatch = .any`
`57`	`60`	`return rule`
`58`	`61`	`}`
`@@ -89,7 +92,7 @@ private extension OnDemandModule {`
`89`	`92`
`90`	`93`	`func wifiRule(SSIDs: [String]) -> NEOnDemandRule {`
`91`	`94`	`let rule = networkRule(matchingInterface: .wiFi)`
`92`		`- rule.ssidMatch = SSIDs.sorted() // for testing`
	`95`	`+ rule.ssidMatch = SSIDs.sorted() // Predictable, for testing`
`93`	`96`	`return rule`
`94`	`97`	`}`
`95`	`98`	`}`