Change Packet interface using NKE - McMap

About

Change Packet interface using NKE

Asked 1/7, 2016 at 6:23 Answered 13/11, 2017 at 9:54

macos sockets kernel kernel-extension

D

1

7

Im developing a VPN app, i was looking for to route App specific packets from the default en0 interface. I was wondering can I achieve this by using NKE?

Let say all data from Safari goes through ppp0 interface and all data from Chrome goes through en0.

Destine answered 1/7, 2016 at 6:23 Comment(0)

M

2

I can't give you a 100% definite answer as I've never had to solve that specific problem before, and it doesn't seem to be documented anywhere. I can point you at a few things, which are where I would be focusing my research if I was being tasked with implementing such functionality.

As of WWDC 2017, Network Kernel Extensions are deprecated. Apple wants you to create user-space "Network Extensions" instead. There are special VPN classes you can implement. In theory, these allow per-app rules (see "Per-App VPN"), but in practice they seem to be tied to MDM, which seems like an odd decision. You may want to get in touch with Apple about getting that changed if that conflicts with what you're trying to do. They're actively soliciting input on the Network Extension API.
Network Kernel Extensions (NKE) are the more mature API. Routing happens between the "IP Filter" and "Interface Filter" stages. I'm not sure you can directly affect them through either of those filtering stages. Perhaps by removing packets using an interface filter on the default interface, and injecting them into your VPN interface's? I'm not sure that's wise though, and you may have trouble matching packets to the process that sent them at that stage of the network stack.
You could try binding a socket to a specific interface device (using IP_BOUND_IF) from a socket filter NKE.
The Berkeley Packet Filter (BPF) is also a possible solution.

Mesarch answered 13/11, 2017 at 9:54 Comment(3)

I can't get the IP_BOUND_IF approach working...i just end up with "host unreachable" errors when i do it. Anyone have any idea? – Kasiekask 10/7, 2019 at 18:21

@Kasiekask That seems far beyond the scope of what can be resolved in a few comments here, so I suggest you post a new question with your code and an explanation of what works and what doesn't (and what behaviour you'd have expected). I will point out that the days of the NKE API are now very much numbered, so if you can't do what you're trying to do with any of the Network Extension APIs, I suggest you get in touch with Apple about that. – Mesarch 10/7, 2019 at 19:0

i looked at "network extensions" but they're a complete clusterfuck, requiring 50x the boilerplate and nonsense that kernel extensions require. I will keep an eye on network extensions and will only move to them when i'm forced to :) Btw i figured out the issue, in order for a socket with "IP_BOUND_IF" to properly send traffic out the bound interface, the route (in the routing table) must be defined with -ifscope, otherwise the route is not itself bound to the interface, and so the routing engine won't be able to match it to the socket defined with the IP_BOUND_IF – Kasiekask 11/7, 2019 at 10:11

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.